#contents

*Rootkit Problem on FLEX [#rootkitproblem]

A rootkit is a malicious software designed to obtain root-level access to a computer while hiding its presence or identity from antivirus software. Common ways for rootkits to get installed on your system are through trojan horses contained in drive-by downloads, known system vulnerabilities, suspicious email attachments, web surfing, or simply by password cracking.

On Linux, there are several rootkit scanner tools that help project against known or potential rootkits. One such rootkit detection tool is called Rootkit Hunter (rkhunter).

* Protecting FLEX by rkhunter [#protect]

**Installation [#install]

Install rkhunter on Ubuntu:
 $ sudo apt-get install rkhunter

**Perform Rootkit Scanning [#perform]

To perform rootkit scanning on FLEX, simply run the following.
 $ sudo rkhunter -c

Once rkhunter is initiated, it will go ahead and run a series of tests as follows.
- Compare SHA-1 hashes of system binaries against known good values maintained in the database.
- Check for known rootkit files and directories, as well as rootkit strings.
- Perform malware detection, including checking for login backdoors, sniffer log files, and other suspicious directories.
- Perform trojan specific checks such as examining enabled xinetd services.
- Perform checks on network ports and interfaces.
- Perform system boot checks.
- Perform group and account checks.
- Perform system configuration file checks.
- Perform filesystem checks. 

** Log files [#log]
Once scanning is completed, rkhunter stores the result in /var/log/rkhunter.log. We can check for any warning and results something like this:

 System checks summary
 ===================== 
 
 Rootkit checks...
    Rootkits checked : 310
    Possible rootkits: 2
    Rootkit names    : SHV4 Rootkit, SHV5 Rootkit
 
 Applications checks...
    All checks skipped
 
 The system checks took: 1 minute and 54 seconds
 
 All results have been written to the log file: /var/log/rkhunter.log
 
 One or more warnings have been found while checking the system.
 Please check the log file (/var/log/rkhunter.log)

**Database update [#update]

Rootkit Hunter relies on a set of database files to detect rootkits. If we would like to check if the database files are up-to-date, simply run rkhunter with "--update" option. If there is a newer version of the database files, it will automatically fetch up-to-date database files using wget.
 $ sudo rkhunter --update 
 
 [ Rootkit Hunter version 1.4.0 ]
  
 Checking rkhunter data files...
   Checking file mirrors.dat                                  [ No update ]
   Checking file programs_bad.dat                             [ No update ]
   Checking file backdoorports.dat                            [ No update ]
   Checking file suspscan.dat                                 [ No update ]
   Checking file i18n/cn                                      [ No update ]
   Checking file i18n/de                                      [ No update ]
   Checking file i18n/en                                      [ No update ]
   Checking file i18n/tr                                      [ No update ]
   Checking file i18n/tr.utf8                                 [ No update ]
   Checking file i18n/zh                                      [ No update ]
   Checking file i18n/zh.utf8                                 [ No update ]

* FLEX Firewall [#firewall]

We also set up firewall for FLEX to protect it from any outsider's attacks. The software to perform firewall management in Ubuntu is UFW.
 $ sudo ufw enable
By defaults, we deny all incoming connections and allow all outgoing connections.
 $ sufo ufw default deny incoming
 $ sudo ufw default allow outgoing
And then, we open some specific standard ports used for communications:
 $ sudo ufw allow ssh
 $ sudo ufw allow ftp
 and so on.

We found recently that some ports still can be explored by outsiders. We therefore add the following rules:
 $ sudo ufw deny out 3724
 $ sudo ufw deny 40000:60000/tcp
 $ sudo ufw deny 40000:60000/udp
To check the firewall status, use the following command:
 $ sudo ufw status verbose




Front page   Edit Diff Backup Attach Copy Rename Reload   New List of pages Search Recent changes   Help   RSS of recent changes