Tips on basic Linux server security
by George Rushmore - for Help Net Security
While you can use Tripwire or any other similar solution for checking the integrity of the files on your system, there is another way of doing this. To tell you the truth, it is not as powerful, but it is usable. Let's consider this seven-liner:

----------------cut-here-------------------
#!/bin/bash
# Verify every installed package and mail the result to the administrator.
# Use a private temporary file instead of a fixed, predictable name in /tmp,
# so that nobody else on the system can pre-create or symlink it.
OUT=$(mktemp /tmp/rpmcheck.XXXXXX) || exit 1
for rpmlist in $(rpm -qa | sort)
do
echo " __ $rpmlist __"
rpm -V $rpmlist
done > "$OUT"
# The date format contains spaces, so it has to be quoted or date sees
# "%A" and the rest as extra operands.
mail -s "RPM Check $(date +'%T %A %d.%m.%Y')" admin@yoursystem.net < "$OUT"
rm -f "$OUT"
----------------cut-here-------------------

This shell script basically makes a list of the RPM packages installed on your system, sorts it into an easily readable order and verifies each package to see what has changed. After that it mails the whole list to the administrative mailbox. Everything can of course be reconfigured to suit your needs.

This is a snapshot of one of the e-mails sent as a result of this shell script:



It is also a good idea to add this script to cron, so that you receive a daily snapshot of the RPMs on your system. In this example it starts every day at 10 am.

[admin@pilatus]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.1759 installed on Tue Apr 16 16:06:48 2002)
00 10 * * * /usr/local/etc/rpmcheck.sh
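The report that the script above mails out is only useful if you can read the attribute strings that rpm -V prints. The following is an added example, not code from the article: it classifies each rpm -V line and filters a whole report (including the " __ package __" headers the script above writes) down to the findings worth an alert. The sample report, package names and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): interpret the output of `rpm -V`.
# Each line starts with an attribute string in which a letter marks what
# differs from the package database: S size, M mode, 5 digest, D device,
# L symlink target, U user, G group, T mtime (and P capabilities on newer
# rpm); '.' means unchanged and '?' means the test could not be run.
# An optional second field is the file type, e.g. 'c' for a config file.

# Print "<kind> <path>" for one `rpm -V` line.
classify_rpm_v_line() {
    printf '%s\n' "$1" | {
        read -r attrs type path
        # Without a type marker the second field is already the path.
        case "$type" in /*) path=$type; type="" ;; esac
        case "$attrs" in
            missing)     kind=missing ;;
            # Changed digest or size: the file's bytes differ. Expected for
            # edited config files, suspicious for binaries and libraries.
            *5*|*S*)     if [ "$type" = "c" ]; then kind=config-changed
                         else kind=content-changed; fi ;;
            *M*|*U*|*G*) kind=perms-changed ;;
            *L*)         kind=link-changed ;;
            *T*)         kind=mtime-only ;;
            *)           kind=other ;;
        esac
        printf '%s %s\n' "$kind" "$path"
    }
}

# Read a whole report (as produced by the script above, including its
# " __ package __" headers) and keep only the findings worth an alert.
rpm_v_alerts() {
    while IFS= read -r line; do
        case "$line" in ' __ '*|'') continue ;; esac
        kind=$(classify_rpm_v_line "$line")
        case "$kind" in
            content-changed*|perms-changed*|link-changed*|missing*) printf '%s\n' "$kind" ;;
        esac
    done
}

# Constructed sample report (not real output from any system).
SAMPLE_RPM_V=' __ openssh-server __
S.5....T.  c /etc/ssh/sshd_config
 __ coreutils __
..5....T.    /usr/bin/ls
 __ passwd __
.M.......    /usr/bin/passwd
 __ foo __
.......T.    /usr/lib/libfoo.so.1
missing     /usr/share/doc/foo/README'

printf '%s\n' "$SAMPLE_RPM_V" | rpm_v_alerts
```

Run against the sample, only the modified /usr/bin/ls, the mode change on /usr/bin/passwd and the missing file are printed; the edited sshd_config is classified as config-changed and the mtime-only change is dropped, which keeps the daily mail short enough that a changed binary stands out. Piping the mailed report through rpm_v_alerts before sending it is one way to use this.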

Checking the logs

You should periodically check the logs on your system: all the vital information about its current status can be seen there. Manually checking all the files takes time, and time is precious, so there are a few tools that help you automate the process of checking your system logs.

I like to use LogSentry, a freeware product by Psionic Technologies.

As can be seen from the product description: "LogSentry automatically monitors your system logs and mails security violations to you on a periodic basis. It is based on a program that ships with the TIS Gauntlet firewall but has been improved upon in many ways to make it work nicely for normal system auditing."

Setting up your copy of logcheck.sh is very easy; these are some of the main settings that must be edited:

SYSADMIN=admin@dotcom.net
Since the purpose of LogSentry is to send you e-mail alerts about things happening on your system, you need to specify your mailbox here.

LOGTAIL=/usr/local/bin/logtail
The full path to the logtail program, which is usually installed in /usr/local/bin. logtail is a small custom executable that remembers the last position it read in a text file. logcheck uses it to process only what was added since the log was last opened, which prevents reviewing old material twice.

TMPDIR=/usr/local/etc/tmp-something
This should be a temporary directory that is not publicly writable (unlike /tmp), which prevents race conditions and potential symlink problems.

LogCheck should also be added to cron, so it checks the logs at the interval you want. I prefer every 30 minutes.

A few examples of LogCheck reports:

Security Violations
=-=-=-=-=-=-=-=-=-=
May 13 23:58:32 pilus sshd[2633]: Bad protocol version identification '' from 81.65.212.13

Security Violations
=-=-=-=-=-=-=-=-=-=
May 10 01:51:20 pilus su(pam_unix)[2530]: authentication failure; logname=spartacus uid=502 euid=0 tty= ruser= rhost= user=root
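To make concrete both the logtail mechanism described above (remembering the last position in a log file) and the kind of "Security Violations" section shown in the two reports, here is an added example; it is not LogSentry's code. The real logtail binary and the logcheck.violations pattern file are replaced by small stand-ins, the log lines are constructed (the hostname, PIDs, user name and the address 192.0.2.10 are invented), and the scan is run three times against a scratch log file the way cron would run it.

```shell
#!/bin/sh
# Added example (not LogSentry's own code): how logtail-style offset
# tracking and a violation pattern list fit together. The real logtail
# binary and logcheck.violations file are replaced by small stand-ins.

# Print the lines of log file $1 added since the previous call, keeping the
# byte offset in $2. If the file is now smaller than the saved offset it was
# rotated or truncated, so start again from the beginning.
logtail_since() {
    file=$1; offsetfile=$2; last=0
    [ -f "$offsetfile" ] && last=$(cat "$offsetfile")
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -lt "$last" ] && last=0
    tail -c +$((last + 1)) "$file"
    printf '%s\n' "$size" > "$offsetfile"
}

# Stand-in for the logcheck.violations list: constructed from the two report
# excerpts above, not the real pattern file.
security_violations() {
    grep -E 'Bad protocol version identification|authentication failure' || true
}

# Emit a report section in LogSentry's style, or nothing if there are no hits.
logcheck_report() {
    hits=$(security_violations)
    if [ -n "$hits" ]; then
        printf 'Security Violations\n=-=-=-=-=-=-=-=-=-=\n%s\n' "$hits"
    fi
}

# Constructed sample log lines (not records from a real host).
SAMPLE_LOG_1='May 13 23:58:32 pilus sshd[2633]: Bad protocol version identification from 192.0.2.10
May 13 23:59:01 pilus CROND[2640]: (root) CMD (run-parts /etc/cron.hourly)'
SAMPLE_LOG_2='May 14 00:12:45 pilus su(pam_unix)[2701]: authentication failure; logname=alice uid=502 euid=0 tty= ruser= rhost= user=root'

# Walk through three cron runs against a scratch copy of /var/log/messages.
demo() {
    dir=$(mktemp -d) || return 1
    log=$dir/messages; off=$dir/messages.offset
    printf '%s\n' "$SAMPLE_LOG_1" > "$log"
    echo "--- run 1: first pass reports the sshd line"
    logtail_since "$log" "$off" | logcheck_report
    echo "--- run 2: nothing new, so nothing is reported"
    logtail_since "$log" "$off" | logcheck_report
    printf '%s\n' "$SAMPLE_LOG_2" >> "$log"
    echo "--- run 3: only the appended su failure is reported"
    logtail_since "$log" "$off" | logcheck_report
    rm -rf "$dir"
}

demo
```

The offset file is the whole trick: each run reads from the byte where the previous run stopped, so a line is reported at most once, and the size check resets the offset after rotation so that a freshly rotated log is not silently skipped. The offset file should live in the private TMPDIR discussed above for the same reason logcheck's own temporary files do.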
