Comments on Chkrootkit-Portsentry-Howto

Chkrootkit-Portsentry-Howto

This document describes how to install chkrootkit and portsentry. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems. Chkrootkit "is a tool to locally check for signs of a rootkit" (from http://www.chkrootkit.org). "The Sentry tools provide host-level security services for the Unix platform. PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis".


Comments

By: Anonymous

I have written a better cron script, so I thought I would share it:

#!/bin/bash
SYSADMIN="[email protected]"   # alert recipient (the address is redacted in the original post)
HOSTNAME=$(hostname)
DATE=$(date "+%d/%m/%Y %H:%M")
CHKROOTKIT=/usr/local/chkrootkit/chkrootkit
MAILER=mail   # was MAIL, which is the mailbox variable the mail client itself reads

#
# Create a private temp file instead of the predictable /tmp/chkrootkit.$$,
# so a local user cannot pre-create or symlink that name to spoof the checker.
# mktemp failing is treated the same way the original treated a leftover file.
TMPFILE=$(mktemp /tmp/chkrootkit.XXXXXX) || {
    echo "Cannot create a chkrootkit temp file in /tmp. This may be an attempt to spoof the checker." \
        | $MAILER -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" "$SYSADMIN"
    exit 1
}
trap 'rm -f "$TMPFILE"' EXIT   # clean up on every exit path

#
# Check for root kits: keep only the lines chkrootkit marks as INFECTED
"$CHKROOTKIT" | grep INFECTED > "$TMPFILE"
if [ -s "$TMPFILE" ]; then
    $MAILER -s "$DATE - ROOTKIT DETECTED ON $HOSTNAME!" "$SYSADMIN" < "$TMPFILE"
fi

Cheers,
Max
www.intellectit.com.au
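A cron wrapper like the one above only mails lines containing INFECTED. As an added example, not code from the howto or from the comment, the script below shows the filtering step in a form you can run offline: it keeps chkrootkit's other finding markers ("PACKET SNIFFER" for a promiscuous interface, "Warning" from the LKM checks) as well as INFECTED, and drops findings you have already reviewed via a fixed-string allowlist. The SAMPLE output is constructed in the style of chkrootkit output, and the ALLOWLIST entry is a hypothetical value; both are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the howto or from the comment above: turn raw
# chkrootkit output into the findings worth alerting on, after dropping those
# already reviewed and accepted on this host. Runs offline against SAMPLE.

# SAMPLE is constructed in the style of chkrootkit output for illustration;
# it is not the output of a real run.
SAMPLE=$(cat <<'EOF'
ROOTDIR is `/'
Checking `ifconfig'... not infected
Checking `ls'... INFECTED
Checking `sniffer'... eth0: PACKET SNIFFER(/usr/sbin/tcpdump[4242])
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: Warning: Possible LKM Trojan installed
Checking `z2'... nothing deleted
EOF
)

# Findings already investigated on this host, one fixed string per line.
# This value is a hypothetical allowlist entry for a sniffer that is supposed
# to be running; leave ALLOWLIST empty to report everything.
ALLOWLIST='PACKET SNIFFER(/usr/sbin/tcpdump'

# Keep only lines that report a finding. Besides "INFECTED", chkrootkit marks
# a promiscuous interface with "PACKET SNIFFER" and LKM checks with "Warning".
# "not infected" is lower case and never matches the upper-case pattern.
findings() {
    grep -E 'INFECTED|PACKET SNIFFER|Warning'
}

# Drop any line containing one of the ALLOWLIST strings (substring match,
# no regex), so brackets or dots in a path cannot accidentally widen it.
filter_allowed() {
    awk -v allow="$ALLOWLIST" '
        BEGIN { n = split(allow, a, "\n") }
        {
            for (i = 1; i <= n; i++)
                if (a[i] != "" && index($0, a[i]) > 0) next
            print
        }'
}

# Lines that should reach the admin, read from stdin.
report() {
    findings | filter_allowed
}

# Number of reportable lines. awk is used so an empty result prints "0" with
# exit status 0 (grep -c exits non-zero when nothing matches).
count_findings() {
    report | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample. For a real check, pipe the
# tool instead:  /usr/local/chkrootkit/chkrootkit | report
printf '%s\n' "$SAMPLE" | report
```

Feed `report` into `mail -s ...` from cron the same way the script above does; the allowlist is what keeps a known, accepted finding from paging someone every night while still reporting anything new.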