
Rootkit Hunter (RKH)


Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (and UNIX clones) for the presence of rootkits and other unwanted tools. You can use RKH along with chkrootkit to routinely check your system for possible infestation. You can update the database and scan your system manually, or you can use a cron script like this:

#!/bin/sh

( /usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run' root

For Linux systems, if the script is saved in the /etc/cron.daily directory, then the system will automatically run it once per day.

Alternatively, the rkhunter command can be added directly to your root crontab. For example:

30 5 * * * /usr/local/bin/rkhunter -c --cronjob

Rootkit Hunter will now run at 5:30 (AM).

[Screenshots: Rootkit Hunter in action]



Check for Listening Services


One of the first things that should be done after a fresh operating system install is to see what services are running, and remove any unneeded services from the system startup process. You could use a port scanner (such as nmap ) and run it against the host, but if one didn’t come with the operating system install, you’ll likely have to connect your fresh (and possibly insecure) machine to the network to download one. Also, nmap can be fooled if the system is using firewall rules. With proper firewall rules, a service can be completely invisible to nmap unless certain criteria (such as the source IP address) also match. When you have shell access to the server itself, it is usually more efficient to find open ports using programs that were installed with the operating system. One program that will do what we need is netstat, a program that will display various network-related information and statistics.

To get a list of listening ports and their owning processes under Linux, run this:
[screenshot: the netstat command and its output]

From the output, you can see that this machine is probably a workstation, since it just has a DHCP client running along with an SSH daemon for remote access. The ports in use are listed after the colon in the Local Address column (68 for dhclient).

Unfortunately, the BSD version of netstat does not let us list the processes and the process IDs (PIDs) that own the listening port. Nevertheless, the BSD netstat command is still useful for listing the listening ports on your system.

To get a list of listening ports under FreeBSD, run this command:
[screenshot: the netstat command and its output]

The ports in use are listed in the Local Address column. Many have memorized the common port numbers for popular services, and can see that this server is running SSH, SMTP, DNS, IMAP, and IMAP+SSL services. If you are ever in doubt about which services typically run on a given port, either eliminate the -n switch from netstat (which tells netstat to use names but can take much longer to run when looking up DNS addresses) or manually grep the /etc/services file:
[screenshot: grep of /etc/services]

For most other Unix-like operating systems you can use the lsof utility (http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/lsof/). lsof is short for “list open files” and, as the name implies, allows you to list files that are open on a system, in addition to the processes and PIDs that have them open. Since sockets and files work the same way under Unix, lsof can also be used to list open sockets. This is done with the -i command-line option.

To get a list of listening ports and the processes that own them using lsof, run this command:

# lsof -i -n | egrep 'COMMAND|LISTEN'

[ Taken from the Book: Network Security Hacks ]
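The netstat and /etc/services steps above can be turned into a repeatable audit: parse the listener table, name each port the way a grep of /etc/services would, and report anything that is not on the host's allowlist. This is an added example (not from the book or the post); the sample netstat output, the /etc/services subset and the EXPECTED allowlist are constructed for illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `netstat -luntp` output on Linux (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1213/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1350/master
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      2718/ircd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           802/dhclient
"""

# Constructed subset of /etc/services, used to name ports the way `grep /etc/services` would.
SERVICES = {("tcp", 22): "ssh", ("tcp", 25): "smtp", ("udp", 68): "bootpc", ("tcp", 6667): "ircd"}

# Hypothetical allowlist for this host: a workstation should only have sshd and dhclient.
EXPECTED = {("tcp", 22), ("udp", 68)}

# proto, recv-q, send-q, local addr:port, foreign addr, optional LISTEN state, pid/program
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")

def parse_netstat(text: str) -> List[Dict]:
    """One record per listening socket; header lines and unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port, pidprog = m.groups()
        pid, _, prog = pidprog.partition("/")
        records.append({"proto": proto.rstrip("6"), "addr": addr, "port": int(port),
                        "pid": int(pid) if pid.isdigit() else None,   # "-" when not run as root
                        "program": prog or pidprog,
                        "scope": "loopback" if addr.startswith(("127.", "::1")) else "all"})
    return records

def unexpected_listeners(records: List[Dict], expected: Set[Tuple[str, int]] = EXPECTED) -> List[Dict]:
    """Listening sockets outside the allowlist, annotated with their /etc/services name."""
    return [{**r, "service": SERVICES.get((r["proto"], r["port"]), "unknown")}
            for r in records if (r["proto"], r["port"]) not in expected]

if __name__ == "__main__":
    for f in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{f['proto']}/{f['port']:<5} {f['service']:<8} {f['program']} "
              f"(pid {f['pid']}, bound on {f['scope']})")
```

On a real host, feed it the output of netstat -luntp run as root; a loopback-only listener (such as the SMTP daemon above) is lower risk than one bound on all interfaces, so the scope field is worth reading alongside the port.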



6 Important Logfiles Stored in /var/log Directory


There are many log files on Linux systems, but we will outline six that are most important.

  1. /var/log/cups/ - This directory stores the log files for the printing system CUPS.
  2. /var/log/news/ - This directory stores messages for the news system.
  3. /var/log/boot.msg - When the system boots, all boot script messages are displayed on the first virtual console. This often happens so fast that you cannot read all the messages. You can, however, read the boot messages, including the output from the start scripts of services, in this file. You can display messages from the kernel during the boot procedure later with the command dmesg (/bin/dmesg).
  4. /var/log/mail - Messages from the mail system are written to this file. Because this system often generates a lot of messages, there are additional log files:
     /var/log/mail.err
     /var/log/mail.info
     /var/log/mail.warn
  5. /var/log/wtmp - This file contains information about which user was logged in, from where, and for how long (since the file was created). The file's contents are in binary form and can only be displayed with the command last (/usr/bin/last). Because of the binary format, it is difficult to manipulate entries in this file.
  6. /var/log/lastlog - This file contains information about each user's last login, from where, and for how long. You can view the contents of this file with the command lastlog.



6 Ways to Monitor Login Activity from the Command Line


One of the crucial tasks you have as an administrator is to make sure that there is no suspicious activity on the system that might compromise security.
Monitoring tasks include evaluating login activity for signs of a security breach, such as multiple failed logins.

To monitor login activity, you can use the following six commands.

  1. who. This command shows who is currently logged into the system and information such as the time of the last login. You can use options such as -H (display column headings), -r (current runlevel), and -a (display information provided by most options).
     For example, entering who -H returns the following:
     [screenshot: output of who -H]
  2. w. This command displays information about the users currently on the machine and their processes.
     The first line includes information about the current time, how long the system has been running, how many users are currently logged on, and the system load average for the past 1, 5, and 15 minutes. Below the first line is an entry for each user that displays the login name, the tty name, the remote host, login time, idle time, JCPU, PCPU, and the command line of the user's current process.
     You can use options such as -h (don't display the header), -s (don't display the login time, JCPU, and PCPU), and -V (display version information).
     For example, entering w returns the following:
     [screenshot: output of w]
  3. finger. This command displays information about local and remote system users. By default, the following information is displayed about each user logged into the local host: login name, user's full name, associated terminal name, idle time, and login time. You can use the options -l (long format) and -s (short format).
     For example, entering finger -s returns the following:
     [screenshot: output of finger -s]
  4. last. This command displays a listing of the last logged-in users. last searches back through the file /var/log/wtmp (or the file designated by the option -f) and displays a list of all users logged in (and out) since the file was created. You can use options such as -num (where num is the number of lines to display), -a (display the hostname in the last column), and -x (display system shutdown entries and runlevel changes).
     For example, entering last -ax returns the following:
     [screenshot: output of last -ax]
  5. lastlog. This command formats and prints the contents of the last log file (/var/log/lastlog). The login name, port, and last login time are displayed. You can use options such as -u login_name (display information for designated users only) and -h (display a one-line help message).
     For example, entering lastlog returns the following:
     [screenshot: output of lastlog]
  6. faillog. This command formats and displays the contents of the failure log (/var/log/faillog) and maintains failure counts and limits. You can use options such as -u login_name (display information for designated users only) and -p (display in UID order).
     For example, entering faillog returns the following:
     [screenshot: output of faillog]
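Both the description of /var/log/wtmp above (binary, readable only with last) and the last command in item 4 rest on the same on-disk record format. The following added example (not part of the original posts) decodes wtmp records directly and pairs logins with logouts the way last does, which is useful when reviewing a copied wtmp from another host where last is not available. It assumes glibc's struct utmp layout on x86-64 (384-byte records); other libcs and architectures differ. The records, user names and addresses are constructed sample data.

```python
import struct
from datetime import datetime, timezone

# glibc struct utmp on x86-64: 384 bytes per record (assumption; other libcs/arches differ).
# fields: ut_type, pad, ut_pid, ut_line, ut_id, ut_user, ut_host, exit(2), session,
#         tv_sec, tv_usec, addr_v6[4], unused[20]
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8   # ut_type values written for a login and a logout

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data: bytes) -> list:
    """Decode every record in a wtmp blob into a dict (type, pid, line, user, host, time)."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]), "user": _cstr(f[4]),
                     "host": _cstr(f[5]), "time": datetime.fromtimestamp(f[9], timezone.utc)})
    return recs

def sessions(recs: list) -> list:
    """Pair each login with the logout on the same tty, as `last` does.
    Returns (user, host, login time, duration); duration is None if still logged in."""
    open_by_line, out = {}, []
    for r in sorted(recs, key=lambda r: r["time"]):
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["host"], s["time"], r["time"] - s["time"]))
    out.extend((s["user"], s["host"], s["time"], None) for s in open_by_line.values())
    return out

def make_record(utype: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Pack one record; used here only to construct sample data offline."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(), host.encode(),
                       0, 0, 0, ts, 0, 0, 0, 0, 0)

# Constructed sample: alice on pts/0 from 203.0.113.7, 10:00-10:45 UTC; bob on pts/1 still logged in.
SAMPLE_WTMP = (make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.7", 1700042400)
               + make_record(USER_PROCESS, 4300, "pts/1", "bob", "203.0.113.9", 1700043000)
               + make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700045100))

if __name__ == "__main__":
    for user, host, start, dur in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(f"{user:<8} {host:<15} {start:%Y-%m-%d %H:%M}  {'still logged in' if dur is None else dur}")
```

Against a real file, replace SAMPLE_WTMP with open("/var/log/wtmp", "rb").read() and compare the result with last -ax; a mismatch in record count is the first sign that the struct layout assumed here does not match the host.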


