Category: Uncategorized

  • adding exceptions to iwatch


    In a previous article we saw how to install iwatch (http://blog.grs.gr/?p=455&lang=en). If you watch a directory that changes continuously, you may find it useful to exclude specific types of files and/or directories.

    Let's say you want to monitor a web server hosting example.com, with the site's files under /var/www/example.com and media files mostly under /var/www/example.com/uploads, and that you want to skip monitoring /var/www/example.com/uploads.

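    As an added example (not from the original post), a watchlist for that scenario to place inside the config element of /etc/iwatch/iwatch.xml: the site root is watched recursively, the uploads directory is dropped with an exception path, and a regexception additionally ignores editor swap files. The contact address and the swap-file pattern are assumptions.

```xml
<watchlist>
  <title>example.com</title>
  <!-- assumed contact address for this site's alerts -->
  <contactpoint email="webmaster@example.com" name="Web Master"/>
  <!-- watch the whole site tree, including directories created after iwatch started -->
  <path type="recursive" syslog="on">/var/www/example.com</path>
  <!-- exception: this directory and everything below it is not monitored -->
  <path type="exception">/var/www/example.com/uploads</path>
  <!-- regexception: any path matching this regex is ignored (assumed pattern for vim swap files) -->
  <path type="regexception">\.swp$</path>
</watchlist>
```

    After editing, restart with service iwatch restart and touch a file under /var/www/example.com and one under uploads/ to confirm that only the first one produces an alert.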

  • configuring ossec

    Useful links, though a bit outdated:

    http://perezbox.com/2013/03/ossec-for-website-security-part-i/

    https://hackertarget.com/defending-wordpress-ossec/

    How to add an access log to the OSSEC monitor:
    # /var/ossec/bin/util.sh addfile /var/log/httpd/somesite.access_log
    
    How to start/stop OSSEC:
    service ossec start
    service ossec stop
    service ossec restart
    service ossec status

    You might find it useful to change this file:

    nano /var/ossec/etc/ossec.conf
    
    
    <!-- Frequency that syscheck is executed - set to every 4 hours -->
    <frequency>14400</frequency>
    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories realtime="yes" report_changes="yes" restrict=".htaccess|.php|.html|.js">[path to the root of your site]</directories>
    
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>no</scan_on_start>
    <auto_ignore>no</auto_ignore>

    This sets the syscheck frequency to 14400 seconds (every 4 hours), adds the site root to the monitored directories and makes syscheck report new files.

    To enable alerting for new files, edit

    /var/ossec/rules/ossec_rules.xml
    

    Go to rule 554 (the rule that matches syscheck's new-file events; it has level 0 by default, so those events are never alerted) and change its level to 7 like this:

    <rule id="554" level="7">
     <category>ossec</category>
     <decoded_as>syscheck_new_entry</decoded_as>
     <description>File added to the system.</description>
     <group>syscheck,</group>
    </rule>
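    As an added example (not from the original post), the same change done as an override in /var/ossec/rules/local_rules.xml, which survives OSSEC upgrades that replace ossec_rules.xml; overwrite="yes" is the OSSEC rule attribute that makes a local rule replace the stock rule with the same id:

```xml
<group name="local,syscheck,">
  <!-- Replace stock rule 554 (level 0, never alerted) so that
       syscheck's new-file events reach alerts.log and e-mail. -->
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

    Run service ossec restart, create a test file under the monitored site root and check /var/ossec/logs/alerts/alerts.log for the "File added to the system." alert.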
    
  • installing ossec on debian

    copied from http://ossec.github.io/downloads.html#deb-installation

    DEB Installation

    To install with apt-get do the following:

    Step 1. Install the apt-get repository key:

    # apt-key adv --fetch-keys http://ossec.wazuh.com/repos/apt/conf/ossec-key.gpg.key
    

    Step 2. Add the repository for Debian (available distributions are Sid, Jessie and Wheezy):

    # echo 'deb http://ossec.wazuh.com/repos/apt/debian wheezy main' >> /etc/apt/sources.list
    

    Or add the repository for Ubuntu (available distributions are Precise, Trusty and Utopic):

    # echo 'deb http://ossec.wazuh.com/repos/apt/ubuntu precise main' >> /etc/apt/sources.list
    

    Step 3. Update the repository:

    # apt-get update
    

    Step 4. Install OSSEC HIDS server/manager:

    # apt-get install ossec-hids
    

    Or install OSSEC HIDS agent:

    # apt-get install ossec-hids-agent
    
  • laravel 5.1: add column to table

    php artisan make:migration add_mycolumn_to_mytable --table=mytable

    A new migration file will be created.

    Add the code that updates the schema (http://laravel.com/docs/5.1/migrations#modifying-columns).

    
    // In the generated migration's up() method:
    Schema::table('mytable', function ($table) {
        $table->integer('mycolumn');
    });
    // And in down(), so the migration can be rolled back:
    Schema::table('mytable', function ($table) {
        $table->dropColumn('mycolumn');
    });
    

    The following command will update the database schema:

    php artisan migrate
  • webmin on debian


    http://www.webmin.com/deb.html

    nano /etc/apt/sources.list

    add the following:

    deb http://download.webmin.com/download/repository sarge contrib
    deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

    Save and exit.

    Fetch and install the webmin GPG key with which the repository is signed:

    cd /root
    wget http://www.webmin.com/jcameron-key.asc
    apt-key add jcameron-key.asc

    Install webmin:

    apt-get update

    apt-get install webmin

    Wait for webmin to install; depending on your hardware, this can take up to 30 minutes.

    Login to webmin as root, or as any user who can use sudo.


  • linux: find all files of a particular size

    Copied from: http://www.ducea.com/2008/02/12/linux-tips-find-all-files-of-a-particular-size/

    The Unix find command is a very powerful tool, and this short post is intended to show how easily you can achieve something that might look complicated: finding all the files of a particular size. Let's assume you are searching for all the files of exactly 6579 bytes in size inside the home directory. You will just have to run something like:

    find /home/ -type f -size 6579c -exec ls {} \;

    As units you can use:

    • b – for 512-byte blocks (this is the default if no suffix is used)
    • c – for bytes
    • w – for two-byte words
    • k – for Kilobytes (units of 1024 bytes)
    • M – for Megabytes (units of 1048576 bytes)
    • G – for Gigabytes (units of 1073741824 bytes)

    You can search for an exact file size, or just for bigger (+) or smaller (-) files. For example, all files bigger than 512k would be found with something like:

    find /home/ -type f -size +512k -exec ls -lh {} \;

    I have added here -lh to the ls output so it will actually show the files with their sizes in a nice human readable format. Similar for smaller files you would use -size -512k.

  • install iwatch on debian


    http://iwatch.sourceforge.net/documentation.html

    iWatch is a realtime filesystem monitoring program. Its purpose is to monitor any changes in a specific directory or file and send an email notification immediately after the change. This can be very useful to watch a sensitive file or directory against any changes, like the files /etc/passwd and /etc/shadow or the directory /bin, or to monitor the root directory of a website against any unwanted changes.

    apt-get install iwatch
    nano /etc/default/iwatch

    Contents of /etc/default/iwatch:

    # iwatch configuration file
    # START_DAEMON:
    #   should iwatch start the iwatch daemon during boot?
    #   change to "true" or "yes" if needed.
    START_DAEMON=true
    # CONFIG_FILE:
    #   configuration file for iwatch daemon
    #
    CONFIG_FILE=/etc/iwatch/iwatch.xml

    Then edit the watch configuration:

    nano /etc/iwatch/iwatch.xml

    http://serverfault.com/questions/185620/iwatch-doesnt-email-me-or-appear-to-doing-anything

    Firstly, if you don't want it to email your local system then change:

    <contactpoint email="root@localhost" name="Administrator"/>

    to

    <contactpoint email="[email protected]" name="Administrator"/>

    If you are ok with that, then the next step is to check whether it is running:

    ps aux | grep iwatch

    Then start it with the service command, i.e.

    service iwatch start

    Check again whether it is running:

    ps aux | grep iwatch

    Now test it out by running:

    touch /etc/test

    And you should get an email, good luck!

    Here is a good example of a configuration file:

    https://github.com/kiwiroy/iwatch/blob/master/iwatch.xml.example

    <?xml version="1.0" ?>
    <!DOCTYPE config SYSTEM "/etc/iwatch.dtd" >

    <!-- iWatch configuration -->
    <!--
    You can create several watch lists, each with its own contact point
    And in this watch list you can put all directories and files you want to monitor
    The path type decides how a directory is monitored, recursively or as a single
    directory. But it will monitor all newly created directories (after iwatch
    started) recursively regardless of path type.
    iWatch will send email alerts with the guard's email address as sender
    Don't forget to set the correct email address here
    -->

    <config charset="utf-8">
    <guard email="root@localhost" name="IWatch"/>
    <watchlist>
    <title>Public Website</title>
    <contactpoint email="webmaster@localhost" name="Web Master"/>
    <path type="single" syslog="on">/var/www/localhost/htdocs</path>
    <path type="single" syslog="off">/var/www/localhost/htdocs/About</path>
    <path type="recursive">/var/www/localhost/htdocs/Photos</path>
    </watchlist>
    <watchlist>
    <title>Operating System</title>
    <contactpoint email="root@localhost" name="Administrator"/>
    <path type="recursive">/etc/apache2</path>
    <path type="single">/bin</path>
    <path type="single" filter="shadow|passwd">/etc</path>
    <path type="recursive">/etc/mail</path>
    <path type="exception">/etc/mail/statistics</path>
    </watchlist>
    <watchlist>
    <title>Only Test</title>
    <contactpoint email="root@localhost" name="Administrator"/>
    <path type="single" alert="off" exec="(w;ps)|mail -s %f root@localhost">/tmp/dir1</path>
    <path type="single" events="access,close" alert="off" exec="(w;ps)|mail -s %f root@localhost">/tmp/dir2</path>
    <path type="single" events="default,access" alert="off" exec="(w;ps)|mail -s '%f is accessed at %{%H:%M:%S}d' root@localhost">/tmp/dir3</path>
    <path type="single" events="all_events" alert="off">/tmp/dir4</path>
    <path type="recursive">/data/projects</path>
    <path type="regexception">\.svn</path>
    </watchlist>
    </config>

  • wget without checking certificate

    --no-check-certificate

    Don’t check the server certificate against the available certificate authorities. Also don’t require the URL host name to match the common name presented by the certificate.

    As of Wget 1.10, the default is to verify the server’s certificate against the recognized certificate authorities, breaking the SSL handshake and aborting the download if the verification fails. Although this provides more secure downloads, it does break interoperability with some sites that worked with previous Wget versions, particularly those using self-signed, expired, or otherwise invalid certificates. This option forces an “insecure” mode of operation that turns the certificate verification errors into warnings and allows you to proceed.

    If you encounter “certificate verification” errors or ones saying that “common name doesn’t match requested host name”, you can use this option to bypass the verification and proceed with the download. Only use this option if you are otherwise convinced of the site’s authenticity, or if you really don’t care about the validity of its certificate. It is almost always a bad idea not to check the certificates when transmitting confidential or important data.


  • ispconfig 3, debian, php.ini upload_max_filesize=20M

    Create a file named .user.ini in the site's web/ folder (PHP picks it up automatically; note that .user.ini is honoured only by the CGI/FastCGI SAPIs such as PHP-FPM, not by mod_php) containing:

    upload_max_filesize=20M

    service apache2 restart


    https://www.howtoforge.com/community/threads/upload_max_filesize-unchangeable.56787/

  • move one directory up

    cp -rf . ..
    
    rm -rf *