General Utilities for UNIX Security
AIDE
AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. From the regular-expression rules in its configuration file it builds a database of the selected system files, recording a checksum (message digest) and file attributes for each one. The basic idea is that once the database has been created on a known-good system it can be used to verify the integrity of those files later: a digest that no longer matches means the file was modified. Its main use is to verify the integrity of selected files in order to assess whether unauthorized changes have been made. The database and the configuration must themselves be protected (kept read-only, ideally on removable or remote storage), since an intruder who can rewrite the database can simply re-baseline the files that were altered.
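The mechanism described above, as an added example that is not AIDE's own code: a minimal baseline-and-verify checker written around sha256sum so it runs without AIDE installed. Everything it touches lives under a temporary directory it creates, the watched files are constructed sample data, and the aide.conf rule and aide --init / aide --check commands named in the comments are the real AIDE equivalents of each step.

```shell
# Added example, not AIDE's own code: a stripped-down model of what AIDE does,
# built from sha256sum so it runs anywhere. Real AIDE records more attributes
# (permissions, inode, owner, size, mtime, several digests), chosen by rules
# such as   /etc p+i+n+u+g+s+m+c+sha256   in aide.conf.
# Every path below is constructed for the demonstration.

WORK="${WORK:-$(mktemp -d)}"
DB="$WORK/aide.db"       # plays the role of aide.conf's database_out / database_in
TREE="$WORK/etc"         # the "system files" being watched

# Create a small file tree to watch (constructed sample data).
setup_tree() {
    rm -rf "$TREE"
    mkdir -p "$TREE/ssh"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$TREE/passwd"
    printf 'PermitRootLogin no\n'            > "$TREE/ssh/sshd_config"
    printf '127.0.0.1 localhost\n'           > "$TREE/hosts"
}

# One record per regular file: path, sha256, mode, size.
# stat -c is GNU coreutils; on BSD/macOS use   stat -f '%Lp %z'   instead.
snapshot() {
    ( cd "$WORK" && find etc -type f | LC_ALL=C sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        set -- $(stat -c '%a %s' "$f")
        printf '%s %s %s %s\n' "$f" "$sum" "$1" "$2"
    done )
}

# Equivalent of  aide --init : take the baseline from a known-good system.
# The real database should then be kept read-only, ideally off-host; an
# intruder who can rewrite it simply re-baselines the files he changed.
make_baseline() {
    rm -f "$DB"
    snapshot > "$DB"
    chmod 0400 "$DB"
}

# Equivalent of  aide --check : compare the live tree with the baseline.
# Prints one line per changed, added or removed file; returns 1 if any differ.
verify_baseline() {
    cur="$WORK/current.db"
    snapshot > "$cur"
    rc=0
    while read -r path sum mode size; do
        now=$(awk -v p="$path" '$1 == p' "$cur")
        if [ -z "$now" ]; then
            echo "removed: $path"; rc=1
        elif [ "$now" != "$path $sum $mode $size" ]; then
            echo "changed: $path"; rc=1
        fi
    done < "$DB"
    while read -r path rest; do
        awk -v p="$path" '$1 == p { found = 1 } END { exit !found }' "$DB" \
            || { echo "added: $path"; rc=1; }
    done < "$cur"
    return $rc
}

# Demonstration: baseline a clean tree, then tamper with it.
setup_tree
make_baseline
verify_baseline && echo "clean tree: no changes"
printf 'PermitRootLogin yes\n' > "$TREE/ssh/sshd_config"    # simulated tampering
: > "$TREE/rogue"                                           # simulated planted file
verify_baseline || echo "integrity check FAILED (as expected after tampering)"
```

The point the demonstration makes is the same one that applies to AIDE: the check is only as trustworthy as the baseline, so take it before the machine is exposed and keep the database where the machine cannot rewrite it.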
Logsurfer
Logsurfer is a text-based logfile monitoring program designed to run in real time. Like many of its predecessors and competitors (e.g. Swatch), Logsurfer parses log information according to specified rules. Logsurfer, however, has the advantage of being written in C (faster than Perl), works on any text file (or text from stdin), has two-level regular expressions (a match pattern plus an exception pattern for exclusions), supports dynamic rule updating and has many other features. Logsurfer, or any log parsing tool, should be used to review the logs continuously rather than relying on someone reading them by hand. Remember that logging is one of the primary ways of detecting problems: if logs are not inspected they are nothing more than a waste of disk space.
Logcheck
An alternative to logsurfer is logcheck. Although logsurfer is a
more robust full
feature product it can be intimidating. Logcheck fits nicely when you
are still getting accustomed to
the log
parsing modality and is a good starting place.
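Logcheck's filter stage and a Logsurfer-style context rule, as an added example that is neither project's own code: the log lines, the ignore patterns and the file names are constructed for the demonstration. The ignore patterns follow the anchored form used in Logcheck's /etc/logcheck/ignore.d.* files; the burst rule reproduces in awk what Logsurfer does with a context that fires once it has collected enough matching lines.

```shell
# Added example, not Logcheck's or Logsurfer's own code. Log lines, ignore
# patterns and file names below are constructed for the demonstration.

WORK="${WORK:-$(mktemp -d)}"
LOG="$WORK/auth.log"
IGNORE="$WORK/ignore.d-local"

# Constructed syslog-style sample: two routine lines, an obvious brute-force
# attempt from one address, a sudo command worth seeing, and one stray failure.
cat > "$LOG" <<'EOF'
Mar  3 10:01:02 host1 sshd[2011]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 10:01:05 host1 CRON[2020]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:10 host1 sshd[2030]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
Mar  3 10:02:12 host1 sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Mar  3 10:02:14 host1 sshd[2032]: Failed password for root from 203.0.113.7 port 41002 ssh2
Mar  3 10:03:00 host1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:04:00 host1 sshd[2040]: Failed password for bob from 10.0.0.9 port 51100 ssh2
EOF

# Ignore patterns in Logcheck's style: anchored at the start of the line and
# pinned to one program and one message shape, so a pattern cannot hide more
# than intended. The prefix matches the syslog timestamp and host name.
cat > "$IGNORE" <<'EOF'
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[[:digit:]]+\]: \(root\) CMD \(
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for [^ ]+ from [.[:digit:]]+ port [[:digit:]]+ ssh2$
EOF

# Logcheck stage: everything not matched by an ignore pattern is reported.
# (Logcheck itself applies the same grep -E -v -f to the lines that are new
# since its last run and mails the result.)
filter_log() {
    grep -E -v -f "$IGNORE" "$1"
}

# Logsurfer-style context rule: a single "Failed password" line is noise, but
# the same source producing $2 or more of them is worth an alert. Logsurfer
# opens a context on the first match and runs an action when the context
# reaches its line limit; this does the same aggregation in awk.
failed_login_bursts() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            n[src]++
        }
        END {
            for (s in n) if (n[s] >= limit)
                printf "ALERT %s: %d failed logins\n", s, n[s]
        }' "$1"
}

echo "--- lines Logcheck would report ---"
filter_log "$LOG"
echo "--- Logsurfer-style burst rule (threshold 3) ---"
failed_login_bursts "$LOG" 3
```

Start with a small ignore list and widen it only for lines you have read and understood; an ignore pattern that is too loose is how a real attack disappears from the daily report.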
OpenSSH
OpenSSH is a free version of the SSH protocol suite of network connectivity tools. It replaces such utilities as telnet, rlogin, ftp, rsh and other insecure programs that send passwords and data in the clear. OpenSSH encrypts and authenticates all traffic, including passwords, to defeat eavesdropping, connection hijacking and other network-level attacks, provided the server's host key is verified on first connection rather than accepted blindly. OpenSSH includes the following tools:
ssh – replacement for rlogin, telnet and rexec
scp – replacement for rcp
sftp – replacement for ftp
SSH clients can be downloaded for Windows. York has a site licence for the SSH.com client. As well, both Tera Term and PuTTY are good free examples available for download. Both scp and sftp clients exist for UNIX variants and Windows. The Windows client most commonly used for GUI interaction is the free WinSCP. For more server-type use (batch processing), pscp and psftp from the same author as PuTTY are available. With these clients there is little reason to run the insecure predecessors outlined in Common UNIX Services to Disable.
Sudo
Sudo is a vital tool in locking down system administrator (root) privileges. Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and their arguments. Another main advantage of sudo is that the root password can be kept more secure: it need not be shared at all. By avoiding root logins an audit trail is created, since every privileged command is tied to the individual user who ran it. Even on a single-user system (e.g. a UNIX-based desktop), using sudo rather than logging in as root can prevent accidental commands from being run under the root userid. The key is to avoid using the root login whenever possible (which really is always, except in an emergency). Note that the audit trail is only as good as the rules: a rule that grants ALL commands, or a command such as an editor or pager that offers a shell escape, gives the user a root shell whose commands are not logged.
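The rules behind that advice, as an added example that is not the sudo project's own code: a deliberately over-broad sudoers fragment beside a restricted one, and a small lint in awk that flags the rule shapes which defeat the audit trail. User, group and file names are constructed; the Defaults options and rule syntax are real sudoers syntax, and each fragment is checked with visudo -c -f when visudo is installed.

```shell
# Added example, not from the sudo project: a weak and a hardened sudoers
# fragment (constructed user/group/file names) plus a lint for the rule
# shapes that undo the audit trail sudo is supposed to give you.

WORK="${WORK:-$(mktemp -d)}"

# WEAK: everyone in "staff" may run anything as anyone with no password, and
# bob's rule is no better: vi and less both have shell escapes (":!sh", "!sh"),
# so the logged command is "vi" while the real work happens in an unlogged root shell.
cat > "$WORK/10-weak" <<'EOF'
%staff  ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) /usr/bin/vi, /usr/bin/less
EOF

# HARDENED: named commands with fixed arguments, a specific target user, a
# password prompt, sudoedit instead of an editor, and a dedicated sudo log
# plus session I/O logging so what happens under sudo is recorded.
cat > "$WORK/10-hardened" <<'EOF'
Defaults        logfile="/var/log/sudo.log"
Defaults        log_input, log_output
Defaults        use_pty
Cmnd_Alias      SERVICES = /usr/sbin/service httpd restart, /usr/sbin/service httpd status
%staff  ALL=(root) SERVICES
bob     ALL=(root) sudoedit /etc/ssh/sshd_config
EOF

# Lint: flag rules granting ALL commands, passwordless rules, and commands
# that offer a shell escape. Prints one line per finding; returns 1 if any.
# Defaults and alias definitions carry no grant by themselves and are skipped.
lint_sudoers() {
    awk '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*(#|Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        (" " $0) ~ /[[:space:],]ALL[[:space:]]*$/ {
            print FILENAME ":" FNR ": grants ALL commands: " $0; bad = 1 }
        /NOPASSWD:/ {
            print FILENAME ":" FNR ": passwordless rule: " $0; bad = 1 }
        ($0 " ") ~ /\/(vi|vim|view|less|more|emacs|sh|bash)[[:space:],]/ {
            print FILENAME ":" FNR ": command with shell escape: " $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Syntax check with the real tool when it is available (visudo -c -f checks a
# file other than /etc/sudoers); otherwise report that it was skipped.
check_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not installed, syntax check skipped for $1"
    fi
}

for f in "$WORK/10-weak" "$WORK/10-hardened"; do
    echo "== $f"
    check_syntax "$f" || echo "syntax check failed for $f"
    if lint_sudoers "$f"; then echo "no findings"; fi
done
```

The lint is intentionally narrow; the list of programs with shell escapes is far longer than the one shown, which is why the hardened fragment grants exact commands with their arguments instead of trying to enumerate what is dangerous.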
TCP Wrappers
Perhaps one of the most important first levels of system security is TCP Wrappers. Servers on UNIX systems usually either provide their services via the TCP/IP protocol stack to everyone or to no one. In addition to this conceptual weakness, logging of connections is minimal and does not include, for example, the source or a timestamp. Connection attempts can be an early warning signal that a site is under attack, so you want to capture as much information as possible.
tcpd (the program implementing the TCP wrapper) was developed as a result of an actual attack. It provides (1) some level of access control based on the source and destination of the connection request and (2) logging of successful and unsuccessful connections. TCP wrappers have the advantage over firewalls in that access can be granted by host name (foo.bar.com) and domain (.bar.com) as well as by IP address or prefix (192.168.1.2 or 192.168.). Host-name rules depend on reverse DNS, so tcpd checks that the name found for the client address resolves back to that address and treats a mismatch as a forged name; address-based rules are the safer choice where they suffice. The rules live in /etc/hosts.allow and /etc/hosts.deny: a connection matching hosts.allow is accepted, otherwise one matching hosts.deny is refused, and otherwise it is accepted, so a deny-by-default policy needs an ALL: ALL entry in hosts.deny. Assuming the connection request is permitted by these access control lists, the wrapper (tcpd placed in inetd.conf in front of the server, or the libwrap library built into the daemon) hands over to the requested server process only after the check. All messages about connections and connection attempts are logged via syslogd. Note that many current distributions (Fedora and RHEL 8 onward, for example) no longer ship tcp_wrappers, and a daemon honours these files only if it is started through tcpd or linked against libwrap.
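The access-control order just described, as an added example that is not tcpd's own code: a small emulator of how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny, useful for seeing what a rule set will do before it is deployed (the real tool for that job is tcpdmatch, e.g. tcpdmatch sshd 203.0.113.7). The two files and the client names and addresses are constructed; the emulator handles ALL, LOCAL, domain suffixes, address prefixes and exact matches, and ignores the EXCEPT operator, network/mask patterns and the shell-command field.

```shell
# Added example, not tcpd's own code: an emulator of the hosts_access(5)
# decision procedure for a constructed hosts.allow / hosts.deny pair.
# Handles ALL, LOCAL, ".domain" suffixes, "a.b." address prefixes and exact
# names/addresses; EXCEPT, net/mask patterns and the command field are ignored.

WORK="${WORK:-$(mktemp -d)}"
ALLOW="$WORK/hosts.allow"
DENY="$WORK/hosts.deny"

# Constructed rules. Daemon names are the server's process name (sshd,
# in.telnetd, ...). A hosts.deny of ALL: ALL makes the policy deny-by-default;
# spawn runs a command when the rule fires (%d = daemon, %c = client info).
cat > "$ALLOW" <<'EOF'
# the local network by address prefix, the campus domain by name suffix
sshd : 192.168. .bar.com
# anything at all from hosts whose name has no dot (same local domain)
ALL  : LOCAL
EOF
cat > "$DENY" <<'EOF'
ALL : ALL : spawn (/usr/bin/logger -p auth.warning "tcpd refused %d from %c") &
EOF

# Does one hosts_access pattern match one value (a daemon name, an address or
# a host name)? tcpd matches client patterns against both name and address.
match_token() {
    pat=$1; val=$2
    case $pat in
        ALL)   return 0 ;;
        LOCAL) case $val in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)    case $val in *"$pat") return 0 ;; esac ;;    # .bar.com matches foo.bar.com
        *.)    case $val in "$pat"*) return 0 ;; esac ;;    # 192.168. matches 192.168.1.2
        *)     [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# One rule line:  daemon_list : client_list [ : shell_command ]
line_matches() {
    daemon=$2; addr=$3; name=$4
    daemons=$(printf '%s\n' "$1" | cut -d: -f1 | tr ',' ' ')
    clients=$(printf '%s\n' "$1" | cut -d: -f2 | tr ',' ' ')
    hit=1
    for d in $daemons; do match_token "$d" "$daemon" && hit=0; done
    [ $hit -eq 0 ] || return 1
    for c in $clients; do
        match_token "$c" "$addr" && return 0
        match_token "$c" "$name" && return 0
    done
    return 1
}

# Does any non-comment rule in the file match? A missing file counts as empty.
file_matches() {
    f=$1; shift
    [ -f "$f" ] || return 1
    while read -r rule; do
        case $rule in ''|\#*) continue ;; esac
        line_matches "$rule" "$@" && return 0
    done < "$f"
    return 1
}

# tcpd's order: hosts.allow match -> allow; else hosts.deny match -> deny;
# else allow. For an unresolvable client pass the address as the name too
# (tcpd also rejects names whose forward lookup does not give the address back).
tcpd_decide() {   # args: hosts.allow hosts.deny daemon client-address client-name
    allow=$1; deny=$2; shift 2
    if   file_matches "$allow" "$@"; then echo allow
    elif file_matches "$deny"  "$@"; then echo deny
    else echo allow
    fi
}

for conn in "sshd 192.168.1.2 ws12" "sshd 10.1.1.1 foo.bar.com" \
            "sshd 203.0.113.7 203.0.113.7" "in.telnetd 192.168.1.2 ws12" \
            "in.telnetd 10.1.1.1 foo.bar.com"; do
    set -- $conn
    printf '%-11s from %-13s (%s): %s\n' "$1" "$2" "$3" "$(tcpd_decide "$ALLOW" "$DENY" "$@")"
done
```

Two things the run makes visible: without the ALL: ALL line in hosts.deny every connection that misses hosts.allow is accepted, and the ALL: LOCAL entry admits any service from any host with a dotless name, so the reverse-DNS check tcpd performs is what keeps such a rule from being trivially satisfied by an attacker who controls their own PTR records.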
Contact information
General inquiries: helpdesk@yorku.ca
Network and computer abuse reports: abuse@yorku.ca