Linux Nexus

Linux Malware Detect (LMD)

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 (free, open source) license, that is designed around the threats faced in shared hosted environments.

==========================================================

Installation & Configuration

root@server [~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

2010-05-15 23:34:05 (148 MB/s) – `maldetect-current.tar.gz’ saved [268031/268031]

 

root@server [~]# tar xfz maldetect-current.tar.gz

root@server [~]# cd maldetect-*

root@server [~]# ./install.sh

Linux Malware Detect v1.3.4

(C) 1999-2010, R-fx Networks <proj@r-fx.org>

(C) 2010, Ryan MacDonald <ryan@r-fx.org>

inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>

This program may be freely redistributed under the terms of the GNU GPL

 

installation completed to /usr/local/maldetect

config file: /usr/local/maldetect/conf.maldet

exec file: /usr/local/maldetect/maldet

exec link: /usr/local/sbin/maldet

cron.daily: /etc/cron.daily/maldet

 

maldet(32517): {sigup} performing signature update check…

maldet(32517): {sigup} local signature set is version 2010051510029

maldet(32517): {sigup} latest signature set already installed

==========================================================

Now that LMD is installed, take note of the file locations as that is the next thing we need to do.

root@server [~]# vim /usr/local/maldetect/conf.maldet

==========================================================

The configuration file is fully commented so you should be able to make out most options but lets take a moment to review the more important ones:

email_alert
This is a top level toggle for the e-mail alert system, this must be turned on if you want to receive alerts.

email_addr
This is a comma spaced list of e-mail addresses that should receive alerts.

quar_hits
This tells LMD that it should move malware content into the quarantine path and strip it of all permissions. Files are fully restorable to original path, owner and permission using the –restore FILE option.

quar_clean
This tells LMD that it should try to clean malware that it has cleaner rules for, at the moment base64_decode and gzinflate file injection strings can be cleaned. Files that are cleaned are automatically restored to original path, owner and permission.

quar_susp
Using this option allows LMD to suspend a user account that malware is found residing under. On CPanel systems this will pass the user to /scripts/suspendacct and add a comment with the maldet report command to the report that caused the users suspension (e.g: maldet –report SCANID). On non-cpanel systems, the users shell will be set to /bin/false.

quar_susp_minuid
This is the minimum user id that will be evaluated for suspension, the default should be fine on most systems.

The rest of the options in conf.maldet can be left as defaults unless you clearly understand what they do and how they may influence scan results and performance.

==========================================================

If we wanted to scan all user public_html paths under /home*/ this can be done with:

maldet –scan-all /home?/?/public_html

If you wanted to scan the same path but scope it to content that has been created/modified in the last 5 days you would run:

maldet –scan-recent /home?/?/public_html 5
If you performed a scan but forget to turn on the quarantine option, you could quarantine all malware results from a previous scan with:

maldet –quarantine SCANID

Similarly to the above, if you wanted to attempt a clean on all malware results from a previous scan that did not have the feature enabled, you would do so with:

maldet –clean SCANID

If you had a file that was quarantined from a false positive or that you simply want to restore (i.e: you manually cleaned it), you can use the following:

maldet –restore config.php.2384
maldet –restore /usr/local/maldetect/quarantine/config.php.2384

==========================================================

Daily Scans

The cronjob installed by LMD is located at /etc/cron.daily/maldet and is used to perform a daily update of signatures, keep the session, temp and quarantine data to no more than 14d old and run a daily scan of recent file system changes.

The daily scan supports Ensim virtual roots or standard Linux /home*/user paths, such as Cpanel. The default is to just scan the web roots daily, which breaks down as /home*/*/public_html or on Ensim /home/virtual/*/fst/var/www/html and /home/virtual/*/fst/home/*/public_html.

If you are running monitor mode, the daily scans will be skipped and instead a daily report will be issued for all monitoring events. If you need to scan additional paths, you should review the cronjob and edit it accordingly.

==========================================================

There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.

e.g: maldet –monitor users
e.g: maldet –monitor /root/monitor_paths
e.g: maldet –monitor /home/mike,/home/ashton
The options break down as follows:
USERS – The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then the users webdir, if it exists, will only be monitored.
PATHS – A comma spaced list of paths to monitor
FILE – A line spaced file list of paths to monitor

Once you start maldet in monitor mode, it will preprocess the paths based on the option specified followed by starting the inotify process.

==========================================================

The alerting of file hits under monitor mode is handled through a daily report instead of sending an email on every hit. The cron.daily job installed by LMD will call an –alert-daily flag and send an alert for the last days hits. There is also an –alert-weekly option that can be used, simply edit the cron at /etc/cron.daily/maldet and change the –alert-daily to –alert-weekly.

How to generate CSR, Key and CRT using OPENSSL.

What is SSL :

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.[1] TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.

What is CSR :

In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate

================================================================================================================================

Generate domains Private Key on the Server :

root@test [~/test]# openssl genrsa -des3 -out www.linuxnexus.net.in.key 2048
Generating RSA private key, 2048 bit long modulus
…+++
………………………+++
e is 65537 (0×10001)
Enter pass phrase for www.linuxnexus.net.in.key:
Verifying – Enter pass phrase for www.linuxnexus.net.in.key:

Generate a Certificate Signing Request (CSR) :

root@test [~/test]# openssl req -new -key www.linuxnexus.net.in.key -out www.linuxnexus.net.in.csr
Enter pass phrase for www.linuxnexus.net.in.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Nikhil Tare
Locality Name (eg, city) [Newbury]:Nasik
Organization Name (eg, company) [My Company Ltd]:Linux Nexus
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server’s hostname) []:Nikhil
Email Address []:nikhil.tare@linuxnexus.net.in

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:password@123
An optional company name []:Linux Nexus

Generate a .crt for your domain :

root@test [~/test]# openssl x509 -req -days 365 -in www.linuxnexus.net.in.csr -signkey www.linuxnexus.net.in.key -out www.linuxnexus.net.in.crt
Signature ok
subject=/C=IN/ST=Nikhil Tare/L=Nasik/O=Linux Nexus/OU=Support/CN=Nikhil/emailAddress=nikhil.tare@linuxnexus.net.in
Getting Private key
Enter pass phrase for www.linuxnexus.net.in.key:
root@rose [~/test]# ll

You can generate CSR for your domain using above steps.

================================================================================================================================

About Nagios:

Nagios is a free, open-source web-based network monitor developed by Ethan Galstad. Nagios is designed to run on Linux, but can be also be used on Unix variants. Nagios monitors the status of host systems and network services and notifies the user of problems.

How It Works:

 Nagios runs on a server, usually as a daemon (or service). Nagios periodically run plugins residing (usually) on the same server; they contact (PING etc.) hosts and servers on your network or on the Internet. You can also have information sent to Nagios. You then view the status information using the web interface

 

Nagios installation and setup

How to install and configure nagios in linux

The required source file can be obtained from

http://www.nagios.org/download

The needed source files are ” Nagios Core ” and ” Nagios Plugins “

Nagios server setup

Login to Server  as root user.

cd /usr/local

#  wget  http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.3.tar.gz

 Create a new nagios user account and give it a password.

#   useradd nagios

# passwd nagios

 Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.

# groupadd nagcmd

# usermod -a -G nagcmd nagios

# usermod -a -G nagcmd apache

Compiling nagios server

[root@]# tar -xvzf nagios-3.2.3.tar.gz

[root@]# cd nagios-3.2.3

[root@]# ./configure –with-command-group=nagcmd

[root@]#  make all

[root@]# make install

[root@]# make install-init

[root@]# make install-config

[root@]#  make install-commandmode

Don’t start Nagios yet – there’s still more that needs to be done…

Download Nagios Plugins

Download the source code tarballs of Nagios plugins (from: http://www.nagios.org/download/ for links to the latest versions)

[root@ ]#  wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.14.tar.gz

[root@ ]# cd nagios-plugins-1.4.14

[root@ ]# ./configure  –with-nagios-user=nagios –with-nagios-group=nagios

[root@ ]#  make

[root@ ]#  make install

Configure the Web Interface

Install the Nagios web config file in the Apache conf.d directory.

[root@ ]# make install-webconf

Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account – you’ll need it later.

[root@ ]# htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin

 

The compilation part in nagios server is over and now we can continue with configuration once the nagios client server is configured.

Nagios client server installation and configuration

In client server the needed packages are nagios pluggin and nrpe

You can download and install the nagios pluggin as same as in nagios server here also.

downloading  and installing nrpe on client side

root@ [~]# cd /

root@ []#  wget http://prdownloads.sourceforge.net/sourceforge/nagios/nrpe-2.12.tar.gz

root@ []# tar -xvzf nrpe-2.12.tar.gz

root@ []#  rm -rf nrpe-2.12.tar.gz

root@ []#  cd nrpe-2.12/

root@ []# ./configure

root@ []# make all

root@ []# make install-plugin

root@ []# make install-daemon

root@ []# make install-daemon-config

root@ []# make install-xinetd

root@ []# vi /etc/xinetd.d/nrpe

Add the entries as

=============================

# default: on

# description: NRPE (Nagios Remote Plugin Executor)

service nrpe

{

flags           = REUSE

socket_type     = stream

port            = 5666

wait            = no

user            = nagios

group           = nagios

server          = /usr/local/nagios/bin/nrpe

server_args     = -c /usr/local/nagios/etc/nrpe.cfg –inetd

log_on_failure  += USERID

disable         = no

only_from       = 127.0.0.1 1.2.3.4 

}

————————————————————————————-

In above file, here the IP 1.2.3.4 is my nagios server’s IP

————————————————————————————-

Also add the port 5666 to /etc/services file : 5666 is the nrpe port

The entry added to /etc/services is

 nrpe            5666/tcp                         # NRPE

After that restart xinetd

Also open the 5666 port in CSF

root@ []#  service csf restart

root@ []#  service xinetd restart

Testing the nrpe connection

root@[]# netstat -at |grep nrpe

tcp        0      0 *:nrpe                      *:*                         LISTEN

root@[]# telnet localhost 5666

Trying 127.0.0.1…

Connected to localhost.

Escape character is ‘^]’.

root@ []# /usr/local/nagios/libexec/check_nrpe -H localhost

NRPE v2.12

 

With these the nagios client setup is over

***********************************************************

Now we can continue with configuring nagios server

[]# cd /usr/local/nagios/etc/objects

Now we need to define these two files localhosts.cfg and commands.cfg

 Define hostgroup in localhosts.cfg as follows:

 ############################################################

#

# HOST GROUP DEFINITION

#

############################################################

# Define an ional hostgroup for Linux machines

define hostgroup{

hostgroup_name  linux_servers ; The name of the hostgroup

alias           Linux Servers ; Long name of the group

members         *

}

Then define host and services as follows under HOST DEFINITION:

[root@ ]# cat localhosts.cfg

define host {

use                     linux-server

host_name               server.example.com

alias                   server.example.com

address                 <ip address of server>

check_command           check_nrpe!check_ping

contacts                nagiosadmin

notifications_enabled   1

notification_ions    d,u,r,f

}

And under SERVICE DEFINITIONS define services as follows:

define service {

use generic-service

host_name       *

service_description     HTTP

check_command   check_http

contacts        nagiosadmin,staff

notifications_enabled 1

}

In commands.cfg we need to define all the services that needs to be monitored

[root@]# cat command.cfg

define command{

command_name    check_crond

command_line    /usr/local/nagios/libexec/check_crond $HOSTADDRESS$

}

Now we can check if there is any error in nagios configuration using

 [root@ ]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg

Total Warnings: 0

Total Errors:   0

Restart Apache to make the new settings take effect.

[root@ ]# service httpd restart

Now we need to restart nagios service and access the Nagios status Page using URL :

http://server-hostname/nagios

Use the login information you have used for the user nagiosadmin while configuring web interface.

=====================================================

How to Install Grsecurity on centos 6.0(i686) :

========================================================================================================
Benifits of Grsecurity :
* An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
* Change root (chroot) hardening
* /tmp race prevention
* Extensive auditing
* Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
* Prevention of arbitrary code execution in the kernel
* Randomization of the stack, library, and heap bases
* Kernel stack base randomization
* Protection against exploitable null-pointer dereference bugs in the kernel
* Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
* A restriction that allows a user to only view his/her processes
* Security alerts and audits that contain the IP address of the person causing the alert

========================================================================================================

The ideal way to install Grsecurity on 32 bit OS is :

Fetch the sources:

Download kernel from kernel.org

#wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.51.tar.gz

Downlaod latest Grsecurity patch from below URL :

#wget http://grsecurity.net/stable/grsecurity-2.2.2-2.6.32.51-201201021326.patch

Extract:
tar xjf linux-2.6.32.51.tar.gz

Patch the kernel:

#cd linux-2.6.32.51

#patch -p1 < ../grsecurity-2.2.2-2.6.32.51-201201021326.patch

Now start making the kernel :

# make clean && make mrproper

Edit your kernel as per your need :

# make menuconfig

Compile your kernel and install it:

# make bzImage

# make modules

# make modules_install

Make sure it’s working ok with the help of following command :

# depmod 2.6.32.51-grsec

Installing and booting the new kernel :

# cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.32.51-grsec

There is also a file called “System.map” that must be copied to the same boot directory.

# cp System.map /boot

Do not forget to make changes in /etc/grub.conf

also go to grub prompt after this and fire below command :

# grub > savedefault –-default=0 –-once

Now reboot server :

#Shutdown -r now.

Changing kernel manually :

1. Download the latest kernel from kernel.org

Example:

#wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.28.tar.gz
#tar -xvf linux-2.6.28.tar.gz
#cd linux-2.6.28

2. Configure the kernel options

#make menuconfig

3. Make dependencies

#make dep

4. Make the kernel : You can now compile the actual kernel. This can take about 15 minutes to complete on a 500 MHz system.

#make bzImage

5. Make the modules : Modules are parts of the kernel that are loaded on the fly, as they are needed. They are stored in individual files (e.g. ext3.o). The more modules you have, the longer this will take to compile:

#make modules

6. Install the modules : This will copy all the modules to a new directory, “/lib/modules/a.b.c” where a.b.c is the kernel version

#make modules_install

#make install

# depmod 2.6.28

7.Installing and booting the new kernel :

#cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.28

There is also a file called “System.map” that must be copied to the same boot directory.

#cp System.map /boot

Do not forget to make changes in /etc/grub.conf

also go to grub prompt after this and fire below command :

# grub > savedefault –default=0 –once

Shutdown -r now.
=================================================================

It will surely work Best Luck !

Install VirtualBox 4.1.6 on Fedora 16/15, CentOS/Red Hat (RHEL) 6/5.7

 

Oracle VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use. VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software.

 

VirtualBox supports a large number of guest operating systems:

• Windows 3.x
• Windows NT 4.0
• Windows 2000
• Windows XP
• Windows Server 2003
• WindowsVista
• Windows 7
• DOS
• Linux (2.4 and 2.6)
• Solaris
• OpenSolaris
• OpenBSD

 

This guide shows howto install VirtualBox 4.1 (currently 4.1.6) on Fedora 16, Fedora 15, Fedora 14, Fedora 13, Fedora 12, CentOS 6/5.7, Red Hat (RHEL) 6.1/6/5.7. This howto uses Virtual Box yum repositories.

 

1. Change to root User

su -

## OR ##

sudo -i

 

2. Install Fedora or RHEL Repo Files

cd /etc/yum.repos.d/

 

## Fedora 16/15/14/13/12 users

wget http://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo

 

## CentOS 6/5.7 and Red Hat (RHEL) 6/5.7 users

wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo

 

3. Update latest packages and check your kernel version

Update packages

yum update

 

Check that that you are running latest installed kernel version
Output of following commands version numbers should match:

rpm -qa kernel |sort |tail -n 1

 

uname -r

Note: If you got kernel update or run older kernel than newest installed then reboot:

reboot

 

4. Install following dependency packages

CentOS 5 and Red Hat (RHEL) 5 needs EPEL repository, install it with following command:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm

yum install binutils gcc make patch libgomp glibc-headers glibc-devel kernel-headers kernel-devel dkms

 

## PAE kernel users install ##

yum install binutils gcc make patch libgomp glibc-headers glibc-devel kernel-headers kernel-PAE-devel dkms

 

5. Install VirtualBox Latest Version (current 4.1.6)

yum install VirtualBox-4.1

 

Note:
This command create automatically vboxusers group and VirtualBox user must be member of that group.
This command also build needed kernel modules.

Rebuild kernel modules with following command:

 

(Make sure that the system is running in init level 5)

/etc/init.d/vboxdrv setup

## OR ##

service vboxdrv setup

 

6. Add VirtualBox User to vboxusers Group

usermod -a -G vboxusers user_name

 

7. Start VirtualBox

Use launcher or simply:

VirtualBox

 

Troubleshooting

If you have problems with KERN_DIR parameter or your kernel directory is not automatically detected then set KERN_DIR environment variable manually, using following method:

## Current running kernel on Fedora ##

KERN_DIR=/usr/src/kernels/`uname -r`

 

## Current running kernel on CentOS and Red Hat (RHEL) ##

KERN_DIR=/usr/src/kernels/`uname -r`-`uname -m`

 

## Fedora example ##

KERN_DIR=/usr/src/kernels/2.6.33.5-124.fc13.i686

 

## CentOS and Red Hat (RHEL) example ##

KERN_DIR=/usr/src/kernels/2.6.18-194.11.1.el5-x86_64

 

## Export KERN_DIR ##

export KERN_DIR=/usr/src/kernels/`uname -r`-`uname -m`

====================================================

Please follow below steps to install Mysql Server on Linux CentOS:

========================================

Firstly, please make sure that the mysql packages are available under the yum:

[root@server10068 ~]# yum list mysql*

if yes, then use below command to install mysql:

[root@server10068 ~]# yum install mysql*

Make sure that the installation goes well. Now, please install the Mysql database on the server using below command:
[root@server10068 ~]# mysql_install_db

It will create mysql database for the mysql server. Now, need to reset the password for the Mysql server root user. Please use below command for it:

[root@server10068 ~]# /usr/bin/mysqladmin -u root password ‘new-password’

replace the ‘new-password’ with the password you would like to set.

Now, create my.cnf under root home directory using below command:

[root@server10068 ~]# touch /root/.my.cnf

Once done, edit the file in your favorite editor like vi or nano and put below code:

[client]

user=”root”

password=”new-password”

Please replace the “new-password” with the password you have used above while setting up  with the mysqladmin command.

Your Mysql server is now installed and configured on your machine. You can confirm the same by firing the command as below:

[root@server10068 ~]# mysql

========================================