Posts Tagged ‘email alert’

Chkrootkit Installation Guide

chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their systems for known rootkits. It is essentially a shell script that uses common UNIX/Linux tools such as strings and grep (plus a few small C helpers that it builds) to check core system binaries for known signatures and to look for rootkit traces such as hidden processes, deleted wtmp/lastlog entries and interfaces in promiscuous mode. If you suspect that your server has been compromised, chkrootkit is a quick first check. Keep in mind that it depends on the very system tools a rootkit may have replaced (ls, ps, netstat, strings and so on), so a clean result is not proof of a clean host: ideally run it with its -p option pointing at known-good copies of those tools, or from read-only media, and treat any hit as a reason to investigate rather than a verdict.

Installing chkrootkit is straightforward; the steps are below.

1. SSH to the server as root and download the chkrootkit tarball from the project's FTP site. The download is plain FTP, so compare the tarball against the MD5 checksum the project publishes next to it before you build and run anything from it as root.

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

2. Unpack the tarball in the current directory.

tar xvzf chkrootkit.tar.gz

3. Go to the newly created directory and build the helper programs. chkrootkit itself is a shell script; `make sense` compiles the small C tools it calls (chkproc, chkwtmp, chklastlog, ifpromisc and friends).

cd chkrootkit*
make sense

4. Once the build completes, run chkrootkit from that directory:

./chkrootkit

NOTE: Make sure gcc and make are installed on the server, or `make sense` will fail.

At this point I suggest scheduling chkrootkit to run daily from cron and having the results mailed to you.

For that, create a file /etc/cron.daily/chkrootkit.sh (on Debian and Ubuntu, run-parts skips files in /etc/cron.daily whose names contain a dot, so name it /etc/cron.daily/chkrootkit there).

Insert the following to the new file and save it:

#!/bin/bash
# Run chkrootkit from its build directory; abort rather than run something
# else if the directory is missing, and mail stderr along with the report.
cd /yourinstallpath/chkrootkit-0.42b/ || exit 1
./chkrootkit 2>&1 | mail -s "Daily chkrootkit from Servername" admin@youremail.com

1. Replace 'yourinstallpath' with the actual path where you unpacked chkrootkit.
2. Change 'Servername' to the name of the server the script runs on, so you know where the report is coming from.
3. Change 'admin@youremail.com' to the email address the script should mail.

Change the file permissions so that it can execute:

chmod 755 /etc/cron.daily/chkrootkit.sh

From now on you will receive a daily chkrootkit report by email (this assumes the server has a working local MTA for the mail command to hand the message to).
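A more useful variant, added here as an example and not part of the original post: a wrapper that runs chkrootkit against known-good copies of the tools it depends on (its -p option), strips the routine "not infected" lines, and mails only when the findings differ from the previous run. The paths CHKROOTKIT_DIR, STATE_DIR and SAFE_BIN and the MAILTO address are placeholders I chose; the filter patterns match the phrasing of chkrootkit's own output ("not infected", "nothing found", "not promisc" and so on).

```shell
#!/bin/sh
# Added example, not from the original post: a cron wrapper that keeps the
# previous run's findings and mails only when they change, instead of a full
# report every day that nobody reads. All paths and the address are
# placeholders to adjust. SAFE_BIN is assumed to hold known-good copies of
# the tools chkrootkit shells out to (ls, ps, netstat, strings, ...), copied
# from install media or a clean host, and is handed to chkrootkit with -p.
CHKROOTKIT_DIR=${CHKROOTKIT_DIR:-/yourinstallpath/chkrootkit-0.42b}
STATE_DIR=${STATE_DIR:-/var/lib/chkrootkit}
SAFE_BIN=${SAFE_BIN:-/usr/local/safebin}
MAILTO=${MAILTO:-admin@youremail.com}

# Drop the routine "all clear" lines so only findings (and stable header
# lines such as ROOTDIR) remain; INFECTED / PACKET SNIFFER lines survive.
filter_findings() {
    grep -Ev 'not infected|nothing found|not found|nothing detected|nothing deleted|not tested|no suspect|not promisc'
}

# Return 0 if the previous and current findings files are identical;
# otherwise print a unified diff (the whole file on the first run) and return 1.
findings_same() {
    prev=$1
    cur=$2
    if [ ! -f "$prev" ]; then
        cat "$cur"
        return 1
    fi
    diff -u "$prev" "$cur"
}

run_scan() {
    mkdir -p "$STATE_DIR" || exit 1
    cd "$CHKROOTKIT_DIR" || exit 1
    ./chkrootkit -p "$SAFE_BIN" 2>&1 | filter_findings > "$STATE_DIR/findings.new"
    if ! findings_same "$STATE_DIR/findings.prev" "$STATE_DIR/findings.new" \
            > "$STATE_DIR/findings.diff"; then
        mail -s "chkrootkit findings changed on $(hostname)" "$MAILTO" < "$STATE_DIR/findings.diff"
    fi
    mv "$STATE_DIR/findings.new" "$STATE_DIR/findings.prev"
}

# Invoked from cron as "... scan"; without an argument it only defines the functions.
if [ "${1:-}" = scan ]; then
    run_scan
fi
```

Call it with the scan argument from a crontab entry (cron.daily runs its scripts without arguments, so use a one-line stub there or a root crontab line). The first run mails the full filtered report as a baseline; after that you only hear from it when something changes, which is the signal you actually want.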

 

How to close Open DNS

This tutorial describes how to close an open DNS server. An open DNS server (open resolver) answers recursive queries from anyone on the Internet. That is a real threat rather than a theoretical one: open resolvers are used as reflectors in DNS amplification DDoS attacks, they expose your cache to poisoning attempts, and they spend your bandwidth on other people's lookups. Recursive access must either be blocked or restricted to a few trusted IPs. This is how it is done on a BIND server (the named.conf layout below is the Red Hat/CentOS one).

1. Make a list of the IPs you consider trusted, i.e. the only addresses allowed to use this server for recursive lookups. The list should include all of the server's own IPs, 127.0.0.1 included, so programs on the server itself can still resolve names. If you are not sure what those are, ssh to the server and run the command below as root (on newer systems without net-tools, ip addr gives the same information):

ifconfig | grep 'inet addr' | cut -f2 -d: | cut -f1 -d' ' | sort | uniq

2. Open /etc/named.conf in an editor. Take a backup of the file first:

cp -p /etc/named.conf /etc/named.conf.bak
vi /etc/named.conf

3. Locate this line:

key "rndckey" {
};

Move your cursor below this block of code, and press ‘i’ (to change into vi’s insert mode) and then type in the following:

acl "trusted" {
IP1; IP2; IP3; IP4; externalIP1 ;
};

Modify the line IP1; IP2; IP3; IP4; externalIP1 ; to list the server's own IP addresses and any external IPs you want to allow to send recursive queries. If this server is a master, include the IPs of your secondaries as well, since the same acl will gate zone transfers below.

4. Once the acl "trusted" is added, move down the file and locate the block named options. Inside it add the lines below:

allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

allow-recursion limits who may ask this server to resolve names it is not authoritative for (on BIND 9.4 and later it also becomes the default for allow-query-cache, so cached answers are not handed out to strangers either). allow-transfer limits who may pull whole zones with AXFR/IXFR, which would otherwise give an attacker a complete map of your hosts. allow-notify limits which masters a secondary accepts NOTIFY messages from. If the server is authoritative only and serves no clients at all, `recursion no;` is the simpler and safer choice. This is how the options block might look once the changes are made:

options {
        directory "/var/named";
        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };

        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

A caveat on the commented-out query-source line: leave it commented. Pinning the source port to 53 disables the source-port randomisation that BIND relies on against cache poisoning (the 2008 Kaminsky attack); if a firewall sits between the server and the Internet, allow outbound UDP and TCP to port 53 from any source port instead.

5. Save the changes (press Esc, then type :wq in vi) and then restart named:

/etc/init.d/named stop
/etc/init.d/named start
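Before trusting the restart, it is worth checking the configuration and then proving from an outside host that recursion is actually refused. The script below is an added example, not part of the original post; it assumes named-checkconf and dig (bind-utils) are installed, and the classification rules are mine: a recursive query for a name the server is not authoritative for should come back REFUSED (or at least without the ra flag) when sent from an address outside the acl, and should only be answered, with ra set, from a trusted one.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a BIND server
# refuses recursion for clients outside acl "trusted". Run check_open_resolver
# from a host that is NOT in the acl, then again from one that is.

# Syntax-check named.conf before restarting named (path is an assumption).
check_config() {
    named-checkconf "${1:-/etc/named.conf}"
}

# Classify a dig response read from stdin:
#   OPEN      - server answered a recursive query for a foreign name (ra set)
#   CLOSED    - query refused, or answered without recursion available
#   NOANSWER  - no response at all (firewalled or down)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags:\([^;]*\);.*/\1/p')
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p')
    if [ -z "$status" ]; then
        echo NOANSWER
    elif [ "$status" = REFUSED ]; then
        echo CLOSED
    elif [ "$status" = NOERROR ] && [ "${answers:-0}" -gt 0 ] \
            && printf '%s' "$flags" | grep -qw ra; then
        echo OPEN
    else
        echo CLOSED
    fi
}

# Send a query with recursion desired (dig's default) for a name the server
# is not authoritative for, and classify what comes back.
check_open_resolver() {
    server=$1
    name=${2:-www.example.com}   # any name outside the server's own zones
    dig @"$server" "$name" A +tries=1 +time=3 | classify_dig_output
}

# Usage: ./check-resolver.sh 203.0.113.10 [name]   (TEST-NET address as a placeholder)
if [ $# -ge 1 ]; then
    check_open_resolver "$@"
fi
```

Expect CLOSED from an untrusted host and OPEN from one listed in the acl; OPEN from the outside means the acl or the allow-recursion line did not take effect, and NOANSWER usually means a firewall is in the way rather than anything about the configuration.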

 

Email alert on root login

Do you wish to be notified by email whenever someone logs in to the server as root? The tip below is useful if more than one admin knows the root password and you want to know when, and from where, they access the server.

To make this possible, edit /root/.bashrc and add the line below at the end of the file:

echo "ALERT - Root Shell Access (YourServerName) on: $(date) $(who -m)" | mail -s "Alert: Root Access from $(who -m | cut -d'(' -f2 | cut -d')' -f1)" you@yourdomain.com

Replace 'YourServerName' with the name of your server and 'you@yourdomain.com' with your actual email address. Use who -m rather than plain who here: who lists every logged-in session on the box, so the subject line could end up naming the host of some other admin's session instead of the one that just opened.

How does this work? ~/.bashrc is read by bash for every interactive shell it starts, and on Red Hat-style systems the login shell's ~/.bash_profile sources it as well, so the line runs at login and again for every later shell (su, a new screen window, and so on). Since we want to be alerted on root logins, we put the line at the end of /root/.bashrc. Be aware of two limits: you may get more than one mail per login, and anyone who already has root can delete the line or start bash --norc, so this is an accountability aid among admins you trust, not a defence against an intruder. If the mail command blocks because the MTA is down, the shell prompt blocks with it. For a hook that fires once per session and does not live in a file the user controls, use PAM (pam_exec in /etc/pam.d/sshd) or ship the auth logs to a remote syslog host.

Consider the case where you wish to be alerted when a user, say 'joe', logs in to his account. In that case paste the same line into /home/joe/.bashrc, adjusting the subject so you can tell the alerts apart.
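Because a dotfile hook can be removed or skipped by anyone who already has root, here is an added example (not from the original post) of doing the same thing with PAM: pam_exec runs a script when a session is opened, outside the user's control and once per login. It assumes a script path of /usr/local/sbin/root-login-alert and the recipient address, both placeholders, and relies on the variables pam_exec exports to the script (PAM_USER, PAM_TYPE, PAM_RHOST, PAM_SERVICE, PAM_TTY). Set WATCH_USER to joe to cover the second case above.

```shell
#!/bin/sh
# Added example (not from the original post): alert on root logins from PAM
# instead of /root/.bashrc, so the hook fires once per session and cannot be
# skipped with `bash --norc` or by editing a dotfile. Install it as
# /usr/local/sbin/root-login-alert (assumed path, mode 0755) and add to
# /etc/pam.d/sshd (and /etc/pam.d/login if console logins matter):
#   session optional pam_exec.so seteuid /usr/local/sbin/root-login-alert
# pam_exec exports PAM_USER, PAM_TYPE, PAM_RHOST, PAM_SERVICE and PAM_TTY.
ALERT_TO=${ALERT_TO:-you@yourdomain.com}   # assumed recipient
WATCH_USER=${WATCH_USER:-root}

# Only a session being opened (not closed) for the watched user deserves mail.
should_alert() {
    u=$1
    t=$2
    [ "$t" = open_session ] && [ "$u" = "$WATCH_USER" ]
}

# Build the message body; arguments rather than globals so it can be tested.
format_alert() {
    u=$1
    rhost=$2
    service=$3
    tty=$4
    when=$5
    printf 'ALERT - %s session opened via %s on %s\nfrom: %s\ntty: %s\n' \
        "$u" "$service" "$when" "${rhost:-local console}" "${tty:-none}"
}

handle_pam_event() {
    should_alert "${PAM_USER:-}" "${PAM_TYPE:-}" || exit 0
    format_alert "$PAM_USER" "${PAM_RHOST:-}" "${PAM_SERVICE:-}" "${PAM_TTY:-}" "$(date)" \
        | mail -s "Alert: $PAM_USER login from ${PAM_RHOST:-console} on $(hostname)" "$ALERT_TO"
    exit 0   # the module is "optional": never fail a login because mail failed
}

# Only act when invoked by PAM; sourcing the file just defines the functions.
if [ -n "${PAM_TYPE:-}" ]; then
    handle_pam_event
fi
```

PAM_RHOST is only set for network logins (sshd fills it in), which is why the body falls back to "local console"; for full coverage also add the same line to /etc/pam.d/su, otherwise an admin who logs in as themselves and then runs su to root will not trigger the sshd hook.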