BSD DevCenter
oreilly.comSafari Books Online.Conferences.


FreeBSD Basics Avoiding Trojans and Rootkits

by Dru Lavigne

Trojans, rootkits, and DDoS agents are a sad reality. It's a little disheartening to think that software exists which, given a chance, can install unwanted files on your system, overwrite or destroy your own files, send your data or user input elsewhere, or use your computer to attack another system.

The more advanced among you may be smiling and smugly thinking "that's why I run a Unix system". True, there are fewer nasties out there which target Unix systems, but they do exist. Further, as the Unix user base increases, so will the amount and frequency of exploits against Unix systems. Fortunately, as a FreeBSD user, there are many utilities available to you, as well as many good habits that you can teach yourself. The next two articles will discuss these utilities and habits.

First Things First

The first habit, as I've stressed many times in this column, is to be behind a firewall. It doesn't matter what type of firewall, as long as you choose something you are comfortable configuring. If you're intimidated at the prospect of learning the syntax of ipf or ipfw, invest in an inexpensive, preconfigured hardware firewall. If you're already running a free firewall on your Windows system (and you should be), place your FreeBSD system behind it until you're ready to tackle a Unix firewall configuration.

Why the big deal about a firewall? Rootkits. These automated kits scan a portion of the Internet looking for open ports. Once a rootkit discovers a port it can attack, it tries to get into that system. A properly configured home firewall won't show any ports open, so a rootkit will pass you by and look for another victim.

Also in FreeBSD Basics:

Fun with Xorg

Sharing Internet Connections

Building a Desktop Firewall

Using DesktopBSD

Using PC-BSD

What if you haven't been behind a firewall? How do you know if your system contains unwanted software? Sometimes it is hard to tell without doing a lot of investigative work. The best advice, unfortunately, is to back up your data files, reinstall, and set up a firewall before you reconnect to the Internet.

Assuming you are behind a firewall, you should test it to ensure that it is indeed hiding all of your ports. First, take an inventory of the open ports on all of the machines behind the firewall. On each machine, regardless of the operating system, run this command at a command prompt:

$ netstat -an

For each line that begins with tcp or udp, record the port number or name that shows up in the "Local Address" section. If you run this command on your FreeBSD system, ignore the ugly looking lines after the "Active UNIX domain sockets" as those don't deal with port numbers.

FreeBSD systems come with the sockstat command which also shows open ports. I prefer the layout of its output to that of the netstat command. Since FreeBSD supports both IPv4 and IPv6 by default, and I'm not interested in the Unix domain sockets, I usually run the command like so:

$ sockstat -46

Record the results of your netstat or sockstat command for each machine in your home network and repeat the command periodically. This way, you know which ports you expect to be open and will recognize if an extra port suddenly appears on your system.

Ideally, you probably don't need any ports open on any of your home systems. For instructions on how to close ports on your FreeBSD system, see Securing FreeBSD.

Once you've recorded which ports are open on your computers, you want to see if your firewall is advertising any of them to the Internet. The best utility for this purpose is nmap. If you've never used nmap, read through Scanning Your Network first.

It is very important that you double- and triple-check the address of your firewall before you launch your scan. You don't want to scan the wrong address inadvertently and have to explain to your ISP why they shouldn't ban you from further Internet access. A thorough scan of all TCP and UDP ports will take a long time. This command will launch such a scan:

$ nmap -v -P0 -sU -p 1-65535 IP_ADDRESS

Related Reading

Practical UNIX and Internet Security
By Simson Garfinkel, Gene Spafford, Alan Schwartz

where IP_ADDRESS is the address of your firewall. Again, check for typos in that address before you press enter and launch the scan. If all goes well, the scan shouldn't find any open ports.


Open ports aren't the only entry point for unwanted software. Whenever you download software you are really trusting that the software only does what it purports to do, and that the file you just downloaded is the same file that was originally placed on the ftp site, not a trojaned version of the original file.

Fortunately, most ftp sites that provide Unix software protect each downloadable file with an MD5 checksum. You may remember from Cryptographic Terminology 101 that MD5 is used to verify the integrity of a file by ensuring none of the bits in the file have been tampered with. If an attacker were to replace a file on an ftp site with a trojan, the MD5 checksum would not match the trojaned file.

As an example, navigate to Next to the five possible .iso files, there is a file called CHECKSUM.MD5 which gives the checksum for each file. If I download 4.7-mini.iso, I should use the md5 command to verify the checksum before I burn the ISO to a CD:

$ md5 4.7-mini.iso

The number I receive back should be identical to the number in the CHECKSUM.MD5 file on the ftp site.

It's good to make a habit of always checking the MD5 checksum of any file you download from the Internet, refusing to download files that lack checksums. If you use the FreeBSD ports collection, the make command will do this automagically for you. This is the easiest and safest way to install software on your FreeBSD system.

If you are ever building a port and it stops to complain about an MD5 checksum mismatch, DO NOT override the error and carry on with the build. One of two things just occurred and you need to rectify the situation. The first possibility is that your ports tree is out of date. If that is the case, cvsup to the latest version of the ports tree. The second possibility is that the file has been changed on the ftp site since the checksum was calculated. If this is the case, you should email the maintainer of the port so he can ensure the original file was not trojaned. You will find the email address of the maintainer in the Makefile. For example, if I were building the doom port, I would be in the /usr/ports/games/doom directory, and could run this command. (Note the mix of upper and lower case.)

$ more Makefile |grep MAINTAINER 

If you email the maintainer, remember to include the output of uname -a so he knows the version of FreeBSD you are using.

File Integrity Utilities

MD5 checksums can also be used to ensure that the files on your own system are untampered. One of the first things a trojan program will do is change some of your binaries so you won't notice that something nasty has just been installed on your system. For example, your ps command could be replaced with another ps that doesn't show any processes used by the trojan. Your ls command could be altered to hide directories created by the trojan. Fortunately, there are several file integrity utilities that automate the process of creating a database of checksums for the important files on your FreeBSD system. The most common and well known of these utilities is tripwire.

tripwire is available as a free, open source version and as a commercial, try for 30 days before buying version. I'll end today's article by walking you through a build of the tripwire port of the open source version on your FreeBSD system. First, start the build:

$ cd /usr/ports/security/tripwire
$ make install clean

This will trudge along for several minutes, so go grab a drink and wait until the install stops and presents you with this screen:

Installer program for:
Tripwire(R) 2.3 Open Source for LINUX

Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc.  Tripwire (R)
is a registered trademark of the Purdue Research Foundation and is
licensed exclusively to Tripwire (R) Security Systems, Inc.

LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source for LINUX

Please read the following license agreement.  You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.

At this point, you'll be presented with many pages worth of licensing information as it displays the full GNU General Public License followed by the Tripwire Trademark Information. Use your spacebar to read your way through it until you get to this line:

Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept

Make sure you type the word accept or the installation will abort. If you inadvertently press Enter instead, the build will abort. Simply repeat make install clean and be careful to type accept next time you are prompted. At this point, the build will carry on, but don't go too far away as it will prompt for more user input.

Using configuration file install.cfg

Checking for programs specified in install configuration file....

/usr/sbin/sendmail exists.  Continuing installation.

/usr/bin/vi exists.  Continuing installation.

Verifying existence of binaries...

./bin/i386-unknown-freebsd_r/siggen found
./bin/i386-unknown-freebsd_r/tripwire found
./bin/i386-unknown-freebsd_r/twprint found
./bin/i386-unknown-freebsd_r/twadmin found

This program will copy Tripwire files to the following directories:

         TWBIN: /usr/local/sbin
         TWMAN: /usr/local/man
      TWPOLICY: /usr/local/etc/tripwire
      TWREPORT: /var/db/tripwire/report
          TWDB: /var/db/tripwire
  TWSITEKEYDIR: /usr/local/etc/tripwire
 TWLOCALKEYDIR: /usr/local/etc/tripwire

CLOBBER is false.

Continue with installation? [y/n] y


Next, the installation will create several directories and copy some files. Note that some documents are created for you in /usr/local/share/doc/tripwire. tripwire will also create manpages in section 5 and 8 of the manual:

Copying files...

/usr/local/share/doc/tripwire/README: copied
/usr/local/share/doc/tripwire/Release_Notes: copied
/usr/local/share/doc/tripwire/COPYING: copied
/usr/local/sbin/tripwire: copied
/usr/local/sbin/twadmin: copied
/usr/local/sbin/twprint: copied
/usr/local/sbin/siggen: copied
/usr/local/share/doc/tripwire/TRADEMARK: copied
/usr/local/share/doc/tripwire/policyguide.txt: copied
/usr/local/etc/tripwire/twpol.txt: copied
/usr/local/man/man5/twpolicy.5: copied
/usr/local/man/man5/twconfig.5: copied
/usr/local/man/man5/twfiles.5: copied
/usr/local/man/man8/siggen.8: copied
/usr/local/man/man8/tripwire.8: copied
/usr/local/man/man8/twadmin.8: copied
/usr/local/man/man8/twintro.8: copied
/usr/local/man/man8/twprint.8: copied

Next, you will be prompted to create a passphrase. If you've read the cryptosystems series, you'll remember that passphrases are used whenever keys are generated. Remember the passphrase or you will be unable to access the tripwire database. You'll be prompted for this passphrase several times as the installation creates and signs the tripwire configuration file, policy file, and database:

The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

Creating key files...

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the site keyfile passphrase:
Verify the site keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

(When selecting a passphrase, keep in mind that good passphrases typically
have upper and lower case letters, digits and punctuation marks, and are
at least 8 characters in length.)

Enter the local keyfile passphrase:
Verify the local keyfile passphrase:
Generating key (this may take several minutes)...Key generation complete.

Generating Tripwire configuration file...

Creating signed configuration file...
Please enter your site passphrase: 
Wrote configuration file: /usr/local/etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.

Customizing default policy file...

Creating signed policy file...
Please enter your site passphrase: 
Wrote policy file: /usr/local/etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

The installation succeeded.

Please refer to /usr/local/share/doc/tripwire/Release_Notes
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source for LINUX.

Creating tripwire database
Please enter your local passphrase: 
Parsing policy file: /usr/local/etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/tmp
### No such file or directory
### Continuing...
### Warning: File system error.
### Filename: /usr/local/krb5
### No such file or directory
### Continuing...

At this point, you may get several more errors complaining that Kerberos is missing from your system. Don't worry, the installation will continue.

Wrote database file: /var/db/tripwire/hostname.twd
The database was successfully generated.
To create a floppy backup of your tripwire database
run "make floppy". The default database will not
fit on a floppy, however with the removal of objects
from the database, it can be made to fit on a 1.44 MB
floppy disk.

The tripwire database, configuration file and
policy file are signed using the local and site keys,
therefore according to the support staff at, creating a floppy is not necessary.

In the next article, I'll start with what to do with your newly installed tripwire database. Then I'll move on to some alternatives to tripwire as well as other ports that are designed to look for rootkits. In the meantime, take a peek at man tripwire.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.

Read more FreeBSD Basics columns.

Return to the BSD DevCenter.

Sponsored by: