This is a guest post by David Montine. If you want to guest post on this blog, check out the guidelines here.
If you have a blog, or own domain names, you should be concerned about how secure they are. Who wants to wake up one day to find their blog defaced, blacklisted or listed at http://www.zone-h.org/archive ? (Yes, they have a full web site showing screenshots of hacked sites.)
Or, even worse, to find out days later that someone managed to get access to your account at the registrar and modified the whois and DNS records for your site?
Attackers are getting smarter, so you need to protect yourself. There are multiple documents explaining how to improve the security of your servers or how to harden your WordPress installation. Today, however, I would like to talk about integrity monitoring.
Integrity monitoring is a very common practice in server security, generally done on the file system: a cryptographic checksum of all your files is recorded, and if something changes you get an alert. Useful, no? This is called FIM (file integrity monitoring).
What we don't see often is this kind of integrity checking applied to your Internet assets. What if someone modifies your site in the middle of the night? Or changes the registration information of your domain? When will you find out?
To be really cautious, you can run a few commands every day to verify that all your information is accurate. For example, to check the IP addresses your domain points to, you can run nslookup at the command prompt:
>nslookup domain.com
Or go online to sites like http://network-tools.com/ or http://dnsstuff.com to check that information.
However, repetitive tasks are better done by an application, so you don't have to worry about them. That's why I released a very neat and simple online tool that automates this integrity checking for you. It has a very creative name, NBIM (Network-based integrity monitoring), and is available online for anyone to use (yes, free: no ads, no survey to fill in, etc.).
You go there, add your web site and domains to be monitored, and when something changes you receive an alert via email (or Twitter) showing when and what was altered. If you didn't make the change yourself, you can rush to restore your site from the previous backup (you do keep one, right?) or call your domain provider to fix the issue, thus protecting your online presence.
How useful is it? A few months ago (real story), I got this alert via email:
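The core of such a monitor is simple to sketch: normalize the record, fingerprint it, and diff against the stored baseline when the fingerprint changes. The Python below is an added example written for this post, not NBIM's own code; it assumes you already fetch the whois text and DNS answers yourself (for example from a daily cron job) and works on constructed sample records for a made-up domain.

```python
import difflib
import hashlib

# Whois lines whose value changes on every query; they are ignored so they do
# not trigger false alerts (assumption: volatile fields of a typical registrar
# output, adjust the prefixes for yours).
VOLATILE_PREFIXES = ("Last update of whois database", ">>> Last update")

def normalize_whois(text):
    """Keep only stable, stripped lines so the hash compares meaningful content."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith(VOLATILE_PREFIXES)]

def normalize_dns(answers):
    """Sort resolver answers: round-robin order differences are not a change."""
    return sorted(a.strip().lower() for a in answers)

def fingerprint(lines):
    """SHA-256 over the normalized lines; this is what gets stored as the baseline."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def check(asset, baseline_lines, current_lines):
    """Return None if unchanged, otherwise an alert text listing what was altered."""
    if fingerprint(baseline_lines) == fingerprint(current_lines):
        return None
    diff = difflib.unified_diff(baseline_lines, current_lines, fromfile="baseline",
                                tofile="current", lineterm="", n=0)
    return f"{asset} modified\nModifications:\n" + "\n".join(diff)

# Constructed sample records (not a real domain): the baseline taken on the first
# run, and a later snapshot in which the registrar lock has been removed.
BASELINE_WHOIS = """Domain Name: EXAMPLE.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 26-feb-2007
>>> Last update of whois database: Mon, 01 Jan 2009 10:00:00 UTC <<<"""
CURRENT_WHOIS = """Domain Name: EXAMPLE.COM
Status: ok
Updated Date: 07-jan-2009
>>> Last update of whois database: Thu, 08 Jan 2009 03:12:41 UTC <<<"""

def demo():
    whois_alert = check("example.com (whois)", normalize_whois(BASELINE_WHOIS),
                        normalize_whois(CURRENT_WHOIS))
    # Same A records returned in a different order: must not alert.
    dns_alert = check("example.com (A)", normalize_dns(["192.0.2.10", "192.0.2.20"]),
                      normalize_dns(["192.0.2.20", "192.0.2.10"]))
    return whois_alert, dns_alert

if __name__ == "__main__":
    print(demo()[0])
```

In a real deployment the baseline fingerprint and normalized lines would be stored between runs, and the alert text sent by email.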
Sucuri nbim: www.xx.com (whois) modified
Modifications:
16,19c16,17
< Status: clientDeleteProhibited
< Status: clientTransferProhibited
< Status: clientUpdateProhibited
< Updated Date: 26-feb-2007
---
> Status: ok
> Updated Date: 07-jan-2009
End of Notification
I was shocked! Someone had removed the lock from my domain. I immediately called the registrar and found out that it had been unlocked from my account a day earlier, from an IP address located in Korea. I changed my password right away (it was kind of weak) and reported the issue to the ISP that owned that IP address.
Anyone is welcome to try it and see for themselves. It is very important to verify in real time that your Internet presence is not being altered.
David Montine is the founder of Sucuri.net, a site that provides several information security tools and services.