Intrusion detection systems
AIDE
Tripwire
Linux (misc)
Comprehensive intrusion detection
- tiger - Report system security vulnerabilities
- tiger-otheros - Scripts to run Tiger in other operating systems
apt-get install tiger tiger-otheros
chkrootkit
see also: How to scan your Linux-Distro for Root Kits
Either install the package that comes with your distribution (on Debian you would run)
apt-get install chkrootkit
or download the sources from www.chkrootkit.org and install manually:
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-<version>/
make sense
Afterwards, you can move the chkrootkit directory somewhere else, e.g. /usr/local/chkrootkit:
cd ..
mv chkrootkit-<version>/ /usr/local/chkrootkit
Now you can run chkrootkit manually:
cd /usr/local/chkrootkit
./chkrootkit
(If you installed the chkrootkit package that comes with your distribution, the binary is on your PATH and lives elsewhere; just run chkrootkit.)
You can even run chkrootkit from a cron job and have the results mailed to you: run
crontab -e
and create a cron job like this:
0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output my server" you@yourdomain.com)
That runs chkrootkit every night at 03:00. Keep in mind that chkrootkit does its checks with the host's own tools (ls, ps, netstat, ...), so a rootkit that has replaced those binaries or hooked the kernel can hide from it, and could tamper with the mail just as easily. Point it at a known-good copy of those tools with -p /path/to/trusted/bin (ideally on read-only media), and treat a clean report as one data point rather than proof that the machine is clean.
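The cron line above mails the full report every night, which quickly trains you to ignore it. The following wrapper is an added example, not part of chkrootkit or of the original page: it runs the scanner, keeps only the lines that flag a finding, compares them with the previous night's findings and mails only when they change. The install path /usr/local/chkrootkit/chkrootkit, the state directory /var/lib/rkscan, the mail address and the report lines quoted in the comments are assumptions for this example.

```shell
#!/bin/sh
# rkscan.sh: nightly rootkit-scan wrapper. Added example, not part of
# chkrootkit. Runs the scanner, keeps only lines that flag a finding,
# compares them with the previous run and mails only when they change.
# SCANNER, STATE_DIR and MAILTO are assumed defaults for this example.

SCANNER="${SCANNER:-/usr/local/chkrootkit/chkrootkit}"
STATE_DIR="${STATE_DIR:-/var/lib/rkscan}"
MAILTO="${MAILTO:-you@yourdomain.com}"

# suspicious_lines: stdin -> stdout. chkrootkit reports a hit with
# "INFECTED", "Warning" or "Possible"; clean checks say "not infected",
# "not found" or "nothing found". "|| true" keeps an empty (clean) result
# from counting as a failure under set -e.
suspicious_lines() {
    grep -E 'INFECTED|Warning|Possible' | grep -v 'not infected' || true
}

# count_findings: number of suspicious lines in the report on stdin.
count_findings() {
    suspicious_lines | grep -c . || true
}

# findings_changed NEW BASELINE: print what differs and return 0 (true)
# when the findings changed or there is no baseline yet, 1 when identical.
findings_changed() {
    new="$1"; baseline="$2"
    if [ ! -f "$baseline" ]; then
        printf 'no baseline yet; current findings:\n'
        cat "$new"
        return 0
    fi
    if diff -u "$baseline" "$new"; then
        return 1
    fi
    return 0
}

# nightly_scan: what cron runs. The raw report is kept as well, so the
# full output is at hand when the summary changes. The scanner is run
# from its own directory, as on the page, so it finds its helper binaries.
nightly_scan() {
    [ -x "$SCANNER" ] || { printf 'scanner not found: %s\n' "$SCANNER" >&2; return 2; }
    mkdir -p "$STATE_DIR"
    raw="$STATE_DIR/report.txt"
    new="$STATE_DIR/findings.new"
    base="$STATE_DIR/findings.baseline"
    ( cd "$(dirname "$SCANNER")" && ./"$(basename "$SCANNER")" ) > "$raw" 2>&1 || true
    suspicious_lines < "$raw" > "$new"
    if findings_changed "$new" "$base" > "$STATE_DIR/last.diff"; then
        mail -s "rootkit scan changed on $(hostname): $(count_findings < "$new") finding(s)" \
             "$MAILTO" < "$STATE_DIR/last.diff"
    fi
    mv "$new" "$base"
}

# Only act when invoked as "rkscan.sh scan", so the functions above can be
# sourced or tested without starting a scan.
case "${1:-}" in
    scan) nightly_scan ;;
esac
```

Install it as, say, /usr/local/sbin/rkscan.sh (assumed path) and replace the cron line with 0 3 * * * /usr/local/sbin/rkscan.sh scan. The baseline file under STATE_DIR is writable by root, so a root-level intruder can edit it; this wrapper cuts noise, it does not add trust.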
rkhunter
Download the latest rkhunter sources from www.rootkit.nl (current releases have since moved to rkhunter.sourceforge.net):
wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar xvfz rkhunter-1.2.7.tar.gz
cd rkhunter/
./installer.sh
This installs rkhunter to the directory /usr/local/rkhunter. Now run
rkhunter --update
to download the latest rootkit/trojan/worm signatures (do this regularly; a stale database misses everything published since). Now you can scan your system for malware by running
rkhunter -c
rkhunter also keeps a baseline of file properties (hashes, permissions) for system binaries and warns when they change. A legitimate package upgrade changes them too, so refresh the baseline after upgrades with rkhunter --propupd (available in current releases); otherwise every warning is noise and a real change hides among them. Like chkrootkit, it runs with the host's own binaries and can be lied to by a kernel-level rootkit.
MD5 sum checks
- debsums - Verify installed package files against the MD5 checksums shipped in each package (Debian systems). An attacker with root can edit those checksum lists as well as the files, so this catches sloppy tampering and accidental damage, not a careful intruder.
- md5sum
Generate a checksum of the device you wish to image before you copy it, run from a shell:
# md5sum /dev/hdc2 > /tmp/hdc2.md5
To make the copy of the disk(s), we'll use the dd command. From a shell:
# dd if=/dev/hdc of=/tmp/hdc.img
Hash the same thing you image: the md5sum above covers the partition /dev/hdc2, while this dd copies the whole disk /dev/hdc, so either image /dev/hdc2 or checksum /dev/hdc. Afterwards run md5sum over the image file and compare it with the stored sum; if they differ, the copy is not a faithful image and cannot be relied on.
You will need enough space in /tmp to hold a copy of the entire /dev/hdc drive. This means that /tmp shouldn't be a RAM disk and must not live on /dev/hdc itself (writing to the disk you are imaging changes what you are imaging). Write it to another hard disk!
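The imaging procedure above as a script, added here as an example and not taken from the original page: it checks free space at the destination before writing, hashes the source, runs dd, hashes the image and refuses to call the copy good unless the digests match. It goes beyond the page in recording a SHA-256 digest next to the MD5 sum, because MD5 collisions are cheap to produce; for spotting accidental corruption MD5 alone is still adequate. The function names and the .md5/.sha256 sidecar files are this example's own convention. Run it as root against a block device such as /dev/hdc, or against an ordinary file to try it out.

```shell
#!/bin/sh
# image_verify.sh: acquire a raw image with dd and prove it matches the
# source. Added example, not from the original page. Besides the MD5 sum
# the page uses it records a SHA-256 digest, since MD5 collisions are
# cheap to produce; for spotting accidental corruption MD5 is still fine.

# src_bytes DEV_OR_FILE: size in bytes (block device or regular file).
src_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"      # Linux util-linux
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# free_bytes_at PATH: bytes available on the filesystem that will hold PATH.
free_bytes_at() {
    df -Pk "$(dirname "$1")" | awk 'NR==2 { printf "%.0f\n", $4 * 1024 }'
}

# image_and_verify SRC DEST: check space, hash SRC, copy with dd, hash the
# copy, write DEST.md5 and DEST.sha256, and return 0 only if both digests
# match. Returns 2 on insufficient space, 3 if dd failed, 1 on mismatch.
image_and_verify() {
    src="$1"; dest="$2"
    need=$(src_bytes "$src"); have=$(free_bytes_at "$dest")
    if [ "$have" -lt "$need" ]; then
        printf 'not enough space for %s: need %s bytes, have %s\n' "$dest" "$need" "$have" >&2
        return 2
    fi
    # Hash the source before anything else touches it.
    src_md5=$(md5sum < "$src" | cut -d' ' -f1)
    src_sha=$(sha256sum < "$src" | cut -d' ' -f1)
    # Raw block copy. No conv=sync: padding the final block would change
    # the image and its hash. Add conv=noerror only for failing media, and
    # then expect the digests to differ wherever reads were skipped.
    if ! dd if="$src" of="$dest" bs=4M 2> "$dest.dd.log"; then
        cat "$dest.dd.log" >&2
        return 3
    fi
    img_md5=$(md5sum < "$dest" | cut -d' ' -f1)
    img_sha=$(sha256sum < "$dest" | cut -d' ' -f1)
    # Record the source digests next to the image (md5sum -c format).
    printf '%s  %s\n' "$src_md5" "$dest" > "$dest.md5"
    printf '%s  %s\n' "$src_sha" "$dest" > "$dest.sha256"
    if [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]; then
        printf 'verified %s -> %s sha256=%s\n' "$src" "$dest" "$img_sha"
        return 0
    fi
    printf 'HASH MISMATCH: %s (%s) vs %s (%s)\n' "$src" "$src_sha" "$dest" "$img_sha" >&2
    return 1
}

# verify_image IMAGE: re-check an image later against the digest recorded
# at acquisition time; returns 0 while it still matches.
verify_image() {
    recorded=$(cut -d' ' -f1 "$1.sha256")
    [ "$recorded" = "$(sha256sum < "$1" | cut -d' ' -f1)" ]
}
```

Keep the .md5/.sha256 files (or a copy of them) somewhere the image cannot reach, for example printed into the case notes; a digest stored only beside the image proves nothing if someone can alter both.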