
Tuesday, April 15, 2014

Openssl-heartbleed-fix

Downloading and updating OpenSSL to the fixed 1.0.1g release.

cd /usr/src
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -zxf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config shared
make
make test
make install
cd /usr/src
rm -rf openssl-1.0.1g.tar.gz
rm -rf openssl-1.0.1g

To overwrite the system OpenSSL instead of installing a second copy under the default prefix, configure it as follows instead:


./config --prefix=/usr --openssldir=/usr/local/openssl shared
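
The build above replaces the library, but it does not tell you whether the copy a given binary reports is still in the affected range, nor does it restart the services that have the old libssl mapped. The script below is an added example, not part of the original post: it classifies "openssl version" output against the Heartbleed-affected upstream versions (1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g is the first fixed release) and reports on the binaries a source build typically leaves behind. The path /usr/local/ssl/bin/openssl is an assumption (OpenSSL's default prefix); /usr/bin/openssl is the distribution copy.

```sh
#!/bin/sh
# heartbleed_check.sh -- added example, not from the original post.
# Classifies "openssl version" strings; runs offline on the strings alone.
# Caveat: vendors backport fixes without bumping the version (RHEL/CentOS kept
# "1.0.1e" after patching), so a CHECK result means "confirm the package
# changelog", e.g. rpm -q --changelog openssl, not "definitely vulnerable".

# heartbleed_vulnerable "OpenSSL 1.0.1e-fips 11 Feb 2013"
#   returns 0 if the upstream version is in the affected range,
#           1 if it is outside the range,
#           2 if the string is not "openssl version" output.
heartbleed_vulnerable() {
    case $1 in
        "OpenSSL "*) ;;
        *) return 2 ;;
    esac
    ver=${1#"OpenSSL "}      # "1.0.1e-fips 11 Feb 2013"
    ver=${ver%% *}           # "1.0.1e-fips"
    case $ver in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;  # 1.0.1 .. 1.0.1f, incl. -fips builds
        1.0.2-beta*)                           return 0 ;;  # 1.0.2-beta1/2 carried the bug too
        *)                                     return 1 ;;
    esac
}

# Report on the distribution binary and on a source build installed under the
# default prefix (assumed path). A fixed /usr/local copy next to an unfixed
# /usr/bin copy is exactly the situation the --prefix=/usr note above avoids.
report_openssl_binaries() {
    for bin in /usr/bin/openssl /usr/local/ssl/bin/openssl; do
        [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null) || continue
        heartbleed_vulnerable "$out" && rc=0 || rc=$?
        case $rc in
            0) echo "CHECK  $bin: $out (upstream range affected; confirm vendor patch level)" ;;
            1) echo "OK     $bin: $out" ;;
            *) echo "??     $bin: unrecognised output: $out" ;;
        esac
    done
}

report_openssl_binaries
```

After replacing the library, restart every service that linked against it (httpd, exim, dovecot, sshd and so on); a running process keeps the old libssl mapped until it is restarted, regardless of what "openssl version" reports.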


Friday, April 11, 2014

Mod-Security Installing Along with - Open Source Rules

Installing the Mod Security.

## For RHEL/CentOS 6.2/6.1/6/5.8 ##

Installing the needed packages

yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Installing the Mod-Security

## For RHEL/CentOS 6.2/6.1/6/5.8 ##
cd /usr/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
tar xzf modsecurity-apache_2.6.6.tar.gz
cd modsecurity-apache_2.6.6
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Adding the Mod-Security module to Apache

# vi /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

[root@54 modsecurity-apache_2.6.6]# httpd -t -D DUMP_MODULES |grep sec
security2_module (shared)
Syntax OK
[root@54 modsecurity-apache_2.6.6]#

<IfModule security2_module>
Include conf.d/modsecurity.conf
</IfModule>


Adding new Mod-Security rules

OWASP core rule set

wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/modsecurity-crs_2.2.5.tar.gz/aaeaa1124e8efc39eeb064fb47cfc0aa/modsecurity-crs_2.2.5.tar.gz
tar zxvf modsecurity-crs_2.2.5.tar.gz
mv modsecurity-crs_2.2.5 modsecurity-crs

mv modsecurity-crs /etc/httpd/conf.d/

Adding the rules to httpd

<IfModule security2_module>
Include conf.d/modsecurity.conf
Include conf.d/modsecurity-crs/activated_rules/*.conf
Include conf.d/modsecurity-crs/base_rules/*.conf
Include conf.d/modsecurity-crs/optional_rules/*.conf
Include conf.d/modsecurity-crs/slr_rules/*.conf
</IfModule>

The current rule set is available from the SpiderLabs repository:
sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Mod Security is now in detection-only mode. Once the rules have been tuned for the server, switch it to blocking mode.


[root@54 conf]# cat /etc/httpd/conf.d/modsecurity.conf |grep SecRuleEngine -i
SecRuleEngine DetectionOnly
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
[root@54 conf]#


Change it to:

SecRuleEngine On
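
Before switching from DetectionOnly to On, an administrator normally reads the audit log to see which rules fire on legitimate traffic, since in blocking mode every one of those becomes a 403. The helpers below are an added example and not code from the original post: one summarises rule ids from a serial-format modsec_audit.log, one reads the active SecRuleEngine value, and one rewrites it with a backup. The configuration path comes from the post; the audit log path is not named on the page and is passed as an argument. The sample log is constructed, modelled on CRS 2.2 messages, not captured from a real server.

```sh
#!/bin/sh
# modsec_cutover.sh -- added example, not from the original post.

MODSEC_CONF=${MODSEC_CONF:-/etc/httpd/conf.d/modsecurity.conf}

# modsec_rule_hits AUDIT_LOG
# Prints "<rule id> <count>", most frequent first. A rule that fires on every
# ordinary request is a whitelist candidate, not something to block on.
modsec_rule_hits() {
    grep -o '\[id "[0-9]*"\]' "$1" \
        | sed 's/^\[id "\([0-9]*\)"\]$/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# modsec_engine_mode CONF -> prints the first uncommented SecRuleEngine value
modsec_engine_mode() {
    awk '/^[[:space:]]*SecRuleEngine[[:space:]]/ { print $2; exit }' "$1"
}

# modsec_set_engine CONF MODE
# Rewrites SecRuleEngine in place and keeps CONF.bak. Only the three values
# ModSecurity accepts are allowed, so a typo cannot silently disable the engine.
modsec_set_engine() {
    conf=$1 mode=$2
    case $mode in
        On|Off|DetectionOnly) ;;
        *) echo "modsec_set_engine: mode must be On, Off or DetectionOnly" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 1
    awk -v m="$mode" '
        /^[[:space:]]*SecRuleEngine[[:space:]]/ { $2 = m }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample in the serial audit-log layout ("--<id>-<part>--" section
# markers, one "Message:" line per rule hit). Two transactions, three hits.
SAMPLE_AUDIT_LOG='--a1b2c3d4-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
--a1b2c3d4-Z--

--e5f6a7b8-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
--e5f6a7b8-Z--'

# Stand-alone demo: the review list for the constructed sample.
demo_log=$(mktemp) && printf '%s\n' "$SAMPLE_AUDIT_LOG" > "$demo_log"
modsec_rule_hits "$demo_log"
rm -f "$demo_log"
```

Typical cut-over on the server described in the post: modsec_rule_hits on the real audit log, whitelist or tune what fires on normal traffic, then modsec_set_engine "$MODSEC_CONF" On followed by httpd -t and a reload of httpd.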


Thursday, May 16, 2013

Atomic mod security rules

ConfigServer ModSecurity Control provides an easy way of monitoring which rules are being triggered on the server in real time but, more importantly, you can whitelist certain rules either globally across the entire server or on a per account/domain basis if some of the rules conflict with a particular script or functionality (e.g. FrontPage). To install CMC, run the following:

rm -fv cmc.tgz

wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh
cd ..
rm -Rfv cmc/ cmc.tgz
If you log in to WHM you will now see “ConfigServer ModSec Control” under “Plugins”. It’s important that you click on it because when it’s run the first time, it will create the file “modsec2.whitelist.conf” if it doesn’t already exist. If that file doesn’t exist then you’ll find Apache won’t start when we come to the end of this guide. Also while you’re here, click on “Disable modsecparse.pl”. This will disable the cPanel cron job that processes and empties the mod_security log, allowing you to use the log watching tool built in to CMC.

To help our VPS and Dedicated Server customers who might also be affected by this, we have designed the following guide to make installing Atomic Mod Security into cPanel with little to no fuss.

Stage 1: Run the following commands at command line:

mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
mkdir /var/asl/updates
mkdir /var/asl/rules/
mkdir /var/asl/rules/clamav
mkdir /etc/asl/
touch /etc/asl/whitelist
cd /usr/local/src/
wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
tar zxvf modsec-2.7-free-latest.tar.gz
mkdir /usr/local/apache/conf/modsec_rules/
cp modsec/* /usr/local/apache/conf/modsec_rules/
These commands create the required directories and download the latest free version of the Atomic Mod Security rules. They also install the rules directly into the Apache location used by cPanel and set the permissions.

Stage 2: Configure cPanel to use the Mod Security Rules

In this stage, you can do everything from WHM as long as you have Mod Security already installed as part of your EasyApache build. If you do not, you will need to rebuild apache with Mod Security.

Go to: WHM -> Plugins -> Mod Security and then click: Edit Config

In this section, delete all the current content and then paste in the following configuration:

SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
Save this and restart Apache.

This should now have installed the Atomic mod security rules into cPanel. They are a much more secure rule base and include extra protection against current attacks.

Testing

A request that passes a remote URL in a parameter, such as

http://YOUR_HOST/foo.php?foo=http://www.example.com

should now be blocked with HTTP 403.

Friday, May 3, 2013

Hide Apache, PHP and Bind Versions

To Check Apache Version:

By default, Apache advertises its version and loaded modules (mod_php, mod_perl, mod_ssl, ...) in the Server header of every HTTP response.

If you want to view the Apache web server version and software of a remote server, follow this procedure.

# telnet example.com 80

Trying example.com...
Connected to example.com.
Escape character is '^]'.
HEAD / HTTP/1.0    <- after this press ENTER twice
HTTP/1.1 200 OK
Date: Sun, 07 Oct 2012 12:57:57 GMT
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 JRun/4.0
Last-Modified: Tue, 03 Jan 2012 11:41:16 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Connection closed by foreign host.

In the above example the server reveals full details about the web server and PHP, which is not recommended for security reasons. We hide this information with the following procedure.
To Hide Apache Information:
To hide the information, add the following two directives to the Apache configuration file (httpd.conf or apache2.conf):

ServerTokens ProductOnly

ServerSignature Off

# /etc/init.d/httpd restart

The Server header in the response now reads:

Server: Apache
To Hide PHP Version Details

Locate php.ini loaded in the server.

Change the following option in php.ini

expose_php = On

to

expose_php = Off

# /etc/init.d/httpd restart
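
Checking the result by hand with telnet works, but it is easy to miss the second banner: with expose_php still On, PHP adds an X-Powered-By header that the ServerTokens change does nothing about. The script below is an added example, not part of the original post. It reads a raw response header block and flags a Server header that still carries a version or module list and any X-Powered-By header; the sample input is constructed from the banner shown in the telnet session above plus a PHP banner, and check_live_host is an optional wrapper around curl.

```sh
#!/bin/sh
# header_leak_check.sh -- added example, not from the original post.
# Exit status of header_leaks: 0 when nothing leaks, 1 when a finding was printed.

# header_leaks [FILE]   (reads stdin when FILE is omitted)
header_leaks() {
    awk '
        {
            sub(/\r$/, "")                                  # tolerate CRLF endings
            if ($0 !~ /^[A-Za-z-]+:/) next                  # status line, blank line, body
            name = $0;  sub(/:.*/, "", name);  name = tolower(name)
            value = $0; sub(/^[^:]*:[[:space:]]*/, "", value)
            if (name == "server") {
                # The hardened banner is the bare product name ("Apache"); a
                # version ("/2.2.21") or any second token (a module list) leaks.
                if (value ~ /\/[0-9]/ || value ~ /[[:space:]]/) {
                    print "LEAK Server: " value; leaks++
                }
            } else if (name == "x-powered-by") {
                print "LEAK X-Powered-By: " value; leaks++   # expose_php is still On
            }
        }
        END { exit (leaks > 0) }
    ' "${1:-/dev/stdin}"
}

# check_live_host HOSTNAME  -- fetch the headers of a host you administer and check them
check_live_host() {
    command -v curl >/dev/null 2>&1 || { echo "curl not installed" >&2; return 2; }
    curl -sS -I --max-time 10 "http://$1/" | header_leaks
}

# Constructed sample: the verbose banner from the telnet session above plus a
# PHP banner, then the response after the two directives and expose_php = Off.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 JRun/4.0
X-Powered-By: PHP/5.3.3
Content-Type: text/html; charset=UTF-8'
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE_BEFORE" | header_leaks && echo "-> before: clean" || echo "-> before: leaks found"
printf '%s\n' "$SAMPLE_AFTER"  | header_leaks && echo "-> after: clean"  || echo "-> after: leaks found"
```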
To Hide BIND Version
You can check the Bind version of a server by using the following command.

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
"9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.4"

To hide your version of BIND, set the version value in named.conf as follows.
You can give any string as the version.

options {
directory "/var/named";
version "We Just Hide It";
};

# dig +short @XXX.XXX.XXX.XXX -c CH -t txt version.bind
"We Just Hide It"

Sunday, April 21, 2013

Security Update: Atomic Mod Security setup guide for cPanel

Sunday, March 3, 2013

Deadly Commands You Should Never Run on Linux

rm -rf / – Deletes Everything!

The command rm -rf / deletes everything it possibly can, including files on your hard drive and files on connected removable media devices. This command is more understandable if it’s broken down:

rm – Remove the following files.

-rf – Run rm recursively (delete all files and folders inside the specified folder) and force-remove all files without prompting you.

/ – Tells rm to start at the root directory, which contains all the files on your computer and all mounted media devices, including remote file shares and removable drives.

Linux will happily obey this command and delete everything without prompting you, so be careful when using it! The rm command can also be used in other dangerous ways – rm -rf ~ would delete all files in your home folder, while rm -rf .* would delete all your configuration files.

The Lesson: Beware rm -rf.
Disguised rm -rf /

Here’s another snippet of code that’s all over the web:

char esp[] __attribute__ ((section(“.text”))) /* e.s.p
release */
= “\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68?
“\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99?
“\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7?
“\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56?
“\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31?
“\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69?
“\x6e\x2f\x73\x68\x00\x2d\x63\x00?
“cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;”;

This is the hex version of rm -rf / – executing this command would wipe out your files just as if you had run rm -rf /.

The Lesson: Don’t run weird-looking, obviously disguised commands that you don’t understand.
:(){ :|: & };: – Fork Bomb

The following line is a simple-looking, but dangerous, bash function:

:(){ :|: & };:

This short line defines a shell function that creates new copies of itself. The process continually replicates itself, and its copies continually replicate themselves, quickly taking up all your CPU time and memory. This can cause your computer to freeze. It’s basically a denial-of-service attack.

The Lesson: Bash functions are powerful, even very short ones.

mkfs.ext4 /dev/sda1 – Formats a Hard Drive

The mkfs.ext4 /dev/sda1 command is simple to understand:

mkfs.ext4 – Create a new ext4 file system on the following device.

/dev/sda1 – Specifies the first partition on the first hard drive, which is probably in use.

Taken together, this command can be equivalent to running format c: on Windows – it will wipe the files on your first partition and replace them with a new file system.

This command can come in other forms as well – mkfs.ext3 /dev/sdb2 would format the second partition on the second hard drive with the ext3 file system.

The Lesson: Beware running commands directly on hard disk devices that begin with /dev/sd.
command > /dev/sda – Writes Directly to a Hard Drive

The command > /dev/sda line works similarly – it runs a command and sends the output of that command directly to your first hard drive, writing the data directly to the hard disk drive and damaging your file system.

command – Run a command (can be any command.)

> – Send the output of the command to the following location.

/dev/sda – Write the output of the command directly to the hard disk device.

The Lesson: As above, beware running commands that involve hard disk devices beginning with /dev/sd.
dd if=/dev/random of=/dev/sda – Writes Junk Onto a Hard Drive

The dd if=/dev/random of=/dev/sda line will also obliterate the data on one of your hard drives.

dd – Perform low-level copying from one location to another.

if=/dev/random – Use /dev/random (random data) as the input – you may also see locations such as /dev/zero (zeros).

of=/dev/sda – Output to the first hard disk, replacing its file system with random garbage data.

The Lesson: dd copies data from one location to another, which can be dangerous if you’re copying directly to a device.

mv ~ /dev/null – Moves Your Home Directory to a Black Hole

/dev/null is another special location – moving something to /dev/null is the same thing as destroying it. Think of /dev/null as a black hole. Essentially, mv ~ /dev/null sends all your personal files into a black hole.

mv – Move the following file or directory to another location.

~ – Represents your entire home folder.

/dev/null – Move your home folder to /dev/null, destroying all your files and deleting the original copies.



Sunday, February 24, 2013

Libsafe installation

Libsafe is a tool for protecting the server against buffer overflow attacks. It is written in C language and used to protect systems against some of the more common buffer overflow attacks.

When you first install Libsafe, it's advisable to use the first method below, since if Libsafe causes problems you can simply unset LD_PRELOAD to stop Libsafe being used.

cd /usr/local/src/
wget http://pubs.research.avayalabs.com/src/libsafe-2.0-16.tgz
tar -xzvf libsafe-2.0-16.tgz
cd libsafe-2.0-16/
make
yes y | make install

Now that Libsafe has been built and installed, we need to ensure that it intercepts all function calls to the standard C library. We can do this in two ways.

1) We can set the environment variable LD_PRELOAD, e.g. (in bash):
LD_PRELOAD=/lib/libsafe.so.2
export LD_PRELOAD

To set this on a system-wide basis, just add this to e.g. /etc/profile (or maybe /etc/profile.local)

2) Alternatively, we can add a line to /etc/ld.so.preload
echo '/lib/libsafe.so.2' >> /etc/ld.so.preload

This will ensure that Libsafe is used for all programs, and cannot be disabled by a normal user (unlike environment variables).

Problems with Libsafe

At this point the reader will no doubt be wondering why Libsafe isn't included by default with all Linux distributions; unfortunately, Libsafe doesn't always work, and worse still, can even cause extra problems.
Because of certain assumptions made about the stack, Libsafe will only work with x86 processors.
Programs that have been linked against libc5 won't work with Libsafe.
If a program has been compiled without a stack pointer (i.e. by using the -fomit-frame-pointer option in GCC or perhaps due to an optimizer), then Libsafe won't be able to catch any overflows.
Libsafe won't catch overflows in statically compiled programs since Libsafe works by intercepting calls to shared libraries.
If a function is included inline, then for the same reason as above Libsafe won't catch overflows.
And of course, since Libsafe only works with a limited set of functions, it won't catch buffer overflows which involve other (user-defined) functions!

from http://www.symantec.com/connect/articles/protecting-systems-libsafe

Saturday, February 16, 2013

Server Hardening

1.)chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits
cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
tar -zxvf chkrootkit.tar.gz
cd chkrootkit-*/
make sense
./chkrootkit
cd ..

Adding program to daily cron job
===============================
You can add a cron entry for running chkrootkit automatically and send a scan report to your mail address.
Create and add the following entries to “/etc/cron.daily/chkrootkit.sh”

#!/bin/sh
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHROOTKIT Daily Run (ServerName)' your@email.com

chmod +x /etc/cron.daily/chkrootkit.sh

2.) RootKit Hunter – A tool which scans for backdoors and malicious software present on the server.
cd /usr/local/src
wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
tar -zxvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install
rkhunter --check
Log: /var/log/rkhunter.log

To update it
=========
rkhunter --update
rkhunter --propupd
=========

How to setup a daily scan report
================================
pico /etc/cron.daily/rkhunter.sh

set crontab to scan and email the report
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

chmod +x /etc/cron.daily/rkhunter.sh

3.) APF or CSF – A policy based iptables firewall system used for the easy configuration of iptables rules.

CSF
================
cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
echo "CSF successfully installed!"
When your configuration is complete, you need to set the following in /etc/csf/csf.conf to disable “TESTING” mode and enable your firewall:
TESTING = "1"
to
TESTING = "0"

csf -r
===============

APF
===============
cd /usr/local
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf*
./install.sh

In the APF config file:

Change the value of USE_AD to
USE_AD="1"

Change the value of DEVEL_MODE to
DEVEL_MODE="1"

Save and quit.
chkconfig --del apf
apf -s
With DEVEL_MODE="1" the firewall is flushed every five minutes. Once you have confirmed there are no issues, open the config file again and change
DEVEL_MODE="1"
to
DEVEL_MODE="0"
===============

sample
TCP_CPORTS="21,22,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096,3306,5666,3000_3500"

4.) Brute Force Detection – BFD is a shell script that parses the relevant logs, checks for authentication failures and blocks the attacker's IP in the firewall.

cd /usr/local/src
wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd*
./install.sh

echo -e "Please enter your email:"
read email
echo "You entered: $email"
echo 'ALERT_USR="1"' >> /usr/local/bfd/conf.bfd
echo "EMAIL_USR=\"$email\"" >> /usr/local/bfd/conf.bfd
echo "Brute Force Detection has been installed!"
echo "Email would be sent to $email"
/usr/local/sbin/bfd -s

5.) SSH Securing – For better security of SSH connections.
Disabling root login and changing the listening port:

1. Create a user for SSH, e.g. sshadminz.
2. Give the user wheel privileges through WHM.
3. In /etc/ssh/sshd_config, change the PermitRootLogin entry to no.
4. In /etc/ssh/sshd_config, change the #Port entry to Port xxxx (the port you need; make sure that port is open in CSF/iptables rules).
5. Restart the sshd service.

ssh sshadmin@***.***.***.*** -p xxxx

Setting an SSH Legal Message

The message is contained within the following file: /etc/motd

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

6.) Host.conf Hardening – Prevents IP spoofing and DNS poisoning

The host.conf file resides in /etc/host.conf.
order bind,hosts
multi on
nospoof on

7.)  Sysctl.conf Hardening – Prevents syn-flood attacks and other network abuses.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log spoofed packets, source routed packets, redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1

After you make the changes to the file you need to run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.

The rules were taken from: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
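
A sysctl.conf assembled from several tutorials tends to set the same key more than once; the kernel applies the last value it reads, so an earlier hardening line can be silently undone, and a value edited in the file is not live until sysctl -p is run. The script below is an added example, not part of the original post: sysctl_conf_conflicts reports keys that appear with different values in a file, and sysctl_conf_drift compares each key in the file with the running kernel (it needs the sysctl binary and is skipped otherwise). The sample file is constructed.

```sh
#!/bin/sh
# sysctl_audit.sh -- added example, not from the original post.

# sysctl_conf_conflicts FILE
# Prints "key: first -> later" for every key set more than once with different
# values. Returns 0 when the file is consistent, 1 when conflicts were printed.
sysctl_conf_conflicts() {
    awk -F= '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }    # comments and blanks
        index($0, "=") == 0 { next }                       # not a key=value line
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key in seen && seen[key] != val) {
                print key ": " seen[key] " -> " val; n++
            }
            seen[key] = val                                # last value is what the kernel keeps
        }
        END { exit (n > 0) }
    ' "$1"
}

# sysctl_conf_drift FILE
# Prints "key: file=X running=Y" where the live kernel disagrees with the file.
# Returns 0 when everything matches, 1 on drift, 2 when sysctl is unavailable.
sysctl_conf_drift() {
    command -v sysctl >/dev/null 2>&1 || return 2
    drift=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}               # strip leading whitespace
        case $line in ''|'#'*|';'*) continue ;; esac
        case $line in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        have=$(sysctl -n "$key" 2>/dev/null) || { echo "$key: not present on this kernel"; continue; }
        # normalise whitespace so "16384 65535" equals the tab-separated live value
        if [ "$(printf '%s' "$want" | tr -s '[:space:]' ' ')" != "$(printf '%s' "$have" | tr -s '[:space:]' ' ')" ]; then
            echo "$key: file=$want running=$have"; drift=$((drift + 1))
        fi
    done < "$1"
    [ "$drift" -eq 0 ]
}

# Constructed sample: a hardening list that re-sets log_martians later on.
SAMPLE_SYSCTL='# constructed sample, not a real host file
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians = 1'

demo=$(mktemp) && printf '%s\n' "$SAMPLE_SYSCTL" > "$demo"
sysctl_conf_conflicts "$demo" || echo "-> resolve the conflicts above before running sysctl -p"
rm -f "$demo"
```

On the server itself: sysctl_conf_conflicts /etc/sysctl.conf, fix any conflicts, run /sbin/sysctl -p as the post says, then sysctl_conf_drift /etc/sysctl.conf should print nothing.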

8.) FTP Hardening – Secure FTP software by upgrading to latest version

FTP: In WHM >> Service Configuration, there is an option to change 2 settings for FTP. By default
the first will be set to use pure-ftpd (this is good) and
the second is to allow anonymous FTP (this is very bad).
turn anonymous OFF.
How many FTP logons you allow each account in your Feature Lists. Up to 3 is fine - anything over 10 is getting silly and simply invites your users to use your server for file sharing.
===
OR
===
"Hardening Pure/Proftpd"
cp -p /etc/pure-ftpd.conf /etc/pure-ftpd.conf.bk
vi /etc/pure-ftpd.conf
AnonymousOnly no
NoAnonymous yes
PassivePortRange 30000 30050

9.) TMP Hardening – Harden /tmp with cPanel's script:
/scripts/securetmp

10.) Secure and Optimize Apache – Tweak apache for a better performance, stability and security.

vim /etc/httpd/conf/httpd.conf
This list is a composite of the settings we will be reviewing from fresh install on a cPanel server:

===
OR AT WHM   Home » Service Configuration » Apache Configuration
===
MinSpareServers 5
MaxSpareServers 10
ServerLimit 600
MaxClients 600
MaxRequestsPerChild 0
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3
Timeout 30
===========

Timeout 300
Usually this value doesn’t require editing and a default of 300 is sufficient. Lowering the ‘Timeout’ value will cause a long running script to terminate earlier than expected.
On virtualized servers like VPS servers, lowering this value to 100 can help improve performance.
KeepAlive On
This setting should be “On” unless the server is getting requests from hundreds of IPs at once.
High volume and/or load balanced servers should have this setting disabled (Off) to increase connection throughput.
MaxKeepAliveRequests 100
This setting limits the number of requests allowed per persistent connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.
It is recommended to keep this value at 100 for virtualized accounts like VPS accounts. On dedicated servers it is recommended that this value be modified to 150.
KeepAliveTimeout 15
The number of seconds Apache will wait for another request before closing the connection. Setting this to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
It is recommended that this value be lowered to 5 on all servers.
MinSpareServers 5
This directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer spare servers idle than specified by this value, then the parent process creates new children at a maximum rate of 1 per second. Setting this parameter to a large number is almost always a bad idea.
Liquidweb recommends adjusting the value for this setting to the following:
Virtualized server, ie VPS 5
Dedicated server with 1-2GB RAM 10
Dedicated server with 2-4GB RAM 20
Dedicated server with 4+ GB RAM 25
===========

11.)WHM Tweaking – Tweak WHM for better security and performance.

Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection

12.) PHP Tightening – Tweak PHP by changing

Edit php.ini as per need

nano /usr/local/lib/php.ini

safe_mode = On
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, popen, proc_open, ini_set
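
Steps 5 and 12 both come down to "this directive must hold this value" in a configuration file, and both files have a rule that is easy to get wrong by eye: sshd_config honours the first occurrence of a directive, php.ini the last, and a commented-out line counts for neither. The script below is an added example, not code from the original guide. conf_value reads the effective value from either file style and conf_expect compares it with the value the guide asks for; audit_hardening applies the guide's expectations (PermitRootLogin no, a non-default Port, expose_php, allow_url_fopen, register_globals and display_errors Off). The default paths are the ones the guide uses; the sample files are constructed.

```sh
#!/bin/sh
# conf_audit.sh -- added example, not from the original guide.

# conf_value FILE KEY [first|last]
# Prints the effective value of KEY (case-insensitive name), nothing if unset.
# Handles "Key value" (sshd_config) and "key = value" (php.ini); "#" and ";"
# start comments. sshd_config takes the first occurrence, php.ini the last.
conf_value() {
    awk -v key="$2" -v mode="${3:-first}" '
        {
            sub(/^[[:space:]]+/, "")
            if ($0 == "" || $0 ~ /^[#;]/) next            # blank or comment line
            sub(/[[:space:]]*[#;].*$/, "")                # trailing comment
            k = $0; sub(/[[:space:]=].*$/, "", k)         # directive name
            v = substr($0, length(k) + 1)
            sub(/^[[:space:]]*=?[[:space:]]*/, "", v)     # separator: spaces and/or "="
            if (tolower(k) == tolower(key)) {
                if (!found || mode == "last") val = v
                found = 1
            }
        }
        END { if (found) print val }
    ' "$1"
}

# conf_expect FILE KEY WANT [first|last] -> PASS/FAIL line; returns 0 on PASS
conf_expect() {
    got=$(conf_value "$1" "$2" "${4:-first}")
    lgot=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    lwant=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ -n "$got" ] && [ "$lgot" = "$lwant" ]; then
        printf 'PASS %-18s %s\n' "$2" "$got"; return 0
    fi
    printf 'FAIL %-18s got "%s", want "%s"\n' "$2" "${got:-<unset>}" "$3"; return 1
}

# audit_hardening [SSHD_CONFIG] [PHP_INI] -> returns the number of failed checks
audit_hardening() {
    sshd=${1:-/etc/ssh/sshd_config} php=${2:-/usr/local/lib/php.ini} fails=0
    conf_expect "$sshd" PermitRootLogin no || fails=$((fails + 1))
    port=$(conf_value "$sshd" Port)
    case $port in
        ''|22) echo "FAIL Port               sshd still on 22 (unset defaults to 22)"; fails=$((fails + 1)) ;;
        *)     echo "PASS Port               $port" ;;
    esac
    conf_expect "$php" expose_php       Off last || fails=$((fails + 1))
    conf_expect "$php" allow_url_fopen  Off last || fails=$((fails + 1))
    conf_expect "$php" register_globals Off last || fails=$((fails + 1))
    conf_expect "$php" display_errors   Off last || fails=$((fails + 1))
    return $fails
}

# Stand-alone demo on constructed files: sshd hardened, php.ini half done.
s=$(mktemp); p=$(mktemp)
printf '# constructed sshd_config\nPort 2222\nPermitRootLogin no\n#PermitRootLogin yes\n' > "$s"
printf '; constructed php.ini\nexpose_php = On\nexpose_php = Off\nallow_url_fopen = Off\ndisplay_errors = On\n' > "$p"
audit_hardening "$s" "$p" || echo "-> $? check(s) failed"
rm -f "$s" "$p"
```

On a cPanel host, run audit_hardening with no arguments after completing steps 5 and 12; every line should read PASS.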

13.) PHP Upgrade – Compile PHP to its latest stable version, which increases server security.

/scripts/easyapache

14.)Shell Fork Bomb/Memory Hog Protection

Home »  Security Center »  Shell Fork Bomb Protection

15.) ClamAV – A cross-platform antivirus toolkit able to detect many types of malicious software, including viruses.
Main >> cPanel >> Manage Plugins
* Install clamav
Tick ClamAV

*********
cd /usr/local/src/
yum install zlib zlib-devel
wget -O clamav-0.95.2.tar.gz http://sourceforge.net/projects/clamav/files/clamav/0.95.2/clamav-0.95.2.tar.gz/download
tar -zxvf clamav-0.95.2.tar.gz
cd clamav-0.95.2
useradd clamav
./configure
make
make install
ldconfig
*********
* Run the scan
[root@server ]# clamscan -r /home
In WHM -> Plugins -> ClamAV Connector, ensure that "Scan Mail" is checked.

clamscan -ir / -l clamscanreport

15.)System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more

cd /usr/src/
wget http://www.rfxn.com/downloads/sim-current.tar.gz
tar zxf sim-current.tar.gz
cd sim-3*
./setup -i
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.httpd.*/init.httpd on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.mysqld.*/init.mysql on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.exim.*/init.exim on/" /usr/local/sim/config/mods.control
sim -j

16.) SPRI – Tool for changing the priority of the different processes running on the server according to their level of importance, thereby increasing the performance and productivity of the server.

cd /usr/src
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar zxvf spri-current.tar.gz
cd spri-0*
./install.sh
spri -v

17.)MySQL optimization – Optimize MySQL value for better performance and stability
/usr/local/cpanel/3rdparty/mysqltuner/mysqltuner.pl

#DO NOT MODIFY THE FOLLOWING COMMENTED LINES!
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 16M

[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M

MySQL parameters like query_cache_size, key_buffer_size, table_cache, sort_buffer, read_rnd_buffer_size, thread_cache, tmp_table_size etc. should be altered according to your server's status.

18.)Root Logger

Root Login Email alert
1. cd /root
2. vi .bashrc
3. Scroll to the end of the file, then add the following (as one line):
echo 'ALERT - Root Shell Access (YourServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com
Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address
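The alert line above pipes the whole output of `who` into the subject, so on a server with several sessions the subject carries several hosts. The following is an added example (not from the original post) that splits the same idea into small functions: one extracts the remote host from a who(1) line, one builds the subject, one builds the body, and `send_root_alert` ties them together for use in /root/.bashrc, looking only at the current session (`who am i`) and skipping non-interactive shells such as scp or cron jobs. The who(1) line and the server name are constructed sample data.

```shell
#!/bin/sh
# Added example: root-login alert helpers for /root/.bashrc.
# SAMPLE_WHO_LINE is constructed test data, not real server output.

SAMPLE_WHO_LINE='root     pts/0        2014-04-15 10:22 (203.0.113.5)'

# login_source LINE
# Prints the host or IP inside the parentheses of a who(1) line, or "console"
# when there is no parenthesised field (local tty logins have none).
login_source() {
    case "$1" in
        *'('*')'*) printf '%s\n' "$1" | sed 's/.*(\(.*\)).*/\1/' ;;
        *)         printf 'console\n' ;;
    esac
}

# alert_subject SERVER SOURCE -> the subject passed to mail -s
alert_subject() {
    printf 'Alert: Root Access on %s from %s\n' "$1" "$2"
}

# alert_body SERVER SOURCE TIMESTAMP -> the one-line message body
alert_body() {
    printf 'ALERT - Root Shell Access (%s) on: %s from %s\n' "$1" "$3" "$2"
}

# send_root_alert SERVER RECIPIENT
# Call this from /root/.bashrc. It does nothing in non-interactive shells
# (scp, rsync, cron) so those do not generate alerts, and it looks only at
# the current session rather than at every logged-in user.
send_root_alert() {
    case "$-" in *i*) ;; *) return 0 ;; esac
    command -v mail >/dev/null 2>&1 || return 0
    src=$(login_source "$(who am i 2>/dev/null)")
    alert_body "$1" "$src" "$(date)" | mail -s "$(alert_subject "$1" "$src")" "$2"
}
```

To use it, paste the functions into /root/.bashrc and add `send_root_alert YourServerName you@yourdomain.com` as the last line; the alert is still only as trustworthy as the tty's recorded origin, so treat it as a notification, not as an audit trail.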

19.)MyTOP – A console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL

/scripts/realperlinstaller --force Getopt::Long
/scripts/realperlinstaller --force DBI
/scripts/realperlinstaller --force DBD::mysql
/scripts/realperlinstaller --force Term::ReadKey

wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
tar zxpfv mytop-1.6.tar.gz
cd mytop-1.6
perl Makefile.PL && make && make install

If you get the error message Error in option spec: "long|!" when you try to execute the mytop command, do the following to solve it.
After running perl Makefile.PL, edit the mytop script inside the installation location and search for the line
"long|!"              => \$config{long_nums},
and comment it out:
#"long|!"              => \$config{long_nums},
then execute make install from the source directory to install the altered mytop script.

After installing mytop you need to create a new file under /root/.mytop (the mytop config file for root) with the lines below (the MySQL root password is found in /root/.my.cnf). Since this file holds the password in clear text, keep it readable by root only (chmod 600 /root/.mytop):
user=root
pass=<your mysql password>
host=localhost
db=mysql
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1

To run it:
mytop -d mysql

20.)MultiTail – MultiTail is a program for monitoring multiple log files, in the fashion of the original tail program
cd /usr/src/
wget http://www.vanheusden.com/multitail/multitail-5.2.12.tgz
tar zxvf multitail-5.2.12.tgz
cd multitail-*
yum install ncurses ncurses-devel -y
make install
multitail -i /etc/host.conf -i /etc/sysctl.conf

21.)Mod_Security – ModSecurity is an embeddable web application firewall.

To install mod_security, go to WHM => EasyApache (or alternatively via CLI, run /scripts/easyapache). After you select your Apache and PHP versions,
you’ll be brought to the Short Options page. Select mod_security from the list, then proceed with the build.

When the build is done, mod_security will be installed. The files are kept in the following location:
/usr/local/apache/conf/modsec2.user.conf

Mod Security once installed, provides some default rules. The file with the rules resides under /usr/local/apache/conf/
The file modsec2.user.conf.default contains the rules which should be copied over to modsec2.user.conf.

cp -p modsec2.user.conf.default modsec2.user.conf

Restart the httpd service once.
**********
http://www.modsecurity.org/documentation/quick-examples.html
mod_security rules
http://www.webhostingtalk.com/showthread.php?t=1072701
http://www.apachelounge.com/viewtopic.php?t=74
**********
When hack attempts are identified by mod_security, they are logged in /usr/local/apache/logs/audit_log with the IP of the offender and what rule was violated.
Visitors that trigger mod_security rules are greeted with a “406: Not Acceptable” error when doing so.
However, mod_security does occasionally block legitimate website access attempts,
specifically for software that happens to make calls consistent with a specific rule that mod_security is configured to block.
Therefore, you may wish to either disable that rule, or disable mod_security for a specific domain or part of your website.
Doing this is rather easy from command line.

First, open up your httpd.conf (/usr/local/apache/conf/httpd.conf) and locate your domain’s <virtualhost> block.
Under it you’ll see a line like this that is commented out:
# Include "/usr/local/apache/conf/userdata/std/2/$user/$domain/*.conf"
Uncomment this line, then create the folder indicated (note that $user is your username, and $domain is your domain name):
mkdir -p /usr/local/apache/conf/userdata/std/2/$user/$domain/
cd /usr/local/apache/conf/userdata/std/2/$user/$domain/
Create a file called modsec.conf, and insert this line:
SecRuleEngine Off
To apply, restart Apache
====
OR
====
Disabling Mod-Security for a single account
To disable mod_security for a particular account, add the following to the user's .htaccess file (these are mod_security 1.x directives):
SecFilterEngine Off
SecFilterScanPOST Off

If the server runs mod_security2, use this instead:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
Note that ModSecurity 2 only honours its directives in .htaccess when it was built with .htaccess support; otherwise put the block in the per-domain include file described above.

22.)Mod_Evasive – mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the
event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network
management tool and can be easily configured to talk to ipchains, firewalls, routers, and more.

Download the latest source file from http://www.zdziarski.com
cd /usr/local/src/
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive/

We also have cPanel running on this box, so, to install, we run the following:

/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c

Now, that will create an entry in the httpd.conf file, and, if we want to retain that after an upgrade/rebuild, we need to tell cPanel not to take it out! To do this, we now run this:

/usr/local/cpanel/bin/apache_conf_distiller --update

Now, to change the settings for mod_evasive, we need to add them somewhere. All we have done so far is install the actual module into Apache, and, even with a restart, it would not be using it. So, I like to add things into my includes files through either WHM, or directly through the terminal. To do this, we run the following:

vim /usr/local/apache/conf/includes/post_virtualhost_2.conf

Once the file is open, let's add the following lines to the bottom of the file:

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 3600
DOSEmailNotify root

=====
OR
=====
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
</IfModule>

23.)Maldetect – Linux Malware Detect (LMD), a malware scanner for shared hosting environments from R-fx Networks

cd /usr/local/src
wget  http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh
cd ..

To run a full scan with maldet:

>maldet -a /

Thursday, February 14, 2013

Disabling Mod-Security for a single account

To disable mod_security for a particular account, add the following to the user's .htaccess file (these are mod_security 1.x directives):

SecFilterEngine Off

SecFilterScanPOST Off

Monday, February 11, 2013

Mod_Evasive – mod_evasive is an evasive maneuvers module for Apache

Mod_Evasive – mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool and can be easily configured to talk to ipchains, firewalls, routers, and more.


Download the latest source file from http://www.zdziarski.com
cd /usr/local/src/
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive/

We also have cPanel running on this box, so, to install, we run the following:

/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c

Now, that will create an entry in the httpd.conf file, and, if we want to retain that after an upgrade/rebuild, we need to tell cPanel not to take it out! To do this, we now run this:

/usr/local/cpanel/bin/apache_conf_distiller --update

Now, to change the settings for mod_evasive, we need to add them somewhere. All we have done so far is install the actual module into Apache, and, even with a restart, it would not be using it. So, I like to add things into my includes files through either WHM, or directly through the terminal. To do this, we run the following:

vim /usr/local/apache/conf/includes/post_virtualhost_2.conf

Once the file is open, let's add the following lines to the bottom of the file:


DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 3600
DOSEmailNotify root

Mod_Security –

Mod_Security – ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure.


To install mod_security, go to WHM => EasyApache (or alternatively via CLI, run /scripts/easyapache). After you select your Apache and PHP versions, you’ll be brought to the Short Options page. Select mod_security from the list, then proceed with the build.

When the build is done, mod_security will be installed. The files are kept in the following location:
/usr/local/apache/conf/modsec2.user.conf

When hack attempts are identified by mod_security, they are logged in /usr/local/apache/logs/audit_log with the IP of the offender and what rule was violated. Visitors that trigger mod_security rules are greeted with a “406: Not Acceptable” error when doing so. However, mod_security does occasionally block legitimate website access attempts, specifically for software that happens to make calls consistent with a specific rule that mod_security is configured to block. Therefore, you may wish to either disable that rule, or disable mod_security for a specific domain or part of your website. Doing this is rather easy from command line.
First, open up your httpd.conf (/usr/local/apache/conf/httpd.conf) and locate your domain's <VirtualHost> block. Under it you'll see a line like this that is commented out:

# Include "/usr/local/apache/conf/userdata/std/2/$user/$domain/*.conf"

Uncomment this line, then create the folder indicated (note that $user is your username, and $domain is your domain name):

mkdir -p /usr/local/apache/conf/userdata/std/2/$user/$domain/
cd /usr/local/apache/conf/userdata/std/2/$user/$domain/

Create a file called modsec.conf, and insert this line:

SecRuleEngine Off

To apply, restart Apache


mod_security rules
http://www.webhostingtalk.com/showthread.php?t=1072701

MultiTail – MultiTail is a program for monitoring multiple log files, in the fashion of the original tail program

cd /usr/src/
wget http://www.vanheusden.com/multitail/multitail-5.2.12.tgz
tar zxvf multitail-5.2.12.tgz
cd multitail-*
yum install ncurses ncurses-devel -y
make install
multitail -i /etc/host.conf -i /etc/sysctl.conf

SPRI – Tool for changing the priority

SPRI – Tool for changing the priority of the different processes running on the server according to their level of importance, thereby increasing the performance and productivity of the server.

cd /usr/src
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar zxvf spri-current.tar.gz
cd spri-0*
./install.sh
spri -v

System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more

cd /usr/src/
wget http://www.rfxn.com/downloads/sim-current.tar.gz
tar zxf sim-current.tar.gz
cd sim-3*
./setup -i
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.httpd.*/init.httpd on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.mysqld.*/init.mysqld on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.exim.*/init.exim on/" /usr/local/sim/config/mods.control
sim -j

MyTOP – A console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL

/scripts/realperlinstaller --force Getopt::Long
/scripts/realperlinstaller --force DBI
/scripts/realperlinstaller --force DBD::mysql
/scripts/realperlinstaller --force Term::ReadKey

wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
tar zxpfv mytop-1.6.tar.gz
cd mytop-1.6
perl Makefile.PL && make && make install

If you get the error message Error in option spec: "long|!" when you try to execute the mytop command, do the following to solve it.
After running perl Makefile.PL, edit the mytop script inside the installation location and search for the line
"long|!" => \$config{long_nums},
and comment it out:
#"long|!" => \$config{long_nums},
then execute make install from the source directory to install the altered mytop script.


After installing mytop you need to create a new file under /root/.mytop (the mytop config file for root) with the lines below (the MySQL root password is found in /root/.my.cnf). Since this file holds the password in clear text, keep it readable by root only (chmod 600 /root/.mytop):
user=root
pass=
host=localhost
db=mysql
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1


To run it:
mytop -d mysql

Apache configuration(IN SERVERS USER WHM TO ADD GLOBAL SETTING TO THE httpd.conf)

To start, open the Apache configuration file and find the directives section. On a cPanel server, it is located in /usr/local/apache/conf/. On a Plesk server, it is in /etc/httpd/conf/. If you are using vi or vim: once you open the file, you can find the directives by scrolling through the file, or by typing a forward slash '/' followed by the exact string you are looking for (the search is case-sensitive).
[root@host /] vim /usr/local/apache/conf/httpd.conf
or
[root@host /] vim /etc/httpd/conf/httpd.conf
This list is a composite of the settings we will be reviewing from fresh install on a cPanel server:

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0

Timeout 300
Usually this value doesn’t require editing and a default of 300 is sufficient. Lowering the ‘Timeout’ value will cause a long running script to terminate earlier than expected.
On virtualized servers like VPS servers, lowering this value to 100 can help improve performance.
KeepAlive On
This setting should be “On” unless the server is getting requests from hundreds of IPs at once.
High volume and/or load balanced servers should have this setting disabled (Off) to increase connection throughput.
MaxKeepAliveRequests 100
This setting limits the number of requests allowed per persistent connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.
It is recommended to keep this value at 100 for virtualized accounts like VPS accounts. On dedicated servers it is recommended that this value be modified to 150.
KeepAliveTimeout 15
The number of seconds Apache will wait for another request before closing the connection. Setting this to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
It is recommended that this value be lowered to 5 on all servers.
MinSpareServers 5
This directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer spare servers idle than specified by this value, then the parent process creates new children at a maximum rate of 1 per second. Setting this parameter to a large number is almost always a bad idea.
Liquidweb recommends adjusting the value for this setting as follows:
Virtualized server (e.g. VPS): 5
Dedicated server with 1-2GB RAM: 10
Dedicated server with 2-4GB RAM: 20
Dedicated server with 4+GB RAM: 25
****************************************************************
WHM Tweaking – Tweak WHM for better security and performance.

Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
Under System: Use jailshell as the default shell for all new accounts and
modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection

*****************************************************************

PHP Tightening – Tweak PHP by changing the parameters of php configuration for better security and performance.
php.ini & disabled functions
Edit php.ini

[root@server ]# nano /usr/local/lib/php.ini
safe_mode = On
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
; allow_url_fopen is an ini setting, not a function, so it is turned off above rather than listed here
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, popen, proc_open, ini_set
************************************************************
PHP Upgrade – Compile PHP to its latest stable version, which increases server security.

Use the easyapache script (WHM => EasyApache, or /scripts/easyapache from the CLI).
************************************************************
MySQL optimization – Optimize MySQL value for better performance and stability
/usr/local/cpanel/3rdparty/mysqltuner/mysqltuner.pl

#DO NOT MODIFY THE FOLLOWING COMMENTED LINES!
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 16M

[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M

MySQL parameters like query_cache_size, key_buffer_size, table_cache, sort_buffer, read_rnd_buffer_size, thread_cache, tmp_table_size etc. should be altered according to your server's status.

Sunday, February 10, 2013

FTP Hardening – Secure FTP software by upgrading to latest version

FTP: In WHM >> Service Configuration, there is an option to change 2 settings for FTP.
By default the first will be set to use pure-ftpd (this is good) and the second is to allow anonymous FTP (this is very bad). Unless you really want half the world (the bad half) discovering that you run an open FTP server, turn anonymous OFF.
Each FTP session uses resources, so you should also be careful about how many FTP logons you allow each account in your Feature Lists. Up to 3 is fine - anything over 10 is getting silly and simply invites your users to use your server for file sharing.

Saturday, February 9, 2013

Host.conf & sysctl.conf Hardening

Host.conf Hardening – Prevents IP spoofing and DNS poisoning

The host.conf file resides in /etc/host.conf.
order bind,hosts
multi on
nospoof on

Sysctl.conf Hardening – Prevents syn-flood attacks and other network abuses.



#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Settings are applied in file order and a repeated key keeps its last value,
# so every key appears only once below.

# Disables packet forwarding
net.ipv4.ip_forward = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log Spoofed Packets, Source Routed Packets, Redirect Packets (1 = log)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the upper bound must not exceed 65535)
net.ipv4.ip_local_port_range = 16384 65535

# Turn on execshield
kernel.exec-shield = 1
kernel.randomize_va_space = 1

After you make the changes to the file you need to run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.

The rules were taken from: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
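Because sysctl -p applies the file top to bottom, a key that is assigned twice silently keeps the last value, and a value the kernel rejects (an out-of-range port, a key that does not exist on this kernel) is simply skipped with an error on the console. The following is an added example (not from the original post) with two checks for a sysctl.conf like the one above: `sysctl_conflicts` lists keys assigned more than one distinct value, and `sysctl_unapplied` compares the file's final values with the running kernel after `sysctl -p`. The sample file it writes is constructed to contain one such conflict.

```shell
#!/bin/sh
# Added example: sanity checks for /etc/sysctl.conf.

# write_sample_sysctl_conf FILE -- constructed sample with a conflicting key
write_sample_sysctl_conf() {
cat > "$1" <<'EOF'
# constructed sample, not a real server's file
net.ipv4.ip_forward=0
# Enable Log Spoofed Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_local_port_range = 16384 65535
# Log Spoofed Packets
net.ipv4.conf.all.log_martians = 1
EOF
}

# parse_sysctl FILE
# Prints "key value" per assignment in file order, comments stripped and
# whitespace around "=" removed, so both "a=b" and "a = b" parse the same.
parse_sysctl() {
    awk '
        { sub(/#.*/, "") }
        !/=/ { next }
        {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "") print key, val
        }
    ' "$1"
}

# sysctl_conflicts FILE
# Prints "key first_value last_value" for each key assigned more than one
# distinct value; repeats with the same value are not reported.
sysctl_conflicts() {
    parse_sysctl "$1" | awk '
        {
            key = $1; val = $2; for (i = 3; i <= NF; i++) val = val " " $i
            if (!(key in first)) first[key] = val
            else if (val != last[key]) conflict[key] = 1
            last[key] = val
        }
        END { for (k in conflict) print k, first[k], last[k] }
    ' | sort
}

# sysctl_unapplied FILE
# For each key's final value in FILE, prints "key file_value running_value"
# when the running kernel (sysctl -n) disagrees or does not know the key.
# Run after /sbin/sysctl -p; no output means everything took effect.
sysctl_unapplied() {
    parse_sysctl "$1" | awk '
        { key = $1; val = $2; for (i = 3; i <= NF; i++) val = val " " $i; last[key] = val }
        END { for (k in last) print k, last[k] }
    ' | while read -r key val; do
        running=$(sysctl -n "$key" 2>/dev/null | tr -s '\t ' ' ')
        [ "$running" = "$val" ] || printf '%s %s %s\n' "$key" "$val" "$running"
    done
}
```

Run `sysctl_conflicts /etc/sysctl.conf` before applying the file and `sysctl_unapplied /etc/sysctl.conf` afterwards; multi-value keys such as ip_local_port_range are compared with their whitespace normalised, since sysctl -n prints them tab-separated.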

SSH Securing – For a better security of ssh connections.

Disabling Root Login and changing the listening port.

1. Create a user for SSH, for example sshadminz
2. Give the user wheel privileges through WHM
3. In /etc/ssh/sshd_config change the entry PermitRootLogin to no
4. In /etc/ssh/sshd_config change the entry #Port to Port xxxx (the port you need; make sure that port is open in csf/iprules)
5. Restart the sshd service

>ssh sshadminz@***.***.***.*** -p xxxx

Setting an SSH Legal Message

The message is contained within the following file: /etc/motd

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

SSH In /etc/ssh/sshd_config,

#Protocol 2,1
should be changed to
Protocol 2
AllowTcpForwarding no

Restart ssh service

# Only allow the following users SSH Access
AllowUsers User1 User2 etc
# Deny access to the following users
DenyUsers admin etc
# Set the timeout period for idle sessions (in seconds)
ClientAliveInterval 300
ClientAliveCountMax 0
# Disable Host-Based Authentication
HostbasedAuthentication no
# Remove ability to login as Root
PermitRootLogin no
# Change the default SSH Port (Not essential but can help uncomment if you want)
#Port 22
#ListenAddress 192.168.1.1
# Consider CHRooting users to their own directories.
# Subsystem sftp internal-sftp
#Match group sftponly
# ChrootDirectory /home/%u
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand internal-sftp
# Disable empty passwords from login
PermitEmptyPasswords no
# Set your required Log Level (Either INFO or DEBUG)
LogLevel INFO
# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking (UseDNS replaced the older VerifyReverseMapping keyword)
UseDNS yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no
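One detail that bites when hardening lines are appended to the bottom of sshd_config, as the list above invites: sshd uses the first occurrence of each keyword, the opposite of sysctl.conf and httpd.conf where the last one wins, so a `PermitRootLogin no` added below a default `PermitRootLogin yes` is ignored. The following is an added example (not from the original post or from OpenSSH) that reads a config the way sshd does, taking the first value in the global section and stopping at the first `Match` block, and compares it against the expected settings from the list. The sample config is constructed to contain exactly that mistake.

```shell
#!/bin/sh
# Added example: audit sshd_config against the hardening settings above.

# write_sample_sshd_config FILE -- constructed sample with ignored repeats
write_sample_sshd_config() {
cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
# hardening lines appended later; sshd keeps the FIRST value, so these are ignored
PermitRootLogin no
PermitEmptyPasswords no
Match Group sftponly
    PermitRootLogin no
EOF
}

# Expected values, one "keyword value" per line (keywords are case-insensitive).
EXPECTED='permitrootlogin no
protocol 2
passwordauthentication no
permitemptypasswords no
x11forwarding no
allowtcpforwarding no'

# effective_sshd_value FILE KEYWORD
# Prints the value sshd would use: the first match in the global section.
# Anything after the first Match block is conditional and is skipped.
# Prints "unset" when the keyword is absent (sshd then uses its default).
effective_sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_audit FILE
# Prints "keyword expected effective" for every expected keyword whose
# effective value differs; no output means the file matches the list.
sshd_audit() {
    printf '%s\n' "$EXPECTED" | while read -r key want; do
        got=$(effective_sshd_value "$1" "$key")
        [ "$got" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "$got"
    done
}
```

Run `sshd_audit /etc/ssh/sshd_config` after editing and again after restarting sshd; `sshd -T` (where available) prints the daemon's own view of the effective settings and is the authoritative cross-check.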

CSF AND BFD install

APF or CSF – A policy based iptables firewall system used for the easy configuration of iptables rules.

cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
echo "CSF successfully installed!"
When your configuration is complete, you need to set the following in /etc/csf/csf.conf to disable “TESTING” mode and enable your firewall:
TESTING = "1"
to
TESTING = "0"

Brute Force Detection – BFD is a shell script for parsing applicable logs and checking for authentication failures and blocks the attackers ip in the firewall

cd /usr/local/src
wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
# bfd-current extracts to a versioned directory (bfd-1.4 at the time of writing)
cd bfd-*
./install.sh
echo -e "Please enter your email:"
read email
echo "You entered: $email"
# conf.bfd expects the values double-quoted, so the quotes are escaped to survive into the file
echo "ALERT_USR=\"1\"" >> /usr/local/bfd/conf.bfd
echo "EMAIL_USR=\"$email\"" >> /usr/local/bfd/conf.bfd
echo "Brute Force Detection has been installed!"
echo "Email would be sent to $email"
/usr/local/sbin/bfd -s