OSSEC creator Daniel Cid has a page on setting up OSSEC step by step: http://dcid.me/texts/my-ossec-setup-manual.html
Even with OSSEC installed and configured, check that all of your logs are actually being read by OSSEC – see step 2 of that manual.
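A quick way to do that check, as an added example (not from Daniel Cid's manual or from OSSEC itself): pull every `<location>` out of ossec.conf and list the files under a log directory that none of them cover. The sample config and log files below are constructed in a temp directory; on a real host the arguments would be the real paths, e.g. `/var/ossec/etc/ossec.conf` and `/var/log`.

```shell
#!/bin/sh
# Added example (not from Daniel Cid's manual or OSSEC itself): find log files
# under a directory that no <localfile><location> entry in ossec.conf covers.
# The demo paths are constructed; on a real host use the real config, e.g.
#   unmonitored_logs /var/ossec/etc/ossec.conf /var/log

# Print every <location> value in an ossec.conf (one per line).
ossec_locations() {
  sed -n 's/.*<location>\(.*\)<\/location>.*/\1/p' "$1"
}

# Print regular files under $2 that match no <location> pattern in $1.
# Runs in a subshell with globbing off, so a <location> such as
# /var/log/apache2/*.log stays a pattern and is matched with case.
unmonitored_logs() (
  set -f
  locs=$(ossec_locations "$1")
  find "$2" -type f | sort | while read -r f; do
    covered=0
    for pat in $locs; do
      case "$f" in
        $pat) covered=1; break ;;
      esac
    done
    if [ "$covered" -eq 0 ]; then
      printf '%s\n' "$f"
    fi
  done
)

# Build a constructed sample: a few empty log files and a config that
# covers only some of them. Prints the directory it created.
setup_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/log/apache2"
  for f in syslog auth.log kern.log dpkg.log apache2/access.log apache2/error.log; do
    : > "$d/log/$f"
  done
  cat > "$d/ossec.conf" <<EOF
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>$d/log/syslog</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>$d/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>$d/log/apache2/*.log</location>
  </localfile>
</ossec_config>
EOF
  printf '%s\n' "$d"
}

demo=$(setup_demo)
echo "Log files with no <localfile> entry:"
unmonitored_logs "$demo/ossec.conf" "$demo/log"   # prints dpkg.log, then kern.log
rm -rf "$demo"
```

Anything the script prints is a log OSSEC never sees; either add a `<localfile>` for it or decide, deliberately, that it is not worth watching. Rotated copies (`*.1`, `*.gz`) will show up too, so filter those out or point the script at the live names only.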
Rootcheck is an open source command line tool that looks for indicators of compromise on Linux or BSD systems. It tries to find known backdoors, kernel-level rootkits, malware and insecure configuration settings. It is included as part of OSSEC, but can also be installed and run on its own from the link below. If you suspect your server has been compromised it will certainly help with your investigation.
Install and run details can be found here: http://dcid.me/rootcheck
Also read this blog post titled “Investigating a Compromised Server with Rootcheck”
Good list to go over after building systems!
Example check to perform:
This is CCZE, a fast log colorizer written in C, intended to be a drop-in replacement for colorize (http://colorize.raszi.hu).
CCZE is a robust and modular log colorizer with plugins for apm, exim, fetchmail, httpd, postfix, procmail, squid, syslog, ulogd, vsftpd, xferlog, and more.
# yum install ccze (Red Hat/CentOS)
# apt-get install ccze (Debian/Ubuntu)
tail -f -n 50 /var/log/syslog | ccze (on Red Hat/CentOS the equivalent file is /var/log/messages)
Output is really nice as shown here:
Shodan https://www.shodan.io/ is a search engine that lets the user find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are meta-data the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server.
Shodan collects data mostly on web servers (HTTP, port 80), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), SIP (port 5060), and Real Time Streaming Protocol (RTSP, port 554). The latter can be used to access webcams and their video streams.
On Dustin Kirkland’s blog http://blog.dustinkirkland.com/2016/01/data-driven-analysis-tmp-on-tmpfs.html he wrote up a piece on running /tmp on tmpfs and I’m sold on it!
– Put /tmp on tmpfs and you’ll improve your Linux system’s I/O, reduce your carbon footprint and electricity usage, stretch the battery life of your laptop, extend the longevity of your SSDs, and provide stronger security.
– In fact, we should do that by default on Ubuntu servers and cloud images.
– Having tested 502 physical and virtual servers in production at Canonical, 96.6% of them could immediately fit all of /tmp in half of the free memory available and 99.2% could fit all of /tmp in (free memory + free swap).
The benefits of /tmp on tmpfs are:
- Performance: reads, writes, and seeks are insanely fast in a tmpfs; as fast as accessing RAM
- Security: data leaks to disk are prevented (especially when swap is disabled), and since /tmp is its own mount point, we should add the nosuid and nodev options (and motivated sysadmins could add noexec, if they desire).
- Energy efficiency: disk wake-ups are avoided
- Reliability: fewer NAND writes to SSD disks
Enabling it is simple:
$ echo "tmpfs /tmp tmpfs rw,nosuid,nodev" | sudo tee -a /etc/fstab
$ sudo reboot
More info at the link above
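After the reboot it is worth confirming that /tmp really came up as a tmpfs with nosuid and nodev, rather than trusting the fstab line. The check below is an added example (not from Kirkland's post); it reads a /proc/mounts-style line, and the three sample lines are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from Kirkland's post): confirm that /tmp is really a
# tmpfs mounted with nosuid and nodev. Input is a /proc/mounts-style line:
#   "<source> <mountpoint> <fstype> <options> <dump> <pass>"

# Check one mount line. Prints "ok" or a space-separated list of problems,
# and returns 1 when anything is wrong so it can gate a hardening script.
check_tmp_line() {
  set -- $1
  fstype=$3; opts=$4
  problems=""
  [ "$fstype" = tmpfs ] || problems="$problems not-tmpfs($fstype)"
  for want in nosuid nodev; do
    case ",$opts," in
      *",$want,"*) ;;
      *) problems="$problems missing-$want" ;;
    esac
  done
  if [ -z "$problems" ]; then
    echo ok
    return 0
  fi
  echo "${problems# }"
  return 1
}

# The live /tmp line from /proc/mounts (empty when /tmp is not its own mount point).
tmp_mount_line() {
  awk '$2 == "/tmp"' /proc/mounts 2>/dev/null | tail -n 1
}

# Constructed sample lines (not taken from a real host):
good='tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=2097152k 0 0'
bad='/dev/sda1 /tmp ext4 rw,relatime,errors=remount-ro 0 0'
weak='tmpfs /tmp tmpfs rw,relatime 0 0'

for l in "$good" "$bad" "$weak"; do
  check_tmp_line "$l" || true
done
# ok
# not-tmpfs(ext4) missing-nosuid missing-nodev
# missing-nosuid missing-nodev

live=$(tmp_mount_line)
if [ -n "$live" ]; then
  check_tmp_line "$live" || true
else
  echo "/tmp is not a separate mount point (still on the root filesystem)"
fi
```

On a live box `findmnt -n -o FSTYPE,OPTIONS /tmp` gives the same two fields in one go. Two caveats the fstab line above leaves implicit: a tmpfs with no `size=` option may grow to half of physical RAM, so add `size=` if a runaway process filling /tmp must not be allowed to eat memory; and adding `noexec` will break software that unpacks and runs helpers out of /tmp, which is why the post leaves it to the motivated sysadmin.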