1) Basic Setup
a) change default root password to hard one #passwd root b) create user # adduser sabin # passwd sabin ip address yum update yum wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm yum install yum-utils traceroute bind-utils fail2ban net-tools nmap telnet links chrony epel-release-latest-7 -y yum install -y https://yum.oracle.com/repo/OracleLinux/OL7/latest/x86_64/getPackage/oracle-database-preinstall-19c-1.0-1.el7.x86_64.rpm systemctl enable chronyd systemctl disable postfix hwclock date timedatectl timedatectl set-timezone "Asia/Kathmandu" yum install chrony -y systemctl enable chronyd systemctl start chronyd timedatectl set-ntp 1 cat /etc/chrony.conf Time synchronization can also be forced with the below chronyc commands. chronyc -a 'burst 4/4' chronyc -a makestep chronyc tracking chronyc sources chronyc sourcestats timedatectl set-time 15:58:30 hwclock --systohc yum -y install ntpdate ntpdate ntp1.jst.mfeed.ad.jp systemctl enable ntpdate ulimit -n vi /etc/sysctl.conf fs.file-max = 65535 vi /etc/security/limits.conf root soft nproc 65535 root hard nproc 65535 root soft nofile 65535 root hard nofile 65535 vi /etc/pam.d/common-session session required pam_limits.so yum install rkhunter chkrootkit vi /etc/rkhunter.conf (MAIL-ON-WARNING=) rkhunter --update rkhunter --propupd rkhunter --check ===================================== wget --passive-ftp ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz tar xvfz chkrootkit.tar.gz cd chkrootkit-*/ make sense cd .. 
mv chkrootkit-/ /usr/local/chkrootkit ln -s /usr/local/chkrootkit/chkrootkit /usr/local/bin/chkrootkit chkrootkit 0 3 * * * /usr/sbin/chkrootkit 2>&1 | mail -s "chkrootkit output of my server" you@yourdomain.com) Lynis (formerly rkhunter) wget https://cisofy.com/files/lynis-2.4.8.tar.gz tar xvfz lynis-2.4.8.tar.gz mv lynis /usr/local/ ln -s /usr/local/lynis/lynis /usr/local/bin/lynis lynis update info lynis audit system lynis --quick 0 3 * * * /usr/local/bin/lynis --quick 2>&1 | mail -s "lynis output of my server" you@yourdomain.com) mkdir -p /usr/local/ispprotect chown -R root:root /usr/local/ispprotect chmod -R 750 /usr/local/ispprotect cd /usr/local/ispprotect wget http://www.ispprotect.com/download/ispp_scan.tar.gz tar xzf ispp_scan.tar.gz rm -f ispp_scan.tar.gz ln -s /usr/local/ispprotect/ispp_scan /usr/local/bin/ispp_scan ispp_scan nano /etc/cron.d/ispprotect 0 3 * * * root /usr/local/ispprotect/ispp_scan --update && /usr/local/ispprotect/ispp_scan --path=/var/www --email-results=root@localhost --non-interactive --scan-key=AAA-BBB-CCC-DDD c) setup root privileges
# /usr/sbin/visudo sabin ALL=(ALL) ALL check for /etc/passwd and change /sbin/bash to /bin/nologin (to other user except root and sabin user)
https://highon.coffee/blog/security-harden-centos-7/
Postfix config
2) su setting
a) Add sabin to the wheel group: # usermod -a -G wheel sabin ( # system-config-users # useradd -G wheel sabin # id sabin # useradd -G admins,ftp,www,developers sabin ) b) # vi /etc/pam.d/su — uncomment lines 3 and 5 c) # vi /etc/aliases root:sabin
3) Disable SELINUX
a) # getenforce b) # vi /etc/selinux/config set disabled # vi /etc/security/limits.conf * soft nofile 8192 * hard nofile 8192
4) SSH config
a)
# vi /etc/ssh/sshd_config
Change the listening port:
b) Port 2000
c) PermitRootLogin no
d) UseDNS no
Add the following at the end of the file:
f) Limit the ciphers to FIPS-approved algorithms.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
g) Disable host-based (rhosts) automatic login:
IgnoreRhosts yes
HostbasedAuthentication no
h)
AllowUsers sabin
AllowUsers sabin subash@192.168.1.1 sabin*@192.168.1.1 192.168.1.0/24 192.168.1.1
AllowGroups wheel staff
i)
# systemctl restart sshd
# firewall-cmd --permanent --zone=public --add-service=sshd
# firewall-cmd --permanent --zone=public --add-port=2000/tcp
# firewall-cmd --reload
------------
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.1.1.0/24" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="202.45.144.0/24" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="202.45.145.0/24" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="202.45.146.0/24" service name="ssh" accept'
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="202.45.147.0/24" service name="ssh" accept'
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --reload
-----------------
<rule family="ipv4">
<source address="10.1.1.0/24"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.1.1.0/24"/>
<port protocol="tcp" port="2000"/>
<accept/>
</rule>
<rule family="ipv4">
<source address="10.0.0.0/8"/>
<port protocol="tcp" port="2000"/>
<accept/>
</rule>
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s2-wstation-privileges-noroot.html https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users
5) HOSTNAME
a) # vi /etc/hostname or # hostnamectl set-hostname data.sabinshrestha.com.np or # nmcli general hostname data.sabinshrestha.com.np b) # vi /etc/hosts 192.168.0.1 data.sabinshrestha.com.np c) # hostname d) # systemctl restart systemd-hostnamed e) # vi /etc/sysconfig/network HOSTNAME=data.sabinshrestha.com.np f) # hostnamectl status or nmcli general hostname
6) Fedora EPEL
#yum install epel-release or # wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm # rpm -Uvh epel-release-7.noarch.rpm # yum update yum # yum update To list all available packages under a repo called epel, enter: # yum --disablerepo="*" --enablerepo="epel" list available OR # sudo yum --disablerepo="*" --enablerepo="epel" list available | grep 'package' OR #sudo yum --disablerepo="*" --enablerepo="epel" list available | less ------------------------------------------------------------- yum install dnstop (DNS Monitoring) dnstop eno1 dnstop eth0 1: display the TLD distribution (e.g. com, net, org, info) 2: display the domain names distribution (e.g. ewhathow.com) s: display the source IP address table d: display the destination IP address table t: display the breakdown of query types seen (e.g. A, AAAA, MX) r: display the breakdown of response codes seen (e.g. NXDOMAIN, REFUSED) o: display the breakdown of opcodes seen ^R: reset the counters ^X: exit the program space: redraw ?: help ------------------------------ wget http://www.cipherdyne.com/psad/download/psad-2.4.2-1.x86_64.rpm yum install psad-2.4.2-1.x86_64.rpm vi /etc/psad/psad.conf EMAIL_ADDRESSES - change this to your email address. HOSTNAME - this is set during install - but double check and change to a FQDN if needed. ENABLE_AUTO_IDS - set this to Y if you could like PSAD to take action - read configuration instructions before setting this to Y. ENABLE_AUTO_IDS_EMAILS - set this to Y if you would like to receive email notifications of intrusions that are detected. iptables -A INPUT -j LOG iptables -A FORWARD -j LOG ip6tables -A INPUT -j LOG ip6tables -A FORWARD -j LOG psad -R psad --sig-update psad -H psad --Status
7) Mysql
a) # yum -y install mariadb-server mariadb b) # systemctl start mariadb.service # systemctl enable mariadb.service # mysql_secure_installation c) #vi /etc/my.cnf #vi /etc/my.cnf.d/server.cnf Create the database and user: create database sabin; CREATE USER 'sabin'@'localhost' IDENTIFIED BY 'sabin123'; GRANT ALL PRIVILEGES ON sabin.* TO 'sabin'@'localhost'; FLUSH PRIVILEGES; vi /usr/lib/systemd/system/mariadb.service
ProtectHome=false
systemctl daemon-reload
systemctl start mariadb.service
Apache
# yum -y install httpd # systemctl start httpd.service # systemctl enable httpd.service # firewall-cmd --permanent --zone=public --add-service=http #firewall-cmd --permanent --zone=public --add-service=https # firewall-cmd --reload # yum -y install php-mysql # yum info php-module-name # yum -y install php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel # systemctl restart httpd.service # yum install phpMyAdmin # vi /etc/httpd/conf.d/phpMyAdmin.conf comment all first <directory> to </directory> and replace with below <Directory /usr/share/phpMyAdmin/> Options none AllowOverride Limit Require all granted </Directory> # vi /etc/phpMyAdmin/config.inc.php $cfg['Servers'][$i]['auth_type'] = 'http'; if error: (CANNOT LOG IN TO THE MYSQL SERVER) change localhost to 127.0.0.1 $cfg['Servers'][$i]['host'] = '127.0.0.1'; Tune apache # apachectl -t -D DUMP_MODULES |grep deflate ensure module is loaded in # vi /etc/httpd/conf.modules.d/00-base.conf LoadModule deflate_module modules/mod_deflate.so create file # vi /etc/httpd/conf.d/mod_deflate.conf <filesMatch "\.(js|html|css)$"> SetOutputFilter DEFLATE </filesMatch> or <IfModule mod_deflate.c> SetOutputFilter DEFLATE SetEnvIfNoCase Request_URI \.(?:gif|jpg|png|ico|zip|gz|mp4|flv)$ no-gzip </IfModule> Donot zip php and image they are are already compressed DeflateCompressionLevel=1 (if server performance is low 1-9) DeflateMemLevel= DeflateWindowSize= ------------------------------------ # yum -y install webalizer awstats perl-DateTime-Format-HTTP perl-DateTime-Format-Builder # systemctl restart httpd.service
Secure Apache
Disable timthumb in sites # grep -nr timthumb.php * ( in public_html) in wordpress with timthumb # vi wp-config.php define (‘WEBSHOT_ENABLED’, false); ** http://geekflare.com/apache-web-server-hardening-security/ hash (#) all the line in # vi /etc/httpd/conf.d/welcome.conf Add below line to disable Server Signature ServerSignature Off ServerTokens Prod Server: Apache User apache Group apache in mod security conf file SecServerSignature sabin.com.np Turn off directory browsing Options -Indexes Turn off server side includes Options -Includes Turn off CGI execution Options -ExecCGI Don't allow apache to follow symbolic links Options -FollowSymLinks Turning off multiple Options Options None Options -ExecCGI -Indexes -Includes Disable any unnecessary modules grep LoadModule httpd.conf #LoadModule dav_module modules/mod_dav.so #LoadModule dav_fs_module modules/mod_dav_fs.so #Include conf/extra/httpd-dav.conf #LoadModule info_module modules/mod_info.so Lower the Timeout value Timeout 40 Limiting large requests LimitRequestBody 1048576 (1mb) Limiting the size of an XML Body LimitXMLRequestBody 10485760 (1mb) Limiting Concurrency MaxClients, MaxSpareServers, MaxRequestsPerChild ThreadsPerChild, ServerLimit MaxSpareThreads Adjusting KeepAlive settings MaxKeepAliveRequests 100 KeepAliveTimeout 15 It allows remote attackers to obtain sensitive information like inode number, multipart MIME boundary and child process through Etag header. FileETag None <Directory /> Options -Indexes AllowOverride None </Directory> Default apache configuration support OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT method in HTTP 1.1 protocol. 
only allow get and post Add Inside Directory Options FollowSymLinks <LimitExcept GET POST HEAD> deny from all </LimitExcept> if not required remove ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" <Directory "/var/www/cgi-bin"> AllowOverride None Options None Require all granted </Directory> Disable Trace HTTP Request TraceEnable off Set cookie with HttpOnly and Secure flag (if your site donot use cookie and will also block phpmyadmin) Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure Clickjacking Attack Header always append X-Frame-Options SAMEORIGIN Disable Server Side Include in all <directory> and upload folders Options -Indexes -ExecCGI -Includes Disable HTTP 1.0 Protocol in .htaccess file add below line RewriteEngine On RewriteCond %{THE_REQUEST} !HTTP/1.1$ RewriteRule .* - [F] X-XSS Protection Header set X-XSS-Protection "1; mode=block" Disable File Information Header unset Pragma Header unset Last-Modified Header unset Cache-Control Header unset ETag Header set Expires "Fri, 21 Dec 2012 00:00:00 GMT" Header set Cache-Control "public, no-transform" Access Logging To capture time taken to serve the request and SESSION ID in access log Add %T & %sessionID in httpd.conf under LogFormat directive LogFormat "%h %l %u %t "%{sessionID}C" "%r" %>s %b %T" common edit error message # vi /usr/share/httpd/error/include/bottom.html and delete 2 line inside <address> </address>
Install Latest Pear
yum -y remove php-pear wget http://pear.php.net/go-pear.phar /usr/local/bin/php -q php-phar pear -V PEAR::isError replace (new PEAR)->isError or install remi php56
rpm -e php-tcpdf-6.2.13-1.el7.noarch phpMyAdmin-4.4.15.10-2.el7.noarch php-imap-5.4.16-7.el7.x86_64 php-pear-Net-IDNA2-0.1.1-10.el7.noarch php-snmp-5.4.16-45.el7.x86_64 php-pecl-apcu-4.0.11-1.el7.x86_64 php-common-5.4.16-45.el7.x86_64 php-pdo-5.4.16-45.el7.x86_64 php-cli-5.4.16-45.el7.x86_64 php-pear-1.9.4-21.el7.noarch php-tidy-5.4.16-7.el7.x86_64 php-fedora-autoloader-1.0.0-1.el7.noarch php-tcpdf-dejavu-sans-fonts-6.2.13-1.el7.noarch php-mcrypt-5.4.16-7.el7.x86_64 php-pgsql-5.4.16-45.el7.x86_64 php-odbc-5.4.16-45.el7.x86_64 php-process-5.4.16-45.el7.x86_64 php-ldap-5.4.16-45.el7.x86_64 php-gd-5.4.16-45.el7.x86_64 php-fpm-5.4.16-45.el7.x86_64 php-xmlrpc-5.4.16-45.el7.x86_64 php-bcmath-5.4.16-45.el7.x86_64 php-php-gettext-1.0.12-1.el7.noarch php-intl-5.4.16-45.el7.x86_64 php-mysql-5.4.16-45.el7.x86_64 php-xml-5.4.16-45.el7.x86_64 php-soap-5.4.16-45.el7.x86_64 php-mbstring-5.4.16-45.el7.x86_64
yum install php-tcpdf phpMyAdmin php-imap php-pear-Net-IDNA2 php-snmp php-pecl-apcu php-common php-pdo php-cli php-pear php-tidy php-fedora-autoloader php-tcpdf-dejavu-sans-fonts php-mcrypt php-pgsql php-odbc php-process php-ldap php-gd php-fpm php-xmlrpc php-bcmath php-php-gettext php-intl php-mysql php-xml php-soap php-mbstring
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm yum install yum-utils yum-config-manager --enable remi-php56 yum update yum install php56 yum --enablerepo=remi-php56 update php yum --enablerepo=remi-php56 install php-mbstring php-mcrypt php-pdo php-mysql php-gd php-xml https://blog.remirepo.net/post/2016/10/15/PHP-version-5.6.27-and-7.0.12 pear install Mail pear install Mail_Mime-1.10.2 pear install Net_SMTP pear install Net_IDNA2-0.2.0 pear install Crypt_GPG (for roundcube pgp keys) pear install MDB2-2.5.0b5 pear install MDB2_Driver_mysql-1.5.0b4 pear install MDB2_Driver_mysqli-1.5.0b4 vi /usr/share/pear/Net/SMTP.php //$this->socket_options = $socket_options; $this->socket_options = array('verify_peer_name' => false,'allow_self_signed' => true)); $this->socket_options = array('ssl' => array('verify_peer' => false,'verify_peer_name' => false,'allow_self_signed' => true)); // PHP >= 7.3 if(is_countable($searchdata)) { // Do something } // PHP >= 7.1 if(is_iterable($searchdata)) { // Do something } mdb2 826 line if(is_countable($dsn)) { if (!count($dsn)) { return $parsed; } }
PHP Error viewing php error report
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
Roundcube install and configure
yum install git cd /var/www git clone https://github.com/roundcube/roundcubemail.git cd roundcubemail/bin php install-jsdeps.sh cd .. cd skins git clone https://github.com/roundcube/elastic.git yum install nodejs-less cd elastic php bin/install-jsdeps.sh php bin/updatecss.sh --dir skins/elastic lessc -x styles/styles.less > styles/styles.css lessc -x styles/print.less > styles/print.css lessc -x styles/embed.less > styles/embed.css cd .. cd config cp config.inc.php.sample config.inc.php vi config.inc.php //Enable Install http://mail.abc.com/mail/installer/ chmod -R 755 installer SQL $config['enable_installer'] = true; //DEBUG $config['log_driver'] = 'syslog'; //Log Level Details $config['debug_level'] = 4; // Log SQL queries $config['sql_debug'] = true; // Log IMAP conversation $config['imap_debug'] = true; // skin name: folder from skins $config['skin'] = 'elastic'; ------------------------------------------- RoundCube enigma Plugins configuration cd roundcubemail1/plugins/enigma chown -R apache:apache home chmod -R 777 home cp config.inc.php.dist config.inc.php vi config.inc.php comment $config['enigma_pgp_homedir'] yum install php56-php-openssl yum install gnupgp pear install Crypt_GPG (if issue debug=ture /var/log/maillog)
Vsftpd
# yum -y install vsftpd # vi /etc/vsftpd/vsftpd.conf anonymous_enable=NO local_enable=YES write_enable=YES chroot_local_user=YES allow_writeable_chroot=YES # line 109: uncomment ls_recurse_enable=YES # line 114: change ( if use IPv4 ) listen=YES # line 123: change ( turn to OFF if it's not need ) listen_ipv6=NO # add follows to the end # specify root directory ( if don't specify, users' home directory become FTP home directory) local_root=public_html # use localtime use_localtime=YES pasv_enable=Yes pasv_min_port=40000 pasv_max_port=40100 # systemctl restart vsftpd # systemctl enable vsftpd # firewall-cmd --permanent --add-port=40000-40100/tcp # firewall-cmd --permanent --add-port=21/tcp # firewall-cmd --reload SE-linux # setsebool -P ftp_home_dir 1 Use SSL/TLS # mkdir /etc/ssl/private # openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem #vi /etc/vsftpd/vsftpd.conf rsa_cert_file=/etc/ssl/private/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.pem ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH
Apache add domain
# adduser webserver # mkdir -p /home/webserver/public_html # chown -R sabin:sabin /home/webserver/public_html # chmod -R 755 /home/webserver # mkdir /etc/httpd/sites-available # mkdir /etc/httpd/sites-enabled # vi /etc/httpd/conf/httpd.conf at the end add below line IncludeOptional sites-enabled/*.conf # vi /etc/httpd/sites-available/webserver.conf <VirtualHost *:80> ServerName webserver.com ServerAlias www.webserver.com DocumentRoot /home/webserver/public_html ErrorLog /home/webserver/error.log CustomLog /home/webserver/requests.log combined </VirtualHost> # ln -s /etc/httpd/sites-available/webserver.conf /etc/httpd/sites-enabled/webserver.conf # systemctl restart httpd.servicechown -R webserver:apache /var/www/html/ usermod -a -G apache webserver usermod -g apache webserver groups id find /var/www/html -type f -exec chmod 664 {} \; find /var/www/html -type d -exec chmod 775 {} \; chgrp -R apache /var/www/html/site/storage /var/www/html/new_election.gov.np/bootstrap/cache chmod -R ug+rwx /var/www/html/site/storage /var/www/html/new_election.gov.np/bootstrap/cache chmod 444 /var/www/html/site/public/index.php chmod 444 /var/www/html/site/public/web.config laravel https vi ./app/Providers/AppServiceProvider.php (inside boot method) if($this->app->environment('production')) { \URL::forceScheme('https'); }<VirtualHost *:80> ServerName www.sabin.gov.np ServerAlias sabin.gov.np DocumentRoot /home/webserver/public_html ErrorLog /var/log/httpd/logs/error_log CustomLog /var/log/httpd/logs/access_log combined <Directory /home/webserver/public_html > AddDefaultCharset UTF-8 Options FollowSymLinks AllowOverride All Require all granted </Directory> </VirtualHost> <VirtualHost _default_:443> ServerName sabin.gov.np ServerAlias www.sabin.gov.np DocumentRoot /home/webserver/public_html ErrorLog /home/webserver/logs/error_log CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" <Directory /home/webserver/public_html/ > Options FollowSymLinks 
AllowOverride All Require all granted RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] </Directory> LogLevel warn SSLEngine on SSLProtocol all -TLSv1.1 -TLSv1 -SSLv2 -SSLv3 SSLCipherSuite ALL:+HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL SSLHonorCipherOrder on SSLCertificateFile /etc/ssl/httpd/crt/sabin/abc.crt SSLCertificateKeyFile /etc/ssl/httpd/crt/sabin/abc.gov.np.key SSLCertificateChainFile /etc/ssl/httpd/crt/sabin/gd_bundle-g2-g1.crt <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F] </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 </VirtualHost>
Webmin
# vi /etc/yum.repos.d/webmin.repo [Webmin] name=Webmin Distribution Neutral #baseurl=http://download.webmin.com/download/yum mirrorlist=http://download.webmin.com/download/yum/mirrorlist enabled=1 # rpm --import http://www.webmin.com/jcameron-key.asc # yum check-update # yum install webmin -y # firewall-cmd --permanent --add-port=10000/tcp # systemctl restart webmin.service # systemctl enable webmin.service # yum -y install openssl openssl-devel perl perl-Net-SSLeay perl-Crypt-SSLeay
Fail2Ban
# yum install fail2ban -y # cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local # vi /etc/fail2ban/jail.local ignoreip = (add your home ip) # systemctl restart fail2ban.service # systemctl enable fail2ban.service Don't forget to set enabled = true in /etc/fail2ban/jail.local
[sshd]
enabled = true fail2ban-client status fail2ban-client status sshd vi filter.d/weblogin.conf [Definition] failregex = ^
[weblogin]
enabled = true filter = weblogin action = iptables-multiport[name=NoAuthFailures, port="http,https"] logpath = %(apache_access_log)s banTime = 360000 findtime = 60 maxRetry = 6 The main reason a service is masked is to prevent accidental starting or enabling of a service. For example firewalld can be masked with the following command #systemctl mask firewalld If you later want to start the firewalld service, you may get the error message Failed to issue method call: Unit firewalld.service is masked. To resolve this, unmask the firewall with the following command #systemctl unmask firewalld
VARNISH 3
rpm -Uvh http://repo.varnish-cache.org/redhat/varnish-3.0/el5/noarch/varnish-release/varnish-release-3.0-1.noarch.rpm yum install varnish vi /etc/sysconfig/varnish Now remove all # in Alternative 2 config and # to disable others DAEMON_OPTS="-a :80 \ -T localhost:6082 \ -f /etc/varnish/default.vcl \ -S /etc/varnish/secret \ -s malloc,256m" vi /etc/varnish/default.vcl change the port to 8080. backend default { .host = "127.0.0.1"; .port = "8080"; } vi /etc/httpd/conf/httpd.conf search Listen 80 and change it to 127.0.0.1:8080 Listen 127.0.0.1:8080 NameVirtualHost 127.0.0.1:8080 also in Virtual Host systemctl restart httpd.service systemctl restart varnish.service systemctl enable varnish.service service httpd restart service varnish restart You can use Firebug to test response header or simply use Centralops domain scanner service and check mark the “service scan” Check performance varnishstat Firewall firewall-cmd yum -y install firewalld firewall-config systemctl start firewalld.service systemctl enable firewalld.service systemctl status firewalld ------ stop and disable systemctl stop firewalld.service systemctl disable firewalld.service --------- #ls /usr/lib/firewalld/services/ #vi /etc/firewalld/zones/public.xml # firewall-cmd --state # firewall-cmd --list-all # firewall-cmd --list-interfaces # firewall-cmd --get-service # firewall-cmd --query-service service_name # firewall-cmd --add-port=8080/tcp # firewall-cmd --get-active-zones # firewall-cmd --get-service --permanent # firewall-cmd --permanent --zone=public --list-sources * Add whitelist IP #firewall-cmd --permanent --zone=public --add-source=192.168.100.0/24 #firewall-cmd --permanent --zone=public --add-source=192.168.222.123/32 * Add whitelist Port range #firewall-cmd --permanent --zone=public --add-port=1-22/tcp #firewall-cmd --permanent --zone=public --add-port=1-22/udp * Add Services #firewall-cmd --permanent --zone=public --add-service=ssh #firewall-cmd --zone=public --list-ports #firewall-cmd 
--permanent --zone=public --list-ports #firewall-cmd --permanent --zone=public --remove-port=8080-8081/tcp * Add ip and port to allow #firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" \ source address="192.168.0.4/24" \ port protocol="tcp" port="8080" accept" ===================== * Add fixed or range ip to allow ssh firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="110.34.21.19" service name="ssh" log prefix="ssh" level="info" accept' firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="70.32.68.10" service name="ssh" log prefix="ssh" level="info" accept' firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="ssh" level="info" accept' firewall-cmd --permanent --zone=public --remove-service=ssh firewall-cmd --reload firewall-cmd --zone=public --list-all =========== Rich rules allow you to create more complex configurations. The following command allows you to open HTTP access to a specific IP address. firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" \ source address="192.168.0.4/24" service name="ssh" accept" The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option. # firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" \ source address="192.168.0.4/24" service name="ssh" accept" -------------------------------------------- vi /etc/firewalld/zones/public.xml <?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. 
Only selected incoming connections are accepted.</description> <service name="dhcpv6-client"/> <service name="ssh"/> <rule family="ipv4"> <source address="192.168.0.4/24"/> <service name="http"/> <accept/> </rule> </zone> ---------------------------------------------- <?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="http"/> <service name="https"/> <port protocol="tcp" port="21"/> <rule family="ipv4"> <source address="70.32.68.10"/> <service name="ssh"/> <log prefix="ssh" level="info"/> <accept/> </rule> <rule family="ipv4"> <source address="110.34.21.19"/> <service name="ssh"/> <log prefix="ssh" level="info"/> <accept/> </rule> </zone> =============== * Remove Service firewall-cmd --list-all-zones firewall-cmd --permanent --zone=public --remove-service=ssh firewall-cmd --reload firewall-cmd --list-all-zones
==========
Upgrade MySQL to 5.6, replacing MariaDB
1) download mysql-community-release-el7-5.noarch.rpm from http://dev.mysql.com/downloads/repo/yum/ 2) yum install mysql-community-release-el7-5.noarch.rpm 3) yum repolist enabled | grep "mysql.*-community.*" 4) yum install mysql-community-server 5) systemctl status mysqld 6) systemctl enable mysqld.service ln -s '/usr/lib/systemd/system/mysqls.service' '/etc/systemd/system/mysql.service' ln -s '/usr/lib/systemd/system/mysqls.service' '/etc/systemd/system/multi-user.target.wants/mysqld.service' cd /etc mv my.cnf my1.cnf mv my.cnf.rpmnew my.cnf 7) systemctl restart mysqld 8) mysql -u root -p SET PASSWORD FOR 'root'@'localhost' = PASSWORD('newpwd'); CREATE USER 'sabin'@'localhost' IDENTIFIED BY '***'; GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, FILE, INDEX, ALTER, CREATE TEMPORARY TABLES, CREATE VIEW, EVENT, TRIGGER, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, EXECUTE ON *.* TO 'sabin'@'localhost' IDENTIFIED BY '***' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0; CREATE DATABASE IF NOT EXISTS `sabin`; GRANT ALL PRIVILEGES ON `sabin`.* TO 'sabin'@'localhost'; GRANT ALL PRIVILEGES ON `sabin\_%`.* TO 'sabin'@'localhost'; Change Default MySQL Data Directory: 1) systemctl stop mysqld 2)Change Data Directory cp -rap /var/lib/mysql /home/mysql chown mysql.mysql /home/mysql 3)vi /etc/my.cnf Change From: datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock Change To: datadir=/home/mysql socket=/home/mysql/mysql.sock End of file below line
[mysql]
socket=/home/mysql/mysql.sock in command prompt ln -s /home/mysql/mysql.sock /var/lib/mysql/mysql.sock chown -h mysql:mysql /var/lib/mysql/mysql.sock
Install GitLab
sudo yum install curl openssh-server sudo systemctl enable sshd sudo systemctl start sshd sudo yum install postfix sudo systemctl enable postfix sudo systemctl start postfix sudo firewall-cmd --permanent --add-service=81/tcp sudo systemctl reload firewall curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh | sudo bash sudo yum install gitlab-ce
vi /etc/gitlab/gitlab.rb
external_url 'http://dev.sabinshrestha.com.np:81'
sudo gitlab-ctl reconfigure
Username: root Password: 5iveL!fe
Sample project
http://doc.gitlab.com/ce/ci/languages/php.html#example-project
https://gitlab.com/gitlab-examples/php
*Autodeploy your Gitlab projects
https://johnflynn.me/autodeploy-your-gitlab-projects/
=======================================
*Configure Runner
https://gitlab.com/gitlab-org/gitlab-ci-multi-runner
To Install docker
curl -sSL https://get.docker.com/ | sh
curl -L https://packages.gitlab.com/install/repositories/runner/gitlab-ci-multi-runner/script.rpm.sh | sudo bash
yum install gitlab-ci-multi-runner
gitlab-ci-multi-runner register
Please enter the gitlab-ci coordinator URL (e.g. https://gitlab.com/ci )
http://dev.sabinshrestha.com.np:81/ci
Please enter the gitlab-ci token for this runner
xxxxxxxx
Please enter the gitlab-ci description for this runner
my-runner
INFO[0034] fcf5c619 Registering runner... succeeded
Please enter the executor: shell, docker, docker-ssh, ssh?
shell
INFO[0037] Runner registered successfully. Feel free to start it, but if it's
running already the config should be automatically reloaded
--------------------------
concurrent = 4
[[runners]]
url = "http://dev.sabinshrestha.com:81/ci"
token = "9f6e7722431649fbbd5cb25f004117"
tls-skip-verify = false
tls-ca-file = ""
name = "PHP Runner"
executor = "shell"
[runners.ssh]
[runners.docker]
image = "" privileged = false
[runners.parallels]
base_name = "" [[runners]] url = "http://dev.sabinshrestha.com:81/ci" token = "4c89893a7bfff215517872d330af18" tls-skip-verify = false tls-ca-file = "" name = "Deploay" executor = "ssh"
[runners.ssh]
user = "web" password = "nepal" host = "dev.sabinshreshta.com" port = "2015"
========================================
* Composer (debug PHP on GitLab)
curl -sS https://getcomposer.org/installer | php
mv composer.phar /usr/local/bin/composer
* Install PHPUNIT 5.1
composer global require "phpunit/phpunit=5.1"
cp /root/.composer/vendor/bin/phpunit /usr/local/bin
$composer install
Composer could not find a composer.json file in /root/.composer/vendor/bin
To initialize a project, please create a composer.json file as described in the https://getcomposer.org/ "Getting Started" section
For PHP code
.gitlab-ci.yml
before_script: - composer install stages: - test test: script: - php index.php
- bash makelive.sh
——————————-
makelive.sh
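# makelive.sh — deploy step invoked from .gitlab-ci.yml: clone the project on
# the first run, otherwise update the existing checkout with `git pull`.
# Abort on the first failing command so a failed cd/clone is not silently
# followed by further commands in the wrong directory.
set -euo pipefail

DIRECTORY="/home/webserver/public_html"
DIRECTORY1="/home/webserver/public_html/myproject"
# NOTE(review): plain-http clone URL — git cannot authenticate the remote over
# http; prefer https or ssh if the GitLab host offers it.
REPO="http://dev.rigorousweb.com:81/rigorousweb/myproject.git"

if [[ ! -d "$DIRECTORY1" ]]; then
  # First deploy: the clone must happen inside the parent directory, so a
  # failed cd aborts instead of cloning into the caller's cwd.
  cd -- "$DIRECTORY" || exit 1
  git clone -- "$REPO"
else
  cd -- "$DIRECTORY1" || exit 1
  git pull
fi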
——————-
composer.json
{
"require-dev": {
"phpunit/phpunit": "5.1"
}
}
<!-- /phpunit.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<phpunit backupGlobals="false"
backupStaticAttributes="false"
colors="true"
convertErrorsToExceptions="true"
convertNoticesToExceptions="true"
convertWarningsToExceptions="true"
processIsolation="false"
stopOnFailure="false"
syntaxCheck="false"
>
<testsuites>
<testsuite name="Test Suite">
<directory suffix=".php">./wp-content/themes/sabintheme/</directory>
</testsuite>
</testsuites>
</phpunit>
NOTE URL Reference
https://codereviewvideos.com/course/your-own-private-github/video/php-continuous-integration-with-gitlab-ci
XWindows Minimal
1. Install CentOS-7 - Minimal (First entry point in list) 2. yum groupinstall "X Window System" 3. yum install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts 4. unlink /etc/systemd/system/default.target 5. ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target 6. reboot
Secure X Windows
Add id:3:initdefault: to /etc/inittab.
yum groupremove "X Window System"
Apf Firewall
cd /usr/src wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf*
./install.sh
chkconfig --add apf
chkconfig --level 345 apf on
Configuration
cd /etc/apf 1. DEVEL_MODE="1" 2. IFACE_IN & IFACE_OUT (on CentOS 7 run ifconfig, check the interface name and change accordingly, e.g. IFACE_IN="eno16777984") IFACE_IN="eth0" IFACE_OUT="eth0" 3. IG_TCP_CPORTS IG_TCP_CPORTS="21,22,25,53,80,110,143,443,465,993,995,3306,30000_35000" 4. IG_UDP_CPORTS IG_UDP_CPORTS="21,53,465,873" IG_ICMP_TYPES="3,5,11,30" - inbound ICMP types. I've removed types 0 and 8 so the server won't answer any pings, which partially hides it on the network. Leave them in place if you or your datacenter rely on ping packets (e.g. network monitoring). EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703" - outbound TCP ports to open. By blocking certain outbound services like SSH we gain the possibility of stopping attackers who break into our system and then want to connect to other servers. EG_UDP_CPORTS="20,21,53,873,953,6277" - outbound UDP port numbers 5. EGF It is recommended that you enable outbound (egress) filtering, as it provides a very robust level of protection and is common practice for filtering outbound traffic. EGF="1" 6. SET_MONOKERN This option tells the system that instead of looking for iptables modules, it should expect them to be compiled directly into the kernel. If APF produces an error like "unable to load iptables module" you need to enable this. SET_MONOKERN="0" TCP_STOP="DROP" - defines the reaction to TCP connections that violate the rules UDP_STOP="DROP" - defines the reaction to UDP connections that violate the rules ALL_STOP="DROP" - defines the reaction to any other connections We can send a TCP/IP reset (RESET), drop the packet without answering (DROP), reject it (REJECT) or send an icmp-host-prohibited answer (PROHIBIT) in the case of UDP. BLK_PRVNET="1" - blocks all private IPv4 addresses. If your machine is behind NAT then set this to 0 After configuring APF properly, you need to restart it using the command /etc/init.d/apf restart or apf -r 1. 
Deny an IP address apf -d IPADDRESS This will add the IP address to the file /etc/apf/deny_hosts.rules. 2. Allow (Trust) an IP address apf -a IPaddress This will add the IP address to the file /etc/apf/allow_hosts.rules 3. Remove an IP address apf -u IPaddress This will remove entries that match from allow_hosts.rules, deny_hosts.rules and the global extensions of these files. -l - list statistics -st - status of APF -f - stop APF -s - start APF
=================================================
Install & Configure AWStats
1) yum install awstats -y 2) change the permission vi /etc/httpd/conf.d/awstats.conf <Directory "/usr/share/awstats/wwwroot"> Options None AllowOverride Limit Require all granted </Directory> 3) cd /etc/awstats cp awstats.sabinshrestha.com.np.conf awstats.test.sabinshrestha.com.np.conf change vi awstats.ap.sabinshrestha.com.np.conf LogFile="/home/sabinshrestha/logs/ap-requests.log" 4) /usr/share/awstats/tools/awstats_updateall.pl now -confdir="/etc" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" 5) http://www.sabinshrestha.com.np/awstats/awstats.pl?config=www.sabinshrestha.com.np 6) cd /usr/share/awstats/wwwroot/ cd /usr/share/ find ./awstats -type d -exec chmod 701 '{}' \; find ./awstats -not -type d -exec chmod 404 '{}' \; chmod 400 /etc/awstats/*.conf 7) secure it htpasswd -c /etc/awstats/htpasswd.users sabin cd /usr/share/awstats/wwwroot/ vi .htaccess AuthName "STOP - Do not continue unless you are authorized to view this site! - Server Access" AuthType Basic AuthUserFile /etc/awstats/htpasswd.users Require valid-user to change password htpasswd -c /etc/awstats/htpasswd.users sabin chmod 404 .htaccess
================================= ======================================================
Log Watch
1)yum install -y logwatch 2) vi /usr/share/logwatch/default.conf/logwatch.conf MailTo = root MailTo = sabinshresth@gmail.com MailFrom = Logwatch Range = yesterday //Today Detail = Med Service = All (ls -l /usr/share/logwatch/scripts/services) or individual service Service = sendmail Service = http Service = identd Service = sshd2 Service = sudo DailyRepoty = No vi /usr/share/logwatch/scripts/services/http.conf $HTTP_IGNORE_ERROR_HACKS = 1 logwatch Detail = Med logwatch --service all logwatch --detail Low --mailto email@address --service http --range today define location of log file vi /etc/logwatch/conf/logfiles/http.conf Logfile = /var/log/httpd/downloads.foo.com-access_log Logfile = /var/log/httpd/bb.foo.com-access_log ======================================================= https://blog.serverdensity.com/80-linux-monitoring-tools-know/ yum install nmon yum install apachetop
Top 10 System Monitoring Tools
1. Top (overview of all the processes or threads running in the system) 2. htop (overview of all the processes or threads running in the system) 3. atop (Atop monitors all processes much like top and htop, unlike top and htop however it has daily logging of the processes for long-term analysis. It also shows resource consumption by all processes) 4. apachetop Apachetop monitors the overall performance of your apache webserver. It’s largely based on mytop. It displays current number of reads, writes and the overall number of requests processed. 5. ftptop ftptop gives you basic information of all the current ftp connections to your server such as the total amount of sessions, how many are uploading and downloading and who the client is. 6. mytop mytop is a neat tool for monitoring threads and performance of mysql. It gives you a live look into the database and what queries it’s processing in real time. 7. powertop powertop helps you diagnose issues that has to do with power consumption and power management. 8. iotop iotop checks the I/O usage information and gives you a top-like interface to that ==========================================================
Bash Auto Backup Script
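#!/bin/bash
# Nightly site + MySQL backup.
#   1. dump every database except information_schema and names starting with "_"
#      into a dated staging directory,
#   2. archive the site tree into that directory,
#   3. pack the staging directory into one dated archive and remove the staging copy.
# Intended to run from cron as root; exits non-zero if any step reported an error
# so the failure is visible in the cron mail.
set -euo pipefail

USER="root"
PASSWORD="aaaa"   # NOTE(review): hard-coded DB credential; move it into a root-only options file
# One timestamp for the whole run so every artefact shares the same name even if
# the job crosses midnight (the original called date separately for each path).
STAMP="$(date +%Y%m%d)"
OUTPUT="/home/sitebackup/${STAMP}-backup"
OUTPUT1="${OUTPUT}/mysql"
FINAL="/home/sabin/sitebackup/${STAMP}-site.tar.gz"

# Hand the credentials to mysql/mysqldump through an options file (mktemp creates
# it 0600) instead of --password=..., which every local user can read from the
# process list while the dump runs.
MYCNF="$(mktemp)" || exit 1
cleanup() { rm -f -- "$MYCNF"; }
trap cleanup EXIT
printf '[client]\nuser=%s\npassword=%s\n' "$USER" "$PASSWORD" > "$MYCNF"

#######################################
# Decide whether a database should be dumped.
# Arguments: $1 - database name
# Returns:   0 to dump it; 1 for information_schema and names starting with "_"
#######################################
should_dump() {
  local db=$1
  [[ "$db" != "information_schema" && "$db" != _* ]]
}

mkdir -p -- "$OUTPUT1"
rc=0

# --skip-column-names drops the "Database" header line, so no tr/grep post-processing is needed.
db_list="$(mysql --defaults-extra-file="$MYCNF" --skip-column-names -e "SHOW DATABASES;")" \
  || { echo "mysql: could not list databases, aborting backup" >&2; exit 1; }

while IFS= read -r db; do
  [[ -n "$db" ]] || continue
  should_dump "$db" || continue
  echo "Dumping database: $db"
  # A failed dump is reported and remembered, but the remaining databases and the
  # site archive are still taken (same best-effort intent as the original --force).
  if ! mysqldump --defaults-extra-file="$MYCNF" --force --opt --databases "$db" \
       | gzip > "$OUTPUT1/${STAMP}.${db}.sql.gz"; then
    echo "mysqldump: failed for $db" >&2
    rc=1
  fi
done <<<"$db_list"

# Site tree into the staging dir. --exclude is given before the path so it applies
# on every tar build; the archive is gzip-compressed, so it gets the .tar.gz suffix
# (the original named it .tar).
if ! tar -zcf "$OUTPUT/${STAMP}-site.tar.gz" --exclude "/home/sabin/sitebackup" /home/sabin; then
  echo "tar: errors while archiving /home/sabin" >&2
  rc=1
fi

tar -zcf "$FINAL" "$OUTPUT"
# The archive holds full database dumps: readable only by the owner and the apache
# group (the default umask would otherwise leave it world-readable).
chmod 0640 -- "$FINAL"
chown sabin:apache -- "$FINAL"
# ${OUTPUT:?} aborts instead of running "rm -rf /" if the variable is ever empty.
rm -rf -- "${OUTPUT:?}"

exit "$rc"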
====================================================
Configuring Mod Security and Mod_evasive Allowing Unicode
yum install mod_security mod_evasive ls -l /etc/httpd/conf.d (cpanel) yum install ea-apache24-mod_evasive /etc/apache2/conf.d/300-mod_evasive.conf DOSWhitelist 10.*.*.* Now, in order to integrate these two modules with Apache and have it load them when it starts, make sure the following lines appear in the top level section of mod_evasive.conf and mod_security.conf, respectively: LoadModule evasive20_module modules/mod_evasive24.so LoadModule security2_module modules/mod_security2.so # cd /etc/httpd/modules # pwd # ls -l | grep -Ei '(evasive|security)' config file: vi /etc/httpd/conf.d/mod_security.conf mkdir /etc/httpd/crs-sabin cd /etc/httpd/crs-sabin wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master tar xzf master mv SpiderLabs-owasp-modsecurity-crs-ebe8790 owasp-modsecurity-crs cd owasp-modsecurity-crs cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf vi modsecurity_crs_10_setup.conf enable utf8 inline 435 (remove #) vi /etc/httpd/conf/httpd.conf add below line end of httpd.conf file <IfModule security2_module> Include crs-sabin/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf Include crs-sabin/owasp-modsecurity-crs/base_rules/*.conf /etc/httpd/crs-sabin/owasp-modsecurity-crs/abc.conf </IfModule> http://www.xxxx.com/?abc=../../ (check the log file if it is working or not) modsecurity_crs_10_config.conf cd /etc/httpd/conf.d/ wget -c https://github.com/SpiderLabs/ModSecurity/blob/master/unicode.mapping vi /etc/httpd/crs-sabin/owasp-modsecurity-crs/abc.conf SecGeoLookupDb /etc/httpd/crs-tecmint/GeoLiteCity.dat //black list country SecRule GEO:COUNTRY_CODE "@pm UA ID YU LT EG RO BG TR RU PK MY IL" "id:40,phase:1,t:none,log,pass,msg:'High Risk Fraud Location',setvar:tx.fraud_score=+10" //block outside country //SecRule REMOTE_ADDR "@geoLookup" "id:37,phase:1,t:none,pass,nolog" SecRule ARGS "@contains <" "id:35,phase:1,t:none,t:urlDecodeUni,log,pass" SecRule REQUEST_HEADERS:Range "bytes=0-" 
id:34,allow,log,t:none,ctl:ruleRemoveById=958291 SecRuleRemoveById 960024 //unicode unblock in url SecRuleRemoveById 981318 //unicode unblock in url SecRuleRemoveById 958291 //Allow pdf downloads and rule vi /etc/httpd/modsecurity.d/myconf.conf <IfModule mod_security2.c> SecRuleEngine On SecUnicodeMapFile /etc/httpd/conf.d/unicode.mapping ////unicode mapping SecUnicodeCodePage 20127 //unicode mapping SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream SecDataDir /tmp </IfModule> ---------------------- nepali unicode issue in mod_security in url vi /etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf go to line 37 and replace below Replace \W{4,} to [^A-Za-z0-9-_ !@#$%^*()शज्ञद्दघद्धछटठडढणङऊधभचतथगषयउृे्बकमानजवपिसुहअखदलफो।रऐध्भ्च्त्ञग्क्षइएद्वक्ँआन्ज्व्ईीस्ूह्मऋख्द्यल्ःौश्रओऔ०१२३४५६७८९ंैझ]{4,} vi /etc/httpd/conf.d/mod_security.conf SecPcreMatchLimit 90000 SecPcreMatchLimitRecursion 90000 Geo locaiton increment score for black listed country SecGeoLookupDb /etc/httpd/crs-tecmint/GeoLiteCity.dat //black list country SecRule GEO:COUNTRY_CODE "@pm UA ID YU LT EG RO BG TR RU PK MY IL" "id:40,phase:1,t:none,log,pass,msg:'High Risk Fraud Location',setvar:tx.fraud_score=+10" //block outside country //SecRule REMOTE_ADDR "@geoLookup" "id:37,phase:1,t:none,pass,nolog" --------------------------- download free book from https://www.feistyduck.com/library/modsecurity-handbook-free/ To check noof hits per ip cat requests.log | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20 http://hostinginstructions.com/harden-apache-with-mod_security-on-centos-7/Protect Apache Against Brute Force or DDoS Attacks Using Mod_Security and Mod_evasive Moduleshttps://www.linode.com/docs/websites/apache-tips-and-tricks/modsecurity-on-apache https://www.howtoforge.com/apache_mod_security_p2 http://hostinginstructions.com/harden-apache-with-mod_security-on-centos-7/ 
https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/ https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Inbound/Outbound-Correlation/ https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--(Updated)-Exception-Handling/ https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Inbound/Outbound-Correlation/ Replace \W{4,} to [^A-Za-zА-Яа-я0-9_]{4,} http://stackoverflow.com/questions/14906232/regular-expressions-with-the-cyrillic-alphabet Another approach is to list all characters one-by-one. Simply find an authoritative reference for the alphabet that you want to put in a regexp, and put all characters for it into a pair of square brackets: [АБВГДЕЁЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯабвгдеёжзийклмнопрстуфхцчшщъыьэюя] [^A-Za-z0-9शज्ञद्दघद्धछटठडढणङऊधभचतथगषयउृे्बकमानजवपिसुहअखदलफो।रऐध्भ्च्त्ञग्क्षइएद्वक्ँआन्ज्व्ईीस्ूह्मऋख्द्यल्ःौश्रओऔ०१२३४५६७८९ंैझ] https://www.trustwave.com/Resources/SpiderLabs-Blog/Detecting-Malice-with-ModSecurity--GeoLocation-Data/ https://www.packtpub.com/books/content/blocking-common-attacks-using-modsecurity-25-part-3 ======== vi /etc/httpd/crs-sabin/owasp-modsecurity-crs/test.conf SecRuleRemoveById 960024 //unicode in url SecRuleRemoveById 981318 //unicode in url //Allow pdf download SecRuleRemoveById 958291 SecRule REQUEST_HEADERS:Range "bytes=0-" id:34,allow,log,t:none,ctl:ruleRemoveById=958291 SecRule ARGS "\\\\W{4,}" "id:44,phase:1,t:none,t:urlDecodeUni,log,pass" SetEnvIfNoCase Remote_Addr ^208.113.183.103$ MODSEC_ENABLE=Off # You can use multiple SetEnvIf directives to control it further. # This only turns it off for your IP + a POST request method. 
# # SetEnvIf Remote_Addr ^208.113.183.103$ MODSEC_ENABLE=Off # SetEnvIf Request_Method !^POST$ MODSEC_ENABLE=On # Make sure that URL encoding is valid SecFilterCheckURLEncoding On # Unicode encoding check SecFilterCheckUnicodeEncoding Off //sample rules SecRule ARGS_GET_NAMES "^(customerid|q)" "phase:1,pass,id:'90010', \ ctl:ruleRemoveTargetById=960024, \ ctl:ruleRemoveTargetById=981173" SecRule ARGS_POST_NAMES "^(customerid|q)" "phase:2,pass,id:'90011', \ ctl:ruleRemoveTargetById=960024, \ ctl:ruleRemoveTargetById=981173"
Mod Security for wordpress
Protecting WordPress with mod-security
Posted on February 11, 2015
This blog and the other hosted websites running WordPress are targets of bots trying passwords against the WordPress admin and posting spam comments. I was unable to find a simple plugin for a comments DNS blacklist, so I focused on mod-security.
This apache module is already packed in all common linux distributions. Problem is, that default rules are so huge and complicated. For example in debian after
apt-get install libapache-mod-security
a2enmod mod-security
installation like this, default rules will cause you many troubles with your websites. Default installation is useless..
I have deleted all default rules in /etc/apache2/mod-security/rules and my mod-security.conf contains only
SecDebugLog /var/log/apache2/mod-security.log
SecDebugLogLevel 1
# wp-login
# This has to be global, cannot exist within a directory or location clause . . .
SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR}
<Locationmatch “/wp-login.php”>
# Setup brute force detection.
# React if block flag has been set.
SecRule user:bf_block “@gt 0” “deny,status:403,log,msg:’ip address blocked for 15 minutes, more than 15 login attempts in 5 minutes.'”
# Setup Tracking. On a successful login, a 302 redirect is performed, a 200 indicates login failed.
SecRule RESPONSE_STATUS “^302” “phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0”
SecRule RESPONSE_STATUS “^200” “phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/300”
SecRule ip:bf_counter “@gt 15” “t:none,setvar:user.bf_block=1,expirevar:user.bf_block=900,setvar:ip.bf_counter=0”
#comments blacklist
SecAction “id:400000,phase:1,initcol:IP=%{REMOTE_ADDR},pass,nolog”
SecRule IP:spam “@gt 0” “id:400001,phase:1,chain,drop,msg:’Spam host %{REMOTE_ADDR} already blacklisted'”
SecRule REQUEST_METHOD “POST” chain
SecRule REQUEST_URI “\/wp-(comments-post|trackback).php”
SecRule REQUEST_METHOD “POST” “id:’400010′,chain,drop,log,msg:’Spam host detected by zen.spamhaus.org'”
SecRule REQUEST_URI “\/wp-(comments-post|trackback).php” chain
SecRule REMOTE_ADDR “@rbl zen.spamhaus.org” “setvar:IP.spam=1,expirevar:IP.spam=604800”
The first rule protects wp-login from password-guessing attacks: a simple rate limit.
Second rule protects wordpress comments from spam, blocks comments from IPs on DNS blacklist zen.
I found these rules on some blogs and they are very useful and effective.
Now all wordpress sites on my server are protected.
https://www.tweaking4all.com/web-development/wordpress/mod_security-fix/
vi whitelist.conf
---------------------- <LocationMatch "/wp-admin/post.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/admin-ajax.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/page.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/options.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/theme-editor.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-includes/"> SecRuleRemoveById 960010 960012 950006 ---------------------------------------------------------------- <LocationMatch "/wp-admin/post.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/admin-ajax.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/page.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/options.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-admin/theme-editor.php"> SecRuleRemoveById 300015 300016 300017 950907 950005 950006 960008 960011 960904 <LocationMatch "/wp-includes/"> SecRuleRemoveById 960010 960012 950006 ------------------------------------------------------------------------
http://www.regexr.com/
=================================================================
mod_evasive to block DoS / brute-force attacks on a CentOS web server
yum install mod_evasive -y ls -al /etc/httpd/conf.d/mod_evasive.conf systemctl reload httpd sudo httpd -M | grep evasive vi /etc/httpd/conf.d/mod_evasive.conf DOSEmailNotify test@sabinshrestha.com.np DOSWhitelist 111.111.111.111 DOSWhitelist 222.222.222.222 DOSPageCount 20 DOSSiteCount 100 DOSBlockingPeriod 300 mkdir /var/log/mod_evasive chown -R apache:apache /var/log/mod_evasive DOSLogDir "/var/log/mod_evasive" systemctl restart httpd.service For testing vi /usr/share/doc/mod_evasive-1.10.1/test.pl Replace 100 with 200: for(0..200) { perl /usr/share/doc/mod_evasive-1.10.1/test.pl
===================================================
php code secure
filter_var(variable, filter, options)
use The ctype Extension
Functions return true or false.
In some functions, a space character may cause strings not to validate. Remove the space before validation.
Functions accept only a string or an integer. Anything else returns false.
Function Description
ctype_alnum() Check for alphanumeric characters (a–z, A–Z, 0–9)
ctype_alpha() Check for alphabetic characters (a–z, A–Z)
ctype_cntrl() Check for control characters (\n, \r, \t)
ctype_digit() Check for numeric characters (0–9)
ctype_graph() Check if all the characters in a string create visible output
ctype_lower() Check for lowercase characters (a–z)
ctype_print() Check for printable characters including space
ctype_punct() Check for printable characters other than alphanumeric or space
ctype_space() Check for spaces in a string
ctype_upper() Check for uppercase characters (A–Z)
ctype_xdigit() Check for hexadecimal characters
$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
Secure php.ini
vi /etc/php.ini expose_php = Off mail.add_x_header = Off session.cookie_httponly = On session.cookie_secure = On session.use_strict_mode = On allow_url_fopen = Off allow_url_include = Off $blacklist = array(".php", ".phtml", ".php3", ".php4", ".js", ".shtml", ".pl" ,".py"); foreach ($blacklist as $file) { if(preg_match("/$file\$/i", $_FILES['userfile']['name'])) { echo "ERROR: Uploading executable files Not Allowed\n"; exit; } check for double extension $condition = substr_count($sFileName, '.') > 1 function check_ext($filename){ function_exists('finfo_open')) { $finfo = finfo_open(FILEINFO_MIME); $mimetype = finfo_file($finfo, $filename); finfo_close($finfo); return $mimetype; } return ""; } limit file inclusion to the root directory by changing the open_basedir directive in the php.ini configuration file: open_basedir = /home/webserver upload_tmp_dir = /home/webserver/tmp/ Safe mode will also restrict executables that may be run by scripts in the same way it restricts file and directory access. Safe mode can also be configured so that only executables in a certain directory can be run. This can help limit exposure of shell commands to certain scripts. safe_mode = On n some cases you'll want to use a group to check ownership (for instance in the case that you have multiple people deploying web application scripts). 
To have safe mode check group permissions use: safe_mode_gid = On If you want to limit directories that can contain included files or executables use the following php.ini directives respectively: safe_mode_include_dir = /path/to/dir safe_mode_exec_dir = /path/to/exec/dir don’t allow include outside this directory open_basedir = /home/sabin/public_html:/home/sabin/subdomain:/home/sabin/subdoman1:/home/sabin/php_tmp:/usr/share/pear:/usr/share/php:/usr/share/phpMyAdmin:/etc/phpMyAdmin:/var/lib/phpMyAdmin:/usr/share/doc Disabling Functionality (php_uname == required for phpmyadmin) disable_functions = getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo disable_functions = 
posix_uname,eval,pcntl_wexitstatus,posix_getpwuid,xmlrpc_entity_decode,pcntl_wifstopped,pcntl_wifexited,pcntl_wifsignaled,phpAds_XmlRpc,pcntl_strerror,ftp_exec,pcntl_wtermsig,mysql_pconnect,proc_nice,pcntl_sigtimedwait,posix_kill,pcntl_sigprocmask,fput,phpinfo,system,phpAds_remoteInfo,ftp_login,inject_code,posix_mkfifo,highlight_file,escapeshellcmd,show_source,pcntl_wifcontinued,fp,pcntl_alarm,pcntl_wait,ini_alter,posix_setpgid,parse_ini_file,ftp_raw,pcntl_waitpid,pcntl_getpriority,ftp_connect,pcntl_signal_dispatch,pcntl_wstopsig,ini_restore,ftp_put,passthru,proc_terminate,posix_setsid,pcntl_signal,pcntl_setpriority,phpAds_xmlrpcEncode,pcntl_exec,ftp_nb_fput,ftp_get,phpAds_xmlrpcDecode,pcntl_sigwaitinfo,shell_exec,pcntl_get_last_error,ftp_rawlist,pcntl_fork,posix_setuid Preventing Information Disclosure display_errors = Off Disable Globals register_globals = Off Disable Remote File Includes allow_url_fopen = Off allow_url_include = Off Restrict File Uploads file_uploads = Off upload_tmp_dir = /home/sabin/php_tmp upload_max_filesize = 2M (mkdir -p /home/sabin/php_tmp ; chown apache:apache /home/sabin/php_tmp) Protect Sessions (Make sure that the web server can read and write to the location you specify) session.save_path =/home/sabin/php_tmp session.cookie_httponly = 1 session.referer_check = your_url.tld session.use_strict_mode = 1 expose_php=Off upload_tmp_dir = /var/php_tmp upload_max_filesize = 2M The following directives can be restricted in case they aren’t necessary for your application: Disallow HTTP file uploads file_uploads = Off Disallow displaying the PHP error messages for the end-users display_errors = Off Limit the external access to your PHP environment safe_mode_allowed_env_vars = PHP_ Restrict the sending back of PHP information expose_php = Off Turn off the globals registration for input data register_globals = Off Restrict remote files opening allow_url_fopen = Off Restrict files opening allow_url_include = Off sql.safe_mode = On 
<Directory /home/sabin/public_html/uploads/> Options None AllowOverride None php_admin_flag engine off order deny,allow deny from all </Directory> <Directory /home/sabin/public_html/userfiles/> Options None AllowOverride None php_admin_flag engine off order deny,allow deny from all </Directory> <Directory /home/sabin/public_html/bills/user_photo/> Options None AllowOverride None php_admin_flag engine off order deny,allow deny from all </Directory> magic_quotes_gpc=Off Control POST Size post_max_size=1K <Directory /home/sabin/public_html> <LimitExcept GET POST> Order allow,deny </LimitExcept> ## Add rest of the config goes here... ## </Directory> # set in seconds max_execution_time = 30 max_input_time = 30 memory_limit = 40M
==================
NTP Port(UDP 123) yum install ntp ntpdate chkconfig ntpd on ntpdate pool.ntp.org /etc/init.d/ntpd start
===========================
Disable Unwanted SUID and SGID Binaries
# See all set-user-id files. GNU findutils dropped the old "+mode" syntax; "/mode" means "any of these bits set": find / -xdev -type f -perm /4000 -ls # See all set-group-id files: find / -xdev -type f -perm /2000 -ls # Or combine both in a single command: find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls # (The original "find / -path -prune -o -type f -perm +6000 -ls" does not run: -path requires a pattern argument, and "-perm -6000" would require BOTH bits, not either.) Compare each hit with what the package manager installed (rpm -qf /path ; rpm -Va | grep '^.M') and remove the bit from anything the system does not need: chmod u-s /path/to/binary. World-Writable Files: find / -xdev -type f -perm -0002 -print. World-writable directories without the sticky bit (anyone can delete others' files there): find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print. No-owner files (left behind by removed packages or accounts, a common sign of tampering): find / -xdev \( -nouser -o -nogroup \) -print
=====================================
Linux Kernel /etc/sysctl.conf
kernel.kptr_restrict = 2 kernel.randomize_va_space = 2 kernel.sysrq = 0 # (the original list set randomize_va_space to 2 and then again to 1; the last value wins in sysctl.conf, so ASLR was silently weakened — set it once, to 2.) # kernel.exec-shield=1 is NOT listed: that sysctl only existed on older Red Hat kernels and makes "sysctl -p" fail on CentOS/RHEL 7. # Enable reverse-path (IP spoofing) protection net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Disable IP source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Do not accept or send ICMP redirects net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 # Ignore broadcast pings and bogus ICMP errors (the directive is icmp_ignore_bogus_error_responses; the variant "icmp_ignore_bogus_error_messages" in the original does not exist) net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 # Log spoofed / martian packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 # Not a router: do not forward (set to 1 only on hosts that must route, e.g. Docker/KVM hosts) net.ipv4.ip_forward = 0 # SYN-flood protection net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 1280 # net.ipv4.tcp_timestamps = 0 hides uptime but also disables PAWS and window scaling protection; leave timestamps on unless you have a specific reason. Apply with: sysctl -p /etc/sysctl.conf
Enable ExecShield
ExecShield helped prevent stack smashing / buffer-overflow exploitation on older Red Hat kernels (RHEL 5/6). The kernel.exec-shield sysctl was removed from the RHEL/CentOS 7 kernel, so "sysctl -w kernel.exec-shield=1" fails there with "No such file or directory" and adding it to /etc/sysctl.conf makes "sysctl -p" report an error; NX/DEP is enforced by the CPU and kernel without it. Check / enable ASLR instead: set it at runtime with sysctl -w kernel.randomize_va_space=2 and add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it is not already there (2 randomizes stack, mmap, VDSO and heap; 1 leaves the heap base fixed). Verify with: sysctl kernel.randomize_va_space
—————————————————–
Disable Unwanted protocol
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf echo "install rds /bin/false" > /etc/modprobe.d/rds.conf echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf (the file name must end in .conf — modprobe ignores any other extension, so the original "tipc.con" left TIPC loadable. CIS uses /bin/true instead of /bin/false; both prevent the module from loading, /bin/true just avoids a spurious non-zero exit. If a module is already loaded, also "rmmod <name>" and confirm with "lsmod | grep <name>".)
Disable uncommon filesystems
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
Disable IPv6 Support Automatically Loading
On CentOS/RHEL 7 IPv6 is built into the kernel, so "options ipv6 disable=1" in /etc/modprobe.d/disabled.conf and NETWORKING_IPV6=no / IPV6INIT=no in /etc/sysconfig/network (RHEL 6 style) do not reliably turn it off. Use sysctl instead: add net.ipv6.conf.all.disable_ipv6 = 1 and net.ipv6.conf.default.disable_ipv6 = 1 to /etc/sysctl.conf (or, to disable it in the kernel itself, add ipv6.disable=1 to GRUB_CMDLINE_LINUX in /etc/default/grub and run grub2-mkconfig -o /boot/grub2/grub.cfg). If you disable IPv6, also comment the udp6/tcp6 lines in /etc/netconfig so rpcbind does not log errors: udp6 tpi_clts v inet6 udp - - tcp6 tpi_cots_ord v inet6 tcp - - . Only disable IPv6 if nothing on the host needs it; otherwise firewall it the same way as IPv4 (firewall-cmd rules apply to both families).
Bulk Remove of Services
yum remove xinetd telnet-server telnet rsh-server rsh ypbind ypserv tftp-server dovecot squid net-snmp (the package is net-snmp, not "net-snmpd"). Remove bind (yum remove bind) ONLY if this host is not a DNS server — the Bind chroot setup later on this page installs bind-chroot, which depends on it. Clear-text protocols (telnet, rsh/rlogin, tftp) should go regardless; for the rest, check "ss -lntup" first and keep whatever the server actually provides.
Bulk Enable / Disable Services
Use "systemctl disable --now <unit>" so the service is both stopped and prevented from starting at boot (plain "disable" leaves a running instance up until reboot). Disable: xinetd rexec rsh rlogin ypbind tftp certmonger cgconfig cgred cpuspeed kdump mdmonitor netconsole oddjobd portreserve qpidd quota_nld rdisc rhnsd rhsmcertd saslauthd smartd sysstat atd nfslock named dovecot squid snmpd rpcgssd rpcsvcgssd rpcidmapd netfs nfs avahi-daemon cups dhcpd. Enable: irqbalance psacct crond. Do NOT disable messagebus: on CentOS 7 it is the D-Bus system bus (dbus.service) that systemd, NetworkManager and firewalld depend on, and disabling it breaks systemctl itself. Keep named/nfs enabled if this host is the DNS or NFS server; keep smartd on physical hardware (disk-failure warnings). Autofs: systemctl disable --now autofs (chkconfig --level 0123456 autofs off and "service autofs stop" are the old SysV equivalents). Afterwards confirm nothing unexpected is listening: ss -lntup
Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared. Compatible technology is found in Apple MacOS X
systemctl disable avahi-daemon
Auto backup all db code #! /bin/bash TIMESTAMP=$(date +"%F") BACKUP_DIR="/backup/$TIMESTAMP" MYSQL_USER="backup" MYSQL=/usr/bin/mysql MYSQL_PASSWORD="password" MYSQLDUMP=/usr/bin/mysqldump mkdir -p "$BACKUP_DIR/mysql" databases=`$MYSQL --user=$MYSQL_USER -p$MYSQL_PASSWORD -e "SHOW DATABASES;" | grep -Ev "(Database|information_schema|performance_schema)"` for db in $databases; do $MYSQLDUMP --force --opt --user=$MYSQL_USER -p$MYSQL_PASSWORD --databases $db | gzip > "$BACKUP_DIR/mysql/$db.gz" done
Bind Configureation
yum -y install bind-chroot /usr/libexec/setup-named-chroot.sh /var/named/chroot on systemctl disable --now named systemctl enable --now named-chroot mkdir -p /var/named/chroot/var/log/named/ touch /var/named/chroot/var/log/named/bind.log /var/named/chroot/var/log/named/named.log chown -R named:named /var/named/chroot/var/log/named/ firewall-cmd --permanent --add-port=53/udp firewall-cmd --permanent --add-port=53/tcp firewall-cmd --reload (without --permanent the rule disappears at the next reload/reboot; TCP 53 is needed for zone transfers and large answers). Before exposing port 53, make sure named.conf restricts recursion to your own networks (allow-recursion { localhost; 10.0.0.0/8; };, allow-transfer { <secondaries>; };) — an open recursive resolver is abused for DNS amplification attacks. ln -s /var/named/chroot/var/log/named/bind.log . ln -s /var/named/chroot/var/log/named/named.log . rndc-confgen -a -b 256 -c /var/named/chroot/etc/rndc.key (keep the key 0640 root:named) systemctl restart named-chroot systemctl status named-chroot /usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf Monitoring: yum install nload ; nload em1 ; tcpdump -vvv -s 0 -l -n port 53
Audit
yum list audit audit-libs vi /etc/audit/auditd.conf num_logs = 10 max_log_file = 30 max_log_file_action = ROTATE (consider space_left_action = email and admin_space_left_action = halt so a full disk cannot silently stop auditing) systemctl restart auditd. Rules added with auditctl are runtime only and vanish at reboot; to make them persistent put them in /etc/audit/rules.d/audit.rules and run augenrules --load. Example, watch the SSH daemon configuration: auditctl -w /etc/ssh/sshd_config -p rwxa -k sshconfigchange (persistent form in rules.d: -w /etc/ssh/sshd_config -p rwxa -k sshconfigchange). Log file: /var/log/audit/audit.log. Lookups and reports: ausyscall 2 ausyscall --dump ausearch -m LOGIN --start today -i ausearch -a 27020 ausearch -f /etc/ssh/sshd_config -i aureport -x --summary aureport --failed aureport -f -i aureport -f -i --summary
Tripwire
yum install tripwire tripwire-setup-keyfiles tripwire --init vi /etc/tripwire/twpol.txt tripwire --check > /etc/tripwire/report.txt twadmin --create-polfile /etc/tripwire/twpol.txt && tripwire --init 40 2 * * * /usr/sbin/tripwire --check | mail -s "Mechi Tripwire report for `uname -n`" your_email@linuxpitstop.com twadmin --print-cfgfile
nmap -v -sT localhost
nmap -v -sS localhost
Upgrade MariaDB 5.5 to MariaDB 10.3 (the repository file below points at 10.3; adjust the baseurl if you want 10.2)
Take a full dump first, without putting the root password on the command line (it is visible in ps and shell history): mysqldump -u root -p --all-databases --single-transaction > /root/all-database.sql (or use a 0600 option file with --defaults-extra-file). systemctl stop mariadb cp -a /var/lib/mysql/ /var/lib/mysql.bak yum update vim /etc/yum.repos.d/MariaDB10.repo # MariaDB 10.3 CentOS repository list - created 2018-09-10 19:28 UTC # http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB baseurl = https://yum.mariadb.org/10.3/centos7-amd64 gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB gpgcheck=1 (gpgcheck=1 is what protects you from a tampered mirror; keep it, and prefer https for the baseurl as well). yum remove mariadb-server mariadb mariadb-libs yum remove mysql-server mysql mysql-libs mysql-common mysql-devel (the original "mysql-devil" is a typo) yum clean all yum -y install MariaDB-server MariaDB-client MariaDB-devel systemctl enable --now mariadb mysql_upgrade mysql -V. Copying the site over SSH (ASCII hyphens and straight quotes are required; the curly ones in the original do not parse): rsync -avz --delete -e "ssh -p23" webserver@10.10.10.10:/home/server/public_html /home/server — note --delete removes anything on the destination that is absent on the source; run with -n (dry run) first. SSH key setup: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
MariaDB not starting when datadir is under /home: the unit ships with ProtectHome=true, which hides /home from the service. Do not edit /usr/lib/systemd/system/mariadb.service directly (the next package update overwrites it); create a drop-in instead: systemctl edit mariadb, add [Service] ProtectHome=false, then systemctl daemon-reload && systemctl restart mariadb. Be aware this removes one sandboxing layer from the database process; a cleaner option is to keep the datadir under /var/lib/mysql or a dedicated mount and leave ProtectHome alone. Also set the SELinux context on a non-default datadir (semanage fcontext -a -t mysqld_db_t "/home/mysql(/.*)?" ; restorecon -R /home/mysql).
How to Setup MariaDB (Master-Slave) Replication in CentOS/RHEL 7 and Debian 8/9
Protect cpanel wordpress site
vi /usr/local/apache/conf/includes/post_virtualhost_2.conf # Paste the following lines. ErrorDocument 401 "Unauthorized Access" ErrorDocument 403 "Forbidden" <FilesMatch "^wp-login\.php$"> AuthName "Authorized Only" AuthType Basic AuthUserFile /home/.wpadmin Require valid-user </FilesMatch> Then create the password file with bcrypt hashes (the default apr1/MD5 scheme is fast to brute-force): htpasswd -B -c /home/.wpadmin pressuser ; cat /home/.wpadmin # verify the username. The file holds password hashes, so it must not be world-readable or executable: chown root:nobody /home/.wpadmin ; chmod 640 /home/.wpadmin (use the group Apache runs as — "nobody" on cPanel; the original chmod 755 gave every local user read access). Basic auth sends the password base64-encoded on every request, so only use this on an HTTPS-only site. service httpd restart
Cpanel site details
sitedata=/home/sitename The cPanel software comes with PHP, DNS, Web, Email, FTP, MySQL and other utility packages. In order to customize the behavior of almost any program or to troubleshoot any issue on linux system, we need to modify its configuration file. Here I have collected a list of the configuration files and directories found on the Linux cPanel/WHM server. I hope you will find this path reference useful Web server ( Apache ) : Apache HTTP server configuration file : /usr/local/apache/conf/httpd.conf Apache directory Structure : /usr/local/apache/ • bin- apache binaries are stored here - httpd, apachectl, apxs • conf - configuration files - httpd.conf - php.conf • domlogs - domain access and stat log files are stored here for all domains • htdocs - default apache DocumentRoot location • include - header files • libexec - shared object (.so) files eg. mod_rewrite.so • logs - apache logs - access_log, error_log, suexec_log • man - apache manual pages • icons - icon/jpg/gif images • modules - other shared object (.so) • Init Script :/etc/rc.d/init.d/httpd or /usr/local/apache/bin/apachectl - apache start script • Cpanel script to restart apache - /scripts/restartsrv_httpd • /opt - Apache modules built here. Mail Server and Webmail : /etc/exim.conf - mail server configuration file /etc/localdomains - exim related file. All the domains using the same server's MX, should be listed here to be able to send/receive emails. /etc/valiases/domainname - catchall and forwarders are set here. /etc/vfilters/domainname - email filters are set here. /var/spool/exim/input - Mail queue. /var/spool/exim/msglog - email message logs. /var/cpanel/horde - version file, backups and logs stored here /var/cpanel/roundcube - version file, backups and logs stored here /var/cpanel/squirrelmail - version file stored here. 
Courier : • Program: /usr/lib/courier-imap/libexec/couriertcpd • Init Script: /etc/init.d/courier : /scripts/restartsrv_courier • Config: /usr/local/libexec/courier-imap Dovecot : • Program: /usr/sbin/dovecot • Init Script: /etc/init. • Config: /etc/dovecot.conf DNS and Networking : • Program: /usr/sbin/named • Init Script: /etc/rc.d/init.d/named • Config: /etc/named.conf • Zone files:/var/named/ /etc/named.conf - ( name server (named) configuration file). /etc/resolv.conf - (WHM -> Networking Setup–> Resolver Configuration). /etc/ips - ip addresses on the server (WHM >> IP Functions–>Show IP Address Usage. Except the shared ip. ). /etc/sysconfig/network - Networking Setup. /etc/hosts - Contains hostname and other host entries. /etc/nameserverips - (WHM -> Networking Setup–> Nameserver IPs, Resellers nameservers ) /etc/ipaddrpool - ip addresses which are free. /etc/ips.dnsmaster - nameserver ips. /etc/domainips - IP's set as dedicated for specific domains /var/cpanel/cpanelsync - DNS Clustering files. FTP Server : /etc/proftpd.conf - proftpd server configuration file. /etc/pure-ftpd.conf - pure-ftpd server configuration file. PHP : /usr/local/lib/php.ini - PHP configuration file. -------------------- System PHP : -------------------- • Program :/usr/local/bin/php, /usr/bin/php, /usr/local/php4/bin/php • php can be recomplied using /scripts/easyapache : /scripts/phpup using /var/cpanel/easy/apache/profile/ -------------------- Internal PHP : -------------------- • Program : /usr/local/cpanel/3rdparty/bin/php : /var/cpanel/3rdparty/bin/php • ini file: /usr/local/cpanel/3rdparty/etc/php.ini • internal PHP can be recompiled using : /scripts/makecpphp using /var/cpanel/easy/apache/profile/makecpphp.profile.yaml • /var/cpanel/3rdparty MySQL : /etc/my.cnf and /root/.my.cnf- mysql configuration file /var/cpanel/databases - dbmapping files. 
• Program : /usr/sbin/mysqld :/usr/bin/mysqld_safe • Init Script : /etc/rc.d/init.d/mysql : service mysql start/stop : /scripts/restartsrv_mysql • Data directory - /var/lib/mysql - Where all databases are stored. • Socket file - /var/lib/mysql/mysql.sock, /tmp/mysql.sock. PostgreSQL : • Conf: /var/lib/pgsql/data/postgresql.conf & pg_hba.conf • Data Directory: /var/lib/pgsql/data • Log: /var/lib/pgsql/ Perl : • Program :/usr/bin/perl or /usr/local/bin/perl (one should symlink to the other) • Directory :/usr/lib/perl5/5.8.x/ or /usr/local/lib/perl5 • Version: perl -v • Check: /scripts/checkperlmodules : /scripts/perlmods -s • Installer: /scripts/perlinstaller : perl -MCPAN -e shell • Build: /home/.cpan :/home/.cpcpan Clamav : /etc/clamav.conf - clamav (antivirus configuration file ). Spamd : • Directory: /etc/mail/spamassassin • Program: /usr/bin/spamd & /usr/bin/spamc & /usr/bin/spamassassin • Scripts: /scripts/installspam EasyApache : • /var/cpanel/easy/apache • /var/cpanel/userdata • /usr/local/apache/conf/ • /var/cpanel/templates/apache2 • /usr/local/cpanel/src/templates/apache2 • /home/cpeasyapache • /opt • /usr/local/cpanel/logs/easy/apache ROR - Ruby on Rails: • Directory: /home/username/rails_apps /home/username/.gem/ruby • Scripts: /scripts/installruby Tomcat : • Directory: /usr/local/jakarta/tomcat • Conf: /usr/local/jakarta/tomcat/conf/server.xml Other cPanel system config : /etc/userdomains - all primary, addons, parked,sub-domains along with their usernames are stored in this file. /etc/cpbackup-userskip.conf - To skip files or certain accounts in backup. /var/cpanel/resellers - Permissions for resellers. /etc/chkserv.d - ( WHM >> Service Configuration >> Service Manager config file) /etc/wwwacct.conf - Account creation defaults file in WHM (Basic cPanel/WHM Setup) /etc/cpupdate.conf - cPanel Update Config (upcp) /etc/cpbackup.conf - Backup Configuration. /var/run/chkservd - (Main >> Server Status >> Service Status ) /var/log/dcpumon - Top log process. 
Daily Process logs. /root/cpanel3-skel - Skeleton directory. (Eg: public_ftp, public_html) /var/spool/cron - Cronjobs are stored here for all users. /var/cpanel/users - cPanel user file that defines account settings. /var/cpanel/users.cache - user cache files that are read by cPanel. /var/cpanel/cpanel.config - cpanel configuration file ( Tweak Settings ). /var/cpanel/counters - To get the counter of each users. /var/cpanel/bandwidth - To get bandwith usage of domains. /var/cpanel/userdata - Contains parked, addon, subdomains as well as virtualHost. /var/cpanel/logs - transfer logs. /var/cpanel/easy/apache - easyapache build files/profile. /var/cpanel/userhomes - session home for cPanel, Horde, Roundcube, phpmyadmin. /var/cpanel/serviceauth - chkservd service user/pass data. /var/cpanel/updatelogs - The cPanel update (upcp ) daily logs. /var/cpanel/packages - Default and custom packages created here. All Cpanel Script files location /usr/local/cpanel/scripts https://documentation.cpanel.net/display/ALD/WHM+Scripts /usr/local/cpanel/scripts/upcp Rebiuild apache in cpanel Type the following commands: # cd /scripts # ./updatenow # ./easyapache
[from cpanel =Software – EasyApache]
/scripts/rebuildhttpdconf /scripts/restartsrv_apache ——————————– cpanael sysadmin command /scripts/adduser <=====> Add a user to the system /scripts/buildeximconf <=====> Rebuilds exim.conf /scripts/chpass <=====> change cpanel passwords to particular account /scripts/courierup <=====> used to update/reinstall courier /scripts/cpbackup –force <=====> to backup accounts (if backups enabled on WHM) /scripts/easyapache <=====> recompile apache /scripts/editquota <=====> to manually set a users quota limit /scripts/eximup <=====> to update exim to latest version – will overwrite any manual changes which was made on exim.conf file /scripts/fixcommonproblems <=====> fixes mailbox permissions, mailman, cgi scripts, ndc and quotas /scripts/fixmailman <=====> fixes common mailman issues /scripts/fixndc <=====> fixes rndc errors with named /scripts/fixquotas <=====> fixes quota problems /scripts/fullhordereset <=====> resets horde database to a fresh one – all previous user data are lost /scripts/ftpup <=====> used to update/install FTP server (pureftpd or proftpd) to latest version /scripts/generatemaildirsize <=====> generates new maildirsize for any or all users /scripts/initquotas <=====> initializes quotas /scripts/installzendopt <=====> installs zend optimizer via phpextensionmgr /scripts/killacct <=====> terminate an account – make sure you take a backup of the account first /scripts/killdns <=====> removes a DNS Zone /scripts/mailperm <=====> fixes permission problems with mail directories /scripts/makecpphp <=====> rebuilds internal PHP from /var/cpanel/easy/apache/profile/makecpphp.profile.yaml /scripts/mysqlup <=====> used to update mysql to latest version specified in /var/cpanel/cpanel.config /scripts/pkgacct <=====> to create an account backup /scripts/phpup <=====> to update PHP only /scripts/phpextensiomgr <=====> Installs IonCube, Zend Optimizer, SuHosin & eAccelerator /scripts/rebuildnamedconf <=====> rebuilds /etc/named.conf with zones from /var/named/*.db 
/scripts/restartsrv_$servicename <=====> restart script for services /scripts/restorepkg <=====> restores an account from a backup file (pkgacct file)(must be in /home) /scripts/runlogsnow <=====> update logs of all users /scripts/runweblogs <=====> update stats for a particular user /scripts/securetmp <=====> secures /tmp partition with options nosuexec and nosuid /scripts/suspendacct <=====> suspends an account /scripts/unsuspendacct <=====> unsuspends a suspended account /scripts/upcp –force <=====> updates cpanel to the latest version /scripts/updatenow <=====> updates the cpanel scripts /scripts/updateuserdomains <=====> updates /etc/userdomains entries from /var/cpanel/users /scripts/wwwacct <=====> to create new accounts (wwwacct domain.com user password)
how wordpress site is hacked watch video
https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/
https://www.youtube.com/playlist?list=PLrPWDrPbmnUv-mog5HSHl3Xp76KlfQskP
wpscan+msf
https://wpscan.org/
https://information.rapid7.com/metasploit-framework.html
Install wpscan and msf
yum install yum-utils -y yum-builddep -y ruby git clone https://github.com/rapid7/metasploit-framework.git (always clone over https — the git:// protocol is unauthenticated and unencrypted, so a network attacker can hand you a trojaned framework; GitHub no longer serves it at all) cd metasploit-framework/ gpg2 --keyserver hkps://keys.openpgp.org --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 (RVM's signing key; fetch it over hkps, the plain hkp://keys.gnupg.net pool is unencrypted and defunct) curl -sSL -o rvm-installer https://get.rvm.io && curl -sSL -o rvm-installer.asc https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer.asc && gpg2 --verify rvm-installer.asc rvm-installer && bash rvm-installer stable (do not pipe "curl | bash" straight into a root shell — download, verify the signature, then run it; the original ran the unverified installer twice) source /etc/profile.d/rvm.sh, then log out and back in. rvm install ruby-2.1.9 ; rvm use 2.1.9 --default (Ruby 2.1 is end-of-life with known CVEs; use the Ruby version current metasploit-framework's .ruby-version file asks for) gem install rails bundle install. **wpscan installation. Prerequisites: Ruby >= 1.9.2 - Recommended: 2.3.0; Curl >= 7.21 - Recommended: latest (7.29 has a segfault); RubyGems - Recommended: latest; Git. yum -y install gcc ruby-devel rubygem-bundler libxml2 libxml2-devel libxslt libxslt-devel libcurl-devel patch git mkdir -p /root/tools cd /root/tools git clone https://github.com/wpscanteam/wpscan.git cd wpscan gem install bundler && bundle install --without test. Only scan hosts you own or are authorised to test.
Install PHP File Manager
http://blog.filerun.com/how-to-install-filerun-on-centos-7/ File manager: https://<your-host>/filerun/ (log in through the form — never pass credentials in the URL query string as the original "?username=admin&password=..." did: they land in browser history, proxy and access logs, and go over the wire in clear if the site is plain HTTP; change that admin password now if it was ever used). v0.4.2 (MySQL). Create database myfilemanager yum --enablerepo=remi-php56 install php-mbstring php-mcrypt php-pdo php-mysql php-gd php-xml cd /usr/lib64/php/modules wget -c https://downloads3.ioncube.com/loader_downloads/ioncube_loaders_lin_x86-64.tar.gz (download the loader over https; it is a binary that runs inside every PHP process) tar xvfz ioncube_loaders_lin_x86-64.tar.gz rm -rf ioncube_loaders_lin_x86-64.tar.gz vi /etc/php.d/filerun.ini expose_php = Off error_reporting = E_ALL & ~E_NOTICE display_errors = Off display_startup_errors = Off log_errors = On ignore_repeated_errors = Off allow_url_fopen = On (FileRun needs this; note it reverses the allow_url_fopen = Off hardening applied to the main php.ini earlier on this page and applies to every vhost using this ini, so scope it with php_admin_value in the FileRun vhost if possible) allow_url_include = Off variables_order = "GPCS" allow_webdav_methods = On memory_limit = 128M max_execution_time = 300 output_buffering = Off output_handler = "" zlib.output_compression = Off zlib.output_handler = "" safe_mode = Off register_globals = Off magic_quotes_gpc = Off upload_max_filesize = 20M post_max_size = 20M enable_dl = Off disable_functions = "" (this also clears the global disable_functions list for this SAPI — keep at least exec,shell_exec,system,passthru,proc_open,popen disabled unless FileRun's preview/convert features genuinely require them) disable_classes = "" session.save_handler = files session.use_cookies = 1 session.use_only_cookies = 1 session.auto_start = 0 session.cookie_lifetime = 0 session.cookie_httponly = 1 date.timezone = "UTC" zend_extension = /usr/lib64/php/modules/ioncube/ioncube_loader_lin_5.6.so systemctl restart httpd cd /home/webserver/public_html mkdir myfilemanager cd myfilemanager wget -O FileRun.zip https://www.filerun.com/download-latest unzip FileRun.zip (file names are case-sensitive; the original unzipped "filerun.zip") chown -R apache:apache /home/webserver/public_html/myfilemanager (only for the installer; tighten ownership afterwards as described in the "secure file manager" step) Browse to https://myip/myfilemanager, go to Settings, change the admin password and the home directory (point it OUTSIDE the web root so managed files are not directly downloadable). yum install ImageMagick* and enable it in FileRun under System configuration > Files > Image preview using the path /usr/bin/convert. 
Least privilege for the database account: the running application only needs data access, so revoke schema-changing rights once the installer has finished: REVOKE ALTER, DROP ON filerun.* FROM 'filerun'@'localhost'; FLUSH PRIVILEGES; Re-grant them only for the duration of an upgrade, then revoke again: GRANT ALTER, DROP ON filerun.* TO 'filerun'@'localhost'; FLUSH PRIVILEGES; (the original ran REVOKE immediately followed by GRANT, which leaves the account with full rights — the two statements are meant to be run at different times). Secure file manager: make the code read-only to the web server and writable only where FileRun needs it: chown -R root:root /home/webserver/public_html/myfilemanager ; chown -R apache:apache /home/webserver/public_html/myfilemanager/system/data ; find /home/webserver/public_html/myfilemanager -type d -exec chmod 755 {} + ; find /home/webserver/public_html/myfilemanager -type f -exec chmod 644 {} + . Vhost/directory settings: AddDefaultCharset UTF-8 Options FollowSymLinks AllowOverride All Require all granted (AllowOverride All is needed for FileRun's .htaccess; because it lets any writable directory change Apache behaviour, keep the application directory root-owned as above).
Install telnet in windows
pkgmgr /iu:"TelnetClient" (straight quotes; the curly quotes in the original are not accepted by cmd.exe. On Windows 8/Server 2012 and later use: dism /online /Enable-Feature /FeatureName:TelnetClient. The telnet client is only useful for port checks — never use it for logins; the password travels in clear text.)
Nslookup in windows
C:\> nslookup > server 202.45.144.2 > set q=mx > nepal.gov.np. >set type=txt > nepal.gov.np.
How To Set Up SSH Keys(auto login with same user in bothside)
How To Set Up SSH Keys (key-based login with the same user on both sides). On the client machine: ssh-keygen -t ed25519 (or ssh-keygen -t rsa -b 4096 if the server's OpenSSH is too old for Ed25519; the default 2048-bit RSA key of older releases is weaker). Enter file in which to save the key (/home/demo/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): — set a passphrase and use ssh-agent; an unencrypted key on disk is a credential anyone who reads the file can reuse. Copy the public key to the server: ssh-copy-id -p 23 demo@198.51.100.0 (the port option is lowercase -p with a space; "-P23" is an scp option, not ssh-copy-id's) or cat ~/.ssh/id_ed25519.pub | ssh -p 23 demo@198.51.100.0 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" On the server sshd refuses keys when permissions are too open: chmod go-w ~/ ; chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys. Once key login works, set PasswordAuthentication no and PermitRootLogin no in /etc/ssh/sshd_config and reload sshd. ======================
Centos runlevl
* Change runlevel to rescue.target from a valid shell systemctl isolate rescue.target systemctl rescue or Grub edit then insert into last line in linux systemd.unit=rescue.target. or systemd.unit=emergency.target systemctl isolate emergency.target systemctl emergency systemd.unit=emergency.target
Increase VM disk size
New disk as /home: pvcreate /dev/xvdb vgcreate centos-home /dev/xvdb lvcreate centos-home -n home -l 100%FREE mkfs -t ext4 /dev/centos-home/home vi /etc/fstab (the original "/etcfstab" is a typo) and add: /dev/centos-home/home /home ext4 defaults,nodev,nosuid 0 2 (nodev/nosuid on a user-writable filesystem stop planted device nodes and set-uid binaries from being honoured; 0 2 lets fsck check it after root) then mount -a. Extend an existing volume group with a new disk: pvcreate /dev/xvdf vgextend VolGroup00 /dev/xvdf lvextend -l +100%FREE /dev/VolGroup00/rpmbuild (percentages need lowercase -l; "-L100%FREE" is rejected because -L takes an absolute size, and the VG name is case-sensitive) resize2fs /dev/VolGroup00/rpmbuild. For an ext4 root on CentOS 7: resize2fs /dev/mapper/centos-root; for the default XFS root use xfs_growfs instead.
https://support.nagios.com/kb/article/resizing-the-vm-disk-size-for-centos-7-814.html
https://blue42.net/linux/5-steps-linux-lvm-extend-volume-no-reboot/
echo 1 > /sys/block/sda/device/rescan
fdisk /dev/sda
pvdisplay
pvresize /dev/sda2 pvdisplay
lvdisplay
lvextend -l +100%FREE /dev/centos/root lvdisplay
df -h
xfs_growfs /dev/mapper/centos-root df -h
(stop vm and increase disk size) df -h boot in runlevel1 fdisk -l (verify size /dev/xvdb) vgdisplay pvs pvresize /dev/xvdb pvs vgs vgdisplay lvdisplay lvextend -L+50G /dev/mapper/centos--home-home lvdisplay lvs resize2fs /dev/mapper/centos--home-home df -h========================
yum repo epel-release: wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm (use https so the RPM cannot be swapped in transit; yum still verifies its GPG signature). Single-user mode / How To Reset the Root Password in CentOS/RHEL 7: at the GRUB menu press e, append rd.break to the linux16 line, Ctrl+x, then mount -o remount,rw /sysroot ; chroot /sysroot ; passwd root ; touch /.autorelabel ; exit ; exit. The "touch /.autorelabel" step is required: /etc/shadow is rewritten without its SELinux label, and without a relabel on the next boot logins fail. Anyone with console or hypervisor access can do this, so protect GRUB with a password (grub2-setpassword) and restrict physical/console access. GRUB, boot an older kernel: awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg grub2-set-default 1 grub2-mkconfig -o /boot/grub2/grub.cfg
Upgrade to Centos 8
https://www.tecmint.com/upgrade-centos-7-to-centos-8/
WordPress Security
Security headers for the WordPress vhost or .htaccess (straight ASCII quotes are required; the curly quotes in the original break the Header directives): # X-Frame-Options (clickjacking) Header always set X-Frame-Options "SAMEORIGIN" # X-Content-Type-Options (no MIME sniffing) Header always set X-Content-Type-Options "nosniff" # Strict-Transport-Security — only once the site AND all subdomains are reachable over HTTPS, since browsers will refuse plain HTTP for max-age seconds afterwards: Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" # Referrer-Policy Header always set Referrer-Policy "same-origin" # Permissions-Policy (replaces the older Feature-Policy; "vibrate" is no longer a recognised feature) Header always set Permissions-Policy "geolocation=(self)" # X-XSS-Protection is deprecated and ignored by current browsers; if kept for old clients use Header always set X-XSS-Protection "1; mode=block". A Content-Security-Policy header gives real XSS protection but must be tailored to the site's scripts and themes. Check the result with curl -sI https://yourdomain.com | grep -i -E 'x-frame|nosniff|strict|referrer|permissions'
<FilesMatch “xmlrpc.php$”>
order deny,allow
deny from all
allow from 127.0.0.1
</FilesMatch>
<FilesMatch “wp-cron.php$”>
order deny,allow
deny from all
allow from 127.0.0.1
</FilesMatch>
Disable Php Execution on upload folder
<FilesMatch “.(php|phps.)$”>
Order Allow,Deny
Deny from all
</FilesMatch>
Options All –Indexes
Disable Php Execution on upload folder
Order Allow,Deny Deny from all (fragment: on its own this denies every request to the directory it is placed in; to stop PHP execution in the uploads folder while still serving images, wrap it in a <FilesMatch "\.(php|phps|phtml|php[0-9])$"> … </FilesMatch> block, or add "php_admin_flag engine off" in a <Directory> block for the uploads path.)
php disable hot linking
.htaccess
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourdomain.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]
install perfmatters plugins
perfmatters
security plugins Sucuri Security
iThemes Security
WordFence Security
WP fail2ban
SecuPress
In wp-config.php (straight quotes — the curly ones in the original are a PHP parse error): define('DISABLE_WP_CRON', true); define('WP_AUTO_UPDATE_CORE', true); With the built-in cron disabled, scheduled tasks (updates, backups, scheduled posts) only run if a system cron triggers them, e.g. as the site user: */15 * * * * curl -s -o /dev/null http://127.0.0.1/wp-cron.php?doing_wp_cron — from localhost, which the wp-cron.php FilesMatch rule above still allows.
Cpanel VM add backup disk
fdisk -l
$lsblk
Format the disk partition. Get the device name from the previous lsblk output
$fdisk /dev/sdc
See the screenshot for the options you should pick
n (new partition)
p (primary)
(Press ENTER) (Use default partition number)
(Press ENTER) (Use default first sector)
(Press ENTER) (Use default last sector)
t (change the partition type)
8e (Linux LVM)
w (write)
$ lsblk
Initialize the physical volume
$ pvs
$ pvcreate /dev/sdc1
$ pvs
Create the volume group
$ vgs
$ vgcreate vgBackup /dev/sdc1
$ vgs
Create the logical volume for the volume group
$ lvs
lvcreate -n lvBackup -l +100%FREE vgBackup
$ lvs
format partition
mkfs.xfs /dev/vgBackup/lvBackup
Mount a Unix directory to the logical volume
vi /etc/fstab
/dev/vgBackup/lvBackup /backup xfs defaults,nodev,nosuid,noexec 0 0 (XFS does not use the fsck pass number, so the last field is 0; nodev/nosuid/noexec are appropriate on a volume that only holds backup archives. Backups contain every credential and database on the server — keep /backup mode 700 root:root.)
mkdir -p /backup
mount /backup
df -h
https://documentation.cpanel.net/display/CKB/How+to+Run+a+Manual+Backup
/usr/local/cpanel/bin/backup --force (two ASCII hyphens; the en dash in the original is not recognised as an option)
curl -w ‘\n’ -s http://myip.cpanel.net:2089/v1.0/
curl -w ‘\n’ -s http://myip.cpanel.net:2089/v1.0/
/usr/local/cpanel/cpkeyclt
timedatectl
host auth.cpanel.net
IIS install asp
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs (d:\sources\sxs is a windows installation cd)
Install oracle in php
https://www.oracle.com/database/technologies/instant-client.html
https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html
https://pecl.php.net/package/oci8
https://blogs.oracle.com/opal/post/installing-xampp-on-macos-for-php-and-oracle-database
wget -c https://download.oracle.com/otn_software/linux/instantclient/216000/oracle-instantclient-basic-21.6.0.0.0-1.x86_64.rpm
https://www.oracle.com/database/technologies/instant-client/macos-intel-x86-downloads.html
yum install oracle-instantclient-basic-21.6.0.0.0-1.x86_64.rpm
yum install php-oci8
./pecl install oci8-2.2.0
./pear install MDB2_Driver_oci8-1.5.0b4
The OCI8 extension lets you access Oracle Database.
Use ‘pecl install oci8’ to install for PHP 8.1
Use ‘pecl install oci8-3.0.1’ to install for PHP 8.0.
Use ‘pecl install oci8-2.2.0’ to install for PHP 7.
Use ‘pecl install oci8-2.0.12’ to install for PHP 5.2 – PHP 5.6.
Use ‘pecl install oci8-1.4.10’ to install for PHP 4.3.9 – PHP 5.1.