Linux security measures Host intrusion detection (chkrootkit / rkhunter / maldetect)

Introduction

This article describes host intrusion detection as a Linux security measure.

The purpose of host intrusion detection is to detect the presence of rootkits and malware.

This article deals with the following tools (*).

(*) For the version, use the latest version at the time of writing this article.

chkrootkit chkrootkit is a tool for detecting the existence of rootkits. The standard CentOS repository does not include the chkrootkit package like Ubuntu does.

You can download chkrootkit from Download at chkrootkit.org. In this article, we will explain the procedure for installing chkrootkit using CentOS 7 as an example.

In addition, chkrootkit uses the following command. It is meaningless after it has already been tampered with, so it should be taken into consideration when introducing it. Also, since chkrootkit does not have a function to automatically deal with rootkit even if it is detected, it is necessary to take action manually after detection.

The following command is used by the chkrootkit script.

awk、cut、echo、egrep、find、head、id、ls、netstat、ps、strings、sed、uname

Introduction of chkrootkit

--Installation of required packages # yum groups install -y "Development Tools" # yum install -y wget glibc-static

--Download chkrootkit # wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

--Unzip # tar xzvf chkrootkit.tar.gz

--Create symbolic link # cd ../; mv chkrootkit-0.53/ /usr/local/ # ln -s /usr/local/chkrootkit-0.53/ /usr/local/chkrootkit

Run chkrootkit

--Rootkit detection # cd /usr/local/chkrootkit
# ./chkrootkit --Rootkit detection (executed for the specified directory) # ./chkrootkit -r <directory>

You can check it regularly by setting it with cron. The following will be done daily at 3 o'clock and you will be notified by email.

0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)

rkhunter rkhunter is also a tool for detecting the existence of rootkits. Like chkrootkit, it is not included in the CentOS standard repository, so change rkhunter to sourceforge.net. Download from files / rkhunter / 1.4.6 /). Alternatively, you can install it from the EPEL repository.

Introduction of rkhunter

--Download rkhunter # wget https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.6/rkhunter-1.4.6.tar.gz --Unzip # tar xzvf rkhunter-1.4.6.tar.gz

--Installing rkhunter # cd rkhunter-1.4.6 # ./installer.sh --install

If you are installing from the EPEL repository, you can install it by following the steps below.

--Installing epel-release # yum install -y epel-release --Installing rkhunter # yum install rkhunter

Run rkhunter

The operation settings of rkhunter are set in /etc/rkhunter.conf, and the default database directory is / var / lib / rkhunter / db. Rootkit discovery will log to the /var/log/rkhunter.log file.

--rkhunter update # rkhunter --update --Update the status of the command executable file # rkhunter --propupd --Rootkit detection (--check executes rootkit detection, -skip-keypress does not enter Enter, --report-warnings-only displays only a warning about the command result ) # rkhunter --check --skip-keypress --report-warnings-only

maldetect(Linux Malware Detect) maldetect (Linux Malware Detect) is a free malware detection tool released under the license of ** GNU GPLv2 **. See R-FX NETWORKS for the official blog.

The features of maldetect are as follows.

--Automatic update of signature (*) for malware detection --ClamAV is adopted as open source antivirus software for the detection engine --Create a database of file system information to be detected and compare it with the inspected information to detect tampering.

(*) Byte sequence common to specific malware samples

Introduction of maldetect

--Download # wget http://www.rfxn.com/downloads/maldetect-current.tar.gz --Unzip # tar xzvf maldetect-current.tar.gz --Installation # cd maldetect-1.6.4/
# ./install.sh

The cronjob installed by maldetect will be deployed to /etc/cron.daily/maldet. It is set to scan and update signatures on a regular basis.

Run maldetect

If you do not specify any operation settings for maldetect, it will be installed in /usr/local/maldetect/conf.maldet.

--Update # maldet --update --Malware scan execution (execution targeting the specified directory) # maldet --scan-all <directory>

in conclusion

When you build and operate a server, you are responsible for managing the system.

Systems management is a collection of knowledge. You can improve security by using OSS etc. without spending too much money.

Recommended Posts

Linux security measures Host intrusion detection (chkrootkit / rkhunter / maldetect)
Linux security measures Intrusion detection by Snort
Effective and simple Web server security measures "Linux"