Other Security Techniques and Tools

Security is a many-sided problem, and as such, a number of tools have been developed to help an administrator implement a highly secure system. In the preceding four sections, I've addressed the first-line defensive techniques and how they can be applied to Webmin. Those techniques are designed to prevent intrusion in the first place. They do nothing to let you know an intrusion has taken place, nor do they respond proactively to an attack that is underway. Therefore, it is worth taking a brief tangential look at some intrusion detection tools and attack response tools.

Intrusion Detection

There are a large number of free and commercial intrusion detection systems (IDSs) available for all of the major UNIX variants. An IDS provides an easy method of auditing one or more systems to ensure that they have not been exploited. Most such systems create a database of file identifier keys (usually an MD5 hash or a similar cryptographic hash), which is itself encrypted with a passphrase known only to the system administrator. Some systems provide an easy means to store the database on another machine, or it can be written to a floppy or CD for use in read-only mode, so that even if the machine is violated, tampering with the file key database is impossible rather than merely extremely difficult.

Perhaps the most popular IDS for free UNIX systems is Tripwire, which is available in both an Open Source and a proprietary version. It is available in package form from many Linux distribution vendors and as a source download for all supported operating systems. Tripwire uses a database of MD5 keys, which is generated on a known secure system. Using a simple cron job, Tripwire can then be run periodically to ensure no unexpected changes have occurred on the system since the last database generation. Using two passphrases, it is possible for Tripwire to prevent unauthorized tampering with the database (for example, a cracker regenerating the database after having modified all of the files needed for future entry).

Note 

The Open Source variant of Tripwire can be downloaded from [http://www.tripwire.org]. A thorough reading of the documentation is recommended before attempting to use it, because though it is relatively simple to use, the required steps for initial setup and database generation are not at all obvious.

Another simple but effective intrusion detection method, for systems that use RPM or any other package manager that keeps a database and can verify file integrity, is to keep a copy of the package database on another system or on read-only media. With this database and a known good installation of the package manager, one can verify all of the system files quickly and easily. The drawback of this method is that it cannot detect new files, nor modification of files that were not installed from packages. Even so, on a system that has no complete IDS installed, this can be a lifesaver in the event of an intrusion.

One pitfall to watch for in the event of an intrusion is that once a cracker has gained root privileges on your system, there is nothing to prevent him from modifying the Tripwire or package manager binaries so that they keep reporting good results even after all of his changes. Such a modification is usually obvious to an experienced administrator, because normal file changes should show up in such checks, and over time those changes will probably not be accurately reported by the cracked IDS or package manager. This problem is most easily worked around by installing secondary versions of these tools and running them against a database stored on read-only media, like a CD or a floppy disk with writing disabled. While a cracker with the knowledge to make these changes is rare, it is likely that such ideas will eventually be included in rootkits, making it easy for even the most brain-damaged cracker to cover his tracks effectively.
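To make the file-integrity idea concrete, here is a small Tripwire-style checker written as an added example for this section; it is not Tripwire's code, nor any package manager's. It walks a directory tree, records a SHA-256 digest, size and permission bits for every regular file, and stores that baseline authenticated with an HMAC whose key is derived from the administrator's passphrase, so a baseline regenerated or edited without the passphrase is rejected rather than trusted. Unlike package-database verification it also reports files that were added or removed. The passphrase, file contents, paths and the fixed KDF salt are all constructed for the demo; in real use the database would live on another host or on read-only media as the text describes.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Fixed salt is a simplification for this example; a real tool stores a random salt.
KDF_SALT = b"baseline-db-example"


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "digest": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return entries


def _mac(payload, passphrase):
    """HMAC over the serialised entries, keyed from the administrator's passphrase."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), KDF_SALT, 100_000)
    return hmac.new(key, payload, "sha256").hexdigest()


def save_baseline(entries, db_path, passphrase):
    payload = json.dumps(entries, sort_keys=True)
    doc = {"entries": payload, "mac": _mac(payload.encode(), passphrase)}
    Path(db_path).write_text(json.dumps(doc))


def load_baseline(db_path, passphrase):
    """Refuse to use a database whose MAC does not verify (regenerated or edited)."""
    doc = json.loads(Path(db_path).read_text())
    if not hmac.compare_digest(_mac(doc["entries"].encode(), passphrase), doc["mac"]):
        raise ValueError("baseline failed authentication; do not trust it")
    return json.loads(doc["entries"])


def check(root, db_path, passphrase):
    """Diff the live tree against the authenticated baseline."""
    old = load_baseline(db_path, passphrase)
    new = build_baseline(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Constructed scenario in a temp dir: baseline, then tamper, then check."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "etc"
    root.mkdir()
    (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "hosts").write_text("127.0.0.1 localhost\n")
    db = tmp / "baseline.db"  # in real use: on another host or read-only media
    pw = "example passphrase"  # constructed for the demo
    save_baseline(build_baseline(root), db, pw)

    # Simulated tampering: one file edited, one deleted, one unexpected file created
    (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
    (root / "hosts").unlink()
    (root / "rc.local").write_text("# unexpected new file\n")
    report = check(root, db, pw)

    # A database regenerated without the passphrase keeps the old MAC and must be rejected
    doc = json.loads(db.read_text())
    doc["entries"] = json.dumps(build_baseline(root), sort_keys=True)
    (tmp / "forged.db").write_text(json.dumps(doc))
    try:
        load_baseline(tmp / "forged.db", pw)
        report["forgery_rejected"] = False
    except ValueError:
        report["forgery_rejected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the three change lists plus `forgery_rejected: true`. The check is only as trustworthy as the binary running it and the media holding the baseline, which is exactly why the text recommends a second copy of the tools and a read-only database.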

Proactive Attack Response Tools

There are several new tools designed to recognize common types of attack and respond to them quickly enough to defuse the attack. There is no single name for such systems, and the way in which they work varies depending on their particular focus. Two such tools are PortSentry and Hogwash.

PortSentry is the most mature tool of this type and takes a more basic approach to the problem. PortSentry keeps an eye on network connections and watches for a rapid series of abnormal connections that is usually indicative of a network scan. When such a scan is detected, the host from which the attack originates is simply blocked using the normal packet filter on the system. PortSentry is made more attractive by the fact that a Webmin module exists to easily administer and configure a PortSentry installation.

Note 

PortSentry, like Tripwire, is available in both commercial and Open Source versions. The Open Source release is available for download from [http://www.sourceforge.net/projects/sentrytools/].
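The following is an added example of the detection logic the PortSentry paragraph describes, written for this section rather than taken from PortSentry: a source that attempts connections to many distinct ports inside a short window is treated as a scanner and a block rule is generated for it. The window length, port threshold, sample addresses and event list are constructed, and the rule text assumes an iptables-style packet filter; the rule is returned as a string and never executed here.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0    # how long a source's recent connection attempts are remembered
MAX_DISTINCT_PORTS = 5   # distinct ports inside the window before we call it a scan


class ScanDetector:
    """Flags sources that touch many distinct ports in a short time, the basic
    PortSentry-style heuristic; keeps per-source state only for the current window."""

    def __init__(self, window=WINDOW_SECONDS, max_ports=MAX_DISTINCT_PORTS):
        self.window = window
        self.max_ports = max_ports
        self.recent = defaultdict(deque)  # src -> deque of (timestamp, dst_port)
        self.blocked = set()

    def observe(self, src, dst_port, ts):
        """Record one attempt (events must arrive in time order).
        Returns True exactly once per source: when it crosses the threshold."""
        if src in self.blocked:
            return False
        q = self.recent[src]
        q.append((ts, dst_port))
        while q and ts - q[0][0] > self.window:  # forget attempts outside the window
            q.popleft()
        # Count distinct ports, so repeated retries to one port are not a scan
        if len({port for _, port in q}) >= self.max_ports:
            self.blocked.add(src)
            del self.recent[src]
            return True
        return False


def block_rule(src):
    """Packet-filter rule a PortSentry-style tool would apply (returned as text only)."""
    return f"iptables -I INPUT -s {src} -j DROP"


# Constructed sample events: (timestamp, source address, destination port)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 22),    # normal client
    (0.5, "10.0.0.9", 21),    # 10.0.0.9 sweeps five ports in under a second
    (0.6, "10.0.0.9", 22),
    (0.7, "10.0.0.9", 23),
    (0.8, "10.0.0.9", 25),
    (0.9, "10.0.0.9", 80),    # fifth distinct port: blocked here
    (1.0, "10.0.0.5", 80),
    (2.0, "10.0.0.9", 110),   # already blocked, ignored
    (3.0, "10.0.0.7", 22),    # six retries to one port: not a scan
    (3.1, "10.0.0.7", 22),
    (3.2, "10.0.0.7", 22),
    (3.3, "10.0.0.7", 22),
    (3.4, "10.0.0.7", 22),
    (3.5, "10.0.0.7", 22),
    (30.0, "10.0.0.5", 443),  # old attempts have aged out of the window
]


def run(events=SAMPLE_EVENTS):
    """Feed events through the detector; return (blocked sources, rules generated)."""
    det = ScanDetector()
    rules = [block_rule(src) for ts, src, port in events if det.observe(src, port, ts)]
    return det.blocked, rules


if __name__ == "__main__":
    blocked, rules = run()
    print("blocked:", sorted(blocked))
    for rule in rules:
        print(rule)
```

Only `10.0.0.9` is blocked; the retrying client and the slow client that visits several ports over half a minute are left alone. The threshold and window are the tuning knobs: set them too low and a busy legitimate host can lock itself out, which is the usual operational complaint with this class of tool.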

A newer entry into the field, Hogwash uses a rule-based system to detect hundreds of known exploit types and can drop those packets without disturbing any other kind of traffic from the host. Hogwash is based on the rule engine of the Snort network intrusion detection system, but adds the ability to respond to the intrusion by dropping or disarming the troublemaking packet by rewriting it to a harmless form.

The Book of Webmin: Or How I Learned to Stop Worrying and Love UNIX
ISBN: 1886411921
Year: 2006
Pages: 142
Authors: Joe Cooper
