The exploitation of servers within an enterprise network is often a tremendous money maker for network attackers.
Pwn an enterprise file server in the DMZ, and one can potentially obtain all manner of sensitive customer data. Successfully exploiting a database server can wreak much havoc within a network. Obtain privileged access to a domain controller, and one can -- for all practical purposes -- own the domain along with all data it contains.
In the interest of due diligence, prudent system administrators should familiarize themselves and their teams with some of the more useful server security tools and mechanisms at their disposal.
Don't block me, bro
The Bro Network Security Monitor is an open source network monitoring tool released under a BSD license (a simple, permissive and free software license), which allows virtually restriction-free use. When installed on a network-connected device, Bro sniffs all traffic entering and exiting its network interface. What sets Bro apart from similar network monitoring tools, such as Wireshark and Snort, is its ability to decompose all traffic into protocol-specific log files and to block traffic, rather than simply alerting on it.
For example, when installed on a network-connected device and left in its default configuration, Bro captures all inbound and outbound traffic in .pcap format and then records each packet in a log file according to its type. If an HTTP packet is captured, it is written to http.log; if a DHCP packet is captured, it is written to dhcp.log; and so on for each supported protocol. If, after analysis, the system administrator deems certain HTTP traffic malicious, she can configure Bro to block it. All of this is highly scriptable -- not to mention flexible.
Bro must run on a Unix or Unix-like platform, and to get the most out of it, system administrators should learn the Bro scripting language. Because Bro captures packets on the network, it can monitor servers running any OS. Considering that Bro is free yet powerful, these requirements are a small price to pay for its effectiveness.
Let's go log watching
Within a Linux server environment, system administrators may need to examine the activity on each individual server. Enter Logwatch. Rather than focusing on an entire network of servers, Logwatch focuses on the individual Linux server: it examines the server's logs and emails a digest of alert-worthy activity to the system administrator.
For example, Linux administrators track Secure Shell (SSH) activity against the server, a very common occurrence. Logwatch reports how many failed versus successful SSH login attempts were made against the server, along with how many root login attempts were made. Tracking this information gives the system administrator peace of mind about who is and is not successfully connecting to the server.
Logwatch is primarily a Linux tool, and system administrators can download and install Logwatch via the following command:
sudo apt-get install logwatch
Afterward, the system administrator should edit the logwatch.conf file so that alerts are emailed to whomever they deem necessary. Then, configure Logwatch to alert on specific kinds of activity, or simply leave the default settings in place and adjust the configuration as needed.
What we have here is a failure to ban
In the same spirit as Logwatch, Fail2ban is an open source, Linux-based intrusion prevention system that many consider complementary to the log-watching tool.
Like Logwatch, Fail2ban focuses on securing the individual server rather than enterprise-wide network activity, but it differs in its ability to block certain types of activity instead of simply alerting. The tool does so by examining local log files for patterns of malicious activity. Once malicious activity is detected, Fail2ban records the source IP address and inserts it into iptables with a DROP rule.
System administrators interested in using Fail2ban to help secure a Linux service, such as Apache, SSH or Courier, must first download and install it via the following command:
sudo apt-get install fail2ban
Depending on the server configuration, Fail2ban may install with the daemon already running. Therefore, system administrators should examine the jail configuration file and insert the IP addresses they want blocked or ignored, then restart the Fail2ban daemon by running the following command:
sudo /etc/init.d/fail2ban restart
At this point, Fail2ban begins examining local log files and blocks traffic from IP addresses it deems malicious.
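As an added illustration (not code from the article or from either project), the following Python script applies both mechanisms described above to a constructed auth.log sample: a Logwatch-style digest of failed versus successful SSH logins and root attempts, and a Fail2ban-style jail that counts failures per source address and emits an iptables DROP command once a threshold is reached, while honouring an ignore list. The option names maxretry, findtime and ignoreip mirror Fail2ban's jail settings; the log lines, host name and addresses are invented.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH auth.log style (not from the article); sshd lines only.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:05 srv sshd[2102]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 srv sshd[2103]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:00:12 srv sshd[2104]: Failed password for root from 203.0.113.7 port 51050 ssh2
Mar  3 10:01:00 srv sshd[2106]: Failed password for root from 10.0.0.5 port 40011 ssh2
Mar  3 10:01:03 srv sshd[2107]: Failed password for root from 10.0.0.5 port 40012 ssh2
Mar  3 10:01:06 srv sshd[2108]: Failed password for root from 10.0.0.5 port 40013 ssh2
Mar  3 10:30:00 srv sshd[2110]: Failed password for bob from 192.0.2.9 port 40020 ssh2
Mar  3 10:30:10 srv sshd[2111]: Accepted password for bob from 192.0.2.9 port 40021 ssh2
"""

# Captures timestamp, outcome, user name and source address of an sshd password/publickey line.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ "
                     r"for (?:invalid user )?(\S+) from (\S+) port")

def parse_sshd(text):
    """Yield (timestamp, outcome, user, ip) for each matching sshd line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3), m.group(4)

def ssh_digest(text):
    """Logwatch-style summary: failed vs. accepted logins and how many attempts targeted root."""
    digest = {"failed": 0, "accepted": 0, "root_attempts": 0}
    for _, outcome, user, _ in parse_sshd(text):
        digest["failed" if outcome == "Failed" else "accepted"] += 1
        if user == "root":
            digest["root_attempts"] += 1
    return digest

def fail2ban_rules(text, maxretry=3, findtime=600, ignoreip=("10.0.0.0/8",)):
    """Fail2ban-style jail: ban a source after maxretry failures within findtime seconds (never ignoreip)."""
    nets = [ipaddress.ip_network(n) for n in ignoreip]
    recent, banned = defaultdict(list), []
    for ts, outcome, _, ip in parse_sshd(text):
        if outcome != "Failed" or any(ipaddress.ip_address(ip) in n for n in nets):
            continue
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in banned]
```

The internal 10.0.0.5 host trips the threshold but is skipped because it falls under ignoreip, which is the case the jail file's ignore list exists for.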