AIDE Installation
This article details the installation and initial configuration of the Advanced Intrusion Detection Environment (AIDE) on a MediaWiki server. AIDE is a host-based intrusion detection system used to monitor file integrity. This guide assumes a Debian/Ubuntu-based system, but the principles apply to other Linux distributions with minor adjustments. Please review the System Security page before proceeding.
What is AIDE?
AIDE creates a database of file attributes (hashes, permissions, timestamps, etc.) for all critical system files. Periodically, AIDE scans the system and compares the current file attributes against the database. Any discrepancies indicate a potential intrusion or unintended modification. It's a crucial component of a comprehensive Server Security strategy.
Prerequisites
Before beginning, ensure you have the following:
- Root access to the server.
- A stable internet connection.
- Basic familiarity with the Linux command line.
- A properly functioning Backup System in case of accidental database corruption.
- Understanding of File Permissions and User Management.
Installation
AIDE is typically available in your distribution's package repositories.
Debian/Ubuntu:
```bash
sudo apt update
sudo apt install aide
```
CentOS/RHEL:
```bash
sudo yum install aide
```
Initial Database Creation
After installation, you *must* create the initial database. This process can take a considerable amount of time, depending on the size of your filesystem. It's highly recommended to run this during off-peak hours.
1. Initialize the database:
```bash
sudo aide --init
```
This command scans the entire filesystem and creates a database file, typically located at `/var/lib/aide/aide.db.new.gz` (the `database_out` location from the configuration). On Debian/Ubuntu the package also ships an `aideinit` wrapper that performs this same step.
2. Review the configuration file:
The main configuration file is `/etc/aide.conf` (Debian and Ubuntu packages install it as `/etc/aide/aide.conf`, with drop-in rule files under `/etc/aide/aide.conf.d/`). This file controls which directories and files AIDE monitors, and what attributes it checks. A default configuration is provided, but you will likely need to customize it to suit your specific environment. See the section below on Configuration Customization.
3. Move the new database:
Once the initialization is complete and you've reviewed the configuration, move the new database to the final location:
```bash
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
```
Configuration Customization
The `/etc/aide.conf` file is central to AIDE's functionality. Here's a breakdown of key configuration elements:
| Parameter | Description | Example |
|---|---|---|
| `database` | Location of the database that `--check` compares against. AIDE expects a URL, hence the `file:` prefix. (AIDE 0.17 and later call this `database_in`; the old name still works with a warning.) | `database = file:/var/lib/aide/aide.db.gz` |
| `database_out` | Where `--init` and `--update` write the new database. | `database_out = file:/var/lib/aide/aide.db.new.gz` |
| `report_url` | Where the report is written; may be given more than once. | `report_url = file:/var/log/aide/aide.log` |
| `/path attributes` | A rule: a path (or regular expression) followed by the attributes to check, joined with `+`. There is no `rule` keyword. | `/etc/passwd p+i+n+u+g+s` (check permissions, inode, number of links, user, group, size) |
Important Rules to Consider:
- `/etc/passwd`: Critical system file. Monitor closely.
- `/etc/shadow`: Critical system file. Monitor closely.
- `/bin`, `/sbin`, `/usr/bin`, `/usr/sbin`: Essential system binaries.
- `/etc/httpd`, `/etc/apache2`: Web server configuration.
- `/var/www/html`: Web server document root.
- `/etc/mediawiki`: MediaWiki configuration files.
Running AIDE Checks
To perform a check, use the following command:
```bash
sudo aide --check
```
This command compares the current system state against the database and generates a report. The report will list any files that have changed. Review this report carefully. False positives can occur, but should be investigated. See Troubleshooting AIDE for common issues.
Scheduled Checks
To automate AIDE checks, you can use `cron`. Here's an example `crontab` entry to run a check daily at 3:00 AM:
```
0 3 * * * sudo aide --check
```
Put this entry in the root user's crontab (`sudo crontab -e`); run from root's crontab, the leading `sudo` is unnecessary, and an unprivileged crontab would hang on the `sudo` password prompt. Cron mails whatever the command prints, so the report reaches the address in `MAILTO`. Ensure the `aide` database is protected with appropriate File Permissions.
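A wrapper for the daily job, added here as an example and not code from the original page or the AIDE project: it keeps a timestamped copy of every report and decodes the exit status of `aide --check` (documented in aide(1) as a bitmask). The report directory and the install path are assumptions.

```shell
#!/bin/sh
# Constructed example (not the page's or AIDE's own code): a wrapper for the
# daily cron job that keeps a timestamped copy of every report and turns the
# AIDE exit status into a one-line verdict. The report directory is an
# assumption. Install it as root and call it from root's crontab with "run".
set -eu

# aide(1) returns a bitmask: 1 = new entries, 2 = removed entries,
# 4 = changed entries (7 = all three); 14 and above are errors such as
# a missing database or an invalid configuration line.
aide_verdict() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "clean"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "error (exit $status): check aide.conf and the database"
        return 2
    fi
    parts=""
    [ $((status & 1)) -ne 0 ] && parts="${parts}added,"
    [ $((status & 2)) -ne 0 ] && parts="${parts}removed,"
    [ $((status & 4)) -ne 0 ] && parts="${parts}changed,"
    echo "changes detected: ${parts%,}"
    return 1
}

run_check() {
    # $1: directory that receives one report per run
    mkdir -p "$1"
    report="$1/aide-$(date +%Y%m%d-%H%M%S).log"
    set +e
    aide --check > "$report" 2>&1
    rc=$?
    set -e
    verdict=$(aide_verdict "$rc") || true
    echo "$(date '+%F %T') aide --check: $verdict (report: $report)"
    # Never run aide --update here: a human must confirm the changes first.
    return "$rc"
}

case "${1:-}" in
    run) run_check "${AIDE_REPORT_DIR:-/var/log/aide}" ;;
esac
```

With the script installed as `/usr/local/sbin/aide-check.sh` (assumed path), the cron entry becomes `0 3 * * * /usr/local/sbin/aide-check.sh run`; a non-zero exit from the script tells cron that the run needs attention.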
Database Updates
Periodically, legitimate system updates will cause changes that AIDE flags. After such updates, regenerate the database:
```bash
sudo aide --update
```
Like `--init`, `--update` writes the new database to `/var/lib/aide/aide.db.new.gz` (the `database_out` location); once you have reviewed the report, move it over `/var/lib/aide/aide.db.gz` as in step 3 of the initial setup.
Caution: Only update the database after you’ve confirmed the changes are legitimate and authorized!
Advanced Configuration and Rules
AIDE’s power lies in its customizable rules. Each rule names a path followed by the attributes to check, joined with `+`. The following table provides examples of common attribute options:
| Option | Description | Example |
|---|---|---|
| `p` | Check permissions. | `/etc/passwd p` |
| `i` | Check inode. | `/etc/passwd i` |
| `n` | Check number of links. | `/etc/passwd n` |
| `u` | Check user ID. | `/etc/passwd u` |
| `g` | Check group ID. | `/etc/passwd g` |
| `s` | Check size. | `/etc/passwd s` |
| `m` | Check modification time. | `/etc/passwd m` |
| `c` | Check inode change time (ctime). Note that this is not a checksum option. | `/etc/passwd c` |
| `sha256` | Check the SHA-256 checksum. Other hashes (`md5`, `sha1`, `sha512`, ...) are named the same way. | `/etc/passwd sha256` |
Refer to the AIDE documentation for a complete list of options. Using regular expressions in rules can significantly increase flexibility. See Regular Expression Usage for further details.
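A worked configuration for the paths listed under Configuration Customization and the attribute options above, added here as an example and not code from the original page or the AIDE project. It writes a minimal `aide.conf` for a MediaWiki host and, when `aide` is installed, asks it to parse the file with `--config-check` (no database is touched). The MediaWiki paths under `/var/www/html` and the exclusions are assumptions.

```shell
#!/bin/sh
# Constructed example (not the page's or the AIDE project's own code): write a
# small aide.conf for a MediaWiki host and ask AIDE to parse it. The MediaWiki
# paths under /var/www/html and the exclusions are assumptions; adjust to fit.
set -eu

write_aide_conf() {
    # $1: destination path for the generated configuration
    cat > "$1" <<'EOF'
# Database to compare against and where --init/--update write the new one.
# AIDE expects URLs, hence the file: prefix. (AIDE >= 0.17 calls the first
# directive database_in; the old name still works with a warning.)
database=file:/var/lib/aide/aide.db.gz
database_out=file:/var/lib/aide/aide.db.new.gz

# Send the report both to stdout (cron mails it) and to a log file.
report_url=stdout
report_url=file:/var/log/aide/aide.log

# Attribute groups. c is ctime, not a checksum; hashes are named explicitly.
Binaries = p+i+n+u+g+s+m+c+sha256
ConfigFiles = p+i+n+u+g+s+m+c+sha256

/bin Binaries
/sbin Binaries
/usr/bin Binaries
/usr/sbin Binaries
/etc/passwd ConfigFiles
/etc/shadow ConfigFiles
/etc/apache2 ConfigFiles
/etc/mediawiki ConfigFiles
/var/www/html ConfigFiles
# Caches and upload temp dirs churn constantly: exclude them so the daily
# report stays readable (assumed MediaWiki layout).
!/var/www/html/cache
!/var/www/html/images/temp
EOF
}

AIDE_CONF="${AIDE_CONF:-$(mktemp)}"
write_aide_conf "$AIDE_CONF"

# Parse the file without touching any database (skipped when aide is absent).
if command -v aide >/dev/null 2>&1; then
    aide --config-check --config="$AIDE_CONF"
fi
```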
Reporting
AIDE can write its report to more than one destination. The `report_url` parameter in `/etc/aide.conf` controls where the report goes and may be repeated. Common values include:
- `stdout`: print the report to standard output (the default, and what cron mails to you).
- `file:/path`: write the report to a file.
- `syslog:` followed by a facility name: send the report to syslog.
How much detail the report contains is controlled by `report_level`: `summary` gives counts only, while the default lists every added, removed and changed entry together with the attributes that differ.
The reports are typically stored in `/var/log/aide`. Consider integrating AIDE reports with a Log Management System for centralized analysis.