How To Protect Yourself Against Script Kiddies

Rootkits are popular tools used by hackers after breaking into system, to strengthen their hold. Learn how to protect your Linux system against rootkits and other threats.

InformationWeek Staff, Contributor

August 7, 2004

5 Min Read

So how do you protect yourself?

You could completely disconnect your machines from the Internet. However, this doesn't make your Web server very useful. Really, your best protection is to keep anyone from getting through the door in the first place. Keep your systems up to date. The vast majority of system break-ins stem from problems where patches had already been available, but not applied.

You also need to follow systems administration best practices such as removing and blocking any services you're not actually using. Doing so makes sure that there's no vulnerable locks for someone to try to pick, in cases where you never intend to use those doors in the first place. Of course there's also firewalling to prevent anyone actually reaching the machine. The built-in firewall in Linux can block people from even knocking on the door, since it can prevent them from even reaching the port a service listens on.

The next thing you can do to protect yourself is deploy intrusion detection systems. This class of software watches for known techniques for breaking in, such as port probing (where intruders try multiple ports in succession, like rattling doorknobs, until the intruder finds a vulnerability), buffer overflow attempts, and changing critical system files. Tools include Snort for network guarding, Tripwire and AIDE for the filesystem, and a wide range of commercial intrusion detection offerings for everything from small businesses to large enterprise installations.

However, even these measures aren't enough to protect against rootkits, because eventually someone will manage to break in. A great place to turn for rootkit protection is chkrootkit. Not only is chkrootkit a popular rootkit-detection program, this site also offers a wide variety of articles and resources you can follow to learn more and keep your knowledge up to date. Rootkit Hunter is another popular tool. These are similar tools, but using both allows you to perhaps catch something that one or the other wouldn't have seen. It's a good idea to set up these programs ahead of time rather than after the fact. This way, they run regularly in cron and can let you know up front that something's wrong.

You do have to keep in mind that rootkit authors know about all of these tools. It's best to make immediate backups of your various Interactive Development Environment (IDE) and rootkit-hunting data files offsite, since the rootkits might actually attack these as well. Also, back up your data files. You can reinstall your system, but replacing the data is harder.

So what do you do if the unimaginable happens?

The first thing you have to do is figure out that someone got in. You might already be compromised and not realize it. You might have been for a year. Run chkrootkit and Rootkit Hunter and see if they turn anything up. Then keep the system and tools up to date and monitor your logs.

Once someone does manage to break in, the first thing to do is yank the system off the network. This can be painful, but the longer you let the attacker have access, the more damage they can do -- especially if they are watching you and can see that you're onto them.

If they've gained root access, your smartest response is to go through those data backups to find ones that you trust, and then set up a brand new system. But do not overwrite or throw out the compromised drives. They can provide valuable evidence to help law enforcement track down and prosecute the people who hacked your system.

You might also choose to report the break-in to CERT, or your organization might do so after you follow the appropriate corporate break-in policies. Be sure to keep regularly-updated printouts of the CERT contact information in case your entire network is taken down by an attack. CERT then does its best to coordinate evidence-gathering, contacting other involved administrators, and maybe even connecting isolated incidents to one another to form a bigger picture. The SANS Information and Computer Security Resources page is also valuable reading, and worth bookmarking and checking for updates.

Wrapping Up
Network security is a never-ending battle between those few who want to keep intruders out, and the many who want to break in. Some attackers just want to take a walk through your system to say that they did, others have more nefarious purposes, such as stealing information or damaging your systems. Even those who are breaking in just for fun will deface your sites and post about what they did among their peers, attracting more unpleasant attention from those with the tools and knowhow to have some fun with your systems.

Be proactive, and save yourself a lot of headaches. Keep up with the latest types of attacks by watching sites like CERT and SANS-you can subscribe to their alert lists so you can find out about things immediately. (Subscribe to the SANS security newsletter list. The link to subscribe to the CERT list is currently broken.)

Most of all, keep your systems as up to date as humanly possible. There's little more embarrassing than having to admit that your system was broken into because you hadn't made the time to fix a particular known vulnerability.

Dee-Ann LeBlanc is an award-winning technical journalist, author and instructor focusing on Linux. Her latest book is "Linux for Dummies 5th Edition." E-mail Dee-Ann LeBlanc.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights