Chkrootkit
① Download and install chkrootkit
```
# cd /usr/local/src
# wget ftp://ftp.chkrootkit.org/pub/seg/pac/chkrootkit.tar.gz
# tar xvf chkrootkit.tar.gz
```
②Create the /root/bin directory and move the chkrootkit command there
```
# mkdir -p /root/bin
# mv chkrootkit-0.58b/chkrootkit /root/bin
```
③Run chkrootkit
```
# chkrootkit | grep INFECTED
```
If nothing is displayed, chkrootkit reported no INFECTED items.
④Create the chkrootkit periodic execution script and set its permissions
Create the script in /etc/cron.daily, the directory whose contents are run automatically once a day
```
# vi /etc/cron.daily/chkrootkit
```
Script contents
```bash
#!/bin/bash

PATH=/usr/bin:/bin:/root/bin
# Use an unpredictable temporary file rather than a fixed /tmp name (a fixed name could be pre-created by another user)
LOG=$(mktemp /tmp/chkrootkit.XXXXXX)
trap 'rm -f "$LOG"' EXIT

# Run chkrootkit
chkrootkit > "$LOG" 2>&1

# Log the output to syslog
cat "$LOG" | logger -t "$(basename "$0")"

# SMTPS bindshell false positive: drop the port 465 line unless lsof really shows a bindshell there
if [ ! -z "$(grep 465 "$LOG")" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$LOG"
fi

# Suckit false positive after an upstart package update: drop the line if rpm verifies the package owning /sbin/init as intact
if [ ! -z "$(grep Suckit "$LOG")" ] && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
    sed -i '/Suckit/d' "$LOG"
fi

# Send mail to root only when a rootkit is detected
[ ! -z "$(grep INFECTED "$LOG")" ] && \
    grep INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
```
Add execution permission to the chkrootkit script
```
# chmod 700 /etc/cron.daily/chkrootkit
```
⑥Back up the commands used by chkrootkit
chkrootkit relies on ordinary system commands (ps, ls, netstat and so on); if a rootkit replaces those binaries, chkrootkit itself is fooled and the rootkit goes undetected.
Back up clean copies of these commands now.
When needed, run chkrootkit against the backed-up copies (with the -p option) instead of the system ones.
```
# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep grep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2820
-rwxr-xr-x 1 root root 763808 Jun 19 13:56 awk
-rwxr-xr-x 1 root root  49128 Jun 19 13:56 cut
-rwxr-xr-x 1 root root  36496 Jun 19 13:56 echo
-rwxr-xr-x 1 root root    106 Jun 19 13:56 egrep
-rwxr-xr-x 1 root root 209224 Jun 19 13:56 find
-rwxr-xr-x 1 root root 169800 Jun 19 13:56 grep
-rwxr-xr-x 1 root root  45016 Jun 19 13:56 head
-rwxr-xr-x 1 root root  44928 Jun 19 13:56 id
-rwxr-xr-x 1 root root 145280 Jun 19 13:56 ls
-rwxr-xr-x 1 root root 148672 Jun 19 13:56 netstat
-rwxr-xr-x 1 root root 124696 Jun 19 13:56 ps
-rwxr-xr-x 1 root root 124080 Jun 19 13:56 sed
-rwxr-xr-x 1 root root 922568 Jun 19 13:56 ssh
-rwxr-xr-x 1 root root  36944 Jun 19 13:56 strings
-rwxr-xr-x 1 root root  36664 Jun 19 13:56 uname
```
⑦Run chkrootkit using the copied commands
```
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
```
If nothing is displayed, chkrootkit reported no INFECTED items.
⑧Compress the backed-up commands
```
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
chkrootkit_cmd/
chkrootkit_cmd/awk
chkrootkit_cmd/cut
chkrootkit_cmd/echo
chkrootkit_cmd/egrep
chkrootkit_cmd/find
chkrootkit_cmd/head
chkrootkit_cmd/id
chkrootkit_cmd/ls
chkrootkit_cmd/netstat
chkrootkit_cmd/ps
chkrootkit_cmd/strings
chkrootkit_cmd/sed
chkrootkit_cmd/ssh
chkrootkit_cmd/uname
chkrootkit_cmd/grep
```
```
# ls -l
total 6360
-rw-------. 1 root root    1149 Jun 18 16:59 anaconda-ks.cfg
-rw-------  1 root root     488 Jun 19 11:45 appid_stats.log
drwxr-xr-x  2 root root      24 Jun 19 13:54 bin
drwxr-xr-x  2 root root     184 Jun 19 13:56 chkrootkit_cmd
-rw-r--r--  1 root root 1334827 Jun 19 13:57 chkrootkit_cmd.tar.gz
```
⑨Send the compressed chkrootkit commands to root by e-mail
```
# echo|mail -a chkrootkit_cmd.tar.gz -s chkrootkit_cmd.tar.gz root
```
⑩Download the chkrootkit_cmd.tar.gz attachment and save it on your Windows PC
⑪Delete the backup archive from the server
```
# rm -f chkrootkit_cmd.tar.gz
```
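The reason for steps ⑥ and ⑦ is that the backed-up copies are a known-good reference. As an added example that is not part of the original page, the following script compares those copies (the /root/chkrootkit_cmd directory from step ⑥) against the binaries currently installed, so a replaced ps or netstat shows up as a hash mismatch; find_live and check_cmd_backup are names chosen here, and the default search path is an assumption.

```shell
#!/bin/bash
# Added example (not from the original page): verify that the command copies saved in
# step ⑥ (/root/chkrootkit_cmd) still match the binaries currently on the system.
# A mismatch is not proof of a rootkit (a package update changes binaries too), but it is
# the signal to re-run chkrootkit with the clean copies (-p) and to check rpm -V, as the
# cron script does for /sbin/init.

# Resolve NAME to the first executable found in the colon-separated SEARCH_PATH.
find_live() {
    local name="$1" search="$2" dir
    local IFS=:
    for dir in $search; do
        if [ -x "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done
    return 1
}

# check_cmd_backup BACKUP_DIR [SEARCH_PATH]
# Prints "CHANGED <cmd>" when the live binary's SHA-256 differs from the backup and
# "MISSING <cmd>" when no live binary is found. Returns 0 only if every copy matches.
check_cmd_backup() {
    local backup_dir="$1" search="${2:-/usr/sbin:/usr/bin:/sbin:/bin}"
    local backup name live rc=0
    for backup in "$backup_dir"/*; do
        name=$(basename "$backup")
        if ! live=$(find_live "$name" "$search"); then
            echo "MISSING $name"
            rc=1
            continue
        fi
        # sha256sum prints "<hash>  <file>"; keep only the hash
        if [ "$(sha256sum "$backup" | cut -d' ' -f1)" != "$(sha256sum "$live" | cut -d' ' -f1)" ]; then
            echo "CHANGED $name"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: ./check_cmd_backup.sh /root/chkrootkit_cmd
if [ $# -ge 1 ]; then
    check_cmd_backup "$@"
fi
```

A non-zero exit with CHANGED lines after a dnf update is expected; refresh the backup once rpm -V confirms the package is intact.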
Logwatch
①Install
```
# dnf install logwatch -y
```
②Edit the configuration file
```
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf
```
● Around line 51: comment out "MailTo = root" and put the address that should receive the notifications on the line below it.
```
#MailTo = root
MailTo = [Mail address]
```
● Around line 84: set the level of detail of the log reports.
```
#Detail = Low
Detail = High
```
③Output a Logwatch report
```
# logwatch --output stdout
```
The output looks like this
```
 ################### Logwatch 7.11 (07/22/24) ####################
        Processing Initiated: Thu Jun 19 14:03:52 2025
        Date Range Processed: yesterday
                              ( 2025-Jun-18 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: Lepard
 ##################################################################

 --------------------- Kernel Audit Begin ------------------------

 Number of audit daemon starts: 2
 Number of audit initializations: 2

 ------------------------------------------------------------------------------
 ------------------------------------------------------------------------------

 --------------------- Disk Space Begin ------------------------

 Filesystem                  Size  Used Avail Use% Mounted on
 /dev/mapper/almalinux-root   17G  6.0G   12G  35% /
 /dev/nvme0n1p2              960M  325M  636M  34% /boot

 ---------------------- Disk Space End -------------------------

 --------------------- lm_sensors output Begin ------------------------

 No sensors found!
 Make sure you loaded all the kernel drivers you need.
 Try sensors-detect to find out which these are.

 ---------------------- lm_sensors output End -------------------------

 ###################### Logwatch End #########################
```
④Test that the report reaches the address you configured. Run the daily cron job by hand and check that a log report like the one above arrives by e-mail.
```
# /etc/cron.daily/0logwatch
```
Setting up a disk usage check script
1. Script creation
```
# cd /var/www/system
# vi disk_capacity_check.sh
```
Contents of disk_capacity_check.sh
```bash
#!/bin/bash

# E-mail address to be notified
MAIL="<your mailaddress>"

# Use% of the root filesystem as a bare number, e.g. "82" (-P keeps df output on one line even for long device names)
DVAL=$(/bin/df -P / | /usr/bin/tail -1 | /bin/sed 's/^.* \([0-9]*\)%.*$/\1/')

if [ "$DVAL" -gt 80 ]; then
    echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in $(hostname)" "$MAIL"
fi
```
```
# chmod 700 disk_capacity_check.sh
```
2. Execution confirmation
①Check the current usage
```
# df -h
```
It looks like this
```
Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/almalinux-root   17G  6.0G   11G  36% /
devtmpfs                    4.0M     0  4.0M   0% /dev
tmpfs                       836M     0  836M   0% /dev/shm
tmpfs                       335M  6.3M  329M   2% /run
tmpfs                       1.0M     0  1.0M   0% /run/credentials/systemd-journald.service
/dev/nvme0n1p2              960M  325M  636M  34% /boot
tmpfs                       1.0M     0  1.0M   0% /run/credentials/getty@tty1.service
tmpfs                       168M   12K  168M   1% /run/user/1000
```
②Create a dummy file to push usage to at least 80%
```
# dd if=/dev/zero of=dummyfile bs=1M count=8000
```
③Check again
```
# df -h
```
Confirm that the usage of / is now above 80%.
④Run the check script
```
# /var/www/system/disk_capacity_check.sh
```
You will receive an email to the email address you have set up, stating something like "Disk usage alert: 82 %".
⑤Delete the dummy file
```
# rm dummyfile
```
⑥Periodic execution setting
```
# crontab -e
30 2 * * * /var/www/system/disk_capacity_check.sh
```
The job runs every day at 02:30.
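disk_capacity_check.sh only watches /, although the df listing above also shows a separate /boot filesystem. As an added example that is not part of the original page, the script below generalises the same check to every mounted filesystem and moves the df parsing into a function that can be exercised on constructed input (the sample is built from the df -h listing above with / pushed over the limit, as in step ②); THRESHOLD, report_full, check_sample and check_and_mail are names chosen here.

```shell
#!/bin/bash
# Added example (not the page's script): alert on every filesystem over a usage threshold.

THRESHOLD="${THRESHOLD:-80}"   # percent, same limit as disk_capacity_check.sh

# report_full THRESHOLD < df-output
# Prints "<use%> <mount point>" for each filesystem whose Use% exceeds THRESHOLD.
# Field 5 is Use% and field 6 the mount point in both "df -h" and "df -P" output;
# NR > 1 skips the header line. Mount points containing spaces are not handled.
report_full() {
    local threshold="$1"
    awk -v t="$threshold" 'NR > 1 { pct = $5; sub(/%/, "", pct); if (pct + 0 > t) print pct, $6 }'
}

# Constructed sample (not real output): the df -h listing from this page after the dummy file
SAMPLE_DF='Filesystem                  Size  Used Avail Use% Mounted on
/dev/mapper/almalinux-root   17G   14G  3.0G  82% /
devtmpfs                    4.0M     0  4.0M   0% /dev
tmpfs                       836M     0  836M   0% /dev/shm
/dev/nvme0n1p2              960M  325M  636M  34% /boot'

# Run the check over the constructed sample instead of the live system
check_sample() {
    printf '%s\n' "$SAMPLE_DF" | report_full "$THRESHOLD"
}

# Live run: same logic over "df -P"; mail only when at least one filesystem is over the limit,
# mirroring the page's script. Argument: the address to notify.
check_and_mail() {
    local mail_to="$1" alerts
    alerts=$(df -P | report_full "$THRESHOLD")
    if [ -n "$alerts" ]; then
        printf 'Disk usage alert (over %s%%):\n%s\n' "$THRESHOLD" "$alerts" \
            | mail -s "Disk Space Alert in $(hostname)" "$mail_to"
    fi
}
```

Install it in cron exactly like disk_capacity_check.sh; the only difference is that one message lists every full filesystem rather than just /.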