dapurhosting.com Blog for Tech

September 24, 2019

Open firewall port on CentOS 7

Filed under: Security — dh @ 3:17 am


June 14, 2016

cPanel and Webmail Forbidden on Litespeed

Filed under: cPanel/WHM, Security — dh @ 2:55 pm

Whitelist rule ID 981246 in WHM > ConfigServer ModSecurity Control

November 21, 2013

wordpressslog@yandex.com

Filed under: Email, Security, WordPress — dh @ 5:37 am

How to find the WordPress script or plugin that sends email to wordpressslog@yandex.com

cd /home/usercp/public_html/wp-content/plugins/
grep -H -r "d29yZHByZXNzc2xvZ0B5YW5kZXguY29t"  /home/usercp/public_html/wp-content/plugins/

d29yZHByZXNzc2xvZ0B5YW5kZXguY29t is the base64 encoding of wordpressslog@yandex.com; the address is stored encoded, so a plain grep for the address itself finds nothing.

reference: http://wordpress.org/support/topic/rogue-emails-to-wordpressslogyandexcom?replies=4#post-4409743
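As an added example (not part of the original post), the script below generalises the grep above: it pulls every base64-looking token out of a plugin tree, decodes each one and reports those that decode to an e-mail address, so a recipient hidden behind a different encoded string is found as well. It assumes GNU grep (for -r, -o and --include), coreutils base64 and mktemp; the sample plugin it builds is constructed for the demo.

```shell
# Added example, not from the original post: extract every base64-looking
# token from a plugin tree, decode it and report those that hide an e-mail
# address. Assumes GNU grep (-r/-o/--include), coreutils base64 and mktemp.

# Print the e-mail address hidden in base64 token $1, or nothing.
decode_if_email() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '[:print:]') || true
    printf '%s\n' "$decoded" |
        grep -o -E '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' || true
}

# Scan every *.php under $1. Output lines: path:base64_token:decoded_address
scan_plugins_for_b64_emails() {
    grep -r -o -H -E --include='*.php' '[A-Za-z0-9+/]{16,}={0,2}' "$1" 2>/dev/null |
    while IFS= read -r hit; do
        path=${hit%:*}      # everything before the last colon
        tok=${hit##*:}      # the token itself never contains a colon
        addr=$(decode_if_email "$tok")
        if [ -n "$addr" ]; then
            printf '%s:%s:%s\n' "$path" "$tok" "$addr"
        fi
    done
}

# Build a constructed sample plugin directory holding the obfuscated
# recipient from the post, and print the directory path.
make_sample_plugin() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rogue-notifier"
    cat > "$dir/rogue-notifier/notify.php" <<'EOF'
<?php
// constructed sample: recipient hidden behind base64_decode()
$to = base64_decode('d29yZHByZXNzc2xvZ0B5YW5kZXguY29t');
mail($to, 'new site', $_SERVER['HTTP_HOST']);
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo: prints one line naming notify.php and the decoded address.
demo_dir=$(make_sample_plugin)
scan_plugins_for_b64_emails "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the real plugins directory (for example /home/usercp/public_html/wp-content/plugins/) and review every reported file by hand, since long identifiers can occasionally decode to something address-like.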

September 1, 2013

Check Mod Security Version

Filed under: Security, Server — dh @ 6:17 pm

/scripts/restartsrv_httpd
grep "modsecurity" /usr/local/apache/logs/error_log

Output:

[Mon Sep 02 00:32:46 2013] [notice] ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/) configured.

January 9, 2012

Linux Malware Detect

Filed under: Security, Server — dh @ 4:39 am

source:

  • http://www.rfxn.com/projects/linux-malware-detect/
  • http://www.webhostingtalk.com/wiki/Linux_Malware_Detect

Installation


wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh

Configure Linux Malware Detect


vi /usr/local/maldetect/conf.maldet

Manual Scan


maldet --scan-all /home?/?/public_html

Cron Job

vi /etc/cron.daily/maldet

June 8, 2009

Mass Change Permission

Filed under: Security, Server — dh @ 5:42 pm

Go to the directory you want to fix.

To change one permission to another (here 777 to 755) on everything below it:

find -perm 777 -exec chmod 755 {} \; -print

To change all directory permission

find -type d -perm 777 -exec chmod 755 {} \; -print

To change all public_html permission

cd /home; find -name "public_html" -exec chmod 711 {} \;

April 19, 2009

Closing Open DNS Servers

Filed under: Security — dh @ 4:31 am

Allowing DNS recursion is like running an open SMTP relay: you allow anyone to query your DNS server, and this can easily lead to abuse.
You can fix this by disabling recursive lookups for unauthorized IPs.
This article will teach you step by step how to do this.

  1. Login to your server as root
  2. Edit /etc/named.conf:

    pico /etc/named.conf

    Add the following before the options {} block:

    acl "trusted" {
    MAIN_IP;
    SECONDARY_IP;
    127.0.0.1;
    };

    Where MAIN_IP and SECONDARY_IP are the IPs of your nameservers on that server.

    Now, in the same file /etc/named.conf, add the following inside the options {} block:

    allow-recursion { trusted; };
    allow-notify { trusted; };
    allow-transfer { trusted; };

  3. Now save and restart named:

    service named restart

Source:

http://www.cpanelconfig.com/cpanel-security-related-articles/closing-open-dns-servers/

February 5, 2009

Secure Temporary Directories

Filed under: Security — dh @ 3:26 pm

Every system needs temporary folders that any user is able to read and write, BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running a script directly, it will help against a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system, but they will be unable to execute them and create the back door. One of the biggest problems is PHP injection via Apache, in which people have Apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.

This guide will work fine with cPanel, Ensim, Plesk, and of course with no control panel. It is designed for Red Hat but should work on any Linux variant.

The first step is to check if /tmp is already secure. Some datacenters do not create a /tmp partition while others do.
—–command—–

df -h |grep tmp

—–command—–

If that displays nothing, go below to create a tmp partition. If you do have a tmp partition, you need to see if it is mounted with noexec.
—–command—–

cat /etc/fstab |grep tmp

—–command—–

If there is a line that includes /tmp and noexec, then it is already mounted as non-executable. If not, follow the instructions below to create one without having to physically format your disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.

Create a ~800Mb partition
—–command—–

cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000

—–command—–

Format the partition
—–command—–

mkfs.ext2 /dev/tmpMnt

—–command—–
When it asks about not being a block special device press Y

Make a backup of the old data
—–command—–

cp -Rp /tmp /tmp_backup

—–command—–

Mount the temp filesystem
—–command—–

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

—–command—–

Set the permissions
—–command—–

chmod 0777 /tmp

—–command—–

Copy the old files back
—–command—–

cp -Rp /tmp_backup/* /tmp/

—–command—–

Once you do that, go ahead and restart MySQL and make sure it works OK. We do this because MySQL places mysql.sock in /tmp, which needs to be moved to the new filesystem; if not, it might have trouble starting. Once it starts cleanly, you can add this line to the bottom of /etc/fstab to have the filesystem mounted automatically:

Open the file in pico:
—–command—–

pico -w /etc/fstab

—–command—–
Now add this single line at the bottom:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0

Umount and remount /dev/shm for the changes to take effect.
—–command—–

umount /dev/shm
mount /dev/shm

—–command—–

Next delete the old /var/tmp and create a link to /tmp
—–command—–

rm -rf /var/tmp/
ln -s /tmp/ /var/

—–command—–

If everything still works fine you can go ahead and delete the /tmp_backup directory.
—–command—–

rm -rf /tmp_backup

—–command—–

Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories. Like I have said in other articles, there are still ways in, but this is one of the many layers of security you should have on your system.
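The end state can be checked with this added audit script, which is not from the original article. It reads any file in /proc/mounts or /etc/fstab layout (so it works against the live mount table as well as the fstab entries added above), treats a /var/tmp symlink as covered by the mount it points to, and assumes POSIX sh, awk and readlink; the sample it checks at the end is constructed.

```shell
# Added example, not part of the original article: audit the mount options of
# the three directories it hardens. $1 is a file in /proc/mounts or /etc/fstab
# layout (device mountpoint fstype options ...), default /proc/mounts. Prints
# one line per directory and returns 1 if any of them lacks noexec or nosuid.

# Print the options field of mount point $2 from file $1; fail if not listed.
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4; f = 1 } END { if (f) print o; exit !f }' "$1"
}

# Succeed if comma-separated option list $1 contains option $2 exactly.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

audit_tmp_mounts() {
    mounts=${1:-/proc/mounts}
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        if ! opts=$(mount_opts "$mounts" "$mp"); then
            if [ -L "$mp" ]; then   # the article's /var/tmp -> /tmp link inherits the target's options
                printf '%-9s LINK      -> %s\n' "$mp" "$(readlink "$mp")"
            else
                printf '%-9s MISSING   not a separate mount\n' "$mp"; rc=1
            fi
            continue
        fi
        status=OK
        for want in noexec nosuid; do
            has_opt "$opts" "$want" || status=WEAK
        done
        [ "$status" = OK ] || rc=1
        printf '%-9s %-9s %s\n' "$mp" "$status" "$opts"
    done
    return "$rc"
}

# Stand-alone demo on a constructed fstab-layout sample (the article's end
# state, with /var/tmp shown as its own mount): every line should read OK.
sample=$(mktemp)
printf '%s\n' '/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0' \
    '/dev/tmpMnt /var/tmp ext2 loop,noexec,nosuid,rw 0 0' \
    'none /dev/shm tmpfs noexec,nosuid 0 0' > "$sample"
audit_tmp_mounts "$sample"
rm -f "$sample"
```

Running `audit_tmp_mounts` with no argument after a reboot shows whether the fstab entries actually took effect, which is the case the loop-mounted /tmp most often gets wrong.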

Source: http://www.eth0.us/tmp
