22 February, 2013

Mod Security Rules Incorrectly Blocking Googlebot

http://forums.cpanel.net/f185/mod-security-rules-incorrectly-blocking-googlebot-315161.html
Hello everyone

I'm using CSF Firewall on my blog, and the problem is that the Mod_Security rules incorrectly block Googlebot regularly. It is happening almost every week.

In the past I removed a Mod Security rule that was blocking Googlebot, and now a new Mod Security rule, 950005, is blocking Googlebot.

Whenever it blocks Googlebot, I manually remove Googlebot IP address from deny list using WHM.

Is there any way to permanently stop this? How can I set Mod Security to not block Googlebot?

Solution:

If you are using CSF, add .googlebot.com to /etc/csf/csf.rignore (the reverse-DNS ignore list), so that lfd does not block addresses whose hostname ends in that domain:

Code:
.googlebot.com
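Before removing a blocked address from the deny list by hand, it is worth confirming that it really belongs to Googlebot, since a User-Agent string or a bare PTR record can be faked. The following is an added example, not code from the forum thread or from CSF: it implements the forward-confirmed reverse DNS check that makes a domain suffix like .googlebot.com safe to trust. The fake DNS table is constructed for offline use; with the default arguments the function performs real lookups.

```python
import socket

def verify_crawler(ip, allowed_suffixes=(".googlebot.com",),
                   rev=socket.gethostbyaddr, fwd=socket.gethostbyname_ex):
    """Forward-confirmed reverse DNS (FCrDNS) check for a connecting IP.

    Returns (ok, hostname). ok is True only when all three hold:
      1. the IP reverse-resolves (PTR) to a hostname,
      2. that hostname ends with one of the allowed suffixes, and
      3. the hostname forward-resolves (A) back to the same IP.
    Step 3 is the one that matters: anyone can set the PTR record of
    their own address space, but not the A record under googlebot.com.
    """
    try:
        host = rev(ip)[0].rstrip(".").lower()
    except OSError:            # socket.herror / socket.gaierror are OSError subclasses
        return False, None
    if not host.endswith(tuple(s.lower() for s in allowed_suffixes)):
        return False, host
    try:
        addrs = fwd(host)[2]
    except OSError:
        return False, host
    return ip in addrs, host


# --- Constructed fake DNS data so the example runs offline (not real records) ---
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine: PTR and A agree
    "192.0.2.20": "crawl-192-0-2-10.googlebot.com",   # forged PTR: A record points elsewhere
    "192.0.2.30": "scanner.example.net",              # not Google at all
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "scanner.example.net": ["192.0.2.30"],
}

def fake_rev(ip):
    """Mimics socket.gethostbyaddr: (hostname, aliaslist, ipaddrlist)."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip], [], [ip]

def fake_fwd(host):
    """Mimics socket.gethostbyname_ex: (hostname, aliaslist, ipaddrlist)."""
    if host not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return host, [], FAKE_A[host]

def classify(ip):
    """Human-readable verdict for an address found in the CSF deny list."""
    ok, host = verify_crawler(ip, rev=fake_rev, fwd=fake_fwd)
    if ok:
        return "verified crawler %s - safe to unblock" % host
    if host is None:
        return "no PTR record - leave blocked"
    return "claims %s but does not verify - leave blocked" % host

if __name__ == "__main__":
    for addr in list(FAKE_PTR) + ["192.0.2.40"]:
        print(addr, "->", classify(addr))
```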

18 February, 2013

ApacheBooster for cPanel/WHM

ApacheBooster is an integration of nginx and varnish. The plugin reduces server load spikes and memory usage, and gets the maximum performance out of your websites.

Varnish

Varnish Cache is a web application accelerator, also known as a caching HTTP reverse proxy. You install it in front of any server that speaks HTTP and configure it to cache the contents. Varnish Cache is really, really fast. It typically speeds up delivery by a factor of 300 – 1000x, depending on your architecture. Varnish performs really, really well. It is usually bound by the speed of the network, effectively turning performance into a non-issue. We’ve seen Varnish delivering 20 Gbps on regular off-the-shelf hardware.

Nginx

Nginx is known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.

Unlike traditional servers, Nginx doesn’t rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture. This architecture uses small, but more importantly, predictable amounts of memory under load.

Features:

cPanel WHM Integration
Varnish Advanced Configuration
Opt-out Domain List Served Directly by Apache
VCL Script Compatibility

ApacheBooster install instructions:
wget http://prajith.in/downloads/apachebooster.tar.gz
tar -zxf apachebooster.tar.gz
cd apachebooster
sh install.sh

ApacheBooster uninstall instructions:
wget http://prajith.in/downloads/apachebooster.tar.gz
tar -zxf apachebooster.tar.gz
cd apachebooster
sh uninstall

Disable PHP mail function on cPanel server

PHP provides the mail() function for sending mail from a PHP script. On a shared hosting server it is advisable to disable mail() to prevent spamming from the server, and to allow only SMTP authentication for sending email from PHP scripts. You can disable the PHP mail() function from WHM by following the steps below:

[1] Login to your WHM.
[2] Go to Tweak Settings.
[3] Select the option "Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)" and save it.


07 February, 2013

Monitoring User/Application Activity with psacct

An excellent program for monitoring users and applications is psacct. This program will work in the background of your system recording what all users are doing on your system as well as the resources that are being consumed. I use it daily for resource abuse tracking, statistics generation, CPU usage trending, process identification and more.
The psacct package contains several utilities for monitoring process activities, including ac, lastcomm, accton and sa.
  • The ac command displays statistics about how long users have been logged on.
  • The lastcomm command displays information about previously executed commands.
  • The accton command turns process accounting on or off.
  • The sa command summarizes information about previously executed commands.

Task: Install psacct or acct package

Use the up2date command if you are using RHEL 4.0 or earlier:
# up2date psacct
Use the yum command if you are using CentOS / Fedora Linux / RHEL 5:
# yum install psacct
Use the apt-get command if you are using Ubuntu / Debian Linux:
$ sudo apt-get install acct
OR
# apt-get install acct

Task: Start psacct/acct service

On Ubuntu / Debian Linux the service is started by default, creating the /var/account/pacct file. Under Red Hat / Fedora Core / CentOS you need to start the psacct service manually. Type the following two commands to create the /var/account/pacct file and start the service:
# chkconfig psacct on
# /etc/init.d/psacct start

If you are using Suse Linux, the name of service is acct. Type the following commands:
# chkconfig acct on
# /etc/init.d/acct start
Now let us see how to use these utilities to monitor user commands and connect time.

Task: Display statistics about users' connect time

The ac command prints a report of connect time in hours, based on logins and logouts. A total is also printed. If you type ac without any argument it displays the total connect time:
$ ac
Output:
total       95.08
Display totals for each day rather than just one big total at the end:
$ ac -d
Output:
Nov  1  total        8.65
Nov  2  total        5.70
Nov  3  total       13.43
Nov  4  total        6.24
Nov  5  total       10.70
Nov  6  total        6.70
Nov  7  total       10.30
...
Nov 12  total        3.42
Nov 13  total        4.55
Today   total        0.52
Display time totals for each user in addition to the usual everything-lumped-into-one value:
$ ac -p
Output:
        vivek                             87.49
        root                                 7.63
        total       95.11

Task: find out information about previously executed user commands

Use the lastcomm command, which prints information about previously executed commands. You can search by username, tty name, or command name.
Display the commands executed by user vivek:
$ lastcomm vivek
Output:
userhelper        S   X vivek  pts/0      0.00 secs Mon Nov 13 23:58
userhelper        S     vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.00 secs Mon Nov 13 23:45
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
gcc                     vivek  pts/0      0.00 secs Mon Nov 13 23:45
which                   vivek  pts/0      0.00 secs Mon Nov 13 23:44
bash               F    vivek  pts/0      0.00 secs Mon Nov 13 23:44
ls                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
rm                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
vi                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
ping              S     vivek  pts/0      0.00 secs Mon Nov 13 23:42
cat                     vivek  pts/0      0.00 secs Mon Nov 13 23:42
netstat                 vivek  pts/0      0.07 secs Mon Nov 13 23:42
su                S     vivek  pts/0      0.00 secs Mon Nov 13 23:38
For each entry the following information is printed. Take the first output line as an example:
userhelper S X vivek pts/0 0.00 secs Mon Nov 13 23:58
Where:
  • userhelper is the command name of the process
  • S and X are flags, as recorded by the system accounting routines. The meaning of each flag is:
    • S -- command executed by super-user
    • F -- command executed after a fork but without a following exec
    • D -- command terminated with the generation of a core file
    • X -- command was terminated with the signal SIGTERM
  • vivek is the name of the user who ran the process
  • pts/0 is the terminal name
  • 0.00 secs is the CPU time the process used, and Mon Nov 13 23:58 is the time the process exited
Search the accounting logs by command name:
$ lastcomm rm
$ lastcomm passwd
Output:
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:39
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:38
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:36
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                S     root     pts/0      0.00 secs Tue Nov 14 00:35
rm                      vivek    pts/0      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:30
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29
rm                      vivek    pts/1      0.00 secs Tue Nov 14 00:29
Search the accounting logs by terminal name pts/1:
$ lastcomm pts/1
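To turn lastcomm output into something you can alert on, here is an added example (not from the original post or the psacct package) that parses lines in the format shown above, flags watched commands run with the S flag and interactive commands from service accounts, and counts commands per user the way the first column of sa -m does. The sample lines are constructed to mirror the output above.

```python
import re
from collections import Counter

# Constructed sample lines in the lastcomm format shown above (not a real capture).
SAMPLE = """\
userhelper        S   X vivek  pts/0      0.00 secs Mon Nov 13 23:58
rpmq                    vivek  pts/0      0.01 secs Mon Nov 13 23:45
bash               F    vivek  pts/0      0.00 secs Mon Nov 13 23:44
rm                      vivek  pts/0      0.00 secs Mon Nov 13 23:43
su                S     vivek  pts/0      0.00 secs Mon Nov 13 23:38
rm                S     root   pts/0      0.00 secs Tue Nov 14 00:39
passwd            S     root   pts/1      0.02 secs Tue Nov 14 00:40
wget                    nobody pts/2      0.30 secs Tue Nov 14 00:41
"""

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+"             # command name (lastcomm truncates long names)
    r"(?P<flags>(?:[SFDX]\s+)*)"    # zero or more single-letter flags
    r"(?P<user>\S+)\s+"
    r"(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+) secs\s+"   # CPU time used
    r"(?P<when>.+?)\s*$"            # exit time
)

def parse_lastcomm(text):
    """Turn lastcomm output into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["flags"] = set(rec["flags"].split())   # e.g. {"S", "X"}
        rec["secs"] = float(rec["secs"])
        records.append(rec)
    return records

# Commands worth a second look when they run with super-user privileges (flag S),
# and accounts that should never be running commands from an interactive terminal.
WATCH_CMDS = {"rm", "passwd", "useradd", "usermod", "chattr", "wget", "curl"}
SERVICE_ACCOUNTS = {"nobody", "apache", "lighttpd", "postfix"}

def flag_suspicious(records, watch=WATCH_CMDS, service=SERVICE_ACCOUNTS):
    """Return (reason, record) pairs for entries that match a detection rule."""
    hits = []
    for rec in records:
        if rec["cmd"] in watch and "S" in rec["flags"]:
            hits.append(("privileged %s by %s" % (rec["cmd"], rec["user"]), rec))
        elif rec["user"] in service and rec["tty"].startswith("pts/"):
            # daemons show tty "??"; a pty means someone has a shell as that account
            hits.append(("service account %s ran %s" % (rec["user"], rec["cmd"]), rec))
    return hits

def per_user_counts(records):
    """Number of accounted commands per user, like the first column of `sa -m`."""
    return Counter(rec["user"] for rec in records)

if __name__ == "__main__":
    recs = parse_lastcomm(SAMPLE)
    for reason, rec in flag_suspicious(recs):
        print("%-40s %s %s" % (reason, rec["tty"], rec["when"]))
    print(dict(per_user_counts(recs)))
```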

Task: summarize accounting information

Use the sa command to print summarized information about previously executed commands. In addition, it condenses this data into a summary file named savacct, which contains the number of times each command was called and the system resources used. The information can also be summarized on a per-user basis; sa saves this information into a file named usracct.
# sa
Output:
     579     222.81re       0.16cp     7220k
       4       0.36re       0.12cp    31156k   up2date
       8       0.02re       0.02cp    16976k   rpmq
       8       0.01re       0.01cp     2148k   netstat
      11       0.04re       0.00cp     8463k   grep
      18     100.71re       0.00cp    11111k   ***other*
       8       0.00re       0.00cp    14500k   troff
       5      12.32re       0.00cp    10696k   smtpd
       2       8.46re       0.00cp    13510k   bash
       8       9.52re       0.00cp     1018k   less
Take the second line as an example (the first line is the total over all commands):
4 0.36re 0.12cp 31156k up2date
Where:
  • 4 is the number of times the command was called
  • 0.36re is the "real time" in wall clock minutes
  • 0.12cp is the sum of system and user time in CPU minutes
  • 31156k is the CPU-time averaged core usage, in 1k units
  • up2date is the command name
Display output per user:
# sa -u
Output:
root       0.00 cpu      595k mem accton
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12488k mem initlog
root       0.00 cpu    12482k mem touch
root       0.00 cpu    13226k mem psacct
root       0.00 cpu      595k mem consoletype
root       0.00 cpu    13192k mem psacct           *
root       0.00 cpu    13226k mem psacct
root       0.00 cpu    12492k mem chkconfig
postfix    0.02 cpu    10696k mem smtpd
vivek      0.00 cpu    19328k mem userhelper
vivek      0.00 cpu    13018k mem id
vivek      0.00 cpu    13460k mem bash             *
lighttpd   0.00 cpu    48240k mem php              *
Display the number of processes and the number of CPU minutes on a per-user basis:
# sa -m
Output:
                                      667     231.96re       0.17cp     7471k
root                                  544      51.61re       0.16cp     7174k
vivek                                 103      17.43re       0.01cp     8228k
postfix                                18     162.92re       0.00cp     7529k
lighttpd                                2       0.00re       0.00cp    48536k

Task: Find out who is eating CPU

By looking at the re, k and cp/cpu columns (see above for the output explanation) you can spot suspicious activity, or the user/command that is eating up all the CPU. A sudden increase in CPU or memory usage by a command is an indication of a problem.
Note that the above commands and packages are also available on other UNIX-like operating systems such as Sun Solaris and the *BSDs.

06 February, 2013

WHM/cPanel Server Hardening & Security

WHM – Account Functions:
* Disable cPanel Demo Mode
* Disable shell access for all accounts (except root)
MySQL:
* Set the MySQL root password (don't use the same password as for root shell access)
- If you don't set a MySQL password, anyone will be able to log in to the database server as "root" without a password and delete, edit or download any database on the server.
WHM – Service Configuration – Apache Configuration – PHP and SuExec Configuration:
* Enable suEXEC (suEXEC = On)
When PHP runs as an Apache module it executes as the user/group of the web server, which is usually "nobody" or "apache". suEXEC changes this so that scripts are run as CGI, which means they are executed as the user that created them. With suEXEC, script permissions can't be set to 777 (read/write/execute at user/group/world level).
Optimization & Security:
Keep all services and scripts up to date and make sure that you are running the latest secure versions.
# /scripts/updatenow  - Update /scripts
WHM -Tweak Security:
* Secure tmp
* Apache server signature turned off
* Disabled Directory Listing
* cPHulk Brute Force Protection
* Shell Fork Bomb Protection
* SMTP Tweak
* Compiler Access
* Apache mod_userdir Tweak
* PHP open_basedir Tweak
* Disable Compilers for all accounts (except root)
* Disable shell access for all other users.
FTP Server Configuration

* Allow Anonymous Logins - NO
* Allow Anonymous Uploads -  NO
* Allow Logins with Root Password - NO
PHP Security
Find out which php.ini is loaded:
php -i | grep php.ini

Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
That means you have to edit /usr/local/lib/php.ini.
php.ini & disabled functions

safe_mode = On
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, popen
(safe_mode, magic_quotes_gpc and register_globals no longer exist in PHP 5.4 and later; on those versions keep only the remaining lines.)
# service httpd restart
Install Packages
Suhosin
Zend Optimizer
Mod_Evasive
Mod_Security
Firewall – DDoS Protection
CSF Installation
http://wp.me/p1UIdz-8G
========================>
Install Anti-Virus:
* Linux Malware Detect (LMD) - what is LMD:
http://wp.me/s1UIdz-552
* ClamAV - log in to your WHM, then go to cPanel > Manage Plugins and enable it
* Rootkit Hunter (rkhunter) - use the latest stable release:
http://www.rootkit.nl/projects/rootkit_hunter.html
* chkrootkit


Linux Socket Monitor (LSM)
LSM is a network socket monitor; it tracks changes to network sockets and Unix domain sockets, which effectively makes it a port monitor. An alert e-mail is dispatched whenever a new port becomes active.
========================>
Secure SSH
http://wp.me/p1UIdz-5p
========================>
Recommended Security Tweak Settings Checklists
Blank referrer safety check On
Require SSL On
Enable HTTP Authentication Off
Security Tokens On
Cookie IP Validation On
Proxy Subdomain Creation Off
Block Common Domains Usage On
Initial default/catch-all forwarder destination Fail
Max hourly emails per domain - 100 emails per hour per domain
Enable SpamAssassin spam filter On
In addition to that:

How to install and enable SPF & DomainKeys using SSH


For the SPF record (Sender Policy Framework):

For one domain:

/usr/local/cpanel/bin/spf_installer <username>     - to enable it

/usr/local/cpanel/bin/spf_uninstaller <username>   - to disable it

For all existing cPanel accounts:

This removes the SPF record from every existing cPanel account (to disable it):
# for i in `ls /var/cpanel/users` ;do /usr/local/cpanel/bin/spf_uninstaller $i ;done

This installs the SPF record for every existing cPanel account (to enable it):
# for i in `ls /var/cpanel/users` ;do /usr/local/cpanel/bin/spf_installer $i ;done

04 February, 2013

Disable Direct Root Login and change ssh port

Allowing the root user to log in directly over SSH is a major security issue. We’ll show you how to disable it so that you can still become root, just not by logging in as root directly, which reduces the exposure.
This forces an attacker to guess 2 separate passwords to gain root access.
(You do have 2 separate passwords for admin and root, right?)
We will also force the use of SSH protocol 2, which is the newer, more secure SSH protocol.
1. SSH into your server as root
——————————————–
2. Create a new user for disabling direct login
——————————————–
Here we are creating a user ‘admin’ and setting its password (useradd -p expects an already hashed password, so set the password with passwd instead):
# useradd admin
# passwd admin
——————————————–
3. Add that user to the wheel group (-a appends; -G alone would replace the user's other supplementary groups)
# usermod -aG wheel admin
e.g. in /etc/group: wheel:x:10:root,admin

——————————————–
4. Now edit the file for SSH logins
# vi /etc/ssh/sshd_config
5. Make the following changes:
——————————————–
Port 9595      (you can specify any unused port)
Protocol 2
PermitRootLogin no
StrictModes yes

——————————————–
6. Save the file (in vi: Esc, then :wq and Enter; in nano: Ctrl+X, then Y, then Enter)
——————————————–
7. Now you can restart SSH
# /etc/rc.d/init.d/sshd restart
——————————————–
8. Add the new SSH port to the CSF configuration file, in both the incoming and outgoing TCP port lists
# vim /etc/csf/csf.conf
# Allow incoming TCP ports: add the port to TCP_IN
# Allow outgoing TCP ports: add the port to TCP_OUT

——————————————–
9. Restart the csf
# csf -r
Try to log in to the server from another terminal on the new port and check that it works before you close your current session.
Now nobody will be able to log in as root without first logging in as admin and running ‘su -’ to become root, and you will be forcing the use of a more secure protocol. Just make sure you remember both passwords!
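Steps 4 and 5 above, and the php.ini settings in the hardening checklist earlier on this page, are easy to get subtly wrong (a commented-out PermitRootLogin, or Protocol 2,1 instead of 2, both leave the weak default in force). The following added example, not part of the original post, audits a php.ini and an sshd_config fragment against those settings; the sample fragments are constructed, and on a real server you would read the files instead.

```python
import re

# Constructed sample fragments (not real server files). The "weak" ones show settings
# as many hosts ship them; the hardened sshd fragment matches step 5 above.
PHP_INI_WEAK = """\
; php.ini fragment
expose_php = On
enable_dl = On
display_errors = On
disable_functions =
"""

SSHD_WEAK = """\
# sshd_config fragment
Port 22
#PermitRootLogin no
Protocol 2,1
StrictModes yes
"""

SSHD_HARDENED = """\
Port 9595
Protocol 2
PermitRootLogin no
StrictModes yes
"""

# Expected values from the hardening checklist (safe_mode, magic_quotes_gpc and
# register_globals are left out because PHP 5.4+ no longer has them).
PHP_EXPECTED = {"expose_php": "off", "enable_dl": "off", "display_errors": "off"}
PHP_DISABLED = {"system", "show_source", "symlink", "exec", "dl", "shell_exec", "passthru",
                "phpinfo", "escapeshellarg", "escapeshellcmd", "proc_close", "proc_open", "popen"}
SSHD_EXPECTED = {"permitrootlogin": "no", "protocol": "2", "strictmodes": "yes"}

def parse_kv(text):
    """Parse 'key = value' (php.ini) or 'Key value' (sshd_config) lines.
    Comments (# or ;) are dropped, keys are lower-cased, and the first occurrence
    of a key wins, which is how sshd itself resolves duplicate directives."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([^\s=]+)\s*=?\s*(.*)$", line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip())
    return settings

def audit(settings, expected):
    """Return (key, found, wanted) for every setting that is missing or differs."""
    findings = []
    for key, wanted in expected.items():
        found = settings.get(key, "<unset>")
        if found.lower() != wanted:
            findings.append((key, found, wanted))
    return findings

def missing_disabled_functions(settings, required=PHP_DISABLED):
    present = {f.strip() for f in settings.get("disable_functions", "").split(",")}
    return sorted(required - present)

def audit_php(text):
    s = parse_kv(text)
    return audit(s, PHP_EXPECTED), missing_disabled_functions(s)

def audit_sshd(text):
    s = parse_kv(text)
    findings = audit(s, SSHD_EXPECTED)
    if s.get("port", "22") == "22":              # sshd defaults to 22 when Port is unset
        findings.append(("port", s.get("port", "<unset>"), "a non-default port"))
    return findings

if __name__ == "__main__":
    print("php.ini:", audit_php(PHP_INI_WEAK))
    print("weak sshd_config:", audit_sshd(SSHD_WEAK))
    print("hardened sshd_config:", audit_sshd(SSHD_HARDENED))
```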
SSH Legal Message
Edit /etc/motd and write something like this in it:
“ALERT! This is a secured area. Your IP is logged. The administrator has been notified.”
When someone logs in over SSH they will see that message:
ALERT! This is a secured area. Your IP is logged. The administrator has been notified.
If you want to receive an email every time someone logs in over SSH as root, edit .bash_profile (located in the /root directory) and put this at the end of the file:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" mail@something.com
service sshd restart
==================================================>

Common cPanel/WHM /Scripts

Hello Guys!
Here you can find some common cPanel scripts which are useful for the tasks given below.

Common cPanel /Scripts

/scripts/installzendopt - Install Zend Optimizer
/scripts/fixndc - Hostname A entry missing! Then restart bind and apache
Install cron on a new server: /scripts/installrpm anacron vixie-cron ; /etc/rc.d/init.d/crond start
/scripts/cleanbw - Bandwidth issues
/scripts/fixwebalizer - To fix the problem of webalizer stopping its stats updates
/scripts/fixcommonproblems
/scripts/fixeverything
/usr/local/cpanel/bin/convertmailman2 - Fixing the MailMan mailing list
/scripts/reinstallmailman - Reinstall MailMan
/scripts/fixhome - Fix permissions on accounts
Edit the MySQL conf file: pico /etc/my.cnf
Edit php.ini: pico /usr/local/lib/php.ini
Edit the Apache conf: pico /etc/httpd/conf/httpd.conf
Check real-time top processes: log in to SSH and run: top
Run a cPanel backup: /scripts/cpbackup
To try and fix the domain controller: /scripts/fixndc

Quotas /scripts/initquotas – takes a while to run
/scripts/resetquotas
/scripts/fixquotas – takes a while to run

/scripts/adddns Add a Dns Entry
/scripts/addfpmail Install Frontpage Mail Exts
/scripts/addservlets Add JavaServlets to an account (jsp plugin required)
/scripts/adduser Add a User
/scripts/admin Run WHM Lite
/scripts/apachelimits Add Rlimits (cpu and mem limits) to apache.
/scripts/dnstransfer Resync with a master DNS Server
/scripts/editquota Edit A User’s Quota
/scripts/finddev Search For Trojans in /dev
/scripts/findtrojans Locate Trojan Horses
Suggested usage:
/scripts/findtrojans > /var/log/trojans
/scripts/fixtrojans /var/log/trojans
/scripts/fixcartwithsuexec Make Interchange work with suexec
/scripts/fixinterchange Fix Most Problems with Interchange
/scripts/fixtrojans Run on a trojans horse file created by findtrojans to remove them
/scripts/fixwebalizer Run this if a user’s stats stop working
/scripts/fixvaliases Fix a broken valias file
/scripts/hdparamify Turn on DMA and 32bit IDE hard drive access (once per boot)
/scripts/initquotas Re-scan quotas. Usually fixes Disk space display problems
/scripts/initsuexec Turn on SUEXEC (probably a bad idea)
/scripts/installzendopt Fetch + Install Zend Optimizer
/scripts/ipusage Display Ipusage Report
/scripts/killacct Terminate an Account
/scripts/killbadrpms Delete “Security Problem Infested RPMS”
/scripts/mailperm Fix Various Mail Permission Problems
/scripts/mailtroubleshoot Attempt to Troubleshoot a Mail Problem
/scripts/mysqlpasswd Change a Mysql Password
/scripts/quicksecure Kill Potential Security Problem Services
/scripts/rebuildippool Rebuild Ip Address Pool
/scripts/remdefssl Delete Nasty SSL entry in apache default httpd.conf
/scripts/restartsrv Restart a Service (valid services: httpd,proftpd,exim,sshd,cppop,bind,mysql)
/scripts/rpmup Syncup Security Updates from RedHat/Mandrake
/scripts/runlogsnow Force a webalizer/analog update.
/scripts/secureit Remove non-important suid binaries
/scripts/setupfp4 Install Frontpage 4+ on an account.
/scripts/simpleps Return a Simple process list. Useful for finding where cgi scripts are running from.
/scripts/suspendacct Suspend an account
/scripts/sysup Syncup Cpanel RPM Updates
/scripts/unblockip Unblock an IP
/scripts/unsuspendacct UnSuspend an account
/scripts/upcp Update Cpanel
/scripts/updatenow Update /scripts
/scripts/wwwacct Create a New Account

/scripts/runweblogs <account username> - run awstats manually for an account

Sometimes such behavior of Apache/httpd (taking more and more memory until it dies or crashes the server) can be caused by a corrupted MySQL database. Try the following:
1) Stop the MySQL server
/etc/rc.d/init.d/mysql stop

2) Repair all SQL databases:
myisamchk -r /var/lib/mysql/*/*.MYI

3) Start mysql again:
/etc/rc.d/init.d/mysql start

How to install RkHunter on linux server / linux system / cPanel Server

Rkhunter is a very useful tool that is used to check for trojans, rootkits, and other security problems. This tutorial will touch on installing it and setting up a daily report.
http://rkhunter.sourceforge.net/
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.3.8/rkhunter-1.3.8.tar.gz
(or the latest release: wget http://sourceforge.net/projects/rkhunter/files/latest/download)
# tar -xzvf rkhunter-1.3.8.tar.gz
# cd rkhunter-1.3.8   (or: cd rkhunter-*)
# ./installer.sh --layout default --install
# cd ..
# rm -Rf rkhunter*
# /usr/local/bin/rkhunter --update
# /usr/local/bin/rkhunter --propupd
(--propupd stores the current file properties as the baseline, so run it on a system you trust, and again after legitimate package updates.)
Now cron it to run on a daily basis and email you:
# nano -w /etc/cron.daily/rkhunter.sh
#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (YourServer HostName Here)' your@email.com

Remember to change "YourServer HostName Here" and your@email.com.
# chmod 700 /etc/cron.daily/rkhunter.sh
You can update rootkit hunter to the latest version using
# rkhunter --update
and you can run a scan using
# /usr/local/bin/rkhunter -c   (or: rkhunter --check)
Rkhunter Installation

http://www.webhostgear.com/141.html

Rkhunter is a very useful tool that is used to check for trojans, rootkits, and other security problems. This tutorial will touch on installing it and setting up a daily report for rkhunter.

Installing:

wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar -zxvf rkhunter-1.2.7.tar.gz
cd rkhunter-1.2.7
./installer.sh

Now you can run a test scan with the following command:

/usr/local/bin/rkhunter -c

How to setup a daily scan report?

pico /etc/cron.daily/rkhunter.sh

add the following replacing your email address:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" email@domain.com)

chmod +x /etc/cron.daily/rkhunter.sh

Updating rkhunter
gets the latest database updates from their central server and matches your OS
better to prevent false positives.

# rkhunter --update

I just got a false positive!! What do I do?
False positives are warnings which indicate there is a problem when there really isn't one. Example: some Linux distro updated a few commonly used binaries like `ls` and `ps`. You (as a good sysadmin) install the new packages and run (of course) the daily Rootkit Hunter. Rootkit Hunter isn't yet aware of these new files and while scanning it reports some "bad" files. In this case we have a false positive. You could always have your datacenter or a system administrator check out the server to verify that it is not compromised.

More information on rkhunter can be found here: http://www.rootkit.nl
