{"id":2937,"date":"2010-04-19T03:22:18","date_gmt":"2010-04-19T07:22:18","guid":{"rendered":"http:\/\/g33kinfo.com\/info\/?p=2937"},"modified":"2010-04-19T03:22:18","modified_gmt":"2010-04-19T07:22:18","slug":"add-a-ninja-to-help-protect-your-server","status":"publish","type":"post","link":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/","title":{"rendered":"Use a ninja to help protect your server"},"content":{"rendered":"<p>From <a href=\"http:\/\/forkbomb.org\/ninja\/\" target=\"_blank\" rel=\"noopener noreferrer\">forkbomb.org\/ninja\/<\/a> and <a href=\"http:\/\/linuxpoison.blogspot.com\/2010\/04\/ninja-monitor-linux-system-for.html\" target=\"_blank\" rel=\"noopener noreferrer\">linuxpoison.blogspot.com<\/a><\/p>\n<p>DESCRIPTION<br \/>\nNinja is a privilege escalation detection  and  prevention system for GNU\/Linux hosts. While running, it will monitor process activity on the local host, and keep track of  all processes  running  as root.  If a process is spawned with UID or GID zero (root), ninja will log necessary  information  about  this process, and optionally kill the process if it was spawned by an unauthorized user.<\/p>\n<p>A &#8220;magic&#8221; group can be specified, allowing members of this group to run any setuid\/setgid root executable.<\/p>\n<p>Individual  executables  can be whitelisted.  Ninja uses a fine grained whitelist that lets you whitelist executables on  a  group  and\/or user basis. This can be used to allow specific groups or individual users access to  setuid\/setgid root programs, such as su(1) and passwd(1).<\/p>\n<p>EXTERNAL RESOURCES<br \/>\n<a href=\"http:\/\/blog.bodhizazen.net\/linux\/how-to-ninja\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to Ninja<\/a> and <a href=\"http:\/\/blog.bodhizazen.net\/linux\/how-to-ninja-ubuntu-10-04\/\" target=\"_blank\" rel=\"noopener noreferrer\">How to Ninja &#8211; Ubuntu 10.04<\/a> by bodhi.zazen<\/p>\n<p>MAN PAGE<br \/>\nRead the online man page <a href=\"http:\/\/forkbomb.org\/ninja\/ninja.8.txt\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<p>CURRENT VERSION<br \/>\n0.1.3 &#8211; <a href=\"http:\/\/forkbomb.org\/ninja\/ChangeLog\" target=\"_blank\" rel=\"noopener noreferrer\">ChangeLog<\/a><\/p>\n<p>DOWNLOAD<br \/>\n<a href=\"http:\/\/forkbomb.org\/ninja\/src\/\">Source repository<\/a><\/p>\n<p>LICENSE<br \/>\nNinja is released under the General Public License (GPL) version 2 or higher<\/p>\n<p>INSTALL:<br \/>\nDownload ninja from &#8211; here<br \/>\nUntar the source, goto the ninja directory and type following command to compile and install the ninja:<br \/>\n<code><br \/>\n    make<br \/>\n    make install<br \/>\n<\/code><br \/>\ncopy the white-list file to the \/etc\/ninja directory<br \/>\n<code><br \/>\n    cp examples\/whitelist\/simple.wlist \/etc\/ninja\/<br \/>\n<\/code><br \/>\nConfiguration:<br \/>\nAdd group &#8220;ninja&#8221; (note down the group id):<br \/>\n<code><br \/>\n    groupadd ninja<br \/>\n<\/code><br \/>\nAdd user &#8216;root&#8217; and all other required users to this group:<br \/>\n<code><br \/>\n    usermod -G ninja nikesh<br \/>\n    usermod -G ninja root<br \/>\n<\/code><br \/>\nCreate the ninja log files:<br \/>\n<code><br \/>\n    touch \/var\/log\/ninja.log<br \/>\n<\/code><br \/>\nOpen the ninja configuration file:<br \/>\n<code><br \/>\nvi \/etc\/ninja\/default.conf<br \/>\n<\/code><br \/>\nand change the following settings<br \/>\n<code><br \/>\n    group=1000<br \/>\n    daemon = yes<br \/>\n    interval = 0<br \/>\n    logfile = \/var\/log\/ninja.log<br \/>\n    whitelist = \/etc\/ninja\/simple.wlist<br \/>\n    external_command = \/root\/bin\/alert<br \/>\n<\/code><br \/>\nHere you also need to create a simple script alert (\/root\/bin\/alert) with following entries<br \/>\n<code><br \/>\n#!\/bin\/bash<br \/>\necho 'Alert - Unauthorized Access to system.' | mail -s \"'Alert - Unauthorized Access to system.\" njauhari@cybage.com<br \/>\n<\/code><br \/>\nEdit the whitelist file located under the<br \/>\n<code><br \/>\n\/etc\/ninja\/simple.wlist<\/code><\/p>\n<p>The first field is the full path to the executable you wish to white-list. The second field  is  a comma  separated  list  of  groups  that should be granted access to the executable.  The third field is a comma separated list of users.<\/p>\n<p>    <executable>:<groups>:<users> <\/p>\n<p>The second or third field can be left empty.  Please refer to the example whitlist located in &#8220;examples\/whitelist\/&#8221;.<\/p>\n<p>Remember that it is a good idea to whitelist programs such as passwd and other regular  setuid  applications  that users require access to.<\/p>\n<p>Finally start ninja using following command:<br \/>\n<code><br \/>\n    \/usr\/local\/bin\/ninja \/etc\/ninja\/default.conf<br \/>\n<\/code><\/p>\n<p>Testing Ninja:<br \/>\nCreate a test user &#8216;test&#8217;<br \/>\nLogin to the system using this test user<br \/>\nnow attempt to become &#8216;root&#8217; user by typing command &#8216;su &#8211; &#8216;<br \/>\nHere ninja will come into action and will kill the entire session and dump the information into the log<br \/>\n<\/users><\/groups><\/executable><\/p>\n","protected":false},"excerpt":{"rendered":"<p>From forkbomb.org\/ninja\/ and linuxpoison.blogspot.com DESCRIPTION Ninja is a privilege escalation detection and prevention system for GNU\/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this&#8230; <\/p>\n<div class=\"read-more navbutton\"><a href=\"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/\">Read More<i class=\"fa fa-angle-double-right\"><\/i><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-2937","post","type-post","status-publish","format-standard","hentry","category-info"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Use a ninja to help protect your server - Linux Shtuff<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Use a ninja to help protect your server - Linux Shtuff\" \/>\n<meta property=\"og:description\" content=\"From forkbomb.org\/ninja\/ and linuxpoison.blogspot.com DESCRIPTION Ninja is a privilege escalation detection and prevention system for GNU\/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this... Read More\" \/>\n<meta property=\"og:url\" content=\"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/\" \/>\n<meta property=\"og:site_name\" content=\"Linux Shtuff\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/fb.me\/g33kinf0\" \/>\n<meta property=\"article:author\" content=\"https:\/\/fb.me\/g33kinf0\" \/>\n<meta property=\"article:published_time\" content=\"2010-04-19T07:22:18+00:00\" \/>\n<meta name=\"author\" content=\"g33kadmin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@https:\/\/twitter.com\/drsinger1111\" \/>\n<meta name=\"twitter:site\" content=\"@drsinger1111\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/\"},\"author\":{\"name\":\"g33kadmin\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\"},\"headline\":\"Use a ninja to help protect your server\",\"datePublished\":\"2010-04-19T07:22:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/\"},\"wordCount\":412,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\"},\"articleSection\":[\"General Info\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/\",\"url\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/\",\"name\":\"Use a ninja to help protect your server - Linux Shtuff\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#website\"},\"datePublished\":\"2010-04-19T07:22:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/add-a-ninja-to-help-protect-your-server\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Use a ninja to help protect your server\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#website\",\"url\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/\",\"name\":\"Linux Shtuff\",\"description\":\"Because I have CRS Syndrome...\",\"publisher\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/#\\\/schema\\\/person\\\/c022e4c40b13ea1b678e6f020756f547\",\"name\":\"g33kadmin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\",\"url\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\",\"contentUrl\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\",\"width\":512,\"height\":512,\"caption\":\"g33kadmin\"},\"logo\":{\"@id\":\"https:\\\/\\\/g33kinfo.com\\\/info\\\/wp-content\\\/uploads\\\/2022\\\/07\\\/minion-researchA.gif\"},\"description\":\"I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com\\\/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....\",\"sameAs\":[\"https:\\\/\\\/thelinuxreport.com\",\"https:\\\/\\\/fb.me\\\/g33kinf0\",\"https:\\\/\\\/x.com\\\/https:\\\/\\\/twitter.com\\\/drsinger1111\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Use a ninja to help protect your server - Linux Shtuff","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/","og_locale":"en_US","og_type":"article","og_title":"Use a ninja to help protect your server - Linux Shtuff","og_description":"From forkbomb.org\/ninja\/ and linuxpoison.blogspot.com DESCRIPTION Ninja is a privilege escalation detection and prevention system for GNU\/Linux hosts. While running, it will monitor process activity on the local host, and keep track of all processes running as root. If a process is spawned with UID or GID zero (root), ninja will log necessary information about this... Read More","og_url":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/","og_site_name":"Linux Shtuff","article_publisher":"https:\/\/fb.me\/g33kinf0","article_author":"https:\/\/fb.me\/g33kinf0","article_published_time":"2010-04-19T07:22:18+00:00","author":"g33kadmin","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/drsinger1111","twitter_site":"@drsinger1111","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/#article","isPartOf":{"@id":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/"},"author":{"name":"g33kadmin","@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"headline":"Use a ninja to help protect your server","datePublished":"2010-04-19T07:22:18+00:00","mainEntityOfPage":{"@id":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/"},"wordCount":412,"commentCount":0,"publisher":{"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"articleSection":["General Info"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/","url":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/","name":"Use a ninja to help protect your server - Linux Shtuff","isPartOf":{"@id":"https:\/\/g33kinfo.com\/info\/#website"},"datePublished":"2010-04-19T07:22:18+00:00","breadcrumb":{"@id":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/g33kinfo.com\/info\/add-a-ninja-to-help-protect-your-server\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/g33kinfo.com\/info\/"},{"@type":"ListItem","position":2,"name":"Use a ninja to help protect your server"}]},{"@type":"WebSite","@id":"https:\/\/g33kinfo.com\/info\/#website","url":"https:\/\/g33kinfo.com\/info\/","name":"Linux Shtuff","description":"Because I have CRS Syndrome...","publisher":{"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/g33kinfo.com\/info\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547","name":"g33kadmin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","url":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","contentUrl":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","width":512,"height":512,"caption":"g33kadmin"},"logo":{"@id":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif"},"description":"I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com\/kb. My passion for all things tech drives my hunt for all the coolz. I often need a vacation after I get back from vacation....","sameAs":["https:\/\/thelinuxreport.com","https:\/\/fb.me\/g33kinf0","https:\/\/x.com\/https:\/\/twitter.com\/drsinger1111"]}]}},"_links":{"self":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/posts\/2937","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/comments?post=2937"}],"version-history":[{"count":0,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/posts\/2937\/revisions"}],"wp:attachment":[{"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/media?parent=2937"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/categories?post=2937"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/g33kinfo.com\/info\/wp-json\/wp\/v2\/tags?post=2937"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}