January | 2012 | Webové stránky Jana Faixe

# sudo update-grub Generating grub.cfg Found linux image: /boot/vmlinuz-2.6.30-9-generic Found initrd image: /boot/initrd.img-2.6.30-9-generic Found linux image: /boot/vmlinuz-2.6.30-8-generic Found initrd image: /boot/initrd.img-2.6.30-8-generic Adding Windows Found memtest86+ image: /boot/memtest86+.bin done

http://linuxgazette.net/105/odonovan.html

Linux Internet Server Security and Configuration Tutorial
http://www.yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html

Install basic security tools

aptitude install portsentry fail2ban denyhosts logwatch rkhunter

Configure basic security tools

OSSEC

http://www.ossec.net/main/manual/manual-installation
http://dcid.me/texts/my-ossec-setup-manual.php

apt-get install gcc make libc-dev
wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
tar zxvf ossec-hids-2.6.tar.gz
cd ossec-hids-2.6
sudo ./install.sh

Select: local (if you only have one system to monitor), root@localhost, enable active response [n]
ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest

Find what is running and what type of logs are available.
lsof | grep log

Compare with what OSSEC added automatically
cat /var/ossec/etc/ossec.conf |grep "/"

Add manually the logs that are missing using the util.sh tool that comes with OSSEC:
(Get util.sh, run hg clone https://bitbucket.org/dcid/ossec-hids, find it in contrib directory)

/var/ossec/bin/util.sh addfile /var/log/httpd/site4.access.log

Tests the logs

cat /var/log/syslog | /var/ossec/bin/ossec-logtest -a

Add monitoring of important files or directories

/var/ossec/etc/ossec.conf
/var/www
or ignore often changed files

/etc/motd

To start/stop OSSEC HIDS

/var/ossec/bin/ossec-control

Fail2ban

http://www.fail2ban.org/wiki/index.php/Whitelist

/etc/fail2ban/jail.local

action = %(action_mw)s

/etc/fail2ban/fail2ban.conf

ignoreip = 127.0.0.1 192.168.1.0/24

http://linux.m2osw.com/zmeu-attack

[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
logpath = /var/log/apache*/*access.log
maxretry = 3
findtime = 5
bantime = 14400

[webmin-auth]
enabled = true
port = 10000
filter = webmin-auth
logpath = /var/webmin/miniserv.log
maxretry = 3
findtime = 5
bantime = 14400

/etc/fail2ban/filter.d/apache-badbots.conf

[Definition]
badbotsmy = admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql|

failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
^ -.*"(GET|POST).*(?:%(badbotsmy)s).*HTTP.*"$

/etc/init.d/fail2ban restart

RK Hunter

/etc/default/rkhunter

CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"

/etc/cron.daily/rkhunter change parameter

--report-warnings-only

--no-mail-on-warning

Logwatch

/etc/logwatch/conf/logwatch.conf

LogDir = /var/log
TmpDir = /var/cache/logwatch
Output = stdout
Format = text
Encode = none
MailTo = root
MailFrom = Logwatch
Range = yesterday
Detail = High
Service = All
Service = "-eximstats"
mailer = "/usr/sbin/sendmail -t"

mkdir /var/cache/logwatch

Denyhosts

/etc/denyhosts.conf

ADMIN_EMAIL =

Prey for notebooks

http://preyproject.com

aptitude install curl
wget http://preyproject.com/releases/0.5.3/prey-0.5.3-linux.zip
unzip prey-0.5.3-linux.zip
mv prey /usr/share
rm -f unzip prey-0.5.3-linux.zip
touch /var/log/prey.log
touch /tmp/prey-curl-headers.txt

/usr/share/prey/config

# you can get both of these from Prey's web service
api_key='xyz'
device_key='xyz'
# mailbox to send the report
mail_to='jan@faix.cz'
# the password is now stored base64 encrypted
# if you wish to generate it by hand, run
# $ echo -n "password" | openssl enc -base64
smtp_server='mail.faix.cz:25'
smtp_username='jan@faix.cz'
smtp_password='cHJkZWw='

(sudo crontab -l | grep -v prey; echo "*/20 * * * * /usr/share/prey/prey.sh > /var/log/prey.log") | sudo crontab -

Tripwire

is obsolete, use OSSEC instead!!!

Monthly Archives: January 2012

How to reinstall Grub 2 to master boot record

GRUB

How to add Vista/Windows 7 partition to Grub 2

Securing a New Linux Installation