Koozali.org: home of the SME Server

Contrib Feedback: Root Kit Hunter

lee

Contrib Feedback: Root Kit Hunter
« Reply #15 on: August 11, 2004, 09:23:29 PM »
I've just be trying the rkhunter and it's great, thanks Duncan.  Just a couple of points though.

Duncan you have included in your rpm /usr/local/rkhunter/lib/rkhunter/tmp/group and
/usr/local/rkhunter/lib/rkhunter/tmp/passwd which contain a copy of the passwd and group files on your server so the first time rkhunter is run it reports spurious changes.  If these files are omitted then rkhunter just builds the files first time it runs without reporting changes.

Secondly rkhunter doesn't recognise the distribution correctly and so all the md5 checks are skipped, thus defeating one of its main features.  This is because 5.6 lacks an /etc/redhat-release file and 6.x has an /etc/redhat-release file but with non-standard text.  rkhunter can be patched to recognise 5.6+ smeserver as RH7.3 fairly easily.  Paste the code below into a file (say /tmp/rkhunter.patch):
Code:

--- /usr/local/bin/rkhunter     Wed Aug 11 19:26:43 2004
+++ /usr/local/bin/rkhunter.new Wed Aug 11 19:29:51 2004
@@ -1704,6 +1704,13 @@
            fi
        fi

+       # smeserver / e-smith is a RH7 based distro so pretend we saw RH7.3
+       if [ -e "/etc/e-smith-release" ]
+         then
+           full_osname='Red Hat Linux release 7.3 (Valhalla)'
+           valid_os='1'
+           logtext "Info: Found /etc/e-smith-release"
+       fi

        # Debian?
        if [ -e "/etc/debian_version" ]
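Review bot: the added block and the `# Debian?` check that follows it are independent `if` statements, so on a host that happened to have both /etc/e-smith-release and /etc/debian_version the later block would overwrite `full_osname` and `valid_os`; consider chaining the checks with `elif` or guarding the later ones on `valid_os` so the e-smith detection wins. The block also maps every SME release to the RH7.3 string regardless of what /etc/e-smith-release contains, which is the intent stated in the post but is worth a comment beside `full_osname=` so a later reader knows 5.6 and 6.x both deliberately map to 7.3.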

Then enter
Code:
patch -p0 </tmp/rkhunter.patch

rkhunter should now run md5 checks correctly.

Thirdly just a note to get rkhunter to give a totally clean bill of health you need to disable the older and insecure ssh version 1 connections.  Most reasonably up to date clients default to version 2 anyway so disabling version 1 shouldn't cause any problems.

Code:
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
echo "Protocol 2" > /etc/e-smith/templates-custom/etc/ssh/sshd_config/20Protocol
/sbin/e-smith/expand-template /etc/ssh/sshd_config
/sbin/service sshd reload


rkhunter should now run without reporting any warnings allowing a lazy admin to just check the bottom of the report for "Some errors has been found while checking. Please perform a manual check on this machine xxxx" if anything does happen.

duncan

Contrib Feedback: Root Kit Hunter
« Reply #16 on: August 12, 2004, 12:48:46 AM »
Oops, I really should pull my finger out and do something about my buildroot. Fancy shipping an rpm with my usernames and groups.

Thanks for the tip on the patch. I have built, patched and uploaded 1.1.5.1. I should really talk to the USA guys about modifying their script for automatic updates.

A question to those using this. Would you prefer to see an email notification that results from

/usr/local/bin/rkhunter --cronjob --quiet | /bin/mail admin

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #17 on: August 12, 2004, 11:35:38 AM »
Hi guys,

I've gone for the lazy admin option of:
Code:
#!/usr/bin/perl -w
#
# Run a rkhunter scan and email admin if something interesting found
#
use strict;
use Sys::Hostname;                 # fallback: HOSTNAME is usually unset under cron
use constant TRUE         => 1;
use constant FALSE        => not TRUE;
use constant SUBJECT      => ($ENV{HOSTNAME} || hostname()).' weekly rkhunter check';
use constant EMAIL        => 'admin';
use constant ONLY_ON_FAIL => TRUE;
use constant FULL_REPORT  => TRUE;
# --quiet drops the clean-result lines; FULL_REPORT keeps the whole report
my $command='/usr/local/bin/rkhunter --cronjob'.(FULL_REPORT?'':' --quiet');
# backticks run the command and capture its output (a plain assignment would only copy the string)
my $results=`$command`;
if(not ONLY_ON_FAIL or $results=~/warning/i){
        open(OUTPUT,'|/bin/mail -s "'.SUBJECT.'" '.EMAIL)
                or die "$0: Can't send email $?";
        print OUTPUT $results;
        close(OUTPUT);
}

So I'm only sent an email if there is anything wrong but when it does email it sends the whole report for me to look through.  One advantage is that once you have rkhunter running clean you can move the script from a weekly check up to a more frequent scan, daily or even hourly depending on your degree of paranoia, giving a faster notification of a potential security problem.

Regards,
Lee

mdo
Contrib Feedback: Root Kit Hunter
« Reply #18 on: August 13, 2004, 10:19:53 PM »
Re: md5 checks

Thanks Lee and Duncan for the updates but I suspect that (even with the latest version 1.1.5) md5 checks are not working here?

Rootkit Hunter 1.1.5 is running
Determining OS... Ready
Checking binaries
....
- Scan results --

MD5
MD5 compared: 0
Incorrect MD5 checksums: 0

Lee
from your patch
logtext "Info: Found /etc/e-smith-release"

is this info going into the rkhunter's logfile (email)? I cannot find that.

cat /etc/e-smith-release
SME Server 6.0.1-01

so this file does exist.

Any ideas?

Thanks,
Michael
...

lee

Contrib Feedback: Root Kit Hunter
« Reply #19 on: August 16, 2004, 12:07:08 PM »
Well they do kinda work but ...

When rkhunter does its md5 checks it does two sets of checks, one against a white list of programs that should match a set of good program checksums, the other against a black list of known bad program checksums that are placed on the system by rootkits.  There are sets of white/black lists per operating system / distribution.  Neither RH7 nor SME have a white list of good MD5 checksums so that is why you get "MD5 compared: 0" appearing at the end; rkhunter has successfully scanned down an empty list!  rkhunter does however scan system files against the MD5 checksums of known rootkit hacked versions for RH7 (1.1.4 with my patch or version 1.1.5 onwards).

The "Info: Found /etc/e-smith-release" line does go into the logfile but rkhunter only writes to its logfile (default: /var/log/rkhunter.log) if the program is run with the '--createlogfile' option (rkhunter --help gives the syntax breakdown).
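As an added illustration of the two comparisons described above (this is not rkhunter's own code; the file contents, white lists and black list are constructed sample data), the following shows why an empty white list yields "MD5 compared: 0" while the black-list scan still flags a rootkit-replaced binary:

```python
import hashlib
from typing import Dict, List

# Constructed sample binaries (path -> contents) standing in for real files.
SAMPLE_FILES: Dict[str, bytes] = {
    "/bin/ls": b"genuine ls",
    "/bin/ps": b"trojaned ps",
    "/usr/bin/netstat": b"genuine netstat",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed per-distribution white lists of known-good checksums.
# The RH7.3 entry is empty, as the post describes for RH7/SME.
WHITELIST: Dict[str, Dict[str, str]] = {
    "Red Hat Linux release 7.3 (Valhalla)": {},
    "Example OS with white list": {
        "/bin/ls": md5_hex(b"genuine ls"),
        "/usr/bin/netstat": md5_hex(b"genuine netstat"),
    },
}

# Constructed black list: checksum of a rootkit-replaced binary -> rootkit name.
BLACKLIST: Dict[str, str] = {md5_hex(b"trojaned ps"): "example-rootkit"}

def scan(osname: str, files: Dict[str, bytes]) -> Dict[str, object]:
    """Run both comparisons and return counts in the shape of rkhunter's
    '- Scan results --' block, plus any black-list hits."""
    good = WHITELIST.get(osname, {})
    compared = incorrect = 0
    hits: List[str] = []
    for path, data in files.items():
        digest = md5_hex(data)
        if path in good:                    # white-list check: only listed files count
            compared += 1
            if good[path] != digest:
                incorrect += 1
        if digest in BLACKLIST:             # black-list check: runs for every file
            hits.append(f"{path}: {BLACKLIST[digest]}")
    return {"MD5 compared": compared,
            "Incorrect MD5 checksums": incorrect,
            "Rootkit checksum hits": hits}

if __name__ == "__main__":
    for os_name in WHITELIST:
        print(os_name, scan(os_name, SAMPLE_FILES))
```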

mdo
Contrib Feedback: Root Kit Hunter
« Reply #20 on: August 16, 2004, 12:38:50 PM »
Many thanks for the clarification and your help Lee, everything works as explained (ver 1.1.5 here, used the createlogfile option).

Regards,
Michael
...

duncan

Contrib Feedback: Root Kit Hunter
« Reply #21 on: August 16, 2004, 12:56:16 PM »
Hi all,

I think I will make use of the perl script and go to a daily run on the next release. It will mean adding the ssh template - but I can't see that as being a drama.

Thanks Lee for the additions - they clean things up nicely.

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #22 on: August 19, 2004, 10:48:05 AM »
Michael is hard at work with another new version of rkhunter (1.1.6) available at http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.1.6.tar.gz.  It seems to run fine on 6.0.1 (once patched for sme) although it reports an increasing number of programs - GnuPG, Apache, OpenSSL and ProFTPd - as vulnerable and needing upgrading to later versions to avoid being security holes.  Guess I'll hide that bit from the suits until I've had a chance to source and test some upgrade rpms :-( .

Lee

lee

Contrib Feedback: Root Kit Hunter
« Reply #23 on: August 19, 2004, 11:50:27 AM »
Also I note that the --update option seems to have been fixed and as long as /usr/local/etc/rkhunter.conf has lines:  
    LATESTVERSION=/rkhunter_latest.dat
    UPDATEFILEINFO=/rkhunter_fileinfo.dat
(upgrading seemed to preserve a version of the conf file that didn't have this leading to errors during update). I've updated that little perl script to run an update before checking the system.

Code:
#!/usr/bin/perl -w
#
# Run a rkhunter scan and email admin if something interesting found
#
use strict;
use Sys::Hostname;                 # fallback: HOSTNAME is usually unset under cron
use constant TRUE         => 1;
use constant FALSE        => not TRUE;
use constant SUBJECT      => ($ENV{HOSTNAME} || hostname()).' daily rkhunter check';
use constant EMAIL        => 'admin';
use constant ONLY_ON_FAIL => TRUE;
use constant FULL_REPORT  => TRUE;
use constant UPDATE       => TRUE;
if(UPDATE){
        # refresh the rkhunter data files first; discard both stdout and stderr
        system('/usr/local/bin/rkhunter --update >/dev/null 2>&1');
}
# --quiet drops the clean-result lines; FULL_REPORT keeps the whole report
my $command='/usr/local/bin/rkhunter --cronjob'.(FULL_REPORT?'':' --quiet');
# backticks run the command and capture its output (a plain assignment would only copy the string)
my $results=`$command`;
if(not ONLY_ON_FAIL or $results=~/warning/i){
        open(OUTPUT,'|/bin/mail -s "'.SUBJECT.'" '.EMAIL)
                or die "$0: Can't send email $?";
        print OUTPUT $results;
        close(OUTPUT);
}


Lee

duncan

Contrib Feedback: Root Kit Hunter
« Reply #24 on: August 20, 2004, 12:48:52 AM »
I have added 1.1.6 to the directory.

It now uses the above script (cheers and beers for Lee) on a daily basis and adds an ssh template fragment to disable ssh V1 connections.

rpm -e to remove the weekly script
rpm -ivh to install the new package

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #25 on: August 20, 2004, 01:20:50 PM »
Hi Duncan,

Tried out your latest rpm on a couple of machines and it all works great (5.6/6.0.1).  Thanks for all your work.

Lee

lee

Contrib Feedback: Root Kit Hunter
« Reply #26 on: August 30, 2004, 02:58:52 PM »
Hi all,

There is a new version of the rootkit hunter code (1.1.7) available from the freshmeat site http://freshmeat.net/redir/rkhunter/46074/url_tgz/rkhunter-1.1.7.tar.gz.  I patched the program for sme and it seems to run fine.  The new version checks for passwordless logins as well as extra rootkits.

Regards,
Lee.

dilligaf
assistance to determine if I can change these pkg
« Reply #27 on: August 30, 2004, 05:30:14 PM »
Hi,
I ran the latest rkhunter.
Under the Application version scan I was presented with the following:
GnuPG 1.0.7 Vulnerable http://www.gnupg.org/
Apache 1.3.27 Vulnerable http://www.apache.org/
OpenSSL 0.9.6b Vulnerable http://www.openssl.org/
ProFTPd 1.2.9 Vulnerable http://www.proftpd.org/
I am on SME 6.0.1.
Should I change these pkgs, do I just get the latest from the sites I have appended to the vulnerability?
Assistance greatly appreciated.
Dan

duncan

Contrib Feedback: Root Kit Hunter
« Reply #28 on: September 01, 2004, 12:51:45 AM »
I have updated to 1.1.7.1.

Regards Duncan

lee

Contrib Feedback: Root Kit Hunter
« Reply #29 on: September 01, 2004, 09:07:37 PM »
Hi Dan,

You could have a go at upgrading those applications although I'd work on a development not on a production machine at first if I were you (I note that for ProFTPd SME is using the current production release of the code and 1.2.10 is a development version, though it does contain a bug fix that would seem to affect SME security if I'm reading the advisory correctly, cuz SME does use CIDRs in defining local networks which is where the bug creeps in).

There is now an SME security team and an updates team forming on contribs.org (http://forums.contribs.org/index.php?topic=23856.0) and it's likely that these kinds of updates will be addressed shortly or if you are doing the upgrading work anyway you could consider joining one of those groups and contributing your updates of the standard packages.


Duncan,
Your rpm works well here, thanks again.

Regards,
Lee