How to Install and Configure Tripwire IDS on Debian 10

Tripwire IDS is a reliable intrusion detection system that detects changes made to the files and directories defined in its policy. Tripwire IDS detects anomalies by checking the operating system, applications, installed packages and other system services against a known-good baseline.

By the end of this guide, you will know how to install Tripwire IDS on your Debian 10 Buster operating system.

Requirements

  • Supported OS: Debian 10 Buster
  • User account: a user account with sudo or root privileges.

Before starting, make sure your Debian 10 operating system is up to date:

sudo apt update && sudo apt upgrade -y

How to Install

Tripwire ships as a standard package in the Debian repositories, which makes it convenient and easy to install. To start the installation of Tripwire, run the following command:

sudo apt install tripwire -y

Type Y and press Enter to proceed with the installation.

As the installation starts, you will be shown the Postfix configuration screen:

Proceed by pressing (TAB) to highlight (Ok) and press Enter to continue the installation.

On the next screen, choose the Postfix configuration option that fits your needs and press (Enter) to continue to the next screen, where the system mail name is created.

Now you can enter your system mail name and press (Enter) to continue to the next screen, where you enter your site key passphrase. Before the passphrase, you will see a warning:

This is a perfectly valid warning: during the installation process, the passphrases you set on the following screens are stored temporarily in the clear, meaning they could potentially be compromised. This should not affect most people if your system is new and, better still, on a secure setup.

Devices installed on a public network that is open to other users, or where malware or vulnerabilities could be exploited, should take this into account.

Press Tab to select (Ok) and press (Enter) to continue to the passphrase screen:

If you do not want to set a passphrase, press your Tab key and select (No); otherwise, if you do, press (ENTER) on (YES) to continue to the next screen, which is another warning page like the one you saw earlier.

As you can see, it explains the process of using the keys to sign the various files and the warning about the keys being stored unencrypted during installation. Press your Tab key to select (Ok) and press (Enter) to continue to passphrase creation.

Press the (Enter) key to continue to rebuilding the Tripwire configuration file.

Enter your site passphrase, press the (TAB) key and then Enter to continue to the confirmation screen:

Re-enter the site passphrase, press the (TAB) key to select (Ok) and press (Enter) to continue to the next screen, which prompts you to rebuild Tripwire again, but this time for the second key, the local key:

Press the (Enter) key to continue to the Tripwire local key passphrase screen:

As before with the site key passphrase, press (Enter) to continue to the next entry screen and confirm your passphrase as you did for the site key. Once done, you will get the final screen showing that Tripwire is installed:

Press the (Enter) key one last time to complete the installation.

How to Configure

The long journey through the seemingly never-ending installation is over, and now it is time to configure the basics of your Tripwire installation on your Debian operating system.

The first thing to do is to create the Tripwire keys and initialize the database. You can use any text editor on Debian to configure Tripwire. For this guide, we will use nano.

Go to the directory and open your (twcfg.txt) configuration file by running the following command:

cd /etc/tripwire/ && sudo nano twcfg.txt

The default settings are fine here, but it is recommended to change the default (REPORTLEVEL=3) to (REPORTLEVEL=4). Once done, press (CTRL+O) to save and then (CTRL+X) to exit.

Now, generate a new signed configuration file by running the following terminal command:

sudo twadmin -m F -c tw.cfg -S site.key twcfg.txt

You will be prompted for your site passphrase; enter the passphrase and press Enter:

Now, create the following (twpolmake.pl) file, which adjusts the Tripwire policy to your system, using the nano text editor:

sudo nano twpolmake.pl

Then add the following code to the file:

#!/usr/bin/perl
# Rewrite a Tripwire policy file: set HOSTNAME to this machine's hostname and
# comment out rules whose path does not exist, so that "twadmin -m P" does not
# fail on files that are absent from this system.
use strict;
use warnings;

my $POLFILE = $ARGV[0];

open(POL, "<", $POLFILE) or die "open error: $POLFILE";
my ($myhost, $thost);
my ($sharp, $tpath, $cond);
my $INRULE = 0;
my $ret;

while (<POL>) {
    chomp;
    # Replace the HOSTNAME variable with the real hostname of this machine
    if (($thost) = /^HOSTNAME\s*=\s*(.*)\s*;/) {
        $myhost = `hostname`;
        chomp($myhost);
        if ($thost ne $myhost) {
            $_ = "HOSTNAME=\"$myhost\";";
        }
    }
    elsif (/^\{/) {          # start of a rule block
        $INRULE = 1;
    }
    elsif (/^\}/) {          # end of a rule block
        $INRULE = 0;
    }
    elsif ($INRULE == 1 and ($sharp, $tpath, $cond) = /^(\s*\#?\s*)(\/\S+)\b(\s+->\s+.+)$/) {
        # $ret > 0 when the rule line was already commented out
        $ret = ($sharp =~ s/\#//g) || 0;
        if ($tpath eq '/sbin/e2fsadm') {
            $cond =~ s/;\s+(tune2fs.*)$/; \#$1/;
        }
        if (! -s $tpath) {
            # Path missing or empty: comment the rule out (or keep it commented)
            $_ = "$sharp#$tpath$cond" if ($ret == 0);
        }
        else {
            # Path exists: make sure the rule is active
            $_ = "$sharp$tpath$cond";
        }
    }
    print "$_\n";
}
close(POL);

Once done, save the file (CTRL+O) and exit the nano editor (CTRL+X). Next, run the following commands (the redirect runs inside sudo so that the new file can be written in /etc/tripwire):

sudo sh -c 'perl twpolmake.pl twpol.txt > twpol.txt.new'
sudo twadmin -m P -c tw.cfg -p tw.pol -S site.key twpol.txt.new

You will see the following output:

Please enter your site passphrase:  
Wrote policy file: /etc/tripwire/tw.pol

Now, create a new Tripwire database by running the following command in your terminal:

sudo tripwire -m i -s -c tw.cfg

Example output:

Please enter your local passphrase:
### Warning: File system error.
### Filename: /var/lib/tripwire/debian10.twd
### No such file or directory
### Continuing...

Note: to display the generated database, use the following command:

sudo twprint -m d -d /var/lib/tripwire/debian10.twd

Example output:

Open Source Tripwire(R) 2.4.3.7 Database

Database generated by:        root
Database generated on:        Tues 14 July 2021 08:06:19 AM UTC
Database last updated on:     Never

===============================================================================
Database Summary:
===============================================================================

Host name:                    debian10
Host IP address:              45.58.38.142
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/debian10.twd
Command line used:            tripwire -m i -s -c tw.cfg

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

To bring the Tripwire IDS database you created up to date, run the following command:

sudo tripwire --update --accept-all

Example output:

### Error: File could not be opened. 
### Filename: /var/lib/tripwire/report/debian10-20210509-084141.twr 
### No such file or directory 
### Exiting...

Now it is a good idea to test the Tripwire system by running it. Run the following command to do so:

sudo tripwire -m c -s -c /etc/tripwire/tw.cfg

Tripwire writes its reports to the default location (/var/lib/tripwire/report/):

cd /var/lib/tripwire/report/ && ls

Note: if you would like to review any report in that directory, use the following print command:

sudo twprint -m r -t 4 -r /var/lib/tripwire/report/<report file name>.twr

How to Test

Now that you have installed and configured your Tripwire system, it is best to run some quick tests to make sure Tripwire is working properly at this point. The best way is to create a few files and run Tripwire against them to see whether it detects those files.

First, create some files:

sudo touch test1 test2 test3

The next step is to run Tripwire to make sure it can detect those files correctly:

sudo tripwire --check --interactive

If there are no errors in your Tripwire IDS, the newly created files will be listed in the check output.

Note: you can also view the generated report at any time by running the following command:

sudo twprint --print-report --twrfile /var/lib/tripwire/report/debian10-20210509-084636.twr

How to Set Up a Cron Job for Reports

To set up a cron job that produces reports automatically at the desired time, type the following command:

sudo crontab -e

Now create the schedule you want your reports to run on. If you are not sure how to write a schedule, use Crontab.Guru.

Example: run every 12 hours:

00 */12 * * * /usr/sbin/tripwire --check

The reports will be generated and saved in the file location (/var/lib/tripwire/report/).


Conclusion

To summarize, you have installed and configured Tripwire IDS on Debian 10 Buster. In general, attackers commonly use trojans, backdoors and modified files to compromise systems. Tripwire helps counter this by recording information (checksums, file size, mtime, ctime, inode, etc.) about important directories and files and storing that information in its database, so that a later check can show what has changed.
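To make the mechanism described above concrete, here is an added Python illustration (not Tripwire's code and not from the original tutorial): it takes a baseline of the attributes listed above for every file under a constructed temporary directory, then repeats the tutorial's own test from the "How to Test" section (touching test1, test2 and test3) plus a content change and a deletion, and reports what a check would flag. The directory, file names and contents are constructed here, and the functions snapshot, check and demo are hypothetical names.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Baseline like 'tripwire -m i': attributes of every regular file under root."""
    db = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        db[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mtime": st.st_mtime_ns,
            "ctime": st.st_ctime_ns,
            "inode": st.st_ino,
        }
    return db


def check(baseline, current):
    """Check like 'tripwire -m c': Added / Removed / Modified, with changed attributes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in set(baseline) & set(current):
        changed = sorted(k for k in baseline[name] if baseline[name][k] != current[name][k])
        if changed:
            modified[name] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Rebuild the tutorial's test in a constructed temp dir and return the check result."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")  # constructed
        (root / "old.conf").write_text("keep=yes\n")                        # constructed
        baseline = snapshot(root)                 # tripwire -m i (initialise database)
        for name in ("test1", "test2", "test3"):  # sudo touch test1 test2 test3
            (root / name).touch()
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")  # tampered content
        (root / "old.conf").unlink()                                  # deleted file
        return check(baseline, snapshot(root))    # tripwire -m c (integrity check)


if __name__ == "__main__":
    print(demo())
```

The mtime and ctime fields may or may not differ for the tampered file depending on the filesystem's timestamp granularity, which is why the checksum and size are the reliable indicators of a content change.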

If you have any questions, feel free to leave a comment below.