Thursday, August 12, 2010

Linux tips and tricks

1.) To get Hardware info in GUI mode by using special package.

yum install hardinfo(system profiler and Beenchmark

2.)Non-GUI mode

dmidcoder | less

Gives you the information of whole hardware.

If you want know about hardware property

dmidcoder -t which prompts you the keyword for search

Videos tutorials

1.) How to setup load balance for apache.

http://www.youtube.com/watch?v=-WuW27hpHWc&feature=related

2.)Control and manage swap partion

http://www.youtube.com/watch?v=1q_05tD2gzY&feature=related

3.)Root password Hacking

http://www.youtube.com/watch?v=nT8X3d2nUrs&feature=related

Wednesday, August 11, 2010

MYSQL Downgrade / Upgrade

MYSQL Downgrade / Upgrade
=========================

Steps
-----

1. Check the mysql version

rpm -qa | grep -i mysql

mysql -v

2. Change the version in configuration file

Before changing th version in config file, backup the same
(cp -arp /var/cpanel/cpanel.config /var/cpanel/cpanel.config.bak)

In /var/cpanel/cpanel.config

Check for the line

mysql-version= 4.1

Change the version as you wish for upgrade or downgrade

Upgrade

mysql-version= 5.0

Downgrade

mysql-version= 4.0

Note: cPanel version 11.24.5-STABLE_38506 supports only mysql versions 4.1 and above

( How to check cPanel Version

/usr/local/cpanel/cpanel version or

vi /usr/local/cpanel/version )

3. Back up the /var/lib/mysql folder

( cp -arp /var/lib/mysql /var/lib/mysql_back )

4. Run the below script using below command

/script/mysqlup -force or
/script/mysqlup -force --password=ROOTPASSWORD

5. check the version of mysql
( rpm -qa | grep -i mysql

mysql -v)

6. /etc/init.d/mysql restart


If the mysql successfully restarts then there is no problem. But if it shows the errors

1. MySQL is not running, but lock exists
2. MySQL PID file could not be found!
3. MYSQL Cannot start because PID file not FOUND

Check the following

/etc/init.d/mysql status

"mysql is not running but lock exists "

Solved by removing the lock file:

rm /var/lock/subsys/mysql

If this happens again it may also be necessary to remove the pid file from /var/lib/mysql

Saturday, August 7, 2010

Preventing nobody spammer in PHP

PHP and Apache has a history of not being able to track which users are sending out mail through the PHP mail function from the nobody user causing leaks in formmail scripts and malicious users to spam from your server without you knowing who or where.

Watching your exim_mainlog doesn’t exactly help, you see th email going out but you can’t track from which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check out your PHP.ini file you’ll notice that your mail program is set to: /usr/sbin/sendmail and 99.99% of PHP scripts will just use the built in mail(); function for PHP – so everything will go through /usr/sbin/sendmail =)

Requirements:
We assume you’re using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we’re only tested it on a Cpanel/WHM Red Hat Enterprise system.

Time:
10 Minutes, Root access required.

Step 1)
Login to your server and su – to root.

Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop

Step 3)
Backup your original /usr/sbin/sendmail file. On systems using Exim MTA, the sendmail file is just basically a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:

#!/usr/local/bin/perl

# use strict;
use Env;
my $date = `date`;
chomp $date;
open (INFO, “>>/var/log/spam_log”) || die “Failed to open file ::$!”;
my $uid = $>;
my @info = getpwuid($uid);
if($REMOTE_ADDR) {
print INFO “$date – $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME n”;
}
else {

print INFO “$date – $PWD – @infon”;

}
my $mailprog = ‘/usr/sbin/sendmail.hidden’;
foreach (@ARGV) {
$arg=”$arg” . ” $_”;
}

open (MAIL,”|$mailprog $arg”) || die “cannot open $mailprog: $!n”;
while ( ) {
print MAIL;
}
close (INFO);
close (MAIL);

Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8) Monitor your spam_log file for spam, try using any formmail or script that uses a mail function – a message board, a contact script.
tail – f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 – /home/username/public_html/directory/subdirectory – nobody x 99 99 Nobody / /sbin/nologin

Log Rotation Details
Your spam_log file isn’t set to be rotated so it might get to be very large quickly. Keep an eye on it and consider adding it to your logrotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp — we’ll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}

Notes:
You may also want to chattr + i /usr/sbin/sendmail so it doesn’t get overwritten.

Enjoy knowing you can see nobody is actually somebody =)

Thursday, August 5, 2010

Useful links

1.) http://www.mysql-apache-php.com
2.)http://niyaas.blogspot.com
3.)http://shebangme.blogspot.com
4.)http://txt.binnyva.com
5.)http://gnufreakz.wordpress.com
6.)http://linuxserverguide.wordpress.com
7.)http://gcharriere.com/blog/?p=339 - Load balance
8.)www.howtoforge.com
9.)http://www.linuxbaby.co.cc
10.)http://www.dedicatedserverhosting.com
11.)http://www.linuxmaza.com
12.)http://scriptmantra.info
13.)http://skullboxx.net
14.)http://www.onetforum.com/fourm/viewtopic.php?p=27
15.)http://mohammednv.wordpress.com/2008/04/17/how-to-integrate-spamassassin-with-qmail/
16.)http://www.fduran.com/blog/filtering-spam-with-qmail-and-spamassassin-on-red-hat-fedora-2/
17.)http://www.onetforum.com/fourm/viewtopic.php?p=27
18.)http://www.wipl.in/articles/category/whm/
19.)http://wiki.cpaneldirect.net/wiki/index.php/Main_Page
20.)http://forums.cpanel.net/f5/problem-connecting-mysql-through-jailshell-109641.html
21.)http://articles.assistanz.com/?View=entry&EntryID=504
22.)http://www.comptechdoc.org/os/linux/usersguide/linux_ugprocesses.html
23.)http://www.linux.org/lessons/tips/cmndline.html
24.) http://marcgrabanski.com/articles/plesk-multiple-ftp-accounts-per-domain - FTP subaccount
25.)http://kmaiti.blogspot.com
26.)netstat -apn |grep :80 |awk {'print $5'} |wc -l
27.)http://tools.pingdom.com
28.)http://www.thecpaneladmin.com
29.)http://apache-monitor.com/articles/basic-apache-performance-tuning-httpd.php
30)http://supportfacility.com/blog/plesk/plesk-paths-on-a-linux-dedicated-server/
31.)http://www.howtoforge.org/set-up-dkim-for-multiple-domains-on-postfix-with-dkim-milter-2.8.x-centos-5.3

32.) http://www.thegeekstuff.com/2011/01/tput-command-examples/ - apache optimization steps

33.)http://linuxhostingsupport.net
34.)http://kmaiti.blogspot.com/
35.)http://www.xpcdesign.com/2010/03/plesk-commands-and-paths/
36.)http://www.linuxbabu.net/category/plesk/

Server security links
======================

http://abinz.wordpress.com/security-installations/
http://abinz.wordpress.com/security-installtion-phase-2/
http://abinz.wordpress.com/security-installation-phase3/
http://abinz.wordpress.com/securing-your-server/
http://abinz.wordpress.com/common-cpanel-issues/

http://sythril.com/showthread.php?t=9403 - VNC installation steps

http://www.eukhost.com/forums/f15/enable-php-mssql-extension-whm-cpanel-linux-server-10699/ ---mssql module installation

http://adminsdiary.com/linux/enable-php-mssql-extension-on-cpanel-linux-server - mssql moduler installation steps

Linux server secure steps

How to Secure Linux Servers
Basic Linux Server Security

Install Firewall (APF or CSF Firewall with BFD)
ModSecurity (Web application firewall)
ModEvasive (Prevent DDOS attacks)
Harden SSH server
Fix Open DNS Recursion
Install RKhunter
Install ClamAV (Antivirus)
XInet Servers Hardening (Disable Telnet/Finger or unwanted services)
Securing PHP
PortsEntry (tool to detect portscans)
Harden host.conf (against IP spoofing)
Check User Uploaded files
Secure /tmp Folders (noexec, nosuid)



This tutorial guide covers only basic linux server security tips intended for linux learners. I am writing this guide assuming that you are running Centos 5 or later versions.
Install Firewall

The very first first step on securing a server is installing a firewall (atleast IP tables based) to close all unused or unwanted ports. Once the firewall is installed it is often considered 50% of work done. You can install CSF firewall or APF firewall. Often BFD (brute force detection) utilities comes with firewall.

We will install CSF (Config security firewall) as it is easy to install with plenty of features and easily integrated to CPanel (if you are running)

wget http://www.configserver.com/free/csf.tgz
tar zxf csf.tar.gz
sh /csf/install.sh

Follow the installer and once installed, you can start the firewall.

csf -s
// start the firewall
csf -r
// restart the firewall
csf -f
// flush the rules or stop the firewall.

You can see the full installing tutorial here
Harden SSH server

Very often you will see SSH attacks from various bots trying to get access to your server by connected to port 22 with unlimited number of login attempts to break in to your system. Imagine attacks coming from different IPs can put lot of load in you server. You can trace those failed attempts by checking your log file

cat /var/log/secure
cat /var/log/messages

To harden your SSH server,

* Run SSH on other port rather than default port 22
* Disable Root login
* Use only protocol 2
* Enable Public key authentication.

You can see the full SSH hardening tutorial here
Disable Telnet & Other Unused Services

You may want to disable services like telnet, finger and other unwanted services running on your server with xinet.

nano /etc/xinetd.d/telnet
// OR
nano /etc/xinetd.d/krb5-telnet

look for lines disable=no and change to disable=yes

chkconfig telnet off
Hardening PHP for Security

PHP is the most popular scripting language for apache and mysql. You will need to disable system level functions in the php configuration file.

nano /usr/local/lib/php.ini

Look for the lines and make sure you have the lines as below..

disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On

It is best to keep magic_quotes to on as otherwise you forms using POST may be used for SQL injection attacks.
Disable Open DNS Recursion (DNS Server)

If you are running bind DNS server, then you might want to check your dns server statistics with dnstools.com. You dont want to allow recursive lookups to performed on your server other than local IP. It can also slowdown your server.

nano /etc/named.conf

Under Options { place a line

Options {
recursion no;
.....

Then restart the bind

service named restart

You will also need to restrict zone transfers and notifications if you are running Bind 9. Refer to: dns server hardening
Install Mod_Security

ModSecurity is a free open source web application firewall which can help you to guard against LFI (local file inclusion attacks) and SQL injection vulnerabilities.

CPanel Installation:

Just go to Cpanel WHM > Plugins > Enable Mod_Security > Save

Source Installation:

That should install mod security in your cpanel. Under apache it should show under installed modules if you run test.php with phpinfo() in it. Try adding some mod security rules. Installing mod_security could be sometimes complicated. Dont use apxs for compiling mod_security as it causes number of problems.

Note: Mod_security needs libxml2 and http-devel libraries before it can be installed. It also requires mod_unique_id enabled in apache modules. To install mod_unique_id, you have to place

LoadModule unique_id_module modules/mod_unique_id.so

in your httpd.conf file.

yum install libxml2 libxml2-devel httpd-devel

Download the latest version of mod_security for apache2 from http://www.modsecurity.org

wget http://www.modsecurity.org/download/modsecurity-apache_2.1.7.tar.gz
tar zxf modsecurity-apache_2.5.4.tar.gz
cd modsecurity-apache_2.5.4
cd apache2

Then

If you cannot find ./configure then you will need to edit Makefile and make change to top_dir = /usr/lib/httpd (for centos)

make
make install

Next, copy the rule files depending on which you want (you can also select minimal rules file which comes with source). Make a directory named modsecurity under /etc/httpd/conf and copy all the modsecurity rules there. Finally include those files in the httpd.conf file

# /etc/httpd/conf/httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf

Then

/etc/init.d/httpd restart

Log Files

Watch for log files to detect any errors or intrusion activity

/var/log/httpd/modsec_audit
/var/log/httpd/error_log

If you get any errors, i have compiled a list of errors while compiling. see here
Install Mod_Evasive

ModEvasive module for apache offers protection against DDOS (denial of service attacks) in your server.

wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar zxf mode_evasive-1.10.1.tar.gz
cd mod_evasive

then run the following command for apache2...

> /usr/sbin/apxs -cia mod_evasive20.c

Once mod evasive is installed, place the following lines in your /etc/httpd/conf/httpd.conf


DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10


Follow the instructions in the README for more tuning of mod_evasive. This will compile, install and activate the module in your server.
Install RkHunter (Rootkit)

RkHunter is a rootkit scanner scans for vulnerabilities, insecure files, backdoors in your system and reports it so that you can further harden the server. Installing RkHunter is very easy!

yum install rkhunter

To run checks in your system

rkhunter --checkall
OR
rkhunter -c

You can find what command options are available under rkhunter by issuing this help command

> rkhunter --help
Install PortsEntry

Portsentry is a tool to detect port scans and log it. Download the sorce package of portsentry from sourceforge.net

wget http://path/to/portsentry-1.2.tar.gz
tar zxf portsentry-1.2.tar.gz
make linux
make install

If you get errors like while compiling

make linux
SYSTYPE=linux
Making
gcc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function 'PortSentryModeTCP':
./portsentry.c:1187: warning: pointer targets in passing argument 3 of 'accept' differ in signedness
./portsentry.c: In function 'PortSentryModeUDP':
./portsentry.c:1384: warning: pointer targets in passing argument 6 of 'recvfrom' diffe r in signedness
./portsentry.c: In function 'Usage':
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: 'sourceforget' undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ')' before 'dot'
./portsentry.c:1585: error: stray '\' in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ';' before '}' token
make: *** [linux] Error 1

To fix:

Open portsentry.c and look for the following line. There will be a extra carriage return breaking the line and you have to delete the carriage return and make single line. It should look like below.

printf ("Copyright 1997-2003 Craig H. Rowland \n");

Then run make and make install. That should fix it!

To launch portsentry

/usr/local/psionic/portsentry/portsentry -stcp
/usr/local/psionic/portsentry/portsentry -sudp

check the log files /var/log/secure on what portsentry is active or not.
Prevent IP Spoofing

IP spoofing is a security exploit and can be prevented from placing nospoof on in host.conf file. Edit the host.conf file and place the following lines. If you run dns bind, give it preference.

order bind,hosts
nospoof on
Install ClamAV

Antivirus protection is the last thing you need for your security to protect against worms and trojans invading your mailbox and files! Just install clamav (a free open source antivirus software for linux). More information can be found on clamav website

yum install clamav

Once you have installed clamav in your centos…here are some of the basic commands using the software..

1. To update the antivirus database

> freshclam

2. To run antivirus

clamav -r /home

3. Running as Cron Daily Job

To run antivirus as a cron job (automatically scan daily) just run crontab -e from your command line. Then add the following line and save the file.

02 1 * * * root clamscan -R /var/www

This will run the cron job daily @ 1.02 AM by scanning the public html. You can change the folder to whatever you want for mail etc.

Thats it! Always keep an eye for log files for any attacks or error messages!

You can also post comments in my blog

Back to home

Tuesday, August 3, 2010

HTTPD

ipcs -s | grep apache | perl -e 'while () { @a=split(/\s+/); print `ipcrm sem $a[1]`}'
ipcs -s | grep apache | perl -e
ipcs -s | grep apache

ipcrm -s 16449538 16482307 16678916

netstat -lnp | grep '0.0.0.0:80'

fuser -v /usr/bin/perl

netstat -tn | grep :80