Steps for installing a RedHat Linux Internet Server



LogSentry


Installing LogSentry

LogSentry checks the various log files generated on the system. As system administrators we rarely have time to go through them every day, so having LogSentry helps lighten that load to a degree: it inspects the logs for us and reports what it finds.

Start by putting logsentry-1.1.1.tar.gz in /home/util, in case it has to be reinstalled in the future.

[root@one util]# cp logsentry-1.1.1.tar.gz /var/tmp/
[root@one util]# cd /var/tmp/
[root@one tmp]# tar xzpf logsentry-1.1.1.tar.gz
[root@one tmp]# cd logcheck-1.1.1/
[root@one logcheck-1.1.1]# cd systems/linux/
[root@one linux]# ls
logcheck.hacking logcheck.violations     README.linux.IMPORTANT
logcheck.ignore  logcheck.violations.ignore
logcheck.sh    README.linux
[root@one linux]#

We begin by copying it to /var/tmp, then change to /var/tmp and extract the tar.gz. Next we go into the logcheck-1.1.1/ and systems/linux/ directories; an ls shows the files listed above.
Start by editing logcheck.sh so that it reads as follows: vi logcheck.sh

#!/bin/sh
#
#logcheck.sh: Log file checker
#Written by Craig Rowland <crowland@psionic.com>
#
#This file needs the program logtail.c to run
#
#This script checks logs for unusual activity and blatant
#attempts at hacking. All items are mailed to administrators
# for review. This script and the logtail.c program are based upon
#    the frequentcheck.sh script idea from the Gauntlet(tm) Firewall
#(c)Trusted Information Systems Inc. The original authors are
#Marcus J. Ranum and Fred Avolio.
#
#Default search files are tuned towards the TIS Firewall toolkit
# the TCP Wrapper program. Custom daemons and reporting facilites
#can be accounted for as well...read the rest of the script for
#details.
#
#Version Information
#
#1.0  9/29/96 -- Initial Release
#1.01 11/01/96 -- Added working /tmp directory for symlink protection
#               (Thanks Richard Bullington (rbulling@obscure.org)
#1.1  1/03/97 -- Made this script more portable for Sun's.
#     1/03/97 -- Made this script work on HPUX
#     5/14/97 -- Added Digital OSF/1 logging support. Big thanks
#              to Jay Vassos-Libove <libove@compgen.com> for
#              his changes.
 

# CONFIGURATION SECTION

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin

# Logcheck is pre-configured to work on most BSD like systems, however it
# is a rather dumb program and may need some help to work on other
# systems. Please check the following command paths to ensure they are
# correct.

# Person to send log activity to.
SYSADMIN=root

# Full path to logtail program.
# This program is required to run this script and comes with the package.

LOGTAIL=/usr/bin/logtail

# Full path to SECURED (non public writable) /tmp directory.
# Prevents Race condition and potential symlink problems. I highly
# recommend you do NOT make this a publically writable/readable directory.
# You would also be well advised to make sure all your system/cron scripts
# use this directory for their "scratch" area.

TMPDIR=/var/logsentry

# The 'grep' command. This command MUST support the
# '-i' '-v' and '-f' flags!! The GNU grep does this by default (that's
# good GNUs for you Linux/FreeBSD/BSDI people :) ). The Sun grep I'm told
# does not support these switches, but the 'egrep' command does (Thanks
# Jason <jason@mastaler.com> ). Since grep and egrep are usually the GNU
# variety on most systems (well most Linux, FreeBSD, BSDI, etc) and just
# hard links to each other we'll just specify egrep here. Change this if
# you get errors.

# Linux, FreeBSD, BSDI, Sun, HPUX, etc.
GREP=egrep

# The 'mail' command. Most systems this should be OK to leave as is.
# If your default mail command does not support the '-s' (subject) command
# line switch you will need to change this command one one that does.
# The only system I've seen this to be a problem on are HPUX boxes.
# Naturally, the HPUX is so superior to the rest of UNIX OS's that they
# feel they need to do everything differently to remind the rest that
# they are the best ;).

# Linux, FreeBSD, BSDI, Sun, etc.
MAIL=mail
# HPUX 10.x and others(?)
#MAIL=mailx
# Digital OSF/1, Irix
#MAIL=Mail

# File of known active hacking attack messages to look for.
# Only put messages in here if you are sure they won't cause
# false alarms. This is a rather generic way of checking for
# malicious activity and can be inaccurate unless you know
# what past hacking activity looks like. The default is to
# look for generic ISS probes (who the hell else looks for
# "WIZ" besides ISS?), and obvious sendmail attacks/probes.

HACKING_FILE=/etc/logsentry/hacking

# File of security violation patterns to specifically look for.
# This file should contain keywords of information administrators should
# probably be aware of. May or may not cause false alarms sometimes.
# Generally, anything that is "negative" is put in this file. It may miss
# some items, but these will be caught by the next check. Move suspicious
# items into this file to have them reported regularly.

VIOLATIONS_FILE=/etc/logsentry/violations

# File that contains more complete sentences that have keywords from
# the violations file. These keywords are normal and are not cause for
# concern but could cause a false alarm. An example of this is the word
# "refused" which is often reported by sendmail if a message cannot be
# delivered or can be a more serious security violation of a system
# attaching to illegal ports. Obviously you would put the sendmail
# warning as part of this file. Use your judgement before putting words
# in here or you can miss really important events. The default is to leave
# this file with only a couple entries. DO NOT LEAVE THE FILE EMPTY. Some
# grep's will assume that an EMPTY file means a wildcard and will ignore
# everything! The basic configuration allows for the more frequent sendmail
# error.
#
# Again, be careful what you put in here and DO NOT LEAVE IT EMPTY!

VIOLATIONS_IGNORE_FILE=/etc/logsentry/violations.ignore

# This is the name of a file that contains patterns that we should
# ignore if found in a log file. If you have repeated false alarms
# or want specific errors ignored, you should put them in here.
# Once again, be as specific as possible, and go easy on the wildcards

IGNORE_FILE=/etc/logsentry/ignore


# The files are reported in the order of hacking, security
# violations, and unusual system events. Notice that this
# script uses the principle of "That which is not explicitely
# ignored is reported" in that the script will report all items
# that you do not tell it to ignore specificially. Be careful
# how you use wildcards in the logcheck.ignore file or you
# may miss important entries.

# Make sure we really did clean up from the last run.
# Also this ensures that people aren't trying to trick us into
# overwriting files that we aren't supposed to. This is still a race
# condition, but if you are in a temp directory that does not have
# generic luser access it is not a problem. Do not allow this program
# to write to a generic /tmp directory where others can watch and/or
# create files!!

# Shouldn't need to touch these...
HOSTNAME=`hostname`
DATE=`date +%m/%d/%y:%H.%M`

umask 077
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
    echo "Log files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the log checker." \
        | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
    exit 1
fi

# LOG FILE CONFIGURATION SECTION
# You might have to customize these entries depending on how
# you have syslogd configured. Be sure you check all relevant logs.
# The logtail utility is required to read and mark log files.
# See INSTALL for more information. Again, using one log file
# is preferred and is easier to manage. Be sure you know what the
# > and >> operators do before you change them. LOG FILES SHOULD
# ALWAYS BE chmod 600 OWNER root!!

# Generic and Linux Slackware 3.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$

# Linux Red Hat Version 3.x, 4.x
$LOGTAIL /var/log/messages > $TMPDIR/check.$$
$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

# FreeBSD 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$

# BSDI 2.x
#$LOGTAIL /var/log/messages > $TMPDIR/check.$$
#$LOGTAIL /var/log/secure >> $TMPDIR/check.$$
#$LOGTAIL /var/log/maillog >> $TMPDIR/check.$$
#$LOGTAIL /var/log/ftp.log >> $TMPDIR/check.$$
# Un-comment out the line below if you are using BSDI 2.1
#$LOGTAIL /var/log/daemon.log >> $TMPDIR/check.$$

# SunOS, Sun Solaris 2.5
#$LOGTAIL /var/log/syslog > $TMPDIR/check.$$
#$LOGTAIL /var/adm/messages >> $TMPDIR/check.$$

# HPUX 10.x and others(?)
#$LOGTAIL /var/adm/syslog/syslog.log > $TMPDIR/check.$$

# Digital OSF/1
# OSF/1 - uses rotating log directory with date & time in name
#    LOGDIRS=`find /var/adm/syslog.dated/* -type d -prune -print`
#    LOGDIR=`ls -dtr1 $LOGDIRS | tail -1`
#    if [ ! -d "$LOGDIR" ]
#    then
#     echo "Can't identify current log directory." >> $TMPDIR/checkrepo$
#    else
#        $LOGTAIL $LOGDIR/auth.log >> $TMPDIR/check.$$
#        $LOGTAIL $LOGDIR/daemon.log >> $TMPDIR/check.$$
#        $LOGTAIL $LOGDIR/kern.log >> $TMPDIR/check.$$
#        $LOGTAIL $LOGDIR/lpr.log >> $TMPDIR/check.$$
#        $LOGTAIL $LOGDIR/mail.log >> $TMPDIR/check.$$
#        $LOGTAIL $LOGDIR/syslog.log >> $TMPDIR/check.$$
#        $LOGTAIL $LOGDIR/user.log >> $TMPDIR/check.$$
#    fi
#


# END CONFIGURATION SECTION. YOU SHOULDN'T HAVE TO EDIT ANYTHING
# BELOW THIS LINE.

# Set the flag variables
FOUND=0
ATTACK=0

# See if the tmp file exists and actually has data to check,
# if it doesn't we should erase it and exit as our job is done.
 
if [ ! -s $TMPDIR/check.$$ ]; then
    rm -f $TMPDIR/check.$$
    exit 0
fi

# Perform Searches

# Check for blatant hacking attempts
if [ -f "$HACKING_FILE" ]; then
    if $GREP -i -f $HACKING_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
        echo >> $TMPDIR/checkreport.$$
        echo "Active System Attack Alerts" >> $TMPDIR/checkreport.$$
        echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
        cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
        FOUND=1
        ATTACK=1
    fi
fi

# Check for security violations
if [ -f "$VIOLATIONS_FILE" ]; then
    if $GREP -i -f $VIOLATIONS_FILE $TMPDIR/check.$$ |
        $GREP -v -f $VIOLATIONS_IGNORE_FILE > $TMPDIR/checkoutput.$$; then
        echo >> $TMPDIR/checkreport.$$
        echo "Security Violations" >> $TMPDIR/checkreport.$$
        echo "=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
        cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
        FOUND=1
    fi
fi

# Do reverse grep on patterns we want to ignore
if [ -f "$IGNORE_FILE" ]; then
    if $GREP -v -f $IGNORE_FILE $TMPDIR/check.$$ > $TMPDIR/checkoutput.$$; then
        echo >> $TMPDIR/checkreport.$$
        echo "Unusual System Events" >> $TMPDIR/checkreport.$$
        echo "=-=-=-=-=-=-=-=-=-=-=" >> $TMPDIR/checkreport.$$
        cat $TMPDIR/checkoutput.$$ >> $TMPDIR/checkreport.$$
        FOUND=1
    fi
fi

# If there are results, mail them to sysadmin

if [ "$ATTACK" -eq 1 ]; then
    cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
elif [ "$FOUND" -eq 1 ]; then
    cat $TMPDIR/checkreport.$$ | $MAIL -s "$HOSTNAME $DATE system check" $SYSADMIN
fi

# Clean Up
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
 

The red lines on the yellow background are the changes, 6 lines in total. Alternatively you can select everything on the yellow background, paste it into Notepad, and then paste it into putty where we are editing logcheck.sh.
I put this file in /home/util:

cp logcheck.sh /home/util
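To see the three report tiers of logcheck.sh in isolation, here is an added example (not code from the logcheck package or from this page) that reproduces the hacking / violations / ignore pipeline over a constructed five-line log extract. The pattern files, the log lines and the host name `one` are constructed, and grep -E stands in for the script's GREP=egrep.

```shell
#!/bin/sh
# Added example, not part of the logcheck package: a miniature of the three
# report tiers in logcheck.sh run over constructed log lines, so the rule
# "that which is not explicitly ignored is reported" can be observed.
# The pattern files are hypothetical stand-ins for
# /etc/logsentry/{hacking,violations,violations.ignore,ignore};
# grep -E replaces the script's GREP=egrep.
umask 077                       # scratch files stay private, as in logcheck.sh
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed pattern files (violations.ignore must never be empty).
printf '%s\n' 'WIZ' 'debug'       > "$WORK/hacking"
printf '%s\n' 'refused' 'failed'  > "$WORK/violations"
printf '%s\n' 'sendmail.*refused' > "$WORK/violations.ignore"
printf '%s\n' 'CROND.*CMD'        > "$WORK/ignore"

# Constructed log extract standing in for $TMPDIR/check.$$.
cat > "$WORK/check" <<'EOF'
Jul 28 22:09:01 one sendmail[123]: connection refused by peer
Jul 28 22:09:02 one sshd[124]: Failed password for root from 10.0.0.5
Jul 28 22:09:03 one sendmail[125]: WIZ command from 10.0.0.9
Jul 28 22:09:04 one CROND[126]: (root) CMD (run-parts /etc/cron.hourly)
Jul 28 22:09:05 one kernel: eth0: link up
EOF

# Tier 1: hacking patterns, case-insensitive, nothing filtered out.
attacks()    { grep -E -i -f "$WORK/hacking" "$WORK/check"; }
# Tier 2: violation keywords minus the sentences in violations.ignore.
violations() { grep -E -i -f "$WORK/violations" "$WORK/check" |
               grep -E -v -f "$WORK/violations.ignore"; }
# Tier 3: every line not matched by ignore (case-sensitive, like the script).
unusual()    { grep -E -v -f "$WORK/ignore" "$WORK/check"; }

# Mail subject logcheck.sh would choose; empty output means no mail at all.
subject() {
    if attacks >/dev/null; then echo "ACTIVE SYSTEM ATTACK!"
    elif violations >/dev/null || unusual >/dev/null; then echo "system check"
    fi
}

# Assemble the report sections in the script's order, skipping empty tiers.
report() {
    for tier in attacks violations unusual; do
        if out=$($tier); then
            printf '\n%s\n=-=-=-=-=-=-=-=\n%s\n' "$tier" "$out"
        fi
    done
}

report
echo "Subject: $(subject)"
```

Running it shows the attack and violation lines appearing again under the unusual-events tier, which is why the ignore file has to name the routine noise specifically rather than rely on the other two tiers.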

Next, edit the Makefile as shown below:

# Makefile for logcheck package.
# logtail.c : Log file tailing program
#
# Send problems/code hacks to crowland@psionic.com or crowland@vni.net
# Thanks to rbulling@obscure.org for cleaning this Makefile up..
#

# Generic compiler
 CC = cc
# GNU..
# CC = gcc

# Normal systems flags
CFLAGS = -O2 -march=i686 -funroll-loops
# Braindead HPUX compiler flags
#CFLAGS = -O -Aa

# If you change these be sure you edit logcheck.sh to reflect
# the new paths!!

# This is where keyword files go.
INSTALLDIR = /etc/logsentry

# This is where logtail will go
INSTALLDIR_BIN = /usr/bin

# Some people want the logcheck.sh in /usr/local/bin. Uncomment this
# if you want this. /usr/local/etc was kept for compatibility reasons.
#INSTALLDIR_SH = /usr/local/bin
INSTALLDIR_SH = /usr/sbin

# The scratch directory for logcheck files.
TMPDIR = /var/logsentry

# Debug mode for logtail
# CFLAGS = -g -DDEBUG

all:
	@echo "Usage: make <systype>"
	@echo "<systype> is one of: "
	@echo " linux, bsdos, freebsd, sun, generic, hpux, digital"
	@echo ""
	@echo "NOTE: This will make and install the package in these"
	@echo "   directories:"
	@echo "    logcheck configuration files : $(INSTALLDIR)"
	@echo "    logcheck.sh shell script   : $(INSTALLDIR_SH)"
	@echo "    logtail program       : $(INSTALLDIR_BIN)"
	@echo ""
	@echo "Edit the makefile if you wish to change these paths."
	@echo "Any existing files will be overwritten."

clean:
	/bin/rm ./src/logtail ./src/logtail.o

uninstall:
	/bin/rm $(INSTALLDIR_SH)/logcheck.sh
	/bin/rm $(INSTALLDIR)/logcheck.ignore
	/bin/rm $(INSTALLDIR)/logcheck.hacking
	/bin/rm $(INSTALLDIR)/logcheck.violations
	/bin/rm $(INSTALLDIR)/logcheck.violations.ignore
	/bin/rm $(INSTALLDIR_BIN)/logtail

install:
	@echo "Making $(SYSTYPE)"
	$(CC) $(CFLAGS) -o ./src/logtail ./src/logtail.c
	@echo "Creating temp directory $(TMPDIR)"
	@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
	@echo "Setting temp directory permissions"
	chmod 700 $(TMPDIR)
	@echo "Copying files"
	cp ./systems/$(SYSTYPE)/logcheck.hacking $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.violations $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.violations.ignore $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.ignore $(INSTALLDIR)
	cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
	cp ./src/logtail $(INSTALLDIR_BIN)
	@echo "Setting permissions"
	chmod 700 $(INSTALLDIR_SH)/logcheck.sh
	chmod 700 $(INSTALLDIR_BIN)/logtail
	chmod 600 $(INSTALLDIR)/logcheck.violations.ignore
	chmod 600 $(INSTALLDIR)/logcheck.violations
	chmod 600 $(INSTALLDIR)/logcheck.hacking
	chmod 600 $(INSTALLDIR)/logcheck.ignore
	@echo "Done. Don't forget to set your crontab."

generic:
	make install SYSTYPE=generic

linux:
	make install SYSTYPE=linux

bsdos:
	make install SYSTYPE=bsdos

freebsd:
	make install SYSTYPE=freebsd

sun:
	make install SYSTYPE=sun

hpux:
	make install SYSTYPE=hpux

digital:
	make install SYSTYPE=digital

 

Likewise, the red lines on the yellow background are the changes, 5 lines in total. You can select everything on the yellow background, paste it into Notepad, and then paste it into putty where we are editing the Makefile. Alternatively, all three files, logsentry-1.1.1.tar.gz, logcheck.sh and Makefile, can be downloaded here.

[root@one logcheck-1.1.1]# cd
[root@one root]# find /* > LogSentry1
[root@one root]# cd /var/tmp/logcheck-1.1.1/
[root@one logcheck-1.1.1]# mkdir -m0700 /etc/logsentry
[root@one logcheck-1.1.1]# make linux
[root@one logcheck-1.1.1]# strip /usr/bin/logtail
[root@one logcheck-1.1.1]# cd /etc/logsentry/
[root@one logsentry]# mv logcheck.hacking hacking
[root@one logsentry]# mv logcheck.violations violations
[root@one logsentry]# mv logcheck.violations.ignore violations.ignore
[root@one logsentry]# mv logcheck.ignore ignore
[root@one logsentry]# cd
[root@one root]# find /* > LogSentry2
[root@one root]# diff LogSentry1 LogSentry2 > LogSentry-Installed

Then run the commands above one line at a time, and we have LogSentry set up as required.

The next task is to have the machine run it every day by creating a file named logsentry in /etc/cron.daily/
with the following content:

#!/bin/sh
# Daily check Log files for security violations and unusual activity.
/home/util/logcheck.sh

followed by changing the permissions of that file:

[root@one /]# chmod 510 /etc/cron.daily/logsentry

Note that LogSentry will not send an e-mail report if there is nothing to report.

The files used to set up logsentry are available for download and consist of:

     logsentry.sh
     logsentry-1.1.1-tar.gz
     logcheck.sh
     MakeFileLog, which is the MakeFile used here
     

By gook55
Article suggestions welcome at


sermpan55@hotmail.com
ICQ: 51822478
Since: Aug 18,2002
Last Updated: May 01,2007