FAQ overflow: Great Answers to Questions About Everything

QUESTION

What are the tell-tale signs that a Linux server has been hacked? Are there any tools that can generate and email an audit report on a scheduled basis?

{ asked by cowgod }

ANSWER

  1. Keep a pristine copy of critical system files (such as ls, ps, netstat, md5sum) somewhere, with an md5sum of them, and compare them to the live versions regularly. Rootkits will invariably modify these files. Use these copies if you suspect the originals have been compromised.
  2. AIDE or Tripwire will tell you of any files that have been modified - assuming their databases have not been tampered with.
  3. Configure syslog to send your logfiles to a remote log server where they can't be tampered with by an intruder. Watch these remote logfiles for suspicious activity.
  4. Read your logs regularly - use logwatch or logcheck to synthesize the critical information.
  5. Know your servers. Know what kinds of activities and logs are normal.
{ answered by Brent }
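A minimal version of point 1 above, as an added example that is not part of the original answer: a POSIX shell script that records hashes of critical binaries into a baseline and later reports any file that changed or disappeared. It assumes the baseline and the script itself are kept on read-only or offline media, uses sha256sum rather than the md5sum named in the answer, and lets you point it at a pristine copy of the hashing tool via the hypothetical HASH_TOOL variable so a trojaned system binary cannot vouch for itself.

```shell
#!/bin/sh
# Integrity baseline/check for critical system binaries (example, not the post's own code).
# Assumptions: the baseline file lives on media an intruder cannot rewrite, and
# HASH_TOOL (hypothetical) may name a pristine copy of sha256sum kept off-box.
HASH=${HASH_TOOL:-sha256sum}

# Constructed list following the answer (ls, ps, netstat, md5sum); adjust per distro.
CRITICAL_FILES="/bin/ls /bin/ps /bin/netstat /usr/bin/md5sum"

# baseline_create <baseline_file> <file...>
# Writes one "HASH  PATH" line per file. Fails if any file is missing.
baseline_create() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
        "$HASH" "$f" >> "$baseline"
    done
}

# baseline_check <baseline_file>
# Recomputes each hash and prints MODIFIED/MISSING lines for mismatches.
# Returns 0 when everything matches, 1 otherwise (cron mails non-zero runs).
baseline_check() {
    baseline="$1"
    status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        actual=$("$HASH" "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# Typical use: baseline_create /mnt/ro/baseline $CRITICAL_FILES (once, on a clean box),
# then baseline_check /mnt/ro/baseline from a daily cron job.
```

A non-zero exit from baseline_check is enough for cron to mail you the report, which covers the scheduled-audit half of the question.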