Intrusion Detection Tripwire and AIDE

When an attacker breaks into a system, he will usually try to gain lasting control by making his own changes to system administration files, such as the password files. He can add his own user and password entries, giving him access at any time, or he can simply change the root user's password. He can also replace entire programs, such as the login program, with his own version. One method of detecting such actions is to use an integrity checking tool such as Tripwire or Advanced Intrusion Detection Environment (AIDE) to detect any changes to system administration files. AIDE is a free and enhanced alternative to Tripwire (Ubuntu main repository). It provides easy configuration and detailed reporting.

An integrity checking tool works by first creating a database of unique identifiers for each file or program to be checked. These can include attributes such as permissions and file size, but more important, they can also include checksums generated by cryptographic hash algorithms from the file's contents. The default identifiers are checksums produced by algorithms such as the SHA-2 message digest algorithms. A hash value that uniquely identifies a file in this way is known as a signature. In effect, a signature provides an accurate snapshot of the contents of a file. Files and programs are then checked periodically: the intrusion detection application generates signatures of the current files and programs and matches them against the values previously stored in its database. Any differences are noted as changes to the file, and you are notified of the changes.
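The two phases described above (initialize a database of per-file identifiers, then regenerate and compare) as an added example; this is a minimal checker written for this page, not AIDE's or Tripwire's own code, and it runs on a constructed temporary directory rather than a real /etc.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Identifier set for one file: permission bits, size and a SHA-256 checksum."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "sha256": h.hexdigest()}


def build_database(root: Path) -> dict:
    """Initialization phase: record an identifier set for every regular file under root."""
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            db[str(p.relative_to(root))] = file_record(p)
    return db


def check_integrity(root: Path, db: dict) -> dict:
    """Check phase: regenerate identifiers and report added, removed and changed files."""
    current = build_database(root)
    report = {"added": [], "removed": [], "changed": {}}
    for name in sorted(set(db) | set(current)):
        if name not in db:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:  # list which attributes differ, so a same-size swap still shows up via sha256
            diffs = [k for k in db[name] if db[name][k] != current[name][k]]
            if diffs:
                report["changed"][name] = diffs
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake system directory, then tamper with it."""
    root = Path(tempfile.mkdtemp())  # stands in for /etc in this constructed example
    (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    (root / "login").write_bytes(b"\x7fELF original login binary (constructed)")
    os.chmod(root / "login", 0o755)
    db = build_database(root)  # snapshot taken while the system is known-good
    # Simulated tampering: an extra account appended to passwd, the login program
    # replaced by a same-length file and made setuid, and a new file dropped in.
    (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\nevil:x:0:0::/:/bin/sh\n")
    (root / "login").write_bytes(b"\x7fELF trojaned login binary (constructed)")
    os.chmod(root / "login", 0o4755)
    (root / "backdoor").write_text("#!/bin/sh\n")
    return check_integrity(root, db)
```

Size alone would not have flagged the replaced login program; the checksum does, which is why the text calls the hash the more important identifier.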

Note: You can also check your log files for any suspicious activity. The /var/log/messages file in particular is helpful for checking for critical events such as user logins, FTP connections, and superuser logins.
