There is an industry joke that goes something like this: What makes a system insecure? Answer: Switching it on.
Sadly, the quip hides a great deal of truth, and in today's increasingly connected world, chances are that if you have a computer attached to a network or to the Internet you will experience some sort of malicious attack.
Alastair Otter, Journalist, ITWeb
Most times, box owners don't even know they have been attacked because they have no real way of measuring the security of their systems and their level of exposure. A figure that comes to mind is a recent survey by Ernst & Young that found that only 40% of corporations were confident that they would detect a systems attack. And these are corporations that have resources and skills to expend on security.
For home users and small and medium-sized businesses, the figure is very probably significantly higher than 40%.
One of the main reasons that most users are unable to detect and prevent intrusions into their systems is the fact that the process is enormously time-consuming. Traditionally, good intrusion detection has relied on manually scanning log files looking for irregularities as well as monitoring system files for alterations. But if you run even a moderately busy server, particularly a Web server, monitoring log files alone could consume the better part of your day.
Help is at hand
Fortunately there are a number of open source applications that go some way to making the process just a little easier and less time-consuming. And while we can't look at them all, two stand out in the field of intrusion detection: Tripwire and LogSentry.
Tripwire, which is shipped with most Linux distributions, creates a signature database of all the files on a system known to be clean which it then uses to check for changes to files, particularly system files.
Typically, when an intruder gains access to a system they will want to leave behind Trojans, applications that can hide their activities. Often these will replace known tools on the system such as ls, ftp, su and ifconfig, and while the new tool will seem normal from the outside, it will most likely contain extra code. Using the original database, Tripwire compares system files against their unaltered signatures, which throws up any change, for example a different file size: a sure sign that files have been tampered with. If this happens, chances are the system has been compromised in some way.
The best way, and only truly reliable way, of installing Tripwire is to install it immediately following a brand new install of the operating system. Obviously, as the system is altered and new applications are added, the signature database will need to be updated. Capturing an entire system database can be time-consuming, so it may be necessary to limit the check to critical file areas. What you consider critical may be different to other users, but at a minimum all binary and library file systems should be checked regularly, bearing in mind that compromised files could well be located anywhere on the system so it is best to protect as much as possible.
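The baseline-and-compare cycle described above, as an added example rather than Tripwire's own code: a small POSIX shell script that records a SHA-256 signature (via sha256sum, standing in for Tripwire's signature database) for every regular file under a directory, and later reports which files were modified, added or removed. The file layout in the usage comments and the init/check subcommands are this example's own conventions, not Tripwire's.

```shell
#!/bin/sh
# Added example, not Tripwire's own code: a minimal file-integrity check in
# the style Tripwire implements. A baseline records a SHA-256 signature
# (sha256sum here; Tripwire keeps its own signature database) for every
# regular file under a directory, and a later check reports files that were
# modified, added or removed since the baseline was taken.

# make_baseline DIR BASELINE_FILE
# Records "hash  ./relative/path" for each regular file under DIR. Paths are
# relative to DIR so the baseline can be checked from any mount point, and
# sorted so two baselines of the same tree diff cleanly. Keep BASELINE_FILE
# outside DIR (ideally on read-only media), or it will be hashed too.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# check_baseline DIR BASELINE_FILE
# Re-hashes DIR and prints one line per difference (MODIFIED / ADDED / REMOVED).
# Returns 0 when the tree matches the baseline exactly, 1 otherwise.
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    rc=0
    awk -v basefile="$2" '
        # sha256sum output: 64 hex characters, two spaces, then the path
        # (taken with substr so paths containing spaces survive).
        { hash = $1; path = substr($0, 67) }
        FILENAME == basefile   { expected[path] = hash; next }
        !(path in expected)    { print "ADDED    " path; bad = 1; next }
        expected[path] != hash { print "MODIFIED " path; bad = 1 }
        { seen[path] = 1 }
        END {
            for (p in expected) if (!(p in seen)) { print "REMOVED  " p; bad = 1 }
            exit bad + 0
        }
    ' "$2" "$current" || rc=$?
    rm -f "$current"
    return "$rc"
}

# Usage (hypothetical file name integrity.sh):
#   sh integrity.sh init  /usr /var/lib/integrity/usr.base   (right after a clean install)
#   sh integrity.sh check /usr /var/lib/integrity/usr.base   (from cron; any output is a finding)
case ${1:-} in
    init)  make_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

Because the check prints nothing and exits 0 on a clean tree, a cron job can mail its output to root and the mail only arrives when something changed; re-run the init step after every legitimate package update, exactly as the article says the Tripwire database must be refreshed.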
Simplifying the process
The other tool is LogSentry, previously known as Logcheck. LogSentry may not be on all distributions and can be found at http://www.psionic.com/products/logsentry.html. LogSentry scans the log files you specify for unusual activity and attacks. Manually scanning logs on a regularly used system is almost impossible and highly prone to error. While LogSentry is by no means bullet-proof, it does simplify the process to a manageable level.
LogSentry checks three primary areas: it checks logs for active system attacks, looks for security violations and checks for unusual system actions. These reports are then e-mailed to root, who can then scan a much smaller list of log events.
Oftentimes LogSentry will pick up fairly innocent activities, such as users mistyping commands or directory names with no malicious intent. However, it is worth wading through these for the few times that someone is genuinely trying to crack the system. LogSentry is not completely bullet-proof, an obvious case being when an attacker has already gained root and is hiding their tracks. But LogSentry will pick up the initial attempts by the attackers before they gain root, giving administrators a bit of a warning.
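The three-way sort that LogSentry performs (active attacks, security violations, unusual events) plus an ignore list for the innocent noise mentioned above, as an added example that is not LogSentry's or Logcheck's own code. The keyword lists, section titles and the sample syslog lines are all constructed for this example (192.0.2.10 is a documentation address, "box" and "jdoe" are made-up names); a real deployment tunes the lists to its own services.

```shell
#!/bin/sh
# Added example, not LogSentry's own code: a Logcheck-style log scan.
# Each log line is matched against keyword lists in priority order. The
# lists below are constructed for this example; a real deployment tunes
# them to its own services and log formats.

IGNORE_PATTERNS='CRON\[[0-9]+\]: \(root\) CMD|syslogd .*: restart'
ATTACK_PATTERNS='LOGIN REFUSED|ATTACK|rootkit'
VIOLATION_PATTERNS='Invalid user|Failed password|FAILED SU|authentication failure|denied'

# classify_line LINE
# Prints IGNORE, ATTACK, VIOLATION or UNUSUAL. The ignore list wins first so
# known noise never reaches root; attack keywords outrank violation keywords
# so a serious line is not filed in the milder section by accident.
classify_line() {
    if   printf '%s\n' "$1" | grep -Eq  "$IGNORE_PATTERNS";    then echo IGNORE
    elif printf '%s\n' "$1" | grep -Eiq "$ATTACK_PATTERNS";    then echo ATTACK
    elif printf '%s\n' "$1" | grep -Eiq "$VIOLATION_PATTERNS"; then echo VIOLATION
    else echo UNUSUAL
    fi
}

# print_section TITLE FILE: one report block, skipped when FILE is empty.
print_section() {
    [ -s "$2" ] || return 0
    printf '%s\n' "$1"
    printf '%s\n' "$1" | sed 's/./=/g'
    cat "$2"
    echo
}

# scan_log LOGFILE
# Prints the three report sections the article describes, most serious first,
# and returns 1 if any attack or violation line was found (0 otherwise), so a
# cron wrapper can decide whether the report is worth mailing to root.
scan_log() {
    tmp=$(mktemp -d)
    for section in ATTACK VIOLATION UNUSUAL; do : > "$tmp/$section"; done
    while IFS= read -r line; do
        category=$(classify_line "$line")
        [ "$category" = IGNORE ] || printf '%s\n' "$line" >> "$tmp/$category"
    done < "$1"
    print_section 'Active System Attack Alerts' "$tmp/ATTACK"
    print_section 'Security Violations'         "$tmp/VIOLATION"
    print_section 'Unusual System Events'       "$tmp/UNUSUAL"
    alerts=$(cat "$tmp/ATTACK" "$tmp/VIOLATION" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    [ "$alerts" -eq 0 ]
}

# write_sample_log FILE: constructed syslog lines for a dry run.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  5 03:17:02 box CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan  5 03:22:41 box sshd[2210]: Invalid user admin from 192.0.2.10
Jan  5 03:22:44 box sshd[2210]: Failed password for invalid user admin from 192.0.2.10 port 4410 ssh2
Jan  5 03:31:09 box su: FAILED SU (to root) jdoe on /dev/pts/1
Jan  5 03:41:12 box in.ftpd[2300]: ANONYMOUS FTP LOGIN REFUSED FROM 192.0.2.10
Jan  5 03:45:00 box kernel: eth0: link down
Jan  5 03:50:13 box syslogd 1.4.1: restart.
EOF
}

# Usage (hypothetical file name logscan.sh): sh logscan.sh /var/log/messages
# With no argument nothing runs, so the functions can be sourced from cron scripts.
[ $# -eq 0 ] || scan_log "$1"
```

On the constructed sample the scan files the FTP line under attacks, the three failed logins under violations, the link-down message under unusual events, and drops the cron and syslogd lines entirely, which is exactly the reduction from a full log to a short list that the article credits LogSentry with. Note that the ordering of the checks matters: the FTP line also contains "REFUSED", so without attack keywords taking priority it would be buried among the violations.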
Security is a people-intensive business and no matter how good the tools, someone will still have to wade through hundreds of logs and build signature files of known secure systems. Tools such as LogSentry and Tripwire simplify the task enormously and are just about indispensable in the Linux administrator's toolbox.