[Tfug] Automated security checks

[John Gruenenfelder]

Greetings TFUG,

Recently, while digging around some of the new packages to find their way into
the Debian archive, I came across a handful of harden-* packages.  These
are metapackages designed to offer suggestions for *helping* you to secure a
system.

For example, harden-environment aims to help detect local intrusions and does
so with the following:

Depends: debsums | samhain | integrit | tripwire | aide | ids, sash | osh
Recommends: logcheck, checksecurity
Suggests: harden-nids, sudo, debsums, samhain, integrit, tripwire, aide, ids, sash, osh, libsafe

This seemed like a decent place to start so I began investigating some of
these suggestions to see how useful they might be.  I thought it would be a
good idea to ask here on TFUG to see what sorts of experiences anybody has had
with these and which they would or would not recommend.  Any thoughts on
specific programs/packages or the more general question of useful automated
checks?


Here is some of what I've found on my own:

The "logcheck" package, at first look, seems like a great idea.  It scans your
syslog for suspicious messages and emails you a report.  It performs this by
having a big database of regex of messages to ignore.  Unfortunately, this
appears to be a dead project upstream and as a result the database is horribly
out of date for a current Debian system, and essentially useless if you are
tracking Debian/testing or unstable.  The email reports are bursting with
warnings about harmless syslog messages.

After a little more checking, I found that logcheck is actually maintained by
the "Debian logcheck Team" and that there is some effort underway to resurrect
and update the package and database.  The webpage they have set up is rather
sparse and I didn't see any information about when they might put out a new
useful version.

The "checksecurity" package appears to be broken out of the box.  I was going
to investigate fixing it, but I found that it was also quite old, limited, and
very like superceded by newer programs.

The "tiger" package appears to be useful.  I have installed it and have begun
to receive the email it generates.  It states quite plainly that it will not
work properly until you have modified its config file to suit your system.
That said, the default config is pretty good.  I think most of what I'll need
to do is just to tweak/disable bits here and there that are generating either
pointless messages or false positives.  Looking at the dates on the shipped
files shows that some of them are quite old (2003-2007 or so) and some are
recent.  So, at least it appears to be a live project.

I have also installed the "samhain" package, a data integrity checker and
intrusion detection tool.  It was suggested along with tripwire, integrit, or
aide.  I haven't used any of them so I can't really say which ones are better
than others.  The main reason I picked samhain is because its description says
that the integrity database can be signed to enable detection of tampering.
That sounded like a nice feature to have.  I haven't yet had a chance to
configure and test samhain, so I can't really comment more.


On a somewhat related note, I've been using "denyhosts" for quite some time on
a few different systems.  Denyhosts is an answer to the problem of idiot
crackers trying to get into your system by flooding your box with countless
SSH connection attempts.  They are not trying to exploit flaws in SSH
implementations, rather they appear to have some database of common account
IDs and common poor passwords and operate on the idea that eventually one of
them will work somewhere on the Net.  Denyhosts is a fairly simple
countermeasure which monitors your login attempt logfile and keeps track of
the number of failed attempts from each IP address.  It then adds entries to
the hosts.deny file to keep these people away.

There are other viable solutions, of course, such as those that use iptables
instead of hosts.deny, but I found denyhosts very easy to use and it also has
a nice feature where users can submit the IPs they block to a central service
and receive from that service lists of IPs that others have blocked (given
some useful threshold so you aren't fed bad data).

Just recently, however, I have found that denyhosts is no longer part of the
Debian archive.  From the bug report leading to its removal it seems that the
project is dead upstream and has some outstanding security bugs filed against
it.  The same report recommends the "fail2ban" package as a replacement, and,
from its description, it appears to offer more features and work with more
services.  I don't know about the user-data-sharing capability, but that's
hardly a deal breaker.  The descriptions also says that fail2ban can use
either firewall chains or hosts.deny.  Is anybody here using either of these
packages?  What have your experiences been?

A new package to appear in the archive is "libpam-shield".  Its description is
quite short, but it does indicate that it is used to lock out remote attackers
trying to brute-force their way in with password guessing and does so using
iptables.  Since it is a PAM module it won't cover as many services as
fail2ban appears to.  I have not yet enabled it, but having looked at its
config file it hits all the important points such as a persistent database of
IPs and automatic timed expiration of entries.  It also supports blocking by
null-routing, using iptables, or by using iptables via the ufw firewall
package.  Has anybody used libpam-shield before?


-- 
--John Gruenenfelder    Systems Manager, MKS Imaging Technology, LLC.
Try Weasel Reader for PalmOS  --  http://weaselreader.org
"This is the most fun I've had without being drenched in the blood
of my enemies!"
        --Sam of Sam & Max
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://tfug.org/pipermail/tfug_tfug.org/attachments/20140201/4bf198fd/attachment.bin>