OSSEC for CentOS 7

OSSEC’s official documentation sucks. I managed to compile full installation steps (via RPM) for OSSEC in CentOS.

What is OSSEC? OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. (source : http://ossec.github.io/about.html)

OSSEC Server
1. sudo -i
2. yum install mysql-devel postgresql-devel
3. wget -q -O - https://updates.atomicorp.com/installers/atomic | sh
4. yum install -y ossec-hids ossec-hids-server
5. /var/ossec/bin/ossec-control start
6. firewall-cmd --permanent --add-port=1514/udp
7. firewall-cmd --reload
8. /var/ossec/bin/manage_agents # ASSIGN unique key for OSSEC AGENT
9. /var/ossec/bin/ossec-control restart

OSSEC Agent
1. sudo -i
2. wget -q -O - https://updates.atomicorp.com/installers/atomic | sh
3. yum install -y ossec-hids ossec-hids-client
4. /var/ossec/bin/ossec-control start
5. firewall-cmd --permanent --add-port=1514/udp
6. firewall-cmd --reload
7. /var/ossec/bin/manage_client # ADD unique key from OSSEC SERVER for the agent
8. vi /var/ossec/etc/ossec-agent.conf # EDIT OSSEC SERVER IP <server-ip>XXX.XXX.XXX.XXX</server-ip>
9. /var/ossec/bin/ossec-control restart

Finding Duplicates with SQL

Here’s a handy query for finding duplicates in a table. Suppose you want to find all email addresses in a table that exist more than once :-
SELECT email,
COUNT(email) AS NumOccurrences
FROM users
GROUP BY email
HAVING ( COUNT(email) > 1 )
You could also use this technique to find rows that occur exactly once :-
SELECT email
FROM users
GROUP BY email
HAVING ( COUNT(email) = 1 )

Transfer Default MySQL Database Directory From /var To /usr

The default partition size for /var is normally not enough to store databases, so we need to store them somewhere bigger (/usr). The steps below show how to move the database from /var/db/mysql (the default installation path for MySQL in FreeBSD) to /usr/local/mysql/data (the suggested path), leaving a symlink at /var/db/mysql so MySQL keeps using its configured datadir. Steps as follows :-

[root@dev /var/db/mysql]# /usr/local/etc/rc.d/mysql-server stop
Stopping mysql.
Waiting for PIDS: 993.
[root@dev /var/db/mysql]# mkdir -p /usr/local/mysql/data
[root@dev /var/db/mysql]# mv * /usr/local/mysql/data/.
[root@dev /var/db/mysql]# cd ../
[root@dev /var/db]# rm -rf mysql
[root@dev /var/db]# ln -s /usr/local/mysql/data mysql
[root@dev /var/db]# chown -R mysql mysql
[root@dev /var/db]# chgrp -R mysql mysql
[root@dev /var/db]# cd /usr/local/
[root@dev /usr/local]# chown -R mysql mysql
[root@dev /usr/local]# chgrp -R mysql mysql
[root@dev /usr/local]# /usr/local/etc/rc.d/mysql-server start
Starting mysql.
[root@dev /usr/local]# ps aux | grep mysql
mysql    46491  0.1  1.1 208112 44860  ??  S     6:15AM   0:00.09 [mysqld]
mysql    46411  0.0  0.0  8264  1920  ??  Ss    6:15AM   0:00.01 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-file=/var/db/mysql/my.cnf --user=mysql --datadir=/var/db/mysql --pid-file=/var/db/my
root     46494  0.0  0.0  9092  1432   0  S+    6:15AM   0:00.00 grep mysql
[root@dev /usr/local]#

HowTo Install iStat in FreeBSD for Server Monitoring

iStats for iPhone can be used to remotely monitor your Mac or Mac server. See your iPhone’s stats for battery, memory, disk space, Wi-Fi and cellular IP addresses, uptime & load averages.
Not only can you monitor your Mac, but other OSes (Linux, Solaris & FreeBSD) as well. Assuming you’ve downloaded the iStats app from the iTunes App Store, here’s how you can access and monitor your FreeBSD server via these simple steps.
  1. Download the file here (http://github.com/tiwilliam/istatd/downloads)
  2. tar -vxzf istatd-0.5.7.tar.gz #uncompress the package, assuming you’ve downloaded istatd version 0.5.7
  3. cd istatd-0.5.7 #go into the uncompressed directory
  4. ./configure #configure the build before compiling
  5. make
  6. make install
  7. mkdir -p /var/{run,cache}/istat
  8. adduser istat #add user istat
  9. chown istat:istat /var/{run,cache}/istat #set permission of user & group for the created folder
  10. vi /etc/istat.conf #remember to change the server code (your password to access iStat)
  11. /usr/local/bin/istatd -d #start the iStat as daemon

P/S : The service is listening on port 5190 so please make sure the firewall allows it.

Official Site : http://bjango.com/apps/istat/
More info : http://www.google.com.my/search?client=safari&rls=en&q=istats+remote+monitoring&ie=UTF-8&oe=UTF-8&redir_esc=&ei=NN37S9ftMI-trAfhz-GuAg

HOWTO Delete Old Directory in UNIX

There are 2 ways you can do this. For example, if you want to delete directories older than 7 days :

First method :
find /path/dir -type d -mtime +7 -exec rm -rf {} \;

Second method :
find /path/dir -type d -mtime +7 | xargs rm -rf

You can always change the +7 value to any number of days preferred.
FYI, this command is only for directory deletion; if you want to delete files, you can change the “-type d” (d means directory) to “-type f” (f means files).

Example :
find /path/dir/unl.txt -type f -mtime +7 | xargs rm -f

P/S : There’s an alternative command which we can use, tmpwatch (more info : http://linux.about.com/library/cmd/blcmdl8_tmpwatch.htm)
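A safer form of the clean-up above, as an added example that is not part of the original post: the find/xargs pipeline is wrapped in a function and exercised on a constructed directory tree (one stale directory, one fresh one with a space in its name; prune_old_dirs and make_fixture are names chosen here).

```shell
#!/bin/sh
# Added example, not from the original post: a safer form of the
# "find ... -mtime +N" clean-up, exercised on a constructed tree.

# Usage: prune_old_dirs ROOT DAYS
# Deletes the immediate subdirectories of ROOT not modified for more than
# DAYS days. -prune keeps find from descending into a directory that is
# about to be removed (the source of "No such file or directory" noise),
# and -print0 / xargs -0 keep names containing spaces or newlines intact.
prune_old_dirs() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" -prune -print0 \
        | xargs -0 rm -rf --
}

# Constructed fixture: one stale directory whose mtime is forced back to
# 2000 with touch -t (after its contents exist, so the timestamp sticks),
# and one fresh directory with a space in its name.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/stale/nested"
    : > "$root/stale/nested/old.log"
    touch -t 200001010000 "$root/stale"
    mkdir "$root/fresh dir"
    : > "$root/fresh dir/new.log"
    printf '%s\n' "$root"
}

ROOT=$(make_fixture)
prune_old_dirs "$ROOT" 7
ls "$ROOT"    # only "fresh dir" is left
```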

mod_dosevasive for Apache

mod_dosevasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_dosevasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:
  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)
This method has worked well in both single-server script attacks as well as distributed attacks, but just like other evasive tools, is only as useful to the point of bandwidth and processor consumption (e.g. the amount of bandwidth and processor required to receive/process/respond to invalid requests), which is why it’s a good idea to integrate this with your firewalls and routers for maximum protection.
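To make the two per-IP rules above concrete, here is an added example (not part of the original post and not the module's own code) that replays them offline over Apache combined-format access log lines with awk; dos_suspects, the sample lines and the thresholds 3 and 5 are constructed for the illustration, not the module's defaults.

```shell
#!/bin/sh
# Added example, not from the original post: replays mod_dosevasive's
# same-page and site-wide per-IP rules over access log lines, offline.
# Thresholds are assumed values chosen for the sample, not module defaults.

# Usage: dos_suspects LOGFILE PAGE_LIMIT SITE_LIMIT
# Prints "<ip> same-page" for a client that requested one URI more than
# PAGE_LIMIT times within a single second, and "<ip> site-wide" for a
# client that issued more than SITE_LIMIT requests within a single second.
dos_suspects() {
    awk -v page_limit="$2" -v site_limit="$3" '
    {
        ip  = $1
        ts  = substr($4, 2)   # "[10/Oct/2000:13:55:36" -> per-second key
        uri = $7
        page[ip SUBSEP uri SUBSEP ts]++
        site[ip SUBSEP ts]++
    }
    END {
        for (k in page) if (page[k] > page_limit) { split(k, p, SUBSEP); hit[p[1] " same-page"] = 1 }
        for (k in site) if (site[k] > site_limit) { split(k, s, SUBSEP); hit[s[1] " site-wide"] = 1 }
        for (h in hit) print h
    }' "$1" | sort
}

# Constructed sample: 203.0.113.7 hits /login.php four times in one second,
# 198.51.100.9 spreads six requests over six URIs in one second, and
# 192.0.2.10 is an ordinary visitor.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.1" 200 512 "-" "curl/7.29"
198.51.100.9 - - [10/Oct/2000:13:55:40 -0700] "GET /a HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2000:13:55:40 -0700] "GET /b HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2000:13:55:40 -0700] "GET /c HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2000:13:55:40 -0700] "GET /d HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2000:13:55:40 -0700] "GET /e HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2000:13:55:40 -0700] "GET /f HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2000:13:55:41 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2000:13:55:45 -0700] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

dos_suspects "$SAMPLE_LOG" 3 5
```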