Sysctl.conf hardening

The purpose of syctl hardening is to help prevent spoofing and dos attacks. This short guide will show what I have found to be a good configuration for the sysctl.conf configuration file. The most important of the variables listed below is the enabling of syn cookie protection. Only place the bottom two if you do not want your server to respond to ICMP echo, commonly referred to as ICMP ping or just ping requests.

Open /etc/sysctl.conf for editing in your favorite text editor:

pico -w /etc/sysctl.conf

And simply copy/paste this into the file replacing any existing values:

#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

After you make the changes to the file you need to run

/sbin/sysctl -p 

and

sysctl -w net.ipv4.route.flush=1

to enable the changes without a reboot.

Notes
– Make sure that eth0 is your primary interface. If it is not replace eth0 with eth1 in the code below.
– Make sure you have backup of your original syctl.conf file before making any changes
– These settings might be old (outdated) or wrong for your system setup. Use them at your own risk!

Continue Reading

Tags: sysctl conf, accept_source_route, net ipv4 conf all rp_filter, sysctl hardening, net ipv4 conf default rp_filter, Sysctl confhardening|GeekTipsnTricks, sysctl conf hardening

Big file downloads stops at random

After migrating a site to new server I run into a strange problem with big file downloads that just stop/break without any specific reason at anytime. Downloads are not direct than are done using PHP (I’ll write more about that soon and I’ll link to that post from in here when I do) suddenly break without any notice. Browser reports that file has been successfully downloaded, Apache doesn’t report any errors but file is broken and not downloaded entirely.

I was pulling my hair for days, since sometimes downloads were working fine but sometimes they would just stop. Things got worse in case of downloading multiple files at the same time. Sometimes one or two downloads would break, sometimes all, sometimes none. It was driving me mad. Since I have been traveling those days across Northern Europe, I have been able to test the file download from multiple locations/countries and various connection types (ADSL, Cable, WiFi hot spots) and was still experienced same problems.

The setup on that server was bit complex and it used Apache to serve dynamic content, separate web server for static content. Downloads were done using PHP or using mod_xsendfile but either way problem persisted. So I figured out that something must be timing out and that is braking the connection. Since it would happen that out of 4-5 simultaneous downloads one or two would break and few would download normally. Finally, I tried increasing Apache timeout from 10 seconds to 30 seconds and it worked out! I was so pissed of and happy at the same time… The solution was so easy and in front of my nose but I needed so much time to figure it out… I felt so stupid for a second but then I solved the problem and I’ve learned something new…

It turns out that if there were no communication between server and client for 10 seconds the Apache would simply close connection and download would break. Nothing will be reported on both sides since it’s “normal” way to end the communication. This was also going on when mod_xsendfile was used to serve/download files. The problem was even greater when internet connection was worse (WiFi) and when I was downloading more files at once since than the connection would have to be split on few files.

So if you’re making a download server for larger files make sure you setup your Apache timeout to some reasonable value (30 seconds or more). Under term “larger files” I consider everything larger than pictures, but basically 50mb file could be called “larger file” since for it’s download it is required some time and of course open connection.

Tags: apache large file download timeout, downloads stop randomly

How to whitelist your IP at CPHulk

My IP got banned by CPHulk few times and it is really not a pleasant thing knowing that you need to access your server but you just can’t because CPHulk blacklisted your IP. Great way around it is to white list your IP address in front so you don’t end up in that situation. It’s quite easy, all you need to do is to login at SSH and execute this lines:

cd /scripts
./cphulkdwhitelist xxx.xxx.xxx.xxx

Just don’t forge to replace xxx.xxx.xxx.xxx with your IP address 🙂

Tags: cphulk

How to change proftp FTP password from SSH shell

Today I have got a request from a client that has a server with no control panel on it to change one ftp password. Server is using proftpd as it’s ftp server. This is really easy task to do if proftp is setup by default and uses /etc/passwd for storing it’s passwords.

If you know username all you need to do is type in

passwd USERNAME

(replace USERNAME with actual username), enter new password two times and you’re done.

If you however don’t know the username (and that can happen too) you can open /etc/passwd file and try and locate it in there.

Tags: proftpd change password, proftpd change user password, change proftpd password, proftpd password change, change ftp password proftpd, change password proftpd, proftpd default password, get password in proftpd

How to install CSF firewall

In order to protect your server the best way possible, beside running iptables you should install some additional software. I can recommend ConfigServer Security & Firewall. I’m using it on couple of servers right now and it’s prove it self to be stable and low on resource usage. It also has WHM/cPanel plugin that helps you managing your firewall even if you’re not very experienced user/admnin.

Before installing you must be sure that you do not have any other firewalls installed (such as APF)
Installation is really simple. You just need to run those couple of commands in SSH:

cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Don’t forget to disable testing flag by setting TESTING = 0.
You can do that easily in WHM/cPanel: after logging in at WHM and in Plugins section of sidebar you’ll find “ConfigServer Security&Firewall”. Then click on Firewall Configuration and change testing value. Save it and restart firewall and there you go! Your CSF firewall is up and running!

csf firewall cpanel plugin

Continue Reading


Web host is adding ?PHPSESSID to the end of all URLs

Today I a customer of mine came to me with a problem with web site that he have just moved from one host to another. And on that new host all his links on his site suddenly had ?PHPSESSID=k234j2knk… in the end. Since that is totally unusable since that site doesn’t even uses sessions and could affect his search engine rankings, he wanted it out of the way. The new host he moved that site to was shared and it doesn’t allow editing of php.ini any way so I had to make some other solution.

After failing with adding one of those on top of php files, as suggested on most pages that I found on Google:

// stop PHP from automatically embedding PHPSESSID on local URLs
ini_set('session.use_trans_sid', false);

// only use cookies (no url based sessions)
ini_set('session.use_only_cookies', true);

I suggested him to just switch hosts again, but he said he already paid up front for the whole year… and that it’s not an option… and that he wants that off his site… So, I’ve Googled some more and finally found a simple solution (that doesn’t require editing of 100’s of files in his case because of poorly programmed site). All I had to do is just put one line of code in .htaccess file and BOOM! All those nasty ?PHPSESSID were gone!

php_flag session.use_trans_sid off

How to setup and use iptables

What’s iptables?
Iptables is the current Linux firewall and routing service. It controls incoming and outgoing network

How to stop/start/restart iptables?
Basically just like any other Linux service:

# service iptables start
# service iptables stop
# service iptables restart

How to check if iptables is currently running?
Simply call service status and take a look at the result:

# service iptables status
Firewall is stopped.

If you run “service iptables status” and get “Firewall is stopped.” that means that iptables are not running and you should start it with “sertvice iptables start”. If you get some tables with bunch of geek stuff that means that iptables are running.

How to automatically start iptables service on Linux boot?
To enable iptables starting on boot run

# chkconfig iptables on

or run code below to disable it

# chkconfig iptables off

How to block IP address using iptables?
This will block IP from accessing your server. Be careful not to block your IP address.
In command below replace “192.168.0.4” with correct IP address.

# iptables -A INPUT -s 192.168.0.4 -j DROP

After blocking the IP address (adding it to the iptable rules) you must restart iptables calling:

# service iptables restart

How to unblock IP address using iptables?
Similar to blocking, just use ACCEPT instead of DROP:

# iptables -A INPUT -s 192.168.0.4 -j ACCEPT

And after allowing that IP you must also restart iptables:

# service iptables restart

You can also flush your iptables rules by using:

# iptables -F

This will remove all custom added rules.

How to see current rules?
Simply by running following command:

# iptables -L

How to save iptable rules?
Rules created with the iptables command are stored in memory. If the system is restarted before saving the iptables rule set, all rules are lost. For rules to persist through a system reboot, they need to be saved. To save rules, type the following command:

# iptables-save > /etc/iptables.rules

How to load iptable rules?
To load previously saved rules execute:

# iptables--restore < /etc/iptables.rules

How to load iptable rules on Linux boot?
There are few ways and can be different on different Linux distributions. This should work on CentOS. To load rules on system boot make file /etc/init.d/iptableslr

# vi /etc/init.d/iptableslr

and add these two lines to it:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

The file needs to be executable so change the permissions:

# chmod +x /etc/init.d/iptables
Tags: service iptables status, how to check if iptables is enabled

Security by obscurity

This simple guide will help you secure your server in indirect way by hiding software versions from possible attackers. This can help you prevent many automated attacks and attacks based on software version number. If a hacker want’s to probe your system for hole he’ll start from collecting all version numbers from your running services. This guide will teach you setup common services not to give away their version numbers. This is called Security by obscurity and it’s not something to rely on but it can lower chances of getting your system hacked.

Apache (Web Server)
Let’s start with Apache first. It’s config file should at path

/etc/httpd/conf/httpd.conf

Open that with an editor of choice. I allways suggest Midnihgt Commander but you can use ant other editor like pico or vi. In Midnignt Commander open file for editing by pressing F4 while the file is selected.

Locate those two lines and set it as follows. If you cant find them – add them.

ServerSignature Off
ServerTokens Prod

Server Signature will remove the identification of Apache version from error pages, and ServerTokens will identify Apache as “apache” without version number or OS information. Save the file and restart the Apache.

service httpd restart

Named (DNS Server)
Next we will disable named from giving away his version. Open named config file at path

/etc/named.conf

Search for line

query-source address * port 53;

Add a line right below it with add (if it doesn’t exist)

version "Named";

Save and restart named using

service named restart

Exim (Email Server)
Next we will disable the version numbers in Exim. If you are not running Exim there is no need to do this section. Exim config is at path

/etc/exim.conf

and if it could not be located, it probably means that you do not use Exim. Search for

smtp_banner = "${primary_hostname

This is the welcome message for the email server. You can put anything in here. Here’s a sample message

smtp_banner = "${primary_hostname} MailServer \n\We do not authorize the use of this system to transport unsolicited, \n\and/or bulk e-mail."

Save the config and restart Exim.

service exim restart

Remeber this is just security though obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place by automated scanning. It will not help at all if somebody is trying to actually hack the server.

Continue Reading


How to install Midnight Commander?

Whats Midnight Commander?
Midnight Commander is Shell application (visual file manager) for SSH like Norton Commander, that older geeks may remember from the time of DOS, or like Total Commander, the most advanced Shell application today.

Why do I need Midnight Commander?
Midnight Commander will help you move more easily trough server files/folders, edit config files, copy/move/delete files/folders/whole directory trees, pack and unpack archives, search for files, run commands in subshell… You can also use MC to connect to other server’s FTP and copy files from/to other servers. (can be useful when migrating from one server to another)

How to install Midnight Commander?
If you have yum installed on server all you need to do is execute one command and it will install Midnight Commander and all it’s dependencies

yum install mc

If you don’t have yum on server – you’ll have to download it and compile it by hand.

wget http://www.ibiblio.org/pub/Linux/utils/file/managers/mc/mc-4.6.1.tar.gz
tar -zxvf mc-4.6.1.tar.gz.tar
cd mc-4.6./1
./configure
make
make install

How to start Midnight Commander?
Simply enter mc and press enter in SSH

mc (and press Enter)

and you should see it running and looking like on the picture below.

Midnight Commander

Continue Reading

Tags: yum install mc, install midnight commander, install mc, how to install midnight commander, midnight commander install, midnight commander linux, midnight commander fedora, yum install midnight commander, linux install mc, yum midnight commander, wget mc, how to install mc, wget midnight commander, midnight commander linux install, linux mc install, mc install, midnight commander installieren, linux midnight commander, fedora install mc, install midnight commander linux, install mc linux, how to install midnight commander linux, install mc on linux, fedora midnight commander, fedora mc install, yum mc, linux install midnight commander, midnight commander, linux midnight commander install, midnight commander wget, fedora isntall mc, redhat install mc, fedora install midnight commander, midnight commander installieren linux, midnight commander linux installieren