Security on Linux: Security-enhancement Tools

PCQ Bureau

Snort

Snort is an open-source NIDS (Network Intrusion Detection System), capable of performing real-time traffic analysis and packet logging on IP networks. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc), or as a full-blown NIDS.

PCQLinux2004 contains the snort RPM, which can be installed during PCQLinux2004 installation by selecting PCQ Specials>Security>snort on the package selection list. It can also be installed after PCQLinux 2004 installation by installing the RPM from PCQLinux 2004 CD 2. The command for that is rpm -ivh snort-2.1.0-1.

Before running snort you will need to download two files, unicode.map and threshold.conf, from the URL http://cvs.sourceforge.net/viewcvs.py/snort/snort/etc/. Next, copy these files to the directory /etc/snort.

To run Snort, enter the command

#/usr/sbin/snort -d -h 192.168.3.0/24 -c /etc/snort/snort.conf

Replace the local subnet address according to your LAN setup. To run the program in background (daemon) mode, add the switch ‘-D’ to the above command.

Snort comes with a comprehensive set of rules containing signatures of various kinds of attacks, such as SYN attacks and port scans. Whenever incoming traffic matches any rule in the set, an alert is written to the log files. If you want to modify or add rules, you can do that too: the rules files are in /etc/snort/rules.

By default, snort writes all alerts to the directory /var/log/snort. When we ran attacks on the machine on which snort was running, it provided detailed logs about each attack, giving the date and time of the attack, the source IP address, the TCP header information and a Web link to find more information on that particular attack. So, if you want to make your machine secure, the best defense is to use snort, as it will alert you to any intrusion attempts made against your system.
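The alert file is what a defender actually reads after Snort has been running for a while. As an added example (not from the article and not part of the Snort project), the POSIX shell script below summarises alerts in Snort's single-line "alert_fast" format by source address and picks out sources that repeatedly trigger rules at or above a chosen priority. The four alert lines are constructed for the example, with invented rule IDs and messages; on a real host you would feed it /var/log/snort/alert instead.

```sh
#!/bin/sh
# Constructed sample of Snort alerts in the single-line "alert_fast" format.
# These four lines are made up for the example (invented rule IDs and
# messages); on a real host read /var/log/snort/alert instead.
SAMPLE_ALERTS='03/14-10:02:11.123456  [**] [1:1000001:1] SAMPLE portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.3.77:41022 -> 192.168.3.10:22
03/14-10:02:12.223456  [**] [1:1000001:1] SAMPLE portscan probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.3.77:41023 -> 192.168.3.10:23
03/14-10:05:40.000001  [**] [1:1000002:1] SAMPLE web-cgi probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:53311 -> 192.168.3.10:80
03/14-10:09:03.500000  [**] [1:1000003:1] SAMPLE smb probe [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 192.168.3.77:41100 -> 192.168.3.10:139'

# Count alerts per source IP (highest first). Alert lines arrive on stdin;
# the source is the token just before "->", with its port stripped.
alerts_by_source() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "->") {
            src = $(i - 1); sub(/:[0-9]+$/, "", src); count[src]++
        }
    }
    END { for (s in count) print count[s], s }' | sort -rn
}

# Print sources with at least $1 alerts at priority $2 or more severe
# (Snort priority 1 is the most severe). Output is one IP per line, sorted.
noisy_sources() {
    min_hits=$1; max_prio=$2
    awk -v maxp="$max_prio" '{
        prio = 99; src = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "[Priority:") { prio = $(i + 1); sub(/\]/, "", prio) }
            if ($i == "->") { src = $(i - 1); sub(/:[0-9]+$/, "", src) }
        }
        if (src != "" && prio + 0 <= maxp + 0) count[src]++
    }
    END { for (s in count) print count[s], s }' \
    | awk -v minh="$min_hits" '$1 + 0 >= minh + 0 { print $2 }' | sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_source
printf '%s\n' "$SAMPLE_ALERTS" | noisy_sources 2 2
```

Both functions read from stdin, so on a live system the usage is `alerts_by_source < /var/log/snort/alert`. The priority filter matters because a single Priority 3 informational hit is noise, while the same source producing several Priority 1 or 2 alerts is what you want to look at first.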

Tripwire

Tripwire is a very valuable security tool for Linux systems, provided it is installed on a clean system. It should be installed right after the OS installation and before you connect the system to a network. When Tripwire is initially set up, it creates a database that records certain information about each file. When it is run, it compares a designated set of files and directories against the information stored in the database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state. Tripwire reports these changes when you run a check, which tells system administrators that they need to enact damage-control measures immediately if certain files have been altered.

Tripwire can be installed during PCQLinux2004 setup by selecting PCQLinux Specials>Security>tripwire on the package selection list or it can be installed afterwards by installing the RPM tripwire-2.3.1-2 from PCQLinux2004 CD 2.

After installation a new directory /etc/tripwire is created, which contains the configuration files. Now run the configuration script # /etc/tripwire/twinstall.sh, which will prompt you to set a site passphrase and a local passphrase. Passphrases are special passwords used to digitally sign files. Choose a good passphrase containing letters, digits and punctuation marks. Next, the configuration file is created and will be digitally signed, so you will be required to enter the site passphrase. After that the policy file is created and signed, so you are again prompted to enter your site passphrase. Tripwire is now installed and ready to run.

Creating the Tripwire database

The Tripwire database contains the cryptographic checksums of your system files. To create the database, run the command # tripwire --init. It will ask you for your local passphrase. Enter the passphrase and the database will be built. The database file is stored as /var/lib/tripwire/host.twd, where host is replaced by the computer’s host name. Tripwire selects the files and directories to checksum by examining its policy file. The default policy file is appropriate for most Linux distros, but it may well be looking for files that are not present on your system. In that case you will see an error message saying that the particular file is missing. Though these errors do not stop the database creation, they can make it difficult to recognize real error messages.

Configuring the policy file

A text version of the policy file is kept as /etc/tripwire/twpol.txt. To make changes, open the file in a text editor and comment out the lines that reference files not present on your system. Then you have to digitally sign the policy file, so run the command

# tripwire --update-policy /etc/tripwire/twpol.txt

You will be asked to enter your site passphrase again. Rebuild the database using the # tripwire --init command. Now you should not get any error messages. To add new files to the checksum database, add references to those files in the policy file and rebuild the database.
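Commenting out the missing-file rules by hand is tedious on a large policy, so here is an added helper, written for this article and not part of Tripwire, that does the same thing mechanically: it copies twpol.txt while commenting out every rule line whose path does not exist on this host. The function names, the output-file argument and the "# missing on this host:" marker are the example's own; it assumes a rule line is one whose first field starts with "/", which matches the usual `/path -> $(SEC_BIN) ;` form, and it leaves variable assignments, rule-block headers and "!" exclusions untouched. The pruned copy still has to be signed with `tripwire --update-policy` exactly as described above.

```sh
#!/bin/sh
# Hypothetical helper, not part of Tripwire: copy a text policy file while
# commenting out every rule whose path does not exist on this host, so
# "tripwire --init" no longer complains about missing files.
# Assumption: a rule line is one whose first non-blank field starts with
# "/", e.g.   /usr/sbin/sshd -> $(SEC_BIN) ;   Variable assignments,
# rule-block headers and "!" exclusions are copied unchanged.
prune_missing_paths() {
    in_policy=$1; out_policy=$2
    : > "$out_policy"
    while IFS= read -r line || [ -n "$line" ]; do
        # Split on blanks only: -f stops glob expansion of the fields,
        # and variable expansion never performs $(...) substitution.
        set -f; set -- $line; set +f
        case ${1-} in
            /*)
                if [ ! -e "$1" ]; then
                    printf '# missing on this host: %s\n' "$line" >> "$out_policy"
                    continue
                fi ;;
        esac
        printf '%s\n' "$line" >> "$out_policy"
    done < "$in_policy"
}

# Number of rule lines that prune_missing_paths commented out in a file
# (prints 0 and exits non-zero when nothing was pruned, as grep -c does).
count_pruned() {
    grep -c '^# missing on this host: ' "$1"
}
```

Typical use is `prune_missing_paths /etc/tripwire/twpol.txt /tmp/twpol.pruned`, a quick read of the commented lines to confirm nothing important was dropped, then copying the result back over twpol.txt before signing it. Review the pruned lines rather than trusting the script blindly: a path missing because a package was never installed is harmless, but a path missing because something deleted it is precisely what Tripwire exists to catch.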

Checking the integrity of files

To check the integrity of files on your system, run the command # tripwire --check. Ideally, you should not get any error message, but if any files or folders have been changed, deleted or added, you will get an error message indicating the type of change. You should then take appropriate action to add, replace or delete files.

Updating the database

If a file change is expected, as when you install a new program, you should update the database to reflect the change. For that, run the command # tripwire --update. This command updates the database to reflect the changes and is faster than rebuilding the entire database with the # tripwire --init command.
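To make concrete what the init, check and update steps above actually do, here is an added example that is not Tripwire's code and not from the article: a minimal stand-in in POSIX shell that keeps a sha256sum database for a directory tree and reports Added, Removed and Modified files the way the check described above does. The function names and the directory and database-file arguments are the example's own assumptions; it has no signed database, policy file or passphrases, and its "update" simply rebuilds the database, whereas the real `tripwire --update` only folds in the changes reported by a check.

```sh
#!/bin/sh
# Simplified stand-in for the Tripwire cycle, added for illustration only:
# it is not Tripwire. It keeps a plain sha256sum database for a directory
# tree and reports differences in the same three classes Tripwire uses.
# Arguments (assumed by this example): $1 = directory to watch, $2 = database file.

# "init": record a checksum for every regular file below the directory.
integrity_init() {
    dir=$1; db=$2
    (cd "$dir" && find . -type f -exec sha256sum {} +) > "$db"
}

# "check": rescan and compare with the database. Prints one line per
# difference ("Added <path>", "Removed <path>", "Modified <path>") and
# returns 1 if anything differs, 0 if the tree still matches the database.
integrity_check() {
    dir=$1; db=$2
    now=$(mktemp)
    (cd "$dir" && find . -type f -exec sha256sum {} +) > "$now"
    report=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # database records
        { new[$2] = $1 }                              # fresh scan records
        END {
            for (p in old) if (!(p in new)) print "Removed", p
            for (p in new) {
                if (!(p in old)) print "Added", p
                else if (old[p] != new[p]) print "Modified", p
            }
        }' "$db" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# "update": accept the current state as the new baseline. Here that is a
# full rebuild; the real "tripwire --update" only folds in reported changes.
integrity_update() {
    integrity_init "$1" "$2"
}
```

A run looks like `integrity_init /etc /var/tmp/etc.db`, then `integrity_check /etc /var/tmp/etc.db` from cron, and `integrity_update` only after you have read the report and accepted every line in it. Two things the stand-in deliberately lacks show why Tripwire signs its database and policy with the site and local passphrases: an attacker who can modify the watched files can usually also rewrite an unsigned checksum database, and without a policy there is no way to say which directories are expected to change. Paths containing blanks also break the awk field split here, which the real tool handles.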

Anoop Mangla
