How To Secure /tmp and /dev/shm partition
Keeping your server clean of rootkits is a good way to raise its security level. A sysadmin can create a separate partition for /tmp and mount it with the noexec and nosuid options, and this can be done without rebooting or repartitioning the drive.
1. First you should secure /tmp:
Make a 1GB file for the /tmp partition and create an ext3 filesystem on it:
# dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
# /sbin/mkfs.ext3 /dev/tmpFS
Create a backup copy of your current /tmp:
# cp -Rpf /tmp /tmpbackup
Mount the new tmp partition and set the permissions:
# mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
# chmod 1777 /tmp
Copy the old data back:
# cp -Rpf /tmpbackup/* /tmp/
If you run the mount command you should get something like this:
/dev/tmpFS on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
Edit /etc/fstab and add this:
/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0
# mount -o remount /tmp
You can test it by running a script on the /tmp partition; if you get "permission denied" it is fine :)
2. Secure /var/tmp:
It should be done because some applications use /var/tmp as their temporary folder, and anything that is accessible to everyone needs to be secured.
Rename it and create a symbolic link to /tmp:
# mv /var/tmp /var/tmp1
# ln -s /tmp /var/tmp
Copy the old data back:
# cp -Rpf /var/tmp1/* /tmp/
Note: you should restart any services that use the /tmp partition.
3. Securing /dev/shm:
To finish the job properly, you should also secure /dev/shm so rootkits cannot run from there.
Edit your /etc/fstab:
# nano /etc/fstab
change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"
Remount /dev/shm:
# mount -o remount /dev/shm
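Added example (not from the original post): a small POSIX sh check that confirms the mount options from steps 1 and 3 actually took effect, by reading /proc/mounts. It can be pointed at a sample file, and the sample below is constructed so it runs offline; /var/tmp is not listed because, after step 2, it is a symlink to /tmp rather than a mount of its own.

```bash
#!/bin/sh
# Verify that a mountpoint carries the noexec and nosuid options described
# above. Reads a /proc/mounts-style file (default: the real /proc/mounts) so
# the check can also be run against a constructed sample.
#
# Usage: check_mount_opts <mountpoint> [mounts_file]
#   prints "<mountpoint>: ok (<options>)" and returns 0 when both are set,
#   prints the missing options and returns 1 otherwise,
#   prints "not mounted" and returns 2 if nothing is mounted there.
check_mount_opts() {
    mp="$1"
    mounts_file="${2:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass.
    # The last matching line wins: that is the mount currently visible at $mp.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "$mp: not mounted"
        return 2
    fi
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Check the two mountpoints hardened in the post (/var/tmp is a symlink to
# /tmp after step 2, so it has no mount entry of its own).
check_all() {
    mounts_file="${1:-/proc/mounts}"
    rc=0
    for mp in /tmp /dev/shm; do
        check_mount_opts "$mp" "$mounts_file" || rc=1
    done
    return $rc
}

# Constructed /proc/mounts sample for offline testing (not from a real host);
# /dev/shm deliberately lacks the hardening options.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
none /dev/shm tmpfs rw,relatime 0 0
EOF

# Live usage on the server: check_all   (reads the real /proc/mounts)
```

Running `check_all` with no argument on the server itself reads the real /proc/mounts and exits non-zero if either /tmp or /dev/shm is missing an option, which makes it easy to drop into a cron job or a post-reboot check.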
It should be fine now. You can also read related posts:
How to install Rkhunter
How to install Rootcheck
6:28 PM | Tags: rootkits, security, sysadmin | 1 Comments
Delete Apache semaphores
Apache generates semaphores and when it can not generate more, you should get an error like this:
"No space left on device:mod_rewrite: could not create_rewrite: could not create rewrite_log_lockConfiguration Failed"
You should delete semaphores to fix it.
Listing and deleting semaphores:
# ipcs -s | grep apache
# ipcs -s | grep apache | perl -e 'while (<>) { @a=split(/\s+/); print `ipcrm sem $a[1]`}'
It should be fine now :)
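Added example (not from the original post): the same clean-up as a reviewable two-step script. It parses the owner column of `ipcs -s` rather than grepping for the string apache anywhere on the line, and defaults to a dry run so the ids are shown before anything is removed. It uses `ipcrm -s <id>`, equivalent to the `ipcrm sem <id>` form above; the ipcs output in the sample is constructed.

```bash
#!/bin/sh
# List the semaphore ids owned by a given user from `ipcs -s` output, and
# remove them only when explicitly asked. Both functions read stdin.

# Print the semid of every semaphore array owned by $1 (default: apache).
# ipcs -s columns: key semid owner perms nsems. Header and separator lines
# are skipped because their second field is not numeric.
owned_semids() {
    awk -v owner="${1:-apache}" '$3 == owner && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Remove the listed semaphores. With DRY_RUN=1 (the default) only print what
# would be removed, so the list can be reviewed before anything is deleted.
remove_semids() {
    while read -r id; do
        [ -n "$id" ] || continue
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: ipcrm -s $id"
        else
            ipcrm -s "$id"
        fi
    done
}

# Constructed `ipcs -s` output for offline testing (not from a real host).
SAMPLE_IPCS='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      apache     600        1
0x00000000 65537      apache     600        1
0x0052e2c1 98306      root       600        1'

# Live usage, first as a dry run, then for real:
#   ipcs -s | owned_semids apache | remove_semids
#   export DRY_RUN=0; ipcs -s | owned_semids apache | remove_semids
```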
7:33 PM | Tags: apache, sysadmin | 1 Comments
How To Install TTYSNOOP on linux
"TTYSnoop allows you to snoop on login tty's through another tty-device or pseudo-tty. The snoop-tty becomes a 'clone' of the original tty, redirecting both input and output from/to it." ( Source )
This is a handy administrator tool that lets you watch what other users are doing in their terminals.
It worked fine on SuSE and RedHat; this guide will help you configure it.
Installing TTYSNOOP
Download and install openssh:
# wget http://openbsd.md5.com.ar/pub/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz
# tar zxvf openssh-4.6p1.tar.gz
# cd openssh-4.6p1
# export LOGIN_PROGRAM="/sbin/foo_login"
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-pam --with-tcp-wrappers
# make
# make install
Now, modify the sshd_config file (you should find it on location: /etc/ssh/sshd_config) to:
PasswordAuthentication yes
UseLogin yes
Install ttysnoop
# wget http://freshmeat.net/redir/ttysnoop26/50871/url_tgz/ttysnoop-0.12d.k26.tar.gz
# tar xzvf ttysnoop-0.12d.k26.tar.gz
# cd ttysnoop-0.12d.k26
# make
# make install
Copy the new login from ttysnoop and create /var/spool/ttysnoop:
# cp ttysnoops /sbin/foo_login
# mkdir /var/spool/ttysnoop
Copy snooptab.dist to /etc :
# cp snooptab.dist /etc/snooptab
Edit /etc/snooptab:
# nano /etc/snooptab
Comment out all lines except "* socket login /bin/login", then save and exit.
Now you can use:
# w
wlamagna pts/1 192.168.2.20 16:51 0.00s 1:42 0.01s login -- wlamagna
In another terminal, run this to snoop on terminal pts/1:
# ttysnoop 1
It should be fine now; you can use ttysnoop.
7:17 PM | Tags: security, sysadmin | 1 Comments
How do we install Shoutcast?
"SHOUTcast is a multiplatform freeware digital audio streaming technology developed by Nullsoft. It allows audio content, primarily in MP3 or HE-AAC format, to be broadcast to and from media player software, enabling hobbyists and professionals to create Internet radio/Web radio networks." ( Source )
Installing Shoutcast
First you should create a shoutcast user for security reasons:
Login to root, then add the shoutcast user:
# adduser shoutcast
# passwd shoutcast
Login as the shoutcast user:
# su shoutcast
Installing shoutcast:
First, get shoutcast from nullsoft and extract it:
# wget http://www.shoutcast.com/downloads/sc1-9-2/shoutcast-1-9-2-linux-glibc6.tar.gz
# tar -zxvf shoutcast-1-9-2-linux-glibc6.tar.gz
# rm -rf shoutcast-1-9-2-linux-glibc6.tar.gz
# mv shoutcast-1-9-2-linux-glibc6 shoutcast
# cd shoutcast
Edit the configuration file:
# nano sc_serv.conf
You should change these settings in the file:
MaxUser
Password
PortBase
Now you need to uncomment AdminPassword and set an admin password, save and exit.
Start shoutcast:
# ./sc_serv sc_serv.conf
And that's it, it should run fine now.
8:24 PM | Tags: shoutcast, sysadmin | 0 Comments
How To Install TeamSpeak
"TeamSpeak is a quality, scalable application which enables people to speak with one another over the Internet. TeamSpeak consists of both client and server software. The server acts as a host to multiple client connections, capable of handling literally thousands of simultaneous users. This results in an Internet based conferencing solution that works in a variety of applications such as team mates speaking with one another while playing their favorite online game, small businesses cutting costs on long distance charges, or for personal communication with friends and family." ( Source )
This guide will help you to install TeamSpeak.
First add the user teamspeak, then install TeamSpeak. You should install it under that user and start the servers as a non-privileged user.
# adduser teamspeak
# su teamspeak
# cd /home/teamspeak
# wget ftp://ftp.freenet.de/pub/4players/teamspeak.org/releases/ts2_server_rc2_20201.tar.bz2
# tar -xvjf ts2_server_rc2_20201.tar.bz2
# cd tss2_rc2
# ./teamspeak2-server_startscript start
Check server.log:
# grep "password" server.log
Try to find something like this (username and password):
WARNING,Info,SERVER, admin account info: username: admin password: xxxxxxxx-xx-xx
WARNING,Info,SERVER, superadmin account info: username: superadmin password: xxxxxx
Now you can access the web interface:
http://serverip:14534
Click on SuperAdmin Login, then fill in the details provided in server.log.
If you want to add a server, select Servers from the left menu, then click the Add Server button. Fill in the boxes and set the port at the bottom.
Starting the server:
Select servers from the left menu and click Start
Now you can connect to the server via your teamspeak client.
Download TeamSpeak Client
5:29 AM | Tags: sysadmin, teamspeak | 0 Comments
How To Install Zend Optimizer on cPanel
What is Zend Optimizer?
"The Zend Optimizer is a free application that runs the files encoded by the Zend Guard, while enhancing the performance of PHP applications."
( Source )
This is easy: first log in as root to your server.
Use the cPanel script to install it and follow the instructions:
# /scripts/installzendopt
This enables users to run files encoded by Zend Guard.
5:18 AM | Tags: apache, cpanel, php, sysadmin | 0 Comments
How To FIX email account disk usage incorrect on cpanel
# find /home/*/.cpanel-datastore/ -name "diskusage_*" | xargs rm -f
# find /home/*/mail/ -name maildirsize | xargs rm -f
5:12 AM | Tags: cpanel, email, sysadmin | 0 Comments
How to Install Ruby on Rails on cPanel
Description: "Ruby on Rails is a free web application framework that aims to increase the speed and ease with which database-driven web sites can be created and offers skeleton code frameworks (scaffolding) from the outset. Often shortened to Rails, or RoR, Ruby on Rails is an open source project written in the Ruby programming language and applications using the Rails framework are developed using the Model-View-Controller design paradigm."
( Source )
This tutorial will help you to install Ruby on Rails on a cPanel system:
1. Installing Ruby:
# wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6.tar.gz
# tar -xvzf ruby-1.8.6.tar.gz
# cd ruby-1.8.6
# ./configure
# make
# make install
2. Installing the Gems and Rails:
# wget http://rubyforge.org/frs/download.php/11289/rubygems-0.9.0.tgz
# tar -xvzf rubygems-0.9.0.tgz
# cd rubygems-0.9.0
# ruby setup.rb
# gem install rails
3. Installing FastCGI - "FastCGI is a protocol for interfacing interactive programs with a web server. FastCGI is a variation on the earlier Common Gateway Interface (CGI); FastCGI's main aim is to reduce the overhead associated with interfacing the web server and CGI programs, allowing a server to handle more web page requests at once."
( Source )
# wget fastcgi.com/dist/fcgi-2.4.0.tar.gz
# tar -xvzf fcgi-2.4.0.tar.gz
# cd fcgi-2.4.0
# ./configure
# make
# make install
# wget fastcgi.com/dist/mod_fastcgi-2.4.2.tar.gz
# tar -xvzf mod_fastcgi-2.4.2.tar.gz
# cd mod_fastcgi-2.4.2
# /usr/local/apache/bin/apxs -o mod_fastcgi.so -c *.c
# /usr/local/apache/bin/apxs -i -a -n fastcgi mod_fastcgi.so
# gem install fcgi
Edit the Apache config file:
# nano /usr/local/apache/conf/httpd.conf
and add the fcgi module:
LoadModule fastcgi_module libexec/mod_fastcgi.so
<IfModule mod_fastcgi.c>
FastCgiIpcDir /tmp/fcgi_ipc/
AddHandler fastcgi-script .fcgi
</IfModule>
Save, exit and restart Apache.
Installing RMagick and GetText:
# wget http://umn.dl.sourceforge.net/sourceforge/graphicsmagick/GraphicsMagick-1.1.7.tar.gz
# tar -xvzf GraphicsMagick-1.1.7.tar.gz
# cd GraphicsMagick-1.1.7
# ./configure
# make
# make install
Installing the MySQL gem for Ruby:
# gem install mysql
4:55 AM | Tags: cpanel, rubyonrails, sysadmin | 1 Comments
Important Linux Commands
arch - print the machine architecture
# arch
cat - outputs the contents of a file
# cat somefile.sh
dir - list directory contents
# dir
cd - change the working directory
# cd /root
chgrp - change the group ownership of a file
# chgrp groupname file.sh
chmod - change file permissions
# chmod +x program.sh
chown - change the owner of a file
# chown root lorem.txt
cksum - print CRC checksum and byte counts of each file
# cksum example1.src example2.src
cp - copies a file
# cp -Rp file1 /root/files
date - show current date and time
# date
df - reports the amount of disk space used and available on filesystems
# df
du - estimate file space usage
# du -h /root
echo - display a line of text
# echo hello
exit - cause the shell to exit
# exit
fgrep - print lines matching a pattern in a file
# fgrep "hello" file
6:11 AM | Tags: linux, sysadmin | 0 Comments
How To Install NTOP
"ntop is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.
ntop is available for both Unix and Win32-based platforms. It has been developed by Luca Deri, an Italian research scientist and network manager at University of Pisa."
( http://en.wikipedia.org/wiki/Ntop )
Related Links:
ntop homepage
ntop wiki
Ntop monitors these protocols:
TCP/UDP/ICMP
IPX
Decnet
AppleTalk
NETBIOS
TCP/UDP
Links
http://dag.wieers.com/rpm/packages/ntop
http://rpmfind.net/linux/RPM/fedora/4/i386/glib-1.2.10-16.i386.html
Installation Procedure:
Install GLib:
# rpm -ivh glib-1.2.10-16.i386.rpm
Install ntop:
# rpm -ivh ntop-3.2-1.el4.rf.i386.rpm
Run ntop:
# ntop
The default username is admin; the password is the one you entered when ntop was first run.
Start ntop service:
# service ntop start
Web Interface:
ntop can be managed through a web interface:
http://serveripaddress:3000
https://serveripaddress:3001
It should be fine now.
5:25 PM | Tags: network, security, sysadmin | 0 Comments
How to install MYTOP
Description: "mytop is a console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL 3.22.x, 3.23.x" ( http://jeremy.zawodny.com/mysql/mytop/ )
Note: it is necessary to install two Perl modules to ensure that mytop will work.
1. Installing TermReadKey
On some folder (eg. /root/dwl):
# wget http://search.cpan.org/CPAN/authors/id/J/JS/JSTOWE/TermReadKey-2.30.tar.gz
# tar -zxf TermReadKey-2.30.tar.gz
# cd TermRead*
# perl Makefile.PL
# make test
# make
# make install
2. Installing DBI
On some folder (eg. /root/dwl):
# wget http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-1.48.tar.gz
# tar -zxf DBI-1.48.tar.gz
# cd DBI*
# perl Makefile.PL
# make test
# make
# make install
3. Installing mytop:
On some folder (eg. /root/dwl):
# wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.4.tar.gz
# tar -zxf mytop-1.4.tar.gz
# cd mytop*
# perl Makefile.PL
# make test
# make
# make install
8:11 AM | Tags: mysql, sysadmin | 2 Comments
How To Install Rkhunter
If you are running a web server, mail server, hosting server or VPS and need protection against rootkits, we recommend installing Rkhunter.
Rkhunter is compatible with the most popular hosting control panels such as cPanel, Plesk and Ensim.
"Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Rootkit Hunter is released as GPL licensed project and free for everyone to use.
* No, not really 99.9%.. It's just another security layer"
( http://www.rootkit.nl/ )
Install Rkhunter:
# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
# tar -zxvf rkhunter-1.2.7.tar.gz
# cd rkhunter-1.2.7
# ./installer.sh
Update Rkhunter:
# rkhunter --update
Run a test scan (this helps to spot false positives):
# /usr/local/bin/rkhunter -c
Set up a daily scan report:
# nano /etc/cron.daily/rkhunter.sh
and add this:
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)
Change permissions:
# chmod +x /etc/cron.daily/rkhunter.sh
7:54 AM | Tags: rootkits, security | 2 Comments
How To install BFD (Brute Force Detection)
Description: "BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans."
( http://www.rfxnetworks.com/bfd.php )
Note that you must have the APF firewall installed before installing BFD; it works with APF and requires some APF files to operate. See the How TO install APF Firewall post.
Login to your server as root,
On a folder where you store your files (eg. /root/dwl)
# wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
# tar -xvzf bfd-current.tar.gz
# cd bfd-x.yz
# ./install.sh
You will receive the next message:
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
Edit the configuration file:
# nano /usr/local/bfd/conf.bfd
Enable brute force hack attempt alerts:
1. Find: ALERT_USR="0" Change it to: ALERT_USR="1"
2. Find: EMAIL_USR="root" Change it to: EMAIL_USR=email@yourserver.com
Save and Exit
If you have a fixed IP, add it to the trusted IPs:
# nano /usr/local/bfd/ignore.hosts
Add your IPs, save and exit.
You can run BFD now:
# /usr/local/sbin/bfd -s
You can also customize the brute force configuration per application; check /usr/local/bfd, where you will find pre-made rules for popular services such as Apache.
7:03 AM | Tags: security | 0 Comments
How To Install rootcheck
Rootcheck Description:
"Rootcheck is an open source rootkit detection software. It scans the whole system looking for known rootkits and also for the presence of unknown rootkits and kernel level ones using anomaly detection. Rootcheck is also integrated with the OSSEC HIDS, providing a powerful host-based IDS solution. It includes log analysis, file integrity change detection and rootkit detection (all in one simple to use package). "
(Source: http://www.ossec.net/ )
Login as root to your server
Download rootcheck source and install:
# wget http://www.ossec.net/rootcheck/files/rootcheck-0.7.tar.gz
# tar -xvzf rootcheck-0.7.tar.gz
# cd rootcheck-0.7
# ./install
# ./rootcheck.pl
It should be fine.
Remember to always check for signature updates before using it; the signatures are posted at www.ossec.net/rootkits/
Check the manual and configuration options:
http://www.ossec.net/en/manual.html#config
4:49 AM | Tags: rootkits, security | 1 Comments
How To disable telnet
It is recommended to disable telnet for security reasons, because telnet is not a secure protocol.
"When TELNET was initially developed in 1969, most users of networked computers were in the computer departments of academic institutions, or at large private and government research facilities. In this environment, security was not nearly as much of a concern as it became after the bandwidth explosion of the 1990s. The rise in the number of people with access to the Internet, and by extension, the number of people attempting to crack other people's servers made encrypted alternatives much more necessary."
(Source: http://en.wikipedia.org/wiki/TELNET#Security )
Disable Telnet
Login as root to your server, now:
Edit /etc/xinetd.d/telnet
# nano /etc/xinetd.d/telnet
Search for: "disable = no" (you can use Ctrl+W) ,
Change it to: disable = yes
Save and Exit
Restart xinetd:
# /etc/rc.d/init.d/xinetd restart
4:39 AM | Tags: security, telnet | 1 Comments
Receive notifications when someone logs in on your Server
Log in as root to your server and:
Edit root's .bash_profile:
# nano .bash_profile
Now, add this to the bottom of the file:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Root has been logged into by `who | awk '{print $6}'`" youremail@yourdomain.com
Now you will receive an email notification whenever someone logs in as root on your server. Note that, if possible, you should use an off-site email address to make sure you still receive the alert if your system is compromised.
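The one-liner above takes the source host from `who | awk '{print $6}'`. For a console login `who` prints no sixth field, so the subject line comes out empty, and for a remote login the host is wrapped in parentheses. As an added example (not from the original post), the script below parses `who` output for every session, labels console logins as local and strips the parentheses. The `who` output in the sample is constructed; the `mail` command in the usage comment is assumed to be the same one the post uses.

```bash
#!/bin/sh
# Extract the origin of each login session from `who` output on stdin.

# Print "user tty source" per session; source is "local" for console logins.
login_sources() {
    awk '{
        src = "local"
        # The remote host, when present, is always the last field, in parentheses.
        if ($NF ~ /^\(.*\)$/) src = substr($NF, 2, length($NF) - 2)
        print $1, $2, src
    }'
}

# Only root sessions, one source per line (usable in the mail subject/body).
root_login_sources() {
    login_sources | awk '$1 == "root" { print $3 }'
}

# Constructed `who` output for offline testing (fake users and addresses).
SAMPLE_WHO='root     tty1         2007-05-10 16:40
wlamagna pts/1        2007-05-10 16:51 (192.168.2.20)
root     pts/2        2007-05-10 16:55 (10.0.0.12)'

# Live usage in root's .bash_profile, in place of the one-liner above:
#   who | root_login_sources | mail -s "Root login on $(hostname) at $(date)" youremail@yourdomain.com
```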
4:32 AM | Tags: security | 0 Comments
How TO install APF Firewall
"Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file."
(http://rfxnetworks.com/apf.php)
How To install APF firewall
Login to your server as root, then:
# cd /usr/src
# wget http://rfxnetworks.com/downloads/apf-current.tar.gz
# tar -xvzf apf-current.tar.gz
# rm -f apf-current.tar.gz
# cd apf-*
# ./install.sh
# cd /etc/apf
Port configuration:
Ports 2082 to 2095 are mostly used by cPanel, and port 19638 is only used by Ensim.
Edit conf.apf:
# nano conf.apf
Common ingress (inbound) TCP:
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,10000,35000_35999"
Common ingress (inbound) UDP:
IG_UDP_CPORTS="20,21,53,1040"
Save, exit and then start apf:
# service apf start
If APF is working fine, edit conf.apf again:
# nano conf.apf
Set the DEVM parameter to 0:
DEVM="0"
Now you can restart APF, and it is done:
# service apf restart
7:51 AM | Tags: firewall, security | 1 Comments
How To disable SELinux
If you are having problems with it and want to disable it:
Log in as root, then:
Edit the SELinux config file:
# nano /etc/selinux/config
Then set SELINUX= to disabled:
SELINUX=disabled
Replace the current line, which most of the time will be set to enforcing. This disables SELinux on boot; however, it stays enabled until you reboot. To disable it without rebooting, execute:
# setenforce 0
Take a look at the setsebool command if you want to allow specific applications without disabling SELinux. The most common problem is SELinux blocking MySQL. You can fix it with:
# setsebool -P mysqld_disable_trans=1
7:44 AM | Tags: linux, mysql, sysadmin | 0 Comments
Test your users password security with JTR
You can do that using John The Ripper.
Installing john the ripper:
Login as root, then:
# wget http://www.openwall.com/john/f/john-1.7.0.2.tar.gz
# tar -zxvf john-1.7.0.2.tar.gz
# cd john-1.7.0.2/src
# make generic
# cd ../run
Run the wordlist provided with John the Ripper against your password file (/etc/shadow on Linux):
# ./john -wordlist:password.lst /etc/shadow
After the cracking run on your /etc/shadow file finishes (it can take a while), you can view the passwords that were cracked:
# ./john -show /etc/shadow
You will get the results in the format username:password; if you get any results you should change those passwords.
Remove the .pot file (you should remove it because it contains the cracked login information):
# rm -rf john.pot
And it is done; you can repeat this every week to stay informed about your users' password security.
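As an added example (not from the original post or from John the Ripper), here is a small script that turns the `john -show` output described above into a list of accounts to reset, without printing any plaintext password. The account names and passwords in the sample are constructed; `chage -d 0`, which forces a password change at next login, is assumed to be available, as it is on the Linux systems the post targets.

```bash
#!/bin/sh
# Turn `john -show` output (stdin) into an action list without echoing
# any plaintext password.

# Print one username per cracked line. `john -show` prints
# user:password:<remaining shadow fields>, then a blank line and a summary such
# as "2 password hashes cracked, 5 left"; the summary has no colon, so with ":"
# as the separator it has NF < 2 and is skipped along with the blank line.
cracked_accounts() {
    awk -F: 'NF >= 2 && $1 != "" { print $1 }'
}

# Emit the commands that would force a password change at next login for each
# account. They are printed, not executed, so the list can be reviewed first.
force_reset_commands() {
    while read -r user; do
        [ -n "$user" ] || continue
        echo "chage -d 0 $user"
    done
}

# Constructed sample of `john -show /etc/shadow` output (fake accounts and
# passwords, shadow-style fields after the password).
SAMPLE_SHOW='alice:Summer2007:13650:0:99999:7:::
bob:letmein:13650:0:99999:7:::

2 password hashes cracked, 5 left'

# Live usage, after the cracking run from the post:
#   ./john -show /etc/shadow | cracked_accounts | force_reset_commands
```

Piping the generated commands into `sh` only after reading them keeps the reset step deliberate, and the usernames alone are what you need to notify users; the plaintext stays in john.pot, which the post removes afterwards.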
7:32 AM | Tags: security | 0 Comments
How to Install mod_evasive
Mod_evasive helps to stop basic attacks on a server (HTTP DoS, DDoS and brute force attacks). Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denying any single IP address that does any of the following:
-Requesting the same page more than a few times per second
-Making more than 50 concurrent requests on the same child per second
-Making any requests while temporarily blacklisted (on a blocking list)
Log in to your server and, on the command line:
# cd /usr/local/src
# wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar -zxvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
If you are using apache 1.3.x :
# /usr/local/apache/bin/apxs -cia mod_evasive.c
And add this to httpd.conf:
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
If you are using apache 2.0.x :
# /usr/sbin/apxs -cia mod_evasive20.c
Add this to httpd.conf:
DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600
Restart Apache and the installation should be complete:
# /etc/init.d/httpd restart
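Added example (not from the original post, and not mod_evasive's own code): a simplified awk simulation of the two threshold pairs above, run over a constructed request log, so you can see which clients the DOSPageCount/DOSPageInterval and DOSSiteCount/DOSSiteInterval settings would catch. The real module additionally blacklists the client for DOSBlockingPeriod seconds and answers 403; this only reports.

```bash
#!/bin/sh
# Simulate mod_evasive's per-page and per-site thresholds on request records.
#
# Input on stdin, one request per line: <client_ip> <epoch_seconds> <uri>
# Usage: evasive_hits page|site <count> <interval_seconds>
#   page: flag a client that requests the same URI more than <count> times
#         inside <interval_seconds>  (DOSPageCount / DOSPageInterval)
#   site: flag a client that makes more than <count> requests of any kind
#         inside <interval_seconds>  (DOSSiteCount / DOSSiteInterval)
evasive_hits() {
    awk -v mode="$1" -v n="$2" -v w="$3" '
    {
        key = (mode == "site") ? $1 : $1 SUBSEP $3
        # Open a fresh window on the first hit, or once the previous one expired.
        if (!(key in start) || $2 - start[key] >= w) { start[key] = $2; cnt[key] = 0 }
        cnt[key]++
        # Report each offending client (and URI, in page mode) once.
        if (cnt[key] > n && !(key in flagged)) {
            flagged[key] = 1
            if (mode == "site") print $1; else print $1, $3
        }
    }'
}

# Constructed request log for offline testing (fake addresses):
# 10.0.0.5 hammers one page seven times within two seconds,
# 10.0.0.9 requests a page three times, one second apart.
SAMPLE_REQS='10.0.0.5 100 /index.html
10.0.0.5 100 /index.html
10.0.0.5 100 /index.html
10.0.0.5 100 /index.html
10.0.0.5 100 /index.html
10.0.0.5 101 /index.html
10.0.0.5 101 /index.html
10.0.0.9 100 /login
10.0.0.9 101 /login
10.0.0.9 102 /login'

# Example run with the values from the configuration above
# (DOSPageCount 6, DOSPageInterval 2):
#   printf '%s\n' "$SAMPLE_REQS" | evasive_hits page 6 2
```

With the post's settings the page rule flags 10.0.0.5 on its seventh request to /index.html and ignores 10.0.0.9, whose one-second spacing keeps it at one or two hits per two-second window; tightening DOSPageInterval to 1 lets 10.0.0.5 through as well, which is why the interval matters as much as the count.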
1:34 PM | Tags: apache, ddos, security | 0 Comments