Basics

cPanel required ports list

by

Cpanel required ports list

PortServiceProtocolDirectionNotes
20ftptcpinbound/outbound
21ftptcp,udpinbound/outbound
22sshtcpinbound
25smtptcpinbound/outbound
26smtptcpinbound/outbound
37rdatetcpoutbound
43whostcpoutbound
53DNStcp/udpinbound/outbound Inbound only needed if you run your own DNS server
80httptcpinbound/outbound
110pop3tcpinbound
113identtcpoutbound
143imap4tcpinbound
443httpstcpinbound
465smtptcp/ssl, tcp/udpinbound/outbound
873rsynctpc/udpoutbound
993imap4ssl tcpinbound
995pop3ssl tcpinbound
2082cpaneltcpinbound
2083cpanelssl tcpinbound
2086whmtcpinbound
2087whm ssltcpinbound
2089cp licensetcpoutbound
2095webmailtcpinbound
2096webmailssl tcpinbound
3306mysqltcpinboundOnly if you need to connect remotely
6666chattcpinbound

How do I get my mail headers?

by

Retrieving email headers is a very important step in reporting or troubleshooting any email issue. Here are the steps to get email headers from some of the more popular mail programs:

Eudora Pro

Double-click on the message to open it in a separate window.
Click on the button labeled “BLAH BLAH BLAH” at the top of the window. This will show the message headers.
You can then highlight and copy the headers into a new message.

Gmail

While viewing a message, click on “More Options”.
Click on “Show Original”.
This will display the headers for that message in a new window.
You can then highlight and copy the headers into a new message.

GoDaddy Webmail

Click on the message in your Inbox to open it
From the “Apply this Action” drop-down, select “View Full Header
Click “Apply
You can then highlight and copy the headers into a new message.

Hotmail

Once logged into hotmail, click on “Options”
Click “Mail“.
Click on “Mail Display Settings”.
Change the “Message Headers” section to “Advanced”.
Click “OK”.
Now when you read an e-mail, it should show you the full message headers.

Lotus Notes

Lotus Notes 4.6
Open the properties box on the message (in the default installation of the Notes Client, it will be the first smart icon on the left, but you can also right-click on the document and choose properties from that menu).
Choose the second tab on the properties box, which is a list of fields and their contents.
Scroll down to the field “Additional Headers“.
You should then be able to copy/paste the headers into a new message.

If Notes will not permit you to select the contents of the field, you’ll have to manually copy them to a new message – please be very careful in doing so.
Lotus Notes 5.x
Single click on the subject line without opening the document to full screen.
Select “File” (upper left) then select “Export
Name the file
Select “Export
Click on “Selected Documents
Select “OK
You can then attache the file to a new message.

OS X

After opening the “Mail” app, click the on the “Mail” drop-down menu and select “Preferences”.
Click on the “Viewing” icon.
Click on the arrow on the Show header detail and select All.
You will now see the full headers of each message you view.

Thunderbird

Double-click the e-mail you want to view the headers for.
Click on the “View” drop-down menu and select “Headers” and then select “All”.
This will show the headers for any message you view.

Microsoft Outlook

Microsoft Outlook 98, 2000, 2002, 2003

Double-click on the message to open it in a separate window.
Click on “View” and then “Options” on the drop-down menu at the top of the window.
Look for the section titled “Internet Headers” near the bottom of the Options window.
You can now copy/paste content from that section into a new message.

Microsoft Outlook Express 5 & 6

Right-click on the message and select Properties.
Select the Details tab.
You should see a section titled “Internet Headers” for this message.
You can now copy/paste content from that section into a new message.

Yahoo

Once you are logged in, click on “Mail Options”.
Click on “General Preferences”.
Under the “Messages” section, select “Show all headers” on incoming messages for the Headers option.
Click Save.
You should now see the full headers of every message you view.

Installing VMWare on CentOS 5.x (64-bit)

by

Installing is easy.Login to the server with the root user.

VMWare Install Preparation

First, we need to download the VMWare installer.You can get to the download via http://vmware.com/download/server/.Once here, click on the download link, accept the EULA, and download the LinuxTarball (VMware-server-1.0.3-44356.tar.gz in my case):

·Main Download Link: http://vmware.com/download/server/

·# wget –O vmware-server.tar.gz http://download3.vmware.com/software/vmserver/VMware-server-1.0.3-44356.tar.gz

After downloading the software, you will need to get a license key (which is free in the free version of VMWare Server).To register, just fill out the form at the following:

·http://register.vmware.com/content/registration.html

Next, extract the tarball:

·# tar -xzvf vmware-server.tar.gz

Before we actually get rolling on the install, let’s take care of some dependencies first:

·# yum update
# yum install libXtst.i386
# yum install libXrender.i386
# yum install xinetd

Installing VMWare Server

Once completed, now go into the directory:

·# cd vmware-server-distrib/

Next, run the vmware install script:

·# ./vmware-install.pl

Next, the install is going to ask you some basic questions and wanting to know what directories it wants you to create and install certain parts of VMWare into.From here, you would just take the defaults.When it asks you to accept the license agreement, please do so, so that you can proceed on with the install.

You will probably run across this question:

“None of the pre-built vmmon modules for VMware Server is suitable for your running kernel.Do you want this program to try to build the vmmon module for your system (you need to have a C compiler installed on your system)?”

You will need to answer “yes” to this question (which is the default).

VMWare Networking Setup

The next question is “Do you want networking for your virtual machines? (yes/no/help)”.Answer yes, as we want to create a network setup for your public network device, so that you can access the internet on your virtual machines.

The next question you will be asked is “Your computer has multiple ethernet network interfaces available: eth0, eth1. Which one do you want to bridge to vmnet0?”.This is a very important question.Remember, the way all Softlayer servers are setup and run are that the public network runs on eth1 and the private network runs off of eth0.In VMWare, the default bridge device for vmnet0is eth0, which is definaltely not what we are going to want to do, especially if we are wanting to have internet access from the virtual machines.So, instead of pressing enter, type in: eth1.

Bridging the Private Network (Softlayer Style)

The next question can either be answered as yes or no.The question is “Do you wish to configure another bridged network?”. If you plan on running services or other applications off of your private network, then you should probably actually proceed with “yes” to this question.So that everything is covered, go ahead and say “yes” (unless you know you won’t be using the private network), so that we can create a network bridge to your private network.Once, you type in “yes” and press enter, it will automatically use eth0 as the interface, as that is the only one left available (since you only have two network cards in the server).

Other Networking Settings

You will be presented with a few other questions regarding the network setup of VMWare Server.Please proceed with the following recommendations:

“Do you want to be able to use NAT networking in your virtual machines?”

·Proceed with “yes”

“Do you want this program to probe for an unused private subnet?”

·Proceed with “yes”

·Once this completes, make sure you do not configure another NAT network.

“Do you want to be able to use host-only networking in your virtual machines?”

·Proceed with “yes”

“Do you want this program to probe for an unused private subnet?”

·Proceed with “yes”

·Once this completes, make sure you do not configure another host-only network.

Specifying Listening Port

The next question it is going to ask is what port you are wanting VMWare server to listen on, and the default port is 904.Some people change this, but personally I keep it set to the default.

Where To Store The Virtual Machines

The next question that the installer asks is “In which directory do you want to keep your virtual machine files?”.The default place is /var/lib/vmware/Virtual Machines, however, I recommend that you place the virtual machines in a place where you have plenty of disk space, such as a redundant RAID array or a large secondary hard drive.Always make sure that you have enough room for a virtual machine.In this case, you could use a mount point /data/vm, that is mounted to a large disk.

Provide Serial Number for VMWare

The final part of the installation requires you to insert a VMWare license key/serial number.You should already have one, if you followed the instructions in this article.If you have not generated a license key,yet, please do by going to the URL mentioned at the beginning of this article.If you have the serial number for this VMWare server, please insert it into the prompt and then press enter.

You should see something similar to the following:

·“The configuration of VMware Server 1.0.3 build-44356 for Linux for this running kernel completed successfully.”

VMWare is now set up on your server.Now, all that is left to do is download the VMWare Server Console, which is the GUI client for your VMWare server that allows you to set up, configure, and install virtual machines.

Downloading VMWare Server Console

The VMWare Server Console is the client application for VMWare Server.It allows you to literally manage the VMWare server as a whole.You can create,configure, and install virtual machines, just with a click of some buttons. In order to get this installed, you actually have to download the VMware Server Windows client package, which is located on the same that you downloaded VMWare for Linux at the beginning of this article.This package is the .zip file.Once it has downloaded to the system, just extract the package wherever you find it convenient to and install the VMware-console-1.0.3-x file.When this has completed installing, you are done installing the VMWare Server Console and you are ready to configure your VMWare server.

Note: This article does not cover how to configure VMWare server or even set up virtual machines.Setting up virtual machines are somewhat self-explainatory, however, if you want some assistance in doing so, please open a support ticket and we can walk you through a few things, however, we do not currently support VMWare or any Virtualization products.

Logging into the VMWare Console

Open the VMWare Server Console from the computer you installed it on.When it loads you will be prompted with a “Switch Host” (login) screen.Use the following credentials (and use the screenshot for reference).VMWare Server uses the Linux system username/passwords to authenticate users, so you will need to use the usernames (root in particular) to login to VMWare.

Hostname: IP address plus port (e.g. 67.228.160.201:904)
User Name: root
Password: password (use the real root password of the system)

Configuring The Firewall Rules (IPTables)

If you have any issues actually connecting to the VMWare server, and it is not an authentication issue (if you get a username/password error then you have a bad user or password), then your firewall might be blocking you from connecting to the VMWare Server.To resolve this, try adding the following IPTable rule into your /etc/sysconfig/iptables file (and make sure that the naming convention follows your server configuation, as my rule might be slightly wrong if your chain is named differently):

·# -A FWALL-INPUT -p tcp -m tcp -s 0/0 –dport 904 -j ACCEPT

Wrapping Things Up

That just about wraps things up on how to install VMWare and at least get things started.Even though we currently do not yet support VMWare, any one of the Support Technicians will be more than happy to try to assist you and answer any questions you may have.

DoS: looking at open connections

by

Here is a command line to run on your server if you think your server is under attack. It prints our a list of open connections to your server and sorts them by ammount.

RedHat: netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

BSD: netstat -na |awk ‘{print $5}’ |cut -d “.” -f1,2,3,4 |sort |uniq -c |sort -n

You can also check for connections by running the following command.
netstat -plan | grep :80 | awk ‘{print $4 }’ | sort -n | uniq -c | sort

These are few step to be taken when you feel the server is under attack:
——————————————————————————-
Step 1: Check the load using the command “w”.
Step 2: Check which service is utilizing maximum CPU by “nice top”.
Step 3: Check which IP is taking maximum connection by netstat -anpl|grep :80|awk {‘print $5’}|cut -d”:” -f1|sort|uniq -c|sort -n
Step 4: Then block the IP using firewall (APF or iptables “apf -d < IP>” )
——————————————————————————-

You can also implement security features in your server like:

1) Install apache modules like mod_dosevasive and mod_security in your server.
2) Configure APF and IPTABLES to reduce the DDOS
3) Basic server securing steps :
===============================
http://www.linuxdevcenter.com/pub/a/linux/2006/03/23/secure-your-server.html?page=1
===============================
4) Configure sysctl parameters in your server to drop attacks.

You can block the IP which is attacking your server using Ipsec from command prompt.
=========
>> netsh ipsec static add filterlist name=myfilterlist
>> netsh ipsec static add filter filterlist=myfilterlist srcaddr=a.b.c.d dstaddr=Me
>> netsh ipsec static add filteraction name=myaction action=block
>> netsh ipsec static add policy name=mypolicy assign=yes
>> netsh ipsec static add rule name=myrule policy=mypolicy filterlist=myfilterlist filteraction=myaction
========

How do I permit specific users SSH access?

by

We will be primarily working with one configuration file in this article:

  • OpenSSH/etc/ssh/sshd_config

OpenSSH

For locking down which users may or may not access the server you will want to look into one, or more, of the following directives:

User/Group Based Access

AllowGroups

This keyword can be followed by a list of group name patterns, separated by spaces.If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.`*' and `?' can be used as wildcards in the patterns.Only group names are valid; a numerical group ID is not recognized.By default, login is allowed for all groups.

AllowUsers

This keyword can be followed by a list of user name patterns, separated by spaces.If specified, login is allowed only for user names that match one of the patterns.`*' and `?' can be used as wildcards in the patterns.Only user names are valid; a numerical user ID is not recognized.By default, login is allowed for all users.If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

DenyGroups

This keyword can be followed by a list of group name patterns, separated by spaces.Login is disallowed for users whose primary group or supplementary group list matches one of the patterns.
`*' and `?' can be used as wildcards in the patterns.Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups.

DenyUsers

This keyword can be followed by a list of user name patterns, separated by spaces.Login is disallowed for user names that match one of the patterns.`*' and `?' can be used as wildcards in the patterns.Only user names are valid; a numerical user ID is not recognized.By default, login is allowed for all users.
If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

The first thing to do is backup the original configuration file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config{,.`date +%s`}

We will now need to edit the configuration file with your favorite editor (vi/vim/ed/joe/nano/pico/emacs.)

An example of only allowing two specific users, admin and bob, to login to the server will be:

/etc/ssh/sshd_config:

AllowUsers admin bob

Ifyou would like to more easily control this for the future then you can create a Group on the server that will be allowed to login to the server, adding individual users as needed (replace username with the actual user):

shell:

groupadd –r sshusers

usermod –a –G sshusers username

With this we will no longer be using AllowUsers but AllowGroups

/etc/ssh/sshd_config:

AllowGroups sshusers

The alternatives to these directives are DenyGroups and DenyUsers which perform the exact opposite of the aforementioned AllowGroups and AllowUsers.
When complete you will want to make sure that sshd will read in the new configuration without breaking.

/usr/sbin/sshd –t

echo $?

We will want to see a 0 following the “echo $?’’ command.Otherwise we should also see an error stating what the erroneous data is:

sshd_config: line 112: Bad configuration option: allowuser
sshd_config: terminating, 1 bad configuration options

After verification we will simply need to restart sshd.This can be performed via many different methods, for which we will assume a sysv-compatible system:

/etc/init.d/sshd restart

Make sure to not disconnect your ssh session but create a new one as a ‘just incase’.
Verify that you can perform any required actions with this user(eg: su into root if you are not allowing root logins.)

Chrootkit help

by

SSH as admin to your server. DO NOT use telnet, it should be disabled anyways.

#Change to root
su –

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

# Check the MD5 SUM of the download for security:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

md5sum chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be ‘not found’ or ‘not infected’…

Important Note: If you see ‘Checking `bindshell’… INFECTED (PORTS:  465)’ read on.
I’m running PortSentry/klaxon. What’s wrong with the bindshell test?
If you’re running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test
(ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp,
31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:
pico /etc/cron.daily/chkrootkit.sh

Insert the following to the new file:
#!/bin/bash
cd /yourinstallpath/chkrootkit-0.42b/
./chkrootkit | mail -s “Daily chkrootkit from Servername” [email protected]

Important:
1. Replace ‘yourinstallpath’ with the actual path to where you unpacked Chkrootkit.
2. Change ‘Servername’ to the server your running so you know where it’s coming from.
3. Change ‘[email protected]’ to your actual email address where the script will mail you.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.
cd /etc/cron.daily/

./chkrootkit.sh

You’ll now receive a nice email with the report! This will now happen everyday so you don’t have to run it manually.

Rootkit help

by

RootKit — Spyware and Junkware detection and removal tool

Go to Rootkit Hunter homepage, and download the latest release. http://www.rootkit.nl/projects/rootkit_hunter.html

## Get the latest source and untar
# cd /usr/src/utils
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
# tar xfz rkhunter-*.gz
# cd rkhunter
# ./installer.sh
## run rkhunter
# rkhunter -c
Setup automatic protection on System Reboot
## Edit /etc/rc.d/rc.local
##      (or similar file depending on Linux version)
## Add the following lines at the bottom of the file

/usr/local/sbin/apf –start
/usr/local/ddos/ddos.sh -c

URL injections information

by

URL Injection attacks typically mean the server for which the IP address of the attacker is bound is a compromised server.
Please check the server behind the IP address above for suspicious files in /tmp, /var/tmp, /dev/shm, along with checking the process tree (ps -efl or ps -auwx).
You may also want to check out http://www.chkrootkit.org/ and http://www.rootkit.nl/ as tools which should be used in addition to checking the directories and process tree.
Please use “ls -lab” for checking directories as sometimes compromised servers will have hidden files that a regular “ls” will not show.

(see http://en.wikipedia.org/wiki/Remote_File_Inclusion )

1) Installing some apache modules like mod_security and configuring it to prevent $GET requests (this is what happened from your server this time).
2) In order to prevent URL injection you can also :
# Turn off fopen url wrappers
# Disable wget / fetch / lynx binaries
3) Make use of all the utilities provided to you in the Security section of your WHM
4) You can also follow the steps outlined at : http://www.topwebhosts.org/tools/apf-bfd-ddos-rootkit.php
5) Schedule regular security audits on a timely basis – either monthly or weekly – where you can run chkrootkit and rkhunter and scan for vulnerabilities.

Securing the TMP Partition and Tracking Hacks

by

Are your temp partitions putting out behind your back? Anyone who’s ever administered a Linux server would know the risk of leaving the /tmp directory unsecured, moreso on a webserver that is shared among multiple websites.

The tmp directory is world-writeable and used by a majority of services on a machine — including the storage of PHP and MySQL session files. One issue that I’ve seen on older servers is that one customer’s poorly-coded website would get exploited and end up downloading a file into the /tmp directory, then have that hack file executed on the server as a nobody-owned process. Hack processes are the easiest to find, as they always have a little something extra.

This should go without saying, but hack processes can run from almost anywhere, not just /tmp. I’m mainly bringing up the tmp directory because it’s the most targeted location for hack files if it isn’t secured properly.

Identifying Hack Processes

To start out, log into your server as root as issue the following command to see all the nobody-owned processes running on the machine. This is assuming that Apache on your webserver runs as ‘nobody’:

root@localhost[~] ps -efw |grep nobody |more

A majority of the output will reflect legitimate Apache processes:

nobody 8748 25841 0 21:35 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL
nobody 8785 25841 0 21:35 ? 00:00:01 /usr/local/apache/bin/httpd -DSSL
nobody 8988 25841 0 21:36 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL

You’ll see that they all have the same parent process ID of ‘25841′ and all of the commands look about the same. However, you may see something that looks like this:

nobody 15707 26407 0 11:18 ? 00:00:00 [sh <defunct>]
nobody 15717 1 0 11:18 ? 00:00:04 /usr/bin/perl
nobody 13016 1 0 14:14 ? 00:00:00 /usr/bin/perl

nobody 8988 1 0 21:36 ? 00:00:00 /usr/local/apache/bin/httpd -DSSL -d3

All of these are hack processes. A few things to look for:

– Perl and shell (sh) processes on most systems run as the user that is executing them, not ‘nobody’. If this is true on your system, a nobody-owned perl process is probably a hack

– The parent ID of the process is different than all the others of the same service — these can be easily faked

– For Apache, an extra little switch on the end of the command (../httpd -DSSL -d3) – ‘d3′ is usually the name of the hack file that is being executed through Apache (not always).

Now I know you probably have the urge to kill -9 it, but don’t. Killing a hack process before determining what it is or where it came from is only going to let it happen again.

Tracking the process:

Once you know which processes should not be running, you need to know where they came from. The *easiest* way to track a process is through the lsof command. If you take the process ID (not the parent) and run an lsof it will tell you everything you want to know:

lsof -p 8748

From here I can see that this process is running from a folder in a user’s account. All I need to do now is kill it off, then remove the hack files from that user’s directory and let them know to update their shit.

TMP Directory Hacks

I’ve seen my fair share, but many hack processes will be spawned from the temp partitions of the server (like /tmp, /tmpDIR, /dev/shm), as these are usually set to 777 to allow programs to store their temporary files. When you first look in your TMP directory you’re going to see a lot of stuff — this is normal, but you’ll want to look for nobody-owned files that stand out. Just a hint, some hacks will try to trick you with their names. I have seen many that are named “…” or “httpd” to make them look legitimate, but I know that httpd (the service that runs Apache) should not be in the tmp directory…and that’s what makes it stand out.

Securing the tmp Partition

I’m not going to go too far into this here, because there’s already a very good website with this information available.

If you are on a cPanel server, you should run /scripts/securetmp in addition to following the instructions above.