Archive for the 'Security' Category

OSSEC Open Source Host-based Intrusion Detection System.

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. A list of all supported platforms is available at http://www.ossec.net/main/supported-systems

Download http://www.ossec.net/files/ossec-hids-latest.tar.gz

If you have one system to monitor, you can install the OSSEC HIDS locally on that box and do everything from there.

However, if you are administering a few systems, you can select one to be your OSSEC server and the others to be OSSEC agents, forwarding events to the server for analysis. One of the greatest benefits of the OSSEC HIDS is its scalability, allowing you to monitor multiple systems from a central point.

# wget http://www.ossec.net/files/ossec-hids-latest.tar.gz

The best option is to select one of your machines to be the OSSEC server and perform the “server” installation on it. Then, choose the “agent” installation for the others.

Your IDS and rootkit rules will be just in one box, making it much easier to administer and configure.

Please make sure that you understand the type of installation you are choosing (manager, agent, local, etc) and are also aware of the order (always install the manager first).

Extract the compressed package and run the “./install.sh” script (It will guide you through the installation).

# tar -zxvf ossec-hids-*.tar.gz (or gunzip -d; tar -xvf)
# cd ossec-hids-*
# ./install.sh

Remember to open the port 1514 (UDP) if there is a firewall between the server and the agents (if you didn’t choose the local installation).

Start the OSSEC HIDS.

# /var/ossec/bin/ossec-control start
SBDavid

Installing Root Check

RootCheck scans the system looking for possible trojans, scans the ports for malicious activity, and checks for rootkits, as well as the logs, permissions and more.
Rootcheck is a very simple piece of software: just download, unpack, compile and execute it. It will scan the system and report whether or not it found anything.

Installation Instructions

Login to your server and su to root.

[root@ossec ~]# wget http://www.ossec.net/rootcheck/files/rootcheck-2.0.tar.gz
[root@ossec ~]# tar -zxvf rootcheck-2.0.tar.gz
[root@ossec ~]# cd rootcheck-2.0
[root@ossec ~]# make all
[root@ossec ~]# ./ossec-rootcheck

This will take you to an interactive installation. Make sure you have CPAN on
your box because rootcheck requires the Perl module IO::Interface.

When the installation is finished you will get this message:

Compilation sucessfull. Ready to go.
———————————————————
That’s it! If everything went ok, you should be ready to run RootCheck. If you any doubts about installation, please refer to INSTALL file.
You can also find additional information at :
http://www.ossec.net/rootcheck/
Improves, patches, comments are very welcome.
———————————————————
Scanning the System

Now you are ready to run rootcheck.
There are quite a few options, but the simplest one is to just run ‘./ossec-rootcheck’ to execute it:

./ossec-rootcheck

** Starting Rootcheck v2.0 by Third Brigade **
** http://www.ossec.net/en/about.html#dev-team **
** http://www.ossec.net/rootcheck/ **

Be patient, it may take a few minutes to complete…

[INFO]: Starting rootcheck scan.

[OK]: No presence of public rootkits detected. Analyzed 269 files.

[OK]: No binaries with any trojan detected. Analyzed 79 files.

If the installation went well you will get a progress screen for the scan, after which the results will be written into results.txt. The result is quite self-explanatory and gives details of all suspected files.

There is also an example file that explains the different options for rootcheck.

More Information about rootcheck is available at http://www.ossec.net/main/rootcheck

Examples that show some features of TCP wrapper

If you just want to restrict ssh connections without configuring or using /etc/hosts.deny, you can add the following entries to /etc/hosts.allow:

sshd: station1 station2 station3
sshd: ALL: DENY

The version of TCP wrapper that comes with Red Hat also supports the extended options documented in the hosts_options(5) man page. Here is an example of how an additional program can be spawned from e.g. the /etc/hosts.allow file:

sshd: ALL : spawn echo "Login from %c to %s" | mail -s "Login Info for %s" log@loghost

For information on the % expansions, see “man 5 hosts_access”.

The TCP wrapper is quite flexible.

And xinetd provides its own set of host-based and time-based access control functions. You can even tell xinetd to limit the rate of incoming connections.

SBDavid

The DiskSanitizer tool

East-Tec DiskSanitizer for Linux

East-Tec DiskSanitizer for Linux is designed to prevent the recovery of sensitive data that you wish to be deleted from a hard disk. Neither simple file deletion, formatting the disk, nor using fdisk is enough to foil attempts to recover previously recorded data from a hard disk. East-Tec DiskSanitizer overwrites every sector of data on a disk to remove all traces of data. Data is removed according to U.S. Department of Defense standards or custom user security levels. East-Tec DiskSanitizer can be operated from a floppy disk to sanitize any drive in the computer, regardless of the file system or the operating system. It also features verification capabilities and full user control during the sanitizing process.

The program can now sanitize independent partitions on your hard drive without affecting other partitions.

To retire servers with sensitive data, it is important to ensure that data cannot be recovered from the hard disks. To ensure that all traces of data are removed, the DiskSanitizer tool can be used. This tool can be operated from a floppy disk and it removes data according to the U.S. Department of Defense (DoD) standards.

DiskSanitizer is available at http://freshmeat.net/projects/disksanitizer.

Protect a server within a network by using a TCP Wrapper.

The Xinetd super server that comes with most Linux distributions includes a built-in TCP wrapper.

It can be used to explicitly define network services to accept incoming connections from specified servers and networks.

TCP wrappers implement access control through the use of two files, /etc/hosts.allow and /etc/hosts.deny.

A recommended security-strategy is to block all incoming requests by default, but allow specific hosts or networks to connect.

To deny everything by default, add the following line to /etc/hosts.deny:

ALL: ALL

To accept incoming SSH connections from e.g. nodes lab1, lab2 and lab3, add the following line to /etc/hosts.allow:

sshd: lab1 lab2 lab3

To accept incoming SSH connections from all servers from a specific network, add the name of the subnet to /etc/hosts.allow.

For example:

sshd: lab1 lab2 lab3 .subnet.lab.com

To accept incoming ssh connections from IP address 192.168.0.1 and subnet 192.168.5, add the following line to /etc/hosts.allow:

sshd: 192.168.0.1 192.168.5.

You can even tell xinetd to limit the rate of incoming connections. The TCP wrapper is quite flexible. And xinetd provides its own set of host-based and time-based access control functions.
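The hosts.allow and hosts.deny entries shown in this post and in the earlier "Examples that show some features of TCP wrapper" post are easy to get subtly wrong (a missing trailing dot on a network prefix, or forgetting that hosts.allow is consulted before hosts.deny). The following Python script is an added example, not code from the original posts or from the TCP wrapper project: it re-implements the hosts_access(5) search order and the pattern forms used on this page (ALL, host name or address, a leading-dot domain suffix, a trailing-dot network prefix, and the DENY option from hosts_options(5)) so you can check what decision a given client would get before editing a live server. The sample file contents and client names are constructed for the demonstration; forms not shown on this page (EXCEPT lists, netmasks, KNOWN/UNKNOWN/PARANOID) are deliberately not handled.

```python
"""Added example: evaluate TCP wrapper style hosts.allow / hosts.deny rules.

Only the pattern forms discussed on this page are implemented. Sample
files and clients below are constructed, not taken from a real system.
"""

from dataclasses import dataclass

# Constructed sample of /etc/hosts.allow combining the entries from the posts.
HOSTS_ALLOW = """
# SSH from named lab hosts, a domain suffix, one address and a network prefix
sshd: lab1 lab2 lab3 .subnet.lab.com 192.168.0.1 192.168.5.
# Any other sshd client is refused here, before hosts.deny is even consulted
sshd: ALL: DENY
"""

# Constructed sample of /etc/hosts.deny: deny everything by default.
HOSTS_DENY = """
ALL: ALL
"""


@dataclass
class Client:
    host: str  # resolved host name, or "" when reverse lookup failed
    addr: str  # IPv4 address in dotted form


def daemon_matches(token, daemon):
    """Daemon list: ALL or the exact daemon (process) name."""
    return token == "ALL" or token.lower() == daemon.lower()


def client_matches(token, client):
    """Client list patterns used on this page (see hosts_access(5))."""
    if token == "ALL":
        return True
    if token.startswith("."):  # leading dot: match a domain suffix
        return client.host.lower().endswith(token.lower())
    if token.endswith("."):  # trailing dot: match a network prefix
        return client.addr.startswith(token)
    return token.lower() == client.host.lower() or token == client.addr


def parse_rules(text):
    """Yield (daemons, clients, option) for every non-comment entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Split into at most three fields so a spawn command keeps its colons.
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("malformed entry: %r" % raw)
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2] if len(fields) > 2 else None
        yield daemons, clients, option


def _first_match(text, daemon, client):
    for daemons, clients, option in parse_rules(text):
        if any(daemon_matches(d, daemon) for d in daemons) and any(
            client_matches(c, client) for c in clients
        ):
            return option
    return None  # sentinel meaning "no entry matched"


def decide(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the hosts_access search order and return 'allow' or 'deny'.

    1. First matching entry in hosts.allow decides: access is granted unless
       its option field is DENY (other options, e.g. spawn, do not change the
       decision).
    2. Otherwise the first matching entry in hosts.deny refuses access.
    3. Otherwise access is granted.
    """
    allow_rules = list(parse_rules(allow_text))
    for daemons, clients, option in allow_rules:
        if any(daemon_matches(d, daemon) for d in daemons) and any(
            client_matches(c, client) for c in clients
        ):
            return "deny" if (option or "").strip().upper() == "DENY" else "allow"
    if _first_match(deny_text, daemon, client) is not None or any(
        daemon_matches(d, daemon) and any(client_matches(c, client) for c in cl)
        for d_list, cl, _ in parse_rules(deny_text)
        for d in d_list
    ):
        return "deny"
    return "allow"


if __name__ == "__main__":
    samples = [
        ("sshd", Client("lab1", "10.0.0.5")),
        ("sshd", Client("box7.subnet.lab.com", "10.0.0.9")),
        ("sshd", Client("", "192.168.5.77")),
        ("sshd", Client("", "192.168.50.1")),  # prefix 192.168.5. must not match
        ("sshd", Client("other.example.net", "203.0.113.9")),
        ("ftpd", Client("lab1", "10.0.0.5")),  # no sshd entry: hosts.deny applies
    ]
    for daemon, client in samples:
        print("%-5s %-22s %-14s -> %s" % (daemon, client.host, client.addr, decide(daemon, client)))
```

The fourth sample is the one worth remembering: `192.168.5.` with its trailing dot covers 192.168.5.0/24 only, so 192.168.50.1 is refused, whereas writing `192.168.5` without the dot would match nothing at all (it is neither a full address nor a prefix pattern). The "sshd: ALL: DENY" line also shows why the first post could restrict SSH without touching hosts.deny: the DENY option makes hosts.allow self-contained for that daemon.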
