Revision [1176]
Last edited on 2006-08-24 09:54:43 by JasonR
Additions:
===Anti-Spam===
See [[http://www.rvskin.com/index.php?page=public/antispam rvskin]] - and [[AntiSpam Text Archived here]]
Revision [1175]
Edited on 2006-08-24 09:41:46 by JasonR
Additions:
~-Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
~~-MAKE SURE YOU ARE RUNNING phpSuExec if you do this!!!
Deletions:
Revision [1174]
Edited on 2006-08-24 09:38:50 by JasonR
Additions:
==Exploit Removal Instructions==
From [[http://layer0.layeredtech.com/showthread.php?t=4428 LT's Forums]]
Deletions:
Additions:
#%Main#% > #%Server Configuration#% > #%Tweak Settings#%
Deletions:
Revision [1172]
Edited on 2006-08-24 09:37:19 by JasonR
Additions:
~~This tool scans for rootkits, backdoors and local exploits by running tests like:
~~~-MD5/SHA1 hash compare
~~~-Look for default files used by rootkits
~~~-Wrong file permissions for binaries
~~~-Look for suspected strings in LKM and KLD modules
~~~-Look for hidden files
~~~-Optional scan within plaintext and binary files
Deletions:
~~-MD5/SHA1 hash compare
~~-Look for default files used by rootkits
~~-Wrong file permissions for binaries
~~-Look for suspected strings in LKM and KLD modules
~~-Look for hidden files
~~-Optional scan within plaintext and binary files
Revision [1171]
Edited on 2006-08-24 09:35:39 by JasonR
Additions:
~-This tool scans for rootkits, backdoors and local exploits by running tests like:
~~-MD5/SHA1 hash compare
~~-Look for default files used by rootkits
~~-Wrong file permissions for binaries
~~-Look for suspected strings in LKM and KLD modules
~~-Look for hidden files
~~-Optional scan within plaintext and binary files
Deletions:
~-MD5/SHA1 hash compare
~-Look for default files used by rootkits
~-Wrong file permissions for binaries
~-Look for suspected strings in LKM and KLD modules
~-Look for hidden files
~-Optional scan within plaintext and binary files
Revision [1170]
Edited on 2006-08-24 09:34:59 by JasonR
Additions:
~-MD5/SHA1 hash compare
~-Look for default files used by rootkits
~-Wrong file permissions for binaries
~-Look for suspected strings in LKM and KLD modules
~-Look for hidden files
~-Optional scan within plaintext and binary files
#%Main#% > #%Security#% > #%Fix Insecure Permissions (Scripts)#%
#%Main#% > #%Security#% > #%Tweak Security#%
#%Main#% > #%Service Configuration#% > #%Enable/Disable SuExec#%
#%Main#% > #%Account Functions#% > #%Disable or Enable Demo Mode#%
Deletions:
~~-Look for default files used by rootkits
~~-Wrong file permissions for binaries
~~-Look for suspected strings in LKM and KLD modules
~~-Look for hidden files
~~-Optional scan within plaintext and binary files
#%Main#% >> #%Security#% >> #%Fix Insecure Permissions (Scripts)#%
#%Main#% >> #%Security#% >> #%Tweak Security#%
#%Main#% >> #%Service Configuration#% >> #%Enable/Disable SuExec#%
#%Main#% >> #%Account Functions#% >> #%Disable or Enable Demo Mode#%
Revision [1169]
Edited on 2006-08-24 09:34:02 by JasonR
Additions:
#%Main#% >> #%Server Configuration#% >> #%Tweak Settings#%
~-Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
~-Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
#%Main#% >> #%Security#% >> #%Fix Insecure Permissions (Scripts)#%
#%Main#% >> #%Security#% >> #%Tweak Security#%
~"Compilers are disabled for unpriviledge users"
#%Main#% >> #%Service Configuration#% >> #%Enable/Disable SuExec#%
~suexec Status "enabled"
#%Main#% >> #%Account Functions#% >> #%Disable or Enable Demo Mode#%
~Select from "Users" the "demo" account and click "Modify" then click "Disable" if it exists
Deletions:
[x] Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
[x] Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
Main >> Security >> Fix Insecure Permissions (Scripts)
Main >> Security >> Tweak Security
"Compilers are disabled for unpriviledge users"
Main >> Service Configuration >> Enable/Disable SuExec
suexec Status "enabled"
Main >> Account Functions >> Disable or Enable Demo Mode
Select from "Users" the "demo" account and click "Modify" then click "Disable" if it exists
Additions:
====cPanel Admin Help====
===Server Hardening===
==Exploit Removal Instructions==
The following is a first step in finding and removing exploits and rootkits on a Linux or BSD system. It is a triage procedure, not a full forensic investigation.
~1)EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:
~~%%(ssh)chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-%%
~~This clears the world-execute bit, so the web server user (nobody) can no longer use these tools to pull a payload from a remote host after exploiting a script. It does not stop an attacker who uploads the payload directly through the vulnerable script or fetches it with something else (lynx, perl's LWP, PHP with allow_url_fopen), and it also breaks any legitimate user cron job or script that calls curl or wget, so tell your users before you do it.
~2)EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS:
~~%%(ssh)
sh
for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do ls -loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web | htdocs " | grep -E "^$|^/|/$|\\*$|\\.pl$" | grep -Ev "sess_"; done | tee exploits.txt; printf "\n\nPossible Exploit Files and Directories: %s\n" "$(grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
exit
%%
~~The first grep keeps only entries owned by the web server users (the owner column of ls -lo), the second keeps directories and executables (ls -F marks them with a trailing '/' and '*') plus anything named *.pl, and the third drops PHP session files. Lines ending with an asterisk '*', '.pl', or a slash '/' are therefore possible exploit files or directories; investigate and remove them, then reboot the server to kill any running exploit processes. A reboot only kills what is running, so also check the crontabs (including /var/spool/cron) and the startup scripts of the users listed above for anything that would restart the exploit. You can refer to the exploits.txt file generated by the above commands for later reference.
~3) You should also install and run the program called rkhunter.
~~Rootkit Hunter is a scanning tool; its project description claims roughly 99.9% assurance that the system is free of such tools. Treat a clean run as a good sign rather than proof, since a kernel-level rootkit can hide from a userland scanner.
~~This tool scans for rootkits, backdoors and local exploits by running tests like:
~~-MD5/SHA1 hash compare
~~-Look for default files used by rootkits
~~-Wrong file permissions for binaries
~~-Look for suspected strings in LKM and KLD modules
~~-Look for hidden files
~~-Optional scan within plaintext and binary files
~~WWW: http://www.rootkit.nl/
~~~**On BSD systems:**
~~~%%(sh)cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c%%
~~~~(or for help with rkhunter arguments do: rkhunter -h)
~~~**On RedHat, Fedora, CentOS systems:**
~~~%%(sh)yum -y install rkhunter; rkhunter -c%%
~~~~(or for help with rkhunter arguments do: rkhunter -h)
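The two checks from steps 1 and 2 above, written as reusable shell functions. This is an added example, not code from the original forum post or from cPanel: the function names, the default `WEB_USERS` list and the demo tree built by `build_demo_tree` are assumptions made here for illustration. It uses `find` instead of `ls | grep`, which also handles file names with spaces and nested directories, and it can be exercised as an unprivileged user against the constructed tree before you run it as root on a real server.

```shell
#!/bin/sh
# Added example (not from the original page). Functions for the hardening
# and scanning steps above; names and defaults here are assumptions.

# Owners that a web-server-spawned process runs as. Assumed default; cPanel's
# Apache runs CGI/PHP as "nobody" unless suexec/phpsuexec is enabled.
WEB_USERS="${WEB_USERS:-nobody apache www}"

# world_exec_tools DIR...: print download tools under DIR that any user can
# execute (the "other" execute bit, -perm -001, is set). These are exactly
# the binaries step 1's "chmod 0750" is meant to lock down.
world_exec_tools() {
    for dir in "$@"; do
        for tool in curl fetch wget; do
            f="$dir/$tool"
            [ -f "$f" ] || continue
            find "$f" -perm -001 2>/dev/null
        done
    done
}

# restrict_tools DIR...: apply step 1 (mode 0750) to every tool found above.
restrict_tools() {
    world_exec_tools "$@" | while IFS= read -r f; do
        chmod 0750 "$f" && printf 'restricted %s\n' "$f"
    done
}

# suspect_files OWNER ROOT...: step 2's heuristic. Anything under ROOT owned
# by OWNER that is a directory, is executable by its owner (-perm -100), or is
# named *.pl, skipping PHP session files (sess_*) and ROOT itself.
suspect_files() {
    owner=$1; shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" ! -path "$root" -user "$owner" ! -name 'sess_*' \
            \( -type d -o -perm -100 -o -name '*.pl' \) 2>/dev/null
    done
}

# scan_all ROOT...: run suspect_files for every user in WEB_USERS.
scan_all() {
    for u in $WEB_USERS; do suspect_files "$u" "$@"; done
}

# count_suspects OWNER ROOT...: number of suspect entries, for the summary line.
count_suspects() { suspect_files "$@" | wc -l | tr -d ' '; }

# build_demo_tree: a constructed sample layout (not real findings) owned by the
# current user, so the functions can be tried without root: a hidden directory
# holding an executable, a .pl script, a PHP session file, a harmless text file,
# and a fake bin directory with a world-executable "wget" and a restricted "curl".
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp/.x" "$d/bin"
    printf '#!/bin/sh\necho hi\n' > "$d/tmp/.x/bot"; chmod 755 "$d/tmp/.x/bot"
    : > "$d/tmp/irc.pl"
    : > "$d/tmp/sess_0123456789abcdef"
    : > "$d/tmp/notes.txt"
    : > "$d/bin/wget"; chmod 755 "$d/bin/wget"
    : > "$d/bin/curl"; chmod 750 "$d/bin/curl"
    printf '%s\n' "$d"
}

# Usage on a live server (as root):
#   restrict_tools /usr/bin /usr/local/bin
#   scan_all /dev/shm /tmp /var/tmp /var/spool /usr/local/apache/proxy | tee exploits.txt
```

To try it without root, run `d=$(build_demo_tree); suspect_files "$(id -un)" "$d/tmp"`; the hidden directory, the executable inside it and `irc.pl` are listed, while the session file and the text file are not. The same caveat as for the original pipeline applies: ownership and execute bits are only a heuristic, and a finding is a lead to investigate, not a verdict.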
If you cannot do this yourself, have a third-party company do it.
If you cannot secure your server and it has been compromised, you should issue a Reload Request for your system (a clean reinstall of the operating system); cleaning a rooted box in place is rarely worth the risk.
==WHM (CPanel) Hardening Guide==
You should configure the following in your WHM (CPanel):
Main >> Server Configuration >> Tweak Settings
[x] Prevent the user 'nobody' from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)
[x] Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
Main >> Security >> Fix Insecure Permissions (Scripts)
Main >> Security >> Tweak Security
"Compilers are disabled for unpriviledge users"
Main >> Service Configuration >> Enable/Disable SuExec
suexec Status "enabled"
Main >> Account Functions >> Disable or Enable Demo Mode
Select from "Users" the "demo" account and click "Modify" then click "Disable" if it exists
===External mail===
Deletions:
==External mail==