1) Basic Setup

a) change default root password to hard one
#passwd root

b) create user
# adduser sabin
# passwd sabin

ip address
yum update yum
yum install  yum-utils
yum install bind-utils
yum install fail2ban -y
yum install epel-release
yum install net-tools
yum install nmap
yum install telnet
yum install links

yum -y install ntpdate
ntpdate ntp1.jst.mfeed.ad.jp 
systemctl enable ntpdate

yum install rkhunter  chkrootkit
vi /etc/rkhunter.conf (MAIL-ON-WARNING=)
rkhunter --update
rkhunter --propupd
rkhunter --check
wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvfz chkrootkit.tar.gz
cd chkrootkit-*/
make sense

cd ..
mv chkrootkit-*/ /usr/local/chkrootkit
ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit
0 3 * * * /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output of my server" [email protected]

Lynis (formerly rkhunter)
wget https://cisofy.com/files/lynis-2.4.8.tar.gz
tar xvfz lynis-2.4.8.tar.gz
mv lynis /usr/local/
ln -s /usr/local/lynis/lynis /usr/local/bin/lynis
lynis update info
lynis audit system
lynis --quick
0 3 * * * /usr/local/bin/lynis --quick 2>&1 | mail -s "lynis output of my server" [email protected]

mkdir -p /usr/local/ispprotect
chown -R root:root /usr/local/ispprotect
chmod -R 750 /usr/local/ispprotect
cd /usr/local/ispprotect
wget http://www.ispprotect.com/download/ispp_scan.tar.gz
tar xzf ispp_scan.tar.gz
rm -f ispp_scan.tar.gz
ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan

nano /etc/cron.d/ispprotect
0 3  * * *   root	/usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www [email protected] --non-interactive --scan-key=AAA-BBB-CCC-DDD

c) setup root privileges
# /usr/sbin/visudo
sabin ALL=(ALL) ALL
check /etc/passwd and change the login shell from /bin/bash to /sbin/nologin for every user other than root and sabin


Postfix config

Setup mail server on centos 7

2) su setting

a) Add sabin to wheel group

# usermod -a -G wheel sabin
# system-config-users
# useradd -G wheel sabin
# id sabin  
# useradd -G admins,ftp,www,developers sabin

b) # vi /etc/pam.d/su 
uncomment lines 3 and 5
c) # vi /etc/aliases 

3) Disable SELINUX

a) # getenforce

# vi /etc/selinux/config

set disabled

# vi /etc/security/limits.conf

* soft nofile 8192

* hard nofile 8192

4) SSH config

# vi /etc/ssh/sshd_config

Change port

b) Port 2000

c) PermitRootLogin no

d) UseDNS no

At the end

f)Limit the ciphers to those algorithms which are FIPS-approved.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

g) Disable rhosts / host-based remote login
IgnoreRhosts yes
HostbasedAuthentication no

AllowUsers sabin
AllowUsers sabin [email protected] sabin*@
AllowGroups wheel staff

# systemctl restart sshd 
# firewall-cmd --permanent --zone=public --add-service=ssh
# firewall-cmd --permanent --zone=public --add-port=2000/tcp 
# firewall-cmd --reload 

https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users


a) # vi /etc/hostname
or  # hostnamectl set-hostname data.sabinshrestha.com.np
or # nmcli general hostname data.sabinshrestha.com.np

b) # vi /etc/hosts data.sabinshrestha.com.np

c) # hostname
d) # systemctl restart systemd-hostnamed

e) # vi /etc/sysconfig/network

f) # hostnamectl status or nmcli general hostname

6) Fedora EPEL

#yum install epel-release

 # wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
 # rpm -Uvh epel-release-latest-7.noarch.rpm
 # yum update yum
 # yum update

To list all available packages under a repo called epel, enter:
# yum --disablerepo="*" --enablerepo="epel" list available
# sudo yum --disablerepo="*" --enablerepo="epel" list available | grep 'package'
#sudo yum --disablerepo="*" --enablerepo="epel" list available | less
yum install dnstop (DNS Monitoring)
dnstop eno1
dnstop eth0
1: display the TLD distribution (e.g. com, net, org, info)
2: display the domain names distribution (e.g. ewhathow.com)
s: display the source IP address table
d: display the destination IP address table
t: display the breakdown of query types seen (e.g. A, AAAA, MX)
r: display the breakdown of response codes seen (e.g. NXDOMAIN, REFUSED)
o: display the breakdown of opcodes seen
^R: reset the counters
^X: exit the program
space: redraw
?: help
wget http://www.cipherdyne.com/psad/download/psad-2.4.2-1.x86_64.rpm
yum install psad-2.4.2-1.x86_64.rpm
vi /etc/psad/psad.conf
EMAIL_ADDRESSES - change this to your email address.
HOSTNAME - this is set during install - but double check and change to a FQDN if needed.
ENABLE_AUTO_IDS - set this to Y if you would like PSAD to take action - read the configuration instructions before setting this to Y.
ENABLE_AUTO_IDS_EMAILS - set this to Y if you would like to receive email notifications of intrusions that are detected.
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
ip6tables -A INPUT -j LOG
ip6tables -A FORWARD -j LOG

psad -R
psad --sig-update
psad -H

psad --Status

7) Mysql

# yum -y install mariadb-server mariadb
# systemctl start mariadb.service
# systemctl enable mariadb.service
# mysql_secure_installation
#vi /etc/my.cnf
#vi /etc/my.cnf.d/server.cnf


# yum -y install httpd
# systemctl start httpd.service
# systemctl enable httpd.service
# firewall-cmd  --permanent  --zone=public  --add-service=http
#firewall-cmd  --permanent  --zone=public  --add-service=https
# firewall-cmd  --reload
# yum -y install php-mysql

# yum info php-module-name
# yum -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel
# systemctl restart httpd.service

# yum install phpMyAdmin

# vi /etc/httpd/conf.d/phpMyAdmin.conf

comment out the first <Directory> ... </Directory> block and replace it with the following

<Directory /usr/share/phpMyAdmin/>
Options none
AllowOverride Limit
Require all granted
</Directory>

# vi /etc/phpMyAdmin/config.inc.php

$cfg['Servers'][$i]['auth_type'] = 'http';

change localhost to
$cfg['Servers'][$i]['host']          = ''; 

Tune apache
# apachectl -t -D DUMP_MODULES |grep deflate

ensure module is loaded in 
# vi /etc/httpd/conf.modules.d/00-base.conf 
LoadModule deflate_module modules/mod_deflate.so

create file
# vi /etc/httpd/conf.d/mod_deflate.conf

<FilesMatch "\.(js|html|css)$">
 SetOutputFilter DEFLATE
</FilesMatch>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpg|png|ico|zip|gz|mp4|flv)$ no-gzip
</IfModule>

Do not compress PHP output and images; they are already compressed
DeflateCompressionLevel 1 (range 1-9; use a low value such as 1 when the server is CPU-constrained)
# yum -y install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder
# systemctl restart  httpd.service

Secure Apache

Disable timthumb in sites
# grep -nr timthumb.php * ( in public_html)

in wordpress with timthumb

# vi wp-config.php
define('WEBSHOT_ENABLED', false);

** http://geekflare.com/apache-web-server-hardening-security/

comment out (prefix with #) every line in

# vi /etc/httpd/conf.d/welcome.conf
Add below line to disable Server Signature
ServerSignature Off
ServerTokens Prod
Server: Apache
User apache
Group apache

in mod security conf file
SecServerSignature sabin.com.np

Turn off directory browsing
Options -Indexes

Turn off server side includes
Options -Includes

Turn off CGI execution
Options -ExecCGI

Don't allow apache to follow symbolic links
Options -FollowSymLinks

Turning off multiple Options
Options None

Options -ExecCGI -Indexes -Includes
Disable any unnecessary modules
grep LoadModule httpd.conf
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf
#LoadModule info_module modules/mod_info.so

Lower the Timeout value
Timeout 40
Limiting large requests
LimitRequestBody 1048576 (1mb)

Limiting the size of an XML Body
LimitXMLRequestBody 10485760 (10 MB)
Limiting Concurrency
MaxClients, MaxSpareServers, MaxRequestsPerChild ThreadsPerChild, ServerLimit MaxSpareThreads
Adjusting KeepAlive settings
MaxKeepAliveRequests 100
KeepAliveTimeout 15

The default ETag lets a remote client learn the file's inode number, the multipart MIME boundary and the child process ID from the ETag header.
FileETag None

<Directory />
Options -Indexes
AllowOverride None
</Directory>

The default Apache configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of HTTP/1.1. To allow only GET and POST (plus HEAD, as below), add the following inside the <Directory> block:
Options FollowSymLinks
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>

if CGI is not required, remove the following
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
Disable Trace HTTP Request
TraceEnable off

Set cookies with the HttpOnly and Secure flags (Secure is only honoured over HTTPS, so on a plain-HTTP site this also breaks cookie logins such as phpMyAdmin; use it only if your site sets no cookies or is served over HTTPS)
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Clickjacking Attack
Header always append X-Frame-Options SAMEORIGIN

Disable Server Side Include in all <directory> and upload folders
Options -Indexes -ExecCGI -Includes

Disable the HTTP/1.0 protocol: add the following lines to the .htaccess file
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

X-XSS Protection
Header set X-XSS-Protection "1; mode=block"

Disable File Information
Header unset Pragma
Header unset Last-Modified
Header unset Cache-Control
Header unset ETag
Header set Expires "Fri, 21 Dec 2012 00:00:00 GMT"
Header set Cache-Control "public, no-transform"
Access logging: to capture the time taken to serve the request and the session ID in the access log, add %T and %{sessionID}C to the LogFormat directive in httpd.conf

LogFormat "%h %l %u %t \"%{sessionID}C\" \"%r\" %>s %b %T" common

edit error message
# vi /usr/share/httpd/error/include/bottom.html
and delete 2 line inside <address> </address>

install pear mdb2

pear install MDB2-2.5.0b5
pear install MDB2_Driver_mysql-1.5.0b4


# yum -y install vsftpd
# vi /etc/vsftpd/vsftpd.conf
# line 109: uncomment
# line 114: change ( if use IPv4 )
# line 123: change ( turn to OFF if it's not need )
# add follows to the end
# specify root directory ( if don't specify, users' home directory become FTP home directory)
# use localtime

# systemctl restart vsftpd
# systemctl enable vsftpd
# firewall-cmd  --permanent --add-port=40000-40100/tcp
# firewall-cmd --permanent --add-port=21/tcp
# firewall-cmd --reload

# setsebool -P ftp_home_dir 1
# mkdir /etc/ssl/private
# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

#vi /etc/vsftpd/vsftpd.conf

Apache add domain

# adduser webserver 
# mkdir -p /home/webserver/public_html 
# chown -R sabin:sabin /home/webserver/public_html 
# chmod -R 755 /home/webserver 
# mkdir /etc/httpd/sites-available 
# mkdir /etc/httpd/sites-enabled 

# vi /etc/httpd/conf/httpd.conf at the end add below line 
IncludeOptional sites-enabled/*.conf 

# vi /etc/httpd/sites-available/webserver.conf 
<VirtualHost *:80> 
ServerName webserver.com 
ServerAlias www.webserver.com 
DocumentRoot /home/webserver/public_html 
ErrorLog /home/webserver/error.log 
CustomLog /home/webserver/requests.log combined 
</VirtualHost>

# ln -s /etc/httpd/sites-available/webserver.conf /etc/httpd/sites-enabled/webserver.conf 

# systemctl restart  httpd.service


# vi /etc/yum.repos.d/webmin.repo 
name=Webmin Distribution Neutral 

# rpm --import http://www.webmin.com/jcameron-key.asc 
# yum check-update 
# yum install webmin -y 

# firewall-cmd  --permanent  --add-port=10000/tcp 
# systemctl restart webmin.service 
# systemctl enable webmin.service 
# yum -y install openssl openssl-devel perl perl-Net-SSLeay perl-Crypt-SSLeay


# yum install fail2ban -y

# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

# vi /etc/fail2ban/jail.local ignoreip = (add your home ip)

# systemctl restart fail2ban.service

# systemctl enable fail2ban.service

Dont forget to add /etc/fail2ban/jail.local enabled = true
enabled = true

fail2ban-client status

fail2ban-client status sshd

The main reason a service is masked is to prevent accidental starting or enabling of a service. For example, firewalld can be masked with the following command:
#systemctl mask firewalld
If you later want to start the firewalld service, you may get the error message "Failed to issue method call: Unit firewalld.service is masked". To resolve this, unmask the firewall with the following command:
#systemctl unmask firewalld


rpm -Uvh http://repo.varnish-cache.org/redhat/varnish-3.0/el5/noarch/varnish-release/varnish-release-3.0-1.noarch.rpm

yum install varnish

vi /etc/sysconfig/varnish

Now remove all # in Alternative 2 config and # to disable others

DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"

vi /etc/varnish/default.vcl

change the port to 8080. backend default { .host = ""; .port = "8080"; }

vi /etc/httpd/conf/httpd.conf

search Listen 80 and change it to



also in Virtual Host

systemctl restart httpd.service

systemctl restart varnish.service

systemctl enable varnish.service

service httpd restart

service varnish restart

You can use Firebug to inspect the response headers, or use the CentralOps domain scanner service with the "service scan" option checked. Check performance with varnishstat.

Firewall firewall-cmd

yum -y install firewalld firewall-config

systemctl start firewalld.service

systemctl enable firewalld.service

systemctl status firewalld


stop and disable

systemctl stop firewalld.service

systemctl disable firewalld.service


#ls /usr/lib/firewalld/services/

#vi /etc/firewalld/zones/public.xml

# firewall-cmd --state
# firewall-cmd --list-all

# firewall-cmd --list-interfaces
# firewall-cmd --get-service

# firewall-cmd --query-service service_name

# firewall-cmd --add-port=8080/tcp

# firewall-cmd --get-active-zones

# firewall-cmd --get-service --permanent

# firewall-cmd --permanent --zone=public --list-sources

* Add whitelist IP

#firewall-cmd --permanent --zone=public --add-source=

#firewall-cmd --permanent --zone=public --add-source=

* Add whitelist port range
#firewall-cmd --permanent --zone=public --add-port=1-22/tcp

#firewall-cmd --permanent --zone=public --add-port=1-22/udp

* Add services

#firewall-cmd --permanent --zone=public --add-service=ssh

#firewall-cmd --zone=public --list-ports
#firewall-cmd --permanent --zone=public --list-ports

#firewall-cmd --permanent --zone=public --remove-port=8080-8081/tcp

* Add IP and port to allow

#firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" port protocol="tcp" port="8080" accept'


* Add fixed or range ip to allow ssh

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" service name="ssh" log prefix="ssh" level="info" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" service name="ssh" log prefix="ssh" level="info" accept'

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" service name="ssh" log prefix="ssh" level="info" accept'

firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --reload
firewall-cmd --zone=public --list-all


Rich rules allow you to create more complex configurations. The following command opens SSH access (service name="ssh") to a specific source address.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" service name="ssh" accept'

The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option.

# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="" service name="ssh" accept'


vi /etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address=""/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>


<?xml version="1.0" encoding="utf-8"?>



<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

<service name="http"/>
<service name="https"/>
<port protocol="tcp" port="21"/>
<rule family="ipv4">
  <source address=""/>
  <service name="ssh"/>
  <log prefix="ssh" level="info"/>
  <accept/>
</rule>
<rule family="ipv4">
  <source address=""/>
  <service name="ssh"/>
  <log prefix="ssh" level="info"/>
  <accept/>
</rule>
</zone>


* Remove Service

firewall-cmd --list-all-zones

firewall-cmd --permanent --zone=public --remove-service=ssh

firewall-cmd --reload

firewall-cmd --list-all-zones


Upgrade MySQL to 5.6, replacing MariaDB

1) download mysql-community-release-el7-5.noarch.rpm from http://dev.mysql.com/downloads/repo/yum/ 

2) yum install mysql-community-release-el7-5.noarch.rpm 

3) yum repolist enabled | grep "mysql.*-community.*" 
4) yum install mysql-community-server 
5) systemctl status mysqld 
6) systemctl enable mysqld.service 
ln -s '/usr/lib/systemd/system/mysqld.service' '/etc/systemd/system/mysql.service'
ln -s '/usr/lib/systemd/system/mysqld.service' '/etc/systemd/system/multi-user.target.wants/mysqld.service'

cd  /etc 
mv my.cnf my1.cnf 
mv my.cnf.rpmnew my.cnf 

7) systemctl restart mysqld 
8) mysql -u root -p

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd'); 
CREATE USER 'sabin'@'localhost' IDENTIFIED BY '***'; 

GRANT ALL PRIVILEGES ON `sabin`.* TO 'sabin'@'localhost'; 
GRANT ALL PRIVILEGES ON `sabin\_%`.* TO 'sabin'@'localhost';

Change Default MySQL Data Directory:
1) systemctl stop mysqld

2)Change Data Directory
cp -rap /var/lib/mysql /home/mysql 
chown mysql.mysql /home/mysql

3)vi /etc/my.cnf
Change From: 
Change To: 

End of file below line

in command prompt
ln -s /home/mysql/mysql.sock /var/lib/mysql/mysql.sock

chown -h mysql:mysql  /var/lib/mysql/mysql.sock


Install GitLab

sudo yum install curl openssh-server
sudo systemctl enable sshd
sudo systemctl start sshd
sudo yum install postfix
sudo systemctl enable postfix
sudo systemctl start postfix
sudo firewall-cmd --permanent --add-port=81/tcp
sudo systemctl reload firewalld
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash
sudo yum install gitlab-ce

vi /etc/gitlab/gitlab.rb

external_url 'http://dev.sabinshrestha.com.np:81'

sudo gitlab-ctl reconfigure

 Username: root Password: 5iveL!fe

Sample project

*Autodeploy your Gitlab projects



*Configure Runner


To Install docker
curl -sSL https://get.docker.com/ | sh

curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-ci-multi-runner/script.rpm.sh | sudo bash
yum install gitlab-ci-multi-runner
gitlab-ci-multi-runner register

Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/ci )
Please enter the gitlab-ci token for this runner
Please enter the gitlab-ci description for this runner
INFO[0034] fcf5c619 Registering runner... succeeded
Please enter the executor: shell, docker, docker-ssh, ssh?
INFO[0037] Runner registered successfully. Feel free to start it, but if it's
running already the config should be automatically reloaded

concurrent = 4

 url = "http://dev.sabinshrestha.com:81/ci"
 token = "9f6e7722431649fbbd5cb25f004117"
 tls-skip-verify = false
 tls-ca-file = ""
 name = "PHP Runner"
 executor = "shell"
 image = ""
 privileged = false
 base_name = ""

 url = "http://dev.sabinshrestha.com:81/ci"
 token = "4c89893a7bfff215517872d330af18"
 tls-skip-verify = false
 tls-ca-file = ""
 name = "Deploay"
 executor = "ssh"
 user = "web"
 password = "nepal"
 host = "dev.sabinshreshta.com"
 port = "2015"


* Composer (debug PHP on GitLab)

curl -sS https://getcomposer.org/installer | php

mv composer.phar /usr/local/bin/composer

* Install PHPUNIT 5.1
composer global require "phpunit/phpunit=5.1"
cp /root/.composer/vendor/bin/phpunit /usr/local/bin

$composer install
Composer could not find a composer.json file in /root/.composer/vendor/bin
To initialize a project, please create a composer.json file as described in the https://getcomposer.org/ "Getting Started" section

For PHP code

  - composer install
  - test

  - php index.php
  - bash makelive.sh




if [ ! -d "$DIRECTORY1" ]; then
  git clone "$REPO"
  cd "$DIRECTORY1"
  git pull



    "require-dev": {
        "phpunit/phpunit": "5.1"

<!-- /phpunit.xml --> 
<?xml version="1.0" encoding="UTF-8"?>
<phpunit backupGlobals="false"
        <testsuite name="Test Suite">
            <directory suffix=".php">./wp-content/themes/sabintheme/</directory>

NOTE URL Reference

XWindows Minimal

1. Install CentOS-7 - Minimal (First entry point in list)
2. yum groupinstall "X Window System"
3. yum install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts
4. unlink /etc/systemd/system/default.target
5. ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target
6. reboot

Secure X Windows
Add id:3:initdefault: to /etc/inittab.
yum groupremove "X Window System"

Apf Firewall

cd /usr/src
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xvzf apf-current.tar.gz

cd apf*

chkconfig --add apf
chkconfig --level 345 apf on


cd /etc/apf
2. IFACE_IN & IFACE_OUT (on CentOS 7 run ifconfig, check the interface name and change it accordingly, e.g. IFACE_IN="eno16777984")



IG_ICMP_TYPES="3,5,11,30" - inbound ICMP types. Types 0 and 8 are removed so the server will not answer pings, which partially hides it on the network. Leave them in place if you or your datacenter rely on ping packets (e.g. network monitoring).

EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. By leaving services such as SSH closed outbound, an attacker who breaks into this system is stopped from using it to connect on to other servers.

EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP port numbers

5. EGF
It is recommended that you enable the outbound (egress) filtering as it provides a very robust level of protection and is a common practice to filtering outbound traffic.

This option tells the system that instead of looking for iptables modules, that we should expect them to be compiled directly into the kernel. If the APF produces error like “unable to load iptables module” you need to enable this.


TCP_STOP="DROP" - defines a reaction in case of TCP connections that violate the rules

UDP_STOP="DROP" - defines a reaction in case of UDP connections that violate the rules

ALL_STOP="DROP" - defines a reaction to any other connections

We can send a TCP/IP reset (RESET), drop the packet without answering (DROP), reject it (REJECT) or send icmp-host-prohibited answer (PROHIBIT) in case of UDP.

BLK_PRVNET="1" - blocks all private ipv4 addresses. If Your machine is behind NAT then set this to 0


After configuring APF properly, you need to restart it using the command

/etc/init.d/apf restart

apf -r
1. Deny an IP address
apf -d IPaddress

This will add the IP address to the file /etc/apf/deny_hosts.rules.
2. Allow (Trust) an IP address
apf -a IPaddress

This will add the IP address to the file /etc/apf/allow_hosts.rules
3. Remove an IP address
apf -u IPaddress

This will remove entries that match from allow_hosts.rules, deny_hosts.rules and the global extensions of these files.

-l - list statistics

-st - status of APF

-f - stop APF

-s - start APF


Install & Configure AWStats

1) yum install awstats -y

change the permission
vi /etc/httpd/conf.d/awstats.conf
<Directory "/usr/share/awstats/wwwroot">
Options None
AllowOverride Limit
Require all granted
</Directory>


cd /etc/awstats
cp awstats.sabinshrestha.com.np.conf awstats.test.sabinshrestha.com.np.conf

vi awstats.ap.sabinshrestha.com.np.conf


/usr/share/awstats/tools/awstats_updateall.pl now -confdir="/etc" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl"


cd /usr/share/awstats/wwwroot/
cd /usr/share/
find ./awstats -type d -exec chmod 701 '{}' \;
find ./awstats -not -type d -exec chmod 404 '{}' \;

chmod 400 /etc/awstats/*.conf

7) secure it
htpasswd -c /etc/awstats/htpasswd.users sabin

cd /usr/share/awstats/wwwroot/
vi .htaccess
AuthName "STOP - Do not continue unless you are authorized to view this site! - Server Access"
AuthType Basic
AuthUserFile /etc/awstats/htpasswd.users
Require valid-user

to change the password later, run htpasswd without -c (-c recreates the file and drops every other user)
htpasswd /etc/awstats/htpasswd.users sabin

chmod 404 .htaccess

================================= ======================================================

Log Watch

1)yum install -y logwatch
2) vi /usr/share/logwatch/default.conf/logwatch.conf
MailTo = root
MailTo = [email protected]

MailFrom = Logwatch

Range = yesterday   (or: today)
Detail = Med
Service = All
(ls -l /usr/share/logwatch/scripts/services)
or individual service
Service = sendmail
Service = http
Service = identd
Service = sshd2
Service = sudo
DailyRepoty = No

vi /usr/share/logwatch/scripts/services/http.conf

logwatch Detail = Med
logwatch --service all
logwatch --detail Low --mailto [email protected] --service http --range today

define location of log file
vi /etc/logwatch/conf/logfiles/http.conf
Logfile = /var/log/httpd/downloads.foo.com-access_log
Logfile = /var/log/httpd/bb.foo.com-access_log


yum install nmon
yum install apachetop


Top 10 System Monitoring Tools

1. top (overview of all the processes or threads running in the system)
2. htop (overview of all the processes or threads running in the system)
3. atop (monitors all processes much like top and htop; unlike them it keeps daily logs of the processes for long-term analysis, and also shows resource consumption by all processes)
4. apachetop (monitors the overall performance of your Apache web server; largely based on mytop, it displays the current number of reads, writes and the overall number of requests processed)
5. ftptop (basic information on all current FTP connections to your server, such as the total number of sessions, how many are uploading or downloading, and who the client is)
6. mytop (monitors threads and performance of MySQL; gives a live look into the database and the queries it is processing in real time)
7. powertop (helps diagnose issues with power consumption and power management)
8. iotop (checks I/O usage information and gives a top-like interface to it)
==========================================================

Bash Auto Backup Script


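#!/usr/bin/env bash
# Nightly site + MySQL backup.
#
# Dumps every database (except information_schema and names starting with
# "_") into a dated staging directory under /home/sitebackup, archives
# /home/sabin next to the dumps, packs the whole staging directory into
# /home/sabin/sitebackup, and finally removes the staging copy.
#
# Inputs (environment):
#   PASSWORD    MySQL password (required).
#   MYSQL_USER  MySQL account. The original read $USER, which in a normal
#               shell is the invoking login name rather than a MySQL account;
#               it is kept only as a fallback - set MYSQL_USER explicitly.
#
# NOTE: the pasted original had no `fi`/`done`, so the tar/chown/rm steps
# sat inside the per-database loop; they are run once, after it.
set -euo pipefail

db_user=${MYSQL_USER:-${USER:?MySQL user (MYSQL_USER) not set}}
: "${PASSWORD:?MySQL password (PASSWORD) not set}"

# Read the date once so every path agrees even if the run crosses midnight.
stamp=$(date +%Y%m%d)
OUTPUT="/home/sitebackup/${stamp}-backup"
OUTPUT1="$OUTPUT/mysql"
mkdir -p -- "$OUTPUT1"

# Credentials go in a 0600 temp file passed via --defaults-extra-file, so the
# password is not exposed on the command line (visible in `ps` with --password=).
creds=$(mktemp) || exit 1
trap 'rm -f -- "$creds"' EXIT
chmod 600 -- "$creds"
printf '[client]\nuser=%s\npassword=%s\n' "$db_user" "$PASSWORD" > "$creds"

# -N drops the column header, -B prints one plain name per line
# (replaces the original `tr -d "| " | grep -v Database` cleanup).
mapfile -t databases < <(mysql --defaults-extra-file="$creds" -N -B -e 'SHOW DATABASES;')

# The ${arr[@]+"${arr[@]}"} form keeps `set -u` happy on an empty array (bash < 4.4).
for db in ${databases[@]+"${databases[@]}"}; do
  # Same filter as the original: skip information_schema and "_*" names.
  if [[ "$db" == "information_schema" || "$db" == _* ]]; then
    continue
  fi
  printf 'Dumping database: %s\n' "$db"
  dump="$OUTPUT1/${stamp}.${db}.sql"
  mysqldump --defaults-extra-file="$creds" --force --opt --databases "$db" > "$dump"
  gzip -- "$dump"
done

# Site files, excluding the backup directory itself (--exclude given before the path).
tar -zcvf "$OUTPUT/${stamp}-site.tar" --exclude="/home/sabin/sitebackup" /home/sabin

# Pack the staging directory into its final location and hand it to the web user.
final="/home/sabin/sitebackup/${stamp}-site.tar.gz"
tar -zcvf "$final" "$OUTPUT"
chown sabin:apache -- "$final"

# :? aborts instead of expanding to `rm -rf /` should OUTPUT ever be empty.
rm -rf -- "${OUTPUT:?}"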


Configuring Mod Security and Mod_evasive Allowing Unicode

yum install mod_security mod_evasive

ls -l /etc/httpd/conf.d

Now, in order to integrate these two modules with Apache and have it load them when it starts, make sure the following lines appear in the top level section of mod_evasive.conf and mod_security.conf, respectively:
LoadModule evasive20_module modules/mod_evasive24.so
LoadModule security2_module modules/mod_security2.so

# cd /etc/httpd/modules
# pwd
# ls -l | grep -Ei '(evasive|security)'

config file: vi /etc/httpd/conf.d/mod_security.conf

mkdir /etc/httpd/crs-sabin
cd /etc/httpd/crs-sabin
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
tar xzf master
mv SpiderLabs-owasp-modsecurity-crs-ebe8790 owasp-modsecurity-crs
cd owasp-modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

vi modsecurity_crs_10_setup.conf
enable utf8 inline 435 (remove #)
vi /etc/httpd/conf/httpd.conf
add below line end of httpd.conf file

<IfModule security2_module>
Include crs-sabin/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include crs-sabin/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>

http://www.xxxx.com/?abc=../../ (request this URL against your own site and check the audit log to confirm the rules are firing)
cd /etc/httpd/conf.d/
wget -c https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/unicode.mapping

vi /etc/httpd/crs-sabin/owasp-modsecurity-crs/abc.conf

SecGeoLookupDb /etc/httpd/crs-tecmint/GeoLiteCity.dat
# black list country
SecRule GEO:COUNTRY_CODE "@pm UA ID YU LT EG RO BG TR RU PK MY IL" "id:40,phase:1,t:none,log,pass,msg:'High Risk Fraud Location',setvar:tx.fraud_score=+10"

# block outside country
#SecRule REMOTE_ADDR "@geoLookup" "id:37,phase:1,t:none,pass,nolog"


SecRule ARGS "@contains <" "id:35,phase:1,t:none,t:urlDecodeUni,log,pass"
SecRule REQUEST_HEADERS:Range "bytes=0-" id:34,allow,log,t:none,ctl:ruleRemoveById=958291
# unicode unblock in url
SecRuleRemoveById 960024
# unicode unblock in url
SecRuleRemoveById 981318
# Allow pdf downloads
SecRuleRemoveById 958291

and rule
vi /etc/httpd/modsecurity.d/myconf.conf
<IfModule mod_security2.c>
SecRuleEngine On

# unicode mapping
SecUnicodeMapFile /etc/httpd/conf.d/unicode.mapping
SecUnicodeCodePage 20127
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
SecDataDir /tmp
</IfModule>


nepali unicode issue in mod_security in url

vi /etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf

go to line 37 and replace below
Replace \W{4,} with [^A-Za-z0-9-_ [email protected]#$%^*()शज्ञद्दघद्धछटठडढणङऊधभचतथगषयउृे्बकमानजवपिसुहअखदलफो।रऐध्भ्च्त्ञग्क्षइएद्वक्ँआन्ज्व्ईीस्ूह्मऋख्द्यल्ःौश्रओऔ०१२३४५६७८९ंैझ]{4,}

vi /etc/httpd/conf.d/mod_security.conf
SecPcreMatchLimit 90000
SecPcreMatchLimitRecursion 90000
GeoIP: increment the fraud score for blacklisted countries

SecGeoLookupDb /etc/httpd/crs-tecmint/GeoLiteCity.dat
# black list country
SecRule GEO:COUNTRY_CODE "@pm UA ID YU LT EG RO BG TR RU PK MY IL" "id:40,phase:1,t:none,log,pass,msg:'High Risk Fraud Location',setvar:tx.fraud_score=+10"

# block outside country
#SecRule REMOTE_ADDR "@geoLookup" "id:37,phase:1,t:none,pass,nolog"

download free book from

To check the number of hits per IP
cat requests.log | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20
Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Modules
https://www.linode.com/docs/websites/apache-tips-and-tricks/modsecurity-on-apache https://www.howtoforge.com/apache_mod_security_p2 http://hostinginstructions.com/harden-apache-with-mod_security-on-centos-7/ https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/ https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Inbound/Outbound-Correlation/ https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/ https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Inbound/Outbound-Correlation/ Replace \W{4,} to [^A-Za-zА-Яа-я0-9_]{4,} http://stackoverflow.com/questions/14906232/regular-expressions-with-the-cyrillic-alphabet Another approach is to list all characters one-by-one. Simply find an authoritative reference for the alphabet that you want to put in a regexp, and put all characters for it into a pair of square brackets: [АБВГДЕЁЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдеёжзийклмнопрстуфхцчшщъыьэюя] [^A-Za-z0-9शज्ञद्दघद्धछटठडढणङऊधभचतथगषयउृे्बकमानजवपिसुहअखदलफो।रऐध्भ्च्त्ञग्क्षइएद्वक्ँआन्ज्व्ईीस्ूह्मऋख्द्यल्ःौश्रओऔ०१२३४५६७८९ंैझ] https://www.trustwave.com/Resources/SpiderLabs-Blog/Detecting-Malice-with-ModSecurity--GeoLocation-Data/ https://www.packtpub.com/books/content/blocking-common-attacks-using-modsecurity-25-part-3 ======== vi /etc/httpd/crs-sabin/owasp-modsecurity-crs/test.conf SecRuleRemoveById 960024 //unicode in url SecRuleRemoveById 981318 //unicode in url //Allow pdf download SecRuleRemoveById 958291 SecRule REQUEST_HEADERS:Range "bytes=0-" id:34,allow,log,t:none,ctl:ruleRemoveById=958291 SecRule ARGS "\\\\W{4,}" "id:44,phase:1,t:none,t:urlDecodeUni,log,pass" SetEnvIfNoCase Remote_Addr ^$ MODSEC_ENABLE=Off # You can use multiple SetEnvIf directives to control it 
further. # This only turns it off for your IP + a POST request method. # # SetEnvIf Remote_Addr ^$ MODSEC_ENABLE=Off # SetEnvIf Request_Method !^POST$ MODSEC_ENABLE=On # Make sure that URL encoding is valid SecFilterCheckURLEncoding On # Unicode encoding check SecFilterCheckUnicodeEncoding Off //sample rules SecRule ARGS_GET_NAMES "^(customerid|q)" "phase:1,pass,id:'90010', \ ctl:ruleRemoveTargetById=960024, \ ctl:ruleRemoveTargetById=981173" SecRule ARGS_POST_NAMES "^(customerid|q)" "phase:2,pass,id:'90011', \ ctl:ruleRemoveTargetById=960024, \ ctl:ruleRemoveTargetById=981173"

Mod Security for wordpress
Protecting WordPress with mod-security
Posted on February 11, 2015
This blog and the other websites hosted here that run WordPress are targets of bots trying passwords against the WordPress admin and posting spam comments. I was unable to find a simple plugin for a comments DNS blacklist, so I focused on mod-security.

This Apache module is already packaged in all common Linux distributions. The problem is that the default rules are huge and complicated. For example, in Debian, after

apt-get install libapache-mod-security
a2enmod mod-security
an installation like this, the default rules will cause many problems with your websites. The default installation is useless as-is.

I have deleted all default rules in /etc/apache2/mod-security/rules and my mod-security.conf contains only

SecDebugLog /var/log/apache2/mod-security.log
SecDebugLogLevel 1

# wp-login
# This has to be global, cannot exist within a directory or location clause . . .
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}

# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block "@gt 0" "deny,status:403,log,msg:'ip address blocked for 15 minutes, more than 15 login attempts in 5 minutes.'"
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/300"
SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0"

#comments blacklist

SecAction "id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass,nolog"
SecRule IP:spam "@gt 0" "id:400001,phase:1,chain,drop,msg:'Spam host %{REMOTE_ADDR} already blacklisted'"
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php"
SecRule REQUEST_METHOD "POST" "id:'400010',chain,drop,log,msg:'Spam host detected by zen.spamhaus.org'"
SecRule REQUEST_URI "\/wp-(comments-post|trackback).php" chain
SecRule REMOTE_ADDR "@rbl zen.spamhaus.org" "setvar:IP.spam=1,expirevar:IP.spam=604800"
The first set of rules protects wp-login from password-guessing attacks — a simple rate limit. Note that as written the counter increments on every 200 response (the RESPONSE_STATUS rules are not scoped to wp-login.php), and the rules carry no id: action, which ModSecurity 2.7+ requires; scope them with a chained REQUEST_URI check and add ids before use.
The second set protects WordPress comments from spam by blocking comments from IPs listed on the zen.spamhaus.org DNS blacklist.

I found these rules on some blogs; they are very useful and effective.
Now all WordPress sites on my server are protected.

WordPress – Mod_security problems with posts and comments fixed

vi whitelist.conf


  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 960010 960012 950006


  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904

  SecRuleRemoveById 960010 960012 950006





mod_evasive to prevent DoS/ Brute-Force attacks block on CentOS Webserver

yum install mod_evasive -y
ls -al /etc/httpd/conf.d/mod_evasive.conf
systemctl reload httpd
sudo httpd -M | grep evasive
vi /etc/httpd/conf.d/mod_evasive.conf

DOSEmailNotify [email protected]
DOSPageCount 20
DOSSiteCount 100
DOSBlockingPeriod 300
mkdir /var/log/mod_evasive
chown -R apache:apache /var/log/mod_evasive
DOSLogDir "/var/log/mod_evasive"
systemctl restart httpd.service

For testing
vi /usr/share/doc/mod_evasive-1.10.1/test.pl
Replace 100 with 200:
for(0..200) {

perl /usr/share/doc/mod_evasive-1.10.1/test.pl


Secure php.ini

vi /etc/php.ini

Safe mode will also restrict the executables that may be run by scripts, in the same way it restricts file and directory access. Safe mode can also be configured so that only executables in a certain directory can be run. This can help limit exposure of shell commands to certain scripts. (Note: safe_mode was removed in PHP 5.4, so on current PHP versions this directive and the safe_mode_* directives below no longer exist; rely on open_basedir and disable_functions instead.)

safe_mode = On

In some cases you'll want to use a group to check ownership (for instance when multiple people deploy web application scripts). To have safe mode check group permissions use:
safe_mode_gid = On

If you want to limit directories that can contain included files or executables use the following php.ini directives respectively:

safe_mode_include_dir = /path/to/dir
safe_mode_exec_dir = /path/to/exec/dir

don’t allow include outside this directory
open_basedir = /home/sabin/public_html:/home/sabin/subdomain:/home/sabin/subdoman1:/home/sabin/php_tmp:/usr/share/pear:/usr/share/php:/usr/share/phpMyAdmin:/etc/phpMyAdmin:/var/lib/phpMyAdmin:/usr/share/doc

Disabling functions (php_uname is required by phpMyAdmin, so it is left enabled; note that popen and pcntl_exec are not in the list below)
disable_functions = getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

Preventing Information Disclosure
display_errors = Off

Disable Globals
register_globals = Off

Disable Remote File Includes
allow_url_fopen = Off
allow_url_include = Off

Restrict File Uploads
file_uploads = Off

upload_tmp_dir = /home/sabin/php_tmp
upload_max_filesize = 2M

(mkdir -p /home/sabin/php_tmp  ; chown apache:apache /home/sabin/php_tmp)

Protect Sessions (Make sure that the web server can read and write to the location you specify)
session.save_path =/home/sabin/php_tmp
session.cookie_httponly = 1
session.referer_check = your_url.tld
session.use_strict_mode = 1

upload_tmp_dir = /var/php_tmp
upload_max_filesize = 2M

The following settings can be restricted if they aren't necessary for your application:
Disallow HTTP file uploads file_uploads = Off
Disallow displaying the PHP error messages for the end-users display_errors = Off
Limit the external access to your PHP environment safe_mode_allowed_env_vars = PHP_
Restrict the sending back of PHP information expose_php = Off
Turn off the globals registration for input data register_globals = Off
Restrict remote files opening allow_url_fopen = Off
Restrict files opening allow_url_include = Off
sql.safe_mode = On

<Directory /home/sabin/public_html/uploads/>
Options None
AllowOverride None
php_admin_flag engine off
# "order"/"deny from" is Apache 2.2 access syntax; on Apache 2.4 use "Require all denied" (or load mod_access_compat)
order deny,allow
deny from all
</Directory>

<Directory /home/sabin/public_html/userfiles/>
Options None
AllowOverride None
php_admin_flag engine off
order deny,allow
deny from all
</Directory>

<Directory /home/sabin/public_html/bills/user_photo/>
Options None
AllowOverride None
php_admin_flag engine off
order deny,allow
deny from all
</Directory>


Control POST Size

<Directory /home/sabin/public_html>
<LimitExcept GET POST>
Order allow,deny
## Add rest of the config goes here... ##

# set in seconds
max_execution_time = 30
max_input_time = 30
memory_limit = 40M


NTP Port(UDP 123)
yum install ntp ntpdate
chkconfig ntpd on
ntpdate pool.ntp.org
/etc/init.d/ntpd start


Disable Unwanted SUID and SGID Binaries

# See all setuid files (newer GNU find rejects the "-perm +mode" form; use "-perm /4000" there):
find / -perm +4000
# See all setgid files
find / -perm +2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
find / -path -prune -o -type f -perm +6000 -ls
World-writable directories without the sticky bit
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Files with no owner or group
find /dir -xdev \( -nouser -o -nogroup \) -print


Linux Kernel /etc/sysctl.conf


# Turn on execshield
# Enable IP spoofing protection
# Disable IP source routing
# Ignoring broadcasts request
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0

Enable ExecShield

Helps prevent stack smashing / buffer-overflow exploitation. (kernel.exec-shield is a RHEL/CentOS 5–6 era key and may not exist on CentOS 7 kernels, where sysctl reports it as unknown; NX plus ASLR provide the equivalent protection there.)

Enable on current kernel: 
sysctl -w kernel.exec-shield=1

Add to /etc/sysctl.conf:
kernel.exec-shield =1

Check / Enable ASLR

Set runtime for kernel.randomize_va_space 
sysctl -q -n -w kernel.randomize_va_space=2

Add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already exist.


Disable Unwanted protocol

echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf

Disable uncommon filesystems

echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

Disable IPv6 Support Automatically Loading

vi /etc/modprobe.d/disabled.conf
options ipv6 disable=1

vi /etc/sysconfig/network
add below line

vi /etc/netconfig
comment out the two lines below
udp6 tpi_clts v inet6 udp - -
tcp6 tpi_cots_ord v inet6 tcp - -

Bulk Remove of Services

yum remove xinetd
yum remove telnet-server
yum remove rsh-server
yum remove telnet
yum remove rsh-server
yum remove rsh
yum remove ypbind
yum remove ypserv
yum remove tftp-server
yum remove bind
yum remove dovecot
yum remove squid
yum remove net-snmpd

Bulk Enable / Disable Services

systemctl disable xinetd
systemctl disable rexec
systemctl disable rsh
systemctl disable rlogin
systemctl disable ypbind
systemctl disable tftp
systemctl disable certmonger
systemctl disable cgconfig
systemctl disable cgred
systemctl disable cpuspeed
systemctl enable irqbalance
systemctl disable kdump
systemctl disable mdmonitor
systemctl disable messagebus
systemctl disable netconsole
systemctl disable oddjobd
systemctl disable portreserve
systemctl enable psacct
systemctl disable qpidd
systemctl disable quota_nld
systemctl disable rdisc
systemctl disable rhnsd
systemctl disable rhsmcertd
systemctl disable saslauthd
systemctl disable smartd
systemctl disable sysstat
systemctl enable crond
systemctl disable atd
systemctl disable nfslock
systemctl disable named
systemctl disable dovecot
systemctl disable squid
systemctl disable snmpd
systemctl disable rpcgssd
systemctl disable rpcsvcgssd
systemctl disable rpcidmapd
systemctl disable netfs
systemctl disable nfs
systemctl disable avahi-daemon
systemctl disable cups
systemctl disable dhcpd
systemctl disable xinetd
chkconfig --level 0123456 autofs off
service autofs stop

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared. Compatible technology is found in Apple MacOS X

systemctl disable avahi-daemon

Auto backup all db code

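#!/bin/bash
# Dump every MySQL/MariaDB database except the server's own schema databases
# (information_schema, performance_schema) into one gzip file per database
# under "$BACKUP_DIR/mysql/<db>.gz".
#
# Expects these variables to be set by the caller/environment (they are not
# defined here): BACKUP_DIR, MYSQL (mysql client), MYSQLDUMP (mysqldump),
# MYSQL_USER, MYSQL_PASSWORD.
set -euo pipefail

TIMESTAMP=$(date +"%F")   # not used below; kept as in the original snippet

# Fail loudly instead of dumping into "/mysql" or running an empty command
# when one of the required variables is missing.
: "${BACKUP_DIR:?BACKUP_DIR must be set}"
: "${MYSQL:?MYSQL (path to the mysql client) must be set}"
: "${MYSQLDUMP:?MYSQLDUMP (path to mysqldump) must be set}"
: "${MYSQL_USER:?MYSQL_USER must be set}"
: "${MYSQL_PASSWORD:?MYSQL_PASSWORD must be set}"

mkdir -p "$BACKUP_DIR/mysql"

# NOTE: a password given as -p<password> on the command line is visible to
# other local users via ps; a credentials file passed with
# --defaults-extra-file keeps it off the argument list.
# $MYSQL / $MYSQLDUMP stay unquoted on purpose so they may carry client options.
# shellcheck disable=SC2086
db_list=$($MYSQL --user="$MYSQL_USER" -p"$MYSQL_PASSWORD" -e "SHOW DATABASES;")
# grep exits 1 when nothing is left after filtering; that is not an error here.
databases=$(grep -Ev "(Database|information_schema|performance_schema)" <<<"$db_list" || true)

for db in $databases; do
  # --force keeps mysqldump going past per-table errors; a failed dump is
  # reported but does not stop the remaining databases from being backed up.
  # shellcheck disable=SC2086
  $MYSQLDUMP --force --opt --user="$MYSQL_USER" -p"$MYSQL_PASSWORD" \
    --databases "$db" | gzip > "$BACKUP_DIR/mysql/$db.gz" \
    || printf 'warn: backup of database %s failed\n' "$db" >&2
done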

Bind Configuration

yum -y install bind-chroot
/usr/libexec/setup-named-chroot.sh /var/named/chroot on 
systemctl stop named 
systemctl disable named 
systemctl start named-chroot 
systemctl enable named-chroot 

mkdir -p /var/named/chroot/var/log/named/
touch  /var/named/chroot/var/log/named/bind.log
touch  /var/named/chroot/var/log/named/named.log
chown -R named:named /var/named/chroot/var/log/named/

firewall-cmd --add-port=53/ud
firewall-cmd --add-port=53/udp

ln -s /var/named/chroot/var/log/named/bind.log .
ln -s /var/named/chroot/var/log/named/named.log .

rndc-confgen -a -b 256 -c /var/named/chroot/etc/rndc.key

systemctl restart named-chroot
systemctl status named-chroot
/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf

yum install nload
nload emo1
tcpdump -vvv -s 0 -l -n port 53


yum list audit audit-libs
vi /etc/audit/auditd.conf
max_log_file = 30
max_log_file_action = ROTATE
systemctl restart auditd

log file=/var/log/audit/audit.log

auditctl -w /etc/ssh/sshd_config -p rwxa -k sshconfigchange

ausyscall 2
ausyscall --dump
ausearch -m LOGIN --start today -i
ausearch -a 27020
ausearch -f /etc/ssh/sshd_config -i
aureport -x --summary
aureport --failed
aureport -f -i
aureport -f -i --summary


yum install tripwire
tripwire --init
vi /etc/tripwire/twpol.txt
tripwire --check > /etc/tripwire/report.txt
twadmin --create-polfile /etc/tripwire/twpol.txt && tripwire --init
40 2 * * * /usr/sbin/tripwire --check | mail -s "Mechi Tripwire report for `uname -n`" [email protected]
 twadmin --print-cfgfile

nmap -v -sT localhost
nmap -v -sS localhost


Upgrade MariaDB 5.5 to MariaDB 10.2

mysqldump -u root -ppassword --all-databases > /root/all-database.sql

systemctl stop mysql

 cp -a /var/lib/mysql/ /var/lib/mysql.bak
 yum update
 vim /etc/yum.repos.d/MariaDB10.repo
[mariadb]
# MariaDB 10.2 CentOS repository list - created 2017-07-28 17:34 UTC
# http://downloads.mariadb.org/mariadb/repositories/
# NOTE: the official snippet also carries gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB and
# gpgcheck=1; without them packages fetched from this plain-http mirror are installed unverified.
name = MariaDB
baseurl = http://yum.mariadb.org/10.2/centos7-amd64

 yum remove mariadb-server mariadb mariadb-libs
  yum remove mysql-server mysql mysql-libs mysql-common mysql-devel
  yum clean all   
  yum -y install MariaDB-server MariaDB-client
  systemctl start mariadb
  systemctl enable mariadb
  mysql -V

Protect cpanel wordpress site

vi /usr/local/apache/conf/includes/post_virtualhost_2.conf
# Paste the following lines.
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"

AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/.wpadmin
require valid-user

[email protected] [~]# htpasswd -c /home/.wpadmin pressuser

[email protected] [~]# cat /home/.wpadmin # Verify correct username.

[email protected] [~]# chmod 755 /home/.wpadmin   # 755 lets every local user read the password hashes; the file only needs to be readable by the web server user (e.g. mode 640, group-owned by the web server's group)

[email protected] [~]# service httpd restart

Cpanel site details


The cPanel software comes with PHP, DNS, Web, Email, FTP, MySQL and other utility packages. In order to customize the behavior of almost any program or to troubleshoot any issue on linux system, we need to modify its configuration file.

Here I have collected a list of the configuration files and directories found on the Linux cPanel/WHM server.

I hope you will find this path reference useful 

Web server ( Apache ) :

Apache HTTP server configuration file :


Apache directory Structure :

• bin- apache binaries are stored here - httpd, apachectl, apxs
• conf - configuration files - httpd.conf - php.conf
• domlogs - domain access and stat log files are stored here for all domains
• htdocs - default apache DocumentRoot location
• include - header files
• libexec - shared object (.so) files eg. mod_rewrite.so
• logs - apache logs - access_log, error_log, suexec_log
• man - apache manual pages
• icons - icon/jpg/gif images
• modules - other shared object (.so)
• Init Script :/etc/rc.d/init.d/httpd or /usr/local/apache/bin/apachectl - apache start script
• Cpanel script to restart apache - /scripts/restartsrv_httpd
• /opt - Apache modules built here.

Mail Server and Webmail :

/etc/exim.conf - mail server configuration file

/etc/localdomains - exim related file. All the domains using the same server's MX, should be listed here to be able to send/receive emails.

/etc/valiases/domainname - catchall and forwarders are set here.
/etc/vfilters/domainname - email filters are set here.

/var/spool/exim/input - Mail queue.
/var/spool/exim/msglog - email message logs.

/var/cpanel/horde - version file, backups and logs stored here
/var/cpanel/roundcube - version file, backups and logs stored here
/var/cpanel/squirrelmail - version file stored here.

Courier :

• Program: /usr/lib/courier-imap/libexec/couriertcpd
• Init Script: /etc/init.d/courier : /scripts/restartsrv_courier
• Config: /usr/local/libexec/courier-imap

Dovecot :

• Program: /usr/sbin/dovecot
• Init Script: /etc/init.
• Config: /etc/dovecot.conf

DNS and Networking :

• Program: /usr/sbin/named
• Init Script: /etc/rc.d/init.d/named
• Config: /etc/named.conf
• Zone files:/var/named/

/etc/named.conf - ( name server (named) configuration file).
/etc/resolv.conf - (WHM -> Networking Setup–> Resolver Configuration).
/etc/ips - ip addresses on the server (WHM >> IP Functions–>Show IP Address Usage. Except the shared ip. ).
/etc/sysconfig/network - Networking Setup.
/etc/hosts - Contains hostname and other host entries.
/etc/nameserverips - (WHM -> Networking Setup–> Nameserver IPs, Resellers nameservers )
/etc/ipaddrpool - ip addresses which are free.
/etc/ips.dnsmaster - nameserver ips.
/etc/domainips - IP's set as dedicated for specific domains
/var/cpanel/cpanelsync - DNS Clustering files.

FTP Server :

/etc/proftpd.conf - proftpd server configuration file.
/etc/pure-ftpd.conf - pure-ftpd server configuration file.


/usr/local/lib/php.ini - PHP configuration file.

System PHP :

• Program :/usr/local/bin/php, /usr/bin/php, /usr/local/php4/bin/php
• php can be recomplied using /scripts/easyapache : /scripts/phpup using /var/cpanel/easy/apache/profile/

Internal PHP :
• Program : /usr/local/cpanel/3rdparty/bin/php : /var/cpanel/3rdparty/bin/php
• ini file: /usr/local/cpanel/3rdparty/etc/php.ini
• internal PHP can be recompiled using : /scripts/makecpphp using /var/cpanel/easy/apache/profile/makecpphp.profile.yaml
• /var/cpanel/3rdparty


/etc/my.cnf and /root/.my.cnf- mysql configuration file
/var/cpanel/databases - dbmapping files.

• Program : /usr/sbin/mysqld :/usr/bin/mysqld_safe
• Init Script : /etc/rc.d/init.d/mysql : service mysql start/stop : /scripts/restartsrv_mysql
• Data directory - /var/lib/mysql - Where all databases are stored.
• Socket file - /var/lib/mysql/mysql.sock, /tmp/mysql.sock.

PostgreSQL :

• Conf: /var/lib/pgsql/data/postgresql.conf & pg_hba.conf
• Data Directory: /var/lib/pgsql/data
• Log: /var/lib/pgsql/

Perl :

• Program :/usr/bin/perl or /usr/local/bin/perl (one should symlink to the other)
• Directory :/usr/lib/perl5/5.8.x/ or /usr/local/lib/perl5
• Version: perl -v
• Check: /scripts/checkperlmodules : /scripts/perlmods -s
• Installer: /scripts/perlinstaller : perl -MCPAN -e shell
• Build: /home/.cpan :/home/.cpcpan

Clamav :

/etc/clamav.conf - clamav (antivirus configuration file ).

Spamd :

• Directory: /etc/mail/spamassassin
• Program: /usr/bin/spamd & /usr/bin/spamc & /usr/bin/spamassassin
• Scripts: /scripts/installspam

EasyApache :

• /var/cpanel/easy/apache
• /var/cpanel/userdata
• /usr/local/apache/conf/
• /var/cpanel/templates/apache2
• /usr/local/cpanel/src/templates/apache2
• /home/cpeasyapache
• /opt
• /usr/local/cpanel/logs/easy/apache

ROR - Ruby on Rails:

• Directory: /home/username/rails_apps /home/username/.gem/ruby
• Scripts: /scripts/installruby

Tomcat :

• Directory: /usr/local/jakarta/tomcat
• Conf: /usr/local/jakarta/tomcat/conf/server.xml

Other cPanel system config :

/etc/userdomains - all primary, addons, parked,sub-domains along with their usernames are stored in this file.
/etc/cpbackup-userskip.conf - To skip files or certain accounts in backup.
/var/cpanel/resellers - Permissions for resellers.
/etc/chkserv.d - ( WHM >> Service Configuration >> Service Manager config file)
/etc/wwwacct.conf - Account creation defaults file in WHM (Basic cPanel/WHM Setup)
/etc/cpupdate.conf - cPanel Update Config (upcp)
/etc/cpbackup.conf - Backup Configuration.
/var/run/chkservd - (Main >> Server Status >> Service Status )
/var/log/dcpumon - Top log process. Daily Process logs.
/root/cpanel3-skel - Skeleton directory. (Eg: public_ftp, public_html)
/var/spool/cron - Cronjobs are stored here for all users.
/var/cpanel/users - cPanel user file that defines account settings.
/var/cpanel/users.cache - user cache files that are read by cPanel.
/var/cpanel/cpanel.config - cpanel configuration file ( Tweak Settings ).
/var/cpanel/counters - To get the counter of each users.
/var/cpanel/bandwidth - To get bandwith usage of domains.
/var/cpanel/userdata - Contains parked, addon, subdomains as well as virtualHost.
/var/cpanel/logs - transfer logs.
/var/cpanel/easy/apache - easyapache build files/profile.
/var/cpanel/userhomes - session home for cPanel, Horde, Roundcube, phpmyadmin.
/var/cpanel/serviceauth - chkservd service user/pass data.
/var/cpanel/updatelogs - The cPanel update (upcp ) daily logs.
/var/cpanel/packages - Default and custom packages created here.

All Cpanel Script files location


Rebuild Apache in cPanel
Type the following commands:
# cd /scripts
# ./updatenow
# ./easyapache
[from cpanel =Software - EasyApache]
cPanel sysadmin commands
/scripts/adduser <=====> Add a user to the system
/scripts/buildeximconf <=====> Rebuilds exim.conf
/scripts/chpass <=====> change cpanel passwords to particular account
/scripts/courierup <=====> used to update/reinstall courier
/scripts/cpbackup --force <=====> to backup accounts (if backups enabled on WHM)
/scripts/easyapache <=====> recompile apache
/scripts/editquota <=====> to manually set a users quota limit
/scripts/eximup <=====> to update exim to latest version - will overwrite any manual changes which was made on exim.conf file
/scripts/fixcommonproblems <=====> fixes mailbox permissions, mailman, cgi scripts, ndc and quotas
/scripts/fixmailman <=====> fixes common mailman issues
/scripts/fixndc <=====> fixes rndc errors with named
/scripts/fixquotas <=====> fixes quota problems
/scripts/fullhordereset <=====> resets horde database to a fresh one - all previous user data are lost
/scripts/ftpup <=====> used to update/install FTP server (pureftpd or proftpd) to latest version
/scripts/generatemaildirsize <=====> generates new maildirsize for any or all users
/scripts/initquotas <=====> initializes quotas
/scripts/installzendopt <=====> installs zend optimizer via phpextensionmgr
/scripts/killacct <=====> terminate an account - make sure you take a backup of the account first
/scripts/killdns <=====> removes a DNS Zone
/scripts/mailperm <=====> fixes permission problems with mail directories
/scripts/makecpphp <=====> rebuilds internal PHP from /var/cpanel/easy/apache/profile/makecpphp.profile.yaml
/scripts/mysqlup <=====> used to update mysql to latest version specified in /var/cpanel/cpanel.config
/scripts/pkgacct <=====> to create an account backup
/scripts/phpup <=====> to update PHP only
/scripts/phpextensionmgr <=====> Installs IonCube, Zend Optimizer, SuHosin & eAccelerator
/scripts/rebuildnamedconf <=====> rebuilds /etc/named.conf with zones from /var/named/*.db
/scripts/restartsrv_$servicename <=====> restart script for services
/scripts/restorepkg <=====> restores an account from a backup file (pkgacct file)(must be in /home)
/scripts/runlogsnow <=====> update logs of all users
/scripts/runweblogs <=====> update stats for a particular user
/scripts/securetmp <=====> secures /tmp partition with options nosuexec and nosuid
/scripts/suspendacct <=====> suspends an account
/scripts/unsuspendacct <=====> unsuspends a suspended account
/scripts/upcp --force <=====> updates cpanel to the latest version
/scripts/updatenow <=====> updates the cpanel scripts
/scripts/updateuserdomains <=====> updates /etc/userdomains entries from /var/cpanel/users
/scripts/wwwacct <=====> to create new accounts (wwwacct domain.com user password)

how wordpress site is hacked watch video

How to Prevent File Upload Vulnerabilities



Install wpscan and msf

yum install yum-utils -y
yum-builddep -y ruby
git clone git://github.com/rapid7/metasploit-framework.git   (the git:// protocol is unauthenticated and GitHub no longer serves it; clone over https:// instead)
cd metasploit-framework/

gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3

curl -L get.rvm.io | bash -s stable   (this pipes an unverified remote script straight into bash; download the installer first and verify its signature with the key imported above before running it)

curl -L get.rvm.io | bash -s stable
#your actual directory must be metasploit-framework
source /etc/profile.d/rvm.sh

logout and login 

rvm install ruby-2.1.9
rvm use 2.1.9 --default

gem install rails
bundle install

**wpscan installation

Ruby >= 1.9.2 - Recommended: 2.3.0
Curl >= 7.21 - Recommended: latest - FYI the 7.29 has a segfault
RubyGems - Recommended: latest
yum -y install gcc ruby-devel rubygem-bundler libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch git
mkdir -p /root/tools
cd /root/tools
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
gem install bundler && bundle install --without test