Do I still trust my server?

The second edition of our security column focuses on the question of how to detect manipulations on your server. Or, to put it another way: Do I still trust my server?

There are various methods to detect server manipulations, which should ideally be combined. One such method is the use of file-based "Intrusion Detection Systems," like the "Advanced Intrusion Detection Environment," or AIDE for short.

AIDE is typically shipped with modern Linux distributions and can therefore be installed via the package manager. It is configured in the file aide.conf, which contains rules specifying which files and directories are to be inspected and which attributes are recorded for them. It is important to note that AIDE cannot detect manipulations that were already present before the software was set up. It is therefore advisable to install and configure AIDE while the host system can still be assumed to be trustworthy, for example right after setting up the system in a secure environment.

AIDE creates a "snapshot" of the files installed on a server, which then serves as the baseline for all further analysis. For this, AIDE calculates a checksum for each file specified in the configuration and stores it, together with the file's attributes, in a database. At regular intervals, for example once a day, AIDE recalculates these checksums and compares them with those in the database. If a checksum has changed, the administrator is informed and can then investigate whether the change is plausible or possibly the result of an attacker's manipulation. For example, if the stored checksum of the web server executables or their configuration changes right after an update of the web server, this is plausible. If such a change occurs outside of such procedures, however, it should raise suspicion. Software usually does not change on its own without external intervention; if it does, unexpected functionality may have been added. Consequently, it is essential to investigate what might have happened and whether continuing operation carries risks.
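As an added illustration (not AIDE's own code and not part of the original column), the following Python script mimics AIDE's baseline-and-compare cycle on a set of directories: it records a checksum, permission bits and size per file, stores them as a JSON database, and on a later run reports added, removed and changed files. The function names and the JSON format are assumptions made for this example.

```python
import hashlib
import json
import os
import stat


def file_record(path):
    """Attributes stored per file: SHA-256 of the contents, permission bits and size.
    AIDE records more (owner, mtime, inode, ...); this subset is enough to show the idea."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def scan(roots):
    """Walk the monitored directories and record every regular file (symlinks skipped)."""
    records = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.isfile(full) and not os.path.islink(full):
                    records[full] = file_record(full)
    return records


def build_baseline(roots, db_path):
    """Take the snapshot once, while the host is still trustworthy (like `aide --init`)."""
    db = scan(roots)
    with open(db_path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)
    return db


def check_against_baseline(roots, db_path):
    """Rescan and diff against the stored database (like a daily `aide --check`).
    Returns added, removed and changed paths for the administrator to assess."""
    with open(db_path) as fh:
        baseline = json.load(fh)
    current = scan(roots)
    changed = [p for p in current if p in baseline and current[p] != baseline[p]]
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(changed),
    }
```

As with AIDE's own database, the baseline file must be kept where an attacker on the host cannot rewrite it (read-only media or a separate host), because a tampered baseline hides tampered files.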

In everyday IT operations, administrators usually cannot know every vulnerability in their server software, and there are often extended periods between the disclosure of a vulnerability and its remediation. It is therefore crucial to pay attention to unusual changes and to inspect your systems regularly for such alterations. Tools like AIDE can assist with this. If a potential compromise is discovered, a cautious approach is important.

For detailed information on AIDE, its configuration and secure usage, please refer to the developer's page. If you suspect that your systems have been compromised, we are here to assist you. Additionally, our experts can help analyze your systems for potential vulnerabilities or harden your servers. Get in touch with us!