Detecting and Handling a Break-in

by Simson L. Garfinkel

We've all heard horror stories about crackers breaking into computer systems, wreaking havoc with data, and compromising private information. If you are responsible for administering security at your site, your primary tools in the fight against computer crackers are periodic backups and an educated user base.

The most important duty of any system administrator is to make sure that regular backups of all data are made. That's because if your system is broken into, the only way you can determine what damage has been done is by comparing your system with the backup tapes.

The next step is to teach your users about computer security. Every user account on your system should have a password, and all passwords should be hard to guess, especially if your computer or network has a modem that allows remote access. Remember, passwords are your computer's first line of defense: If a potential intruder doesn't have a valid password to your system, he or she probably won't get in.

The best password is an eight-character sequence of letters that won't be found in any dictionary. Users shouldn't pick easily guessed passwords, like names, places, or license plate or social security numbers. And don't think that by taking an easily guessed password and reversing it, or capitalizing it, or adding a number, you'll be making it substantially harder to guess. With a 2400-baud modem and an automatic dialing program, a typical cracker can try 100,000 such combinations in just under two weeks, working nights so you won't notice their repetitive dialing.
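The guessing rules above (a dictionary word, possibly reversed, capitalized, or with a digit tacked on) are easy to turn into a check you can run before a password is accepted. The script below is an added example and not part of the original article; the word list it uses is a tiny constructed sample, and the function and file names are this example's own. A real run would point it at the system dictionary, such as /usr/dict/words.

```shell
#!/bin/sh
# Added example, not from the original article: a check that applies the
# guessing rules the text describes. A password is reported weak if it is
# shorter than eight characters, or if lower-casing it, stripping trailing
# digits, or reversing it (in any combination) yields a word in the list.
# The word list here is a tiny constructed sample (assumption of this
# example); a real run would use the system dictionary, e.g. /usr/dict/words.

# Print $1 reversed (plain awk, so it works where rev(1) is absent).
reverse_string() {
    printf '%s' "$1" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'
}

# password_is_weak WORDLIST PASSWORD -> exit status 0 when weak, 1 otherwise
password_is_weak() {
    wordlist=$1
    pw=$2
    [ "${#pw}" -lt 8 ] && return 0
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    stripped=$(printf '%s' "$lower" | sed 's/[0-9]*$//')
    for cand in "$lower" "$stripped" \
                "$(reverse_string "$lower")" "$(reverse_string "$stripped")"; do
        [ -n "$cand" ] || continue
        # -x: whole line must match; -F: candidate is a literal, not a regex
        grep -q -x -F -- "$cand" "$wordlist" && return 0
    done
    return 1
}

# Constructed sample word list written to a temporary file; prints its path.
sample_wordlist() {
    f=$(mktemp) || return 1
    printf '%s\n' secret password boston newyork dolphin > "$f"
    printf '%s\n' "$f"
}

# Demonstration on the sample list.
wl=$(sample_wordlist)
for p in Secret1 Terces99 xq7vmz2k; do
    if password_is_weak "$wl" "$p"; then echo "$p: weak"; else echo "$p: ok"; fi
done
rm -f "$wl"
```

Note that "Terces99" is caught even though it is neither a dictionary word nor a simple reversal: the check strips the digits first and then reverses, which is exactly the order a cracker's program would try.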

If your computer is attached directly to the Internet, you'll have other security concerns as well. Unless your /etc/exports file restricts who may mount them, there's nothing that prevents another computer on the Internet from mounting the disks exported by your computer's Network File System (NFS) server. Once the disks are mounted, an attacker can view any file or create his own. Other network services have unknown back doors as well: ways that someone on the Net can gain access to your computer without first logging in.

Instead of disconnecting from the Net, set up a firewall between your internal network and the outside world. A firewall is a router that is configured so packets from the outside world can only be sent to a single machine on your internal network. Concentrate all of your security on this machine: Give it no user accounts, remove the C compiler, and don't run any network services other than mail.

Detective work
Normally, you'll discover a break-in because something about your computer will be amiss: a new account has been added to your /etc/passwd file or NetInfo database, or a new version of the passwd command has been installed.

Your users will sometimes notice the results of a break-in before you do: Somebody might discover missing files or that a few new files have been mysteriously created. Users should be taught to report all such happenings to the system administrator. Tell them to make the report by telephone; the intruder might be monitoring your electronic mail.

Another break-in giveaway is suspicious activity on the part of your authorized users, like a user who is logged in on two separate dial-up lines simultaneously, or a user logged in when you know he's hiking in the Australian outback.

System managers should make a habit of snooping around their systems, looking for things that are unusual. Use the last command to look at the logfiles of your computers with dial-ins or network access; see who is logging on after hours or over the weekends. Look at the modification times of the programs in the /bin, /usr/bin, /usr/ucb, /NextApps, and /LocalApps directories to see if anything has changed without your knowledge. Bear in mind that an intruder can reset a file's modification time, so a list of checksums taken while the system was known to be good is a more reliable basis for comparison than the dates alone. Scan the /etc/sendmail/aliases file to see if new aliases have been created without your knowledge. Look in your users' home directories to see if ~/.rhosts files have been created; NeXTstep doesn't need them, but an intruder might create such a file to allow remote access from a computer outside your network. Also check the file /etc/hosts.equiv. When looking around your computer, be mindful of people's privacy. But don't be shy, either: Snooping around your system is really no different than having a guard walk around an office at night.

Don't panic!
After a security breach, you'll be faced with many different choices. No matter what has happened, you will only make matters worse if you act without thinking.

Before going on, ask yourself: Do you really have a security breach, or has one of your authorized users simply made a mistake? Was any damage really done? Is it important to obtain and protect evidence that might be used in an investigation? Is it important to get the system back into normal operation as soon as possible? Are you willing to take the chance that files have been altered or removed? If not, how can you be sure changes were made? Does it matter if anyone within the organization hears about the incident? If somebody outside hears about it?

And lastly: Can it happen again?

Before going further, get a notebook and start a log immediately. Write down everything you know about your current security situation and what you suspect.

If you've caught an intruder in the act, you have a number of choices. You can ignore them or try to contact them with the UNIX write or talk commands. You can look at what they are doing with the ps command. Alternatively, you might try to trace the connection using commands like finger, who, or netstat. Lastly, you can break the connection by either killing their processes, unplugging the modem or network connection, or shutting down the computer.

Cleaning up
After a break-in, you'll probably want to shut down your system anyway and take stock of what's happened. Now you'll need to do a thorough check of your disks to see if anything was altered. You might want to reassign passwords to all of your users, delete all ~/.rhosts files, and scan the file system for new setuid files. As a last resort, you can always reload the operating system from its distribution media and restore your data from a backup made before the break-in; a backup made afterward may already contain the intruder's changes.
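The routine checks from the Detective work section (after-hours logins in the output of last, changed programs in the system directories, stray ~/.rhosts files, an over-trusting /etc/hosts.equiv) and the post-break-in scan for new setuid files above can be collected into a handful of shell functions. The script below is an added example, not code from the original article or from NeXTstep; every path is a parameter so the functions can be pointed at the real /bin, /usr/bin, /NextApps and home directories or at a scratch tree, and the last output at the bottom is constructed, not a real log. It also keeps a checksum baseline rather than relying on modification times, since an intruder can reset those.

```shell
#!/bin/sh
# Added example, not part of the original article: shell helpers for the
# routine checks the article describes. Every path is a parameter, so the
# functions can be run against /bin, /usr/bin, /NextApps, users' home
# directories and /etc/hosts.equiv on a real system, or against a scratch
# tree. The `last` output at the bottom is constructed, not a real log.

# Checksum baseline of a tree: "crc size path" per file, in stable order.
# Modification times can be reset by an intruder; a checksum list made while
# the system is known-good (and kept offline) is the sturdier comparison.
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        cksum "$f"
    done
}

# Compare the tree at $1 against a baseline file $2. Prints each file that is
# new, missing or changed; returns 0 if identical, 1 if anything differs.
compare_baseline() {
    tmp=$(mktemp) || return 2
    make_baseline "$1" > "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    diff "$2" "$tmp" | awk '
        /^</ { print "in baseline, missing or changed now: " $4 }
        /^>/ { print "new or changed since baseline:      " $4 }'
    rm -f "$tmp"
    return 1
}

# Setuid files under $1: a fresh one is a classic back door.
find_setuid() {
    find "$1" -type f -perm -4000 -print | LC_ALL=C sort
}

# .rhosts files under the home-directory root $1.
find_rhosts() {
    find "$1" -type f -name .rhosts -print | LC_ALL=C sort
}

# Returns 0 if the hosts.equiv-style file $1 contains a bare "+", which
# trusts every host on the network.
hosts_equiv_open() {
    grep -q '^+[[:space:]]*$' "$1"
}

# Read `last` output on stdin and print logins on weekends or outside the
# hours $1..$2 (default 8..18). The host column is absent on some dial-in
# lines, so the login time is located by pattern, not by column number.
after_hours_logins() {
    awk -v start="${1:-8}" -v end="${2:-18}" '
        {
            t = 0
            for (i = 4; i <= NF; i++)
                if ($i ~ /^[0-9][0-9]:[0-9][0-9]$/) { t = i; break }
            if (t == 0) next
            day = $(t - 3)
            hour = substr($t, 1, 2) + 0
            if (day == "Sat" || day == "Sun" || hour < start || hour >= end)
                print $1, $2, day, $t
        }'
}

# Constructed sample of `last` output (these are not real log lines).
sample_last() {
    cat <<'EOF'
root     console                   Mon Mar  4 09:12 - 17:30  (08:18)
alice    ttyp1    far.example.com  Sat Mar  9 02:13 - 02:45  (00:32)
bob      ttyp2    pc12.example.com Tue Mar  5 23:50   still logged in
carol    ttyd0                     Wed Mar  6 10:05 - 10:40  (00:35)
EOF
}

# Demonstration on the constructed sample. On a real system you would run,
# for example:  last | after_hours_logins   and   make_baseline /bin > /floppy/bin.sums
sample_last | after_hours_logins
```

Run make_baseline once on each system directory while the machine is known to be clean and keep the output off the machine (a floppy or the backup tape); compare_baseline then shows exactly which programs differ, which is what you want to know before deciding whether to reload from distribution media.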

If you know who broke into your system, you might consider legal action, but consult an attorney first. Remember, many computer crimes are actually inside jobs committed by disgruntled employees.

Simson L. Garfinkel is a NeXTWORLD senior editor and coauthor of Practical UNIX Security (O'Reilly & Associates, 1991).