One of my servers was recently attacked. Apart from tightening the local security measures, I also plan to install a tool that monitors file system changes.
I want a free tool (free as in beer), and I would like it to email its reports or store the results remotely so that they cannot be tampered with.
I have already been checking one candidate and I think it can do the job. Still, I would like to know whether there are other solutions.
Answer 1
If you are on a CentOS / RHEL based system, you can install audit.x86_64
and configure the default audit system on the server for commands, files and whatever else you want audited. Below is a how-to for CentOS; I have also linked the RHEL site, but it may require an account. I am not familiar with Debian-based systems or Ubuntu, so it is probably the same command with a similarly named package. A quick Google search should quickly turn up something for Ubuntu as well.
RHEL/CentOS:
CentOS 7: How to use the Linux Audit System
RHEL 7 System Auditing
RHEL 6 System Auditing
After further research, the same auditctl system appears to be installable on Ubuntu just as on RHEL 7.
Ubuntu:
The command below will install it on Ubuntu. The man pages should explain how it works, although I am fairly sure it is almost identical to the RPM-installed version.
sudo apt-get install auditd
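To show what "configure the audit system for files" looks like in practice, here is an added example (not part of the answer above, and not an official auditd sample): a minimal watch-rule set for the files an intruder typically touches, plus a small parser that turns raw audit records (the format `ausearch --raw` prints) into one line per event, which is the shape you would email or ship to a remote host. The watched paths, the key names and the sample records are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the answer above. Rules, keys and the sample
# audit records below are constructed; adjust paths to your system.

# Rules for /etc/audit/rules.d/integrity.rules. Each -w watches a path,
# -p wa fires on writes and attribute changes, -k tags the event so it can
# be found with `ausearch -k <tag>`. -e 2 makes the configuration immutable
# until reboot, so an intruder with root cannot silently turn auditing off.
audit_rules() {
  cat <<'EOF'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/cron.d -p wa -k cron
-w /usr/bin -p wa -k binaries
-w /etc/audit/ -p wa -k auditconfig
-e 2
EOF
}

# Summarise raw audit records: join each SYSCALL record with the PATH
# records carrying the same event serial (the number after ':' inside
# msg=audit(...)) and print
#   <serial> key=<tag> auid=<login uid> comm=<program> path=<file>[,<file>]
# auid is the uid the user logged in with, even after sudo/su to root.
summarize_audit() {   # $1 = file of raw audit records
  awk '
    # value of "k=..." in s, with surrounding quotes stripped
    function field(s, k,   r) {
      if (match(s, k "=[^ ]+")) {
        r = substr(s, RSTART + length(k) + 1, RLENGTH - length(k) - 1)
        gsub(/"/, "", r)
        return r
      }
      return ""
    }
    {
      if (!match($0, /:[0-9]+\)/)) next
      id = substr($0, RSTART + 1, RLENGTH - 2)
      if ($0 ~ /^type=SYSCALL /) {
        auid[id] = field($0, "auid")
        comm[id] = field($0, "comm")
        key[id]  = field($0, "key")
      } else if ($0 ~ /^type=PATH /) {
        nt = field($0, "nametype")      # skip the parent-directory item
        if (nt == "PARENT" || nt == "UNKNOWN") next
        paths[id] = paths[id] (paths[id] == "" ? "" : ",") field($0, "name")
      }
    }
    END {
      for (id in key)
        if (paths[id] != "")
          printf "%s key=%s auid=%s comm=%s path=%s\n", id, key[id], auid[id], comm[id], paths[id]
    }' "$1" | sort
}

# Constructed sample, trimmed to the fields the parser uses.
# Event 456: login uid 1000, now root, edits /etc/passwd with vi.
# Event 457: the same user deletes a cron job.
write_sample_audit_log() {   # $1 = output file
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:456): arch=c000003e syscall=257 success=yes exit=3 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1700000000.101:456): cwd="/root"
type=PATH msg=audit(1700000000.101:456): item=0 name="/etc/" inode=2 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.101:456): item=1 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:457): arch=c000003e syscall=263 success=yes exit=0 ppid=4000 pid=4002 auid=1000 uid=0 gid=0 euid=0 comm="rm" exe="/usr/bin/rm" key="cron"
type=PATH msg=audit(1700000000.202:457): item=0 name="/etc/cron.d/" inode=3 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.202:457): item=1 name="/etc/cron.d/backup" inode=5678 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=DELETE
EOF
}

# Demo run: print the rules, then the summary of the constructed log.
tmp=$(mktemp)
write_sample_audit_log "$tmp"
audit_rules
summarize_audit "$tmp"
rm -f "$tmp"
```

On a real host you would feed the parser with `ausearch -k identity --raw` (or the whole of /var/log/audit/audit.log) from a cron job and pipe the summary to `mail` or over ssh to a log host; since the question is about an attacker being able to tamper with the evidence, the `-e 2` line and an off-box copy of the log matter more than the exact rule list.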
Answer 2
tripwire
is a bit old by now, but it still works fine and does what it is supposed to do (email you a warning about any and all changes to the monitored files; e.g. set it to monitor all files by default and exclude the files/directories you don't care about).
It is pre-packaged for most (if not all) Linux distributions (and *bsd). Here is the description from the debian tripwire package:
Package: tripwire
Description-en: file and directory integrity checker
Tripwire is a tool that aids system administrators and users in
monitoring a designated set of files for any changes. Used with
system files on a regular (e.g., daily) basis, Tripwire can notify
system administrators of corrupted or tampered files, so damage
control measures can be taken in a timely manner.
Homepage: https://github.com/Tripwire/tripwire-open-source
I would also recommend using git
for version control of all important files (and git push
to push changes to a remote repository as a backup, to protect against corruption and accidental or deliberate deletion).
And of course etckeeper
for automated version control (git
by default) of /etc
:
Package: etckeeper
Description-en: store /etc in git, mercurial, bzr or darcs
The etckeeper program is a tool to let /etc be stored in a git, mercurial,
bzr or darcs repository. It hooks into APT to automatically commit changes
made to /etc during package upgrades. It tracks file metadata that version
control systems do not normally support, but that is important for /etc, such
as the permissions of /etc/shadow. It's quite modular and configurable, while
also being simple to use if you understand the basics of working with version
control.
Homepage: https://etckeeper.branchable.com/
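What Tripwire and etckeeper have in common is a baseline of file content plus the metadata (permissions, ownership) that a plain hash misses, kept somewhere the attacker cannot rewrite it, and a later comparison. The following is an added example written for this page, not Tripwire's or etckeeper's own code, that does exactly that in two shell functions over a constructed directory tree; the file names and the tamper steps are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the answer above: the core of a file integrity
# checker. Sample files, paths and the tampering below are constructed.

# One tab-separated line per regular file: sha256, mode:uid:gid, path.
# (File names are assumed not to contain newlines.)
snapshot() {   # $1 = directory to scan
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    sum=$(sha256sum "$f" | cut -d' ' -f1)
    # GNU stat first, BSD stat as fallback
    meta=$(stat -c '%a:%u:%g' "$f" 2>/dev/null || stat -f '%Lp:%u:%g' "$f")
    printf '%s\t%s\t%s\n' "$sum" "$meta" "$f"
  done
}

# Diff two snapshots and print ADDED / REMOVED / CHANGED <path>, sorted.
# A change in content, permissions or ownership all count as CHANGED.
compare_snapshots() {   # $1 = baseline snapshot, $2 = current snapshot
  awk -F '\t' '
    FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
    { cur[$3] = $1 " " $2 }
    END {
      for (p in base) if (!(p in cur))  print "REMOVED " p
      for (p in cur)  if (!(p in base)) print "ADDED " p
      for (p in cur)  if ((p in base) && base[p] != cur[p]) print "CHANGED " p
    }' "$1" "$2" | sort
}

# Demo: build a constructed tree, take a baseline, tamper with it, compare.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/cron.d"
  printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
  printf 'Welcome\n' > "$d/etc/motd"
  printf 'srv1\n'    > "$d/etc/hostname"
  chmod 644 "$d/etc/passwd" "$d/etc/hostname"
  # In real use the baseline goes off the box right here, e.g.
  #   snapshot / | ssh backup@host 'cat > baseline.$(hostname)'
  snapshot "$d" > "$d.baseline"

  printf 'evil:x:0:0::/:/bin/sh\n' >> "$d/etc/passwd"    # content change
  chmod 600 "$d/etc/hostname"                             # permission change only
  rm -f "$d/etc/motd"                                     # deletion
  printf '* * * * * root /tmp/x\n' > "$d/etc/cron.d/x"   # new file

  snapshot "$d" > "$d.current"
  compare_snapshots "$d.baseline" "$d.current" | sed "s|$d||"
  rm -rf "$d" "$d.baseline" "$d.current"
}
demo
```

The permission-only change on hostname is the case a content-hash-only script misses and the reason etckeeper bothers to record metadata for /etc; keeping the baseline off the box is what turns this from a convenience into evidence.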
Answer 3
AIDE is a tool for monitoring file system changes. It can be used
to detect unauthorized monitored files and directories. AIDE was
written to be a simple and free alternative to Tripwire. Features
currently included in AIDE are as follows:
o File attributes monitored: permissions, inode, user, group
file size, mtime, atime, ctime, links and growing size.
o Checksums and hashes supported: SHA1, MD5, RMD160, and TIGER.
CRC32, HAVAL and GOST if Mhash support is compiled in.
o Plain text configuration files and database for simplicity.
o Rules, variables and macros that can be customized to local
site or system policies.
o Powerful regular expression support to selectively include or
exclude files and directories to be monitored.
o gzip database compression if zlib support is compiled in.
o Free software licensed under the GNU General Public License.
The homepage of AIDE is https://aide.github.io
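As an added illustration of how the rules, variables and regular-expression selection listed above are actually written, here is a small aide.conf fragment; it is written for this page, not taken from the AIDE project, the paths and the rule names NORMAL and LOGS are assumptions, and the `database_in`/`database_out` form is the newer AIDE syntax (older releases use a single `database=` line). The sha256 attribute is available in current AIDE builds even though the feature list quoted above only mentions SHA1 and MD5.

```conf
# /etc/aide/aide.conf fragment (added example, not AIDE's shipped config).
# Workflow:
#   aide --config=/etc/aide/aide.conf --init
#   mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
#   scp /var/lib/aide/aide.db backup@host:aide.db.$(hostname)   # off-box copy
#   aide --config=/etc/aide/aide.conf --check | mail -s "AIDE $(hostname)" you@example.com
# After legitimate changes: aide --update, then move aide.db.new into place
# again and refresh the off-box copy.

database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
gzip_dbout=yes

# Rule groups: p perms, i inode, n link count, u/g owner and group,
# s size, m mtime, c ctime, S "growing size" for append-only logs.
NORMAL = p+i+n+u+g+s+m+c+sha256
LOGS   = p+u+g+S

# Selection lines are regular expressions anchored at the start of the path;
# a leading ! excludes.
/etc       NORMAL
/bin       NORMAL
/sbin      NORMAL
/usr/bin   NORMAL
/usr/sbin  NORMAL
/boot      NORMAL
/var/log   LOGS
!/var/log/journal
!/etc/mtab
```

The on-disk aide.db is the thing an intruder with root will edit or regenerate, which is why the off-box copy in the comments (or a check run from a read-only copy) is the part that answers the "avoid manipulation" requirement in the question.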