Security Ripcord


Anti-Virus For All

July 26th, 2009 cutaway Posted in Incident Response, Linux, Malware, Security 2 Comments » 1,509 views

I have been a part of many conversations about Linux-based systems running anti-virus. To date my best argument for saying that it should be taken into consideration has been that it ensures that your hardening standards are consistent across the environment. Mentions of the fact that there is Linux-based malware, rootkits, and privilege escalation vulnerabilities have all been met with grumbled "Whatever"s, shaking of heads, and a look that says "this conversation had better move on or we are done here." A recent incident response, however, has provided me with a better example of how anti-virus running on any system, especially servers, can be beneficial.

Let's set up the scenario. A US-based company has operating system hardening standards that they adhere to for all deployments. Servers should not be placed on the internal network until it is proven that the server has been updated and hardened appropriately. These hardening standards include anti-virus and file integrity software on all systems regardless of operating system. So you can imagine the surprise of one of the network administrators when she received an email from a company overseas asking them to investigate a server that was conducting an FTP brute force attack on several of their servers. A quick investigation showed that there had been a significant amount of network communication occurring between this internal server and several external IP addresses.

Network administrators started looking at the internal system in more detail. It turns out that several developers, in an effort to test updates to one of the company's primary web-based applications, had placed a test web server and database on the network. Because of some older firewall rules, the IP address they gave the server permitted access to it on ports 80, 443, and 22. Further investigation determined that these developers did not follow company policy and harden the server, although they did install Symantec Anti-virus and configured it to start when the system was booted. After some initial investigation by server administrators the server was isolated from the network and I was asked to perform a data analysis to determine what had occurred on the system.

Once the data analysis was complete the story was fairly straightforward. After being accessible from the Internet for approximately 24 hours, the "root" account was accessed via an SSH brute force attack. This despite the fact that the developers had used an 8-character password with upper and lower case letters, one number, and one special character (the administrator I talked to also stated that it did not appear to be a modified dictionary word that he could readily read). Although the SSH brute force attack should have been very noticeable from a network standpoint, it was never flagged. With access to the "root" account the remote users started uploading tools to the server. Specifically, several well-known scripts for running brute force and denial of service attacks, along with programs designed to connect the server to a botnet, were uploaded to the server. Symantec anti-virus started alerting immediately. Although it did not detect all of the malicious files that were uploaded, it definitely identified and quarantined many files while writing alerts to the system's syslog.

As with all system compromises, this scenario shows a breakdown of security protections on multiple levels. Incident response plans are recommended, and in some cases mandatory, for this very reason. But I find it interesting that of all of the security controls put in place by this company, the one that ended up performing its task the best was the anti-virus program on a Linux-based operating system. Although anti-virus can be considered a prevention control, it is primarily a detection control. Had this system been configured to log centrally, or had the developers periodically reviewed the system logs, the unauthorized access would have been detected almost immediately. As it was, the system was used to attack other systems on the Internet for about a week before somebody alerted the company to their problem.
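The two signals the post says were sitting unread in syslog (a run of sshd failures for root followed by a success from the same source, and the anti-virus quarantine alerts) are exactly what a periodic or central log review would catch. The following script is an added example, not code from the original post; the log excerpt is constructed, and the "antivirus:" message format is an assumption rather than Symantec's real syslog format.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the incident in the post):
# five sshd failures for root from one address, a success from that same
# address, two anti-virus quarantine alerts, and one unrelated key login.
SAMPLE_LOG = """\
Jul 20 02:11:01 testweb sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 20 02:11:03 testweb sshd[4023]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 20 02:11:05 testweb sshd[4025]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jul 20 02:11:07 testweb sshd[4027]: Failed password for root from 203.0.113.7 port 51028 ssh2
Jul 20 02:11:09 testweb sshd[4029]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul 20 02:11:11 testweb sshd[4031]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Jul 20 02:14:40 testweb antivirus: Threat found: Hacktool in /tmp/.x/scan. Action: Quarantined
Jul 20 02:15:02 testweb antivirus: Threat found: Backdoor in /tmp/.x/bot. Action: Quarantined
Jul 20 03:00:00 testweb sshd[4100]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
AV_ALERT = re.compile(r"antivirus: Threat found: (\S+) in (\S+)\. Action: (\w+)")  # assumed format

def analyze(log_text, threshold=5):
    """Walk the log once, in order, and report: sources with at least
    `threshold` failed logins, successful logins preceded by that many
    failures from the same source (the brute force that worked), and
    every anti-virus alert regardless of action taken."""
    failures = Counter()
    suspicious_logins = []
    av_alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if failures[src] >= threshold:
                suspicious_logins.append((user, src, failures[src]))
            continue
        m = AV_ALERT.search(line)
        if m:
            av_alerts.append(m.groups())
    return {
        "brute_force_sources": {s: n for s, n in failures.items() if n >= threshold},
        "suspicious_logins": suspicious_logins,
        "av_alerts": av_alerts,
    }
```

Run against a real `/var/log/auth.log` or `/var/log/secure`, the threshold should be tuned to the host's normal failure rate, and a non-empty `suspicious_logins` list is the condition worth paging on.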

Hopefully this provides a little better explanation of the need for and usefulness of deploying anti-virus programs within a Linux, Unix, Mac, FreeBSD, etc. environment. Not only are you protecting your own assets by reducing the gap between system compromise and your staff's response, you are also making the Interwebs a safer place.

Go forth and do good things,

Don C. Weber


Bastille-Linux Temporarily Disrupted By Domain Squatter

October 30th, 2007 cutaway Posted in Emotional, InGuardians, Linux, PDC No Comments » 1,289 views

I am about to harden a Linux box and I need to re-read the documentation for Bastille. As I started typing the URL I remembered that the original URL I am used to following has been obtained by a domain squatter. I had originally heard about this incident while listening to PDC. I was then actually affected by it when I discovered that a link in the CIS VMware ESX Server Benchmark pointing to one of Jay's articles was broken because of the new bogus site put up by the domain squatter.

If you would like more information about this, check out the letter Jay Beale wrote to the users of Bastille. It does seem that he will be able to get the site back through his lawyers. I am not sure if Bastille is trademarked and therefore it might not fall under the Anticybersquatting Consumer Protection Act, but I assume that he should, at least, have some copyright precedence to fall back on. He also points out that although the new site currently points to the actual Bastille download site, he is worried about the potential for this site to distribute hacked versions of the software. To protect against this possibility he will be using his PGP key to create a signature for legitimate releases that users can use to verify the versions they obtain.

This whole thing really ticks me off. I agree that purchasing an original domain name (not a product name that has been trademarked), and selling it to somebody when they find the need for it, is perfectly legitimate. But I do not like the idea of people waiting around for a site's domain registration to expire, snatching it up before the original owner or organization can update the account, and then attempting to sell it back to the original owner for a large fee. One simple act by an outside individual could cost a company a lot of money, either in the repurchase of the domain name or the re-branding of an entire product or line. Although for big business this might not be a problem, I can see a real impact on open source projects and small businesses.

I wish Jay the best of luck with this whole incident.

Go forth and do good things,
Cutaway


The Best Tool For The Job

April 4th, 2006 cutaway Posted in Emotional, Linux, Microsoft, Tools, Unix No Comments » 1,100 views

Okay, I am getting a little sick and tired of the constant chatter about "this operating system is better than that operating system." It is like the white noise in the background of any room where there is more than one technically savvy person. People just need to get over the fact that there is more than one tool out there and that a job can usually be done by any one of those tools. Sure, many times one of those tools does a better job than the rest, but guess what, that is true of everything else in life.

"Where is this coming from?" you ask. Well, this past week I had an interview for a Security Manager position and one of the system administrators asked the question, "So, how are you going to treat my Linux server if you are hired for this position?" I told him that I didn't have a problem with one operating system over another. I explained that any job can be done by any operating system and that a good security administrator will have to be ready to evaluate any system to determine how it is affecting the security of the environment. A pretty good answer in my mind, but it seems that the statement "any job can be done by any operating system" raised a few hairs and ruffled a few tail feathers.

Look, in my heart of hearts I am a Linux man. However, I am working in a mixed Solaris and IRIX environment that is moving to a Solaris and SUSE mix, and periodically a Windows system will rear its ugly head. Do I mind? No. I am happy to secure, or provide suggestions when securing, any operating system. Has this hurt me a little in that I am not completely conversant in any one operating system? Maybe, but I am ready for all encounters and I will overcome either with the knowledge in my head or a little bit of the SANS Reading Room and/or Google.

Please get over it,

Cutaway