UnixServerAdmin

Server Administration & Management

How to kill Multiple Processes In Linux

There are many cases where you want to kill multiple processes that match a certain pattern in their command line strings. For example, suppose you want to kill all processes that are running commands with keyword “javaxyz” in their arguments.

# ps aux | grep javaxyz

Here is a single command that will kill all processes at once that are matched with grep.

# kill -9 `ps aux | grep javaxyz | grep -v grep | awk '{print $2}'`

The command line inside the pair of backtick characters (i.e., ps aux … '{print $2}') prints the list of process IDs whose command lines match the grep pattern. The result is then used as the argument list of the outer kill command. The "grep -v grep" excludes the self match (the grep command itself) from the list of matched processes.

One caveat with this command: when you run it from a shell script, make sure the script is executed with bash, not sh.

If you run the following script with sh you will get a "kill: Illegal number:" error. The command inside the backticks returns a multi-line result, and sh does not appear to handle it, while bash does. So the following script should be fine:

#!/bin/bash
kill -9 `ps aux | grep javaxyz | grep -v grep | awk '{print $2}'`
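As an added example (not from the post), the same kill-by-pattern idea with the selection step split out so it can be tested on captured ps output: it matches the pattern against the command column only (so a user name or PID containing the pattern is not selected), skips its own helper processes and the calling script, and sends SIGTERM before SIGKILL. The sample ps output is constructed.

```shell
#!/bin/bash
# Added example: a safer version of `kill -9 $(ps aux | grep PATTERN | ...)`.

# Read "ps aux" style output on stdin and print the PIDs whose COMMAND column
# contains PATTERN (fixed string). Skips the header line, our own grep/awk
# helpers, and the PID of the calling shell (so a script whose argument is the
# pattern does not kill itself).
pids_matching() {
    awk -v pat="$1" -v self="$$" '
        NR == 1 { next }                      # USER PID %CPU ... COMMAND header
        {
            cmd = ""
            for (i = 11; i <= NF; i++) { sep = (i > 11) ? " " : ""; cmd = cmd sep $i }
            if (index(cmd, pat) == 0) next    # match the command line only
            if (cmd ~ /^(grep|awk|pgrep) /) next
            if ($2 == self) next
            print $2
        }'
}

# Terminate every live process matching PATTERN: SIGTERM first, then SIGKILL
# for whatever is still alive after GRACE seconds (default 5).
kill_matching() {
    pattern=$1
    grace=${2:-5}
    pids=$(ps aux | pids_matching "$pattern")
    [ -n "$pids" ] || { echo "no process matches '$pattern'" >&2; return 1; }
    echo "sending SIGTERM to: $pids"
    kill -TERM $pids 2>/dev/null
    sleep "$grace"
    for pid in $pids; do
        kill -0 "$pid" 2>/dev/null && { echo "SIGKILL $pid"; kill -KILL "$pid"; }
    done
}

# Constructed "ps aux" output for an offline demonstration of the selection step.
# Note the user named javaxyz running vim: the original grep would have matched
# that line too, and the grep line itself would have matched as well.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  19356  1544 ?        Ss   10:00   0:01 /sbin/init
app       2140  5.0  2.0 812345 20480 ?        Sl   10:05   1:12 /usr/bin/java -jar javaxyz-server.jar
app       2141  0.0  0.0  11000   900 ?        S    10:05   0:00 sh -c /opt/javaxyz/run.sh
javaxyz   2200  0.0  0.0  10000   800 pts/0    S+   10:06   0:00 vim notes.txt
root      2300  0.0  0.0   9000   700 pts/1    S+   10:07   0:00 grep javaxyz'

# Prints 2140 and 2141 only.
printf '%s\n' "$SAMPLE_PS" | pids_matching javaxyz
```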


Posted May 30, 2014 | Security, Tips & Tricks, Unix/Linux

How to disable WhatsApp Blue Ticks for Read Messages

Recently, WhatsApp quietly introduced a new feature that lets users know that their messages have been read, with the double grey ticks appearing in front of the messages turning blue and now, just as quietly, the mobile messaging service is letting users of its Android app disable the feature with the rollout of WhatsApp version 2.11.444. This version is available for users on WhatsApp’s website for now, and will eventually be rolled out to all users.

Here's how you can disable the blue read receipts shown with the message timestamp in WhatsApp's Android app:

1. Make sure that your smartphone is running Android 2.1 or a newer version.

2. Go to the Settings menu and enable 'Download from Unknown Sources' in the Security tab.

3. Go to the WhatsApp website and download the APK (application) file available under http://www.whatsapp.com/android/

4. Once the APK file is downloaded to your device, tap the 'Install' option.

5. Now that WhatsApp has been updated, select Settings -> Account -> Privacy.

6. Under the Privacy tab, uncheck the Read Receipts option.


This setting, however, doesn't apply to group messages, which will still let other participants know when you've read a message. Also, once you disable the feature, you won't be able to see the blue double ticks for the messages you send either.

The feature that let users see when their messages had been read didn't go down well with users, and with this update WhatsApp seems to be taking steps to please those who were not happy with it.

Posted May 10, 2014 | Security, Tips & Tricks

zombie_process.sh

#!/bin/bash
###########################################################
## zombie_process.sh ##
## A zombie (defunct) process cannot be killed itself; it goes away when
## its parent reaps it. Column 3 of "ps -ef" is the PPID, so this script
## collects the parents of defunct processes and kills them.
## "grep -v grep" keeps the grep helper's own parent out of the list.
###########################################################
for x in `ps -ef | grep defunct | grep -v grep | awk '{print $3}'` ; do
    echo $x
    kill -9 $x
done
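An added example (not part of the post) that handles zombies in two stages: it identifies each zombie's parent from `ps -eo pid,ppid,stat,comm` output (STAT starts with Z), asks the parent to reap with SIGCHLD, and only reports parents that still hold zombies afterwards instead of immediately sending kill -9. The ps output below is constructed.

```shell
#!/bin/sh
# Added example: find zombie parents and poke them before resorting to kill -9.

# Constructed "ps -eo pid,ppid,stat,comm" output for offline use.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
  900     1 Ss   cron
  901   900 Z    sh
  902   900 Z    sh
 1200     1 S    worker
 1201  1200 Z    child
 1300     1 S    sshd'

# Read ps output on stdin; print each zombie's parent PID once.
zombie_parents() {
    awk 'NR > 1 && $3 ~ /^Z/ && !seen[$2]++ { print $2 }'
}

# Read ps output on stdin; print "zombie_pid parent_pid comm" per zombie.
list_zombies() {
    awk 'NR > 1 && $3 ~ /^Z/ { print $1, $2, $4 }'
}

# Live run on the local system: ask each parent to reap, then show what is
# left. PID 1 is never signalled; a zombie parented by init is init's job.
reap_zombies() {
    for ppid in $(ps -eo pid,ppid,stat,comm | zombie_parents); do
        [ "$ppid" -gt 1 ] || continue
        echo "sending SIGCHLD to parent $ppid"
        kill -s CHLD "$ppid" 2>/dev/null
    done
    sleep 1
    left=$(ps -eo pid,ppid,stat,comm | list_zombies)
    if [ -n "$left" ]; then
        echo "zombies still present (parent is not reaping; restart or kill the parent):"
        echo "$left"
        return 1
    fi
}

# Prints 900 and 1200 for the sample above.
printf '%s\n' "$SAMPLE_PS" | zombie_parents
```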

Posted November 20, 2013 | Security, Shell Script, Tips & Tricks, Unix/Linux

How to Enable Secure SSL Protocol

A man-in-the-middle attacker can force the communication down to a less secure level and then attempt to break the weak encryption; the attacker can also truncate encrypted messages. This is possible because some servers still accept the SSLv2 protocol with low-strength ciphers, and SSLv2 has known flaws. These flaws were fixed in SSLv3 (and TLSv1). SSLv2 should therefore be disabled, MEDIUM or HIGH encryption ciphers must be used, and SSLv3 should be used instead of SSLv2.

# vim /etc/httpd/conf.d/ssl.conf

Remove or comment out the following lines:

Line No. 93:  SSLProtocol all -SSLv2
Line No. 98:  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Add the following lines (cipher-list keywords are case-sensitive, so the exclusion must be written !aNULL, not !aNull):

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM

# /etc/init.d/httpd restart

# chkconfig httpd on
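An added check (not from the post): a small audit of an ssl.conf that reports whether the effective SSLProtocol still enables SSLv2 or SSLv3 and whether the SSLCipherSuite string still admits LOW, EXP, RC4, aNULL, ADH or eNULL ciphers. It treats SSLv3 as weak too, since SSLv3 was itself broken later (POODLE, 2014). It reads the configuration on stdin and exits 1 when it finds something; the configs in the test are constructed from the lines above.

```shell
#!/bin/sh
# Added example: audit_ssl_conf < /etc/httpd/conf.d/ssl.conf
# Only the last uncommented SSLProtocol / SSLCipherSuite line counts; the
# cipher check is token-based (a "!X" token negates X, "ALL" pulls in the
# weak classes unless they are explicitly negated).

audit_ssl_conf() {
    awk '
        BEGIN {
            split("sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3", p, " ")
            for (i in p) known[p[i]] = 1
        }
        /^[[:space:]]*#/ { next }
        tolower($1) == "sslprotocol" {
            seen_proto = 1
            for (i = 2; i <= NF; i++) {
                tok = $i; sign = substr(tok, 1, 1)
                if (sign == "+" || sign == "-") tok = substr(tok, 2); else sign = "+"
                tok = tolower(tok)
                if (tok == "all") { for (k in known) on[k] = (sign == "+") }
                else on[tok] = (sign == "+")
            }
        }
        tolower($1) == "sslciphersuite" { seen_ciphers = 1; ciphers = $2 }
        function negated(c,  k) { for (k in neg) if (index(k, c)) return 1; return 0 }
        function listed(c,  k)  { for (k in pos) if (index(k, c)) return 1; return 0 }
        END {
            n = 0
            if (!seen_proto)   { print "SSLProtocol missing (mod_ssl then enables every protocol it was built with)"; n++ }
            if (on["sslv2"])   { print "SSLProtocol enables SSLv2"; n++ }
            if (on["sslv3"])   { print "SSLProtocol enables SSLv3"; n++ }
            if (!seen_ciphers) { print "SSLCipherSuite missing"; n++ }
            m = split(ciphers, t, ":")
            for (i = 1; i <= m; i++)
                if (substr(t[i], 1, 1) == "!") neg[substr(t[i], 2)] = 1; else pos[t[i]] = 1
            split("LOW EXP RC4 aNULL ADH", weak, " ")
            for (i = 1; i <= 5; i++) {
                c = weak[i]
                if (negated(c)) continue
                if (("ALL" in pos) || listed(c)) { print "SSLCipherSuite allows " c; n++ }
            }
            if (!negated("eNULL") && listed("eNULL")) { print "SSLCipherSuite allows eNULL"; n++ }
            exit (n > 0)
        }'
}
```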

Posted September 20, 2013 | Apache, Security

service_server.sh

#!/bin/bash
#################################
# service_server.sh
# Stop unwanted services (SysV init + chkconfig, as on RHEL/CentOS 5 and 6)
#################################
echo "Task Start Now !!!"

# Services switched off in runlevels 2 and 4 only. chkconfig's documented
# syntax puts "--level" before the service name. Note that sshd is in this
# list, so remote login is disabled in those runlevels. chkconfig prints an
# error for any service that is not installed; that is harmless.
for svc in cups rhnsd gssd rpcgssd rpcidmapd idmapd acpid iscsi iscsid kdump \
    cpuspeed mcstrans mdmonitor microcode_ctl multipathd ntpd avahi-daemon \
    httpd mysqld sshd ipsec lm_sensors irqbalance restorecond yum-updatesd \
    xinetd; do
    chkconfig --level 24 "$svc" off
done

# Services switched off in every runlevel.
for svc in isdn anacron sendmail autofs portmap readahead_early \
    readahead_later nfs ip6tables smartd kudzu netfs nfslock xfs apmd \
    bluetooth gpm hidd pcscd setroubleshoot dovecot haldaemon chargen ypbind \
    atd canna FreeWnn iiim mDNSResponder rpcimpad acpi; do
    chkconfig "$svc" off
done

echo "Task Successfully Done !!!"

Posted July 21, 2013 | Security, Shell Script

What is the difference between MD5 and SHA

MD5: 128-bit/16-byte digest. Somewhat faster than SHA.
SHA: 160-bit/20-byte digest. More secure because stronger against brute force attacks.

MD5 was developed by Professor Rivest (1994).
SHA (actually SHA-1) was developed by NIST (1994).

The MD5 algorithm is slightly cheaper to compute; however, MD5 is currently very vulnerable to collision attacks. Similarly, SHA-1 will most likely be very vulnerable to collision attacks in a few years, since there are now some attacks against it; security experts already consider SHA-1 broken because collision attacks are feasible.

The MD5 hashing algorithm uses a hash code which is 16 bytes long whereas SHA1 uses a hash code which is 20 bytes long.

This means that MD5 executes faster but is less secure than SHA1.

However, the security of both these algorithms has been compromised in recent years.

Cryptography Research has received many inquiries about the hash collision attacks that were recently announced at the CRYPTO 2004 conference. This document attempts to address these questions.

(This document was updated on February 16, 2005 to reflect new collision results reported against the SHA-1 algorithm.)

Q: What hash functions are now broken?
A: Collisions were announced in SHA-0, MD4, MD5, HAVAL-128, and RIPEMD. Antoine Joux presented the collision in SHA-0. The collisions against MD4, MD5, HAVAL-128, and RIPEMD were found by the Chinese researcher Xiaoyun Wang with co-authors Dengguo Feng, Xuejia Lai, and Hongbo Yu. (See http://eprint.iacr.org/2004/199.pdf.) In February 2005, an (as-yet unimplemented) attack against SHA-1 was reported by Xiaoyun Wang, Lisa Yiqun Yin, and Hongbo Yu that can find collisions in SHA-1 with an estimated effort of 2^69 hash computations.

Q: What is a collision attack and a preimage attack?
A: A preimage attack would enable someone to find an input message that causes a hash function to produce a particular output. In contrast, a collision attack finds two messages with the same hash, but the attacker can’t pick what the hash will be. The attacks announced at CRYPTO 2004 are collision attacks, not preimage attacks.

Q: What is the connection between digital signatures and hash functions?
A: All major digital signature signing techniques (including DSA and RSA) involve first hashing the data then signing the hash. Raw message data is not signed because of both performance and security reasons.

Q: How might an attacker exploit a collision attack?
A: To exploit a collision attack, an adversary would typically begin by constructing two messages with the same hash where one message appears legitimate or innocuous. For example, suppose the attacker (Charlie) discovers that the message “I, Bob, agree to pay Charlie $ 5000.00 on 4/12/2005.” has the same hash as “I, Bob, agree to pay Charlie $18542841.54 on 9/27/2012.” Charlie could then try to get Bob (the victim) to digitally sign the first message (e.g., by purchasing $5000 of goods). Charlie would then claim that Bob actually signed the second message, and “prove” this assertion by showing that Bob’s signature matches the second message.

Q: What are the implications of collision attacks for code signing systems?
A: Collisions can be a problem for systems that involve signed code. In particular, a collision attack can enable adversaries to construct an innocuous program and a malicious program with the same hash. For example, a trusted compiler/verifier might accept and sign the innocuous program, which could then be substituted for the malicious one. Collision attacks do not allow tampering with arbitrary programs; this would require a preimage attack. (Note: Java accepts MD5 hashes in signatures on JAR files, e.g. see http://www.hmug.org/man/1/jarsigner.html.)

Q: What are the implications for certificate authorities, such as those issuing SSL web server certificates containing MD5 or SHA-1 hashes?
A: Collision attacks do not enable tampering with existing certificates. There is, however, a concern that an adversary might be able to construct a valid certificate request that had a corresponding hash collision with a certificate conferring greater or different powers. For example, a devastating attack would be one that enabled adversaries to obtain a legitimate server certificate with a collision to one containing a wildcard for the domain name and an expiration date far in the future. The use of unpredictable serial numbers early in the certificate data structure may prevent such attacks, but further research is required. From a cryptographic perspective, the best solution to this problem is to transition away from MD5, but this is difficult since many CAs and software programs currently support MD5.

Q: Are all hash functions broken?
A: No. The new attacks affect specific hash functions which happen to share a related class of vulnerabilities. In particular, these attacks are all based on the neutral bit technique of Biham and Chen (see http://eprint.iacr.org/2004/146.ps). There is no evidence suggesting that strong hash functions cannot be constructed.

Q: How hard would it be to find collisions in SHA-1?
A: The reported attacks require an estimated work factor of 2^69 (approximately 590 billion billion) hash computations. While this is well beyond what is currently feasible using a normal computer, it is potentially feasible for attackers who have specialized hardware. For example, with 10,000 custom ASICs that can each perform 2 billion hash operations per second, the attack would take about one year. Computing improvements predicted by Moore's Law will make the attack more practical over time, e.g. making it possible for a widespread Internet virus to use compromised computers to mount such attacks as well. Once a collision has been found, additional collisions can be found trivially by concatenating data to the matching messages.

Q: Do these attacks break HMAC using MD5 or SHA-1?
A: No. Because of the way hash functions are used in the HMAC construction, the techniques used in these recent attacks do not apply.

Q: Do these attacks allow somebody to break tools that use MD5 or SHA-1 to check for malicious binaries?
A: Not usually, as this would require a preimage attack. It would, however, be possible for someone to construct an innocuous program and a malicious program with the same hash. If this adversary could get the innocuous version on the “good” list (e.g. by having a trusted authority sign the hash value), the malicious program would also be accepted.

Q: What is the difference between SHA-0 and SHA-1? Is SHA-0 widely used?
A: SHA-0 was initially proposed in FIPS 180 (May 1993) as a hashing standard by the U.S. government, but was replaced by SHA-1 in FIPS 180-1 (April 1995). SHA-1 adds an additional circular shift operation that appears to have been specifically intended to address the weaknesses found in SHA-0. SHA-0 is not widely used and should not be used in new systems. In light of the new attacks, careful consideration should be given before using SHA-1 in new systems.

Q: Is SSL 3.0/TLS affected by these results?
A: The SSL 3.0 protocol (which was co-authored by Cryptography Research President & Chief Scientist Paul Kocher) uses MD5 and SHA-1 in a redundant fashion in the handshake protocol and also supports MD5 HMAC. Neither use is affected by these attacks. While there is also some concern that signing authorities could be affected (see the question above on certificate authorities), certificate formats and procedures are beyond the scope of the SSL/TLS protocol.

Q: Can the problem be solved by updating hash function implementations to detect the messages that produce collisions?
A: No. The attack methods are general and enable the construction of additional collisions.

Posted June 16, 2013 | Shell Script, Tips & Tricks, Unix/Linux

How to hide web server version in Tomcat

Add the server attribute to the <Connector> element in Tomcat's server.xml (line 73 in the stock file) to replace the version string Tomcat would otherwise send in the Server response header:

# vim apache-tomcat/conf/server.xml

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           server="Tomcat" />

Posted April 7, 2013 | Security, Tips & Tricks, Tomcat

Protected: backup_script_encrypt.sh (in bzip2 format)


Posted March 18, 2013 | Security, Shell Script

Protected: backup_script_encrypt.sh (in tar.gz format)


Posted March 13, 2013 | Security, Shell Script

bzip2: (stdin): trailing garbage after EOF ignored

You may receive the following warning during extraction:

bzip2: (stdin): trailing garbage after EOF ignored

This seems harmless. You can get rid of it either by writing the archive to disk before transfer or by using gzip instead of bzip2. The archive still decompresses fine; tar apparently emits some additional bytes after the bzip2 stream when writing to stdout. I personally still use bzip2 with stdout, as the advantages (greater compression ratio, no temporary disk space required) outweigh the disadvantages.

Posted March 8, 2013 | Security, Tips & Tricks, Unix/Linux

Protected: backup_dump_encrypt.sh (in tar.gz format)


Posted March 3, 2013 | Security, Shell Script

Protected: backup_dump_encrypt.sh (in Bzip2 format)


Posted February 26, 2013 | Security, Shell Script

TCP Wrappers – Send Mail after deny SSH login

TCP Wrappers makes it possible to control and protect network services, limiting access and (optionally) logging every connection, which makes detecting and resolving problems easier. To set up TCP Wrappers you work with two access-control text files: /etc/hosts.allow and /etc/hosts.deny. The format of an entry in these files is: "daemon_list : client_list [ : shell_command ]"

# vim /etc/hosts.allow

sshd : 192.168.10.12/255.255.255.0 : spawn (echo -e "Connected from IP %h" | mutt -s "SSH Connection is Successful" unixserv@unixserveradmin.com) : ALLOW

# vim /etc/hosts.deny

sshd : ALL : spawn (echo -e "Access denied to external SSH Connection from IP %h " | mutt -s "Alert - SSH Connection Denied" unixserv@unixserveradmin.com) : DENY
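An added example (not part of the post) that dry-runs the two entries above offline: it evaluates "daemon : client : spawn (...) : ALLOW|DENY" lines in the order libwrap uses (hosts.allow first, then hosts.deny, otherwise allow), matches the client against ALL, an exact address, a "192.168.10." prefix or a net/mask pattern, and expands %h in the spawn command. The rule text and client addresses are constructed; on a real host, tcpdmatch(8) does this job against the live files.

```shell
#!/bin/sh
# Added example: evaluate hosts.allow / hosts.deny style rules offline.
# Assumptions: one entry per line, fields separated by " : ", a single daemon
# name or ALL, a single client pattern, and no " : " inside the spawn command.

ALLOW_RULES='sshd : 192.168.10.12/255.255.255.0 : spawn (echo -e "Connected from IP %h" | mutt -s "SSH Connection is Successful" unixserv@unixserveradmin.com) : ALLOW'
DENY_RULES='sshd : ALL : spawn (echo -e "Access denied to external SSH Connection from IP %h " | mutt -s "Alert - SSH Connection Denied" unixserv@unixserveradmin.com) : DENY'

# Dotted quad -> integer, so net/mask patterns can be compared with "&".
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# client_matches PATTERN ADDRESS -> exit 0 when PATTERN covers ADDRESS.
# Host bits set in the net part (192.168.10.12/255.255.255.0) are masked off,
# which is why the entry above covers the whole 192.168.10.0/24.
client_matches() {
    case $1 in
        ALL) return 0 ;;
        */*) net=${1%/*}; mask=${1#*/}
             [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq \
               $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *.)  case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# first_match RULES DAEMON ADDRESS -> prints the first rule that matches.
first_match() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        daemon=${rule%% : *}
        rest=${rule#* : }
        client=${rest%% : *}
        if { [ "$daemon" = ALL ] || [ "$daemon" = "$2" ]; } && client_matches "$client" "$3"; then
            printf '%s\n' "$rule"
            break
        fi
    done
}

# decide DAEMON ADDRESS -> line 1: ALLOW or DENY, line 2: expanded spawn command.
decide() {
    rule=$(first_match "$ALLOW_RULES" "$1" "$2")
    verdict=ALLOW
    if [ -z "$rule" ]; then
        rule=$(first_match "$DENY_RULES" "$1" "$2")
        verdict=DENY
        [ -n "$rule" ] || { echo ALLOW; return 0; }   # no rule at all: access granted
    fi
    # an explicit trailing ": ALLOW" / ": DENY" option overrides the file's default
    case $rule in *" : ALLOW") verdict=ALLOW ;; *" : DENY") verdict=DENY ;; esac
    cmd=${rule#* : * : }                 # drop the daemon and client fields
    cmd=${cmd% : ALLOW}; cmd=${cmd% : DENY}
    # %h is the client host name or address; only the address is known here
    cmd=$(printf '%s\n' "$cmd" | sed "s/%h/$2/g")
    printf '%s\n%s\n' "$verdict" "$cmd"
}

decide sshd 192.168.10.50
decide sshd 10.0.0.5
```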

Posted February 21, 2013 | Security, SSH, Tips & Tricks, Unix/Linux

How to disable users from logging into the server, except the administrator (root)

In cases where you have to disable login for all users except root, for example while taking a backup, use pam_nologin.so.

1) Edit the PAM file for the service you want to control. In this example I modify the ssh PAM control file, located at /etc/pam.d/sshd, and add the line:

# vim /etc/pam.d/sshd

account required pam_nologin.so

2) Create the /etc/nologin file; just do "touch /etc/nologin":

# touch /etc/nologin

This should disable the login from ssh. If you want to disable the login from terminal, modify the /etc/pam.d/login file.

3) To re-enable logins, just remove /etc/nologin:

# rm -rvdf /etc/nologin

Posted February 16, 2013 | Security, SSH, Tips & Tricks, Unix/Linux

Lynis – Security & System auditing tool

Lynis is an auditing tool for Unix specialists. It scans the system configuration and creates an overview of system information and security issues usable by professional auditors. The software aims to assist the automated auditing of Unix-based systems and can be used alongside other software, like security scanners, system benchmarking and fine-tuning tools.

Examples of audit tests:
– Available authentication methods
– Expired SSL certificates
– Outdated software
– User accounts without password
– Incorrect file permissions
– Firewall auditing

Steps to run Lynis without installing it; download the source from:

# wget http://www.rootkit.nl/files/lynis-1.3.0.tar.gz
# mkdir /usr/local/lynis
# tar -xvf lynis-1.3.0.tar.gz
# cd lynis-1.3.0
# sh lynis -c

Without parameters, Lynis prints the list of valid parameters and returns to the shell prompt. At least the '-c' (--check-all) parameter is needed to start the scan.

Posted January 27, 2013 | Security, Tips & Tricks, Unix/Linux

How to Check if antivirus software is working

To test whether your anti-virus is working, create a new text file (using Notepad, for example) and paste the following line:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Save the file as 'eicar.com'; your anti-virus should alert you of a virus infection if it is working as it should.

The file itself is harmless and is just the standard way to test anti-virus software. EICAR stands for 'European Institute for Computer Anti-virus Research'. If your anti-virus software did not alert you, it should at least prevent you from running the file.

Posted September 14, 2012 | Security, Tips & Tricks

How to check for duplicate IP addresses in your subnet

Create and execute a script as shown below to check for duplicate IP in example: 192.168.1.0/24 subnet.

#!/bin/bash
###############################################################
# duplicate.sh
# Probe every host address of a /24 with "arping -D" (duplicate address
# detection). arping -D exits 0 when nobody answered (address free) and
# non-zero when some host replied, i.e. the address is already in use.
# The network and interface can be given as arguments; the defaults match
# the subnet used in this script (172.16.1.0/24 on eth0).
###############################################################
NET=${1:-172.16.1}        # first three octets of the /24 to probe
IFACE=${2:-eth0}
for i in $(seq 1 254); do
    if ! arping -q -D -I "$IFACE" -c 2 "${NET}.${i}"; then
        echo "${NET}.${i} duplicate"
    fi
done
###############################################################

Posted September 9, 2012 | Security, Shell Script, Tips & Tricks, Unix/Linux

sysctl-tunner-update.sh

#!/bin/bash
##############################################################################
# sysctl-tunner-update.sh
#
# sysctl is an interface that allows you to make changes to a running Linux
# kernel. With /etc/sysctl.conf you can configure various Linux networking and
# system settings such as:
#   1. Limit network-transmitted configuration for IPv4
#   2. Limit network-transmitted configuration for IPv6
#   3. Turn on ExecShield protection
#   4. Prevent against the common 'syn flood attack'
#   5. Turn on source IP address verification
#   6. Prevent a cracker from using a spoofing attack against the IP address
#      of the server
#   7. Log several types of suspicious packets, such as spoofed packets,
#      source-routed packets and redirects
#
# The sysctl command is used to modify kernel parameters at runtime.
# /etc/sysctl.conf is a text file containing sysctl values to be read in and
# set by sysctl at boot time.
#
# Keys that do not exist on your kernel (for example the RHEL-only
# kernel.exec-shield, or net.core.hot_list_length and kernel.maps_protect,
# which were dropped from the kernel long ago) make "sysctl -p" print an error
# for that line; remove them from /etc/sysctl.conf in that case.
##############################################################################

# Append "key=value" to /etc/sysctl.conf unless an uncommented line for that
# key is already present. The match is anchored to the key name and the dots
# are escaped so that they are not treated as regex wildcards.
function sysctlw {
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    if ! grep -qE "^[[:space:]]*${key_re}[[:space:]]*=" /etc/sysctl.conf; then
        echo "$1=$2" >> /etc/sysctl.conf
        echo "Added sysctl preference '$1'='$2'"
    fi
}

echo "Tuning network stack.."

# Controls IP packet forwarding
sysctlw "net.ipv4.ip_forward"                        "0"
sysctlw "net.ipv4.conf.default.rp_filter"            "1"

# Controls the System Request debugging functionality of the kernel
sysctlw "kernel.sysrq"                               "0"
sysctlw "kernel.core_uses_pid"                       "0"
sysctlw "net.ipv4.ipfrag_time"                       "30"
sysctlw "net.core.rmem_default"                      "262141"
sysctlw "net.core.rmem_max"                          "12582912"
sysctlw "net.ipv4.tcp_rmem"                          "10240 87380 12582912"
sysctlw "net.core.wmem_default"                      "262141"
sysctlw "net.core.wmem_max"                          "12582912"
sysctlw "net.ipv4.tcp_wmem"                          "10240 87380 12582912"
sysctlw "net.ipv4.tcp_mem"                           "195584 196096 196608"
sysctlw "net.core.optmem_max"                        "20480"
sysctlw "net.ipv4.tcp_max_tw_buckets"                "360000"
sysctlw "net.core.hot_list_length"                   "256"

# Maximum number of packets queued on the INPUT side when the interface
# receives packets faster than the kernel can process them. (sysctlw writes
# each key once, so this is the value that takes effect.)
sysctlw "net.core.netdev_max_backlog"                "262144"
sysctlw "net.core.somaxconn"                         "262144"
sysctlw "net.ipv4.tcp_reordering"                    "3"

# Ignore all ICMP ECHO and TIMESTAMP requests sent via broadcast/multicast
sysctlw "net.ipv4.icmp_echo_ignore_broadcasts"       "1"
sysctlw "net.ipv4.icmp_ignore_bogus_error_responses" "1"

# SYN-ACK and SYN retry counts
sysctlw "net.ipv4.tcp_synack_retries"                "2"
sysctlw "net.ipv4.tcp_syn_retries"                   "3"

# Prevent against the common 'syn flood attack' (TCP syncookies)
sysctlw "net.ipv4.tcp_syncookies"                    "1"

# Enable timestamps as defined in RFC1323
sysctlw "net.ipv4.tcp_timestamps"                    "1"

# Enable selective acknowledgments
sysctlw "net.ipv4.tcp_sack"                          "1"

# By default, TCP saves various connection metrics in the route cache when the
# connection closes, so that connections established in the near future can use
# these to set initial conditions. Usually this increases overall performance,
# but it may sometimes cause performance degradation. If set, TCP will not
# cache metrics on closing connections.
sysctlw "net.ipv4.tcp_no_metrics_save"               "1"

# Turn on window scaling, which can be an option to enlarge the transfer window
sysctlw "net.ipv4.tcp_window_scaling"                "1"
sysctlw "net.ipv4.tcp_keepalive_time"                "1200"
sysctlw "net.ipv4.tcp_fin_timeout"                   "15"
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12
sysctlw "net.ipv4.tcp_tw_recycle"                    "1"
sysctlw "net.ipv4.conf.default.log_martians"         "1"

# Log packets with impossible addresses to the kernel log? yes
sysctlw "net.ipv4.conf.all.log_martians"             "1"
sysctlw "net.ipv4.conf.default.accept_redirects"     "0"

# Accept redirects? No, this is not a router
sysctlw "net.ipv4.conf.all.accept_redirects"         "0"
sysctlw "net.ipv4.conf.all.secure_redirects"         "0"

# Accept packets with the SRR option (source routing)? No
sysctlw "net.ipv4.conf.all.accept_source_route"      "0"
sysctlw "net.ipv4.conf.default.accept_source_route"  "0"

# Enable source validation by reversed path, as specified in RFC1812
sysctlw "net.ipv4.conf.all.rp_filter"                "1"

# Send redirects if a router, but this is just a server
sysctlw "net.ipv4.conf.default.send_redirects"       "0"
sysctlw "net.ipv4.conf.default.mc_forwarding"        "0"
sysctlw "net.ipv4.conf.default.forwarding"           "0"
sysctlw "net.ipv4.conf.all.bootp_relay"              "0"
sysctlw "net.ipv4.conf.all.proxy_arp"                "0"

# ARP neighbour table sizing and garbage collection
sysctlw "net.ipv4.neigh.default.gc_thresh3"          "2048"
sysctlw "net.ipv4.neigh.default.gc_thresh2"          "1024"
sysctlw "net.ipv4.neigh.default.gc_thresh1"          "32"
sysctlw "net.ipv4.neigh.default.gc_interval"         "30"
sysctlw "net.ipv4.neigh.default.proxy_qlen"          "96"
sysctlw "net.ipv4.neigh.default.unres_qlen"          "6"

# TCP options
sysctlw "net.ipv4.tcp_dsack"                         "0"
sysctlw "net.ipv4.tcp_fack"                          "0"
sysctlw "net.ipv4.tcp_ecn"                           "0"
sysctlw "net.ipv4.tcp_max_syn_backlog"               "2048"
sysctlw "net.ipv4.tcp_retries2"                      "15"
sysctlw "net.ipv4.tcp_retries1"                      "3"
sysctlw "net.ipv4.tcp_rfc1337"                       "1"
sysctlw "net.ipv4.netfilter.ip_conntrack_max"        "1048576"
sysctlw "net.nf_conntrack_max"                       "1048576"
sysctlw "sunrpc.tcp_slot_table_entries"              "32"
sysctlw "sunrpc.udp_slot_table_entries"              "32"
sysctlw "net.unix.max_dgram_qlen"                    "50"
sysctlw "net.core.dev_weight"                        "64"

# Enable ExecShield protection (RHEL kernels) and address space randomisation
sysctlw "kernel.exec-shield"                         "1"
sysctlw "kernel.randomize_va_space"                  "1"

echo "Optimizing filesystem..."

sysctlw "fs.file-max"                                "209708"
sysctlw "kernel.ctrl-alt-del"                        "0"

echo "Optimizing kernel..."

sysctlw "kernel.printk"                              "4 4 1 7"
sysctlw "kernel.maps_protect"                        "1"
sysctlw "vm.mmap_min_addr"                           "65536"
sysctlw "vm.page-cluster"                            "6"
sysctlw "kernel.shmmax"                              "67108864"

echo "Setting up host.conf..."

cp /etc/host.conf /etc/host.conf.bak

cat <<HOSTCONF >/etc/host.conf
order bind,hosts
multi on
nospoof on
HOSTCONF

# Load the settings in the foreground so that errors for unknown keys are seen
/sbin/sysctl -p
/sbin/sysctl -w net.ipv4.route.flush=1

echo "Disabling unneeded services..."

for i in acpid anacron auditd autofs avahi-daemon bluetooth cpuspeed \
    gpm ip6tables irqbalance mcstrans netfs nfslock pcscd \
    portmap rpcgssd rpcidmapd setroubleshoot xfs; do
    service $i stop &>/dev/null
    chkconfig --level 3 $i off &>/dev/null
done

Posted August 10, 2012 | Security, Shell Script

How to stop website to get injected from hackers using .htaccess

Nowadays it is very easy for bots to inject content into a forum. You can protect your forum by placing the following rules in your .htaccess:

# Worm sign
BrowserMatchNoCase SpammerRobot bad_bot
BrowserMatchNoCase SecurityHoleRobot bad_bot

# spam bots
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^ExtractorPro" bad_bot
SetEnvIfNoCase User-Agent "^CherryPicker" bad_bot
SetEnvIfNoCase User-Agent "^NICErsPRO" bad_bot
SetEnvIfNoCase User-Agent "^Teleport" bad_bot
SetEnvIfNoCase User-Agent "^EmailCollector" bad_bot

# plagiarism bot
SetEnvIfNoCase User-Agent "^TurnitinBot" bad_bot

# IP bot
SetEnvIfNoCase User-Agent "^NPBot" bad_bot

# Worm sign (the "^lwp" pattern already covers "^lwp-trivial" and, being
# case-insensitive, "^LWP" and "^LWP::Simple"; they are kept for clarity)
SetEnvIfNoCase User-Agent "^LWP::Simple" bad_bot
SetEnvIfNoCase User-Agent "^lwp-trivial" bad_bot
SetEnvIfNoCase User-Agent "^lwp" bad_bot
SetEnvIfNoCase User-Agent "^LWP" bad_bot

# Anti-clickjacking defence. "set" rather than "append": a second value would
# yield "DENY, DENY", which browsers reject as invalid.
Header set X-Frame-Options "DENY"

# Refuse requests flagged above (Apache 2.2 syntax; Apache 2.4 uses
# "Require not env bad_bot" inside a <RequireAll> block instead)
Order Deny,Allow
Deny from env=bad_bot
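As an added example (not from the post), the same anchored, case-insensitive User-Agent checks applied to access-log lines, to see which requests the rules above would have refused and which slip past the "^" anchor (an agent that merely contains the bot name later in the string is not matched). The log lines are constructed; the names come from the rules above.

```shell
#!/bin/sh
# Added example: replay the .htaccess bad_bot User-Agent rules over an access log.

# Constructed combined-format access log lines.
SAMPLE_LOG='10.0.0.1 - - [28/Apr/2012:10:00:00 +0000] "GET /forum/ HTTP/1.1" 200 512 "-" "EmailSiphon/1.0"
10.0.0.2 - - [28/Apr/2012:10:00:01 +0000] "GET /forum/post.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.3 - - [28/Apr/2012:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "LWP::Simple/6.00"
10.0.0.4 - - [28/Apr/2012:10:00:03 +0000] "GET /forum/ HTTP/1.1" 200 512 "-" "lwp-trivial/1.41"
10.0.0.5 - - [28/Apr/2012:10:00:04 +0000] "GET /forum/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; EmailWolf 1.00)"'

# The SetEnvIfNoCase names joined into one alternation. As in the rules, "^"
# means the agent string must START with the name.
BAD_BOT_RE='^(EmailSiphon|EmailWolf|ExtractorPro|CherryPicker|NICErsPRO|Teleport|EmailCollector|TurnitinBot|NPBot|LWP::Simple|lwp-trivial|lwp)'

# Read log lines on stdin; print "count user-agent" for the agents the rules
# flag. Splitting on double quotes puts the User-Agent in field 6.
flagged_agents() {
    awk -F'"' -v re="$BAD_BOT_RE" '
        tolower($6) ~ tolower(re) { hits[$6]++ }
        END { for (ua in hits) print hits[ua], ua }' | sort -rn
}

# Total number of requests that "Deny from env=bad_bot" would have refused.
flagged_count() {
    awk -F'"' -v re="$BAD_BOT_RE" 'tolower($6) ~ tolower(re) { n++ } END { print n + 0 }'
}

# Three lines are flagged; the EmailWolf agent that does not start with the
# name is not, which shows the limit of the anchored patterns.
printf '%s\n' "$SAMPLE_LOG" | flagged_agents
```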

Posted April 28, 2012 | htaccess, Security

How to detect domain being Attacked or Attacking Out in cPanel

How do we find out which domain is being attacked, or attacking out, from/to the server? No matter how it happened, we need to stop it and make the server stable again. It is best to do this in real time, within the time frame in which the server is being attacked or is attacking others, so that we can gather enough information, proof and logs. It is also recommended to document your troubleshooting process for your own reference; believe me, you will need it in future.

As for me, I do the basic checks below:

1. Check overall server load summary using top command:

# top -c

2. Using the same command, we can see which process is taking the most resources by sorting by memory (Shift+M) or by CPU usage (Shift+P).

3. Check the network and analyse which connections are flooding your server. The following commands might be useful:

3.1 Count and sort the network connections to the server by remote address:

# netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

3.2 If you have APF installed and use a kernel older than 2.6.20, you can check the connection tracking table:

# cat /proc/net/ip_conntrack | cut -d ' ' -f 10 | cut -d '=' -f 2 | sort | uniq -c | sort -nr | head -n 10

3.3 Use tcpdump to analyse the packets transmitted from/to your server. The following command might help to analyse connections on the eth0 interface, port 53 (DNS), printing the names queried:

# tcpdump -vvxXlnni eth0 port 53 | grep 'A?' | awk -F'?' '{print $2}'

4. Analyse the Apache status page at WHM -> Server Status -> Apache Status. To do this via the command line, run:

# service httpd fullstatus

5. Analyse the daily process logs at WHM -> Server Status -> Daily Process Logs. Find the top 5 users that consume the most CPU, memory and SQL processes.

After that, we should see some suspected account/process/user occupying a lot of resources, either CPU, memory or network connections.
Up to this point, we should be able to shortlist the suspected accounts.

Then, for each suspected account, take the steps below:

6. Scan the public_html directory of the suspected user with an anti-virus. We can use ClamAV, but make sure the virus definitions are updated before we do this:

6.1 Update the ClamAV virus definitions:

# freshclam

6.2 Scan the public_html directory of the suspected user recursively with scan result logged to scanlog.txt:

# cd /home/user/public_html

# clamscan -i -r -l scanlog.txt &

6.3 Analyse any suspected files found by ClamAV and quarantine them. Make sure the files cannot be executed by chmod-ing them to 600.

7. Find any PHP files with suspicious characteristics, such as base64-encoded code, and store the list in a text file called scan_base64.txt. The following command might help (--include restricts the recursive search to .php files; a bare *.php would only recurse into directories with that name):

# cd /home/user/public_html

# grep -lir --include='*.php' "eval(base64" . > scan_base64.txt

8. Scan the raw Apache access logs for any suspicious activity. The following command might help to find scripting activity in all domains via Apache:

# find /usr/local/apache/domlogs -type f -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;

9. Analysing AWStats and bandwidth usage also gives more clues. Go to cPanel > suspected domain > Logs > Awstats. In the AWStats page, check the Hosts, Pages-URL or any related section.

There are various ways to carry out this task. As for me, the steps above should be enough to detect any domain/account which is attacking out or being attacked. Different administrators might use different approaches to produce the same result.
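An added example (not from the post) for the connection count in step 3.1: the same "connections per remote address" report done with awk instead of cut, so that IPv6 peers (whose addresses contain ':' themselves), listening sockets and the netstat header are handled, plus a per-state variant that singles out SYN_RECV connections, the usual sign of a SYN flood. It reads "netstat -an" style output on stdin; the sample below is constructed.

```shell
#!/bin/sh
# Added example: count foreign peers from "netstat -an" output.

# Constructed netstat -an output (IPv4 and IPv6, one listener, one UDP socket).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.5:80             203.0.113.9:51234       ESTABLISHED
tcp        0      0 10.1.1.5:80             203.0.113.9:51235       SYN_RECV
tcp        0      0 10.1.1.5:80             203.0.113.9:51236       SYN_RECV
tcp        0      0 10.1.1.5:22             198.51.100.7:40000      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:44000     ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:44001     ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# Print "count address" for every foreign peer, busiest first. Listening
# sockets (foreign address ending in "*") and header lines are skipped, and
# only the trailing ":port" is removed, which keeps IPv6 addresses intact.
top_peers() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ && $5 !~ /\*$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)
            count[peer]++
        }
        END { for (p in count) print count[p], p }' | sort -rn
}

# Same report restricted to TCP connections in STATE, e.g. SYN_RECV.
peers_in_state() {
    awk -v st="$1" '
        $1 ~ /^tcp6?$/ && $6 == st { peer = $5; sub(/:[0-9]+$/, "", peer); c[peer]++ }
        END { for (p in c) print c[p], p }' | sort -rn
}

printf '%s\n' "$SAMPLE_NETSTAT" | top_peers
printf '%s\n' "$SAMPLE_NETSTAT" | peers_in_state SYN_RECV
```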

Posted March 5, 2012 | cPanel, Security