SECURING CPANEL - WHM - AND ROOT on a VPS
This will help but as mentioned in previous posts, with a VPS you do not have access to your kernal. That is good in some ways, because if you don't have access to it, neither to hackers or spammers (which limits what they can do). Its bad in ways, because you lose control and if you secure your box as much as possible, you are still at risk because you cannot control your kernal.
At any rate, here are some helpful hints :)
=========================================
Checking for formmail
=========================================
Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.
Command to find pesky form mails:
find / -name "[Ff]orm[mM]ai*"
CGIemail is also a security risk:
find / -name "[Cc]giemai*"
Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).
(this disables all form mail)
If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.
=========================================
Root kit checker - http://www.chkrootkit.org/ (http://www.chkrootkit.org/)
=========================================
Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.
To install chrootkit, SSH into server and login as root.
At command prompt type:
cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense
To run chkrootkit
At command prompt type:
/root/chkrootkit-0.44/chkrootkit
Make sure you run it on a regular basis, perhaps including it in a cron job.
Execution
I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more
=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================
If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.
Server e-mail everytime someone logs in as root
To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Save and exit.
Set an SSH Legal Message
To an SSH legal message, SSH into server and login as root.
At command prompt type:
pico /etc/motd
Enter your message, save and exit.
Note: I use the following message...
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
=========================================
Web Host manager and CPANEL mods.
=========================================
These are items inside of WHM/Cpanel that should be changed to secure your server.
Goto Server Setup =>> Tweak Settings
Check the following items...
Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)
Under System
Use jailshell as the default shell for all new accounts and modified accounts
Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.
Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.
Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.
Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Goto Mysql =>> MySQL Root Password
Change root password for MySQL
Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
=========================================
More Security Measures
=========================================
These are measures that can be taken to secure your server, with SSH access.
Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.
Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.
SSH into server and login as root.
Note: You can download Putty by Clicking Here (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). It's a clean running application that will not require installation on Windows-boxes.
At command prompt type:
pico /etc/ssh/sshd_config
Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678 :) lol )
Uncomment and change
#Protocol 2, 1
to look like
Protocol 2
Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)
Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no
Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.
Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.
Now restart SSH
At command prompt type:
/etc/rc.d/init.d/sshd restart
Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.
Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.
After SSH has been redirected, disable telnet.
Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: pico -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart
Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts
Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.
Disable identification output for Apache
(do this to hide version numbers from potentional hackers)
To disable the version output for proftp, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to
ServerSignature Off
Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart
=========================================
Install BFD (Brute Force Detection - optional)
=========================================
To install BFD, SSH into server and login as root.
At command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh
After BFD has been installed, you need to edit the configuration file.
At command prompt type:
pico /usr/local/bfd/conf.bfd
Under Enable brute force hack attempt alerts:
Find
ALERT_USR="0"
and change it to
ALERT_USR="1"
Find
EMAIL_USR="root"
and change it to
EMAIL_USR="your@email.com"
Save the changes then exit.
To start BFD
At command prompt type:
/usr/local/sbin/bfd -s
Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.
To modify LogWatch, SSH into server and login as root.
At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf
Scroll down to
MailTo = root
and change to
Mailto = your@email.com
Note: Set the e-mail address to an offsite account incase you get hacked.
Now scroll down to
Detail = Low
Change that to Medium, or High...
Detail = 5 or Detail = 10
Note: High will give you more detailed logs with all actions.
Save and exit.
A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
--------------------------------------------------
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
--------------------------------------------------
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.
--------------------------------------------------
Set Up A More Secure SSH Environment As described here.
--------------------------------------------------
Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as 'emergency' messages.
in.telnetd : ALL : severity emerg
--------------------------------------------------
Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:
cp /etc/services /etc/services.original
Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
smtp 25/tcp mail
domain 53/tcp # name-domain server
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
imap 143/tcp imap2 # Interim Mail Access Proto v2
https 443/tcp # MCom
smtps 465/tcp # SMTP over SSL (TLS)
syslog 514/udp
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
cpanel 2082/tcp
cpanels 2083/tcp
whm 2086/tcp
whms 2087/tcp
webmail 2095/tcp
webmails 2096/tcp
mysql 3306/tcp # MySQL
?>
Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
--------------------------------------------------
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
Logwatch can be found at: http://www.logwatch.org (http://www.logwatch.org/)
Install instructions here.
--------------------------------------------------
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
--------------------------------------------------
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
--------------------------------------------------
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny
ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.
--------------------------------------------------
Check Open Ports
From time to time it's worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn't installed, it can be selected from root WHM's Install an RPM option.
--------------------------------------------------
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
--------------------------------------------------
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview.
--------------------------------------------------
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's decription of what it does:
"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "
Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.
--------------------------------------------------
Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
--------------------------------------------------
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:
chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
You will need to enable them again when you need to perform system updates. To do this, run:
chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
--------------------------------------------------
Obfuscate The Apache Version Number
1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:
ServerSignature Off
3. Add a line underneath that which reads:
ServerTokens ProductOnly
4. Hit CTRL+X, they y, the enter to save the file.
5. Restart Apache with: /etc/rc.d/init.d/httpd restart
--------------------
COMMON COMMANDS I USE
System Information
who
List the users logged in on the machine. --
rwho -a
List all users logged in on your network. The rwho service must be enabled for this command to work.
finger user_name
System info about a user. Try: finger root last. This lists the users last logged-in on your system.
history | more
Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.
pwd
Print working directory, i.e. display the name of your current directory on the screen.
hostname
Print the name of the local host (the machine on which you are working).
whoami
Print your login name.
id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.
date
Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command
date 123123572000
To set the hardware clock from the system clock, use the command (as root)
setclock
time
Determine the amount of time that it takes for a process to complete+ other info. Don’t confuse it with date command. For e.g. we can find out how long it takes to display a directory content using time ls
uptime
Amount of time since the last reboot
ps
List the processes that are have been run by the current user.
ps aux | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.
top
Keep listing the currently running processes, sorted by cpu usage (top users first).
uname -a
Info on your server.
free
Memory info (in kilobytes).
df -h
Print disk info about all the file systems in a human-readable form.
du / -bh | more
Print detailed disk usage for each subdirectory starting at root (in a human readable form).
lsmod
(as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.
set|more
Show the current user environment.
echo $PATH
Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.
dmesg | less
Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. - only works on dedciated systems
Commands for Process control
ps
Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
each with the name of the owner. Use top to keep listing the processes currently running.
fg
PID Bring a background or stopped process to the foreground.
bg
PID Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z
any_command &
Run any command in the background (the symbol ‘&’ means run the command in the background?).
kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.
killall -9 program_name
Kill program(s) by name.
xkill
(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)
lpc
(as root) Check and control the printer(s). Type ??? to see the list of available commands.
lpq
Show the content of the printer queue.
lprm job_number
Remove a printing job job_number from the queue.
nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.
renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).
Optimizing your VPS server (help it run more efficiently)
VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!
MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb
[mysqld_safe]
open_files_limit = 8192
[mysqldump]
quick
max_allowed_packet = 16M
[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M
In order to make things even faster, you can customize these settings specifically for your VPSs' usage. There's a great howto on InterWorx's forum for this --> http://www.interworx.com/forums/showthread.php?p=2346
Lastly, I recommend installing mytop to help you monitor your usage...
wget http://dll.elix.us/mytop-1.4.tar.gz
tar -zxvf mytop-1.4.tar.gz
cd mytop-1.4
perl Makefile.PL
make
make test
make install
Once that's done, just enter in "mytop" .
PHP & Apache Optimization
I strongly recommend installing eAccelerator. There's an easy to follow howto here: http://forum.ev1servers.net/showthread.php?t=23574&highlight=eaccelerator. If you use the default cache dir for eAccelerator (/tmp/eaccelerator) make sure you check it reguarily and clean it every once and a while. (it can really get quite large from my experience)
For httpd.conf I suggest:
Timeout 200
KeepAlive On
maxKeepAliveRequests 100
KeepAliveTimeout 3
MinSpareServers 10
MaxSpareServers 20
StartServers 15
MaxClients 250
MaxRequestsPerChild 0
HostnameLookups Off
You can use ab to benchmark your Apache before and after you make changes.
ab -c 5 -n 20 somephpbasedsiteonyourserver.com/file.php
I suggest doing 2 or 3 tests like that to get an average.
If you want to check the Apache error log, try this -->
cat /usr/local/apache/logs/error_log
Monitoring Usage
On a Virtuozzo VPS you can use cat /proc/usr_beancounters to output your usage of the VZ parameters. You should pay most attention to oomguarpages and privmpages. (although anything with a failure is generally bad)
You can find the amount of connections to Apache with this command:
netstat -nt | grep :80 | wc -l
To find the amount of Apache processes use this command:
ps -A | grep httpd | wc -l (this will show the process count)
ps -aux | grep httpd (this will show the actual processes)
To find the amount of MySQL processes use this command:
ps -A | grep mysql | wc -l (this will show the process count)
ps -aux | grep mysql (this will show the actual processes)
Just simply using top (standard view) or top -c (will show the actual command being used and/or location of each process as opposed to just the name) can help you monitor your VPS usage very wel.
To see your disk space usage, try using this command --> df -h
Mitigating (D)DOS
If you're being DDOS'd or DOS'd you can use this command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will help you see how many connections each IP address has in total to your server.
There's a very decent script you can use to automate the banning of IP addresses available here --> http://forums.deftechgroup.com/showthread.php?t=825
Although I haven't tried it myself, I suggest you take a look at Scrutinizer as well which sounds very useful --> http://www.solutix.ch/cgi-bin/index.pl
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...
Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .
cPanel Tweak Setings
Login to WHM as root, and under "Server Configuration" on the nav bar hit "Tweak Settings".
Here are some suggested settings:
Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
- Use "FAIL". If you already have some accounts setup not to use "FAIL" (by default it will not) then run this command to convert to FAIL from BLACKHOLE --> perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*
Mailman
- Mailman tends to use a lot of resources, so if you don't need cpanel mailing lists then uncheck this.
Number of minutes between mail server queue runs (default is 60).:
- You may want to set this to 180 to reduce load.
Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
- This is just generally a good idea. So check this.
Analog Stats
- I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command --> rm -rf /home/*/tmp/analog/*
Awstats Reverse Dns Resolution
- Make sure this is unchecked, I find it pretty much useless for most users.
Awstats Stats
- You can check this if you need a robust stats software that integrates with cPanel, if you don't need it, then don't check it. *Note most hosting clients will want to use this. If you want to delete the existing awstats stats files just run this command --> rm -rf /home/*/tmp/awstats/*
Webalizer Stats
- Not many hosting clients will want to use this so, you can uncheck this to reduce load. If you want to delete the existing webalizer stats files just run this command --> rm -rf /home/*/tmp/webalizer/*
Delete each domain's access logs after stats run
- Make sure this is checked, otherwise disk space usage can really rack up!
That's about it for now, I may do some more later....
Thursday, October 11, 2007
Monday, October 08, 2007
403 error with iis6 Forbidden Message
Configuring IIS 6.0 Application Pools to run CGI scripts
I'm writing this more as a reference to myself than anything else after I keep getting stuck on doing permissions correctly on IIS 6.0 servers for high-security (e.g., independant application pools for worker processes) on CGI (e.g., ActivePerl) application. I'm going to do this briefly because I'm somewhat pressured for time now, and hopefully I'll understand my own notes later to fatten this up. Questions and comments are welcome.
We must make a new user, and note the password. password should not expire. user should be removed from users group and added to IIS_WPG group (contains default permissions needed to be a worker process). Make sure user doesn't have rights to terminal services, no interaction with user shell, and no remote access (VPN, dial-in, etc). If you're using Vis Studio with remote debugging, add the user to the Debugger Users group.
Create a new application pool. In the Identity tab, change the user to the user you created. Now under the "home directory" tab in the normal IIS web properties, change to the new application pool.
This is all that's needed for normal ASP process seperation.
For Perl, install ActivePerl. If you don't (or ActivePerl doesn't give you the option to do so), go to Allowed Web Services in IIS Admin. Click Add, set the service name to Perl CGI and the allowed files to: C:\Perl\bin\perl.exe "%s" %s (note the " " and change the path as needed - duh!) Mark it as allowed. In the application, go to Configuration (near application pool selection) and make sure cgi and/or .pl extensions are in the list. if not, click add, enter the extension, the same executable as before, use verbs GET,HEAD,POST (use others if you need it, of course) and leave script engine and check file exists checked. The application will only need scripts (not execute) on the execute permissions tab since we marked perl as a script engine above.
Now comes the tricky part: in addition to the obvious execute permission our user needs on the CGI files, our users need permission to launch the files (eg, worker process thread must launch external perl.exe process). I'll be verbose here to let search engines find this easier:
I get a 403.19 message from IIS with CGI
See below
I get "CGI Access Forbidden" message from IIS
Actually, the message you'll see in the browser is just "403: Access denied - You are not authorized to view this page" which never fails to throw me off course. Whenever you get an error in IIS, always look it up in the access log. There you'll see the minor error code. For example:
2005-03-01 09:39:27 127.0.0.1 GET /test.pl - 80 - 10.201.1.17 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.1.4322) 403 19 1314
That's MSIE getting this error. To solve it, go to the local security policy. Under "User Rights Assignment", find "Replace a process-level token" and "Adjust memory Quotas for a Process" and add your user to both. On the file system, make sure that your user has read permissions (and execute on perl!) which it should by default unless you did weird permissions
That should be it - Windows is annoying sometimes. I've done this by the book and still managed to get weird errors sometimes. But then I'd do the same thing again, and eventually it would work (with new users, new app poolsm etc). But I never had to do anything beyond this. Happy scripting!
I'm writing this more as a reference to myself than anything else after I keep getting stuck on doing permissions correctly on IIS 6.0 servers for high-security (e.g., independant application pools for worker processes) on CGI (e.g., ActivePerl) application. I'm going to do this briefly because I'm somewhat pressured for time now, and hopefully I'll understand my own notes later to fatten this up. Questions and comments are welcome.
We must make a new user, and note the password. password should not expire. user should be removed from users group and added to IIS_WPG group (contains default permissions needed to be a worker process). Make sure user doesn't have rights to terminal services, no interaction with user shell, and no remote access (VPN, dial-in, etc). If you're using Vis Studio with remote debugging, add the user to the Debugger Users group.
Create a new application pool. In the Identity tab, change the user to the user you created. Now under the "home directory" tab in the normal IIS web properties, change to the new application pool.
This is all that's needed for normal ASP process seperation.
For Perl, install ActivePerl. If you don't (or ActivePerl doesn't give you the option to do so), go to Allowed Web Services in IIS Admin. Click Add, set the service name to Perl CGI and the allowed files to: C:\Perl\bin\perl.exe "%s" %s (note the " " and change the path as needed - duh!) Mark it as allowed. In the application, go to Configuration (near application pool selection) and make sure cgi and/or .pl extensions are in the list. if not, click add, enter the extension, the same executable as before, use verbs GET,HEAD,POST (use others if you need it, of course) and leave script engine and check file exists checked. The application will only need scripts (not execute) on the execute permissions tab since we marked perl as a script engine above.
Now comes the tricky part: in addition to the obvious execute permission our user needs on the CGI files, our users need permission to launch the files (eg, worker process thread must launch external perl.exe process). I'll be verbose here to let search engines find this easier:
I get a 403.19 message from IIS with CGI
See below
I get "CGI Access Forbidden" message from IIS
Actually, the message you'll see in the browser is just "403: Access denied - You are not authorized to view this page" which never fails to throw me off course. Whenever you get an error in IIS, always look it up in the access log. There you'll see the minor error code. For example:
2005-03-01 09:39:27 127.0.0.1 GET /test.pl - 80 - 10.201.1.17 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.N ET+CLR+1.1.4322) 403 19 1314
That's MSIE getting this error. To solve it, go to the local security policy. Under "User Rights Assignment", find "Replace a process-level token" and "Adjust memory Quotas for a Process" and add your user to both. On the file system, make sure that your user has read permissions (and execute on perl!) which it should by default unless you did weird permissions
That should be it - Windows is annoying sometimes. I've done this by the book and still managed to get weird errors sometimes. But then I'd do the same thing again, and eventually it would work (with new users, new app poolsm etc). But I never had to do anything beyond this. Happy scripting!
Saturday, February 17, 2007
PXE With Linux
http://www.linux-sxs.org/internet_serving/pxeboot.html
Setting up a PXE-Boot Server
Written by Net Llama! on 17-Sept-2005
This documents how to setup a PXE boot server for Linux. This assumes that you're using Redhat/FC as the PXE boot server. The vast majority of the information has been obtained from the following webpages:
http://dev.brantleyonline.com/wiki/index.php/General_Network_%28PXE%29_Booting
http://dev.brantleyonline.com/wiki/index.php/PXE_Booting_-_Fedora_Core
0) The first thing to note is that you need to setup your own mini-network that is completely disconnected from the network, since part of this process requires setting up a DHCP server which could conflict with the corporate DHCP server if they were both running on the same network simultaneously. So get yourself a switch from IT up front. You do *NOT* need the switch immediately, so just put it aside until I mention it again
later on.
1) The next step is to choose a box to be the PXE boot server. This can really be any box at all, as long as you have a NIC in it that works reliably under Linux. For the purposes of this documentation, I'm going to assume that you've loaded Fedora Core 4 on this box (do that now, if you've not already). Get this box onto the network with DHCP (just like a normal installation).
2) Next you'll need to install the following packages (which ship with FC4 already, so if you did an 'everything' OS install, you should have them already. If not, you can install them easily with yum):
tftp-server
dhcp
httpd
syslinux
If you use yum to install them, then it will be generally alot easier:
yum install tftp-server dhcp httpd syslinux
answer Y to all dependency/installation questions.
3) Now you need to setup the DHCP server. With the FC4 RPM for dhcp, all you need to do is create /etc/dhcpd.conf with the following contents:
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.10 192.168.0.254;
default-lease-time 3600;
max-lease-time 4800;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;
option subnet-mask 255.255.255.0;
option domain-name "llama.net";
option time-offset -8;
}
host llama0 {
hardware ethernet 04:4B:80:80:80:03;
fixed-address 192.168.0.254;
option host-name "llama0";
filename "pxelinux.0";
}
In a nutshell, this sets up a DNS server that will assign IP address 192.168.0.254 to your client box that has MAC address 04:4B:80:80:80:03 assigned to its PXE-boot capable NIC. Another thing to note is that we're reserving the private 192.168 subnet for this setup. The only thing you need to change in the above, is the MAC address to match that of the NIC on your client box.
4) Next you need to activate tftp within xinetd. All that is neccesary is to change disable=yes to disable=no in /etc/xinetd.d/tftp . Then restart xinetd. For future reference, the tftp RPM for FC4 stores its servable content under /tftpboot.
5) Now we need to setup your PXE server to use a static IP on the new private subnet. Create the file /etc/sysconfig/network-scripts/ifcfg-eth0.static with the following contents:
DEVICE=eth0
BOOTPROTO=STATIC
ONBOOT=no
TYPE=Ethernet
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
6) Now we need to setup the PXE boot environment on the server. To do this, you need to have either the Linux distribution that you wish to install over PXE either in CD format, or all the content of the CDs available on the network.
On the first CD of every RH/FC distribution there is a subdirectory called 'isolinux'. In that directory you will find two files, vmlinuz and initrd.img. These are the kernel & initrd.img that the RH/FC bootable CDs use to get the installer (anaconda) booted for performing the installation. Copy both of those files into /tftpboot and make sure that they are world readable. If you are planning to allow more than one version/distribution to be PXE boot installable, then you should rename both files so that its clear that they are for whatever version/distribution they came from (such as vmlinuz-RHEL4, initrd-RHEL4).
Next, you need the actual pxe boot linux kernel (what is actually run immediately after your PXE boot client box gets a DHCP lease). In this case, that file is pxelinux.0, and is part of the syslinux RPM. For FC4, you can find it at /usr/lib/syslinux/pxelinux.0. Copy that file into /tftpboot and make sure that it is world readable.
7) Next we need to configure pxelinux. First create the directory /tftpboot/pxelinux.cfg (and make it world readable). Inside that directory you need to create a number of zero size files (use touch):
01-04-4B-80-80-80-03
C
C0
C0A
C0A8
C0A80
C0A800
C0A800F
C0A800FE
01-04-4B-80-80-80-03
The first 8 are the hex representation of the 192.168.0.254 IP address that your PXE boot client will be assigned. The permutations allow a broader IP subnet to be searched first for matches. The last entry is the MAC address of your PXE boot client's NIC (with dashes substituted for the colons), with '01' pre-pended. The "01" at the front represents a hardware type of Ethernet, so pxelinux.0 see's the configuration string as an IP address.
8) Now create the default pxelinux configuration inside the new file
/tftpboot/pxelinux.cfg/default:
prompt 1
default linux
timeout 100
label linux
kernel vmlinuz
append initrd=initrd.img ramdisk_size=9216 noapic acpi=off
9) Now you need to put the full contents of your Linux distro (all CDs) somewhere on disk. I put it under /tftpboot/RHEL4U1. In order to allow for installation over HTTP (apache), edit/etc/httpd/conf/httpd.conf and add the following:
Options Indexes
AllowOverride None
 |
Setting up a PXE-Boot Server
Written by Net Llama! on 17-Sept-2005
This documents how to setup a PXE boot server for Linux. This assumes that you're using Redhat/FC as the PXE boot server. The vast majority of the information has been obtained from the following webpages:
http://dev.brantleyonline.com/wiki/index.php/General_Network_%28PXE%29_Booting
http://dev.brantleyonline.com/wiki/index.php/PXE_Booting_-_Fedora_Core
0) The first thing to note is that you need to setup your own mini-network that is completely disconnected from the network, since part of this process requires setting up a DHCP server which could conflict with the corporate DHCP server if they were both running on the same network simultaneously. So get yourself a switch from IT up front. You do *NOT* need the switch immediately, so just put it aside until I mention it again
later on.
1) The next step is to choose a box to be the PXE boot server. This can really be any box at all, as long as you have a NIC in it that works reliably under Linux. For the purposes of this documentation, I'm going to assume that you've loaded Fedora Core 4 on this box (do that now, if you've not already). Get this box onto the network with DHCP (just like a normal installation).
2) Next you'll need to install the following packages (which ship with FC4 already, so if you did an 'everything' OS install, you should have them already. If not, you can install them easily with yum):
tftp-server
dhcp
httpd
syslinux
If you use yum to install them, then it will be generally alot easier:
yum install tftp-server dhcp httpd syslinux
answer Y to all dependency/installation questions.
3) Now you need to setup the DHCP server. With the FC4 RPM for dhcp, all you need to do is create /etc/dhcpd.conf with the following contents:
ddns-update-style interim;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.10 192.168.0.254;
default-lease-time 3600;
max-lease-time 4800;
option routers 192.168.0.1;
option domain-name-servers 192.168.0.1;
option subnet-mask 255.255.255.0;
option domain-name "llama.net";
option time-offset -8;
}
host llama0 {
hardware ethernet 04:4B:80:80:80:03;
fixed-address 192.168.0.254;
option host-name "llama0";
filename "pxelinux.0";
}
In a nutshell, this sets up a DNS server that will assign IP address 192.168.0.254 to your client box that has MAC address 04:4B:80:80:80:03 assigned to its PXE-boot capable NIC. Another thing to note is that we're reserving the private 192.168 subnet for this setup. The only thing you need to change in the above, is the MAC address to match that of the NIC on your client box.
4) Next you need to activate tftp within xinetd. All that is neccesary is to change disable=yes to disable=no in /etc/xinetd.d/tftp . Then restart xinetd. For future reference, the tftp RPM for FC4 stores its servable content under /tftpboot.
5) Now we need to setup your PXE server to use a static IP on the new private subnet. Create the file /etc/sysconfig/network-scripts/ifcfg-eth0.static with the following contents:
DEVICE=eth0
BOOTPROTO=STATIC
ONBOOT=no
TYPE=Ethernet
IPADDR=192.168.0.2
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
6) Now we need to setup the PXE boot environment on the server. To do this, you need to have either the Linux distribution that you wish to install over PXE either in CD format, or all the content of the CDs available on the network.
On the first CD of every RH/FC distribution there is a subdirectory called 'isolinux'. In that directory you will find two files, vmlinuz and initrd.img. These are the kernel & initrd.img that the RH/FC bootable CDs use to get the installer (anaconda) booted for performing the installation. Copy both of those files into /tftpboot and make sure that they are world readable. If you are planning to allow more than one version/distribution to be PXE boot installable, then you should rename both files so that its clear that they are for whatever version/distribution they came from (such as vmlinuz-RHEL4, initrd-RHEL4).
Next, you need the actual pxe boot linux kernel (what is actually run immediately after your PXE boot client box gets a DHCP lease). In this case, that file is pxelinux.0, and is part of the syslinux RPM. For FC4, you can find it at /usr/lib/syslinux/pxelinux.0. Copy that file into /tftpboot and make sure that it is world readable.
7) Next we need to configure pxelinux. First create the directory /tftpboot/pxelinux.cfg (and make it world readable). Inside that directory you need to create a number of zero size files (use touch):
01-04-4B-80-80-80-03
C
C0
C0A
C0A8
C0A80
C0A800
C0A800F
C0A800FE
01-04-4B-80-80-80-03
The first 8 are the hex representation of the 192.168.0.254 IP address that your PXE boot client will be assigned. The permutations allow a broader IP subnet to be searched first for matches. The last entry is the MAC address of your PXE boot client's NIC (with dashes substituted for the colons), with '01' pre-pended. The "01" at the front represents a hardware type of Ethernet, so pxelinux.0 see's the configuration string as an IP address.
8) Now create the default pxelinux configuration inside the new file
/tftpboot/pxelinux.cfg/default:
prompt 1
default linux
timeout 100
label linux
kernel vmlinuz
append initrd=initrd.img ramdisk_size=9216 noapic acpi=off
9) Now you need to put the full contents of your Linux distro (all CDs) somewhere on disk. I put it under /tftpboot/RHEL4U1. In order to allow for installation over HTTP (apache), edit/etc/httpd/conf/httpd.conf and add the following:
Options Indexes
AllowOverride None
Alias /linux /tftpboot/RHEL4U1
10) At this stage, you're ready to hook up the switch. You should have CAT5 running between the switch & the PXE boot server, and the client box.
11) On the PXE boot server, bring down your DHCP network connected eth0 (ifdown eth0), disconnect the CAT5 connected to the network, and plug in the cat5 connected to your private switch. Now bring up the static IP for the PXE server with (ifup eth0.static). You can verify that it came up successfully by verifying that you have IP address 192.168.0.2 in ifconfig.
12) Now start dhcpd & apache and activate tftp by running the following:
service dhcpd start
service xinetd restart
service httpd start
and verify that they are all in your process list.
13) Plug the PXE client box's CAT5 into the switch, and verify that the NIC appears first in the BIOS boot order. (re)boot and you should get a DHCP lease, and start booting successfully off the network.
14) When you get into the RH/FC installer which asks you for the install method, choose HTTP. Fill in 192.168.0.2 for the name, and 'linux' for the path, and you should be all set.
15) If you run into any problems, check /var/log/messages for errors (that's where all dhcp & tftp stuff will get logged). /var/log/httpd is where apache logs, but if you get that far, your problem is an apache configuration/setup issue, and not a PXE boot issue.
Tuesday, October 10, 2006
Friday, October 06, 2006
Thursday, October 05, 2006
Management Tasks For Linux Web Hosting server
Limit compiler & fetch utilities access to root only
Correct folder permissions to prevent directory transversal
Disable Unused services
Update all server/control panel software
Harden host.conf
Harden SSH Security
Disable security risk php functions
Configure Anti-Virus Solution for Email
Modify and Maintain Mod_security for apache
Install and Maintain Mod_Evasive for apache
Install and Maintain APF (Advance Policy Firewall)
Install and Maintain BFD (Brute Force)
Install and Maintain PRM (Process Resource Monitor)
Install and Maintain SIM (System Integrity Monitor)
Maintain and Optimize Apache and MySQL
sysctl protection
syncookies protection
24/7 monitor on the following services http, https, imapd, pop3, ftp, and ssh.
Access to technicians as well as installation requirements
15 hour admin work per month
Secured /tmp /shm directories
Nobody / bad script watch
Spam watch
Datacenter reboot call in
0-day security watch and mailing lists
DDOS Mitigation and Target Determination
Logwatch
Rootkit scan nightly
MRTG Installation
Weekly security audits
Load watch and monitor every 1 minute for our technicians
Mysql Queries Check
Mysql Load / User determination
IP Blacklist Monitoring Main IP
Correct folder permissions to prevent directory transversal
Disable Unused services
Update all server/control panel software
Harden host.conf
Harden SSH Security
Disable security risk php functions
Configure Anti-Virus Solution for Email
Modify and Maintain Mod_security for apache
Install and Maintain Mod_Evasive for apache
Install and Maintain APF (Advance Policy Firewall)
Install and Maintain BFD (Brute Force)
Install and Maintain PRM (Process Resource Monitor)
Install and Maintain SIM (System Integrity Monitor)
Maintain and Optimize Apache and MySQL
sysctl protection
syncookies protection
24/7 monitor on the following services http, https, imapd, pop3, ftp, and ssh.
Access to technicians as well as installation requirements
15 hour admin work per month
Secured /tmp /shm directories
Nobody / bad script watch
Spam watch
Datacenter reboot call in
0-day security watch and mailing lists
DDOS Mitigation and Target Determination
Logwatch
Rootkit scan nightly
MRTG Installation
Weekly security audits
Load watch and monitor every 1 minute for our technicians
Mysql Queries Check
Mysql Load / User determination
IP Blacklist Monitoring Main IP
Subscribe to:
Comments (Atom)