Chkrootkit-Portsentry-Howto
Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 03/15/2004
This document describes how to install chkrootkit and portsentry. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems.
Chkrootkit "is a tool to locally check for signs of a rootkit" (from http://www.chkrootkit.org).
"The Sentry tools provide host-level security services for the Unix platform. PortSentry, Logcheck/LogSentry, and HostSentry protect against portscans, automate log file auditing, and detect suspicious login activity on a continuous basis" (from http://sourceforge.net/projects/sentrytools/).
This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in a lot of other documents on the web.
This document comes without warranty of any kind!
1 Get the Sources
We need the following software: chkrootkit, portsentry and logcheck.
We will install the software from the /tmp directory.
cd /tmp
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/sentrytools/portsentry-1.2.tar.gz
wget http://heanet.dl.sourceforge.net/sourceforge/sentrytools/logcheck-1.1.1.tar.gz
2 Install Chkrootkit
mv chkrootkit.tar.gz /usr/local/
cd /usr/local/
tar xvfz chkrootkit.tar.gz
ln -s chkrootkit-0.43/ chkrootkit
(replace 0.43 with the right version number)
cd chkrootkit/
make sense
You will now find the chkrootkit program under /usr/local/chkrootkit. Run it by typing
cd /usr/local/chkrootkit/ && ./chkrootkit
Your output will look something like this:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not infected
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl/5.6.1/auto/Test/Harness/.packlist /usr/lib/perl/5.6.1/auto/DB_File/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
eth0:1: not promisc and no PF_PACKET sockets
eth0:2: not promisc and no PF_PACKET sockets
eth0:3: not promisc and no PF_PACKET sockets
eth0:4: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... nothing deleted
If a worm, rootkit, etc. is found this is indicated by the string INFECTED (in capital letters).
If you want to get the output of chkrootkit once a day per email at 3 am you can put the following line in root's cron file (the location depends on your distribution; under Debian it is /var/spool/cron/crontabs/root; you might also find it under /var/spool/cron/tabs/root or something similar):
0 3 * * * (cd /usr/local/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" me@myself.tld)
Then run
chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart
3 Install Portsentry
cd /tmp
tar xvfz portsentry-1.2.tar.gz
cd portsentry_beta/
make linux
make install
Portsentry will be installed to /usr/local/psionic/portsentry/.
Edit /usr/local/psionic/portsentry/portsentry.conf and specify the ports you want portsentry to protect:
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,[...]"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,[...]"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,[...]"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,[...]"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,[...]"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
These should be ports that are not in use on the system. E.g., if you use IMAP (port 143 TCP) on the server you should remove 143 from the list above. The rest of portsentry.conf is well commented, but normally the default values should work.
Now we need to create an init script for portsentry (/etc/init.d/portsentry). We will run portsentry in advanced stealth mode as it is the most powerful way to detect portscans:
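As an added example that is not part of the original howto, the rule just stated done by script: it compares a TCP_PORTS or UDP_PORTS value with what netstat -ltn / netstat -lun reports and prints the list with the in-use ports removed. It assumes netstat's usual column layout; the netstat sample is constructed, the port lists are the first entries of the excerpt above, and portsentry_prune is a name chosen here.

```sh
#!/bin/sh
# Added example, not part of the original howto: compare the port list you give
# portsentry with the ports the host already listens on. The rule above is that
# portsentry must only get unused ports (IMAP on 143 means 143 leaves the list);
# this does that check from "netstat -ltn" / "netstat -lun" output. Assumptions:
# netstat's column layout as in the sample; the sample output is constructed.
# Usage: portsentry_prune tcp|udp "<TCP_PORTS or UDP_PORTS value>" < netstat-output
# Prints the list with in-use ports removed; exit status 1 if anything was removed.
portsentry_prune() {
    proto=$1; wanted=$2
    # column 4 is the local address; the port is whatever follows the last ":"
    listening=$(awk -v p="$proto" '$1 ~ "^" p { n = split($4, a, ":"); print a[n] }' | sort -un)
    keep=""; rc=0
    for port in $(printf '%s\n' "$wanted" | tr ',' ' '); do
        inuse=0
        for l in $listening; do
            if [ "$port" -eq "$l" ]; then inuse=1; fi
        done
        if [ "$inuse" -eq 1 ]; then
            echo "$proto port $port is already in use here, dropping it from the list" >&2
            rc=1
        else
            keep="${keep:+$keep,}$port"
        fi
    done
    printf '%s\n' "$keep"
    return $rc
}

# Constructed "netstat -ltn"-style sample: ssh, IMAP and the portmapper are up.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp6       0      0 :::111                  :::*                    LISTEN
udp        0      0 0.0.0.0:69              0.0.0.0:*
EOF
)
# The first entries of the "just want to be aware" lists from portsentry.conf above.
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700"
# On a real host: netstat -ltn | portsentry_prune tcp "$TCP_PORTS" (status 1 = edit the conf)
printf '%s\n' "$SAMPLE_NETSTAT" | portsentry_prune tcp "$TCP_PORTS" || true
printf '%s\n' "$SAMPLE_NETSTAT" | portsentry_prune udp "$UDP_PORTS" || true
```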
#!/bin/bash
# Init script for portsentry: one process in advanced stealth mode for TCP, one for UDP.
case "$1" in
start)
    echo "Starting Portsentry..."
    # start the TCP watcher only if it is not already running
    ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry -atcp' | grep -iv 'grep' > /dev/null
    if [ $? != 0 ]; then
        /usr/local/psionic/portsentry/portsentry -atcp
    fi
    # same for the UDP watcher
    ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry -audp' | grep -iv 'grep' > /dev/null
    if [ $? != 0 ]; then
        /usr/local/psionic/portsentry/portsentry -audp
    fi
    echo "Portsentry is now up and running!"
    ;;
stop)
    echo "Shutting down Portsentry..."
    # collect the PIDs of all running portsentry processes and kill them one by one
    array=(`ps ax | grep -iw '/usr/local/psionic/portsentry/portsentry' | grep -iv 'grep' \
    | awk '{print $1}' | cut -f1 -d/ | tr '\n' ' '`)
    element_count=${#array[@]}
    index=0
    while [ "$index" -lt "$element_count" ]
    do
        kill -9 ${array[$index]}
        let "index = $index + 1"
    done
    echo "Portsentry stopped!"
    ;;
restart)
    $0 stop && sleep 3
    $0 start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit 0
chmod 755 /etc/init.d/portsentry
In order to start portsentry at boot time do the following:
ln -s /etc/init.d/portsentry /etc/rc2.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc3.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc4.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc5.d/S20portsentry
ln -s /etc/init.d/portsentry /etc/rc0.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc1.d/K20portsentry
ln -s /etc/init.d/portsentry /etc/rc6.d/K20portsentry
Now we start portsentry:
/etc/init.d/portsentry start
Please note: If you run portsentry, chkrootkit might complain about an infected bindshell:
Checking `bindshell'... INFECTED (PORTS: 31337)
This is normal and nothing to worry about.
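As an added example that is not part of the original howto, serving both the cron job from section 2 and the note just above: a filter that keeps only the INFECTED lines of a chkrootkit run and, for the bindshell check, drops the ports that appear in portsentry's TCP_PORTS, treating a bindshell hit on those as the expected one. The name chkrootkit_findings and the sample output are constructed here, and limiting the expected hit to ports listed in TCP_PORTS is an assumption of this example, not a statement of the howto.

```sh
#!/bin/sh
# Added example, not part of the original howto: reduce a chkrootkit run to the
# findings worth a mail. Every INFECTED line is reported, except that the
# bindshell check is compared with the ports portsentry is given (TCP_PORTS in
# portsentry.conf): a hit on 31337 is the expected one from the note above.
# Usage: chkrootkit_findings "<TCP_PORTS value>" < chkrootkit-output
# Prints the remaining findings; exit status 0 when there are none, 1 otherwise.
chkrootkit_findings() {
    ps_ports=",$1,"   # wrap in commas so ",143," only matches a whole port number
    found=0
    while IFS= read -r line; do
        case "$line" in
            *INFECTED*) ;;
            *) continue ;;      # "not infected", "not found", "nothing found" etc.
        esac
        case "$line" in
            *bindshell*PORTS:*)
                # pull "31337 1524" out of "INFECTED (PORTS: 31337 1524)"
                ports=$(printf '%s\n' "$line" | sed -n 's/.*PORTS: *\([0-9 ]*\)).*/\1/p')
                left=""
                for p in $ports; do
                    case "$ps_ports" in
                        *",$p,"*) ;;              # listed for portsentry: expected
                        *) left="$left $p" ;;     # something else owns this port
                    esac
                done
                if [ -z "$left" ]; then continue; fi
                line="bindshell: INFECTED (PORTS:$left) - not bound by portsentry"
                ;;
        esac
        printf '%s\n' "$line"
        found=1
    done
    [ "$found" -eq 0 ]
}
# TCP_PORTS from the portsentry.conf excerpt above, without the trailing "[...]".
PORTSENTRY_TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337"
# Constructed sample (not a real chkrootkit run): a clean check, the expected
# portsentry bindshell hit, and one genuine INFECTED result.
SAMPLE_OUTPUT=$(cat <<'EOF'
Checking `ls'... not infected
Checking `bindshell'... INFECTED (PORTS: 31337)
Checking `ps'... INFECTED
EOF
)
# Run on the sample; in cron, pipe ./chkrootkit 2>&1 in and mail on status 1.
if printf '%s\n' "$SAMPLE_OUTPUT" | chkrootkit_findings "$PORTSENTRY_TCP_PORTS"; then
    echo "chkrootkit: nothing to report"
fi
```

In the cron line from section 2, `./chkrootkit 2>&1 | chkrootkit_findings "$PORTSENTRY_TCP_PORTS" > /tmp/chkrootkit.findings || mail -s "chkrootkit findings" me@myself.tld < /tmp/chkrootkit.findings` sends mail only when a finding remains.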
4 Install Logcheck
cd /tmp
tar xvfz logcheck-1.1.1.tar.gz
cd logcheck-1.1.1/systems/<your system type, e.g. linux>
Now change the variable SYSADMIN in logcheck.sh. SYSADMIN is the person that will receive logcheck's output per email (this can be an email address or a user on the system where you install logcheck):
[...]
# CONFIGURATION SECTION
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.
# Person to send log activity to.
SYSADMIN=me@myself.tld
# Full path to logtail program.
# This program is required to run this script and comes with the package.
LOGTAIL=/usr/local/bin/logtail
[...]
cd ../../
mkdir -p /usr/local/etc/tmp
make <your system type, e.g. linux>
This will install logcheck under /usr/local/etc.
Now we have to create a cron job in order to run logcheck periodically. Edit root's cron file (e.g. /var/spool/cron/crontabs/root, see section 2 "Install Chkrootkit") and enter the following line:
0 3 * * * /usr/local/etc/logcheck.sh
Then run
chmod 600 /var/spool/cron/crontabs/root
/etc/init.d/cron restart
This will invoke logcheck once a day at 3 am. It will now inform you about unusual system events, security violations, system attacks, etc. If your system is exposed directly to the internet you will notice that there is a lot of malicious activity on the internet, and you will get a feeling for why security is very important.
Links
Chkrootkit: http://www.chkrootkit.org/
Portsentry: http://sourceforge.net/projects/sentrytools/