
workstations and servers

Here is a small guide on how to secure workstations and servers as much as possible without compromising flexibility.

tools

Some tools that help detect, and in one case contain, a compromise are described here.

chkrootkit

This tool checks the system for traces of known rootkits: modified system binaries, suspicious kernel modules, hidden processes and network interfaces in promiscuous mode. Of course, if the machine is already compromised the intruders will most probably have replaced chkrootkit (or the ls, ps and netstat binaries it relies on) with versions that report all ok, so to be sure install it from source rather than from the suspect system's package cache:

chkrootkit
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

If you are really suspicious: a tampered wget (or resolver, or network path) could just as well fetch a doctored copy from another site. That is probably more effort than an intruder will go to, but the clean way around it is to do the whole thing from a separately booted USB stick: download and verify the tarball on the live system, mount the suspect disk read-only, and point chkrootkit at that mount, so that none of the suspect system's binaries are ever executed.
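The from-source procedure written out, as an added example that is not from the original page: fetch on a machine you trust, refuse to build unless the tarball matches a checksum obtained out of band, build with make sense (the target in chkrootkit's own Makefile), and scan the suspect disk from a live system using -r so that the suspect binaries are never run. The checksum value and the /mnt/suspect mount point are placeholders you supply; the page gives neither.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: EXPECTED_SHA256 is a
# checksum you obtained out of band (the page gives none) and the suspect root
# filesystem is mounted read-only at /mnt/suspect on a separately booted system.
URL="ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz"
EXPECTED_SHA256="${EXPECTED_SHA256:-replace-with-a-checksum-from-a-trusted-source}"

# verify_sha256 FILE EXPECTED: succeed only if FILE's SHA-256 equals EXPECTED
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Download, verify and build. Refuses to unpack a tarball that does not match.
fetch_and_build() {
    wget -O chkrootkit.tar.gz "$URL" || return 1
    if ! verify_sha256 chkrootkit.tar.gz "$EXPECTED_SHA256"; then
        echo "chkrootkit.tar.gz: checksum mismatch, not building it" >&2
        return 1
    fi
    tar xzf chkrootkit.tar.gz || return 1
    cd chkrootkit-*/ && make sense        # 'sense' is the chkrootkit Makefile target
}

# Scan the suspect system's files without executing any of its binaries:
# from the live USB system, mount the suspect root read-only, then point
# chkrootkit at that mount point with -r.
scan_mounted_root() {
    mountpoint="${1:-/mnt/suspect}"
    [ -d "$mountpoint/bin" ] || { echo "$mountpoint does not look like a root filesystem" >&2; return 1; }
    ./chkrootkit -r "$mountpoint"
}

# Usage on the live system (not run automatically):
#   fetch_and_build && scan_mounted_root /mnt/suspect
```

The checksum only helps if it comes from somewhere other than the same download path; read it from the project's announcement or a copy you stored earlier, not from the FTP directory next to the tarball.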

rkhunter

Rootkit Hunter does a similar job (known-rootkit signatures plus checks of system binaries against stored hashes). The two tools overlap only partly, so running both costs little and catches more.

last

last lists the logins that succeeded (it reads /var/log/wtmp). You will see a lot of entries for your own account; sudo invocations are not recorded here at all, they go to the auth log.

Each entry carries the remote host or IP address (use last -i to get addresses instead of hostnames, which are slower and easy to spoof). Scan that column for addresses you do not recognise, for instance 86.83.125.141, which is presumably an lvnl address but is worth checking next time.

lastb

This command shows failed login attempts (from /var/log/btmp), in the same format as last. Mostly it will be me just mistyping, but it is worth scanning the list for suspicious attempts, in particular unknown source addresses and usernames that do not exist on the machine.

/var/log/auth.log

This is not a command but the log file that records authentication events (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on Red Hat based systems). Every login, logout and sudo command produces a line or two, and so does every failed attempt. You can read the file as is, or filter the failed attempts with:

failed login attempts
grep Failed /var/log/auth.log

Again, if there are not many attempts they are probably my own mistyping. On a server with an open SSH port the same grep shows which usernames the intruders are trying. fail2ban should be banning the IP addresses printed next to them, but the sheer volume is what prompts me to open SSH only for installs and close it again afterwards, just to discourage all the traffic on port 22.

fail2ban

This program should always be running. It watches the log files for failed login attempts and, once one address accumulates more failures than allowed within a time window (the jail.conf defaults are 5 failures within 10 minutes), inserts a firewall rule that blocks that address for the ban period (10 minutes by default). Raise the ban time in jail.local, or enable the recidive jail, for addresses that come back after a ban expires.
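What fail2ban does, reduced to its detection step and added here as an example that is not the page's own: count Failed password lines per source address in the auth log and report every address at or over a threshold, plus the usernames being tried. The log lines are constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, not real attackers.

```shell
#!/bin/sh
# Added example, not from the original page: the counting that fail2ban's sshd
# filter performs, done with awk over auth.log lines read from stdin.

# brute_force_sources [THRESHOLD]: print "IP count" for every source with at
# least THRESHOLD failed sshd password attempts (default 5, fail2ban's default
# maxretry; fail2ban additionally limits the count to a findtime window).
brute_force_sources() {
    awk -v t="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort
}

# tried_usernames: which account names are being guessed, most frequent first.
# "Failed password for invalid user NAME" marks names that do not exist here.
tried_usernames() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                name = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                count[name]++
            }
        }
        END { for (name in count) print count[name], name }
    ' | sort -rn
}

# Constructed sample auth.log lines (not from a real host).
SAMPLE_AUTH='Mar  4 09:01:10 host sshd[1234]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  4 09:01:12 host sshd[1235]: Failed password for root from 203.0.113.9 port 51236 ssh2
Mar  4 09:01:15 host sshd[1240]: Failed password for invalid user oracle from 203.0.113.9 port 51240 ssh2
Mar  4 09:01:18 host sshd[1241]: Failed password for root from 203.0.113.9 port 51242 ssh2
Mar  4 09:02:00 host sshd[1250]: Failed password for bob from 10.0.0.5 port 40000 ssh2
Mar  4 09:02:30 host sshd[1251]: Accepted password for bob from 10.0.0.5 port 40002 ssh2
Mar  4 09:02:31 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 09:05:00 host sshd[1260]: Failed password for invalid user test from 198.51.100.7 port 2222 ssh2'

# Real usage:
#   brute_force_sources 3 < /var/log/auth.log
#   tried_usernames < /var/log/auth.log | head
```

The single failure from 10.0.0.5 followed by an Accepted line is the mistyped-password case the text mentions; only the address with repeated failures crosses the threshold, which is why fail2ban's maxretry exists.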

snort

samhain

This is a host-based intrusion detection system, essentially a file integrity checker. Before anything else, initialise its database:

samhain
samhain -t init

This creates a baseline database of checksums and attributes (owner, permissions, timestamps) for the monitored files; later runs compare the live files against it and report anything that has been fiddled with. Keep that database, and ideally the samhain binary itself, on media the host cannot write (read-only or a separate machine), otherwise an intruder simply re-baselines after making changes. To do a check later:

check
samhain -t check

However, it does not seem to install correctly, so it is not in use at the moment.
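The init-then-check cycle that samhain performs, shown with coreutils as an added example that is neither the page's nor samhain's code: a baseline of SHA-256 digests is written once, and later runs report changed, missing and new files. Directory and database paths are whatever you pass in; the files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original page or from samhain: a minimal
# file-integrity baseline with sha256sum, illustrating what `samhain -t init`
# and `samhain -t check` do. Keep the database (and this script) on media the
# monitored host cannot write, otherwise an intruder simply re-baselines.

# integrity_init DIR DBFILE: record the SHA-256 of every regular file under DIR
integrity_init() {
    db=$(readlink -f "$2")
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$db"
}

# integrity_check DIR DBFILE: return 0 only if nothing changed; otherwise print
# sha256sum's FAILED lines for altered or missing files and NEW: for additions
integrity_check() {
    db=$(readlink -f "$2")
    rc=0
    ( cd "$1" && sha256sum --quiet -c "$db" ) || rc=1
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | tr '\0' '\n' ) | awk -v db="$db" '
        BEGIN { while ((getline line < db) > 0) { sub(/^[0-9a-f]+  /, "", line); known[line] = 1 } }
        !($0 in known) { print "NEW: " $0; new = 1 }
        END { exit (new ? 1 : 0) }
    ' || rc=1
    return $rc
}

# Usage:  integrity_init /etc /mnt/usb/etc.sha256
#         ...later, from the same read-only media...
#         integrity_check /etc /mnt/usb/etc.sha256
```

This covers content only; samhain also records ownership, mode and timestamps, and can watch for changes continuously. A new file is flagged separately because sha256sum -c can only verify entries that are already in the database.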

sagan