[ previous ] [ Abstract ] [ Copyright Notice ] [ Contents ] [ next ]

Securing Debian HOWTO
Chapter 6 Before the compromise


6.1 Set up Intrusion Detection.

FIXME: Write more about this.

Debian includes some tools for Intrusion Detection which you might want to setup (if truly paranoid of if your system is really critical).

Always be aware that in order really improve the system's security with the introduction of any of these tools, you need to have an alert+response mechanism, so don't use Intrusion Detection if you are not going to alert anyone (i.e. don't waste your time configuring things you will not use later on).


6.1.1 Network based intrusion detection: Using snort

snort is a flexible packet sniffer or logger that detects attacks using an attack signature dictionary. It detects a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability. This is a tool which should be installed on every router to keep an eye on your network. Just install it via apt-get install snort, follow the questions and watch it log.

Snort in Debian is enabled with many security checks which you might want, ; however, you should customize the setup to take into account the particular services you run on your system. You might also want to retrieve additional checks specific to these services


6.1.2 Host based detection

Tiger is an old intrusion detection tool which has been ported to Debian since woody. Tiger provides check of common issues related to security breakins, checks passwords strength, filesystem problems, communicating processes... The Debian version includes new security checks Debian-specific: MD5sums of provided binaries, and checks of installed and vulnerable packages. The default installation makes tiger run each day and generate a report that is sent to the superuser. The generated reports can give away information of a successful compromise of the system.

Other audit tools, on-site, like logcheck, portsentry or any of the filesystem integrity checkers (see Checking filesystem integrity, Section 4.21) can be quite useful in order to set up detection of anomalies in a secured environment.


6.2 Useful kernel patches

FIXME: This section needs to cover how these specific patches can be installed in Debian using the kernel-2.x.x-patch-XXX packages.

There are some kernel patches, which significantly enhance system security. Here are a few of them:


6.3 Avoiding rootkits


6.3.1 LKM - Loadable Kernel Modules

LKM (Loadable Kernel Modules) are files containing dynamically loadable kernel components. They are dynamically loadable in kernel to run assigned tasks. On the GNU/Linux they are used to expand the functionality of kernel. Several advantages can be taken using LKMs, as we saw, they can dynamically be loadabled without recompiling the entire kernel, can be used to specify devices drivers (or filesystems) and other hardware drivers like soundcards, networkcards. But some crackers might use LKMs for rootkits (knark and adore) to install backdoors for GNU/Linux systems.

LKM rootkits can hide processes, files, directories and even connections without modifying the source code of binaries.


6.3.1.1 The adore rootkit

You can find it at http://packetstorm.securify.com/groups/teso/adore-0.38.tar.gz. See the README for compiling and configuring adore. Once you have already ran ./startadore you can run ./ava. The startadore script load the lkm rootkit and make it invisible on lsmod command. Now you are free to use adore, the usage of ava is very easy to understand. Just take a look at the output from ./ava.

     Usage: ./ava {h,u,r,R,i,v,U} [file, PID or dummy (for U)]
     
     	h hide file
     	u unhide file
     	r execute as root
     	R remove PID forever
     	U uninstall adore
     	i make PID invisible
     	v make PID visible


6.3.1.2 The knark rootkit

You can find it at http://packetstorm.securify.com/UNIX/penetration/rootkits/knark-0.59.tar.gz Get the source code from the address above, then compile it typing "make". So you are ready to load the lkm rootkits, use

     insmod knark.o

A hidden directory /proc/knark is created, which includes some files that will define what things will be hidden from the system, strings in /proc/net, files, pids, redirects..


6.3.1.3 The rkit toolkit

You can find it at http://packetstorm.securify.com/UNIX/penetration/rootkits/Rkit-1.01.tgz Put your UID in the rkit.c "#define magik_UID" statement as in:

     #define magik_UID 500

Compile the rkit.c and load the kernel module. All the processes made by the defined UID will be hidden from the system.


6.3.2 Detecting rootkits

Detection of rootkits in Debian can be accomplished with chkrootkit, which can detect some of them.

You can also use SKAT. SKAT checks the kernel memory area (/dev/kmem) for information about the target host, this information includes the installation of Loadable Kernel Modules.

FIXME: Add info on how to compile the kernel w/o lkm support?


6.4 Genius/Paranoia Ideas — what you could do

This is probably the most unstable and funny section, since I hope that some of the "duh. that sounds crazy" ideas might be realized. Following here you will find some ideas — it depends on the point of view whether you say they are genius, paranoid, crazy or secure — to increase your security rapidly but you will not come unscathed out of it.


6.4.1 Building a honeypot

FIXME. More Content specific to Debian needed.

If you wish (and can also implement it and dedicate time to it) you can set a full honeypot using a Debian GNU/Linux system. You have all the tools needed in order to setup all the honeynet: the firewall, the network intrusion detector and the fake server. Be careful, however, you have to be pretty sure that you will be alerted in time (see The importance of logs and alerts, Section 4.11) so that you can take appropiate measures and terminate the compromise as soon as you fill you've seen enough.

You can read more about building honeypots in Lanze Spitzner's excellent article To Build a Honeypot (from the Know your Enemy series), or David Raikow's Building your own honeypot. Also, the Honeynet Proyect is dedicated to building honeypots and auditing attacks made to them, there is valuable information there on howto setup a honeypot and howto audit the results of an attack (check out the contest).


[ previous ] [ Abstract ] [ Copyright Notice ] [ Contents ] [ next ]
Securing Debian HOWTO
v1.93 20 November 2001Tue, 13 Nov 2001 15:54:35 +0100
Javier Fernández-Sanguino Peña jfs@computer.org