Host Security

Lesson 6: Detecting attacks
Objective: List ways to detect attacks.

Detecting Hacker Attacks

A major problem in detecting attacks is that crackers normally do not leave traces. If a cracker steals a password, he or she can connect without generating error entries, and the log files may show no unusual activity. While it is hard to destroy the log of the initial connection immediately, tools are available that let subsequent connections be made with few traces. Smart crackers also do not appear in the user list: when you run finger or who, they are not shown, because experienced crackers use tools that do not write the corresponding log entries, so tracing them with these utilities fails.

The only way to directly detect a competent cracker is to use netstat to identify active network connections while the cracker is online, or to use ps to identify active processes. Neither of these commands can be easily overcome by the cracker. However, if the cracker has root access, even these traces can be hidden.
There are, however, things you should look out for. Watch for any unusual system activity, such as users connecting from overseas, at odd hours, or performing atypical operations. Also look for changes to the system configuration; for example, certain security measures may be disabled, or backdoors may be enabled in standard files.
Finally, there may be anomalies in log files; for example, connections without the appropriate log entries signal a possible break-in. Luckily, there are tools that can help automate many of these checks. However, your best defense is to prevent attacks in the first place.
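One way to automate the check described above, that an active connection with no matching login record signals a possible break-in, is to cross-reference netstat output against who output. This is an added example, not part of the lesson; the netstat and who samples below are constructed, and the script assumes the Linux column layout of `netstat -tn` and `who`.

```python
"""Cross-check live SSH connections against the login table.

Added example: the lesson's point is that a connection with no
matching login entry is suspicious. The samples below are constructed.
"""
import re

# Constructed sample of `netstat -tn` output (Linux layout).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40022      ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.9:55000       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:33001        TIME_WAIT
"""

# Constructed sample of `who` output: only one of the two SSH peers
# is listed, so the other is the anomaly the lesson describes.
WHO_SAMPLE = """\
alice    pts/0        2024-05-01 09:12 (192.0.2.10)
bob      tty1         2024-05-01 08:00
"""


def ssh_peers(netstat_output, ssh_port=22):
    """Return remote IPs with an ESTABLISHED TCP connection to ssh_port."""
    peers = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip headers and anything that is not an established TCP socket.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "ESTABLISHED":
            continue
        local, remote = fields[3], fields[4]
        if local.rsplit(":", 1)[1] == str(ssh_port):
            peers.add(remote.rsplit(":", 1)[0])
    return peers


def logged_in_hosts(who_output):
    """Return the remote hosts that `who` shows in parentheses."""
    return set(re.findall(r"\(([^)]+)\)\s*$", who_output, re.MULTILINE))


def unlogged_ssh_peers(netstat_output, who_output):
    """SSH peers that are connected but have no login entry: candidate hidden sessions."""
    return sorted(ssh_peers(netstat_output) - logged_in_hosts(who_output))


if __name__ == "__main__":
    for ip in unlogged_ssh_peers(NETSTAT_SAMPLE, WHO_SAMPLE):
        print(f"ESTABLISHED ssh connection from {ip} with no `who` entry")
```

A connection still in the pre-authentication phase also has no login entry yet, so a hit should be confirmed by re-running the check a moment later or by correlating with the authentication log; as the lesson notes, a cracker with root access can hide even these traces.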
The following simulation shows you how to discover anomalous system behavior.
The next lesson introduces insecure remote login services.

Nameserver Types

There are two nameserver configuration types:
  1. authoritative: Authoritative nameservers answer only for resource records that belong to their own zones. This category includes both primary (master) and secondary (slave) nameservers.
  2. recursive: Recursive nameservers offer resolution services, but they are not authoritative for any zone. Answers for all resolutions are cached in memory for a fixed period of time, which is specified by the retrieved resource record (its TTL).

Although a nameserver can be both authoritative and recursive at the same time, it is recommended not to combine the configuration types. To be able to perform their work, authoritative servers should be available to all clients all the time. On the other hand, since the recursive lookup takes far more time than authoritative responses, recursive servers should be available to a restricted number of clients only, otherwise they are prone to distributed denial of service (DDoS) attacks.