Simple method of checking your server security


This method does not prevent anyone from getting into the server, but it will notify you if somebody or something changes files on your server. The software that will help us is called “Tripwire”, a file integrity checker: it records a baseline of your files and reports anything that deviates from it.

Step 1. Install tripwire on your Linux server.

sudo apt-get update
sudo apt-get install tripwire

You will see several prompts like the one below; select Yes each time:

[screenshot: installation prompts]

Then it will ask for a site key passphrase and a local key passphrase. Enter them:
[screenshot: key passphrase prompts]

Successful installation message:

[screenshot: installation complete]

Step 2. Email

Install a utility for sending email.

sudo apt-get install mailutils

Step 3. Configure tripwire.

Compile the plain-text policy shipped by the package (/etc/tripwire/twpol.txt) into Tripwire's signed policy file with:

sudo twadmin --create-polfile /etc/tripwire/twpol.txt

Initialize the Tripwire database (the baseline) with:

sudo tripwire --init

Run a check and email the report to yourself:

sudo tripwire --check | mail -s "Report from tripwire" [your email address]

[screenshot]

Check your email. If the report has hundreds of rows for the “/proc” directory, remove that directory from tracking. /proc is a virtual filesystem whose contents change constantly, so it generates dozens of false positives for Tripwire. The rest of this step is about removing /proc from Tripwire tracking; if you don't need it, skip to the next step.

Edit the Tripwire policy file and comment out the line containing “/proc”:

sudo vim /etc/tripwire/twpol.txt

[screenshot: twpol.txt with the /proc line commented out]

Save and exit the file (“:wq” in vim).

Compile the edited policy into Tripwire's signed policy file:

sudo twadmin -m P /etc/tripwire/twpol.txt

Reinitialize the Tripwire database:

sudo tripwire --init

Check your report once more:

sudo tripwire --check | mail -s "Report from tripwire" [your email address]

This time the report should be small enough to inspect every row.

Remove the plain-text policy file (Tripwire uses the signed copy created above, and the readable copy would reveal exactly which paths are monitored):

sudo rm /etc/tripwire/twpol.txt

Step 4. Configure cron to send you mails with report

Edit your crontab to send the report every day at 3:30 am:

crontab -e

[screenshot: crontab entry]
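As an added example (not from the original post), the following POSIX shell script automates Steps 3 and 4: it comments out every active policy rule that mentions /proc, recompiles the policy and rebuilds the baseline, and installs the daily 3:30 am report entry. The function names, the email placeholder and the assumption that the entry goes into root's crontab (so the command needs no sudo) are mine, not the post's; the paths and commands are the ones the post uses.

```shell
#!/bin/sh
# Added example: automate the /proc policy tweak (Step 3) and the cron
# entry (Step 4). Paths follow the post; REPORT_MAIL and the function
# names are assumptions for illustration.

POLICY_TXT=/etc/tripwire/twpol.txt
REPORT_MAIL="admin@example.com"   # placeholder: put your own address here

# Comment out every uncommented policy line that mentions /proc.
# Argument: path to the plain-text policy file. Edits it in place and
# keeps a .bak copy so the change can be reviewed or reverted.
comment_out_proc() {
    _f="$1"
    # Skip lines that are already comments; prefix the rest that mention /proc.
    sed -i.bak '/^[[:space:]]*#/!{ /\/proc/ s/^/# /; }' "$_f"
}

# Count the uncommented policy lines that still refer to /proc
# (prints 0 when none remain; useful as a before/after check).
active_proc_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '/proc' || true
}

# Compile the edited text policy into the signed policy file and
# rebuild the baseline database. Needs tripwire installed and root;
# it is defined here but not run when the file is loaded.
rebuild_policy_and_db() {
    twadmin -m P "$POLICY_TXT"
    tripwire --init
}

# The crontab line for a daily check at 03:30 whose report is mailed
# to the given address. Assumes root's crontab, hence no sudo.
cron_entry() {
    printf '30 3 * * * tripwire --check | mail -s "Report from tripwire" %s\n' "$1"
}

# Append the entry to the current crontab without clobbering other jobs.
install_cron_entry() {
    ( crontab -l 2>/dev/null; cron_entry "$REPORT_MAIL" ) | crontab -
}

# Usage as root, after the initial twadmin/tripwire --init from Step 3:
#   comment_out_proc "$POLICY_TXT" && rebuild_policy_and_db && install_cron_entry
```

The sed rule leaves lines that already start with `#` alone, so running it twice is harmless, and `active_proc_rules` gives you a quick way to confirm nothing referring to /proc is still active before you recompile.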

Step 5. Everyday life

From the day you install Tripwire you need to check its reports regularly. If an email shows lots of new rows, you should mark the ones you recognise as legitimate changes. So from time to time log in to your server and run:

sudo tripwire --check --interactive

Search for all rows marked “[x]” (Control+W is the find command in nano) and confirm that each of those files was changed by you. Do not remove the “[x]” mark; leave it as is and just inspect all such rows. Save and exit the file. Tripwire records the changes in the “[x]” files as accepted and will not include those files in the next report, unless they are changed again.
