December 18, 2009

Some useful tips

find /usr/local/apache/domlogs -type f -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;
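To see what that sweep catches, and what it over-catches, here is an added shell example (not part of the original post) that runs the same egrep pattern over a few constructed Apache access-log lines. The log lines and the temp file are constructed for illustration; on a cPanel box you would point scan_domlog at the files under /usr/local/apache/domlogs instead.

```shell
#!/bin/sh
# Added example: exercise the post's domlog egrep against constructed log
# lines. The sample log and paths here are made up for illustration.

# The pattern from the post: a command name followed by a URL-encoded space.
PATTERN='(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20'

# Write a constructed cPanel-style domlog (Apache combined format) to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.10 - - [18/Dec/2009:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Dec/2009:10:02:14 +0000] "GET /index.php?page=http://example.invalid/r.txt?cmd=wget%20http://example.invalid/x HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.12 - - [18/Dec/2009:10:03:45 +0000] "GET /gallery.php?id=cd%20/tmp;perl%20x.pl HTTP/1.1" 500 0 "-" "libwww-perl/5.8"
203.0.113.13 - - [18/Dec/2009:10:04:00 +0000] "GET /search.php?q=touch%20screen%20laptop HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Print every matching line, prefixed with the file name (the egrep -iH
# from the post). Never fails, so it is safe to loop over many files.
scan_domlog() {
    grep -Ei -H "$PATTERN" "$1" || true
}

# Number of matching lines in one file (0 when clean), for a cron job that
# only mails when something turned up.
count_hits() {
    grep -Eic "$PATTERN" "$1" || true
}

# Unique source IPs behind the hits, for triage and for firewall review.
suspicious_ips() {
    grep -Ei "$PATTERN" "$1" | awk '{print $1}' | sort -u
}

# Usage: . ./scan.sh; for f in /usr/local/apache/domlogs/*; do scan_domlog "$f"; done
```

Three of the four constructed lines match. Two are the remote-include and command-injection attempts the post is hunting; the third is a harmless search for "touch screen laptop", which shows why the sweep produces a triage list rather than proof: any of those short words followed by an encoded space will hit, so each match still needs a look at the script that was requested.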

in php.ini:

disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec"

1) The attacker finds a hole in your user's local PHP script.
2) They inject their own PHP code from a remote file, making it run as if they had uploaded the page by regular FTP.
3) There are numerous ways you can easily collect the usernames of accounts, very very very easy.
4) You can then start to brute-guess passwords of user accounts.
5) You can then start scouring the server for local exploits and use them to your advantage. EG: The script you mentioned in that include checks to see if wget, gcc and other system binaries are on the system and accessible for the attacker to use.
6) With a list of what's installed and what they can use, they can now download hacks and start trying to crack your machine and compiling code attempting to gain root, etc.
7) They can search any and all 777 permission files/directories and inject whatever they feel like. Good times for them, crappy time for the site owners and server owners to clean up the mess.


Preventing this is a combination of things that I won't go into complete details about, but I'll brief over so you get the idea.
1) Lock your system binaries, like wget, gcc, and others, to stop anyone from using them.
2) Secure PHP by disabling functions used such as: proc_open, exec, system, passthru and so on.
3) Make sure PHP/Apache is up to date.
4) Install mod_security and have a CURRENT ruleset! Mod_security through the cPanel install has NO ruleset! I have rulesets I give all my clients which are tried, tested and true.
5) Have a current kernel installed; there are many exploits that still work on a lot of providers.

Reference :

http://forums.cpanel.net/showthread.php?t=62821&highlight=all+index+page+got+hacked

More is below.

===========================================================================
Secure your Linux server:
===========================================================================
1. Kernel recompile with GR security
2. firewall = CSF
3. Stop unnecessary processes
4. Logcheck
5. Logwatch

Optimizing host.conf and sysctl.conf: http://www.eth0.us/node/104

To modify Logwatch, SSH into the server and log in as root.
At the command prompt type: pico -w /etc/log.d/conf/logwatch.conf
Scroll down to
MailTo = root
and change it to
MailTo = your@email.com
Note: Set the e-mail address to an offsite account in case you get hacked.
Now scroll down to
Detail = Low
Change that to Medium or High:
Detail = 5 or Detail = 10
Note: High will give you more detailed logs with all actions.
Save and exit.
6. WHM configuration check
7. OpenSSH configuration check
8. Switch from proftpd to pure-ftpd
9. Rootkit Hunter
rkhunter:
-----------
1. Log in to your server via SSH as root.
Then type: cd /usr/local/src/
2. Download RKHunter version 1.1.4
Type: wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
3. Extract the files
Type: tar -xzvf rkhunter-1.1.4.tar.gz
4. Type: cd rkhunter
5. Type: ./installer.sh
6. Let's set up RKHunter to e-mail you daily scan reports.
Type: pico -w /etc/cron.daily/rkhunter.sh
Add the following:
#!/bin/bash
# Daily rkhunter scan; the full report (stdout and stderr) is mailed to the address below.
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)
Replace the e-mail above with your e-mail!!
It is best to send the e-mail to an address off-site so that if the box IS compromised the hacker can't erase the scan report unless he hacks another server too.
Type: chmod +x /etc/cron.daily/rkhunter.sh
10. Chkrootkit
Installing chkrootkit
------------------
[root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
[root@server ~]# tar xvfz chkrootkit.tar.gz
[root@server ~]# ./chkrootkit*/chkrootkit
11. mod_security
12. mod_evasive
13. Host spoof protection
14. Operating System check
15. Name server configuration check
16. Disk check
17. Kernel check
18. Apache tune and check
19. MySQL tune and check
20. Enhanced log rotation
21. Day of the week backup rotations
22. Secure /tmp /var/tmp /dev/shm
23. Libsafe for 2.4 kernels
24. Exploit check
25. Delete unnecessary OS users
26. Disable open DNS recursion
27. Enhanced path protection
28. Remove SUID/GUID from binaries
29. PHP hardening
30. phpsuexec
31. Disable vulnerable phpBB installs
32. Initial cPanel configuration
33. Check iptables is configured
34. Check incoming MySQL port
35. Check /etc/cron.daily/logrotate
36. Check /etc/resolv.conf for localhost entry
37. Check /etc/named.conf for recursion restrictions
38. Check server runlevel
39. Check nobody cron
40. Check Operating System support
41. Check SSHv1 is disabled
42. Check SSH on non-standard port
43. Check SSH PasswordAuthentication
44. Check telnet port 23 is not in use
45. Check shell limits
46. Check Background Process Killer
47. Check root forwarder
48. Check exim for extended logging
49. Check php for enable_dl (enable_dl = Off)
50. Check php for disable_functions:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
(allow_url_fopen is an ini directive rather than a function, so it has no effect inside disable_functions; set it separately with allow_url_fopen = Off)
51. Check php for register_globals (register_globals = Off)
52. Check php open_basedir protection
53. Check phpsuexec
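Items 49 through 52, and the php.ini fragment at the top of this post, are easy to eyeball once but drift over time. The following is an added shell example, not from the original post, that audits a php.ini against those items without needing PHP installed: it reads the directives with awk and reports which of the listed functions are missing from disable_functions. The two php.ini fragments it writes are constructed (one weak, one hardened); REQUIRED_DISABLED is the function list from item 50, and the open_basedir path in the hardened sample is a placeholder.

```shell
#!/bin/sh
# Added example: audit a php.ini against the PHP hardening items in the
# checklist (enable_dl, disable_functions, register_globals, open_basedir,
# allow_url_fopen). The two ini fragments below are constructed samples.

# Functions item 50 says must be disabled.
REQUIRED_DISABLED="show_source system shell_exec passthru exec phpinfo popen proc_open"

make_weak_ini() {
    cat > "$1" <<'EOF'
; constructed weak php.ini: every checked directive is at its loosest
[PHP]
enable_dl = On
register_globals = On
allow_url_fopen = On
disable_functions =
EOF
}

make_hardened_ini() {
    cat > "$1" <<'EOF'
; constructed hardened php.ini matching items 49-52
[PHP]
enable_dl = Off
register_globals = Off
allow_url_fopen = Off
open_basedir = /home:/usr/lib/php:/tmp
disable_functions = "show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open,dl"
EOF
}

# ini_get FILE KEY: print KEY's value; the last uncommented assignment wins,
# surrounding quotes and whitespace are removed, unset keys print nothing.
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]"]+|[[:space:]"]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# ini_is_off FILE KEY: succeed only when KEY is explicitly Off/0/false/no.
ini_is_off() {
    case "$(ini_get "$1" "$2" | tr 'A-Z' 'a-z')" in
        off|0|false|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each required function that is NOT listed in disable_functions.
missing_disabled() {
    listed=$(ini_get "$1" disable_functions | tr ',' ' ')
    for fn in $REQUIRED_DISABLED; do
        found=0
        for l in $listed; do [ "$l" = "$fn" ] && found=1; done
        [ "$found" -eq 1 ] || echo "$fn"
    done
}

# php_ini_audit FILE: one FAIL line per finding; exit status is the count.
php_ini_audit() {
    fails=0
    ini_is_off "$1" enable_dl        || { echo "FAIL enable_dl not Off"; fails=$((fails+1)); }
    ini_is_off "$1" register_globals || { echo "FAIL register_globals not Off"; fails=$((fails+1)); }
    ini_is_off "$1" allow_url_fopen  || { echo "FAIL allow_url_fopen not Off"; fails=$((fails+1)); }
    [ -n "$(ini_get "$1" open_basedir)" ] || { echo "FAIL open_basedir unset"; fails=$((fails+1)); }
    for fn in $(missing_disabled "$1"); do
        echo "FAIL $fn not in disable_functions"; fails=$((fails+1))
    done
    return "$fails"
}

# Usage: . ./phpaudit.sh; php_ini_audit /usr/local/lib/php.ini
```

Run it against the real php.ini on the box (php -i | grep php.ini shows which file is loaded) and again after every PHP rebuild; a non-zero exit status makes it simple to chain into the same cron-and-mail pattern used for rkhunter above.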
54. Check cPanel login is SSL only
55. Check boxtrapper is disabled
56. Check max emails per hour is set
57. Check whether users can reset passwords via email
58. Check whether native cPanel SSL is enabled
59. Check compilers
60. Check Anonymous FTP access
61. Check allow remote domains
62. Check block common domains
63. Check allow park domains
64. Check package updates
65. Check security updates
66. Check melange chat server
67. service cups stop; chkconfig cups off
68. service xfs stop; chkconfig xfs off
69. service atd stop; chkconfig atd off
70. service nfslock stop; chkconfig nfslock off
71. service canna stop; chkconfig canna off
72. service FreeWnn stop; chkconfig FreeWnn off
73. service cups-config-daemon stop; chkconfig cups-config-daemon off
74. service iiim stop; chkconfig iiim off
75. service mDNSResponder stop; chkconfig mDNSResponder off
76. service nifd stop; chkconfig nifd off
77. service rpcidmapd stop; chkconfig rpcidmapd off
78. service bluetooth stop; chkconfig bluetooth off
79. service anacron stop; chkconfig anacron off
80. service gpm stop; chkconfig gpm off
81. service saslauthd stop; chkconfig saslauthd off
82. service avahi-daemon stop; chkconfig avahi-daemon off
83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off
84. service hidd stop; chkconfig hidd off
85. service pcscd stop; chkconfig pcscd off
86. service sbadm stop; chkconfig sbadm off
87. service webmin stop; chkconfig webmin off
88. Add a load alert script on a 1-minute cron

#!/bin/bash
# Uptime/load alert script: mails the uptime line when the 1-minute load
# average (third field from the end of `uptime`, integer part) exceeds 4.
UP=$(uptime | awk '{print $(NF-2)}' | cut -d. -f1)
if [ "$UP" -gt 4 ]; then
    uptime | mail -s "**SERVER LOAD is $UP" mailadd@mail.com
fi

89. Ignore ping:

# iptables -A INPUT -p icmp -j DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

vi /etc/sysctl.conf
Append the following line:
net.ipv4.icmp_echo_ignore_all = 1

90. Find directories with 777 permissions.

find . -type d -perm 777

91. Check for open ports using the nmap command.
92. Disable identification output for Apache
To disable the version output for Apache, SSH into the server and log in as root.
At the command prompt type: pico /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to
ServerSignature Off
Restart Apache
At the command prompt type: /etc/rc.d/init.d/httpd restart
93. Change the ssh ListenAddress in /etc/ssh/sshd_config
94. PermitRootLogin no
95. Add a root login alert
vi .bash_profile (root's) and append:
echo "ALERT - Root Shell Access on: $(date) $(who)" | mail -s "Alert: Root Access from $(who | awk '{print $6}')" your@email.com
96. Set an SSH legal message in /etc/motd
97. Locate suspicious files:
locate shell.php
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts
98. Perform some UDP and TCP scans here:
http://www.hackerwatch.org/probe/
This site is not bad too: https://grc.com/x/ne.dll?bh0bkyd2
99. Check /var/log/secure, /var/log/messages and the other log files of running services to see if there are any issues.
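"Check the logs" is easier with a concrete question to ask of them. The following is an added shell example, not from the original post, that summarises sshd authentication events from /var/log/secure-style lines: failed passwords per source address, and any source that failed repeatedly and then got an Accepted login, which is the trace a password-guessing run leaves when it succeeds (steps 3 and 4 of the attack sequence quoted above). The log lines, host name, addresses and user names are constructed; a real run points the functions at /var/log/secure.

```shell
#!/bin/sh
# Added example: summarise sshd events from constructed /var/log/secure
# lines. Names, addresses and timestamps below are made up.

# Write a constructed /var/log/secure excerpt to $1.
make_sample_secure() {
    cat > "$1" <<'EOF'
Dec 18 10:01:02 server sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Dec 18 10:01:03 server sshd[1235]: Failed password for invalid user test from 198.51.100.7 port 40023 ssh2
Dec 18 10:01:04 server sshd[1236]: Failed password for root from 198.51.100.7 port 40024 ssh2
Dec 18 10:01:05 server sshd[1237]: Failed password for root from 198.51.100.7 port 40025 ssh2
Dec 18 10:01:06 server sshd[1238]: Failed password for root from 198.51.100.7 port 40026 ssh2
Dec 18 10:02:00 server sshd[1240]: Failed password for jdoe from 192.0.2.5 port 51000 ssh2
Dec 18 10:02:10 server sshd[1241]: Accepted publickey for jdoe from 192.0.2.5 port 51001 ssh2
Dec 18 10:06:00 server sshd[1301]: Accepted password for root from 198.51.100.7 port 40030 ssh2
EOF
}

# failed_by_ip FILE [THRESHOLD]: count "Failed password" events per source
# address and print "count ip" for every address at or above THRESHOLD
# (default 5), busiest first.
failed_by_ip() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' "$1" | sort -rn
}

# accepted_after_failures FILE [THRESHOLD]: print "ip user" for each Accepted
# login whose source address had already failed THRESHOLD or more passwords.
# A single typo before a good login stays below the threshold and is not flagged.
accepted_after_failures() {
    awk -v t="${2:-5}" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (failed[ip] >= t) print ip, user
        }' "$1"
}

# Usage: . ./sshlog.sh; failed_by_ip /var/log/secure 10; accepted_after_failures /var/log/secure 10
```

In the constructed sample, 198.51.100.7 fails five times and then logs in as root with a password, so it is reported by both functions; jdoe's one mistyped password followed by a key login is below the threshold and stays quiet. Anything accepted_after_failures reports on a real box is a reason to treat the account as compromised until proven otherwise, and to revisit items 43 and 94 (PasswordAuthentication and PermitRootLogin).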

100. Check your box to see if performance has degraded or if the machine is being overused.
For that, use the following commands:
vmstat
Displays information about memory, CPU and disk.
Ex: bash# vmstat 1 4 (where 1 is the delay and 4 is the count)
mpstat
Displays statistics about CPU utilization. This will help you see whether your CPU is overworked.
Ex: bash# mpstat 1 4 (where 1 is the delay and 4 is the count)
iostat
This command displays statistics about the disk system.
Useful options:
-d - Gives the device utilization report.
-k - Displays statistics in kilobytes per second.
Ex: bash# iostat -dk 1 4 (where 1 is the delay and 4 is the count)
sar
Displays overall system performance.
Check to see if your server has any hidden processes running.
ps
Displays the status of all known processes.
lsof
Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

101.
chmod -R 700 /etc/rc.d/init.d/*
Use rpm -Va to find out if an rpm's files have been modified.
* Apply security patches to vulnerable software (i.e. patch -p1 < patchfile)
* Remove all unneeded ttys and console logins by removing the entry from /etc/securetty
* Check system logs (e.g. /var/log/messages, /var/log/secure, etc.)
* Set a password on the boot loader (lilo and grub both support this)
* Monitor the system (nagios or big brother)

102. Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire: http://www.cs.tut.fi/~rammer/aide.html

103. Testing phase
Use tools like nessus, nikto, and nmap to do a penetration test and see
how well your server is secured. Also do a stress test.

104. Reference

* What is spoofing?: http://en.wikipedia.org/wiki/Spoofing_attack
* What is ICMP?: http://en.wikipedia.org/wiki/Icmp
* For aMule: http://www.amule.org/wiki/index.php/Firewall
* SANS Top-20 Internet Security Attack Targets: http://www.sans.org/top20/
* http://ubuntuforums.org/showthread.php?t=159661&highlight=firewall
* http://www.hostlibrary.com/Areyourserverssecure.html
