Thread: Quick and easy MD5 checksums

  1. #1
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551

    Quick and easy MD5 checksums

    If you use Linux and if you're interested in intrusion detection at all, you've probably heard about Tripwire and other utilities that will "fingerprint" the files on your system with an MD5 cryptographic checksum and periodically check the integrity of those files to be sure they haven't been tampered with. Unfortunately, packages like Tripwire can be very difficult and time consuming to configure properly, especially for Linux novices.

    The good news is that you don't need Tripwire to create and check md5sums on your system files. Linux comes with everything you need to do it with a couple of simple commands. Creating a checksum for a file is as easy as the following command:

    Code:
    problemchild@localhost $ md5sum /bin/su
    b749ebe140ad89e8b102aa8852e75a78 /bin/su
    Obviously, you don't want to do this for every file on your system, so you can automate the process quite a bit. First, build a list of files whose integrity you would like to ensure. I would suggest starting with these files, but you can and probably should add to the list as your needs dictate:

    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/crontab
    /usr/bin/du
    /usr/bin/find
    /usr/bin/killall
    /usr/bin/passwd
    /usr/bin/pidof
    /usr/bin/top
    /bin/login
    /bin/ls
    /bin/netstat
    /bin/ps
    /sbin/ifconfig
    /sbin/route
    /usr/sbin/syslogd
    /usr/sbin/tcpd
    /etc/fstab
    /etc/group
    /etc/inittab
    /etc/login.access
    /etc/passwd
    /etc/profile
    /etc/services
    /etc/shadow

    Once you have the list, save it in a text file, for example "filelist." Be sure to include the absolute path to the file. Then you can create the md5sums by using the "cat" command to list the contents of the file and then running md5sum on the output. The resulting md5sums can then be stored in a text file called "files.md5". Note that the "`" character in the example is not a single quote. It is the character found to the left of the "1" key on most US keyboards. (I don't know the name of this character. I've used it for years without knowing its proper name.)

    Code:
    problemchild@localhost $  md5sum `cat filelist` > files.md5
    A quick look at the resulting files.md5 will reveal the following contents:

    af5b7a03593229535924825a34394a2b /usr/bin/chfn
    0c4a449142ab7e21a1d72a9f101dc644 /usr/bin/chsh
    f1c01f37780f516e1f2bfe3dff01f9f9 /usr/bin/crontab
    d9d57d56a5c7a7ed810b709a7d8079b8 /usr/bin/du
    6eeb6fb51300b30a05b7c1bea6ef0884 /usr/bin/find
    39404d1879e0de2b5637d19ece410291 /usr/bin/killall
    7f86015501636a33085a0504186810c2 /usr/bin/passwd
    39404d1879e0de2b5637d19ece410291 /usr/bin/pidof
    f5b2ed7e8004d66b6e6e6ee701324b45 /usr/bin/top
    b749ebe140ad89e8b102aa8852e75a78 /bin/login
    d33f094819a9b2042fb84a343e800523 /bin/ls
    4aed19d3e4e9fc83db19a9c3a3b7c6e1 /bin/netstat
    b9ec2d135b545fbb4bb7454aa02864f8 /bin/ps
    6fe9e4a8dbf154988bec0822e498f75e /sbin/ifconfig
    8c1b42308acdf16edb1f82f8afe4e1f3 /sbin/route
    cd5f32e15080064869ebae781e43518c /usr/sbin/syslogd
    1983c7e6da50430f01385df369468e77 /usr/sbin/tcpd
    56b68efdc4be309a04de15e346f7041f /etc/fstab
    fa28b3c4d18596ff615dec7b4d48f176 /etc/group
    3c6be6e9c948214c89df452c5eff54d1 /etc/inittab
    d30c542d565436bd5333a80466d5ccf8 /etc/login.access
    45547a1f47cdb8c802e9c056357092dd /etc/passwd
    b466ad437cc0d53f3d25a45b02427a19 /etc/profile
    6dcf38ae8c007e116f2a57bd27a389b7 /etc/services
    d52d60ea13161c6eb67081730bbc99aa /etc/shadow

    There you have all your md5sums in a nice, neat package. Verifying the files is done with the command 'md5sum -c files.md5'

    Code:
    problemchild@localhost $ md5sum -c files.md5
    /usr/bin/chfn: OK
    /usr/bin/chsh: OK
    /usr/bin/crontab: OK
    /usr/bin/du: OK
    /usr/bin/find: OK
    /usr/bin/killall: OK
    /usr/bin/passwd: OK
    /usr/bin/pidof: OK
    /usr/bin/top: OK
    /bin/login: OK
    /bin/ls: OK
    /bin/netstat: OK
    /bin/ps: OK
    /sbin/ifconfig: OK
    /sbin/route: OK
    /usr/sbin/syslogd: OK
    /usr/sbin/tcpd: OK
    /etc/fstab: OK
    /etc/group: OK
    /etc/inittab: OK
    /etc/login.access: OK
    /etc/passwd: OK
    /etc/profile: OK
    /etc/services: OK
    /etc/shadow: OK

    Once you create your md5sums, remember to move them off of the system and put them in a secure location, preferably some removable medium that can be stored safely. Also, if you upgrade any packages on your system, you will need to generate new md5sums to reflect the changes in the files. By doing this regularly, you'll know if any unwelcome guests start tampering with system files.

    Do what you want with the girl, but leave me alone!

  2. #2
    Senior Member
    Join Date
    Jul 2002
    Posts
    225
    Good post. Tripwire can be a bit of a pain, and it really doesn't do much more than your solution here.
    "Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
    -Bad Religion

  3. #3
    Junior Member
    Join Date
    Sep 2002
    Posts
    16
    Cool post!!! I've been thinking of installing Tripwire, and probably will eventually, but this is an excellent approach until I get around to it...

    I'm going to try to write a script to run in a daily cron with this, and send the results back to me in an e-mail... Using something like: "md5sum -c filelist.md5 | grep FAILED" and then pop the results in a mail message...

    I'd like to implement some kind of incrementation variable into it, so my mail would say something like: "0 files changed" or "7 files changed", and then provide the details of the altered files... But I'll have to think about that because I'm not very good with shell scripts... Any hints???

    Kind of a simple approach, but you might at least get 1 email before an intruder catches on and mucks up your checksums... (Maybe hide the md5 file or give it an obscure name??? But then I guess its location will be in your script...)
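    A shell script along the lines post #3 asks for, built on the "md5sum -c files.md5" check from the tutorial: it counts the entries that no longer verify and prints a "N files changed" summary followed by the details, ready to be piped to a mailer from cron. This is an added example, not code from either poster; it assumes GNU coreutils md5sum and a POSIX sh, and the sample files, paths and tampering are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-style check of a files.md5 list
# that reports "<n> files changed" plus the details of the altered files.

# changed_files LISTFILE: prints one line per entry that fails verification.
# md5sum -c exits non-zero if anything fails; "|| true" keeps it quiet under
# "set -e". Warnings go to stderr and are dropped; stdout carries "path: OK",
# "path: FAILED", or "path: FAILED open or read" for a missing file.
changed_files() {
    md5sum -c "$1" 2>/dev/null | grep -v ': OK$' || true
}

# changed_count LISTFILE: prints the number of entries that failed.
changed_count() {
    changed_files "$1" | grep -c '' || true
}

# md5_report LISTFILE: prints the mail body: a summary line, then the details.
md5_report() {
    n=$(changed_count "$1")
    printf '%s files changed\n' "$n"
    [ "$n" -gt 0 ] && changed_files "$1"
    return 0
}

# Constructed demo: two sample files, checksums recorded the way the tutorial
# does, then one file altered before the check runs. Prints the report and
# returns the number of changed files (1 here).
demo_tampered_check() {
    dir=$(mktemp -d)
    printf 'original\n' > "$dir/a.conf"
    printf 'untouched\n' > "$dir/b.conf"
    # Read the list line by line instead of `cat filelist` so paths with spaces survive.
    printf '%s\n' "$dir/a.conf" "$dir/b.conf" |
        while read -r f; do md5sum "$f"; done > "$dir/files.md5"
    printf 'tampered\n' > "$dir/a.conf"   # simulate a modified file
    md5_report "$dir/files.md5"
    n=$(changed_count "$dir/files.md5")
    rm -rf "$dir"
    return "$n"
}

# Cron usage (hypothetical paths), mailing the report with the system mailer:
#   md5_report /mnt/cdrom/files.md5 | mail -s "md5 check $(hostname)" root
```

    Keeping files.md5 on read-only media, as the tutorial advises, matters more for this script than hiding it: the cron entry and the script itself are just as visible to anyone who has already got root.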

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Very cool post problemchild. I was thinking about some sort of a file integrity solution for my linux boxes. Thanks again.
    Opinions are like holes - everybody's got 'em.


  5. #5
    Senior Member
    Join Date
    Jul 2002
    Posts
    339

    Re: Quick and easy MD5 checksums

    ... Note that the "`" character in the example is not a single quote. It is the character found to the left of the "1" key on most US keyboards. (I don't know the name of this character. I've used it for years without knowing its proper name.)
    Good post. And since nobody else is going to tell you, that "`" character is called backtick, which may be found under the "~", which is called tilde...

    (A quick search of "backtick definition" at google: http://zlab.bu.edu/~mfrith/UNIX_notes.html)

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  6. #6
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    Thanks. I was hoping somebody would fill me in on the name of it. I felt kind of stupid posting about a character I couldn't name, but.....
    Do what you want with the girl, but leave me alone!

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    What a complete waste of time! All someone has to do is trojan "md5sum", and you're back to square one. Or they could simply spot files.md5 and change it (tripwire has some degree of protection to prevent unauthorised modification of its file database)

    Tripwire is not invulnerable (unless you run it after booting off a read-only medium with your normal system offline), but it's a hell of a lot more secure than running md5sum.

    If you must use md5sum in this way, burn a statically linked binary of md5sum to a read-only medium (along with all your md5sums) but remember that it's still not guaranteed.

    Someone who has got root can relatively easily trojan the kernel to make it look like the system is unmodified - there are ways to detect a trojan'd running kernel, but there are further ways to hide it (and no, lsmod will *not* show them up)

    Unfortunately Tripwire etc. are designed to detect a successful attack and someone trojan'ing the system - however:

    1. If someone has trojaned your system, you need to reformat it anyway, and audit all user data that were on it at the time for unauthorised modification.
    2. If you don't recognise it immediately, you may be bolting the stable door after the horse has bolted.

    If there's something someone wants from your system, and they get root, they can take it straight away, and then they're finished. An automated attack tool will (if successful obviously) enable them to achieve this in only a few seconds, probably before you notice.

    Why not run snort on your ethernet segment in front of your router (or firewall) and try to detect attackers before they compromise your system?

  8. #8
    Senior Member SodaMoca5
    Join Date
    Mar 2002
    Posts
    236

    2 Items

    Two items here. First I thought this was a very well written tutorial. Clear, concise, and with easy to follow examples. Thank you.

    Second, to Slarty. I am sorry but I felt your post was derogatory for no good reason. It is true that his method is to detect that an intrusion has occurred. It is a chance, not a guarantee, to discover that something is amiss. He did mention that the .txt file should be put on removable media to keep the data intact in case of an attack. Your addition to put the md5sum binary on a protected medium as well simply helps.

    However the main reason I feel your post was unnecessarily negative is that defense in depth is better than relying on one tool. You mentioned detecting attacks before they began by using a tool outside the firewall. Excellent suggestion, maybe you could post a tutorial about how to configure such a system. With that statement you still have the firewall, trenchline 2, and then you should have intrusion detection, virus protection, etc. on the system itself. All adding more defenses, some proactive while others are reactive.

    The process shown here demonstrates how to do the same basic task as some software out there with the tools provided by the OS. I consider that a good idea and a good tutorial. How important the usage is should be determined by the administrators themselves. However, a quick check that has a high probability of alerting me that an attack has occurred and that my forward defenses were breached is a good thing even if it does show that I failed in my primary purpose of defeating the attack before it could cause damage.

    Putting this into a script would make running this occasionally easy and quick. Useful? I think so, but you can decide for yourself.
    SodaMoca5
    "We are pressing through the sphincter of assholiness"

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    thanks problemchild, read your post this morning, and began implementing it on a 2k network.

    you can never have too many devices in place.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #10
    Senior Member problemchild
    Join Date
    Jul 2002
    Posts
    551
    Originally posted here by slarty
    All someone has to do is trojan "md5sum", and you're back to square one. Or they could simply spot files.md5 and change it
    I did say that the list of generated md5sums should be moved onto a removable medium and stored in a safe place. I failed to mention the md5sum binary as well, but that's a good point. You don't want to verify checksums with a trojaned md5sum, obviously. I probably should have included md5sum itself in the list of files to verify, as well.

    Tripwire is not invulnerable (unless you run it after booting off a read-only medium with your normal system offline), but it's a hell of a lot more secure than running md5sum.
    Nowhere did I say that this was better than Tripwire or that either was a perfect technique, only that md5sum is a simple way of performing the same basic task if you don't have the time or experience to deal with Tripwire. I didn't mean to imply that Tripwire isn't worthwhile or that it isn't worth spending the time to learn. But running md5sum is better than doing nothing, which is what most people do, and I stand by it on those grounds.

    At any rate, your point is well taken. As with any security measure, checksums are only one layer in a comprehensive hardening plan. For those who might be wondering, I have a personal checklist of hardening procedures that I follow for every Linux installation, and each of my tutorials deals with one specific step on that checklist. A list of my tutorials is available in my profile intro. Once I have all the steps posted as individual tutorials, I will post my checklist with links to each of the more detailed tutorials.

    Used in conjunction with other hardening techniques, I think running md5sum is a reasonable and prudent measure, and I have to respectfully disagree with you about it being a waste of time.
    Do what you want with the girl, but leave me alone!
