[ale] SIP Hacks

SimonTek simontek at gmail.com
Thu Oct 14 16:26:59 EDT 2010


As I tell everyone, change your ssh port numbers. Pick a random number; if
you ever check your /var/log/secure log you will see a ton of random
attacks.

These are from my blog, http://simontekhacks.blogspot.com/

Basically I keep notes that may come in handy for future.


Scripts that come in handy.

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into
server and login as root.

At command prompt type: vi .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.
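A more robust version of the same alert, added here as an example and not part of the original post: `who | awk '{print $6}'` only picks the client host when `who` prints the date in the old "Oct 14 16:26" style, so this version reads the client address from SSH_CONNECTION (set by sshd for every SSH session) and falls back to the parenthesised host at the end of `who am i`. It assumes `mail` is installed and that the function is sourced from root's ~/.bash_profile.

```shell
#!/bin/bash
# Added example (not from the original post). Assumes sshd sets SSH_CONNECTION
# as "client_ip client_port server_ip server_port" and that `mail` exists.

# Print where the current root login came from.
# $1 overrides SSH_CONNECTION and $2 overrides `who am i` (used for testing).
login_source() {
    local ssh_conn="${1-$SSH_CONNECTION}"
    local who_line="${2-$(who am i 2>/dev/null)}"
    if [ -n "$ssh_conn" ]; then
        # First word of SSH_CONNECTION is the client IP, whatever `who` prints.
        printf '%s\n' "${ssh_conn%% *}"
    elif [ -n "$who_line" ] && [ "${who_line%\)}" != "$who_line" ]; then
        # Fallback: the host is the last "(...)" field of `who am i`,
        # so take the text after the last "(" and drop the trailing ")".
        local host="${who_line##*\(}"
        printf '%s\n' "${host%\)}"
    else
        # No SSH variables and no remote host in `who`: a local console login.
        printf 'local-console\n'
    fi
}

# Build the alert body: timestamp, login source and all current sessions.
alert_body() {
    printf 'ALERT - Root shell access on: %s\nSource: %s\n\nSessions:\n%s\n' \
        "$(date)" "$(login_source "$@")" "$(who)"
}

# Send the alert to $1; only does anything when running as root.
send_root_alert() {
    local to="$1"
    if [ "$(id -u)" -eq 0 ]; then
        alert_body | mail -s "Alert: Root access from $(login_source)" "$to"
    fi
}

# In ~/.bash_profile: send_root_alert your@email.com
```

Because .bash_profile is only read by interactive login shells, a command run as `ssh root@host cmd` will not trigger it; sshd's own log lines are the record for those.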

Install chkrootkit

To install chkrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense


To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Chkrootkit is a program that scans for root kits.


To modify LogWatch, SSH into server and login as root.

At command prompt type: vi /etc/log.d/conf/logwatch.conf


Scroll down to

MailTo = root

and change to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.


Now scroll down to

Detail = Low

Change that to Medium or High, i.e.

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.


Not needed for security, but always comes in handy.

Clear cache from a Linux box. Works only with kernels 2.6.16 or newer.

sync; echo 3 > /proc/sys/vm/drop_caches


Quick Script I use for the machine and cron jobs

Named: clean.sh

#!/bin/bash

###
### Shell script to clean the cache on the machine. It also lists current
### memory usage, and afterwards it's cleared so I can compare.
###
### SimonTek April 16th, 2009
###
free -m
sync; echo 3 > /proc/sys/vm/drop_caches
free -m
-- 
SimonTek
404-585-1308