Cool Halo Trick #12: Detect name server redirection

Problem: I need to be alerted if my server stops using legitimate name servers for hostname resolution.

As part of a compromise, an attacker may modify how the system converts well-known hostnames into IP addresses. This may be done to ensure the host cannot be patched, or to block updates to security software. Halo FIM (File Integrity Monitoring) can be leveraged to detect this type of activity. Further, Halo itself is immune to these types of attacks.

There are two files we need to monitor for changes:

  • /etc/hosts – local database of IP address to hostname mappings
  • /etc/resolv.conf – identifies the name servers to use for hostname resolution

Log in to Halo, navigate to Policies -> File Integrity Policies, and create a new policy to monitor these two files.

Define a baseline server and set up alerting as appropriate for your environment.
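As an added example (not part of the original post, and not Halo's own code), the following Python script shows the checks that an FIM alert on these two files should trigger: compare the files against a recorded baseline, flag resolvers in /etc/resolv.conf that are not on your allow-list, and flag update or security-software hostnames that /etc/hosts pins to an address so DNS is bypassed. The allow-listed resolvers, watched hostnames and sample file contents are constructed assumptions for your environment.

```python
"""Detect name-server redirection in /etc/hosts and /etc/resolv.conf."""
import hashlib

# Assumptions (constructed for this example): the resolvers your environment
# actually uses, and hostnames that must never be pinned in /etc/hosts.
ALLOWED_NAMESERVERS = {"10.0.0.53", "10.0.1.53"}
WATCHED_HOSTNAMES = {"updates.example.com", "security-vendor.example.net"}

def file_fingerprint(content: bytes) -> str:
    """SHA-256 of a file's bytes; an FIM baseline records one per file."""
    return hashlib.sha256(content).hexdigest()

def changed_files(baseline: dict, current: dict) -> list:
    """Paths whose current fingerprint differs from the recorded baseline."""
    return sorted(path for path, data in current.items()
                  if file_fingerprint(data) != baseline.get(path))

def parse_resolv_conf(text: str) -> list:
    """Nameserver addresses listed in resolv.conf, in lookup order."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def unexpected_nameservers(text: str, allowed=ALLOWED_NAMESERVERS) -> list:
    """Resolvers in resolv.conf that are not on the allow-list."""
    return [s for s in parse_resolv_conf(text) if s not in allowed]

def hosts_overrides(text: str, watched=WATCHED_HOSTNAMES) -> dict:
    """Watched hostnames that /etc/hosts pins to an address, bypassing DNS."""
    found = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            if name.lower() in watched:
                found[name.lower()] = fields[0]
    return found

# Constructed sample content standing in for the live files.
SAMPLE_RESOLV = "search corp.example.com\nnameserver 10.0.0.53\nnameserver 198.51.100.9\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 updates.example.com  # pinned\n"

if __name__ == "__main__":
    print(unexpected_nameservers(SAMPLE_RESOLV))  # ['198.51.100.9']
    print(hosts_overrides(SAMPLE_HOSTS))          # {'updates.example.com': '127.0.0.1'}
```

To run it against a live host, read the two files as bytes and pass them to `changed_files`, and pass the decoded text to the two parsers.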