
Re: [cobalt-users] PortSentry and Logcheck ?



Man Brent, you are too cool! Thanks for the detailed instructions; this
newbie definitely sends you his gratitude and many thanks!! Let us know how
PortSentry works out for you; I might bother you for the install on that one
(please :o)). Saw you mention Pico; where can one find it, and how easy is it to
install?

You're my hero! LOL

Frank
----- Original Message -----
From: "Brent Sims" <brent@xxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Sunday, June 04, 2000 5:39 PM
Subject: Re: [cobalt-users] PortSentry and Logcheck ?


> On Sun, 4 Jun 2000, Diana Brake so wrote:
>
> } Please count me as a person who would be eternally grateful for such
> } instructions...:)
>
> Okay, let's do logcheck first. Installing it is as easy as
> pie. Thus it is a good one to start with. I'd recommend that you
> read the documentation first. While there are quite a few steps,
> most of them are the result of my liking to talk a lot. This is
> really a very very easy install. There's little or no chance of
> doing any damage to your system if you just take your time and
> carefully follow the instructions.
>
> I stay pretty busy so it might be a week or so before I do
> portsentry but, after doing this one, you really ought to be able to
> do portsentry on your own. It's not much more difficult at all.
>
> 1) head over to http://www.psionic.com/abacus/logcheck/
>    and download yourself a copy of the current release.
>            While you are there subscribe to the announcement
>            list as you most certainly want to know when updates
>            are released. Always update security related items
>    whenever a new update is released.
>
> 2) After you download the distribution FTP it over to
>            your Cobalt RaQ server. Get in the habit of building
>            software from a non-privileged user account. Your
>            admin account will do quite nicely. Just fire up your
>            favorite FTP client, login into your admin account
>    and transfer the distribution to your server. The
>            default directory - the first one you see when you
>            login - will do quite nicely.
>
> 3) After FTPing the distribution to your server telnet
>            into your server - again, use the admin account.
>            Odds are that you'll automatically end up right
>            where you need to be. If not, just issue the
>    following command:
>
>    cd /home/sites/home/admin/
>
>    Quite simply, you want to be in the directory where
>            you uploaded the Logcheck distribution to. You may
>            have to root around a bit to find it.
>
>         4) When you are in the directory where the logcheck
>            distribution is, issue the following commands, in
>    this order, to unpack the distribution:
>
>    gunzip logcheck-1.1.1.tar.gz
>    tar xf logcheck-1.1.1.tar
>
> 5) Now type cd logcheck-1.1.1/  to move to the newly
>            created directory in which logcheck's source files
>            will be found. Then type ls so you can see what's
>            there. Then su to root and simply type:
>
>    make generic  (I used generic, I believe linux
>                           will work too but I haven't tried
>                           it myself).
>
>    at the command line and hit enter. It will take a
>            few seconds to compile and install the program.
>            Then type:
>
>    make install
>
> 6) You'll need to edit one (1) line on the logcheck.sh
>            file in order to make it work. You'll find this file
>    in /usr/local/etc  so just type cd /usr/local/etc/
>            at the command prompt and hit enter. If you then
>            do a ls at the command line and hit enter you should
>    be able to see a file named logcheck.sh
>
> 7) Open logcheck.sh in an editor. Both vi and pico are
>            installed on my RaQ2. vi is The "Editor" that Unix
>            system admins prefer but it can be a bit difficult
>            to deal with at first. So you might try pico if you
>            are not handy with vi. Just type pico logcheck.sh
>    at the command line. Then use the arrow keys to scroll
>            to the line that reads:
>
>    # Person to send log activity to.
>            SYSADMIN=root
>
>    And change root to the user name for your admin account,
>    which is probably admin. Then save the file by holding
>            down the control key (ctrl) and touching the o (oh)
>            key and hitting return.
>
> 8) logcheck is now installed on your RaQ.
>
> 9) logcheck needs to be run from cron. To make this happen
>            all you need to do is install an itty bitty little script
>            in the crontab of your choice. You have quite a few
>            choices on the RaQ. At the very least I recommend that
>            you run logcheck once each day. I personally run it
>            each and every hour on the servers here. Each time
>            it runs it will send you an email so you might want
>            to think this out a bit. Installing the crontab is
>            as easy as pie. Since you should run it every hour
>            I use the hourly crontab as an example: While still
>    root, type     cd /etc/cron.hourly     if you want to
>            run it daily type cd /etc/cron.daily
>
>    Now do an ls  We want to make sure that you are in
>            the proper directory and that you don't overwrite
>            any existing files so take note of the file names,
>            if any, you see.
>
> 10) Type pico at the command line and type the following
>             two lines - hitting the enter key after each of them:
>
>     #!/bin/sh
>     /usr/local/etc/logcheck.sh
>
>      If you are really lazy, you can download the script
>              I used on our RaQs at ftp://ftp.webokay.com/pub/
>              The script to run logcheck is called, you guessed
>              it, logcheck.
>
>   11)  Save the file by holding down the control key (ctrl)
>              and touching the o (oh) key. You'll be asked for a
>              file name. logcheck would be a good choice. After
>              typing it just hit the return key. Then exit pico
>              by holding down the control (ctrl) key and touching
>              the x key.
>
> 12)  Last, but not least, you need to make the crontab
>      executable. While root and still there in the
>              /etc/cron.hourly/daily directory, type the following
>              command:
>
>      /bin/chmod 700 logcheck
>
> 13)  Logcheck is now fully functional and operating on
>              your server.
>
> 14)  type exit at the prompt. This will put you back
>              in the admin account. Then type:
>
>      cd /home/sites/home/admin/
>
>      This will take you back to the directory where
>              the distribution was unpacked. Now all the files
>              and directories need to be removed. While there
>              are some tricks, one can quickly get into a
>              whole lot of trouble with the rm and the rmdir
>              command so I'm going to recommend that you
>              remove each file and directory individually and
>              that will take some time.
>
>      To remove a file simply type:
>
>      /bin/rm FILENAME
>
>      at the prompt. You'll need to do this for each file.
>
>      To remove the directories simply type:
>
>       /bin/rmdir DIRECTORYNAME
>
>      While there are a lot of tricks you can use to speed
>              things up, always remember that it is very easy to
>              get carried away. Thus, until you really have a
>              handle on things, the best way to proceed is the slow
>              but safe way - do each of them individually. You can
>              do a few today and a few tomorrow or whatever. Or
>              you can read the manual page (man rm    man rmdir)
>              and learn a few shortcuts.
>
> 15)  Last, but not least, I don't want my email sitting
>              on the Cobalts - any live server. A hacker can come
>              along and see what I'm doing if it is there so I added
>              a little procmailrc script to my admin account which
>              bounces all the mail directly to a special
>              account I use for this purpose. You may want to do
>              the same. If so, just type:
>
>         cd /home/sites/home/admin/
>
>      at the prompt. Then fire up pico or vi and create and
>              then save the following file as .procmailrc
>
>      # "! address" is procmail's forward action; a bare address after
>      # ":0:" would instead be treated as a mailbox file name
>      :0
>      ! youremail@xxxxxxxxxxx
>
>              This will cause all the email that is sent to your
>              admin account to be sent to youremail@xxxxxxxxxxx
>              Your ISP provided account will work nicely.
>
> Feel free to modify, circulate, plagiarize or whatever... If
> you have any problems with the install, I'll be more than happy to
> help.
>
> Running a server without at least some security monitoring
> tools is not a good idea. You really need to install at least this,
> perhaps a bit more. It's really not that hard. Just take your time
> and things will most certainly go well.
>
> Peace be with you,
>
> Brent
>
> Brent Sims
> WebOkay Internet Services
> http://www.WebOkay.net
> Brent@xxxxxxxxxxx
> (719) 595-1427 (Voice/Fax)
>
>
>
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
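The steps quoted above cover installing and scheduling logcheck but not what the hourly mail actually contains. The following is an added example, not code from the original post or from the logcheck distribution: a small POSIX shell model of the filtering that logcheck.sh performs, run over a constructed log excerpt. The keyword-file names follow logcheck's own (logcheck.hacking, logcheck.violations, logcheck.violations.ignore, logcheck.ignore), but every pattern, log line and function name here is an assumption made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from the logcheck
# distribution: a self-contained model of the triage that logcheck.sh
# performs each time cron runs it. The keyword-file names follow
# logcheck's (hacking / violations / violations.ignore / ignore), but
# every pattern and log line below is constructed for this demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample syslog excerpt (not captured from a real RaQ).
cat > "$WORK/messages" <<'EOF'
Jun  4 17:39:01 raq2 CROND[1234]: (root) CMD (/etc/cron.hourly/logcheck)
Jun  4 17:40:12 raq2 in.telnetd[1301]: connect from 10.0.0.5
Jun  4 17:40:15 raq2 login: FAILED LOGIN 1 FROM 10.0.0.5 FOR admin, Authentication failure
Jun  4 17:41:02 raq2 portsentry[201]: attackalert: Connect from host: 10.0.0.9/10.0.0.9 to TCP port: 143
Jun  4 17:42:30 raq2 sendmail[1410]: from=<frank@example.com>, size=1022, stat=Sent
Jun  4 17:43:00 raq2 su: admin to root on /dev/ttyp0
Jun  4 17:44:10 raq2 kernel: eth0: link up
EOF

# Keyword files. Real logcheck ships its own lists; these are assumed.
printf '%s\n' 'attackalert' 'ATTACK' > "$WORK/logcheck.hacking"
printf '%s\n' 'FAILED LOGIN' 'su:' 'denied' 'refused' > "$WORK/logcheck.violations"
# Violations that are expected on this host and should not be reported.
printf '%s\n' 'su: admin to root' > "$WORK/logcheck.violations.ignore"
# Routine noise that should never be reported at all (basic regexps).
printf '%s\n' \
  'CROND\[[0-9]*\]: (root) CMD' \
  'sendmail\[[0-9]*\]: .*stat=Sent' \
  'kernel: eth0: link up' > "$WORK/logcheck.ignore"

# Each function prints its report section. "|| true" keeps an empty
# section from looking like an error (grep exits 1 when nothing matches).
active_attacks() {
    grep -i -f "$WORK/logcheck.hacking" "$WORK/messages" || true
}

security_violations() {
    grep -i -f "$WORK/logcheck.violations" "$WORK/messages" \
        | grep -v -f "$WORK/logcheck.violations.ignore" || true
}

# Everything not on the ignore list: this is where unknown events surface,
# and also where an over-broad ignore pattern quietly hides real problems.
unusual_events() {
    grep -v -f "$WORK/logcheck.ignore" "$WORK/messages" || true
}

# Assemble the report the way the cron job would hand it to mail.
report() {
    printf 'Active System Attack Alerts\n=-=-=-=-=-=-=-=-=-=-=-=-=-=\n'
    active_attacks
    printf '\nSecurity Violations\n=-=-=-=-=-=-=-=-=-=\n'
    security_violations
    printf '\nUnusual System Events\n=-=-=-=-=-=-=-=-=-=-=\n'
    unusual_events
}

report
```

Two things the quoted steps leave implicit. First, the real logcheck.sh only examines lines added since its previous run (it records a file offset with the bundled logtail utility), which is why an hourly schedule does not re-send old events. Second, everything hinges on the ignore lists: in the sample, the su to root is dropped from the violations section by logcheck.violations.ignore but still appears under unusual events because nothing in logcheck.ignore matches it, whereas a pattern in logcheck.ignore that is too broad would silently drop exactly the lines the tool was installed to surface.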