Monitoring your system
After you take steps to prevent intrusion, you need to set up a monitoring system to detect whether an attack against your server has taken place. If you're alerted to an attack, you're better prepared to handle it. Tripwire (see Resources) alerts you to unauthorized activity that takes place with system files on your server. Use Logwatch (see Resources) to create reports you can analyze.
Tripwire sets up a baseline of normal system binaries for your computer. It then reports any anomalies against this baseline through an email alert or through a log. Essentially, if the system binaries have changed, you'll know about it. If a legitimate installation causes such a change, no problem. But if the binaries are altered as a result of a Trojan horse-type installation, you have a starting point from which to research the attack and fix the problems.
- To install and configure Tripwire through the command line, type the following command and then press Enter:
sudo aptitude install tripwire
- Choose Yes to all of the questions during the installation.
You may be asked to create a passphrase. If you are, make note of it for future use.
- When you reach the screen shown in Figure 1, Tripwire has been installed. Click OK.
Figure 1. Tripwire installation complete
- Open your text editor to make the configurations shown in Listing 2, substituting your server name for hostname (you'll be using Emacs here):
hostname ~ # emerge tripwire
hostname ~ # cd /etc/tripwire
hostname ~ # emacs -nw /etc/tripwire/twpol.txt
hostname ~ # emacs -nw /etc/tripwire/twcfg.txt
- Enter the following command to create keys and sign the policy:
hostname ~ # cd /etc/tripwire ; sh ./twinstall.sh
- Initialize everything, and create the database using the next command (you should be asked to supply your passphrase here):
hostname ~ # tripwire --init
When this process is complete, Tripwire has created a snapshot of your system. This baseline will be used to check whether any critical files have been changed. If they have, you'll be alerted to it.
You can run reports from Tripwire, as well. From your editor, type this command:
sudo twprint --print-report -r\
Now, your prompt changes to a single caret (>). At this new prompt, type:
If you don't know the exact time you ran your report, navigate to the directory /var/lib/tripwire/reports to see the complete file name.
To fine-tune the capabilities of Tripwire, you can look to twadmin. You can also set a cron job to email you a copy of this report each day or configure Tripwire to email you if an anomaly is reported.
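The following script is an added example, not part of the original article or of Tripwire itself: a wrapper you could run from cron that performs the daily integrity check and mails the report only when the baseline was violated or the check could not be read. It assumes the Debian/Ubuntu binary path /usr/sbin/tripwire, a working local mail command, and that the report summary carries a "Total violations found:" line (the report excerpt in demo is constructed).

```shell
#!/bin/sh
# Added example, not from the article. Paths and the mail command are assumptions.
TRIPWIRE=${TRIPWIRE:-/usr/sbin/tripwire}
MAILTO=${MAILTO:-root}

# violations_in_report FILE
# Print the count from the "Total violations found:" summary line of a Tripwire
# report text ('tripwire --check' or 'twprint --print-report' output).
# Prints nothing when the line is absent, which the caller treats as a failure.
violations_in_report() {
    awk -F: '/^Total violations found:/ { gsub(/[^0-9]/, "", $2); print $2 }' "$1"
}

# should_alert FILE -> exit status 0 when a human should look at the report:
# either violations were recorded, or the summary is missing (check did not
# complete, database unreadable, wrong passphrase...). A silent failure is
# worse than a spurious mail for an integrity monitor.
should_alert() {
    n=$(violations_in_report "$1")
    [ -z "$n" ] || [ "$n" -gt 0 ]
}

# daily_check: run the integrity check, keep its text, mail it on alert.
# Example crontab entry (as root): 0 2 * * * /usr/local/sbin/tripwire-daily.sh run
daily_check() {
    report=$(mktemp) || return 1
    # tripwire exits non-zero when it finds violations; that must not abort us.
    "$TRIPWIRE" --check > "$report" 2>&1 || true
    if should_alert "$report"; then
        mail -s "Tripwire: ${n:-unreadable} violation(s) on $(hostname)" \
            "$MAILTO" < "$report"
    fi
    rm -f "$report"
}

# demo: exercise the parser on a constructed report excerpt so the alert logic
# can be checked on a machine without Tripwire installed.
demo() {
    sample=$(mktemp) || return 1
    printf 'Total objects scanned:  12345\nTotal violations found:  2\n' > "$sample"
    if should_alert "$sample"; then
        echo "alert: $(violations_in_report "$sample") violation(s)"
    fi
    rm -f "$sample"
}

case "${1:-demo}" in
    run)  daily_check ;;
    demo) demo ;;
esac
```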
Logwatch helps you monitor your system's log files. This program requires a working mail server on your network to email the logs to you. If you want to change the .conf file, open /usr/share/logwatch/default.conf/logwatch.conf, look for the line that reads user.name.domain.tld, and change it to your email address.
You can install Logwatch with this command:
sudo aptitude install logwatch
To email the logs to yourself, type:
logwatch --mailto email@example.com --range All
Pressing Enter sends a copy of the report to the email address specified. If you aren't running a mail server on your network but would still like to see a Logwatch report, the following command provides it on your screen:
logwatch --range All --archives --detail Med
The output spans several screens; press Shift-Page Up to move to the beginning of the report.