Wednesday, September 7, 2011

Plesk password issue.


ERROR Message:
--------------
ERROR: PleskFatalException
Unable to connect to database: saved admin password is incorrect.

0: common_func.php3:108
        psaerror(string 'Unable to connect to database: saved admin password is
incorrect.')
1: auth.php3:93

To fix this issue we need to put the correct password into Plesk's
database.

1. First access your server via SSH and switch to root.

Stop the MySQL daemon. Under Linux systems this can be done with the
following command:

/etc/init.d/mysqld stop

# on Red Hat-like Linux systems you can also use 'service' to stop the daemon

service mysqld stop

2. Now start it with no user information:

/usr/bin/safe_mysqld --skip-grant-tables &

Now you should be able to access the database without the root password.

3. To log in type :

mysql -u root

4. You will then see the "mysql>" prompt. While you are there, type the following:

UPDATE mysql.user SET Password=PASSWORD('new_pwd') WHERE User='admin';

Type your new password in place of new_pwd. Letter case matters, and do not
forget the ";" at the end to finish the command.

5. Once you are done you will need to flush the privileges:

FLUSH PRIVILEGES;

6. Quit the "mysql>" prompt with the exit command and restart the Plesk control panel.

7. Via SSH you can do that by typing:

service psa restart

Limit the maximum number of mails each domain can send out per hour.


You can modify that in 'Tweak Settings' in the WHM panel.

Server Configuration -> Tweak Settings -> The maximum each domain can send
out per hour (0 is unlimited)

FrontPage error: "Cannot run the FrontPage Server Extensions on this page"


I received this error when I tried to submit a FrontPage form:

Cannot run the FrontPage Server Extensions on this page:

CAUSE

This problem occurs if you create a page in Microsoft FrontPage 2003 or Microsoft FrontPage 2002 by using the Feedback Form template and then you save the page to a subfolder instead of saving it to the root folder of the Web site. When you submit the form, the FrontPage Save Results component tries to save the results to the wrong location. For example, if you saved the feedback page to a subfolder named Test, the Save Results component tries to save the results to the Test/_private folder, which does not exist.

RESOLUTION

To resolve this problem, follow these steps:
1. Open your Web in FrontPage.
2. In the folder list, expand the _private folder that is in the root of your Web site.
3. Locate the Feedback.txt file. If you cannot locate this file, follow these steps:

>On the File menu, click New, and then click Page or Web.

The task pane opens.
>Under New from template, click Page Templates.
>On the General tab, click Normal Page, and then click OK.
>Switch to HTML view, and then delete all the HTML code.
>On the File menu, click Save.
>Locate and then double-click the _private folder that is in the root of your Web.
>In the Save as type box, click All Files (*.*).
>In the File name box, type Feedback.txt.
>Click Save.

4. Open the page that contains the feedback form.
5. Right-click the form, and then click Form Properties.

Note that the File name field shows that the results will be saved to the relative path of _private/Feedback.txt, which does not exist. (For example, if you saved the feedback page to a subfolder named Test in the root of your Web site, this path is /Test/_private/Feedback.txt.)
6. Click Browse.
7. Locate and then double-click the _private folder that is in the root of your Web.
8. Click the Feedback.txt file, and then click OK.
9. Save the form page.

MORE INFORMATION

By default, the Save Results component in the Feedback Form template saves the results to a text file named _private/Feedback.txt in the root of your Web. By default, if you save the feedback page to a subfolder, the Save Results component points to a _private folder relative to the subfolder--a _private folder that does not exist--instead of to the _private folder in the root of your Web.

Plesk: the license key has expired.


Error:

The amount of Plesk Control Panel resources you operate with has exceeded the limits defined by your current product license. Please contact Parallels sales department in order to purchase a new licensed key.
OR
The amount of Plesk resources you operate with has exceeded the limits defined by your current product license. Please contact SWsoft, Inc. sales department in order to purchase a new licensed key
OR
the license key has expiered. please contact your service provider
Resolution:

Symptoms
Plesk cannot retrieve the license key. The following error appears:

Key Update Status:
Unable to update Plesk Key. An error occurred while processing your key.

You can try to update it later. The key cannot be upgraded due to the network failure during connection with the Key Authority server. Please check that your Internet connection is configured, you can resolve and access ka.swsoft.com and your firewall enables outgoing connections to TCP port 5224.

However it is possible to telnet to ka.swsoft.com on port 5224.
Cause
When Plesk sends a request to the KA server it generates a special XML packet. The data for this packet is taken from the `key_history` table in the Plesk database.

If that data is corrupted it cannot be retrieved.

Example of corrupted records in MySQL database:

mysql> select id, plesk_key_id from key_history;


+----+----------------------------------------------+
| id | plesk_key_id                                 |
+----+----------------------------------------------+
|  1 | plsk000000000000                             |
|  2 | ?^uxi~Lг¦--¬a°Nx-?L¦»<a;?г*f5>-??+?@t?¦b-+i¦ |
|  3 | ?^uxi~Lг¦--¬a°Nx-?L¦»<a;?г*f5>-??+?@t?¦b-+i¦ |
|  4 | PLSK005268120000                             |
|  5 | PLSK004332790001                             |
|  6 | PLSK004332790002                             |
+----+----------------------------------------------+


6 rows in set (0.00 sec)

mysql>

Resolution
Records with ID 2 and 3 are corrupted. To fix the problem it is necessary to remove them. Use the following command to remove the problem records:

mysql> delete from key_history where id=2 or id=3;
Query OK, 2 rows affected(0.03 sec)

mysql>

Understanding Linux File Types.


There are seven basic file types in Linux:
Regular Files
Directories
Character Device Files
Block Device Files
Local Domain Sockets
Named Pipes
Symbolic Links

You can use the “ls -l” command to see the various types of files.  In the following example, the first character in the output is a “-”, which indicates that it’s a regular file.

ls -la /var/log/messages
-rw------- 1 root root 204909 Jun  5 10:50 /var/log/messages

The next example shows that it is a directory as it starts with a “d”.

ls -ld /etc
drwxr-xr-x 105 root root 12288 Jun  5 08:36 .

File Type Encoding When Using ls

Regular file          -
Directory             d
Character Device      c
Block Device          b
Local Domain Socket   s
Named Pipe            p
Symbolic Link         l

Device files facilitate the communication between hardware and software.  The kernel manages modules that know how to communicate with system devices.  These device drivers create a standard method of communication with the hardware.  They look like regular files.  When the kernel receives a request for a character or block device it contacts the right device driver to take care of the communication.

Device files are assigned both a "major" and a "minor" number.  (An "ls -l" command will show you these instead of the file size that you'd see for regular files.)  The major number refers to the device driver, and the minor number tells you which physical device goes with that file.  For example, the device files "/dev/lp0" and "/dev/lp1" would both have a major number of "6", indicating that they both represent parallel ports.  Their minor numbers of "0" and "1", respectively, refer to two different "lp" devices on the same system.

Major and minor numbers are very important to understand when you are scripting for software RAID devices, for example.  RAID devices are indicated with md0, etc.  The major device number is 9 and the minor device number starts at 0 and has to be incremented for each additional RAID device you create on a server.

Local Domain Sockets, often called “UNIX Domain Sockets”, allow local processes to communicate with each other.  This is similar to how network sockets allow global communications with other hosts.  You can use the netstat command to view domain sockets.

netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    1547   @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    9009   @/org/freedesktop/hal/udev_event
unix  28     [ ]         DGRAM                    7384   /dev/log
unix  3      [ ]         STREAM     CONNECTED     23307  /tmp/orbit-mike/linc-151b-0-472aed0fe5012
unix  3      [ ]         STREAM     CONNECTED     23306
unix  3      [ ]         STREAM     CONNECTED     23285
unix  3      [ ]         STREAM     CONNECTED     23274  /tmp/orbit-mike/linc-151b-0-472aed0fe5012

Named pipes, also known as “FIFO” files, are another type of inter-process communications device.

Symbolic links are special files that point to either another file or to a directory.

Example:
ln -s /var/log/dmesg /home/mike/dmesg

Here you can see the link that was created.

lrwxrwxrwx  1 mike mike   14 Jun  5 14:13 dmesg -> /var/log/dmesg

Device nodes will allow users access to device files.  These can be listed with:

ls -l /dev

ls -l /dev
total 0
crw-------  1 root root    36,   8 May  9 02:10 arpd
lrwxrwxrwx  1 root root          3 May  9 02:10 cdrom -> hdc
lrwxrwxrwx  1 root root          3 May  9 02:10 cdwriter -> hdc
crw-------  1 mike root     5,   1 May  9 08:10 console
lrwxrwxrwx  1 root root         11 May  9 02:10 core -> /proc/kcore
crw-------  1 root root    36,  14 May  9 02:10 dnrtmsg
lrwxrwxrwx  1 root root          3 May  9 02:10 dvd -> hdc
lrwxrwxrwx  1 root root          3 May  9 02:10 dvdwriter -> hdc
crw-------  1 root root    13,  64 May  9 02:10 event0
lrwxrwxrwx  1 root root         13 May  9 02:10 fd -> /proc/self/fd
brw-rw----  1 mike floppy   2,   0 May  9 08:10 fd0
--cut--
lrwxrwxrwx  1 root root          3 May  9 08:10 floppy -> fd0
crw-rw-rw-  1 root root     1,   7 May  9 02:10 full
crw-------  1 root root    36,   3 May  9 02:10 fwmonitor
srwx------  1 mike root          0 May  9 08:13 gpmctl
brw-rw----  1 root disk     3,   0 May  9 02:10 hda
brw-rw----  1 root disk     3,   1 May  9 02:10 hda1
brw-rw----  1 root disk     3,   2 May  9 02:10 hda2
brw-rw----  1 root disk     3,   3 May  9 02:10 hda3
brw-rw----  1 root disk     3,  64 May  9 02:10 hdb
brw-rw----  1 root disk     3,  65 May  9 02:10 hdb1
brw-------  1 mike disk    22,   0 May  9 02:10 hdc
brw-rw----  1 root disk    22,  64 May  9 02:10 hdd
brw-rw----  1 root disk    22,  65 May  9 02:10 hdd1

The device nodes consist of two types; character (stream-orientated) and block (random access).  In the list you can see the “c” for character and the “b” for block at the start of each line.  Again, note that file ownership and permissions are a part of the device nodes.  In addition, each node has a major and minor number.  The major number represents a specific device driver that is in the kernel while the minor number points to the device it indexes.

Device nodes can be created with the /bin/mknod command:

mknod device type major minor

mknod /dev/md1 b 9 1

This command would create the device md1 as a block device with a major number of 9, meaning it is a software RAID device, and a minor number of 1.

The kernel source contains a document called devices.txt which lists all of the major and minor numbers.
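The following is an added example (my own code, not part of the original post) that puts the encoding table above to work: it parses `ls -l` lines into a file type plus the major/minor pair for device entries, and classifies a live path with lstat(), where os.major()/os.minor() decode the same pair from st_rdev. The sample listing is constructed from the /dev output shown above.

```python
# Added example (not from the original post): classify Linux file types both
# from `ls -l` text, as the tables above describe, and from a live lstat().
import os
import stat

# First character of the mode column in `ls -l`, per the encoding table above.
LS_TYPE_CHARS = {
    "-": "regular file",
    "d": "directory",
    "c": "character device",
    "b": "block device",
    "s": "local domain socket",
    "p": "named pipe",
    "l": "symbolic link",
}


def parse_ls_line(line):
    """Parse one `ls -l` line into (type_name, name, major, minor).

    Device entries print "major, minor" where other files print a size,
    so they carry one extra whitespace-separated token before the date.
    major/minor are None for non-device entries.
    """
    tokens = line.split()
    if len(tokens) < 9:
        raise ValueError(f"not an ls -l line: {line!r}")
    type_char = tokens[0][0]
    if type_char not in LS_TYPE_CHARS:
        raise ValueError(f"unknown file type letter {type_char!r}")
    type_name = LS_TYPE_CHARS[type_char]
    if type_char in ("c", "b"):
        if len(tokens) < 10:
            raise ValueError(f"device entry without major/minor: {line!r}")
        major = int(tokens[4].rstrip(","))
        minor = int(tokens[5])
        rest = tokens[9:]
    else:
        major = minor = None
        rest = tokens[8:]
    # Symlinks are shown as "name -> target"; keep only the name.
    name = " ".join(rest).split(" -> ", 1)[0]
    return type_name, name, major, minor


def summarize_listing(text):
    """Count file types in a block of `ls -l` output, skipping 'total' and cut marks."""
    counts = {}
    for raw in text.splitlines():
        if len(raw.split()) < 9:
            continue
        type_name = parse_ls_line(raw)[0]
        counts[type_name] = counts.get(type_name, 0) + 1
    return counts


def classify_path(path):
    """Classify a real path with lstat(); returns (type_name, major, minor).
    lstat (not stat) so a symlink is reported as a link, not as its target."""
    st = os.lstat(path)
    mode = st.st_mode
    checks = [
        (stat.S_ISREG, "regular file"),
        (stat.S_ISDIR, "directory"),
        (stat.S_ISCHR, "character device"),
        (stat.S_ISBLK, "block device"),
        (stat.S_ISSOCK, "local domain socket"),
        (stat.S_ISFIFO, "named pipe"),
        (stat.S_ISLNK, "symbolic link"),
    ]
    type_name = next(n for fn, n in checks if fn(mode))
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        # st_rdev encodes the driver (major) and the device instance (minor).
        return type_name, os.major(st.st_rdev), os.minor(st.st_rdev)
    return type_name, None, None


# Constructed sample, copied from the /dev listing shown above.
SAMPLE_LISTING = """\
total 0
crw-------  1 root root    36,   8 May  9 02:10 arpd
lrwxrwxrwx  1 root root          3 May  9 02:10 cdrom -> hdc
brw-rw----  1 root disk     3,   1 May  9 02:10 hda1
srwx------  1 mike root          0 May  9 08:13 gpmctl
--cut--
"""

if __name__ == "__main__":
    for entry in SAMPLE_LISTING.splitlines():
        if len(entry.split()) >= 9:
            print(parse_ls_line(entry))
    print(summarize_listing(SAMPLE_LISTING))
    print(classify_path("/dev"))
```

Run it on a real box and compare `classify_path("/dev/md1")` with what `ls -l /dev/md1` prints: the (9, 1) pair from mknod above comes back from st_rdev.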

URL Masking.


<HTML><HEAD>
<META NAME=":::presentdomain.com:::" CONTENT="WEBSITE.com">
<META NAME="presentdomain.com" CONTENT="">
</HEAD>
<FRAMESET border=0 rows="100%,*" frameborder="no" marginleft=0 margintop=0
marginright=0 marginbottom=0>
<frame src="http://redirecteddomain.com/" scrolling=auto frameborder="no"
border=0 noresize>
<frame topmargin="0" marginwidth=0 scrolling=no marginheight=0
frameborder="no" border=0 noresize>
</FRAMESET>
</HTML>

Plesk reseller traffic not updating properly.


Update the statistics for all domains using the script below; in our case it
ran without any issue.

/usr/local/psa/admin/sbin/statistics --calculate-all

After completing the above process, run the script below as well:

/usr/local/psa/bin/sw-engine-pleskrun /usr/local/psa/admin/plib/DailyMaintainance/script.php

This may fix the issue. If the above script is not successful then we
have to look at upgrading Plesk.

How do I increase upload file limit from 2MB to 10MB under Apache 2 UNIX / Linux web server?


Your PHP installation puts limits on the upload file size. The default
restricts you to a maximum upload file size of 2 MB. You need to set the
following configuration options:


upload_max_filesize - The maximum size of an uploaded file.

memory_limit - Sets the maximum amount of memory in bytes that a script is
allowed to allocate. This helps prevent poorly written scripts from eating
up all available memory on a server. Note that to have no memory limit, set
this directive to -1.

post_max_size - Sets max size of post data allowed. This setting also
affects file upload. To upload large files, this value must be larger than
upload_max_filesize. If memory limit is enabled by your configure script,
memory_limit also affects file uploading. Generally speaking, memory_limit
should be larger than post_max_size.

There are two methods to fix this problem.

Method # 1: Edit php.ini

Edit your php.ini file (usually stored in /etc/php.ini or
/etc/php.d/cgi/php.ini or /usr/local/etc/php.ini):

# vi /etc/php.ini

Sample outputs:


memory_limit = 32M
upload_max_filesize = 10M
post_max_size = 20M

Save and close the file. Restart apache or lighttpd web server:

# service httpd restart

Method #2: Edit .htaccess

Edit the .htaccess file in your root directory. This is useful when you do not
have access to the php.ini file. In this example, /home/httpd/html is
considered the root directory (you can also create the .htaccess file locally
and then upload it using an ftp / sftp / scp client):
# vi /home/httpd/html/.htaccess

Append / modify setting as follows:


php_value upload_max_filesize 10M
php_value post_max_size 20M
php_value memory_limit 32M

Save and close the file.
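Because the three directives only work when they are ordered upload_max_filesize < post_max_size < memory_limit, it is worth checking a php.ini or .htaccess before restarting. The script below is an added example (my own, not from the original post): it reads either syntax, converts the K/M/G shorthand to bytes, reports the effective upload ceiling and flags misordered values. The fallback defaults are PHP's documented ones and are an assumption that no other override applies.

```python
# Added example (not from the original post): parse the three upload-related
# settings from php.ini or .htaccess text and check they are consistent.
import re

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# PHP's documented defaults, used when a setting is absent (assumption: no
# other php.ini or per-directory override is in play).
DEFAULTS = {"upload_max_filesize": "2M", "post_max_size": "8M", "memory_limit": "128M"}


def parse_php_size(value):
    """Convert php.ini shorthand ('10M', '2048K', '1G', '4096') to bytes.
    '-1' means no limit and is returned as None."""
    value = str(value).strip()
    if value == "-1":
        return None
    m = re.fullmatch(r"(\d+)\s*([KMGkmg]?)", value)
    if not m:
        raise ValueError(f"unrecognised php size value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).upper()]


def parse_ini_settings(text):
    """Extract the three settings from either syntax:
    php.ini    -> memory_limit = 32M
    .htaccess  -> php_value memory_limit 32M
    Comments (';' in php.ini, '#' in .htaccess) are stripped first."""
    wanted = set(DEFAULTS)
    found = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        m = re.fullmatch(r"(?:php_value\s+)?(\w+)\s*=?\s*(\S+)", line)
        if m and m.group(1) in wanted:
            found[m.group(1)] = m.group(2)
    return found


def check_upload_limits(settings):
    """Return (effective_upload_bytes, problems).

    The request body must fit post_max_size and the file must fit
    upload_max_filesize, so the effective ceiling is the smaller of the two;
    memory_limit must leave room above post_max_size for the script itself.
    """
    merged = {**DEFAULTS, **settings}
    up = parse_php_size(merged["upload_max_filesize"])
    post = parse_php_size(merged["post_max_size"])
    mem = parse_php_size(merged["memory_limit"])
    problems = []
    if up is not None and post is not None and post <= up:
        problems.append("post_max_size must be larger than upload_max_filesize")
    if mem is not None and post is not None and mem <= post:
        problems.append("memory_limit should be larger than post_max_size")
    ceilings = [x for x in (up, post) if x is not None]
    effective = min(ceilings) if ceilings else None
    return effective, problems


# Constructed samples: the php.ini values from Method #1 and a broken variant.
GOOD_INI = "memory_limit = 32M\nupload_max_filesize = 10M\npost_max_size = 20M\n"
BAD_HTACCESS = (
    "php_value upload_max_filesize 10M\n"
    "php_value post_max_size 8M   # smaller than the upload limit\n"
    "php_value memory_limit 32M\n"
)

if __name__ == "__main__":
    for label, text in (("good", GOOD_INI), ("bad", BAD_HTACCESS)):
        size, problems = check_upload_limits(parse_ini_settings(text))
        print(label, size // 1024 ** 2, "MB effective", problems)
```

Note that the check reads the file, not the running interpreter: after editing, confirm with phpinfo() (as in the Suhosin note below) that no later php.ini or Suhosin setting overrides the values you expect.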

A Note About Suhosin (Optional)

This is not installed by default on many servers (the latest versions of
Debian, Ubuntu and FreeBSD do install Suhosin by default). Use phpinfo()
to find out whether Suhosin is enabled or not (create test.php):


<?php
   phpinfo();
?>

Suhosin is designed to protect your servers against a number of well-known
problems in PHP applications and against potential unknown vulnerabilities
within these applications or the PHP core itself. If you are using it, you
need to edit /etc/php.d/suhosin.ini to set the correct memory and upload
limits. As long as scripts are not running within safe_mode they are free
to change memory_limit to whatever value they want.

suhosin.memory_limit=32M

How do I create a cron job?


A cron job (run by the cron daemon, or cron service) is a request for the
server to run a particular command and/or program via the command line at
set points during the hour, day, week, month or year.

The name is derived from the Greek chronos, meaning time.

At the moment there are two ways you can add, edit or delete cron jobs on
our servers. The first, and easiest, is using the Plesk interface. The
second is more complex, using the crontab program, but if you're used to
using the SSH console and know VIM, it's available.

However, if you're not familiar with the way cron jobs are configured,
please read the following section, which explains the syntax and how it
works.

What does a cron line look like and how does it work?

A cron job line is a very simple line with six parts. The first five set
the day/time the job is run, while the last part is the command to be
run. For example:

0 * * * * php /var/www/vhosts/example.com/httpdocs/cron.php
will run the php command-line interpreter, processing the file cron.php
(on the website for example.com) at the start of every hour.

The date/time fields have the following meaning:

# +------------ Minute (0 - 59)
# | +---------- Hour (0 - 23)
# | | +-------- Day of the Month (1 - 31)
# | | | +------ Month (1 - 12)
# | | | | +---- Day of the Week (0 - 7) (Sunday is 0 or 7)
# | | | | |
# * * * * * command
Therefore, the option 0 * * * * (from the above example) means 'on the
zeroth minute of any hour on any day of the month, in any month, on any
day in the week, run this command'.

Although you can add a single value, the power of cron comes from its
ability to accept a number of different syntax options for specifying
different values. The following examples are based on the minutes field,
but they can be used in any of the five fields to specify month, day,
etc.:

0          - Run it when the minute is zero
*          - Run it on any value (i.e. every minute)
0,15,30,45 - Run it when the minute is 0, 15, 30 or 45 (i.e. every 15 min)
*/15       - Same as above - run it when the minute is divisible by 15
10-15      - Run it every minute between 10 and 15 minutes
30-59/5    - Run it every fifth minute from 30 onward (i.e. 30, 35, 40, ...)
However, taking the last example, the divisor is not applied to the minute
of the hour but to the minute within the selected range: while 30-59/5
fires when the minute is between 30 and 59 and divisible by 5, the option
3-58/5 will not fire at 5, 10, etc., but at 3, 8, 13, etc.

Also, whereas the first four fields must all match for the command to run
(i.e. the minute, hour, day of the month and month), if the fifth field
(day of the week) is also specified, the command will run when either the
day of the month OR the day of the week matches.

To finish off, here are a number of complete examples:

*/15    *     *  *  *   - Run every 15 minutes
3-58/5  *     *  *  *   - Run every 5 minutes starting at the 3rd minute (3, 8, 13, ...)
0       */2   *  *  *   - Run every 2 hours, on the hour
25      8,17  *  *  *   - Run at 08:25 and 17:25
0       6     *  *  1   - Run at 06:00 every Monday
30      7     1  *  *   - Run at 07:30 on the first day of the month
0       0     1  *  5   - Run at midnight on the first of the month OR on a
Friday
*/30    9-17  *  *  1-5 - Run every 30 minutes between 9am and 5pm, Monday
to Friday
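To make the two subtle rules above concrete (the step counting from the start of a range, and the day-of-month OR day-of-week behaviour), here is an added example of my own, not part of the original post: a small expander for the five time fields and a matcher that says whether a given line would fire at a given time. It follows Vixie cron's conventions as I know them; the command column and the example dates are constructed.

```python
# Added example (not from the original post): expand crontab time fields and
# decide whether a cron line fires at a given time, including the two rules
# explained above (steps count from the range start; day-of-month OR day-of-week).
import datetime

# (low, high) bounds of the five fields: minute, hour, day of month, month, day of week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(field, low, high):
    """Return the sorted list of values one field selects.
    Handles '*', single values, comma lists, 'a-b' ranges and '/step'."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = low, high
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"field {field!r} is outside {low}-{high}")
        # The step counts from the start of the range, not from zero,
        # so '3-58/5' selects 3, 8, 13, ... rather than 5, 10, 15.
        values.update(range(start, end + 1, step))
    return sorted(values)


def parse_cron_line(line):
    """Split a crontab line into ([minutes, hours, doms, months, dows], command)."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("a cron line needs five time fields and a command")
    fields = [expand_field(f, lo, hi) for f, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    # Sunday may be written as 0 or 7; normalise to 0.
    fields[4] = sorted({0 if d == 7 else d for d in fields[4]})
    return fields, parts[5]


def cron_matches(line, when):
    """True if `line` would run at `when` (a datetime or ISO-8601 string).

    If both the day-of-month and day-of-week fields are restricted (neither
    starts with '*'), the job runs when EITHER matches; otherwise both must
    match, which is trivially true for the '*' field.
    """
    if isinstance(when, str):
        when = datetime.datetime.fromisoformat(when)
    (minutes, hours, doms, months, dows), _ = parse_cron_line(line)
    raw = line.split()
    dom_restricted = not raw[2].startswith("*")
    dow_restricted = not raw[4].startswith("*")
    cron_dow = (when.weekday() + 1) % 7  # Python Mon=0..Sun=6 -> cron Sun=0..Sat=6
    dom_ok, dow_ok = when.day in doms, cron_dow in dows
    if dom_restricted and dow_restricted:
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return when.minute in minutes and when.hour in hours and when.month in months and day_ok


if __name__ == "__main__":
    print(expand_field("3-58/5", 0, 59))
    # Constructed dates: 2011-09-01 was a Thursday (the 1st), 2011-09-02 a Friday.
    for stamp in ("2011-09-01T00:00", "2011-09-02T00:00", "2011-09-05T00:00"):
        print(stamp, cron_matches("0 0 1 * 5 /usr/bin/backup.sh", stamp))
```

A handy use is to feed it the exact line you are about to paste into Plesk or `crontab -e` and a few timestamps, so a job meant for "first of the month" does not quietly run every Friday as well.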
Editing your crontab with Plesk

To add a cron job in Plesk:

Log onto Plesk using your username and password.
From your list of domains, click on the domain you would like to add the
cronjob to.
Click on Crontab.
If you have multiple users on this domain (i.e. you have setup different
FTP accounts for sub-domains or web users), from the drop-down select the
username you want to create the cronjob for, and then click Set.
Click on Add New Task.
For each of the first five fields, enter the value as it would be for the
cron line (i.e. the date/time fields). All fields are required, so if you
don't have a specific value in that field, enter *.
Finally, enter the full command into the Command field.
Click OK to save or Cancel to return.
If you return back to the page with any errors, please correct the errors
and click OK again.
By default, the server will send any error messages or output from the
cron jobs to username@server, e.g. mysite33@gamma.jabservers.co.uk, which
will always come to us. If you want to see the output from your cron job,
or notices if it doesn't run (for whatever reason), you'll need to change
the address the e-mail is sent to.

To do this, go to the crontab page and select the user running the crontab,
click on Set, and then change 'Send crontab messages to address' to the
e-mail address you want them sent to. Click Set again to commit the
change.

Editing your Crontab via SSH

The main limitation with this option is that you can only edit the crontab
for the main domain, as you can only log on via SSH using the user for the
master FTP account. If you need to change the crontab for a web user or
sub-domain, you will have to use the Plesk interface.

To add a cron job via SSH:

Although we will take you through the steps of using VIM on the server,
knowledge of VIM is important for using the crontab program - if you do
not know how to use VIM, please see how to add a cronjob using Plesk
above.

Log onto SSH using your chosen program and the username/password for the
domain.
Run the command 'crontab -e' to edit the crontab.
Move to the end of the file, press i to enter Insertion mode, create a new
line and then enter the cron line.
Press Esc and then enter :wq to write (save) the changes and quit the
program.
If there is an error in the line, you will be notified and asked if you
want to re-edit your changes.
If there is no error, you will see the message 'crontab: installing new
crontab'.
Again, as with Plesk, any errors, notices or output from the cron job
will go to username@server (e.g. mysite33@gamma.jabservers.co.uk), which,
as we manage the server (gamma.jabservers.co.uk in the example), means the
e-mails will come to us.

To change this and tell the cron daemon to send the e-mails to you, add
the line 'MAILTO=example@example.com' to the top of your crontab.

Perl module installation.


Please follow the below steps to install the Perl module,

Login to server and enter the following commands,

#perl -MCPAN -e shell

>cpan

then provide below command

>install LWP::UserAgent

#perl -MCPAN -e shell

>cpan

then provide below command

>install HTML::LinkExtor

Commands to check whether a Perl module is installed on the server:

instmodsh

or

perl -MNet::Ping -e "print \"Module installed.\\n\";"

"instmodsh" is the easiest way to check which Perl modules are installed.
The perl -M one-liner prints "Module installed." only if the named module
(Net::Ping here) loads; otherwise perl dies with "Can't locate ...".

Below commands are also used to install Perl modules.

 yum install perl-HTML-Parser.x86_64
 yum search perl-HTML-Parser.x86_64
 yum search perl-HTML-Parser
 yum search perl-LWP-UserAgent
 yum install perl-LWP-UserAgent

URL redirect using PHP.


This is used for a URL redirect in PHP. For this you need to add an
index.php or default.php containing the code below, and then add it to the
Directory Indexes.

<?php

   header( 'Location: http://www.yoursite.com/new_page.html' );
   exit; // stop here so nothing after the redirect header is sent

?>

RDP port change on windows.

To change Remote desktop port on windows

1. Start Registry Editor.
2. Locate and then click the following registry subkey:
 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
3. On the Edit menu, click Modify, and then click Decimal.
4. Type the new port number, and then click OK.
5. Quit Registry Editor.
6. Restart the computer.

Make sure the firewall has the new port open! If you do not allow access on
that specific new port, you won't be able to connect from a remote
computer.

Run Apache virtual hosts as specified users and groups.


The following are the steps to run an Apache virtual host with separate
user/group privileges:


#wget http://repo.webtatic.com/yum/centos/5/x86_64/httpd-itk-2.2.19-1.w5.x86_64.rpm

#rpm -ivh httpd-itk-2.2.19-1.w5.x86_64.rpm

#/etc/init.d/httpd stop

Then edit /etc/sysconfig/httpd and add the following line:

HTTPD=/usr/sbin/httpd.itk


Then edit httpd.conf file and make changes to the domain's Virtual host
entry  as below


<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /path/to/web/root

    AssignUserId username groupname
</VirtualHost>

#/etc/init.d/httpd start

#chown username:groupname /path/to/webroot
#chmod o-rwx /path/to/webroot

Reference: http://www.webtatic.com/packages/httpd-itk/

Create a user in a MySQL DB and grant all privileges.



Ref: http://www.databasef1.com/tutorial/mysql-create-user.html

        http://lists.mysql.com/mysql/206641

[root@b6253 ~]# mysql -u root -p
Enter password:
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using
password: YES)
[root@b6253 ~]# /etc/init.d/mysqld stop
Stopping MySQL:                                            [  OK  ]
[root@b6253 ~]# ps -ef | grep mysql
[root@b6253 ~]#
[root@b6253 ~]# mysqld_safe --skip-grant-tables &
[1] 14884
[root@b6253 ~]# Starting mysqld daemon with databases from /var/lib/mysql

[root@b6253 ~]#
[root@b6253 ~]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> UPDATE user SET Password=xxxxxxx('xxxxxx') where USER='root';
    -> FLUSH PRIVILEGES;
ERROR 1046 (3D000): No database selected

ERROR 1290 (HY000): The MySQL server is running with the
--skip-grant-tables option so it cannot execute this statement

[root@b6253 ~]# /etc/init.d/mysqld restart

mysql> CREATE USER 'db-abc'@'localhost' IDENTIFIED BY 'bsa2206';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL ON abc.* TO 'db-abc'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.user;

18 STEPS FOR SERVER HARDENING - LINUX


1. sysctl.conf hardening has been done to help prevent spoofing and DoS attacks.

sysctl.conf Hardening - Ref: http://www.eth0.us/sysctl

NOTICE: Make sure that eth0 is your primary interface, if it is not
replace eth0 with eth1 in the code below.

-----command-----
vi /etc/sysctl.conf
-----command-----

Basic:
------
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
# Ignore broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1

Now paste the following into the file; you can overwrite the current
contents.


#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the upper bound cannot exceed 65535)
net.ipv4.ip_local_port_range = 16384 65535

----------------------------------------------------------

After you make the changes to the file, run /sbin/sysctl -p and
sysctl -w net.ipv4.route.flush=1 to apply the changes without a reboot.

The rules were taken from:
http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
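A file this long is easy to get wrong: sysctl -p applies it top to bottom, so a key that appears twice with different values silently ends up with the last one. The script below is an added example (my own, not from the original post or the referenced tutorial) that parses a sysctl.conf the same way, reports conflicting duplicates, and audits the effective values against a baseline built from the settings listed above; the baseline values and the constructed sample file are assumptions for the demonstration.

```python
# Added example (not from the original post): parse a sysctl.conf the way
# sysctl -p applies it (top to bottom, last value wins) and audit the
# effective settings against a baseline drawn from the list above.

# Baseline expected after hardening; the keys and values are the ones the
# section above sets (assumption: no other file overrides them at boot).
BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.tcp_syncookies": "1",
    "kernel.sysrq": "0",
}


def parse_sysctl_conf(text):
    """Return (effective, conflicts).

    effective: {key: value} after processing every line in order.
    conflicts: {key: [(line_no, value), ...]} for keys assigned more than one
    distinct value, which is how a later line silently undoes an earlier one.
    """
    effective, history = {}, {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.replace("/", ".")      # sysctl also accepts net/ipv4/... spelling
        value = " ".join(value.split())  # normalise internal whitespace
        history.setdefault(key, []).append((line_no, value))
        effective[key] = value
    conflicts = {k: h for k, h in history.items() if len({v for _, v in h}) > 1}
    return effective, conflicts


def audit_sysctl(text, baseline=BASELINE):
    """List deviations from the baseline plus any conflicting duplicate keys."""
    effective, conflicts = parse_sysctl_conf(text)
    findings = []
    for key, want in baseline.items():
        got = effective.get(key)
        if got is None:
            findings.append(f"{key}: not set (want {want})")
        elif got != want:
            findings.append(f"{key}: is {got}, want {want}")
    for key, hist in conflicts.items():
        trail = ", ".join(f"line {n} -> {v}" for n, v in hist)
        findings.append(f"{key}: assigned different values ({trail}); last one wins")
    return findings


# Constructed sample reproducing a common slip: a key set to 0 in one
# block and to 1 further down, so the file's intent depends on ordering.
SAMPLE_CONF = """\
# Enable Log Spoofed Packets
net.ipv4.conf.all.log_martians = 0

net.ipv4.tcp_syncookies = 1
kernel.sysrq = 0

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
"""

if __name__ == "__main__":
    for finding in audit_sysctl(SAMPLE_CONF):
        print(finding)
```

To audit the live box rather than the file, compare the baseline against `sysctl -a` output instead (same key=value shape, so parse_sysctl_conf reads it unchanged); a file can say one thing while a later boot script or a second file in /etc/sysctl.d sets another.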

2. /tmp, /var/tmp and /dev/shm are now mounted in a way that no program can
be run directly from these directories.

Ref:
http://sysadmingear.blogspot.com/2007/10/how-to-secure-tmp-and-devshm-partition.html

A. First you should secure /tmp:

Make a 1GB file for the /tmp partition and an ext3 filesystem on it:
# dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
# /sbin/mkfs.ext3 /dev/tmpFS

Create a backup copy of your current /tmp directory:
# cp -Rpf /tmp /tmpbackup
Mount our new tmp partition and change permissions:
# mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
# chmod 1777 /tmp
Copy the old data back:
# cp -Rpf /tmpbackup/* /tmp/
If you run the mount command you should see something like this:
/dev/tmpFS on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
Edit /etc/fstab and add this:
/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0
Test your fstab entry:
# mount -o remount /tmp

You can test it by running a script on the /tmp partition; if you get
"permission denied" it is fine :)


B. Secure /var/tmp:

It should be done because some applications use /var/tmp as their temporary
folder, and anything that is accessible by all needs to be secured.
Rename it and create a symbolic link to /tmp:
# mv /var/tmp /var/tmp1
# ln -s /tmp /var/tmp
Copy the old data back:
# cp -Rpf /var/tmp1/* /tmp/
Note: you should restart any services that use the /tmp partition.

C. Securing /dev/shm:

To finish the job, you should also secure /dev/shm to stop rootkits running
from there.

Edit your /etc/fstab:
# nano /etc/fstab
change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"
Remount /dev/shm:
# mount -o remount /dev/shm
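Once steps A to C are done, the proof is the mount table, not the fstab. The following is an added example of my own (not from the original post) that reads /proc/mounts text and reports which of /tmp, /var/tmp and /dev/shm are missing noexec or nosuid, or are not separate mounts at all. It resolves /var/tmp through a path resolver so the symlink from step B is checked against the /tmp mount; the sample mount table is constructed.

```python
# Added example (not from the original post): check that /tmp, /var/tmp and
# /dev/shm are really mounted with noexec,nosuid by reading the mount table,
# which is what steps A-C above change.
import os

REQUIRED = {
    "/tmp": {"noexec", "nosuid"},
    "/var/tmp": {"noexec", "nosuid"},
    "/dev/shm": {"noexec", "nosuid"},
}


def parse_mounts(text):
    """Parse /proc/mounts into {mountpoint: (device, fstype, options)}.
    A later line for the same mount point overrides an earlier one, matching
    how the kernel lists stacked mounts."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4:
            continue
        device, mountpoint, fstype, opts = parts[:4]
        mountpoint = mountpoint.replace("\\040", " ")  # /proc/mounts escapes spaces
        table[mountpoint] = (device, fstype, set(opts.split(",")))
    return table


def check_temp_mounts(text, required=REQUIRED, resolve=None):
    """Return findings for paths that are not separate mounts or lack options.

    `resolve` maps a path to where it actually lives; pass os.path.realpath on
    a live system so a /var/tmp -> /tmp symlink (step B above) is checked
    against the /tmp mount.
    """
    table = parse_mounts(text)
    findings = []
    for path, needed in required.items():
        target = resolve(path) if resolve else path
        entry = table.get(target)
        if entry is None:
            findings.append(f"{path}: not a separate mount, inherits the parent filesystem's options")
            continue
        missing = sorted(needed - entry[2])
        if missing:
            findings.append(f"{path}: mounted without {','.join(missing)}")
    return findings


def live_check():
    """Run the check against this host's /proc/mounts (Linux only)."""
    with open("/proc/mounts") as fh:
        return check_temp_mounts(fh.read(), resolve=os.path.realpath)


# Constructed /proc/mounts sample: /tmp done per step A, /dev/shm not yet remounted.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
none /dev/shm tmpfs rw 0 0
"""


def sample_resolve(path):
    """Stand-in for os.path.realpath when /var/tmp has been symlinked to /tmp."""
    return {"/var/tmp": "/tmp"}.get(path, path)


if __name__ == "__main__":
    for finding in check_temp_mounts(SAMPLE_MOUNTS, resolve=sample_resolve):
        print(finding)
```

Worth remembering when reading the output: noexec on /tmp stops direct execution of files placed there, but an interpreter invoked explicitly (perl /tmp/x.pl) still runs them, so treat this as one layer alongside the permission changes in step 3e, not a complete block.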

3. Miscellaneous system tweaks have been done.
   a. tcp_syncookies enabled, which helps against a few different types of
DoS-style attacks.

   b. Hardened resolv.conf, because if improperly configured it can be used
to spoof or create a DoS attack.

   c. Verified and set up /etc/hosts, removed the additional entries.

   d. SSHD has been secured

   e. Changed the permissions from 755 to 750 for a few binaries

a. tcp_syncookies enabled, which helps against a few different types of
DoS-style attacks.

vi sysctl.conf
            # Enable TCP SYN Cookie Protection
            net.ipv4.tcp_syncookies = 1

b. Hardened resolv.conf, because if improperly configured it can be used
to spoof or create a DoS attack (nameserver entries only):

nameserver 10.0.80.11
nameserver 10.0.80.12

c. Verified and set up /etc/hosts, removed the additional entries.

127.0.0.1               localhost.localdomain localhost
75.126.147.142          newsj.sjservernew.com newsj

d. SSHD has been secured

Protocol 2
change the port number other than 22
SyslogFacility AUTHPRIV

e. Changed the permission from 755 to 750 for a few binaries.


chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

4. Hid the versions of Apache, named and Exim, which will help prevent
many automated attacks that target hosts based on version number.

Ref: http://www.cyberciti.biz/faq/rhel-centos-hide-httpd-version/
       http://www.cyberciti.biz/faq/hide-bind9-dns-sever-version/
       http://forums.cpanel.net/f43/security-annoyance-hide-exim-version-119521.html

HTTPD.CONF:
-----------
Open your httpd.conf and set:
ServerSignature Off
ServerTokens Prod

/etc/init.d/httpd restart

NAMED.CONF:
-----------
Open your named.conf file and find the options { ... }; section,

options
{
        query-source    port 53;
        query-source-v6 port 53;
        listen-on { 174.ttt.xx.yy; };
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        dnssec-enable yes;
        recursion no;
        allow-notify { 174.zzz.yy.zz; 172.xx.yy.zz; };
        version "BIND";
};

To hide your bind version:
version "YOUR Message";

OR
version "use fpdns to get version number ;)";

Save and close the file. Restart named, enter:

# service bind9 restart

OR

# service named restart

How do I see the BIND version?

Use the dig command, enter:

$ dig @ns1.softlayer.com -c CH -t txt version.bind

EXIM.CONF:
----------
Open the file /etc/exim.conf and search for smtp_banner.

The line would look like

smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
Remove the "Exim ${version_number}" from the line. The modified line would
look like

smtp_banner = "${primary_hostname} ESMTP \

5. PHP has been secured by disabling a few of its functions (locate the
configuration file with: find / -name php.ini)

vi /etc/php.ini

OR

vi /usr/bin/php/php.ini

expose_php = Off

6. Rkhunter has been installed; it is a very useful tool that checks for
trojans, rootkits, and other security problems.

Download:
http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Frkhunter%2

1. Login to your server via SSH as root.
cd /usr/local/src/
2. Download the latest RKHunter version (-O saves it under the tarball name
instead of the URL's query string):
wget -O rkhunter-1.3.8.tar.gz http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Frkhunter%2
3. Extract files
tar -xzvf rkhunter-1.3.8.tar.gz
cd rkhunter-1.3.8
./installer.sh --install
4. Set up a cron job for RKHunter to e-mail you daily scan reports.
pico /etc/cron.daily/rkhunter.sh
Add the following lines (replace the e-mail address with your own):
#!/bin/bash
/usr/local/bin/rkhunter --update && /usr/local/bin/rkhunter -c --cronjob 2>&1 \
    | mail -s "RKhunter Scan Details" support@domain.com

Type: chmod 700 /etc/cron.daily/rkhunter.sh

7. CHKROOTKIT has been installed which is a powerful tool to scan Linux
server for trojans

Step 1: Downloading and Installing it:

1. Login to your server via SSH as root.
cd /usr/local/src
2. Download the latest CHKROOTKIT version and verify its checksum
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
md5sum -c chkrootkit.md5
3. Extract files
tar -zxvf chkrootkit.tar.gz
4. Make directory
mkdir /usr/local/chkrootkit
mv /usr/local/src/chkrootkit*/* /usr/local/chkrootkit
cd /usr/local/chkrootkit
5. Install CHKROOTKIT
make sense

8. System Integrity Monitor has been installed which is a 24x7 Internal
Monitor that checks all services and restarts them if they are down.

System Integrity Monitor

Current Release:

http://www.rfxn.com/downloads/sim-current.tar.gz
http://www.rfxn.com/appdocs/README.sim
http://www.rfxn.com/appdocs/CHANGELOG.sim

9. host.conf hardening has been done, which protects against DNS lookup
poisoning and spoofing.

vi /etc/host.conf

order bind,hosts
nospoof on

10. FTP hardening has been done.

11. Find Listening Network Ports

Ref: http://www.cyberciti.biz/tips/linux-security.html

a. Use the following command to list all open ports and associated programs:

netstat -tulpn

OR

nmap -sT -O localhost
nmap -sT -O server.example.com

Use iptables to close open ports, or stop all unwanted network services
using the service and chkconfig commands described in the next section.

12. Disable Unwanted SUID and SGID Binaries

# See all set-user-id files:
find / -perm -4000
# See all set-group-id files:
find / -perm -2000
# Or combine both in a single command:
find / \( -perm -4000 -o -perm -2000 \) -print
# Same, skipping /proc and listing details (/6000 matches either bit):
find / -path /proc -prune -o -type f -perm /6000 -ls

You need to investigate each reported file. See reported file man page for
further details.
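Added example (not from the original post): instead of investigating the whole list on every run, keep a baseline of the setuid/setgid files expected on the host and report only what changed. The baseline and the find output below are constructed samples; on a real host FOUND would come from the find command above.

```shell
#!/bin/sh
# Constructed baseline of setuid/setgid files expected on a hypothetical host
# (recorded from a known-good build; not a real inventory).
BASELINE='/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo'

# Constructed output of a later run of:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
FOUND='/bin/ping
/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/local/bin/helper'

# diff_lists A B -> lines of B that do not appear in A.
# Both lists go through one awk invocation separated by a marker line,
# so this stays POSIX sh (no bash process substitution needed).
diff_lists() {
    { printf '%s\n' "$1"; echo '---MARK---'; printf '%s\n' "$2"; } |
    awk '$0 == "---MARK---" { second = 1; next }
         !second            { known[$0]; next }
         !($0 in known)     { print }'
}

# new_privileged_files BASELINE FOUND -> files that gained setuid/setgid since the baseline
new_privileged_files() { diff_lists "$1" "$2"; }

# vanished_privileged_files BASELINE FOUND -> baseline entries no longer reported
# (a system binary losing its bit is worth a look too: package tampering or a botched chmod)
vanished_privileged_files() { diff_lists "$2" "$1"; }

# Stand-alone usage: every line printed here needs the investigation the text asks for.
echo "New setuid/setgid files:";      new_privileged_files "$BASELINE" "$FOUND"
echo "Vanished setuid/setgid files:"; vanished_privileged_files "$BASELINE" "$FOUND"
```

Regenerate the baseline only after each reported entry has been explained and, where legitimate, accepted.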

13. Disable Unwanted Services

Disable all unnecessary services and daemons (services that run in the
background). You need to remove all unwanted services from the system
start-up. Type the following command to list all services which are
started at boot time in run level 3:

# chkconfig --list | grep '3:on'

To disable service, enter:

# service serviceName stop
# chkconfig serviceName off

14. Make Sure No Non-Root Accounts Have UID Set To 0

Only the root account should have UID 0, which grants full permissions on the system.
Type the following command to display all accounts with UID set to 0:
# awk -F: '($3 == "0") {print}' /etc/passwd

You should only see one line as follows:

root:x:0:0:root:/root:/bin/bash
If you see other lines, delete them or make sure other accounts are
authorized by you to use UID 0.

15. How Do I Verify No Accounts Have Empty Passwords?

Type the following command:
# awk -F: '($2 == "") {print}' /etc/shadow

Lock all empty password accounts:
# passwd -l accountName
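Added example (not from the original post) that runs both checks from sections 14 and 15, UID 0 and empty password, over constructed /etc/passwd and /etc/shadow content, distinguishes a locked account ("!!" or "*") from a genuinely empty password field, and emits the passwd -l commands to lock the offenders without executing them.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow contents for a hypothetical host (not real accounts).
# On a real host: SAMPLE_PASSWD=$(cat /etc/passwd); SAMPLE_SHADOW=$(cat /etc/shadow)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:backup operator:/home/backup:/bin/bash
user1:x:500:500:User One:/home/user1:/bin/bash'

SAMPLE_SHADOW='root:$1$salt$hashhashhashhash:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
backup:!!:15000:0:99999:7:::
user1::15000:0:99999:7:::'

# uid0_accounts PASSWD -> names of all accounts whose UID field is 0 (numeric compare,
# so a padded value such as "00" is caught as well)
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# rogue_uid0_accounts PASSWD -> UID-0 accounts other than root; each one needs review
rogue_uid0_accounts() {
    uid0_accounts "$1" | grep -vx root || true
}

# empty_password_accounts SHADOW -> accounts whose password field is empty.
# "!!" and "*" mean locked/no-login, not empty, so they are correctly not reported.
empty_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# lock_commands SHADOW -> the passwd -l command for every empty-password account
# (printed, not run, so the operator can review the list first)
lock_commands() {
    empty_password_accounts "$1" | awk '{ print "passwd -l " $0 }'
}

# Stand-alone usage
echo "UID 0 accounts other than root:"; rogue_uid0_accounts "$SAMPLE_PASSWD"
echo "Accounts with empty passwords:";  empty_password_accounts "$SAMPLE_SHADOW"
echo "Suggested remediation:";          lock_commands "$SAMPLE_SHADOW"
```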

16. LMD has been installed which is a malware detection tool.

Ref: http://www.rfxn.com/
Download: http://www.rfxn.com/downloads/maldetect-current.tar.gz

17. SSH has been secured and access restricted (via TCP wrappers).

hosts.allow

vi /etc/hosts.allow

sshd: 122.165.59.183
sshd: 122.183.241.126
sshd: 58.68.29.210

hosts.deny

vi /etc/hosts.deny

sshd: ALL

18. No-owner Files

Files not owned by any user or group can pose a security problem. Find
those that do not belong to a valid user and a valid group with the
following command:
find /dir -xdev \( -nouser -o -nogroup \) -print

You need to investigate each reported file and either assign it to an
appropriate user and group or remove it.