ELS - Easy Linux Security script

[@how@]

thanks Jose.

Wael

 

[jca]

Anytime, thanks to you and smtalk for making the script. Glad I can help!

Cheers

Jose

 

[digi]

after download:

MD5 invalid. Aborting.

 

[@how@]

after download:

MD5 invalid. Aborting.

in update ?

Wael

 

[digi]

New server (quadcore), new fresh install, CentOS 5.2 x86_64

[root@lalalala ~]# wget -O installer.sh http://els.web4host.net/installer.sh; chmod +x installer.sh; sh installer.sh
--19:33:00-- http://els.web4host.net/installer.sh
Resolving els.web4host.net... 67.205.112.100
Connecting to els.web4host.net|67.205.112.100|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3003 (2.9K) [application/x-sh]
Saving to: `installer.sh'

100%[=====================================>] 3,003 --.-K/s in 0.1s

19:33:02 (25.8 KB/s) - `installer.sh' saved [3003/3003]

Downloading...
Done.
MD5 invalid. Aborting.

 

[jjma]

The harden kernel option fails in the last version of ELS:
/etc/sysctl.conf exists.
sysctl is used to harden the kernel. If you have not hardened your
kernel with sysctl or do not know how to, it is recommended to have
ELS do it for you. Your current /etc/sysctl.conf will be backed up to
/usr/local/els/bakfiles/sysctl.conf.
Proceed? (y/n): y
Download Failed.
Invalid MD5.
Aborting.

How can i fix this?

Any update on whethere the sysctl.conf hardening works on a centos 5.1 install?

thanks

Jon

 

[jjma]

eaccelerator fails

PHP Fatal error: [Zend Optimizer] Zend Optimizer 3.3.3 is incompatible with eAccelerator 0.9.5.3 in Unknown on line 0
[FAILED]

Using the latest version of els and custombuid 1.2.

Jonathan

 

[jjma]

Fixed eaccelerator

Solution is to change the placement of eaccelerator in the php.ini so that it is above the Zend Optimizer lines.

Currently the els script places the eaccelerator code below the Zend Optimizer code.

Jon

 

[jca]

I got todays chkrootkit (0.48) email and noticed it showed and error:

...
...
...
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files...
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
/usr/bin/find: head terminated by signal 13
...
...

So I started to look at the code and the bug appears to be in line #1111

fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep php 2> /dev/null`"

I've been googling around and seems to be a "know issue", where Debian .deb file simply decided to "drop" the scan with the excuse "It looks like this simple tool is shell script which is not carefully
considering large files etc... ". In gentoo I found a patch file that changed to line to the following:

fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n1 {} \; | grep php 2> /dev/null`"

(changes the -1 to -n1) yet this does not fix the problem.

Anybody has a fix for this? Or this test is really not that necessary? Anybody has this issue?

Thanks!

 

[keefe007]

I secured /tmp on a Debian system and now mysqld and apache doesn't work. Apache can't create the session files in /tmp and mysqld can't create the socket. Any ideas?

 

[smtalk]

Try:

chmod 0777 /tmp

 

[keefe007]

Okay that worked. Is the /tmp still secure then?

 

[smtalk]

Yes, it is.

 

[jca]

Today I checked my email queue and saw a root queued mail from cron. I checked and it contained the following:

/etc/cron.daily/rkhunter.sh:

[ Rootkit Hunter version 1.3.2 ]

Checking rkhunter data files...
  Checking file mirrors.dat[ No update ]
  Checking file programs_bad.dat[ No update ]
  Checking file backdoorports.dat[ No update ]
  Checking file suspscan.dat[ No update ]
  Checking file i18n/cn[ No update ]
  Checking file i18n/en[ No update ]
  Checking file i18n/zh[ No update ]
  Checking file i18n/zh.utf8[ No update ]

After checking /etc/cron.daily/rkhunter.sh I did see it does echo the update it does to the files before doing the test. After testing, found a fix; simply do the update on the same "run" as the check (no need to do it beforehand)

Simply change:

(/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -sk -c --nocolors 2>&1 | mail -s "RKhunter Scan Details" [email protected])

To:

(/usr/local/bin/rkhunter -sk -c --nocolors --update 2>&1 | mail -s "RKhunter Scan Details" [email protected])

Hope this helps somebody.

Cheers

Jose

 

[skaag]

By the way if you are on Ubuntu, you want the script to think you are on Debian. However the script fails to properly check for Ubuntu (and even for Debian, since it specifically looks for 3.1 but current Debian is 4.0).

All you need to do is edit els, locate the function: supporteddistros()
At the very end of the function, before the last } character add this:
DISTRO=DEBIAN3

So it will look like this:

...
exit
fi
DISTRO=DEBIAN3
}
...

This will in effect force the script to function in "Debian" / "Ubuntu" mode.

 

[darkus]

I have a very stupid question

I just ran this excellent script to install rkhunter and all went well and it looks like rkhunter installed perfectly fine.

But now that it is installed how do I actually run the rkhunter to weed out any rootkits ?

 

[tdldp]

I have a very stupid question

I just ran this excellent script to install rkhunter and all went well and it looks like rkhunter installed perfectly fine.

But now that it is installed how do I actually run the rkhunter to weed out any rootkits ?

rkhunter -c



I'd just like to add my piece of **** on this script..
I run DA on debian etch, and wanted to update APF, and do some smart tweaking after server hack 3 days ago...
Well THIS SCRIPT IS NOT DEBIAN COMPATIBLE... Stop saying so.
It just managed to screw up BFD / APF that was outdated, but that was running...
Before releasing such script for an os, start by testing it, and most of all correct it when bugs are warned...

For my piece of ****, under debian etch i get following installation errors on a els --all

admin email adress :
/usr/sbin/els: line 412: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)

APF Updater
cp: ne peut évaluer `/etc/apf.bk.last/vnet/*.rules': Aucun fichier ou répertoire de ce type (no file or directory of this sort)

BFD install
/usr/sbin/els: line 1169: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)
/usr/sbin/els: line 1170: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)

LibSafe install
/usr/sbin/els: line 1169: /bin/rpm: Aucun fichier ou répertoire de ce type (no file or directory of this sort)

install MyTop :
Warning: prerequisite DBD::mysql 1 not found.
Warning: prerequisite DBI 1.13 not found.
Warning: prerequisite Term::ReadKey 2.1 not found.

Oh yes, i'm under Mysql5... you should test it, as mytop is after reading, mysql4 dedicated apparently

Optimize Mysql Tables :
/usr/sbin/els: line 1859: /bin/rpm: Aucun fichier ou répertoire de ce type
grep: /etc/my.cnf: Aucun fichier ou répertoire de ce type
grep: /etc/my.cnf: Aucun fichier ou répertoire de ce type

Start APF :
/etc/init.d/apf: line 8: /etc/rc.d/init.d/functions: Aucun fichier ou répertoire de ce type

Man author and owner of this script really lacks of documentation of his script... Oh my its the same guy from custombuild, the **** that screwed up also my server... what am i just half surprised, and why didn't i remember it ...

 

[tolisgr]

How can I uninstall/disable APC installed from ELS ?

 

[digi]

disable php functions

els stil want to disable php functions under php_cli (/usr/local/lib/php.ini) where anyone should use php_cgi (suphp)

Offcourse you use ./build secure_php in custombuild, but because we are very lazy els --all can't be used, and got to check by hand (what we also must do, but lazy...)

Thanks.

 

[nimafire]

hello. i have problem and forget to ask.
when i try to secure my .tmp with els and try...its my error :

[root@download]#els --securepartitions

Secure /tmp function is temporary disabled on CentOS 5.