UnixServerAdmin

Server Administration & Management

General Iptables Firewall Rules

1. Delete all existing rules
# iptables -F

2. Set default chain policies
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

3. Block a specific ip-address
BLOCK_THIS_IP="x.x.x.x"
# iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

4. Allow ALL incoming SSH
# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

5. Allow incoming SSH only from a specific network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

6. Allow incoming HTTP
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Allow incoming HTTPS
# iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

8. Allow outgoing SSH
# iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

9. Allow outgoing SSH only to a specific network
# iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow outgoing HTTPS
# iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

11. Load balance incoming HTTPS traffic
DNAT is only available in the nat table, so these rules need -t nat. The nth match is an add-on extension; stock iptables provides the same round-robin as -m statistic --mode nth.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

12. Ping from inside to outside
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

13. Ping from outside to inside
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow loopback access
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

15. Allow packets from the internal network to reach the external network,
if eth1 is connected to the external network (internet)
and eth0 is connected to the internal network (192.168.1.x):
# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

16. Allow outbound DNS
# iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

17. Allow NIS Connections
Find the ports ypbind is registered on with "rpcinfo -p | grep ypbind"; in this example they are 853 and 850.
# iptables -A INPUT -p tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp --dport 853 -j ACCEPT
# iptables -A INPUT -p udp --dport 853 -j ACCEPT
# iptables -A INPUT -p tcp --dport 850 -j ACCEPT
# iptables -A INPUT -p udp --dport 850 -j ACCEPT

18. Allow rsync from a specific network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

19. Allow MySQL connection only from a specific network
# iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

20. Allow Sendmail or Postfix
# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

21. Allow IMAP and IMAPS
# iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

# iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

22. Allow POP3 and POP3S
# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

# iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

23. Prevent DoS attack
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
With the default INPUT policy DROP from step 2, packets over the limit match nothing and are dropped.

24. Port forwarding 422 to 22
# iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
# iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
Note that the DNAT in PREROUTING rewrites the destination before the filter table runs, so INPUT sees these packets on port 22 and port 22 must also be accepted there (step 4 or 5).

25. Log dropped packets
# iptables -N LOGGING
# iptables -A INPUT -j LOGGING
# iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
# iptables -A LOGGING -j DROP
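As an added example (not part of the original post), here are the rules above composed into one script in the order netfilter evaluates them: loopback and already-established traffic first, then the per-service rules, with the logging chain last. It replaces the per-service ESTABLISHED rules with a single ESTABLISHED,RELATED rule and adds an INVALID drop; the interface name, the admin network and the IPT/FW_APPLY variables are assumptions, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: the post's iptables rules composed in evaluation order.
# IPT=echo gives a dry run that prints every rule instead of loading it.
IPT="${IPT:-iptables}"

ipt() { "$IPT" "$@"; }

fw_apply() {
    wan="$1"          # public interface, e.g. eth0
    admin_net="$2"    # network allowed to reach SSH, e.g. 192.168.200.0/24

    # 1. start from a clean ruleset and drop by default (post steps 1 and 2)
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # 2. loopback first: local clients (resolver, MySQL socket users) need it (step 14)
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # 3. one stateful rule per chain replaces the per-service ESTABLISHED rules;
    #    INVALID packets (out-of-state TCP) are dropped before any service rule
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # 4. inbound services: SSH only from the admin network (step 5),
    #    web ports with the rate limit from step 23 applied to new connections
    ipt -A INPUT -i "$wan" -p tcp -s "$admin_net" --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$wan" -p tcp -m multiport --dports 80,443 -m state --state NEW \
        -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

    # 5. ICMP: answer pings and allow outbound echo (steps 12 and 13);
    #    the replies are covered by the ESTABLISHED,RELATED rules above
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 6. outbound: DNS (step 16), HTTPS (step 10), SSH to the admin network only (step 9)
    ipt -A OUTPUT -o "$wan" -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -o "$wan" -p tcp --dport 443 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$wan" -p tcp -d "$admin_net" --dport 22 -m state --state NEW -j ACCEPT

    # 7. everything else is logged (rate limited) and dropped (step 25); must be last
    ipt -N LOGGING
    ipt -A INPUT -j LOGGING
    ipt -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
    ipt -A LOGGING -j DROP
}

# Only touch the live firewall when explicitly asked: FW_APPLY=1 sh fw.sh
if [ "${FW_APPLY:-0}" = "1" ]; then
    fw_apply "${WAN_IF:-eth0}" "${ADMIN_NET:-192.168.200.0/24}"
fi
```

Run it with IPT=echo first and read the printed rules; a rule placed after the LOGGING jump is never reached.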


February 18, 2012 | Firewall, Security

Protected: SYN_Flood Attack Protection


February 6, 2012 | Firewall, Security, Shell Script, Tips & Tricks

How to generate a CSR for SSL Certificate without using Password

The following steps generate a Certificate Signing Request (CSR) for an Apache 2.x web server. When you have finished generating your CSR, cut/copy and paste it into the CSR field on the SSL certificate-request page.

1. Log in to your server’s terminal (SSH).

2. At the prompt, type the following command:

# openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Replace yourdomain with the domain name you’re securing. For example, if your domain name is example.com, you would type example.key and example.csr

Enter the requested information:

Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.

State or Province Name: Name of the state or province where your organization is located. Do not abbreviate.

City or Locality Name: Name of the city where your organization is registered/located. Do not abbreviate.

Organization Name: The legally-registered name for your business. If you are enrolling as an individual, enter the certificate requestor’s name.

Organization Unit Name: If applicable, enter the DBA (doing business as) name.

Common Name: The fully-qualified domain name, or URL, you’re securing. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.

If you do not want to enter a password for this SSL key, you can leave the Passphrase field blank (the -nodes option above does exactly that). However, the private key is then stored unencrypted on disk, which carries additional risk. Open the CSR in a text editor and copy all of the text. Paste the full CSR into the SSL enrollment form in your account.

January 5, 2012 | Apache, Security, Tips & Tricks

ssh-keygen: SSH login without using Password

System-1 :- 192.168.1.5
System-2 :- 192.168.1.10

ssh-keygen creates the public and private keys

ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file and also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.

Step 1: Create public and private keys using ssh-keygen on local-host -> 192.168.1.5

192.168.1.5# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): [Enter key]
Enter passphrase (empty for no passphrase): [Enter key]
Enter same passphrase again: [Enter key]
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is: 93:58:20:56:72:d7:bd:14:86:9f:42:aa:82:3d:f8:e5 root@192.168.1.5

Step 2: Copy the public key to remote-host -> 192.168.1.10 using ssh-copy-id

192.168.1.5# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.1.10

root@192.168.1.10’s password:
Now try logging into the machine, with “ssh ‘192.168.1.10’”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

Note: ssh-copy-id appends the keys to 192.168.1.10's .ssh/authorized_keys.

Step 3: Login to remote-host without entering the password

192.168.1.5# ssh 192.168.1.10
Last login: Sun Nov 16 17:22:33 2011 from 192.168.1.5
[Note: SSH did not ask for password.]

192.168.1.10#

[Note: You are on remote-host here]

January 1, 2012 | Security, SSH, Tips & Tricks

Preserving httpd.conf during EasyApache in cPanel

Issue : The apache configuration file (httpd.conf) has several custom entries which should not be over-written when an EasyApache is done for recompiling/adding a PHP/Apache extension.

Solution : Starting with cPanel 11.x, all the apache settings are also stored in a database and the configuration files are recreated each time an account is added or a recompile is done.

1) To also save the changes in the database you will have to run:

# /usr/local/cpanel/bin/apache_conf_distiller --update

2) You can check to see if the changes were accepted and will not be discarded at the next apache recompile by running :

# /usr/local/cpanel/bin/build_apache_conf

November 3, 2011 | Apache, cPanel, Security

bandwidth.sh

#!/bin/bash
###########################################################
## bandwidth.sh ##
###########################################################
## Make a Directory /REPORTS ##
## Make a file msg.txt under /REPORTS Directory ##
## Write Following in msg.txt file ##
###########################################################
## Hi, ##
## The Bandwidth Scan process of the server has been completed. ##
## For the Bandwidth Scan Report, please check the attached bandwidth Report. ##
## Thanks & Regards, ##
## Unixserveradmin.com Security Team ##
###########################################################

# one report file per day; every section below appends to it
LOG="/REPORTS/vnstat.log_$(date +%d%m%y)"

/bin/echo "=========================================================" > "$LOG"
/bin/echo "THE Bandwidth Report of virlnx3.Securehostdns.com at $(date)" >> "$LOG"
/bin/echo "=========================================================" >> "$LOG"

/bin/echo "      " >> "$LOG"
/bin/echo "      " >> "$LOG"
/bin/echo "========================================================" >> "$LOG"
/bin/echo "Bandwidth Report by Day" >> "$LOG"
/bin/echo "--------------------------" >> "$LOG"
# update the vnstat database for eth0 before printing the reports
/usr/bin/vnstat -u -i eth0
/usr/bin/vnstat -d >> "$LOG"
/bin/echo "--------------------------------------------------------" >> "$LOG"

/bin/echo "      " >> "$LOG"
/bin/echo "      " >> "$LOG"
/bin/echo "========================================================" >> "$LOG"
/bin/echo "Bandwidth Report by Hour" >> "$LOG"
/bin/echo "---------------------------" >> "$LOG"
/usr/bin/vnstat -h >> "$LOG"
/bin/echo "--------------------------------------------------------" >> "$LOG"

/bin/echo "      " >> "$LOG"
/bin/echo "      " >> "$LOG"
/bin/echo "========================================================" >> "$LOG"
/bin/echo "Bandwidth Report by Month" >> "$LOG"
/bin/echo "-----------------------------" >> "$LOG"
/usr/bin/vnstat -m >> "$LOG"
/bin/echo "---------------------------------------------------" >> "$LOG"

# "--" separates the attachment from the recipient address (required by mutt 1.5.20 and later)
mutt -s "Bandwidth Scan REPORT $(hostname | tr 'a-z' 'A-Z')" -a "$LOG" -- unixserv@unixserveradmin.com < /REPORTS/msg.txt

mutt -s "Bandwidth Scan REPORT $(hostname | tr 'a-z' 'A-Z')" -a "$LOG" -- info@unixserveradmin.com < /REPORTS/msg.txt

October 18, 2011 | Security, Shell Script, Tips & Tricks, Unix/Linux

How to Redirect your website to secure port

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 443

# /etc/init.d/iptables save

# chkconfig iptables on

September 12, 2011 | Apache, Security, SSH, Tips & Tricks


How to Email Alert on Root SSH Login

To receive an email alert whenever someone opens a root shell on the server:

1. Open the file /root/.bashrc

# vi /root/.bashrc

2. Scroll to the end of the file then add the following:

echo 'ALERT - Root Shell Access (YourserverName) on:' $(date) $(who) | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@yourdomain.com

September 10, 2011 | Mail, Security, SSH, Tips & Tricks

Hardening SSH Server

As with all security, it comes in layers. The more layers you add, the more difficult it will be to gain access to your server. One of the first things you will want to do is harden sshd, as it is a primary avenue for gaining access to your server.

Step 1: First of all we need to make a regular user, since we are disabling direct root login:

# useradd admin

# passwd admin

Step 2: Backup your current sshd_config

# cp /etc/ssh/sshd_config  /etc/ssh/sshd_config.bak

Step 3: Edit  sshd_config file

# vi /etc/ssh/sshd_config

------------------------------------------------
## Changing to another port is recommended, e.g. 8875
#Port 22
Port 8875
## Sets the listening address on the server. default=0.0.0.0
## ListenAddress 192.168.0.1
## Enforce SSH protocol 2 only
#Protocol 1,2
Protocol 2
## Disable direct root login; with "no" you log in as the admin user, then "su -" to root
#PermitRootLogin yes
PermitRootLogin no
##
UsePrivilegeSeparation yes
##
AllowTcpForwarding no
## Disables X11 forwarding
X11Forwarding no
## Checks that users' home directories and rhosts files aren't world-writable
StrictModes yes
## IgnoreRhosts specifies that rhosts and shosts files are not used in authentication
IgnoreRhosts yes
##
HostbasedAuthentication no
## RhostsRSAAuthentication specifies whether sshd may try rhosts-based authentication (protocol 1 only)
RhostsRSAAuthentication no
## Adds a login banner that the user sees before authenticating
Banner /etc/motd
## Enable / disable the sftp server
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
## Users that are allowed to log in
AllowUsers admin
------------------------------------------------

Save the file.

Step 4: Add text to MOTD Banner file (/etc/motd)

# vi /etc/motd

Step 5: Restart the SSHD Daemon

# service sshd restart

September 9, 2011 | Security, SSH

How to setup SSH keys

If you are going to connect to a remote host computer using public-key authentication, you will have to generate your key pair before connecting.

Public-key authentication is based on the use of digital signatures. Each user creates a pair of ‘key’ files. One of these key files is the user’s public key, and the other is the user’s private key. The server knows the user’s public key, and only the user has the private key.

When the user tries to authenticate herself, the server checks for matching public keys and sends a challenge to the user end. The user is authenticated by signing the challenge using her private key.

Remember that your private key file is used to authenticate you. Never expose your private keys. If anyone else can access your private key file, they can attempt to login to the remote host computer as you, and claim to be you. Therefore it is extremely important that you keep your private key file in a secure place and make sure that no one else has access to it.

Do not use public-key authentication on a computer that is shared with other users. Generate keys only on your personal computer that no one else can access!

So let's get started. Let's say you want to be able to ssh as your user "dude" to remote.com without passwords getting in your way...

# ssh root@unixserveradmin.com

and ssh will ask if you want to keep connecting; type "yes", and then it should ask for your password and open a shell in dude's home directory on remote.com, just like telnet. If this fails, there is a problem somewhere. Make sure ssh is installed on your end, and also make sure that remote.com is accepting ssh connections. If it's not, you're wasting your time.
Once ssh is functioning we will set up the keys so that it will no longer be necessary to send passwords. If you are curious about the theory of this then read up on “public key cryptography”.

Create your keys: You need to create private and public ssh keys and put them in the proper place with the proper permissions. In your home directory create a folder .ssh ($ mkdir .ssh), if there is none. Note that Windows may make it difficult for you to create a file starting with “.” if you try to do it with their tools; e.g. Windows Explorer. Next, create the keys with the command

# ssh-keygen -t dsa

The ssh-keygen program will ask for a passphrase, just hit the “Enter” key unless for some reason you know you want a passphrase. This creates the keys id_dsa and id_dsa.pub and puts them in .ssh/. The private key id_dsa must be readable only by you; change its permissions with

# chmod 600 .ssh/id_dsa

Put the public key on the remote computer: In this section we are assuming the remote computer is also running OpenSSH. Somehow, you must get the .ssh/id_dsa.pub key onto the remote computer, whether by email, ftp, carrying it over on a floppy (sneakernet), etc.; the cool way to do it is to use scp, which was installed along with ssh. Suppose the remote computer is named remote.com, and your account there is “dude”. To copy the file to remote, run

# scp .ssh/id_dsa.pub root@unixserveradmin.com:

Don’t forget the trailing colon. You will be asked for dude’s password on remote before the copying commences. The file will be copied to dude’s home directory on remote. Install the public key on the remote computer: (We assume the remote computer is running OpenSSH on Linux or UNIX!) Once id_dsa.pub is on the remote computer, login into the remote computer (you can use ssh to login with your password as described above). From your home directory (where you should see your newly arrived id_dsa.pub) create a .ssh folder if none exists. Then append your id_dsa.pub to a file in .ssh with

# cat id_dsa.pub >> .ssh/authorized_keys

This will create the file authorized_keys if none exists. The id_dsa.pub key may be removed from the remote computer’s home directory, if you like. The .ssh folder on the remote computer must have the correct permissions, you may set them with

# chmod 700 .ssh

Checking the password-less connection: Now the command

# ssh root@unixserveradmin.com

should give you a password-less connection to remote.com. Likewise, scp should be password-free. By the way, all the commands you do by first logging into the remote computer can be done remotely, one at a time, using ssh. For example, you can run

# ssh root@unixserveradmin.com ls

and get a listing of your home directory files on the remote system.
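As an added example (not code from either post), this is the remote side of what the ssh-copy-id post describes and what "cat id_dsa.pub >> .ssh/authorized_keys" plus chmod does by hand: install_pubkey appends one public key to authorized_keys only if it is not already there, and sets the permissions sshd's StrictModes checks. The function names, the second home-directory argument and the sample keys are assumptions; the key material in the test is constructed.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys installation with the permissions
# sshd requires (home not group/world writable, .ssh 700, authorized_keys 600).
install_pubkey() {
    pubkey="$1"                       # one line from id_rsa.pub / id_dsa.pub
    home="${2:-$HOME}"                # target home directory (assumed argument)
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    # sanity check: an OpenSSH public key line is "<type> <base64> [comment]"
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # StrictModes refuses keys if ~, ~/.ssh or authorized_keys are writable by others
    chmod go-w "$home"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # compare only type and key material, so a different comment does not duplicate the key
    keymat=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$authkeys" | grep -qxF "$keymat"; then
        echo "install_pubkey: key already present" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authkeys"
}

# number of keys installed for a home directory (what to audit after ssh-copy-id)
count_keys() {
    f="${1:-$HOME}/.ssh/authorized_keys"
    if [ -f "$f" ]; then grep -c -E '^(ssh-|ecdsa-)' "$f" || true; else echo 0; fi
}
```

After any ssh-copy-id run, count_keys is the "check in .ssh/authorized_keys" step the tool itself asks you to do.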

September 8, 2011 | cPanel, Security, SSH, Tips & Tricks

Securing SSH against Bruteforce attacks

With iptables we can protect the SSH server against brute-force attacks.

:- Create a new chain...

# iptables -N SSH_WHITELIST

:- On the input chain, mark new packets with the SSH ‘tag’

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

:- Push new ssh connections through the SSH_WHITELIST table

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

:- Limit to 4 connections from an IP per 60 seconds; to be more strict, use 300 seconds.
:- Log connections that go over this limit and drop the packets (ULOG is the legacy userspace logging target; current kernels use NFLOG or LOG instead).

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

:- Check source IPs; if they match trusted hosts, remove the SSH 'tag' and accept the traffic.

# iptables -A SSH_WHITELIST -s 10.0.1.1 -m recent --remove --name SSH -j ACCEPT

# iptables -A SSH_WHITELIST -s 192.168.88.0/24 -m recent --remove --name SSH -j ACCEPT

# /etc/init.d/iptables save

# chkconfig iptables on

September 7, 2011 | Firewall, Security, SSH

How to install BFD (Brute Force Detection)

BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: there are few if any authentication and brute-force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php This guide will show you how to install and configure BFD to protect your system from brute force hack attempts.

Requirements:
:- You MUST have the APF firewall installed before installing BFD; it works with APF and requires some APF files to operate.
:- Root SSH access to your server

# cd /usr/local/src/

# wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

# tar -xvzf bfd-current.tar.gz

# cd bfd-*

# ./install.sh [Run the install file]

You will receive a message saying it has been installed
.: BFD installed
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

Edit the configuration file and enable brute force hack attempt alerts

# vi /usr/local/bfd/conf.bfd

Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="unixserv@unixserveradmin.com"

# vi /usr/local/bfd/ignore.hosts  [Prevent locking yourself out: add your own trusted IPs]

# /usr/local/sbin/bfd -s [Run the program!]

Customize your applications' brute force configuration: check out the rules directory in /usr/local/bfd. Here you'll find all kinds of pre-made rules for popular services such as Apache and PureFTPD. If you have any clue about shell scripting you can customize them or create new rules for enhanced brute force detection and attack prevention.

July 24, 2011 | CSF, Firewall, Security, Tips & Tricks, Unix/Linux

cPanel & WHM 11.30 released to STABLE tier With CentOS/RHEL 6 Support

The stable version of cPanel & WHM 11.30.08 was released on 14 July and is compatible with RHEL/CentOS 6.

http://docs.cpanel.net/twiki/bin/view/11_30/InstallationGuide/SystemRequirements

Supported Operating Systems (i386 and x86-64 ONLY)

CentOS versions 4.x, 5.x, 6.x
Red Hat® Enterprise Linux® versions 4.x, 5.x, 6.x
FreeBSD®-RELEASE versions 7.3, 8.0, 8.1

Operating System                           cPanel End of Life Date
CentOS 3.x, RedHat Enterprise Linux 3.x    April 30, 2011
CentOS 4.x, RedHat Enterprise Linux 4.x    August 31, 2012
CentOS 5.x, RedHat Enterprise Linux 5.x    September 30, 2014
CentOS 6.x, RedHat Enterprise Linux 6.x    May 31, 2018
FreeBSD 7.3                                September 30, 2012
FreeBSD 8.0                                May 31, 2011
FreeBSD 8.1                                January 31, 2013

Notable Changes Include:

* RHEL 6 and CentOS 6
* Support for MySQL® 5.1 (with new VIEW and TRIGGER Permissions) is now available.
* We’ve made chkservd more precise. It no longer monitors services that have been voluntarily shut down, so it produces fewer false warnings about services failing.
* DNSONLY updates are now available concurrent with cPanel & WHM updates
* The number of SQL databases displayed within cPanel now includes both MySQL and PostgreSQL databases
* We’ve optimized cpanellogd , making stats processing and bandwidth gathering much faster.
* InnoDB engine is now enabled by default on VPS systems

CentOS 6 has also been released.

Download link (India-based mirror): http://mirrors.hns.net.in/centos/6.0/isos/

July 15, 2011 | cPanel, MySQL, Security, Tips & Tricks, Unix/Linux

Linux OS Hardening Part-1

1. Secure /tmp and /var/tmp

If they are running cPanel (I usually look for the '/scripts' directory) then run /scripts/securetmp. This will remount '/tmp' and '/var/tmp' as 'noexec'.

# /scripts/securetmp

Sometimes cPanel has an issue with /tmp permissions. Run the following:

# ls -al /

if you see: drwxr-xr-x   5 root   root   xxxxx mon xx xx:xx /tmp
You’ll need to chmod the /tmp directory to 1777 in order to set the sticky bit.

# chmod 1777 /tmp

If they are not running cPanel you will need to mount the filesystems as non-executable manually. If the user has a separate partition for /tmp, you can simply remount it with the noexec,nosuid options. Edit /etc/fstab with these options, then type "mount -o remount /tmp". You can then create a symbolic link from /var/tmp to /tmp ("ln -s /tmp /var/tmp"). Keep in mind you will need to back up any files in /var/tmp and move them to /tmp. Pay special attention to the MySQL socket, as it will likely need to be recreated. After creating the symbolic link, remove the MySQL socket and recreate it:

# mount -o rw,noexec,nodev,nosuid,remount /tmp

# rm -rf /tmp/mysql.sock

# ln -s /var/lib/mysql/mysql.sock /tmp/mysql.sock

If they do not have a separate partition for /tmp, you will need to create a loopback filesystem. Issue the following series of commands:

# dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=512000

# mke2fs /dev/tmpMnt

# mkdir /tmp.bak

# mv /tmp/* /tmp.bak/ (verify that dot-files are also moved)

# mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

# mv /tmp.bak/* /tmp/ (again, verify that dot-files are also moved)

# rm -rf /tmp.bak

# chmod 1777 /tmp

# vi /etc/fstab (add: /dev/tmpMnt /tmp ext2 loop,nosuid,noexec,rw 0 0)

The above commands create a 512MB loopback filesystem for /tmp and mount it as non-executable. From here, you can create a symbolic link from /var/tmp as described above.

*******************************************************************************************************

2. Secure /usr/local/apache/proxy

Remove the directory and create a symbolic link from it to a secured /tmp:

# rm -rf /usr/local/apache/proxy

# ln -s /tmp /usr/local/apache/proxy

*******************************************************************************************************

3. Secure /dev/shm

/dev/shm is basically a ramfs. As it is world-writable we recommend unmounting it or at least removing its world-write permission:

# umount /dev/shm (you cannot be in the directory when executing this command)

# vi /etc/fstab (comment out # the entry for /dev/shm)

OR

# chmod o-w /dev/shm
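As an added example (not from the original post), this check verifies that the filesystems sections 1 and 3 harden are actually mounted with the restrictive options: check_mounts reads a file in /proc/mounts format (pass /proc/mounts on a live host) and prints one line per missing option or missing mount. The function name and the option sets are assumptions; /var/tmp is checked only when it is its own mount, since the post symlinks it to /tmp, and the test's mount tables are constructed.

```shell
#!/bin/sh
# Added example: audit /tmp and /dev/shm mount options after the hardening steps.
# Usage: check_mounts /proc/mounts   (no output means every check passed)
check_mounts() {
    awk '
    BEGIN {
        # options each mount point must carry (assumed policy, matching the post)
        want["/tmp"]     = "noexec nosuid"
        want["/var/tmp"] = "noexec nosuid"
        want["/dev/shm"] = "noexec nosuid nodev"
        # mount points that must exist as separate mounts for noexec to apply at all
        required["/tmp"]     = 1
        required["/dev/shm"] = 1
    }
    # /proc/mounts fields: device mountpoint fstype options dump pass
    ($2 in want) {
        seen[$2] = 1
        split("", have)
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) have[opts[i]] = 1
        m = split(want[$2], need, " ")
        for (j = 1; j <= m; j++)
            if (!(need[j] in have))
                print $2 ": missing " need[j] " (options: " $4 ")"
    }
    END {
        for (mp in required)
            if (!(mp in seen))
                print mp ": not a separate mount, so noexec cannot apply"
    }' "$1"
}
```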

*******************************************************************************************************

4. Secure /var/spool/ directories

This will remove world write access.

# chmod -R o-w /var/spool

*******************************************************************************************************

5. Make sure the machine is current on patches

If the machine has cPanel on it please make sure the pkgSkipList contains the following (run /usr/sbin/up2date --configure):

kernel*;http*;perl*;mysql*;php*;mod_ssl*

You can run /scripts/checkup2date and it will add these automatically.

From here it is usually best to let cPanel install some of the needed RPM’s it knows it needs. You can accomplish this by running /scripts/rpmup

Now you can go ahead and run /usr/sbin/up2date -l to see what packages are available for install/upgrade.

Right under ‘Fetching rpm headers…’ will be all the packages available to the server. To update these run

# /usr/sbin/up2date -u

Now under ‘The following Packages were marked to be skipped by your configuration:’ it will list the packages available but are being skipped by the skiplist above. We are mostly worried about the kernel. If you see a kernel listed here, run:

# /usr/sbin/up2date -uf kernel kernel-smp kernel-utils kernel-source

Once this has completed you will want to make sure we are booting the correct kernel. Run /bin/uname -r to see which kernel is booting currently. From here run /bin/vi /boot/grub/grub.conf and you should see the newly installed kernel and more than likely other kernels that were previously installed. If the customer was already running a RedHat kernel (usually something like '2.4.21-15.0.4-EL') then it is usually safe to change it to boot the new RedHat kernel you just installed. It should be listed as the very first kernel; if so, all you would do is change the 'default=x' to 'default=0'. If the customer was running a custom kernel (something like '2.6.6' or '2.4.26-grsecvx') then you would want to leave the 'default=x' line set to the kernel they were booting before.

If the server is running cPanel make sure it has the latest stable version by typing:

# /scripts/upcp

Make sure you restart cPanel after this (if it installed a newer version) by running: service cPanel restart

*******************************************************************************************************

6. Disable unnecessary services

Verify the runlevel you are currently in by running 'runlevel'. This will more than likely be '3'. Run: /sbin/chkconfig --list | grep <insert runlevel number>:on

This will list all the services that are starting on boot for the runlevel.

Look for services that are not needed such as:

isdn
ip6tables
nfslock
cups
xfs
canna
FreeWnn
pcmcia
telnet
ntalk
portmap

Note: do NOT disable ‘netfs’ as this will break /scripts/securetmp

Stop each service you find like so:

# /etc/init.d/<service name> stop

To disable the services run the following for each service:

# /sbin/chkconfig --level 123456 <service name> off

*******************************************************************************************************

7. Check for who has shell access and restrict accordingly

This will return only the users that have a valid login shell on the machine (grep needs -E for the alternation, otherwise the parentheses and bar are matched literally):

for i in $(/usr/bin/chsh --list-shells | grep -Ev '(noshell|nologin)'); do grep "$i" /etc/passwd; done

To lock the appropriate accounts down do the following:

# /usr/bin/chsh -s /usr/local/cpanel/bin/noshell <insert username>

*******************************************************************************************************

8. Add new user for SSH login

# /usr/sbin/adduser -G wheel -d /home/<cxxxxx> -c "<cxxxxx>" -m <cxxxxx>

Change the password for the new user to something random and hard to guess (letters and digits, preferably at least 10 characters). You can use a password generator.

Note: Make sure you tell the customer what you changed this to and update the hw object in Orbit.

*******************************************************************************************************

9. Disable root login with SSH

Run the following

# vi /etc/ssh/sshd_config

Change 'PermitRootLogin yes' to 'PermitRootLogin no' and make sure the line is uncommented (remove the '#' from the front of the line if it is there). This disables the ability to SSH into the server as root; the customer must log in with the newly created account and then 'su' to root if needed.

Change the SSH port to 33988 to reduce automated brute-force attempts against the default port 22.

Remove '1' from the Protocol line (leaving 'Protocol 2') and uncomment the line.

Uncomment '#Banner' and change /some/path to /etc/motd.

Save file and exit. (:x)
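The same four edits can be applied from a script so that repeated runs give the same result and nothing is left half-commented. This is an added example, not code from the original page: set_opt, harden_sshd_config, check_sshd_config and the sample file in the demo are our own names and constructs, and the helper treats every directive as global (Match blocks are not handled).

```shell
#!/bin/sh
# harden_sshd.sh: apply the sshd_config edits from step 9 (and the Banner
# from step 10) idempotently. Added example, not from the original page.

# set_opt FILE KEY VALUE: leave exactly one active "KEY VALUE" line in FILE.
# The first line whose first word is KEY (commented out or not) is rewritten,
# later duplicates are dropped, and the directive is appended if absent.
set_opt() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indentation and a leading #
            split(line, w, /[ \t]+/)
            if (tolower(w[1]) == tolower(key)) {  # sshd keywords are case-insensitive
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd_config FILE: the four changes from the checklist above
harden_sshd_config() {
    set_opt "$1" PermitRootLogin no     # root comes in via a wheel user + su
    set_opt "$1" Port 33988             # non-default port used in step 9
    set_opt "$1" Protocol 2             # drop SSH protocol 1
    set_opt "$1" Banner /etc/motd       # warning banner from step 10
}

# check_sshd_config FILE: syntax-check before restarting sshd, if sshd exists
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not found, skipping check"; return 0; }
    sshd -t -f "$1"
}

# demo_sshd_hardening: run the edits over a constructed sample (not a real config)
demo_sshd_hardening() {
    f=$(mktemp)
    printf '%s\n' '#Port 22' 'Protocol 2,1' 'PermitRootLogin yes' \
        '#Banner /some/path' 'X11Forwarding no' > "$f"
    harden_sshd_config "$f"
    cat "$f"
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo_sshd_hardening; fi
```

Run check_sshd_config on the real file before restarting sshd, and keep your existing session open until a second login on the new port succeeds; a typo in sshd_config otherwise locks you out of the box.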

*******************************************************************************************************

10. Displaying Login Banners

To display a warning banner, open /etc/motd in vi and paste the following:

# vi /etc/motd

Only authorized users may log into this commercial computer system. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized sites, ISPs, and law enforcement personnel, as well as authorized officials of other agencies, domestic, foreign, and The Planet Information Security team. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or The Planet Information Security team. Unauthorized or improper use of this system may result in civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.

LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning under US CODE: Title 18, U.S.C.

*******************************************************************************************************

11. Create the btmp file

As root, run

# /bin/touch /var/log/btmp

This will allow the user to type 'lastb' and display all 'bad' logins to the server.

*******************************************************************************************************

12. /etc/securetty

The /etc/securetty file specifies which TTY devices the root user is allowed to log in on. Remove all ttys from /etc/securetty except tty1. Root can then log in only on tty1; on every other device users have to log in as a wheel-group user and su to root if they need it.

The file will look like this:

console

vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
ttyS0

Note: sometimes there will not be a ttyS0.

*******************************************************************************************************

13. Root email

LogWatch: an email is sent out every day that contains basic information about the server such as free space, bad login attempts to the machine, etc. It sends this report to root@localhost. If the customer never checks the mail on the server locally they will never see these emails. If they DO NOT have cPanel, do the following to ensure they get emailed these reports: 'vi /root/.forward', put the customer's primary email address on the only line in this file, and save it. This essentially forwards all of root's email to that address.

Note that if they are running Qmail you may need to edit /root/.qmail instead. Qmail uses a slightly different syntax: an ampersand (&) is placed before the e-mail address:

echo "&user@host.com" > /root/.qmail

*******************************************************************************************************

14. Apache (optional)

Note: not strictly necessary, since this guide covers O/S hardening rather than application hardening.

Run /bin/vi /etc/httpd/conf/httpd.conf (assuming this is where the running httpd.conf is installed) and either add the following lines or, if they already exist, change them to read:

ServerTokens Prod        # hide the loaded modules and version; report only "Apache" in the Server header

ServerSignature Off      # do not show the Apache version on server-generated pages (404, etc.)

*******************************************************************************************************

15. Enabling Password Restrictions

The following files and parameters in the table are used when a new account is created with the useradd command. These settings are recorded for each user account in the /etc/shadow file. Therefore, make sure to configure the following parameters before you create any user accounts using the useradd command:

# vi /etc/login.defs

/etc/login.defs
PASS_MAX_DAYS    60     Maximum number of days a password is valid.
PASS_MIN_DAYS    7      Minimum number of days before a user can change the password again since the last change.
PASS_MIN_LEN     n/a    This parameter does not work; it is superseded by the PAM module pam_cracklib. See "Setting Password Restrictions" (step 16) for more information.
PASS_WARN_AGE    7      Number of days before expiry on which the password change reminder starts.

# vi /etc/default/useradd

/etc/default/useradd
INACTIVE         14     Number of days after password expiration that the account is disabled.
EXPIRE                  Account expiration date in the format YYYY-MM-DD.

Ensure that the above parameters are changed in the /etc/login.defs and /etc/default/useradd files.

*******************************************************************************************************

16. Setting Password Restrictions

The following example shows how to enforce the following password rules:

Minimum length of password must be 8
Minimum number of lower case letters must be 1
Minimum number of upper case letters must be 1
Minimum number of digits must be 1
Minimum number of other characters must be 1
Restrict the use of previous passwords

pam_cracklib.so        minlen=8        Minimum length of password is 8
pam_cracklib.so        lcredit=-1       Minimum number of lower case letters is 1
pam_cracklib.so        ucredit=-1      Minimum number of upper case letters is 1
pam_cracklib.so        dcredit=-1      Minimum number of digits is 1
pam_cracklib.so        ocredit=-1      Minimum number of other characters is 1

Edit the /etc/pam.d/system-auth file and add/change the following pam_cracklib arguments on the 'password requisite' line (remember=26 on the pam_unix line is what restricts reuse of previous passwords):

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=26
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so

NOTE: If the /etc/security/opasswd doesn’t exist, create the file.

# ls -l /etc/security/opasswd

-rw-------  1 root root 0 Dec  8 06:54 /etc/security/opasswd
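The credit arguments are the part of this policy that is most often misread, so here is an added example (not from the original page; the function names are ours) that reproduces pam_cracklib's length/credit arithmetic for its "simple" check: the score starts at the password length, a class with credit N >= 0 adds up to N bonus points for characters of that class, and a class with credit N < 0 adds nothing but requires at least -N characters of that class. The password passes when every requirement is met and the score reaches minlen. Dictionary, palindrome and difok checks are not modelled.

```shell
#!/bin/sh
# cracklib_check.sh: predict whether a candidate password passes a pam_cracklib
# minlen/credit policy. Added example, not from the original page.

# count_class STRING CLASS: number of characters in STRING that fall in CLASS
# (a tr(1) set such as 0-9). Counts bytes, as pam_cracklib does.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_score PASSWORD DCREDIT UCREDIT LCREDIT OCREDIT
# Prints the score, or "fail" (exit 1) if a negative-credit requirement is unmet.
cracklib_score() {
    pw=$1; dcredit=$2; ucredit=$3; lcredit=$4; ocredit=$5
    d=$(count_class "$pw" '0-9')
    u=$(count_class "$pw" 'A-Z')
    l=$(count_class "$pw" 'a-z')
    o=$(( ${#pw} - d - u - l ))        # "other" = everything that is not a letter or digit
    score=${#pw}
    for pair in "$d:$dcredit" "$u:$ucredit" "$l:$lcredit" "$o:$ocredit"; do
        n=${pair%%:*}; credit=${pair##*:}
        if [ "$credit" -ge 0 ]; then
            # positive credit: bonus points, capped at the credit value
            bonus=$n
            if [ "$bonus" -gt "$credit" ]; then bonus=$credit; fi
            score=$(( score + bonus ))
        elif [ "$n" -lt "${credit#-}" ]; then
            # negative credit: hard requirement of -credit characters, no bonus
            echo fail; return 1
        fi
    done
    echo "$score"
}

# cracklib_check PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT: exit 0 if the
# password satisfies the policy, 1 otherwise
cracklib_check() {
    s=$(cracklib_score "$1" "$3" "$4" "$5" "$6") || return 1
    [ "$s" -ge "$2" ]
}

# Policy from step 16: minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
if [ "${1:-}" = demo ]; then
    for candidate in 'Tr0ub4dor&3' 'password1' 'abc1E'; do
        if cracklib_check "$candidate" 8 -1 -1 -1 -1; then r=ok; else r=rejected; fi
        echo "$candidate: $r"
    done
fi
```

The score function also shows why the checklist uses -1 everywhere: with the positive defaults (credit 1 per class) the five-character 'abc1E' scores 5 + 1 + 1 + 1 = 8 and satisfies minlen=8, whereas with negative credits it is rejected outright for having no "other" character.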

*******************************************************************************************************

17. SUID/SGID Audit

To search the entire system for SUID or SGID files, run the following (newer findutils no longer accept the '+6000' form; use '-perm /6000' there):

# find / -path /proc -prune -o -type f -perm +6000 -ls

To remove the setuid or setgid bit from a file:

# chmod u-s <file>

or

# chmod g-s <file>

Only on the following files:

/bin/mount
/bin/umount
/usr/bin/chsh
/usr/sbin/adduser
/usr/bin
/usr/bin/chage

Also be sure to chmod 0 all the r-tools in /usr/bin: /usr/bin/rcp, /usr/bin/rsh, /usr/bin/rlogin and /usr/bin/telnet.

Then run ls -al <file> to confirm that the suid/sgid bit has been removed.

*******************************************************************************************************

18. World Writable Directory Audit

To search entire system for world writable directories, you can run the following:

# find / -path /proc -prune -o -perm -2 ! -type l -ls

The “! -type l” parameter skips all symbolic links since symbolic links are always world-writable. However, this is not a problem as long as the target of the link is not world-writable, which is checked by the above find command.

Be sure to check the permissions on wget and on /var/spool/samba, /var/spool/mail and /var/spool/vbox (world-writable directories). A directory that must stay world-writable should at least carry the sticky bit (chmod +t), so users can only remove their own files from it. Also check the permissions on system binaries (telnet, etc.).

*******************************************************************************************************

19. Unowned Files Audit

# find / -path /proc -prune -o \( -nouser -o -nogroup \) -print

(The parentheses and explicit -print keep /proc itself out of the output; without them find prints the pruned directory as well.) Files with no valid owner or group are usually left over from deleted accounts; reassign them with chown or remove them.
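The three searches in steps 17 to 19 are most useful when their output is compared against a known-good baseline rather than eyeballed, so here they are wrapped as functions with a baseline diff. This is an added example, not code from the original page: the function names and the baseline-file convention are ours, and the SUID search uses -perm -4000 / -perm -2000, which every find(1) accepts, instead of the deprecated '+6000' form.

```shell
#!/bin/sh
# perm_audit.sh: SUID/SGID, world-writable and unowned-file audits with a
# baseline comparison. Added example, not from the original page.

# suid_list ROOT: regular files with the setuid or setgid bit, sorted
suid_list() {
    find "$1" -xdev -path /proc -prune -o -type f \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# world_writable_list ROOT: world-writable files and directories, skipping
# symlinks. Directories that already carry the sticky bit are NOT reported,
# because /tmp-style directories are expected to be world-writable.
world_writable_list() {
    find "$1" -xdev -path /proc -prune -o \
        -perm -0002 ! -type l ! \( -type d -perm -1000 \) -print 2>/dev/null | sort
}

# unowned_list ROOT: files whose uid or gid no longer maps to a user or group
unowned_list() {
    find "$1" -xdev -path /proc -prune -o \
        \( -nouser -o -nogroup \) -print 2>/dev/null | sort
}

# baseline_diff LISTER ROOT BASELINE: run LISTER over ROOT and print entries
# that are not in BASELINE (a sorted file saved from a known-good run, e.g.
# "suid_list / > /root/suid.baseline"). Exit status 1 when anything new
# turned up, so the function can drive a cron alert.
baseline_diff() {
    lister=$1 root=$2 baseline=$3
    new=$("$lister" "$root" | comm -23 - "$baseline")
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# demo_perm_audit: exercise the functions on a constructed directory tree
demo_perm_audit() {
    d=$(mktemp -d)
    : > "$d/a"; chmod 4755 "$d/a"          # setuid file
    : > "$d/b"; chmod 2755 "$d/b"          # setgid file
    mkdir "$d/tmpdir"; chmod 1777 "$d/tmpdir"   # sticky, not reported
    mkdir "$d/open";   chmod 777 "$d/open"      # reported
    echo "== suid/sgid ==";        suid_list "$d"
    echo "== world-writable ==";   world_writable_list "$d"
    printf '%s\n' "$d/a" > "$d/baseline"
    echo "== new since baseline =="; baseline_diff suid_list "$d" "$d/baseline" || true
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo_perm_audit; fi
```

Save the baseline right after the hardening pass, keep it somewhere only root can write, and run baseline_diff from cron; a setuid binary that appears out of nowhere is exactly the kind of change you want to hear about.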

*******************************************************************************************************

20. Kernel Tunable Parameters

Add the following to the /etc/sysctl.conf configuration file to make the changes permanent across reboots:

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Increase the backlog queue size
net.ipv4.tcp_max_syn_backlog = 10240

# Decrease the total time we keep half-open connections in the backlog queue to 9 seconds
net.ipv4.tcp_synack_retries = 1

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0

# Enable IP spoofing protection (reverse-path filtering)
net.ipv4.conf.all.rp_filter = 1

# Log spoofed, source-routed and redirect packets
net.ipv4.conf.all.log_martians = 1

To activate the configured kernel parameters immediately at runtime, run:

# sysctl -p

*******************************************************************************************************

21. Modify Permission/Ownership of sysctl.conf (Kernel Runtime Configurator)

# chown root:root /etc/sysctl.conf

# chmod 600 /etc/sysctl.conf

*******************************************************************************************************

22. Audit permissions on key system log files in var/log

# ls -al /var/log

Remove the read and execute permissions for "other" on the log files. Most of these log files are owned by root, but an audit still needs to be done to ensure the integrity of the log files.

*******************************************************************************************************

23. Verify permissions on passwd, shadow, and group

# cd /etc

# ls -al group shadow passwd

This should show 644 permissions on passwd and group, and 400 on shadow (on cPanel boxes shadow should be 600).

*******************************************************************************************************

24. Cron permissions

Restrict cron/at to authorized users by creating the cron.allow and at.allow files. The cron.allow file only controls access to the crontab command for scheduling and modifying cron jobs (the paths below are absolute so the files land in /etc regardless of the current directory):

# echo root > /etc/cron.allow

# echo root > /etc/at.allow

# echo nobody >> /etc/cron.deny

# echo nobody >> /etc/at.deny

# chown root:root /etc/cron.allow /etc/at.allow

# chmod 400 /etc/cron.allow /etc/at.allow

The system crontab files are accessed by only the cron daemon (which runs with superuser privileges) and the crontab command (which has setuid to root). Allowing regular users to read or modify system crontab files can lead to elevated privileges. Therefore, do the following countermeasures:

# chown root:root /etc/crontab

# chmod 400 /etc/crontab

# chown -R root:root /var/spool/cron

# chmod -R go-rwx /var/spool/cron

Posted May 28, 2011 in Apache, cPanel, Cron, Security, Tips & Tricks, Unix/Linux

clamav_scan.sh

#!/bin/bash
###########################################################
## clamav_scan.sh ##
###########################################################
## Make a Directory /REPORTS ##
## Make a file msg.txt under /REPORTS Directory ##
## Write Following in msg.txt file ##
###########################################################
## Hi, ##
## The ClamAV Scan process of "/home" partition of the server has been completed. ##
## For ClamAV Scan Report, please check the attached clamav Report. ##
## Thanks & Regards, ##
## Unixserveradmin.com Security Team ##
###########################################################

# Compute the log name once: evaluating $(date) on every line, as the original
# did, splits the output over two files when a run crosses midnight
LOG="/REPORTS/clamav.log_$(date +%d%m%y)"

/bin/echo "==========================================================" > "$LOG"
/bin/echo "THE ClamAV Scan is started at $(date)" >> "$LOG"
/bin/echo "==========================================================" >> "$LOG"

/bin/echo "" >> "$LOG"
/bin/echo "" >> "$LOG"
/bin/echo "========================================================" >> "$LOG"
/bin/echo "ClamAV Update Logs:" >> "$LOG"
/bin/echo "--------------------------------------------------------" >> "$LOG"
/usr/bin/freshclam >> "$LOG"
/bin/echo "--------------------------------------------------------" >> "$LOG"

/bin/echo "" >> "$LOG"
/bin/echo "" >> "$LOG"
/bin/echo "========================================================" >> "$LOG"
/bin/echo "ClamAV Logs are as follows:" >> "$LOG"
/bin/echo "--------------------------------------------------------" >> "$LOG"
# --remove deletes every infected file found under /home; use --move=DIR to quarantine instead
/usr/bin/clamdscan --remove /home/ >> "$LOG"
/bin/echo "--------------------------------------------------------" >> "$LOG"
/bin/echo "--------------------------------------------------------" >> "$LOG"

/bin/echo "==================================================================" >> "$LOG"
/bin/echo "THE ClamAV Scan has been completed at $(date)" >> "$LOG"
/bin/echo "==================================================================" >> "$LOG"

mutt -s "ClamAV Scan REPORT $(hostname | tr 'a-z' 'A-Z')" -a "$LOG" -- unixserv@unixserveradmin.com < /REPORTS/msg.txt

mutt -s "ClamAV Scan REPORT $(hostname | tr 'a-z' 'A-Z')" -a "$LOG" -- info@unixserveradmin.com < /REPORTS/msg.txt

Posted May 6, 2011 in Security, Shell Script

flush_csf.sh

#!/bin/bash
#################################################
# Script for IP Block Remove Due to CSF Firewall
#################################################
# flush_csf.sh
#################################################
##### CSF - Flush All Block IP #####
echo "Flush All Block IP.."
cd /etc/csf/ || exit 1
# Empty the permanent and temporary ban lists
rm -vf csf.deny
rm -vf csf.tempban
touch csf.deny
touch csf.tempban
exit 0
#################################################

Posted May 3, 2011 in CSF, Firewall, Security, Shell Script

sysctl-tuner.sh

#!/bin/bash
###############################################
# Script for sysctl tuner
###############################################

# sysctlw KEY VALUE: append "KEY=VALUE" to /etc/sysctl.conf unless a line for
# KEY already exists. The match is anchored to the start of the line so that
# e.g. net.core.rmem_max does not count as a match for net.core.rmem_default.
function sysctlw {
    if ! grep -q -- "^${1}[[:space:]]*=" /etc/sysctl.conf; then
        echo "$1=$2" >> /etc/sysctl.conf
        echo "Added sysctl preference '$1'='$2'"
    fi
}

echo "Tuning network stack.."

sysctlw    "net.ipv4.ip_forward"                        "0"
sysctlw    "net.ipv4.conf.default.rp_filter"            "1"
sysctlw    "kernel.sysrq"                               "0"
sysctlw    "kernel.core_uses_pid"                       "0"
sysctlw    "net.ipv4.ipfrag_time"                       "30"
sysctlw    "net.core.rmem_default"                      "262141"
sysctlw    "net.core.rmem_max"                          "262141"
sysctlw    "net.ipv4.tcp_rmem"                          "4096 87380 174760"
sysctlw    "net.core.wmem_default"                      "262141"
sysctlw    "net.core.wmem_max"                          "262141"
sysctlw    "net.ipv4.tcp_wmem"                          "4096 16384 131072"
sysctlw    "net.ipv4.tcp_mem"                           "195584 196096 196608"
sysctlw    "net.core.optmem_max"                        "20480"
sysctlw    "net.ipv4.tcp_max_tw_buckets"                "360000"
sysctlw    "net.core.hot_list_length"                   "256"
sysctlw    "net.core.netdev_max_backlog"                "262144"
sysctlw    "net.core.somaxconn"                         "262144"
sysctlw    "net.ipv4.tcp_reordering"                    "3"
sysctlw    "net.ipv4.icmp_echo_ignore_broadcasts"       "1"
sysctlw    "net.ipv4.icmp_ignore_bogus_error_responses" "1"
sysctlw    "net.ipv4.tcp_synack_retries"                "2"
sysctlw    "net.ipv4.tcp_syn_retries"                   "3"
sysctlw    "net.ipv4.tcp_syncookies"                    "1"
sysctlw    "net.ipv4.tcp_timestamps"                    "0"
sysctlw    "net.ipv4.tcp_sack"                          "1"
sysctlw    "net.ipv4.tcp_window_scaling"                "1"
sysctlw    "net.ipv4.tcp_keepalive_time"                "1200"
sysctlw    "net.ipv4.tcp_fin_timeout"                   "15"
sysctlw    "net.ipv4.tcp_tw_recycle"                    "1"
sysctlw    "net.ipv4.conf.default.log_martians"         "1"
sysctlw    "net.ipv4.conf.all.log_martians"             "0"
sysctlw    "net.ipv4.conf.default.accept_redirects"     "0"
sysctlw    "net.ipv4.conf.all.accept_redirects"         "0"
sysctlw    "net.ipv4.conf.default.accept_source_route"  "0"
sysctlw    "net.ipv4.conf.all.accept_source_route"      "0"
sysctlw    "net.ipv4.conf.all.rp_filter"                "1"
sysctlw    "net.ipv4.conf.default.rp_filter"            "1"
sysctlw    "net.ipv4.conf.default.accept_source_route"  "0"
sysctlw    "net.ipv4.conf.default.send_redirects"       "0"
sysctlw    "net.ipv4.conf.default.mc_forwarding"        "0"
sysctlw    "net.ipv4.conf.default.forwarding"           "0"
sysctlw    "net.ipv4.conf.all.bootp_relay"              "0"
sysctlw    "net.ipv4.conf.all.proxy_arp"                "0"

#arp
sysctlw    "net.ipv4.neigh.default.gc_thresh3"          "2048"
sysctlw    "net.ipv4.neigh.default.gc_thresh2"          "1024"
sysctlw    "net.ipv4.neigh.default.gc_thresh1"          "32"
sysctlw    "net.ipv4.neigh.default.gc_interval"         "30"

sysctlw    "net.ipv4.neigh.default.proxy_qlen"          "96"
sysctlw    "net.ipv4.neigh.default.unres_qlen"          "6"

#tcp options
sysctlw    "net.ipv4.tcp_dsack"                         "0"
sysctlw    "net.ipv4.tcp_fack"                          "0"
sysctlw    "net.ipv4.tcp_ecn"                           "0"
sysctlw    "net.ipv4.tcp_max_syn_backlog"               "2048"
sysctlw    "net.ipv4.tcp_retries2"                      "15"
sysctlw    "net.ipv4.tcp_retries1"                      "3"
sysctlw    "net.ipv4.tcp_rfc1337"                       "1"
sysctlw    "net.ipv4.netfilter.ip_conntrack_max"        "1048576"
sysctlw    "net.nf_conntrack_max"                       "1048576"
sysctlw    "sunrpc.tcp_slot_table_entries"              "32"
sysctlw    "sunrpc.udp_slot_table_entries"              "32"
sysctlw    "net.unix.max_dgram_qlen"                    "50"
sysctlw    "net.core.netdev_max_backlog"                "1024"
sysctlw    "net.core.dev_weight"                        "64"

echo "Optimizing filesystem..."

sysctlw    "fs.file-max"                                "209708"
sysctlw    "kernel.ctrl-alt-del"                        "0"

echo "Optimizing kernel..."

sysctlw    "kernel.printk"                              "4 4 1 7"
sysctlw    "kernel.maps_protect"                        "1"
sysctlw    "vm.mmap_min_addr"                           "65536"
sysctlw    "vm.page-cluster"                            "6"
sysctlw    "kernel.shmmax"                              "67108864"

echo "Setting up host.conf..."

cp /etc/host.conf /etc/host.conf.bak

cat <<HOSTCONF >/etc/host.conf
order bind,hosts
multi on
nospoof on
HOSTCONF

# Load the file now (wait for it to finish rather than backgrounding it), then flush the route cache
/sbin/sysctl -p &>/dev/null
/sbin/sysctl -w net.ipv4.route.flush=1

echo "Disabling unneeded services..."

# Note: netfs is in this list, but step 6 of the hardening checklist above warns
# that disabling it breaks /scripts/securetmp on cPanel servers
for i in acpid anacron auditd autofs avahi-daemon bluetooth cpuspeed \
         cups gpm ip6tables irqbalance mcstrans netfs nfslock pcscd \
         portmap rpcgssd rpcidmapd setroubleshoot xfs; do
    service $i stop &>/dev/null
    chkconfig --level 3 $i off &>/dev/null
done
###############################################

Posted May 2, 2011 in Security, Shell Script

How to block a country using CSF

Log in to WHM and open the CSF configuration:

1. WHM
2. Plugins
3. ConfigServer Security & Firewall
4. Firewall Configuration

“OR”

1. Login via SSH

# vi /etc/csf/csf.conf

The setting you are looking for is "CC_DENY".

First, you will want to get a list of ISO country codes for the countries to deny:

http://www.countryipblocks.net/country-blocks/ “OR”

http://www.ipdeny.com/ipblocks/ “OR”

http://www.iana.org/domains/root/db/

For example, to deny the United States, Canada, China, Australia, and Mexico, you would specify:

US,CA,CN,AU,MX

CSF will then download the lists of IP ranges belonging to those countries and add them to a deny list, so no address from the United States, Canada, China, etc. will be able to connect.

Once you have changed this in your configuration, don't forget to restart your firewall to apply the new configuration.

Posted May 1, 2011 in CSF, Firewall, Security

How to allow only specific countries with CSF

Log in to WHM and open the CSF configuration:

1. WHM
2. Plugins
3. ConfigServer Security & Firewall
4. Firewall Configuration

“OR”

1. Login via SSH

# vi /etc/csf/csf.conf

The setting you are looking for is "CC_ALLOW_FILTER".

First, you will want to get a list of ISO Country Codes to allow.

http://www.countryipblocks.net/country-blocks/ “OR”

http://www.ipdeny.com/ipblocks/ “OR”

http://www.iana.org/domains/root/db/

For example, if you only wanted the United States, Canada, Great Britain, Australia, and Mexico to be whitelisted, you would specify:

US,CA,GB,AU,MX

CSF will then download the lists of IP ranges belonging to those countries, add them to a whitelist, and deny everything else, that is, all other countries' IP ranges. So India will not be able to connect to your server, Russia will not be able to connect, etc.

Before enabling this, make sure the addresses you administer the server from are covered (by one of the listed countries or by an entry in csf.allow); otherwise you lock yourself out along with everyone else.

Once you have changed this in your configuration, don't forget to restart your firewall to apply the new configuration.

Posted April 30, 2011 in CSF, Firewall, Security