@how@
Verified User
thanks Jose.
Wael
Wael
ELS - Easy Linux Security script
- Thread starter smtalk
- Start date
@how@
Verified User
jjma
Verified User
Any update on whethere the sysctl.conf hardening works on a centos 5.1 install?
thanks
Jon
jjma
Verified User
eaccelerator fails
Using the latest version of els and custombuid 1.2.
Jonathan
Using the latest version of els and custombuid 1.2.
Jonathan
jjma
Verified User
Fixed eaccelerator
Solution is to change the placement of eaccelerator in the php.ini so that it is above the Zend Optimizer lines.
Currently the els script places the eaccelerator code below the Zend Optimizer code.
Jon
Solution is to change the placement of eaccelerator in the php.ini so that it is above the Zend Optimizer lines.
Currently the els script places the eaccelerator code below the Zend Optimizer code.
Jon
I got todays chkrootkit (0.48) email and noticed it showed and error:
So I started to look at the code and the bug appears to be in line #1111
I've been googling around and seems to be a "know issue", where Debian .deb file simply decided to "drop" the scan with the excuse "It looks like this simple tool is shell script which is not carefully
considering large files etc... ". In gentoo I found a patch file that changed to line to the following:
(changes the -1 to -n1) yet this does not fix the problem.
Anybody has a fix for this? Or this test is really not that necessary? Anybody has this issue?
Thanks!
Code:
...
...
...
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
...
...So I started to look at the code and the bug appears to be in line #1111
Code:
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep php 2> /dev/null`"I've been googling around and seems to be a "know issue", where Debian .deb file simply decided to "drop" the scan with the excuse "It looks like this simple tool is shell script which is not carefully
considering large files etc... ". In gentoo I found a patch file that changed to line to the following:
Code:
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n1 {} \; | grep php 2> /dev/null`"(changes the -1 to -n1) yet this does not fix the problem.
Anybody has a fix for this? Or this test is really not that necessary? Anybody has this issue?
Thanks!
Today I checked my email queue and saw a root queued mail from cron. I checked and it contained the following:
After checking /etc/cron.daily/rkhunter.sh I did see it does echo the update it does to the files before doing the test. After testing, found a fix; simply do the update on the same "run" as the check (no need to do it beforehand)
Simply change:
To:
Hope this helps somebody.
Cheers
Jose
Code:
/etc/cron.daily/rkhunter.sh:
[ Rootkit Hunter version 1.3.2 ]
[1;33mChecking rkhunter data files...[0;39m
Checking file mirrors.dat[34C[ [1;32mNo update[0;39m ]
Checking file programs_bad.dat[29C[ [1;32mNo update[0;39m ]
Checking file backdoorports.dat[28C[ [1;32mNo update[0;39m ]
Checking file suspscan.dat[33C[ [1;32mNo update[0;39m ]
Checking file i18n/cn[38C[ [1;32mNo update[0;39m ]
Checking file i18n/en[38C[ [1;32mNo update[0;39m ]
Checking file i18n/zh[38C[ [1;32mNo update[0;39m ]
Checking file i18n/zh.utf8[33C[ [1;32mNo update[0;39m ]After checking /etc/cron.daily/rkhunter.sh I did see it does echo the update it does to the files before doing the test. After testing, found a fix; simply do the update on the same "run" as the check (no need to do it beforehand)
Simply change:
Code:
(/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -sk -c --nocolors 2>&1 | mail -s "RKhunter Scan Details" [email protected])To:
Code:
(/usr/local/bin/rkhunter -sk -c --nocolors --update 2>&1 | mail -s "RKhunter Scan Details" [email protected])Hope this helps somebody.
Cheers
Jose
skaag
Verified User
By the way if you are on Ubuntu, you want the script to think you are on Debian. However the script fails to properly check for Ubuntu (and even for Debian, since it specifically looks for 3.1 but current Debian is 4.0).
All you need to do is edit els, locate the function: supporteddistros()
At the very end of the function, before the last } character add this:
DISTRO=DEBIAN3
So it will look like this:
This will in effect force the script to function in "Debian" / "Ubuntu" mode.
All you need to do is edit els, locate the function: supporteddistros()
At the very end of the function, before the last } character add this:
DISTRO=DEBIAN3
So it will look like this:
This will in effect force the script to function in "Debian" / "Ubuntu" mode.
Last edited:
I have a very stupid question
I just ran this excellent script to install rkhunter and all went well and it looks like rkhunter installed perfectly fine.
But now that it is installed how do I actually run the rkhunter to weed out any rootkits ?
I just ran this excellent script to install rkhunter and all went well and it looks like rkhunter installed perfectly fine.
But now that it is installed how do I actually run the rkhunter to weed out any rootkits ?
rkhunter -c
I'd just like to add my piece of **** on this script..
I run DA on debian etch, and wanted to update APF, and do some smart tweaking after server hack 3 days ago...
Well THIS SCRIPT IS NOT DEBIAN COMPATIBLE... Stop saying so.
It just managed to screw up BFD / APF that was outdated, but that was running...
Before releasing such script for an os, start by testing it, and most of all correct it when bugs are warned...
For my piece of ****, under debian etch i get following installation errors on a els --all
admin email adress :
/usr/sbin/els: line 412: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)
APF Updater
cp: ne peut évaluer `/etc/apf.bk.last/vnet/*.rules': Aucun fichier ou répertoire de ce type (no file or directory of this sort)
BFD install
/usr/sbin/els: line 1169: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)
/usr/sbin/els: line 1170: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)
LibSafe install
/usr/sbin/els: line 1169: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)
install MyTop :
Warning: prerequisite DBD::mysql 1 not found.
Warning: prerequisite DBI 1.13 not found.
Warning: prerequisite Term::ReadKey 2.1 not found.
Oh yes, i'm under Mysql5... you should test it, as mytop is after reading, mysql4 dedicated apparently
Optimize Mysql Tables :
/usr/sbin/els: line 1859: /bin/rpm: Aucun fichier ou répertoire de ce type
grep: /etc/my.cnf: Aucun fichier ou répertoire de ce type
grep: /etc/my.cnf: Aucun fichier ou répertoire de ce type
Start APF :
/etc/init.d/apf: line 8: /etc/rc.d/init.d/functions: Aucun fichier ou répertoire de ce type
Man author and owner of this script really lacks of documentation of his script... Oh my its the same guy from custombuild, the **** that screwed up also my server... what am i just half surprised, and why didn't i remember it ...
Last edited:
disable php functions
els stil want to disable php functions under php_cli (/usr/local/lib/php.ini) where anyone should use php_cgi (suphp)
Offcourse you use ./build secure_php in custombuild, but because we are very lazy
els --all can't be used, and got to check by hand (what we also must do, but lazy...)
Thanks.
els stil want to disable php functions under php_cli (/usr/local/lib/php.ini) where anyone should use php_cgi (suphp)
Offcourse you use ./build secure_php in custombuild, but because we are very lazy
els --all can't be used, and got to check by hand (what we also must do, but lazy...)Thanks.
