Security Checks During Server Compromise
We can use a few techniques and tools to investigate a server if we suspect it has been compromised.
A server can be compromised as a result of various factors: weak passwords, weak iptables rules, older versions of software with known exploits, and more.
The command below helps you check for any “backdoors” (unexpected listening sockets or connections) which have been opened on your server.
# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 188.8.131.52:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:3128 192.168.1.2:53704 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53705 ESTABLISHED
tcp 0 0 192.168.1.1:22 192.168.1.2:33097 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53703 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53702 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:35523 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
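Reading a netstat listing by eye is fine for one host, but the same check is easier to repeat when the output is parsed and compared against a baseline of the ports the machine is supposed to expose. The following is an added example, not code from the page; it embeds the netstat listing shown above as its sample input, assumes a hypothetical baseline of ports 53, 22 and 3128, and flags listeners outside that baseline as well as baseline services bound to all interfaces. It also collects the remote hosts with established connections, which is the list to reconcile against known clients during triage.

```python
"""Parse `netstat -an` output and flag listening sockets that fall outside a
baseline of expected ports. Added example (not from the page); the embedded
sample is the netstat listing shown above, so the script runs offline."""

# Sample input: the `netstat -an` listing from the page, reproduced inline.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 188.8.131.52:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:3128 192.168.1.2:53704 ESTABLISHED
tcp 0 0 192.168.1.1:22 192.168.1.2:33097 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
"""

# Hypothetical baseline for this host: DNS, SSH and the squid proxy on 3128.
EXPECTED_PORTS = {53, 22, 3128}

# Wildcard binds expose a service on every interface.
WILDCARD_HOSTS = {"0.0.0.0", "::"}


def split_addr(addr):
    """Split 'host:port' into (host, port). Using the last colon keeps IPv6
    addresses such as '::1:953' intact; a '*' port (unconnected) becomes None."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_sockets(text):
    """Turn netstat rows into dicts; header lines and non-socket lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        local_host, local_port = split_addr(fields[3])
        foreign_host, foreign_port = split_addr(fields[4])
        rows.append({
            "proto": fields[0],
            "local_host": local_host,
            "local_port": local_port,
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,
            # UDP rows carry no State column.
            "state": fields[5] if len(fields) > 5 else "",
        })
    return rows


def unexpected_listeners(text, expected_ports=EXPECTED_PORTS):
    """Return (proto, host, port, reason) for listeners that deviate from the
    baseline: a port not in the allowlist, or a baseline port bound to all interfaces."""
    findings = []
    for r in parse_sockets(text):
        if r["state"] != "LISTEN":
            continue
        if r["local_port"] not in expected_ports:
            findings.append((r["proto"], r["local_host"], r["local_port"], "port not in baseline"))
        elif r["local_host"] in WILDCARD_HOSTS:
            findings.append((r["proto"], r["local_host"], r["local_port"], "bound to all interfaces"))
    return findings


def established_peers(text):
    """Set of remote hosts with an ESTABLISHED connection: the list to check
    against known clients when triaging a suspected compromise."""
    return {r["foreign_host"] for r in parse_sockets(text) if r["state"] == "ESTABLISHED"}


if __name__ == "__main__":
    for finding in unexpected_listeners(NETSTAT_OUTPUT):
        print("FINDING: %s %s:%s (%s)" % finding)
    print("peers:", sorted(established_peers(NETSTAT_OUTPUT)))
```

On the listing above this reports port 953 (the BIND rndc control port, present on 127.0.0.1 and ::1) as outside the assumed baseline and the proxy on 0.0.0.0:3128 plus DNS on :::53 as bound to all interfaces; whether those are findings or expected depends on the host's role, which is exactly why the baseline is an input rather than a constant.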
Sniff for connections involving a particular port using tcpdump:
# tcpdump -v src port 3128
07:58:07.756470 IP (tos 0x0, ttl 64, id 20876, offset 0, flags [DF], proto TCP (6), length 52) laptop.ss.com.3128 > dell.local.36737: ., cksum 0x130f (correct), ack 3466497798 win 482
1 packets captured
1 packets received by filter
0 packets dropped by kernel
This captures every packet whose source port is 3128, i.e. traffic sent by the service on that port (as the captured line shows: laptop.ss.com.3128 > dell.local.36737). To capture packets destined for that port instead, use dst port 3128; port 3128 on its own matches both directions.
To list all the open IP sockets associated with your SSH server run the following command:
# lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2701 root 3u IPv4 7109 TCP laptop.ss.com:ssh (LISTEN)
sshd 3891 root 3r IPv4 12124 TCP laptop.ss.com:ssh->dell.local:33097 (ESTABLISHED)
lsof can also be used to display all the running processes for a particular user.
More examples can be found in the man page for lsof.
Pros and Cons of Lightweight Directory Access Protocol (LDAP)
The main benefit of using LDAP is the consolidation of certain types of information within your organization. For example, all of the different lists of users within your organization can be merged into one LDAP directory. This directory can be queried by any LDAP-enabled applications that need this information. It can also be used by users who need directory information.
Other LDAP benefits include its ease of implementation (compared to X.500) and its well-defined Application Programming Interface (API), which means that the number of LDAP-enabled applications and LDAP gateways should increase in the future.
On the negative side, if you want to use LDAP, you will need LDAP-enabled applications or the ability to use LDAP gateways. While LDAP usage should only increase, currently there are not very many LDAP-enabled applications available for Linux.
OpenLDAP server daemon slapd Installation in Ubuntu
First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:
sudo apt-get install slapd ldap-utils
By default slapd is configured with only the minimal options needed to run the daemon.
The configuration example in the following sections will match the domain name of the server. For example, if the machine’s Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com.
OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc. without stopping the service.
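To make the two points above concrete (the default suffix derived from the FQDN, and live changes through cn=config), here is an added example that is not part of the page or of the OpenLDAP project. It derives the base DN from a host name following the ldap.example.com to dc=example,dc=com rule, and builds the LDIF for adding an index to the running database configuration. The database DN olcDatabase={1}mdb,cn=config is an assumption (older releases use {1}hdb), and the ldapmodify invocation it prints assumes the local ldapi socket with the root user's SASL EXTERNAL identity.

```python
"""Derive the default slapd suffix from a host's FQDN and build the LDIF for a
cn=config change, the way the text describes. Added example, not OpenLDAP
project code; the {1}mdb database name is an assumption (older releases use {1}hdb)."""

import re

# Assumed DN of the first user database under cn=config (confirm with an
# ldapsearch against cn=config on the target host before applying anything).
DEFAULT_DB_DN = "olcDatabase={1}mdb,cn=config"

# An LDAP attribute name: letters, digits and hyphens, starting with a letter.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Index types slapd accepts for olcDbIndex.
INDEX_TYPES = {"pres", "eq", "sub", "approx"}


def default_suffix(fqdn):
    """ldap.example.com -> dc=example,dc=com: the host label is dropped and every
    remaining DNS label becomes one dc= component, as in the example above."""
    labels = [part for part in fqdn.strip().rstrip(".").lower().split(".") if part]
    if len(labels) < 2:
        raise ValueError("FQDN needs a host label and at least one domain label")
    return ",".join("dc=%s" % label for label in labels[1:])


def add_index_ldif(attribute, index_type="eq", db_dn=DEFAULT_DB_DN):
    """LDIF that adds an olcDbIndex value to the live database configuration.
    Because cn=config is live, slapd applies this without a restart."""
    if not ATTR_NAME.match(attribute):
        raise ValueError("invalid attribute name: %r" % attribute)
    if index_type not in INDEX_TYPES:
        raise ValueError("unsupported index type: %r" % index_type)
    return ("dn: %s\n"
            "changetype: modify\n"
            "add: olcDbIndex\n"
            "olcDbIndex: %s %s\n" % (db_dn, attribute, index_type))


def apply_command(ldif_path):
    """Command line that applies the LDIF over the local ldapi socket using the
    root user's SASL EXTERNAL identity (the usual way to edit cn=config)."""
    return "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f %s" % ldif_path


if __name__ == "__main__":
    print("suffix:", default_suffix("ldap.example.com"))
    print(add_index_ldif("uid"))
    print(apply_command("add_uid_index.ldif"))
```

Write the returned LDIF to a file and run the printed ldapmodify command on the server; because the change goes through cn=config, slapd keeps serving queries while the index is added.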
slapd - Stand-alone LDAP Daemon
LDAP (Lightweight Directory Access Protocol) is a proposed open standard for accessing global or local directory services over a network and/or the Internet. A directory, in this sense, is very much like a phone book. LDAP can handle other information, but at present it is typically used to associate names with phone numbers and email addresses. LDAP directories are designed to support a high volume of queries, but the data stored in the directory doesn’t change very often.
OpenLDAP includes slapd (a stand-alone LDAP server), slurpd (a stand-alone LDAP replication server), libraries implementing the LDAP protocol, utilities, tools, and sample clients.
Slapd is the stand-alone LDAP daemon. It listens for LDAP connections on any number of ports (default 389), responding to the LDAP operations it receives over these connections. slapd is typically invoked at boot time, usually out of /etc/rc.local.
renice — alter priority of running processes
renice alters the scheduling priority of one or more running processes. The who parameters that follow the priority are interpreted as process IDs, process group IDs, or user names. Renicing a process group causes all processes in the process group to have their scheduling priority altered. Renicing a user causes all processes owned by the user to have their scheduling priority altered. By default, the processes to be affected are specified by their process IDs.
renice +1 987 -u daemon root -p 32
would change the priority of process IDs 987 and 32, and of all processes owned by users daemon and root.
Users other than the super-user may only alter the priority of processes they own, and can only monotonically increase their “nice value” within the range 0 to PRIO_MAX (20). (This prevents overriding administrative fiats.) The super-user may alter the priority of any process and set the priority to any value in the range PRIO_MIN (-20) to PRIO_MAX. Useful priorities are: 20 (the affected processes will run only when nothing else in the system wants to), 0 (the “base” scheduling priority), anything negative (to make things go very fast).
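The argument list in the renice example above mixes modes (bare PIDs, then -u user names, then -p back to PIDs), and the paragraph after it describes who may set which values. As an added example that is not part of the page, the following parses a renice argument list into its targets the way the text describes and encodes the permission rules (non-root: own processes only, nice value in 0..PRIO_MAX and never lowered; root: any value in PRIO_MIN..PRIO_MAX), so a script can predict whether a request would be refused before running it.

```python
"""Parse renice's argument list and check a request against the permission
rules described above. Added example, not part of the page or of renice itself."""

PRIO_MIN, PRIO_MAX = -20, 20


def parse_renice_args(argv):
    """First argument is the priority; the rest are 'who' parameters.
    Bare values are process IDs until a -p/-g/-u switch changes the mode,
    so ['+1', '987', '-u', 'daemon', 'root', '-p', '32'] yields
    priority 1, pids [987, 32], users ['daemon', 'root']."""
    if not argv:
        raise ValueError("priority required")
    priority = int(argv[0])  # int('+1') == 1, int('-5') == -5
    targets = {"pids": [], "pgrps": [], "users": []}
    mode = "pids"  # default: who parameters are process IDs
    for arg in argv[1:]:
        if arg == "-p":
            mode = "pids"
        elif arg == "-g":
            mode = "pgrps"
        elif arg == "-u":
            mode = "users"
        elif mode == "users":
            targets["users"].append(arg)
        else:
            targets[mode].append(int(arg))
    return priority, targets


def renice_permitted(new_nice, current_nice, is_superuser, owns_process):
    """Return None if the change is allowed, otherwise the reason it would be
    refused, following the rules in the text above."""
    if is_superuser:
        if PRIO_MIN <= new_nice <= PRIO_MAX:
            return None
        return "nice value outside PRIO_MIN..PRIO_MAX"
    if not owns_process:
        return "not the owner of the process"
    if new_nice < 0 or new_nice > PRIO_MAX:
        return "unprivileged users are limited to 0..PRIO_MAX"
    if new_nice < current_nice:
        return "unprivileged users may only raise the nice value"
    return None


if __name__ == "__main__":
    prio, who = parse_renice_args(["+1", "987", "-u", "daemon", "root", "-p", "32"])
    print("priority", prio, "targets", who)
    print(renice_permitted(prio, 0, is_superuser=False, owns_process=True))
```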