http://linuxgazette.net/105/odonovan.html
Linux Internet Server Security and Configuration Tutorial
http://www.yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html
Install basic security tools
# Baseline host monitoring/defence packages, one per line for readability.
aptitude install \
  portsentry \
  fail2ban \
  denyhosts \
  logwatch \
  rkhunter
Configure basic security tools
OSSEC
http://www.ossec.net/main/manual/manual-installation
http://dcid.me/texts/my-ossec-setup-manual.php
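# Build prerequisites for the OSSEC source install.
apt-get install gcc make libc-dev
# NOTE(review): the tarball is fetched over plain HTTP with no integrity check;
# compare it with the checksum/signature the project publishes before unpacking, e.g.
#   echo '<PUBLISHED_SHA256>  ossec-hids-2.6.tar.gz' | sha256sum -c -
wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
tar zxvf ossec-hids-2.6.tar.gz
# Chain cd and the installer so a failed cd does not run ./install.sh from the
# current directory (the original ran them as two independent commands).
cd ossec-hids-2.6 && sudo ./install.sh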
Select: local (if you only have one system to monitor), root@localhost, enable active response [n]
ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest
Find what is running and what type of logs are available.
# List open files whose lsof record contains "log": shows which log files the
# running services currently hold open, to compare with what OSSEC monitors.
lsof | grep log
Compare with what OSSEC added automatically
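# Show the paths OSSEC configured automatically (every line of ossec.conf containing "/").
# grep reads the file directly; piping it through cat added nothing.
grep "/" /var/ossec/etc/ossec.conf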
Manually add the logs that are missing, using the util.sh tool that comes with OSSEC:
(To get util.sh, run `hg clone https://bitbucket.org/dcid/ossec-hids` and find it in the contrib directory.)
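# Register a log file that OSSEC did not pick up on its own.
/var/ossec/bin/util.sh addfile /var/log/httpd/site4.access.log
# Replay an existing log through the rule engine to see what it would trigger
# (-a as given in the original notes); read the file by redirection instead of
# piping it through cat.
/var/ossec/bin/ossec-logtest -a < /var/log/syslog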
/var/ossec/etc/ossec.conf
/var/www
or ignore frequently changed files
/etc/motd
# ossec-control manages the OSSEC daemons and expects a subcommand
# (start|stop|restart|status); none is given here — NOTE(review): confirm which
# one is intended (a restart is needed after editing ossec.conf).
/var/ossec/bin/ossec-control
Fail2ban
http://www.fail2ban.org/wiki/index.php/Whitelist
/etc/fail2ban/jail.local
# action_mw (as defined in jail.conf) bans and also sends a notification mail with
# a whois lookup of the banned address; it needs a working local mailer.
action = %(action_mw)s
/etc/fail2ban/fail2ban.conf
# NOTE(review): ignoreip is a jail option (jail.conf/jail.local [DEFAULT]), not a
# fail2ban.conf setting; it will not take effect under the file named above — confirm
# and move it. Sources listed here are never banned: localhost and the 192.168.1.0/24 LAN.
ignoreip = 127.0.0.1 192.168.1.0/24
http://linux.m2osw.com/zmeu-attack
[apache-badbots]
enabled = true
port = http,https
filter = apache-badbots
# glob: every apache*/...access.log is watched
logpath = /var/log/apache*/*access.log
# Units are seconds: 3 matches within 5 s give a 4 h (14400 s) ban.
maxretry = 3
findtime = 5
bantime = 14400
[webmin-auth]
enabled = true
port = 10000
filter = webmin-auth
logpath = /var/webmin/miniserv.log
# NOTE(review): findtime = 5 s means failed logins spaced more than a few seconds
# apart never add up to maxretry; a window of minutes is more usual for login
# brute-force — confirm this is intended.
maxretry = 3
findtime = 5
bantime = 14400
/etc/fail2ban/filter.d/apache-badbots.conf
[Definition]
# NOTE(review): badbotsmy ends with a trailing "|", which adds an empty alternative,
# so "(?:%(badbotsmy)s)" in the second failregex matches every GET/POST line and any
# client is banned after maxretry requests; drop the trailing "|".
# NOTE(review): neither regex carries the <HOST> tag fail2ban needs to extract the
# address (the stock filter's failregex starts with ^<HOST> -), and the second
# failregex line must be indented to count as a continuation — both were probably
# lost when this page was rendered; restore them before using this filter.
# badbots and badbotscustom are presumably defined by the shipped apache-badbots.conf.
badbotsmy = admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql|
failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
^ -.*"(GET|POST).*(?:%(badbotsmy)s).*HTTP.*"$
# Restart fail2ban so the jail.local and filter.d changes above take effect.
/etc/init.d/fail2ban restart
rkhunter
/etc/default/rkhunter
# Enable the daily cron run; CRON_DB_UPDATE presumably enables the periodic
# data-file update as well — check the comments in /etc/default/rkhunter.
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
In /etc/cron.daily/rkhunter, change the parameter --report-warnings-only to --no-mail-on-warning
Logwatch
/etc/logwatch/conf/logwatch.conf
LogDir = /var/log
# must exist; see the mkdir below
TmpDir = /var/cache/logwatch
# NOTE(review): with Output = stdout the report goes to whatever runs logwatch (cron
# mails that output); MailTo/MailFrom apply only when Output = mail — confirm intended.
Output = stdout
Format = text
Encode = none
MailTo = root
MailFrom = Logwatch
Range = yesterday
Detail = High
# all services, except eximstats
Service = All
Service = "-eximstats"
mailer = "/usr/sbin/sendmail -t"
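# Create logwatch's TmpDir (matches TmpDir in logwatch.conf); -p makes the step
# idempotent so re-running these notes does not fail if the directory exists.
mkdir -p /var/cache/logwatch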
Denyhosts
/etc/denyhosts.conf
# left empty: presumably disables denyhosts' admin notification mails — confirm in denyhosts.conf
ADMIN_EMAIL =
Prey for notebooks
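# Prey needs curl to send its reports.
aptitude install curl
# NOTE(review): the archive is fetched over plain HTTP with no integrity check;
# compare it with the checksum/signature the project publishes before unpacking, e.g.
#   echo '<PUBLISHED_SHA256>  prey-0.5.3-linux.zip' | sha256sum -c -
wget http://preyproject.com/releases/0.5.3/prey-0.5.3-linux.zip
unzip prey-0.5.3-linux.zip
mv prey /usr/share
# The original read `rm -f unzip prey-0.5.3-linux.zip`, which would also delete a
# file literally named "unzip" in the current directory; only the archive goes.
rm -f -- prey-0.5.3-linux.zip
touch /var/log/prey.log
# NOTE(review): a fixed name in the shared /tmp can be pre-created by any local
# user; prefer a root-owned directory or mktemp if prey.sh lets the path be changed.
touch /tmp/prey-curl-headers.txt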
/usr/share/prey/config
# Prey agent configuration (shell-style assignments read by prey.sh).
# Both keys come from Prey's web service; 'xyz' here are placeholders.
api_key='xyz'
device_key='xyz'
# mailbox that receives the report
mail_to='jan@faix.cz'
# The SMTP password is stored base64-ENCODED, not encrypted: base64 is trivially
# reversible, so anyone who can read this file can recover the cleartext. Keep the
# file readable by root only (e.g. chmod 600) and treat it as a secret.
# To generate the value by hand, run
# $ echo -n "password" | openssl enc -base64
# (the literal password then lands in the shell history; read it from a file or
# prompt instead if that matters)
# NOTE(review): port 25 — confirm prey.sh negotiates STARTTLS, otherwise the login
# and the report travel in clear.
smtp_server='mail.faix.cz:25'
smtp_username='jan@faix.cz'
smtp_password='cHJkZWw='
# Install (or refresh) root's cron entry for Prey: keep every existing crontab line
# that does not mention "prey", then append a run every 20 minutes whose output
# overwrites /var/log/prey.log.
{
  sudo crontab -l | grep -v prey
  printf '%s\n' "*/20 * * * * /usr/share/prey/prey.sh > /var/log/prey.log"
} | sudo crontab -
Tripwire
is obsolete; use OSSEC instead!