Handling of compromised Linux systems
Transcript of Handling of compromised Linux systems
Compromised Linux Systems
Understanding and dealing with break-ins
Ede, 5 February 2016
Michael [email protected]
Agenda
Today
1. How do “they” get in
2. Rootkits
3. Malware handling
4. Defenses
Michael Boelen
● Security Tools
○ Rootkit Hunter (malware scan)
○ Lynis (security audit)
● 150+ blog posts
● Founder of CISOfy
How do “they” get in
Intrusions
● Passwords
● Vulnerabilities
● Weak configurations
Why?
Keeping Control
● Rootkits
● Backdoors
Rootkits 101
Rootkits
● (become | stay) root
● (software) kit
Rootkits
● Stealth
● Persistence
● Backdoors
How to be the best rootkit?
Hiding ★
In plain sight!
/etc/sysconfig/…
/tmp/mysql.sock
/bin/audiocnf
Hiding ★★
Slightly advanced
● Rename processes
● Delete file from disk
● Backdoor binaries
Hiding ★★★
Advanced
● Kernel modules
● Change system calls
● Hidden passwords
Demo
Continuous Game
Detection
Challenges
● We can’t trust anything
● Even ourselves
● No guarantees
Rootkit Hunter
Detect the undetectable!
Dealing with malware
● Owner?
● Risk?
● What if we pull the plug?
Activate your plan!
VLAN
Bogus DNS
Looks Real™
Quarantine
Consider Research
Memory dump (Volatility)
Static analysis
Restore
Does it include malware?
Defense
Best protection
At least:
● Perform security scans
● Collect data
● System hardening
Frameworks / Patches
● SELinux
● AppArmor
● Grsecurity
Compilers
● Remove
● Limit usage
Harden Applications
● Use chroot
● Limit permissions
● Change defaults
Kernel Hardening
● sysctl -a
● Don’t allow ptrace
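An added example (not from the slides) of turning the two bullets above into a check: a small POSIX shell audit that reads `sysctl -a` output and compares a few kernel and filesystem keys, including the ptrace restriction, against a hardened baseline. The key names are real sysctl keys; the baseline values and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit selected sysctl values against a hardened baseline.
# Key names are real Linux sysctl keys; the expected values are an assumed
# baseline for this example, not settings taken from the slides.
# kernel.yama.ptrace_scope: 0 = any process may ptrace others of the same
# uid, 1 = only descendants, 2 = CAP_SYS_PTRACE only, 3 = ptrace disabled.
BASELINE='kernel.yama.ptrace_scope 1
kernel.kptr_restrict 1
kernel.dmesg_restrict 1
fs.protected_symlinks 1
fs.protected_hardlinks 1'

# Constructed sample in "sysctl -a" output format (not from a real host).
SAMPLE='kernel.yama.ptrace_scope = 0
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
fs.protected_symlinks = 1
net.ipv4.ip_forward = 0'

# Reads "key = value" lines on stdin, prints OK / WEAK / MISSING per baseline
# key (a value at or above the baseline counts as OK) and returns the number
# of keys that need attention as its exit status.
audit_sysctl() {
    input=$(cat)
    fails=0
    while read -r key want; do
        got=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $3 }')
        if [ -z "$got" ]; then
            status=MISSING
            fails=$((fails + 1))
        elif [ "$got" -ge "$want" ] 2>/dev/null; then
            status=OK
        else
            status=WEAK
            fails=$((fails + 1))
        fi
        printf '%-28s %-8s current=%s baseline>=%s\n' \
            "$key" "$status" "${got:-none}" "$want"
    done <<EOF
$BASELINE
EOF
    return "$fails"
}

# Offline run on the constructed sample; on a live host use:
#   sysctl -a 2>/dev/null | audit_sysctl
printf '%s\n' "$SAMPLE" | audit_sysctl \
    || echo "$? sysctl setting(s) below baseline"
```

The sample deliberately leaves ptrace unrestricted and omits fs.protected_hardlinks, so the run reports one WEAK and one MISSING key and exits with status 2.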
Automation
Tip: Lynis
● Linux / UNIX
● Open source
● GPLv3
Conclusions
● Good rootkits are hard to detect
● Use cost-effective methods
○ Detect
○ Restore
○ Learn
● Apply hardening
Success!
More Linux security?
Presentations: michaelboelen.com/presentations/
Follow
● Blog Linux Audit (linux-audit.com)
● Twitter @mboelen