How can you tell a real server security threat from a false alarm? SearchOpenSource.com's Linux servers and clusters expert Don Becker, co-founder of the original Beowulf project, describes how to determine whether your server has been compromised or not.
In this tip, Becker explains the process of configuring your Linux distribution for clusters and offers a helpful hint for using the top or ps programs to determine the process identification on a server.
How do you go about installing and configuring Linux for clusters?
Don Becker: Most Linux distributions are not set up to be cluster operating systems. However, you can use them as the basis for "classic Beowulf" clusters, where a full distribution is loaded onto each machine. You'll need to add and configure management utilities and, perhaps, communications libraries. It is challenging to convert a workstation-oriented or stand-alone server distribution into a cluster because the management tools must match the specific distribution.
Most add-on cluster toolkits handle automated installation, usually by leveraging the functionality provided by the distribution. For example, they write a "kickstart" file for RPM-based distributions, like Red Hat for example. Then, they use ad hoc utilities to finish configuring each subsystem on the freshly installed distribution. These tools may need to be updated each time a new version of the underlying distribution comes out or changes.
Should users be concerned about references to Beowulf popping up in the /var/log/messages.0 file?
Becker: There are many different implementations of Beowulf software out there, and you may be seeing one of them. But it's more likely that you are seeing the kernel message from one of the device drivers I wrote when I was working on the Beowulf Project at NASA. Usage information for some of those drivers was published on the Beowulf.org website, and the drivers had URLs with "beowulf.org."
How should users handle a server whose security may have been compromised?
The safest solution is to save your applications and data, and start with a freshly installed Linux distribution on a new machine.
In the meantime, you can get an idea of what is running and where the program is located by looking at the /proc entry for one of the processes. For example, say you've found a process running on your server called "brute." Use the "top" or "ps" programs to find the process ID (PID)of a "brute." Then, look in /proc/
root# ps ax | grep brute | head -10 26235 ? Ss 0:00 /tmp/.../.brute ... root# cat /proc/26235/maps 00b31000-00b4a000 r-xp 00000000 03:0a 612182 /lib/ld-2.4.so 00b4a000-00b4b000 r-xp 00018000 03:0a 612182 /lib/ld-2.4.so 00b4b000-00b4c000 rwxp 00019000 03:0a 612182 /lib/ld-2.4.so 00b4e000-00c7b000 r-xp 00000000 03:0a 612183 /lib/libc-2.4.so ... 08047000-08052000 r-xp 00000000 03:0a 614274 /tmp/.../.brute 08052000-08053000 rw-p 0000b000 03:0a 614274 /tmp/.../.brute