How to use Tripwire to detect the intrusion of an Ubuntu VPS server

Source: Internet
Author: User
Tags vps set up email ubuntu vps vps server


When managing a networked server, server security is a very complex issue. Although you can configure firewalls, set up logging policies, buy security services, or lock apps, it's not enough if you want to make sure that every intrusion is blocked.
A HIDS can collect your computer's file system and configuration, storing this information for reference and to determine the current state of operation of the system. If there is a change between the known safe state and the current state, it may not be safe.
The next popular HIDS for Linux is tripwire. This software can track many different file system data to detect whether unauthorized changes have occurred.
In this article, we'll discuss how to install and configure tripwire on Ubuntu 12.04. Because of the features of IDs, it is best to run IDs shortly after the server is created so that you can determine the file system is not a problem.

Installing Tripwire

Fortunately, Tripwire is already in Ubuntu's default repository. We can use apt-get to install Tripwire:

sudo apt-get updatesudo apt-get install tripwire

After a considerable amount of package-dependent configuration is required, it can be run.
First, you want to configure the push-dependent mail application. If you want to configure email notifications, select Internet Site
It will ask if you want to configure the password during the installation process and choose Yes for these prompts. It will ask if you want to regenerate the configuration file and choose Yes. Choose Yes for the policy file as well.
Next you will be asked to enter site key. Tripwire uses two keys to ensure the security of the configuration file:
Site key This key is used to ensure the security of the configuration file, we need to confirm that the configuration file has not been modified, which directly leads to the credibility of the entire monitoring system results. The same configuration file can be used on different servers, and site key can also be used on different servers.
Local key This key is used to confirm that the user is authorized to run.
You will first enter site key and then the local key, which is recommended to use strong passwords.

Initializing the database

After the

Installation is complete, you must initialize the database. Just like most security programs, Tripwire comes with its own default configuration. Perhaps you need to customize your own rules, which will change the default settings.
First, if you do not choose to create a policy at install time, you can create one by using the following command:
Sudo twadmin–create-polfile/etc/tripwire/twpol/txt
You must provide the site key entered at configuration time to execute.
This will create an encrypted policy file based on a plain text file in the directory we specify (/etc/tripwire). This file is checked while the tripwire is running.
Now we can initialize the Tripwire database to confirm our system. This time only the key points that we specifically specified in the policy file will be checked.
Because this policy file is not customized for our system, we see a lot of warnings and errors. We use these errors as a reference when adjusting our configuration files. The basic method of
Initializing a database is:
Sudo tripwire–init
This will create our database files, as well as the errors that we must refer to when adjusting the configuration.
We want to save the configuration results, we can save them to a file in the Tripwire configuration directory. We can perform a check and deposit the file list in the Test_results file in the tripwire configuration directory.
sh-c ' tripwire--check | grep Filename > test_results '
If we look at these files, we can do this

Less /etc/tripwire/test_resultsFilename: /etc/rc.bootFilename: /root/mailFilename: /root/MailFilename: /root/.xsession-errors. . .
Configure the policy file for your own system

Now that we have a list of files that Tripwire cannot monitor, we can remove these files by configuring the policy file.
In the editor, open a plain text file with root privileges:
Sudo nano /etc/tripwire/twpol.txt
Search for each file in the Test_results, and comment out all the rows in the match that you found.
In the "Boot Script" section, you should comment out the/etc/rc.boot line because it does not exist in the Ubuntu system.

(  "Boot Scripts",  severity = $(SIG_HI)){        /etc/init.d             -> $(SEC_BIN) ;        #/etc/rc.boot            -> $(SEC_BIN) ;        /etc/rcS.d              -> $(SEC_BIN) ;

There are many files in the/root directory, which should be commented out in my system, as long as nothing in your system should be commented out.

(RuleName ="Root config files", severity = -) {/root -$ (Sec_crit);# Catch All additions To/root        #/root/mail-$ (sec_config);        #/root/mail-$ (sec_config);        #/root/.xsession-errors-$ (sec_config);        #/root/.xauth-$ (sec_config);        #/root/.tcshrc-$ (sec_config);        #/root/.sawfish-$ (sec_config);        #/root/.pinerc-$ (sec_config);        #/root/.mc-$ (sec_config);        #/root/.gnome_private-$ (sec_config);        #/root/.gnome-desktop-$ (sec_config);        #/root/.gnome-$ (sec_config);        #/root/.esd_auth-$ (sec_config);        #/root/.elm-$ (sec_config);        #/root/.cshrc-$ (sec_config);        /root/. BASHRC -$ (sec_config);#/root/.bash_profile-$ (sec_config);        #/root/.bash_logout-$ (sec_config);        /root/. bash_history -$ (sec_config);#/root/.amandahosts-$ (sec_config);        #/root/$ (sec_config);        #/root/.addressbook-$ (sec_config);        #/root/. Xresources-$ (sec_config);        #/root/. Xauthority-$ (sec_config)-I.; # changes Inode number on login        #/root/. Iceauthority-$ (sec_config);}

The last part that should be checked is the file descriptor that was faulted in the/proc file system. These files are changed at all times, and if we do not delete them in the configuration file, false positives will be triggered periodically.
In Devices & Kernel information, you can see a list of/proc file system checks that you want to check.

(  "Devices & Kernel information",  $(SIG_HI),){        /dev            $(Device) ;        /proc           $(Device) ;}

However, we do not want it to check every file under the directory, and we want to configure all directories under/proc without checking.

{/dev/$ (Device) ; #/proc-$ (Device) ; /proc/devices-$ (Device) ; /proc/net-$ (Device) ; /proc/tty-$ (Device) ; /proc/sys-$ (Device) ; /proc/cpuinfo-$ (Device) ; /proc/modules-$ (Device) ; /proc/mounts-$ (Device) ; /proc/DMA-$ (Device) ; /proc/filesystems-$ (Device) ; /proc/interrupts-$ (Device) ; /proc/ioports-$ (Device) ; /proc/SCSI-$ (Device) ; /proc/kcore-$ (Device) ; /proc/self-$ (Device) ; /proc/kmsg-$ (Device) ; /proc/stat-$ (Device) ; /proc/loadavg-$ (Device) ; /proc/uptime-$ (Device) ; /proc/locks-$ (Device) ; /proc/meminfo-$ (Device) ; /proc/misc-$ (Device) ;}

When we are in this section of the file, we also want to do something about the/dev/pts file system. Tripwire default does not check this directory, in order to let tripwire also check this directory, we can explicitly specify:

{        /dev                    -> $(Device) ;        /dev/pts                -> $(Device) ;        #/proc                  -> $(Device) ;        /proc/devices           -> $(Device) ;        /proc/net               -> $(Device) ;        /proc/tty               -> $(Device) ;        . . .

The last thing to do is to comment out the rows of/var/run and/var/lock so that our system does not generate tokens because of normal service changes in the system.

(  "System boot changes",  severity = $(SIG_HI)){        #/var/lock              -> $(SEC_CONFIG) ;        #/var/run               -> $(SEC_CONFIG) ; # daemon PIDs        /var/log                -> $(SEC_CONFIG) ;}

Save and close the file when you are finished with these edits.
Now that our configuration file has been modified, we need to recreate an encrypted policy file to allow Tripwire to read using:
sudo twadmin -m P /etc/tripwire/twpol.txt
Once created, we must reinitialize the database to execute our policy:
sudo tripwire –init
The warnings that were given before should be gone now. If you still have a warning, you need to edit the/etc/tripwire/twpol.txt file until the warning disappears completely.

Inspection configuration

If your database initialization does not have an error, the configuration file will match your system. But we should run a check to see if tripwire really has no errors.
Basic Grammar check:
sudo tripwire --check
You should see a custom output report on the screen stating that there are no errors in your system.
Once done, you can be sure that your configuration is correct. We should clean up sensitive information from our system.
We should remove the test_results we created earlier:
Sudo rm /etc/tripwire/test_results
Another thing to do is to delete the plain text configuration file. We have been encrypted by password to ensure security.
We must encrypt a plain text file before handing it over to Twadmin, and we will also generate an encrypted version. We can turn it into a plain text file once again through the pipeline:
Sudo sh –c ‘twadmin –print-polfile > /etc/tripwire/twpol.txt’
Now move him to the backup location and recreate it.

sudo mv /etc/tripwire/twpol.txt /etc/tripwire/twpol.txt.baksudo‘twadmin --print-polfile > /etc/tripwire/twpol.txt‘

If done properly, you can safely delete the plain text files:

sudo rm /etc/tripwire/twpol.txtsudo rm /etc/tripwire/twpol.txt.bak
Set up Email Reminders

We will configure tripwire to automatically run and notify automatically every day. At run time, the database needs to be upgraded when a system change occurs.
We will use the Mail command to send our notification to our email address. In our system is not installed temporarily, need to download from storage warehouse.
This gives us a great opportunity to see what changes have been made to the system through tripwire.
Install the following:
Sudo apt-get install mailutils
Now that we're done with the installation, let's test if we can send the report. This report will send both warnings and changes, and we do not need to notify tripwire when we install the new software:
Sudo tripwire --check | mail –s “Tripwire report for ‘uname –n’” [email protected]
Soon your email will receive a report on the details of the software that was just installed. This indicates that tripwire can send us the changes to the file system via email.
We should now perform an interactive check of the update database with the following command:
sudo tripwire --check --interactive
This is the same run test at peace, but it will not be output to the screen at the end, but instead generate a text file to open in the default editor.
This report will contain the full details of each file change. In fact, on my machine, the report usually has 2275 lines that long. A lot of this information is very helpful for solving security problems, but for us, we are not interested in most of them.
The most important parts are at the top, and after some introductory information, you should see a check box that indicates new or modified.
These check boxes indicate that you need to update the database to complete these changes. You should search for each check box with an X, and then confirm that the changes have been approved by you.
If you do not endorse these changes, delete the X. The file for the database will not be updated, which will cause tripwire to report the markup at the next report.
After you decide which files need to be changed, save and close the file.
This will require you to enter the local key so that tripwire can update the database file.
If we run the command again after accepting these changes, the report will certainly be shorter.

Use cron to automate the tripwire

Now that we have the ability to run these functions manually, we can also set up timed tasks so that tripwire can perform checks every morning.
We want to use Root's timed task because the Edit System timer task can not include system updates.
You can provide the following command to confirm that the root has a scheduled task:
sudo crontab -l
If a timed task already exists, you should back up the task by pipe:
sudo sh -c ‘crontab -l > crontab.bad‘
We can then edit this scheduled task:
sudo crontab -e
If this is your first time running a scheduled task, it will ask which editor you want to open. If you don't have a custom editor, the Nano is a good choice.
After opening the file, we can customize the tripwire of automation. Because we only need tripwire to run every day, we just need to set the boot time to be enough.
Typically, services run during off-peak hours to avoid interfering with peak hours.
The command format we need to use is min hour * * * command. This command and we previously configured the mail to send the report using a command. This is where root is running, so we don't need to use sudo.
In order for Tripwire to run at 3:30 every day, we can write:

303-s"Tripwire report for `uname -n`" [email protected]

You can make adjustments according to your needs.


You now have an automated intrusion detection system that will send you a change report on your file system. You should regularly check the reports that are sent by e-mail to monitor the changes that occur. Whether you are discovering suspicious activity or a normal change, you should upgrade the Tripwire database.

Original Address

How to use Tripwire to detect the intrusion of an Ubuntu VPS server

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.