Server Securing

Securing Your Server

Below are some of the steps that can be used to secure your server.

Disable identification output for Apache

To disable the version output for Apache, SSH into the server and log in as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down, find the ServerSignature line and change it to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

These are applications that will help to secure your server.

Install and run chkrootkit

To install chkrootkit, SSH into the server and log in as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense

To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Install APF Firewall

To install APF, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

At command prompt type: tar -xvzf apf-current.tar.gz

At command prompt type: rm -f apf-current.tar.gz

At command prompt type: cd apf-0.9.4-6

At command prompt type: sh ./install.sh

After APF has been installed, you need to edit the configuration file.

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf

Scroll down and find

USE_DS="0"

change it to

USE_DS="1"

Now scroll down and configure the Ports. The following ports are required for CPanel:

Code:

Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"

Note: If you changed the port for SSH, be sure to include that port and remove port 22.

-----
21 FTP (TCP)
22 SSH (TCP)
25 SMTP (TCP)
53 DNS - Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 sSMTP (TCP)
953 ??BIND??
993 IMAP4 protocol over TLS/SSL (TCP)
995 POP3 protocol over TLS/SSL (was spop3) (TCP)
2082 CPANEL (http://sitename.com:2082) (TCP)
2083 CPANEL SSL (https://sitename.com:2083) (TCP)
2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
2086 WHM (http://sitename.com:2086) (TCP)
2087 WHM SSL (https://sitename.com:2087) (TCP)
2095 WebMail (http://sitename.com:2095) (TCP)
2096 WebMail SSL (https://sitename.com:2096)
3306 mySQL remote access (TCP)
6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
7786 Interchange (TCP)
3000_3500
-----
5100 for ASP,
8080 and 8443 for JSP if you use them.
-----

Code:

Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,6277"

-----
53 DNS - Domain Name Server
6277 SpamAssassin / DCC (email scanning)
-----

Code:

Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"

-----
0 Echo Reply
3 Destination Unreachable
5 Destination Unreachable
8 Echo
11 Time Exceeded
30 Traceroute
-----

Code:

Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"

-----
21 FTP
25 SMTP
37 Required for CPANEL Licensing
53 DNS - Domain Name Server
80 HTTP
110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
113 Authentication Protocol (AUTH)
123 NTP (Network Time)
443 HTTPS
43 WHOIS
873 rsync (CPanel updates)
953 BIND ??
2089 Required for CPANEL Licensing
2703 Razor (email scanning)
3306 mySQL remote access
-----

Code:

Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,873,953,6277"

-----
20 ftp-data
21 FTP
53 DNS - Domain Name Server
873 rsync
953 BIND ??
6277 SpamAssassin / DCC (email scanning)
-----

Code:

Common ICMP (outbound) types
EG_ICMP_TYPES="all"

Save the changes then exit.

To start APF

At command prompt type: /usr/local/sbin/apf -s

APF commands are:

-s start
-r restart
-f flush / stop
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST

Log out of SSH and then login again.

After you are sure everything is working fine, change the DEVM (development mode) option:

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf

Scroll down and find

DEVM="1"

change it to

DEVM="0"

Save changes, exit and then restart firewall,

At command prompt type: /usr/local/sbin/apf -r

Install BFD (Brute Force Detection)

To install BFD, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

At command prompt type: tar -xvzf bfd-current.tar.gz

At command prompt type: cd bfd-0.4

At command prompt type: ./install.sh

After BFD has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:

Find

ALERT_USR="0"

and change it to

ALERT_USR="1"

Find

EMAIL_USR="root"

and change it to

EMAIL_USR="your@email.com"

Save the changes then exit.

To start BFD

At command prompt type: /usr/local/sbin/bfd -s

Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change it to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.

Now scroll down to

Detail = Low

Change that to Medium or High:

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.

Save and exit.

These are measures that can be taken to secure your server with SSH access.

Update OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.

Restrict SSH Access

To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

SSH into server and login as root.

Note: You can use PuTTY as your SSH client. It is a clean-running application that does not require installation on Windows boxes.

At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

Code:

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)

Uncomment and change

#Protocol 2, 1

to look like

Protocol 2

Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.

Note 2: You can also create a custom hostname specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new hostname.

Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.
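As an added example (my own code, not part of the original post), here is a small Python audit that cross-checks the sshd_config and APF conf.apf edits described above: the new SSH port must appear in IG_TCP_CPORTS, port 22 must be removed once SSH has moved, Protocol must be 2 only, direct root login must be off, and DEVM must be back to "0". The sshd_config and conf.apf excerpts embedded in it are constructed samples.

```python
#!/usr/bin/env python3
"""Cross-check the sshd_config and APF conf.apf edits described above.
Added example, not part of the original post."""
import re

# Constructed sshd_config after the edits above (port moved, root login off).
SAMPLE_SSHD = """\
Port 5678
Protocol 2
ListenAddress 123.123.123.15
#PermitRootLogin yes
PermitRootLogin no
"""

# Constructed conf.apf excerpt: port 22 still open, the new SSH port missing
# from the inbound list, and DEVM still in development mode.
SAMPLE_APF = """\
DEVM="1"
USE_DS="1"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,3000_3500"
IG_UDP_CPORTS="53,6277"
"""


def parse_kv(text, sep=r"\s+"):
    """Map the first word of each non-comment line to the rest of the line.
    Works for sshd_config ("Port 22") and, with sep="=", for conf.apf."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(sep, line, maxsplit=1)
        if len(parts) == 2:
            out[parts[0].strip()] = parts[1].strip().strip('"')
    return out


def expand_ports(spec):
    """Expand an APF port list; APF writes a range as low_high (3000_3500)."""
    ports = set()
    for item in filter(None, spec.split(",")):
        if "_" in item:
            lo, hi = (int(x) for x in item.split("_"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def audit(sshd_text, apf_text):
    """Return a list of findings; an empty list means the two files agree
    with the post's recommendations."""
    sshd = parse_kv(sshd_text)
    apf = parse_kv(apf_text, sep="=")
    findings = []
    ssh_port = int(sshd.get("Port", 22))
    if ssh_port == 22:
        findings.append("sshd still listens on port 22")
    if sshd.get("Protocol", "2,1").replace(" ", "") != "2":
        findings.append("sshd Protocol should be 2 only")
    if sshd.get("PermitRootLogin", "yes").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "ListenAddress" not in sshd:
        findings.append("sshd is not bound to a single ListenAddress")
    inbound = expand_ports(apf.get("IG_TCP_CPORTS", ""))
    if ssh_port not in inbound:
        findings.append("IG_TCP_CPORTS does not include SSH port %d" % ssh_port)
    if ssh_port != 22 and 22 in inbound:
        findings.append("IG_TCP_CPORTS still opens port 22")
    if apf.get("DEVM") != "0":
        findings.append('DEVM is not "0": APF is still in development mode')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD, SAMPLE_APF):
        print("FINDING:", finding)
```

Run it against the real files with `audit(open("/etc/ssh/sshd_config").read(), open("/etc/apf/conf.apf").read())` after each edit; an empty list means the firewall and sshd agree.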

Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into the server and log in as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.

Set an SSH Legal Message

To set an SSH legal message, SSH into the server and log in as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message…

Code:

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

Now every time someone logs in as root, they will see this message. Go ahead and try it.

Disable Shell Accounts

To find shell accounts and suspicious files hosted on your server, SSH into the server and log in as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

These are items inside of WHM/Cpanel that should be changed to secure your server.

Go to Server Setup =>> Tweak Settings

Check the following items…

Under Domains

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail

Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole

Under System

Use jailshell as the default shell for all new accounts and modified accounts

Go to Server Setup =>> Tweak Security

Enable php open_basedir Protection

Enable mod_userdir Protection

Disable Compilers for unprivileged users.

Go to Server Setup =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.

Go to Server Setup =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Go to Service Configuration =>> FTP Configuration

Disable Anonymous FTP

Go to Account Functions =>> Manage Shell Access

Disable Shell Access for all users (except yourself)

Go to Mysql =>> MySQL Root Password

Change root password for MySQL

Go to Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:

/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
#2 (10-02-2004, 08:56 PM) 000000000, Registered User

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Apache Optimization

MaxClients
-----

The number of worker processes is limited by the parameter MaxClients.

MaxClients = Total RAM dedicated to the web server / Max child process size.

The default value of MaxClients is 150.

If we have a server with 1 GB of RAM and child processes take an average size
of 20 MB, we can set MaxClients as 1024/20 = 52.

-----

StartServers
-----

The StartServers directive sets the number of child server processes created
on startup. As the number of processes is dynamically controlled depending on
the load, there is usually little reason to adjust this parameter.

The default value is 5, which is enough for most situations. We can
try lowering this value in extreme cases.

-----

MinSpareServers
-----
The MinSpareServers directive sets the desired minimum number of idle child
server processes. An idle process is one which is not handling a request. If
there are fewer than MinSpareServers idle, then the parent process creates
new children at a maximum rate of 1 per second.

Tuning of this parameter should only be necessary on very busy sites. Setting
this parameter to a large number is almost always a bad idea.

The default value is 5. We can try lowering this value in order to reduce the
load.

-----
MaxSpareServers
-----

The MaxSpareServers directive sets the desired maximum number of idle child
server processes. An idle process is one which is not handling a request. If
there are more than MaxSpareServers idle, then the parent process will kill
off the excess processes.

Tuning of this parameter should only be necessary on very busy sites. Setting
this parameter to a large number is almost always a bad idea. If you are
trying to set the value lower than MinSpareServers, Apache will automatically
adjust it to MinSpareServers + 1.

The default value is 10.

-----

MaxRequestsPerChild
-----

The MaxRequestsPerChild directive sets the limit on the number of requests
that an individual child server process will handle. After
MaxRequestsPerChild requests, the child process will die. If
MaxRequestsPerChild is 0, then the process will never expire.

The default is 0, that is, the process never expires.
Setting this value to 250-500 is usually preferable.

-----

KeepAlive
-----

The Keep-Alive extension allows multiple requests to be sent over the same TCP
connection. In some cases this has been shown to result in an almost 50%
speedup in latency times for HTML documents with many images. To enable
Keep-Alive connections, set KeepAlive On.

Dynamic content such as CGI output, SSI pages, and server-generated
directory listings will generally not use Keep-Alive connections.

If we are getting too many "connection timed out" errors it is better to turn
this option off.

-----

KeepAliveTimeout
-----

The number of seconds Apache will wait for a subsequent request before closing
the connection. Once a request has been received, the timeout value specified
by the Timeout directive applies.

Setting KeepAliveTimeout to a high value may cause performance problems in
heavily loaded servers. The higher the timeout, the more server processes
will be kept occupied waiting on connections with idle clients.

-----

HostnameLookups
-----

Determines whether Apache does a reverse DNS lookup on
client addresses so it can write hostnames in the logfile.

A lot of people turn this on so they can have country reports
etc in their traffic reports.

The default is Off in order to save the network traffic for those sites that
don’t truly need the reverse lookups done. It is also better for the end
users because they don’t have to suffer the extra latency that a lookup
entails.

Heavily loaded sites should leave this directive Off, since DNS lookups can
take considerable amounts of time. The utility logresolve, compiled by
default to the bin subdirectory of your installation directory, can be used
to look up host names from logged IP addresses offline.
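An added example, not from the original post: a Python helper that applies the MaxClients rule of thumb above (RAM / average child size) to a sample of httpd process sizes and checks a prefork block against the MinSpareServers/MaxSpareServers and MaxRequestsPerChild advice. The ps output and the prefork block it contains are constructed samples.

```python
#!/usr/bin/env python3
"""Prefork sizing helper for the MaxClients and spare-server rules above.
Added example, not part of the original post."""
import re

# Constructed sample of `ps -o pid=,ppid=,rss= -C httpd` (RSS in KiB):
# the parent (pid 1200, child of init) plus four worker children.
SAMPLE_PS = """\
 1200     1  9216
 1201  1200 20480
 1202  1200 19456
 1203  1200 21504
 1204  1200 20480
"""

# Constructed prefork block: the defaults the post quotes, except that
# MaxSpareServers has been set below MinSpareServers by mistake.
SAMPLE_CONF = """\
<IfModule prefork.c>
StartServers        5
MinSpareServers     5
MaxSpareServers     3
MaxClients        150
MaxRequestsPerChild 0
</IfModule>
"""


def average_child_rss_mib(ps_output):
    """Average resident size of the httpd worker children in MiB. The parent
    (whose ppid is not an httpd pid) is excluded; it never serves requests."""
    rows = [tuple(int(x) for x in line.split())
            for line in ps_output.splitlines() if line.strip()]
    pids = {pid for pid, _, _ in rows}
    children = [rss for pid, ppid, rss in rows if ppid in pids]
    if not children:
        raise ValueError("no httpd worker processes in ps output")
    return sum(children) / len(children) / 1024


def max_clients(ram_mib, child_mib):
    """MaxClients = RAM dedicated to the web server / max child process size,
    rounded down so the estimate never overcommits memory."""
    return int(ram_mib // child_mib)


def parse_prefork(conf):
    """Return {directive: int} for the integer-valued prefork directives."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(\w+)\s+(\d+)\s*$", conf, re.M)}


def check_prefork(conf, ram_mib, child_mib):
    """Apply the post's rules of thumb and return a list of findings."""
    d = parse_prefork(conf)
    findings = []
    limit = max_clients(ram_mib, child_mib)
    clients = d.get("MaxClients", 150)
    if clients > limit:
        findings.append("MaxClients %d exceeds RAM-based limit %d"
                        % (clients, limit))
    mn, mx = d.get("MinSpareServers", 5), d.get("MaxSpareServers", 10)
    if mx <= mn:
        findings.append("MaxSpareServers %d <= MinSpareServers %d; Apache "
                        "will raise it to %d" % (mx, mn, mn + 1))
    if d.get("MaxRequestsPerChild", 0) == 0:
        findings.append("MaxRequestsPerChild 0: children never expire; "
                        "250-500 is preferable")
    return findings


if __name__ == "__main__":
    child = average_child_rss_mib(SAMPLE_PS)
    print("average child size: %.1f MiB" % child)
    print("MaxClients for 1024 MiB:", max_clients(1024, child))
    for finding in check_prefork(SAMPLE_CONF, 1024, child):
        print("FINDING:", finding)
```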

HyperVM

Master configuration

Run the script from /root

--------------------------------------------------------------

#!/bin/sh
# HyperVM master install: needs yum (or up2date) to pull in php, wget, zip
# and unzip, then runs the lxlabs installer with --install-type=master.

if ! [ -f /usr/bin/yum ] ; then
    echo "You at least need yum installed for this to work..."
    echo "Please contact our support personnel or visit the forum at http://forum.lxlabs.com"
    exit 1
fi

if [ -f /usr/bin/yum ] ; then
    yum -y install php wget zip unzip
else
    up2date --nox --nosig php wget zip unzip
fi

if ! [ -f /usr/bin/php ] ; then
    echo "Installing php failed. Please fix yum/up2date."
    exit 1
fi

rm -f program-install.zip
wget http://download.lxlabs.com/download/program-install.zip || exit 1

export PATH=/usr/sbin:/sbin:$PATH
unzip -oq program-install.zip
cd program-install/hypervm-linux || exit 1
php lxins.php --install-type=master "$@" | tee hypervm_install.log

--------------------------------------------------------------

Slave Configuration

Run the script from /root

--------------------------------------------------------------

#!/bin/sh
# HyperVM slave install: same prerequisites as the master script, but the
# installer is run with --install-type=slave.

if ! [ -f /usr/bin/yum ] ; then
    echo "You at least need yum installed for this to work..."
    echo "Please contact our support personnel or visit the forum at http://forum.lxlabs.com"
    exit 1
fi

if [ -f /usr/bin/yum ] ; then
    yum -y install php wget zip unzip
else
    up2date --nox --nosig php wget zip unzip
fi

if ! [ -f /usr/bin/php ] ; then
    echo "Installing php failed. Please fix yum."
    exit 1
fi

rm -f program-install.zip
wget http://download.lxlabs.com/download/program-install.zip || exit 1

export PATH=/usr/sbin:/sbin:$PATH
unzip -oq program-install.zip
cd program-install/hypervm-linux || exit 1
php lxins.php --install-type=slave "$@" | tee hypervm_install.log

--------------------------------------------------------------

Open VZ installation

With reference : http://wiki.openvz.org

Requirements

This guide assumes you are running recent release of Fedora Core (like FC5) or RHEL/CentOS 4. Currently, OpenVZ kernel tries to support the same hardware that Red Hat kernels support. For full hardware compatibility list, see Virtuozzo HCL.

Filesystems

It is recommended to use a separate partition for container’s private directories (by default /vz/private/<veid>). The reason why you should do so is that if you wish to use OpenVZ per-container disk quota, you won’t be able to use usual Linux disk quotas on the same partition. Bear in mind, that per-container quota in this context includes not only pure per-container quota, but also usual Linux disk quota used in containers, not on HN.

At least try to avoid using the root partition for containers, because the root user of a container will be able to overcome the 5% disk space barrier in some situations. This way the HN root partition can be completely filled and it will break the system.

OpenVZ per-container disk quota is supported only for ext2/ext3 filesystems. So use one of these filesystems (ext3 is recommended) if you need per-container disk quota.

rpm or yum?

In case you have yum utility available on your system, you may want to use it effectively to install and update OpenVZ packages. In case you don’t have yum, or don’t want to use it, you can use plain old rpm. Instructions for both rpm and yum are provided below.

yum pre-setup

If you want to use yum, you should set up OpenVZ yum repository first.

Download the openvz.repo file and put it in your /etc/yum.repos.d/ directory. This can be achieved by the following commands, as root:

# cd /etc/yum.repos.d
# wget http://download.openvz.org/openvz.repo
# rpm --import http://download.openvz.org/RPM-GPG-Key-OpenVZ

In case you can not cd to /etc/yum.repos.d, it means either yum is not installed on your system, or yum version is too old. In that case, just stick to rpm installation method.

Kernel installation

Note: In case you want to recompile the kernel yourself rather than use the one provided by OpenVZ, see kernel build.

First, you need to choose what “flavor” of the kernel you want to install. Please refer to Kernel flavors for more information.

Using yum

Run the following command

# yum install ovzkernel[-flavor]

Here [-flavor] is optional, and can be -smp or -enterprise. Refer to kernel flavors for more info.

Note: if you need to install x86_64 kernel and yum offers to install both x86_64 and i686 kernels, answer No and specify architecture manually, like this: yum install ovzkernel[-flavor].x86_64. This is fixed in newer yum versions.

Using rpm

Get the kernel binary RPM from the Download/kernel page. You only need one kernel RPM so please choose the appropriate one depending on your hardware.

Next, install the kernel RPM you chose:

# rpm -ihv ovzkernel[-flavor]*.rpm

Here [-flavor] is optional, and can be -smp or -enterprise. Refer to kernel flavors for more info.

Note: rpm -U (where -U stands for upgrade) should not be used, otherwise all currently installed kernels will be uninstalled.

Configuring the bootloader

In case GRUB is used as the boot loader, it will be configured automatically: lines similar to these will be added to the /boot/grub/grub.conf file:

title Fedora Core (2.6.8-022stab029.1)
       root (hd0,0)
       kernel /vmlinuz-2.6.8-022stab029.1 ro root=/dev/sda5 quiet rhgb vga=0x31B
       initrd /initrd-2.6.8-022stab029.1.img

Change Fedora Core to OpenVZ (just for clarity reasons, so the OpenVZ kernels will not be mixed up with non-OpenVZ ones). Remove extra arguments from the kernel line, leaving only the root=... parameter. The modified portion of /etc/grub.conf should look like this:

title OpenVZ (2.6.8-022stab029.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-022stab029.1 ro root=/dev/sda5
        initrd /initrd-2.6.8-022stab029.1.img

Configuring

Please make sure the following steps are performed before rebooting into OpenVZ kernel.

sysctl

There are a number of kernel parameters that should be set for OpenVZ to work correctly. These parameters are stored in /etc/sysctl.conf file. Here are the relevant portions of the file; please edit accordingly.

# On Hardware Node we generally need
# packet forwarding enabled and proxy arp disabled
net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 0

# Enables source route verification
net.ipv4.conf.all.rp_filter = 1

# Enables the magic-sysrq key
kernel.sysrq = 1

# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0

SELinux

SELinux should be disabled. To that effect, put the following line to /etc/sysconfig/selinux:

SELINUX=disabled

Conntracks

In the stable OpenVZ kernels (those that are 2.6.8-based) netfilter connection tracking for CT0 is disabled by default. If you have a stateful firewall enabled on the host node (it is there by default) you should either disable it, or enable connection tracking for CT0.

To enable conntracks for CT0, add the following line to /etc/modprobe.conf file:

options ip_conntrack ip_conntrack_enable_ve0=1

Note: In kernels later than 2.6.8, connection tracking is enabled by default.

Rebooting into OpenVZ kernel

Now reboot the machine and choose “OpenVZ” on the boot loader menu. If the OpenVZ kernel has been booted successfully, proceed to installing the user-level tools for OpenVZ. If you are installing on x86_64 CentOS or Fedora system, you may want to continue the setup process using the x86_64 guide.

Installing the utilities

OpenVZ needs some user-level tools installed. Those are:

vzctl
A utility to control OpenVZ containers (create, destroy, start, stop, set parameters etc.)
vzquota
A utility to manage quotas for containers. Mostly used indirectly (by vzctl).

Using yum

# yum install vzctl vzquota

Using rpm

Download the binary RPMs of these utilities from Download/utils. Install them:

# rpm -Uhv vzctl*.rpm vzquota*.rpm

If rpm complains about unresolved dependencies, you’ll have to satisfy them first, then repeat the installation.

When all the tools are installed, start the OpenVZ subsystem.

Starting OpenVZ

As root, execute the following command:

# /sbin/service vz start

This will load all the needed OpenVZ kernel modules. This script should also start all the containers marked to be auto-started on machine boot (there aren’t any yet).

During the next reboot, this script should be executed automatically.

Next steps

OpenVZ is now set up on your machine. To load OpenVZ kernel by default, edit the default line in the /boot/grub/grub.conf file to point to the OpenVZ kernel. For example, if the OpenVZ kernel is the first kernel mentioned in the file, put it as default 0. See man grub.conf for more details.
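As an added pre-reboot check (my own code, not part of the OpenVZ wiki text), this Python script compares a sysctl.conf against the values required above and inspects grub.conf for the OpenVZ entry, the extra kernel arguments the guide says to remove, and whether the default line already points at it. The sysctl.conf and grub.conf contents are constructed samples; the Fedora kernel version string in the grub sample is made up.

```python
#!/usr/bin/env python3
"""Pre-reboot check for the OpenVZ hardware node settings listed above.
Added example, not part of the OpenVZ wiki text."""
import re

# The /etc/sysctl.conf values the guide above requires on the hardware node.
REQUIRED_SYSCTL = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.default.proxy_arp": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "kernel.sysrq": "1",
    "net.ipv4.conf.default.send_redirects": "1",
    "net.ipv4.conf.all.send_redirects": "0",
}

# Constructed sysctl.conf: ip_forward wrong, all.send_redirects missing.
SAMPLE_SYSCTL = """\
# Kernel sysctl configuration file
net.ipv4.ip_forward = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
"""

# Constructed grub.conf: stock kernel first (made-up version string), OpenVZ
# kernel second, still carrying the boot arguments the guide says to remove.
SAMPLE_GRUB = """\
default=0
timeout=5
title Fedora Core (2.6.15-1.2054_FC5)
        root (hd0,0)
        kernel /vmlinuz-2.6.15-1.2054_FC5 ro root=/dev/sda5 quiet rhgb
        initrd /initrd-2.6.15-1.2054_FC5.img
title OpenVZ (2.6.8-022stab029.1)
        root (hd0,0)
        kernel /vmlinuz-2.6.8-022stab029.1 ro root=/dev/sda5 quiet rhgb vga=0x31B
        initrd /initrd-2.6.8-022stab029.1.img
"""


def parse_sysctl(text):
    """key -> value for every 'key = value' line, ignoring comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def sysctl_drift(text):
    """Required keys whose value is missing or wrong: key -> (found, wanted)."""
    conf = parse_sysctl(text)
    return {key: (conf.get(key), wanted)
            for key, wanted in REQUIRED_SYSCTL.items()
            if conf.get(key) != wanted}


def grub_entries(text):
    """List of (title, kernel line) tuples in menu order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("title "):
            entries.append([line[6:], ""])
        elif line.startswith("kernel ") and entries:
            entries[-1][1] = line
    return [tuple(entry) for entry in entries]


def grub_check(text):
    """Return (menu index of the OpenVZ entry or None, extra kernel arguments
    that should be removed, whether 'default' already selects that entry).
    OpenVZ kernels are recognised by the title or the 'stab' release tag."""
    for index, (title, kernel) in enumerate(grub_entries(text)):
        if "OpenVZ" in title or "stab" in kernel:
            extra = [arg for arg in kernel.split()[2:]
                     if arg != "ro" and not arg.startswith("root=")]
            match = re.search(r"^default\s*=\s*(\d+)", text, re.M)
            default_ok = match is not None and int(match.group(1)) == index
            return index, extra, default_ok
    return None, [], False


if __name__ == "__main__":
    print("sysctl drift:", sysctl_drift(SAMPLE_SYSCTL))
    print("grub:", grub_check(SAMPLE_GRUB))
```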

DNS cache poisoning

BIND 9 Vulnerability And Solution – Patch BIND To Avoid Cache Poisoning (Fedora/CentOS)

I am pretty sure most of you guys have heard about the vulnerability in BIND. Dan Kaminsky earlier this month announced a massive, multi-vendor issue with DNS that could allow attackers to compromise any name server - clients, too.

I thought I would share with you all one of the quickest solutions systems administrators running BIND 9 can use to help solve this vulnerability in case their systems are vulnerable.

After 3 days of testing and playing around with my DNS servers, I discovered something that seemed to solve my problem hence deciding to share with you all.

I am not sure if this really solved the problem, though it has worked for me as the test results are great. But your suggestions and comments are welcome.

My finding, as simple as it may look, only applies to those folks running BIND 9 on CentOS 4 or 5 and Fedora Core systems and above. I tested on all these boxes in my office.

Let's start, shall we?

Prerequisites And Assumptions

* Your firewall (iptables NAT/PAT or PIX) must have port 53 open in such a way that it allows random source port selection.
* You must be running BIND 9 on CentOS 4 or 5 or any Fedora Core system.
* BIND should be running in chrooted mode; this is not a prerequisite, but it is a best practice.
* In your /etc/named/named.conf or /etc/named.conf file, disable recursive querying for outside clients and add an acl that allows only your own networks to make recursive requests. With this, the system administrator has reduced the exposure to cache poisoning to their own known networks.

acl "mynetworks" {
    127.0.0.0/8; 172.16.0.0/12; 10.0.0.0/8; 192.168.0.0/16;
};

view "internal" {
    match-clients { mynetworks; };
    allow-query { mynetworks; };
    allow-recursion { mynetworks; };
    match-recursive-only yes;
    # zone statements for this view go here
};

view "external" {
    match-clients { any; };
    allow-query { any; };
    allow-recursion { none; };
    match-recursive-only no;
    # zone statements for this view go here
};

And Now To Fix The BIND Vulnerability

The first step is to check whether your system is vulnerable by running the command below, replacing ns1.youdomain.co.tz with the name server of your organization's domain.

dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
“192.168.1.3 is POOR: 26 queries in 20.0 seconds from 1 ports with std dev 0.00”

POOR ----> definitely indicates that the name server or system in question is vulnerable; the BIND software running is old and needs to be PATCHED.

Solution

For those who run CentOS or Fedora systems, yum can be used to patch the systems. The CentOS 5 developers have already released a patch for the BIND software; the current package is bind-9.3.4-6.0.2.P1.el5_2. The P1 indicates the package is a patched one.

On my systems, after patching, I got this result:

rpm -q bind

bind-9.3.4-6.0.2.P1.el5_2  ----> if your bind version is not patched, then patch it.

One should do this to get the latest software and patch.

yum update bind bind-chroot -y

Edit your named.conf file and make the following changes. Save and reload BIND.

vi /etc/named.conf

options {
    directory "/var/named";
    allow-transfer { 192.168.1.4; };
    # query-source address * port 53;    ## COMMENT OUT or REMOVE THIS LINE.

Commenting out the fixed query-source port lets BIND pick a random source port for each query. Only do this if this parameter is present under options in your named.conf file.

    dnssec-enable yes;                   ## ADD THIS OPTION TO ENABLE DNSSEC.
};

The line above, when added to your named.conf file, enables DNSSEC. Go ahead and set up DNSSEC, but remember that DNSSEC is not a complete solution to this vulnerability.

Reload or restart BIND:

/etc/init.d/named reload

Then test again to see if you get a better result.

dig +short @ns1.youdomain.co.tz porttest.dns-oarc.net TXT

Just to confirm…:-)

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
“192.168.1.3 is GOOD: 26 queries in 19.6 seconds from 26 ports with std dev 16515.27”

GOOD indicates that the name server in question at 192.168.1.3 appears to be safe, but you must make sure the ports used do not follow an obvious pattern; here the ports have a standard deviation of 16515.27. If your test clocks a standard deviation in the region of 10000.00, your DNS server is safer and your clients or users should not worry.

The same procedure should be carried out on all DNS servers in your organization.
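An added example (my own code, not part of the article): Python helpers that parse the porttest TXT answer shown above, rate a list of observed source ports the way the article reads the result (a single port or an obvious pattern is POOR), and detect an active query-source line that pins the port in named.conf. The named.conf excerpt is a constructed sample, and the POOR/GOOD split is my approximation, not dns-oarc's exact scale.

```python
#!/usr/bin/env python3
"""Source-port randomisation checks for the BIND cache-poisoning fix above.
Added example, not part of the original article."""
import re
import statistics

# Constructed named.conf excerpt with the fixed query-source port still active.
SAMPLE_NAMED = """\
options {
    directory "/var/named";
    allow-transfer { 192.168.1.4; };
    query-source address * port 53;
    dnssec-enable yes;
};
"""

PORTTEST_RE = re.compile(
    r"(?P<addr>\S+) is (?P<rating>\w+): (?P<queries>\d+) queries in "
    r"(?P<seconds>[\d.]+) seconds from (?P<ports>\d+) ports with std dev "
    r"(?P<stddev>[\d.]+)")


def parse_porttest(txt):
    """Parse the TXT answer porttest.dns-oarc.net returns (quotes optional)."""
    match = PORTTEST_RE.search(txt.strip().strip('"'))
    if not match:
        raise ValueError("not a porttest answer: %r" % txt)
    fields = match.groupdict()
    return {"addr": fields["addr"], "rating": fields["rating"],
            "queries": int(fields["queries"]), "ports": int(fields["ports"]),
            "stddev": float(fields["stddev"])}


def rate_ports(ports):
    """Rate the source ports one resolver used for a series of queries the
    way the article reads the porttest result: a single port or an obvious
    arithmetic pattern is POOR, anything else is GOOD. The standard deviation
    is returned so the reader can apply the article's 10000 figure; the
    POOR/GOOD split here is my approximation, not dns-oarc's exact scale."""
    distinct = len(set(ports))
    stddev = statistics.pstdev(ports)
    steps = {b - a for a, b in zip(ports, ports[1:])}
    patterned = distinct == 1 or len(steps) == 1   # fixed or sequential
    return {"ports": distinct, "stddev": round(stddev, 2),
            "rating": "POOR" if patterned else "GOOD"}


def fixed_query_source(named_conf):
    """True when an active (uncommented) query-source line pins the port,
    i.e. the line the article says to comment out or remove."""
    for line in named_conf.splitlines():
        code = re.split(r"#|//", line, maxsplit=1)[0]
        if re.search(r"query-source\b.*\bport\s+\d+", code):
            return True
    return False


if __name__ == "__main__":
    print(parse_porttest('"192.168.1.3 is POOR: 26 queries in 20.0 seconds '
                         'from 1 ports with std dev 0.00"'))
    print(rate_ports([53] * 26), rate_ports(list(range(1024, 1050))))
    print("fixed query-source port:", fixed_query_source(SAMPLE_NAMED))
```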

-----

Upgrading an older version of FC with FC9 Updated bind …
Submitted by pererik (Contact Author) (Forums) on Wed, 2008-07-30 10:31.

If you have a server with an unsupported FC release, i.e. FC7, you can upgrade from the FC9 SRPMS as described below.

1) Download the SOURCE rpms (in this case ftp.uio.no):
cd /tmp
wget ftp://ftp.uio.no/linux/Fedora/updates/9/SRPMS/bind-9.5.0-33.P1.fc9.src.rpm
rpm -ivh bind-9.5.0-33.P1.fc9.src.rpm

2) Build the RPMS:
cd /usr/src/redhat/SPECS
First try:
rpmbuild -bb bind.spec
You may have to install missing rpms with yum like:
yum update postgresql-devel mysql-devel unixODBC-devel
Try again:
rpmbuild -bb bind.spec
If OK, proceed to 3), else repeat.

3) Check out the binary RPMS produced:

cd /usr/src/redhat/RPMS/i386
ls -l
total 10416
-rw-r--r-- 1 root root 1706252 2008-07-30 09:11 bind-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root   58218 2008-07-30 09:11 bind-chroot-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root 4130721 2008-07-30 09:11 bind-debuginfo-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root 3277876 2008-07-30 09:11 bind-devel-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root  978048 2008-07-30 09:11 bind-libs-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root  274739 2008-07-30 09:11 bind-sdb-9.5.0-33.P1.fc7.i386.rpm
-rw-r--r-- 1 root root  195075 2008-07-30 09:11 bind-utils-9.5.0-33.P1.fc7.i386.rpm

4) Backup your bind config files.

5) Which bind rpms are installed on my machine?
rpm -qa | grep "^bind"
bind-9.4.2-4.fc7
bind-chroot-9.4.2-4.fc7
bind-libs-9.4.2-4.fc7
bind-utils-9.4.2-4.fc7

6) Upgrade only the RPMs what you have installed on your machine:

rpm -Uvh bind-9.5.0-33.P1.fc7.i386.rpm bind-chroot-9.5.0-33.P1.fc7.i386.rpm bind-libs-9.5.0-33.P1.fc7.i386.rpm bind-utils-9.5.0-33.P1.fc7.i386.rpm

7) Check the log and verify that everything is OK.

Mount /tmp

umount /tmp

umount /var/tmp

dd if=/dev/zero of=/usr/tmpDSK bs=1024 count=512000

mkfs.ext3 /usr/tmpDSK

press 'y' to continue

mount -o loop,rw,noexec,nosuid /usr/tmpDSK /tmp

mount -o bind,rw,noexec,nosuid /tmp /var/tmp

Script : Blackhole

#!/bin/bash
# Rewrite every ":blackhole:" default address under /etc/valiases to a
# ":fail:" bounce, so mail for unknown users is rejected at SMTP time
# instead of being accepted and silently discarded.

grep -rl ':blackhole:' /etc/valiases/ > /root/blackhole_files

while read -r i
do
    grep -v ':blackhole:' "$i" > /root/tmpfile
    echo '*: :fail: No such user here' >> /root/tmpfile
    # Truncate and rewrite in place so the file's owner and mode are kept.
    cat /root/tmpfile > "$i"
done < /root/blackhole_files

Fantastico RV

cd /usr/local/cpanel/whostmgr/docroot/cgi
wget -N http://www.netenberg.com/files/free/fantastico_whm_admin.tgz
tar -xzpf fantastico_whm_admin.tgz
rm -rf fantastico_whm_admin.tgz
mkdir /root/rvadmin
cd /root/rvadmin
wget http://download.rvglobalsoft.com/download.php/download/rvskin-auto/saveto/rvauto.tar.bz2
bunzip2 -d rvauto.tar.bz2
tar -xvf rvauto.tar
perl auto_rvskin.pl
mv /root/rvadmin/rvskin /etc/cron.d/rvskin
chown root /etc/cron.d/rvskin
chgrp root /etc/cron.d/rvskin
cd /usr/local/cpanel/base/frontend
rm -f xcontroller.tgz*
wget http://netenberg.com/files/xcontroller/xcontroller.tgz
tar xzpf xcontroller.tgz
chown -R root.root xcontroller
cd /usr/local/cpanel/lang
touch catalan french indonesian polish romanian spanish german italian portugues russian turkish