Trojans, rootkits, and DDoS agents are a sad reality. It's a little disheartening to think that software exists which, given a chance, can install unwanted files on your system, overwrite or destroy your own files, send your data or user input elsewhere, or use your computer to attack another system.
The more advanced among you may be smiling and smugly thinking "that's why I run a Unix system". True, there are fewer nasties out there which target Unix systems, but they do exist. Further, as the Unix user base increases, so will the amount and frequency of exploits against Unix systems. Fortunately, as a FreeBSD user, there are many utilities available to you, as well as many good habits that you can teach yourself. The next two articles will discuss these utilities and habits.
First Things First
The first habit, as I've stressed many times in this column, is to be
behind a firewall. It doesn't matter what type of firewall, as long as you
choose something you are comfortable configuring. If you're intimidated at
the prospect of learning the syntax of
ipfw, invest in an inexpensive, preconfigured hardware
firewall. If you're already running a free firewall on your Windows system
(and you should be), place your FreeBSD system behind it until you're
ready to tackle a Unix firewall configuration.
Why the big deal about a firewall? Rootkits. These automated kits scan a portion of the Internet looking for open ports. Once a rootkit discovers a port it can attack, it tries to get into that system. A properly configured home firewall won't show any ports open, so a rootkit will pass you by and look for another victim.
Also in FreeBSD Basics:
What if you haven't been behind a firewall? How do you know if your system contains unwanted software? Sometimes it is hard to tell without doing a lot of investigative work. The best advice, unfortunately, is to back up your data files, reinstall, and set up a firewall before you reconnect to the Internet.
Assuming you are behind a firewall, you should test it to ensure that it is indeed hiding all of your ports. First, take an inventory of the open ports on all of the machines behind the firewall. On each machine, regardless of the operating system, run this command at a command prompt:
$ netstat -an
For each line that begins with tcp or udp, record the port number or name that shows up in the "Local Address" section. If you run this command on your FreeBSD system, ignore the ugly looking lines after the "Active UNIX domain sockets" as those don't deal with port numbers.
FreeBSD systems come with the
sockstat command which also
shows open ports. I prefer the layout of its output to that of the
netstat command. Since FreeBSD supports both IPv4 and IPv6
by default, and I'm not interested in the Unix domain sockets, I usually
run the command like so:
$ sockstat -46
Record the results of your
sockstat command for each machine in your home network and
repeat the command periodically. This way, you know which ports you
expect to be open and will recognize if an extra port suddenly appears on
Ideally, you probably don't need any ports open on any of your home systems. For instructions on how to close ports on your FreeBSD system, see Securing FreeBSD.
Once you've recorded which ports are open on your computers, you want
to see if your firewall is advertising any of them to the Internet. The
best utility for this purpose is
nmap. If you've never used
nmap, read through Scanning Your Network
It is very important that you double- and triple-check the address of your firewall before you launch your scan. You don't want to scan the wrong address inadvertently and have to explain to your ISP why they shouldn't ban you from further Internet access. A thorough scan of all TCP and UDP ports will take a long time. This command will launch such a scan:
$ nmap -v -P0 -sU -p 1-65535 IP_ADDRESS
IP_ADDRESS is the address of your firewall. Again, check
for typos in that address before you press enter and launch the scan. If all
goes well, the scan shouldn't find any open ports.
Open ports aren't the only entry point for unwanted software. Whenever you download software you are really trusting that the software only does what it purports to do, and that the file you just downloaded is the same file that was originally placed on the ftp site, not a trojaned version of the original file.
Fortunately, most ftp sites that provide Unix software protect each downloadable file with an MD5 checksum. You may remember from Cryptographic Terminology 101 that MD5 is used to verify the integrity of a file by ensuring none of the bits in the file have been tampered with. If an attacker were to replace a file on an ftp site with a trojan, the MD5 checksum would not match the trojaned file.
As an example, navigate to ftp://ftp.freebsd.org/pub/FreeBSD/ISO-IMAGES-i386/4.7.
Next to the five possible
.iso files, there is a file called
CHECKSUM.MD5 which gives the checksum for each file. If I
4.7-mini.iso, I should use the
command to verify the checksum before I burn the ISO to a CD:
$ md5 4.7-mini.iso 117076d76ef37267694d9820c763f9b2
The number I receive back should be identical to the number in the
CHECKSUM.MD5 file on the ftp site.
It's good to make a habit of always checking the MD5 checksum of any file
you download from the Internet, refusing to download files that lack checksums.
If you use the FreeBSD ports collection, the
make command will do
this automagically for you. This is the easiest and safest way to install
software on your FreeBSD system.
If you are ever building a port and it stops to complain about an MD5
checksum mismatch, DO NOT override the error and carry on with the build.
One of two things just occurred and you need to rectify the situation.
The first possibility is that your ports tree is out of date. If that is
cvsup to the latest version of the ports tree. The
second possibility is that the file has been changed on the ftp site since
the checksum was calculated. If this is the case, you should email the
maintainer of the port so he can ensure the original file was not
trojaned. You will find the email address of the maintainer in the
Makefile. For example, if I were building the
doom port, I would be in the
/usr/ports/games/doom directory, and could run this command.
(Note the mix of upper and lower case.)
$ more Makefile |grep MAINTAINER MAINTAINER = jmz@FreeBSD.org
If you email the maintainer, remember to include the output of
-a so he knows the version of FreeBSD you are using.
File Integrity Utilities
MD5 checksums can also be used to ensure that the files on your own system
are untampered. One of the first things a trojan program will do is change some
of your binaries so you won't notice that something nasty has just been
installed on your system. For example, your
ps command could be
replaced with another
ps that doesn't show any processes used by
the trojan. Your
ls command could be altered to hide directories
created by the trojan. Fortunately, there are several file integrity utilities
that automate the process of creating a database of checksums for the important
files on your FreeBSD system. The most common and well known of these utilities
tripwire is available as a free, open source version and as a commercial, try for 30 days before
buying version. I'll end today's article by walking you through a
build of the
tripwire port of the open source version on your
FreeBSD system. First, start the build:
$ cd /usr/ports/security/tripwire $ make install clean
This will trudge along for several minutes, so go grab a drink and wait until the install stops and presents you with this screen:
Installer program for: Tripwire(R) 2.3 Open Source for LINUX Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R) is a registered trademark of the Purdue Research Foundation and is licensed exclusively to Tripwire (R) Security Systems, Inc. LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source for LINUX Please read the following license agreement. You must accept the agreement to continue installing Tripwire. Press ENTER to view the License Agreement.
At this point, you'll be presented with many pages worth of licensing information as it displays the full GNU General Public License followed by the Tripwire Trademark Information. Use your spacebar to read your way through it until you get to this line:
Please type "accept" to indicate your acceptance of this license agreement. [do not accept] accept
Make sure you type the word
accept or the installation will
abort. If you inadvertently press Enter instead, the build will abort. Simply
make install clean and be careful to type
accept next time you are prompted. At this point, the build will
carry on, but don't go too far away as it will prompt for more user input.
Using configuration file install.cfg Checking for programs specified in install configuration file.... /usr/sbin/sendmail exists. Continuing installation. /usr/bin/vi exists. Continuing installation. ---------------------------------------------- Verifying existence of binaries... ./bin/i386-unknown-freebsd_r/siggen found ./bin/i386-unknown-freebsd_r/tripwire found ./bin/i386-unknown-freebsd_r/twprint found ./bin/i386-unknown-freebsd_r/twadmin found This program will copy Tripwire files to the following directories: TWBIN: /usr/local/sbin TWMAN: /usr/local/man TWPOLICY: /usr/local/etc/tripwire TWREPORT: /var/db/tripwire/report TWDB: /var/db/tripwire TWSITEKEYDIR: /usr/local/etc/tripwire TWLOCALKEYDIR: /usr/local/etc/tripwire CLOBBER is false. Continue with installation? [y/n] y ----------------------------------------------
Next, the installation will create several directories and copy some files.
Note that some documents are created for you in
tripwire will also
create manpages in section 5 and 8 of the manual:
Copying files... /usr/local/share/doc/tripwire/README: copied /usr/local/share/doc/tripwire/Release_Notes: copied /usr/local/share/doc/tripwire/COPYING: copied /usr/local/sbin/tripwire: copied /usr/local/sbin/twadmin: copied /usr/local/sbin/twprint: copied /usr/local/sbin/siggen: copied /usr/local/share/doc/tripwire/TRADEMARK: copied /usr/local/share/doc/tripwire/policyguide.txt: copied /usr/local/etc/tripwire/twpol.txt: copied /usr/local/man/man5/twpolicy.5: copied /usr/local/man/man5/twconfig.5: copied /usr/local/man/man5/twfiles.5: copied /usr/local/man/man8/siggen.8: copied /usr/local/man/man8/tripwire.8: copied /usr/local/man/man8/twadmin.8: copied /usr/local/man/man8/twintro.8: copied /usr/local/man/man8/twprint.8: copied
Next, you will be prompted to create a passphrase. If you've read the
cryptosystems series, you'll remember that passphrases are used whenever
keys are generated. Remember the passphrase or you will be unable to
access the tripwire database. You'll be prompted for this passphrase
several times as the installation creates and signs the
tripwire configuration file, policy file, and database:
---------------------------------------------- The Tripwire site and local passphrases are used to sign a variety of files, such as the configuration, policy, and database files. Passphrases should be at least 8 characters in length and contain both letters and numbers. See the Tripwire manual for more information. ---------------------------------------------- Creating key files... (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the site keyfile passphrase: Verify the site keyfile passphrase: Generating key (this may take several minutes)...Key generation complete. (When selecting a passphrase, keep in mind that good passphrases typically have upper and lower case letters, digits and punctuation marks, and are at least 8 characters in length.) Enter the local keyfile passphrase: Verify the local keyfile passphrase: Generating key (this may take several minutes)...Key generation complete. ---------------------------------------------- Generating Tripwire configuration file... ---------------------------------------------- Creating signed configuration file... Please enter your site passphrase: Wrote configuration file: /usr/local/etc/tripwire/tw.cfg A clear-text version of the Tripwire configuration file /usr/local/etc/tripwire/twcfg.txt has been preserved for your inspection. It is recommended that you delete this file manually after you have examined it. ---------------------------------------------- Customizing default policy file... ---------------------------------------------- Creating signed policy file... Please enter your site passphrase: Wrote policy file: /usr/local/etc/tripwire/tw.pol A clear-text version of the Tripwire policy file /usr/local/etc/tripwire/twpol.txt has been preserved for your inspection. This implements a minimal policy, intended only to test essential Tripwire functionality. You should edit the policy file to describe your system, and then use twadmin to generate a new signed copy of the Tripwire policy. ---------------------------------------------- The installation succeeded. Please refer to /usr/local/share/doc/tripwire/Release_Notes for release information and to the printed user documentation for further instructions on using Tripwire 2.3 Open Source for LINUX. Creating tripwire database Please enter your local passphrase: Parsing policy file: /usr/local/etc/tripwire/tw.pol Generating the database... *** Processing Unix File System *** ### Warning: File system error. ### Filename: /usr/tmp ### No such file or directory ### Continuing... ### Warning: File system error. ### Filename: /usr/local/krb5 ### No such file or directory ### Continuing... <snip>
At this point, you may get several more errors complaining that Kerberos is missing from your system. Don't worry, the installation will continue.
Wrote database file: /var/db/tripwire/hostname.twd The database was successfully generated. To create a floppy backup of your tripwire database run "make floppy". The default database will not fit on a floppy, however with the removal of objects from the database, it can be made to fit on a 1.44 MB floppy disk. The tripwire database, configuration file and policy file are signed using the local and site keys, therefore according to the support staff at tripwiresecurity.com, creating a floppy is not necessary.
In the next article, I'll start with what to do with your newly
installed tripwire database. Then I'll move on to some alternatives to
tripwire as well as other ports that are designed to look for
rootkits. In the meantime, take a peek at
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
Read more FreeBSD Basics columns.
Return to the BSD DevCenter.