List: firewalls-gc
Subject: Re: WWW Gaffiti Immunity (Off Topic)
From: The Unseen <ian () south-border ! com>
Date: 1997-01-01 17:28:52
Corrected an obvious error... 8-) here's the latest one.
please let me know if you find other errors....
Ian
--------------
#!/usr/local/bin/perl
#
# The purpose of this script is to help secure our WWW files
# from graffiti. We are going to use tripwire to help us keep
# track of file signatures and alert us when there are major
# inconsistencies that may result from someone trying to hack
# our site.
#
# Ideal config consists of a WWW server mounting via NFS the
# document tree. This script is intended to be run on the
# NFS server.
#
# Feel free to distribute and/or alter this script as needed.
# But be kind and email me the changes... ian@south-border.com
package WWWcheck;

# Run-time state shared by the subs below.
$Alert    = 0;      # assigned here; not read anywhere in the visible script
@SendData = ();     # tripwire output lines, filled by BuildTripDatabase
$DoBoth   = 0;      # response flags: set by AlertAdmin, read by PerformKill
$DoNFS    = 0;
$DoRmHttp = 0;

# NOTE: the command and path settings below are pasted into command
# strings that Perl runs through a pipe open or backticks (and so
# possibly /bin/sh). Keep this file writable only by the administrator
# who owns the response, and keep the values free of shell metacharacters.

# Recipient of the alert mail (goes into the To: header).
$AdminUser = 'securityuser';

# Mailer command; AlertAdmin opens it as a pipe and writes the message to it.
$SendmailCMD = '/usr/lib/sendmail -t';

# Where tripwire lives, plus the database and config file handed to it
# with -d and -c. It is run with -q (quiet) to cut down on chatter.
$TripCMD        = '/place/to/bin/tripwire';
$TripDatabase   = '/place/to/tripwire/www.database';
$TripConfigFile = '/place/to/tripwire/WWW.conf';

# Set DoNFSshare to 1 when the WWW server mounts its document tree via
# NFS from a hardened server and this script (with tripwire) runs on
# that NFS server. The directory is then unshared once the grace period
# defined below has passed.
$DoNFSshare    = 1;
$NFSunsharecmd = '/usr/sbin/unshare';
$NFSwwwdir     = '/place/to/real/NFS/server/WWW';

# Set DoRemoteKill to 1 to stop httpd on the WWW server when tripwire
# reports changes. Review RemoteCMD, RemoteHost and RemoteHttpKill first.
# The author prefers ssh because of the key exchange.
# NOTE(review): the remote command runs unattended, so it presumably
# needs non-interactive (key-based) login - confirm on your setup.
$DoRemoteKill = 0;

# Only used when DoRemoteKill is 1.
$RemoteCMD      = '/opt/PUBsshd/bin/ssh';
$RemoteHost     = 'WWW';
$RemoteHttpKill = '/etc/init.d/httpd stop';

# Grace period, written as the shell command that waits it out, before
# the NFS unshare and/or the remote httpd stop are carried out.
$SleepTime = 'sleep 3600';
#<----you do not need to change anything below here--->
# Issue tripwire command with options. Compile a list of
# changes that have occurred since the last update of the
# tripwire database. Save these modifications to be sent
# as a notification to the admin.
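sub BuildTripDatabase
{
    # Run tripwire (-q) against $TripDatabase / $TripConfigFile and append
    # every line it prints to @SendData, one element per line.
    #
    # Dies when tripwire cannot be started or its output cannot be read to
    # the end. Without that check a missing binary or unreadable database
    # leaves @SendData empty, and AlertAdmin treats an empty list as
    # "nothing changed": the monitor would fail open.

    # The command is a single string, so Perl may pass it to /bin/sh; the
    # $Trip* settings must come only from this file.
    open(Tripdata, "$TripCMD -d $TripDatabase -c $TripConfigFile -q|")
        or die "WWWcheck: cannot run $TripCMD: $!\n";

    while (<Tripdata>) {
        # chomp removes only a trailing newline. The original chop would
        # also eat the last character of an unterminated final line. The
        # bare "split;" was dropped because its result was never used.
        chomp;
        push(@SendData, $_);
    }

    # close() on a pipe returns false for a real I/O error ($! set) and
    # also when the child merely exited non-zero ($! == 0, status in $?).
    # Only the former is fatal here.
    # NOTE(review): tripwire may exit non-zero when it reports differences;
    # confirm its exit codes before treating $? as an error.
    unless (close(Tripdata)) {
        die "WWWcheck: error reading tripwire output: $!\n" if $!;
    }
}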
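sub AlertAdmin
{
    # Mail the collected tripwire output to $AdminUser and record in
    # $DoBoth / $DoNFS / $DoRmHttp which response PerformKill should run.
    # Returns without mailing or setting any flag when tripwire printed
    # nothing.

    # The original tested `@SendData == " "`, which only worked because
    # both sides numify to 0. Test for an empty list directly.
    return unless @SendData;

    # A mailer that exits early must not kill this script with SIGPIPE
    # before the response flags are set.
    local $SIG{PIPE} = 'IGNORE';

    # A failed mail is reported but does not cancel the response: the
    # flags below are still set so PerformKill runs as configured.
    open(ALERT, "|$SendmailCMD")
        or warn "WWWcheck: cannot start $SendmailCMD: $!\n";

    print ALERT "To:$AdminUser\n";
    print ALERT "cc:\n";
    print ALERT "subject: WWW server Document tree\n";
    # First non-header line: everything from here on is message body.
    print ALERT "-------\n";
    print ALERT "Has changed since the last tripwire database update. Here\n";
    print ALERT "is a summery of the output from tripwire run at \n\n\n";
    for my $line (@SendData) {
        print ALERT "$line\n";
    }
    print ALERT "\nThe following actions will be taken...\n\n";

    if ($DoNFSshare == 1 && $DoRemoteKill == 1) {
        print ALERT "Your WWW server mounts it's document tree via NFS from\n";
        print ALERT "this server and you have elected to kill the remote httpd\n";
        print ALERT "daemon running on the WWW server. The following command will\n";
        print ALERT "issued:\n\n";
        # Closing quote added so the mail shows the command PerformKill runs.
        print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n";
        $DoBoth = 1;
    }
    else {
        if ($DoNFSshare == 1) {
            print ALERT "Your WWW server is mounting it's document tree via an NFS\n";
            print ALERT "server which is this host according to variables set. The\n";
            print ALERT "following command will be issued:\n\n";
            print ALERT "$SleepTime ; $NFSunsharecmd $NFSwwwdir\n\n";
            $DoNFS = 1;
        }
        if ($DoRemoteKill == 1) {
            print ALERT "According to our options you have elected to disable httpd\n";
            print ALERT "service on the WWW server. the following command will be\n";
            print ALERT "issued:\n\n";
            # The mail used to show the sleep running on the remote host.
            # PerformKill sleeps locally and then calls $RemoteCMD, so the
            # announced command now matches the one that is executed.
            print ALERT "$SleepTime ; $RemoteCMD $RemoteHost '($RemoteHttpKill)'\n\n";
            $DoRmHttp = 1;
        }
        if ($DoNFSshare == 0 && $DoRemoteKill == 0) {
            print ALERT "Although we have detected differences that may indicate an\n";
            print ALERT "attack, options set tell us that we are to take no action\n";
            print ALERT "in response. YOU MUST CHECK to see if this is really the\n";
            print ALERT "intended reaction to the tripwire output!\n\n";
        }
    }

    # On a pipe, close() is where a mailer failure becomes visible.
    close(ALERT)
        or warn "WWWcheck: $SendmailCMD did not accept the alert (status $?): $!\n";
}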
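sub PerformKill
{
    # Carry out the response AlertAdmin selected: wait out the grace
    # period, then unshare the NFS document tree and/or stop httpd on the
    # WWW server. Does nothing when no flag is set.
    #
    # The steps used to be chained with ";" in a single backtick call,
    # which hid every exit status except the last one. They now run one at
    # a time, in the same order, so a failed unshare or remote stop is
    # reported instead of passing silently.
    my $unshare = "$NFSunsharecmd $NFSwwwdir";
    my $stop    = "$RemoteCMD $RemoteHost '($RemoteHttpKill)'";

    if ($DoBoth) {
        _RunResponseSteps($SleepTime, $unshare, $stop);
        return;
    }
    if ($DoNFS) {
        _RunResponseSteps($SleepTime, $unshare);
    }
    if ($DoRmHttp) {
        _RunResponseSteps($SleepTime, $stop);
    }
}

# Run each command string in order through backticks, echo its stdout to
# STDERR as the original did, and warn when a step exits non-zero or
# cannot be started. Later steps still run after a failure, matching the
# old ";" chaining. The strings may be passed to /bin/sh, so they must
# come only from the settings at the top of this file.
sub _RunResponseSteps
{
    my (@steps) = @_;
    for my $step (@steps) {
        my $output = `$step`;
        my $status = $?;
        print STDERR $output if defined $output;
        warn "WWWcheck: response step '$step' failed (wait status $status)\n"
            if $status != 0;
    }
}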
sub main
{
    # Pipeline: collect the tripwire output, mail the admin and pick the
    # response, then carry that response out.
    BuildTripDatabase();
    AlertAdmin();
    PerformKill();
}
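package main;
# Entry point. Uses the :: package separator: the Perl 4 apostrophe form
# (WWWcheck'main) draws a deprecation warning on recent perls.
WWWcheck::main();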