When attacking Linux boxes, one of the most common script kiddie practices is to install a rootkit that replaces key system binaries with trojaned versions. These trojans are usually designed to hide files, network traffic, or processes that the intruder doesn't want the administrator to see. Binaries that report the status of the system like ps, top, ls, netstat, ifconfig, and du are commonly trojaned to filter their output to only what the intruder wants seen. Additionally, the unwelcome guest will try to cover his/her tracks by editing or deleting system logs and .bash_history files.

Fortunately, Linux includes a built-in defense against such common practices: the chattr (change attribute) command. File attributes set with this command are binding on every user, even root. There are a number of file attributes that can be set with chattr, but the ones that interest us are:

i - "Immutable." The file cannot be modified, deleted, or linked, even by root.
a - "Append only." The file cannot be deleted or moved, but may be added to.
u - "Undeletable." The file may be deleted, but its contents can be recovered.

If the +i bit is set, no user - not even root - may alter or delete the file. Although a skilled attacker with a knowledge of Linux and chattr will be able to figure it out and remove the attribute, 99% of script kiddie exploits will fail when they hit an immutable file. This attribute is very useful to protect system binaries that normally never change, save for the occasional system update. The +a and +u bits are useful for log files and history files that must be written to regularly, and are therefore unsuitable for the +i bit, but are in danger of modification by an attacker.

One of the popular rootkits widely available on the Internet will attempt to trojan the following files, so they are prime candidates for the immutable attribute:


The bit can be set like this:

chattr +i /bin/ls

Additionally, an attacker will often edit or delete root's .bash_history file, or simply redirect it to /dev/null to conceal his or her keystrokes while working as root. This file should be set with the +a attribute:

chattr +a /root/.bash_history

It might also be wise to set the +u bit in case the attacker manages to figure out what you've done and remove the attribute:

chattr +u /root/.bash_history

Depending on the particular system logger your system uses, the contents of /var/log are also good candidates for chattr +a

File attributes can be viewed with the lsattr command. As an additional security measure, once all the attributes are set, the chattr command itself may be removed from the machine to a remote machine or to some removable medium so that the attacker cannot change the attributes back. As with most basic hardening techniques, this will not stop a skilled attacker, but may slow the attacker down enough to buy you some time. However, script kiddies often don't even understand how their exploits really work, so you have a good change of stopping them in their tracks with this trick. More information on chattr and its uses can be found with "man chattr" and, of course, the ever-popular Google.