SIM is designed to be intuitive and modular in nature, and to provide a clean and informative status system.
SIM continuously verifies that services are online, that load averages are in check, and that log files are at reasonable sizes. It is particularly useful on hosts that are exposed to the internet. The steps below show how to install SIM on Linux.
[1] Login to your server via SSH as root.
[2] Type: wget http://www.r-fx.org/downloads/sim-current.tar.gz
This will download the most current version of SIM (System Integrity Monitor)
[3] Type: tar -xzvf sim-current.tar.gz
This will extract the tar.gz file at once.
[4] The last line should look like “sim-2.5-3/CREDITS”; everything before the / is the directory the script was extracted to.
Type: cd sim-2.5-3
where sim-2.5-3 is the directory that SIM was extracted to.
[5] Type: ./setup -i
Then press “Enter”
Then when it says MORE press the “space bar”
Then press “Enter”
Then when it says MORE press the “space bar”
[6] Now press ENTER one more time to run the auto-configuration script for SIM.
Please note the following config is what I use, and you can change some monitoring services if you choose.
[7] Where is SIM installed ?
[/usr/local/sim]:
Press Enter
Where should the sim.log file be created ?
[/usr/local/sim/sim.log]:
Press Enter
Max size of sim.log before rotated ? (value in KB)
[128]:
Type: 512
Press Enter
The larger the file the more SIM (System Integrity Monitor) logs we can view. This is good for looking back.
Where should alerts be emailed to ? (e.g: root, user@domain)
[root]:
Type: youremail@yourdomain (An address on a separate, off-server system would be more secure.)
Press Enter
Disable alert emails after how many events, to avoid email flood ?
(Note: events stats are cleared daily)
[8]:
Press Enter
The below are configuration options for Service modules:
press return to continue…
Press Enter
Auto-restart services found to be offline ? (true=enable, false=disable)
[true]:
Press Enter
Enforce laxed service checking ? (true=enable, false=disable)
[true]:
Press Enter
Disable auto-restart after how many downed service events ?
(Note: events stats are cleared daily)
[10]:
Press Enter
Enable FTP service monitoring ? (true=enable, false=disable)
[false]:
Press Enter
Enable HTTP service monitoring ? (true=enable, false=disable)
[false]:
Type: true
Press Enter
Enable DNS service monitoring ? (true=enable, false=disable)
[false]:
Type: true (if you are running Ensim, do not type true; just press Enter)
Press Enter
Enable SSH service monitoring ? (true=enable, false=disable)
[false]:
Type: true
Press Enter
Enable MYSQL service monitoring ? (true=enable, false=disable)
[false]:
Type: true
Press Enter
Enable SMTP service monitoring ? (true=enable, false=disable)
[false]:
Type: true
Press Enter
TCP/IP port that SMTP operates on ?
[25]:
Press Enter
Enable XINET service monitoring ? (true=enable, false=disable)
[false]:
Type: true
Press Enter
TCP/IP port that any XINET service operates on (e.g: pop3, 110) ?
[110]:
Press Enter
Enable ENSIM service monitoring ? (true=enable, false=disable)
[false]:
Press Enter
Enable PGSQL service monitoring ? (true=enable, false=disable)
[false]:
After an unclean HTTP shutdown, semaphore array’s may remain allocated
and cause the service to fall into a looping restart cycle. Using this
feature clears semaphore arrays on HTTP restart.
Enable semaphore cleanup ?
[false]:
Press Enter
This is an implamented feature in the http module, its purpose is to
determine if/when the apache server locks up or otherwise stops
responding.
Enable URL aware monitoring ?
Type: true
Press Enter
URL path to a local file ? (exclude HTTP://)
Note: This URL should be valid and reside on the local server, otherwise
HTTP will loop restarting
[127.0.0.1/index.html]:
Type: site.com/index.html (a URL that resides on your local server)
Press Enter
HTTP log files can grow large and cause the service to crash
(segfault), this feature will keep the main HTTP logs incheck.
Enable HTTP log monitor ?
[false]:
Press Enter
MySQL uses a /tmp symlink of its mysql.sock socket file. This
feature verifies that the symlink exists from the main mysql.sock
file, and if not it is recreated.
Enable MySQL Socket correction ?
[false]:
Press Enter
Enable NETWORK monitoring ? (true=enable, false=disable)
[false]:
Type: true
Press Enter
interface to monitor ?
[eth0]:
Press Enter
Enable LOAD monitor ? (true=enable, false=disable)
[false]:
Type: true
Press Enter
Load level before status condition ‘warning’ ?
[25]:
Type: 5
Press Enter
Load level before status condition ‘critical’ ?
[45]:
Type: 10
Press Enter
Enable a global (wall) message at status condition ‘warning’ & ‘critical’ ?
[false]:
Press Enter
Renice services at status condition ‘warning’ or ‘critical’ ?
(3 values – warn, crit, false – false=disabled)
[false]:
Press Enter
Stop nonessential services at status condition ‘warning’ or ‘critical’ ?
(3 values – warn, crit, false – false=disabled)
[false]:
Press Enter
Reboot system on status condition ‘warning’ or ‘critical’ ?
(3 values – warn, crit, false – false=disabled)
[false]:
Press Enter
[8] Now that SIM (System Integrity Monitor) has been configured, we will add a cron job.
[9] Type: ./setup -c
If it says “Removed SIM cronjob.” then you must type it again:
Type: ./setup -c
Now it should say “Installed SIM cronjob.”
Congratulations, SIM (System Integrity Monitor) is now installed and running every 5 minutes.
PRM, or Process Resource Monitor, is an open source tool that checks the process table and matches process IDs against the resource limits set in the config file or in per-process rules. Process IDs that match or exceed the set limits are logged and killed. How to install the PRM tool is given below.
First we must fetch the package:
wget http://www.rfxnetworks.com/downloads/prm-current.tar.gz
And extract it:
tar xvfz prm-current.tar.gz
The current version of prm as of this writing is 0.3, so let's cd to the extracted 0.3 path:
cd prm-0.3/
And finally run the enclosed install.sh script:
./install.sh
Configuration
The prm installation is located at ‘/usr/local/prm’, and the configuration file is labeled ‘conf.prm’.
Open the ‘/usr/local/prm/conf.prm’ file with your preferred editor. There is an array of options in this file but we will only be focusing on the main variables.
Let's skip down to the user e-mail alerts section and set the USR_ALERT value to '1', enabling alerts.
# enable user e-mail alerts [0=disabled,1=enabled]
USR_ALERT="1"
And configure our e-mail addresses for alerts:
# e-mail address for alerts
USR_ADDR="root, you@domain.com"
Check the 5, 10, or 15 minute load average; this works together with the minimum load level option below.
# check 5,10,15 minute load average. [1,2,3 respective of 5,10,15]
LC="1"
PRM optionally requires a minimum load average before it runs: if the load is not equal to or greater than this value, PRM will not run. Setting this value to zero forces the script to always run, but this should not be needed.
# min load level required to run (decimal values unsupported)
MIN_LOAD="1"
This is the wait value described in the introduction, used for the pause between trigger increments. The value of WAIT multiplied by the value of KILL_TRIG gives the time before a process is killed (10 × 3 = 30 seconds).
# seconds to wait before rechecking a flagged pid (pid's noted resource
# intensive but not yet killed).
WAIT="10"
The trigger limit a process must reach before it is killed, described in detail in the WAIT description above and in the introduction.
# counter limit that a process must reach prior to kill. The counter value
# increases for a process flagged resource intensive on rechecks.
KILL_TRIG="3"
The maximum percentage of CPU a process is allowed to use before PRM flags it for killing.
# Max CPU usage readout for a process - % of all cpu resources (decimal values unsupported)
MAXCPU="35"
The maximum percentage of memory a process is allowed to use before PRM flags it for killing.
# Max MEM usage readout for a process - % of system total memory (decimal values unsupported)
MAXMEM="15"
That is it; you should tweak the MAXCPU/MAXMEM limits to your desired needs but the defaults should be fine for most.
Usage
The executable program resides at ‘/usr/local/prm/prm’ and ‘/usr/local/sbin/prm’. The prm executable accepts one of two arguments:
-s Standard run
-q Quiet run
The log path for prm is ‘/usr/local/prm/prm_log’; pid-specific logs are stored in ‘/usr/local/prm/killed/’.
A default cronjob for PRM is installed to ‘/etc/cron.d/prm’, and is configured to run once every 5 minutes.
There is a provided ignore file for ignoring processes based on string rules, located at ‘/usr/local/prm/ignore’. This file supports one ignore string per line. By default the strings ‘root’, ‘named’ and ‘postgre’ are ignored by PRM; this script was not intended to monitor root processes but rather user-land tasks. It could easily watch root processes by removing the corresponding line from the ignore file, but this is strongly discouraged.
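The check that the conf.prm variables above configure, shown as an added example that is not PRM's own code: it gates on LC and MIN_LOAD using a /proc/loadavg-style line, flags processes from a ps-style table whose %CPU or %MEM matches or exceeds MAXCPU or MAXMEM while skipping anything that matches the ignore file, and advances a per-pid counter on each recheck until KILL_TRIG is reached. The function names (prm_should_run, prm_flag_pids, prm_tick), the sample load line, the sample process table and the counter-file format are assumptions made for this example; the real PRM sleeps WAIT seconds between rechecks, which this example only documents.

```shell
#!/bin/sh
# Added example, not PRM's own code: a small re-implementation of the check
# that conf.prm describes, run over constructed sample data.

LC="1"          # 1,2,3 selects the 5, 10 or 15 minute load average
MIN_LOAD="1"    # PRM only runs when the selected average is >= this
WAIT="10"       # seconds between rechecks (documented here, not slept)
KILL_TRIG="3"   # rechecks a pid must stay flagged before it is killed
MAXCPU="35"     # % CPU at or above which a process is flagged
MAXMEM="15"     # % MEM at or above which a process is flagged

# Constructed /proc/loadavg-style line: 5, 10 and 15 minute averages first.
SAMPLE_LOADAVG="2.15 1.40 0.90 1/223 4521"

# Constructed ps-style table (USER PID %CPU %MEM COMMAND); not real output.
SAMPLE_PS="root     1  0.0  0.1 init
alice  2301 48.2  3.0 php
bob    2410  2.0 22.5 perl
named   910 60.0  1.0 named
carol  2555 35.0 15.0 python"

# Constructed ignore list carrying PRM's default strings, one per line.
SAMPLE_IGNORE="root
named
postgre"

# Returns 0 when the load average selected by LC is >= MIN_LOAD, 1 otherwise.
prm_should_run() {   # $1 loadavg line, $2 LC, $3 MIN_LOAD
    printf '%s\n' "$1" | awk -v lc="$2" -v min="$3" '{ if ($lc >= min) exit 0; exit 1 }'
}

# Prints "PID COMMAND" for each process at or above MAXCPU or MAXMEM, skipping
# any table line that contains a string from the ignore list.
prm_flag_pids() {   # $1 ps table, $2 ignore list, $3 MAXCPU, $4 MAXMEM
    ps_f=$(mktemp); ign_f=$(mktemp)
    printf '%s\n' "$1" > "$ps_f"
    printf '%s\n' "$2" > "$ign_f"
    awk -v maxcpu="$3" -v maxmem="$4" '
        FILENAME == ARGV[1] { if ($0 != "") pat[++n] = $0; next }
        {
            for (i = 1; i <= n; i++) if (index($0, pat[i])) next
            if ($3 >= maxcpu || $4 >= maxmem) print $2, $5
        }' "$ign_f" "$ps_f"
    rm -f "$ps_f" "$ign_f"
}

# One recheck: bump the counter of every pid still flagged and print (sorted)
# the pids whose counter reached KILL_TRIG, i.e. the ones PRM would kill and
# log under killed/. Counters persist in the file named by $1 (assumed format:
# "pid count" per line); a real loop sleeps WAIT seconds before calling this.
prm_tick() {   # $1 counter file, $2 flagged pids one per line, $3 KILL_TRIG
    fl_f=$(mktemp); new_f=$(mktemp)
    printf '%s\n' "$2" > "$fl_f"
    awk -v trig="$3" -v out="$new_f" '
        FILENAME == ARGV[1] { cnt[$1] = $2; next }
        $1 != "" { cnt[$1]++ }
        END {
            for (p in cnt) {
                print p, cnt[p] > out
                if (cnt[p] >= trig) print p
            }
        }' "$1" "$fl_f" | sort
    mv "$new_f" "$1"
    rm -f "$fl_f"
}

# Demonstration over the constructed data: the 5-minute average 2.15 passes
# MIN_LOAD, so the table is checked; root and named lines are ignored.
if prm_should_run "$SAMPLE_LOADAVG" "$LC" "$MIN_LOAD"; then
    echo "load check passed; flagged processes:"
    prm_flag_pids "$SAMPLE_PS" "$SAMPLE_IGNORE" "$MAXCPU" "$MAXMEM"
fi
```

With the sample table, php (48.2% CPU), perl (22.5% MEM) and python (exactly at both limits) are flagged; a pid is only killed once it has stayed flagged for KILL_TRIG consecutive rechecks, which with WAIT=10 is the 30 seconds the text describes.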
CHKROOTKIT is a very useful open source tool for detecting signs of a rootkit. It is a shell script that checks system binaries for rootkit alteration and can be used to scan for trojans; it checks whether system files have been changed or modified. The steps below show how simple it is to download and install CHKROOTKIT.
#Change to root
su -
#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# Check the MD5 sum of the download for security: fetch the published
# checksum file and compare its value with the sum computed locally
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum chkrootkit.tar.gz
cat chkrootkit.md5
#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz
#Change to the directory it created
cd chkrootkit*
#Compile by typing
make sense
#To use chkrootkit, just type the command
./chkrootkit
# Everything it outputs should be 'not found' or 'not infected'...
Important Note: If you see ‘Checking `bindshell’… INFECTED (PORTS: 465)’ read on.
I’m running PortSentry/klaxon. What’s wrong with the bindshell test?
If you’re running PortSentry/klaxon or another program that binds itself to
unused ports, chkrootkit will probably give you a false positive on the bindshell test
(ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp,
10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz
Daily Automated System Scan that emails you a report
While in SSH run the following:
vi /etc/cron.daily/chkrootkit.sh
Insert the following to the new file:
#!/bin/bash
# stop here if the install directory is missing, rather than mailing an empty report
cd /yourinstallpath/chkrootkit-0.42b/ || exit 1
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com
Important:
1. Replace ‘yourinstallpath’ with the actual path to where you unpacked Chkrootkit.
2. Change ‘Servername’ to the name of the server you’re running it on, so you know where the report is coming from.
3. Change ‘admin@youremail.com’ to your actual email address where the script will mail you.
Now save the file in SSH:
Ctrl+X then type Y
Change the file permissions so we can run it
chmod 755 /etc/cron.daily/chkrootkit.sh
Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/
./chkrootkit.sh
You’ll now receive a nice email with the report. This will happen every day, so you don’t have to run it manually.
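A filter for the daily report, shown as an added example that is not part of chkrootkit: it keeps only the lines that need a human look, so the cron mail above can carry findings instead of a full page of ‘not found’ lines. Lines ending in “not found”, “not infected” or “nothing found” and the ROOTDIR banner are dropped, and an allow-list file of exact lines lets a known false positive (such as the PortSentry bindshell case above) be silenced deliberately rather than ignored by habit. The function name chk_suspicious, the allow-list format and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of chkrootkit: reduce a report to the lines that
# need attention, with an allow list for known false positives.

# Constructed sample of chkrootkit output, not a real scan.
SAMPLE_CHK=$(cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... nothing found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
EOF
)

# Reads a report on stdin; $1 is the allow-list file (one exact report line
# per entry; it may be empty). Prints the suspicious lines and returns 0 when
# there is at least one, 1 when the report is clean. Anything that is not
# explicitly benign is reported, so unknown line shapes are surfaced too.
chk_suspicious() {
    awk -v allow="$1" '
        BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
        /^ROOTDIR is/ { next }
        /not found$/ || /not infected$/ || /nothing found$/ { next }
        ($0 in ok) { next }
        { print; hit = 1 }
        END { if (hit) exit 0; exit 1 }'
}

# Demonstration: first with an empty allow list, then with the bindshell line
# allowed because PortSentry is known to hold port 465 on this (assumed) host.
allow=$(mktemp)
echo "== without allow list =="
printf '%s\n' "$SAMPLE_CHK" | chk_suspicious "$allow" || echo "(clean)"
printf '%s\n' "Checking \`bindshell'... INFECTED (PORTS: 465)" > "$allow"
echo "== with bindshell allowed =="
printf '%s\n' "$SAMPLE_CHK" | chk_suspicious "$allow" || echo "(clean)"
rm -f "$allow"
```

In the cron script, a line such as report=$(./chkrootkit | chk_suspicious /etc/chkrootkit.allow) && printf '%s\n' "$report" | mail -s "Daily chkrootkit from Servername" admin@youremail.com sends mail only when something was reported (the allow-list path is an assumption); keep the full output in a log file as well so the benign lines stay available for comparison.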
Rkhunter is a Unix-based tool that scans for rootkits, trojans, backdoors and local exploits.
The installation steps are below:
Installing:
wget http://jaist.dl.sourceforge.net/sourcef … 2.9.tar.gz
tar -zxvf rkhunter-1.2.9.tar.gz
cd rkhunter-1.2.9
./installer.sh
Now you can run a test scan with the following command:
/usr/local/bin/rkhunter -c
How to set up a daily scan report
vi /etc/cron.daily/rkhunter.sh
add the following, replacing the email address:
#!/bin/bash
cd /usr/local/bin/
./rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com
chmod +x /etc/cron.daily/rkhunter.sh
Updating rkhunter
This gets the latest database updates from the central server and matches your OS better to prevent false positives.
rkhunter --update
I just got a false positive!! What do i do?
False positives are warnings which indicate a problem where there isn’t really one. Example: a Linux distro updates a few commonly used binaries like `ls` and `ps`. You (as a good sysadmin) install the new packages and, of course, run the daily Rootkit Hunter. Rootkit Hunter isn’t yet aware of these new files, so while scanning it reports some “bad” files. In this case we have a false positive. You could always have your datacenter or a system administrator check the server to verify that it is not compromised.
More information on rkhunter can be found here: http://www.rootkit.nl
CSF Installation is quite straightforward:
rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
If you would like to disable APF+BFD (which you will need to do if you have
them installed otherwise they will conflict horribly):
sh disable_apf_bfd.sh
That’s it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*
CSF is pre configured to work on a cPanel server with all the standard cPanel
ports open. It also auto-configures your SSH port if it’s non-standard on
installation.
You should ensure that the kernel logging daemon (klogd) is enabled. Typically, VPS
servers have this disabled; check /etc/init.d/syslog and make sure that any
klogd lines are not commented out. If you change the file, remember to restart
syslog.
See the ‘Readme’ file for more information.
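A check for the klogd caveat above, shown as an added example that is not part of CSF: it classifies a syslog init script as "enabled" (a klogd line is active), "commented" (klogd appears only behind a ‘#’) or "absent", which is the distinction lfd's kernel-log dependence turns on. The function names and the sample init-script fragments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of CSF: classify the klogd state of an init script.

# Reports "enabled", "commented" or "absent" for the init script at $1
# (for example /etc/init.d/syslog). A line counts as commented only when '#'
# is its first non-blank character.
klogd_status() {
    awk '
        /^[[:space:]]*#/ { if ($0 ~ /klogd/) commented = 1; next }
        /klogd/ { active = 1 }
        END {
            if (active) print "enabled"
            else if (commented) print "commented"
            else print "absent"
        }' "$1"
}

# Constructed init-script fragments (not real distribution files) used to
# exercise the three outcomes.
SAMPLE_ENABLED='#!/bin/sh
daemon syslogd -m 0
daemon klogd -x'
SAMPLE_COMMENTED='#!/bin/sh
daemon syslogd -m 0
#daemon klogd -x'
SAMPLE_ABSENT='#!/bin/sh
daemon syslogd -m 0'

# Writes $1 to a temporary file and reports the status for that file.
klogd_status_of_text() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    klogd_status "$f"
    rm -f "$f"
}

klogd_status_of_text "$SAMPLE_ENABLED"     # enabled
klogd_status_of_text "$SAMPLE_COMMENTED"   # commented
klogd_status_of_text "$SAMPLE_ABSENT"      # absent
```

Run klogd_status /etc/init.d/syslog before installing on a VPS; a result of "commented" is the case the text describes, and "absent" means the script does not start klogd at all and needs a closer look.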
Uninstallation
==============
Removing csf and lfd is even simpler:
cd /etc/csf
sh uninstall.sh