What about cron as a hack monitor?
03-17-2012, 05:59 AM (This post was last modified: 03-17-2012 06:00 AM by kelly7552.)
Post: #1
What about cron as a hack monitor?
Picking up from another thread, I've become intrigued by the following code

Code:
find . -type d -perm -o=w

What's interesting about this command is, if placed in a shell and run as a cron job, it could be 'silent' until something bad happened to your account. I'm wondering whether other commands could be placed together which are 'silent' (i.e. no output) when conditions are normal, but create output, therefore email when things are abnormal. The use of cron would be perfect for this since they could be run once a day and report only when there is an obvious problem. Any thoughts for other commands?

-Bill Kelly
See Harden Wordpress for wordpress and dreamhost hardening tips
03-17-2012, 07:31 AM
Post: #2
RE: What about cron as a hack monitor?
(03-17-2012 05:59 AM)kelly7552 Wrote:  Any thoughts for other commands?

http://wiki.dreamhost.com/Detecting_intrusions
03-17-2012, 07:40 AM
Post: #3
RE: What about cron as a hack monitor?
(03-17-2012 07:31 AM)bobocat Wrote:  http://wiki.dreamhost.com/Detecting_intrusions

Bobocat,

I've looked at this wiki, and it's really cool. But I was specifically thinking of commands that are 'silent' when normally run; therefore no email from a cron job. While these are great scripts and shells, they send output which is likely to be ignored if it comes every day. I was really trying to have an email that is the 'oh crap!' factor; it should not arrive.

-Bill

-Bill Kelly
See Harden Wordpress for wordpress and dreamhost hardening tips
03-17-2012, 08:10 AM
Post: #4
RE: What about cron as a hack monitor?
create a git repo of your account. run a cronjob of 'git status | grep Changes'
03-17-2012, 08:11 AM
Post: #5
RE: What about cron as a hack monitor?
I personally like a daily report. I've actually been thinking about taking bobocat's scripts and parts of yours to make a daily report that includes things I might want to look into further. So far tho I haven't done a lot other than conceptualize. The trick is in fact to suppress details that are normal, so that when the report arrives it includes only things that need to be looked into/checked further.
03-17-2012, 08:16 AM
Post: #6
RE: What about cron as a hack monitor?
(03-17-2012 08:11 AM)LakeRat Wrote:  I personally like a daily report. I've actually been thinking about taking bobocat's scripts and parts of yours to make a daily report that includes things I might want to look into further. So far tho I haven't done a lot other than conceptualize. The trick is in fact to suppress details that are normal, so that when the report arrives it includes only things that need to be looked into/checked further.

i simplified it for the wiki. i use a series of colours to tag low, med, and high threat changes. most of my report comes greyed out, with just the key potential problems in red. the only way to get to that stage is run a full report and start adding files to the low threat list. it gets better over time.

you can configure git to do the same with the .gitignore file, but it's either ignore or not, whereas I want to monitor. Usually I just open, look for red, and delete....
03-17-2012, 08:18 AM (This post was last modified: 03-17-2012 08:18 AM by kelly7552.)
Post: #7
RE: What about cron as a hack monitor?
(03-17-2012 08:10 AM)bobocat Wrote:  create a git repo of your account. run a cronjob of 'git status | grep Changes'

Got the second part about adding to the cronjob, but any info on the first part for the git-illiterate?

-Bill

-Bill Kelly
See Harden Wordpress for wordpress and dreamhost hardening tips
03-17-2012, 08:32 AM
Post: #8
RE: What about cron as a hack monitor?
(03-17-2012 08:18 AM)kelly7552 Wrote:  Got the second part about adding to the cronjob, but any info on the first part for the git-illiterate?

Um, Google?
03-17-2012, 08:50 AM (This post was last modified: 03-17-2012 08:55 AM by kelly7552.)
Post: #9
RE: What about cron as a hack monitor?
(03-17-2012 08:32 AM)bobocat Wrote:  Um, Google?

Yup tried google and dreamhost wiki, but I'm not really trying to create a code repository am I? This is where git instructions become sort of overwhelming. If I just want to stick my account into a git repository, then it's really not a project. From the dreamhost wiki, there are quick instructions for creating a local project:
Code:
# Create the local repository
[local ~]$ cd project
[local project]$ git init
[local project]$ touch .gitignore
[local project]$ git add .
[local project]$ git commit
I assume this creates a local empty project. From my repository experience (or lack of it) I'm not confident that I want to wade into what would happen if I did this on /home/myuser/. Is this what you're suggesting? Then use .gitignore to ignore files you expect to change?

ps. I loved the smart-assed google link!

-Bill Kelly
See Harden Wordpress for wordpress and dreamhost hardening tips
03-17-2012, 08:58 AM
Post: #10
RE: What about cron as a hack monitor?
It's not only what I'm suggesting, it's almost an official DH recommendation: http://discussion.dreamhost.com/thread-1...#pid150533
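Added example, not part of any post in this thread: one way to combine the world-writable `find` from post #1 with the git baseline from posts #4 and #9 into a cron job that prints nothing when all is normal. The function names, the script name `checks.sh` and the cron schedule are assumptions; it uses `git status --porcelain` instead of `git status | grep Changes` so that newly created (untracked) files are reported as well as modified ones.

```shell
#!/bin/sh
# Added example: checks that stay silent unless something is abnormal.
# Function names and the directory argument are assumptions for illustration.

# Print world-writable directories under $1 (the find from post #1),
# skipping git's own metadata directory.
world_writable_dirs() {
    find "$1" -path "$1/.git" -prune -o -type d -perm -o=w -print
}

# Commit the current contents of $1 as the known-good baseline.
# Run once by hand, and again after every legitimate change.
make_baseline() {
    (
        cd "$1" || exit 1
        [ -d .git ] || git init -q .
        git add -A .
        git -c user.name=monitor -c user.email=monitor@localhost \
            commit -q --allow-empty -m "baseline $(date +%F)"
    )
}

# Print files modified, deleted or newly created since the baseline.
# --porcelain prints nothing when the tree matches the last commit.
changed_files() {
    (cd "$1" && git status --porcelain)
}

# Run both checks. Prints nothing and returns 0 when all is normal;
# prints a report and returns 1 otherwise, so cron mails only on trouble.
run_checks() {
    ww=$(world_writable_dirs "$1")
    ch=$(changed_files "$1")
    [ -z "$ww" ] && [ -z "$ch" ] && return 0
    [ -n "$ww" ] && printf 'World-writable directories:\n%s\n' "$ww"
    [ -n "$ch" ] && printf 'Changed since baseline:\n%s\n' "$ch"
    return 1
}

# Cron entry (constructed): 0 6 * * * /bin/sh /home/myuser/checks.sh /home/myuser
if [ -n "${1:-}" ]; then run_checks "$1"; fi
```

Git does not record directory permissions, so the `find` check and the git check cover different things and both are needed. Files that change legitimately every day (logs, caches) belong in `.gitignore`, otherwise the job stops being silent.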