In message <199701011435.JAA01074@sparc.south-border.com>, The Unseen slapped a few random keys to produce:
>In message <3.0.32.19961231145712.00a49df8@lexicon.ins.com>, Brad Daugherty slapped a few random keys to produce:
>>>> I don't see how CDROM provides significant advantages on a WEB server
>>>> "graffiti" attack.
>>
>>In order to avoid graffiti try something like this:
>>
>>1) Write a program that checks the size/date of the WWW directory.
>>   If it fails have it kill the WWW server
>>   and send email to the admin.
>>2) Setup a CRON job to run the program every 15 min.
>>
>>If a hacker is good enough they will find it, but who would be looking
>>for such a random thing?
>>
>>Just make sure you change the size whenever you make a change to your
>>documents.
>
>Or better yet, incorporate tripwire with MD5 file signatures into this
>scheme instead of rolling your own. Use perl to scan for particular files
>that may have changed, taking guestbooks ("public" growable files) into
>account.
>
>Ian
Unusual for me to answer my own E-mail... 8-)
Here's my donation... (no flames please) Please keep in mind that
I just created this off the top of my head. You are more than welcome
to alter/tailor to your needs...
Ian
-------
#!/usr/local/bin/perl
#
# The purpose of this script is to help secure our WWW files
# from graffiti. We are going to use tripwire to help us keep
# track of file signatures and alert us when there are major
# inconsistencies that may result from someone trying to hack
# our site.
#
# Ideal config consists of a WWW server mounting via NFS the
# document tree. This script is intended to be run on the
# NFS server.
#
# Feel free to distribute and/or alter this script as needed.
# But be kind and email me the changes... ian@south-border.com
package WWWcheck;
@SendData=();
# Specify the email address of the admin you want information
# mailed to.
$AdminUser="securityuser";
# Specify the method of emailing.
$SendmailCMD="/usr/lib/sendmail -t";
# The following variables define where tripwire is. Specify
# the correct database and config files to be given to tripwire
# as options. Tripwire will run in quiet mode to eliminate
# pass babble.
$TripCMD="/place/to/bin/tripwire";
$TripDatabase="/place/to/tripwire/www.database";
$TripConfigFile="/place/to/tripwire/WWW.conf";
# If your WWW server mounts its document tree via NFS from
# a hardened server and this script and tripwire run on the
# NFS server, set DoNFSshare to 1. This will unshare the NFS
# directory after a grace period defined below.
$DoNFSshare=1;
$NFSunsharecmd="/usr/sbin/unshare";
$NFSwwwdir="/place/to/real/NFS/server/WWW";
# Change this to 1 to kill the httpd server remotely based on
# the outcome of tripwire. Be sure to review RemoteHttpKill,
# RemoteHost, and RemoteCMD. I like ssh because of the key
# exchange.
$DoRemoteKill=1;
# These are used when DoRemoteKill is set to 1
$RemoteCMD="/opt/PUBsshd/bin/ssh";
$RemoteHost="WWW";
$RemoteHttpKill="/etc/init.d/httpd stop";
# This defines how long to wait gracefully before proceeding
# with killing the httpd server and NFS server.
$SleepTime="sleep 3600";
#<----you do not need to change anything below here--->
# Issue tripwire command with options. Compile a list of
# changes that have occurred since the last update of the
# tripwire database. Save these modifications to be sent
# as a notification to the admin. In quiet mode tripwire
# prints nothing when nothing has changed, so an empty
# @SendData means "all clear".
sub BuildTripDatabase
{
    open(Tripdata,"$TripCMD -d $TripDatabase -c $TripConfigFile -q|")
        || die "Cannot run $TripCMD: $!\n";
    while(<Tripdata>) {
        chomp;                      # strip the trailing newline only
        push(@SendData,$_);
    }
    close(Tripdata);
}
# Mail the collected tripwire output to the admin, together with
# a description of the action the options above will trigger.
sub AlertAdmin
{
    return unless @SendData;        # nothing changed, nothing to report
    open(ALERT,"|$SendmailCMD") || die "Cannot run $SendmailCMD: $!\n";
    print ALERT "To: $AdminUser\n";
    print ALERT "Subject: WWW server Document tree\n";
    print ALERT "\n";                # blank line ends the headers for sendmail -t
    print ALERT "-------\n";
    print ALERT "Has changed since the last tripwire database update. Here\n";
    print ALERT "is a summary of the output from tripwire run at ", scalar(localtime), "\n\n\n";
    for(@SendData) {
        print ALERT "$_\n";
    }
    print ALERT "\nThe following actions will be taken...\n\n";
    if($DoNFSshare == 1 && $DoRemoteKill == 1) {
        print ALERT "Your WWW server mounts its document tree via NFS from\n";
        print ALERT "this server and you have elected to kill the remote httpd\n";
        print ALERT "daemon running on the WWW server. The following command will\n";
        print ALERT "be issued:\n\n";
        print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n";
        close(ALERT);
        return;
    }
    if($DoNFSshare == 1) {
        print ALERT "Your WWW server is mounting its document tree via an NFS\n";
        print ALERT "server which is this host according to variables set. The\n";
        print ALERT "following command will be issued:\n\n";
        print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir\n\n";
    }
    if($DoRemoteKill == 1) {
        print ALERT "According to our options you have elected to disable httpd\n";
        print ALERT "service on the WWW server. The following command will be\n";
        print ALERT "issued:\n\n";
        print ALERT "$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n";
    }
    if($DoNFSshare == 0 && $DoRemoteKill == 0) {
        print ALERT "Although we have detected differences that may indicate an\n";
        print ALERT "attack, options set tell us that we are to take no action\n";
        print ALERT "in response. YOU MUST CHECK to see if this is really the\n";
        print ALERT "intended reaction to the tripwire output!\n\n";
    }
    close(ALERT);
}
# Carry out the action announced in the alert once the grace
# period has elapsed. This must only happen when tripwire actually
# reported changes; otherwise every cron run would take the site down.
sub PerformKill
{
    return unless @SendData;
    if($DoNFSshare == 1 && $DoRemoteKill == 1) {
        print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
        return;
    }
    if($DoNFSshare == 1) {
        print STDERR `$SleepTime ; $NFSunsharecmd $NFSwwwdir`;
    }
    if($DoRemoteKill == 1) {
        print STDERR `$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'`;
    }
}
sub main
{
    &BuildTripDatabase();
    &AlertAdmin();
    &PerformKill();
}
package main;
WWWcheck::main();
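Ian's quoted reply above says the scan should allow for "public" growable files such as a guestbook, which a plain size/date or hash comparison cannot do. The following is an added example, not the original post's code, written in Python rather than Perl: a small tripwire-style baseline and compare over a document tree in which a file listed in GROWABLE passes only if its baseline bytes are still an intact prefix of the current file, so a guestbook that was truncated or rewritten is still reported as modified. File names and contents are constructed for the demonstration.

```python
# Added example (not the original post's code); file names and contents are constructed.
import hashlib
import os
import tempfile

GROWABLE = {"guestbook.txt"}   # relative paths allowed to grow append-only

def write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def build_baseline(root):
    baseline = {}              # relative path -> (sha256 hex, size in bytes)
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            baseline[os.path.relpath(full, root)] = (hashlib.sha256(data).hexdigest(), len(data))
    return baseline

def check_tree(root, baseline):
    """Sorted (status, relpath) pairs: added, removed, modified, or grown."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("removed", rel))
        elif rel not in baseline:
            findings.append(("added", rel))
        elif current[rel][0] != baseline[rel][0]:
            old_hash, old_size = baseline[rel]
            with open(os.path.join(root, rel), "rb") as f:
                prefix = f.read(old_size)   # the bytes that existed at baseline time
            # growable file passes only if longer AND old bytes intact; truncation/rewrite = modified
            grown = (rel in GROWABLE and current[rel][1] > old_size
                     and hashlib.sha256(prefix).hexdigest() == old_hash)
            findings.append(("grown" if grown else "modified", rel))
    return findings

def demo():
    """Constructed scenario: append to the guestbook, overwrite index, add a file."""
    root = tempfile.mkdtemp()
    write(root, "index.html", b"<h1>Welcome</h1>\n")
    write(root, "guestbook.txt", b"alice: hi\n")
    baseline = build_baseline(root)
    write(root, "guestbook.txt", b"alice: hi\nbob: hello\n")
    write(root, "index.html", b"<h1>Defaced</h1>\n")
    write(root, "new.html", b"<p>dropped in</p>\n")
    return check_tree(root, baseline)
```

Anything other than "grown" in the result is what the cron job would mail to the admin; the baseline should be regenerated only after a deliberate update to the documents.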