A linux security wrapper

Here's a fun script (or vairation of) that I use on nearly all my servers to catch exploits and scriptkiddies:


#!/bin/sh
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"
export PATH

hfile=`mktemp`
echo $hfile >> $hfile
echo "I was called with: $0 $*" >> $hfile
date >> $hfile

echo >> $hfile
echo "-- ps fax --">> $hfile
ps fax >>$hfile

echo >> $hfile
echo "-- ps auxwwwe --">> $hfile
ps auxwwwe >>$hfile

echo >> $hfile
echo "-- lsof --" >> $hfile
lsof >> $hfile

echo >> $hfile
echo "-- netstat -ptuna --" >> $hfile
netstat -ptuna >> $hfile

echo >> $hfile
echo "-- tail /var/log/messages --" >> $hfile
tail /var/log/messages >> $hfile

echo >> $hfile
echo "-- tail /var/log/daemon.log --" >> $hfile
tail /var/log/daemon.log >> $hfile

echo >> $hfile
echo "-- tail /var/log/auth.log --" >> $hfile
tail /var/log/auth.log >> $hfile

echo >> $hfile

cat $hfile | mail -s "HACK ATTEMPT" my@mydomain.com

echo Error: Connection Refused.


Save that script to say /usr/bin/wget or fetch, save the original binary with a different name such as wget.real or real.wg or wg, whatever. You should get enough information on what's going on to know where to start looking.

By no means should this be used instead of your host based IDS such as ossec or tripwire.

Postfix and LDAP

Postfix and LDAP

   One of the absolute most important pieces of a successful Linux migration is housing email. We chose Postfix for a number of reasons, one of them is it's very easy to work directly with ldap, or work from a cached map for more efficient.

   First let's look under the hood up postfix. It has 2 main files, main.cf and master.cf and any number of other configs that will contain hashes, maps, regex and other files mainly used as lists.

main.cf - As the name implies, this main config file to sets most options you'll ever need to tweak.

master.cf - The file that tells postfix what services to use and how to use them. It sets all the ports, 3rd party applications, plugins and whatever else would effect the main services postfix would use.

   In this section we're only going to touch on the main options you'll need to get postfix working in a corporate setting. Inside the main.cf file there is a handful of options that needs to be pointed out. They are: mynetworks, relay_recipient_maps, server_host, and an optional smtpd_tls_*

mynetworks - A list of IP networks allowed to send email (relay) mail through your server without authentication.
Example: mynetworks = 127.0.0.0/8, 192.168.0.0/16

relay_recipient_maps - This is used in the caching system mentioned above. It takes a filename as a parameter which contains your transport map.
Example: relay_recipient_maps = hash:/etc/postfix/addresses

The contents of /etc/postfix/addresses are in the format of:
tester@test.com OK
testuser@test.com OK
test123@beta.test.com OK

server_host- Tying directly to ldap. This is an expensive option, as it queries ldap in realtime as email comes in. As you can imagine, heavy volume can hinder preformance. I strongly suggest using a relay_recipient_maps as seen above.
Example: server_host = ldap://ldap.example.com:389

So you may be asking, if I want to run a cached version, how do I keep it updated? The solution is pretty simple, crontab and a quick shell script:

#!/bin/sh
PATH=/bin:/usr/bin:/usr/sbin

[ -f /tmp/addresses.1 ] && /bin/mv /tmp/addresses{.1,.2}
/bin/mv /tmp/addresses{,.1}

ldapsearch -x -LLL -h directory.mycompany.com -b dc=mycompany,dc=com -s sub objectClass=inetLocalMailRecipient mail mailLocalAddress|awk '/^mail/ {FS=" " ; print $2}' |sort -u |sed 's/$/ OK/' > /tmp/addresses

[ -s /tmp/addresses ] || exit 1

if [ -f /etc/postfix/maps/addresses ]; then
diff /etc/postfix/maps/addresses /tmp/addresses > /dev/null
RETVAL="$?"
else
mv /tmp/addresses /etc/postfix/maps/
RETVAL="1"
fi

if [ "$RETVAL" = "1" ] ; then
cd /etc/postfix/maps
/bin/cp /tmp/addresses /etc/postfix/maps/addresses
postmap /etc/postfix/maps/addresses
postfix reload
exit 0
else
exit 0
fi

I hope you find this post helpful. Please feel free to comment and correct me.