LINUX SECURITY --- November 28, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
-----------------------------------------------------------------------
HIGHLIGHTS

* Tools to help you verify the integrity of your network
-----------------------------------------------------------------------

Taking Back Your Box
By Rick Johnson

Last week we discussed the growing problem of vulnerable Linux systems hitting the Internet. Default installations are a feeding ground for unscrupulous souls looking for somewhere to park their root kits.

Now maybe I was under the influence of the holidays, but I made a statement about each of us helping one person in the community with security. Well, that statement managed to elicit quite a positive response. As I responded to the incoming emails, a familiar pattern appeared. First, quite a few readers are new to the security arena. Second, everyone was genuinely concerned with locking down his or her own server but lacked the knowledge of where to begin. Then, of course, there was the third: a definite fear of a Trojan infestation.

Well, the first two points will only come with time. Trojans are a complicated issue, but they can be overcome. I hesitate to say this but, if you are lucky, something will tip you off to a compromised system. Whether it is an anomalous log entry or an unauthorized activity complaint, be thankful that you are now aware of the infestation. Think of the poor souls out there who spend their days happily plugging away on their box without ever knowing that someone is secretly watching over their shoulder.

Without a file integrity verification tool, the job is difficult. Thankfully, the open source community has once again provided the necessary tools to overcome this obstacle. Here are a couple of them. (Standard disclaimer: While I have used these tools, I can by no means guarantee their effectiveness. As always, your mileage may vary.)
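The step every one of the tools below builds on is comparing what is on the disk against a record taken when the system was known to be clean. As an added example (not from this newsletter or from any of the projects named in it), the Python script below takes such a baseline of a set of binaries and reports what no longer matches; the scratch directory and the fake "binaries" it checks are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Hash a file's contents plus the metadata a trojaned binary usually alters."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}

def build_baseline(paths):
    # Take the baseline from known-clean media (a rescue floppy such as tomsrtbt)
    # and keep it off the box: anything that can replace /bin/ps can edit a local file.
    return {p: fingerprint(p) for p in paths}

def verify(baseline):
    """Return sorted (path, reason) pairs for every monitored file that no longer matches."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings.append((path, "missing"))
            continue
        actual = fingerprint(path)
        findings.extend((path, key) for key in expected if actual[key] != expected[key])
    return sorted(findings)

def demo():
    # Constructed sample: a scratch directory standing in for /bin, with three fake binaries.
    with tempfile.TemporaryDirectory() as root:
        files = {n: os.path.join(root, n) for n in ("ls", "ps", "netstat")}
        for name, path in files.items():
            with open(path, "wb") as f:
                f.write(b"\x7fELF original " + name.encode())
            os.chmod(path, 0o755)
        baseline = build_baseline(list(files.values()))
        # Simulate what a rootkit leaves behind: ps swapped for a same-size replacement,
        # ls made setuid, netstat deleted outright.
        with open(files["ps"], "wb") as f:
            f.write(b"\x7fELF replaced ps")
        os.chmod(files["ls"], 0o4755)
        os.remove(files["netstat"])
        return verify(baseline)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"CHANGED {path}: {reason}")
```

Because the replacement for ps is the same size as the original, a check on size or timestamps alone would miss it; the content hash is what catches it.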
* Rkdet (http://vancouver-webpages.com/rkdet/) -- Rkdet is a daemon intended to catch someone installing a rootkit or running a packet sniffer. Designed to run continuously with a small footprint under an innocuous name, when triggered it sends email, appends to a log file, and disables networking or halts the system.

* Chkrootkit (http://www.chkrootkit.org/) -- Chkrootkit is a program to aid in rootkit detection and identification. Chkrootkit looks for known "signatures" in trojaned system binaries. It can scan for signs of the Solaris rootkit, FreeBSD rootkit, lrk3, lrk4, lrk5, t0rn and some lrk variants.

* Tomsrtbt (http://www.toms.net/rb/) -- Tomsrtbt is a floppy-based distribution of Linux with an emphasis on system recovery. It will give you an untouched set of tools to allow for assessment of a potentially compromised system.

While none of these tools is a replacement for a fresh system reinstall, they will help combat that lingering system integrity doubt. Of course, nothing is certain, but isn't that part of the fun?

About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for FusionStorm, a remote managed services company. When not writing, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at rick@pointman.org or on the web at http://www.pointman.org.