Tuesday, March 16, 2010

How to configure rsyslog for basic remote logging

 1.How to enable a basic remote logging via  TCP port.
Step 1 (of course you need at least one rsyslog server an one client)
What to do on the server machine to recive rsyslog messages

sudo nano /etc/rsyslog.conf

If the following lines exist uncomment them if not add them:

$ModLoad imtcp
$InputTCPServerRun 10512

Save the file and exit.

Step 2 - restart rsyslog service like this:

sudo service rsyslog restart

Step 3 - the client side
Edit the rsyslog file like this:

sudo nano /etc/rsyslog.conf 

After all the rules in there you add this lines:
*.*   @@
# if you need to forward to other systems as well, just
# add additional config lines:
*.*   @@other-server.example.net:10512

Save and exit.Restart rsyslog like I showd you in Step 2.

Note that rsylog messages from the client will be writen in the same files as your local log.


How to find if your system is infected with a rootkit

Fo that you must install a program named chkrootkit:

sudo aptitude install chkrootkit

How to use?

sudo chkrootkit

If it finds any rootkits except at firmware or hypervisor level it will let you know.For more info on what is a rootkit read this link.

Wednesday, March 3, 2010

How to verifyi the integrity of critical files on a Linux system

AIDE is the name file integrity verification is the game :)

The Advanced Intrusion Detection Environment (AIDE) is a free replacement for the popular file integrity verification tool known as Tripwire. It creates a database from regular expression rules that it finds in a configuration file. Once this database is initialized, it can be used to verify the integrity of critical system and user files. AIDE uses most of the popular message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) for checking file integrity. Additional algorithms may also be easily added. All of the traditional file system attributes may be checked for inconsistencies as well.

1.How to install AIDE

sudo aptitude install aide (yum install aide.x86_64 on fedora)

2.How to configure AIDE

AIDE has 2 configuration files and one folder:

/etc/default/aide The AIDE general configuration file.
/etc/aide/aide.conf The AIDE rules configuration file.
/etc/aide/aide.conf.d/ Here is specified what files will AIDE scan and with what rules.

or if you are on fedora linux  there is only one file :

/etc/aide.conf The AIDE configuration file.

3.How to use AIDE

First you must check to see if AIDE's database is present

cd /var/lib/aide
ls -ltr

If you see the file aide.db in the output of the ls command or the directory is empty, then proceed to the initialization step. If, instead, you see the file aide.db.new, then you need to rename the aide.db.new file to aide.db using this command:

sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

If there is no database you must initialize AIDE like this:

sudo aide.wrapper --init  (or if this doesen't work try aide --init if you are on fedora linux)

Now you are ready to do an initial check on files and folders of your system like this:

sudo aide.wrapper --check (or aide --check if you are on fedora)

If all is well in the directories, and files being monitored, you will see this message when the check completes:

### All files match AIDE database. Looks okay!
If not you will see the files that have changed from last time you ran AIDE.

4.If you modify any aide configuration  file on ubuntu you must run the update-aide-conf  for the configuration changes to take effect:

sudo update-aide-conf

Note : On ubuntu AIDE  is very well configured and is aded as a cron job to be run daily with the update parameter.
It is also wise to copy  /var/lib/aide/aide.db on a  usb stick or on some safe external support and copy it back to your sistem when you want to check for system changes.

Tuesday, March 2, 2010

How to set default password expiry for all new users

There is a file in etc named login.defs where you can specify your options
1.Open the file with your favorite editor:

sudo nano /etc/login.defs

2.Search for the following lines:

PASS_MAX_DAYS   99999  (maximun days before password expires)
PASS_MIN_DAYS   0           (minimum days before the password can be changed)
PASS_MIN_LEN    5            (minimum password lenght)
PASS_WARN_AGE   7          (expiration warning how many days before your password will expire)

Edit them to your likeing and save the file.There are many moore options you can set in this file.For more detail type :

man login.defs

What is passwd and how to use it

 The passwd ulility is a must know utility for manageing users passwords.

passwd [-k] [-l] [-u [-f]] [-d] [-n mindays] [-x maxdays] [-w warndays] [-i inactivedays] [-S] [--stdin] [username]

-k The option -k, is used to indicate that the update should only
be for expired authentication tokens (passwords); the user
wishes to keep their non-expired tokens as before.

-l This option is used to lock the specified account and it is
available to root only. The locking is performed by rendering
the encrypted password into an invalid string (by prefixing the
encrypted string with an !).

This option is used to indicate that passwd should read the new password from standard input, which can be a pipe.

-u This is the reverse of the -l option - it will unlock the
account password by removing the ! prefix. This option is avail-
able to root only. By default passwd will refuse to create a
passwordless account (it will not unlock an account that has
only "!" as a password). The force option -f will override this

-d This is a quick way to delete a password for an account. It will set the named account passwordless. Available to root only.

-n This will set the minimum password lifetime, in days, if the
user’s account supports password lifetimes. Available to root

-x This will set the maximum password lifetime, in days, if the
user’s account supports password lifetimes. Available to root

-w This will set the number of days in advance the user will begin
receiving warnings that her password will expire, if the user’s
account supports password lifetimes. Available to root only.

-i This will set the number of days which will pass before an
expired password for this account will be taken to mean that the
account is inactive and should be disabled, if the user’s
account supports password lifetimes. Available to root only.

-S This will output a short information about the status of the
password for a given account. Available to root user only.


1.Change your current password.Open a shell and type:


2. How to lock an accont

passwd -l john

3.How to set the minimum and the maximum time before a password must be change + a warning to the user set to warn him about 7 days before expiration time.

passwd -n 4 -x 120 -w 7

4.How to see a users configuration

passwd -S john 
john PS 2010-02-23 4 120 7 -1 (Password set, SHA512 crypt.)

- you can see if the account has a password(PS), creation date,minimum password age(4),maximum password age(120),warning day (7),time before the account is rendered inactive after the password has expired (-1 means instantly)