Chkrootkit-Portsentry-Howto
Version 1.0
Author: Falko Timme
This document describes how to install chkrootkit and portsentry. It should work on all *nix operating systems (perhaps with minor changes regarding paths etc.).
Chkrootkit "is a tool to locally check for signs of a rootkit" (from http://www.chkrootkit.org).
"Sentry Tools provide host-level security services for the Unix platform. PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis" (from http://sourceforge.net/projects/sentrytools/).
This is a practical guide; it does not cover the theoretical background. That is dealt with in many other documents on the web.
This document comes without warranty of any kind!
1 Get the Sources
We need the following software: chkrootkit, portsentry and logcheck. We will install the software from the /tmp directory.
cd /tmp
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/sentrytools/portsentry-1.2.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/sentrytools/logcheck-1.1.1.tar.gz
2 Install Chkrootkit
mv chkrootkit.tar.gz /usr/local/
cd /usr/local/
tar xvfz chkrootkit.tar.gz
ln -s chkrootkit-0.43/ chkrootkit (replace 0.43 with the correct version number)
cd chkrootkit/
make sense
You will now find the chkrootkit program under /usr/local/chkrootkit. Run it by typing
cd /usr/local/chkrootkit/ && ./chkrootkit
Your output will look something like this:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl/5.6.1/auto/Test/Harness/.packlist
/usr/lib/perl/5.6.1/auto/DB_File/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
eth0:2: not promisc and no PF_PACKET sockets
eth0:3: not promisc and no PF_PACKET sockets
eth0:4: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
If a worm, rootkit etc. is found, it is indicated by the string INFECTED (in capital letters).
If you want to get chkrootkit's output by email once a day at 3 o'clock, you can put the following line into root's cron file (its location depends on your distribution; under Debian it is /var/spool/cron/crontabs/root; you may also find it under /var/spool/cron/tabs/root or similar):
0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" me@myself.tld)
Then run
chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart
3 Install Portsentry
cd /tmp
tar xvfz portsentry-1.2.tar.gz
cd portsentry_beta/
make linux
make install
Portsentry will be installed to /usr/local/psionic/portsentry/.
Edit /usr/local/psionic/portsentry/portsentry.conf and specify the ports that portsentry should guard:
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,[...]"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,[...]"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,[...]"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,[...]"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,[...]"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
These should be ports that are not in use on your system. For example, if you run IMAP on your server (port 143 TCP), you should remove 143 from the list above. The other sections of portsentry.conf are well commented, but normally the defaults should work.
Now we need to create an init script for portsentry (/etc/init.d/portsentry). We will run portsentry in advanced stealth mode, because it is the most powerful method to detect port scans:
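A small check for the port clash described above, added here as an example and not part of the original howto: it compares the active TCP_PORTS line of portsentry.conf with the TCP ports already listening on the host (read from saved "netstat -tln" output) and names every port, such as 143 for IMAP, that a real daemon already holds. The function names and the /tmp/listen.txt path are assumptions of this example.

```shell
# Added example, not part of the original howto: find ports that both
# portsentry.conf (TCP_PORTS) and a running service want, so they can be
# removed from TCP_PORTS before portsentry is started.

# Print the ports of the uncommented TCP_PORTS= line, one per line
# (placeholders such as "[...]" are dropped; only numeric ports survive).
conf_tcp_ports() {          # portsentry.conf on stdin
    sed -n 's/^TCP_PORTS="\([^"]*\)"/\1/p' | tr ',' '\n' | grep '^[0-9][0-9]*$'
}

# Print the local port of every LISTEN line, e.g. from "0.0.0.0:143" or ":::80".
listening_ports() {         # "netstat -tln" output on stdin
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print each port that appears in both lists; return 1 if there is any such
# clash (portsentry would compete with the real daemon for it), 0 otherwise.
conflicting_ports() {       # $1 = portsentry.conf, $2 = saved netstat output
    conf=$(conf_tcp_ports < "$1" | tr '\n' ' ')
    used=$(listening_ports < "$2" | tr '\n' ' ')
    rc=0
    for p in $conf; do
        case " $used " in
            *" $p "*) printf '%s\n' "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Typical use before starting portsentry (assumes netstat is installed):
#   netstat -tln > /tmp/listen.txt
#   conflicting_ports /usr/local/psionic/portsentry/portsentry.conf /tmp/listen.txt
```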
#!/bin/bash
case "$1" in
  start)
    echo "Starting Portsentry..."
    ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry -atcp' | grep -iv 'grep' > /dev/null
    if [ $? != 0 ]; then
      /usr/local/psionic/portsentry/portsentry -atcp
    fi
    ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry -audp' | grep -iv 'grep' > /dev/null
    if [ $? != 0 ]; then
      /usr/local/psionic/portsentry/portsentry -audp
    fi
    echo "Portsentry is now up and running!"
    ;;
  stop)
    echo "Shutting down Portsentry..."
    array=(`ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry' | grep -iv 'grep' \
      | awk '{print $1}' | cut -f1 -d/ | tr '\n' ' '`)
    element_count=${#array[@]}
    index=0
    while [ "$index" -lt "$element_count" ]
    do
      kill -9 ${array[$index]}
      let "index = $index + 1"
    done
    echo "Portsentry stopped!"
    ;;
  restart)
    $0 stop && sleep 3
    $0 start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
chmod 755 /etc/init.d/portsentry
To start portsentry at boot time, do the following:
ln -s /etc/init.d/portsentry /etc/rc2.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc3.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc4.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc5.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc0.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc1.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc6.d/K20portsentry
Now we start portsentry:
/etc/init.d/portsentry start
Please note: if you run portsentry, chkrootkit may complain about an infected bindshell:
Checking `bindshell'... INFECTED (PORTS: 31337)
This is normal and nothing to worry about.
4 Install Logcheck
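The cron job in section 2 mails the full chkrootkit output every night, and with portsentry running that output always contains the bindshell line just described. The following wrapper, added here as an example and not part of the original howto, keeps only INFECTED lines that portsentry does not explain and mails them only when there are any; the function names, the CHKROOTKIT_DIR and ADMIN_MAIL values, the PORTSENTRY_TCP_PORTS list (copied from the active TCP_PORTS line in section 3) and the presence of a local mail command are assumptions of this example.

```shell
# Added example, not from the original howto: cron wrapper that reports only
# chkrootkit INFECTED lines that portsentry (bound to 31337 etc.) does not explain.
CHKROOTKIT_DIR=/usr/local/chkrootkit   # install path from section 2
ADMIN_MAIL=me@myself.tld               # placeholder address, as on this page
# Ports "portsentry -atcp" holds open: the active TCP_PORTS line of section 3.
PORTSENTRY_TCP_PORTS="1 11 15 79 111 119 143 540 635 1080 1524 2000 5742 6667 12345 12346 20034 27665 31337"

# Return 0 if every port in "$1" (space separated) belongs to portsentry.
all_portsentry_ports() {
    for p in $1; do
        case " $PORTSENTRY_TCP_PORTS " in
            *" $p "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Read chkrootkit output on stdin, print INFECTED lines not explained by
# portsentry, and return 1 if any remain (0 means nothing to report).
chkrootkit_findings() {
    rc=0
    while IFS= read -r line; do
        case "$line" in *INFECTED*) ;; *) continue ;; esac
        case "$line" in
            *bindshell*PORTS:*)
                ports=${line#*PORTS:}; ports=${ports%%")"*}
                all_portsentry_ports "$ports" && continue ;;
        esac
        printf '%s\n' "$line"; rc=1
    done
    return $rc
}

# Run chkrootkit and mail the filtered findings only when there are any
# (assumes a local mail command); call this from the 3 am cron job instead
# of the unconditional pipe into mail shown in section 2.
run_and_mail() {
    out=$(cd "$CHKROOTKIT_DIR" && ./chkrootkit 2>&1 | chkrootkit_findings) ||
        printf '%s\n' "$out" | mail -s "chkrootkit: INFECTED" "$ADMIN_MAIL"
}
# Constructed sample (not a real run) to try the filter offline: demo returns 0
# because the only INFECTED line is the expected portsentry bindshell.
SAMPLE=$(cat <<'EOF'
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS: 31337)
EOF
)
demo() { printf '%s\n' "$SAMPLE" | chkrootkit_findings; }
```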
cd /tmp
tar xvfz logcheck-1.1.1.tar.gz
cd logcheck-1.1.1/systems/<your system type, e.g. linux>
Now change the variable SYSADMIN in logcheck.sh. SYSADMIN is the person who will receive logcheck's output by email (this can be an email address or a user on the system where logcheck is installed):
[...]
# CONFIGURATION SECTION

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin

# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.

# Person to send log activity to.
SYSADMIN=me@myself.tld

# Full path to logtail program.
# This program is required to run this script and comes with the package.
LOGTAIL=/usr/local/bin/logtail
[...]
cd ../../
mkdir -p /usr/local/etc/tmp
make <your system type, e.g. linux>
This will install logcheck under /usr/local/etc.
Now we have to create a cron job so that logcheck runs regularly. Edit root's cron file (e.g. /var/spool/cron/crontabs/root, see section 2 "Install Chkrootkit") and enter the following line:
0 3 * * * /usr/local/etc/logcheck.sh
Then run
chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart
This will call logcheck every day at 3 am. You will now be notified of unusual system events, security violations, system attacks etc. If your system is directly exposed to the internet, you will notice that there is a lot of malicious activity on the internet, and you will get a feeling for why security is so important.
Links
Chkrootkit: http://www.chkrootkit.org/
Portsentry: http://sourceforge.net/projects/sentrytools/