Eset
From Logicalwebhost-Wiki
ESET has just released a new series of products for Linux: a Mail Server, a File Server and a Gateway product. Here are some tips on setting up several aspects of them.
Here's roughly how the install will go:
- you'll get an e-mail with the username/password to download the file(s) you need along with a download link. Download the file.
- transfer the 2 files to whatever box you'll be installing them on
- Install the software
- Update the latest virus definitions
- Scan stuff
At this point I'm starting with Red Hat-based systems (RHEL, CentOS, Fedora); later on I'll get to Debian-based ones (Debian, Ubuntu, Kubuntu, Knoppix), since they behave slightly differently, especially if you get dazuko running. After that I'll probably do one for BSD. If you have questions let me know at howto AT logicalwebhost .. com
Redhat
| Do this | What it does |
|---|---|
| download puTTY from the internet and install it | from here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. This will allow you to log in to your installation box from a Windows machine; if you're sitting in front of your Linux box, never mind this and the next step |
| download WinSCP from the internet and install it | from here: http://winscp.net/eng/download.php. This will allow you to copy the program/license files to your Linux box using drag and drop from your Windows box...tasty, and secure over ssh just like your puTTY :) |
| open a terminal/puTTY | from now on you'll be in command line world...relax |
| su | switch to root user; you don't have to, but, uh, it makes the rest of this work, and it's easier. Alternately you could do sudo whatevercommand, but that's up to you. |
| cd /usr/src/ | this is where we'll put the installer files |
| download the esets.i386.rpm.bin file | or transfer it to your box; this is the main program file |
| chmod 755 esets.i386.rpm.bin | makes the installer executable |
| ./esets.i386.rpm.bin | makes an rpm after you agree to the license terms |
| rpm -i esets-2.71.2.i386.rpm | installs the program |
| download the nod32.lic file | this is the license you need |
| cp nod32.lic /etc/esets/license/ | puts your license in the right place |
| vi /etc/esets/esets.cfg | this is the master configuration file where you have to put the username/password you got from Eset |
| /username | searches using vi and gets you near the username line |
| insert username/password | change the line that shows username="" to username="Axxxxxxxx", and do the same for the password line several lines below |
| /usr/sbin/esets_update -u username -p password --mirror-dir /var/lib/esets/mirror | updates your virus definitions / sets up your local mirror |
| /etc/init.d/esets_daemon start | starts up the system scanner |
Now the basic program is set up, and you can do a few things with it: set it up as a file scanner, an e-mail scanner and/or a gateway. First we'll start with the File Scanner module.
Run File Scanner
| Do this | What it does |
|---|---|
| /usr/sbin/esets_scan --all -l -o /whateverfolder -- -/proc -/sys & | does a manual scan of whateverfolder and writes a report to the log file for later grepping; the & on the end runs this in the background, then you can look at what's happening by running the next command |
| tail -f /var/log/esets/scan.log | lets you watch the above scan while it's taking place; at the end it will tell you if you have any viruses, which might be scrolling by fast on the screen |
| awk '/virus/ && !/OK/' /var/log/esets/scan.log \| awk '!/virus=""/' > /var/log/esets/viruses_found | searches the logfile you generated and tells you what kind of viruses it found |

update_esets.sh is a script I made that will update your esets definitions:

```sh
#!/bin/bash
/usr/sbin/esets_update -u username -p password --mirror-dir /var/lib/esets/mirror
```

Change username and password to the actual values, chmod 755 update_esets.sh and put it somewhere you can remember. To automate the update to happen nightly at 1:15 a.m., run crontab -e and add:

```
# m h dom mon dow command
15 1 * * * /whereveryouputyourscript/update_esets.sh > /dev/null
```

scan_whole_system.sh is a script I made that will scan your whole system and put the results in a logfile at /var/log/esets/scan.log; then you can automate this to happen every night if you want:

```sh
#!/bin/bash
/usr/sbin/esets_scan -l -o --all / &
```

chmod 755 scan_whole_system.sh and put it somewhere you'll remember; I use /home/myhomedirectory/scan_whole_system.sh. To automate the scan to happen nightly at 1:32 a.m., run crontab -e and add:

```
# m h dom mon dow command
32 1 * * * /whereveryouputyourscript/scan_whole_system.sh > /dev/null
```
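As an added example (this is not the page's own script, nor anything shipped by ESET), here is one cron wrapper that does the job of update_esets.sh and scan_whole_system.sh together, with the things the two bare scripts leave out: it holds a lock so two nightly scans cannot overlap, it runs the scan in the foreground so that cron sees the real exit status instead of a backgrounded job, and it pulls the infected-file lines out of scan.log with the same intent as the awk pipeline above. The esets_update and esets_scan paths and flags are the ones shown on this page; the lock directory, the ESET_USER/ESET_PASS environment variables, the reporting through logger and the assumption that scan.log lines carry a virus="..." field (as the page's awk command implies) are mine.

```sh
#!/bin/sh
# Added example, not the page's own script: nightly ESET update + scan wrapper for cron.
# Assumed: esets_update/esets_scan paths and flags as shown on the page; the lock directory,
# credential variables and logger reporting are this example's choices.

ESETS_UPDATE=${ESETS_UPDATE:-/usr/sbin/esets_update}
ESETS_SCAN=${ESETS_SCAN:-/usr/sbin/esets_scan}
MIRROR_DIR=${MIRROR_DIR:-/var/lib/esets/mirror}
SCAN_LOG=${SCAN_LOG:-/var/log/esets/scan.log}
LOCK_DIR=${LOCK_DIR:-/var/run/esets_nightly.lock}   # assumed location

# Print only scan-log lines whose virus="..." field is non-empty.  Same intent as the page's
# two-stage awk pipeline, in one pass: clean files carry virus="" and are dropped, so lines
# marked OK never match.
extract_infections() {
    awk '/virus="[^"]+"/' "$1"
}

# Number of infected-file lines in a scan log, as a bare integer.
count_infections() {
    extract_infections "$1" | wc -l | tr -d ' '
}

# mkdir is atomic, so it doubles as a lock: a second nightly run that starts while the
# previous scan is still going fails here instead of scanning the same disk twice.
acquire_lock() {
    mkdir "$1" 2>/dev/null
}

release_lock() {
    rmdir "$1" 2>/dev/null
}

# Update definitions, then scan / with /proc and /sys excluded, in the foreground so that
# cron (and the lock) see the real end of the scan.  Username/password come from the
# environment (set in the crontab or in a root-only file the crontab sources) rather than
# being pasted into the script body.
nightly_run() {
    acquire_lock "$LOCK_DIR" || { logger -t esets_nightly "previous run still active, skipping"; return 2; }
    trap 'release_lock "$LOCK_DIR"' EXIT INT TERM

    if ! "$ESETS_UPDATE" -u "$ESET_USER" -p "$ESET_PASS" --mirror-dir "$MIRROR_DIR"; then
        logger -t esets_nightly "definition update failed, scanning with current definitions"
    fi

    # Flags copied from the page's manual scan example.
    "$ESETS_SCAN" --all -l -o / -- -/proc -/sys
    rc=$?

    n=$(count_infections "$SCAN_LOG")
    if [ "$n" -gt 0 ]; then
        logger -t esets_nightly "$n infected file(s) found, see $SCAN_LOG"
        extract_infections "$SCAN_LOG" > /var/log/esets/viruses_found
        return 1
    fi
    logger -t esets_nightly "scan finished clean (esets_scan exit $rc)"
    return 0
}

# Run the nightly job only when executed under this file name, so the functions can also
# be sourced.  Crontab line: 15 1 * * * ESET_USER=... ESET_PASS=... /path/to/esets_nightly.sh
case "$0" in
    */esets_nightly.sh|esets_nightly.sh) nightly_run ;;
esac
```

Because the scan no longer runs with a trailing &, cron's own mail (or the logger lines in syslog) tells you whether the job finished, and a run that takes longer than a day simply makes the next one skip instead of piling up.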
Install File Scanner with Dazuko support
Now you want to enable it to scan for nasties in some directory, no matter what kind of file or filesystem they are on? ...Well, you have to install Dazuko first :( The good news is you should just be able to cut/paste the directions below and get it to work; if not, run away screaming :)
Compile Kernel from Sources
This is a seemingly daunting task, especially for new users, but this should help you do it on RHEL/CentOS 5; it might work on others, but be careful. If you get stuck, Google is your friend; if not, contact me and I'll help you get headed in the right direction. Essentially what you are doing is flipping an obscure switch in the guts of your kernel that will allow us to use a helper module which passes information to and from Eset 3.0, so that it can scan all different types of files and filesystems.
| Do this | What it does |
|---|---|
| open a terminal | |
| su | switch to root user; you don't have to, but, uh, it makes the rest of this work, and it's easier |
| wget http://ftp.osuosl.org/pub/centos/5.0/os/SRPMS/kernel-2.6.18-8.el5.src.rpm | gets the kernel source; you might have to go to http://ftp.osuosl.org/pub/centos/5.0/os/SRPMS/ to verify the kernel version number, they change |
| yum install yum-utils rpmdevtools redhat-rpm-config rpm-build gcc ncurses-devel | installs the tools needed to build from a source rpm |
| cd /usr/src/ | this is where we'll be doing everything |
| yum-builddep kernel-<version>.src.rpm | installs the build dependencies of the kernel rpm; just insert the correct version numbers |
| rpm -Uvh kernel-<version>.src.rpm | unpacks the source rpm into /usr/src/redhat/SOURCES/; just insert the correct version numbers |
| warning: user brewbuilder does not exist - using root | ignore this |
| warning: group brewbuilder does not exist - using root | ignore this too |
| cd /usr/src/redhat/SPECS/ | here's where you get the spec file to build stuff |
| vi kernel-2.6.spec | add something to the end of the "define version" line like wahoooo; this will help you identify it later, after you forget which kernel to pick when the computer boots |
| rpmbuild -bp --target=`uname -m` kernel-2.6.spec | runs the prep stage of the spec file: unpacks and patches the kernel source tree |
| cd /usr/src/redhat/BUILD/kernel-2.6.21/linux-2.6.21.i686/ | the version and architecture in the path will match the kernel source you installed |
| make menuconfig | this lets you choose which options you want in the kernel; in this case look under Security Options > Default Linux Capabilities and set it to <M> (it was probably set to * before), then hit Esc twice to return to the main menu, then Esc twice again, which should let you save your config |
| make | builds the new kernel with the option you just specified |
| make modules_install | installs the kernel modules you just built |
| make install | installs the new kernel and adds a bootloader entry for it |
| vi /boot/grub/menu.lst | change which kernel will boot when you restart |
| default=0 | look for that line (which shows which kernel to boot as default), which probably says 1; you should see your new kernel listed as the top entry (starting with title CentOS or similar), that's the one you want to boot |
| /sbin/shutdown -r now | reboot into your new kernel :) You should see the bootloader (GRUB) showing your new kernel with the wahooo (or whatever you named it) extension on it |
| modprobe commoncap | tells you whether dazuko will happily install; if this fails you'll have to build that module, but it's probably there already |
| cd /usr/src/ | okay, we're ready to install dazuko now |
| wget http://www.dazuko.de/files/dazuko-2.3.3.tar.gz | download the latest stable release of dazuko; they might change the version number, so check it out if you get errors |
| tar xfvz dazuko-2.3.3.tar.gz | unpacks it into the dazuko-2.3.3 folder |
| cd dazuko-2.3.3 | |
| ./configure | sets things up for your specific system |
| make | builds dazuko and makes some sample files for you to test it |
| /sbin/insmod dazuko.ko | puts the dazuko module in your kernel, whew! Now you have dazuko :)...er, not quite, now you have to make your machine boot with dazuko running |
| less /proc/devices | you should see something in there about dazuko |
| cd /usr/src/dazuko-2.3.3/example_c/ | |
| make | makes an example program in C that you can test dazuko with |
| ./example /home/whateverdirectoryyouwanttomonitor | this will start watching some directory for changes |
| open another terminal | while keeping your old one open, then navigate to whateverdirectoryyouwanttomonitor |
| touch sometestfile | creates a new empty file; you should see something in the other terminal that shows you created a new file, this is "A Good Thing" :) |
| vi /etc/init.d/esets_daemon | insert the following 2 lines right above the first line that says PATH=/usr/local...... |
| modprobe commoncap | first of the 2 lines to insert: loads the capabilities module dazuko needs |
| insmod /usr/src/dazuko-2.3.3/dazuko.ko | second of the 2 lines to insert: makes sure dazuko gets loaded while booting |
| /usr/sbin/shutdown -r now | reboot and make sure dazuko is still happily working |
| vi /etc/esets/esets.cfg | you may want to play with the settings in the File Scanner section to determine what trigger events you want to invoke the Eset scanner; those sections are commented pretty well. Don't forget to restart the program |
| /etc/init.d/esets_daemon restart | restarts the program to put your changes in effect |
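The two lines the page puts into /etc/init.d/esets_daemon run unconditionally on every start and restart, so a second insmod fails with "File exists", and a dazuko.ko left over from a previous kernel fails with "Invalid module format" and leaves esets_daemon running without on-access scanning. As an added example (not from the page, ESET or the Dazuko project), here is a small loader that makes those checks first and can replace the two bare lines. The dazuko.ko path is the page's; the /proc/devices check is the page's "less /proc/devices" step made scriptable, and comparing the module's vermagic (via modinfo -F vermagic) against the running kernel is my addition.

```sh
#!/bin/sh
# Added example, not the page's or Dazuko's code: load dazuko.ko for esets_daemon only when
# it is not already registered, and refuse a module built for a different kernel.

DAZUKO_KO=${DAZUKO_KO:-/usr/src/dazuko-2.3.3/dazuko.ko}   # path used on the page

# Succeeds when a "dazuko" device is registered.  Takes an alternative devices file so the
# check can be exercised on a constructed copy of /proc/devices.
dazuko_loaded() {
    grep -qw dazuko "${1:-/proc/devices}"
}

# Succeeds when the module's vermagic string starts with the running kernel release, which
# is the condition insmod enforces.  $2 overrides `uname -r` for testing.
module_matches_kernel() {
    ko=$1
    kver=${2:-$(uname -r)}
    vermagic=$(/sbin/modinfo -F vermagic "$ko" 2>/dev/null) || return 1
    case "$vermagic" in
        "$kver "*|"$kver") return 0 ;;
        *) return 1 ;;
    esac
}

# Idempotent loader suitable for the top of /etc/init.d/esets_daemon.
load_dazuko() {
    ko=${1:-$DAZUKO_KO}
    if dazuko_loaded; then
        return 0                          # already there, nothing to do
    fi
    if [ ! -f "$ko" ]; then
        echo "load_dazuko: $ko not found; rebuild dazuko after a kernel change" >&2
        return 1
    fi
    if ! module_matches_kernel "$ko"; then
        echo "load_dazuko: $ko was built for a different kernel than $(uname -r)" >&2
        return 1
    fi
    /sbin/modprobe commoncap || return 1
    /sbin/insmod "$ko" || return 1
    dazuko_loaded                         # confirm registration, as the page does with /proc/devices
}

# In the init script, replace the two inserted lines with:
#   . /path/to/this/file && load_dazuko || exit 1
# so esets_daemon does not start at all when on-access scanning cannot work.
```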
Gateway Scanner
Installation
- download and install the correct package
- copy the license into /etc/esets/license/
- input your username/password into /etc/esets/esets.cfg
- update the mirrors and start it:

```sh
/usr/sbin/esets_update -u username -p password --mirror-dir /var/lib/esets/mirror
/etc/init.d/esets_daemon start
ps -C esets_daemon
```

You should see it download a bunch of stuff, then start, and then you should see something like this for the last command:

```
  PID TTY          TIME CMD
 6643 ?        00:00:00 esets_daemon
 6644 ?        00:00:00 esets_daemon
```
Configuration
If you want to be notified of an infiltration event, modify /etc/esets/esets.cfg on the line:
#exec_script = yes
so that it reads exec_script = yes (remove the #). This will automatically send an e-mail to whoever root is; if you want to change that, add this line to the bottom of /etc/aliases:
root: whoever@yourdomain.com
then run
newaliases
to have it take effect. To test that your server is sending e-mail like it should, run this (sendmail -t takes the recipient and subject from the headers of the message, so they go into the text rather than on the command line):
printf 'To: whoever@wherever.com\nSubject: subject line\n\ntext of the body of the message here\n' | sendmail -t
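As an added example (not from the page or from ESET), here is the notification setup as shell functions: set_cfg_value performs the esets.cfg edits the page does in vi (the username/password lines in the Redhat install table above and exec_script = yes here) without leaving a commented-out copy of the line behind and without changing the file's owner and mode, resolve_alias shows where mail for root will actually be delivered according to /etc/aliases, and send_notification builds a message with To: and Subject: headers, which is the form sendmail -t needs. The key names and file paths come from the page; the SENDMAIL override, the one-level alias lookup and the function names are mine.

```sh
#!/bin/sh
# Added example, not the page's own: ESET notification setup as shell functions.

SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}   # override (e.g. with a stub function) to inspect the message

# set_cfg_value FILE KEY VALUE
# Rewrites the first "KEY = ..." line, whether or not it is commented out with '#', as
# "KEY = VALUE" and appends it when absent.  Writing back through cat keeps esets.cfg's
# owner and permissions (it holds the update password).  KEY is used inside a regex, so keep it plain.
set_cfg_value() {
    cfg=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        !done && $0 ~ ("^[ \t]*#?[ \t]*" key "[ \t]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END { if (!done) print key " = " val }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# resolve_alias NAME [ALIASES_FILE]
# Prints the delivery target for NAME from a sendmail-style aliases file, or NAME itself
# when no alias exists.  One level only: chained aliases and :include: lists are not followed.
resolve_alias() {
    awk -F: -v name="$1" '
        $1 == name {
            t = $2; sub(/^[ \t]+/, "", t); sub(/[ \t]+$/, "", t); print t; found = 1; exit
        }
        END { if (!found) print name }
    ' "${2:-/etc/aliases}"
}

# send_notification RECIPIENT SUBJECT   (body on stdin)
# sendmail -t takes the envelope recipient from the To: header, so the headers have to be
# part of the message; passing the address and subject as arguments does not produce a mail.
send_notification() {
    {
        printf 'To: %s\nSubject: %s\n\n' "$1" "$2"
        cat
    } | "$SENDMAIL" -t
}

# Typical use on the gateway host (commented out so this file can be sourced safely):
# set_cfg_value /etc/esets/esets.cfg exec_script yes
# set_cfg_value /etc/esets/esets.cfg username '"Axxxxxxxx"'
# printf 'root: whoever@yourdomain.com\n' >> /etc/aliases && newaliases
# printf 'esets test message\n' | send_notification "$(resolve_alias root)" "esets notification test"
```

Pass the VALUE already quoted the way the file expects it (the page shows username="Axxxxxxxx" in quotes and exec_script = yes without), since the function writes it verbatim.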
