zeldor.biz

Linux, programming and more


Weekend Security Check

June 7, 2011 by Igor Drobot 2 Comments

Some of my servers provide an FTP service, and every weekend I check all the uploaded files and the system files for viruses and rootkits.
When somebody uploads a file, nobody thinks about the potential danger, e.g. a virus.

You can run all of these checks separately or as a single script.

Here are some examples:

Installing rkhunter:

    aptitude install rkhunter

Before you start a check, be sure your database is up to date.

    rkhunter --update


After the update you can start a full check (--sk skips the "press ENTER" prompt between test groups):

    rkhunter --checkall --sk

Installing clamav:

    aptitude install clamav

The same applies here: before you start to scan, update the signature database:

    freshclam

Update procedure output:

    ClamAV update process started at Sun Jun  5 20:41:32 2011
    main.cvd is up to date (version: 53, sigs: 846214, f-level: 53, builder: sven)
    daily.cvd is up to date (version: 13148, sigs: 125934, f-level: 60, builder: guitar)
    bytecode.cvd is up to date (version: 143, sigs: 40, f-level: 60, builder: edwin)

Create a quarantine directory for infected files:

    mkdir /var/tmp/quarantine

Start a scan (recursive, infected files are moved to the quarantine directory):

    clamscan -r --move=/var/tmp/quarantine/ /var/www

Weekend cron script (the &> and &>> redirections are bash-specific, so the shebang must be /bin/bash, not /bin/sh, which is dash on Debian):

     1  #!/bin/bash
     2  # <kiwi@zeldor.biz>
     3  # Sun Jun  5 21:22:56 CEST 2011
     4  # Report recipient
     5  RECIPIENT="reports@gadget.zeldor.biz"
     6  QUARANTINE="/var/tmp/quarantine/"
     7  
     8  LOG="/tmp/weekly_scan.log"
     9  rm -f "$LOG"
    10  
    11  # Update rkhunter-DB (stdout and stderr go to the log)
    12  rkhunter --update --nocolors &>"$LOG"
    13  
    14  # Update Clamav-DB
    15  freshclam --quiet &>>"$LOG"
    16  
    17  # Start rkhunter scan
    18  rkhunter --checkall --nocolors --sk &>>"$LOG"
    19  
    20  # Start Clamav scan (-i: only report infected files)
    21  clamscan -r -i --move="$QUARANTINE" /var/www &>>"$LOG"
    22  
    23  echo "----------- SCAN SUMMARY -----------" >>"$LOG"
    24  
    25  if [ "$(ls -A "$QUARANTINE")" ]; then
    26      echo "Take action, quarantine is not empty!" >>"$LOG"
    27  else
    28      echo "Quarantine directory is empty" >>"$LOG"
    29  fi
    30  
    31  echo "Please look at the attachment for more details" | mutt -s "Weekly check report, $(date +'Week %V')" -a "$LOG" -- "$RECIPIENT"
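As an added example (not the script from this post), here is a POSIX sh variant of the same weekend job. It keeps the same steps (update both databases, run rkhunter, run clamscan with --move, mail the log) but uses plain `>file 2>&1` redirection instead of the bash-only `&>`, takes the log name from mktemp instead of a fixed /tmp path, refuses to run when one of the scanners is not installed, and builds the summary from the log itself by counting rkhunter's `[ Warning ]` lines and clamscan's `Infected files: N` line. The summary logic sits in small functions so it can be exercised on a box without the scanners. The recipient, quarantine directory and scan root are placeholders passed as arguments; `-mindepth` is a GNU/BSD find option, which is fine on Debian.

```shell
#!/bin/sh
# Added example, not the original post's script: POSIX-sh weekend scan job.
set -u

# Last "Infected files: N" line written by clamscan in the log; prints N, or 0
# if the line is missing (e.g. clamscan never ran).
clam_infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${n:-0}"
}

# Number of rkhunter test lines that ended in "[ Warning ]" (--nocolors output).
rkhunter_warning_count() {
    grep -c '\[ Warning \]' "$1" || true
}

# Prints 1 if the quarantine directory holds any entry (dotfiles included), else 0.
# find is used instead of parsing ls output.
quarantine_nonempty() {
    if [ -n "$(find "$1" -mindepth 1 2>/dev/null | head -n 1)" ]; then
        echo 1
    else
        echo 0
    fi
}

# Summary block appended to the report: $1 = log file, $2 = quarantine dir.
scan_summary() {
    log=$1
    qdir=$2
    echo "----------- SCAN SUMMARY -----------"
    echo "rkhunter warnings: $(rkhunter_warning_count "$log")"
    echo "clamscan infected files: $(clam_infected_count "$log")"
    if [ "$(quarantine_nonempty "$qdir")" = 1 ]; then
        echo "Take action, quarantine is not empty!"
    else
        echo "Quarantine directory is empty"
    fi
}

# The actual job: $1 = report recipient, $2 = quarantine dir, $3 = scan root.
run_weekly_scan() {
    recipient=$1
    qdir=$2
    scanroot=$3
    # Fail loudly instead of mailing an empty report when a tool is missing.
    for tool in rkhunter freshclam clamscan mutt; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; exit 1; }
    done
    # Unpredictable log name; rm -f on a fixed /tmp path would follow a planted
    # symlink when run as root.
    log=$(mktemp /tmp/weekly_scan.XXXXXX) || exit 1
    mkdir -p "$qdir"
    {
        rkhunter --update --nocolors
        freshclam --quiet
        rkhunter --checkall --nocolors --sk
        clamscan -r -i --move="$qdir" "$scanroot"
    } >"$log" 2>&1            # POSIX form of bash's &>
    scan_summary "$log" "$qdir" >>"$log"
    echo "Please look at the attachment for more details" |
        mutt -s "Weekly check report, $(date +'Week %V')" -a "$log" -- "$recipient"
    rm -f "$log"
}

# Only run the scanners when asked explicitly ("./weekly_scan.sh run ..."), so
# the functions above can be sourced and tested anywhere.
case "${1:-}" in
    run) run_weekly_scan "${2:-reports@example.invalid}" \
                         "${3:-/var/tmp/quarantine}" "${4:-/var/www}" ;;
esac
```

In cron this is called as `weekly_scan.sh run reports@example.invalid /var/tmp/quarantine /var/www`; without the `run` argument the script defines its functions and exits, which is what the self-test below relies on.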

Filed Under: Bash, Debian, Kernel, Linux Tagged With: antivirus, Clamav, rkhunter, rootkit, security check, virus, weekend scan


Comments

  1. zeldor says

    June 11, 2011 at 12:11

    Thanks for the tips!

  2. Enrico Righes says

    June 9, 2011 at 10:12

    You’re using ‘&>’ as redirection, but this is a bashism. Therefore you should use ‘/bin/bash’ in the shebang (/bin/sh could link to bash, dash, ksh…).
    And instead of writing ‘&>>$LOG’ on every line you may write ‘exec >$LOG’ at line 9.

    Regards,
    Enrico
