Intrusion Detection for Linux Servers


Published on August 14th, 2006 in Linux

After last week's post, which wasn't really about technology, this week's makes up for it. It's about Tripwire, a free tool that checks the integrity of files on a Linux server and so lets you detect whether an intruder who got into the machine has tampered with it. As I am interested in all sorts of security and performance tests, I will post some useful tutorials about Nessus, Snort (the most popular network Intrusion Detection System, I think) and other tools I can get my hands on in the near future.

Let's get back to Tripwire. Tripwire is a small software company selling tools that protect your servers' data, and they also publish an open-source version of their product (get it here), which is what I will focus on. Tripwire records cryptographic hashes (plus attributes such as owner, permissions and size) of the server's files in a database that is signed with a key, so an intruder cannot quietly rewrite the baseline to hide his changes. Even someone who gains root still needs the passphrase that protects that key; the passphrase itself is never stored, only the key encrypted under it. Be aware of the limit of this protection, though: root can still delete the database or replace the tripwire binary outright, so keep a copy of the database (and ideally of the binaries) on read-only or off-host media and compare against that copy when in doubt. Once Tripwire is installed (from the website above, or on Gentoo simply with "emerge tripwire"), the next job is to create the initial database.

Let's get started: First, set up the keys by running "/etc/tripwire/twinstall.sh". It asks you for two passphrases: the "site" passphrase protects the site key, which signs the configuration and policy files, and the "local" passphrase protects the local key, which signs the database and the reports. The plain-text configuration file is located at "/etc/tripwire/twcfg.txt". Whenever you change it, you have to regenerate the signed version from it: "twadmin --create-cfgfile --cfgfile /etc/tripwire/tw.cfg --site-keyfile /etc/tripwire/site.key /etc/tripwire/twcfg.txt".

Unfortunately, we're still not done yet. There's a policy file located at "/etc/tripwire/twpol.txt". The one provided with the Gentoo installation is made for Red Hat and dates back to 2001, so you will have to customize the policy for your own distribution and for your system in particular. This will probably be the most difficult part, but you might also find policies on the internet written by other users of your distro. After you're done customizing your policy file, you have to create a signed version of it as well. Running "twadmin --create-polfile --cfgfile tw.cfg --polfile tw.pol --site-keyfile site.key twpol.txt" from within /etc/tripwire should accomplish that. If you change the policy again later, once the database exists, "tripwire --update-policy twpol.txt" re-signs it and brings the database in line with the new policy without a full re-initialization.

Now you can finally build your initial database by running "tripwire --init". Depending on the amount of data sitting on the server and on how many directories your policy covers, this can take anywhere from a couple of minutes (the usual case) to several hours.

With a simple "tripwire --check" Tripwire compares the files against the database and reports any additions, removals and modifications it finds, writing the report to the report directory configured in twcfg.txt. Should you be okay with all of the reported changes, you accept them and update the database with the new hash values by running "tripwire --update -r" followed by the path of that report file; you will be asked for the local passphrase. Pretty easy, huh? The check should run automatically: write a shell script that runs it and sends you the report by e-mail, and schedule that script as a cron job.
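Here is a cron-ready wrapper for that check-and-mail step. It is an added example for this post, not a script shipped with Open Source Tripwire. It assumes that tripwire and mail are in PATH, that reports are written to /var/lib/tripwire/report (the REPORTFILE setting in twcfg.txt), and that the exit status of "tripwire --check" is the bitmask documented in tripwire(8): 1 = files added, 2 = files removed, 4 = files changed, 8 = error (verify against the man page of your version). The MAILTO variable, the --run argument and the function names are my own conventions.

```shell
#!/bin/sh
# Nightly Tripwire integrity check with a mailed report.
# Example for this post, not part of Open Source Tripwire.
# Assumptions: tripwire and mail in PATH; REPORTFILE in twcfg.txt points
# into REPORT_DIR; exit-status bits of "tripwire --check" as in tripwire(8).

MAILTO="${MAILTO:-root}"
REPORT_DIR="/var/lib/tripwire/report"

# Turn the exit status of "tripwire --check" into a short summary for the
# mail subject. 0 means the filesystem matches the database ("clean").
describe_status() {
    status="$1"
    out=""
    [ $((status & 1)) -ne 0 ] && out="$out added"
    [ $((status & 2)) -ne 0 ] && out="$out removed"
    [ $((status & 4)) -ne 0 ] && out="$out changed"
    [ $((status & 8)) -ne 0 ] && out="$out ERROR"
    [ -z "$out" ] && out=" clean"
    printf '%s\n' "${out# }"
}

# Extract the count from the "Total violations found:  N" line of the
# report summary that tripwire prints (reads the report text on stdin).
violation_count() {
    sed -n 's/^Total violations found:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Newest .twr report in REPORT_DIR (the one a subsequent --update refers to).
latest_report() {
    ls -t "$REPORT_DIR"/*.twr 2>/dev/null | head -n 1
}

# Run the check, mail the full report text, and exit with tripwire's status
# so cron's own mail also tells you something went wrong.
run_check() {
    host="$(hostname)"
    tmp="$(mktemp)" || return 1
    status=0
    tripwire --check > "$tmp" 2>&1 || status=$?
    summary="$(describe_status "$status")"
    count="$(violation_count < "$tmp")"
    mail -s "Tripwire on $host: $summary (${count:-?} violations)" "$MAILTO" < "$tmp"
    rm -f "$tmp"
    return "$status"
}

# Accept the changes listed in the newest report after reviewing it by hand
# (prompts for the local passphrase, as tripwire --update always does).
accept_latest() {
    report="$(latest_report)"
    [ -n "$report" ] || { echo "no report found in $REPORT_DIR" >&2; return 1; }
    tripwire --update --twrfile "$report"
}

case "${1:-}" in
    --run)    run_check ;;
    --accept) accept_latest ;;
esac
```

Install it as /usr/local/sbin/tripwire-check.sh (mode 0700, owned by root) and add a cron entry such as "0 3 * * * /usr/local/sbin/tripwire-check.sh --run". After you have read a report and are happy with the changes, "tripwire-check.sh --accept" runs the update against the newest report; never accept a report you have not actually read, since that is exactly how an intruder's changes become the new baseline.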

Here's a picture of a sample Tripwire report after running "tripwire --check":
[screenshot: tripwire report]

The main usages for Tripwire I see are corporate file servers and web servers.
As always, I'd be very thankful for suggestions on other Intrusion Detection Systems or ways to secure a UNIX system. There is, however, an effort to create a complete replacement for Tripwire called AIDE (Advanced Intrusion Detection Environment), which is open source and released under the GPL.

Trackback URL for this post:
http://www.yatblog.com/2006/08/14/intrusion-detection-for-linux-servers/trackback/