Local security measuresâ— Protecting against common remote attacksâ— What to do after an attack, cleanupâ— Having and following a Security Policy
Make sure existing users have decent passwords– Crack your own users' passwords using JTR,crack– Preferably run the crackers on a dedicated machine,not the server, due to load– Any passwords that crack in under a few hoursneed to have shell access removed until thepassword can be changed. This should be writteninto TOS/AUP which is “signed†by the client.
Turning off unneeded daemons in xinetd– Check /etc/xinetd.conf– Check /etc/xinetd.d/*◠Common ones are cupsd (printing daemon)◠nfs/statd (unless using nfs mounted FS)
Local Attacks:Running ProcessesFind locally running processes– Often script kiddies will launch backdoor scriptson the server using vulnerable php scripts– Bad clients or hacked accounts will be used tolaunch IRC bots / bouncers◠`ps auxww`◠`lsof -n`– Try to find processes hidden by a rootkit, such asSuckIt◠mpid=`sysctl kernel.pid_max | cut -d " " -f 3`; for i in`seq 1 $mpid`; do test -f /proc/$i/cmdline && (echo -n"[$i] "; strings /proc/$i/cmdline; echo); done
◠Setting login access definitions– /etc/login.defs◠Expire passwords after PASS_MAX_DAYS◠Set minimum password length to PASS_MIN_LEN◠Set number of days before pass expires to sendreminder with PASS_WARN_AGE◠There are more options that are well documented inthe default file– /etc/hosts.allow and /etc/hosts.deny◠Suggest to use firewall instead as it will protect allservices, not just the ones written to obey the rulesset in the hosts.* files
Setting resource limits for shell accounts– Set in /etc/security/limits.conf◠Protect against fork bombs and out of control applications,scripts◠Will want to start out very lax, make stricter after testingwith current settings; as need arises◠Example settings:– @users hard nofile 500– @users hard cpu 30– @users hard nproc 150– @users soft nproc 100– @users hard rss 50000– @users - maxlogins 3– nobody hard nofile 16384
◠Find all world writable files and directories– find / \( -perm -a+w \) ! -type l >> world_writable.txt◠reveals target locations an attacker can use to store their files◠fixing bad perms breaks some poorly written php/cgi scripts◠leave (/var)/tmp alone, secure it with /scripts/securetmp◠Find all setuid/gid files– find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >>suid_files.txt◠Many files need these elevated permissions, do not “fix†withoutknowing exactly how it will affect the system.– sudo, su, mount, traceroute, etc◠Find all files with no owner/group– find / -nouser -o -nogroup
◠Use “nosuid†option when mounting /tmp and/home◠Consider “noexec†on /tmp after cPanelinstallation◠Use /scripts/securetmp to have /tmp bemounted nosuid,noexec on a temporary file
◠Tripwire– Monitors checksums of files, reports when they have changed.– A good way of helping ensure files are not replaced byrootkits/trojans/etc.– Commercial : http://www.tripwire.com– OSS Branch: http://sourceforge.net/projects/tripwire◠Chkrootkit– http://www.chkrootkit.org– Scans system for common signs of rootkits, backdoors, lkm, etc.◠Rkhunter– http://www.rootkit.nl/projects/rootkit_hunter.html– Same as chkrootkit◠Logwatch– http://www.logwatch.org– Scans through logs and emails a daily report of system activity
◠Find out what programs are listening on whatports◠netstat -nap– Backdoor scripts/irc apps are usually launchedfrom a writable directory, /tmp or in the user's ~directory.– Most will bind to a port and wait for connections,some will “call home†in an attempt to get aroundP/NAT firewalling
tcp syn cookies– sysctl -w net.ipv4.tcp_syncookies=1◠or– echo 1 > /proc/sys/net/ipv4/tcp_syncookies◠Helps protect against SYN flood DoS attacks– echo 999999 > /proc/sys/net/ipv4/neigh/eth0/locktime◠Exchange eth0 with primary outgoing ethernet device◠Increases the time that ARP caches will expire– Not needed if setting the ARP cache statically
◠Tools like ettercap make ARP cachepoisoning trivial.– Enables MITM attacks– Allows easy hijacking of SSL and SSH sessions,along with any other sort of connections◠Many datacenters are vulnerable to this dueto management difficulties of setting staticroutes– Set your own static route, assuming that theserver doesn't get moved often◠arp -s 192.168.1.1 00:0A:EB:D8:35:46– 192.168.1.1 = default gateway– 00:0A:EB:D8:35:46 = NIC's MAC address
◠ipchains/iptables– Suggest using APF or similar if not familiar withiptables for ease of use and quality protection◠Be sure to enable all the ports cPanel requires:– http://faq.cpanel.net/show.cgi?qa=108499296901804– Always be sure to leave yourself a way back in◠set crontab to disable firewall every 5-10 minuteswhile testing new rules◠have serial console over ip available◠call the DC and hope they don't charge extra to havea tech flush the rules
◠Most all attacks are against poorly codedwebbased applications– php makes poor programming easy to pull off,most target scripts are written in php– Backdoors, shell imitation scripts, etc can belaunched to give full shell access to the server,even if the account has no shell access itself◠Enable openbase_dir protection in WHM– will stop some scripts from accessing other useraccounts
◠Enable suexec for perl scripts, phpsuexec forphp scripts– Allows tracking of scripts and forces them to runas the user of the account, rather that the“nobody†user– Enforces sane permissions and environment,such as not running if world writable, or in aworld writable directory– Greatly helps when tracking exploited scriptsused by spammers– Keeps users from doing stuff like◠system("killall -11 httpd");
◠Enable “safe_mode†for php– Edit the relevant php.ini◠php -i |grep php.ini– safe_mode = On– Note that safe_mode is removed from php6 andlater◠Edit “disable_functions†for php– disable_functions = exec, shell_exec, system, passthru,popen,virtual, show_source, readfile, pclose◠Disable– enable_dl = Off◠disables loading modules from inside the script
Considerations– With php_suexec enabled, users can put aphp.ini in the script directory and override allsettings, including safe_mode anddisable_functions to run commands– Almost all scripting languages allow access tothe filesystem as part of the language, malicioususe of these functions is the real problem
◠Using mod_security– Can be installed in WHM in the addons section– Main website at http://www.modsecurity.org/– Good ruleset to use:◠http://www.hostmerit.com/modsec.user.conf– Allows realtime analysis of web requests andcan block malicious requests– One of the more powerful apache modules,especially where security is concerned
â— Give users a jailshell rather than a fullfledgedshellâ— Have clients use sftp, scp, smtp+ssl,pop+ssl, https://site.tld/cpanel wheneverpossible to avoid plain text passwordsâ— Use SSHv2 only, as SSHv1 is decryptable onthe fly.â— Change root/admin passwords frequently usinga mix of upper/lowercase letters, numbersand symbolsâ— Constantly monitor logs
â— Join mailing lists to find out about newattacks when the information is first availableâ— http://www.securityfocus.comâ— http://www.securityfocus.com/archiveâ— Bugtraqâ— Classic Listâ— Incidentsâ— Good for knowing about real security breeches in the wildâ— http://secunia.comâ— http://secunia.com/secunia_security_advisories/â— High volume list much like Bugtraqâ— http://lists.netsys.com/mailman/listinfo/full-disclosureâ— Full Disclosure list. Mostly unmoderated, one of the bestsources of current security issues
Â
A Beginner's Guide to Securing Your Server These are items inside of WHM/Cpanel that should be...
Recommended Security SettingsCopyright © 2009 cPanel, Inc.Revision HistoryRevision 1 Sept. 28,...
Physical SecurityLocal SecurityRemote Security Your server is just like your office.Keep a...
/tmp directoryA lot of the time malicious scripts will be installed intothe /tmp directoryYou...
Main TopicsDisabling toolsSYN cookiessysctlApache modulesWhat to do if your hacked. Disable...