Re: [cobalt-users] PortSentry and Logcheck ?
- Subject: Re: [cobalt-users] PortSentry and Logcheck ?
- From: Brent Sims <brent@xxxxxxxxxxx>
- Date: Sun Jun 4 15:39:03 2000
On Sun, 4 Jun 2000, Diana Brake so wrote:
} Please count me as a person who would be eternally grateful for such
} instructions...:)
Okay, let's do logcheck first. Installing it is as easy as
pie. Thus it is a good one to start with. I'd recommend that you
read the documentation first. While there are quite a few steps,
most of them are the result of my liking to talk a lot. This is
really a very very easy install. There's little or no chance of
doing any damage to your system if you just take your time and
carefully follow the instructions.
I stay pretty busy so it might be a week or so before I do
portsentry but, after doing this one, you really ought to be able to
do portsentry on your own. It's not much more difficult at all.
1) head over to http://www.psionic.com/abacus/logcheck/
and download yourself a copy of the current release.
While you are there subscribe to the announcement
list as you most certainly want to know when updates
are released. Always update security related items
whenever a new update is released.
2) After you download the distribution FTP it over to
your Cobalt RaQ server. Get in the habit of building
software from a non-privileged user account. Your
admin account will do quite nicely. Just fire up your
favorite FTP client, log in to your admin account
and transfer the distribution to your server. The
default directory - the first one you see when you
login - will do quite nicely.
3) After FTPing the distribution to your server telnet
into your server - again, use the admin account.
Odds are that you'll automatically end up right
where you need to be. If not, just issue the
following command:
cd /home/sites/home/admin/
Quite simply, you want to be in the directory where
you uploaded the Logcheck distribution to. You may
have to root around a bit to find it.
4) When you are in the directory where the logcheck
distribution is, issue the following commands, in
this order, to unpack the distribution:
gunzip logcheck-1.1.1.tar.gz
tar xf logcheck-1.1.1.tar
5) Now type cd logcheck-1.1.1/ to move to the newly
created directory in which logcheck's source files
will be found. Then type ls so you can see what's
there. Then su to root and simply type:
make generic
(I used generic, I believe linux will work too but I
haven't tried it myself.)
at the command line and hit enter. It will take a
few seconds to compile and install the program.
Then type:
make install
6) You'll need to edit one (1) line on the logcheck.sh
file in order to make it work. You'll find this file
in /usr/local/etc so just type cd /usr/local/etc/
at the command prompt and hit enter. If you then
do a ls at the command line and hit enter you should
be able to see a file named logcheck.sh
7) Open logcheck.sh in an editor. Both vi and pico are
installed on my RaQ2. vi is The "Editor" that Unix
system admins prefer but it can be a bit difficult
to deal with at first. So you might try pico if you
are not handy with vi. Just type pico logcheck.sh
at the command line. Then use the arrow keys to scroll
to the line that reads:
# Person to send log activity to.
SYSADMIN=root
And change root to the user name for your admin account,
which is probably admin. Then save the file by holding
down the control key (ctrl) and touching the o (oh)
key and hitting return.
8) logcheck is now installed on your RaQ.
9) logcheck needs to be run from cron. To make this happen
all you need to do is install an itty bitty little script
in the crontab of your choice. You have quite a few
choices on the RaQ. At the very least I recommend that
you run logcheck once each day. I personally run it
each and every hour on the servers here. Each time
it runs it will send you an email so you might want
to think this out a bit. Installing the crontab is
as easy as pie. Since you should run it every hour
I use the hourly crontab as an example: While still
root, type cd /etc/cron.hourly; if you want to
run it daily, type cd /etc/cron.daily
Now do an ls. We want to make sure that you are in
the proper directory and that you don't overwrite
any existing files so take note of the file names,
if any, you see.
10) Type pico at the command line and type the following
two lines - hitting the enter key after each of them:
#!/bin/sh
/usr/local/etc/./logcheck.sh
If you are really lazy, you can download the script
I used on our RaQs at ftp://ftp.webokay.com/pub/
The script to run logcheck is called, you guessed
it, logcheck.
11) Save the file by holding down the control key (ctrl)
and touching the o (oh) key. You'll be asked for a
file name. logcheck would be a good choice. After
typing it just hit the return key. Then exit pico
by holding down the control (ctrl) key and touching
the x key.
12) Last, but not least, you need to make the crontab
executable. While root and still there in the
/etc/cron.hourly/daily directory, type the following
command:
/bin/chmod 700 logcheck
13) Logcheck is now fully functional and operating on
your server.
14) type exit at the prompt. This will put you back
in the admin account. Then type:
cd /home/sites/home/admin/
This will take you back to the directory where
the distribution was unpacked. Now all the files
and directories need to be removed. While there
are some tricks, one can quickly get into a
whole lot of trouble with the rm and the rmdir
command so I'm going to recommend that you
remove each file and directory individually and
that will take some time.
To remove a file simply type:
/bin/rm FILENAME
at the prompt. You'll need to do this for each file.
To remove the directories simply type:
/bin/rmdir DIRECTORYNAME
While there are a lot of tricks you can use to speed
things up, always remember that it is very easy to
get carried away. Thus, until you really have a
handle on things, the best way to proceed is the slow
but safe way - do each of them individually. You can
do a few today and a few tomorrow or whatever. Or
you can read the manual page (man rm man rmdir)
and learn a few shortcuts.
15) Last, but not least, I don't want my email sitting
on the Cobalts - any live server. A hacker can come
along and see what I'm doing if it is there so I added
a little procmailrc script to my admin account
which bounces all the mail directly to a special
account I use for this purpose. You may want to do
the same. If so, just type:
cd /home/sites/home/admin/
at the prompt. Then fire up pico or vi and create and
then save the following file as .procmailrc
:0:
youremail@xxxxxxxxxxx
This will cause all the email that is sent to your
admin account to be sent to youremail@xxxxxxxxxxx
Your ISP provided account will work nicely.
Feel free to modify, circulate, plagiarize or whatever... If
you have any problems with the install, I'll be more than happy to
help.
Running a server without at least some security monitoring
tools is not a good idea. You really need to install at least this,
perhaps a bit more. It's really not that hard. Just take your time
and things will most certainly go well.
Peace be with you,
Brent
Brent Sims
WebOkay Internet Services
http://www.WebOkay.net
Brent@xxxxxxxxxxx
(719) 595-1427 (Voice/Fax)