Tripwire is a great tool for checking to see whether files have been created, deleted, or modified. Tripwire stores a snapshot of your files in its database, and you can compare your files against the snapshot to discover any changes that might indicate a compromise. Tripwire's main feature is file integrity checking, and it's capable of checking VFAT filesystems and verifying installed RPMs.
Most distributions have packages for Tripwire, or you can grab its source code from SourceForge if you'd like to compile it from scratch. After you have installed Tripwire, you should set it up:
cd /etc/tripwire
./twinstall.sh
tripwire --init
rm twcfg.txt twpol.txt
The twinstall.sh script creates a site key and a local key, signs the configuration file twcfg.txt with the site key to create tw.cfg, and signs the policy file twpol.txt with the site key to create tw.pol.
The next step is to create the database and sign it with the local key using tripwire --init. You will be prompted for the local key passphrase you entered during twinstall.sh. Finally, remove the plaintext configuration files twcfg.txt and twpol.txt, since the signed tw.cfg and tw.pol are what Tripwire uses from now on.
The first thing you should do after installing GNU/Linux is to make a snapshot with Tripwire. Then, to perform basic integrity checking, issue the command tripwire --check. This compares your files against the snapshot in the database. Alternatively, you can specify files and directories you wish to check:
tripwire --check /bin/cp /bin/login
This should be enough to get you started. One main disadvantage of Tripwire is that if you update your critical files frequently, you have to update your snapshot database also.
SSH encrypts data being sent and received, whether you're using a remote shell or transferring files using scp and sftp. It replaces less secure utilities such as FTP and Telnet that send data over the Net in plain text. The main reason I like SSH is that I can use keys instead of passwords.
I use SSH to establish remote shells on systems that I work on, and to run interactive and non-interactive commands on remote systems. For example, to run uptime on a remote host, I use ssh -l luka hostname uptime. This tells SSH to log me in as user luka, and then run the uptime command. The -l option, which specifies the login name, is necessary only if the username on the remote system is different from your username on the local system.
To run an interactive command, use the -t option. For example, to use vi to make a quick edit on a file on a remote host, I'd use ssh -t -l luka hostname vi filename. This will log me in to the remote system, start up vi filename, then log me out of the remote system when I finish my vi session.
Network Mapper (nmap)
Nmap is a highly capable portscanner that was written by hacker Fyodor. It allows you to check whether a host is up, scan for open ports, and even see what operating system a host is running. For some people, it's the primary security tool under Linux. Some basic options you can pass to nmap are:
-P0 scans the host without pinging it.
-sS sends a SYN packet and waits for a response.
-sF does a stealth scan using a FIN packet.
-O tries to guess the operating system of the remote host.
-p defines a range of ports for scanning. For example, nmap -p 80-88 hostname will scan ports 80 through 88.
This is only a small fraction of nmap's capabilities -- it has many other options as well. Refer to the nmap man page to see them all.
Netcat is often called "TCP/IP Swiss Army knife," meaning that it can do almost anything as a network tool. Netcat has built-in scanning features, and reads and writes data across the network using TCP and UDP protocols. It is also useful as a debugging tool, as it can create almost any kind of connection.
The basic usage for netcat is netcat host port. This command opens a TCP connection with the host on the specified port. I often use netcat to scan a range of ports to see which ports are open. For example, netcat -v -z hostname 1-1024 scans the host for ports 1-1024 to see which ports are open.
Iptables is an amazing security tool that comes built into the kernel for configuring Linux firewalls. A number of graphical front ends make configuration easier. I use KIptablesGenerator, a front end that generates a script and lets you configure allowed ports and network address translation (NAT), or Firewall Builder, a tool that simplifies iptables configuration.
Iptables syntax is complex, with many options. There are some good tutorials on the Web covering iptables in detail. I like the iptables tutorial by Oskar Andreasson, and the Netfilter site has documentation as well.
Ping is a really old network tool, but it still does the job. Yes, there are better versions with more options, such as fping and hping, but the quickest way to see whether a host is up is to use ping.
Tcpdump prints the packets traveling across the network, and can be used as a network protocol analyzer. Tcpdump has advanced options for filtering packets and specifying the interface to listen on. To run tcpdump you need to be logged in as root.
If you run tcpdump in default mode its output can be huge. To minimize the output, I use the host filter -- for example, tcpdump host 192.168.0.1. This command displays only frames containing the address 192.168.0.1. When I want to watch a specific port I run a command like tcpdump -e host 192.168.0.1 and port 23, which displays only the frames involving port 23 (Telnet). The -e option makes tcpdump show MAC addresses as well.
Dig performs DNS lookups and whois queries. Dig is used for troubleshooting DNS problems. By default, dig will query the servers specified in your /etc/resolv.conf, but you can also specify a server if you don't want to use those in resolv.conf. This is particularly handy when you're testing DNS servers to verify that they're returning the right information for a domain.
IPTraf is a useful network monitoring tool built using ncurses. IPTraf generates statistics including TCP, UDP, and ICMP info and Ethernet and IP stats. IPTraf can show you IP packet counts, IP packet errors, and incoming and outgoing packets on both TCP and UDP. It also has built-in display filters that allow you to filter the output.
Netstat prints information about network connections, routing tables, and interface statistics. Its information about network connections, which allows you to see every connection made to and from your computer, is especially valuable. If no options are passed to the program, netstat prints information about open sockets.
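Netstat's connection table gets long on a busy host, and the question you usually have is "who is connected, and how many times?". Below is an added example, not netstat's own code, that summarizes such a table with awk: connections per foreign host, busiest first, and the distinct local ports that have established connections. The input is a constructed sample shaped like Linux netstat -tn output; in practice you would pipe the real command into the functions.

```shell
#!/bin/sh
# Added example (not part of netstat): summarize a netstat -tn connection table.
# SAMPLE_NETSTAT is constructed to mimic Linux netstat -tn output, with the
# columns Proto Recv-Q Send-Q Local Address Foreign Address State.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.10:22         192.168.0.1:51234       ESTABLISHED
tcp        0      0 192.168.0.10:22         192.168.0.1:51240       ESTABLISHED
tcp        0      0 192.168.0.10:80         203.0.113.7:40001       ESTABLISHED
tcp        0      0 192.168.0.10:80         203.0.113.7:40002       ESTABLISHED
tcp        0      0 192.168.0.10:80         203.0.113.7:40003       ESTABLISHED
tcp        0      0 192.168.0.10:443        198.51.100.23:55555     TIME_WAIT
tcp6       0      0 ::1:631                 ::1:44100               ESTABLISHED'

# peers_by_connections: read netstat -tn output on stdin and print
# "count host" for each foreign host with ESTABLISHED connections, busiest first.
peers_by_connections() {
    awk '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            # The port is everything after the last colon; drop it to keep the host.
            host = $5; sub(/:[^:]*$/, "", host)
            n[host]++
        }
        END { for (h in n) print n[h], h }' | sort -rn
}

# local_ports_in_use: distinct local ports that currently have ESTABLISHED connections.
local_ports_in_use() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" { p = $4; sub(/.*:/, "", p); print p }' |
        sort -n | uniq
}

# Usage with the constructed sample; replace with: netstat -tn | peers_by_connections
printf '%s\n' "$SAMPLE_NETSTAT" | peers_by_connections
printf '%s\n' "$SAMPLE_NETSTAT" | local_ports_in_use
```

The TIME_WAIT line is deliberately excluded by the state filter: half-closed and transient states inflate counts without telling you who is actually talking to the machine right now.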
For any enterprise, network administration is important. These network tools can help keep your network safe.