Monday, October 23, 2023

DHCP deleting custom entries in /etc/resolv.conf file

 

If you are working on cloud environments like AWS, OCI you might have come across a requirement where you need to add custom settings on DNS like name servers, search domains and so on. Any changes to /etc/resolv.conf or the network configuration files will be reverted by the DNS server associated with the cloud virtual network.

 

There are many ways to set custom DNS settings and make sure it’s not overridden by DHCP. Using Dhclient supersede option is one of the best methods.

 

The dhclient.conf file allows you to configure various options for the DHCP client (dhclient) that controls how your system obtains IP addresses and network configuration information from DHCP servers. The supersede directive is used to override and modify DHCP options that are provided by the DHCP server. It allows you to replace or supplement the DHCP options with your own settings.

 

Below, I'll explain how to use the supercede directive in the dhclient.conf file.

 

Config file: /etc/dhcp/dhclient.conf

 

Basic Syntax with usage:

interface "<INTERFACE>" {

supersede domain-search "<OPTION-NAME>", "OPTION-VALUE";

}

 

Example: If you want to set a custom DNS server on Oracle Linux 8.8, you may use dhclient supersede option as follows:

 

interface "ens3" {

supersede domain-name-servers 8.8.8.8;

}

 

You should reboot the server to see this is action or you can manually set the /etc/resolv.conf file with the required DNS but during the next DHCP renewal, dhclient will check the configuration file and update the superseded value for the DNS name server in /etc/resolv.conf.

 

You can supersede a number of DHCP options in the dhclient.conf file. Here's a list of DHCP options that can be superseded, along with their descriptions:

 

1.     subnet-mask: Specifies the subnet mask for the client's IP address.

2.     broadcast-address: Defines the broadcast address for the client's subnet.

3.     routers: Sets the default gateway or router for the client.

4.     domain-name-servers: Specifies the DNS servers used by the client.

5.     domain-name: Specifies the domain name for the client's network.

6.     domain-search: Specifies the domain search list for the client.

7.     host-name: Sets the hostname for the client.

8.     ntp-servers: Specifies the Network Time Protocol (NTP) servers used for time synchronization.

9.     netbios-name-servers: Specifies the NetBIOS name servers for Windows networking.

10.  netbios-scope: Defines the NetBIOS scope for Windows networking.

11.  interface-mtu: Sets the Maximum Transmission Unit (MTU) for the client's network interface.

12.  domain-name-servers-append: Appends DNS servers to the list provided by the DHCP server.

13.  classless-static-routes: Specifies static routes for the client.

14.  nis-domain: Sets the Network Information Service (NIS) domain.

15.  nis-servers: Specifies NIS servers for the client.

16.  nisplus-domain: Sets the NIS+ domain.

17.  nisplus-servers: Specifies NIS+ servers for the client.

18.  nisplus-client: Configures the NIS+ client settings.

19.  slp-directory-agent: Specifies Service Location Protocol (SLP) directory agents.

20.  slp-service-scope: Defines the SLP service scope.

21.  ldap-servers: Specifies LDAP (Lightweight Directory Access Protocol) servers.

22.  ldap-base-dn: Sets the LDAP base domain name.

23.  ldap-raid-info: Configures LDAP RAID (Redundant Array of Independent Disks) information.

24.  vivso: Supports Vendor-Identifying Vendor Specific Options (VIVSO).

These options can be superseded in the dhclient.conf file to customize the client's network configuration. Keep in mind that not all of these options may be present in your DHCP server's response. It's essential to understand which options are provided by your DHCP server and which ones you need to supersede to meet your network's specific requirements.

Wednesday, October 18, 2023

Intrusion Detection and Integrity Checks with AIDE in Linux

 Advanced Intrusion Detection Environment (AIDE) is an open-source utility designed to monitor and protect the integrity of files on a Linux system. AIDE creates a database of file attributes and uses it to perform regular checks for changes, additions, or deletions in system files, alerting you to potential security breaches. When properly used AIDE helps to protect the system internally, by providing a layer of protection against viruses, rootkits, malware, and detection of unauthorized activities.

 

Why Use AIDE?

  1. Detect Unauthorized Changes: AIDE can identify unauthorized changes to critical system files, helping you catch intrusion attempts promptly.
  2. File Integrity Monitoring: It offers continuous file integrity monitoring, making it ideal for ensuring the stability and security of your server.
  3. Customizable Rules: AIDE allows you to define specific rules for monitoring, tailoring its functionality to your unique server environment.
  4. Alerts and Reports: It generates detailed reports and alerts when changes are detected, making it easier to respond to security incidents.

 

Install AIDE

AIDE is readily available in all the operating system software repositories.

 

# yum install aide


Initilize AIDE

Check if the AIDE database is created and initialized using:

 

# aide --check

 

You might end up with the below error, its because the AIDE database has not been created and initialized.

 

[root@delme ~]# aide --check

Couldn't open file /var/lib/aide/aide.db.gz for reading

 


Create and Initialize AIDE Database using:

 

# aide --init

 

Initializing the AIDE database will take some time as its building a database with entries of the files in the server for integrity checks.

 


As you can see from the logs, the new AIDE DB has been created at ‘/var/lib/aide/aide.db.new.gz’.

 

            [root@delme ~]# aide --init

Start timestamp: 2023-10-17 17:19:48 +0000 (AIDE 0.16)

AIDE initialized database at /var/lib/aide/aide.db.new.gz

 

 

Running the AIDE check now will again error out because the AIDE is still not in the location AIDE needs it to be.

 

[root@delme ~]# aide --check

Couldn't open file /var/lib/aide/aide.db.gz for reading

 

We need to rename the AIDE created in the initialization step as follows:

 

            # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

 

Running an AIDE check should complete successfully.

 

[root@delme ~]# aide --check

Start timestamp: 2023-10-18 09:34:17 +0000 (AIDE 0.16)

AIDE found differences between database and filesystem!!

 

Summary:

  Total number of entries:    152841

  Added entries:         0

  Removed entries:       0

  Changed entries:       2

 

---------------------------------------------------

Changed entries:

---------------------------------------------------

 

f   ...    .C... : /root/dead.letter

f           C    : /var/spool/anacron/cron.daily

 

---------------------------------------------------

Detailed information about changes:

---------------------------------------------------

 

File: /root/dead.letter

  SHA512   : jdMY+0A4RF8MDhMhdE1GvbQbxo695cYf | Q9XC53FBoeyLpzXe7bcUvEex0C/EwNZq

             KoS4la95t3np7LxoeMmH943uDFipAq8d | v1BNdB8ZlDwIgMTemCoUSeOWtz1CowZ3

             Q3VgvcerraMGjo6TVP1FHg==         | G/nTFnnCNr9ihxO/NGeTtg==

 

File: /var/spool/anacron/cron.daily

  SHA512   : MAp+To9ckjKmE7nZl5/J5M9EXxsgks8O | BsPYbhD/SXkrAdJ4Z4V6ng7BhrFJmqeZ

             wv/5ABt5bMMxWkrjOci3mQhRKfOoNV/h | IJ87kg0X3xVlJYrXV9MR7+0BJ90/0wg2

             eQBfHpitQxsAY2867cU2FQ==         | TI+f0QyA7lChmEYPer2QxQ==

 

---------------------------------------------------

The attributes of the (uncompressed) database(s):

---------------------------------------------------

/var/lib/aide/aide.db.gz

  MD5      : fkL+BqnpQdU/i6i3Y3kYqg==

  SHA1     : soqet8oNzHlY9RyDvmHxkqqHY50=

  RMD160   : yIFtCdBrYrt8XY0YipYaMMLP6N0=

  TIGER    : Cbz88BLcGNlurtyIUeizs8KOjof0vc97

  SHA256   : mZK5eTK5nHYDxp/Q7bpCjBtZXa8o8jTx

             INo+S3qXTVE=

  SHA512   : ASgbZO1egNtthUi4TkMqDuQFpKwUr7bh

             SHkdcSscF6rN2p0EKqdd27qmjDf3cr7X

             nCuHDXZrTfYwPSy46KGfdQ==

 

End timestamp: 2023-10-18 09:34:49 +0000 (run time: 0m 32s)

[root@delme ~]#

 

As you can see AIDE has detected 2 changes in the system since the DB is initialized/updated. Review those changes and make sure everything is fine.

 

Once verified, you should update the AIDE DB to include the known changes using the --update command option.

 

However, if there are changes in the filesystem, which is usually the case when you update the DB, AIDE will create a new DB as follows. You need to back up the old and rename the newly generated one to be the main db.

 

[root@delme ~]# aide --update

Start timestamp: 2023-10-18 09:44:02 +0000 (AIDE 0.16)

AIDE found differences between database and filesystem!!

New AIDE database written to /var/lib/aide/aide.db.new.gz

 

Summary:

  Total number of entries:    152841

  Added entries:         0

  Removed entries:       0

  Changed entries:       2

 

Rename the AIDE Db to include newly modified/added files:

 

# mv /var/lib/aide/aide.db.gz /var/lib/aide/aide.db.$(date +%d%m%y%H%M).gz

 

# mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

 

Running a check again should give you a clean summary provided there are no further changes in the system.

 

AIDE configuration

AIDE’s configuration file is /etc/aide.conf file. You can customize the rules for file monitoring based on your needs. For example, you can add or exclude specific directories or files from monitoring.

The AIDE confirmation file contains the directives that defines the database location, where the new database be created when running an update, default rules, files and directories to be included in the database for monitoring and so on.

 

The following are the default rules, that can be applied to the files and directories to be added to the DB.

#p:      permissions

#i:      inode:

#n:      number of links

#u:      user

#g:      group

#s:      size

#b:      block count

#m:      mtime

#a:      atime

#c:      ctime

#S:      check for growing size

#acl:           Access Control Lists

#selinux        SELinux security context

#xattrs:        Extended file attributes

#md5:    md5 checksum

#sha1:   sha1 checksum

#sha256:        sha256 checksum

#sha512:        sha512 checksum

#rmd160: rmd160 checksum

#tiger:  tiger checksum

 

#haval:  haval checksum (MHASH only)

#gost:   gost checksum (MHASH only)

#crc32:  crc32 checksum (MHASH only)

#whirlpool:     whirlpool checksum (MHASH only)

 

#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5

#L:             p+i+n+u+g+acl+selinux+xattrs

#E:             Empty group

#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs

 

 

You can create custom rules of your choice using the above default rules.

There are few custom rules already in the configuration file as follows.

 

# NORMAL = R+sha512

NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512

 

# For directories, don't bother doing hashes

DIR = p+i+n+u+g+acl+selinux+xattrs

 

# Access control only

PERMS = p+u+g+acl+selinux+xattrs

 

# Logfile are special, in that they often change

LOG = p+u+g+n+S+acl+selinux+xattrs

 

# Content + file type.

CONTENT = sha512+ftype

 

# Extended content + file type + access.

CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs

 

# Some files get updated automatically, so the inode/ctime/mtime change

# but we want to know when the data inside them changes

DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha512

 

You may define rules to watch files and directories. The configuration file contains several default rules that does a job of monitoring files, but you are free to tweak.

 

An example rule set:

Check everything for all files under the /root directory with the exception of checking for permissions only for the hidden files under /root.

 

            /root/\..* PERMS

     /root   CONTENT_EX

 

Use the following to help you detect any changes in data inside all files/directory under /etc/.

 
        /etc/   DATAONLY 

 

You may specify to ignore files and directories using “!” as follows:

            # Files under there directores are too volatile, hence do not include in the AIDE database

!/usr/src

!/usr/tmp

 

Some thoughts on setting up the AIDE rules

There are currently thirteen attributes that AIDE can log including permissions, owner, group, size, all three timestamps (atime, ctime, and mtime), plus lower-level stuff like inode, block count and number of links .

You need to review the rules in the AIDE configuration file and set proper regular expression matching the files you need to monitor is key to effective use of AIDE. If you are monitoring too many file and directories you might end up with extremely long logs to go through. On the other hand a narrow set of rules could risk missing an important change on your system.

 

Run System Integrity Checks Frequently

AT the very minimum AIDE should be configured to run every week or ideally everyday. You could setup a cornjob as follows.

        0 0 * * * /usr/sbin/aide --check

 



Tuesday, October 17, 2023

How to remove malwares and virus from Linux servers

 

Linux servers are renowned for their resilience and security. However, even the most robust systems can fall prey to malware. When malicious software breaches your Linux server's defences, knowing how to eliminate it is paramount. In this comprehensive guide, we will walk you through the steps necessary to remove malware from your Linux server, including utilizing the helpful tools like 'rkhunter', 'clamav'.

 

However, prevention is better than cure. We will take a quick look into few other tools like 'Snort' for intrusion detection and 'Aide' for system integrity checks.

 

1. Isolate and Assess the Damage

Your initial step when dealing with malware is to isolate the infected server. Disconnect it from the network to prevent further contamination and assess the extent of the damage. Look for signs of unauthorized access, altered or deleted files, and unusual system behavior.

 

2. Identify the Malware

Accurate identification of the malware is crucial. Use trusted antivirus or anti-malware tools compatible with Red Hat Linux, such as ClamAV or rkhunter, to scan your server. These tools can detect known malware signatures, though be mindful of false positives when taking action.

 

2.1 Install ClamAV Antivirus and scan the server.

You need to enable the EPEL repository for installing software like ClamAV and rkhunter.

 

    # yum --enablerepo ol8_developer_EPEL install clamav clamav-update

 

Once installed you need to update the ClamAV antivirus database using:

 

# freshclam 

 

 

Then, you should do a full scan of the server using the following command:

 

        # clamscan -r /

 

ClamAV will print a scan summary after the scan is finished.

 

2.2. Install rkhunter and scan the server

The 'rkhunter' is a specialized tool for detecting rootkits and other intrusions. This tool is adept at detecting rootkits, which are often used by malware to maintain unauthorized access to a system. 'RkHunter' can provide an extra layer of security by identifying any suspicious activities.

 

You can install it on your Linux server using (RedHat based falvours):

 

# yum --enablerepo ol8_developer_EPEL install rkhunter

 

Scan your server for rootkits and malwares using:

 

# rkhunter --check

 

The RkHunter will first analyse the system binaries, libraries and strings for any known infections. Then it will check for rootkits, ports known for being used for trojans and backdoors, start-up files for malwares and so on. It will also perform various other security checks on the server. 

 

And finally, it will print a summary of the results.

 


3. Quarantine and Backup

Once the malware is identified, quarantine infected files.

Take backups of important files before any further actions, but keep in mind that the backed up files could be infected. Backups serve as a safety net, allowing you to recover in case of unforeseen issues during the removal process.

 

4. Manual Inspection

Some malware may evade automated detection. Thoroughly inspect critical system files and directories manually. Look for suspicious changes, new files, or unexpected processes running on your Linux server.

 

5. Disable Unnecessary Services

Disable or shut down any unnecessary services or applications on your server. Malware often exploits vulnerabilities in these services. Keep your software and the operating system of the server up to date to patch known vulnerabilities.

 

6. Remove Malicious Code

If you've identified the malware's code within your server, remove it. Caution is crucial during this process, as editing system files can be risky. Seek expert advice if you're uncertain.

 

7. User Accounts and Permissions

Review user accounts and permissions on your Linux server. Disable or remove suspicious or unnecessary accounts. Reset the passwords for all accounts and enforce strong password policies.


8. Intrusion Detection System

Implement an Intrusion Detection System (IDS) to monitor server activity and detect any unusual behavior. Linux supports various IDS solutions; you can consider using Snort or Suricata.

 

We shall review how to install and configure Snort on Linux systems on another post.

 

9. System Integrity Checks

Regularly perform system integrity checks on your Linux server using tools like AIDE (Advanced Intrusion Detection Environment) to detect any file changes.

 

# yum install aide

 


Initialize aide database

# aide --init

 

 

Check for any changes in the system using the following command.

 

# aide --check 

 

As you can see I created a file testfile.txt and aide detected it.

 

At times, the only option would be to restore from a good known backup or rebuilding the system from scratch. Prevention is always better than cure and you should follow all the security best practices like applying patches, updates and making use of good AntiVirus, Rootkit, IDS are crucial steps. Always prioritize proactive security measures to protect your server.