How can I detect unwanted intrusions on my servers?

How are other admins monitoring their servers to detect any unauthorized access and/or hacking attempts? In a larger organization it's easier to throw people at the problem but in a smaller shop how can you effectively monitor your servers?

I tend to scan through the server logs looking for anything that jumps out at me, but it's really easy to miss things. In one case we were tipped off by low hard drive space: our server was taken over as an FTP site - they did a great job hiding the files by messing with the FAT table. Unless you knew the specific name of the folder it wouldn't show up in Explorer, from DOS, or when searching for files.

What other techniques and/or tools are people using?


Solution 1:

It partly depends on what type of system you're running on. I'll outline some suggestions for Linux, because I'm more familiar with it. Most of them apply to Windows as well but I don't know the tools...

  • Use an IDS

    SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

    Snort reads network traffic and can look for things like "drive by pen testing" where someone just runs an entire Metasploit scan against your servers. Good to know these sorts of things, in my opinion.

  • Use the logs...

    Depending on your usage you can set it up so you know whenever a user logs in, or logs in from an odd IP, or whenever root logs in, or whenever someone attempts to log in. I actually have the server e-mail me every log message higher than Debug. Yes, even Notice. I filter some of them of course, but every morning when I get 10 emails about stuff it makes me want to fix it so it stops happening.

  • Monitor your configuration - I actually keep my entire /etc in subversion so I can track revisions.

  • Run scans. Tools like Lynis and Rootkit Hunter can give you alerts to possible security holes in your applications. There are programs that maintain a hash or hash tree of all your bins and can alert you to changes.

  • Monitor your server - Just like you mentioned disk space - graphs can give you a hint if something is unusual. I use Cacti to keep an eye on CPU, network traffic, disk space, temperatures, etc. If something looks odd it is odd and you should find out why it's odd.
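As an added illustration of the "hash tree of all your bins" idea in the answer above, here is a minimal file-integrity checker (example code written for this page, not the answerer's setup and not the code of Lynis, Rootkit Hunter or any other named tool). It hashes every regular file under a directory into a baseline, then diffs a later snapshot against it and reports added, removed and modified files. The scratch directory, file names and contents in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record digest, size and permission bits for every regular file.

    Symlinks are skipped so a link pointing outside the tree cannot be used to
    make the baseline report on files it was never meant to cover.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                # permission bits included so a setuid flip is caught even if content is unchanged
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(old, new):
    """Diff two baselines; returns sorted lists of added, removed and modified paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    """Persist the baseline as JSON. Keep this copy off-host or on read-only media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a scratch 'bin' tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho ps\n")
        (root / "bin" / "netstat").write_bytes(b"#!/bin/sh\necho netstat\n")

        base = build_baseline(root)
        save_baseline(base, root / "baseline.json")  # in practice: somewhere the host can't write

        # Simulated changes an admin would want to hear about (constructed, not a real incident)
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho tampered\n")  # modified
        (root / "bin" / "netstat").unlink()                                # removed
        (root / "bin" / "kworker").write_bytes(b"#!/bin/sh\necho new\n")  # added

        current = build_baseline(root)
        # the baseline file itself now exists in the tree; exclude it from the report
        current.pop("baseline.json", None)
        return compare(load_baseline(root / "baseline.json"), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The useful property is that the report is only as trustworthy as the stored baseline: if it lives on the same disk with the same permissions as the binaries it describes, whoever replaced the binaries can regenerate it, which is why the save step above is commented the way it is.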

Solution 2:

Automate everything you can ... take a look at projects like OSSEC http://www.ossec.net/ Client/server install ... really easy setup and the tuning isn't bad either. Easy way to tell if something has been changed including registry entries. Even in a small shop I would look at setting up a syslog server so you can digest all of your logs in one place. Check out syslog agent http://syslogserver.com/syslogagent.html if you are only looking to send your Windows logs to a syslog server for analysis.

Solution 3:

On Linux, I use logcheck to regularly report suspicious entries in my log files. It's also very useful for detecting non-security related unexpected events.
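As an added example of the logcheck-style approach in this answer (and of the "e-mail me about root logins and logins from odd IPs" rules in Solution 1), here is a small triage script written for this page; it is not logcheck's code nor the answerer's configuration. It suppresses known-benign lines, applies a few explicit rules (root logins, logins from outside an assumed trusted range, repeated failed logins, sudo use), and, like logcheck, reports anything it does not recognise. The trusted network ranges are an assumption, and the sample log lines are constructed in the OpenSSH/syslog format, not taken from a real host.

```python
import collections
import ipaddress
import re

# Assumed management networks; adjust to the site's own ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Known-benign noise; anything matching here is dropped before the rules run.
IGNORE = [
    re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed)"),
    re.compile(r"systemd-logind\[\d+\]: (New session|Removed session)"),
]

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")
SUDO = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")


def is_trusted(ip, nets=TRUSTED_NETS):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def triage(lines, nets=TRUSTED_NETS, fail_threshold=3):
    """Return (rule, detail) tuples for every line worth a human's attention."""
    alerts = []
    failures = collections.Counter()
    for line in lines:
        if any(p.search(line) for p in IGNORE):
            continue
        m = ACCEPTED.search(line)
        if m:
            _method, user, ip = m.groups()
            if user == "root":
                alerts.append(("root-login", line))
            elif not is_trusted(ip, nets):
                alerts.append(("login-from-untrusted-ip", line))
            continue
        m = FAILED.search(line)
        if m:
            ip = m.group(3)
            failures[ip] += 1
            if failures[ip] == fail_threshold:  # alert once, when the threshold is reached
                alerts.append(("repeated-failed-logins", f"{ip}: {fail_threshold} failures"))
            continue
        m = SUDO.search(line)
        if m:
            alerts.append(("sudo", line))
            continue
        # logcheck's key idea: what is neither ignored nor understood still gets reported
        alerts.append(("unrecognised", line))
    return alerts


# Constructed sample log (syslog/OpenSSH format); addresses are documentation ranges.
SAMPLE_LOG = """
Mar 14 06:25:01 web1 CRON[2201]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 14 06:25:01 web1 CRON[2201]: pam_unix(cron:session): session closed for user root
Mar 14 06:31:12 web1 sshd[2310]: Accepted publickey for alice from 192.168.1.20 port 51522 ssh2
Mar 14 06:40:07 web1 sshd[2355]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Mar 14 06:40:09 web1 sshd[2355]: Failed password for invalid user admin from 203.0.113.45 port 40122 ssh2
Mar 14 06:40:11 web1 sshd[2355]: Failed password for root from 203.0.113.45 port 40122 ssh2
Mar 14 06:42:33 web1 sshd[2390]: Accepted password for root from 203.0.113.45 port 40310 ssh2
Mar 14 06:43:01 web1 sudo:    root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar 14 06:45:00 web1 sshd[2401]: Accepted publickey for bob from 198.51.100.7 port 51000 ssh2
Mar 14 06:50:10 web1 kernel: [12345.678] usb 1-1: new high-speed USB device number 4 using xhci_hcd
""".strip().splitlines()


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Run against the sample, the cron noise disappears, alice's login from the trusted range is silent, and five lines come back: the third failure from 203.0.113.45, the subsequent root login from the same address, the sudo command, bob's login from an address outside the trusted ranges, and the kernel USB message that no rule understands. The ignore list is where the tuning effort goes; every pattern added to it is a decision that a class of events is not worth reading, so it deserves the same review as a firewall rule.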