chkrootkit is a tool that locally checks a system for signs of a rootkit. Its main component is the chkrootkit shell script, which checks system binaries for
Open a terminal and install chkrootkit:
$ sudo apt-get install chkrootkit
Then run it as root, which performs all of its tests:
$ sudo chkrootkit
Keep in mind that chkrootkit relies on the host's own awk, ls, ps and similar binaries, which are exactly what a rootkit replaces; for a result you can trust, run it from a read-only rescue medium or point it at known-good copies of those binaries with its -p option.
For an automatic daily run, open /etc/chkrootkit.conf and change RUN_DAILY="false" to RUN_DAILY="true". Setting DIFF_MODE="true" in the same file makes the daily job report only what changed since the previous run, which keeps the noise down.
If you also want the daily report mailed to you, open /etc/cron.daily/chkrootkit and replace
$CHKROOTKIT $RUN_DAILY_OPTS
with
$CHKROOTKIT $RUN_DAILY_OPTS | mail -s "Daily chkrootkit run from $HOSTNAME" $YOUR_EMAIL_ADDRESS
substituting your own address for $YOUR_EMAIL_ADDRESS. This mails a report every day whether or not anything was found.
Rootkit Hunter (rkhunter) scans files and the running system for known and unknown rootkits, backdoors, sniffers and malware. The application consists of the main shell script, a few text-based databases and optional Perl scripts. It can recognise and run external applications such as skdet and unhide, and it should run on almost every Unix-like system.
Open a terminal and install rkhunter (the package name is lower-case):
$ sudo apt-get install rkhunter
Then run all of its checks:
$ sudo rkhunter --check
rkhunter pauses for a keypress after each group of tests; add --sk (--skip-keypress) for an uninterrupted run, or use --cronjob for a non-interactive run from cron.
By default the results are written to the log file /var/log/rkhunter.log, including the individual Warning lines that the on-screen summary only counts.
The following command makes rkhunter check for and download the latest version of any of its text data files:
$ sudo rkhunter --update
After a legitimate package upgrade, also run $ sudo rkhunter --propupd so that its stored file properties match the new binaries; otherwise the next --check reports every upgraded file as changed.
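The daily-run steps for both scanners above mail a full report every day, which is soon ignored. The following wrapper is an added example, not part of the Ubuntu documentation nor of chkrootkit or rkhunter: it runs whichever scanner is installed and mails only when the report contains a positive finding. It assumes, as chkrootkit's usual output convention, that positives are marked with the upper-case word INFECTED or with "Warning"/"Possible" (a clean check prints the lower-case "not infected"), that rkhunter prints its findings as "Warning:" lines, and that a mail command is available; the sample reports embedded below are constructed, not captured from a real scan.

```shell
#!/bin/sh
# Added example: run chkrootkit and/or rkhunter from cron and mail only on findings.
# Assumptions (not from the page): chkrootkit marks positives "INFECTED"/"Warning"/
# "Possible", rkhunter emits "Warning:" lines, and `mail` is installed.

# Filter a chkrootkit report read on stdin down to positive findings.
# Exit status 0 when at least one finding is printed, 1 when the report is clean.
chkrootkit_findings() {
    # "INFECTED" is upper-case only on a positive; the clean verdict is "not infected".
    grep -E 'INFECTED|Warning|Possible' | grep -v 'not infected'
}

# Filter rkhunter output or /var/log/rkhunter.log (stdin) down to its Warning lines.
rkhunter_findings() {
    grep 'Warning:'
}

# Run the scanners that are installed; mail their findings to $1.
# Returns 0 if any scanner reported something, 1 if both were clean or absent.
daily_rootkit_check() {
    to="$1"
    found=1
    if command -v chkrootkit >/dev/null 2>&1; then
        if report=$(chkrootkit 2>&1 | chkrootkit_findings); then
            found=0
            printf '%s\n' "$report" | mail -s "chkrootkit findings on $(hostname)" "$to"
        fi
    fi
    if command -v rkhunter >/dev/null 2>&1; then
        # --cronjob runs non-interactively; --report-warnings-only trims the output
        if report=$(rkhunter --cronjob --report-warnings-only 2>&1 | rkhunter_findings); then
            found=0
            printf '%s\n' "$report" | mail -s "rkhunter warnings on $(hostname)" "$to"
        fi
    fi
    return $found
}

# Constructed sample reports (not real scanner output) so the filters can be
# exercised on a machine without either tool installed.
sample_chkrootkit_clean() {
    cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Searching for sniffer's logs, it may take a while... nothing found
EOF
}
sample_chkrootkit_dirty() {
    cat <<'EOF'
Checking `ls'... INFECTED
Checking `ps'... not infected
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
EOF
}
sample_rkhunter_log() {
    cat <<'EOF'
[10:00:01] Info: Starting system checks
[10:00:05] Warning: The command '/bin/ls' has been replaced by a script: /bin/ls: POSIX shell script
[10:00:09] Info: Checking for hidden files and directories
EOF
}
```

Dropped into /etc/cron.daily and called as daily_rootkit_check root@localhost, it replaces the unconditional mail line above; the exit status also lets a monitoring job raise an alert without reading mail.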
What is DenyHosts?
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH brute-force and dictionary attacks. If you have ever looked at your SSH log (/var/log/secure on Red Hat, /var/log/auth.log on Debian-based systems such as Ubuntu and on Mandrake, etc.), you may be alarmed at how many attackers have tried to gain access to your server. Hopefully none of them succeeded (but then again, how would you know?). It is better to block such a host automatically before its attempts can continue. Note that DenyHosts is no longer packaged in recent Ubuntu releases; there, Fail2ban (below) covers the same SSH use case.
Features
- Parses /var/log/secure (or /var/log/auth.log) to find all login attempts and separates failed from successful ones.
- Synchronization mode (new in 2.0) lets DenyHosts daemons share data via a centralized server to block attackers proactively.
- Can be run from the command line, from cron or as a daemon (new in 0.9).
- Records every failed login attempt by user and by offending host.
- Records each host whose failure count exceeds a threshold.
- Keeps track of each non-existent user (e.g. sdadasd) used in a failed login attempt.
- Keeps track of each existing user (e.g. root) used in a failed login attempt.
- Keeps track of each offending host (with 0.8+ these hosts can be purged once the associated /etc/hosts.deny entry has expired).
- Keeps track of suspicious logins, that is, successful logins from a host that had many login failures.
- Keeps track of the file offset, so that the same log file (/var/log/secure) can be reparsed continuously until it is rotated.
- Detects log rotation and parses the new file from the beginning.
- Appends newly banned hosts to /etc/hosts.deny.
- Optionally sends an email listing newly banned hosts and suspicious logins.
- Keeps a history of every user, host, user/host combination and suspicious login encountered, with the date and number of corresponding failed login attempts.
- Maintains failed logins for valid and invalid users in separate files, so it is easy to see which valid account is under attack (giving you the opportunity to remove the account, change its password, or change its default shell to something like /sbin/nologin).
- On each run, loads the previously saved data and appends new failures to it.
- Resolves IP addresses to hostnames where available (new in v0.6.0).
- /etc/hosts.deny entries can be expired (purged) after a user-specified time (new in 0.8).
Because the blocking is done through /etc/hosts.deny, it only takes effect if sshd is built with TCP wrappers (libwrap) support. Upstream OpenSSH removed that support in 6.7, so on a release whose sshd lacks it the entries are silently ignored and a firewall-based tool such as Fail2ban is needed instead.
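The core of the feature list above (count failures per host, keep valid and invalid users apart, flag a successful login from a host that had failures, and emit hosts.deny lines for hosts over the threshold) fits in a short awk program. The following is an added example, not DenyHosts' own code; the log lines are constructed samples using documentation addresses, not real traffic, and the line format is the standard OpenSSH "Failed password for ... from ... port ..." syslog form.

```shell
#!/bin/sh
# Added example, not from DenyHosts: per-host and per-user failure accounting over
# an OpenSSH auth log, the way the feature list above describes it.
# Input lines are the standard sshd syslog format; samples below are constructed.

# Read sshd log lines on stdin; print one summary line per finding, sorted:
#   BAN <ip> <failures>          host at or over the threshold ($1, default 3)
#   SUSPICIOUS <ip> <logins>     successful login from a host that had failures
#   USER <name> valid|invalid <failures>
ssh_failure_report() {
    awk -v th="${1:-3}" '
        # value following a keyword such as "from" or "user"; "" if absent
        function field_after(key,   i) {
            for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for invalid user / {
            ip = field_after("from"); fails[ip]++; invalid[field_after("user")]++; next
        }
        /sshd\[[0-9]+\]: Failed password for / {
            ip = field_after("from"); fails[ip]++; valid[field_after("for")]++; next
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = field_after("from"); if (ip in fails) suspicious[ip]++
        }
        END {
            for (ip in fails) if (fails[ip] >= th) print "BAN", ip, fails[ip]
            for (ip in suspicious) print "SUSPICIOUS", ip, suspicious[ip]
            for (u in invalid) print "USER", u, "invalid", invalid[u]
            for (u in valid) print "USER", u, "valid", valid[u]
        }' | sort
}

# Turn the BAN lines into the TCP-wrappers syntax DenyHosts appends to /etc/hosts.deny.
hosts_deny_entries() {
    ssh_failure_report "$1" | awk '$1 == "BAN" { print "sshd: " $2 }'
}

# Constructed sample log (not real traffic): one host hammering two invalid users
# and root, another host that fails once and then succeeds, and one clean login.
sample_auth_log() {
    cat <<'EOF'
Jan  1 00:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan  1 00:00:02 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 4243 ssh2
Jan  1 00:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 4244 ssh2
Jan  1 00:00:04 host sshd[1004]: Failed password for root from 198.51.100.7 port 5000 ssh2
Jan  1 00:00:05 host sshd[1005]: Accepted password for root from 198.51.100.7 port 5001 ssh2
Jan  1 00:00:06 host sshd[1006]: Accepted publickey for alice from 192.0.2.9 port 6000 ssh2
EOF
}
```

Run it as sample_auth_log | ssh_failure_report 3 to see the summary, or tail -f /var/log/auth.log | ssh_failure_report on a live system. The SUSPICIOUS line is the one to read first: a success from a host that was guessing passwords moments earlier usually means the guess landed.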
2. Fail2ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, and so on. Fail2ban then normally updates firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box, Fail2ban ships with filters for many services (apache, courier, sshd, etc.). Its configuration lives under /etc/fail2ban/; do not edit jail.conf directly, since package upgrades replace it, but put your overrides in jail.local or in a file under jail.d/.
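What the sshd jail looks like in practice, with the loose distribution defaults and a tightened setting side by side, as an added example that is not part of the Ubuntu documentation or the Fail2ban project. It assumes Fail2ban's jail.d drop-in directory and uses 192.0.2.0/24 as a stand-in for a management network that must never be banned; both are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not Fail2ban's own code: write an sshd jail drop-in and check it.
# Assumptions: /etc/fail2ban/jail.d is the drop-in directory; 192.0.2.0/24 stands
# in for the administrator's management network.

# Write the sshd jail drop-in to directory $1 (default /etc/fail2ban/jail.d),
# whitelisting the management network $2. Prints the path of the written file.
write_sshd_jail() {
    dir="${1:-/etc/fail2ban/jail.d}"
    mgmt_net="${2:-192.0.2.0/24}"   # assumed management network, never banned
    mkdir -p "$dir"
    cat > "$dir/sshd.local" <<EOF
# The shipped defaults in jail.conf are roughly:
#   bantime = 10m   findtime = 10m   maxretry = 5
# Five guesses per ten minutes and a ten-minute ban barely slows a patient attacker.
[sshd]
enabled  = true
port     = ssh
filter   = sshd
# Ubuntu logs sshd to /var/log/auth.log; on journald-only hosts set backend = systemd
logpath  = /var/log/auth.log
maxretry = 3
findtime = 10m
bantime  = 1h
# Fail2ban 0.11 and later can lengthen bans for repeat offenders:
# bantime.increment = true
# Never ban localhost or the management network: a mistyped password must not lock you out.
ignoreip = 127.0.0.1/8 ::1 $mgmt_net
EOF
    echo "$dir/sshd.local"
}

# Sanity check on a written jail file $1: the jail is enabled and network $2 is
# whitelisted. Returns 0 when both hold, 1 otherwise.
check_sshd_jail() {
    grep -q '^enabled *= *true' "$1" && grep -q "^ignoreip *=.*$2" "$1"
}
```

After writing the file, run sudo systemctl reload fail2ban and confirm with sudo fail2ban-client status sshd, which lists the currently banned addresses; a quick fail2ban-regex /var/log/auth.log sshd shows how many log lines the filter actually matches before you rely on it.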
3. Ubuntu security tools
The Ubuntu repositories contain several useful tools for maintaining a secure network and network administration. This page attempts to list the most popular and useful of these utilities, a brief description of them, and how to install them.
- Wireshark (previously called Ethereal) - a popular network traffic analyser that can capture from the wire and read existing capture files, with a GUI that eases analysis. Root privileges are needed only for live capture, never for reading saved capture files, and running the whole GUI as root exposes its many protocol dissectors to hostile input with full privileges. The recommended setup on Ubuntu is to let the wireshark-common package grant capture rights to non-root users (sudo dpkg-reconfigure wireshark-common, answer Yes) and add your user to the wireshark group (sudo usermod -aG wireshark $USER, then log in again); only the small dumpcap helper then runs with capture capabilities. The older advice to start it with gksudo dates from before this was available. For Ubuntu 6.06 and earlier install the ethereal and ethereal-common packages from the Universe repository.
- For Ubuntu 6.10 onwards install the wireshark and wireshark-common packages from the Universe repository.
- ''Nessus'' - a powerful remote network security auditor with a nice GUI. Nessus supports plugins and keeps a regularly updated vulnerability database, and its scripting abilities let you automate many tasks. Nessus is no longer open source; a free edition is available for personal, non-commercial use with a limited number of targets.
- ''OpenVAS'' (The Open Vulnerability Assessment System), now developed by Greenbone, is a framework of several services and tools offering a comprehensive vulnerability scanning and vulnerability management solution. The actual security scanner is accompanied by a daily updated feed of Network Vulnerability Tests (NVTs), over 20,000 in total (as of January 2011). All OpenVAS products are free software; most components are licensed under the GNU General Public License (GNU GPL).
- Nmap - the standard network mapper and port scanner. Has a thousand and one uses. To install Nmap, install the nmap package.
- Etherape - a graphical network monitor in the style of etherman. It displays network activity with an intuitive UI. Install the etherape package from the Universe repository.
- Kismet - a wireless sniffing tool. Includes support for GPS map scanning in combination with the gpsdrive package. Install the kismet package from the Universe repository.
- Chkrootkit - chkrootkit can be used to help determine whether a machine has been compromised. While not the 'final word' on whether you have been compromised, it runs many useful checks and can point your suspicions in the right direction. To install chkrootkit, install the chkrootkit package.
- Rkhunter (Ubuntu 6.06 and above only) - another rootkit detection tool. Install the rkhunter package from the Universe repository.
- tiger - Tiger is a package consisting of Bourne shell scripts, C code and data files, used for checking for security problems on a UNIX system. It scans system configuration files, file systems and user configuration files for possible security problems and reports them. Install the tiger package, together with chkrootkit and john, which tiger can call for its rootkit and password-strength checks.
- GnuPG - also known as GPG, is an open source PGP replacement implementing the OpenPGP standard. It long lacked support for the IDEA cipher for patent reasons (support was added once the patent expired), but is incredibly useful. Included by default. GnuPG lets you encrypt and digitally sign email, and integrates well into the Evolution mail client as well as Thunderbird.
- Seahorse - a light-weight GNOME front end for GPG that makes managing keys much easier. Install the seahorse package from the Universe repository.
- Nemesis - a command-line packet injection utility. Requires some reading of the documentation to get full use of it. To install Nemesis, install the nemesis package from the Universe repository.
- Tcpdump - while its name suggests that it works only for TCP, tcpdump also decodes UDP, BGP, NFS and many other packet types. It is a powerful network utility that belongs in every admin's toolbox, letting you pull in everything off the wire; in combination with Wireshark it misses little. Its -Z option drops root privileges to an unprivileged user once the capture interface is open, which is worth using for long-running captures. To install tcpdump, install the tcpdump package.
- OpenSSH - OpenSSH almost single-handedly stopped admins from using telnet, an insecure protocol. The OpenSSH client is installed by default. Use SSH instead of telnet or rsh; telnet over TLS exists but offers none of SSH's key-based authentication and is rarely a better choice even with a large number of clients. To install the SSH server, install the openssh-server package.
- denyhosts (Ubuntu 6.10 and above only) - scans your SSH logs to find brute-force attacks and then blocks the IPs they came from. To install denyhosts, install the denyhosts package; on recent releases, where it is no longer packaged, use fail2ban instead.