Sunday, February 24, 2013
Libsafe installation
When you first install Libsafe, it's advisable to use the first method below (the LD_PRELOAD environment variable), since if Libsafe causes problems you can simply unset LD_PRELOAD to stop it being used.
cd /usr/local/src/
wget http://pubs.research.avayalabs.com/src/libsafe-2.0-16.tgz
tar -xzvf libsafe-2.0-16.tgz
cd libsafe-2.0-16/
make
yes y | make install
Now that Libsafe has been built and installed, we need to ensure that it intercepts all function calls to the standard C library. We can do this in two ways.
1) We can set the environmental variable LD_PRELOAD e.g. (in bash):
$ LD_PRELOAD=/lib/libsafe.so.2
$ export LD_PRELOAD
To set this on a system-wide basis, just add this to e.g. /etc/profile (or maybe /etc/profile.local)
2) Alternatively, we can add a line to /etc/ld.so.preload
echo '/lib/libsafe.so.2' >> /etc/ld.so.preload
This will ensure that Libsafe is used for all programs, and cannot be disabled by a normal user (unlike environment variables).
Problems with Libsafe
At this point the reader will no doubt be wondering why Libsafe isn't included by default with all Linux distributions; unfortunately, Libsafe doesn't always work, and worse still, can even cause extra problems.
Because of certain assumptions made about the stack, Libsafe will only work with x86 processors.
Programs that have been linked against libc5 won't work with Libsafe.
If a program has been compiled without a frame pointer (i.e. by using the -fomit-frame-pointer option in GCC, or because an optimizer dropped it), then Libsafe won't be able to catch any overflows.
Libsafe won't catch overflows in statically compiled programs since Libsafe works by intercepting calls to shared libraries.
If a function is included inline, then for the same reason as above Libsafe won't catch overflows.
And of course, since Libsafe only works with a limited set of functions, it won't catch buffer overflows which involve other (user-defined) functions!
from http://www.symantec.com/connect/articles/protecting-systems-libsafe
Tuesday, February 19, 2013
Linux Sed Command
Substitution: sed 's/<oldstring>/<newstring>/g' <file>
Deletion: sed '<start>,<end>d' <file>
Let's start with a substitution example. If you want to change all occurrences of lamb to ham in the poem.txt file in the grep example, enter this:
sed 's/lamb/ham/g' poem.txt
Mary had a little ham
Mary fried a lot of spam
Jack ate a Spam sandwich
Jill had a ham spamwich
In the quoted string, the "s" means substitute, and the "g" means make a global change. You can also leave off the "g" (to change only the first occurrence on each line) or specify a number instead (to change the first n occurrences on each line).
Now let's try an example involving deletion of lines. The values for start and end can be either a line number or a pattern to match. All lines from the start line to the end line are removed from the output. This example will delete starting at line 2, up to and including line 3:
sed '2,3d' poem.txt
Mary had a little lamb
Jill had a lamb spamwich
This example will delete starting at line 1, up to and including the next line containing Jack:
sed '1,/Jack/d' poem.txt
Jill had a lamb spamwich
The most common use of sed is to change one string of text to another string of text. But I should mention that the strings that sed uses for search and delete are actually regular expressions. This means you can use pattern matching, just as with grep. Although you'll probably never need to do anything like this, here's an example anyway. To change any occurrences of lamb at the end of a line to ham, and save the results in a new file, enter this:
sed 's/lamb$/ham/g' poem.txt > new.file
Since we directed output to a file, sed didn't print anything on the screen. If you look at the contents of new.file it will show these lines:
Mary had a little ham
Mary fried a lot of spam
Jack ate a Spam sandwich
Jill had a lamb spamwich
Use the man sed command for more information on using sed.
Connecting wireless through command line
First bring the wireless interface up:
ifconfig wlan0 up
You won't see any feedback unless there is a problem.
The next step is to scan for your wireless network to make sure it is available. Do this with the following command:
iwlist wlan0 scan
With this command you will see output like the following:
Cell 01 - Address: 00:21:43:4E:9B:F0
ESSID:"HAIR STROBEL"
Mode:Master
Channel:5
Frequency:2.432 GHz (Channel 5)
Quality=100/100  Signal level:-45 dBm  Noise level=-95 dBm
Encryption key:on
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : TKIP
Authentication Suites (1) : PSK
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 22 Mb/s
6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
36 Mb/s; 48 Mb/s; 54 Mb/s
Extra:tsf=000002f1d9be01b7
So you know this network is available. From the above output you can also see this network is employing WPA2, so you will need a passkey. If you don’t know that passkey, you are out of luck (which would be the case no matter if you were using a front end in Linux, Windows, or Mac.)
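Reading the scan output by eye is how you decide whether a network is worth joining; as an added example (not from the original article), here is a Python parser for iwlist scan output that extracts each cell and rates its security. It treats TKIP as weak even when a WPA2 IE is present, which is exactly the situation in the cell shown above (WPA2 advertised, group cipher still TKIP). The scan text inside the script is constructed, with placeholder ESSIDs and locally administered MAC addresses.

```python
"""Parse `iwlist <iface> scan` output and rate each cell's security.

Added example, not part of the original article. SAMPLE_SCAN is constructed
(placeholder ESSIDs, locally administered BSSIDs) in the same layout iwlist
prints.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    ESSID:"example-wpa"
                    Mode:Master
                    Channel:5
                    Frequency:2.432 GHz (Channel 5)
                    Quality=100/100  Signal level:-45 dBm  Noise level=-95 dBm
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 02 - Address: 02:00:00:00:00:02
                    ESSID:"example-open"
                    Mode:Master
                    Channel:11
                    Encryption key:off
          Cell 03 - Address: 02:00:00:00:00:03
                    ESSID:"example-wep"
                    Mode:Master
                    Channel:1
                    Encryption key:on
"""


@dataclass
class Cell:
    address: str
    essid: str = ""
    channel: int = 0
    encrypted: bool = False
    wpa_versions: list = field(default_factory=list)  # "WPA" and/or "WPA2"
    ciphers: set = field(default_factory=set)         # TKIP, CCMP, ...
    signal_dbm: Optional[int] = None


def parse_iwlist(text):
    """Split the scan text into Cell records, one per 'Cell NN - Address:' header."""
    cells, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            cur = Cell(address=m.group(1).upper())
            cells.append(cur)
            continue
        if cur is None:          # banner lines before the first cell
            continue
        if line.startswith("ESSID:"):
            cur.essid = line[len("ESSID:"):].strip('"')
        elif line.startswith("Channel:"):
            cur.channel = int(line.split(":", 1)[1])
        elif line.startswith("Encryption key:"):
            cur.encrypted = line.endswith("on")
        elif line.startswith("IE: WPA Version"):
            cur.wpa_versions.append("WPA")
        elif line.startswith("IE: IEEE 802.11i/WPA2"):
            cur.wpa_versions.append("WPA2")
        elif "Cipher" in line and ":" in line:
            cur.ciphers.update(line.split(":", 1)[1].split())
        m = re.search(r"Signal level[:=](-?\d+) dBm", line)
        if m:
            cur.signal_dbm = int(m.group(1))
    return cells


def rate_cell(cell):
    """Return (rating, reason); ratings are 'open', 'wep', 'weak' or 'ok'."""
    if not cell.encrypted:
        return "open", "no encryption at all"
    if not cell.wpa_versions:
        return "wep", "encryption on but no WPA/RSN IE, so this is WEP"
    if "WPA2" not in cell.wpa_versions:
        return "weak", "WPA (version 1) only"
    if "TKIP" in cell.ciphers:
        return "weak", "WPA2 advertised but TKIP still enabled"
    return "ok", "WPA2 with CCMP"


def summarize(text):
    """Map ESSID -> rating for every cell in the scan text."""
    return {c.essid: rate_cell(c)[0] for c in parse_iwlist(text)}


if __name__ == "__main__":
    for cell in parse_iwlist(SAMPLE_SCAN):
        rating, why = rate_cell(cell)
        print(f"{cell.essid:15} {cell.address} ch{cell.channel:<3} {rating:5} {why}")
```

To use it against a real interface, pipe the command's output into the script's stdin instead of SAMPLE_SCAN; the parser only depends on the indentation-free field names, so iwlist's varying indentation does not matter.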
Now it’s time to configure your connection. To do this issue the command:
iwconfig wlan0 essid NETWORK_ID key WIRELESS_KEY
Where NETWORK_ID is the ESSID of the network with which you want to connect and WIRELESS_KEY is the security key needed to connect to the wireless access point.
Note: iwconfig defaults to using a hex key. If you want to use an ASCII key you will have to add the "s:" prefix to your key like so:
iwconfig wlan0 essid NETWORK_ID key s:WIRELESS_KEY
Now that you have your configuration set, it’s time to get an IP address with the help of dhclient. Issue the command:
dhclient wlan0
If no output is reported there are no errors. You should now be up and running.
Make it a script
Of course who wants to type out all of those commands. Instead of doing this you could create a script for this like so:
#!/bin/bash
ifconfig wlan0 up
iwconfig wlan0 essid NETWORK_ID key WIRELESS_KEY
dhclient wlan0
Where NETWORK_ID is the actual ESSID of the network and WIRELESS_KEY is the security key for that network. Save this script with the filename wireless_up.sh and then make this script executable with the command:
chmod u+x wireless_up.sh
You can make this a global command by placing this script in /usr/local/bin. You can now issue the command wireless_up.sh from anywhere in your directory structure and it will run, connecting you to the configured wireless access point.
You can also pin the channel, either by frequency:
sudo iwconfig wlan0 freq 2.422G
Or by running:
sudo iwconfig wlan0 channel 3
A longer variant of the script that also fixes the channel and the access point address (the key / key restricted lines set a WEP key, which is all iwconfig can configure; WPA/WPA2 networks need wpa_supplicant instead):
ifconfig wlan0 down
iwconfig wlan0 mode managed
ifconfig wlan0 up
iwconfig wlan0 channel 3
iwconfig wlan0 key xxxxxxxxxx
iwconfig wlan0 key restricted
iwconfig wlan0 essid "Blah Blah Foo Bar"
iwconfig wlan0 ap xx:yy:zz:aa:bb:cc
sleep 5
dhcpcd -d wlan0
Hosts file in linux and windows
The hosts file is one of several system facilities that assists in addressing network nodes in a computer network. It is a common part of an operating system's Internet Protocol (IP) implementation, and serves the function of translating human-friendly hostnames into numeric protocol addresses, called IP addresses, that identify and locate a host in an IP network.
In some operating systems, the hosts file's content is used preferentially to other methods, such as the Domain Name System (DNS), but many systems implement name service switches (e.g., nsswitch.conf for Linux and Unix) to provide customization. Unlike the DNS, the hosts file is under the direct control of the local computer's administrator.
| Operating System | Version(s) | Location |
|---|---|---|
| Unix, Unix-like, POSIX | | /etc/hosts |
| Microsoft Windows | 3.1 | %WinDir%\HOSTS |
| | 95, 98/98SE, Me | %WinDir%\hosts |
| | NT, 2000, XP (x86 & x64), 2003, Vista, 7 and 8 | %SystemRoot%\system32\drivers\etc\hosts |
| Windows Mobile | | Registry key under HKEY_LOCAL_MACHINE\Comm\Tcpip\Hosts |
| Apple Macintosh | 9 and earlier | |
| | Mac OS X 10.0 – 10.1.5 | (Added through NetInfo or niload) |
| | Mac OS X 10.2 and newer | /etc/hosts (a symbolic link to /private/etc/hosts) |
| Novell NetWare | | SYS:etc\hosts |
| OS/2 & eComStation | | "bootdrive":\mptn\etc\ |
| Symbian | Symbian OS 6.1–9.0 | C:\system\data\hosts |
| | Symbian OS 9.1+ | C:\private\10000882\hosts |
| MorphOS | NetStack | ENVARC:sys/net/hosts |
| AmigaOS | 4 | DEVS:Internet/hosts |
| Android | | /etc/hosts (a symbolic link to /system/etc/hosts) |
| iOS | iOS 2.0 and newer | /etc/hosts (a symbolic link to /private/etc/hosts) |
| TOPS-20 | | |
| Plan 9 | | /lib/ndb/hosts |
| BeOS | | /boot/beos/etc/hosts |
| Haiku | | /boot/common/settings/network/hosts |
| OpenVMS | UCX | UCX$HOST |
| | TCPware | TCPIP$HOST |
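Because the hosts file is consulted before DNS on most systems, a single injected line can redirect a vendor's update host or a login page to an attacker-controlled address, or silently block a security vendor's domain by pointing it at loopback. The following is an added example (not part of the original post): a small Python audit for a hosts-format file that flags remapped sensitive names, non-localhost names pointed at loopback, conflicting duplicate mappings and malformed addresses. The sample file contents and the SENSITIVE_SUFFIXES list are constructed placeholders.

```python
"""Audit an /etc/hosts-style file for suspicious entries.

Added example, not from the original post. SAMPLE_HOSTS and the
SENSITIVE_SUFFIXES list are constructed; the hostnames are placeholders.
"""
import ipaddress

SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    intranet.example.test intranet
# the entries below are constructed to look like an injected block
127.0.0.1       update.vendor.example
203.0.113.7     login.bank.example
192.168.1.10    intranet.example.test
300.1.1.1       broken.example
"""

# Domains a legitimate hosts file on this machine should never remap
# (assumption for this example: choose your own list in practice).
SENSITIVE_SUFFIXES = ("bank.example", "vendor.example")
LOOPBACK_OK = {"localhost", "ip6-localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return [(line_no, ip, [names])], skipping blank lines and # comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((n, parts[0], parts[1:]))
    return entries


def is_sensitive(name):
    """True if name equals or is a subdomain of a sensitive suffix."""
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_hosts(text):
    """Return a list of (line_no, reason) findings for the hosts text."""
    findings = []
    seen = {}  # (name, ip version) -> first address it was mapped to
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, f"invalid address {ip!r}"))
            continue
        for name in names:
            if is_sensitive(name):
                findings.append((n, f"{name} pinned to {ip} (possible hijack)"))
            elif addr.is_loopback and name not in LOOPBACK_OK:
                findings.append((n, f"{name} pointed at loopback (sinkholed)"))
            # Same name mapped twice to different addresses of the same family:
            # the resolver takes the first one, so the later line is a decoy or a mistake.
            first = seen.setdefault((name, addr.version), ip)
            if first != ip:
                findings.append((n, f"{name} already mapped to {first} earlier in the file"))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, reason in audit_hosts(fh.read()):
            print(f"{path}:{line_no}: {reason}")
```

Run it with no argument to audit /etc/hosts, or pass the Windows path from the table above. Pairing this with a file-integrity monitor (the hosts file should change rarely, and only by administrator action) turns a one-off check into ongoing detection.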
Saturday, February 16, 2013
update RVSiteBuilder
For cPanel
Go to root WHM / Add-ons / RVSiteBuilder Manager. On the Manager homepage, if you are not on the latest version, it will show you the link 'Upgrade to latest version'. Following the link will upgrade your RVSiteBuilder.
If you cannot access the RVSiteBuilder Manager interface, you can update from the command line:
perl /usr/local/cpanel/whostmgr/docroot/cgi/rvsitebuilderinstaller/autoinstaller.cgi
Server Hardening
1.) Chkrootkit – checks the local system for signs of known rootkits.
cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
tar -zxvf chkrootkit.tar.gz
cd chkrootkit-*/
make sense
./chkrootkit
cd ..
Adding program to daily cron job
===============================
You can add a cron entry for running chkrootkit automatically and send a scan report to your mail address.
Create /etc/cron.daily/chkrootkit.sh with the following contents:
#!/bin/sh
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s 'CHKROOTKIT Daily Run (ServerName)' your@email.com
chmod +x /etc/cron.daily/chkrootkit.sh
2.) Rootkit Hunter – A tool which scans for backdoors and malicious software present on the server.
cd /usr/local/src
wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
tar -zxvf rkhunter*
cd rkhunter*
./installer.sh --install
rkhunter --check
log : /var/log/rkhunter.log
To update it
=========
rkhunter --update
rkhunter --propupd
=========
How to setup a daily scan report
================================
pico /etc/cron.daily/rkhunter.sh
set crontab to scan and email the report
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com
chmod +x /etc/cron.daily/rkhunter.sh
3.) APF or CSF – A policy based iptables firewall system used for the easy configuration of iptables rules.
CSF
================
cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
echo "CSF successfully installed!"
When your configuration is complete, you need to set the following in /etc/csf/csf.conf to disable “TESTING” mode and enable your firewall:
TESTING = "1"
to
TESTING = "0"
csf -r
===============
APF
===============
cd /usr/local
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf*
./install.sh
In the config file, change the value of USE_AD to
USE_AD="1"
and the value of DEVEL_MODE to
DEVEL_MODE="1"
Save and quit.
chkconfig --del apf
apf -s
If there are no issues and the firewall gets flushed every five minutes, go back into the conf file and change
DEVEL_MODE="1"
to
DEVEL_MODE="0"
===============
Sample port list:
TCP_CPORTS="21,22,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096,3306,5666,3000_3500"
4.) Brute Force Detection – BFD is a shell script that parses the applicable logs, checks for authentication failures and blocks the attacker's IP in the firewall.
cd /usr/local/src
wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd*
./install.sh
echo -e "Please enter your email:"
read email
echo "You entered: $email"
echo 'ALERT_USR="1"' >> /usr/local/bfd/conf.bfd
echo "EMAIL_USR=\"$email\"" >> /usr/local/bfd/conf.bfd
echo "Brute Force Detection has been installed!"
echo "Email would be sent to $email"
/usr/local/sbin/bfd -s
5.) SSH Securing – For a better security of ssh connections.
Disabling Root Login and changing the listening port .
1. Create a user for SSH, e.g. sshadminz
2. Give the user wheel privileges through WHM
3. In /etc/ssh/sshd_config change the entry PermitRootLogin to no
4. In /etc/ssh/sshd_config change the entry #Port to Port xxxx (the desired port; make sure that port is open in CSF/iptables rules)
5. Restart the sshd service
ssh sshadminz@***.***.***.*** -p xxxx
Setting an SSH Legal Message
The message is contained within the following file: /etc/motd
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
6.) Host.conf Hardening – Prevents IP spoofing and DNS poisoning
The host.conf file resides in /etc/host.conf.
order bind,hosts
multi on
nospoof on
7.) Sysctl.conf Hardening – Prevents syn-flood attacks and other network abuses.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
After you make the changes to the file you need to run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.
The rules were taken from: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
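sysctl -p applies assignments in file order, so a key that appears twice with different values silently ends up with the last one, and a hand-maintained sysctl.conf drifts from what you meant to enforce. As an added example (not from the original post), here is a Python audit that parses a sysctl.conf-style file, reports keys that are reassigned to a different value, and compares the effective values against a baseline taken from the settings above. The baseline raises kernel.randomize_va_space to 2 (the post uses 1; 2 also randomizes the heap/brk area and is the usual default today). SAMPLE_CONF is constructed and deliberately sets one key twice.

```python
"""Audit a sysctl.conf-style file against a hardening baseline.

Added example, not from the original post. BASELINE mirrors the post's
sysctl.conf (with randomize_va_space raised to 2); SAMPLE_CONF is a
constructed file that sets net.ipv4.conf.all.log_martians twice.
"""

BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "kernel.sysrq": "0",
    "kernel.randomize_va_space": "2",   # post uses 1; 2 = full ASLR incl. brk
}

SAMPLE_CONF = """\
# constructed sample: same shape as the post's file, with one key set twice
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space=1
"""


def parse_sysctl(text):
    """Yield (line_no, key, value); '=' may or may not be surrounded by spaces."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        yield n, key, value


def audit_sysctl(text, baseline=BASELINE):
    """Return (findings, effective).

    findings: list of (line_no, message); line 0 means 'not set anywhere'.
    effective: key -> value as sysctl -p would leave it (last assignment wins).
    """
    findings = []
    effective = {}  # key -> (line_no, value)
    for n, key, value in parse_sysctl(text):
        if key in effective and effective[key][1] != value:
            first_line, first_value = effective[key]
            findings.append((n, f"{key} changed from {first_value} (line {first_line}) "
                                f"to {value}; the later value wins"))
        effective[key] = (n, value)
    for key, want in baseline.items():
        if key not in effective:
            findings.append((0, f"{key} not set; baseline is {want}"))
        elif effective[key][1] != want:
            findings.append((effective[key][0], f"{key} = {effective[key][1]}; baseline is {want}"))
    return findings, {k: v for k, (_, v) in effective.items()}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysctl.conf"
    with open(path) as fh:
        for line_no, msg in audit_sysctl(fh.read())[0]:
            print(f"{path}:{line_no}: {msg}")
```

The file only tells you what will be applied at the next sysctl -p; to check what the running kernel actually has, compare the returned effective dict against the output of sysctl -a, since a later script or a distribution drop-in under /etc/sysctl.d can override the main file.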
8.) FTP Hardening – Secure FTP software by upgrading to latest version
FTP: In WHM >> Service Configuration, there is an option to change 2 settings for FTP. By default
the first will be set to use pure-ftpd (this is good) and
the second is to allow anonymous FTP (this is very bad).
turn anonymous OFF.
How many FTP logons you allow each account in your Feature Lists. Up to 3 is fine - anything over 10 is getting silly and simply invites your users to use your server for file sharing.
===
OR
===
"Hardening Pure-FTPd/ProFTPD"
cp -p /etc/pure-ftpd.conf /etc/pure-ftpd.conf.bk
vi /etc/pure-ftpd.conf
AnonymousOnly no
NoAnonymous yes
PassivePortRange 30000 30050
9.) TMP Hardening – secure /tmp with cPanel's script:
/scripts/securetmp
10.) Secure and Optimize Apache – Tweak apache for a better performance, stability and security.
[root@host /] vim /etc/httpd/conf/httpd.conf
This list is a composite of the settings we will be reviewing from fresh install on a cPanel server:
===
OR AT WHM Home » Service Configuration » Apache Configuration
===
MinSpareServers 5
MaxSpareServers 10
ServerLimit 600
MaxClients 600
MaxRequestsPerChild 0
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3
Timeout 30
===========
Timeout 300
Usually this value doesn’t require editing and a default of 300 is sufficient. Lowering the ‘Timeout’ value will cause a long running script to terminate earlier than expected.
On virtualized servers like VPS servers, lowering this value to 100 can help improve performance.
KeepAlive On
This setting should be “On” unless the server is getting requests from hundreds of IPs at once.
High volume and/or load balanced servers should have this setting disabled (Off) to increase connection throughput.
MaxKeepAliveRequests 100
This setting limits the number of requests allowed per persistent connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.
It is recommended to keep this value at 100 for virtualized accounts like VPS accounts. On dedicated servers it is recommended that this value be modified to 150.
KeepAliveTimeout 15
The number of seconds Apache will wait for another request before closing the connection. Setting this to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
It is recommended that this value be lowered to 5 on all servers.
MinSpareServers 5
This directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer spare servers idle than specified by this value, then the parent process creates new children at a maximum rate of 1 per second. Setting this parameter to a large number is almost always a bad idea.
Liquidweb recommends adjusting the value for this setting as follows:
Virtualized server, i.e. VPS: 5
Dedicated server with 1-2 GB RAM: 10
Dedicated server with 2-4 GB RAM: 20
Dedicated server with 4+ GB RAM: 25
===========
11.)WHM Tweaking – Tweak WHM for better security and performance.
Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
12.) PHP Tightening – Tweak PHP by changing
Edit php.ini as per need
[root@server ]# nano /usr/local/lib/php.ini
safe_mode = On
allow_url_fopen = Off
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, popen, proc_open, allow_url_fopen, ini_set
13.) PHP Upgrade – Compile PHP to its latest stable version, which increases server security.
/scripts/easyapache
14.)Shell Fork Bomb/Memory Hog Protection
Home » Security Center » Shell Fork Bomb Protection
15.)ClamAV – Is a cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses
Main >> cPanel >> Manage Plugins
* Install clamav
Tick ClamAV
*********
cd /usr/local/src/
wget http://sourceforge.net/projects/clamav/files/clamav/0.95.2/clamav-0.95.2.tar.gz/download
tar -zxvf clamav-0.95.2.tar.gz
cd clamav-0.95.2
useradd clamav
./configure
make
make install
ldconfig
yum install zlib zlib-devel
*********
* Run the scan
[root@server ]# clamscan -r /home
In WHM -> Plugins -> ClamAV Connector, ensure that "Scan Mail" is checked.
clamscan -ir / -l clamscanreport
15.)System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
cd /usr/src/
wget http://www.rfxn.com/downloads/sim-current.tar.gz
tar zxf sim-current.tar.gz
cd sim-3*
./setup -i
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.httpd.*/init.httpd on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.mysqld.*/init.mysqld on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.exim.*/init.exim on/" /usr/local/sim/config/mods.control
sim -j
16.) SPRI – Tool for changing the priority of the different processes running on the server according to their level of importance, thereby increasing the performance and productivity of the server.
cd /usr/src
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar zxvf spri-current.tar.gz
cd spri-0*
./install.sh
spri -v
17.)MySQL optimization – Optimize MySQL value for better performance and stability
/usr/local/cpanel/3rdparty/mysqltuner/mysqltuner.pl
#DO NOT MODIFY THE FOLLOWING COMMENTED LINES!
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb
[mysqld_safe]
open_files_limit = 8192
[mysqldump]
quick
max_allowed_packet = 16M
[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M
MySQL parameters like query_cache_size, key_buffer_size, table_cache, sort_buffer_size, read_rnd_buffer_size, thread_cache_size, tmp_table_size etc. should be altered according to your server status.
18.) Root Logger – Root login e-mail alert
1. Log in as root
2. cd /root
3. vi .bashrc
4. Scroll to the end of the file, then add the following (one line):
echo "ALERT - Root Shell Access (YourServerName) on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@yourdomain.com
Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual email address
19.)MyTOP – A console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL
/scripts/realperlinstaller --force Getopt::Long
/scripts/realperlinstaller --force DBI
/scripts/realperlinstaller --force DBD::mysql
/scripts/realperlinstaller --force Term::ReadKey
wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
tar zxpfv mytop-1.6.tar.gz
cd mytop-1.6
perl Makefile.PL && make && make install
If you get the error message 'Error in option spec: "long|!"' when running mytop, do the following to fix it.
After running perl Makefile.PL, edit the mytop script inside the installation location and search for the line
"long|!" => \$config{long_nums},
and comment it out:
#"long|!" => \$config{long_nums},
then run make install from the source directory to install the altered mytop script.
After installing mytop you need to create a new file /root/.mytop (the mytop config file for root) with the lines below (the MySQL root password is in /root/.my.cnf):
user=root
pass=<your mysql password>
host=localhost
db=mysql
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1
To start it:
mytop -d mysql
20.)MultiTail – MultiTail is a program for monitoring multiple log files, in the fashion of the original tail program
cd /usr/src/
wget http://www.vanheusden.com/multitail/multitail-5.2.12.tgz
tar zxvf multitail-5.2.12.tgz
cd multitail-*
yum install ncurses ncurses-devel -y
make install
multitail -i /etc/host.conf -i /etc/sysctl.conf
21.)Mod_Security – ModSecurity is an embeddable web application firewall.
To install mod_security, go to WHM => EasyApache (or alternatively via CLI, run /scripts/easyapache). After you select your Apache and PHP versions,
you’ll be brought to the Short Options page. Select mod_security from the list, then proceed with the build.
When the build is done, mod_security will be installed. The files are kept in the following location:
/usr/local/apache/conf/modsec2.user.conf
Mod Security once installed, provides some default rules. The file with the rules resides under /usr/local/apache/conf/
The file modsec2.user.conf.default contains the rules which should be copied over to modsec2.user.conf.
cp -p modsec2.user.conf.default modsec2.user.conf
Restart the httpd service once.
**********
http://www.modsecurity.org/documentation/quick-examples.html
mod_security rules
http://www.webhostingtalk.com/showthread.php?t=1072701
http://www.apachelounge.com/viewtopic.php?t=74
**********
When hack attempts are identified by mod_security, they are logged in /usr/local/apache/logs/audit_log with the IP of the offender and what rule was violated.
Visitors that trigger mod_security rules are greeted with a “406: Not Acceptable” error when doing so.
However, mod_security does occasionally block legitimate website access attempts,
specifically for software that happens to make calls consistent with a specific rule that mod_security is configured to block.
Therefore, you may wish to either disable that rule, or disable mod_security for a specific domain or part of your website.
Doing this is rather easy from command line.
First, open up your httpd.conf (/usr/local/apache/conf/httpd.conf) and locate your domain’s <virtualhost> block.
Under it you’ll see a line like this that is commented out:
# Include "/usr/local/apache/conf/userdata/std/2/$user/$domain/*.conf"
Uncomment this line, then create the folder indicated (note that $user is your username, and $domain is your domain name):
mkdir -p /usr/local/apache/conf/userdata/std/2/$user/$domain/
cd /usr/local/apache/conf/userdata/std/2/$user/$domain/
Create a file called modsec.conf, and insert this line:
SecRuleEngine Off
To apply, restart Apache
====
OR
====
Disabling Mod-Security for a single account
To disable the mod_security for a particular account, just add the following in the users .htaccess file
SecFilterEngine Off
SecFilterScanPOST Off
If mod_security2
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
22.) Mod_Evasive – mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool and can be easily configured to talk to ipchains, firewalls, routers, and more.
Download the latest source file from http://www.zdziarski.com
cd /usr/local/src/
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
tar -xvzf mod_evasive_1.10.1.tar.gz
cd mod_evasive/
We also have cPanel running on this box, so, to install, we run the following:
/usr/local/apache/bin/apxs -i -a -c mod_evasive20.c
That will create an entry in the httpd.conf file, and, if we want to retain it after an upgrade/rebuild, we need to tell cPanel not to take it out. To do this, run:
/usr/local/cpanel/bin/apache_conf_distiller --update
Now, to change the settings for mod_evasive, we need to add them somewhere. All we have done so far is install the actual module into Apache; even after a restart it would not be using it. I like to add things into my include files either through WHM or directly in the terminal. To do this, run the following:
vim /usr/local/apache/conf/includes/post_virtualhost_2.conf
Once the file is open, lets add in the following lines to the bottom of the file:
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 3600
DOSEmailNotify root
=====
OR
=====
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSBlockingPeriod 600
</IfModule>
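To see what those directives mean in practice, here is an added Python simulation (it is neither mod_evasive's code nor from the original post) that replays Combined Log Format lines through the two thresholds the directives describe: more than DOSPageCount requests for one URI within DOSPageInterval seconds, or more than DOSSiteCount requests to the site within DOSSiteInterval seconds, and the client is blocked for DOSBlockingPeriod seconds. The counting uses a sliding window, which approximates rather than reproduces mod_evasive's hash-table bookkeeping, and the log lines are constructed with documentation addresses, using the first configuration block's values.

```python
"""Replay web-server log lines through mod_evasive-style thresholds.

Added example, not mod_evasive's implementation and not from the original
post. SAMPLE_LOG is constructed (RFC 5737 documentation addresses).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

CONFIG = {  # same names as the Apache directives; values from the post's first block
    "DOSPageCount": 2, "DOSPageInterval": 1,
    "DOSSiteCount": 50, "DOSSiteInterval": 1,
    "DOSBlockingPeriod": 3600,
}

SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2013:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [24/Feb/2013:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [24/Feb/2013:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.9 - - [24/Feb/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.9 - - [24/Feb/2013:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.9 - - [24/Feb/2013:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [24/Feb/2013:10:00:30 +0000] "GET /about.html HTTP/1.1" 403 0
"""

# client, timestamp, method+URI from a Combined/Common Log Format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d+ \S+')


def parse_line(line):
    """Return (ip, uri, unix_time) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group(1), m.group(3), when


class Evasive:
    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.page = defaultdict(deque)  # (ip, uri) -> recent request times
        self.site = defaultdict(deque)  # ip -> recent request times
        self.blocked = {}               # ip -> time the block expires

    @staticmethod
    def _hits(window, now, interval):
        """Record a hit and return how many hits fall inside the last `interval` seconds."""
        window.append(now)
        while window and window[0] < now - interval:
            window.popleft()
        return len(window)

    def request(self, ip, uri, now):
        """Return True if the request is served, False if the client is (or becomes) blocked."""
        until = self.blocked.get(ip)
        if until is not None:
            if now < until:
                return False            # still inside DOSBlockingPeriod
            del self.blocked[ip]
        cfg = self.cfg
        page_hits = self._hits(self.page[(ip, uri)], now, cfg["DOSPageInterval"])
        site_hits = self._hits(self.site[ip], now, cfg["DOSSiteInterval"])
        if page_hits > cfg["DOSPageCount"] or site_hits > cfg["DOSSiteCount"]:
            self.blocked[ip] = now + cfg["DOSBlockingPeriod"]
            return False
        return True


def replay(log_text, cfg=CONFIG):
    """Return [(ip, uri, served)] decisions in log order."""
    engine, decisions = Evasive(cfg), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, uri, when = parsed
        decisions.append((ip, uri, engine.request(ip, uri, when)))
    return decisions


if __name__ == "__main__":
    for ip, uri, served in replay(SAMPLE_LOG):
        print(f"{ip:14} {uri:12} {'served' if served else 'BLOCKED'}")
```

With DOSPageCount 2 and DOSPageInterval 1, the third hit on /index.php from 203.0.113.5 in the same second trips the page threshold and the client stays blocked half a minute later; 198.51.100.9 makes the same three requests spaced two seconds apart and is never blocked. Replaying a day of real access_log through this with your candidate values is a cheap way to estimate how many legitimate clients (shared NATs, crawlers) a setting would catch before you enable it.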
23.)Maldetect -
cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh
cd ..
To run the maldet
maldet -a /
Friday, February 15, 2013
DomainKeys (DKIM) and SPF Installations cpanel
DomainKeys (DKIM) and SPF records are becoming a common, and annoying, demand among email providers, mainly Yahoo and Hotmail. In short, both are methods of email authentication designed to verify email integrity, by linking a sender to a specific server or hostname. In other words, DomainKeys and SPF records specify what servers can send email on behalf of a domain name.
/usr/local/cpanel/bin/domain_keys_installer $user
/usr/local/cpanel/bin/spf_installer $user
# /usr/local/cpanel/bin/dkim_keys_install <CPANELUSER>
# /usr/local/cpanel/bin/spf_installer <CPANELUSER>
for user in `ls -A /var/cpanel/users` ; do /usr/local/cpanel/bin/dkim_keys_installer $user && /usr/local/cpanel/bin/spf_installer $user ; done
To verify an SPF record and/or DomainKey, you can run a DNS check:
dig default._domainkey.$domain TXT
dig $domain TXT
SPF
domain.co 14400 IN TXT "v=spf1 +a +mx +ip4:108.163.165.58 ?all"
%domain%. IN TXT "v=spf1 a mx ptr ~all"
Or put this:
domain.extension. IN TXT "v=spf1 a mx ip4:XXX.XXX.XXX.XXX ?all"
where XXX.XXX.XXX.XXX is the primary IP of the network interface, not a shared or dedicated hosting IP.
DKIM
default._domainkey 14400 IN TXT "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAJXzC1vhEoH7yfJfusEWNkFz6DbcS1Ij/fAGi30HltiprZowdlCKIXq1TIWFjJE2vOOxJCnOSYMjxiLYXBzrDN9jVH8sd8H/ZpVMdvV7PUVPWOlbRYIqLwqBM8dvnxzmEvvrXP1r2nNviWrALARt1kJDr5EI+xzCNvfDxXKGDzwIDAQAB\;"
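Two things in the records above are worth checking before you publish: the "?all" qualifier makes the SPF policy neutral, which receivers treat much like having no policy at all ("~all" or "-all" is what you want once every legitimate sender is listed), and the DKIM key shown is a 1024-bit RSA key, whereas 2048 bits is the size to generate today. As an added example (not from the original post and not cPanel's code), here is a Python checker that parses both record types, validates the ip4/ip6 values, decodes the p= key and reports such weaknesses. The sample records are constructed (documentation IP, dummy key bytes).

```python
"""Parse SPF and DKIM TXT records and flag weak settings before publishing.

Added example, not from the original post or cPanel's installers. The sample
records are constructed: a documentation IP and a dummy 162-byte DER blob
that has the size of a 1024-bit RSA SubjectPublicKeyInfo.
"""
import base64
import ipaddress

SPF_SAMPLE = "v=spf1 a mx ip4:192.0.2.10 ?all"
DKIM_SAMPLE = "v=DKIM1\\; k=rsa\\; p=" + base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()

RSA_2048_SPKI_DER_LEN = 294   # DER length of a 2048-bit RSA SubjectPublicKeyInfo


def parse_spf(record):
    """Return {'mechanisms': [(qualifier, name, value)], 'findings': [str]}."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, findings = [], []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, sep, value = term.partition(":")
        if not sep:                          # modifiers use '=' (redirect=, exp=)
            name, _, value = term.partition("=")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"bad {name} value {value!r}")
        elif name == "ptr":
            findings.append("ptr is discouraged by RFC 7208 (slow and unreliable to evaluate)")
        mechanisms.append((qualifier, name, value))
    last = mechanisms[-1] if mechanisms else None
    if last is None or last[1] not in ("all", "redirect"):
        findings.append("no terminal all/redirect: unmatched senders get Neutral")
    elif last[1] == "all" and last[0] == "+":
        findings.append("+all authorizes every sender on the internet")
    elif last[1] == "all" and last[0] == "?":
        findings.append("?all is neutral: receivers treat it like no policy; prefer ~all or -all")
    return {"mechanisms": mechanisms, "findings": findings}


def parse_dkim(record):
    """Return {'tags': {...}, 'key_bytes': int, 'findings': [str]}.

    Accepts the zone-file form with '\\;' separators as well as plain ';'.
    """
    tags = {}
    for part in record.replace("\\;", ";").split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip()] = v.strip()
    findings, key_bytes = [], 0
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    ktype = tags.get("k", "rsa")
    if ktype not in ("rsa", "ed25519"):
        findings.append(f"unknown key type {ktype!r}")
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag")
    elif p == "":
        findings.append("empty p= means the key is revoked")
    else:
        try:
            der = base64.b64decode(p.replace(" ", ""), validate=True)
        except ValueError:
            findings.append("p= is not valid base64")
        else:
            key_bytes = len(der)
            if ktype == "rsa":
                if not der.startswith(b"\x30"):
                    findings.append("p= is not a DER SubjectPublicKeyInfo (no leading SEQUENCE)")
                elif key_bytes < RSA_2048_SPKI_DER_LEN:
                    findings.append(f"RSA key is {key_bytes} DER bytes, below the {RSA_2048_SPKI_DER_LEN} "
                                    f"of a 2048-bit key; generate a 2048-bit key")
    return {"tags": tags, "key_bytes": key_bytes, "findings": findings}


if __name__ == "__main__":
    for label, result in (("SPF", parse_spf(SPF_SAMPLE)), ("DKIM", parse_dkim(DKIM_SAMPLE))):
        for finding in result["findings"]:
            print(f"{label}: {finding}")
```

Feed the checker the TXT strings returned by the dig commands above; the DKIM parser strips the backslash-escaped semicolons that cPanel writes into the zone file, so the record can be pasted exactly as it appears there.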