chkrootkit intrusion detection
Installation:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-*
make sense (this compiles it; note there is no ./configure step)
cd ..
cp -r chkrootkit-* /usr/local/chkrootkit (copy the compiled directory to /usr/local/chkrootkit)
rm -rf chkrootkit-* (remove the leftover source tree)
Test:
cd /usr/local/chkrootkit
./chkrootkit | grep INFECTED (if nothing is printed, nothing was reported as INFECTED and all is well)
Running a scan:
In /usr/local/chkrootkit run ./chkrootkit
Automating the scan
cd ~
vi chkrootkit (create a file named chkrootkit and put the following in it)
#!/bin/bash
PATH=/usr/bin:/bin
TMPLOG=`mktemp`
# Run chkrootkit and keep its output in a temporary log
/usr/local/chkrootkit/chkrootkit > $TMPLOG
# Output the log to syslog
cat $TMPLOG | logger -t chkrootkit
# bindshell false positive from SMTPS: chkrootkit lists 465/tcp among its
# bind-shell ports, so a listening SMTPS daemon is reported as INFECTED.
# Drop that line only when 465 is the sole port reported.
sed -i '/bindshell.*INFECTED (PORTS: *465)$/d' $TMPLOG
# If a rootkit has been found, mail root (requires a working mail command)
[ ! -z "$(grep INFECTED $TMPLOG)" ] && \
cat $TMPLOG | mail -s "chkrootkit report in `hostname`" root
rm -f $TMPLOG
chmod 700 chkrootkit
mv chkrootkit /etc/cron.daily/ (move the script into the directory of jobs that cron runs daily)
An intruder who gets in may replace the system commands chkrootkit relies on, so keep backup copies of those commands
cd ~
mkdir /root/commands
cp `which --skip-alias awk cut echo egrep find head id ls netstat ps strings sed uname` /root/commands/
/usr/local/chkrootkit/chkrootkit -p /root/commands|grep INFECTED (test a run that uses the backed-up commands)
For safety, pack and compress the commands, download the archive to your own machine, then delete the copies from the server
cd ~
tar cvf commands.tar commands
gzip commands.tar
After downloading commands.tar.gz to your own machine:
rm -rf commands
If the server-side commands are suspected of having been altered, upload the local commands.tar.gz to the server, extract it, and run
/usr/local/chkrootkit/chkrootkit -p /root/commands|grep INFECTED
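Added example, not part of the original notes and not chkrootkit's own code: a POSIX shell helper that builds the backup directory from the same tool list, records a SHA-256 manifest of the copies, and refuses to run chkrootkit -p against them unless they still match that manifest, so a swapped or tampered backup is noticed before it is trusted. The manifest location DEST.sha256, the find_bin helper and the CHKROOTKIT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example. Assumptions: DEST is the backup directory (the notes use
# /root/commands), the manifest is kept as DEST.sha256, CHKROOTKIT is the binary.
CHKROOTKIT=${CHKROOTKIT:-/usr/local/chkrootkit/chkrootkit}
# The same tool list the notes copy with `which`; chkrootkit reaches it via -p.
TRUSTED_TOOLS="awk cut echo egrep find head id ls netstat ps strings sed uname"

# Locate a real executable file on PATH (skips shell builtins such as echo).
find_bin() (
    IFS=:
    for d in $PATH; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            exit 0
        fi
    done
    exit 1
)

# Copy each tool into DEST and record a SHA-256 manifest of the copies.
# Exit status = number of tools not found (netstat is often absent today).
build_trusted_dir() {
    dest=$1; missing=0
    mkdir -p "$dest"
    for t in $TRUSTED_TOOLS; do
        src=$(find_bin "$t") || { echo "not found: $t" >&2; missing=$((missing + 1)); continue; }
        cp "$src" "$dest/$t"
    done
    (cd "$dest" && sha256sum *) > "$dest.sha256"
    return $missing
}

# Check the copies against the manifest before trusting them: every hash must
# match and no file may have been added or removed since the manifest was made.
verify_trusted_dir() {
    dest=$1; manifest="$dest.sha256"
    [ -f "$manifest" ] || { echo "manifest missing: $manifest" >&2; return 1; }
    [ "$(ls "$dest" | wc -l)" -eq "$(wc -l < "$manifest")" ] || { echo "file count changed in $dest" >&2; return 1; }
    (cd "$dest" && sha256sum -c >/dev/null) < "$manifest" || { echo "hash mismatch in $dest" >&2; return 1; }
}

# Run the scan with -p only after the backed-up tools verify. Returns 0 when
# nothing is INFECTED, 1 when something is, 2 on a bad backup, 3 if chkrootkit failed.
scan_with_trusted() {
    verify_trusted_dir "$1" || return 2
    out=$("$CHKROOTKIT" -p "$1") || return 3
    printf '%s\n' "$out" | grep INFECTED && return 1
    return 0
}
```

Keep the manifest with the downloaded archive rather than on the server, so that the copy used for verification is the one the intruder never had write access to.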
chkrootkit options
Usage: ./chkrootkit [options] [testname ...]
Options:
  -h                 show this help and exit
  -V                 show version information and exit
  -l                 show available tests
  -d                 debug
  -q                 quiet mode
  -x                 expert mode
  -r dir             use dir as the root directory
  -p dir1:dir2:dirN  path for the external commands used by chkrootkit
  -n                 skip NFS mounted dirs