Intrusion detection systems

• Tripwire (debian)

Install tripwire with apt-get (apt-get install tripwire)

cd /etc/tripwire
/usr/sbin/twadmin --create-polfile twpol.txt
/usr/sbin/tripwire --init  # Have patience, this will take a minute or so and
                           # you'll get loads of "No such file" warnings...

Ok, we're fully installed now. So let's run our first check so we can tune the policy

/usr/sbin/tripwire --check > twout.txt # lots of warnings and patience  gain...

Now use this perl script (fixpol.pl)

 chmod u+x fixpol.pl
 ./fixpol.pl twout.txt twpol.txt | more    # there's lots of output

fixpol prints what to do next near the end of its output in particular:

You should now run

 diff twpol.txt twpol.txt.new | more

to make sure my changes aren't garbage. If it looks ok run

 /usr/sbin/twadmin --create-polfile twpol.txt.new
 /usr/sbin/tripwire --init

to install the new policy in the database.

Now you're in a position to run

 /usr/sbin/tripwire --check

regularly in cron or whatever.

Comprehensive intrusion detection

• tiger - Report system security vulnerabilities
• tiger-otheros - Scripts to run Tiger in other operating systems

apt-get install tiger tiger-otheros

see also: How to scan your Linux-Distro for Root Kits

Either install the package that comes with your distribution (on Debian you would run)

apt-get install chkrootkit

or download the sources from www.chkrootkit.org and install manually:

wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-<version>/
make sense

Afterwards, you can move the chkrootkit directory somewhere else, e.g. /usr/local/chkrootkit:

cd ..
mv chkrootkit-<version>/ /usr/local/chkrootkit

Now you can run chkrootkit manually:

cd /usr/local/chkrootkit
./chkrootkit

(if you installed a chkrootkit package coming with your distribution, your chkrootkit might be somewhere else).

You can even run chkrootkit by a cron job and get the results emailed to you: Run

crontab -e

to create a cron job like this:

0 3 * * * (cd /usr/local/chkrootkit-<version>; ./chkrootkit 2>&1 | mail -s "chkrootkit output my server"  you@yourdomain.com)

That would run chkrootkit every night a 3.00h.

Download the latest rkhunter sources from www.rootkit.nl:

wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar xvfz rkhunter-1.2.7.tar.gz
cd rkhunter/
./installer.sh

This will install rkhunter to the directory /usr/local/rkhunter. Now run

rkhunter --update

to download the latest chkrootkit/trojan/worm signatures (you should do this regularly). Now you can scan your system for malware by running

rkhunter -c

download from here

 # wget http://www.rootkit.nl/files/lynis-1.1.8.tar.gz
 # tar xvfz lynis-1.1.8.tar.gz
 # ./lynis --check-update
 # ./lynis -c

• debsums - Verify installed package files against MD5 checksums (Debian systems)
• md5sum

Generate a checksum for the partition you wish to image, run from shell

# md5sum /dev/hdc2 > /tmp/hdc2.md5

To make the copy of the disk(s), we'll use the dd command. From shell…

# dd if=/dev/hdc of=/tmp/hdc.img

You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive. This means that /tmp shouldn't be a RAM disk and should not be stored on /dev/hdc. Write it to another hard disk !