After you've secured your server with routine tasks like changing your SSH port and setting firewall rules, you're mostly safe. Still, there is a chance that an attacker gains access to your server. When this happens, your next line of defense is knowing when files on your server are modified. With AIDE, you're notified when monitored files on your server change.
This article will teach you how to install AIDE to better protect your server on CentOS 6.
Installing the software is quite simple. Just run the following command as the root user:
yum install -y aide
That's all you need to do for installation.
This is the harder part. For AIDE to work, we need to build a database of the folders and files we want to be notified about. We will use the AIDE defaults; setting up monitoring for specific folders or files is outside the scope of this tutorial. Refer to the AIDE documentation if you need that type of configuration.
First, we need to initialize AIDE. Run the following command as root:
That will create the database for the first time. Then, run these commands as root:
cd /var/lib/aide
mv aide.db.new.gz aide.db.gz
Unfortunately, this step is required as AIDE will not work without it.
We need to have AIDE inspect our files for the first time as well, so execute these commands as root:
aide --check
aide --update
Go back to the /var/lib/aide directory, and you should find another new database. Remove the first one (the one without "new" in its file name) by running:
Move over the new database:
mv aide.db.new.gz aide.db.gz
Since the default configuration already fits most of our files, we should be fine using it. All that's left is to have AIDE send you an email if there are any unauthorized changes. For this article, we'll be using nano as our text editor.
Find the section with MAILTO=root and change root to your email address. Then, run:
Add this to the file:
0 1 * * * /usr/sbin/aide --check
This cron entry makes AIDE run its check at 01:00 every day and send you an email if it detects that a file has been modified.
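The cron entry above mails whatever the check prints. A small wrapper around the same aide --check call, added here as an example (not part of the original article), can instead decide from AIDE's exit status whether the report is worth a mail: AIDE adds 1 for new files, 2 for removed files and 4 for changed files, and uses 14 or higher for errors. The log path, the script path and the mail(1) command are assumptions.

```shell
#!/bin/sh
# Cron wrapper for "aide --check" (added example, not from the article).
# AIDE's exit status encodes its findings: 1 = new files, 2 = removed files,
# 4 = changed files (added together); 14 and above means an error, not a
# finding. The wrapper mails the report only when there is something to act
# on, so a daily "all files match" message does not train you to ignore it.

AIDE_BIN=/usr/sbin/aide
REPORT_TO="root"                # replace with your address, as in MAILTO
LOG=/var/log/aide-check.log     # assumed log path, create it as root

# Turn an AIDE exit status into a short summary line ("clean", "error (...)"
# or the finding types). Returns 1 when a human should look at the report.
aide_status_summary() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "clean"
        return 0
    elif [ "$code" -ge 14 ]; then
        echo "error (exit $code)"
        return 1
    fi
    out=""
    [ $((code & 1)) -ne 0 ] && out="${out}added "
    [ $((code & 2)) -ne 0 ] && out="${out}removed "
    [ $((code & 4)) -ne 0 ] && out="${out}changed "
    echo "${out% }"
    return 1
}

# Run the check, keep the full report, log one line, and mail the report
# only on findings or errors. Nothing is printed, so cron itself stays quiet.
run_aide_check() {
    report=$(mktemp) || return 1
    "$AIDE_BIN" --check >"$report" 2>&1
    rc=$?
    summary=$(aide_status_summary "$rc")
    echo "$(date '+%F %T') aide --check: $summary" >>"$LOG"
    if [ "$rc" -ne 0 ]; then
        mail -s "AIDE on $(hostname): $summary" "$REPORT_TO" <"$report"
    fi
    rm -f "$report"
    return "$rc"
}

# Only run the real check where AIDE is actually installed.
if command -v "$AIDE_BIN" >/dev/null 2>&1; then
    run_aide_check
fi
```

Save it as, for example, /usr/local/sbin/aide-check.sh (an assumed path), make it executable, and point the crontab line at it instead of at /usr/sbin/aide directly.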
This covers most cases; however, you must update the database every time you modify system files or anything in your web directory, otherwise your own changes will show up as alerts. If an attacker places malware on your system, AIDE will tell you where it is, and you'll be able to disinfect your system.