Chkrootkit
① Download and install
# cd /usr/local/src
# wget https://launchpad.net/chkrootkit/main/0.55/+download/chkrootkit-0.55.tar.gz
# tar xvf chkrootkit-0.55.tar.gz
Note that the tarball also contains C helper programs (chkproc, chklastlog, chkwtmp, ifpromisc, ...) that are only built by running "make sense" in the extracted directory. The procedure below moves just the chkrootkit shell script, so the tests that depend on those helpers are not run.
➁ Create the /root/bin directory and move the chkrootkit command there
# mkdir -p /root/bin
# mv chkrootkit-0.55/chkrootkit /root/bin
➂ Run chkrootkit
# chkrootkit | grep INFECTED
If nothing is displayed, there is no problem.
If the following line appears, it is most likely a false positive: chkrootkit matches suspicious strings inside the binary, which some distribution builds of chsh contain.
Checking `chsh'... INFECTED
Confirm it by verifying the package that owns the binary with rpm -V; if rpm reports no change to the file, the binary is the distribution's own.
④ Create the chkrootkit periodic execution script and set its permissions
Create the chkrootkit execution script in the directory whose contents run automatically once a day.
# vi /etc/cron.daily/chkrootkit
Contents of the scheduled script (it needs lsof, rpm and a mail command on the PATH it sets):
#!/bin/bash
PATH=/usr/bin:/bin:/root/bin
# Work file; mktemp avoids a predictable file name in /tmp
LOG=$(mktemp /tmp/chkrootkit.XXXXXX) || exit 1
trap 'rm -f "$LOG"' EXIT

# Run chkrootkit
chkrootkit > "$LOG" 2>&1

# Copy the output to syslog
logger -t "$(basename "$0")" < "$LOG"

# SMTPS bindshell false positive: drop the port 465 line unless lsof
# shows a bindshell process actually bound to that port
if [ -n "$(grep 465 "$LOG")" ] && \
   [ -z "$(/usr/sbin/lsof -i:465 | grep bindshell)" ]; then
    sed -i '/465/d' "$LOG"
fi

# Suckit false positive after the package providing /sbin/init is updated:
# drop it when rpm verification of the package owning /sbin/init is clean
if [ -n "$(grep Suckit "$LOG")" ] && \
   [ -z "$(rpm -V "$(rpm -qf /sbin/init)")" ]; then
    sed -i '/Suckit/d' "$LOG"
fi

# Mail root only when a rootkit is detected
if [ -n "$(grep INFECTED "$LOG")" ]; then
    grep INFECTED "$LOG" | mail -s "chkrootkit report in $(hostname)" root
fi
Add execute permission to the chkrootkit execution script
# chmod 700 /etc/cron.daily/chkrootkit
⑥ Back up the commands used by chkrootkit
chkrootkit relies on ordinary system commands (ps, netstat, ls, strings, ...). If a rootkit has replaced those commands, chkrootkit is fooled along with everything else and reports nothing.
Back up clean copies of these commands now, while the system is known to be clean.
When needed, run chkrootkit against the backed-up copies (with the -p option) instead of the system ones.
# cd /root
# mkdir /root/chkrootkit_cmd
# cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed ssh uname` chkrootkit_cmd/
# ls -l /root/chkrootkit_cmd/
total 2568
-rwxr-xr-x 1 root root 723256 Mar  5 12:22 awk
-rwxr-xr-x 1 root root  49952 Mar  5 12:22 cut
-rwxr-xr-x 1 root root  37352 Mar  5 12:22 echo
-rwxr-xr-x 1 root root     32 Mar  5 12:22 egrep
-rwxr-xr-x 1 root root 214168 Mar  5 12:22 find
-rwxr-xr-x 1 root root  45872 Mar  5 12:22 head
-rwxr-xr-x 1 root root  41672 Mar  5 12:22 id
-rwxr-xr-x 1 root root 142072 Mar  5 12:22 ls
-rwxr-xr-x 1 root root 161712 Mar  5 12:22 netstat
-rwxr-xr-x 1 root root 141080 Mar  5 12:22 ps
-rwxr-xr-x 1 root root 116824 Mar  5 12:22 sed
-rwxr-xr-x 1 root root 844272 Mar  5 12:22 ssh
-rwxr-xr-x 1 root root  33256 Mar  5 12:22 strings
-rwxr-xr-x 1 root root  37536 Mar  5 12:22 uname
(egrep is only 32 bytes because on this distribution it is a small wrapper script around grep, not a binary.)
⑦ Run chkrootkit with the copied commands
If nothing is displayed, there is no problem.
# chkrootkit -p /root/chkrootkit_cmd | grep INFECTED
⑧ Compress the backed-up commands
# tar zcvf chkrootkit_cmd.tar.gz chkrootkit_cmd
⑨ Download chkrootkit_cmd.tar.gz and save it on a Windows PC (or any other machine off the server). An attacker who gains root can tamper with any copy left on the server, so the offline archive is the trusted one.
⑪ Delete the archive from the server
# rm -f chkrootkit_cmd.tar.gz
The /root/chkrootkit_cmd directory stays on the server for the -p runs in step ⑦; if it is ever in doubt, restore it from the offline archive.
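As an added example (not code from the original page), the following bash functions extend steps ⑥ and ⑦: they copy the listed commands the way the page does, but also record a sha256 manifest next to the copies, so that the live system binaries can later be compared against what was backed up. The function names backup_cmds and verify_cmds and the file name MANIFEST.sha256 are assumptions of this example; it assumes bash (for type -P, which resolves builtins such as echo to their on-disk binary) and GNU coreutils.

```shell
#!/bin/bash
# Added example, not part of the original page: keep a sha256 manifest beside
# the backed-up chkrootkit helper commands and later compare the live system
# binaries against it.  Assumes bash and GNU coreutils (sha256sum, cp -p).
set -u

# backup_cmds DEST CMD...
# Copy each named command (resolved through the current PATH) into DEST and
# write DEST/MANIFEST.sha256 listing the hash of every copy.
backup_cmds() {
    local dest=$1; shift
    local cmd path
    mkdir -p -- "$dest" || return 1
    for cmd in "$@"; do
        # type -P forces a PATH search, so "echo" yields /usr/bin/echo, not the builtin
        path=$(type -P "$cmd") || { echo "not found: $cmd" >&2; return 1; }
        cp -p -- "$path" "$dest/$cmd" || return 1
    done
    ( cd -- "$dest" && sha256sum -- "$@" > MANIFEST.sha256 )
}

# verify_cmds MANIFEST
# For every entry in MANIFEST, hash the command the current PATH resolves to
# and print "CHANGED name path" or "MISSING name" when it no longer matches.
# Returns 0 only if every command is unchanged.
verify_cmds() {
    local manifest=$1
    local sum name path cur rc=0
    while read -r sum name; do
        path=$(type -P "$name") || { echo "MISSING $name"; rc=1; continue; }
        cur=$(sha256sum -- "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "CHANGED $name $path"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage with the page's command list (hypothetical paths from the page):
#   backup_cmds /root/chkrootkit_cmd awk cut echo egrep find head id ls \
#       netstat ps strings sed ssh uname
#   verify_cmds /root/chkrootkit_cmd/MANIFEST.sha256
```

Run verify_cmds from the same cron script that runs chkrootkit: a CHANGED line after a package update is expected (re-run backup_cmds once rpm -V is clean), while a CHANGED line with no update is exactly the case step ⑥ is guarding against. The sha256sum used for the check must itself be trusted, so keep it in the backed-up set too.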
Logwatch
① Install
# dnf install logwatch
② Edit the configuration file
# cat /usr/share/logwatch/default.conf/logwatch.conf >> /etc/logwatch/conf/logwatch.conf
# vi /etc/logwatch/conf/logwatch.conf
●Line 53: comment out "MailTo = root" and add a line below it with the address that should receive the reports
#MailTo = root
MailTo = [Mail address]
●Around line 86: set the level of detail of the report
#Detail = Low
Detail = High
③ Output a Logwatch report
# logwatch --output stdout
It will look like the following:
################### Logwatch 7.8 (01/22/23) ####################
        Processing Initiated: Sun Mar  5 13:40:07 2023
        Date Range Processed: yesterday
                              ( 2023-Mar-04 )
                              Period is day.
        Detail Level of Output: 10
        Type of Output/Format: stdout / text
        Logfiles for Host: Lepard
##################################################################
-----------(omitted)----------
 **Unmatched Entries**
    Binding to IPv6 address not available since kernel does not support IPv6.: 12 Time(s)
    No hostname configured, using default hostname.: 1 Time(s)
 ---------------------- Systemd End -------------------------

 --------------------- Disk Space Begin ------------------------
 Filesystem               Size  Used Avail Use% Mounted on
 /dev/mapper/fedora-root   15G  4.3G   11G  29% /
 /dev/nvme0n1p2           960M  218M  743M  23% /boot
 ---------------------- Disk Space End -------------------------

###################### Logwatch End #########################
④ Test that the report reaches the address you set: run the daily cron job by hand and check that a report e-mail like the one above arrives.
# /etc/cron.daily/0logwatch
Disk usage check script
1 Script creation
# cd /var/www/system
# vi disk_capacity_check.sh
Contents of disk_capacity_check.sh
#!/bin/bash
# E-mail address to notify
MAIL="<Mail address>"
# Use% of the root filesystem, digits only
DVAL=`/bin/df / | /usr/bin/tail -1 | /bin/sed 's/^.* \([0-9]*\)%.*$/\1/'`
if [ "$DVAL" -gt 80 ]; then
    echo "Disk usage alert: $DVAL %" | mail -s "Disk Space Alert in `hostname`" "$MAIL"
fi
# chmod 700 disk_capacity_check.sh
2 Execution confirmation
① Check the current usage
# df -h
It appears as follows:
Filesystem               Size  Used Avail Use% Mounted on
devtmpfs                 4.0M     0  4.0M   0% /dev
tmpfs                    2.2G     0  2.2G   0% /dev/shm
tmpfs                    896M  1.6M  895M   1% /run
/dev/mapper/fedora-root   15G  4.4G   11G  30% /
/dev/loop2                50M   50M     0 100% /var/lib/snapd/snap/snapd/18357
/dev/loop0                64M   64M     0 100% /var/lib/snapd/snap/core20/1822
/dev/loop1                44M   44M     0 100% /var/lib/snapd/snap/certbot/2772
tmpfs                    2.2G  8.0K  2.2G   1% /tmp
/dev/nvme0n1p2           960M  218M  743M  23% /boot
tmpfs                    448M  4.0K  448M   1% /run/user/1000
② Create a dummy file so that usage of / exceeds 80%
# dd if=/dev/zero of=dummyfile bs=1M count=9000
The count (9000 MiB) is chosen for this 15G root filesystem with about 4.4G in use; adjust it to your own disk.
➂ Run the check script
# /var/www/system/disk_capacity_check.sh
An e-mail such as "Disk usage alert: 88 %" is sent to the address you set.
④ Delete the dummy file
# rm dummyfile
⑤ Periodic execution setting (runs every day at 02:30)
# crontab -e
30 2 * * * /var/www/system/disk_capacity_check.sh
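The page's script only watches / and parses one df line with sed. As an added example (not the page's script), the bash functions below generalise the same check to every real filesystem df reports, skipping tmpfs/devtmpfs and the snap loop mounts that are always 100% in the df output above. The names over_threshold and disk_alert are assumptions of this example; it assumes df -P (POSIX one-line-per-filesystem output) and a working mail command, as the page's script does.

```shell
#!/bin/bash
# Added example, not the page's script: report every real filesystem above a
# usage threshold instead of only "/".  Assumes df -P and a "mail" command.
set -u

# over_threshold LIMIT
# Reads "df -P" output on stdin and prints "PCT MOUNTPOINT" for every
# filesystem whose Use% is greater than LIMIT.  Pseudo filesystems (tmpfs,
# devtmpfs) and read-only snap loop mounts (always 100%) are skipped.
# Returns 0 when at least one filesystem was printed, 1 otherwise.
over_threshold() {
    local limit=$1 fs size used avail pct mnt found=1
    while read -r fs size used avail pct mnt; do
        case "$fs" in
            Filesystem|tmpfs|devtmpfs|/dev/loop*) continue ;;   # header and pseudo fs
        esac
        pct=${pct%\%}                       # "86%" -> "86"
        if [ "$pct" -gt "$limit" ]; then
            echo "$pct $mnt"
            found=0
        fi
    done
    return $found
}

# disk_alert LIMIT MAILTO
# Runs df and mails the list of offending filesystems to MAILTO, but only
# when there is something to report (same behaviour as the page's script).
disk_alert() {
    local limit=$1 mailto=$2 report
    if report=$(df -P | over_threshold "$limit"); then
        printf 'Disk usage alert (threshold %s%%):\n%s\n' "$limit" "$report" |
            mail -s "Disk Space Alert in $(hostname)" "$mailto"
    fi
}

# Usage from cron, matching the page's 80% threshold:
#   disk_alert 80 "<Mail address>"
```

Because over_threshold reads its input from stdin, it can be tested against captured df output without touching a real disk, and the dummy-file step above is no longer needed to see the alert path fire.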