Intruders are constantly attempting different mechanisms to attack your system. You must be able to detect these varying attempts, and know what to do when they happen. You should also be able to distinguish normal operating conditions from an actual attack.
You must be able to determine things like whether or not there really was an intrusion, and to what extent the attack occurred.
Intrusion Detection is the method a security administrator uses to detect the presence of an unauthorized intruder. An Intrusion Detection System (IDS) is the combination of tools that a security administrator uses to detect the intrusion. Briefly, the available types of intrusion detection include:
Being capable of detecting an intrusion is as important as being able to stop it once it happens. It is important that you are able to detect the subtle signs left by an intruder during his attack on your system.
Suspicious signs of intrusion include at least the following:
Check the $HOME/ directory, such as $HOME/.bashrc, for modified $PATH entries, as well as changes in system configuration files in /etc.
In order to determine if an intruder has violated your system, you must be familiar with the normal system administration tools, and be able to use them to find the ``footprint'' a cracker may have left behind. This procedure can be relatively easy, or practically impossible, depending on how much preparation you have done, the stage at which you detected the intruder, and how skilled the intruder is.
There are pointers throughout this document that list the various tools available. Some of the tools and methods you should become familiar with include:
syslog(8), which is responsible for logging many system events that are helpful in tracking connections to your system, as well as local system events.
The last(1), lastcomm(1), and netstat(8) commands. These are available to show valuable information about the users, commands, and connections on your system. More information on these commands is available in the User Security section.
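The kind of review the syslog(8) records support, as an added example that is not part of this document: the script below scans constructed /var/log/messages-style lines (not a real capture) for repeated login failures from one address, su-to-root by accounts that are not expected to do it, and a successful login from an address that was also guessing passwords. The message patterns are assumptions about the formats login, sshd and su produce; check them against your own logs before relying on them.

```python
"""Scan syslog-style authentication records for signs of intrusion.

Added example (not from the HOWTO). The sample lines are constructed to
resemble traditional syslog(8) output from login, sshd and su; real
message formats vary by distribution and version, so the patterns are
assumptions to adapt to your own logs.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/messages-style lines (not a real capture).
SAMPLE_LOG = """\
Mar  3 02:14:01 host login[1123]: FAILED LOGIN 1 FROM 10.0.0.7 FOR root, Authentication failure
Mar  3 02:14:05 host login[1123]: FAILED LOGIN 2 FROM 10.0.0.7 FOR root, Authentication failure
Mar  3 02:14:09 host login[1123]: FAILED LOGIN 3 FROM 10.0.0.7 FOR root, Authentication failure
Mar  3 02:14:13 host login[1123]: FAILED LOGIN 4 FROM 10.0.0.7 FOR root, Authentication failure
Mar  3 02:15:40 host sshd[1190]: Accepted password for kevin from 192.168.1.20 port 40210 ssh2
Mar  3 02:16:02 host su: kevin to root on /dev/pts/1
Mar  3 03:00:00 host su: guest to root on /dev/pts/2
Mar  3 03:01:12 host sshd[1201]: Failed password for invalid user oracle from 10.0.0.7 port 51000 ssh2
"""

# Message patterns (assumed formats; verify them against your own syslog).
FAILED_LOGIN = re.compile(r"login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
SSHD_FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SSHD_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SU_TO_ROOT = re.compile(r" su: (\S+) to root on (\S+)")


def analyze(log_text, allowed_su=frozenset({"kevin"}), fail_threshold=3):
    """Return a report of repeated failures, unexpected su-to-root and
    successful logins from addresses that were also failing."""
    failures = Counter()            # source address -> failed attempts
    targets = defaultdict(set)      # source address -> accounts tried
    accepted = []                   # (user, source) successful logins
    su_events = []                  # (user, tty) su to root

    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            failures[m.group(1)] += 1
            targets[m.group(1)].add(m.group(2))
            continue
        m = SSHD_FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            targets[m.group(2)].add(m.group(1))
            continue
        m = SSHD_ACCEPT.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
            continue
        m = SU_TO_ROOT.search(line)
        if m:
            su_events.append((m.group(1), m.group(2)))

    noisy = {ip for ip, n in failures.items() if n >= fail_threshold}
    return {
        "brute_force": {ip: failures[ip] for ip in sorted(noisy)},
        "targeted_accounts": {ip: sorted(targets[ip]) for ip in sorted(noisy)},
        "unexpected_su": [(u, tty) for u, tty in su_events if u not in allowed_su],
        "accepted_logins": accepted,
        # A success from an address that was guessing is the worst sign.
        "successful_after_failures": [(u, ip) for u, ip in accepted if ip in noisy],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log, the same report is only as trustworthy as the log itself; an intruder who gains root can edit /var/log/messages, which is one reason the document later recommends sending syslog data to a central log server.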
There are many intrusion detection tools available for Linux, and many new tools are constantly becoming available. While the majority of the tools are host-based intrusion detection tools, there are a number of network-based tools as well.
There are also several intrusion detection tools available at http://www.eng.auburn.edu/users/doug/second.html including a tool called klaxon which basically sets a trap for an intruder, then notifies you when someone is ``doorknob rattling''.
A very good way to determine if you have an unwanted visitor is to check your local files for possible trojan horses, missing files, files that are larger or smaller than they are supposed to be, etc.
Fortunately, there are several tools that can verify the file integrity. Many Linux distributions use RPM for their package management, which inherently has integrity checking. Also available is the well-known program called tripwire.
Tripwire runs a number of checksums on all your important binaries and config files and compares them against a database of former, known-good values as a reference. Thus, any changes in the files will be flagged.
It's a good idea to install tripwire onto a floppy, and then physically set the write protect on the floppy. This way intruders can't tamper with tripwire itself or change the database. Once you have tripwire set up, it's a good idea to run it as part of your normal security administration duties to see if anything has changed.
You can even add a crontab entry to run tripwire from your floppy every night and mail you the results in the morning. Something like:
# set mailto
MAILTO=kevin
# run tripwire
15 05 * * * root /usr/local/adm/tcheck/tripwire
will mail you a report each morning at 5:15am.
Tripwire can be a godsend in detecting intruders before you would otherwise notice them. Since a lot of files change on the average system, you have to be careful to distinguish cracker activity from your own doing, which is a solid reason to keep track of the status of the binaries on your system.
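The mechanism tripwire relies on, as an added example that is not tripwire's own code: record a checksum, size and permission bits for every file under a tree, keep that baseline somewhere the intruder cannot write, and later compare a fresh scan against it. The script builds a small constructed tree in a temporary directory, takes a baseline, simulates tampering, and reports what changed. The file names and contents are made up for the demonstration.

```python
"""Tripwire-style integrity baseline for a directory tree.

Added example, not tripwire's code. It records size, permission bits and
a SHA-256 digest of every regular file under a root, then compares a
fresh scan against the stored baseline and reports added, removed and
changed files. The sample tree and the "tampering" are constructed in a
temporary directory so the example runs offline.
"""
import hashlib
import os
import stat
import tempfile

CHECKED_FIELDS = ("size", "mode", "sha256")


def file_record(path):
    """Size, permission bits and SHA-256 of one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "sha256": digest.hexdigest()}


def build_baseline(root):
    """Map of path (relative to root) -> record for every regular file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue    # symlinks and special files are out of scope here
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree under root against a baseline built earlier."""
    current = build_baseline(root)
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        diffs = [k for k in CHECKED_FIELDS if current[rel][k] != baseline[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": changed,
    }


def demo():
    """Build a baseline, tamper with the tree, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        login = os.path.join(root, "bin", "login")
        passwd = os.path.join(root, "etc", "passwd")
        motd = os.path.join(root, "etc", "motd")
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/true\n")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        os.chmod(passwd, 0o644)
        with open(motd, "wb") as f:
            f.write(b"welcome\n")
        baseline = build_baseline(root)

        # Constructed tampering: a replaced binary of identical size (only the
        # digest catches it), loosened permissions, a new file, a deleted file.
        with open(login, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/tru3\n")
        os.chmod(passwd, 0o666)
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"x")
        os.remove(motd)
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The replaced binary in the demonstration keeps its exact size, which is why a size-only comparison is not enough and the checksum is what tripwire actually depends on. The same caveat the document gives for tripwire applies here: the baseline and the checking program must live on media the intruder cannot modify, or both can be rewritten to match the tampered files.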
A company called Visual Computing Corporation now apparently has been given exclusive rights to continue development of tripwire, originally developed at Purdue University. It looks to be so-far-so-good, as there is still a working version for Linux. You can find more information from them at http://www.visualcomputing.com
The Red Hat Package Manager (RPM) program includes the ability to verify all packages that it has installed on the system.
RPM has facilities for verifying that a package is not corrupt or has components missing. A program added or removed by a cracker will not match the original and RPM will generally report a verification failure.
Now, if you suspect your system has been compromised, you can use the command:
root# rpm -Va
to verify each file on the system. See the RPM man page, as there are a few other options that can be included to make it less verbose. Keep in mind you must also be sure your RPM binary has not been compromised. RPM can also be combined with PGP to check a package's signature. Output like the following, showing a changed checksum and modification time on /bin/login:
..5....T /bin/login
should sound alarm bells. RPM produces the following useful output fields:
This means that every time a new RPM is added to the system, the RPM database will need to be re-archived. You will have to decide the advantages versus drawbacks. Also, keep in mind that it won't verify programs that RPM did not install.
Specifically, the files /var/lib/rpm/fileindex.rpm and /var/lib/rpm/packages.rpm most likely won't fit on a single floppy. Compressed, each should fit on a separate floppy. Consider storing this (as well as the actual /bin/rpm executable!!) on a Zip cartridge.
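How to read the rpm -Va output described above, as an added example that is neither part of this document nor of rpm: the flag letters are rpm's documented verify codes (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, with P for capabilities in newer versions), and the single letter that may appear between the flags and the path marks config, documentation, ghost, license and readme files. The script decodes constructed sample output (not a real run) and sorts the lines by how alarming they are, treating an edited config file differently from a changed binary.

```python
"""Decode and triage rpm -Va verification output.

Added example, not part of the HOWTO or of rpm. The flag letters are
rpm's documented verify codes; the attribute letter between the flags
and the path marks config, documentation, ghost, license and readme
files. The sample output is constructed, not a real rpm -Va run.
"""

FLAG_MEANING = {
    "S": "file size differs",
    "M": "mode (permissions or file type) differs",
    "5": "digest differs (MD5 in older rpm, SHA-256 in newer)",
    "D": "device major/minor number mismatch",
    "L": "symlink target differs",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "modification time differs",
    "P": "capabilities differ (newer rpm only)",
}
ATTR_MEANING = {"c": "config", "d": "documentation", "g": "ghost",
                "l": "license", "r": "readme"}

# Any of these means the file on disk is no longer what the package shipped.
CONTENT_FLAGS = {"S", "M", "5", "D", "L", "U", "G", "P"}

SAMPLE_OUTPUT = """\
..5....T /bin/login
S.5....T c /etc/inetd.conf
.M...... /bin/ps
missing   /sbin/ifconfig
.......T c /etc/motd
.....U.. /usr/bin/passwd
"""


def parse_verify_line(line):
    """Split one rpm -V line into path, failed flags and attribute."""
    parts = line.split()
    if not parts:
        return None
    path = parts[-1]
    if parts[0] == "missing":
        return {"path": path, "missing": True, "flags": [], "attr": None}
    # '.' marks a passed test and '?' a test rpm could not perform.
    flags = [c for c in parts[0] if c in FLAG_MEANING]
    attr = ATTR_MEANING.get(parts[1]) if len(parts) == 3 else None
    return {"path": path, "missing": False, "flags": flags, "attr": attr}


def classify(entry):
    """critical: a binary replaced, altered or removed; review: the content
    of a config file changed; info: only the timestamp moved."""
    if entry["missing"]:
        return "critical"
    flags = set(entry["flags"])
    if entry["attr"] == "config":
        # Config files are edited legitimately, so they go to a human for
        # review unless nothing but the mtime changed.
        return "review" if flags & CONTENT_FLAGS else "info"
    if flags & CONTENT_FLAGS:
        return "critical"
    # A lone mtime change on a binary is odd, but the bytes still match.
    return "review" if "T" in flags else "info"


def triage(output):
    """Group the paths in rpm -V output by severity, preserving order."""
    groups = {"critical": [], "review": [], "info": []}
    for line in output.splitlines():
        entry = parse_verify_line(line)
        if entry is not None:
            groups[classify(entry)].append(entry["path"])
    return groups


if __name__ == "__main__":
    for level, paths in triage(SAMPLE_OUTPUT).items():
        print(level, paths)
```

The triage is only meaningful if the rpm binary and the database under /var/lib/rpm are the ones you trust, which is exactly why the document tells you to keep copies of both on read-only media; a replaced rpm can report a clean system no matter what the files look like.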
Intruders often either modify, delete, or replace existing files in order to either cover their tracks, assist them in gaining access, or to gather further information.
Ensuring the integrity of the files and programs on your system is vital in intrusion detection. Several means can be used to determine if files have been tampered with on your system:
user@host# /usr/bin/find / -ctime -1 -print
Read the File System Security section for tips on scanning your filesystem for changed files, as well as setuid and sgid files.
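The two scans just mentioned, as an added example that is not part of this document: the script does what "find / -ctime -1 -print" does (lists regular files whose inode changed within the last day) and in the same pass lists files carrying the setuid or setgid bit. It runs over a constructed tree in a temporary directory; the file names are made up.

```python
"""Recently changed files and setuid/setgid programs under a tree.

Added example (not from the HOWTO). It does in Python what
"find / -ctime -1 -print" does for recently changed inodes, and also
lists files with the setuid or setgid bit set, which the File System
Security section tells you to scan for. The sample tree is constructed
in a temporary directory.
"""
import os
import stat
import tempfile
import time


def scan(root, window_seconds=24 * 3600, now=None):
    """Regular files whose inode changed within the window, and
    regular files carrying setuid/setgid bits."""
    now = time.time() if now is None else now
    recent, setid = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            # st_ctime is the inode change time: content, mode and owner
            # changes all bump it, and unlike mtime it cannot be set with touch.
            if now - st.st_ctime <= window_seconds:
                recent.append(rel)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                setid.append(rel)
    return {"recent": sorted(recent), "setid": sorted(setid)}


def demo():
    """Constructed tree: one plain file, one setuid file; scan it twice,
    once as of now and once as if three days had passed."""
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "hosts.conf")
        suid = os.path.join(root, "bin", "wrapper")
        os.makedirs(os.path.dirname(suid))
        for path in (plain, suid):
            with open(path, "wb") as f:
                f.write(b"#!/bin/sh\n")
        os.chmod(suid, 0o4755)          # setuid permissions, as on a root-owned helper
        today = scan(root)
        later = scan(root, now=time.time() + 3 * 24 * 3600)
        return {"today": today, "later": later}


if __name__ == "__main__":
    print(demo())
```

Because ctime cannot be reset from user space the way mtime can, a binary whose mtime has been put back to its original value still shows up in the recent list; comparing the setuid list against a copy taken when the system was known good is the quick way to spot a newly planted setuid program.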
Intruders may attempt to breach your network by physical infiltration as well as via the network. Keep in mind that one system can be used to penetrate many others, so securing one machine is as important as securing another.
The first thing to always note is when your machine was rebooted. Since Linux is a robust and stable OS, the only times your machine should reboot is when YOU take it down for OS upgrades, hardware swapping, or the like. You should always investigate machine reboots.
Check for signs of tampering on the case and computer area. Although many intruders clean traces of their presence out of logs, it's a good idea to check through them all and note any discrepancy.
One of the more common ways intruders gain access to multiple systems on your network is by employing a packet sniffer on an already compromised host. This software-based ``sniffer'' just listens on the Ethernet port for things like ``password'' and ``login'' and ``su'' in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear text passwords are very vulnerable to this attack.
An attacker doesn't even need to compromise a system to do this, they could also bring a laptop or PC into your building and tap into your net.
Using SSH, or other encrypted password methods, thwarts this attack. Things like APOP for POP email accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear text passwords over the wire.)
If you are using syslog to send your data to a central log server, consider that the data is sent in clear text, and much information can be gathered from this data. Consider using a secure implementation of syslog, which encrypts and compresses the data before it is sent. See the Using Syslog section for more information on configuring syslogd(8) securely.