$Id: README,v 1.5 2005/12/26 17:53:46 bbrazil Exp $

BrMon 0.1
Copyright Brian Brazil 2005

This is a set of scripts intended to detect unknown daemons and break-ins
via ssh and Apache. If something is found, an email will be sent to root.

Mostly as a side effect, it can also detect runaway Apache requests, daemons
that should be running but aren't, and general leftover processes (lynx
seems to be somewhat common).

Software requirements are standard UNIX tools (sort, cut, sed, ps, pgrep
etc.) and gawk. These scripts were developed on Solaris 8 and ported to
also work on Debian Sarge GNU/Linux. Output format may vary slightly
between platforms.

These are released under version 2 of the GNU General Public License.

*************
* Rationale *
*************

Website compromises usually start some processes hanging off PHP. These
can be detected because they will have been running longer than a PHP
script should run (a few seconds). Alternatively, they could start a
daemon.

For ssh brute force attacks you see a lot of attempts to log in from one IP
address. If there's a successful login from that IP, then that account has
been compromised.

********************
* ssh_brute_finder *
********************

This looks at your sshd.log for hosts that had over a certain threshold of
failed passwords and/or invalid users. Once that threshold is crossed, the
host is deemed to be an attacker, and any successful logins from that IP
address are flagged. Also, if any user has had more than 10 failed
passwords, they will be flagged.

Note that this requires 'LogLevel VERBOSE' in your sshd_config.

I suggest rotating your sshd.log daily and running this on the previous
day's log via logrotate. Running John the Ripper regularly is also advised
as a preventative measure.

***********************
* long_running_apache *
***********************

This looks for processes spawned by Apache that started (by default) over
10 minutes ago. It'll then list these, and their children (if any).

Note that this is different from PHP's max_execution_time, which only
counts user time, not wall time. An easy way to test this is to run the
following one-line PHP script from Apache:

******************
* daemon_monitor *
******************

This looks for all processes with a PPID of 1. First it checks that all
your system daemons are running. Then it looks for non-system processes
that aren't known to it.

This script has 2 configuration files. One specifies the system daemons,
the other the known daemons. These files must be sorted with sort(1); the
format is the same as the output of daemon_monitor.

*********
* Notes *
*********

All these programs are in some way configurable. In addition, you can
specify a filter for long_running_apache and daemon_monitor so that they
ignore certain processes. Examples are included in the source.
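As an added example (not BrMon's own code), the ssh_brute_finder logic described above as a single awk pass over sshd log lines written at LogLevel VERBOSE; the sample log lines, the documentation-range IPs and the thresholds passed in the usage line are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of BrMon: flag successful ssh logins from hosts
# that crossed a failure threshold, plus users with too many failed passwords.
# Usage: ssh_brute_finder IP_THRESHOLD USER_THRESHOLD < sshd.log
#   ATTACKER_LOGIN <ip> <user>  login from an IP with >= IP_THRESHOLD
#                               failed passwords / invalid users
#   USER_FAILS <user> <count>   user with more than USER_THRESHOLD failures
ssh_brute_finder() {
  awk -v thr="${1:-10}" -v uthr="${2:-10}" '
    # the word after "from" is the client IP
    function ip_of(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
    # the word after "for", or after "for invalid user"
    function user_of(  i) { for (i = 1; i <= NF; i++) if ($i == "for") return ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1); return "" }
    /sshd\[[0-9]+\]: Failed password for/ { fails[ip_of()]++; ufails[user_of()]++; next }
    /sshd\[[0-9]+\]: Invalid user /       { fails[ip_of()]++; next }
    /sshd\[[0-9]+\]: Accepted /           { n++; aip[n] = ip_of(); auser[n] = user_of() }
    END {
      # count the whole log first, then report, so event order does not matter
      for (i = 1; i <= n; i++) if (fails[aip[i]] >= thr) print "ATTACKER_LOGIN", aip[i], auser[i]
      for (u in ufails) if (ufails[u] > uthr) print "USER_FAILS", u, ufails[u]
    }'
}

# Constructed sample log (not from a real host); IPs are documentation ranges.
SAMPLE_LOG='Dec 25 03:10:01 www sshd[1001]: Invalid user admin from 198.51.100.7
Dec 25 03:10:01 www sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Dec 25 03:10:04 www sshd[1003]: Failed password for root from 198.51.100.7 port 40112 ssh2
Dec 25 03:10:07 www sshd[1005]: Failed password for root from 198.51.100.7 port 40113 ssh2
Dec 25 03:11:30 www sshd[1009]: Accepted password for alice from 198.51.100.7 port 40120 ssh2
Dec 25 08:00:00 www sshd[1200]: Failed password for root from 203.0.113.5 port 51000 ssh2
Dec 25 08:00:10 www sshd[1201]: Failed password for bob from 203.0.113.5 port 51001 ssh2
Dec 25 09:00:00 www sshd[1300]: Accepted publickey for bob from 203.0.113.5 port 51100 ssh2'

# low thresholds so the small sample triggers both checks
printf '%s\n' "$SAMPLE_LOG" | ssh_brute_finder 3 2
```

The script reports alice's login from 198.51.100.7 (4 failures from that host) and root with 3 failed passwords, while bob's login from 203.0.113.5 (2 failures) is left alone.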