How to catch Linux system intruders
20th Sep 2008 | 06:00
Secure your Linux box by locking it down and posting a guard to watch for intruders
There's no doubt that Linux is a secure operating system. However, nothing is perfect. Millions of lines of code are churned through the kernel every second and it only takes a single programming mistake to open a door into the operating system. If that line of code happens to face the Internet, that's a backdoor to your server.
The eyes have it
Patches are often released quicker and more often for Linux systems than they are for proprietary products. This is because anyone can take a look at the code – and thousands of developers regularly do. This 'many eyes' approach, which was advanced by Linus Torvalds, means that problems like back doors are usually found quickly. It also means that fixes are released just as quickly.
There's been a very vocal debate on the Linux kernel mailing list recently, with developers arguing about whether security bugs that are fixed should be formally announced and documented. Torvalds believes that making a big song and dance about security patches attracts the attention of miscreants like bees to honey. Others believe that anything but complete openness goes against the philosophy of Free Software.
The debate is still burning, but while the overlords of the Linux kernel are deciding which way to swing, there's a great deal you can do to protect your system, even if an Internet facing service is compromised in some way.
Watching for traps with Tripwire
Tripwire generates checksums from all the essential binaries that are running on your system. Every file has a completely unique checksum. If a single bit of data changes in the file, the checksum it generates will be completely different.
These checksums can't be cracked or duplicated because they rely on a tried and tested method of encryption. Using this database of checksums, Tripwire will periodically recheck the value of each binary file in its database. If any file has changed, the wire is tripped and an alarm is signalled.
This system is incredibly effective, because the first thing a hacker usually does when they gain access to your system is replace important system files with their own version. This is known as a 'rootkit', and it means that the hacker can always access your system – even after you locate and update the original 'back door' security problem.
There are various tools that look for the tell-tale signature of a rootkit installation, but Tripwire pre-empts these tools by catching changes to the file system – hopefully before the rootkit can even be used. For this reason, you can find Tripwire in the package repository of nearly every Linux distribution we can think of. Just search for it and install.
Tripwire defence has been so successful that a proprietary company has been launched on the back of the original Tripwire product; both are confusingly called Tripwire. Thankfully, however, the opensource version of the software is still popular, despite the fact that, like all Linux security tools, it takes a considerable effort to get it working.
Most of that effort is to do with editing arcane configuration files. Choosing Ubuntu or Debian can help with this, as both of these distributions include a quick setup wizard when you install the packages. We've used Ubuntu Hardy Heron in the example configuration below. We've also provided the manual commands for configuration if you're using a different distribution.
Make sure everything that needs to be installed is installed. If you add more packages after the Tripwire installation, you'll have to go through a rather convoluted reconfiguration routine. For this reason, it's more straightforward to install Tripwire after you've configured and set up the server exactly as you need it.
After installing the Tripwire packages, you'll be presented with the Tripwire configuration wizard. The first question asks whether you want to create or use your site passkey. This is the unique encryption key that's used to generate the checksum information for your files, and Tripwire uses two – one for files that are only going to be used on the installation machine (such as the Tripwire configuration files themselves), and another for files that may be accessed and used on other machines across a network. The next page of the wizard will ask you for these.
However, there is a caveat. If someone else has a copy of the same keys, they can potentially create files that appear authentic. There's a slight security risk with keys generated by the Debian installer, so if you're in any doubt about the security of your system, you should generate the keys manually (see the next paragraph for how to do this). Otherwise, continue with the next page of the wizard, enter long phrases that you can easily remember for both configuration keys and let the set-up wizard generate the configuration file.
To generate both the local and server keys manually, open a terminal and switch to using the System Administrator's account. Type the following (Ubuntu users should precede both lines with 'sudo'):
twadmin -m G -S /etc/Tripwire/site.key
twadmin -m G -L /etc/Tripwire/ hostname-local.key
You should replace 'hostname' in the second command with your machine's hostname. In Ubuntu, this is the word that comes after the 'username@' symbol in the command line. In both cases, you'll be asked for a passphrase to generate the key. You need to use these keys to encrypt the two configuration files used by Tripwire, both of which reside in the '/etc/Tripwire' directory in plain text – which is why they have the '.txt' extension. Encrypt the first by typing the following command:
twadmin -m F -S site.key twcfg.txt
Enter pass phrase:
As you can see in the above commands, you will be asked for your passkey, and you will need to enter the passphrase that you used to generate the server-side key earlier. The second configuration file that we need to encrypt is called 'twpol.txt' . This is Tripwire's policy file, and it contains all of the policies and rules used by Tripwire to govern its file protection. Debian/Ubuntu creates a default set of policies that should be more than adequate for most installations. If you take a look at the policies themselves, you will see small sections of code that look like the example given below:
rulename = "Critical system boot files",
severity = $(SIG_HI)
The syntax above is relatively straightforward, if a little verbose. The section above is protecting critical system boot files, as explained in the rule name. You can see which directories specifically in the lower section.
The boot directory contains both Grub and the Linux boot loader. A rootkit or trojan that changes any files here could cause serious damage. The '/lib/modules' directory contains all the kernel drivers for your system. A subtle change to the modules here could cause all kinds of subtle and not so subtle havoc. For this reason, both directories have been given a severity of SIG_HI, which is the strongest possible signal from Tripwire that something is wrong.
Earlier on in the configuration file, SIG_HI is given a point score of 100. If you have directories and files that aren't part of a standard Ubuntu installation, and these need to be protected, then you'll need to create your own policies for those locations. After you've finished looking at the policy file, it's time to encrypt it as we did the first one. Just type the following:
twadmin -m P twpol.txt
You will be asked for your passphrase again before the encrypted file can be generated. And that's all the configuration you need. The next step is to type 'Tripwire --init' to start building the database from the locations specified in your configuration file. The time this takes is dependent on how many directories and files need to be scanned, but expect to wait long enough for the kettle to boil and the tea to stew.
When you come back to the screen, you'll probably see some error messages as Tripwire complains about directories specified in the configuration file that don't exist. You can safely ignore these. Tripwire is now ready to defend your system.
Testing your current file system against the copy held in the Tripwire database is as simple as typing 'Tripwire --check'. After a few minutes, Tripwire will start to report any detected changes. As an experiment, try editing one of the files covered by your policy.
You could add a new group, for example, or change a user's password. Either of these actions will change a configuration file, making it different from the one held in the Tripwire database. The generated report will include a useful table, so that you can see exactly what has changed and what kind of severity the issue has raised. Below the table, the output goes into greater detail. Here's a snippet from Tripwire's output if you change a password:
Rule Name: Security Control (/etc/shadow)
Severity Level : 66
You can see the rule name under which the password files fall under (shadow is the encrypted file used to store passwords), and you can also see the severity for the issue. At a security level of 66, it's less severe than a change detected in the boot files and modules directories, but it's still notable. Because the output from Tripwire is quite detailed, you can decide for yourself the likelihood of a compromised system. The output is stored in an encrypted form in the '/var/lib/ Tripwire/report' directory, and if you take a look at it, you can see a file for every report you've run.
If you want to make any discovered changes permanent and flag them as acceptable, type 'Tripwire --update -r hostnamereport. twr', inserting the name of the report you want to edit instead of our placeholder. This will decrypt the report's contents into a Vim editing session (as set in one of the configuration files). Instructions are embedded within the file, but you generally just need to remove an 'x' from the files you want to update.
Quitting the editor will run the scan again, with your changes added. With everything running correctly, you might want to schedule a regular time interval for Tripwire checks. Running a check at least once every 24 hours is recommended, but this all depends on the vulnerability of your system. If you know that your system has security issues, try running Tripwire once every few hours. As long as you check the reports, you can be completely certain that your system hasn't been compromised.
Update: removed incorrect space in wadmin -m G -S /etc/Tripwire/site.key. Apologies! - Ed.