{"id":988,"date":"2017-06-26T06:02:00","date_gmt":"2017-06-26T03:02:00","guid":{"rendered":"https:\/\/community.virtono.com\/?p=988"},"modified":"2017-06-26T06:02:00","modified_gmt":"2017-06-26T03:02:00","slug":"digitally-fingerprint-your-files","status":"publish","type":"post","link":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/digitally-fingerprint-your-files\/","title":{"rendered":"Digitally Fingerprint Your Files"},"content":{"rendered":"<p>There are a number of good reasons to keep an eye on your server security. Few sysadmin types absorb the security knowledge required to keep their infrastructure safe without enthusiasm and effort. If you\u2019re anything like me, there have been a few bumps along the way, such as when I had a server compromised around the turn of the millennium thanks to a nasty PHP bug, or when I faced and repelled two relatively significant DDoS attacks.<br \/>\nThis chapter will cover another attack vector, rootkits, and a fantastic piece of software called Rootkit Hunter (you may know it as rkhunter). You will start off, however, by exploring how to monitor your filesystem\u2019s important files, such as its executables.<\/p>\n<p><strong>Filesystem Integrity<\/strong><\/p>\n<p>I used Tripwire (http:\/\/sourceforge.net\/projects\/tripwire). It\u2019s now referred to as Open Source Tripwire, thanks to the availability of other products. Tripwire ran periodically (overnight using cron) and used cryptographic hashing to monitor any file changes on your system.<br \/>\nBy generating and recording the hashes of the files visible on the filesystem during its first run, Tripwire was able to alert the administrator on each subsequent run if any hash no longer matched the one it had recorded. If a file had been altered in any way, its hash would have changed. 
It\u2019s a clever approach, despite being I\/O intensive on older hardware, and it has since spawned a whole family of successors. One example is the popular AIDE (Advanced Intrusion Detection Environment), which is described as \u201ca file and directory integrity checker\u201d at http:\/\/aide.sourceforge.net. I would certainly recommend trying AIDE or Tripwire on a development virtual machine if you get the chance. Be warned, however, that if you are lax with the initial configuration, you will be bombarded with false positives.<br \/>\nThis type of security often appears under the umbrella of host-based intrusion detection systems, or HIDS, and it was reportedly one of the first types of software-based security, because mainframes had few externally risky interactions over networks.<br \/>\nIf you don\u2019t want to run nightly filesystem checks, or you aren\u2019t in a position to receive daily system reports, then that\u2019s not a problem. You can opt for an older approach in which you scan your filesystem only once, after you have built your server, to record which files are installed on it. 
I will explain why this is useful in a moment.<\/p>\n<p><strong>Rootkits<\/strong><\/p>\n<p>Let\u2019s now move on to a different approach to file fingerprinting.<br \/>\nIf you\u2019re interested in protecting your files against rootkits (which contain code that allows someone else to access or control one of your machines), then you should consider an excellent tool called RootKit Hunter (also called rkhunter; http:\/\/rkhunter.sourceforge.net).<br \/>\nAt install time, the RootKit Hunter manual warns that if you\u2019re trying to run the software on a system you presume to be compromised, and any of the following standard utilities aren\u2019t present, then you probably won\u2019t be able to run it successfully: cat, sed, head, or tail.<br \/>\nI\u2019m pointing this out for good reason: these commands might be corrupted or missing on a compromised machine. If you\u2019ve installed RootKit Hunter to hunt down evil files and you discover that your system has been compromised, then you really need to rebuild your machine. Don\u2019t assume that the remedial work you do from that point onward will make your machine secure enough for ongoing use. It\u2019s simply not worth it, given the time you will spend repairing the machine again in the future.<br \/>\nIn other words, use software to identify successful attacks for exactly that purpose: identification. Also, always assume that you\u2019re going to need to run through a full rebuild afterward. I know from experience that these insidious rootkits are like filesystem limpets. You might find (as I have in the past) that you spend more time chasing your tail attempting to clean the system than a rebuild would actually take.<br \/>\nLectures aside, let\u2019s look at using Rootkit Hunter. 
Once you have installed it using the following commands, you can carry on without any problem.<\/p>\n<p>On Debian derivatives:<br \/>\n# apt-get install rkhunter<\/p>\n<p>On Red Hat derivatives:<br \/>\n# yum install rkhunter<\/p>\n<p>Assuming that your installation didn\u2019t throw up any errors, you can run a few simple commands to get started. The following command populates the file properties database with data about the files on your machine:<br \/>\n# rkhunter --propupd<\/p>\n<p>Next, so that Rootkit Hunter takes new software into account when it is installed and runs again after software updates, set the APT_AUTOGEN option to yes in the file \/etc\/default\/rkhunter. I have only verified this on Debian derivatives with the Apt package manager; there might be a different option on Red Hat derivatives.<br \/>\nHaving made that change, you\u2019re now ready to make your first run of RootKit Hunter, as follows:<br \/>\n# rkhunter --check<\/p>\n<p>Note that there are subtle differences between versions and distributions, so try adding -c or --checkall if errors appear.<br \/>\nPeriodically you can also update your rkhunter threat list with the following command (you could create a specific cron job if you like) to keep track of the latest threats:<br \/>\n# \/usr\/local\/bin\/rkhunter --update<br \/>\nIn the output of a check, you can see that Rootkit Hunter pays attention to the key directories that contain executable files (\/usr\/sbin in this example). These are exactly the types of binary files (among many others) that become infected by a rootkit.<br \/>\nThink for a moment of the Greeks and the Trojan horse allegory. In addition to those rootkits that immediately infect binaries, a piece of code can remain dormant for any period of time until it is executed by a legitimate user or on a schedule. 
Following that, a system compromise takes place.<\/p>\n<p><strong>Configuration<\/strong><\/p>\n<p>To configure Rootkit Hunter, you can edit its long config file, which can be found at \/etc\/rkhunter.conf.<br \/>\nTo receive overnight reports on the integrity of your machine, you just need to edit two config parameters: the first defines the e-mail address of the recipient, and the second, the mail command, only needs adjusting if the standard mail command won\u2019t work on your system by default.<br \/>\nOnce inside the config file, look for these salient lines, uncomment them, and adjust them to your needs:<br \/>\n#MAIL-ON-WARNING=me@mydomain root@mydomain<br \/>\n#MAIL_CMD=mail -s \"[rkhunter] Warnings found for ${HOST_NAME}\"<\/p>\n<p>The first line, once uncommented, specifies where to send the reports (multiple addresses can be separated by a space). The second line deals with the mail command and the subject line for the e-mail reports sent to those addresses.<br \/>\nSimply re-run the software with rkhunter --check to test whether these changes work correctly, and check your e-mail inbox.<br \/>\nTo inspect the cron job that schedules when these reports are generated, look in the file \/etc\/cron.daily\/rkhunter. 
By default, cron.daily will generally run between 0100 hours and 0500 hours each morning on many distributions.<br \/>\nIf you want to change how the e-mails look, then you can search for the following lines in the cron.daily file:<br \/>\nif [ -s \"$OUTFILE\" -a -n \"$REPORT_EMAIL\" ]; then<br \/>\n( echo \"Subject: [rkhunter] $(hostname -f) - Daily report\"<br \/>\necho \"To: $REPORT_EMAIL\"<\/p>\n<p>As ever, it might be prudent to create a copy of this file before altering it.<\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>You\u2019re now armed with the ability to digitally fingerprint the files on your filesystem. As a result, you can quickly compare previously recorded MD5 sums to see whether your files have been altered, and you can also run Rootkit Hunter, either every night or periodically. The nice thing about rootkit checkers is that they also offer peace of mind, because a scheduled scan can point out a config mistake that you\u2019ve made. You can then hopefully remedy the mistake before it causes you further security issues.<br \/>\nFrom what I have covered, there are two rules that you should keep in mind:<br \/>\n\u25a0 Always keep your recorded MD5 sums (or any other hashes) somewhere safe (encrypted and password protected) and far away from the server.<\/p>\n<p>\u25a0 Don\u2019t rely on rootkit tools to reduce your efforts post-event; just use them to identify the issue. From there, figure out how a compromise was possible before you set about rebuilding your machine.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There are a number of good reasons to keep an eye on your server security. 
Few sysadmin types absorb the necessary security knowledge required to keep their infrastructure safe without enthusiasm and effort. If you\u2019re anything like me, there have been a few bumps along the way, such as when<\/p>\n","protected":false},"author":3,"featured_media":989,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[5,3],"tags":[],"class_list":["post-988","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase","category-tutorial-how-to"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2017\/06\/digital_fingerprint_0.jpg?fit=370%2C370&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7ISfL-fW","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":688,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/setting-up-security-on-apache\/","url_meta":{"origin":988,"position":0},"title":"Setting Up Security on Apache","author":"Daniel Draga","date":"October 9, 2016","format":false,"excerpt":"To get an in-depth knowledge on Apache Web Server, please visit, this. However if you've already begun working with Apache and know about it, and are only concerned with securing your server, here are a few tricks that will help you out, read them and use them carefully. 
Protecting the\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1219,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/samba-server-security\/","url_meta":{"origin":988,"position":1},"title":"Samba server security","author":"Shreyash Sharma","date":"October 31, 2017","format":false,"excerpt":"This article gives an\u00a0overview\u00a0of the possibilities of some\u00a0security settings of\u00a0a Samba server.\u00a0With regard to security, of course, there are always different options, some of which lead to the same goal.\u00a0This article shows those configuration parameters that can sometimes be used to take simple but effective security measures.\u00a0The settings were all\u00a0tested\u00a0on\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3330,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-set-up-ssh-keys-on-ubuntu-20-04\/","url_meta":{"origin":988,"position":2},"title":"How to Set Up SSH Keys on Ubuntu 20.04","author":"George B.","date":"April 27, 2023","format":false,"excerpt":"In this tutorial, we will learn how to set up SSH keys on Ubuntu 20.04. Secure Shell (SSH) is a protocol used to securely connect to a remote server or computer. It provides a secure way to transfer files, execute remote commands, and manage remote systems. 
SSH keys are a\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Set-Up-SSH-Keys-on-Ubuntu-20.04.png?fit=600%2C330&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Set-Up-SSH-Keys-on-Ubuntu-20.04.png?fit=600%2C330&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/04\/How-to-Set-Up-SSH-Keys-on-Ubuntu-20.04.png?fit=600%2C330&ssl=1&resize=525%2C300 1.5x"},"classes":[]},{"id":218,"url":"https:\/\/www.virtono.com\/community\/knowledgebase\/introduction-to-server\/","url_meta":{"origin":988,"position":3},"title":"INTRODUCTION TO SERVER","author":"Daniel Draga","date":"July 30, 2016","format":false,"excerpt":"Servers are the one that is responsible to provide response to each client\u2019s request simultaneously. A Server may be responsible to process a single request or more than one request at a time. 
\u00a0 A\u00a0server\u00a0is a system (software\u00a0and suitable\u00a0computer hardware) that responds to requests across a\u00a0computer network\u00a0to provide, or help\u2026","rel":"","context":"In &quot;Knowledgebase&quot;","block_context":{"text":"Knowledgebase","link":"https:\/\/www.virtono.com\/community\/category\/knowledgebase\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/server-rack1.jpg?fit=1200%2C857&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/server-rack1.jpg?fit=1200%2C857&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/server-rack1.jpg?fit=1200%2C857&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/server-rack1.jpg?fit=1200%2C857&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/server-rack1.jpg?fit=1200%2C857&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":3930,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/how-to-install-apache-on-almalinux-9-2\/","url_meta":{"origin":988,"position":4},"title":"How to Install Apache on AlmaLinux 9.2","author":"George B.","date":"September 22, 2023","format":false,"excerpt":"This guide will walk you through setting up virtual hosts to run multiple websites on a single server and installing Apache on AlmaLinux 9.2. Whether you're running a personal blog, a small business website, or a complex web application, having a robust web server is essential. 
Apache, one of the\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2023\/09\/How-to-Install-Apache-on-AlmaLinux-9.2.png?fit=360%2C240&ssl=1&resize=350%2C200","width":350,"height":200},"classes":[]},{"id":230,"url":"https:\/\/www.virtono.com\/community\/tutorial-how-to\/steps-to-install-ssl-certificate-on-apache-web-server\/","url_meta":{"origin":988,"position":5},"title":"Steps to Install SSL Certificate on Apache Web Server","author":"Daniel Draga","date":"July 30, 2016","format":false,"excerpt":"SSL stands for Secure Socket Layer. Secure Socket Layer (SSL) technology allows web browsers and web servers to communicate over a secure connection. What is a Certificate? A certificate is a digitally-signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some\u2026","rel":"","context":"In &quot;Tutorials&quot;","block_context":{"text":"Tutorials","link":"https:\/\/www.virtono.com\/community\/category\/tutorial-how-to\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic.jpg?fit=1200%2C628&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic.jpg?fit=1200%2C628&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic.jpg?fit=1200%2C628&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic.jpg?fit=1200%2C628&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/www.virtono.com\/community\/wp-content\/uploads\/2016\/07\/ic.jpg?fit=1200%2C628&ssl=1&resize=1050%2C600 
3x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/comments?post=988"}],"version-history":[{"count":1,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/988\/revisions"}],"predecessor-version":[{"id":990,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/posts\/988\/revisions\/990"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media\/989"}],"wp:attachment":[{"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/media?parent=988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/categories?post=988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.virtono.com\/community\/wp-json\/wp\/v2\/tags?post=988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}