What tools does Brownrice use to alert us to a compromised hosted web site or server? Let me show you:
OSSEC: A great open source tool that constantly monitors server log files and file systems in real-time. OSSEC’s log monitoring helps with an important part of PCI Compliance, it can be configured to automatically block bad guys from doing bad things, and its a fantastic tool for post-mortem hack analysis. We have OSSEC installed on all of our hosting servers, virtual servers, and managed customer servers. It reports back to a mother-ship server so we can keep an eye on things from a central location.
Clamav: Another open source project that we’ve been using for years and just seems to keep getting better and better. Clamav is free (like OSSEC) and we’ve always used it on our anti-spam servers to scan incoming email for viri. Recently we’ve noticed that it is also great at scanning a web site’s files for intrusion/malware/hacky-stuff so we’ve begun running it every night on all of our shared web hosting servers. To date its identified infected web site files with 100% accuracy.
rkhunter: Yep, more free, open source goodness. We’ve used rkhunter for years to identify servers that have been compromised. In the early days we’d wipe out the operating system of any machine that rkhunter identified as having a rootkit installed in it. After some time we got good enough that we were able to actually diagnose the rootkit and remove it from an infected machine which sure made customers happy since they experienced no downtime. The reality now is that we don’t see *any* rootkits these days – but we still install rkhunter on every machine that we manage – just in case.
Sucuri: While this isn’t an open source company they are doing GREAT work and I’m happy to link to them. They’ve got a free site scanner that not only checks the site for malware it also checks the site against a bunch of blacklists. Sucuri also has a paid-for service that will scan your site at periodic intervals and alert you to a hack. They’ll also come into a hacked site and clean out the infection. We clean hacks for our hosting and virtual server customers as part of our normal hosting service – but I hear Sucuri does a great job as well.
Google Safe Browsing: I’m sure you’ve navigated to a site with either the Google Chrome or Firefox browsers and have been faced with a menacing page that says something to the effect of “The web site you are about to visit is infected, has malware, and is part of the axis of evil and may destroy your life and that of your computer. Are you sure you want to proceed?!?” The great thing for us is that Google provides this info free of charge to everyone, whether you are using a Browser or not: We scan this page to ensure our network is always clean: http://www.google.com/safebrowsing/diagnostic?site=AS:17098
The tools above are our “security suite.” We use many other monitoring tools as well (coming in other post.) Combining all of these things allow us to nearly immediately know that a client site or server is has been compromised and gives us a quick and clear picture of how the bad guy got in and what they did so we can close the door, kick them out, and inform the customer.
What security tools do you like to use? Did we miss any good ones? (I’m sure we did.) Let me know in the comments!
~ Oban