rkdet

Abstract

This program is a daemon intended to catch someone installing a rootkit or running a packet sniffer. It is designed to run continually with a small footprint under an innocuous name. When triggered, it sends email, appends to a logfile, and disables networking or halts the system. It is designed to install with the minimum of disruption to a normal multiuser system, and should not require rebuilding with each kernel change or system upgrade.

Background

Intruders may gain access to your system by a variety of mechanisms - they may steal the password of an authorized user, obtain a password by packet sniffing on a network, or exploit a hole such as a buffer overrun in a system daemon. Once access has been obtained, a hacker may be content to use CPU cycles to run an IRC robot such as eggdrop, crack passwords obtained elsewhere (or on your system if shadow passwords are not installed), or simply to store files - hacking tools, or stolen data, for instance. Often, however, a hacker will take some steps to cover their traces and to hide their activity from casual inspection. To do this, they need to obtain root access, if they do not already have it. A number of exploits are available to gain root from a regular account using suid programs such as mount, cron, or game programs. The hacker then typically disables system accounting and logging, or tries to prevent their activities from being logged. A prebuilt package of programs to do this is known as a "rootkit". In most cases, this kit replaces system commands such as "ps" and "netstat" with versions that do not report the hacker's programs or IP address. If a watch is kept for changes to these programs, an intrusion may be detected.

Another common practice is to install a packet sniffer. This will build a list of usernames and passwords for any telnet or ftp logins taking place on the same network segment as the compromised machine. In theory, other logins may be detected, such as IMAP, POP3 (email), Windows networking etc. Again, if a watch is kept for this activity (signalled by a change in status of a network interface to promiscuous mode), an intrusion may be detected. (However, it would be possible for a hacker to monitor logins on the compromised machine ONLY, without changing the interface status.)

Other Security Systems

chkrootkit is a tool for detecting a rootkit after the fact (unlike rkdet or Tripwire, it does not need to be installed beforehand) and will detect many common rootkits. Its site has many useful links.

LIDS - Linux Intrusion Detection System - is a series of kernel patches that enable module and mountpoint locking. LIDS is available from LIDS.org.

The Linux Security Audit Project was created to help coordinate and discuss the security and auditing of free software.

The NSA has a Secure Linux project which includes mandatory access control architecture.

Bastille Linux is a series of scripts which tighten up security on stock Linux systems by changing permissions and disabling features. Taken to extremes, this will also prevent legitimate work, so it is more suitable for hardening a dedicated loghost or fileserver than a development system. Bastille is available from www.bastille-linux.org.

Tripwire is a package which monitors checksums in a similar way to rkdet, but is designed to be run at discrete intervals such as once a day. It monitors many more files. Tripwire may be found at www.tripwire.org.

PortSentry is a program which logs (and optionally blocks) access to TCP and UDP services on the system. It will detect scans for exploitable services (old versions of imap, ftp) and scans for trojan horses (Back Orifice, Netbus etc.). PortSentry is available from www.psionic.com.

ifstatus by David A Curry is a standalone program to check for promiscuous interfaces. It builds on various Unix systems, including Sun Solaris. ifstatus is available from ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/

dtk, or "Deception Toolkit", is a kit of fake daemons and services designed to waste an intruder's time. dtk is available from all.net/dtk/example.html.

Download

There may be some minor upgrades here from the last version announced at FreshMeat, etc.

Note: many people see an "out of space" error. In versions prior to 0.54, increase these allocations in rkdet.c before building:

#define MAXF 30
#define SIZES 3000
#define SIZEF 2000
It is recommended that users rebuild rkdet from source after customizing the messages etc. The binary here sends mail to "root" (you do forward root to a human, don't you ??); it is suggested that at least the binary be renamed (and init.d/rkdet renamed and edited to match).

Maintained by Andrew Daviel