Tips on basic Linux server security
by George Rushmore - for Help Net Security
While you can use Tripwire or any other similar solution to check the integrity of the files on your system, there is another way of doing it. To tell the truth, it is not as powerful, but it is usable. Consider this short script:

OUT=`mktemp /tmp/rpmcheck.XXXXXX` || exit 1
for rpmlist in `rpm -qa | sort`
do
    echo " __ $rpmlist __"
    rpm -V $rpmlist
done > $OUT
mail -s "RPM Check `date '+%T %A %d.%m.%Y'`" root < $OUT   # root: the administrative mailbox
rm -f $OUT

This shell script takes the list of installed RPM packages, sorts it, and runs rpm -V against each package, which compares the size, permissions, owner, group, digest and modification time of every file the package installed with what the RPM database recorded at install time and prints a line for each file that differs. It then mails the whole report to the administrative mailbox. Everything can of course be reconfigured to suit your needs. Keep two caveats in mind. First, the check trusts the RPM database and the rpm binary on the same host, both of which an attacker who already has root can alter; a separately stored baseline, as Tripwire keeps, is what guards against that. Second, the report file must be created with an unpredictable name (mktemp) rather than a fixed name in the world-writable /tmp, for the same symlink reasons that apply to LogSentry's temporary directory below.
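Reading the rpm -V lines in the mailed report is where the real work is, so here is an added example, not from the original article, that triages that output: a changed digest on anything other than a config file, a changed mode or owner, or a missing file is flagged as an alert, while the routine drift of config files and mtimes is only listed. The sample lines are constructed for the demonstration, not real output, and the rpm_verify_triage and count_alerts names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: triage of rpm -V output.
#
# rpm -V prints one line per file that differs from the RPM database:
# a flag string, an optional attribute letter (c = config file, d = doc,
# g = ghost, ...) and the path. Flag positions are S size, M mode,
# 5 digest, D device numbers, L symlink target, U user, G group,
# T mtime and, on newer rpm only, P capabilities; "." means the test
# passed and "?" means it could not be run. A file the database knows
# but the filesystem lacks is reported as "missing <path>".

# Read rpm -V lines on stdin, write one line per input line:
#   "ALERT <path> <reasons>" for changes that are hard to explain away
#   "info <path>" for the routine drift of config files and mtimes
rpm_verify_triage() {
    awk '
    /^missing/ { print "ALERT " $NF " file-missing"; next }
    $1 ~ /^[SM5DLUGTP.?]+$/ {
        flags = $1
        attr = ""; path = $2
        if (NF >= 3) { attr = $2; path = $3 }
        why = ""
        # Config files are edited on purpose; a changed digest on
        # anything else usually means a replaced binary or library.
        if (attr != "c" && index(flags, "5")) { why = why "digest-changed " }
        # A mode or owner change can turn any binary into a setuid root one.
        if (index(flags, "M")) { why = why "mode-changed " }
        if (index(flags, "U") || index(flags, "G")) { why = why "owner-changed " }
        if (why != "") { print "ALERT " path " " why } else { print "info " path }
    }'
}

# Constructed sample in the shape rpm -V emits (not real output).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.M.......    /usr/bin/passwd
.......T.    /usr/share/doc/rpm/README
missing     /usr/sbin/nologin'

# Number of ALERT lines the sample produces (3: ps, passwd, nologin).
count_alerts() {
    printf '%s\n' "$SAMPLE" | rpm_verify_triage | grep -c '^ALERT'
}

# Real use, as root, in place of the fixed /tmp file of the script above:
#   rpm -Va 2>/dev/null | rpm_verify_triage | grep '^ALERT' \
#       | mail -s "RPM alerts on `hostname`" root
```

The config-file exception is deliberate: sshd_config or passwd are expected to drift from the packaged copy, so an alert on every edited config would drown the one line that matters, a changed digest on /usr/bin/ps.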

This is a snapshot of one of the e-mails sent as a result of this shell script:

It is also a good idea to add this script to cron, so that you receive a daily snapshot of the RPMs on your system. In this example it starts every day at 10 am.

[admin@pilatus]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.1759 installed on Tue Apr 16 16:06:48 2002)
00 10 * * * /usr/local/etc/

Checking the logs

Check the logs on your system periodically: everything vital about its current state can be read from them. Going through all the files by hand takes time, and time is precious, so there are a few tools that automate the checking of your system logs.

I like to use LogSentry, a freeware product by Psionic Technologies.

As can be seen from the product description: "LogSentry automatically monitors your system logs and mails security violations to you on a periodic basis. It is based on a program that ships with the TIS Gauntlet firewall but has been improved upon in many ways to make it work nicely for normal system auditing."

Setting up your copy of LogSentry is very easy; these are the main settings that must be edited:
Since LogSentry exists to e-mail you alerts about what is happening on your system, the first is the mailbox the reports are sent to. Pick one that is actually read; alerts delivered to an unread root mailbox are no better than no alerts at all.

The second is the full path to the logtail program, usually /usr/local/bin/logtail. Logtail is a small helper that remembers how far into a log file it last read, in an offset file kept beside the log; logcheck uses it to process only the lines written since the previous run, so old material is never reviewed twice.

The third is the directory for temporary files. It must not be publicly writable: logcheck runs from root's crontab and creates its scratch files there, and in a world-writable directory such as /tmp any local user can create a symlink with the name logcheck is about to use, so that root's write follows the link to a file of the attacker's choosing. A root-owned directory with mode 0700 removes both the race condition and the symlink problem.

LogCheck should also be added to cron, so that it checks the logs as often as you want. I prefer every 30 minutes.
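The three settings and the cron entry fit together as follows. This is an added example, not the article's or Psionic's code: it lists the logcheck.sh variables as I recall them (SYSADMIN, LOGTAIL, TMPDIR; verify against your copy) with the weak value beside the hardened one, reimplements in shell what logtail does with its offset file, including the restart after a log rotation, and shows the check a practitioner should run on the temporary directory before trusting it. The /usr/local/etc/logcheck.sh path in the cron line is assumed, and the sample log lines are modelled on the reports shown later on this page, not taken from a live system.

```shell
#!/bin/sh
# Added example, not from the article or from Psionic's LogSentry.

# The settings in logcheck.sh look like this (variable names from
# memory; verify against your copy). Shown as comments because
# assigning TMPDIR in a running shell would redirect mktemp below.
#   SYSADMIN=root                   # mailbox that receives the reports
#   LOGTAIL=/usr/local/bin/logtail  # the offset-tracking helper
#   TMPDIR=/tmp                     # WEAK: world-writable, symlink race
#   TMPDIR=/usr/local/etc/tmp       # hardened: root-owned, mode 0700
#
# Cron entry for a run every 30 minutes (script path assumed):
#   0,30 * * * * /usr/local/etc/logcheck.sh

# What logtail does, in shell: print the bytes appended to $1 since the
# previous call and remember the new end-of-file position in an offset
# file. If the log is now smaller than the saved offset it has been
# rotated or truncated, so start again from the beginning.
logtail_sh() {
    log=$1
    offset_file=${2:-$log.offset}
    size=$(wc -c < "$log" | tr -d ' ')
    offset=0
    [ -r "$offset_file" ] && offset=$(cat "$offset_file")
    offset=${offset:-0}
    [ "$size" -lt "$offset" ] && offset=0
    # tail -c +N starts at byte N (1-based), so this skips $offset bytes
    tail -c +$((offset + 1)) "$log"
    echo "$size" > "$offset_file"
}

# The check behind "non public writable": the directory must exist, be
# owned by the user running logcheck and not be writable by others,
# otherwise a local user can plant a symlink under the file name
# logcheck will create and have root's write land somewhere else.
tmpdir_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 1
    # -prune stops find descending; -perm -002 matches other-writable
    [ -z "$(find "$dir" -prune -perm -002 -print)" ] || return 1
    [ -n "$(find "$dir" -prune -user "$(id -un)" -print)" ] || return 1
    return 0
}

# Demonstration over a constructed log (not real data): three calls,
# one on a fresh log, one after a line is appended, one after rotation.
# Prints the number of lines each call returned; expected "1 1 1".
logtail_demo() {
    work=$(mktemp -d) || return 1
    chmod 700 "$work"
    tmpdir_is_safe "$work" || return 1
    log=$work/messages
    printf 'May 13 23:58:32 pilus sshd[2633]: Bad protocol version identification\n' > "$log"
    first=$(logtail_sh "$log" | wc -l | tr -d ' ')
    printf 'May 10 01:51:20 pilus su(pam_unix)[2530]: authentication failure\n' >> "$log"
    second=$(logtail_sh "$log" | wc -l | tr -d ' ')
    # simulate logrotate: a fresh, shorter file under the same name
    printf 'May 14 00:00:01 pilus syslogd: restart\n' > "$log"
    third=$(logtail_sh "$log" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$first $second $third"
}
```

Note the limitation the rotation rule shares with the real logtail: it only notices a rotation when the new file is shorter than the saved offset, so a log that is rotated and immediately refilled past that point silently loses the lines in between.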

A few examples of LogCheck reports. The first shows a client that connected to sshd and sent an empty protocol version banner, which is typical of a port scanner or a non-SSH client; the second shows the account spartacus (uid 502) failing to su to root:

Security Violations
May 13 23:58:32 pilus sshd[2633]: Bad protocol version identification '' from

Security Violations
May 10 01:51:20 pilus su(pam_unix)[2530]: authentication failure; logname=spartacus uid=502 euid=0 tty= ruser= rhost= user=root

