Linux Server Security
Security is a particular interest of mine, but not one in which I regularly get to indulge professionally. Most companies are reluctant to invest in security auditing since there is rarely any visible benefit (to the layman anyway). As such, most of my security-related work consists of recovering compromised hosts, and post-compromise forensics (how did the intruder get in, how can we stop it happening in the future, is the system backdoored etc). Over the years I've also provided detailed forensics reports which have been used as the basis of both criminal and civil prosecutions.
One area of security which I do get to work in regularly is PCI DSS, the bane of e-Commerce webmasters (you can read about my views on PCI DSS here). Typically clients come to me with the results of a security audit from a QA (Qualified PCI DSS Assessor); I go through the report and fix or refute things (mostly the latter, since the reports are generally filled with false positives). Usually one or two hours is enough to take care of any issues, leaving you free from PCI DSS worries for another year.
Security was one of my first interests, and was the subject of my first book, back in 2005. Since then things have changed a lot, with web exploits being the primary threat that I encounter. I get a strange fascination out of inspecting hacker tools recovered from compromised servers, and over the years I've encountered all manner of worms, rootkits, back-doored binaries and scanners. As a result I can usually clean up hacked servers quickly and efficiently, and pinpoint the source of the intrusion. Optionally I can then also advise on pro-active measures to stop similar things happening in the future.
Tools that I'm particularly fond of include:
- Snoopy - a command logger, useful for spotting exploit attempts on web code.
- iptables/ipset - stateful packet filtering and logging.
- mod_security - Apache module, useful for blocking web exploit attempts.
- strace - one of many tools for analysing suspect binaries.
- p0f - passive fingerprinting, see here.
- chkrootkit - a bit dated in its approach, but still worth using.
- Nessus - very comprehensive vulnerability scanner.
- Tripwire - maintaining the integrity of files.
- Nikto - web exploit scanner, somewhat prone to false positives.
... but of course, nothing beats the basics like netstat, strings and strace, combined with a bit of common sense and logic.