05 Oct

C-Panel Server Security Hardening Script

Execute the script below to harden your cPanel server.

#!/bin/sh
#
# Please report any bugs/suggestions to : support@yourdomain.com
#
### TODO
# secure the libexec/htdocs directory for mrtg.
###
export LANG=C LC_ALL=C
export PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/root/bin:/usr/X11R6/bin"
unalias -a
clear
#set -x
#### REVIEW THE VARIABLES BELOW ####
APF=apf-new.tar.gz
BFD=bfd-current.tar.gz #bfd-noapf.tar.gz will be installed on a dedicated server.
MODSEC=mod_security.tar.gz
#MODDOS=mod_evasive.tar.gz #Dont use this now.
CHKROOTKIT=chkrootkit.tar.gz
RKHUNTER=rkhunter.tar.gz
#Misc vars
MAILME=y
MAILADDR=support@yourdomain.com
#Set up vars
BASEDIR=/usr/src
BASEURL=acela.dizinc.com/utils
#Files
CPCONF=/var/cpanel/cpanel.config
HTTPCONF=/usr/local/apache/conf/httpd.conf
#LOG=/tmp/secure.log #Logging not implemented.
#Setting options
DEDSERVER=
INSTAPF=
INSTAOL=
DEFEXIMCONF=
# Colors. Just for fun.
RED='\033[01;31m'
GREEN='\033[01;32m'
YELLOW='\033[01;33m'
BLUE='\033[01;34m'
WHITE='\033[01;37m'
RESET='\033[0m'
TL='\t\t\n\n'
######## NOTES
# DO NOT UPGRADE OPENSSL ON SERVERS.
########
#Some checks
if [ "$UID" -ne "0" ]; then
echo -e "${TL}${GREEN}You must be root to run this script.${RESET}"
exit 1
fi

if [ ! -d /var/cpanel ]; then
echo -e "${TL}${GREEN}Are you sure this is a cpanel server?${RESET}"
exit 1
fi
#sed #Commented this out - don't need it since sed works fine on our centos servers. have seen problems on some other linux distros though.
#echo "test=4" >$BASEDIR/testfile
#sed -i 's/^\(test=\).*/\14.1/' $BASEDIR/testfile
#if ! grep -q '4.1' $BASEDIR/testfile
#then
# echo -e "$GREEN"
# echo 'The sed installed on this machine does not support "-i".
# Quitting....'
# echo -e "$RESET"
# exit 1
#fi
#Print something
echo -e "$RED"
cat << EOF
This script is meant to be used on a fresh cPanel server to prepare it for deployment.

WARNING : TO BE USED ON A LINUX SERVER RUNNING CPANEL ONLY. USE AT YOUR OWN RISK!!!
Remember - YOU HAVE BEEN WARNED.

EOF
echo -e "$RESET"
sleep 2
#Some functions
defopts () {
rm -rfv /usr/src/secure.*
clear
echo -e "$BLUE"
cat <<EOF

Usage : $(basename $0) [-d] [-e] [-l] [-a]
Where
-d : Is a dedicated server
-e : Use custom exim.conf and exim.pl ( RBL and ACL'd )
-l : Install aol.pl
-a : Install APF ( Even if the server is a dedicated server )


EOF
echo -e "$RESET"
exit 1
}
# ======================================
#Checking opts
if [ "$#" -eq "0" ]; then
defopts
else
while getopts dela OPTION 2>/dev/null
do
case "$OPTION" in
d) DEDSERVER=y ;;
e) DEFEXIMCONF=y ;;
l) INSTAOL=y ;;
a) INSTAPF=y ;;
\?) defopts ;;
esac
done
fi
OPTIND=$((OPTIND -1))
shift $OPTIND

echo -e "${WHITE}We shall print out status information as we proceed.${RESET}"
# ========================================================================================
# Rebuild /usr/src
cd /usr/src

for DIR in /usr/src/redhat/{BUILD,SPECS,RPMS/{athlon,noarch,i386,i486,i586,i686,i786},SOURCES,SRPMS}
do
if [ ! -d $DIR ]; then
mkdir -p $DIR
fi
done
echo -e "${WHITE}/usr/src set up.${RESET}"
#Change BASEDIR #commented out - mktemp not working on some servers.
#BASEDIR=$(mktemp -d $BASEDIR/secure.XXXXXX) && export BASEDIR || echo "Unable to create ${BASEDIR}. Proceeding with $PWD as BASEDIR" #Not using this since mktemp does not work on some machines for unknown reasons.
DIRTEMP=secure.${RANDOM}
mkdir ${BASEDIR}/${DIRTEMP} && export BASEDIR=${BASEDIR}/${DIRTEMP}
cd $BASEDIR
echo -e "${WHITE}Directories set up.${RESET}"
# ==== Space for patches to be run before running the rest of the script ====
#patch for php 4.2, php 5 etc with mysql versions 4.1.18 - linker error about /usr/lib/mysql/libz.la - workaround by nishanth
#cd $BASEDIR
#if [ ! -f /usr/lib/mysql/libz.la ]
#then
# if [ ! -f /usr/lib/libzzip.la ]
# then
# wget http://layer1.cpanel.net/buildapache/1/ ... 0.13.38.tar.bz2
# tar jxf zziplib-0.13.38.tar.bz2
# cd zziplib-0.13.38
# ./configure --prefix=/usr
# make && make install
# fi
# ln -s /usr/lib/libzzip.la /usr/lib/mysql/libz.la
#fi

# ========================== pre patches end here ============================
#Find wget - may be needed on some machines.
#FILESLIST="/usr/bin/wget /usr/local/bin/wget /usr/bin/fetch /usr/local/bin/fetch"
#for FILE in ${FILESLIST}
#do
# if [ -x "$FILE" ] ; then
# WGET=${FILE}
# break 2
# fi
#echo "WGET not found...Quitting"
#exit 1
#done
#echo "Wget found at: $WGET"
#The following works as well.
#Ensure some RPM's are installed.
for RPM in wget lynx expect python-devel ncurses #Add any other rpms that may be needed
do
/scripts/ensurerpm ${RPM}
done
clear
if ! wget -q $BASEURL/test.html
then
echo "Unable to access $BASEURL. Please check resolver settings and firewall"
exit 1
fi
# =============== START HERE ============
# ========================================
#Some functions
#defopts () {
#rm -rfv /usr/src/secure.*
#clear
#echo -e "$BLUE"
#cat <<EOF
#
# Usage : $(basename $0) [-d] [-e] [-l] [-a] [-m]
# Where
# -d : Is a dedicated server
# -e : Use custom exim.conf and exim.pl ( RBL and ACL'd )
# -l : Install aol.pl
# -a : Install APF ( Even if the server is a dedicated server )
#
#
#EOF
#echo -e "$RESET"
#exit 1
#}
#
## ======================================
#
##Checking opts
#if [ "$#" -eq "0" ]; then
# defopts
#else
#
#while getopts dela OPTION 2>/dev/null
#do
# case "$OPTION" in
# d) DEDSERVER=y ;;
# e) DEFEXIMCONF=y ;;
# l) INSTAOL=y ;;
# a) INSTAPF=y ;;
# \?) defopts ;;
# esac
#done
#fi
#OPTIND=$((OPTIND -1))
#shift $OPTIND

# ========================================
#Run this in the background.
updatedb &

cd $BASEDIR
#Installing APF, BFD etc

if [ "$DEDSERVER" != "y" -o "$INSTAPF" = "y" ]; then
wget -q $BASEURL/$APF
if [ ! -f "$APF" ]; then
echo "APF not downloaded...Proceeding"
else
tar zxf $APF
cd apf-*
sh ./install
echo "APF installed and configured"
wget $BASEURL/port22to1291
/bin/sh port22to1291
echo "SSH Port for Shared Server is changed to 1291"
fi
fi
cd $BASEDIR

if [ ! -d /etc/apf ]; then
BFD=bfd-noapf.tar.gz
else
BFD=bfd-current.tar.gz
fi

wget -q $BASEURL/$BFD
if [ ! -f "$BFD" ]; then
echo "BFD not downloaded...Proceeding"
else
tar zxf $BFD
cd bfd-*
sh ./install.sh
echo "BFD installed and configured"
fi
cd $BASEDIR

#Installing MOD_SECURITY for apache
#wget -q $BASEURL/$MODSEC
#No need eas3 having default modsecurity
#if [ ! -f $MODSEC ]; then
# echo "MODSEC now downloaded...Proceeding"
#else
# tar zxf $MODSEC
# cd mod_sec*
# sh ./installer
# echo "mod_security installed"
# wget -q $BASEURL/secure/mod_security.conf-latest
# if [ -f mod_security.conf-latest ]; then
# mv -f mod_security.conf-latest /usr/local/apache/conf/mod_security.conf
# fi
# echo "mod_security configured with the latest config"
#fi
#cd $BASEDIR

#Commented out. We use Binish's scripts to block dos.
#Installing mod_dos
#wget -q $BASEURL/$MODDOS
#if [ ! -f $MODDOS ]; then
# echo "MODDOS now downloaded...Proceeding"
#else
# tar zxf $MODDOS
# cd mod_dos*
# sh ./install
# echo "mod_evasive installed"
#fi
#cd $BASEDIR

#Installing rkhunter
wget -q $BASEURL/$RKHUNTER
if [ ! -f $RKHUNTER ]; then
echo "Unable to download rkhunter...Proceeding"
else
tar zxf $RKHUNTER
cd rkhunter*
sh ./installer.sh
echo "rkhunter installed"
rkhunter --update
rkhunter -c -sk
fi
cd $BASEDIR

#And chkrootkit
wget -q $BASEURL/$CHKROOTKIT
if [ ! -f $CHKROOTKIT ]; then
echo "Unable to download chkrootkit"
else
tar zxf $CHKROOTKIT
cd chkrootkit*
make all
cd $BASEDIR
rm -fv $CHKROOTKIT
mv chkrootkit* /usr/local/
ln -sf /usr/local/chkrootkit*/chkrootkit /usr/local/sbin/
echo "Chkrootkit installed in /usr/local/"
fi
cd $BASEDIR

# ========================================

#Removing the securetmp entry if set
if mount | grep -q '/var/tmp'
then
sed -i 's/^\(\/scripts\/securetm.*\)/#\1/' /etc/rc.local
umount -l /var/tmp
rm -fv /usr/tmpDSK
fi

#Securing /tmp
cp -a /etc/fstab{,.bak}
sed -i '{/shm/d;/tmp/ s/defaults/noexec,nosuid,nodev,noatime/;}' /etc/fstab
umount -l /dev/shm
mv /var/tmp{,.old} && chmod 000 /var/tmp.old
ln -sf /tmp /var/
mount -o remount /tmp
#mount -a
echo "Securing /tmp and /var/tmp done"

#Now securing common vulnerable folders.
#Note: the list must not be quoted, or the loop sees a single item and the -d test never matches.
for DIR in /var/spool/samba /var/mail/vbox /etc/httpd/proxy /var/cpanel/Counters /var/spool/vbox /usr/local/apache/proxy /usr/local/flash /dev/shm
do
if [ -d "$DIR" ]; then
chmod 755 $DIR
chown root:root $DIR
fi
done

echo "Common vulnerable folders secured"
cd $BASEDIR

#Chattr these dirs
chattr +i /usr/local/flash

# =======================================

#Installing some scripts

cd $BASEDIR
mkdir /root/{bin,scripts}
for FILE in portwatch sniffer block block-noapf aolrem killmail
do
#wget -q bini.amalji.com/$FILE #binish's scripts have been copied over to BASEURL
wget -q $BASEURL/secure/$FILE
[ -f $FILE ] && chmod +x $FILE && cp -vf $FILE ~/bin/
echo "$FILE copied to bin"
done

cd $BASEDIR
#Install some monitoring tools
for FILE in loadmon watchssl checkd ipcs diskspace
do
wget -q $BASEURL/secure/$FILE
[ -f "$FILE" ] && chmod +x $FILE && cp -vf $FILE ~/scripts/
echo "$FILE copied to scripts"
done

#Install the daily and weekly crons
wget -q $BASEURL/secure/weeklycron
[ -f weeklycron ] && chmod +x weeklycron && cp -vf weeklycron /etc/cron.weekly/
wget -q $BASEURL/secure/dailycron
[ -f dailycron ] && chmod +x dailycron && cp -vf dailycron /etc/cron.daily/

#Deny nobody's cron
echo "nobody" > /etc/cron.deny

# ==========================================

#Harden cpanel settings.
cd $BASEDIR
# commented out the following block. We shall download the modified $CPCONF
wget -q $BASEURL/secure/cpanel.config-latest
if [ -f cpanel.config-latest ]; then
echo "Resetting cpanel config to defaults"
cp -vf cpanel.config-latest ${CPCONF}
fi


# Commented out - version is 4.1 by default on new installs.
#setup mysql version
sed -i 's/mysql-version.*/mysql-version=5.0/g' /var/cpanel/cpanel.config
/scripts/mysqlup --force
#/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings

#if grep -q mysql-version $CPCONF
#then
# sed -i 's/^\(mysql-version=\).*$/\14.1/' $CPCONF
#else
# echo "mysql-version=4.1" >> $CPCONF
#fi

# Disable nobody mails
#if grep -q nobodyspam $CPCONF
#then
# sed -i 's/^\(nobodyspam=\).*$/\11/' $CPCONF
#else
# echo "nobodyspam=1" >> $CPCONF
#fi

#Change default mail action
#if grep -q defaultmailaction $CPCONF
#then
# sed -i 's/^\(defaultmailaction=\).*/\1fail/' $CPCONF
#else
# echo "defaultmailaction=fail" >> $CPCONF
#fi

#Other minor cpanel tweaks
#if grep -q awstatsbrowserupdate $CPCONF
#then
# sed -i 's/^\(awstatsbrowserupdate=\).*/\10/' $CPCONF
#else
# echo "awstatsbrowserupdate=0" >> $CPCONF
#fi

#Anti spam tweaks for cpanel
touch /etc/webspam /etc/eximmailtrap
/scripts/smtpmailgidonly on

#Set cpanel update to stable
# modified by sherin
cat > /etc/cpupdate.conf << EOF
BANDMINUP=inherit
COURIERUP=inherit
CPANEL=stable
EXIMUP=inherit
FTPUP=inherit
MYSQLUP=inherit
PYTHONUP=inherit
RPMUP=daily
SYSUP=daily
EOF

#Disable BoxTrapper
rm -rf /var/cpanel/version/boxtrapper
rm -rf /usr/local/cpanel/bin/boxtrapper*
#rm -rfv /home/*/etc/.boxtrapp*
#rm -rfv /home/*/etc/.boxtrapp*
#rm -rfv /home/*/etc/*/.boxtrapp*
#rm -rfv /home/*/etc/*/*/boxtrapp*

cat >$BASEDIR/upcp.sh << EOF
#!/bin/bash
perl /scripts/upcp --force
EOF
chmod 755 $BASEDIR/upcp.sh
bash -x $BASEDIR/upcp.sh
cat > /scripts/postupcp << EOF
#!/bin/sh
strip --strip-all /usr/local/cpanel/3rdparty/bin/php
#chattr -i /usr/local/cpanel/3rdparty/etc/php.ini
#/usr/local/cpanel/bin/checkphpini
#ln -s /usr/local/cpanel/3rdparty/fantastico /usr/local/cpanel/base/frontend/x
#ln -s /usr/local/cpanel/3rdparty/fantastico /usr/local/cpanel/base/frontend/bluelagoon
#ln -s /usr/local/cpanel/3rdparty/fantastico /usr/local/cpanel/base/frontend/monsoon
#chmod -R 0755 /usr/local/cpanel/3rdparty/etc/ixed
EOF
chmod +x /scripts/postupcp

#Fix for imap
ln -sf /usr/local/cpanel/3rdparty/bin/imapd /usr/sbin/
###fix spamassa
sa-compile
sa-update
/scripts/restartsrv exim
#Disable all pop's except cppop
#for FILE in $(find /etc/xinetd.d/*pop* | xargs grep -l 'disable = no')
#do
# sed -i 's/^\([ \t]disable.*\)/disable = yes/' $FILE
#done

# Am replacing the above code with this
echo -n "Disabling all xinetd services except cpimap.. "
cd /etc/xinetd.d
for i in *
do
[ "$i" != "cpimap" ] && sed -i 's/^[ \t]*disable.*/disable = yes/' /etc/xinetd.d/$i
done
echo ".. Done"

cd $BASEDIR

# ====================================

#Install pure-ftpd by default
/scripts/ftpup pure-ftpd
#/scripts/ftpup --force
/scripts/ftpupdate

#Add PassivePortRange for use with APF
sed -i 's/^#[ \t]\(PassivePort.*\)/\1/' /etc/pure-ftpd.conf
service pure-ftpd restart
#Can also be done with
#echo "--passiveportrange=30000:50000" >> /etc/sysconfig/pure-ftpd
#For proftpd
#echo "PassivePorts 30000 50000" >> /etc/proftpd.conf

# =====================================

#Upgrade mysql
#Editing it as follows because we have mysql5 as standard with huge conf - sherin
/scripts/mysqlup --force
/scripts/perlinstaller --force Bundle::DBD::mysql
#rm -rf /root/.cpmysql* #remove old mysql mirrors
#/scripts/mysqlup --force
#/scripts/perlinstaller --force Bundle::DBD::mysql
#mysql_fix_privilege_tables

#Harden my.cnf
cp /etc/my.cnf{,.orig}
#echo "old-passwords" >> /etc/my.cnf
#echo "set-variable = max_user_connections=20" >> /etc/my.cnf
cat > /etc/my.cnf << NEOF
[mysqld]
skip-locking
key_buffer = 384M
max_allowed_packet = 1M
max_connections = 500
max_user_connections = 35
wait_timeout=40
connect_timeout=10
table_cache = 512
sort_buffer_size = 2M
read_buffer_size = 2M
read_rnd_buffer_size = 8M
myisam_sort_buffer_size = 64M
thread_cache_size = 8
query_cache_size = 32M
thread_concurrency = 8
server-id = 1

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash

[myisamchk]
key_buffer = 256M
sort_buffer_size = 256M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
NEOF

killall -9 mysqld safe_mysqld mysqld_safe 2>/dev/null
pkill -9 mysql
pkill -9 mysqld
/scripts/restartsrv mysql
#/etc/init.d/mysql restart > /dev/null
#Commented out - cpanel seems to be doing this automatically now.
#Reset mysql root password
# MYSQLROOTPASS="q09D$RANDOM"

#MYSQLROOTPASS=$(mkpasswd -s 0 -l 15)
#/etc/init.d/mysql stop
#sleep 1
#killall -9 mysqld safe_mysqld mysqld_safe 2>/dev/null
#sleep 5
#safe_mysqld --skip-grant-tables --skip-networking --user=mysql &
#sleep 5
#mysqladmin -u root flush-privileges password "$MYSQLROOTPASS"
#/etc/init.d/mysql stop
#sleep 2
#killall -9 mysqld safe_mysqld mysqld_safe 2>/dev/null
#/etc/init.d/mysql start
#mysql_fix_privilege_tables --password="$MYSQLROOTPASS"
#cat > ~/.my.cnf << EOF
#[client]
#user=root
#pass=$MYSQLROOTPASS
#EOF
#chmod 700 ~/.my.cnf

echo "Mysql secured"

# =========================================
#Run this
/scripts/fixcommonproblems

#Now apache
cat > /scripts/postbuildapache << EOF
#!/bin/sh
### Ensure that you do not enter an interactive command here (like installzendopt) - this is stupid ###
strip --strip-all /usr/local/apache/libexec/libphp* /usr/bin/php /usr/local/bin/php
#strip -strip-all /usr/local/apache/bin/httpd
EOF

chmod +x /scripts/postbuildapache

cp /usr/local/apache/conf/httpd.conf{,.orig}
echo -e "${RED}About to run easyapache from the pre-build profile generated for new servers.${RESET}"
sleep 2

cd $BASEDIR
wget $BASEURL/secure/secureserver.yaml
cp $BASEDIR/secureserver.yaml /var/cpanel/
/scripts/easyapache --profile=/var/cpanel/secureserver.yaml --build
rm -f /var/cpanel/secureserver.yaml
#Tweaking apache
#/scripts/apachelimits #Commented out - causing problems
/scripts/userdirctl on
/scripts/phpopenbasectl on

# =========================================

#Advanced hardening
#Disable unnecessary services.
for SERVICE in cups cups-config-daemon xfs netfs irda isdn nfs nfslock rhnsd anacron tux atd ip6tables mdmonitor bluetooth audit auditd rpcidmapd rpcsvcgssd rpcgssd canna iiim
do
service "$SERVICE" stop > /dev/null 2>&1
chkconfig "$SERVICE" off > /dev/null 2>&1
done

# cpanel's service manager tweak
cat >/etc/chkserv.d/chkservd.conf <<EOF
antirelayd:1
cpsrvd:1
entropychat:0
exim:1
exim-26:1
eximstats:1
ftpd:1
httpd:1
imap:1
interchange:0
melange:0
mysql:1
named:1
pop:1
spamd:1
syslogd:1
EOF

# Enable ftp conntrack if the server supports modules
if modprobe -al|grep -q ip_conntrack_ftp
then
echo modprobe ip_conntrack_ftp >> /etc/rc.local
modprobe ip_conntrack_ftp
sed -i 's/#\?[ \t]*IPTABLES_MODULES=\".*/IPTABLES_MODULES=\"ip_conntrack_ftp\"/' /etc/sysconfig/iptables-config
fi

#Default Firewall rules. APF is preconfigured with these rules
iptables -F
iptables -I OUTPUT -p tcp --dport 22 -m owner ! --uid-owner root -j REJECT
for port in 6666 6667 6668 6669
do
iptables -I OUTPUT -p tcp --dport "$port" -j REJECT
done
/etc/init.d/iptables save
/etc/init.d/iptables restart

echo "Default rules saved"

# Enable DMA
/scripts/hdparmon && echo "/scripts/hdparmon" >> /etc/rc.local

# ==================================
#Exim

for FILE in /etc/rblwhitelist /etc/relayhosts /etc/rblbypass /etc/exim_deny /etc/rblblacklist
do
touch $FILE
done

# fix for exigrep
if [ ! -f /usr/bin/zcat ]; then
ln -s "$(which zcat)" /usr/bin/zcat
fi

/scripts/eximup --force
cp -a /etc/exim.conf{,.orig}
cp -a /etc/exim.pl{,.orig}

cd $BASEDIR
if [ "$DEDSERVER" != "y" -o "$DEFEXIMCONF" = "y" ]; then
wget -q $BASEURL/exim.conf-latest
if [ -f exim.conf-latest ]; then
cp -fv exim.conf-latest /etc/exim.conf
fi

wget -q $BASEURL/exim.pl-latest
if [ -f exim.pl-latest ]; then
cp -fv exim.pl-latest /etc/exim.pl
fi
service exim restart
fi

#Installing aol.pl
cd $BASEDIR
if [ "$DEDSERVER" != "y" -o "$INSTAOL" = "y" ]; then
wget -q $BASEURL/secure/aolrem
if [ -f aolrem ]; then
chmod +x aolrem
cp -fv aolrem /etc/cron.hourly/aol.pl
fi
fi

# =====================================

#Hardening the binaries
for FILE in $(which lynx) $(which wget) $(which curl) $(which scp) $(which ssh)
do
chmod 750 $FILE
done

#Hardening sshd_config
echo " " >> /etc/ssh/sshd_config
echo "#Inserting rule to stop TCP forwarding " >> /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
echo "#AllowUsers " >> /etc/ssh/sshd_config
sed -i 's/^#\(Protocol\).*/\1 2/' /etc/ssh/sshd_config
/etc/init.d/sshd restart
sleep 2

if ! /sbin/pidof sshd >/dev/null
then
/scripts/installrpm --force sshd
fi

#Hardening host.conf
echo "nospoof on" >> /etc/host.conf
echo "multi on" >> /etc/host.conf

#sysctl hardening
cd $BASEDIR
wget -q $BASEURL/secure/sysctl.conf-latest
cp -f /etc/sysctl.conf{,.orig}
mv -f sysctl.conf-latest /etc/sysctl.conf
sysctl -e -p /etc/sysctl.conf

#Check if all the perlmodules needed for cpanel is installed.
/usr/local/cpanel/bin/checkperlmodules

#Misc
:> /tmp/cmdtemp && chattr +i /tmp/cmdtemp

if grep -q DAILY /etc/updatedb.conf
then
sed -i 's/\(DAILY_UPDATE=\).*/\1yes/' /etc/updatedb.conf
fi

# ====================================
#prefs
cat >> ~/.alias <<EOF
alias ls='ls -lap --color'
alias grep='grep --color=auto'
alias less='less -r'
alias vi='vim'
EOF

cat >> ~/.bashrc <<EOF
if [ -f ~/.alias ]; then
. ~/.alias
fi
export EDITOR=vim VISUAL=vim
EOF

# ====================================

#Install software
#Some rpms
for RPM in vim-enhanced iptraf ImageMagick
do
/scripts/installrpm --force $RPM > /dev/null 2>&1
done

#Install some more software and perl modules - Commented out - takes too much time and are not really needed
#for PERLPACKAGE in Image::Magick Apache::ImageMagick CGI::ImageMagick CGI::Uploader::Transform::ImageMagick PPresenter::Export::Images::ImageMagick
#do
# /scripts/perlinstaller $PERLPACKAGE
#done


# Enable register_globals

sed -i 's/^[\t ]*register_globals[\t ]*=[\t ]*Off/register_globals = On/g' /usr/local/Zend/etc/php.ini
# ====================================

#Upgrading some stuff.

#cd $BASEDIR
#if [ -f /usr/src/ss2.sh ]; then
# echo "Updating some software"
# chmod +x /usr/src/ss2.sh
# /usr/src/ss2.sh "$BASEDIR"
#fi

# ====================================

for SERVICE in exim httpd mysql chkservd crond cpanel
do
service $SERVICE restart
done

clear

#
if ! /sbin/pidof httpd >/dev/null
then
echo "Unable to start HTTPD"
fi
if ! /sbin/pidof exim >/dev/null
then
echo "Unable to start exim"
fi
if ! /sbin/pidof mysqld >/dev/null
then
echo "Unable to start mysql"
fi

if [ "$MAILME" = "y" ]; then
mail -s "SS complete on $(hostname)" ${MAILADDR} <<EOF

Hi guys,

Secureserver has secured $(hostname).
Please check and verify.

EOF

fi

# =====================================

# ======================================
# SSH PORT

echo

echo -n "Would you like to change the SSH port [y/n] ? "
read ans
case $ans in
y|Y|yes|Yes) echo -n "Please Enter New Port : "
read port
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
cd /etc/ssh/
sed -i 's/^Port/#Port/' sshd_config
sed -i "12iPort $port" sshd_config
/etc/init.d/sshd stop
sleep 2
/etc/init.d/sshd start
;;
*) port=$(grep ^Port /etc/ssh/sshd_config| cut -d" " -f2)
echo "The SSH port remains $port."
esac

# Disabling Allow_url fopen

echo
echo "Disabling allow_url_fopen................."

replace "allow_url_fopen = On" "allow_url_fopen = Off" -- /usr/local/lib/php.ini
grep allow_url_fopen /usr/local/lib/php.ini
/scripts/restartsrv httpd
/usr/local/cpanel/bin/rebuild_phpconf --current
#cleanup
# Final checks

echo -e "$RED URGENT ATTENTION!!!!"
cat <<EOF

Server securing is not complete yet!!!
There are some steps you need to do manually
Set up rDNS for the IP - $(hostname -i) to $(hostname)


EOF
echo -e "$RESET"

rm -rf /home/cpapachebuild /home/cpzendinstall
sync
rm -rf /usr/src/secure.* /usr/src/secureserver.sh
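Two post-run checks for the script above, added here as an editor's example and not part of the original script. The first parses /proc/mounts-style lines to confirm that /tmp really carries the noexec,nosuid,nodev options the fstab edit is meant to set; the second reports the value sshd will actually use for a directive, because sshd takes the first uncommented occurrence of a keyword, so the `AllowTcpForwarding no` the script appends at the end of sshd_config is ignored if an earlier uncommented line already sets it. The sample mount table and sshd_config text are constructed.

```shell
#!/bin/sh
# Editor's added example: post-run checks for the hardening script.
# Not part of the original script; the sample inputs below are constructed.

# mount_has_opts MOUNTS_TEXT MOUNTPOINT OPT [OPT...]
# MOUNTS_TEXT holds /proc/mounts-style lines. Succeeds only when MOUNTPOINT
# is mounted and its option list contains every OPT given.
mount_has_opts() {
    _mounts=$1
    _mp=$2
    shift 2
    # The last entry for a mount point wins, as with stacked mounts.
    _opts=$(printf '%s\n' "$_mounts" | awk -v mp="$_mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$_opts" ] || return 1
    for _want in "$@"; do
        case ",$_opts," in
            *",$_want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# sshd_effective CONFIG_TEXT KEYWORD
# Prints the value sshd will use for KEYWORD: comments and blank lines are
# skipped and the FIRST remaining occurrence wins, so a directive appended at
# the end of the file has no effect if the keyword already appears uncommented
# earlier. (Match blocks and the "Keyword=value" form are not handled.)
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Constructed sample /proc/mounts output: /tmp hardened, /dev/shm not.
SAMPLE_MOUNTS='/dev/sda3 / ext3 rw,noatime 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,nodev,noatime 0 0
tmpfs /dev/shm tmpfs rw 0 0'

# Constructed sample sshd_config: "AllowTcpForwarding no" was appended after
# an existing "AllowTcpForwarding yes", which is exactly the pitfall above.
SAMPLE_SSHD='#Port 22
Port 1291
Protocol 2
AllowTcpForwarding yes
#AllowUsers
AllowTcpForwarding no'

# report MOUNTS_TEXT SSHD_TEXT: prints one PASS/FAIL line per check.
report() {
    for _mp in /tmp /dev/shm; do
        if mount_has_opts "$1" "$_mp" noexec nosuid nodev; then
            echo "PASS $_mp mounted noexec,nosuid,nodev"
        else
            echo "FAIL $_mp lacks noexec,nosuid,nodev"
        fi
    done
    _fwd=$(sshd_effective "$2" AllowTcpForwarding)
    if [ "$_fwd" = no ]; then
        echo "PASS AllowTcpForwarding=no"
    else
        echo "FAIL AllowTcpForwarding effective value is '${_fwd:-unset}'"
    fi
    echo "INFO sshd Port=$(sshd_effective "$2" Port) Protocol=$(sshd_effective "$2" Protocol)"
}

report "$SAMPLE_MOUNTS" "$SAMPLE_SSHD"
```

On a live server the same report runs against the real files with `report "$(cat /proc/mounts)" "$(cat /etc/ssh/sshd_config)"`.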
11 Aug

Dangerous WinHelp.exe – Dangerous


The W32.HLLW.Lovgate.O@mm worm is a variant of W32.HLLW.Lovgate@mm.
This variant is also a mass-mailing worm that attempts to reply to all the email messages in the Microsoft Outlook Inbox.
The "sender" of the email is spoofed, and its subject line and message vary.
The attachment name varies and has a .exe, .pif, or .scr file extension.
This worm also attempts to copy itself to all the computers on the local network, using weak passwords to try to log in as Administrator, and to Kazaa shared folders.

Copies itself as the following: %Windir%\Systra.exe; %System%\iexplore.exe; %System%\Media32.exe; %System%\RAVMOND.exe; %System%\WinHelp.exe; %System%\Kernel66.dll

Creates a file named AUTORUN.INF in the root folder of every drive except CD-ROM drives, and copies itself as COMMAND.EXE into that folder.
Creates an archive file in the root folder of every drive whose letter is not A or B, for example setup.rar or pass.zip.
Creates the following files: %System%\ODBC16.dll, %System%\msjdbc11.dll, %System%\MSSIGN30.DLL
These files are all the same: they are the backdoor component of the worm.

Modifies the (Default) value of the registry key HKEY_CLASSES_ROOT\exefile\shell\open\command
to %System%\Media32.exe “%1” %* so that the worm runs whenever any .exe file is executed.
Terminates all processes whose names contain any of the following strings:
KV, KAV, Duba, NAV, kill, RavMon.exe, Rfw.exe, Gate, McAfee, Symantec, SkyNet, rising

Manual removal:
In the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
please delete the values:
“Program in Windows”=”%system%\iexplore.exe”
“VFW Encoder/Decoder Settings”=”RUNDLL32.exe MSSIGN30.DLL ondll_reg”
“Winhelp”=”%System%\WinHelp.exe”

Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
“Systemtra”=”%Windir%\Systra.exe”

In the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
delete the value:
“run”=”RAVMOND.exe”

And delete the subkey, if it exists:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1

10 Aug

How to remove Orkut Virus: Muhaha!!

Well, another friend just got this problem, so I think this virus is in action again.

Now, how to get rid of it. A quick way for Orkut addicts who want instant access to Orkut is as follows:

Press Alt+Ctrl+Del and go to the Processes tab.

There you will see a list of processes under different usernames. Sort the processes by username and look for the process svchost.exe.

Right-click it and choose End Process or End Process Tree. Make sure you end only the image/process listed under your username, not the ones under LOCAL SERVICE or NETWORK SERVICE.

This gives you instant access to Orkut.

A similar variant gives you an error on opening Firefox:

“I DNT HATE MOZILLA BUT USE IE OR ELSE…”, “USE INTERNET EXPLORER U DOPE”,

The above 4 steps work for that variant as well.

Now a fix to permanently get rid of this nuisance; this interested the friends who called me up for help getting into their Orkut accounts instantly.

Follow these steps:

REPEAT THE ABOVE 4 STEPS AND THEN CONTINUE.

Click Start -> Run, type c:\heap41a and press Enter. You cannot find this folder by browsing in Windows Explorer (My Computer) because it is a hidden folder.

Delete all the files in this folder by pressing Ctrl+A followed by Shift+Del.

Now go to Start -> Run again and type regedit; this opens the Registry Editor.

Press Ctrl+F; a Find dialog opens. Type heap41a and let it show you the results.

You should see “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt”

Now delete whatever you see there :D because you love Orkut .. hahahah

Your PC/laptop is now cleaned up and you can open your Orkut account without that nuisance.

Make sure you delete all the .exe files at the root of your pen drive that were created automatically (which you never created). Better still, scan your pen drive with a good antivirus. That should keep your PC safe from the MUHAHA attack.

Other Effects

This worm/virus removes the hidden folder option, so you are unable to see hidden folders. To enable the hidden folder option again, follow these steps:

Go to Start -> Run and type regedit again to open the Registry Editor.

Traverse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

There you will see a DWORD value named “NoFolderOptions”. Set its value to 0 or simply delete it.