You will see one of the basics of security for managing your web applications . The monitoring of changes to your files . Indeed if you have a site in production the modifications of the source files will be few. And if there is, it will be easy for you to distinguish between your work and a plugin update that you have carried out. You will see how in 5 minutes to set up this monitoring . You will have basic surveillance, but oh how effective.

What do you need ?

I reassure you right away no need to know how to program , or spend hours on your terminal. You are going to need an SSH client ( putty on Windows), an e-mail box to receive alerts and that’s it!

Yes, because this method is native to linux distributions so you will not need to install any additional library.

What will surveillance be set up with?

Before giving you the lines to copy / paste I will explain what you are going to do. On your server you will create a bash script (which is simply a file with the extension .sh). The script will contain the linux command which will be used to list the modified files.

Once the file is in place, all you have to do is add a rule to your server for the script to be launched periodically.

Ultra simple version of the script

To organize yourself a bit, I advise you to create a “scripts” directory at the root of root:

mkdir /root/scripts

In this directory we will create our files which will be a bash script and a txt file. The txt file will be used for sending by e-mail. First, let’s create our txt file:

touch /root/scripts/liste-fichiers-modifies.txt

Here we are done then create our script to be able to modify it and insert the necessary commands:

nano /root/scripts/monitoring_www.sh

The nano editor will open if you are used to using another, it does not matter. You will therefore be able to copy the following lines into the file and save it, I will explain it right after their meanings:

#!/bin/bash
 #
 echo -e "--------------------------------------- -------------------
 PHP, HTML & JS
 v 2.0 file monitoring program
 contact: https://www.kanjian.fr
 -------- -------------------------------------------------- "
Subject = "[SRV-001] File monitoring report: php, html, js, conf, htaccess"
find /var/www/ -name -ls -o -regex '. *. (php | htaccess | conf | html | js). *' -mtime 0 | xargs ls -lah> modified-files-list.txt
mail -s "$ Subject" "[email protected]" <modified-files-list.txt

Explanation of the main lines:

#!/bin/bash:
This line is used by the server to find out which language is used in the script, more precisely which shell it will use. I invite you to read the Wikipedia page on linux shells .

Subject = “[SRV-001] File monitoring report: php, html, js, conf, htaccess”:
This line defines the subject of the email which will be sent as a report at the end of the script.

find /var/www/ -name -ls -o -regex ‘. *. (php | htaccess | conf | html | js). *’ -mtime 0 | xargs ls -lah> list-files-modified.txt:
This penultimate line is the most complex. The find command will fetch all the files found in the “/var/www/” directory as well as these subdirectories. The “-regex” option of the command will specify that we only want files that include in their names one of the following elements:

  • .htaccess
  • .php
  • .conf
  • .html
  • js

We then specify with the option “-mtime 0” that we want the files whose modification dates back at the latest 24 hours ago . The option “-name” requests the search on the name of the files, “-ls” to escape certain annoying characters like spaces.

Find will display a list of modified files , if it finds any, but we need to return this list to our text file. Anything returned by the find command will be sent to “xargs” via the “|”. Xargs will execute the command “ls -lah” for each given file and return the display of “ls” to our text file.

mail -s “$ Subject” “[email protected]” <modified-files-list.txt:
And this last one will send an e-mail to [email protected] with as subject what we have defined more top and for content that of our text file.

Do not forget to make the script executable via the command: 

chmod + x /root/scripts/monitoring_www.sh

You can now test it by running it with the command: 

sh /root/scripts/monitoring_www.sh

For further :

What I advise you if you have cache systems on your sites is to exclude them from the find search. To do this, you must add exclusion paths, here is an example:

! -path "* /wp-content/cache/wp-rocket/ *"

This addition will ask not to list the files whose path contains “/ wp-content / cache / wp-rocket /”, and this regardless of the site in question. Which gives the modified command:

find /var/www/ -name -ls -o -regex '. *. (php | htaccess | conf | html | js). *' ! -path "* / wp-content / cache / wp-rocket / *" -mtime 0 | xargs ls -lah> modified-files-list.txt

You can of course add as many as you want. I often have 5 or 6 moreover depending on the servers.

Here is an example what you will receive by email:

-rw-r - r-- 1 user group 1177 Dec 21 09:52 /var/www/wp-content/plugins/wordpress-seo/admin/import/class-import-wpseo-hooks.php 
-rw-r - r-- 1 user group 38 Dec 21 09:52 /var/www/wp-content/plugins/wordpress-seo/admin/index.php 
-rw-r - r-- 1 user group 1544 Dec 21 09:52 /var/www/wp-content/plugins/wordpress-seo/admin/metabox/class-metabox-add-keyword-tab.php 
-rw-r - r-- 1 user group 903 Dec 21 09:52 /var/www/wp-content/plugins/wordpress-seo/admin/metabox/class-metabox-addon-section.php 

Planning the script launch 

You no longer have to plan the launch of the script via crontab . The idea is to launch it regularly, but be careful depending on the size of your server and the sites installed it may require some server resources . An execution every 2/3 hours seems to me a good compromise and do not hesitate to put much less if you have a sensitive application.

Besides, if this is the case, it is better to have a script dedicated to monitoring this sensitive application . You can resume the script above with a modification on the find path.

Here is what you need to add in your crontab so that the script launches every 2 hours: 

0 * / 2 * * * sh /root/scripts/monitoring_www.sh> / dev / null 2> & 1 

Conclusion

Now you will be notified by e-mail of the file modification on your server. For the record, this piece of code that I use on some of my servers has saved me a number of times . It will allow you, like me, to detect the beginning of an attack and to react quickly to stem it.