I'm maintaining my VPS, and since there is a web server running on it I thought I would want to know if there was a successful break-in attempt.
So I have created an hourly timer that runs the 'find' command on a specific directory (something like what is shown below):
echo '<table>' > /path/to/working/copy/srv.html
find /srv -printf '<tr><td>last modified: %TT</td><td>last status change: %CT</td><td>owner: %U:%G</td><td>permissions: %m</td><td>diskspace: %s</td><td>%h/%f</td></tr>\n' >> /path/to/working/copy/srv.html
echo '</table>' >> /path/to/working/copy/srv.html
If anything was changed in that directory then 'svn stat' will reveal it (otherwise it returns an empty string). So I thought, why not put 'svn stat' on that directory into the timer, and if a non-empty string is returned, send myself an email with the 'top', 'journal' and 'netstat' outputs for future investigation. So I run that every hour.
I was wondering if anybody has been using this approach before. I would appreciate any comments.
Last edited by Gregosky (2014-07-22 12:29:46)
I noticed nobody answered, so I take it nobody has been using that approach. In that case I would rephrase my original question: how are you maintaining your filesystem integrity?
I know there are packages like AIDE; however, I was thinking about using something simple first, hence my question. I would appreciate your comments.
Last edited by Gregosky (2014-07-22 12:29:58)
I'm guessing that would be a great way to check if the system was altered (i.e. a cracker has modified any of the packages already installed).
But what if an intruder put some malicious binary somewhere out of sight? Or an even simpler scenario: what if my web page's PHP script contained a bug allowing anybody to exploit it to run a command on the server (a theoretical scenario, I hope)? I'm guessing two things could happen: the attacker would try to implant some sort of rootkit, or modify the PHP to implant something dodgy (i.e. insert some invisible elements that the user would click on without knowing, but clicking on them would run a camera or something of this sort).
My guess is that the attacker would need some sort of binary to allow himself to implant a rootkit, so in both cases the attacker's action would cause the file system to be changed, and that change would be outside of pacman's scope.
In your opinion, does it make sense to 'watch' such a directory so that if something like that happens an early warning would be sent?
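An added example of the "snapshot and compare" idea from the first post and of the watch for dropped binaries or edited PHP asked about above; this is not the poster's script and it does not use svn. It records a SHA-256 of every regular file alongside the mode, owner and size that the original 'find -printf' line captures, so a file whose contents changed but whose timestamps were reset with 'touch' still shows up, and a new hidden file or a deleted file appears as an added or removed manifest line. It assumes GNU find, coreutils (sha256sum, stat, mktemp) and diff, i.e. a normal Linux VPS; the directory and baseline paths are whatever you pass in.

```shell
#!/bin/sh
# Hypothetical integrity check (example code, not the poster's): a sorted
# manifest of a directory tree is written once as a baseline, and a timer
# later rebuilds it and diffs the two. Any non-empty diff is the report to mail.

# make_manifest DIR -> one line per regular file under DIR, sorted by path:
#   <sha256> <octal mode> <uid:gid> <size> <path>
make_manifest() {
    find "$1" -type f -printf '%p\n' | LC_ALL=C sort |
    while IFS= read -r path; do
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        meta=$(stat -c '%a %u:%g %s' "$path")
        printf '%s %s %s %s\n' "$sum" "$meta" "$path"
    done
}

# check_integrity DIR BASELINE -> exit 0 if the tree matches the baseline,
# 1 if it differs (diff output on stdout: '<' = baseline line, '>' = current),
# 2 if diff itself failed (e.g. the baseline file is missing).
check_integrity() {
    cur=$(mktemp)
    make_manifest "$1" > "$cur"
    # diff exit status: 0 identical, 1 differences, 2 trouble
    diff "$2" "$cur" && rc=0 || rc=$?
    rm -f "$cur"
    return "$rc"
}

# Usage from a timer (the baseline must live outside the watched tree, and
# ideally off-box or on a read-only mount, or an intruder can rewrite it):
#   sh integrity.sh baseline /srv /var/lib/integrity/srv.manifest   # once
#   sh integrity.sh check    /srv /var/lib/integrity/srv.manifest   # hourly
case "${1:-}" in
    baseline) make_manifest "$2" > "$3" ;;
    check)    check_integrity "$2" "$3" ;;
esac
```

The check exits non-zero on any change, so the timer can chain `|| mail -s 'srv changed' root` (or a 'top'/'journalctl'/'ss' capture) after it; an attacker who can write to the baseline file can of course re-baseline, which is why it has to live somewhere the web server's user cannot touch.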