This article describes host intrusion detection as a Linux security measure.
The purpose of host intrusion detection is to detect the presence of rootkits and malware.
This article deals with the following tools (*).
(*) The versions used are the latest available at the time of writing.
chkrootkit
chkrootkit is a tool for detecting the existence of rootkits. Unlike Ubuntu, the standard CentOS repository does not include a chkrootkit package.
You can download chkrootkit from the Download page at chkrootkit.org. In this article, we explain the installation procedure using CentOS 7 as an example.
Note that chkrootkit relies on the system commands listed below. If those binaries have already been replaced by a rootkit, its results are meaningless, so keep this in mind when deploying it. Also, chkrootkit has no function to deal with a rootkit automatically even if it detects one, so you must take action manually after detection.
The following commands are used by the chkrootkit script.
awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed, uname
--Installation of required packages
# yum groups install -y "Development Tools"
# yum install -y wget glibc-static
--Download chkrootkit
# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
--Unzip
# tar xzvf chkrootkit.tar.gz
# cd chkrootkit-0.53
# make sense
--Create symbolic link
# cd ../; mv chkrootkit-0.53/ /usr/local/
# ln -s /usr/local/chkrootkit-0.53/ /usr/local/chkrootkit
--Rootkit detection
# cd /usr/local/chkrootkit
# ./chkrootkit
--Rootkit detection (executed for the specified directory)
# ./chkrootkit -r <directory>
You can run the check regularly by setting it up with cron. The following entry runs daily at 03:00 and sends the result to root by email.
0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
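Because chkrootkit trusts the system commands listed above, a practical safeguard is to record their hashes on a known-clean host and re-check them before each scheduled scan. The script below is an added example (not part of the original article or the chkrootkit project); the baseline file path and script location are assumptions, and it assumes GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example, not from the original article: hash the system commands that
# chkrootkit depends on while the host is known-clean, then re-check them before
# every scan. Assumes GNU coreutils sha256sum; file paths here are assumptions.

# Commands the article lists as used by the chkrootkit script.
CHKROOTKIT_TOOLS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# baseline_create FILE TOOL... : resolve each tool on PATH and record
# "<sha256>  <path>" lines. Run once right after installation, then keep FILE on
# read-only or off-host storage so a rootkit cannot rewrite it along with ls/ps.
baseline_create() {
    out=$1; shift
    : > "$out"
    for tool in "$@"; do
        path=$(command -v "$tool" 2>/dev/null) || { echo "missing: $tool" >&2; continue; }
        # Shell built-ins (e.g. echo) resolve to a bare name, not a file: skip them.
        case $path in /*) sha256sum "$path" >> "$out" ;; esac
    done
}

# baseline_verify FILE : exit 0 if every recorded binary still matches,
# non-zero if any hash differs or a recorded file has gone missing.
baseline_verify() {
    sha256sum -c --quiet "$1"
}

# Drop-in for the article's cron job: refuse to run a scan whose helper
# binaries no longer match, since chkrootkit's output would then be meaningless.
run_chkrootkit_checked() {
    baseline=${1:-/var/lib/chkrootkit-baseline.sha256}   # assumed location
    if ! baseline_verify "$baseline"; then
        echo "WARNING: helper binaries changed since baseline; chkrootkit output is untrustworthy" >&2
        return 1
    fi
    (cd /usr/local/chkrootkit && ./chkrootkit)
}

# First run on a clean host (word splitting of $CHKROOTKIT_TOOLS is intended):
#   baseline_create /var/lib/chkrootkit-baseline.sha256 $CHKROOTKIT_TOOLS
```

With the script saved as /usr/local/bin/chkrootkit-checked.sh (assumed path), the cron entry becomes `0 3 * * * . /usr/local/bin/chkrootkit-checked.sh; run_chkrootkit_checked 2>&1 | mail -s "chkrootkit output" root`, so a changed ls or ps produces a warning mail instead of a silently unreliable report.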
rkhunter
rkhunter is also a tool for detecting the existence of rootkits. Like chkrootkit, it is not included in the CentOS standard repository, so download it from sourceforge.net (files/rkhunter/1.4.6/). Alternatively, you can install it from the EPEL repository.
--Download rkhunter
# wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz
--Unzip
# tar xzvf rkhunter-1.4.6.tar.gz
--Installing rkhunter
# cd rkhunter-1.4.6
# ./installer.sh --install
If you are installing from the EPEL repository, you can install it by following the steps below.
--Installing epel-release
# yum install -y epel-release
--Installing rkhunter
# yum install rkhunter
The operation settings of rkhunter are in /etc/rkhunter.conf, and the default database directory is /var/lib/rkhunter/db. Rootkit detection results are logged to the /var/log/rkhunter.log file.
--rkhunter update
# rkhunter --update
--Update the status of the command executable file
# rkhunter --propupd
--Rootkit detection (--check runs the rootkit check, --skip-keypress does not wait for Enter between sections, --report-warnings-only displays only the warnings from the check results)
# rkhunter --check --skip-keypress --report-warnings-only
maldetect (Linux Malware Detect)
maldetect (Linux Malware Detect) is a free malware detection tool released under the GNU GPLv2 license. The official blog is R-FX NETWORKS.
The features of maldetect are as follows.
--Automatic update of signatures (*) for malware detection
--ClamAV, the open source antivirus software, is used as the detection engine
--Creates a database of file system information for the monitored files and compares it with the inspected state to detect tampering
(*) Byte sequence common to specific malware samples
--Download
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
--Unzip
# tar xzvf maldetect-current.tar.gz
--Installation
# cd maldetect-1.6.4/
# ./install.sh
The cron job installed by maldetect is deployed to /etc/cron.daily/maldet. It is set to scan and update signatures on a regular basis.
Unless you specify otherwise, maldetect's operation settings are installed in /usr/local/maldetect/conf.maldet.
--Update
# maldet --update
--Malware scan execution (execution targeting the specified directory)
# maldet --scan-all <directory>
When you build and operate a server, you are responsible for managing the system.
Systems management is a body of knowledge. You can improve security by using OSS and similar tools without spending much money.