I remember I sent this email weeks ago to another guy with the same doubts:

Hello, just in case it helps, please find below the steps I have used to analyze several suspicious machines at some customers, to check whether they have been compromised or not:

* chkrootkit && rkhunter -> to search for known trojans and common Linux malware.
* unhide (http://www.unhide-forensics.info/) -> to check for hidden processes and TCP sockets.
* rpm -Va -> to check binary integrity against the installed RPMs.
* If the netstat binary looks sane, check the listening sockets.
* If the ps binary looks sane, check the running processes it shows.
* Check console connections with the "last" and "lastb" commands.
* tcpdump on the network interfaces, excluding traffic for the known running services (80, 25, 21, etc., depending on the role of the machine), to check for weird traffic.
* grep -i segfault /var/log/* -> to check for buffer overflows in the logs.
* grep -i auth /var/log/* | grep -i failed -> to check for failed authentication attempts.
* lsmod -> to check the loaded kernel modules (it is very difficult to find out something wrong here, but just to be sure nothing weird appears).
* lsof -> to check the currently open files.
* Check xinetd -> to find out if someone has added a new "service".
* Have a look at /tmp, /opt, /usr/bin, /usr/local/bin, /usr/sbin and .bash_history...
* Check /etc/passwd and verify that the created users are licit to be there.
* Check the crontab of every user to make sure no process has been scheduled.

Hope the checklist helps...

Regards,

On 19/02/12 03:18, Al wrote:
> On Feb 18, 2012, at 9:07 PM, Donkey Hottie wrote:
>
>> On 19.2.2012 3:38, Al wrote:
>>> Any suggestions on what to run on a centos box to verify that the
>>> server isn't compromised or being sniffed? Thanks!
>> rkhunter comes to my mind.
> Thanks for the suggestion, any others?
--
Lorenzo Martinez Rodriguez

Visit me: http://www.lorenzomartinez.es
Mail me to: lorenzo at lorenzomartinez.es
My blog: http://www.securitybydefault.com
My twitter: @lawwait
PGP Fingerprint: 97CC 2584 7A04 B2BA 00F1 76C9 0D76 83A2 9BBC BDE2
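An added example, not part of Lorenzo's post or of the CentOS list thread: a small POSIX shell script that automates three read-only items from the checklist above (extra UID 0 accounts in /etc/passwd, failed authentication attempts in the logs, and segfault messages), with a source-address summary so repeated login failures from one host stand out. The passwd entries and log lines are constructed sample data written to a temporary directory so the script runs offline; on a live host you would point `SAMPLE_PASSWD` and `SAMPLE_LOG` at the real `/etc/passwd` and `/var/log/secure` (or loop over `/var/log/*` as the checklist does). The function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): read-only triage helpers for
# three items of the compromise checklist. Runs against constructed sample
# files; set SAMPLE_PASSWD / SAMPLE_LOG to real paths on a live system.

set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample /etc/passwd: "backdoor" shares UID 0 with root.
SAMPLE_PASSWD="$WORKDIR/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backdoor:x:0:0::/tmp:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Constructed sample log lines in syslog style (sshd, pam_unix, kernel).
SAMPLE_LOG="$WORKDIR/secure"
cat > "$SAMPLE_LOG" <<'EOF'
Feb 19 03:10:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Feb 19 03:10:03 host sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Feb 19 03:11:00 host sshd[2140]: Accepted publickey for alice from 192.0.2.20 port 40022 ssh2
Feb 19 03:12:17 host kernel: httpd[2212]: segfault at 0 ip 00007f0a4c1c2a3b sp 00007ffd2f3b1c40 error 4 in libc-2.12.so[7f0a4c140000+18a000]
Feb 19 03:13:00 host sshd[2160]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
EOF

# Print every account other than root whose UID is 0 (a classic backdoor user).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Count lines that look like failed authentication attempts: the
# "grep -i auth | grep -i failed" step of the checklist plus the
# pam_unix "authentication failure" wording.
auth_failure_count() {
    grep -i -c -E 'failed password|authentication failure' "$1"
}

# Print the source addresses behind failed logins, most frequent first.
auth_failure_sources() {
    grep -i -E 'failed password|authentication failure' "$1" \
        | grep -o -E '(from|rhost=)[ ]?[0-9.]+' \
        | sed -E 's/^(from |rhost=)//' \
        | sort | uniq -c | sort -rn
}

# Count segfault messages (a crashing service may have been hit by an exploit
# attempt, or may just be buggy; either way it deserves a look).
segfault_count() {
    grep -i -c segfault "$1"
}

# Stand-alone run: report on the sample files.
echo "UID 0 accounts besides root:"; uid0_accounts "$SAMPLE_PASSWD"
echo "Failed auth attempts: $(auth_failure_count "$SAMPLE_LOG")"
echo "Failed auth sources (count address):"; auth_failure_sources "$SAMPLE_LOG"
echo "Segfault messages: $(segfault_count "$SAMPLE_LOG")"
```

Each function only reads files, so it is safe to run on a box you suspect; the caveat from the checklist still applies, though: if `awk`, `grep` or the shell itself has been replaced, run the same checks from a known-good rescue environment or mount.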