Tripwiring your linux box

Privilege escalation, trojaned SSH daemons, key loggers… While the focus is still mostly on MS platforms, Unix boxes aren’t free of exploits. As Macs and ever more approachable distributions like Ubuntu make them popular, they become more of a target. The large share of the server market they represent holds a considerable amount of information that is mouth-watering to hackers.

A good tool in the fight against ever-evolving malware is Tripwire (the open source version, because we’re cheap). It takes the signature of key files on your system (configuration, binaries) and checks them regularly for changes. Its major strength is that no matter what exploit was used to compromise a given binary, if that binary is infected, Tripwire will go off. Modern antivirus software looks for specific signatures of known infections, and there are so many of them that it only looks for the ones thought to be in the wild at any given time. It is also purely reactive against 0-days and usually takes a few days to adjust. Its behavioral analysis methods are based on heuristics and generate too many false positives to be worthwhile.

Tripwire doesn’t care what the infection is; it just goes off if something changed. This is simple and efficient. It should, however, only be one piece of a comprehensive security policy.

In this article we’ll look at getting it installed and running on Ubuntu in a matter of minutes. You’ll want to be root for all of this.

——————————————

First, get the package:

aptitude install tripwire

It will ask you for the passphrases used to protect its own files.

You’ll end up with these config files in /etc/tripwire:

——————————————

Edit /etc/tripwire/twpol.txt to define which areas to keep an eye on. A pretty OK default is provided, but it needs some tweaking for Ubuntu and for personal preference. I’d publish mine but hey, that’d be pretty stupid. Just keep in mind that you can use an exclamation mark “!” to negate a line. Let’s say you want it to look at /etc but not /etc/shadow (users will want to change passwords in most cases); you’ll have a rule that looks like this:

{
  /etc          -> $(SEC_BIN) ;   # watch everything under /etc with the SEC_BIN property mask
  ! /etc/shadow ;                 # negated: password changes rewrite this file, so don't report it
}

——————————————

When you’re done, run:

twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt

This will create the secured policy file based on the text file you just edited.

——————————————

The config file (/etc/tripwire/twcfg.txt) can be edited too, but the defaults are fine. When done, run:

twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

Again, this creates its secured equivalent.

——————————————

Make sure that the created files are only readable/writable by root:

chmod 600 /etc/tripwire/tw.cfg /etc/tripwire/tw.pol

Good practice dictates that you should also remove the plain text configuration files, but you’ll want to keep them around for a little while as you tweak your original config.

——————————————

Finally, you can initialize the database with:

tripwire --init

What this does is take a snapshot of everything you’ve specified in the policy file. If any of it changes, you’ll be notified.

——————————————

The following runs the check for changes manually:

tripwire --check

When you installed the package with aptitude, /etc/cron.daily/tripwire was automatically created to run this every day; root will receive a mail report daily.

——————————————

If you want to make a change to the base config (the policy), edit it, re-sign it and rebuild the baseline:

# edit /etc/tripwire/twpol.txt, then:
twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
tripwire --init

If you want to update the baseline instead, for example to acknowledge legitimate changes that happened on the box, feed it the report of the run that flagged them:

tripwire --update --twrfile /var/lib/tripwire/report/<hostname>-<date>-<hour>.twr
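To make concrete what --init, --check and --update do, and how the “!” rule above keeps /etc/shadow out of the report, here is a toy integrity checker added for this post (it is not Tripwire code and not the author’s): the “database” is a plain text file of “sha256 mode path” lines, and a stop-point file plays the role of the negated policy line. The function names, the database layout and the GNU sha256sum/stat tools are assumptions of this example; real Tripwire also records ownership, inode, timestamps and more, and signs its database with the local key.

```shell
#!/bin/sh
# Toy file-integrity checker mirroring tripwire --init / --check / --update.
# Constructed example, not Tripwire: the "database" is a text file of
# "sha256 mode path" lines and the stop-point file stands in for "! /path ;"
# in the policy. Assumes GNU sha256sum and stat, as found on Ubuntu.

# Print one "sha256 mode path" line per regular file under $1, skipping every
# path listed in the stop-point file $2 (one absolute path per line).
fim_snapshot() {
    find "$1" -type f | sort | grep -Fxv -f "$2" | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
                            "$(stat -c %a "$f")" "$f"
    done
}

# Like tripwire --init: record the baseline of $1 (stop points $2) into $3.
fim_init() {
    fim_snapshot "$1" "$2" > "$3"
}

# Like tripwire --check: compare $1 against baseline $3. Prints each added,
# removed or modified path (content or mode) and returns 1 if anything changed.
fim_check() {
    changed=$(fim_snapshot "$1" "$2" | diff "$3" - | awk '/^[<>]/ { print $4 }' | sort -u)
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Like tripwire --update after a reviewed report: accept the current state of
# $1 as the new baseline $3. Only do this for changes you have actually reviewed.
fim_accept() {
    fim_init "$1" "$2" "$3"
}
```

Running the block by itself only defines the functions; as root you would call fim_init on the directories you care about and then fim_check from cron, much like /etc/cron.daily/tripwire does.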

The death of the internet

Let me throw out a few concepts we’ve been hearing about more & more lately:

  • metered bandwidth
  • end of net neutrality
  • content censorship
  • protocol restrictions
  • geographic restrictions
  • wiretapping
  • deep packet inspection
  • malware becoming crimeware
  • dataleaks
  • DDoS
  • internet kill switch

The way that we used to see the internet as an unrestricted web of information is changing rapidly. And it looks like the free ride is coming to an end.

Corporations want to dictate our internet usage; politicians don’t understand the issues of a technology from the next generation, and if they do, lobbyist money has strong convincing power. And quite frankly, your average user has no clue either. What was once a free and unrestricted flow of information is quickly becoming a metered, port/site/protocol-restricted happy network.

references:

Traffic discrimination & Net Neutrality

Comcast’s P2P throttling suit

What was revolutionary about the internet was its lack of boundaries: the world was connected. Since then the marketing & licensing geniuses have caught on to the fact that it is possible to restrict content by geographic location. Like regions on DVDs, you now cannot consume certain media in certain regions. It is a travesty to the human accomplishment that is the internet and inevitably leads to the absurdity that it is easier to consume pirated content than legal content.

Organized crime has also caught on: the obnoxious malware & viruses that were once spreading for fame or installing dumb toolbars are now becoming very targeted at committing crimes, from harvesting financial information to generating DDoS attacks. A black market of stolen information and network hitmen is emerging on an internet that many companies handling your data do not understand. Viruses, much like biological organisms, are becoming polymorphic with self-defense mechanisms. Their technological advancement clearly shows funded work, as opposed to the classic image of the basement hacker we all have ingrained in our heads.

references:

Zeus botnets specialized in harvesting financial data

Researchers hijack control of the Torpig botnet for 10 days and recover 70 GB of stolen data from 180,000 infections

Governments are starting to play their silly international politics game on this new field, releasing cyber attacks against one another. The amount of information & critical infrastructure facing the great network is making it a strategic field of military and intelligence importance. It is clear that the network in its current state of international openness is an issue for government interests, and we can fully expect to find cyber borders erected in the near future, not unlike the Great Firewall of China, even though this last example has other applications: applications that pertain to opinion control via censoring. China isn’t the only country doing that; Australia is pretty good at it. And the U.S. is working on creating a presidential “internet kill switch”, you know, just in case people here get sick enough of 2 everlasting wars and 4th amendment tramplings to take to the streets. Egypt has just done it: they shut down internet and cell phone communications during their 2011 protests.

references:

Stuxnet’s specific targeting of Iran’s SCADA-controlled systems

The Great Firewall of China

Australia’s internet censorship

Obama’s internet kill switch

How Egypt shut down the internet

At a time when Wikileaks is putting to shame governments and corporations, more controls are inevitable.

So what’s next?

Computers and network devices have become increasingly powerful. So much so that this blog you’re reading is hosted on an 8-year-old server sitting on a fridge behind a home DSL line. Besides computing & networking power, something else has been growing that you might have heard about: social networks.

I think that one day, a couple of geeks will be tired of the state of the internet and will throw a home-made link between their houses to share what they want, when they want, without being advertised to, wiretapped, datamined or attacked. This can currently be done with long range wireless devices (WiMAX) or even by adding a layer on top of the current infrastructure (think VPN). Soon a third geek friend will want in, and provided that he is trusted by the founders, he’ll get in. After a while, adding friends of friends will become too far out of reach for the founders to decide, and they will implement a social reputation based system for dealing with users.

And that’s it: you have a social network (in the strictest sense of the term) that is growing & correcting itself based on reputation. This will of course be completely decentralized (unlike the internet), which means you will be relaying information for individuals you don’t know, hence the criticality of its reputation element.

This network will eventually be overrun by corporate, mafia & government interests finding ways to abuse the reputation system; it will slowly die and be replaced by another couple of geeks down the road.

The end.

OH MY GOD

I came home to find one of my garbage cans lying on the ground. WHAT THE HELL? WHO DID THIS? I know, I will solve this ruthless crime with my new CCTV installation.

And the culprit is:

[flv:http://ben.akrin.com/wp-content/uploads/2010/12/poubelle.flv 640 480]

the wind…