Network Integrity Monitoring

By Daniel Scocco

This is a guest post by David Montine. If you want to guest post on this blog, check out the guidelines here.

If you have a blog, or own domain names, you should be worried about how secure they are. Who wants to wake up one day to find their blog defaced, blacklisted, or listed at http://www.zone-h.org/archive ? (Yes, they have a full web site showing screenshots of hacked sites.)

Or, even worse, find out days later that someone got access to your account at the registrar and modified the WHOIS and DNS records for your site?

Attackers are getting smarter, so you need to protect yourself. There are plenty of documents explaining how to improve the security of your servers or how to harden your WordPress installation. Today, however, I would like to talk about integrity monitoring.

Network Integrity Monitoring

Integrity monitoring is a very common practice in server security. It is generally done at the file system level: a cryptographic checksum (hash) of each of your files is recorded as a baseline, the files are re-hashed periodically, and if anything no longer matches the baseline you get an alert. Useful, no? This is called FIM (file integrity monitoring).
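As an added example (not part of the original post, and not the tool described in it), here is a minimal FIM in Python. It hashes every file under a directory to build a baseline, rescans later, and reports what was added, removed or modified. Besides the SHA-256 of the content it records size, mode and owner, so a permission change that leaves the content intact is still caught. The web root, its file names and the "tampering" are constructed in a temporary directory so the script runs offline.

```python
"""Minimal file-integrity monitor (FIM): baseline a directory tree, rescan, diff.

Added example, not the tool described in the post. The web root, its files and
the tampering below are constructed in a temporary directory so it runs offline.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes a FIM should track for one file.

    SHA-256 covers the content; size, mode and uid catch changes that leave the
    content alone (e.g. chmod 777 on wp-config.php, or a change of owner).
    """
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.lstat()
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
    }


def snapshot(root: Path) -> dict:
    """Map every regular file under root (as a relative path) to its fingerprint."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Symlinks are skipped: hashing them would follow the link, possibly
            # to a target outside the monitored tree.
            if p.is_symlink() or not p.is_file():
                continue
            snap[str(p.relative_to(root))] = fingerprint(p)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added, removed and modified paths.

    For a modified path the value maps each changed attribute to
    (baseline value, current value).
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = {
            key: (baseline[path][key], current[path][key])
            for key in baseline[path]
            if baseline[path][key] != current[path][key]
        }
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a tiny web root, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'x');\n")
        (root / "index.php").write_text("<?php echo 'hello';\n")
        os.chmod(root / "wp-config.php", 0o600)
        # Round-trip the baseline through JSON, the form it would be stored in.
        baseline = json.loads(json.dumps(snapshot(root)))

        # Simulated compromise: backdoored index, dropped dump, loosened permissions.
        (root / "index.php").write_text("<?php eval($_POST['c']);\n")
        (root / "db-dump.sql").write_text("-- dump\n")
        os.chmod(root / "wp-config.php", 0o755)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline has to live where the web server cannot write to it (another host, or at least a signed, read-only file): an attacker who can overwrite index.php can usually also rewrite a baseline kept next to it. The scan itself belongs in cron or a systemd timer, not in someone's memory.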

What we don't see often is this kind of integrity checking applied to your Internet assets. What if someone modifies your site in the middle of the night? Or changes the registration information of your domain? When will you find out?

To be really cautious, you can run a few commands every day and compare the results with what you expect. For example, to check which IP addresses your domain points to, you can do an nslookup at the command prompt:

>nslookup domain.com

Or go to online tools like http://network-tools.com/ or http://dnsstuff.com to check the same information, including the WHOIS registration data.

However, repetitive tasks are better handled by an application, so you don't have to remember to do them. That's why I released a very simple online tool that automates this integrity checking for you. It has a very creative name, NBIM (Network-Based Integrity Monitoring), and is available online for anyone to use (yes, free: no ads, no survey to fill in, etc.).

You go there, add the web sites and domains to be monitored, and when something changes you receive an alert via email (or Twitter) showing when and what was altered. If you didn't make the change yourself, you can rush to restore your site from your previous backup (you do keep one, right?) or call your domain provider to fix the issue, protecting your online presence.
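To make the idea concrete, here is an added example of the same check done in Python; it is not Sucuri's code and not part of the original post. It keeps a baseline of a domain's DNS record sets and of its WHOIS text, diffs the current capture against the baseline, and builds the notification, escalating when a registrar lock (the clientTransferProhibited family of status codes) has disappeared, which is exactly the change the alert below reports. The DNS answers and WHOIS text are constructed sample data so the script runs offline; the diff is in unified format rather than the ed-style format of the real alert.

```python
"""NBIM-style check: snapshot a domain's public records and alert on change.

Added example, not Sucuri's code. The DNS answers and WHOIS text are
constructed sample data so it runs offline; in production fetch them with
a resolver library and a WHOIS query, and store the baseline off-host.
"""
import difflib
import re
from typing import Dict, List, Tuple

# Key: (owner name, record type); value: the sorted rdata set.
Snapshot = Dict[Tuple[str, str], Tuple[str, ...]]

# Registrar locks whose removal is the precondition for a domain transfer/hijack.
LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}

# Constructed baseline, as captured "yesterday" (addresses from the documentation ranges).
BASELINE_DNS: Snapshot = {
    ("example.com", "A"): ("192.0.2.10",),
    ("example.com", "NS"): ("ns1.example-dns.net.", "ns2.example-dns.net."),
    ("example.com", "MX"): ("10 mail.example.com.",),
}
BASELINE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 26-feb-2007
"""

# Constructed "today": the A record now points elsewhere (pharming) and the
# registrar locks are gone, the pattern in the alert quoted in the post.
CURRENT_DNS: Snapshot = {**BASELINE_DNS, ("example.com", "A"): ("198.51.100.66",)}
CURRENT_WHOIS = BASELINE_WHOIS.replace(
    "Status: clientDeleteProhibited\n"
    "Status: clientTransferProhibited\n"
    "Status: clientUpdateProhibited\n",
    "Status: ok\n",
).replace("26-feb-2007", "07-jan-2009")


def diff_dns(old: Snapshot, new: Snapshot) -> List[str]:
    """One line per record set whose rdata changed, appeared or vanished."""
    lines = []
    for name, rrtype in sorted(set(old) | set(new)):
        before, after = old.get((name, rrtype), ()), new.get((name, rrtype), ())
        if before != after:
            lines.append(f"{name} {rrtype}: {before} -> {after}")
    return lines


def whois_statuses(text: str) -> set:
    """The EPP status codes listed in a WHOIS record."""
    return set(re.findall(r"^Status:\s*(\S+)", text, re.MULTILINE))


def diff_whois(old: str, new: str) -> dict:
    """Unified diff of the WHOIS text, plus any registrar locks that disappeared."""
    udiff = list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                      "whois/yesterday", "whois/today", lineterm=""))
    removed = LOCKS & (whois_statuses(old) - whois_statuses(new))
    return {"diff": udiff, "locks_removed": sorted(removed)}


def build_alert(domain: str, old_dns: Snapshot, new_dns: Snapshot,
                old_whois: str, new_whois: str) -> str:
    """Text of the notification to send; empty string when nothing changed."""
    parts = []
    dns_changes = diff_dns(old_dns, new_dns)
    if dns_changes:
        parts.append(f"{domain} (dns) modified:\n  " + "\n  ".join(dns_changes))
    whois = diff_whois(old_whois, new_whois)
    if whois["diff"]:
        parts.append(f"{domain} (whois) modified:\n" + "\n".join(whois["diff"]))
    if whois["locks_removed"]:
        # Escalate: an unlocked domain can be transferred away within days.
        parts.append("WARNING: registrar lock removed: " + ", ".join(whois["locks_removed"])
                     + ". Call the registrar before a transfer completes.")
    return "\n\n".join(parts)


if __name__ == "__main__":
    print(build_alert("example.com", BASELINE_DNS, CURRENT_DNS, BASELINE_WHOIS, CURRENT_WHOIS))
```

Two practical points when running this for real: query more than one resolver (a poisoned or hijacked resolver would otherwise be your only source of truth), and treat the lock status as the highest-priority field, since the post's own story shows an account compromise surfacing first as a silently removed lock.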

How useful is it? A few months ago (real story), I got this alert via email:

Sucuri nbim: www.xx.com (whois) modified
Modifications:
16,19c16,17
< Status: clientDeleteProhibited
< Status: clientTransferProhibited
< Status: clientUpdateProhibited
< Updated Date: 26-feb-2007
---
> Status: ok
> Updated Date: 07-jan-2009

End of Notification

I was shocked! Someone had removed the lock from my domain. I immediately called the registrar and found out that it had been unlocked from my account a day before, from an IP address located in Korea. I changed my password immediately (it was kind of weak) and reported the issue to the ISP that owns that IP address.

Anyone is welcome to try it and see for themselves. It is very important to keep verifying that your Internet presence is not being altered, and to learn about it the same day rather than weeks later.

David Montine is the founder of Sucuri.net, a site that provides several information security tools and services.


11 Responses to “Network Integrity Monitoring”

  • Bob

    Premature post. Don’t worry, it happens to all the guys.

  • Mayooresan

    Wow, interesting.
    These hackers usually hack popular blogs and sites. So far my site is not that popular, so I can sleep for a while. lol 🙂

    Most of the internet security gurus are complaining that WordPress lacks security and is vulnerable to hackers. Is it true?

  • Daniel Scocco

    @Mayooresan,

    My rule of thumb is that if someone wants to hack your website, he will manage to do it somehow.

    Your first defense is therefore your backups.

    As for WordPress, as long as you keep updated with the latest versions, it should not be more or less secure than other CMSs.

  • Melodee Patterson

    Thanks for the wonderful free monitoring tool. I was wondering how I could easily watch for problems.

  • dd

    Mayooresan:

    Don't think that just because your site is not popular you will not be a target. Lots of attacks lately are done by automated tools that scan all possible sites (either using Google search or direct scans by IP) and attempt to exploit the vulnerable ones.

  • excITingIP.com

    I had recently written an article on phishing and pharming. So the hackers can actually change the DNS records and make users who type your website name into a browser go to theirs!! So I guess this is a good application. Thanks for the info.

    excITingIP.com

  • Chanda @ BizDharma.com

    True, Daniel. It doesn't matter if the blog is big or small; there are many spammers who just want to get a hook into your blog to spam it, even if you don't get more than a few thousand users.

  • GoBusiness101

    Very concrete example you gave. Almost hacked by the hackers.

  • Nate Holland

    Wow, thanks for the info and free dl. This will really come in handy for bloggers and marketers alike. I seriously don't get why they need to hack sites. I mean, even accounts on social networks are hacked. Whatever for?

  • teratips

    Now this tool will help great people, thanks

  • Boerne Search

    Wow, I never even thought of this. I better look into it. Thanks again.

    Kane

Comments are closed.