Types of Proxies

Posted on January 30th, 2007 by Admin.
Categories: Hacking Truths, Server Security, Web Technologies.

Types of proxies:

1. Anonymous: any proxy that does not leak information which could identify the user's real IP address.

2. SSL (HTTPS): these proxies support SSL and can therefore be used to log into most sites. While connected to a host through SSL, the proxy is always considered to be anonymous.

3. Transparent: any proxy that, through any number of factors, reveals the user's IP address to the target web server.

4. Filtered: these proxies have been filtered to remove gateway duplicates.


How to block IP address on server using Iptables or Ipchains ?

Posted on December 29th, 2006 by Alex P.
Categories: Server Security.

Greetings,

If you want to block access to your server for whatever reason, you will need to log into the shell as root. Your server should have either ipchains or iptables to accomplish this.

In this example, the attacking IP is 192.168.56.210.

If you are using ipchains, type: ipchains -A input -j DENY -p all -l -s 192.168.56.210/32

If you are using iptables, type: iptables -A INPUT -s 192.168.56.210/32 -j DROP

If you only want to block access to one port from an IP:

iptables -A INPUT -s 192.168.56.210/32 -p tcp --destination-port 23 -j DROP

The above would drop all packets from 192.168.56.210/32 to port 23 (telnet) on the server.

Alex P.

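A small wrapper around the two rules in this post, as an added example that is not part of the original post: it validates the address and the optional port before they reach the iptables command line, inserts the rule at the top of INPUT instead of appending it, and only prints the command when DRY_RUN is set. It assumes iptables is on PATH and that it runs as root when DRY_RUN is empty; the function names are my own.

```shell
# Added example, not from the original post: validate the address (and optional port)
# before it reaches the iptables command line, then insert a DROP rule at the top of
# INPUT. Assumes iptables on PATH and root privileges unless DRY_RUN is set.

# is_ipv4_cidr ADDR[/PREFIX] -> exit 0 for a dotted quad with an optional /0-/32 prefix
is_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: treat as a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only: no glob chars below
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_rule ADDR [PORT] -> prints the iptables arguments for the post's two rules
block_rule() {
    is_ipv4_cidr "$1" || { echo "invalid address: $1" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        case "$2" in ''|*[!0-9]*) echo "invalid port: $2" >&2; return 1 ;; esac
        [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "invalid port: $2" >&2; return 1; }
        echo "-I INPUT -s $1 -p tcp --destination-port $2 -j DROP"
    else
        echo "-I INPUT -s $1 -j DROP"
    fi
}

# block_ip ADDR [PORT] -> applies the rule, or only prints it when DRY_RUN is set
block_ip() {
    args=$(block_rule "$@") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $args"
    else
        iptables $args      # word splitting of $args is intended here
    fi
}

# is_blocked ADDR/PREFIX -> exit 0 if INPUT already holds the DROP rule; pass the address
# in the form iptables prints it (a single host as x.x.x.x/32).
is_blocked() {
    iptables -S INPUT | grep -qF -- "-s $1 -j DROP"
}

# usage: DRY_RUN=1 block_ip 192.168.56.210/32 23
```

Inserting with -I matters on hosts whose INPUT chain starts with an ACCEPT for established connections: an appended DROP sits behind that rule and never sees packets from a connection that is already open. If you keep the rule across reboots with the RHEL-style init script, run `service iptables save` before any `service iptables restart`, since restart reloads /etc/sysconfig/iptables and discards unsaved runtime rules.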

How to check for a DDoS attack on a server?

Posted on December 26th, 2006 by Alex P.
Categories: Server Security.

A quick and useful command for checking whether a server is under DDoS is:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs holding the most connections to the server. Keep in mind that DDoS attacks are becoming more sophisticated and use fewer connections from a larger number of attacking IPs, so you may still see a low number of connections per IP even while you are under a DDoS.

Another very important thing to look at is how many active connections your server is currently processing.

netstat -n | grep :80 | wc -l

netstat -n | grep :80 | grep SYN | wc -l

The first command shows the number of active connections open to your server. Many of the attacks typically seen work by starting a connection to the server and then never replying, making the server wait for it to time out. The number of active connections from the first command will vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100 you are having trouble with a SYN attack.

To block a certain IP address on the server, use the following commands:

—————–command——————————

route add ipaddress reject

for example: route add 192.168.0.168 reject

You can check whether a given IP is blocked on the server with the following command:

route -n | grep IPaddress

—————–command——————————

OR

use the following command to block an IP with iptables on the server:
—————–command——————————
iptables -A INPUT -s IPADDRESS -j DROP   (or -j REJECT)

service iptables restart

service iptables save

—————–command——————————

Then kill all httpd processes and restart the httpd service with the following commands:

killall -KILL httpd

service httpd startssl
Regards,

Alex

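The same checks as the netstat pipelines above, written as shell functions over a constructed `netstat -an` sample, as an added example that is not part of the original post. It differs from the one-liners in three ways a practitioner would want: listening sockets are skipped, IPv6 peers are not cut at their first colon, and only sockets whose local port is 80 are counted (not outbound connections to somebody else's port 80), with SYN_RECV as the half-open state rather than any line containing "SYN". The thresholds are the post's rules of thumb; the sample addresses are made up and the column layout assumed is the Linux net-tools one (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State).

```shell
# Added example, not from the original post. Constructed netstat -an output; on a live
# host replace the printf calls with "netstat -an" (or "ss -tan" on newer systems).
NETSTAT_SAMPLE=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.168.56.210:51000    SYN_RECV
tcp        0      0 10.0.0.5:80             192.168.56.210:51001    SYN_RECV
tcp        0      0 10.0.0.5:80             192.168.56.210:51002    ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:40000       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:40001       ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:33000      ESTABLISHED
tcp        0      0 10.0.0.5:55000          198.51.100.80:80        ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:ff::1:60000    SYN_RECV
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
)

# top_remote_ips: reads netstat output on stdin and prints "count host", busiest first.
# Listening sockets (foreign address ending in ":*") are skipped, and the port is
# removed after the LAST colon so an IPv6 peer counts as one host.
top_remote_ips() {
    awk '$1 ~ /^(tcp|udp)/ && $5 !~ /:\*$/ {
             host = $5; sub(/:[^:]*$/, "", host); print host
         }' | sort | uniq -c | sort -rn
}

# http_connections: non-listening TCP sockets whose LOCAL port is 80. A plain "grep :80"
# also counts the LISTEN entry and outbound connections to a remote port 80.
http_connections() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" { n++ } END { print n + 0 }'
}

# http_half_open: port-80 sockets stuck in SYN_RECV, the state a SYN flood leaves behind.
http_half_open() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }'
}

# assess ACTIVE HALF_OPEN: the post's rules of thumb (more than 500 active connections,
# more than 100 half-open) reduced to a one-word verdict.
assess() {
    if [ "$2" -gt 100 ]; then
        echo syn-flood
    elif [ "$1" -gt 500 ]; then
        echo overloaded
    else
        echo normal
    fi
}

# ddos_report: run all three checks against the sample and print a summary line.
ddos_report() {
    active=$(printf '%s\n' "$NETSTAT_SAMPLE" | http_connections)
    half=$(printf '%s\n' "$NETSTAT_SAMPLE" | http_half_open)
    printf '%s\n' "$NETSTAT_SAMPLE" | top_remote_ips | head -n 3
    echo "active=$active half_open=$half verdict=$(assess "$active" "$half")"
}
```

On the sample, 192.168.56.210 is the busiest peer with three sockets, five connections sit on local port 80 and three of those are half-open, so the verdict is "normal" at these counts; the same numbers in the hundreds trip the post's thresholds.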

Important command: Rsync

Posted on December 26th, 2006 by Alex P.
Categories: Cpanel Hosting, Server Security, Linux.

What is Rsync?

Rsync is a very useful alternative to rcp, written by Andrew Tridgell and Paul Mackerras. It is mainly used for taking backups on a regular basis, but it can also be configured to upload large portals and other data to remote servers. It is a great method for backups because it is low on bandwidth, and it is also commonly used to keep clustered servers in step. It is very similar to rcp but has many more features. It is based on a remote-update protocol, which means it only looks at the differences between the source and destination files: if a file has changed it is backed up, otherwise it is left alone. The difference may be just the time stamp, i.e. the date on which the file was modified or created has changed. This is what speeds up transfers even when they run to several gigabytes.

Rsync configuration files

There are three configuration files for running an rsync server:
1. /etc/rsyncd.conf
2. /etc/rsyncd.pid
3. /etc/rsyncd.secrets

1) /etc/rsyncd.conf

When you run rsync in --daemon mode, /etc/rsyncd.conf is its runtime configuration file (also when it is started through the inetd daemon). This way rsync becomes an rsync server listening on TCP port 873. Connections from rsync clients are accepted for either anonymous or authenticated rsync sessions. The rsyncd.conf file controls authentication, access, logging and the available modules.

2) /etc/rsyncd.secrets

This file holds the username and password with a colon in between, on the client side, i.e.:

username : yourpassword

3) /etc/rsyncd.pid

Create this as an empty file; it is where the daemon records its process information.

The general form is:

rsync source destination

A few real life examples are:

rsync -vrplogDtH /old/var/named/ /var/named/

That will sync the /old/var/named/ directory to the /var/named/ directory on the same server.

If you want to use rsync to go between servers then use the following:

rsync -ave ssh root@192.168.0.1:/backup/ /backup/

That will take the backup directory on 192.168.0.1 and copy it to the server the command is run from. The command will also accept a remote destination if you adjust the command line accordingly. Below is the readout of rsync --help, which also shows more of the command options available:

Usage: rsync [OPTION]... SRC [SRC]... [USER@]HOST:DEST
  or   rsync [OPTION]... [USER@]HOST:SRC DEST
  or   rsync [OPTION]... SRC [SRC]... DEST
  or   rsync [OPTION]... [USER@]HOST::SRC [DEST]
  or   rsync [OPTION]... SRC [SRC]... [USER@]HOST::DEST
  or   rsync [OPTION]... rsync://[USER@]HOST[:PORT]/SRC [DEST]
  or   rsync [OPTION]... SRC [SRC]... rsync://[USER@]HOST[:PORT]/DEST

SRC on single-colon remote HOST will be expanded by remote shell
SRC on server remote HOST may contain shell wildcards or multiple
sources separated by space as long as they have same top-level

Useful command-line switches

-v, --verbose increase verbosity
-q, --quiet decrease verbosity
-c, --checksum always checksum
-a, --archive archive mode, equivalent to -rlptgoD
-r, --recursive recurse into directories
-R, --relative use relative path names
-b, --backup make backups (default ~ suffix)
--backup-dir make backups into this directory
--suffix=SUFFIX override backup suffix
-u, --update update only (don't overwrite newer files)
-l, --links copy symlinks as symlinks
-L, --copy-links copy the referent of symlinks
--copy-unsafe-links copy links outside the source tree
--safe-links ignore links outside the destination tree
-H, --hard-links preserve hard links
-p, --perms preserve permissions
-o, --owner preserve owner (root only)
-g, --group preserve group
-D, --devices preserve devices (root only)
-t, --times preserve times
-S, --sparse handle sparse files efficiently
-n, --dry-run show what would have been transferred
-W, --whole-file copy whole files, no incremental checks
--no-whole-file turn off --whole-file
-x, --one-file-system don't cross filesystem boundaries
-B, --block-size=SIZE checksum blocking size (default 700)
-e, --rsh=COMMAND specify the remote shell

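The rsyncd.conf and rsyncd.secrets files the post describes, generated for one authenticated, read-only module, as an added example that is not part of the original post. The module name, user, paths and client address are placeholders of my own; the parameter names are the standard rsyncd.conf ones (auth users, secrets file, hosts allow, read only, use chroot). The secrets file is written as user:password on one line and made mode 0600, because the daemon refuses a secrets file that other users can read unless strict modes is switched off.

```shell
# Added example, not from the original post: write a minimal authenticated, read-only
# rsync daemon module and its secrets file into a directory of your choosing.

# write_rsync_secrets FILE USER PASSWORD: one "user:password" line, readable by the
# owner only (rsync rejects a world-readable secrets file under the default strict modes).
write_rsync_secrets() {
    ( umask 077; printf '%s:%s\n' "$2" "$3" > "$1" )   # subshell keeps the umask change local
    chmod 600 "$1"
}

# write_rsyncd_conf FILE MODULE PATH SECRETS USER ALLOWED: a module that only the listed
# client address may use, only with the listed user, and only for reading.
write_rsyncd_conf() {
    cat > "$1" <<EOF
# constructed rsyncd.conf (example values)
pid file = /var/run/rsyncd.pid
log file = /var/log/rsyncd.log
use chroot = yes

[$2]
    path = $3
    comment = backup source
    read only = yes
    list = no
    auth users = $5
    secrets file = $4
    hosts allow = $6
EOF
}

# rsync_daemon_files DIR: writes both files under DIR (for a real daemon use /etc) and
# prints the permission string of the secrets file so the caller can verify it.
rsync_daemon_files() {
    mkdir -p "$1"
    write_rsync_secrets "$1/rsyncd.secrets" backup "change-me-example"
    write_rsyncd_conf "$1/rsyncd.conf" backup /backup "$1/rsyncd.secrets" backup 192.168.0.1
    ls -ld "$1/rsyncd.secrets" | cut -c1-10
}

# usage: rsync_daemon_files /tmp/rsync-demo
```

A client then pulls the module with `rsync -av --password-file=/root/rsync.pass backup@192.168.0.1::backup/ /backup/`, the HOST::SRC form from the usage summary above; rsync insists that this client-side password file is not readable by other users either.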

How to Block IPs with APF Firewall

Posted on November 26th, 2006 by Admin.
Categories: Server Security, Linux.

Blocking IPs with APF Firewall

1) /etc/apf/apf -d IP Reason
-> The -d flag means DENY the IP address
-> IP is the IP address you wish to block
-> Reason is a comment on why the IP is being blocked

Example:

./apf -d 267.14.188.1 TESTING

vi /etc/apf/deny_hosts.rules

Shows the following:

# added 267.14.188.1 on 08/23/05 01:25:55
# TESTING
267.14.188.1

2) pico /etc/apf/deny_hosts.rules

You can then just add a new line and enter the IP you wish to block. Before this becomes active though you’ll need to reload the APF ruleset.

/etc/apf/apf -r


How to Unblock IPs from APF Firewall

Posted on November 26th, 2006 by Admin.
Categories: Server Security, Linux.

Unblocking IPs with APF Firewall, through the steps below:

1) pico /etc/apf/deny_hosts.rules

Find where the IP is listed and remove the line that has the IP.
After this is done save the file and reload apf to make the new changes active.

/etc/apf/apf -r

2) If the IP isn’t already listed in deny_hosts.rules and you wish to allow it, then,

/etc/apf/apf -a IP Reason
-> The -a flag means ALLOW the IP address
-> IP is the IP address you wish to allow
-> Reason is a comment on why the IP is being unblocked
Example:

./apf -a 267.14.188.1 Reason

pico /etc/apf/allow_hosts.rules

# added 267.14.188.1 on 09/15/06 03:12:50
# UNBLOCKING
267.14.188.1


Installing and Configuring APF Firewall on Linux Server

Posted on November 26th, 2006 by Admin.
Categories: Server Security, Linux.

cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh

Now edit the config file:
vi /etc/apf/conf.apf

Scroll down to the "Common ingress (inbound) TCP ports" section. At this point you need to find the correct configuration for your control panel.

IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,873"

EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,37,53,873"

Save the file and start apf:
apf -s

If everything still works, edit the config file again and turn dev mode off. Make sure you can start a new ssh session before turning dev mode off; if you are kicked out, you need to go back and look at what caused the problem!
DEVEL_MODE="0"

Restart APF:
apf -r


How to Compile Linux Kernel

Posted on November 24th, 2006 by Admin.
Categories: Server Security, Linux.

Below are the steps to compile the Linux kernel:

cd /usr/local/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.11.12.tar.bz2
wget http://grsecurity.net/grsecurity-2.1.6-2.6.11.12-200506141713.patch.gz
tar xvfj linux-2.6.11.12.tar.bz2
gunzip grsecurity-2.1.6-2.6.11.12-200506141713.patch.gz
patch -p0 < grsecurity-2.1.6-2.6.11.12-200506141713.patch
cd linux-2.6.11.12
make clean
make mrproper
cp /boot/config-`uname -r` .config
make oldconfig
make menuconfig
make dep
make modules_install
make install
grubby --bootloader-probe
pico /etc/grub.conf
grub-install /dev/hda
cat /boot/grub/device.map
shutdown -r now


TCP wrappers

Posted on October 12th, 2006 by Admin.
Categories: Cpanel Hosting, Server Security, Linux.

Greetings,

TCP Wrapper is a host-based network ACL system used to filter network access to Internet protocol services running on Unix-like operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or query replies to be used as tokens on which to filter for access control purposes.
First "/etc/hosts.allow" is checked, and if there is a matching entry in this file no more checking is done. If there are no matches in "/etc/hosts.allow", the "/etc/hosts.deny" file is checked, and if a match is found there, that service is blocked for that host.

Example "/etc/hosts.deny" file:

sshd: 192.168.1.1

The above file blocks sshd access from the host 192.168.1.1. It's also possible to run commands when someone from this host tries to ssh in.

This example sends mail:
sshd: 192.168.1.1: spawn (echo -e "%d %h %H %u" | /bin/mail -s 'hosts.deny entry' root)

Of course, you can also run commands from "/etc/hosts.allow" if you want mail sent on a successful login.

Cheers :)

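The allow-then-deny lookup order described in this post, reproduced as a small matcher over constructed hosts.allow and hosts.deny files, as an added example that is not part of the original post. It handles the forms the post uses (a single host, ALL, and a dotted network prefix such as 192.168.1.) and ignores the trailing option field, so the post's spawn line is parsed as is; the real library also understands netmasks, host names, EXCEPT lists and more, which this matcher does not. The sample addresses and file contents are made up.

```shell
# Added example, not from the original post: simulate tcpd's decision for one
# daemon/client pair. First match in hosts.allow wins; otherwise first match in
# hosts.deny denies; otherwise access is allowed. Simplified matcher: exact host,
# ALL, and dotted network prefixes only (no netmasks, names or EXCEPT).

# tcpd_match FILE DAEMON CLIENT -> exit 0 if any rule in FILE covers the pair
tcpd_match() {
    awk -v d="$2" -v c="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            split($0, f, ":")                      # "daemon-list : client-list [: option]"
            gsub(/[ \t]/, "", f[1]); gsub(/[ \t]/, "", f[2])
            nd = split(f[1], dl, ","); nc = split(f[2], cl, ",")
            dm = 0; for (i = 1; i <= nd; i++) if (dl[i] == "ALL" || dl[i] == d) dm = 1
            cm = 0
            for (j = 1; j <= nc; j++) {
                p = cl[j]
                if (p == "ALL" || p == c) cm = 1
                else if (p ~ /\.$/ && substr(c, 1, length(p)) == p) cm = 1   # "192.168.1."
            }
            if (dm && cm) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# tcpd_decision ALLOWFILE DENYFILE DAEMON CLIENT -> prints allow or deny
tcpd_decision() {
    if tcpd_match "$1" "$3" "$4"; then
        echo allow
    elif tcpd_match "$2" "$3" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# tcpd_sample_dir -> writes constructed hosts.allow / hosts.deny files and prints the dir
tcpd_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/hosts.allow" <<'EOF'
# constructed: the admin workstation may always use ssh
sshd: 192.168.1.7
EOF
    cat > "$d/hosts.deny" <<'EOF'
# constructed: the post's example entry, plus the whole subnet for every daemon
sshd: 192.168.1.1: spawn (echo -e "%d %h %H %u" | /bin/mail -s 'hosts.deny entry' root)
ALL: 192.168.1.
EOF
    echo "$d"
}

# usage:
#   d=$(tcpd_sample_dir)
#   tcpd_decision "$d/hosts.allow" "$d/hosts.deny" sshd 192.168.1.7   # allow, despite the deny
```

The 192.168.1.7 case shows why the order matters: the subnet is denied for ALL daemons in hosts.deny, but the explicit entry in hosts.allow is consulted first and wins, so a narrow allow can punch a hole in a broad deny.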

How to install mod_security

Posted on September 25th, 2006 by Jason.
Categories: Cpanel Hosting, Server Security, Linux, web Hosting.

Hello,
First we will download and unzip mod_security.

—–command—–
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -zxf modsecurity-apache_1.9.4.tar.gz
—–command—–

If you are using Apache 1.3.x you need to go into the apache1 directory as shown below. cPanel and Ensim both use Apache 1.3.x.

—–command—–
cd modsecurity-apache_1.9.4/apache1
—–command—–

If you are using Apache 2.x you need to go into the apache2 directory as shown below. Plesk uses Apache 2.x and may require the httpd-devel rpm to be installed to get mod_security working.
—–command—–
cd modsecurity-apache_1.9.4/apache2
—–command—–

Next, compile mod_security as a module. One of the lines below should work to compile it.
—–command—–
/etc/httpd/bin/apxs -cia mod_security.c
—–command—–

If you get a "file not found" error, install httpd-devel using up2date and then try to compile it again. This will work fine on Plesk and on the newer versions of Ensim that do not use "ensimized" httpd rpms. If you are running a version below Ensim 4.0 you should not continue unless you are certain of what you are doing.
—–command—–
up2date -i httpd-devel
/usr/sbin/apxs -cia mod_security.c
—–command—–

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.
—–command—–
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec
—–command—–

Now edit the httpd.conf; even though Ensim has multiple httpd.conf files, you can put it in the primary config.
—–command—–
pico -w /etc/httpd/conf/httpd.conf
—–command—–

If you are running Apache 1.3.x (cPanel and pre-4.0 Ensim):
Scroll down below the following line:
AddModule mod_security.c
If you do not have the AddModule line, find where the rest of them are located and put it right below the others.

If you are running Apache 2.x (Plesk and Ensim 4.0+):
Scroll down below the following line, at which point you can continue on and paste the ruleset.
LoadModule security_module modules/mod_security.so

Now you are going to paste in this ruleset. Please feel free to modify it as you see fit. I think that it is a very non-aggressive ruleset that will work fine on just about any server. Please post any problems you have with it below!

—-Ruleset—-

# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "

SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"
SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "
SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

—/Ruleset—

Now simply restart apache to enable mod_security.
—–command—–
service httpd restart
—–command—–

If sites start to have problems, look at the log:
/etc/httpd/logs/audit_log

If you need or want to remove mod_security at any time simply comment out (put a # in front of) the AddModule mod_security.c line and restart apache. This will disable all of the rules and not allow it to load into apache.

OK, mod_security is all set up. I would tail the audit log occasionally to see if it is causing any trouble with legitimate traffic. The ruleset above should not cause many problems though. Thanks to all who have helped with the rules for this, especially ryan at rfxnetworks and err0r. I have also adapted some rules from suggestions on the netberg forums by HostMerit.

Enjoy..
