• Vulnerable files in /tmp : Secure /tmp

    Sometimes a web server shows abnormal load, or the datacentre sends an abuse alert about a packet flood coming from the server. In most of these cases the cause is a malicious Perl script (the classic "a.pl" / "b.pl" flooders) that was dropped into a world-writable directory such as /tmp and is running there, usually as the web server user.

    I have added a new post in the security section; for more details about Linux server security click here: Linux Server Security

    The following usually fixes this type of compromise for good: first find and stop what is running (Phase I), then take away the conditions that let it run (Phase II).

    Phase I  ( Find the cause )

    Check the currently running processes with top:

    $ nice top -c

    ( -c shows the full command line; usually you will see something like "perl a.pl" or "perl b.pl" at the top of the list, eating most of the CPU )

    Find the exact location the malicious process is running from. lsof lists every file the process has open, including its working directory (cwd) and the script itself; the same information is in /proc:

    $ lsof -p <process id> | more
    $ ls -l /proc/<process id>/cwd /proc/<process id>/exe

    If lsof marks the script "(deleted)", it removed itself after starting; the path it shows still tells you where it was dropped, and while the process holds the file open a copy can be taken from /proc/<process id>/fd/.

    Remove all permissions from the directory and move it aside for further investigation. Do not delete it: it is the evidence of how the server was entered.

    for example it is running from /tmp/abc
    $ mv /tmp/abc /tmp/abc_bkp
    $ chmod -R 000 /tmp/abc_bkp
    $ ps aux | grep '\.pl'

    $ kill -9 <pid's>

    Moving the directory first means a respawned copy can no longer find its files; killing the processes then stops the running instances. ( grep '\.pl' rather than grep .pl : the unescaped dot matches any character, so "pl" anywhere in a command line would match. ) Check top again after a minute: droppers of this kind often leave a cron entry or a second watchdog process that restarts the script, so also look at crontab -l -u apache (and nobody) and at any other process with the same working directory.
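    The process hunt above, as an added example that is not part of the original post: a small script that lists every process whose executable, working directory or command line points into /tmp, /var/tmp or /dev/shm. It reads /proc directly instead of grepping ps output, so it also finds a script that deleted itself after starting, and it catches "perl /tmp/a.pl" even though that process's executable is /usr/bin/perl. The /proc root is a parameter (an assumption added for testing) so the scan can be run against a copy or constructed data.

```shell
#!/bin/sh
# Added example (not from the original post): list processes that run from a
# world-writable scratch directory. It reads /proc directly, so it also finds
# a script that deleted itself after starting (readlink then reports the path
# with "(deleted)"), and it checks the working directory and command line as
# well as the executable, because "perl a.pl" has /usr/bin/perl as its
# executable. The /proc root is a parameter so the scan can be pointed at a
# copy or at constructed data.

SCRATCH_DIRS='/tmp /var/tmp /dev/shm'

# in_scratch PATH -> exit 0 if PATH is one of SCRATCH_DIRS or lies below one
in_scratch() {
    p=$1
    for d in $SCRATCH_DIRS; do
        case "$p" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# find_scratch_procs [PROCROOT]
#   prints one line per suspicious process: "<pid> <exe|cwd|cmdline> <detail>"
find_scratch_procs() {
    proc=${1:-/proc}
    for dir in "$proc"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        exe=$(readlink "$dir/exe" 2>/dev/null || true)   # empty for kernel threads / other users
        cwd=$(readlink "$dir/cwd" 2>/dev/null || true)
        cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" || true)  # argv is NUL-separated
        if in_scratch "${exe% (deleted)}"; then
            printf '%s exe %s\n' "$pid" "$exe"
        elif in_scratch "$cwd"; then
            printf '%s cwd %s\n' "$pid" "$cwd"
        else
            for word in $cmd; do
                if in_scratch "$word"; then
                    printf '%s cmdline %s\n' "$pid" "$cmd"
                    break
                fi
            done
        fi
    done
}

# Run as "sh find-scratch-procs.sh scan" to scan the live system; source the
# file to reuse the functions. Nothing is killed: review the list, move the
# directories aside as described above, then kill the pids you have confirmed.
if [ "${1:-}" = "scan" ]; then
    find_scratch_procs
fi
```

    The script only reports; the mv / chmod / kill steps stay manual, because a false positive here (a legitimate build running from /tmp, for instance) would otherwise be killed unseen.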

    Phase II (Prevention is better than cure )

    1) Secure /tmp

    /tmp is world-writable, so anything that can write a file there, including a compromised web application running as the apache user, can also execute it. Mounting /tmp noexec and nosuid takes that second step away: the script can still be uploaded, but the kernel refuses to run it from there.

    Note the limit of this: noexec stops the kernel executing a file directly ( ./a.pl or a compiled binary ), but perl /tmp/a.pl still works because it is the interpreter that is executed. That is why the PHP hardening in steps 2 to 5 below matters just as much.

    If you are concerned about your web server's security then /tmp should be secured.

    Create a 1 GB file to hold the new filesystem and format it ( /dev is usually a tmpfs or devtmpfs on current systems, in which case a file created there disappears at reboot; on such systems create the image under a persistent path such as /var/tmpFS instead and use that path in the commands and in fstab below ):

    $ dd if=/dev/zero of=/dev/tmpFS bs=1M count=1024

    $ /sbin/mkfs.ext3 /dev/tmpFS

    Create a backup copy of your current /tmp, because mounting over it hides whatever is there now:
    $ cp -rpf /tmp /tmpbackup

    Mount the image over /tmp with the hardening options and restore the sticky, world-writable mode ( nodev is included as well: it stops device nodes created in /tmp from being honoured ):
    $ mount -o loop,noexec,nosuid,nodev,rw /dev/tmpFS /tmp
    $ chmod 1777 /tmp

    Copy the old data back ( /. instead of /* so that dotfiles are copied too ):
    $ cp -Rpf /tmpbackup/. /tmp/
    $ rm -rf /tmpbackup

    Permanent mounting:
    Edit /etc/fstab and add this:
    /dev/tmpFS  /tmp  ext3   loop,nosuid,noexec,nodev,rw 0 0
    $ mount -o remount /tmp

    Check the result with mount | grep /tmp : the options column must show noexec, nosuid and nodev.

    Secure /var/tmp:

    /var/tmp is world-writable too, so give it the same protection by pointing it at the new /tmp:

    $ mv /var/tmp /var/tmp1
    $ ln -s /tmp /var/tmp

    Copy the old data back:
    $ cp -Rpf /var/tmp1/. /tmp/
    $ rm -rf /var/tmp1

    Secure /dev/shm:
    /dev/shm is a world-writable tmpfs as well, so it needs the same options. Change the following in /etc/fstab
    "none /dev/shm tmpfs defaults,rw 0 0" to
    "none /dev/shm tmpfs defaults,nosuid,noexec,nodev,rw 0 0"

    Remount /dev/shm:
    $ mount -o remount /dev/shm

    Note that you should restart the services which use /tmp ( mysql keeps its socket in /tmp on many installs, and PHP writes its session files there ) so that they pick up the new mount. A noexec /tmp also breaks installers and build scripts that unpack and run from /tmp; remount it exec for the duration of such an install ( mount -o remount,exec /tmp ) and put it back afterwards.
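    To confirm the result of the whole procedure, here is an added example (not from the original post) that audits the three scratch directories: it parses the /proc/mounts format and reports which of noexec, nosuid and nodev each mount lacks, follows the /var/tmp symlink created above, and includes an empirical noexec test. The mounts file is a parameter (an assumption added so the check can run against sample data).

```shell
#!/bin/sh
# Added example (not from the original post): check that /tmp, /var/tmp and
# /dev/shm are really mounted with the options the steps above set. It parses
# the /proc/mounts format (device mountpoint fstype options dump pass); the
# file to read is a parameter so the check can run against sample data.

REQUIRED_OPTS='noexec nosuid nodev'

# missing_opts MOUNTPOINT [MOUNTS_FILE]
#   prints each required option MOUNTPOINT lacks (one per line), or
#   "not-mounted" if there is no entry; exit 0 only when nothing is missing
missing_opts() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # the last entry for a mountpoint is the one in effect (stacked mounts)
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo not-mounted
        return 1
    fi
    rc=0
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_scratch [MOUNTS_FILE]: one OK/WEAK line per scratch directory.
# /var/tmp may be a symlink to /tmp (as set up above); the target's entry
# is then the one that counts.
audit_scratch() {
    mounts=${1:-/proc/mounts}
    bad=0
    for mp in /tmp /var/tmp /dev/shm; do
        target=$mp
        if [ -L "$mp" ]; then
            target=$(readlink -f "$mp")
        fi
        if miss=$(missing_opts "$target" "$mounts"); then
            echo "OK    $mp"
        else
            echo "WEAK  $mp ($target): $(echo $miss)"
            bad=1
        fi
    done
    return $bad
}

# exec_denied DIR: empirical confirmation that DIR is noexec. A script
# copied there with mode 755 must fail to start ("Permission denied").
# Note the limit of noexec: "perl DIR/x.pl" still works, because then the
# interpreter is what gets executed.
exec_denied() {
    f=$(mktemp "$1/noexec-test.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 755 "$f"
    if "$f" 2>/dev/null; then rc=1; else rc=0; fi
    rm -f "$f"
    return $rc
}

# "sh audit-scratch.sh audit" reports on the live system and exits non-zero
# if any of the three is weak, so it can run from cron or a config check.
if [ "${1:-}" = "audit" ]; then
    audit_scratch
    exit $?
fi
```

    A non-zero exit from the audit is worth wiring into monitoring: a sysadmin who remounts /tmp exec for an install and forgets to put it back is a more common way to lose this protection than any attack.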

    2) Compile PHP as CGI ( with suexec or suPHP, so that each site's scripts run as that site's user instead of as the shared apache user )

    3) Install apache mod_security

    4) Remove shell access for all the service users like apache, mysql, nagios, nobody ( set their login shell to /sbin/nologin in /etc/passwd, so the account cannot be logged into or su'd to even if its password is ever set )

    5) Disable dangerous PHP functions in php.ini, for example disable_functions = exec,passthru,shell_exec,system,proc_open,popen ( these are what a PHP dropper uses to fetch and start the .pl file )

    I have added a detailed post in the security section: Linux Server Security
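    Steps 4 and 5 are easy to get half right, so here is an added example (not from the original post) that audits both: which of the service accounts still have a real login shell, and which of the dangerous PHP functions disable_functions does not yet cover. The account list, the function list and the file parameters are assumptions for the demo; adjust them to the host.

```shell
#!/bin/sh
# Added example (not from the original post): audits for steps 4 and 5.
# Both functions take the file to inspect as a parameter so they can be run
# against a copy or against sample data. The account list and the function
# list are assumptions; adjust them to the host.

SERVICE_USERS='apache mysql nagios nobody'
# functions a PHP dropper needs in order to fetch and start a .pl file
DANGEROUS_FUNCS='exec passthru shell_exec system proc_open popen'

# users_with_shell [PASSWD_FILE]
#   prints "user:shell" for each service account whose login shell is a real
#   shell rather than /sbin/nologin, /usr/sbin/nologin or /bin/false
users_with_shell() {
    awk -F: -v users="$SERVICE_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" {
            print $1 ":" $7
        }' "${1:-/etc/passwd}"
}

# php_funcs_still_enabled [PHP_INI]
#   prints each dangerous function that disable_functions does not list
#   (commented-out ";disable_functions" lines are ignored; if the directive
#   appears more than once PHP uses the last one, here all are merged)
php_funcs_still_enabled() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "${1:-/etc/php.ini}" \
               | tr -d ' "' | tr ',' '\n')
    for fn in $DANGEROUS_FUNCS; do
        echo "$disabled" | grep -qx "$fn" || echo "$fn"
    done
}

# Fix-ups for what the audit finds:
#   usermod -s /sbin/nologin <user>
#   disable_functions = exec,passthru,shell_exec,system,proc_open,popen   (php.ini, then restart apache)
if [ "${1:-}" = "audit" ]; then
    echo "service accounts with a shell:"; users_with_shell
    echo "dangerous PHP functions still enabled:"; php_funcs_still_enabled
fi
```

    Run it again after the php.ini change and an apache restart; the function list should come back empty, and the account list should only ever be empty.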

  • LAMP server setup

    LAMP stands for Linux, Apache, MySQL and PHP. As the name implies, install the software in that order: PHP is built against the installed Apache ( via apxs ) and the MySQL headers, so both must be there first.

    This doc explains compiling Apache and PHP from the latest source. Here Apache is built with DSO ( dynamic shared object ) support and PHP as an Apache module.

    Install latest softwares

    wget http://apache.oss.eznetsols.org//httpd/httpd-2.2.19.tar.gz
    wget http://dev.mysql.com/get/Downloads/MySQL-5.5/MySQL-5.5.13-1.linux2.6.i386.tar/from/http://mirror.csclub.uwaterloo.ca/mysql/
    wget http://sg.php.net/get/php-5.2.17.tar.gz/from/this/mirror

    Here I have used the above versions; you can use the versions you need from the sites below.

    http://httpd.apache.org/download.cgi    |    http://dev.mysql.com/downloads   |      http://php.net/downloads.php

    ####  Install and compile apache as DSO ####

    DSO stands for dynamic shared object. If Apache is built with DSO support, additional modules can be compiled and loaded later ( with LoadModule in httpd.conf ) without rebuilding or disturbing the working production server. The Apache tool apxs ( APache eXtenSion tool ) is what builds and installs such modules; PHP's --with-apxs2 option below uses it. I will explain more about DSO later in this doc.

    # yum install gcc gcc-c++

    # tar -zxf httpd-2.2.19.tar.gz

    # cd httpd-2.2.19

    # ./configure --prefix=/usr/local/apache --enable-mods-shared=all --enable-rewrite --enable-so

    ( configure customizes the installation and checks that all necessary packages and dependencies are present. The option names above are the Apache 2.x ones: --enable-mods-shared=all builds every module as a DSO, --enable-so turns on DSO loading and --enable-rewrite adds mod_rewrite; the 1.3-style --enable-module=... and --enable-shared=max spellings are ignored by the 2.2 configure script. )

    # make

    ( make compiles the server and the modules )

    # make install

    ( make install installs the binaries into the directory given in --prefix )

    Once everything completes without any errors, that's it: you have completed the Apache installation.

    All the necessary configuration files and binaries will be in /usr/local/apache

    # /usr/local/apache/bin/apachectl -k start

    After starting Apache, confirm that it is running:
    # ps aux | grep httpd

    If everything is fine, browse to your web server's IP. You will get the Apache default page "It works!".

    If you want to tune your apache server for better performance then try this : Apache performance tuning

    ####  Install   Mysql #####

    Download the necessary packages (rpm) from the MySQL website and install them using the rpm command.

    # tar -xf MySQL-*.tar

    # rm -f *-test-*.rpm ( remove the test rpm )

    # rpm -ivh *.rpm

    ( install the rest of the rpm's )

    Once the installation is complete, start mysql:

    # /etc/init.d/mysql start

    After starting the mysql service, set a root password; a fresh install has none. Leave the password off the command line so it does not end up in the shell history and the process list: mysqladmin prompts for it when it is omitted.

    # /usr/bin/mysqladmin -u root password

    ( mysql_secure_installation does the same and additionally removes the anonymous accounts and the test database )

    Test and confirm that the mysql installation is working:

    # mysql -u root -p

    > create database admin;

    > exit

    Check that the database directory was created in /var/lib/mysql, which is the default data directory.

    #### Install and Compile php as apache module ####

    # yum install gd gd-devel libxml2-devel libpng-devel libjpeg-devel

    # tar -zxf php-5.2.17.tar.gz

    # cd php-5.2.17

    # ./configure --prefix=/usr/local/php5 --with-apxs2=/usr/local/apache/bin/apxs --disable-debug --enable-xml --with-gd --with-gettext --with-mysql=/usr

    # make

    # make install

    # cp php.ini-recommended /usr/local/php5/lib/php.ini

    ( copy a sample php configuration to the place this build looks for it. With --prefix=/usr/local/php5, PHP reads php.ini from /usr/local/php5/lib unless --with-config-file-path says otherwise, so a copy placed in /usr/local/lib would simply be ignored. php.ini-recommended is the safer of the two shipped samples, with display_errors off and the other defaults tightened for production; php.ini-dist is the development default. )

    # ln -s /usr/local/php5/lib/php.ini /etc/php.ini

    ( the symlink is only for convenience; confirm which file is actually loaded with /usr/local/php5/bin/php --ini or the "Loaded Configuration File" row of phpinfo() )

    Once everything completes fine, the php binaries will be installed in the prefix directory.

    You can verify the installation using

    # /usr/local/php5/bin/php -v
    PHP 5.2.17 (cli) (built: Jun  8 2011 04:45:05)
    Copyright (c) 1997-2010 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2010 Zend Technologies

    ##### Test and confirm web server is able to load a php pages #####

    1) Confirm the php module was added to apache ( apxs adds the LoadModule line itself during make install )

    # grep php /usr/local/apache/conf/httpd.conf

    LoadModule php5_module        modules/libphp5.so

    2) Find the DocumentRoot of your apache and create a test php file

    # grep DocumentRoot /usr/local/apache/conf/httpd.conf
    DocumentRoot "/usr/local/apache/htdocs"

    # vi /usr/local/apache/htdocs/index.php
    <?php
    phpinfo();
    ?>

    ( use the full <?php tag: the short <? form only works when short_open_tag is enabled, which php.ini-recommended turns off, and the file would then be served as plain text, source included )

    3) Now we need to add the following two directives to the apache conf

    # vi /usr/local/apache/conf/httpd.conf

    ( search for "AddType" and add the following on the next line. The AddType directive maps the given filename extensions onto the specified content type; without it .php files are served as text and their source is exposed )

    AddType application/x-httpd-php .php

    ( search for DirectoryIndex and replace the line with the following )

    DirectoryIndex index.html index.php

    Restart apache and check that the web server loads this index.php file:

    http://192.168.1.2/index.php

    It should display the phpinfo page. Remove the file once you have seen it: phpinfo() lists the PHP version, build options, loaded modules, paths and environment, which is exactly what an attacker wants to read before picking an exploit.

    Hope this helps you to set up a LAMP server 🙂 . If you are looking for a well tuned web server then check this: Apache performance tuning

  • ssl configuration for webservers

    Today more and more people are becoming aware of the hazards of insufficient online security measures. It is time to get smart and start taking online security seriously. The first step toward this is the padlock icon and the https prefix in the address bar, which tell the visitor that the site is who it claims to be and that traffic to it is encrypted.

    An SSL certificate ( SSL is short for Secure Sockets Layer, the protocol the certificate is used with; its successor is TLS ) is an X.509 digital certificate that binds a public key to a website's name and is signed by a certificate authority (CA) that browsers trust, so it authenticates the identity of the website. The certificate itself does not encrypt anything: when a browser connects over https it fetches the server's certificate, checks the signature chain and the name, and then negotiates session keys with the server; those keys encrypt the information before it is sent.

    How to purchase an ssl certificate.

    1) Create a private key and a CSR (certificate signing request) for your domain. The key never leaves your server; only the CSR is sent out.

    2) Contact an ssl provider like www.verisign.com or www.thawte.com with this CSR and purchase the certificate. There are different types of certs: domain validated, organisation validated and Extended Validation (EV). For several hostnames under one domain you can use a wildcard certificate, which covers all names directly under *.adminlogs.info ( one label only: www.adminlogs.info and mail.adminlogs.info, but not a.b.adminlogs.info, and not the bare adminlogs.info unless the provider lists it separately ).

    3) Install the purchased certificate, the provider's intermediate certificate and your key in the web server.

    For generating the CSR and key refer to: SSL commands

    Configure ssl for Apache

    Use a dedicated IP to configure ssl for your domain: Apache picks the certificate per IP:port before it sees the Host header. ( Apache 2.2.12 and later built against OpenSSL 0.9.8j or later also support SNI, which lets several name-based ssl vhosts share one address, at the cost of very old clients. )

    <VirtualHost 192.168.0.10:443>
    DocumentRoot /home/admin/public_html
    ServerName www.adminlogs.info

    SSLEngine on
    SSLCertificateFile /usr/local/ssl/www.adminlogs.crt
    SSLCertificateKeyFile /usr/local/ssl/www.adminlogs.key
    SSLCertificateChainFile /usr/local/ssl/www.adminlogs.ca
    </VirtualHost>

    Adjust the file names to match your certificate files:

    * SSLCertificateFile should be your purchased certificate file.
    * SSLCertificateKeyFile should be the key file generated when you created the CSR. Keep it owned by root with mode 600: Apache reads it as root at startup, and anyone who can read it can impersonate the site.
    * SSLCertificateChainFile should be the intermediate certificate file provided by the SSL provider. Without it desktop browsers may still connect ( they cache intermediates ) while other clients fail with an "unknown issuer" error.

    If the SSLCertificateChainFile directive does not work, try using the SSLCACertificateFile directive instead.

    The vhost inherits the global SSLProtocol and SSLCipherSuite settings; make sure those disable SSLv2 and SSLv3 and the anonymous, NULL, export and RC4 ciphers, as done for Resin below.

    Restart apache ( run apachectl configtest first, so a typo in the vhost does not take the server down )

    Configure ssl for Resin web server

    ssl key file location is: /usr/local/resin/keys/

    $ vi /usr/local/resin/resin.conf

    <server id="www.adminlogs" address="192.168.0.10">
    <http id="www.adminlogs" address="192.168.0.10" port="8080"/>
    <http id="www.adminlogs" address="192.168.0.10" port="8443">

    <openssl>
    <certificate-file>keys/www.adminlogs.crt</certificate-file>
    <certificate-key-file>keys/www.adminlogs.key</certificate-key-file>
    <certificate-chain-file>keys/inter-adminlogs.txt</certificate-chain-file>
    <password>pass</password>
    <protocol>-ALL +TLSv1</protocol>
    <cipher-suite>ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM</cipher-suite>
    </openssl>
    </http>
    </server>

    The protocol and cipher-suite directives disable SSLv2 and the weak cipher suites ( anonymous, NULL, export-grade, low-strength and RC4 ). SSLv3 is excluded as well: it is obsolete and every current client speaks TLS. <password> is the passphrase of the key file if the key was generated with -des3; the config file then has to be protected as carefully as the key itself, so it is simpler to remove the passphrase ( see the OpenSSL commands below ) and protect the key file with permissions instead.

    $ restart resin

    How to verify the installation

    You can check your ssl installation using the following url

    http://www.digicert.com/help/

    From the shell, openssl s_client -connect www.adminlogs.info:443 -servername www.adminlogs.info shows the certificate the server actually sends, the chain it includes and the negotiated protocol and cipher.

  • Most Common OpenSSL Commands

    These commands allow you to generate CSRs, Certificates, Private Keys and do other miscellaneous tasks.

    ### Generate a new private key and Certificate Signing Request ###

    * Create Key

    openssl genrsa -des3 -out www.adminlogs.info.key 2048

    ( -des3 encrypts the key with a passphrase, which the web server will then ask for at every start; see "Remove a passphrase" below if that is not wanted )

    * Create CSR

    openssl req -new -key www.adminlogs.info.key -out www.adminlogs.info.csr

    Or you can execute the above two commands in a single line as follows

    openssl req -out www.adminlogs.csr -new -newkey  rsa:2048  -nodes -keyout  www.adminlogs.key

    While creating the CSR, you need to fill in the following:

    Country, State (or Province), Locality (or City), Organization, Organizational Unit, and Common Name. Please note:

    1. The Country is a two-letter ISO code; for the United States it is 'US'.
    2. State and Locality are full names, i.e. 'California', 'Los Angeles'.
    3. The Organization Name is your full legal company or personal name, as legally registered in your locality.
    4. The Organizational Unit is whichever branch of your company is ordering the certificate, such as accounting, marketing, etc.
    5. The Common Name is the Fully Qualified Domain Name (FQDN) for which you are requesting the ssl certificate, exactly as visitors type it ( www.adminlogs.info, not adminlogs.info, unless the provider adds the other name as well ).

    If you are generating a CSR for a wildcard certificate your common name must start with *. (for example: *.adminlogs.info). The wildcard character (*) matches any single label, i.e. any name that does not contain a "dot".

    Once your CSR is created, copy and paste it to your ssl provider, who returns the CRT. Keep the .key file safe: the certificate is useless without it, and it cannot be recovered from the CSR or the CRT.

    *  Generate a self-signed certificate

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout www.adminlogs.key  -out www.adminlogs.crt

    *  Generate a certificate signing request (CSR) for an existing private key

    openssl req -out www.adminlogs.csr -key www.adminlogs.key -new

    *  Generate a certificate signing request based on an existing certificate

    openssl x509 -x509toreq -in www.adminlogs.crt -out www.adminlogs.csr -signkey www.adminlogs.key

    *  Remove a passphrase from a private key ( so the web server can start unattended; the resulting file must then be owned by root with mode 600 )

    openssl rsa -in www.adminlogs.pem -out adminlogs.pem

    ###  Verify the key and cert using OpenSSL commands  ###

    If you need to check the information within a certificate, CSR or private key, use these commands. You can also check CSRs and certificates with online tools such as the DigiCert page linked above.

    * Verify a Certificate Signing Request (CSR)

    openssl req -text -noout -verify -in www.adminlogs.csr

    * Verify a private key

    openssl rsa -in www.adminlogs.key -check

    * Verify a certificate

    openssl x509 -in www.adminlogs.crt -text -noout

    If you are facing issues with the SSL installation, make sure the certificate really belongs to the private key: the modulus and public exponent in the two files must match. Comparing the hashed modulus is the quickest way:

    openssl x509 -noout -modulus -in [path of certificate] | openssl md5

    openssl rsa -noout -modulus -in [path of private key] | openssl md5

    The two hashes must be identical; if they differ, the certificate was issued for a different CSR ( for example one regenerated after the first was sent ). The full fields can be read with openssl x509 -noout -text -in [path of certificate] and openssl rsa -noout -text -in [path of private key].
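    The modulus comparison above and the "How to verify the installation" step in the previous post, as an added example that is not part of the original posts: two shell functions, one that checks a key and certificate belong together and one that verifies a certificate against a CA bundle the way a browser does, plus a throw-away CA so both can be exercised offline (with a good case and a deliberately mismatched key). All file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original posts): the two checks to run before
# installing a certificate and again after a failed install, plus a
# throw-away CA so they can be tried offline. File names are assumptions
# for the demo; run it in an empty directory.

# key_matches_cert KEY CRT -> 0 when the private key belongs to the certificate.
# The RSA modulus is the public half of the key and is embedded in the
# certificate, so equal moduli mean the CA signed the CSR made from this key.
# Hashing keeps the comparison readable on the command line.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok CA_BUNDLE CRT -> 0 when CRT validates against the CAs in CA_BUNDLE.
# This is the check a browser does; a missing intermediate fails here too,
# which is the usual cause of "works in Firefox, fails on the phone".
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: a private CA, a server certificate it signed, and an
# unrelated key, so the two checks above have both a good and a bad case.
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj '/CN=Demo CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -new -nodes -newkey rsa:2048 -subj '/CN=www.adminlogs.info' \
        -keyout "$d/www.adminlogs.key" -out "$d/www.adminlogs.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$d/www.adminlogs.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/www.adminlogs.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
}

# live_check HOST [PORT]: what the server actually presents on the wire,
# the chain it sends and the negotiated protocol and cipher (needs network).
live_check() {
    echo | openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts 2>/dev/null \
        | sed -n -e '/^Certificate chain/,/^---$/p' -e '/^ *Protocol *:/p' -e '/^ *Cipher *:/p'
}

# "sh ssl-check.sh demo" builds the demo PKI in ./demo-pki and runs the checks.
if [ "${1:-}" = "demo" ]; then
    make_demo_pki demo-pki
    key_matches_cert demo-pki/www.adminlogs.key demo-pki/www.adminlogs.crt && echo "key matches cert"
    key_matches_cert demo-pki/other.key demo-pki/www.adminlogs.crt || echo "other.key does not match cert"
    chain_ok demo-pki/ca.crt demo-pki/www.adminlogs.crt && echo "chain verifies against ca.crt"
fi
```

    For a purchased certificate, call chain_ok with the provider's intermediate bundle as the first argument; if that fails while the modulus check passes, the intermediate file is the wrong one, which is the "SSLCertificateChainFile does not work" case from the previous post.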

  • Installing APC for PHP 5.3.3

    I find most of the versions available for APC aren't compatible with PHP 5.3. The "make" command returns the following error:

    make: *** [php_apc.lo] Error 1
    ERROR: 'make' failed

    APC has released a version which is compatible, and you'll need to build the PHP extension from source.

    $ cd /usr/local/src
    $ wget http://pecl.php.net/get/APC-3.1.3p1.tgz
    $ tar xzvf APC-3.1.3p1.tgz
    $ cd APC-3.1.3p1
    $ phpize
    $ ./configure --enable-apc --enable-mmap
    $ make
    $ make install

    ( phpize and the php-config it uses must belong to the PHP build you are extending; if several PHPs are installed, call them by full path, e.g. /usr/local/php5/bin/phpize, and pass --with-php-config=/usr/local/php5/bin/php-config to configure )

    After the extension compiles successfully, make install copies apc.so into the extension directory of that PHP build. If you copy it by hand instead, make sure you are copying it to the correct extension directory: php -i | grep extension_dir prints the one in use.

    $ cp /usr/local/src/APC-3.1.3p1/modules/apc.so /usr/local/lib/php/extensions/no-debug-non-zts-20090626/

    Enable the extension in php.ini

    extension = apc.so

    To test that all is well, restart apache and load a phpinfo page; it should show an "apc" section. From the command line, php -m | grep -i apc confirms the module is loaded for the CLI as well.