[magicalhippo]

After my Wordpress site got hacked way back through an exploit in one of the WP files, I set up a cron job that compared the hash of the static files with expected hash, and would fire off an email if they differed.

The script lived above the web root, so they'd have to escape that to tamper with it, and was generated by another script.

Saved me a couple of times since, well worth the 15 minutes I spent on setting it up.

[michaelt]

Back in the 1990s, there was a tool called ‘tripwire’ that checked key files against expected checksums.

As I recall, they recommended putting the expected values on a floppy disk and setting the ‘write protect’ tab, so the checksums couldn’t be changed.

[FuriouslyAdrift]

tripwire was the orginal file integrity anti-virus/anti-tampering software from the security group (which turned into CERIAS) at Purdue led by Dr. Eugene "Spaff" Spafford.

https://docs.lib.purdue.edu/cstech/1084/

[nineteen999]

A different "network-aware" concept of this was "aide", that allowed the checksums to be stored on a server, for mutiple clients. [1]

Had some drawbacks compared to using offline media of course, but in day to day operation on an air-gapped network it had its uses.

Also worth knowing is the "-V" (for very parameter) of rpm.

[1] https://docs.redhat.com/en/documentation/red_hat_enterprise_...

[Bender]

For some time a number of people and companies have been using OSSEC for that job. [1] There are a couple versions of it free open source and enterprise. There are a handful of other programs that also keep an eye on checksums.

If tinkering with OSSEC one of the first steps should be to configure whitelisting for IP ranges and CIDR blocks used by your company, SNAT addresses and bastion IP's so that someone does not lock everyone out. It does a lot more than checksums.

[1] - https://www.ossec.net/

[Terr_]

Back in the 90s I fantasized about a hard drive bay with a physical write-protect switch on the cover plate.

[kqgnkqgn]

In the mid-2000's I briefly worked for a company that did this at a firmware level ("write-blocked firmware") for USB drive adapters (IDE / SATA / whatever IDE variant laptops were using / etc). This was apparently very valuable for police and investigative services, so they could collect evidence, while being able to show that they did not tamper with the original drive.

[kjs3]

Tenable makes some "read only" adapters for hard disks (SATA, PATA, SCSI & FW at least). They're usually sold as part of a forensic analysis kit. I have a couple and they definitely work. I believe there are a couple of other vendors (Wiebetech?) make similar devices.

The alternative (tho not practical in many cases) would be RO media like RW-DVD.

[DarkUranium]

You mean DVD-R? DVD-RW is rewritable, which means it's not really RO. The semi-obscure DVD-RAM takes this a step further by making it work a lot like a hard/flash drive (at the user level, not technical).

[kjs3]

I think it's clear what I meant, even with a typo.

[monocasa]

A flash drive with a port on each side (one RO and the other RW) would be neat.

[DarkUranium]

Why not a simple switch, not unlike on SD cards (but implemented on the device, not host/reader, and enforced by said device)?

Though yes, two USB ports would definitely work; it's just that the concept might be better served by providing two different connectors (e.g. USB-A & USB-C), as is common nowadays.

[daneel_w]

Related: OpenBSD does this daily as part of running security(8) and its coverage can be expanded to include pretty much anything.

https://man.openbsd.org/security

[embedding-shape]

> Saved me a couple of times since

Wait, how often does your Wordpress site get successfully hacked like that?

[magicalhippo]

Keep in mind the first time was about 20 years ago.

One time the hosting provider got compromised, FTP server exploit IIRC, they ran a recursive search and replace from root directory of the server.

[Beretta_Vexee]

It depends on how long you've been using WordPress, whether you use plugins, whether they're well-maintained or not, and so on.

Back around 2010, there were security vulnerabilities in WordPress or its popular plugins almost every month.