<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.8" -->
<?xml-stylesheet href="https://wiki.itadmins.net/lib/exe/css.php?s=feed" type="text/css"?>
<rdf:RDF
    xmlns="http://purl.org/rss/1.0/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel rdf:about="https://wiki.itadmins.net/feed.php">
        <title>Chucks notes and stuff - security</title>
        <description></description>
        <link>https://wiki.itadmins.net/</link>
        <image rdf:resource="https://wiki.itadmins.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg" />
       <dc:date>2026-05-23T10:54:06+00:00</dc:date>
        <items>
            <rdf:Seq>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:centralized_tripwire&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:communityid_openid&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:iptables&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:iwatch&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:logcheck&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:opnsense&amp;rev=1775661950&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:rkhunter&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:server_solution&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:siemonster-suricata&amp;rev=1775654007&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:tiger&amp;rev=1582539361&amp;do=diff"/>
                <rdf:li rdf:resource="https://wiki.itadmins.net/doku.php?id=security:tripwire&amp;rev=1582539361&amp;do=diff"/>
            </rdf:Seq>
        </items>
    </channel>
    <image rdf:about="https://wiki.itadmins.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg">
        <title>Chucks notes and stuff</title>
        <link>https://wiki.itadmins.net/</link>
        <url>https://wiki.itadmins.net/lib/exe/fetch.php?media=wiki:dokuwiki.svg</url>
    </image>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:centralized_tripwire&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>centralized_tripwire</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:centralized_tripwire&amp;rev=1582539361&amp;do=diff</link>
        <description>Centralized Intrusion Detection Using Tripwire

;#;
Large portions of this text were originally published by Yunliang Yu &lt;yu@math.duke.edu&gt; from Duke University;
my changes are published here for reference only and are a work in progress to bring this up to date.
;#;

Summary:</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:communityid_openid&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>communityid_openid</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:communityid_openid&amp;rev=1582539361&amp;do=diff</link>
        <description>How to install Community-ID 2.0.0 RC3

The official site of Community-ID (Offline) New official site of Community-ID offers a series of simple tutorials for installation of the service, but as of version 2.0.0 the installation process has changed a bit. This little howto is constructed from a tutorial that was based on the original tutorial, modified and translated into Spanish (by</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:iptables&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>iptables</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:iptables&amp;rev=1582539361&amp;do=diff</link>
<description>IPTables Tweaks

ICMP Redirecting

This error was driving me nuts for a while:


Jan 29 15:11:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:21:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:31:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:41:45 zcn1 kernel: host 10.1.0.52/if5 ignores redirects for 10.1.0.51 to 10.1.0.51.
Jan 29 15:51:45 zcn1 kernel: host 10.1.0.52…</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:iwatch&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>iwatch</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:iwatch&amp;rev=1582539361&amp;do=diff</link>
        <description>IWatch

With the introduction of IWatch things start to really get interesting in the world of live security monitoring. Unfortunately the documentation is VERY poor in one area.

Generally you can watch a directory and send notifications as soon as anything happens, and you can monitor processes and get notified as soon as a process dies or you can monitor a log file and get notified when something with the file happens. For example, let&#039;s monitor the /etc directory recursively for any changes:</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:logcheck&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>logcheck</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:logcheck&amp;rev=1582539361&amp;do=diff</link>
<description>Logcheck Tweaks

RSyslogd

The following rsyslogd syslog entries will cause the default install of logcheck to trip:


Sep 18 06:25:01 zcn1 kernel: imklog 3.18.6, log source = /proc/kmsg started.
Sep 18 06:25:01 zcn1 rsyslogd: [origin software=&quot;rsyslogd&quot; swVersion=&quot;3.18.6&quot; x-pid=&quot;2097&quot; x-info=&quot;http://www.rsyslog.com&quot;] restart</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:opnsense&amp;rev=1775661950&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-04-08T15:25:50+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>opnsense</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:opnsense&amp;rev=1775661950&amp;do=diff</link>
        <description>OPNSense Extras

Rollback to previous stable version

This will roll back a production system to the last good version of OPNSense while keeping all configs.

sh /usr/local/sbin/opnsense-bootstrap

Search for package from cli

pkg search packagename

Install package from cli</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:rkhunter&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>rkhunter</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:rkhunter&amp;rev=1582539361&amp;do=diff</link>
        <description>RootKit Hunter (rkhunter) tips

Missing Kernel modules warning

For those of you getting the following warning on Debian systems:


Warning: The kernel modules directory &#039;/lib/modules&#039; is missing or empty.


This is due to the fact that your kernel does support modules but there are none actually on the system, so rkhunter thinks there MAY be a problem. To get rid of the warning, simply edit /etc/rkhunter.conf and change:</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:server_solution&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>server_solution</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:server_solution&amp;rev=1582539361&amp;do=diff</link>
        <description>Server Solution 1

Overview

	*  Log analysis/monitoring: Logdog/Logsurfer+/Logwatch
	*  Rootkit/bot monitoring: rkhunter + chkrootkit
	*  Preemptive Firewalling: Denyhosts
	*  HIDS:
		*  Tripwire &amp; AIDE
		*  Tripwire w/ tripwire monitoring &amp; centralized control (OSSIM server)</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:siemonster-suricata&amp;rev=1775654007&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2026-04-08T13:13:27+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>siemonster-suricata</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:siemonster-suricata&amp;rev=1775654007&amp;do=diff</link>
        <description>Siemonster Suricata Integration

	*  UPDATE 1: Uploaded correct Logstash configs..
	*  UPDATE 2: Uploaded corrected Logstash Suricata Stats template.

After using OSSIM for years I was excited to hear about the release of Siemonster. Performance of the Community Edition of OSSIM is, and always was, a major problem for me.</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:tiger&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>tiger</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:tiger&amp;rev=1582539361&amp;do=diff</link>
        <description>Tiger Scanner

cgroup FS warnings

I have a few servers running Tiger that were installed before I took over the IT Department where I work. These servers also run LXC and use the cgroup “filesystem” type, and thus Tiger has a problem whenever it runs its checks, throwing the following error and making Cron send a mail about the situation:</description>
    </item>
    <item rdf:about="https://wiki.itadmins.net/doku.php?id=security:tripwire&amp;rev=1582539361&amp;do=diff">
        <dc:format>text/html</dc:format>
        <dc:date>2020-02-24T10:16:01+00:00</dc:date>
        <dc:creator>Anonymous (anonymous@undisclosed.example.com)</dc:creator>
        <title>tripwire</title>
        <link>https://wiki.itadmins.net/doku.php?id=security:tripwire&amp;rev=1582539361&amp;do=diff</link>
        <description>Tripwire

1. Install Tripwire

apt-get install tripwire

	*  Site passphrase will secure the tw.cfg tripwire configuration file and tw.pol tripwire policy file. You have to assign a site passphrase even for a single instance tripwire.
	*  Local passphrase will protect tripwire database and report files.</description>
    </item>
</rdf:RDF>
