Archive for the ‘Security’ Category

Every system needs temporary folders that any user is able to read and write BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running the script directly it will help with a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system but they will be unable to execute them and create the back door. One of the biggest problems is php injection via apache in which people will have apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.

This guide will work fine with cPanel, ensim, plesk, and of course with no control panel. It is designed for Redhat but should work on any linux varient.

The first step is to check if /tmp is already secure. Some datacenters do not create a /tmp partition while others do. use following command.

df -h |grep tmp

If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.

cat /etc/fstab |grep tmp

If there is a line that includes /tmp and noexec then it is already mounted as non-executable. If not follow the instructions below to create one without having to physically format your disk. Idealy you would make a real partition when the disk was originally formatted, that being said I have not had any trouble create a /tmp partition using the following method.

Create a 190Mb partition

cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000

Format the partion

mke2fs /dev/tmpMnt

When it asks about not being a block special device press Y

Make a backup of the old data

cp -Rp /tmp /tmp_backup

Mount the temp filesystem

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

Set the permissions

chmod 0777 /tmp

Copy the old files back

cp -Rp /tmp_backup/* /tmp/

Once you do that go ahead and restart mysql and make sure it works ok. We do this because mysql places the mysql.sock in /tmp which needs to be moved. If not it might have trouble starting. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:

Open the file in nano:

nano -w /etc/fstab

Now add this single line at the bottom:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:

none /dev/shm tmpfs noexec,nosuid 0 0

Umount and remount /dev/shm for the changes to take effect.

umount /dev/shm
mount /dev/shm

Next delete the old /var/tmp and create a link to /tmp

rm -rf /var/tmp/
ln -s /tmp/ /var/

If everything still works fine you can go ahead and delete the /tmp_backup directory.

rm -rf /tmp_backup

You /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories.

This guide is going to show you how to install and configure mod_security which will help protect your server from exploits that are passed though apache. Mod_security does this by inspecting the information sent in apache and filtering out all of the “bad” requests as determined by the set of rules specified in the httpd.conf. The ruleset that I use in this guide will block out most of the common exploits, including the nosanity phpbb worms. It should also block out most of the other common methods of hacking a server passed though php.

First we will download and unzip mod_security. Use following command to download and unzip.

tar -zxf modsecurity-1.8.7.tar.gz

If you are using Apache 1.3.x you need to go into the apache1 directory as shown below. Cpanel and ensim both use apache 1.3.x

cd modsecurity-1.8.7/apache1

If you are using Apache 2.x you need to go into the apache 2 directory as shown below. Plesk uses apache 2.x and may require the httpd-devel rpm to be installed to get mod_security working.

cd modsecurity-1.8.7/apache2

Next compile mod_security at a module. One of the lines below should work to compile it.

/etc/httpd/bin/apxs -cia mod_security.c

If you get a file not found install httpd-devel using up2date then try to compile it again. This will work fine on Plesk and the newer versions of Ensim that do not use “ensimized” httpd rpms. If you are running below Ensim 4.0 you should not continue unless you are certain of what you are doing.

up2date -i httpd-devel
/usr/sbin/apxs -cia mod_security.c

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec

Now edit the httpd.conf , even though Ensim has multiple httpd.conf files you can put it in the primary config.

nano -w /etc/httpd/conf/httpd.conf

If you are running Apache 1.3.x – cPanel and Pre 4.0 Ensim
Scroll down below the following line:

AddModule mod_security.c

If you do not have the addmodule line find where the rest of them are located and put it right below the others.

If you are running Apache 2.x (Plesk and Ensim 4.0+)
Scroll down below the following line at which point you can continue on and paste the ruleset.

LoadModule security_module modules/

Now you are going to paste in this ruleset. Please feel free to modify it as you see fit. I think that it is a very non-agreesive ruleset that will work fine on just about any server. Please post any problems you have with it below!

# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature “Apache”

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. “On” will log everything,
# “DynamicOrRelevant” will log dynamic requests or violations,
# and “RelevantOnly” will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction “deny,log,status:403″

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective “HTTP_USER_AGENT|HTTP_HOST” “^$”

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD “^POST$” chain
SecFilterSelective HTTP_Content-Length “^$”

# Don’t accept transfer encodings we know we don’t handle
# (and you don’t need it anyway)
SecFilterSelective HTTP_Transfer-Encoding “!^$”

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID “!^[0-9a-z]*$”
SecFilterSelective COOKIE_PHPSESSID “!^[0-9a-z]*$”

SecFilter “viewtopic\.php\?” chain
SecFilter “chr\(([0-9]{1,3})\)” “deny,log”

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST “wget ”
SecFilterSelective THE_REQUEST “lynx ”
SecFilterSelective THE_REQUEST “scp ”
SecFilterSelective THE_REQUEST “ftp ”
SecFilterSelective THE_REQUEST “cvs ”
SecFilterSelective THE_REQUEST “rcp ”
SecFilterSelective THE_REQUEST “curl ”
SecFilterSelective THE_REQUEST “telnet ”
SecFilterSelective THE_REQUEST “ssh ”
SecFilterSelective THE_REQUEST “echo ”
SecFilterSelective THE_REQUEST “links -dump ”
SecFilterSelective THE_REQUEST “links -dump-charset ”
SecFilterSelective THE_REQUEST “links -dump-width ”
SecFilterSelective THE_REQUEST “links http:// ”
SecFilterSelective THE_REQUEST “links ftp:// ”
SecFilterSelective THE_REQUEST “links -source ”
SecFilterSelective THE_REQUEST “mkdir ”
SecFilterSelective THE_REQUEST “cd /tmp ”
SecFilterSelective THE_REQUEST “cd /var/tmp ”
SecFilterSelective THE_REQUEST “cd /etc/httpd/proxy ”

Now simply restart apache to enable mod_security.

service httpd restart

If sites start to have problems look at error log.


If you need or want to remove mod_security at any time simply comment out (put a # in front of) the AddModule mod_security.c line and restart apache. This will disable all of the rules and not allow it to load into apache.

Ok mod_security is all setup. I would tail the audit log occasionally to see if it is causing any trouble with legit traffic. The ruleset above should not cause many problems though.

Sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as…

Read the rest of this entry »