
Tripwire on CentOS 7

Tripwire is a great tool to monitor your server for changes. Skip past my rant to get into the guts of it. Otherwise, enjoy!

We all use WordPress because it's easy to install, there are plenty of people out there to create themes and it's so easy to work with. The downside is that it's incredibly insecure. Before you start bagging me and saying "it's the server that's secure (or not) and not WordPress" or "try keeping it up to date", consider that a) I'm right, and b) WordPress requires that files be written to the filesystem for image uploads, plugins, themes and updates, not to mention the individual needs of third-party plugins. Because of these requirements, the server must allow writes to the filesystem. And if one of those writes is a PHP script, the attacker can do whatever they want on the filesystem with the permissions of the web server.

So the best you can do is follow these steps:

a) Make sure the filesystem is locked down as much as possible. Only allow writes to the /upload directory. When you do updates, relax the permissions to only what's being updated, execute the updates and then harden again. This is because WordPress needs write access to files and directories to update them, obviously. But for 99% of the time we don't want things changing, especially PHP.

b) Enable SELinux if you have it. It's not going to do much except limit low-level system changes. Security in depth, right?!

c) Make sure the /wp-admin directory is protected with a password. If you're using Apache, stick a .htaccess file in there and enforce basic authentication so that only those with appropriate credentials can even try to log in. Otherwise IP restrictions work too if suitable.

d) Track changes to the filesystem with Tripwire.
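Steps a) and c) as a small shell script. This is an added example, not code from the original post: it assumes the site files are owned by a deploy user, that Apache runs as a user in that user's group (so group-read is enough to serve and group-write is enough to upload), and the stock WordPress layout (wp-content/uploads, wp-admin). The htpasswd path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions (hypothetical):
# files are owned by a deploy user, the web server runs in that user's group,
# and the tree is a stock WordPress install.

# wp_harden ROOT: directories 750, files 640 everywhere, except the uploads
# tree, which is the one place the web server must be able to write (770/660).
wp_harden() {
    root="$1"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 770 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 660 {} +
    fi
}

# wp_relax ROOT SUBDIR: make one subtree (e.g. wp-content/plugins) group-writable
# for the duration of an update. Run wp_harden again when the update is done.
wp_relax() {
    find "$1/$2" -type d -exec chmod 770 {} +
    find "$1/$2" -type f -exec chmod 660 {} +
}

# wp_admin_auth ROOT HTPASSWD: require HTTP basic auth for wp-admin (Apache).
# HTPASSWD should live outside the web root; create users with
#   htpasswd -c /etc/httpd/wp-admin.htpasswd alice      (path is a placeholder)
# and make sure the vhost has "AllowOverride AuthConfig" for the site directory.
wp_admin_auth() {
    cat > "$1/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $2
Require valid-user
EOF
}

# mode PATH: octal mode of PATH (GNU stat), used to verify the result.
mode() { stat -c '%a' "$1"; }

# Usage (as the deploy user, after an update):
#   wp_relax  /var/www/html wp-content/plugins   # before running the update
#   wp_harden /var/www/html                      # afterwards
#   wp_admin_auth /var/www/html /etc/httpd/wp-admin.htpasswd
```

Run `wp_relax` only for the subtree you are about to update and `wp_harden` straight after; the uploads tree stays writable by design, which is exactly the directory the Tripwire rule further down needs to tolerate.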

Finally, the point of this article. Install Tripwire following these instructions:

yum install tripwire

Tripwire uses keys to ensure the Tripwire database (the stored file checksums it compares against) isn't changed by unauthorised people or things. The following command will ask you for a passphrase, so think of a good one and don't forget it. Each time you initialise the database, you'll need to enter this passphrase.

tripwire-setup-keyfiles

Tripwire needs to create its database of files so it can later compare them and see if anything was changed.

First, edit the "/etc/tripwire/twpol.txt" file to make sure you're happy with what Tripwire is going to track. For example, all I want to track is the "/etc" and "/var/www/html" directories. But you may want to track everything, or just use the defaults, which are pretty good.

Any changes to that file "/etc/tripwire/twpol.txt" must be followed by the command below.

tripwire --init

For what it’s worth, here’s a sample of how you can add a directory to Tripwire’s list of directories to include:

(
  rulename = "Website Public Content",
  severity = $(SIG_HI)
)
{
/var/www/html		-> $(SEC_CONFIG) ;
}

I bet you can improve on it by replacing "SEC_CONFIG" with something more appropriate, but I'm not sure what that might be.
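As an added example (not part of the original post), here is the same rule with the uploads directory split out, plus the steps the post itself uses to compile and initialise the policy. In the stock twpol.txt, SEC_CONFIG is defined as $(Dynamic), a property mask that records ownership, permissions, inode and type but ignores size, mtime and every hash, so a PHP file that was edited in place would not be reported. SEC_BIN is defined as $(ReadOnly), which does check the hashes. Giving the code SEC_BIN and only the uploads tree SEC_CONFIG keeps the report quiet on media changes while still catching edited scripts; the default policy uses the same pattern of a parent directory and a more specific child path in one rule. The wp-content/uploads path is an assumption about the site layout.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the stock CentOS 7
# twpol.txt variable names (SEC_BIN, SEC_CONFIG, SIG_HI) and a WordPress
# layout with uploads under wp-content/uploads.

# emit_web_policy: print the rule block to append to /etc/tripwire/twpol.txt.
# SEC_BIN = $(ReadOnly) checks hashes, so edited code is reported;
# SEC_CONFIG = $(Dynamic) only checks ownership/permissions/inode, which is
# all we want for a directory that legitimately receives new media files.
emit_web_policy() {
    cat <<'EOF'

(
  rulename = "Website Public Content",
  severity = $(SIG_HI)
)
{
  /var/www/html                     -> $(SEC_BIN) ;     # code, themes, plugins: content must not change
  /var/www/html/wp-content/uploads  -> $(SEC_CONFIG) ;  # media: only ownership and permissions
}
EOF
}

# policy_hashes_code POLICYFILE: true if the web root line uses SEC_BIN,
# i.e. content changes under /var/www/html will show up in the report.
policy_hashes_code() {
    grep -q '^ */var/www/html  *-> *\$(SEC_BIN) *;' "$1"
}

# install_web_policy: append the fragment, recompile the signed policy and
# rebuild the database. The twadmin/tripwire commands are the ones the post
# uses; run as root and expect to be asked for the site and local passphrases.
install_web_policy() {
    emit_web_policy >> /etc/tripwire/twpol.txt
    twadmin --create-polfile -S /etc/tripwire/site.key /etc/tripwire/twpol.txt
    tripwire --init
}
```

`twadmin --create-polfile` is what turns the plain-text twpol.txt into the signed tw.pol that `tripwire --init` and `tripwire --check` actually read, so a policy edit is not in effect until that step has been run.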

If you messed up and need to regenerate the "/etc/tripwire/twpol.txt" file like I did while writing this article (no scotch while documenting), delete the "/etc/tripwire/twpol.txt" file and run the following.

cd /etc/tripwire
/usr/sbin/twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
tripwire --init

Finally we need to test Tripwire. Run the following:

tripwire --check

You should see that nothing has changed. Let's test it. Make a change to the filesystem and then re-run the "tripwire --check" command. For me, I'm going to add a file "/var/www/html/i_shouldnt_be_here".

touch /var/www/html/i_shouldnt_be_here

Running "tripwire --check" told me that:

Added:
"/var/www/html/i_shouldnt_be_here"

We can easily have this emailed to us on a daily basis with the following command (substitute your own address). Add it to cron so you have it as often as you like:

tripwire --check | mail -s "Tripwire summary for $(hostname)" admin@example.com
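A cron wrapper, as an added example rather than the post's own command: it runs the check, counts the entries under the Added:, Modified: and Removed: headings of the report (the same format as the output above), and only sends mail when there is something to report, with the count in the subject. The MAILTO address and the script path in the cron line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the "Added:" /
# "Modified:" / "Removed:" sections of a tripwire report and mails the
# report only when at least one path is listed.
MAILTO="admin@example.com"   # placeholder, replace with your own address

# count_violations REPORTFILE: number of quoted paths listed under the
# Added:, Modified: and Removed: headings (each list ends at a blank line).
count_violations() {
    awk '
        /^(Added|Modified|Removed):$/ { inblock = 1; next }   # heading opens a list
        /^$/                          { inblock = 0; next }   # blank line closes it
        inblock && /^"/               { n++ }                 # one quoted path per line
        END { print n + 0 }
    ' "$1"
}

# list_violations REPORTFILE: the same paths, one per line, prefixed with
# the heading they appeared under (e.g. Added: "/var/www/html/x.php").
list_violations() {
    awk '
        /^(Added|Modified|Removed):$/ { kind = $1; next }
        /^$/                          { kind = ""; next }
        kind != "" && /^"/            { print kind, $0 }
    ' "$1"
}

# nightly_check: run from root's cron. tripwire --check exits non-zero
# when it finds violations, but the decision here is made on the report
# text so that an empty report is never mailed.
nightly_check() {
    report=$(mktemp)
    tripwire --check > "$report" 2>&1
    n=$(count_violations "$report")
    if [ "$n" -gt 0 ]; then
        mail -s "Tripwire: $n change(s) on $(hostname)" "$MAILTO" < "$report"
    fi
    rm -f "$report"
}

# Cron line for a 03:00 daily run (script path is a placeholder):
#   0 3 * * * /usr/local/sbin/tripwire-nightly.sh
# where the script ends with:  nightly_check
```

If you would rather get a mail every day even when nothing changed (proof the job ran), drop the `if` and mail unconditionally; the count in the subject line still lets you spot the days that need a look.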

References: http://linuxpitstop.com/install-tripwire-ids-on-centos-linux-7/
