There are two standard ways to see if a cracker has broken into your system. One is to check logins as documented in the /var/log/wtmp file. The other is to check log file activity to see when the traffic on your Linux systems should be at a minimum.
But one of the ways people break into a system is by reading the clear-text passwords that a user might send over the network. One useful tool for looking at network traffic is Ethereal, a protocol analyzer that is available for Linux/Unix and Microsoft Windows. It s included with Red Hat Linux in the ethereal-* RPM packages.
A more descriptive but colloquial name for a protocol analyzer is a sniffer . Protocol analyzers such as Ethereal record, or sniff, the traffic on a network. If you re on an Ethernet network, you can record all communication between all computers on the LAN.
If a message is transmitted in clear text, Ethereal converts it into a readable format. For example, take Figure 22.4, which shows an Ethereal view of various network packets. Note the highlighted packet number 19 carefully .
As you can see, packet 19 shows the password that user mj entered to connect to the local FTP server: a1b2c3d4 .
This illustrates one reason why physical security on a network is so important: if crackers can gain physical access to a LAN, they can connect a computer with Ethereal and find the password of anyone who uses a clear-text server on that LAN.
Ethereal is far from the most sophisticated tool that a cracker can use. If you can detect a clear-text password with Ethereal, you know that a cracker could read that password as well.
Once you have installed the ethereal-* RPM packages, you can start this tool with the ethereal command.
It s a good idea to inspect your log files for suspicious activity. For example, login records are available in the /var/log/wtmp file. Because this is a binary file, you need a binary reader, utmpdump , for this purpose. Read the records of this file by issuing the utmpdump /var/log/wtmp command. An excerpt from my output is shown in Figure 22.5.
Note the second-to-last entry in Figure 22.5. As you can see, the originating IP address is 18.104.22.168. If that does not belong to an authorized computer or network, you should be concerned . Someone might be trying to break into your system. You might then consider adding iptables firewall commands that would block access from this IP address or the associated IP network.
You learned about how log files are configured through /etc/syslog.conf in Chapter 13 . Most log files are stored in the /var/log directory; log entries are stamped with a time of day. You can view different log files periodically, to check for suspicious activity at times when there should be no activity on your system or your network.
Unfortunately, a skilled cracker will try to fool you into believing that everything is all right on your system. For example, a cracker with root access could replace the files in your /var/log directory.
One important tool for checking the integrity of your files is Tripwire. As of this writing, there is both an open source and a commercial version of this software. The open source version is included with the Red Hat Installation RPMs and is documented at www.tripwire.org; the commercial version is available as part of the TriSentry suite from Psionic Technologies ( www.psionic.com ).
Tripwire is designed to check the integrity of key configuration files on your system. In order for the tool to be effective, you should install it as soon as possible; it can t detect unwanted changes after a cracker has broken into and changed key files on your system.
Once you ve installed Tripwire, you need to set it up and create a basic database. Then the cron job that comes with the Tripwire RPM can check your files on a daily basis.
It s easy to set up Tripwire. Just run the installation script, /etc/tripwire/twinstall.sh . The script is in text format; you can even use a text editor to modify the locations of installation files. It includes a copy of the Tripwire license, the GPL.
When you run the default script, you re prompted to add local and site passphrases , which are passwords used to encrypt access to Tripwire. During the setup process, the twinstall.sh script also creates a configuration and policy file in the /etc/tripwire directory.
Next, initialize the Tripwire database with the tripwire --init command. This command may take a few minutes as it uses its policy file, tw.pol , to build an initial database. It may cite a few errors as it searches for files that you may not have installed.
You can update the Tripwire policy file by editing /etc/tripwire/twpol.txt . For example, if you haven t installed the "Z" shell, you could delete the reference to /bin/zsh . Once your changes are complete, you can update Tripwire policies with the following command:
# tripwire --update-policy /etc/tripwire/twpol.txt
Once you install it, Tripwire is an important tool for defending your system. A cracker may try to hide his or her tracks by changing various tripwire files. You can prevent this by using some secure or read-only media; for example, some administrators write Tripwire files to a read-only CD.
Assuming you installed Tripwire from the Red Hat Linux RPM package, the database is checked daily. In fact, there is a tripwire-check script in the /etc/cron.daily directory. As discussed in Chapter 13 , this script is run by default, at 4:02 a.m. every morning, through /etc/crontab .
You may want to edit this file to save the output; for example, you might direct the output from the tripwire command to a log file:
/usr/sbin/tripwire --check >> /var/log/tripwire
The resulting output is interesting. For the purpose of this book, I temporarily deleted the /sbin/poweroff file before running the tripwire-check script. In /var/log/tripwire , this led to the following output:
Rule Name: Critical Utility Sym-Links (/sbin/poweroff) Security Level: 100 Removed: "/sbin/poweroff"
While this warning seems subtle, it tells you that someone has deleted the poweroff command from your Linux system.