do the Linux!: February 2010

1)Never work with root accout.You can create an admin account.

useradd & passwd vpsadmin

add some basic permissions to the account. By adding the user to the wheel group we are giving it some administrative rights.

usermod -a -G wheel vpsadmin

2)SSH security

vim /etc/ssh/sshd_config

Port 12345

PermitRootLogin no

/etc/init.d/sshd restart

3)Install firewall (APF)

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xvf apf-current.tar.gz

cd apf-current.tar.gz

./install.sh

vim /etc/apf/conf.ap

First look for the line that says

DEVEL_MODE=”1″

Leaving this option as “1″ will disable your firewall after 5 minutes, so make sure to change it to “0″.

So replace 1 eith 0 and it look like this:-

DEVEL_MODE=”0″

Next, take a look at the allowed inbound ports. You should see something like

IG_TCP_CPORTS=”22,80,443″

Notice that port 22, the default SSH port is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website.

If you want to open any port, you have to give an entry in to the above place.

By default, APF will not filter outbound traffic but if would like to change that look for the following line

EGF=”0″

And change this value to “1″. On the line directly below it you should see the allowed outbound ports

EG_TCP_CPORTS=”21,25,80,443″

Change these if you have enabled outbound filtering and save the firewall config. Now we should add the firewall to start when we reboot our VPS and enable it

chkconfig --add apf

chkconfig --level 345 apf on

/etc/init.d/apf start

4)SECURING CPANEL AND WHM

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items...

Under Domains

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail

Attempt to prevent pop3 connection floods

Default catch-all/default address behavior for new accounts - blackhole

(SET TO FAIL)

Under System

Use jailshell as the default shell for all new accounts and modified accounts

Goto Security =>> Security Center

Enable php open_basedir Protection

Enable mod_userdir Protection

Disabled Compilers for unprivileged users.

Goto Security =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.

Goto Security =>> Security Center =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration

Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access

Disable Shell Access for all users

Goto Mysql =>> MySQL Root Password

Change root password for MySQL (Use a very hard, random password that is not used elsewhere as the chances of actually using it are probably slim and actually using it for databases is a security risk.)

Goto Security and run Quick Security Scan and Scan for Trojan Horses often.

6)INSTALLING CSF

wget http://www.configserver.com/free/csf.tgz

tar -zxf csf.tar.gz

sh /csf/install.sh

If you want to remove apf or any other firewall,

sh /etc/csf/remove_apf_bfd.sh

For starting firewall---

csf -s

restart the firewall---

csf -r

flush the rules or stop the firewall.

csf -f

If you are running a VPS plan,

Open the /etc/csf/csf.conf and look for a line MONOLITHIC_KERNEL = "0" and change to

MONOLITHIC_KERNEL = "1"

Config Files

/etc/csf/csf.conf => CSF Firewall configuration file

/etc/csf/csf.allow => Config file to allow IPs

/etc/csf/csf.deny => Config file to deny IPs

/etc/csf/ => Alert files with TXT extension are stored within this directory

Harden the firewall security by performing the system security check. To do this go to Cpanel WHM > CSF Firewall & Security > Check System Security. There it will list WARNINGS based on your server.

-bash-3.2# chkconfig --add csf

-bash-3.2# chkconfig --level 345 csf on

-bash-3.2# chkconfig --list | grep csf

csf 0:off 1:off 2:on 3:on 4:on 5:on 6:off

-bash-3.2#

Remove the CSF Firewall

sh /etc/csf/uninstall.sh

7)Install a root breach DETECTOR and EMAIL WARNING

vim .bash_profile

add the following line..

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com

Set an SSH Legal Message

----------------------------

To an SSH legal message, SSH into server and login as root.

At command prompt type:

vim /etc/motd

Enter your message, save and exit.

Note: I use the following message…

ALERT! You are entering a secured area! Your IP and login information

have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on

this system are recorded and logged. Unauthorized access will be fully

investigated and reported to the appropriate law enforcement agencies.

=========================================

9)) Securing /tmp

first check whether /tmp is exist or not using df -h

Finally, if you don’t have the ability to create a fresh /tmp partition on existing drives, you can use the loopback capabilities of the Linux kernel by creating a loopback filesystem that will be mounted as /tmp and can use the same restrictive mount options. To create a 1GB loopback filesystem, execute:

# dd if=/dev/zero of=/.tmpfs bs=1024 count=1000000

# mke2fs -j /.tmpfs

# cp -av /tmp /tmp.old

# mount -o loop,noexec,nosuid,rw /.tmpfs /tmp

# chmod 1777 /tmp

# mv -f /tmp.old/* /tmp/

# rmdir /tmp.old

Once this is complete, edit /etc/fstab to have the loopback filesystem mounted automatically at boot:

/.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0

Little things like ensuring proper permissions and using restrictive mount options will prevent a lot of harm coming to the system. If a bot lands on a filesystem that is unable to execute, that bot is essentially worthless

10)securing /etc/sysctl.conf

------------------------------

vim /etc/sysctl.conf

1)If you're not forwarding traffic between interfaces or if you have only a single interface, its usually a good idea to disable forwarding:

/proc/sys/net/ipv4/ip_forward 0

2)rp_filter can reject incoming packets if their source does not match the networks interface from which they are arriving from. This is a good way to prevent IP spoofing (usually not a good idea if you have several IP addresses on different interfaces or if a single interface has multiple IP addys).

/proc/sys/net/ipv4/conf/all/rp_filter 1

3)Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.tcp_syncookies = 1

4)Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_source_route = 0

5)Disable ICMP Redirect Acceptance

ICMP redirects are used by routers

to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the hosts's routing table by causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.accept_redirects = 0

6)Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.rp_filter = 1

7)Enable Ignoring Broadcasts Request

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_echo_ignore_broadcasts = 1

8)Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.icmp_ignore_bogus_error_responses = 1

9)Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:

net.ipv4.conf.all.log_martians = 1

-----------------------------------------------------------------------

11)Securing /dev/shm

Rename it and create a symbolic link to /tmp:

mv /var/tmp /var/tmp1

ln -s /tmp /var/tmp

vim /etc/fstab

change:

"none /dev/shm tmpfs defaults,rw 0 0" to

"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"

mount -a

-----------------------------------------------------------

12) Harden host.conf

Log into each server as root.

Edit the /etc/host.conf file.

Ensure this file has the following settings:

# Lookup names via DNS first then fall back to etc/hosts.

order bind,hosts

# We have machines with multiple IP addresses.

multi on

# Check for IP address spoofing.

nospoof on

spoofalert on

Save the file.

for details see :--------

http://www.faqs.org/docs/securing/chap5sec39.html

--------------------------

13) Installing rootkit

RKHunter - (RootKit Hunter) Is a security scanning tool which will scan for rootkits, backdoors, and local exploits. RKHunter will ensure you about 99.9% that your dedicated web server is secure.

1. Login to your server via SSH as root.

Then Type: cd /usr/local/src/

2. Download RKHunter Version 1.1.4

Type: wget http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz

3. Extract files

Type: tar -xzvf rkhunter-1.3.0.tar.gz

4. Type: cd rkhunter-1.3.0.tar.gz

5. Type: ./installer.sh --help

The default should do

./installer.sh --layout /usr/local --install

vi /etc/cron.daily/rkhunter.sh

#!/bin/bash

(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan

Report" email@domain.com)

chmod 700 /etc/cron.daily/rkhunter.sh

rkhunter --update

14)apache OPtimizing

change Timeout 300 to

Timeout 45

# change KeepAlive Off to

KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow

# during a persistent connection. Set to 0 to allow an unlimited amount.

# We recommend you leave this number high, for maximum performance.

# -- change MaxKeepAliveRequests 100 to 500

MaxKeepAliveRequests 500

# KeepAliveTimeout: Number of seconds to wait for the next request from the

# same client on the same connection.

# change KeepAliveTimeout 15 to

KeepAliveTimeout 5

# Increase MaxClients after benchmarking. mine is

MaxClients 200

# Turn off ServerSignature

ServerSignature Off

#ServerTokens Product

ServerTokens ProductOnly

More Details

http://www.mysql-apache-php.com/basic-linux-security.htm

15)APF in lxadmin

This may help, I have modified a tutorial for apf so it will work for LXAdmin. If you see any changes that need to be made let me know.

Important: Be sure Iptables were enabled when the VM was created (openvz)

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd apf-0.9.6-2/ or whatever the latest version is.

5. Run the install file: ./install.sh

You will receive a message saying it has been installed

Installing APF 0.9.6-2: Completed.

Installation Details:

Install path: /etc/apf/

Config path: /etc/apf/conf.apf

Executable path: /usr/local/sbin/apf

AntiDos install path: /etc/apf/ad/

AntiDos config path: /etc/apf/ad/conf.antidos

DShield Client Parser: /etc/apf/extras/dshield/

Other Details:

Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,7776,7777,7778, 7779,3306

Listening UDP ports: 53,55880

Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

6. Lets configure the firewall: pico /etc/apf/conf.apf (or nano /etc/apf/conf.apf)

We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org's "block" list of top networks that have exhibited

suspicious activity.

FIND: USE_DS="0"

CHANGE TO: USE_DS="1"

Find the following lines:

IFACE_IN="eth0"

IFACE_OUT="eth0"

and change them to

IFACE_IN="venet0"

IFACE_OUT="venet0"

7. Configuring Firewall Ports:

LxAdmin Servers

We like to use the following on our Cpanel Servers

Common ingress (inbound) ports

# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD

IG_TCP_CPORTS="21,22,25,53,80,110,143,443,7777,7778,7779,3000_3500 "

# Common ingress (inbound) UDP ports

IG_UDP_CPORTS="53"

Common egress (outbound) ports

# Egress filtering [0 = Disabled / 1 = Enabled]

EGF="1"

# Common egress (outbound) TCP ports

EG_TCP_CPORTS="21,25,80,443,43,7777,7778,7779"

# Common egress (outbound) UDP ports

EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y

8. Starting the firewall

/usr/local/sbin/apf -s

Other commands:

usage ./apf [OPTION]

-s|--start ......................... load firewall policies

-r|--restart ....................... flush & load firewall

-f|--flush|--stop .................. flush firewall

-l|--list .......................... list chain rules

-st|--status ....................... firewall status

-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and

immediately load new rule into firewall

-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and

immediately load new rule into firewall

9. After everything is fine, change the DEV option

Stop the firewall from automatically clearing itself every 5 minutes from cron.

We recommend changing this back to "0" after you've had a chance to ensure everything is working well and tested the server out.

pico /etc/apf/conf.apf

FIND: DEVM="1"

CHANGE TO: DEVM="0"

10. Configure AntiDOS for APF

Relatively new to APF is the new AntiDOS feature which can be found in: /etc/apf/ad

The log file will be located at /var/log/apfados_log so you might want to make note of it and watch it!

pico /etc/apf/ad/conf.antidos

There are various things you might want to fiddle with but I'll get the ones that will alert you by email.

# [E-Mail Alerts]

Under this heading we have the following:

# Organization name to display on outgoing alert emails

CONAME="Your Company"

Enter your company information name or server name..

# Send out user defined attack alerts [0=off,1=on]

USR_ALERT="0"

Change this to 1 to get email alerts

WordPress is an open source blog publishing application. WordPress is the official successor of b2\cafelog which was developed by Michel Valdrighi. The latest release of WordPress is version 2.7.1, released on 10 February 2009.WordPress has a templating system, which includes widgets that can be rearranged without editing PHP or HTML code, as well as themes that can be installed and switched between. The PHP and HTML code in themes can also be edited for more advanced customizations. WordPress also features integrated link management; a search engine-friendly, clean permalink structure; the ability to assign nested, multiple categories to articles; multiple author capability; and support for tagging of posts and articles. Automatic filters that provide for proper formatting and styling of text in articles (for example, converting regular quotes to smart quotes) are also included. WordPress also supports the Trackback and Pingback standards for displaying links to other sites that have themselves linked to a post or article. Finally, WordPress has a rich plugin architecture which allows users and developers to extend its functionality beyond the features that come as part of the base install.

The instllation of wordpress is quite simple.

1)Download the latest version of wordpress and extract it.

2)Place the WordPress files in the desired location on your web server,using FTP

* If you want to integrate WordPress into the root of your domain (e.g. http://example.com/), move or upload all contents of the unzipped WordPress directory (but excluding the directory itself) into the root directory of your web server.

* If you want to have your WordPress installation in its own subdirectory on your web site (e.g. http://example.com/blog/), rename the directory wordpress to the name you'd like the subdirectory to have and move or upload it to your web server. For example if you want the WordPress installation in a subdirectory called "blog", you should rename the directory called "wordpress" to "blog" and upload it to the root directory of your web server.

3)Here i am uploading the folder(blog) to public_html, using ftp. Make sure that you upload the folder as a user, not the root.

4)now goto the cpanel,and create a mysql user and a database.please remember the dbname, user and password.

5)then goto filemanager, inside the uploaded folder (blog), edit the file wp-config-sample.php

6)rename the wp-config-sample.php to wp-config.php.

7)edit the wp-config.php and insert the db details of the one which we have created.

Here is the default wp-config-sample.php, you will need to replace the default values in this file with your own specific database settings.

define('DB_NAME', 'putyourdbnamehere'); // The name of the database

define('DB_USER', 'usernamehere'); // Your MySQL username

define('DB_PASSWORD', 'yourpasswordhere'); // ...and password

define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value

usually the DB_HOST must be 'localhost'.if it is not working contact your web hosting provider.

8)Run the WordPress installation script by accessing wp-admin/install.php in your favorite web browser.

* If you installed WordPress in the rootl directory, you should visit: http://example.com/wp-admin/install.php

* If you installed WordPress in its own subdirectory called blog, for example, you should visit: http://example.com/blog/wp-admin/install.php

9)The instllation process will now beging. The screen shots fir the instllation is given below.

10)goto www.yourdomain.com/blog/wp-login.php to login for the next time.

do the Linux!

Wednesday, February 17, 2010

Error "psa dead but subsys locked" is shown when check status of Parallels Plesk Panel from the command line

Error "psa dead but subsys locked" is shown when check status of Parallels Plesk Panel from the command line

Cause

Resolution

Monday, February 1, 2010

sysctl hardening

Securing Your Server

HyperVM/Kloxo

How to install wordpress!

Followers

Blog Archive

About Me