How to get alert when a file changes?

Hello,

Is there a way I can get an alert when a file (let's say a WP theme file) is changed or edited on my server? I can set up a script on a server running CentOS if there is a way to get email about it.

If we can track any change in a directory, that will be even better. But if I have to, I can set up a cron job for every file.

Thanks

Comments

  • Have a look at Wordfence, we use it on a few sites and it seems to be working well over the past month.

  • geekalot Member
    edited February 2015

    @Umair:

    Thanked by 1Umair
  • inotify-tools and a simple bash script would do the job nicely

    Thanked by 1Umair
  • mikho Member, Host Rep

    If this is pure WP, Wordfence is the plugin you're after

  • raindog308 Administrator, Veteran

    I use a python inotify-based library at home. It's pyinotify but I need to switch to something else as it has some implementation issues. Maybe this:

    https://pypi.python.org/pypi/python-inotify/0.6-test

    Question: can you use the kernel's inotify service on all types of VPS? OvZ?

    Thanked by 1Umair
  • socials Member
    edited February 2015

    Something I did real quick:

    #!/bin/bash
    #
    # usage:
    # checkdir.sh [directory] [rec]
    #
    # directory - specify directory (default .)
    # rec - recursive
    #

    # alert recipients, space separated
    mailto="[email protected] [email protected]"

    # directory to watch (defaults to the current directory)
    directory="${1:-.}"

    # without a second argument, only look at the top level
    rec=()
    if [[ -z $2 ]]; then
        rec=(-maxdepth 1)
    fi

    function doAlert {
        for mail in $mailto; do
            echo "$(date) - changes detected on $file" | mail -r [email protected] -s "changes detected" "$mail"
        done
    }

    declare -A checksums

    # record a baseline checksum per file; NUL-delimited so names with spaces survive
    while IFS= read -r -d '' file; do
        checksums["$file"]=$(md5sum "$file" | cut -d" " -f1)
    done < <(find "$directory" "${rec[@]}" -type f -print0)

    # re-hash every known file twice a second and alert on any difference
    while true; do
        for file in "${!checksums[@]}"; do

            checksum_a=${checksums[$file]}
            checksum_b=$(md5sum "$file" | cut -d" " -f1)

            if [[ $checksum_a != "$checksum_b" ]]; then
                doAlert
                checksums["$file"]=$checksum_b
            fi

        done
        sleep 0.5s
    done
    

    Note that
    1) this does not show the changes
    2) files added after the initial array population (when the script starts) are not checked

    Thanked by 1Umair
  • Codeguard is really nice. Every time something changes on your website it makes a backup of it and notifies you.

    Thanked by 1Umair
  • Tripwire, AFICK, too many to name

  • socials Member
    edited March 2015

    Decided to continue my little script I posted in this thread previously and I got a bit carried away.

    So, I don't know if anyone cares, since there's probably much more "professional" solutions available, but here's my take on this:

    http://git.socials.xyz/diffchecker.git/tree/master/

    Here's what it does/is/has:

    • recursively monitor all files in the specified directory
    • checks if a file changes (does a backup of the previous version)
    • checks if a file is deleted (does a backup of the file)
    • checks if a file is added
    • ability to exclude files/folders based on regex patterns
    • notifies via mail if something was added/removed/modified
    • cron friendly
    • a simple bash script
    • some bugs
    • messy code

    Edit: Oh, and this script syncs a "master" copy of the directory you want to monitor, so it will take twice as much disk space. So if you're thinking of monitoring your 500GB music collection (why would you, anyway?), don't.

    Thanked by 1Umair
  • +1 for inotify. I use it on some C-based daemons I run on VPS'.

  • howardsl2 Member
    edited March 2015

    Install inotify-tools:

    apt-get install inotify-tools

    For monitoring file changes:

    inotifywait -m --timefmt '%Y-%m-%d %H:%M:%S%z' --format '%T %w' -e modify FILE_TO_MONITOR | while read -r date time file; do
        # put here your code to run each time the file changes
        echo "$date $time modified: $file"
    done
    

    For monitoring folder changes:

    # %w is the watched folder and %f the name of the file that triggered the event
    inotifywait -m --timefmt '%Y-%m-%d %H:%M:%S%z' --format '%T %w%f' -e modify -e create -e moved_to --exclude "SOME_REGEX" FOLDER_TO_MONITOR | while read -r date time file; do
        # put here your code to run each time any file in the folder changes
        echo "$date $time changed: $file"
    done
    

    Disclaimer: For your information only, use at your own risk.

  • coolice Member
    edited March 2015

    If you do not want files to change (for example WP theme and plugins), why not make them read-only 444?

  • @coolice said:
    If you do not want files to change (for example WP theme and plugins), why not make them read-only 444?

    Because if someone can get through your FTP then 444 doesn't matter anymore.

  • This is called "File integrity monitoring" and there are several (free) products implementing this, for example AIDE, Tripwire, OSSEC...

  • @makanenzo10 said:
    Because if someone can get through your FTP then 444 doesn't matter anymore.

    I'm sure that 80+% of VPS owners here do not install an FTP/S server when they have SSH/SFTP... It's too much hassle to get something insecure when you have a default secure alternative already installed...

    And if someone gets SSH access, file change monitoring does not matter...

  • raindog308 Administrator, Veteran

    @cidero said:
    This is called "File integrity monitoring" and there are several (free) products implementing this, for example AIDE, Tripwire, OSSEC...

    There are really two different approaches mentioned here.

    One is the inotify-based approach, in which you get notifications via kernel events.

    The other is more of an audit/tripwire-esque approach, where you save hashes of files and periodically check them.

    The inotify-based approach has many uses. The tripwire-based method I've only seen used in a security context.
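
The hash-and-compare approach described in the last post, as an added example (not code from any poster in this thread): a cron-friendly check that, unlike the polling script earlier in the thread, also reports files added or removed since the baseline. The function names and the paths in the cron comment are hypothetical.

```bash
#!/bin/bash
# Added example: hash-baseline integrity check. Function names and the
# paths in the cron comment are hypothetical.

# fim_snapshot DIR: print "sha256  ./relative/path" for every file under DIR.
fim_snapshot() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum )
}

# fim_compare BASELINE CURRENT: print ADDED/MODIFIED/REMOVED lines.
# CURRENT may be "-" to read the fresh snapshot from stdin.
fim_compare() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }  # skip hash + 2-char separator
        FILENAME == ARGV[1] { old[path] = hash; next }    # first file: baseline
        !(path in old)      { print "ADDED " path; next }
        old[path] != hash   { print "MODIFIED " path }
        { seen[path] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# fim_check DIR BASELINE: first run records the baseline; later runs print
# a report and return 1 if anything differs. The baseline is never updated
# automatically, so a change keeps alerting until someone reviews it.
fim_check() {
    [ -f "$2" ] || { fim_snapshot "$1" > "$2"; return 0; }
    report=$(fim_snapshot "$1" | fim_compare "$2" -)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Cron usage (hypothetical paths and address), after sourcing this file:
#   out=$(fim_check /var/www/html/wp-content /var/lib/fim/wp.baseline) \
#       || echo "$out" | mail -s "file changes detected" admin@example.com
```

Keep the baseline outside the monitored tree and writable only by an account the web application does not run as, since anyone who can rewrite both the files and the baseline defeats the check.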
