1.) To get hardware info in GUI mode, use a dedicated package:
yum install hardinfo (system profiler and benchmark)
2.) Non-GUI mode
dmidecode | less
Gives you the information on the whole hardware.
If you want to know about a particular hardware property:
dmidecode -t which prompts you with the keywords available for searching
Thursday, August 12, 2010
Videos tutorials
1.) How to set up load balancing for Apache.
http://www.youtube.com/watch?v=-WuW27hpHWc&feature=related
2.) Control and manage swap partitions
http://www.youtube.com/watch?v=1q_05tD2gzY&feature=related
3.)Root password Hacking
http://www.youtube.com/watch?v=nT8X3d2nUrs&feature=related
Wednesday, August 11, 2010
MYSQL Downgrade / Upgrade
=========================
Steps
-----
1. Check the MySQL version
rpm -qa | grep -i mysql
mysql -V
2. Change the version in the configuration file
Before changing the version in the config file, back it up:
(cp -arp /var/cpanel/cpanel.config /var/cpanel/cpanel.config.bak)
In /var/cpanel/cpanel.config
Check for the line
mysql-version= 4.1
Change the version as you wish for upgrade or downgrade
Upgrade
mysql-version= 5.0
Downgrade
mysql-version= 4.0
Note: cPanel version 11.24.5-STABLE_38506 supports only mysql versions 4.1 and above
( How to check cPanel Version
/usr/local/cpanel/cpanel version or
vi /usr/local/cpanel/version )
3. Back up the /var/lib/mysql folder
( cp -arp /var/lib/mysql /var/lib/mysql_back )
4. Run the upgrade script with one of the following commands
/script/mysqlup -force or
/script/mysqlup -force --password=ROOTPASSWORD
5. Check the version of MySQL again
( rpm -qa | grep -i mysql
mysql -V )
6. /etc/init.d/mysql restart
If MySQL restarts successfully then there is no problem. But if it shows errors such as
1. MySQL is not running, but lock exists
2. MySQL PID file could not be found!
3. MYSQL Cannot start because PID file not FOUND
check the following:
/etc/init.d/mysql status
"mysql is not running but lock exists "
This is solved by removing the lock file:
rm /var/lock/subsys/mysql
If this happens again it may also be necessary to remove the PID file from /var/lib/mysql
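As an added example (not part of the original post), a small shell check that tells you whether the lock file is actually stale before you delete it: it reads the PID file, asks the kernel whether that PID is still alive, and only then reports the lock as safe to remove. The lock and PID file paths are parameters; the temporary files in the demo are constructed, and on a real server you would point it at /var/lock/subsys/mysql and the .pid file under /var/lib/mysql.

```shell
# Added example (not from the original post): tell a stale MySQL lock apart from
# a live one before deleting anything. The lock and PID file paths are parameters;
# on a real server they would be /var/lock/subsys/mysql and the .pid file under
# /var/lib/mysql. The files used in the demo below are constructed temp files.

# mysql_lock_state LOCK PIDFILE: print a verdict and return
#   0 = consistent (no lock at all, or lock held by a running PID)
#   1 = stale (lock present, but PID file missing/empty or its PID not running)
# Run as root, as the procedure above does: kill -0 on another user's process
# would otherwise fail with EPERM and be misreported as "not running".
mysql_lock_state() {
    lock="$1"
    pidfile="$2"
    if [ ! -e "$lock" ]; then
        echo "no lock file at $lock: nothing to clean up"
        return 0
    fi
    if [ ! -s "$pidfile" ]; then
        echo "STALE: lock $lock exists but PID file $pidfile is missing or empty"
        return 1
    fi
    # keep only digits so a trailing newline or stray text cannot confuse kill
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "OK: lock $lock is held by running process $pid"
        return 0
    fi
    echo "STALE: lock $lock exists but PID '$pid' from $pidfile is not running"
    return 1
}

# Stand-alone demo with constructed files: this shell's own PID stands in for a
# live mysqld, and 99999999 (above any Linux pid_max) for a dead one.
DEMO=$(mktemp -d)
touch "$DEMO/mysql.lock"
echo "$$" > "$DEMO/alive.pid"
echo 99999999 > "$DEMO/dead.pid"
mysql_lock_state "$DEMO/mysql.lock" "$DEMO/alive.pid"   || true
mysql_lock_state "$DEMO/mysql.lock" "$DEMO/dead.pid"    || true
mysql_lock_state "$DEMO/mysql.lock" "$DEMO/missing.pid" || true
rm -rf "$DEMO"
```

Only a STALE verdict justifies the rm above; an OK verdict means a mysqld is still up and the init script's complaint has another cause.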
Saturday, August 7, 2010
Preventing nobody spammer in PHP
PHP and Apache have a history of not being able to track which users are sending out mail through the PHP mail() function as the nobody user, so leaky formmail scripts and malicious users can spam from your server without you knowing who or where it came from.
Watching your exim_mainlog doesn't exactly help: you see the email going out but you can't track which user or script is sending it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.
If you check your php.ini file you'll notice that your mail program is set to /usr/sbin/sendmail, and 99.99% of PHP scripts just use the built-in mail() function, so everything goes through /usr/sbin/sendmail =)
Requirements:
We assume you're using Apache 1.3x, PHP 4.3x and Exim. This may work on other systems but we've only tested it on a cPanel/WHM Red Hat Enterprise system.
Time:
10 Minutes, Root access required.
Step 1)
Log in to your server and su - to root.
Step 2)
Turn off exim while we do this so it doesn’t freak out.
/etc/init.d/exim stop
Step 3)
Back up your original /usr/sbin/sendmail file. On systems using the Exim MTA, the sendmail file is basically just a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden
Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail
Paste in the following:
#!/usr/local/bin/perl
# Wrapper that replaces /usr/sbin/sendmail: logs who invoked it, then hands the
# message and all original arguments to the real binary (renamed to sendmail.hidden).
use strict;
use warnings;
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/spam_log") || die "Failed to open file ::$!";
# effective UID of the caller, resolved to its passwd entry (name, uid, gid, home, shell ...)
my $uid = $>;
my @info = getpwuid($uid);
if ($REMOTE_ADDR) {
    # called from a web request: record client IP, script and virtual host
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
}
else {
    # called from a shell or cron: record the working directory and the passwd entry
    print INFO "$date - $PWD - @info\n";
}
# pass everything through to the real sendmail
my $mailprog = '/usr/sbin/sendmail.hidden';
my $arg = '';
foreach (@ARGV) {
    $arg = "$arg" . " $_";
}
open (MAIL, "|$mailprog $arg") || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print MAIL;
}
close (INFO);
close (MAIL);
Step 5)
Change the new sendmail permissions
chmod +x /usr/sbin/sendmail
Step 6)
Create a new log file to keep a history of all mail going out of the server using web scripts
touch /var/log/spam_log
chmod 0777 /var/log/spam_log
Step 7)
Start Exim up again.
/etc/init.d/exim start
Step 8) Monitor your spam_log file for spam; try using any formmail or script that uses a mail function (a message board, a contact script).
tail -f /var/log/spam_log
Sample Log Output
Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin
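As an added example, not from the original post, here is a shell summary script for the spam_log the wrapper above writes. It counts sends per script (for web requests) or per working directory (for shell and cron callers) so the noisiest source stands out. The log lines embedded in it are constructed to match the wrapper's two output formats; the IPs, hostnames and paths are placeholders.

```shell
# Added example (not from the original post): summarise the spam_log written by
# the sendmail wrapper above. The log lines below are constructed to match the
# wrapper's two formats; IPs, hosts and paths are placeholders.
SAMPLE_LOG='Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:12:25 EDT 2005 - 203.0.113.5 ran /contact.php at example.com
Mon Apr 11 07:12:26 EDT 2005 - 203.0.113.5 ran /contact.php at example.com
Mon Apr 11 07:12:40 EDT 2005 - 198.51.100.9 ran /board/post.php at example.org
Mon Apr 11 07:13:02 EDT 2005 - /home/username/public_html/directory/subdirectory - nobody x 99 99 Nobody / /sbin/nologin
Mon Apr 11 07:13:10 EDT 2005 - /home/otheruser/public_html - nobody x 99 99 Nobody / /sbin/nologin'

# spam_log_summary FILE: print "count<TAB>source", busiest source first.
# A source is "script at host" for web requests, or the working directory for
# shell/cron callers (the passwd entry after the second " - " is dropped).
spam_log_summary() {
    awk -F' - ' '
        NF >= 2 {
            if ($2 ~ / ran /) {          # web request line
                split($2, parts, " ran ")
                src = parts[2]
            } else {                     # shell/cron line
                src = $2
            }
            count[src]++
        }
        END { for (s in count) printf "%d\t%s\n", count[s], s }
    ' "$1" | sort -rn
}

# count_for_source FILE SOURCE: number of sends logged for one exact source (0 if none)
count_for_source() {
    spam_log_summary "$1" | awk -F'\t' -v want="$2" '
        $2 == want { print $1; found = 1 }
        END { if (!found) print 0 }
    '
}

# Stand-alone run over the constructed sample
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"
spam_log_summary "$SAMPLE_FILE"
rm -f "$SAMPLE_FILE"
```

Run it against the real file with `spam_log_summary /var/log/spam_log`; a single script or directory with a count far above the rest is the one to look at first.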
Log Rotation Details
Your spam_log file isn't set to be rotated, so it might get very large quickly. Keep an eye on it and consider adding it to your log rotation.
pico /etc/logrotate.conf
FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
ADD BELOW:
# SPAM LOG rotation
/var/log/spam_log {
monthly
create 0777 root root
rotate 1
}
Notes:
You may also want to chattr +i /usr/sbin/sendmail so it doesn't get overwritten.
Enjoy knowing you can see that nobody is actually somebody =)
Thursday, August 5, 2010
Useful links
1.) http://www.mysql-apache-php.com
2.)http://niyaas.blogspot.com
3.)http://shebangme.blogspot.com
4.)http://txt.binnyva.com
5.)http://gnufreakz.wordpress.com
6.)http://linuxserverguide.wordpress.com
7.)http://gcharriere.com/blog/?p=339 - Load balance
8.)www.howtoforge.com
9.)http://www.linuxbaby.co.cc
10.)http://www.dedicatedserverhosting.com
11.)http://www.linuxmaza.com
12.)http://scriptmantra.info
13.)http://skullboxx.net
14.)http://www.onetforum.com/fourm/viewtopic.php?p=27
15.)http://mohammednv.wordpress.com/2008/04/17/how-to-integrate-spamassassin-with-qmail/
16.)http://www.fduran.com/blog/filtering-spam-with-qmail-and-spamassassin-on-red-hat-fedora-2/
17.)http://www.onetforum.com/fourm/viewtopic.php?p=27
18.)http://www.wipl.in/articles/category/whm/
19.)http://wiki.cpaneldirect.net/wiki/index.php/Main_Page
20.)http://forums.cpanel.net/f5/problem-connecting-mysql-through-jailshell-109641.html
21.)http://articles.assistanz.com/?View=entry&EntryID=504
22.)http://www.comptechdoc.org/os/linux/usersguide/linux_ugprocesses.html
23.)http://www.linux.org/lessons/tips/cmndline.html
24.) http://marcgrabanski.com/articles/plesk-multiple-ftp-accounts-per-domain - FTP subaccount
25.)http://kmaiti.blogspot.com
26.)netstat -apn |grep :80 |awk {'print $5'} |wc -l
27.)http://tools.pingdom.com
28.)http://www.thecpaneladmin.com
29.)http://apache-monitor.com/articles/basic-apache-performance-tuning-httpd.php
30)http://supportfacility.com/blog/plesk/plesk-paths-on-a-linux-dedicated-server/
31.)http://www.howtoforge.org/set-up-dkim-for-multiple-domains-on-postfix-with-dkim-milter-2.8.x-centos-5.3
32.) http://www.thegeekstuff.com/2011/01/tput-command-examples/ - apache optimization steps
33.)http://linuxhostingsupport.net
34.)http://kmaiti.blogspot.com/
35.)http://www.xpcdesign.com/2010/03/plesk-commands-and-paths/
36.)http://www.linuxbabu.net/category/plesk/
Server security links
======================
http://abinz.wordpress.com/security-installations/
http://abinz.wordpress.com/security-installtion-phase-2/
http://abinz.wordpress.com/security-installation-phase3/
http://abinz.wordpress.com/securing-your-server/
http://abinz.wordpress.com/common-cpanel-issues/
http://sythril.com/showthread.php?t=9403 - VNC installation steps
http://www.eukhost.com/forums/f15/enable-php-mssql-extension-whm-cpanel-linux-server-10699/ - MSSQL module installation
http://adminsdiary.com/linux/enable-php-mssql-extension-on-cpanel-linux-server - MSSQL module installation steps
Linux server secure steps
How to Secure Linux Servers
Basic Linux Server Security
Install Firewall (APF or CSF Firewall with BFD)
ModSecurity (Web application firewall)
ModEvasive (Prevent DDOS attacks)
Harden SSH server
Fix Open DNS Recursion
Install RKhunter
Install ClamAV (Antivirus)
XInet Servers Hardening (Disable Telnet/Finger or unwanted services)
Securing PHP
PortsEntry (tool to detect portscans)
Harden host.conf (against IP spoofing)
Check User Uploaded files
Secure /tmp Folders (noexec, nosuid)
This tutorial guide covers only basic Linux server security tips intended for Linux learners. I am writing this guide assuming that you are running CentOS 5 or a later version.
Install Firewall
The very first step in securing a server is installing a firewall (at least an iptables-based one) to close all unused or unwanted ports. Once the firewall is installed it is often considered 50% of the work done. You can install the CSF firewall or the APF firewall. BFD (brute force detection) utilities often come with the firewall.
We will install CSF (ConfigServer Security & Firewall) as it is easy to install, has plenty of features and integrates easily with cPanel (if you are running it).
wget http://www.configserver.com/free/csf.tgz
tar zxf csf.tgz
sh csf/install.sh
Follow the installer and once installed, you can start the firewall.
csf -s
// start the firewall
csf -r
// restart the firewall
csf -f
// flush the rules or stop the firewall.
You can see the full installing tutorial here
Harden SSH server
Very often you will see SSH attacks from various bots trying to get access to your server by connecting to port 22 with an unlimited number of login attempts. Attacks coming from many different IPs can put a lot of load on your server. You can trace those failed attempts by checking your log files:
cat /var/log/secure
cat /var/log/messages
To harden your SSH server,
* Run SSH on other port rather than default port 22
* Disable Root login
* Use only protocol 2
* Enable Public key authentication.
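As an added example, not part of the original tutorial, the following shell function audits a sshd_config against the four points above. It follows sshd's own rule that the first matching directive wins, so a later duplicate cannot mask a weak setting. The two sample configs are constructed for the demo; on a real host you would point audit_sshd_config at /etc/ssh/sshd_config.

```shell
# Added example (not from the original tutorial): audit a sshd_config against the
# four hardening points above. Sample configs below are constructed for the demo.

# sshd_opt FILE KEY: print the value of the first active "KEY value" line.
# sshd uses the first occurrence of a keyword, so a later duplicate is ignored.
sshd_opt() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per unmet rule and return the
# number of failures (0 = all four rules met).
audit_sshd_config() {
    cfg="$1"
    fails=0

    port=$(sshd_opt "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port is ${port:-22 (default)}; move SSH off port 22"
        fails=$((fails + 1))
    fi

    root=$(sshd_opt "$cfg" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is '${root:-unset}'; set it to no"
        fails=$((fails + 1))
    fi

    proto=$(sshd_opt "$cfg" Protocol)
    if [ "$proto" != "2" ]; then
        echo "FAIL: Protocol is '${proto:-unset}'; set it explicitly to 2"
        fails=$((fails + 1))
    fi

    # PubkeyAuthentication defaults to yes, so only an explicit "no" is a failure
    pubkey=$(sshd_opt "$cfg" PubkeyAuthentication)
    if [ "$pubkey" = "no" ]; then
        echo "FAIL: PubkeyAuthentication is disabled; set it to yes"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo "OK: $cfg meets all four rules"
    return "$fails"
}

# audit_config_text TEXT: write TEXT to a temp file, audit it, return the count.
audit_config_text() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    audit_sshd_config "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: a stock-looking config that fails three of the four rules
WEAK_CFG='#Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: the hardened form of the same file
HARDENED_CFG='Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no'

echo "--- weak config ---";     audit_config_text "$WEAK_CFG" || true
echo "--- hardened config ---"; audit_config_text "$HARDENED_CFG" || true
```

The return value is the failure count, so the function drops straight into a cron job or a config-management check: anything other than 0 means the file drifted from the four rules.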
You can see the full SSH hardening tutorial here
Disable Telnet & Other Unused Services
You may want to disable services like telnet, finger and other unwanted services running under xinetd on your server.
nano /etc/xinetd.d/telnet
// OR
nano /etc/xinetd.d/krb5-telnet
Look for the line disable=no and change it to disable=yes, then turn the service off:
chkconfig telnet off
Hardening PHP for Security
PHP is the most popular scripting language for Apache and MySQL. You will need to disable system-level functions in the PHP configuration file.
nano /usr/local/lib/php.ini
Look for the following lines and make sure they are set as below:
disable_functions = exec,system,shell_exec,passthru
register_globals = Off
expose_php = Off
magic_quotes_gpc = On
It is best to keep magic_quotes on, as otherwise your forms using POST may be used for SQL injection attacks.
Disable Open DNS Recursion (DNS Server)
If you are running the BIND DNS server, you might want to check your DNS server statistics with dnstools.com. You don't want to allow recursive lookups to be performed on your server for anything other than local IPs; open recursion can also slow down your server.
nano /etc/named.conf
Under options { place the line
options {
recursion no;
.....
Then restart BIND
service named restart
You will also need to restrict zone transfers and notifications if you are running BIND 9. Refer to: dns server hardening
Install Mod_Security
ModSecurity is a free open source web application firewall which can help you to guard against LFI (local file inclusion attacks) and SQL injection vulnerabilities.
cPanel Installation:
Just go to cPanel WHM > Plugins > Enable Mod_Security > Save
That should install mod_security in your cPanel. Under Apache it should show up under installed modules if you run a test.php with phpinfo() in it. Try adding some mod_security rules.
Source Installation:
Installing mod_security from source can sometimes be complicated. Don't use apxs for compiling mod_security as it causes a number of problems.
Note: mod_security needs the libxml2 and httpd-devel libraries before it can be installed. It also requires mod_unique_id enabled in the Apache modules. To enable mod_unique_id, place
LoadModule unique_id_module modules/mod_unique_id.so
in your httpd.conf file.
yum install libxml2 libxml2-devel httpd-devel
Download the latest version of mod_security for Apache 2 from http://www.modsecurity.org
wget http://www.modsecurity.org/download/modsecurity-apache_2.5.4.tar.gz
tar zxf modsecurity-apache_2.5.4.tar.gz
cd modsecurity-apache_2.5.4
cd apache2
Then run ./configure
If you cannot find ./configure then you will need to edit the Makefile and change top_dir = /usr/lib/httpd (for CentOS)
make
make install
Next, copy the rule files depending on which you want (you can also select minimal rules file which comes with source). Make a directory named modsecurity under /etc/httpd/conf and copy all the modsecurity rules there. Finally include those files in the httpd.conf file
# /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
Then
/etc/init.d/httpd restart
Log Files
Watch for log files to detect any errors or intrusion activity
/var/log/httpd/modsec_audit
/var/log/httpd/error_log
If you get any errors, I have compiled a list of errors seen while compiling. See here
Install Mod_Evasive
The ModEvasive module for Apache offers protection against DDoS (denial of service) attacks on your server.
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar zxf mod_evasive_1.10.1.tar.gz
cd mod_evasive
Then run the following command for Apache 2:
/usr/sbin/apxs -cia mod_evasive20.c
Once mod evasive is installed, place the following lines in your /etc/httpd/conf/httpd.conf
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
Follow the instructions in the README for further tuning of mod_evasive. The apxs command above compiles, installs and activates the module on your server.
Install RkHunter (Rootkit)
RkHunter is a rootkit scanner that checks for vulnerabilities, insecure files and backdoors on your system and reports them so that you can further harden the server. Installing RkHunter is very easy!
yum install rkhunter
To run checks in your system
rkhunter --checkall
OR
rkhunter -c
You can find the command options available for rkhunter with its help command:
rkhunter --help
Install PortsEntry
Portsentry is a tool to detect port scans and log them. Download the source package of portsentry from sourceforge.net
wget http://path/to/portsentry-1.2.tar.gz
tar zxf portsentry-1.2.tar.gz
make linux
make install
If you get errors like the following while compiling
make linux
SYSTYPE=linux
Making
gcc -O -Wall -DLINUX -DSUPPORT_STEALTH -o ./portsentry ./portsentry.c \
./portsentry_io.c ./portsentry_util.c
./portsentry.c: In function 'PortSentryModeTCP':
./portsentry.c:1187: warning: pointer targets in passing argument 3 of 'accept' differ in signedness
./portsentry.c: In function 'PortSentryModeUDP':
./portsentry.c:1384: warning: pointer targets in passing argument 6 of 'recvfrom' differ in signedness
./portsentry.c: In function 'Usage':
./portsentry.c:1584: error: missing terminating " character
./portsentry.c:1585: error: 'sourceforget' undeclared (first use in this function)
./portsentry.c:1585: error: (Each undeclared identifier is reported only once
./portsentry.c:1585: error: for each function it appears in.)
./portsentry.c:1585: error: expected ')' before 'dot'
./portsentry.c:1585: error: stray '\' in program
./portsentry.c:1585: error: missing terminating " character
./portsentry.c:1595: error: expected ';' before '}' token
make: *** [linux] Error 1
To fix:
Open portsentry.c and look for the following line. There is an extra carriage return breaking the line; delete it so the statement is back on a single line, like this:
printf ("Copyright 1997-2003 Craig H. Rowland\n");
Then run make and make install. That should fix it!
To launch portsentry
/usr/local/psionic/portsentry/portsentry -stcp
/usr/local/psionic/portsentry/portsentry -sudp
Check /var/log/secure to see whether portsentry is active.
Prevent IP Spoofing
IP spoofing is a security exploit and can be prevented by placing nospoof on in the host.conf file. Edit host.conf and add the following lines. If you run BIND, give it preference:
order bind,hosts
nospoof on
Install ClamAV
Antivirus protection is the last item on the list: it protects against worms and trojans invading your mailbox and files. Just install ClamAV (a free open source antivirus for Linux). More information can be found on the ClamAV website.
yum install clamav
Once you have installed ClamAV on your CentOS box, here are some of the basic commands:
1. To update the antivirus database
freshclam
2. To run the antivirus scanner
clamscan -r /home
3. Running as a daily cron job
To run the antivirus as a cron job (automatically scan daily) just run crontab -e from your command line, then add the following line and save the file.
02 1 * * * clamscan -r /var/www
This runs the job daily at 1:02 AM, scanning the public HTML directory. You can change the folder to whatever you want, for mail etc.
That's it! Always keep an eye on the log files for any attacks or error messages!
Tuesday, August 3, 2010
HTTPD
ipcs -s | grep apache | perl -e 'while (<>) { @a=split(/\s+/); print `ipcrm sem $a[1]`}'
ipcs -s | grep apache | perl -e
ipcs -s | grep apache
ipcrm -s 16449538 16482307 16678916
netstat -lnp | grep '0.0.0.0:80'
fuser -v /usr/bin/perl
netstat -tn | grep :80