Tuesday, October 4, 2016

Install AIDE - the Advanced Intrusion Detection Environment - on CentOS server



Install and initialize the Advanced Intrusion Detection Environment (aide), then replace the freshly generated database with the one aide will check against:

# yum install aide
# aide --init
AIDE, version 0.15.1
### AIDE database at /var/lib/aide/aide.db.new.gz initialized.
# cd /var/lib/aide
# ls -lrt
total 8352
-rw-------. 1 root root 3089567 Jul 23 04:04 aide.db.gz
-rw-------. 1 root root 5456781 Oct  4 03:34 aide.db.new.gz
# mv aide.db.new.gz aide.db.gz
mv: overwrite ‘aide.db.gz’? y
# aide --check
AIDE, version 0.15.1
### All files match AIDE database. Looks okay!

Let's test if aide works and identifies a new file in the file system.

# touch /sbin/testvirus
# aide --check
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-04 03:52:35
Summary:
  Total number of files:        57471
  Added files:                  1
  Removed files:                0
  Changed files:                1
---------------------------------------------------
Added files:
---------------------------------------------------
added: /usr/sbin/testvirus
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/sbin
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /usr/sbin
 Mtime    : 2016-10-04 03:17:40              , 2016-10-04 03:52:33
 Ctime    : 2016-10-04 03:17:40              , 2016-10-04 03:52:33

Check the exit value of the command:

#  echo $?
5

The exit status of aide is 5 in our test. From the aide man page, the exit status is 0 if no errors occurred, except when the --check command was requested, in which case the exit status is defined as:
       1 * (new files detected?)     +
       2 * (removed files detected?) +
       4 * (changed files detected?)

Thus, 1 new and 1 changed file returns 1*1 + 4*1 = 5.

# rm /sbin/testvirus
rm: remove regular empty file ‘/sbin/testvirus’? y

Automatic email for file system changes

Create a file /root/security/check-aide.sh containing the following. Replace you@youremail.com with your email address.

#!/bin/sh
# Run the check and keep the report; aide exits non-zero when it finds
# differences (or fails to run), and only then is the report mailed out.
/sbin/aide --check > /tmp/aide.check.out 2>&1 || /bin/mail -s "`hostname` aide file changes `date`" you@youremail.com < /tmp/aide.check.out

Make it executable:

# chmod +x /root/security/check-aide.sh
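As an added example (not part of the original post), here is a variant of check-aide.sh that decodes the exit status bits quoted above and names the categories found in the mail subject. The aide path, mail address and report path are placeholders taken from the post; treating values above 7 as an aide error code rather than a result is based on the man page's error-code range.

```shell
#!/bin/sh
# Added example, not the post's own script: decode "aide --check" exit status
# using the bit values from the aide man page:
#   1 = new files, 2 = removed files, 4 = changed files.
# Anything above 7 cannot be a combination of those bits; aide reserves the
# values from 14 upwards for its own error codes, so those are reported as
# a failed run rather than as a clean result.

# Print "none" for 0, "error" for a non-bitmask status, otherwise a
# comma-separated list of the change categories encoded in the status.
decode_aide_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "none"; return 0
    fi
    if [ "$status" -gt 7 ]; then
        echo "error"; return 0
    fi
    out=""
    [ $((status & 1)) -ne 0 ] && out="${out}added,"
    [ $((status & 2)) -ne 0 ] && out="${out}removed,"
    [ $((status & 4)) -ne 0 ] && out="${out}changed,"
    echo "${out%,}"
}

# Placeholders (assumptions): override via the environment if your paths differ.
AIDE_BIN=${AIDE_BIN:-/sbin/aide}
MAIL_TO=${MAIL_TO:-you@youremail.com}
REPORT=${REPORT:-/tmp/aide.check.out}

# Same flow as check-aide.sh: run the check, save the report, and mail it
# whenever the status is anything other than a clean 0. The subject tells
# the reader at a glance whether files were added, removed, changed, or
# whether aide itself failed (exit status 14 and up).
run_aide_check() {
    "$AIDE_BIN" --check > "$REPORT" 2>&1
    rc=$?
    kinds=$(decode_aide_status "$rc")
    if [ "$kinds" != "none" ]; then
        /bin/mail -s "$(hostname) aide $kinds (exit $rc) $(date)" "$MAIL_TO" < "$REPORT"
    fi
    return "$rc"
}
```

Call run_aide_check from the cron entry in place of the original script; an "error" subject means the report contains an aide failure to read, not a list of file changes.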

Create a file /etc/cron.d/check-aide-filesystemchanges containing the following:

# /etc/cron.d/check-aide-filesystemchanges - run aide and report
# Global variables
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
MAILTO=""
HOME=/
# Every day check for unexpected file system changes
17 7 * * * root /root/security/check-aide.sh >/var/log/check-aide.sh.log 2>&1

Set only the read permission for the owner (root):

# chmod 400 /etc/cron.d/check-aide-filesystemchanges

That's it. You should start receiving an email each day that aide identifies changes. If you see a new or modified file that you cannot explain, follow up to see whether your server has been hacked. Once you have accounted for the reported changes, regenerate the database (aide --init and replace aide.db.gz as above) so the next run compares against a clean baseline; otherwise the same differences are reported every day. Here is the first email sent out by this setup, flagging itself!

Delivered-To: #####@gmail.com
Received: by 10.55.128.135 with SMTP id b129csp1930534qkd;
        Mon, 3 Oct 2016 21:48:55 -0700 (PDT)
X-Received: by 10.107.191.196 with SMTP id p187mr2319814iof.131.1475556535786;
        Mon, 03 Oct 2016 21:48:55 -0700 (PDT)
Return-Path: <root@sanyalnet-cloud-vps.freeddns.org>
Received: from sanyalnet-cloud-vps.freeddns.org (sanyalnet-cloud-vps.freeddns.org. [64.137.248.161])
        by mx.google.com with ESMTPS id 135si21431755itj.120.2016.10.03.21.48.55
        for <#####@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 03 Oct 2016 21:48:55 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of root@sanyalnet-cloud-vps.freeddns.org designates 64.137.248.161 as permitted sender) client-ip=64.137.248.161;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of root@sanyalnet-cloud-vps.freeddns.org designates 64.137.248.161 as permitted sender) smtp.mailfrom=root@sanyalnet-cloud-vps.freeddns.org
Received: by sanyalnet-cloud-vps.freeddns.org (Postfix, from userid 0)
 id AF32A2017F71; Tue,  4 Oct 2016 04:48:06 +0000 (UTC)
Date: Tue, 04 Oct 2016 04:48:06 +0000
To: #####@gmail.com
Subject: sanyalnet-cloud-vps.freeddns.org aide file changes Tue Oct  4
 04:48:06 UTC 2016
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20161004044806.AF32A2017F71@sanyalnet-cloud-vps.freeddns.org>
From: root@sanyalnet-cloud-vps.freeddns.org (root)

AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2016-10-04 04:36:56

Summary:
  Total number of files: 57473
  Added files:   3
  Removed files:  1
  Changed files:  7


---------------------------------------------------
Added files:
---------------------------------------------------

added: /etc/cron.d/check-aide-filesystemchanges
added: /root/security/check-aide.sh
added: /var/log/check-aide.sh.log

---------------------------------------------------
Removed files:
---------------------------------------------------

removed: /etc/cron.d/tun

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /root/security
changed: /root/security/cymru.org.ipv4fullbogon.sh
changed: /root/security/dshield.org.blacklist.sh
changed: /root/security/dump-fail2ban-blocklist.sh
changed: /root/security/dump-fail2ban-blocklist.sh.bak
changed: /root/security/etopen.blacklist.sh
changed: /var/log/dshield.org.ip.blacklist.log

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------


Directory: /root/security
 Mtime    : 2016-09-28 22:08:04              , 2016-10-04 04:30:38
 Ctime    : 2016-09-28 22:08:04              , 2016-10-04 04:30:38

File: /root/security/cymru.org.ipv4fullbogon.sh
 Perm     : -rwxr-xr-x                       , -rwx------
 Ctime    : 2016-07-24 13:08:27              , 2016-10-04 04:29:06
 ACL      : old = A:
----
user::rwx
group::r-x
other::r-x
----
                  D: <NONE>
            new = A:
----
user::rwx
group::---
other::---
----
                  D: <NONE>

File: /root/security/dshield.org.blacklist.sh
 Perm     : -rwxr-xr-x                       , -rwx------
 Ctime    : 2016-07-24 13:08:09              , 2016-10-04 04:29:06
 ACL      : old = A:
----
user::rwx
group::r-x
other::r-x
----
                  D: <NONE>
            new = A:
----
user::rwx
group::---
other::---
----
                  D: <NONE>

File: /root/security/dump-fail2ban-blocklist.sh
 Ctime    : 2016-09-28 22:08:04              , 2016-10-04 04:29:06

File: /root/security/dump-fail2ban-blocklist.sh.bak
 Ctime    : 2016-09-23 17:25:54              , 2016-10-04 04:29:06

File: /root/security/etopen.blacklist.sh
 Perm     : -rwxr-xr-x                       , -rwx------
 Ctime    : 2016-07-24 13:47:02              , 2016-10-04 04:29:06
 ACL      : old = A:
----
user::rwx
group::r-x
other::r-x
----
                  D: <NONE>
            new = A:
----
user::rwx
group::---
other::---
----
                  D: <NONE>

File: /var/log/dshield.org.ip.blacklist.log
 Size     : 116460                           , 116373
