What to Do in the Event of a Breach

Suppose that the worst happens: Your system is compromised to the point that the intruder has gained root access. You may discover this through Tripwire reports, a chkrootkit run that reports problems, or some other means. What should you do? Unfortunately, in this situation you can't trust anything on your computer. Given root access, the cracker could have changed any file, including those you might use to restore the system to its normal state. Even if you've identified a root kit, you can't be sure those are the only files the intruder has changed. In broad outline, the procedure for dealing with an intrusion is as follows:

1. Disconnect your system from the network. Remove your system from the Internet and from your local network. You should literally unplug the network connection (if it's wired). This step ensures that your system can't be abused to attack others while you're trying to repair it.

2. Make a backup. Before you do anything else, make a backup of the system in its compromised state. This backup serves two main purposes. First, depending on how you choose to proceed, you may need to restore user data files from the backup. Second, you can use the backup for subsequent investigations. It may even prove to be helpful evidence if a criminal investigation ensues. Evidence that your system was compromised could help fix the blame where it belongs if the cracker used your system to attack others. You may want to make a separate backup of /etc for easy reference later in this procedure.

Tip The ideal backup is the original disk—you can then install a new replacement disk. Alternatively, you could copy compromised partitions to a spare disk using dd. Using the original disk or a full copy as the backup enables law enforcement to study the disk in detail, should the matter become a criminal investigation. Investigators might find traces of deleted files that could implicate the true culprit, and these traces would be lost if you were to use tar, dump, or other conventional backup tools.

3. Determine the method of entry. This step is easier said than done. Your log files may provide clues concerning the method of entry, as might symptoms of system misbehavior. As you research the security of important servers and other programs, you may discover a server or two with known security bugs that might have been used to gain entry.

4. Wipe the system clean. Delete every system file on the computer—program files, libraries, configuration files, and so on. Do this by booting an emergency Linux system and making new filesystems on the old partitions. If you've separated /home or other user data directories onto their own partitions, you can probably spare them, although it's possible that an intruder has left surprises even in these directories. As a minimal precaution, search any partitions you intend to keep for executable files (find /home -type f -perm /0111 should do the trick for /home with GNU find; the older -perm -0111 form matches only files that have all three execute bits set, so it can miss a mode-700 file an intruder tucked into a dot directory) and evaluate yourself whether each one should be executable (or even present).

5. Reinstall or recover the system. Reinstall the system from scratch or restore it from a backup. (The latter option is covered in Chapter 17, "Protecting Your System with Backups.") If necessary, restore your system's configuration to its pre-intrusion state—for instance, set up your servers the way they were before the intrusion. If you restore either the entire system or configuration files from backups, be sure the backups were made before the intrusion. If you made a backup of /etc in Step 2, do not restore it in its entirety. You can use individual files as models for changes to your system, but blindly restoring these files may end up restoring an intruder's "back door." One possible exception is user database files, such as /etc/shadow and /etc/passwd; however, you should audit these files to be sure you aren't restoring any suspicious accounts: look for a second UID 0 account besides root, accounts with an empty password field, and accounts you don't recognize.

6. Upgrade system security. Update old packages and fix any possible methods of entry you identified in Step 3. If you couldn't identify anything specific, you'll have to make do with package updates and increasing your general level of security. For instance, you might add a packet-filter firewall, as described in Chapter 20, or remove any servers you don't need to run. You should also change the root password and possibly ordinary users' passwords.

7. Restore data files. If you wiped out /home or other important data files, you can now restore them. If the intruder modified user files (say, defacing a website), you may need to restore from an older backup.

8. Restore to the network. Only after you've upgraded security should you contemplate returning the system to the network. At this point, your system should be clean and much harder to break into than it was before, so it's no longer a menace to others.
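The following script is an added example, not code from the book or its author. It collects the mechanical parts of Steps 2, 4, and 5 above (imaging with dd and checksumming the image, listing executables on a partition you intend to keep, and auditing a recovered passwd/shadow pair for extra UID 0 accounts and empty password fields) into a few shell functions built from POSIX tools plus GNU find and coreutils. Everything it operates on is constructed inside a temporary directory: the file standing in for the raw disk device, the kept /home tree, and the account names (sysadm, guest, alice) are all assumptions for illustration, so the script runs without root and never touches a real disk or the real /etc.

```shell
#!/bin/sh
# Added example, not from the book: helpers for steps 2, 4 and 5 of the
# clean-up procedure, using POSIX tools plus GNU find/coreutils.
# All input is constructed in a temp directory so the script runs without
# root and never touches a real disk or /etc.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 2 / Tip: image a block device with dd and record a checksum of the
# image so you can later show it was not altered. $1 stands in for /dev/sdX;
# conv=noerror,sync keeps going past read errors and pads unreadable blocks.
image_disk() {
    dd if="$1" of="$2" bs=4k conv=noerror,sync 2>/dev/null
    sha256sum "$2" > "$2.sha256"
    sha256sum -c "$2.sha256" >/dev/null
}

# Step 4: every executable regular file under a partition you mean to keep.
# -perm /111 (GNU find) matches any execute bit; -perm -111 would match only
# files with all three bits set, so a mode-700 file would slip past it.
list_executables() {
    find "$1" -type f -perm /111 | sort
}

# Step 5: audit recovered passwd ($1) and shadow ($2) files before reusing
# anything from them: extra UID-0 accounts, accounts with no password in
# passwd (field 2 empty), and empty password fields in shadow.
audit_accounts() {
    {
        awk -F: '$3 == 0 && $1 != "root" { print "extra-uid0:" $1 }' "$1"
        awk -F: '$2 == "" { print "nopass-passwd:" $1 }' "$1"
        awk -F: '$2 == "" { print "empty-shadow:" $1 }' "$2"
    } | sort
}

# --- constructed sample data (assumed, for illustration only) ---
# A fake raw device: 10000 bytes of filler text.
yes 'disk block' | head -c 10000 > "$WORK/fakedisk"

# A kept /home with one hidden mode-700 script among ordinary files.
mkdir -p "$WORK/home/alice/.cache" "$WORK/home/bob"
printf '#!/bin/sh\necho hi\n' > "$WORK/home/alice/.cache/.x"
chmod 700 "$WORK/home/alice/.cache/.x"
printf 'notes\n' > "$WORK/home/bob/todo.txt"
chmod 644 "$WORK/home/bob/todo.txt"

# passwd/shadow with two planted problems: "sysadm" is a second UID-0 account
# with an empty shadow entry, and "guest" has no password in either file.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
sysadm:x:0:0:system admin:/:/bin/sh
guest::1001:1001:Guest:/home/guest:/bin/sh
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructedhash:19000:0:99999:7:::
sysadm::19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

image_disk "$WORK/fakedisk" "$WORK/disk.img"
echo "image checksum: $(cut -d' ' -f1 "$WORK/disk.img.sha256")"
echo "executables on kept partition:"; list_executables "$WORK/home"
echo "account audit:"; audit_accounts "$WORK/passwd" "$WORK/shadow"
```

On a real incident you would run these from the emergency system, point image_disk at the raw device (writing the image to a spare disk, never to a partition on the compromised one), keep the .sha256 file with the image, and run list_executables and audit_accounts against the mounted kept partitions and the /etc copy from Step 2 rather than the files under WORK.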

This procedure may seem tedious and paranoid, but it's better to err on the side of safety. If you don't take adequate precautions against fresh compromises, or if you don't clean every trace of the intruder from your system, you might see return visits, which will only give you more headaches.

On the other hand, some types of intrusion are not serious enough to merit this entire procedure. For instance, if you've found an old account that should have been deleted long ago but that's still being used, you can probably just delete the account. Likewise, if an authorized user has been abusing the system to attack others without gaining local root access, you can probably skip the long process. Basically, this procedure exists to protect you and your data from a cracker who's acquired root privileges. Those privileges mean that the intruder could have hidden away files in odd locations to be used after a partial cleaning, simplifying a future break-in—even if the system has improved security after the intruder's been discovered once.

In addition to the clean-up procedure, you may want to undertake other measures. For instance, you might want to initiate disciplinary action against an authorized user who has abused computing privileges. You might even want to contact the police. Unfortunately, small-time cracking activities are extremely common, and the police lack the resources to pursue all but the most damaging intrusions. For instance, the FBI most likely won't take an interest even in an interstate intrusion unless damages exceed several thousand dollars.

Warning One thing you should never do in response to a break-in is to retaliate. As a practical matter, a misaimed retaliation can harm innocent people and land you in hot water. Even if you manage to attack the true perpetrator and don't get caught yourself, this activity only raises the general level of lawlessness on the Internet at large. It may invite a further retaliation from the original cracker, leading to an escalating spiral of attacks.
