Recompile Apache 2.4.2 and Apache 2.2.22

How to Install Apache 2.4.2 from Source on CentOS 6.3 with SSL

yum install gcc
yum install openssl-devel

yum install apr-devel
yum install apr-util-devel

yum install libtool

yum install gcc-c++

# APR
# http://mirrors.axint.net/apache//apr/apr-1.4.6.tar.gz

tar -xvzf apr-1.4.6.tar.gz

cd apr-1.4.6/

./configure

make

make install

cd ..

# APR Utils
# http://mirrors.axint.net/apache//apr/apr-util-1.4.1.tar.gz

tar -xvzf apr-util-1.4.1.tar.gz

cd apr-util-1.4.1

./configure --with-apr=/usr/local/apr

make

make install

cd ..

# pcre-8.20
# ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.20.tar.gz

tar zxvf pcre-8.20.tar.gz

cd pcre-8.20/

./configure

make

make install

cd ..

# Apache

tar -xvzf httpd-2.4.2.tar.gz

# Drop fresh copies of APR and APR-util into srclib/ so that --with-included-apr
# builds httpd against them. The httpd tree has to be unpacked first (the original
# ran these mv commands before the tar, when httpd-2.4.2/srclib did not exist yet).
tar -zxvf apr-1.4.6.tar.gz
tar -zxvf apr-util-1.4.1.tar.gz
mv apr-1.4.6 httpd-2.4.2/srclib/apr
mv apr-util-1.4.1 httpd-2.4.2/srclib/apr-util

cd httpd-2.4.2

# In 2.4 mod_disk_cache became mod_cache_disk (--enable-cache-disk) and mod_mem_cache
# was dropped, so the 2.2 names --enable-disk-cache / --enable-mem-cache are not
# recognised here; --enable-rewrite was also listed twice in the original.
./configure --prefix=/usr/local/apache2.4 --enable-ssl --enable-cgi --enable-vhost-alias --enable-rewrite --enable-proxy --enable-so --enable-cache --enable-cache-disk --enable-file-cache --enable-deflate --enable-expires --enable-headers --enable-usertrack --with-included-apr --with-included-apr-util

make

make install

httpd-2.2.22

The same steps apply to 2.2.22 (here the 2.2 cache option names are the right ones); --enable-so and --enable-rewrite only need to be given once:

./configure --prefix=/usr/local/apache2.22 --enable-ssl --enable-cgi --enable-vhost-alias --enable-rewrite --enable-so --enable-proxy --enable-cache --enable-disk-cache --enable-mem-cache --enable-file-cache --enable-deflate --enable-expires --enable-headers --enable-usertrack --with-included-apr --with-included-apr-util

The four LoadModule lines below are for the JBoss mod_cluster httpd modules (mod_slotmem, mod_manager, mod_proxy_cluster, mod_advertise). They go into httpd.conf only after those .so files have been copied into the modules directory; otherwise httpd refuses to start:

LoadModule slotmem_module modules/mod_slotmem.so
LoadModule manager_module modules/mod_manager.so
LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
LoadModule advertise_module modules/mod_advertise.so

cd ..
[root@HVWMOWB01 httpd-2.4.2]# /usr/local/apache2/bin/httpd -k start

[root@HVWMOWB01 httpd-2.4.2]# ps -ef|grep http
root     29757     1  0 15:48 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
daemon   29758 29757  0 15:48 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
daemon   29760 29757  0 15:48 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
daemon   29762 29757  0 15:48 ?        00:00:00 /usr/local/apache2/bin/httpd -k start
root     29844  9441  0 15:48 pts/4    00:00:00 grep http
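The tarballs above are fetched from a mirror, and a mirror can serve a tampered copy. As an added example (not part of the original page), the shell function below compares a downloaded tarball's SHA-256 with the checksum published on the project's own download page and refuses a mismatch; the demonstration at the bottom runs it on a constructed file whose hash is known. The name of the checksum file in the usage note is an assumption.

```sh
#!/bin/sh
# Added example: verify a source tarball against a published SHA-256 before
# unpacking it. Usage: verify_tarball <tarball> <expected-sha256-hex>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.

sha256_of() {
    # portable wrapper: GNU coreutils has sha256sum, BSD/macOS has shasum
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

verify_tarball() {
    tarball=$1
    # lower-case the expected hash so a value pasted in upper case still matches
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$tarball" ]; then
        echo "verify_tarball: $tarball not found" >&2
        return 2
    fi
    actual=$(sha256_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "OK  $tarball"
        return 0
    fi
    echo "MISMATCH $tarball: expected $expected, got $actual" >&2
    return 1
}

# --- demonstration on a constructed file (not a real httpd tarball) ---
DEMO_TARBALL=$(mktemp)
printf 'hello\n' > "$DEMO_TARBALL"
# SHA-256 of the five bytes "hello" followed by a newline
DEMO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_tarball "$DEMO_TARBALL" "$DEMO_SHA256"
```

For the real build the call is verify_tarball httpd-2.4.2.tar.gz "$(awk '{print $1}' httpd-2.4.2.tar.gz.sha256)", where the .sha256 file (name assumed here) is downloaded from the project site rather than from the mirror; the PGP signature (.asc) checked against the project's KEYS file is the stronger check and is worth doing as well, since a checksum fetched over the same channel as the tarball proves only that the download was not corrupted.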

OpenSSL setup on the server

Enable the SSL virtual host in httpd.conf:

Include conf/extra/httpd-ssl.conf

Generate a key and a self-signed certificate (for testing only; a production host needs a certificate issued by a CA the clients trust). The original used 1024-bit RSA, which is below current minimums, so generate 2048 bits and sign with SHA-256. The last step writes a copy of the key without the passphrase so that httpd can start unattended; that file, and the original key, must be readable by root only (mode 600):

openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -sha256 -in server.csr -signkey server.key -out server.crt
cp server.key server.key.org
openssl rsa -in server.key -out servernopass.key

How to Compile Apache & PHP in Linux

Compiling PHP and Apache from source

Assuming the Apache source and PHP source tarballs are in /usr/src.

To compile Apache

$ cd /usr/src
$ tar -zxvf httpd-2.0.44.tar.gz
$ cd /usr/src/httpd-2.0.44
$ ./configure --prefix=/wwwroot --enable-so
(--enable-so builds mod_so, which gives the server Dynamic Shared Object (DSO) support; PHP is loaded as a DSO, so this option is required.)
$ make
$ make install
$ /wwwroot/bin/apachectl start
Now test the Apache installation by going to http://localhost.
Stop Apache for the PHP installation:
$ /wwwroot/bin/apachectl stop

To compile PHP

$ cd /usr/src
$ tar -zxvf php-4.3.0.tar.gz
$ cd /usr/src/php-4.3.0
$ ./configure --prefix=/wwwroot/php --with-apxs2=/wwwroot/bin/apxs --with-config-file-path=/wwwroot/php --with-mysql
$ make
$ make install
Now edit the Apache configuration file /wwwroot/conf/httpd.conf.
If the PHP install has not already added the line "LoadModule php4_module modules/libphp4.so" to /wwwroot/conf/httpd.conf, add it yourself, somewhere below the section named "Dynamic Shared Object (DSO) Support":
LoadModule php4_module modules/libphp4.so
Then add this line to /wwwroot/conf/httpd.conf so that .php files are handed to the module:
AddType application/x-httpd-php .php

Start Apache again:
$ /wwwroot/bin/apachectl start
Now create a test PHP file with any text editor containing:
<?php
phpinfo();
?>

Save it under /wwwroot/htdocs as info.php and test the PHP installation by opening:
http://localhost/info.php
Delete info.php once the test passes: phpinfo() publishes the full build configuration, module list and environment of the server to anyone who can reach the page.

DSO

Modules can be compiled statically into the httpd binary when the server is built. Alternatively, they can be compiled as Dynamic Shared Objects (DSOs) that exist separately from the httpd binary. DSO modules may be compiled at the time the server is built, or compiled and added later with the Apache Extension Tool (apxs).
apxs is a tool for building and installing extension modules for the Apache HTTP server. It builds a dynamic shared object (DSO) from one or more source or object files, which can then be loaded into the running server with the LoadModule directive provided by mod_so.
To use this mechanism, the platform must support DSOs and the httpd binary must have been built with mod_so. apxs complains if either is missing; you can check yourself by running:
$ httpd -l
mod_so should appear in the list. If it does, you can extend the server with your own modules through apxs:
$ apxs -i -a -c mod_foo.c
The file arguments can be C source files (.c), object files (.o) or library archives (.a). apxs recognises the extension and compiles the C sources, while object and archive files are used only in the link phase. -c compiles, -i installs the resulting .so into the modules directory and -a adds the matching LoadModule line to httpd.conf.
In short, DSO lets modules be added after Apache has been installed, without rebuilding it.

Apache commands

# apachectl -k graceful
On a server use apachectl rather than /etc/init.d/httpd to control the httpd daemon. A graceful restart re-reads the configuration and replaces each child process only once it has finished its current request.

# apachectl -k restart
The difference between graceful and restart is that restart kills the children immediately, aborting requests in flight, while graceful lets them finish.

# ps -ef | grep httpd
Lists the httpd processes (-e: every process, -f: full format). A runaway child found this way can be stopped with kill.

# kill -TERM <pid>
The number of children is bounded by MaxClients (MaxRequestWorkers in 2.4), so a count that suddenly climbs to that ceiling, with the connection count to match, points to a flood rather than normal load. If that is what you see, stop the service:

# apachectl -k stop
If it is a network-level attack (denial of service, flooding) rather than an application problem, isolating the host from the network, by pulling the cable or blocking at the upstream filter, is the last resort.
# locate httpd.pid
# cat /var/run/httpd.pid
Prints the process ID of the parent httpd.
# ps auxf | grep httpd
Lists all httpd processes in full format, as a process tree.

# vi /etc/init.d/httpd
The init script used to run the Apache service.

# ps -ef --forest | grep httpd
Lists the httpd processes as a tree (full format with -f): the parent and its children, each of which can in turn have children.

# netstat -tn
Prints the TCP connections to the server with the remote address and the ports involved.

# netstat -tn | grep 35296
Lists the connections that involve this particular port.

# lsof -i tcp:80
Lists the open files (here: sockets) on TCP port 80, the listener as well as established connections.

# lsof -i tcp:80 | wc -l
Counts those lines (one header line plus one per socket), a quick way to gauge how many connections port 80 has right now.

# grep -E '^(User|Group)' /etc/httpd/conf/httpd.conf
Shows the user and group httpd runs as.

# top -u apache
Shows the processes owned by the apache user.

# httpd -l
Lists the modules compiled into the binary.

# httpd -M
Shows all loaded modules, compiled in and DSO.

# httpd -L
Lists the configuration directives available.

# httpd -v
Shows the Apache version.
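The "is this an attack" check described above comes down to two numbers: how many children the parent httpd has right now, and which remote addresses hold the most connections to port 80. The shell functions below, an added example rather than part of the original page, extract both from ps and netstat output; they read from stdin so they work on a saved capture as well as on a live pipe. The sample ps and netstat lines are constructed, not captured from a real server.

```sh
#!/bin/sh
# Added example: count httpd children and find the busiest remote addresses.
# Live use:  ps -eo ppid=,comm= | httpd_children "$(cat /var/run/httpd.pid)"
#            netstat -tn | top_talkers 20

httpd_children() {
    # $1 = PID of the parent httpd; stdin = output of: ps -eo ppid=,comm=
    awk -v parent="$1" '$1 == parent && $2 ~ /^httpd/ { n++ } END { print n + 0 }'
}

top_talkers() {
    # $1 = threshold; stdin = output of: netstat -tn
    # prints "address count" for every remote address with at least $1
    # connections to local port 80, busiest first
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $4 ~ /:80$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)     # strip the remote port; IPv6 stays intact
            sub(/^::ffff:/, "", peer)     # IPv4-mapped IPv6 counts with plain IPv4
            count[peer]++
        }
        END {
            for (ip in count)
                if (count[ip] >= limit) printf "%s %d\n", ip, count[ip]
        }' | sort -k2,2nr -k1,1
}

# --- constructed sample data ---
SAMPLE_PS='    1 init
 2001 httpd
 2002 httpd
 2001 bash
 2001 httpd
 2001 httpd'

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:80         203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.168.1.10:80         203.0.113.5:51235       SYN_RECV
tcp        0      0 192.168.1.10:80         203.0.113.5:51236       SYN_RECV
tcp        0      0 192.168.1.10:80         198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.168.1.10:22         198.51.100.7:40002      ESTABLISHED
tcp6       0      0 ::ffff:192.168.1.10:80  ::ffff:203.0.113.5:51237 ESTABLISHED'

printf 'httpd children of 2001: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | httpd_children 2001)"
printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers 2
```

Compare the child count with MaxClients from httpd.conf: a count pinned at that ceiling while one or two addresses dominate top_talkers is the flood signature the text describes, and a single address with many SYN_RECV entries is a SYN flood, which tcp_syncookies (see the TCP tuning section) mitigates.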

JBoss Server 6

JBoss 6

Follow these installation steps for the JBoss server:

1. Install the JDK -------> jdk-6u7-linux-i586.bin
2. Install JBoss --------> jboss-as-distribution-6.0.0.Final.zip

First install Java (the installer unpacks into the current directory, so run it in /opt to match the JAVA_HOME below):

# cd /opt
# ./jdk-6u7-linux-i586.bin
# cd jdk1.6.0_07/
Export JAVA_HOME and PATH in the profile files:
# vim ~/.bash_profile
export JAVA_HOME=/opt/jdk1.6.0_07
export PATH=$PATH:$JAVA_HOME/bin
# . ~/.bash_profile
# vim /etc/profile
export JAVA_HOME=/opt/jdk1.6.0_07
export PATH=$PATH:$JAVA_HOME/bin
# . /etc/profile
Install JBoss once Java is set up. The original mixed /opt and /home/jboss as the install location; everything below uses /home/jboss/jboss-6.0.0.Final, so JBOSS_HOME must point there:
# cd /home/jboss/
# unzip jboss-as-distribution-6.0.0.Final.zip
# cd jboss-6.0.0.Final/
# vim ~/.bash_profile
export JBOSS_HOME=/home/jboss/jboss-6.0.0.Final
export PATH=$PATH:$JBOSS_HOME/bin
# . ~/.bash_profile
# vim /etc/profile
export JBOSS_HOME=/home/jboss/jboss-6.0.0.Final
export PATH=$PATH:$JBOSS_HOME/bin
# . /etc/profile
To start JBoss use any of these
**************************************
# cd /home/jboss/jboss-6.0.0.Final/bin/
# ./run.sh -b 192.168.0.142
# nohup sh run.sh -b localhost &
# nohup sh run.sh -b 0.0.0.0 &      -- listen on every interface
# nohup sh run.sh -b 192.168.0.20 &
-b selects the bind address. With -b 0.0.0.0 the HTTP connector and, on the same address, the JMX console, the admin console and the other services of the profile become reachable from every network the host is on, so use it only behind a firewall that restricts who can reach ports 8080 and 8443, and otherwise bind to one specific address. None of this needs JBoss to run as root; a dedicated jboss user is enough.
To shut down the JBoss server
************************************
# cd /home/jboss/jboss-6.0.0.Final/bin/
# sh shutdown.sh -S
The JBoss home contains the following directories
********************************************************
# ls /home/jboss/jboss-6.0.0.Final/
bin client common docs lib server
The server folder contains the available profiles
****************************************************************
# ls /home/jboss/jboss-6.0.0.Final/server/
all default jbossweb-standalone minimal standard
The default profile contains these directories
******************************************************
# ls /home/jboss/jboss-6.0.0.Final/server/default/
conf data deploy deployers lib log tmp work
The deploy folder
*****************************************************************
# ls /home/jboss/jboss-6.0.0.Final/server/default/deploy
This directory holds the data source definitions (*-ds.xml) and the deployed WAR and EAR files. To deploy an application, configure its data source and drop the EAR into this directory, then restart the server; often a restart is not even needed, since the deployment scanner picks the file up after a short wait. The HTTP port is changed in jbossweb.sar/server.xml inside this directory, as shown next.

# vim /home/jboss/jboss-6.0.0.Final/server/default/deploy/jbossweb.sar/server.xml
<!-- A HTTP/1.1 Connector on port 8080 -->   [ default port 8080 ]
<Connector protocol="HTTP/1.1" port="${jboss.web.http.port}" address="${jboss.bind.address}" redirectPort="${jboss.web.https.port}" />
Put the wanted port number in place of the port attribute, e.g. port="8085".
The JBoss SSL connector and Single Sign-On are configured in this same file; the SSL connector is the commented-out block that starts with:
<!-- SSL/TLS Connector configuration using the admin devl guide keystore

Activate support for Single Sign-On

*******************************************

locate server.xml

Find the "Host" section and uncomment the following Valve:

<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
Creating a DataSource
**************************
Create a data source file whose name ends in -ds.xml. The base name is free, but the suffix is what the deployer looks for. Everything goes inside a <datasources> element:
# vim data-ds.xml
<datasources>
  <local-tx-datasource>
    <jndi-name>asDS</jndi-name>
    <connection-url>jdbc:mysql://192.168.0.165:3306/jboss_TEST1</connection-url>
    <driver-class>com.mysql.jdbc.Driver</driver-class>
    <user-name>gydex</user-name>
    <password>gydex</password>
    <!-- connection properties are passed through to the DriverManager -->
    <connection-property name="char.encoding">UTF-8</connection-property>
    <transaction-isolation>TRANSACTION_SERIALIZABLE</transaction-isolation>
    <!-- pooling parameters -->
    <min-pool-size>15</min-pool-size>
    <max-pool-size>30</max-pool-size>
    <blocking-timeout-millis>5000</blocking-timeout-millis>
    <idle-timeout-minutes>1</idle-timeout-minutes>
    <!-- sql to run when a connection is created -->
    <new-connection-sql>select 1</new-connection-sql>
    <!-- sql to run on a pooled connection when it is handed out -->
    <check-valid-connection-sql>select 1</check-valid-connection-sql>
    <set-tx-query-timeout/>
    <query-timeout>780</query-timeout> <!-- seconds, i.e. 13 minutes per query -->
  </local-tx-datasource>
</datasources>
The database password sits in this file in clear text (the values above are the page's sample ones), so keep the file owned by the jboss user with mode 600, and give that database account only the privileges the application needs.
Main page
*************
# cd <jboss src>/server/default/deploy/ROOT.war/WEB-INF/
# vim jboss-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <context-root>/admin</context-root>
  <security-domain>java:/jaas/gateway_web_client_security</security-domain>
</jboss-web>
Login
********
The security domain named above is defined in login-config.xml; add this application-policy inside the existing <policy> element (the second login module is the application's own class):
# cd <jboss src>/server/default/conf/
# vim login-config.xml
<policy>
  <application-policy name="gateway_web_client_security">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
      <login-module code="com.pfx.security.GatewayJbossLoginModule" flag="required" />
    </authentication>
  </application-policy>
</policy>
Adding JBoss memory
***************************
# cd /home/jboss/jboss-6.0.0.Final/bin/
# vim run.conf
if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-Xms3072m -Xmx18432m -XX:MaxPermSize=10240m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000"
fi
(The heap and PermGen sizes are the original author's; size them for the host, since a -Xmx larger than physical memory only means swapping.)
Change the file descriptor limits
****************************************************
# vim /etc/security/limits.conf
jboss soft nofile 1024
jboss hard nofile 20000
The new limits apply from the next login of the jboss user (they are set by PAM); a reboot is not required.
To stop JBoss messages being printed to nohup.out
*****************************************************
Add the following to the JBoss logging configuration file:
# vim /home/jboss/jboss-6.0.0.Final/server/default/deploy/jboss-logging.xml
<!-- Limit DWR logging -->
<logger category="org.directwebremoting">
  <level name="ERROR"/>
</logger>
<logger category="org.apache.mina.filter.logging">
  <level name="ERROR"/>
</logger>

This drops everything below ERROR from those two categories once JBoss is running; other categories are unaffected.

Running JBoss on port 80 or 443
*******************************
Use TCP port forwarding: JBoss keeps running as an unprivileged user on a high port such as 8080, and the kernel redirects traffic arriving on port 80 to 8080, so to clients JBoss appears to be on port 80. This avoids running JBoss as root, which binding port 80 directly would require.

If you go this route, set the connector's proxy port in
/home/jboss/jboss-6.0.0.Final/server/default/deploy/jbossweb.sar/server.xml, so that URLs JBoss generates carry the public port rather than the real one. It should look something like this:
<Connector port="8080" ...
      proxyName="www.example.com"
      proxyPort="80"/>
The full connector line on the page reads as follows; note that port="80" here would make JBoss bind port 80 itself, which needs root. With the redirect approach keep port="8080" and add proxyPort="80":
<!-- A HTTP/1.1 Connector on port 8080 -->
<Connector port="80" address="${jboss.bind.address}" maxThreads="250" strategy="ms" maxHttpHeaderSize="8192" emptySessionPath="true" enableLookups="false" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true"/>
Here are the iptables commands for the port forwarding. The original began with iptables -F and iptables -X, which flush and delete every existing rule in the filter table; on a host that already has a firewall this removes it, so the two lines are left commented out here and the nat rules are added to whatever is already in place:
# iptables -F
# iptables -X
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d <network IP address> -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d <network IP address> -p tcp --dport 80 -j REDIRECT --to-ports 8080
/etc/init.d/iptables save
/etc/init.d/iptables restart
The OUTPUT rules cover connections made from the host itself, the PREROUTING rule those arriving from the network.

BIND CHROOT

########################  DNS CONFIGURATION ########
1. DNS server name: rhel5test.linux.com (192.168.1.21); domain: linux.com
2. Download and install the packages related to bind:
      yum install bind*
      (bind-utils, bind-sdb, bind-libs, bind-9.3, bind-chroot, bind-libbind-devel)
      yum install caching-nameserver
3. Configure named.conf (the main configuration file); with bind-chroot installed it lives under the chroot:
     cd /var/named/chroot/etc/
     cp named.caching-nameserver.conf named.conf
     vi named.conf
     options {
         listen-on port 53 { 127.0.0.1; 192.168.1.21; };
         listen-on-v6 port 53 { ::1; };
         directory "/var/named";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         // "query-source port 53;" from the template is deliberately left out:
         // a fixed source port disables source-port randomisation and makes
         // cache poisoning far easier. Let named pick random ports.
         allow-query { 127.0.0.1; 192.168.1.0/24; };
         allow-transfer { 127.0.0.1; 192.168.1.21; };
         // The original listed this server's own addresses as forwarders with
         // "forward only", which makes named forward queries to itself. Point
         // forwarders at the upstream resolvers you actually use, or leave the
         // block out to resolve from the root servers.
         // forwarders { <upstream resolver IPs>; };
         // forward only;
     };
     logging {
         channel default_debug {
             file "data/named.run";
             severity dynamic;
         };
     };
     view localhost_resolver {
         match-clients { localhost; 192.168.1.0/24; };
         match-destinations { localhost; 192.168.1.0/24; };
         recursion yes;
         include "/etc/named.rfc1912.zones";
     };
   ==> Copy named.conf to /etc/ as well.
4. Configure the zone files
       vi /etc/named.rfc1912.zones
     zone "linux.com" IN {
         type master;
         file "linux.com.fzone";
         allow-update { none; };
         allow-query { any; };
     };
     zone "1.168.192.in-addr.arpa" IN {
         type master;
         file "linux.com.reverse";
         allow-update { none; };
         allow-query { any; };
     };
5. Create the zone files from the templates:
       cd /var/named/chroot/var/named ; cp localhost.zone linux.com.fzone ; cp named.local linux.com.reverse
6. Set ownership to root:named on both zone files, on named.conf (both in /etc/ and in /var/named/chroot/etc/) and on /etc/named.rfc1912.zones. Mode 640 is enough, since named only needs to read them; the execute bit in the 755 of the original is meaningless for these files.
7. Edit the forward zone file. Take care of the trailing dots after FQDNs: a name without one is relative to the zone, so "rhel5test.linux.com" would become rhel5test.linux.com.linux.com. Comments in zone files start with ";", not "#".
     $TTL 86400
     @   IN SOA rhel5test.linux.com. root.rhel5test.linux.com. (
                 42      ; serial
                 3H      ; refresh
                 15M     ; retry
                 1W      ; expiry
                 1D )    ; minimum
     @   IN NS  rhel5test.linux.com.
     rhel5test.linux.com.  IN A  192.168.1.21
     rhel6test.linux.com.  IN A  192.168.1.22   ; client
8. Edit the reverse zone file (same care with the dots):
     $TTL 86400
     @   IN SOA rhel5test.linux.com. root.rhel5test.linux.com. (
                 1997022700 ; serial
                 28800      ; refresh
                 14400      ; retry
                 3600000    ; expire
                 86400 )    ; minimum
     @   IN NS  rhel5test.linux.com.
     21  IN PTR rhel5test.linux.com.
     22  IN PTR rhel6test.linux.com.   ; client
9.  Check the configuration: service named configtest (named-checkzone can be run on each zone file as well).
10. Restart the named service.
11. Test DNS with dig <server name>, dig -x <server IP> and nslookup.
12. Client side: in /etc/resolv.conf set
        search linux.com
        nameserver 192.168.1.21
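The two mistakes the zone-file steps warn about (an FQDN without its trailing dot, and "#" used as a comment marker) are easy to make and hard to spot by eye, because named loads the zone anyway and simply serves wrong names. As an added example, not part of the original page, the shell function below lints a zone file for exactly those two problems plus an NS or SOA line with missing data; the sample zone it is run on is constructed and contains two deliberate errors.

```sh
#!/bin/sh
# Added example: lint a zone file for FQDNs in NS/SOA/PTR/CNAME data that lack
# the trailing dot (BIND appends the zone name to such names) and for "#"
# used as a comment character (zone files only understand ";").
# Usage: lint_zone [file]   (reads stdin when no file is given)
# Prints one line per problem; exit status 1 if any were found, else 0.

lint_zone() {
    awk '
        {
            sub(/;.*/, "")                    # strip real comments; re-splits fields
            if ($0 ~ /#/) {
                printf "line %d: \"#\" is not a comment marker in a zone file, use \";\"\n", NR
                bad++
            }
            t = 0
            for (i = 1; i <= NF; i++)
                if ($i == "NS" || $i == "PTR" || $i == "CNAME" || $i == "SOA") { t = i; break }
            if (!t) next                      # $TTL, A records, continuation lines
            if (t == NF) {
                printf "line %d: %s record has no data\n", NR, $t
                bad++
                next
            }
            names = ($t == "SOA") ? 2 : 1     # SOA carries two names: MNAME and RNAME
            for (i = t + 1; i <= t + names; i++) {
                if (i > NF) { printf "line %d: SOA is missing a name\n", NR; bad++; break }
                if ($i ~ /\./ && $i !~ /\.$/) {
                    printf "line %d: \"%s\" looks like an FQDN but has no trailing dot\n", NR, $i
                    bad++
                }
            }
            # after the two SOA names either "(" or the serial must follow
            if ($t == "SOA" && t + 3 <= NF && $(t + 3) != "(" && $(t + 3) !~ /^[0-9]+$/) {
                printf "line %d: unexpected \"%s\" after the SOA names (serial or \"(\" expected)\n", NR, $(t + 3)
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }' "$@"
}

# --- constructed sample zone with two deliberate mistakes ---
SAMPLE_ZONE='$TTL 86400
@   IN SOA ns1.example.test. hostmaster.example.test. ( 1 3H 15M 1W 1D )
@   IN NS  ns1.example.test
ns1 IN A   192.0.2.1
www IN CNAME ns1.example.test. ; fine
5   IN PTR ns1.example.test. # client'

printf '%s\n' "$SAMPLE_ZONE" | lint_zone || echo "zone has problems"
```

Run it as lint_zone /var/named/chroot/var/named/linux.com.fzone before service named configtest; the lint is deliberately strict about names that contain a dot, since a relative name such as "ns1" is legal and is left alone.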

qmail-newu

SYNOPSIS
qmail-newu

DESCRIPTION
qmail-newu reads the assignments in /var/qmail/users/assign
and writes them into /var/qmail/users/cdb in a binary format
suited for quick access by qmail-lspawn.

Linux Hardening Script

# The script below applies a set of baseline hardening steps to a RHEL/CentOS 5-era system (SysV init with chkconfig and service, GRUB legacy, system accounts with UID below 500) and logs what it did. Read it before running it: it stops and disables a long list of services and locks every system account, so check both lists against what the host actually needs, and run it from a console session, since it changes sshd_config and /etc/securetty.

#!/bin/bash

#######################################################
#####  Linux Hardening Script  #####
#######################################################
#                                                     #
# Files modified by this script:                      #
#   /etc/issue.net, /etc/motd                         #
#   /etc/login.defs                                   #
#   /etc/ssh/sshd_config                              #
#   /etc/init.d/functions                             #
#   /etc/vsftpd/ftpusers, /etc/vsftpd/vsftpd.conf     #
#   /boot/grub/grub.conf                              #
#   /etc/securetty                                    #
#   /etc/passwd (accounts locked with usermod)        #
#                                                     #
#######################################################

HOSTNAME=$(hostname)
HARD_LOG="/var/log/${HOSTNAME}_hard_log"
BACKUP=/etc/BackupSystemFiles

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

echo "HOSTNAME: $HOSTNAME" >> "$HARD_LOG"
date '+DATE: %m/%d/%y%nTIME: %H:%M:%S' >> "$HARD_LOG"

printf 'Please enter your name: '
read -r NAME
echo "Unix Administrator: $NAME" >> "$HARD_LOG"

printf 'Please enter the project name: '
read -r PROJECT
echo "Project Name: $PROJECT" >> "$HARD_LOG"

printf 'Please enter the name of the owner/SPOC for the server: '
read -r OWNER
echo "Owner/SPOC: $OWNER" >> "$HARD_LOG"

echo "Please wait... hardening is in progress"

###### Backup of critical files ######

echo "Creating $BACKUP for backups of critical files and archiving /etc into it" >> "$HARD_LOG"
mkdir -p "$BACKUP"
chmod 700 "$BACKUP"            # the archive contains /etc/shadow, so root only
tar -cf "$BACKUP/etc.tar" -C / etc 2>/dev/null
echo "Files have been copied to $BACKUP" >> "$HARD_LOG"
echo "/etc/passwd, /etc/securetty, /etc/vsftpd/ftpusers, /boot/grub/grub.conf, /etc/init.d/functions, /etc/login.defs and /etc/ssh/sshd_config will be modified during the script execution" >> "$HARD_LOG"

###### Banner ######

echo "Updating the banner in /etc/issue.net and /etc/motd" >> "$HARD_LOG"

cat > /etc/issue.net <<'EOF'
********************************************************************************
*                                                                              *
* ATTENTION! PLEASE READ CAREFULLY.                                            *
*                                                                              *
* This system is the property of xyz. It is for authorized use only.           *
* Users (authorized and unauthorized) have no explicit or implicit expectation *
* of privacy. Any or all uses of this system and all files on this system      *
* will be intercepted, monitored, recorded, copied, audited, inspected, and    *
* disclosed to xyz management and law enforcement personnel as well as other   *
* authorized agencies. By using this system, the user consents to such         *
* interception, monitoring, recording, copying, auditing, inspection, and      *
* disclosure at the discretion of xyz. Unauthorized or improper use of this    *
* system may result in administrative disciplinary action and civil and        *
* criminal penalties. By continuing to use this system you indicate your       *
* awareness of and consent to these terms and conditions of use. LOG OFF       *
* IMMEDIATELY if you do not agree to the terms and conditions stated in this   *
* warning.                                                                     *
*                                                                              *
********************************************************************************
EOF
# The original wrote the motd with "echo ... >/etc/motd>> $HARD_LOG"; the second
# redirection won, so /etc/motd ended up empty and the banner went into the log.
cp /etc/issue.net /etc/motd

echo "Above banner has been installed on the system" >> "$HARD_LOG"

###### Password ageing and minimum length for new accounts ######

echo "Setting password expiry and minimum length in /etc/login.defs" >> "$HARD_LOG"
cp -p /etc/login.defs "$BACKUP/login.defs.prehard"
# Edit the directives by name (the original replaced every "99999" in the file).
# These values apply to accounts created from now on; existing users need chage.
sed -i -e 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS   30/' \
       -e 's/^PASS_MIN_LEN[[:space:]].*/PASS_MIN_LEN    8/' /etc/login.defs

echo "********************************************************************************" >> "$HARD_LOG"

###### SSH configuration ######

echo "Configuring the SSH service" >> "$HARD_LOG"
cp -p /etc/ssh/ssh_config  "$BACKUP/ssh_config.prehard"
cp -p /etc/ssh/sshd_config "$BACKUP/sshd_config.prehard"
# Activate the commented-out defaults with the values below. The patterns match
# the stock RHEL comments; a directive that has already been set is not touched.
sed -i -e 's/^#PermitRootLogin yes/PermitRootLogin no/' \
       -e 's/^#HostbasedAuthentication no/HostbasedAuthentication no/' \
       -e 's/^#RhostsRSAAuthentication no/RhostsRSAAuthentication no/' \
       -e 's/^#IgnoreRhosts yes/IgnoreRhosts yes/' \
       -e 's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
grep -q '^Banner ' /etc/ssh/sshd_config || echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
# sshd reads the file only at start or reload: check it with "sshd -t", then
# "service sshd reload" (not done here, so a mistake cannot cut off the session).

echo "********************************************************************************" >> "$HARD_LOG"

###### Daemon umask ######

cp -p /etc/init.d/functions "$BACKUP/functions.prehard"
# 027: files created by daemons are no longer world-readable
sed -i 's/umask 022/umask 027/g' /etc/init.d/functions

###### Stop unnecessary services ######

echo "Stopping unnecessary services" >> "$HARD_LOG"
# The list is the original author's. It includes httpd, named, mysqld,
# postgresql, squid, vsftpd and iptables, which a given host may well depend
# on, so prune it before running the script.
for SVC in apmd canna dhcdbd FreeWnn gpm hpoj innd irda isdn kdcrotate lvs mars-nwe \
           oki4daemon privoxy rstatd rusersd rwalld rwhod spamassassin wine \
           nfs nfslock autofs ypbind ypserv yppasswdd portmap smb netfs lpd apache \
           httpd tux snmpd named postgresql vsftpd mysqld webmin kudzu squid cups \
           ip6tables iptables pcmcia bluetooth mDNSResponder
do
    service "$SVC" stop >/dev/null 2>&1
    chkconfig --list "$SVC" 2>/dev/null >> "$BACKUP/boot.service.prehard"
    chkconfig "$SVC" off >/dev/null 2>&1
done

echo "********************************************************************************" >> "$HARD_LOG"

###### Disable network services under xinetd ######

echo "Disabling unnecessary network services" >> "$HARD_LOG"
mkdir -p "$BACKUP/xinetd.d"
cp -rf /etc/xinetd.d/* "$BACKUP/xinetd.d/" 2>/dev/null
for SVC in chargen chargen-udp cups-lpd cups daytime daytime-udp echo echo-udp \
           eklogin finger imap imaps ipop2 ipop3 klogin kshell ktalk ntalk \
           pop3s rexec rsync servers services sgi_fam talk tftp time time-udp
do
    chkconfig --list "$SVC" 2>/dev/null >> "$BACKUP/standard.service.prehard"
    chkconfig "$SVC" off >/dev/null 2>&1
done

echo "********************************************************************************" >> "$HARD_LOG"

###### Lock unnecessary accounts ######

echo "Locking unnecessary accounts" >> "$HARD_LOG"
cp -p /etc/passwd "$BACKUP/passwd.prehard"
for USERID in rpc rpcuser lp apache http httpd named dns mysql postgres squid news netdump
do
    usermod -L -s /sbin/nologin "$USERID" >/dev/null 2>&1
done

echo "********************************************************************************" >> "$HARD_LOG"

###### Permissions on system log files ######

cd /var/log || exit 1
ls -l > "$BACKUP/system.logfiles"
chmod o-rwx boot.log* cron* dmesg ksyms* httpd/* maillog* messages* news/* pgsql rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler* squid/* vbox/* wtmp 2>/dev/null
chmod o-rx boot.log* cron* maillog* messages* pgsql secure* spooler* squid/* sa/* 2>/dev/null
chmod g-w boot.log* cron* dmesg httpd/* ksyms* maillog* messages* pgsql rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler* 2>/dev/null
chmod g-rx boot.log* cron* maillog* messages* pgsql secure* spooler* 2>/dev/null
chmod o-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/ 2>/dev/null
chmod o-rx httpd/ samba/ squid/ sa/ 2>/dev/null
chmod g-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/ 2>/dev/null
chmod g-rx httpd/ samba/ sa/ 2>/dev/null
chmod u-x kernel syslog loginlog 2>/dev/null
chown -R root:root . 2>/dev/null
chgrp utmp wtmp 2>/dev/null
[ -e news ]  && chown -R news:news news 2>/dev/null
[ -e pgsql ] && chown postgres:postgres pgsql 2>/dev/null
[ -e squid ] && chown -R squid:squid squid 2>/dev/null

###### passwd, shadow and group file permissions ######

cd /etc || exit 1
ls -l > "$BACKUP/etc.files"
chown root:root passwd shadow group
chmod 644 passwd group
chmod 400 shadow

###### FTP: deny system accounts and set a banner ######

cp -p /etc/vsftpd/ftpusers "$BACKUP/ftpusers.prehard"
# Every account with UID < 500 is denied FTP login. The original appended the
# list to /etc/ftpusers, which vsftpd on RHEL does not read; its PAM deny list
# is /etc/vsftpd/ftpusers.
awk -F: '$3 < 500 { print $1 }' /etc/passwd >> /etc/vsftpd/ftpusers
sort -u -o /etc/vsftpd/ftpusers /etc/vsftpd/ftpusers
chown root:root /etc/vsftpd/ftpusers
chmod 600 /etc/vsftpd/ftpusers

cp -p /etc/vsftpd/vsftpd.conf "$BACKUP/vsftpd.conf.prehard"
echo "ftpd_banner=Authorized users only. All activity may be monitored and reported." >> /etc/vsftpd/vsftpd.conf

###### Protect GRUB with a password ######

cp -p /boot/grub/grub.conf "$BACKUP/grub.conf.prehard"
# The original inserted the literal line "password password", i.e. a clear-text
# password equal to the word "password". Generate a hash with grub-md5-crypt
# and put it into GRUB_HASH before running the script.
GRUB_HASH='<output of grub-md5-crypt>'
if [ "$GRUB_HASH" = '<output of grub-md5-crypt>' ]; then
    echo "GRUB password NOT set: put the grub-md5-crypt hash into GRUB_HASH" >> "$HARD_LOG"
else
    sed -i "1ipassword --md5 $GRUB_HASH" /boot/grub/grub.conf
fi
chown root:root /boot/grub/grub.conf
chmod 600 /boot/grub/grub.conf

###### Restrict root logins to the system console ######

echo "Restricting root logins to the console by rewriting /etc/securetty (tty1-6, vc/1-11, console)" >> "$HARD_LOG"
cp -p /etc/securetty "$BACKUP/securetty.prehard"
# Rewrite the file instead of appending to it: appending, as the original did,
# keeps every terminal that was already listed, so nothing is actually restricted.
{
    for i in $(seq 1 6);  do echo "tty$i"; done
    for i in $(seq 1 11); do echo "vc/$i"; done
    echo console
} > /etc/securetty
chown root:root /etc/securetty
chmod 400 /etc/securetty

###### Block system accounts ######

# Locks every account with UID < 500 other than root and gives it /sbin/nologin.
# This includes sync, shutdown and halt and any service account that runs cron
# jobs through a shell, so review the output of the awk before relying on it.
for NAME in $(awk -F: '$3 < 500 && $1 != "root" { print $1 }' /etc/passwd)
do
    usermod -L -s /sbin/nologin "$NAME"
done

###### Verify that no UID 0 account exists other than root ######

echo "********************************************************************************" >> "$HARD_LOG"
awk -F: '$3 == 0 && $1 != "root" { print "UID 0 account other than root, lock it unless it is needed: " $1 }' /etc/passwd >> "$HARD_LOG"
echo "********************************************************************************" >> "$HARD_LOG"

###### Password expiry for root (expire after 30 days, warn 7 days before) ######

echo "Setting password expiry (must expire after 30 days and warn 7 days) for the root account" >> "$HARD_LOG"
passwd -x 30 -w 7 root >> "$HARD_LOG"

echo "All the activities done by this script have been logged to $HARD_LOG"
echo "Request you to save the log file in the SharePoint portal URL http://sinbngpp001/TIM/UNIXServerReports/Forms/AllItems.aspx for the audit"
echo "#---------------------------------------------------------------------#"
echo
echo " END OF THE SCRIPT "
echo
echo "#---------------------------------------------------------------------#"
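The weakest part of the script above is how it edits sshd_config: a sed on the exact stock comment ("#PermitRootLogin yes") changes nothing on a host where that text differs or the directive was already set, and sshd silently keeps its old value. As an added example, not part of the original script, the function below sets a directive idempotently: it rewrites the first active or commented-out occurrence, drops later duplicates (sshd honours the first match), and appends the directive when it is absent, matching names case-insensitively as sshd does. The demonstration runs on a constructed file, not on a real /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example: idempotent sshd_config editing.
# set_sshd_option <file> <Directive> <value>
# get_sshd_option <file> <Directive>     -> value sshd would use, or nothing

set_sshd_option() {
    file=$1 key=$2 val=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        tmp="$file.tmp.$$"
        awk -v k="$key" -v v="$val" '
            BEGIN { pat = "^[ \t]*#?[ \t]*" tolower(k) "[ \t]" }
            tolower($0) ~ pat {
                if (!done) { print k " " v; done = 1 }   # first hit becomes the directive
                next                                      # later duplicates are dropped
            }
            { print }' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

get_sshd_option() {
    # first uncommented occurrence wins, exactly as sshd reads the file
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# --- demonstration on a constructed file ---
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
# constructed sample, not a real sshd_config
#PermitRootLogin prohibit-password
HostbasedAuthentication yes
Banner none
EOF
set_sshd_option "$SSHD_SAMPLE" PermitRootLogin no          # was commented out
set_sshd_option "$SSHD_SAMPLE" HostbasedAuthentication no  # was active with another value
set_sshd_option "$SSHD_SAMPLE" PermitEmptyPasswords no     # absent, gets appended
set_sshd_option "$SSHD_SAMPLE" Banner /etc/issue.net
cat "$SSHD_SAMPLE"
```

Two caveats: the function does not know about Match blocks, so a directive that also appears inside one is rewritten there too (check with grep first), and after editing the real file run sshd -t before service sshd reload, from a session you can afford to lose.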

TCP FineTuning on Linux/RedHat-CentOS-Debian

Here are some, very handy and kewl TCP Fine tunings, i guess i put this together from a few things… and, i would suggest reading my iptables article on here about maybe fine tuning that for anti icmp etc to but, you CAN achieve the same things with tuning the stack! So, we can even restrict our FS Open files, etc, thru the tcp/ip stack tuning, wich ill demonstrate a solid setup for here

##### Begin DoS Prevention #####
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/ip_forward

# the following two parametes will break at least emule and are way too low to make sense
#echo 1024 > /proc/sys/net/ipv4/ipfrag_high_thresh
#echo 512 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 64000 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 48000 > /proc/sys/net/ipv4/ipfrag_low_thresh

echo 10 > /proc/sys/net/ipv4/ipfrag_time
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians
echo 10 > /proc/sys/net/ipv4/neigh/eth0/locktime
echo 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 50 > /proc/sys/net/ipv4/neigh/eth0/gc_stale_time

# The following entries secure the last bit and provide a
# moderate protection against man-in-the-middle attacks.
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 5 > /proc/sys/net/ipv4/igmp_max_memberships
echo 2 > /proc/sys/net/ipv4/igmp_max_msf
echo 1024 > /proc/sys/net/ipv4/tcp_max_orphans
echo 2 > /proc/sys/net/ipv4/tcp_syn_retries
echo 2 > /proc/sys/net/ipv4/tcp_synack_retries
echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 0 > /proc/sys/net/ipv4/route/redirect_number
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 61 > /proc/sys/net/ipv4/ip_default_ttl

# DoS protection by tweaking the timeouts
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack

# We pretend to be a Checkpoint firewall on Windows XP

echo 4096 87380 4194304 >/proc/sys/net/ipv4/tcp_rmem
echo 4096 87380 4194304 >/proc/sys/net/ipv4/tcp_wmem

# Check network overload (explicit congestion notification)
echo 1 > /proc/sys/net/ipv4/tcp_ecn

# Change port range for outgoing traffic
echo "1000 60000" > /proc/sys/net/ipv4/ip_local_port_range

# Change default queue size
# Modified for DD-WRT because of missing proc entries
echo 4096 > /proc/sys/net/ipv4/ip_conntrack_max

# shut some DoS stuff down
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# increase the SYN backlog queue
echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

## raise the system-wide open file limit here.. sweet!
echo 64000 > /proc/sys/fs/file-max
ulimit -n 64000

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 1

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# Controls the maximum number of bytes in a single message queue
kernel.msgmnb = 65535

# Controls the maximum size of a single message, in bytes
kernel.msgmax = 65535

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the total amount of shared memory available, in pages
kernel.shmall = 4294967296
net.core.rmem_max = 33388608
net.core.wmem_max = 33388608
net.core.rmem_default = 33388608
net.core.wmem_default = 33388608
net.core.netdev_max_backlog = 20000
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_rmem = 8192 4194304 33388608
net.ipv4.tcp_wmem = 32768 4194304 33388608
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_app_win = 0
net.ipv4.tcp_adv_win_scale = 4
net.ipv4.tcp_sack = 1
net.ipv4.tcp_ecn = 0
net.ipv4.igmp_max_memberships = 100
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Write core files to a dedicated directory (hostname, executable and PID in the name)
kernel.core_pattern = /opt/corefiles/core.%h.%e.%p
# 2 = "suidsafe": setuid and other normally non-dumpable processes may dump core,
# readable by root only; the core_pattern directory must not be writable by unprivileged users
fs.suid_dumpable = 2
kernel.sem = 250 32000 32 256
kernel.msgmni = 512
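The /proc/sys echo script and the sysctl.conf fragment above set overlapping keys and disagree on several of them (tcp_sack, tcp_timestamps, tcp_window_scaling, tcp_ecn and ip_forward are set one way by the echo lines and the other way in sysctl.conf), so whichever is applied last wins. The following is an added example, not one of the page's own scripts: a shell audit that reports drift between a hardening baseline and the running values. It reads both from constructed sysctl-style dumps so it runs offline; on a real host the second file would be the output of `sysctl -a`. The baseline keys are a subset of the settings above, and proc_to_key converts the /proc paths used in the echo script to the dotted names sysctl uses.

```shell
#!/bin/sh
# Added example: report drift between a sysctl hardening baseline and the
# running kernel values. Both inputs are constructed here so the script runs
# offline; on a real host CURRENT would be produced by `sysctl -a`.

BASELINE=$(mktemp)
cat > "$BASELINE" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
EOF

CURRENT=$(mktemp)   # constructed stand-in for `sysctl -a` output
cat > "$CURRENT" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
EOF

# Map a /proc/sys path (the form used in the echo-style script) to the dotted
# key that sysctl(8) and sysctl.conf use.
proc_to_key() {
    printf '%s\n' "$1" | sed -e 's|^/proc/sys/||' -e 's|/|.|g'
}

# Print the value recorded for key $2 in dump $1 (empty if the key is absent).
get_value() {
    awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print "key expected actual" for each baseline key that differs from, or is
# missing in, the current dump; prints nothing when the host matches.
sysctl_drift() {
    awk -F' *= *' '{ print $1, $2 }' "$1" |
        while read -r key want; do
            have=$(get_value "$2" "$key")
            [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "${have:-MISSING}"
        done
}

# Example run
echo "Drift from baseline (key expected actual):"
sysctl_drift "$BASELINE" "$CURRENT"
```

Run it from cron and alert on non-empty output; a key that reports MISSING usually means the interface-specific path (such as conf/eth0/...) was set instead of the conf/all or conf/default variant, or that the setting never made it from the ad hoc echo script into sysctl.conf.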

Blocking Nmap Scans using IPtables on Linux server

The rules below block some of the Nmap scan types on your Linux server.

The default IPtables config file for RHEL / CentOS / Fedora Linux is located here:

  • /etc/sysconfig/iptables

iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

#=====================
# Flush all rules
#---------------------
/sbin/iptables -F
/sbin/iptables -t nat -F

#=====================
# Block
#---------------------

/sbin/iptables -t filter -A INPUT -p TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p UDP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -p ICMP -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state INVALID -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j LOG --log-prefix "FIN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j LOG --log-prefix "PSH: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,URG URG -j LOG --log-prefix "URG: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ACK,URG URG -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS scan: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL ALL -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL scan: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "pscan: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j LOG --log-prefix "pscan 2: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SYNFIN-SCAN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL SYN,FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,FIN -j LOG --log-prefix "NMAP-XMAS-SCAN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL FIN -j LOG --log-prefix "FIN-SCAN: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL FIN -j DROP

/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j LOG --log-prefix "NMAP-ID: "
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags ALL URG,PSH,SYN,FIN -j DROP
/sbin/iptables -t filter -A INPUT   -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "SYN-RST: "
Syn-flood protection

In this attack the system is flooded with a series of SYN packets. Each packet causes the system to issue a SYN-ACK response and then wait for the ACK that completes the three-way handshake. Since the attacker never sends that ACK, the half-open connections fill the backlog queue. Once the queue is full the system ignores incoming requests from legitimate users for services (http/mail etc.). Hence it is necessary to stop this attack with iptables.

Force SYN packets check

Make sure NEW incoming TCP connections are SYN packets; otherwise drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force fragmented packets check

Drop incoming fragmented packets. Fragment attacks can result in a Linux server panic and data loss. Note that this rule also drops legitimately fragmented traffic, so test it against your workload first.

iptables -A INPUT -f -j DROP

XMAS packets

Drop incoming malformed XMAS packets:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Drop incoming malformed NULL packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Block spoofing and bad addresses

Using iptables you can drop packets with suspicious source addresses. A network server should not accept packets arriving from the Internet that claim to originate from inside your network. Spoofing can be classified as:
a) IP spoofing: disable source-address-based authentication, for example rhosts-based authentication, and filter RPC-based services such as portmap and NFS;
b) DNS spoofing.
Please see the "Iptables: How to avoid Spoofing and bad addresses attack" tip for more information.

Also use NAT for your internal network. This makes it difficult for an attacker to spoof an internal IP address from outside.

Filter incoming ICMP, PING traffic

This covers the ping of death attack and ICMP floods. You should block all ICMP and PING traffic from outside except for your own internal network (so that you can ping to see the status of your own server). See the "Linux: Iptables Allow or block ICMP ping request" article.

Once the system is secured, test your firewall with the nmap or hping2 commands:
# nmap -v -f FIREWALL-IP
# nmap -v -sX FIREWALL-IP
# nmap -v -sN FIREWALL-IP
# hping2 -X FIREWALL-IP
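The LOG rules in the rule set above tag each dropped probe with a prefix such as "NULL scan: " or "XMAS scan: " before the matching DROP rule discards it, which turns the kernel log into a record of who is scanning the host. As an added example (not from either of the rule sets on this page), here is a small shell analysis that runs over a few constructed kernel log lines in the format the iptables LOG target writes, counts hits per source address and per scan type, and lists sources that cross a threshold. The sample addresses come from documentation ranges, the host name and threshold are assumptions, and the prefixes match the rules above.

```shell
#!/bin/sh
# Added example: summarise iptables LOG hits produced by the scan rules above.
# The log lines below are constructed for the example (documentation address
# ranges); a real run would read /var/log/messages or /var/log/kern.log.

SCAN_LOG=$(mktemp)
cat > "$SCAN_LOG" <<'EOF'
Mar  3 10:15:01 web1 kernel: [12345.678901] NULL scan: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:15:01 web1 kernel: [12345.680122] NULL scan: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:15:02 web1 kernel: [12345.690555] XMAS scan: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=443 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar  3 10:16:10 web1 kernel: [12420.001000] FIN-SCAN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=192.0.2.44 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=512 RES=0x00 FIN URGP=0
Mar  3 10:16:11 web1 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
EOF

# Extract "prefix<TAB>src" from every line that carries an iptables LOG record
# (those contain both IN= and SRC=); other syslog lines are ignored.
scan_records() {
    awk '/ IN=/ && / SRC=/ {
        pre = $0
        sub(/.*kernel: /, "", pre)            # drop the syslog header
        sub(/^\[[0-9. ]*\] /, "", pre)        # drop the kernel timestamp, if any
        sub(/ *IN=.*/, "", pre)               # keep only the --log-prefix text
        src = $0
        sub(/.*SRC=/, "", src); sub(/ .*/, "", src)
        print pre "\t" src
    }' "$1"
}

# "count source" per source address, busiest first.
hits_per_source() {
    scan_records "$1" | cut -f2 | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# "count prefix source" per (scan type, source) pair, busiest first.
hits_by_prefix() {
    scan_records "$1" | sort | uniq -c | sort -rn |
        awk '{ n = $1; $1 = ""; sub(/^ /, ""); print n, $0 }'
}

# Sources with at least $2 logged probes: candidates for an alert or a
# review queue rather than for automatic blocking.
sources_over_threshold() {
    hits_per_source "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Example run
echo "Hits per source:"; hits_per_source "$SCAN_LOG"
echo "Hits by scan type:"; hits_by_prefix "$SCAN_LOG"
echo "Sources with 2+ probes:"; sources_over_threshold "$SCAN_LOG" 2
```

Because every LOG rule on this page is followed by a DROP for the same flag combination, a source that keeps appearing is still probing after being dropped; the per-prefix view tells you which of the flag patterns it is cycling through.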

Securing /tmp Partition

If you are renting a server, chances are everything is lumped into / with a small partition for /boot and some space for swap. With this setup you have no room for more partitions unless you have a second hard drive. Here is how to create a secure /tmp partition even while your server is already up and running.
Recently I found it worthwhile to give /tmp its own partition and mount it noexec. This protects your system from many local and remote exploits that rely on running tools from your /tmp folder; noexec blocks direct execution of binaries placed there, so treat it as one layer among others.

What we are doing is creating a file that we will mount at /tmp. So log into SSH and su to root so we may begin!

code:

cd /dev

Create a 100MB file for our /tmp partition. If you need more space, increase count.

code:

dd if=/dev/zero of=tmpMnt bs=1024 count=100000

Make an extended (ext2) filesystem on our tmpMnt file

code:

/sbin/mke2fs /dev/tmpMnt

Back up your /tmp dir. I had a mysql.sock file that I needed to recreate the symbolic link for; other programs may use /tmp to store cache files and the like.

code:

cd /

code:

cp -R /tmp /tmp_backup

Mount the new /tmp filesystem with noexec and nosuid

code:

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

code:

chmod 1777 /tmp

Copy everything back to the new /tmp and remove the backup

code:

cp -R /tmp_backup/* /tmp/

code:

rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboot.

code:

pico -w /etc/fstab

You should see something like this:
code:
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0

At the bottom add
code:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

(Each space is a tab)
Save it!
Ctrl + X and Y

You're done: /tmp is now mounted noexec. You can sleep a little safer tonight. I created a hello world C++ program, compiled it, and moved it to /tmp. Upon trying to run it (even after chmod +x), it gives the following error:

code:
bash: ./a.out: Permission denied
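After the remount, the check a practitioner wants is whether /tmp really carries the intended options, both on the running system (/proc/mounts) and in /etc/fstab so that the protection survives a reboot. The following is an added shell example, not part of the original how-to. It parses constructed copies of both files (the first four fields, device, mount point, type and options, are the same in both formats) and reports which options from a wanted list are missing. The nodev option in the wanted list is a common addition beyond what the how-to sets, included here as an assumption.

```shell
#!/bin/sh
# Added example: verify mount options for a mount point. Works on /proc/mounts
# and on /etc/fstab alike, since both list device, mount point, type, options.
# The two tables below are constructed for the example.

MOUNTS=$(mktemp)   # stand-in for /proc/mounts
cat > "$MOUNTS" <<'EOF'
/dev/hda3 / ext3 rw,usrquota 0 0
/dev/hda1 /boot ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid 0 0
/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0
EOF

FSTAB=$(mktemp)    # stand-in for /etc/fstab, with the line the how-to adds
cat > "$FSTAB" <<'EOF'
/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
EOF

# Print the option string for mount point $2 in table $1 (empty if absent).
mount_options() {
    awk -v mp="$2" '$2 == mp { print $4; exit }' "$1"
}

# Succeed if option $2 appears in the comma-separated list $1.
has_option() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# Print each option from the space-separated list $3 that mount point $2
# lacks in table $1; prints NOT-MOUNTED and fails if there is no entry at all.
missing_options() {
    opts=$(mount_options "$1" "$2")
    if [ -z "$opts" ]; then
        echo NOT-MOUNTED
        return 1
    fi
    for want in $3; do
        has_option "$opts" "$want" || printf '%s\n' "$want"
    done
}

# Example run: compare the live mount table and fstab for a few mount points
for mp in /tmp /dev/shm /var/tmp; do
    echo "$mp (running): $(missing_options "$MOUNTS" "$mp" "noexec nosuid nodev" | tr '\n' ' ')"
    echo "$mp (fstab):   $(missing_options "$FSTAB" "$mp" "noexec nosuid nodev" | tr '\n' ' ')"
done
```

On a real host call the functions with /proc/mounts and /etc/fstab; a mount point that is clean in /proc/mounts but reports options missing from fstab is exactly the case the how-to warns about, a protection that disappears at the next reboot.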

E-mail Alert on Root SSH Login

Want to be notified instantly when someone logs into your server as root? No problem, check out this tutorial on e-mail notification for root logins. Keeping track of who logs into your server and when is very important, especially when you're dealing with the superuser account. We recommend that you use an e-mail address not hosted on the server you're sending the alert from.

So let's get started!

1. Log in to your server and su to root, I know the irony!

2. cd /root

3. pico .bashrc

4. Scroll to the end of the file, then add the following:
echo 'ALERT - Root Shell Access (YourServerName) on:' $(date) $(who) | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" you@yourdomain.com

Replace YourServerName with the handle for your actual server
Replace you@yourdomain.com with your actual e-mail address
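The .bashrc one-liner above recovers the origin by cutting it out of `who`, which picks up the wrong session when several users are logged in. As an added example (not from the tutorial), here is a shell version that takes the client address from the SSH_CONNECTION variable that sshd sets for the session, falls back to a fixed label when the variable is absent (console logins, or `su -`, which clears the environment), and wraps the mail(1) call so the subject and body can be inspected without sending anything; the server name, recipient and wording are assumptions.

```shell
#!/bin/sh
# Added example: compose the root-login alert from the SSH environment.
# Only send_root_alert actually mails; the other functions just build text,
# so they can be checked without a mail transport. Server name, recipient
# and wording are assumptions for the example.

# Client address from SSH_CONNECTION ("client_ip client_port server_ip server_port"),
# or a fixed label when the variable is absent (console login, or su - which
# clears the environment).
alert_source() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        echo "${SSH_CONNECTION%% *}"
    else
        echo "local-or-su"
    fi
}

# Subject line: server handle plus the source address.
alert_subject() {
    printf 'Alert: Root Access on %s from %s\n' "$1" "$(alert_source)"
}

# Message body: the same fields as the tutorial's one-liner, plus the
# effective user and tty, one item per line for easier reading in mail.
alert_body() {
    printf 'ALERT - Root Shell Access (%s) on: %s\n' "$1" "$(date)"
    printf 'user=%s tty=%s source=%s\n' "$(id -un)" "$(tty 2>/dev/null)" "$(alert_source)"
}

# Send the alert; intended to be called from root's .bashrc as
#   send_root_alert "YourServerName" you@yourdomain.com
send_root_alert() {
    alert_body "$1" | mail -s "$(alert_subject "$1")" "$2"
}
```

Keep the recipient off-host as the tutorial recommends, and treat the alert as a prompt to check the authentication log rather than as the record itself, since a .bashrc hook only fires for interactive bash sessions.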