aide intrusion detection centos 7

A guide to installing and configuring aide intrusion detection on RHEL/CentOS 7 Linux. To become a Red Hat Certified Specialist in Security: Linux you will need to know how to use the aide intrusion detection system on Red Hat or derivative OSes.


To install aide on a CentOS server you will first need to install the EPEL repo which is the Extra Packages For Enterprise Linux.

yum install epel-release

yum install aide

Create the initial aide database; later checks are compared against it to find changes.


You will then need to replace the old database with the newly generated one.

mv -v /var/lib/aide/ /var/lib/aide/aide.db.gz

Add a cronjob to make aide check for changes every 24 hours.

crontab -e

Add the following line to run the check at midnight (see man cron for more instructions).


0 0 * * * /usr/sbin/aide --check --verbose=4

You will then get a mail report from cron every time aide detects changes, and possibly every day because of the default verbose level. I tried redirecting 1> /dev/null but this suppressed all output from the cron emails, as nothing was going to stderr. Update: adding --verbose=4 stops output going to stdout when there are no changes.
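One way to get a cron mail only when aide finds something, written as an added example for this post (not the post's own script): the wrapper keeps the full report on disk and prints to stdout only on differences or errors. The report path and the crontab line are assumptions; the exit-status bits follow aide's documented convention.

```shell
#!/bin/sh
# Added example, not from the original post: cron wrapper around "aide --check".
# Assumes AIDE's documented exit status: 0 = no differences, bit 1 = new files,
# bit 2 = removed files, bit 4 = changed files, 14 and above = an error.
AIDE=${AIDE:-/usr/sbin/aide}
REPORT=${REPORT:-/var/log/aide/aide-check.log}   # assumed report location

# Translate an aide exit status into a one-line summary.
aide_status() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$code" -ge 14 ]; then
        echo "error (exit $code)"
        return 0
    fi
    summary=""
    [ $((code & 1)) -ne 0 ] && summary="$summary added"
    [ $((code & 2)) -ne 0 ] && summary="$summary removed"
    [ $((code & 4)) -ne 0 ] && summary="$summary changed"
    echo "${summary# }"
}

# Run the check; stdout (and therefore a cron mail) only when there is news.
run_check() {
    mkdir -p "$(dirname "$REPORT")"
    "$AIDE" --check --verbose=4 >"$REPORT" 2>&1
    rc=$?
    summary=$(aide_status "$rc")
    [ "$summary" = "clean" ] && return 0
    echo "AIDE on $(hostname): $summary, full report in $REPORT"
    cat "$REPORT"
    return "$rc"
}

# Crontab line to use instead of calling aide directly (assumed script path):
# 0 0 * * * /usr/local/sbin/aide-check.sh run
case "$1" in run) run_check ;; esac
```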

Every time the aide database needs updating you will need to run the following, assuming you have already run /usr/sbin/aide --check

/usr/sbin/aide --update

Once the aide update has completed, run the following to replace the aide database.

mv -v /var/lib/aide/ /var/lib/aide/aide.db.gz

Linux, red hat certification, rhcsa, Security

Installing Psad Intrusion Detection CentOS 6

Psad is an iptables log analysis and IDS tool; this guide shows how to install it and do a basic configuration on a CentOS 6 box.

Install psad from the EPEL repo (Extra Packages for Enterprise Linux, provided by the Fedora project).

Add the EPEL repo.

 yum install epel-release

Install psad.

 yum install psad

Change some settings in the psad.conf.

 nano -w /etc/psad/psad.conf 

EMAIL_ADDRESSES to_your_email;

Optional settings. This sets psad to respond automatically (auto IDS). The official documentation for Auto IDS is here

### If "Y", enable automated IDS response (auto manages
### firewall rulesets).

Add the logging to iptables.

iptables -I INPUT -j LOG
iptables -I FORWARD -j LOG
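A miniature of what psad does with the LOG lines those rules produce, added here as an example (it is not psad's code): count, per source address, how many distinct destination ports received a TCP SYN and report sources at or above a threshold. The log lines are constructed samples in the kernel LOG format, trimmed to the fields the script reads.

```shell
#!/bin/sh
# Added example, not from the original post: per-source count of distinct
# ports hit by TCP SYNs in iptables LOG output, the core of a port-scan alert.
# SAMPLE_LOG is constructed test data (RFC 5737 addresses), not a real capture.
SAMPLE_LOG=$(cat <<'EOF'
Oct 17 10:00:01 cent6 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 17 10:00:01 cent6 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 17 10:00:02 cent6 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 17 10:00:02 cent6 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 17 10:00:03 cent6 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40005 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 17 10:00:04 cent6 kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 17 10:00:04 cent6 kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 RES=0x00 ACK URGP=0
EOF
)

# usage: port_scan_sources THRESHOLD < iptables-log
# Prints "SRC count" for every source that sent SYNs to THRESHOLD or more
# distinct destination ports. A repeated (source, port) pair counts once.
port_scan_sources() {
    awk -v thr="$1" '
        /kernel:/ && /PROTO=TCP/ && / SYN/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }
    ' | sort
}

# Run the detector over the constructed sample (default threshold: 3 ports).
scan_sample() { printf '%s\n' "$SAMPLE_LOG" | port_scan_sources "${1:-3}"; }
```

On a live box the same function reads the real file, e.g. port_scan_sources 10 < /var/log/messages.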

Now restart psad, update the signature file and load in the new signatures.

psad -R

psad --sig-update

psad -H

Add a cronjob to update the signatures.

crontab -e

And add the following

0       0       *       *       7       /usr/sbin/psad --sig-update && /usr/sbin/psad -H

The official documentation for psad can be found here

Linux, Security

Issues installing/upgrading Flash Ubuntu 12.04 behind a proxy.

I recently came across an issue whilst updating the flashplugin-installer on Ubuntu 12.04 behind a network proxy (apt was configured to use the proxy and all other updates worked fine, just not Flash).

I got the following error whilst attempting to update,

Preparing to replace flashplugin-installer (using …/flashplugin-installer_11.2.202.310ubuntu0.12.04.1_amd64.deb) …
Unpacking replacement flashplugin-installer …
Processing triggers for update-notifier-common …
flashplugin-installer: downloading
Traceback (most recent call last):
File “/usr/lib/update-notifier/package-data-downloader”, line 234, in process_download_requests
dest_file = urllib.urlretrieve(files[i])[0]

File “/usr/lib/python2.7/”, line 93, in urlretrieve
return _urlopener.retrieve(url, filename, reporthook, data)
File “/usr/lib/python2.7/”, line 239, in retrieve
fp =, data)
File “/usr/lib/python2.7/”, line 207, in open
return getattr(self, name)(url)
File “/usr/lib/python2.7/”, line 344, in open_http
File “/usr/lib/python2.7/”, line 954, in endheaders
File “/usr/lib/python2.7/”, line 814, in _send_output
File “/usr/lib/python2.7/”, line 776, in send
File “/usr/lib/python2.7/”, line 757, in connect
self.timeout, self.source_address)
File “/usr/lib/python2.7/”, line 571, in create_connection
raise err
IOError: [Errno socket error] [Errno 110] Connection timed out
Setting up flashplugin-installer ( …

The fix was to download the file manually.


Then modifying /usr/lib/update-notifier/package-data-downloader.

You might want to back this file up first. The ‘x’ represent version numbers.

cp -v /usr/lib/update-notifier/package-data-downloader /usr/lib/update-notifier/package-data-downloader.bak

Then open the file and look for dest_file = urllib.urlretrieve(files[i])[0]

And replace with dest_file = urllib.urlretrieve("/pathtofile/adobe-flashplugin_xx.x.x.x.orig.tar.gz")[0]

Now run,

aptitude install flashplugin-installer

to install Flash using the recently downloaded source.


Linux, Ubuntu

ClamAV detected duplicate databases.

If you restart the clamav service and receive the following warning, or you get an email from crond after updating, it is because ClamAV detected duplicate databases.

[LibClamAV] Detected duplicate databases /var/lib/clamav/main.cvd and /var/lib/clamav/main.cld, please manually remove one of them

Just remove the older of the two files and restart clamd.

# cd /var/lib/clamav
# ls -l
total 249272
clam clam 345088 Oct 5 03:37 bytecode.cld
clam clam 26438656 Oct 17 03:16 daily.cld
clam clam 163468288 Sep 18 10:02 main.cld
clam clam 64720632 Sep 27 00:14 main.cvd
clam clam 156 Oct 17 10:00 mirrors.dat
# rm -rf main.cld

Now restart clamd; the command depends on your Linux distro (CentOS in this example).

#service clamd restart
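The same clean-up as a script, added here as an example (not from the post): for every database present as both .cvd and .cld, report the older copy, and remove it only when the second function is called. It assumes the test operator -ot, which bash, dash and ksh provide.

```shell
#!/bin/sh
# Added example, not from the original post: find ClamAV databases that exist
# as both .cvd and .cld and pick the older file, which is the one to delete.
clamav_older_duplicates() {  # usage: clamav_older_duplicates DBDIR
    dir=$1
    for cvd in "$dir"/*.cvd; do
        [ -e "$cvd" ] || continue              # no .cvd files at all
        cld="${cvd%.cvd}.cld"
        [ -e "$cld" ] || continue              # no duplicate for this database
        if [ "$cvd" -ot "$cld" ]; then echo "$cvd"; else echo "$cld"; fi
    done
}

# Delete the older copies; the newer database of each pair is kept.
clamav_remove_older_duplicates() {  # usage: clamav_remove_older_duplicates DBDIR
    clamav_older_duplicates "$1" | while IFS= read -r old; do
        rm -f -- "$old" && echo "removed $old"
    done
}
```

After removing the file, restart clamd as shown above.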
Linux

Linux Tee command examples

In Linux, tee is a command that writes standard output (stdout) to a file as well as to the terminal.

Tee writes to the terminal as well as to a file, so a command's activity can be watched live and also kept in a log for later viewing. The example below uses yum, and the next one compiling from source, as a way of keeping track of updates (the default yum log already records this, it is just an example). If you are compiling from source this can be invaluable, as nothing keeps track of compiled packages (checkinstall is an exception).

yum update -y | tee yumupdate.txt

An example compiling from source.

This example assumes you have all the dependencies, but you can check the logs outputted by tee for dependency errors.

You've downloaded the needed source and changed into that directory.

./configure | tee configure.txt
make | tee make.txt
make install | tee install.txt

This helps if any of the output overruns your terminal buffer and you can't scroll back far enough, and it also leaves a log you can look back to in case of future issues: you can check the configure, make and install files for errors as well as for where the files were installed to.

Bash Scripting, Linux

SCP bash script

An SCP bash script I wrote for SCP transfer via SSH. If any explanations are needed please post a comment.

I have been really busy lately so haven't done many updates, so I am sharing a script I wrote. Although the script can be useful for automating scp, it is aimed as an example of how to use scp as well as of learning how to use a Linux (Bash) shell.


echo “Enter Filename  if in the same directory (relative path) if not use the full path to the file (absolute path) i.e /bin/bash instead of bash”


echo “Enter destination server”


echo “Enter destination directory, must include / i.e /root not root”


echo “SSH Port?”

read PORT

echo “Username?”

read USER

In English, the direct syntax to enter would be:

scp -P 22 file

Bash Scripting, Linux

Plesk stale pidfile control panel failing to start Linux

Plesk stale pidfile error: Plesk won't start, or gives a 500 error when loaded in the browser.

service sw-cp-server start

You will see.

Starting SWsoft control panels server… stale pidfile. [FAILED]

Check the Plesk error log /var/log/sw-cp-server/error_log.

tail -f /var/log/sw-cp-server/error_log

2012-06-02 11:43:27: (network.c.300) can’t bind to port: 10001 Address already in use
2012-06-02 11:43:27: (log.c.75) server started
2012-06-02 11:43:27: (network.c.300) can’t bind to port: 10001 Address already in use
2012-06-02 11:43:31: (log.c.75) server started
2012-06-02 11:43:31: (network.c.300) can’t bind to port: 10001 Address already in use
2012-06-02 11:43:31: (log.c.75) server started
2012-06-02 11:43:31: (network.c.300) can’t bind to port: 10001 Address already in use

Check what is open on port 10001.

lsof -i tcp:10001

sw-cp-ser 3179 sw-cp-server 5u IPv4 9026 TCP localhost.localdomain:scp-config (LISTEN)

Stop The Plesk service.

service sw-cp-server stop

Stoppping SWsoft control panels server… not running. [ OK ]

Remove the stale Plesk PID file. The filename in the command below was truncated in the original post; the rm must target only the sw-cp-server pidfile under /var/run/, never the whole directory.

rm -rf /var/run/

Check if the Plesk process is still running.

ps ax | grep sw-cp-server | grep -v grep

3179 ? S 0:23 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config

Kill the process.

ps ax | grep sw-cp-server | grep -v grep | awk '{print $1}' | xargs kill -9

Start Plesk.

service sw-cp-server start
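A stale pidfile is one whose PID no longer belongs to a live process, which is worth checking before deleting it or killing anything. The helper below is an added example (not Plesk's code) that makes that decision from /proc; the pidfile path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether a pidfile is stale
# before removing it. Assumes a Linux /proc filesystem.
pidfile_is_stale() {  # usage: pidfile_is_stale /path/to/pidfile ; exit 0 = stale
    pidfile=$1
    [ -r "$pidfile" ] || return 2              # no pidfile: nothing to clean up
    pid=$(tr -cd '0-9' < "$pidfile")           # keep only the digits
    [ -n "$pid" ] || return 0                  # empty or garbage pidfile: stale
    [ -d "/proc/$pid" ] || return 0            # no such process: stale
    return 1                                   # a live process still owns it
}

# Remove the pidfile only when it is stale; otherwise tell the admin to stop
# the daemon properly first (the post's "service sw-cp-server stop").
clean_stale_pidfile() {  # usage: clean_stale_pidfile /path/to/pidfile
    if pidfile_is_stale "$1"; then
        rm -f -- "$1"
        echo "removed stale pidfile $1"
        return 0
    fi
    echo "$1 belongs to a running process; stop the service first"
    return 1
}
```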

Linux, Plesk Linux, Virtual & Dedicated Servers

Reset Linux root password. Guide to reset Linux root password.

This is a guide to resetting the Linux root password.

First off you need some sort of "physical access to this box" to be able to reset the Linux root password; if it is not your desktop then some sort of remote KVM access (KVM: keyboard, video and mouse).

Note: these instructions are based on CentOS, so they should work for any Red Hat based distro, although details may differ.

At the grub prompt press e to enter edit mode.

Select the second line press e again.

You will see an entry similar to the following (your grub entry will probably not look exactly the same as this).

kernel /vmlinuz-2.6.18-308.4.1.el5 ro root=/dev/sda3

Add init=/bin/sh at the end of the line. (The steps so far should work on Debian/Ubuntu, although there you might need to use /bin/bash instead of /bin/sh, because Debian/Ubuntu symlink /bin/sh to /bin/dash rather than /bin/bash.)

kernel /vmlinuz-2.6.18-308.4.1.el5 ro root=/dev/sda3 init=/bin/sh

Now press the enter key and then b to boot.

This will take you into single user mode.

Now mount the root partition in read and write mode so that the changes can be committed.

mount -o remount,rw /

Once the file system is mounted type the following.

passwd root

You will be prompted for the new password and then to confirm it.

You have now reset the Linux root password, so reboot.

Alternatively this can be done with a livecd.

1. Boot the livecd.

2. Mount the partition (replace * with the drive letter).

mount /dev/sd* /mnt/point

3. Use chroot to reset the root password on the disk (rather than the livecd)

chroot /mnt/point passwd root

You will now be prompted to change the password, but as this is chrooted it only affects the partition you mounted and not the host. So you could do this from a desktop or server, also over NFS and maybe Samba.


chroot creates an isolated environment. So if you chroot /mnt/mountpoint it locks /mnt/mountpoint into a chroot jail (basically the same as an htdocs directory: it restricts the user to a directory that is "their root" and they can't go above it).

So chroot /mnt/point yum check-update (if yum is installed within /mnt/mountpoint)

would check for updates to the mounted chroot jail.

So if you ran chroot /mnt/point yum check-update && yum update, the system you mounted it on will not be updated, but the system that's within the chroot jail will.

Linux, Virtual & Dedicated Servers

Disabling phpMyAdmin Plesk Linux

In the Plesk control panel I have never been able to find an option to disable phpMyAdmin within the panel. This guide will show how to prevent it from running, or how to remove it.

To disable.

Login via ssh and run the following.

chmod 000 /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

To re-enable.

chmod 755 /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

To remove.

rm /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

Bash script to enable/disable.

#!/bin/bash
#Author Phil Bond box-admin

echo "Permissions currently set on Plesk phpMyAdmin"

stat /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

echo "Usage enter enable to enable phpMyAdmin or disable to disable it"

# Read the user's choice (the read line and the esac were missing from the extracted post).
read CHOICE

case $CHOICE in

disable) chmod 000 /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin;;
enable) chmod 755 /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin;;
*) echo "Unknown choice: $CHOICE (expected enable or disable)"; exit 1;;

esac

echo "Permissions now set on Plesk phpMyAdmin"

stat /usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin

exit 0

Bash Scripting, Linux, Plesk Linux, Virtual & Dedicated Servers

Unable to get webmail password at login to AtMail, Linux Plesk.

If you get the error "Unable to get webmail password!" when logging into the AtMail webmail for the Plesk control panel, here's the fix.

Edit /etc/httpd/conf.d/zzz_atmail_vhost.conf.

nano -w /etc/httpd/conf.d/zzz_atmail_vhost.conf

Search for (all on one line)

php_admin_value open_basedir "/var/www/atmail:/var/log/atmail:/etc/psa:/tmp:/var/tmp"

Append :/etc/psa-webmail/atmail so the line reads

php_admin_value open_basedir "/var/www/atmail:/var/log/atmail:/etc/psa:/tmp:/var/tmp:/etc/psa-webmail/atmail"

Now restart Apache.

service httpd restart

Email, Linux, Plesk Linux, Virtual & Dedicated Servers