Linux Intrusion Detection With Tripwire On Ubuntu and Debian part 1
When it comes to running a server on the public internet, one of the biggest problems you will deal with is hackers and script kiddies trying to break in and use your server's resources for their own purposes. These individuals are generally stealthy: once they have gained access they cover their tracks, close the hole they came in through so nobody else can use it, and set up their own hidden, persistent way back in. As a result, a system can be compromised for weeks or months before anyone notices.
Fortunately, there are tools to help you catch an attacker in the act. One tool for Linux systems is Tripwire, a host-based intrusion detection system. As the name implies, it sets a tripwire for attackers: it records a baseline of important system files (cryptographic hashes, permissions, ownership, timestamps and so on) in a signed database, and on each check compares the live filesystem against that baseline and reports every difference. Two caveats worth stating up front: Tripwire detects changes after they happen, it does not prevent them, and it only notices changes to files its policy tells it to watch.
Installing Tripwire
For Debian and Ubuntu systems, Tripwire is included in the main repositories, and installation is as simple as:
sudo apt-get update
sudo apt-get install tripwire mailutils
The installation walks you through a couple of screens. The mailutils package needs a mail transfer agent, so if none is configured on your server one will be installed (typically Postfix). If you have nothing set up, the simplest option to choose is "Internet Site", which lets your server send email directly. Note that mail sent straight from a server with no matching reverse DNS or SPF record may well be flagged as spam by the receiving mail system, so check that the first report actually arrives.
After setting up the mail system, the installer will notify you about the creation of the keys Tripwire uses to sign its configuration, policy and database files. It also warns that, if your system is already compromised, an attacker watching the installer could capture the keys or their passphrases in the clear. After OKing this screen, you'll be asked if you want to create the keys during installation. Unless you think your system has already been compromised, you should be fine to continue, and hit "Yes" to create the keys. If you aren't certain, click "No" and create the keys manually, which we'll explain later.
If you selected "Yes", you'll see the same warning again for the second key that Tripwire needs. Click "Ok", then select "Yes" to have the installer create the key, or "No" to do it yourself later. The same security risks apply as before.
Creating Configuration Files
With the warnings out of the way, and assuming you said "Yes" to them, you'll be asked if you want to create the configuration and policy files for Tripwire, with an explanation of where the files are kept. These files are signed with the site key whose passphrase you set next, so it makes sense to say "Yes" on both of these screens. After this, a screen will appear prompting you to set a site-key passphrase. You will need this every time you change the Tripwire configuration or policy later, so don't lose it. After entering the passphrase once, the next screen will ask you to confirm it and the key will be generated. A similar pair of screens follows for the local-key passphrase, which protects the Tripwire database and the reports it writes. Again, you don't want to lose this.
Finally, the installation concludes with a message that Tripwire has been installed and tells you where the files have been placed.
Creating Keys Manually
If you chose not to create the keys using the installer, they can be set up now with the following commands:
sudo twadmin --generate-keys --site-keyfile /etc/tripwire/site.key
sudo twadmin --generate-keys --local-keyfile /etc/tripwire/$HOSTNAME-local.key
You will be prompted to provide a passphrase in each case. The local key file name must match the LOCALKEYFILE entry in /etc/tripwire/twcfg.txt, which on Debian and Ubuntu defaults to /etc/tripwire/<hostname>-local.key. In case you skipped the section on the installer, these passphrases will be needed whenever you reconfigure Tripwire, so they need to be strong, and you must not lose them. If you didn't let the installer create your keys, it could not create the signed configuration and policy files either, so you need to create those manually as well. Create the signed configuration file (tw.cfg, built from twcfg.txt with twadmin's --create-cfgfile mode) first, since the other twadmin modes read their default paths from it. Then sign the policy; we'll start with the default policy file for now:
sudo twadmin --create-polfile /etc/tripwire/twpol.txt
You will be prompted for the site-key passphrase you set earlier, and the signed policy is written to /etc/tripwire/tw.pol, the path named by POLFILE in twcfg.txt.
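The whole manual setup, as an added example that is not part of the original article: a shell script that generates both keys, signs the configuration file and then the policy, and checks that the key files are not readable by other users. It uses only documented twadmin modes and options (--generate-keys, --create-cfgfile, --create-polfile, and the -Q/-P style passphrase options) and assumes the Debian/Ubuntu default paths under /etc/tripwire. The environment variable names TW_SITE_PASS and TW_LOCAL_PASS, the "run" argument, and the 16-character passphrase threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article): non-interactive equivalent of the
# manual key, config and policy creation on Debian/Ubuntu Tripwire.
set -u

TW_DIR="${TW_DIR:-/etc/tripwire}"          # Debian default directory
SITE_KEY="$TW_DIR/site.key"

# Debian names the local key after the host: /etc/tripwire/<hostname>-local.key
local_key_path() {
    printf '%s/%s-local.key\n' "$TW_DIR" "$1"
}

# Minimal strength gate for the two passphrases: at least 16 characters and
# at least one non-alphanumeric character. (Threshold is this example's choice.)
passphrase_ok() {
    p="$1"
    [ "${#p}" -ge 16 ] || return 1
    case "$p" in
        *[!A-Za-z0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Key files must not be readable by group or others. Portable check via ls:
# characters 5-10 of the mode string are the group/other permission bits.
mode_is_owner_only() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run the real twadmin commands. Passphrases come from the environment rather
# than the command line you type, but twadmin's --site-passphrase and
# --local-passphrase options still expose them in the process list while each
# command runs, which is the same risk the installer warns about.
tripwire_manual_setup() {
    local_key=$(local_key_path "$(hostname)")
    passphrase_ok "$TW_SITE_PASS"  || { echo "site passphrase too weak"  >&2; return 1; }
    passphrase_ok "$TW_LOCAL_PASS" || { echo "local passphrase too weak" >&2; return 1; }

    # 1. Generate both keys in one call.
    twadmin --generate-keys --site-keyfile "$SITE_KEY" --site-passphrase "$TW_SITE_PASS" \
            --local-keyfile "$local_key" --local-passphrase "$TW_LOCAL_PASS" || return 1

    # 2. Sign the configuration first: later modes read default paths from tw.cfg.
    twadmin --create-cfgfile --cfgfile "$TW_DIR/tw.cfg" --site-keyfile "$SITE_KEY" \
            --site-passphrase "$TW_SITE_PASS" "$TW_DIR/twcfg.txt" || return 1

    # 3. Sign the (default) policy into tw.pol.
    twadmin --create-polfile --cfgfile "$TW_DIR/tw.cfg" --polfile "$TW_DIR/tw.pol" \
            --site-keyfile "$SITE_KEY" --site-passphrase "$TW_SITE_PASS" \
            "$TW_DIR/twpol.txt" || return 1

    # 4. Lock the key files down and verify it took.
    chmod 600 "$SITE_KEY" "$local_key"
    for f in "$SITE_KEY" "$local_key"; do
        mode_is_owner_only "$f" || { echo "bad permissions on $f" >&2; return 1; }
    done
}

# Only runs the real commands when explicitly asked, e.g.:
#   sudo TW_SITE_PASS='...' TW_LOCAL_PASS='...' sh tw-setup.sh run
if [ "${1:-}" = "run" ]; then
    tripwire_manual_setup
fi
```

Because the passphrases are visible in the process list for the duration of each twadmin call, run this only on a host you trust, or leave the passphrase options out and let twadmin prompt for them interactively as the commands above do.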
At this point we have Tripwire installed with its default, fairly strict, configuration and policy. Both are signed with the site key, so an intruder who does not know the site passphrase cannot quietly edit them without the signature check failing. Be clear about what that does and does not buy you: an attacker who already has root can still delete the signed files, the database or the tripwire binary itself, which is why the Tripwire documentation recommends keeping a copy of the keys and the database on read-only or offline media. Also note that the plaintext twpol.txt and twcfg.txt remain on disk, so anyone who can read them can see exactly what is being monitored. In part 2, we'll be looking at initializing Tripwire and getting started configuring the Tripwire policy file to fit your system.