12 Jan

Configuring and administering UFW using commands

Administering UFW

UFW (Uncomplicated Firewall) manages firewall rules on Ubuntu, Debian and Arch Linux. The commands below cover day-to-day administration of UFW.

To install UFW, execute:

sudo apt-get install ufw

Allow Rules

Always add an allow rule for SSH first, so that enabling the firewall does not cut off your own remote session:

sudo ufw allow ssh

or

sudo ufw allow 22

You can allow or deny a service based on protocol. For example, to allow TCP on port 80, execute:

sudo ufw allow 80/tcp

or

sudo ufw allow http/tcp

To allow HTTPS on port 443, execute:

sudo ufw allow 443/tcp

or

sudo ufw allow https/tcp

To allow UDP on port 1234, execute:

sudo ufw allow 1234/udp

To allow all traffic from a specific IP address (111.222.333.444 is a placeholder, not a valid address; substitute your own), execute:

sudo ufw allow from 111.222.333.444

The same form accepts a subnet in CIDR notation in place of the single address, and appending "to any port 80" to either variant restricts that IP address or subnet to a specific port, say port 80.

Block Traffic

To deny all traffic from a particular IP address, execute:

sudo ufw deny from 111.222.333.444

To deny traffic from a particular IP address on a specific network interface (eth1 here), execute:

sudo ufw deny in on eth1 from 111.222.333.444

To allow a service only on a private Ethernet interface, say eth1 (port 3306 in this example), execute:

sudo ufw allow in on eth1 to any port 3306

To list the rules set in UFW, execute:

sudo ufw status

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
3306                       ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
8080/tcp (v6)              ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
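
A listing like the one above is where a rule audit starts: anything ALLOWed from Anywhere that is not meant to be public (here 8080/tcp and port 3306) deserves a "from <address>" or "in on <interface>" restriction instead. The script below is an added example, not part of the original post: it parses ufw status text with awk and prints such rules. The function name ufw_world_open and the SAMPLE_STATUS text are mine; the sample is a constructed copy of the table above, including the IPv6 rows as ufw prints them.

```sh
#!/bin/sh
# Constructed sample of `ufw status` output in the layout the post shows.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
3306                       ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)'

# ufw_world_open STATUS_TEXT "PORT PORT ..."
# Prints every "To" target that is ALLOWed from Anywhere (v4 or v6) and whose
# port is not on the space-separated list of ports you intend to be public.
# Handles "8080/tcp", "3306 (v6)" and the "ALLOW IN" form of newer ufw.
ufw_world_open() {
    printf '%s\n' "$1" | awk -v public="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        {
            if (!match($0, /ALLOW|DENY|REJECT|LIMIT/)) next   # header and blank lines
            action = substr($0, RSTART, RLENGTH)
            to     = trim(substr($0, 1, RSTART - 1))
            from   = trim(substr($0, RSTART + RLENGTH))
            sub(/^(IN|OUT|FWD)[ \t]+/, "", from)              # "ALLOW IN   Anywhere"
            if (action != "ALLOW" || from !~ /^Anywhere/) next
            port = to
            sub(/ \(v6\)$/, "", port)                         # "3306 (v6)" -> "3306"
            sub(/\/(tcp|udp)$/, "", port)                     # "8080/tcp"  -> "8080"
            if (!(port in ok)) print to
        }'
}

# Stand-alone run: report anything other than SSH and HTTP(S) that the
# sample rule set exposes to every source address.
ufw_world_open "$SAMPLE_STATUS" "22 80 443"
```

On a live host feed it the real listing: ufw_world_open "$(sudo ufw status)" "22 80 443". An empty result means every world-reachable rule is on your intended public list.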

To enable the UFW firewall, execute:

sudo ufw enable

To disable the UFW firewall, execute:

sudo ufw disable

To enable UFW logging, execute:

sudo ufw logging on

Reference: https://en.wikipedia.org/wiki/Uncomplicated_Firewall

11 Jan

Linux network performance tuning

Why do we need to fine-tune network settings?

Usually the default network parameters that ship with the OS can handle regular traffic. But if you are managing a high-traffic server and your application feels sluggish, then it is worth tuning the network settings of your Linux operating system.

TCP Connection Establishment

As you know, web servers and application servers generally use the Transmission Control Protocol (TCP) for client-server communication. TCP is a connection-oriented protocol: the sender and receiver need to establish a reliable connection between them before transmitting data. As the first step, the sender sends a connection request (SYN) to the receiver. If the receiver is ready to accept data, it sends back an acknowledgement (ACK) with the SYN bit set. The sender then acknowledges the receiver's initial sequence number and its ACK, and starts transferring data.

Flow Control & Window Scaling

Since the sender and receiver may not have the same network speed, TCP uses a flow-control mechanism called the sliding window protocol so that both sides transmit at a rate the other can handle. The receiver and the sender exchange information about the amount of data they can accept in a TCP header field called the receive window; the receiver updates this field with the amount of data it can currently accept.

On seeing the value, the sender adjusts its transmission so that it does not send more than this window size until an acknowledgement is received from the receiver. Once an acknowledgement arrives and the receiver has declared a new receive window size, the sender can transmit the next set of data. Originally, the maximum receive window size that could be carried in a TCP header was 65,535 bytes. With a newer feature called Window Scaling, the limit is raised to a maximum of 1,073,725,440 bytes (about 1 GB).

Bandwidth Delay Product (BDP): the amount of data in transit between two hosts equals Bandwidth * RTT, or in other words:

BDP (bytes) = total bandwidth (KBytes/sec) x round trip time (ms)

The network throughput <= TCP buffer size / RTT

The TCP window size needs to be large enough to accommodate network bandwidth x maximum expected delay, i.e.

TCP window size >= BW * RTT

On a 100 Mbps network with a round trip time (RTT) of 150 ms and a TCP buffer size of 128 KB, the Bandwidth Delay Product is 1.88 MB and the maximum throughput is <= 6.99 Mbps. To make full use of the 100 Mbps link at 150 ms RTT, the TCP buffer size should be >= 1831.1 KB.
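
As an added worked example (not from the original post), the shell functions below carry the arithmetic above through with the post's figures, using the post's units (Mbps is decimal, KB is 1024 bytes), and also show what the old 65,535-byte window cap does to throughput at the same RTT. The names bdp_bytes, max_throughput_bps and required_buffer_kb are mine; awk does the arithmetic because /bin/sh has no floating point.

```sh
#!/bin/sh
# bdp_bytes BANDWIDTH_MBPS RTT_MS
# Bytes that can be in flight on the link:
#   bw * 10^6 bit/s  *  rtt * 10^-3 s  /  8 bit per byte  =  bw * rtt * 125 bytes
bdp_bytes() {
    awk -v bw="$1" -v rtt="$2" 'BEGIN { printf "%d\n", bw * rtt * 125 }'
}

# max_throughput_bps BUFFER_BYTES RTT_MS
# Upper bound on throughput when the window is capped at BUFFER_BYTES: at most
# one window per round trip, so buffer * 8 bits / (rtt / 1000) seconds.
max_throughput_bps() {
    awk -v buf="$1" -v rtt="$2" 'BEGIN { printf "%d\n", int(buf * 8000 / rtt) }'
}

# required_buffer_kb BANDWIDTH_MBPS RTT_MS
# Window (in KB of 1024 bytes, as the post counts it) needed to fill the link.
required_buffer_kb() {
    awk -v bw="$1" -v rtt="$2" 'BEGIN { printf "%.1f\n", bw * rtt * 125 / 1024 }'
}

# Walk through the post's scenario: 100 Mbps, 150 ms RTT, 128 KB (131072-byte) buffer.
echo "BDP:                                   $(bdp_bytes 100 150) bytes"
echo "Throughput with a 128 KB buffer:       $(max_throughput_bps 131072 150) bit/s"
echo "Throughput with the 65535-byte cap:    $(max_throughput_bps 65535 150) bit/s"
echo "Buffer needed to fill 100 Mbps:        $(required_buffer_kb 100 150) KB"
echo "Throughput once the buffer is BDP-sized: $(max_throughput_bps "$(bdp_bytes 100 150)" 150) bit/s"
```

The last line is the point of the section: with the window sized to the BDP the link itself becomes the limit again, while without window scaling the 65,535-byte cap holds a 100 Mbps path at 150 ms RTT to roughly 3.5 Mbps.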

Window Scaling

In the network above, the 64 KB limit wastes 1815 kilobytes of window size (1880-65), so we need to enable the Window Scaling feature. We can change the window scaling parameter in Linux by editing the sysctl.conf file and setting the parameter below to 1.

net.ipv4.tcp_window_scaling = 1

You can do the same by executing the command below (as root):

echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf

Obtain TCP Memory Values

Now obtain the TCP memory values by executing the command below:

cat /proc/sys/net/ipv4/tcp_mem

To view the receive socket memory size, execute the two commands below (maximum value, then default value):

cat /proc/sys/net/core/rmem_max
cat /proc/sys/net/core/rmem_default

To view the send socket memory size, execute the two commands below. The first gives the maximum value and the second the default value.

cat /proc/sys/net/core/wmem_max
cat /proc/sys/net/core/wmem_default

To view the maximum amount of option memory buffers, execute:

cat /proc/sys/net/core/optmem_max

Performance Tuning

If the receive socket memory size is small, the sender can only send an amount of data equal to the receiver's socket memory size before it has to wait for an acknowledgement. So we need to raise this value, say to 32MB. Likewise, the send socket memory size also needs to be large, say 32MB. For a 10Gbps network with an RTT of 100ms the value can be as high as 64MB; if the RTT is 50ms, it can be increased to 128MB.

echo 'net.core.wmem_max=33554432' >> /etc/sysctl.conf
echo 'net.core.rmem_max=33554432' >> /etc/sysctl.conf

The next step is to raise the Linux autotuning TCP buffer limit to 16MB. The three values are the minimum receive window size guaranteed to each TCP connection even when the server is under high load, the default value allocated to each connection, and the maximum. Since we are using the window scaling feature, the window grows dynamically up to the maximum receive window size, 16777216 bytes. For a 10Gbps network with an RTT of 100ms the value can be as high as 32MB; if the RTT is 50ms, it can be increased to 128MB.

echo 'net.ipv4.tcp_rmem = 4096 87380 16777216' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_wmem = 4096 65536 16777216' >> /etc/sysctl.conf

It is also recommended to set net.ipv4.tcp_timestamps and net.ipv4.tcp_sack to 1, which can reduce CPU load.

echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf

View congestion control algorithms

To view the list of congestion control algorithms available on your machine, execute the command below. It is recommended to set htcp as the congestion control mechanism.

sysctl net.ipv4.tcp_available_congestion_control

To set htcp as your congestion control algorithm, execute:

sysctl -w net.ipv4.tcp_congestion_control=htcp

It is also recommended to increase the incoming connection backlog queue. net.core.netdev_max_backlog sets the maximum number of packets queued on the INPUT side when the interface receives packets faster than the kernel can process them.

echo 'net.core.netdev_max_backlog = 65536' >> /etc/sysctl.conf

View the performance tuning done

To reload the settings from /etc/sysctl.conf, execute:

sysctl -p

We can use tcpdump to watch the traffic on eth1 (substitute your NIC):

tcpdump -ni eth1

07 Jan
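
sysctl -p reports errors but carries on, so a typo in a key name or a congestion-control module that is not loaded leaves the old value in place while the rest of the file applies. The added example below, not part of the original post, compares a desired sysctl.conf-style list against a sysctl -a snapshot and prints every drifted or missing key, normalising whitespace so that "4096 87380 16777216" matches the tab-separated form the kernel prints. The function sysctl_drift, the DESIRED text and the CURRENT_SYSCTL snapshot are constructed by me; the snapshot models a host where only part of the tuning took effect.

```sh
#!/bin/sh
# Settings from the post as they would sit in /etc/sysctl.conf (constructed;
# spacing around "=" deliberately varies, as it does in the post).
DESIRED='# tuning from the post
net.ipv4.tcp_window_scaling = 1
net.core.rmem_max=33554432
net.core.wmem_max=33554432
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_congestion_control=htcp
net.core.netdev_max_backlog = 65536'

# Constructed `sysctl -a` snapshot of a host where only part of the tuning
# applied (the kernel prints multi-value keys tab-separated).
CURRENT_SYSCTL='net.ipv4.tcp_window_scaling = 1
net.core.rmem_max = 212992
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096	87380	16777216
net.ipv4.tcp_congestion_control = cubic
net.core.netdev_max_backlog = 1000'

# sysctl_drift DESIRED_TEXT CURRENT_TEXT
# Prints "key wanted actual" for every desired key whose live value differs,
# and "key wanted MISSING" for desired keys absent from the snapshot.
sysctl_drift() {
    printf '%s\n' "$2" | awk -v desired="$1" '
        function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s }
        BEGIN {
            n = split(desired, line, "\n")
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /^[ \t]*#/ || line[i] ~ /^[ \t]*$/) continue   # comments, blanks
                eq = index(line[i], "="); if (eq == 0) continue
                want[norm(substr(line[i], 1, eq - 1))] = norm(substr(line[i], eq + 1))
            }
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = norm(substr($0, 1, eq - 1)); v = norm(substr($0, eq + 1))
            if (!(k in want)) next
            seen[k] = 1
            if (v != want[k]) print k, want[k], v
        }
        END { for (k in want) if (!(k in seen)) print k, want[k], "MISSING" }'
}

# Stand-alone run against the constructed snapshot. On a real host, as root:
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
sysctl_drift "$DESIRED" "$CURRENT_SYSCTL"
```

Running this after sysctl -p turns "I appended the lines" into "the kernel is using these values", which is the check worth putting in a cron job on a server whose tuning matters.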

Commands to delete files older than X days

Delete files older than X days

To delete files older than X days, execute one of the commands below. They remove files under a specific directory on your machine/server; to change the age, replace 90 with your own value.

find /directory/path/to/your/file -mindepth 1 -mtime +90 -delete

or

find /directory/path/to/your/file -type f -mtime +90 -exec rm {} \;

or

find /directory/path/to/your/file -mindepth 1 -type f -mtime +90 -print0 | xargs -0 rm
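
Whichever form you pick, two things go wrong in practice: a plain find | xargs rm (without -print0 and -0) splits file names that contain spaces or newlines, and an empty or mistyped directory variable turns the cron job into a disk wipe. The added example below is mine, not from the original post: purge_older_than validates its arguments and uses find -exec rm -- {} + so every path reaches rm intact, and make_fixture builds a throw-away directory with backdated files to show it working. Both function names are my own.

```sh
#!/bin/sh
# purge_older_than DIR DAYS
# Deletes regular files under DIR whose modification time is more than DAYS
# days old. "-exec rm -f -- {} +" hands the paths straight to rm, so names
# with spaces or newlines are safe. Refuses an empty DIR or "/", the two
# classic ways such a cron job empties a server.
purge_older_than() {
    dir=$1
    days=$2
    case "$dir" in
        ''|/) echo "refusing to purge '$dir'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    case "$days" in
        ''|*[!0-9]*) echo "DAYS must be a whole number" >&2; return 1 ;;
    esac
    find "$dir" -mindepth 1 -type f -mtime +"$days" -exec rm -f -- {} +
}

# make_fixture: build a throw-away tree with two files backdated to 2020 (one
# with a space in its name, one in a subdirectory) and one current file.
# Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    printf 'x\n' > "$d/old report.log"
    printf 'x\n' > "$d/sub/old.log"
    printf 'x\n' > "$d/new.log"
    touch -t 202001010000 "$d/old report.log" "$d/sub/old.log"
    printf '%s\n' "$d"
}

# Stand-alone demo: only new.log should survive a 90-day purge.
DEMO=$(make_fixture)
purge_older_than "$DEMO" 90
find "$DEMO" -type f
rm -rf "$DEMO"
```

On GNU find the -delete primary (the post's first form) is equivalent and avoids spawning rm at all; the -exec form is used here because it is POSIX and works on BSD and busybox find too.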


07 Jan

Samba Slow – Oplock break failed for file

Oplock break failed – Slow copying of files in Samba

If you are facing sluggishness when copying files to your Samba share, there is a good chance that it is caused by the error “Oplock break failed for file” in /var/log/syslog (Ubuntu) or /var/log/messages (other Linux distributions).

To resolve this, you may need to add the entries below to the [global] section of your smb.conf (/etc/samba/smb.conf):

[global]
.......
.......
kernel oplocks = no
nt acl support = no
strict locking = no

Then add the entries below under the [your share name] section of smb.conf:

[your share name]
........
........
oplocks = no
share modes = no
locking = no
acl check permissions = false
level2 oplocks = no
strict locking = no
blocking locks = no

26 Jul

Remove broken packages in Ubuntu

In order to remove broken packages in Ubuntu, execute the steps below.

First, update your package list:

sudo apt-get update

Then, to clean up any partial packages, execute:

sudo apt-get autoclean

To clean up the apt cache, execute:

sudo apt-get clean

To clean up any unneeded dependencies, execute:

sudo apt-get autoremove

Finally, to identify the broken package and forcefully remove it, execute the command below (substitute the package name):

sudo dpkg --remove --force-remove-reinstreq <package name>

Also remove any dependent packages, if any.

Alternatively, you may try the following:

sudo apt-get update --fix-missing

then execute:

sudo dpkg --configure -a

Once done, execute:

sudo apt-get install -f

05 Oct

C-Panel Server Security Hardening Script

The script below hardens a cPanel server. Review the variables at the top (download base URL, mail address, options) before running it, and run it only on a fresh cPanel server.

#!/bin/sh
#
# Please report any bugs/suggestions to : support@yourdomain.com
#
### TODO
# secure the libexec/htdocs directory for mrtg.
###
export LANG=C LC_ALL=C
export PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/root/bin:/usr/X11R6/bin"
unalias -a
clear
#set -x
#### REVIEW THE VARIABLES BELOW ####
APF=apf-new.tar.gz
BFD=bfd-current.tar.gz #bfd-noapf.tar.gz will be installed on a dedicated server.
MODSEC=mod_security.tar.gz
#MODDOS=mod_evasive.tar.gz #Dont use this now.
CHKROOTKIT=chkrootkit.tar.gz
RKHUNTER=rkhunter.tar.gz
#Misc vars
MAILME=y
MAILADDR=support@yourdomain.com
#Set up vars
BASEDIR=/usr/src
BASEURL=acela.dizinc.com/utils
#Files
CPCONF=/var/cpanel/cpanel.config
HTTPCONF=/usr/local/apache/conf/httpd.conf
#LOG=/tmp/secure.log #Logging not implemented.
#Setting options
DEDSERVER=
INSTAPF=
INSTAOL=
DEFEXIMCONF=
# Colors, just for fun.
RED='\033[01;31m'
GREEN='\033[01;32m'
YELLOW='\033[01;33m'
BLUE='\033[01;34m'
WHITE='\033[01;37m'
RESET='\033[0m'
TL='\t\t\n\n'
######## NOTES
# DO NOT UPGRADE OPENSSL ON SERVERS.
########
#Some checks
if [ "$UID" -ne "0" ]; then
echo -e "${TL}${GREEN}You must be root to run this script.${RESET}"
exit 1
fi

if [ ! -d /var/cpanel ]; then
echo -e "${TL}${GREEN}Are you sure this is a cpanel server?${RESET}"
exit 1
fi
#sed #Commented this out - dont need it since sed works fine on our centos servers. have seen problems on some other linux distros though.
#echo "test=4" >$BASEDIR/testfile
#sed -i 's/^\(test=\).*/\14.1/' $BASEDIR/testfile
#if ! grep -q '4.1' $BASEDIR/testfile
#then
# echo -e "$GREEN"
# echo 'The sed installed on this machine does not support "-i".
# Quitting....'
# echo -e "$RESET"
# exit 1
#fi
#Print something
echo -e "$RED"
cat << EOF
This script is meant to be used on a fresh cPanel server to prepare it for deployment.

WARNING : TO BE USED ON A LINUX SERVER RUNNING CPANEL ONLY. USE AT YOUR OWN RISK!!!
Remember - YOU HAVE BEEN WARNED.

EOF
echo -e "$RESET"
sleep 2
#Some functions
defopts () {
rm -rfv /usr/src/secure.*
clear
echo -e "$BLUE"
cat <<EOF

Usage : $(basename $0) [-d] [-e] [-l] [-a]
Where
-d : Is a dedicated server
-e : Use custom exim.conf and exim.pl ( RBL and ACL'd )
-l : Install aol.pl
-a : Install APF ( Even if the server is a dedicated server )


EOF
echo -e "$RESET"
exit 1
}
# ======================================
#Checking opts
if [ "$#" -eq "0" ]; then
defopts
else
while getopts dela OPTION 2>/dev/null
do
case "$OPTION" in
d) DEDSERVER=y ;;
e) DEFEXIMCONF=y ;;
l) INSTAOL=y ;;
a) INSTAPF=y ;;
\?) defopts ;;
esac
done
fi
OPTIND=$((OPTIND -1))
shift $OPTIND

echo -e "${WHITE}We shall print out status information as we proceed.${RESET}"
# ========================================================================================
# Rebuild /usr/src
cd /usr/src

for DIR in /usr/src/redhat/{BUILD,SPECS,RPMS/{athlon,noarch,i386,i486,i586,i686,i786},SOURCES,SRPMS}
do
if [ ! -d $DIR ]; then
mkdir -p $DIR
fi
done
echo -e "${WHITE}/usr/src set up.${RESET}"
#Change BASEDIR #commented out - mktemp not working on some servers.
#BASEDIR=$(mktemp -d $BASEDIR/secure.XXXXXX) && export BASEDIR || echo "Unable to create ${BASEDIR}. Proceeding with $PWD as BASEDIR" #Not using this since mktemp does not work on some machines for unknown reasons.
DIRTEMP=secure.${RANDOM}
mkdir ${BASEDIR}/${DIRTEMP} && export BASEDIR=${BASEDIR}/${DIRTEMP}
cd $BASEDIR
echo -e "${WHITE}Directories set up.${RESET}"
# ==== Space for patches to be run before running the rest of the script ====
#patch for php 4.2, php 5 etc with mysql versions 4.1.18 - linker error about /usr/lib/mysql/libz.la - workaround by nishanth
#cd $BASEDIR
#if [ ! -f /usr/lib/mysql/libz.la ]
#then
# if [ ! -f /usr/lib/libzzip.la ]
# then
# wget http://layer1.cpanel.net/buildapache/1/ ... 0.13.38.tar.bz2
# tar jxf zziplib-0.13.38.tar.bz2
# cd zziplib-0.13.38
# ./configure --prefix=/usr
# make && make install
# fi
# ln -s /usr/lib/libzzip.la /usr/lib/mysql/libz.la
#fi

# ========================== pre patches end here ============================
#Find wget - may be needed on some machines.
#FILESLIST="/usr/bin/wget /usr/local/bin/wget /usr/bin/fetch /usr/local/bin/fetch"
#for FILE in ${FILESLIST}
#do
# if [ -x "$FILE" ] ; then
# WGET=${FILE}
# break 2
# fi
#echo "WGET not found...Quitting"
#exit 1
#done
#echo "Wget found at: $WGET"
#The following works as well.
#Ensure some RPM's are installed.
for RPM in wget lynx expect python-devel ncurses #Add any other rpms that may be needed
do
/scripts/ensurerpm ${RPM}
done
clear
if ! wget -q $BASEURL/test.html
then
echo "Unable to access $BASEURL. Please check resolver settings and firewall"
exit 1
fi
# =============== START HERE ============
# ========================================
#Some functions
#defopts () {
#rm -rfv /usr/src/secure.*
#clear
#echo -e "$BLUE"
#cat <<EOF
#
# Usage : $(basename $0) [-d] [-e] [-l] [-a] [-m]
# Where
# -d : Is a dedicated server
# -e : Use custom exim.conf and exim.pl ( RBL and ACL'd )
# -l : Install aol.pl
# -a : Install APF ( Even if the server is a dedicated server )
#
#
#EOF
#echo -e "$RESET"
#exit 1
#}
#
## ======================================
#
##Checking opts
#if [ "$#" -eq "0" ]; then
# defopts
#else
#
#while getopts dela OPTION 2>/dev/null
#do
# case "$OPTION" in
# d) DEDSERVER=y ;;
# e) DEFEXIMCONF=y ;;
# l) INSTAOL=y ;;
# a) INSTAPF=y ;;
# \?) defopts ;;
# esac
#done
#fi
#OPTIND=$((OPTIND -1))
#shift $OPTIND

# ========================================
#Run this in the background.
updatedb &

cd $BASEDIR
#Installing APF, BFD etc

if [ "$DEDSERVER" != "y" -o "$INSTAPF" = "y" ]; then
wget -q $BASEURL/$APF
if [ ! -f "$APF" ]; then
echo "APF not downloaded...Proceeding"
else
tar zxf $APF
cd apf-*
sh ./install
echo "APF installed and configured"
wget $BASEURL/port22to1291
/bin/sh port22to1291
echo "SSH Port for Shared Server is changed to 1291"
fi
fi
cd $BASEDIR

if [ ! -d /etc/apf ]; then
BFD=bfd-noapf.tar.gz
else
BFD=bfd-current.tar.gz
fi

wget -q $BASEURL/$BFD
if [ ! -f "$BFD" ]; then
echo "BFD not downloaded...Proceeding"
else
tar zxf $BFD
cd bfd-*
sh ./install.sh
echo "BFD installed and configured"
fi
cd $BASEDIR

#Installing MOD_SECURITY for apache
#wget -q $BASEURL/$MODSEC
#No need eas3 having default modsecurity
#if [ ! -f $MODSEC ]; then
# echo "MODSEC now downloaded...Proceeding"
#else
# tar zxf $MODSEC
# cd mod_sec*
# sh ./installer
# echo "mod_security installed"
# wget -q $BASEURL/secure/mod_security.conf-latest
# if [ -f mod_security.conf-latest ]; then
# mv -f mod_security.conf-latest /usr/local/apache/conf/mod_security.conf
# fi
# echo "mod_security configured with the latest config"
#fi
#cd $BASEDIR

#Commented out. We use Binish's scripts to block dos.
#Installing mod_dos
#wget -q $BASEURL/$MODDOS
#if [ ! -f $MODDOS ]; then
# echo "MODDOS now downloaded...Proceeding"
#else
# tar zxf $MODDOS
# cd mod_dos*
# sh ./install
# echo "mod_evasive installed"
#fi
#cd $BASEDIR

#Installing rkhunter
wget -q $BASEURL/$RKHUNTER
if [ ! -f $RKHUNTER ]; then
echo "Unable to download rkhunter...Proceeding"
else
tar zxf $RKHUNTER
cd rkhunter*
sh ./installer.sh
echo "rkhunter installed"
rkhunter --update
rkhunter -c -sk
fi
cd $BASEDIR

#And chkrootkit
wget -q $BASEURL/$CHKROOTKIT
if [ ! -f $CHKROOTKIT ]; then
echo "Unable to download chkrootkit"
else
tar zxf $CHKROOTKIT
cd chkrootkit*
make all
cd $BASEDIR
rm -fv $CHKROOTKIT
mv chkrootkit* /usr/local/
ln -sf /usr/local/chkrootkit*/chkrootkit /usr/local/sbin/
echo "Chkrootkit installed in /usr/local/"
fi
cd $BASEDIR

# ========================================

#Removing the securetmp entry if set
if mount | grep -q '/var/tmp'
then
sed -i 's/^\(\/scripts\/securetm.*\)/#\1/' /etc/rc.local
umount -l /var/tmp
rm -fv /usr/tmpDSK
fi

#Securing /tmp
cp -a /etc/fstab{,.bak}
sed -i '{/shm/d;/tmp/ s/defaults/noexec,nosuid,nodev,noatime/;}' /etc/fstab
umount -l /dev/shm
mv /var/tmp{,.old} && chmod 000 /var/tmp.old
ln -sf /tmp /var/
mount -o remount /tmp
#mount -a
echo "Securing /tmp and /var/tmp done"

#Now securing common vulnerable folders.
#The list is deliberately unquoted: quoting it would make the loop run once over the whole string.
for DIR in /var/spool/samba /var/mail/vbox /etc/httpd/proxy /var/cpanel/Counters /var/spool/vbox /usr/local/apache/proxy /usr/local/flash /dev/shm
do
if [ -d "$DIR" ]; then
chmod 755 $DIR
chown root:root $DIR
fi
done

echo "Common vulnerable folders secured"
cd $BASEDIR

#Chattr these dirs
chattr +i /usr/local/flash

# =======================================

#Installing some scripts

cd $BASEDIR
mkdir /root/{bin,scripts}
for FILE in portwatch sniffer block block-noapf aolrem killmail
do
#wget -q bini.amalji.com/$FILE #binish's scripts have been copied over to BASEURL
wget -q $BASEURL/secure/$FILE
[ -f $FILE ] && chmod +x $FILE && cp -vf $FILE ~/bin/
echo "$FILE copied to bin"
done

cd $BASEDIR
#Install some monitoring tools
for FILE in loadmon watchssl checkd ipcs diskspace
do
wget -q $BASEURL/secure/$FILE
[ -f "$FILE" ] && chmod +x $FILE && cp -vf $FILE ~/scripts/
echo "$FILE copied to scripts"
done

#Install the daily and weekly crons
wget -q $BASEURL/secure/weeklycron
[ -f weeklycron ] && chmod +x weeklycron && cp -vf weeklycron /etc/cron.weekly/
wget -q $BASEURL/secure/dailycron
[ -f dailycron ] && chmod +x dailycron && cp -vf dailycron /etc/cron.daily/

#Deny nobody's cron
echo "nobody" > /etc/cron.deny

# ==========================================

#Harden cpanel settings.
cd $BASEDIR
# commented out the following block. We shall download the modified $CPCONF
wget -q $BASEURL/secure/cpanel.config-latest
if [ -f cpanel.config-latest ]; then
echo "Resetting cpanel config to defaults"
cp -vf cpanel.config-latest ${CPCONF}
fi


# Commented out - version is 4.1 by default on new installs.
#setup mysql version
sed -i 's/mysql-version.*/mysql-version=5.0/g' /var/cpanel/cpanel.config
/scripts/mysqlup --force
#/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings

#if grep -q mysql-version $CPCONF
#then
# sed -i 's/^\(mysql-version=\).*$/\14.1/' $CPCONF
#else
# echo "mysql-version=4.1" >> $CPCONF
#fi

# Disable nobody mails
#if grep -q nobodyspam $CPCONF
#then
# sed -i 's/^\(nobodyspam=\).*$/\11/' $CPCONF
#else
# echo "nobodyspam=1" >> $CPCONF
#fi

#Change default mail action
#if grep -q defaultmailaction $CPCONF
#then
# sed -i 's/^\(defaultmailaction=\).*/\1fail/' $CPCONF
#else
# echo "defaultmailaction=fail" >> $CPCONF
#fi

#Other minor cpanel tweaks
#if grep -q awstatsbrowserupdate $CPCONF
#then
# sed -i 's/^\(awstatsbrowserupdate=\).*/\10/' $CPCONF
#else
# echo "awstatsbrowserupdate=0" >> $CPCONF
#fi

#Anti spam tweaks for cpanel
touch /etc/webspam /etc/eximmailtrap
/scripts/smtpmailgidonly on

#Set cpanel update to stable
# modified by sherin
cat > /etc/cpupdate.conf << EOF
BANDMINUP=inherit
COURIERUP=inherit
CPANEL=stable
EXIMUP=inherit
FTPUP=inherit
MYSQLUP=inherit
PYTHONUP=inherit
RPMUP=daily
SYSUP=daily
EOF

#Disable BoxTrapper
rm -rf /var/cpanel/version/boxtrapper
rm -rf /usr/local/cpanel/bin/boxtrapper*
#rm -rfv /home/*/etc/.boxtrapp*
#rm -rfv /home/*/etc/.boxtrapp*
#rm -rfv /home/*/etc/*/.boxtrapp*
#rm -rfv /home/*/etc/*/*/boxtrapp*

cat >$BASEDIR/upcp.sh << EOF
#!/bin/bash
perl /scripts/upcp --force
EOF
chmod 755 $BASEDIR/upcp.sh
bash -x $BASEDIR/upcp.sh
cat > /scripts/postupcp << EOF
#!/bin/sh
strip --strip-all /usr/local/cpanel/3rdparty/bin/php
#chattr -i /usr/local/cpanel/3rdparty/etc/php.ini
#/usr/local/cpanel/bin/checkphpini
#ln -s /usr/local/cpanel/3rdparty/fantastico /usr/local/cpanel/base/frontend/x
#ln -s /usr/local/cpanel/3rdparty/fantastico /usr/local/cpanel/base/frontend/bluelagoon
#ln -s /usr/local/cpanel/3rdparty/fantastico /usr/local/cpanel/base/frontend/monsoon
#chmod -R 0755 /usr/local/cpanel/3rdparty/etc/ixed
EOF
chmod +x /scripts/postupcp

#Fix for imap
ln -sf /usr/local/cpanel/3rdparty/bin/imapd /usr/sbin/
###fix spamassa
sa-compile
sa-update
/scripts/restartsrv exim
#Disable all pop's except cppop
#for FILE in $(find /etc/xinetd.d/*pop* | xargs grep -l 'disable = no')
#do
# sed -i 's/^\([ \t]disable.*\)/disable = yes/' $FILE
#done

# Am replacing the above code with this
echo -n "Disabling all xinetd services except cpimap.. "
cd /etc/xinetd.d
for i in *
do
[ "$i" != "cpimap" ] && sed -i 's/^[ \t]*disable.*/disable = yes/' /etc/xinetd.d/$i
done
echo ".. Done"

cd $BASEDIR

# ====================================

#Install pure-ftpd by default
/scripts/ftpup pure-ftpd
#/scripts/ftpup --force
/scripts/ftpupdate

#Add PassivePortRange for use with APF
sed -i 's/^#[ \t]\(PassivePort.*\)/\1/' /etc/pure-ftpd.conf
service pure-ftpd restart
#Can also be done with
#echo "--passiveportrange=30000:50000" >> /etc/sysconfig/pure-ftpd
#For proftpd
#echo "PassivePorts 30000 50000" >> /etc/proftpd.conf

# =====================================

#Upgrade mysql
#editing it as follows because we have mysql5 as standard with huge conf - sherin
/scripts/mysqlup --force
/scripts/perlinstaller --force Bundle::DBD::mysql
#rm -rf /root/.cpmysql* #remove old mysql mirrors
#/scripts/mysqlup --force
#/scripts/perlinstaller --force Bundle::DBD::mysql
#mysql_fix_privilege_tables

#Harden my.cnf
cp /etc/my.cnf{,.orig}
#echo "old-passwords" >> /etc/my.cnf
#echo "set-variable = max_user_connections=20" >> /etc/my.cnf
cat > /etc/my.cnf << NEOF
[mysqld]
skip-locking
key_buffer = 384M
max_allowed_packet = 1M
max_connections = 500
max_user_connections = 35
wait_timeout=40
connect_timeout=10
table_cache = 512
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 32M
thread_concurrency = 8
server-id = 1

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
NEOF

killall -9 mysqld safe_mysqld mysqld_safe 2>/dev/null
pkill -9 mysql
pkill -9 mysqld
/scripts/restartsrv mysql
#/etc/init.d/mysql restart > /dev/null
#Commented out - cpanel seems to be doing this automatically now.
#Reset mysql root password
# MYSQLROOTPASS="q09D$RANDOM"

#MYSQLROOTPASS=$(mkpasswd -s 0 -l 15)
#/etc/init.d/mysql stop
#sleep 1
#killall -9 mysqld safe_mysqld mysqld_safe 2>/dev/null
#sleep 5
#safe_mysqld --skip-grant-tables --skip-networking --user=mysql &
#sleep 5
#mysqladmin -u root flush-privileges password "$MYSQLROOTPASS"
#/etc/init.d/mysql stop
#sleep 2
#killall -9 mysqld safe_mysqld mysqld_safe 2>/dev/null
#/etc/init.d/mysql start
#mysql_fix_privilege_tables --password="$MYSQLROOTPASS"
#cat > ~/.my.cnf << EOF
#[client]
#user=root
#pass=$MYSQLROOTPASS
#EOF
#chmod 700 ~/.my.cnf

echo "Mysql secured"

# =========================================
#Run this
/scripts/fixcommonproblems

#Now apache
cat > /scripts/postbuildapache << EOF
#!/bin/sh
### Ensure that you do not enter an interactive command here (like installzendopt) - this is stupid ###
strip --strip-all /usr/local/apache/libexec/libphp* /usr/bin/php /usr/local/bin/php
#strip -strip-all /usr/local/apache/bin/httpd
EOF

chmod +x /scripts/postbuildapache

cp /usr/local/apache/conf/httpd.conf{,.orig}
echo -e "${RED}About to run easyapache from the pre-build profile generated for new servers.${RESET}"
sleep 2

cd $BASEDIR
wget $BASEURL/secure/secureserver.yaml
cp $BASEDIR/secureserver.yaml /var/cpanel/
/scripts/easyapache --profile=/var/cpanel/secureserver.yaml --build
rm -f /var/cpanel/secureserver.yaml
#Tweaking apache
#/scripts/apachelimits #Commented out - causing problems
/scripts/userdirctl on
/scripts/phpopenbasectl on

# =========================================

#Advanced hardening
#Disable unnecessary services.
for SERVICE in cups cups-config-daemon xfs netfs irda isdn nfs nfslock rhnsd anacron tux atd ip6tables mdmonitor bluetooth audit auditd rpcidmapd rpcsvcgssd rpcgssd canna iiim
do
service "$SERVICE" stop > /dev/null 2>&1
chkconfig "$SERVICE" off > /dev/null 2>&1
done

# cpanel's service manager tweak
cat >/etc/chkserv.d/chkservd.conf <<EOF
antirelayd:1
cpsrvd:1
entropychat:0
exim:1
exim-26:1
eximstats:1
ftpd:1
httpd:1
imap:1
interchange:0
melange:0
mysql:1
named:1
pop:1
spamd:1
syslogd:1
EOF

# Enable ftp conntrack if the server supports modules
if modprobe -al|grep -q ip_conntrack_ftp
then
echo modprobe ip_conntrack_ftp >> /etc/rc.local
modprobe ip_conntrack_ftp
sed -i 's/#\?[ \t]*IPTABLES_MODULES=\".*/IPTABLES_MODULES=\"ip_conntrack_ftp\"/' /etc/sysconfig/iptables-config
fi

#Default Firewall rules. APF is preconfigured with these rules
iptables -F
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j REJECT
for port in 6666 6667 6668 6669
do
iptables -I OUTPUT -p tcp --dport "$port" -j REJECT
done
/etc/init.d/iptables save
/etc/init.d/iptables restart

echo "Default rules saved"

# Enable DMA
/scripts/hdparmon && echo "/scripts/hdparmon" >> /etc/rc.local

# ==================================
#Exim

for FILE in /etc/rblwhitelist /etc/relayhosts /etc/rblbypass /etc/exim_deny /etc/rblblacklist
do
touch $FILE
done

# fix for exigrep
if [ ! -f /usr/bin/zcat ]; then
ln -s "$(which zcat)" /usr/bin/zcat
fi

/scripts/eximup --force
cp -a /etc/exim.conf{,.orig}
cp -a /etc/exim.pl{,.orig}

cd $BASEDIR
if [ "$DEDSERVER" != "y" -o "$DEFEXIMCONF" = "y" ]; then
wget -q $BASEURL/exim.conf-latest
if [ -f exim.conf-latest ]; then
cp -fv exim.conf-latest /etc/exim.conf
fi

wget -q $BASEURL/exim.pl-latest
if [ -f exim.pl-latest ]; then
cp -fv exim.pl-latest /etc/exim.pl
fi
service exim restart
fi

#Installing aol.pl
cd $BASEDIR
if [ "$DEDSERVER" != "y" -o "$INSTAOL" = "y" ]; then
wget -q $BASEURL/secure/aolrem
if [ -f aolrem ]; then
chmod +x aolrem
cp -fv aolrem /etc/cron.hourly/aol.pl
fi
fi

# =====================================

#Hardening the binaries
for FILE in $(which lynx) $(which wget) $(which curl) $(which scp) $(which ssh)
do
chmod 750 $FILE
done

#Hardening sshd_config
echo " " >> /etc/ssh/sshd_config
echo "#Inserting rule to stop TCP forwarding " >> /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
echo "#AllowUsers " >> /etc/ssh/sshd_config
sed -i 's/^#\(Protocol\).*/\1 2/' /etc/ssh/sshd_config
/etc/init.d/sshd restart
sleep 2

if ! /sbin/pidof sshd >/dev/null
then
/scripts/installrpm --force sshd
fi

#Hardening host.conf
echo "nospoof on" >> /etc/host.conf
echo "multi on" >> /etc/host.conf

#sysctl hardening
cd $BASEDIR
wget -q $BASEURL/secure/sysctl.conf-latest
cp -f /etc/sysctl.conf{,.orig}
mv -f sysctl.conf-latest /etc/sysctl.conf
sysctl -e -p /etc/sysctl.conf

#Check if all the perlmodules needed for cpanel is installed.
/usr/local/cpanel/bin/checkperlmodules

#Misc
:> /tmp/cmdtemp && chattr +i /tmp/cmdtemp

if grep -q DAILY /etc/updatedb.conf
then
sed -i 's/\(DAILY_UPDATE=\).*/\1yes/' /etc/updatedb.conf
fi

# ====================================
#prefs
cat >> ~/.alias <<EOF
alias ls='ls -lap --color'
alias grep='grep --color=auto'
alias less='less -r'
alias vi='vim'
EOF

cat >> ~/.bashrc <<EOF
if [ -f ~/.alias ]; then
. ~/.alias
fi
export EDITOR=vim VISUAL=vim
EOF

# ====================================

#Install software
#Some rpms
for RPM in vim-enhanced iptraf ImageMagick
do
/scripts/installrpm --force $RPM > /dev/null 2>&1
done

#Install some more software and perl modules - Commented out - takes too much time and are not really needed
#for PERLPACKAGE in Image::Magick Apache::ImageMagick CGI::ImageMagick CGI::Uploader::Transform::ImageMagick PPresenter::Export::Images::ImageMagick
#do
# /scripts/perlinstaller $PERLPACKAGE
#done


# Enable register_globals (a well-known PHP security risk; the setting was removed in PHP 5.4)

sed -i 's/^[\t ]*register_globals[\t ]*=[\t ]*Off/register_globals = On/g' /usr/local/Zend/etc/php.ini
# ====================================

#Upgrading some stuff.

#cd $BASEDIR
#if [ -f /usr/src/ss2.sh ]; then
# echo "Updating some software"
# chmod +x /usr/src/ss2.sh
# /usr/src/ss2.sh "$BASEDIR"
#fi

# ====================================

for SERVICE in exim httpd mysql chkservd crond cpanel
do
service $SERVICE restart
done

clear

#
if ! /sbin/pidof httpd >/dev/null
then
echo "Unable to start HTTPD"
fi
if ! /sbin/pidof exim >/dev/null
then
echo "Unable to start exim"
fi
if ! /sbin/pidof mysqld >/dev/null
then
echo "Unable to start mysql"
fi

if [ "$MAILME" = "y" ]; then
mail -s "SS complete on $(hostname)" ${MAILADDR} <<EOF

Hi guys,

Secureserver has secured $(hostname).
Please check and verify.

EOF

fi

# =====================================

# ======================================
# SSH PORT

echo

echo -n "Would you like to change the SSH port [y/n]? "
read ans
case $ans in
y|Y|yes|Yes) echo -n "Please Enter New Port : "
read port
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
cd /etc/ssh/
sed -i 's/^Port/#Port/' sshd_config
sed -i "12iPort $port" sshd_config
/etc/init.d/sshd stop
sleep 2
/etc/init.d/sshd start
;;
*) port=$(grep ^Port /etc/ssh/sshd_config| cut -d" " -f2)
echo "The SSH port is $port only. "
esac

# Disabling Allow_url fopen

echo
echo "Disabling allow_url_fopen................."

replace "allow_url_fopen = On" "allow_url_fopen = Off" -- /usr/local/lib/php.ini
grep allow_url_fopen /usr/local/lib/php.ini
/scripts/restartsrv httpd
/usr/local/cpanel/bin/rebuild_phpconf --current
#cleanup
# Final checks

echo -e "$RED URGENT ATTENTION!!!!"
cat <<EOF

Server securing is not complete yet!!!
There are some steps you need to do manually
Set up rDNS for the IP - $(hostname -i) to $(hostname)


EOF
echo -e "$RESET"

rm -rf /home/cpapachebuild /home/cpzendinstall
sync
rm -rf /usr/src/secure.* /usr/src/secureserver.sh
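The sshd_config edits in the script above append directives to the end of the file and insert `Port $port` at a fixed line number without checking the value. sshd uses the first occurrence of a directive, so an appended `AllowTcpForwarding no` does not override an earlier `AllowTcpForwarding yes`, and re-running the script adds duplicate lines. The helper below is an added example, not part of secureserver.sh; it assumes a plain sshd_config without Match blocks and runs on a constructed copy, never on the live file.

```shell
#!/bin/sh
# Added example (not from secureserver.sh): idempotent sshd_config edits.
# sshd honours the FIRST occurrence of a directive, so the fixed directive is
# placed at the top of the file and every other definition of it is removed.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1; key=$2; value=$3
    [ -r "$file" ] || return 1
    tmp=$(mktemp) || return 1
    # Drop existing (also commented-out) definitions of KEY ...
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" > "$tmp" || :
    # ... and put the directive first so it wins over anything below it.
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the effective (first) value of KEY
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# validate_port N: digits only and within 1..65535
validate_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Demo on a constructed config copy; never point this at /etc/ssh/sshd_config
# without a backup. If sshd is installed, its syntax check is run on the copy.
demo_sshd_hardening() {
    demo=$(mktemp)
    printf '%s\n' 'Port 22' 'AllowTcpForwarding yes' '#Protocol 2,1' > "$demo"
    set_sshd_option "$demo" AllowTcpForwarding no
    set_sshd_option "$demo" Protocol 2
    validate_port 2222 && set_sshd_option "$demo" Port 2222
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$demo" 2>/dev/null || echo "sshd -t rejected the config (or no host keys present)" >&2
    fi
    cat "$demo"
    rm -f "$demo"
}

demo_sshd_hardening
```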
18 Apr

OpenSwan, XL2TPD, RADIUS based IPSec VPN configuration

Download and install OpenSwan from its site.

IPSEC, OPENSWAN:

You can get the different versions of OpenSwan from the URL below:
http://www.openswan.org/code/
We highly recommend version 2.6.33, from the location below:
http://www.openswan.org/download/openswan-2.6.33.tar.gz
Go for the normal mode of source code installation:
-untar the archive
-cd into the directory
-make programs install

Before proceeding to install IPsec, please make sure that gcc, make, iproute, flex, bison and libgmp3-dev (libgmp2-dev might also work) are installed.
These are all available in the yum repo (if you are using an RHEL-based server).

On a Debian-based server, you can install them with apt-get install.

After installing IPsec, restart the service from init, then run the command below to check that it works:

It should give you something of this sort:

In IPsec there are several ways for users to connect to the VPN from different IPs; we use the mechanism below in our explanation:

* One Preshared Key (PSK) shared by every user

Preshared Key

A Preshared Key is a secret password that is shared by both sides of the IPsec tunnel. All users with dynamic IP addresses will have to share the same PSK (“group secret”). This is of course a significant security risk: if one user leaves the company or loses his laptop, all the other users will have to get a new PSK. The alternative would be to give every user a different PSK, but this is only supported in IPsec if all users have fixed (= static) IP addresses.

After installing IPsec on the server, specify the PSK in '/etc/ipsec.secrets' in the following format:

Then adjust the config file according to your needs: /etc/ipsec.conf

#NOTE: Please specify the directive 'pfs=no'. This parameter is required because Apple's and Microsoft's L2TP/IPsec clients do not enable PFS, whereas Openswan enables PFS by default.

Now configure an IPsec/L2TP client at your local end (please check the URL to see ways to do it) and try to create and initiate a connection to the server.
Please check /var/log/secure; if you see the log below:

 

If this log is obtained, then IPSEC is working fine in the server.

The IPsec connection you just configured is used for tunnelling the L2TP protocol.
So basically L2TP authenticates/initiates the connection and then IPsec creates the encrypted tunnel between the server and the clients.

l2tpd configuration

Going on to the l2tpd section:

There are many l2tp daemons to work with like:

-l2tpd
-xl2tpd
-rp-l2tp
-openl2tp

For l2tpd and rp-l2tp, development has stalled. openl2tp is an option. In our example we go for xl2tpd, as Xelerance (the maintainer of xl2tpd) has been sponsoring the continued development of Openswan since version 1.0.
Xelerance Corporation currently also maintains a version of the Layer 2 Tunneling Protocol (L2TP) daemon: xl2tpd.

XL2TPD:

You can get the latest version of the xl2tpd from the below location:

http://www.xelerance.com/wp-content/uploads/software/xl2tpd/xl2tpd-1.2.7.tar.gz

Installation as usual follows the common steps:
==
untar the source code
make
make install
then copy the binary (built in the current directory) to /usr/local/sbin (the binary location)
==
The installation is pretty simple and straightforward.

#NOTE: make sure to install the latest xl2tpd available at the Xelerance site (http://www.xelerance.com/services/software/xl2tpd/); the current version at the time of writing is xl2tpd 1.2.7

You can do a dry run to check the xl2tpd installation by running the command below:

It should give you output along these lines:

 

If no errors are reported, cancel the above process and then start xl2tpd by running the binary directly with the command:

xl2tpd Configuration

There are multiple config files involved in the configuration. The main config file is l2tpd.conf. The default example config file can be found with the source code (if you are installing from source) in the doc directory: xl2tpd-1.2.7/doc/l2tpd.conf.sample
Edit the config file as needed.

PPP installation and configuration

Once the L2TP connection is up, it hands over control to the PPP daemon.
The authentication details are given in the PPP daemon's secrets file /etc/ppp/chap-secrets in the format below:
==
client server secret IP addresses
<username> pptpd <passwd> *
==

The xl2tpd/PPP connection options are specified in /etc/ppp/options.xl2tpd

LOGGING:

IPsec logging goes to /var/log/secure by default.
xl2tpd logging goes to /var/log/messages.

Once it is installed, please check the following configuration files.

/etc/ipsec.conf

Input the code below into that file and then :wq! to save it.

Input the following code into the file 'test.secrets'.

y.y.y.y -> The IP address of the VPN server.

Eg :
77.88.99.11 %any: PSK "support"
——————————————————–
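The example line above uses the word "support" as the group secret. Since every road-warrior user shares that one PSK, it should be long and random, and the secrets file should be readable by root only. The helper below is an added example, not from the original post: it writes the `server_ip %any: PSK "..."` line in the format shown, generates a 32-byte random secret when none is given, and sets the file to mode 600. The file name and IP it is run on are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): manage the PSK line of an
# ipsec.secrets-style file with a strong secret and root-only permissions.

# gen_psk: 32 random bytes, base64-encoded (43 chars, never contains a quote)
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n='
}

# valid_ipv4 A.B.C.D: four dotted decimal octets, each 0-255
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# write_ipsec_psk FILE SERVER_IP [PSK]
# Writes (or replaces) the "%any" PSK line for SERVER_IP and sets mode 600.
write_ipsec_psk() {
    f=$1; ip=$2; psk=${3:-$(gen_psk)}
    valid_ipv4 "$ip" || { echo "bad server IP: $ip" >&2; return 1; }
    case $psk in
        *\"*) echo "PSK must not contain double quotes" >&2; return 1 ;;
    esac
    touch "$f" && chmod 600 "$f" || return 1
    t=$(mktemp) || return 1
    # Remove any previous line for this server so re-runs do not duplicate it.
    grep -v -F "$ip %any: PSK " "$f" > "$t" || :
    printf '%s %%any: PSK "%s"\n' "$ip" "$psk" >> "$t"
    cat "$t" > "$f"    # rewrite in place so FILE keeps its 600 permissions
    rm -f "$t"
}

# read_ipsec_psk FILE SERVER_IP: print the secret configured for SERVER_IP
read_ipsec_psk() {
    awk -v ip="$2" '$1 == ip && $2 == "%any:" && $3 == "PSK" {
        s = $4; gsub(/"/, "", s); print s; exit }' "$1"
}

# Demo on a constructed file (the IP is the one used in the post's example).
demo_file=$(mktemp)
write_ipsec_psk "$demo_file" 77.88.99.11
cat "$demo_file"
rm -f "$demo_file"
```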

Input the below values to the file /etc/ipsec.d/l2tp-psk.conf
——————————————————–

Install XL2TPD

The next step is to install the xl2tpd. Once the installation is over, open the file /etc/xl2tpd/xl2tpd.conf and input the below values in that file.

 

The next step is to open the file /etc/ppp/options.xl2tpd and input the below values in that file. Add the plug-in radius.so if you are going to use radius.

The next step is to open the file /etc/xl2tpd/l2tp-secrets and input the values below in that file, if you are NOT going to use RADIUS-based authentication.

The next step is to open the file /etc/ppp/chap-secrets and input the values below in that file, if you are NOT going to use RADIUS-based authentication.

user_name_of_VPN pptpd Password_of_VPN *

The final step of configuring the VPN is to add the route in the iptables

 

Or

y.y.y.y -> The IP address of the VPN server
——————————————————–

RADIUS SERVER SIDE CONFIGURATION

Step :

Add the VPN server in the client.conf file of the radius server.

Check the SQL.conf

Step :

We need to add the new client(OpenSwan VPN) to the radius server for authenticating.

Format
——

y.y.y.y -> The IP address of the VPN server.

short_name_of_VPN_Server -> short name of VPN Server

secret_set_in_servers -> secret set in both the servers.

Eg :

Step :

Verify the client is added properly to the database.

Eg :

Final Step :

Select the radius user from the radius database

 

18 Feb

How to retrieve Plesk control panel password for domain on a Plesk server?

1. Login to server through SSH.
2. Now login to mysql using command below.

# mysql -uadmin -p  -P8306

mysql> use psa

Database changed
mysql>
3. Now use the query below to retrieve the Plesk control panel password for the particular account. You should know the domain name; replace 'DomainName.com' in the following query with the exact domain name.
SELECT name AS DOMAIN_NAME, password AS PASSWORD
FROM accounts, dom_level_usrs, domains
WHERE accounts.id=dom_level_usrs.account_id
AND dom_level_usrs.dom_id=domains.id AND domains.name='DomainName.com';