How to install and use AIDE (Advanced Intrusion Detection Environment) on CentOS 8

Ahead of the start of the "Linux Administrator" course, we have prepared a translation of some useful material.


AIDE stands for "Advanced Intrusion Detection Environment" and is one of the most popular tools for monitoring changes on Linux-based operating systems. It is a file integrity checker: it does not block anything itself, but it detects malware, rootkits and unauthorized modifications after the fact. To verify file integrity and spot intrusions, AIDE builds a database (baseline) of file metadata and checksums and compares the current state of the system against it. By pointing you straight at the files that have changed, AIDE cuts down the time needed to investigate an incident.

AIDE features:

  • Supports a wide range of file attributes, including: file type, inode, uid, gid, permissions, number of links, mtime, ctime and atime.
  • Support for Gzip compression, SELinux, XAttrs, POSIX ACLs and file system attributes.
  • Supports multiple checksum algorithms, including md5, sha1, sha256, sha512, rmd160, crc32, etc. In practice, use sha256 or sha512: md5, sha1 and crc32 are collision-prone and should not be relied on to detect a deliberate tamper.
  • Reports can be delivered by e-mail (when the check runs from cron, cron mails the output to the configured recipient).

In this article, we will look at how to install and use AIDE to detect intrusions on CentOS 8.

Prerequisites

  • A server running CentOS 8 with at least 2 GB of RAM.
  • Root access.

Getting started

It is a good idea to update the system first. To do this, run the following command:

dnf update -y

After the update, reboot the system so that the changes take effect.

Installing AIDE

AIDE is available in the default CentOS 8 repositories. You can install it simply by running the following command:

dnf install aide -y

Once the installation completes, you can check the AIDE version with this command:

aide --version

You should see output like the following:

Aide 0.16

Compiled with the following options:

WITH_MMAP
WITH_PCRE
WITH_POSIX_ACL
WITH_SELINUX
WITH_XATTR
WITH_E2FSATTRS
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_CURL
WITH_GCRYPT
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"

The available aide options can be listed as follows:

aide --help


Creating and initializing the database

The first thing to do after installing AIDE is to initialize it. Initialization builds the database (a snapshot) of the files and directories on the server that are selected by the rules in /etc/aide.conf; the stock CentOS 8 configuration covers system locations such as /boot, /bin, /sbin, /lib, /usr, /etc and /root, not every file on the disk.

To initialize the database, run the following command:

aide --init

You should see output like the following:

Start timestamp: 2020-01-16 03:03:19 -0500 (AIDE 0.16)
AIDE initialized database at /var/lib/aide/aide.db.new.gz

Number of entries:	49472

---------------------------------------------------
The attributes of the (uncompressed) database(s):
---------------------------------------------------

/var/lib/aide/aide.db.new.gz
  MD5      : 4N79P7hPE2uxJJ1o7na9sA==
  SHA1     : Ic2XBj50MKiPd1UGrtcUk4LGs0M=
  RMD160   : rHMMy5WwHVb9TGUc+TBHFHsPCrk=
  TIGER    : vkb2bvB1r7DbT3n6d1qYVfDzrNCzTkI0
  SHA256   : tW3KmjcDef2gNXYqnOPT1l0gDFd0tBh9
             xWXT2iaEHgQ=
  SHA512   : VPMRQnz72+JRgNQhL16dxQC9c+GiYB8g
             uZp6uZNqTvTdxw+w/IYDSanTtt/fEkiI
             nDw6lgDNI/ls2esijukliQ==


End timestamp: 2020-01-16 03:03:44 -0500 (run time: 0m 25s)

The command above creates a new database, aide.db.new.gz, in the /var/lib/aide directory. You can see it with this command:

ls -l /var/lib/aide

Output:

total 2800
-rw------- 1 root root 2863809 Jan 16 03:03 aide.db.new.gz

AIDE will not use this new file until it is renamed to aide.db.gz, the path given by the database= directive in /etc/aide.conf (database_out= names the file that --init and --update write). Rename it as follows:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Refresh this database deliberately after every reviewed, legitimate change (package updates, configuration edits), so that genuine changes are not buried in noise from an out-of-date baseline.

You can change the database location by editing the DBDIR parameter in /etc/aide.conf.

Running a scan

AIDE is now ready to use the new database. Run a first AIDE check without changing anything:

aide --check

This command takes a while, depending on how many files the configuration selects and how much RAM the server has. When the scan completes, you should see the following:

Start timestamp: 2020-01-16 03:05:07 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

The output above means that all monitored files and directories match the AIDE database.

Testing AIDE

By default, AIDE does not monitor Apache's document root, /var/www/html. Let's configure AIDE to watch it. To do this, edit the /etc/aide.conf file:

nano /etc/aide.conf

Add the following line above the existing "/root CONTENT_EX" line:

/var/www/html/ CONTENT_EX
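The single selection line above puts the web root under the stock CONTENT_EX group. The shell functions below are an added example, not part of the original article, showing what a fuller rule set for that directory looks like: a custom group (named WebContent here, an assumed name) that hashes with sha256 and records ownership, mode and security labels but skips atime, negative rules that exclude volatile paths (the cache and uploads directories are assumptions for illustration), a helper that counts the resulting selection lines, and a parse-only validation with `aide --config-check`. Pass it a copy of /etc/aide.conf to try it without touching the live configuration.

```shell
# Added example, not from the original article. Assumptions: aide 0.16 at
# /usr/sbin/aide; the group name WebContent and the cache/uploads paths are
# illustrative. Usage: sh aide-web-rules.sh /path/to/aide.conf
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"

# Append a rule group and selection lines for the web root to a config file.
add_web_rules() {
  conf="$1"
  cat >>"$conf" <<'EOF'

# --- web content (added) -----------------------------------------------
# Hash with sha256 (not md5/sha1/crc32) and record type, mode, inode,
# link count, owner, size, mtime, ctime and security labels. atime is
# left out on purpose: merely reading a file changes it and would make
# every scan noisy.
WebContent = sha256+ftype+p+i+n+u+g+s+m+c+acl+selinux+xattrs
# Selection lines are regexes anchored at the start of the path.
# A leading "!" excludes a path and everything below it; use it for
# directories whose contents are expected to churn.
!/var/www/html/cache
!/var/www/html/uploads
# Everything else under the web root is static and must not change.
/var/www/html/ WebContent
EOF
}

# Count the selection lines (regular "/", negative "!/" and equals "=/")
# in a config, so the effect of an edit can be eyeballed before running aide.
count_selectors() {
  grep -cE '^[=!]?/' "$1"
}

# Parse-only run: a non-zero status means aide rejected the configuration.
check_conf() {
  "$AIDE_BIN" --config-check --config="$1"
}

if [ $# -eq 1 ]; then
  add_web_rules "$1"
  echo "selection lines now in $1: $(count_selectors "$1")"
  check_conf "$1"
fi
```

After changing selection rules, rebuild or update the baseline; on the first check every newly covered file is reported as "Added", which is expected and not a sign of compromise.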

Next, create a file named aide.txt in /var/www/html/ with this command:

echo "Test AIDE" > /var/www/html/aide.txt

Now run an AIDE check and confirm that the new file is detected:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:09:40 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The newly created file aide.txt has been detected.
Once you have reviewed the reported changes and confirmed they are legitimate (here we created the file ourselves), update the AIDE database. Never run --update simply to silence a report you cannot explain: the unexplained change would become part of the new baseline.

aide --update

After the update you will see the following:

Start timestamp: 2020-01-16 03:10:41 -0500 (AIDE 0.16)
AIDE found differences between database and filesystem!!
New AIDE database written to /var/lib/aide/aide.db.new.gz

Summary:
  Total number of entries:	49475
  Added entries:		1
  Removed entries:		0
  Changed entries:		0

---------------------------------------------------
Added entries:
---------------------------------------------------

f++++++++++++++++: /var/www/html/aide.txt

The command above writes a new database, aide.db.new.gz, to the /var/lib/aide/ directory.

You can see it with this command:

ls -l /var/lib/aide/

Output:

total 5600
-rw------- 1 root root 2864012 Jan 16 03:09 aide.db.gz
-rw------- 1 root root 2864100 Jan 16 03:11 aide.db.new.gz

Now rename the new database so that AIDE uses it as the baseline for future checks:

mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run the check again to confirm that AIDE is using the new database:

aide --check

You should see the following output:

Start timestamp: 2020-01-16 03:12:29 -0500 (AIDE 0.16)
AIDE found NO differences between database and filesystem. Looks okay!!

Automating the check

It is good practice to run the AIDE check every day and have the report delivered to you. This can be automated with cron.

nano /etc/crontab

To run the AIDE check every day at 10:15, add this line at the end of the file:

15 10 * * * root /usr/sbin/aide --check

Cron mails whatever the job prints to the address in MAILTO (root by default), so you will now receive the AIDE report by e-mail; this needs a local MTA such as postfix to be installed and running. You can read root's mailbox with this command:

tail -f /var/mail/root

AIDE also writes its report to the file named by report_url in /etc/aide.conf (by default /var/log/aide/aide.log), which you can follow with:

tail -f /var/log/aide/aide.log
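The crontab line above mails whatever aide prints, every day, whether or not anything changed, and says nothing about why a run failed. The wrapper below is an added example (not from the original article) of what typically sits behind that cron entry instead: it stores each report under a timestamped name, decodes aide's exit status (a bitmask documented in aide(1): 1 = new files, 2 = removed files, 4 = changed files, 14 and above = errors), logs a one-line summary to syslog, mails the full report only when there is something to look at, and deliberately never runs --update on its own. The aide path, the report directory, mailx's `mail` command and the recipient are assumptions to adjust; the embedded Summary block is a constructed sample for trying the parser offline.

```shell
# Added example, not from the original article. Assumptions: aide 0.16 at
# /usr/sbin/aide, reports kept under /var/log/aide, mailx "mail" available,
# recipient root. Cron usage: 15 10 * * * root /usr/local/sbin/aide-check.sh --run
AIDE_BIN="${AIDE_BIN:-/usr/sbin/aide}"
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"
MAIL_TO="${MAIL_TO:-root}"

# aide(1): 0 = no differences; bits 1 (new), 2 (removed) and 4 (changed)
# combine when differences are found; 14 and above are error codes.
aide_exit_desc() {
  code="$1"
  if [ "$code" -eq 0 ]; then echo "no differences"; return 0; fi
  if [ "$code" -ge 14 ]; then
    case "$code" in
      14) echo "error writing database" ;;
      15) echo "invalid argument" ;;
      16) echo "unimplemented function" ;;
      17) echo "configuration error" ;;
      18) echo "io error" ;;
      19) echo "version mismatch" ;;
      *)  echo "unknown error ($code)" ;;
    esac
    return 0
  fi
  desc=""
  if [ $(( $code & 1 )) -ne 0 ]; then desc="added"; fi
  if [ $(( $code & 2 )) -ne 0 ]; then desc="${desc}${desc:+ }removed"; fi
  if [ $(( $code & 4 )) -ne 0 ]; then desc="${desc}${desc:+ }changed"; fi
  [ -n "$desc" ] || desc="unexpected status ($code)"
  echo "$desc"
}

# Reduce the Summary block of a report to "added=N removed=N changed=N".
summarize_report() {
  awk '
    /^  Added entries:/   { a = $NF }
    /^  Removed entries:/ { r = $NF }
    /^  Changed entries:/ { c = $NF }
    END { printf "added=%s removed=%s changed=%s\n", a+0, r+0, c+0 }
  ' "$1"
}

# Constructed sample of the Summary block aide prints (not real output),
# used to exercise summarize_report without running aide.
SAMPLE_REPORT='Summary:
  Total number of entries:    49475
  Added entries:              1
  Removed entries:            0
  Changed entries:            2'

run_check() {
  mkdir -p "$REPORT_DIR"
  report="$REPORT_DIR/check-$(date +%Y%m%d-%H%M%S).txt"
  # A non-zero status is aide's normal way of saying "something changed",
  # so capture it instead of letting the script abort on it.
  if "$AIDE_BIN" --check >"$report" 2>&1; then rc=0; else rc=$?; fi
  status=$(aide_exit_desc "$rc")
  logger -t aide-check "exit=$rc ($status) $(summarize_report "$report") report=$report"
  if [ "$rc" -ne 0 ]; then
    mail -s "AIDE on $(hostname): $status" "$MAIL_TO" <"$report"
  fi
  # Deliberately no "aide --update" here: the baseline is refreshed by a
  # person after the report has been reviewed, otherwise an intruder's
  # changes would quietly become the new normal.
  return "$rc"
}

if [ "${1:-}" = "--run" ]; then
  run_check
fi
```

Because the exit status distinguishes "files changed" from "configuration error" or "io error", a monitoring system can alert differently on an error (the check silently stopped working) than on a detection, which a plain mail of the report does not allow.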

Conclusion

In this article you have learned how to use AIDE to monitor file changes and detect unauthorized access to a server. For further options, edit the /etc/aide.conf configuration file. For security reasons, keep the database and the configuration file (and ideally the aide binary itself) on read-only media or on another host: an intruder with root access can otherwise rewrite the baseline so that their changes go unreported. More information can be found in the AIDE documentation.


Source: www.habr.com
