Useful information about the iframe injections from Nixcraft

A previously unknown rootkit is infecting Linux web servers and injecting malicious code into the web pages they serve.

The malware adds an iframe to every page served by the infected system through the nginx proxy, including error pages. It appears to target 64-bit Debian Linux kernels. It is not yet clear how the malware gets onto the server and roots it in the first place; in short, the payload delivery mechanism is currently unknown.

My best guess is that the attacker gets access via the good old methods: weak passwords, cracked SSH servers and unpatched software such as PHP, nginx or WordPress.

10 WordPress security tips that could save your site

WordPress is a very popular platform these days (around 8.5% of all the world's websites are powered by WordPress!). As it is open source, everybody has access to its source code and can experiment with new cracking/hacking methods easily. Don't get me wrong, WordPress is a secure piece of software.

With little effort you can protect your WordPress site by following these few easy steps to harden your installation.

Did you know that more than one million WordPress sites were cracked last year? Was your site or your client's site among them?

1. Don’t use ‘admin’ username

As of version 3.0, WordPress lets you choose the administrator's username during installation. I encourage you to do so. Anybody who tries to get into your WordPress admin section will try 'admin' as the username first; if you change it, a potential attacker has to guess both the username and the password. Bear in mind that this is only a speed bump: WordPress exposes the author slug (user_nicename) in author archive URLs (/author/<slug>/, reachable via ?author=1), so change that too, or the new login is trivial to recover.

If you are running an older version of WordPress (which I do not recommend), you can change the admin username directly in the database. Open phpMyAdmin and run this query (replace wp_ with your table prefix if you changed it, see tip 5):

UPDATE wp_users SET user_login = 'your_new_login', user_nicename = 'your_new_login' WHERE user_login = 'admin';

2. Install Login LockDown Plugin

Login Lockdown WordPress plugin

A potential attacker will try to break your username/password combination with a brute-force or dictionary attack against the WordPress login screen. The Login LockDown plugin will slow that down.

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery.

Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel, and administrators can release locked-out IP ranges manually from there. Two caveats: a lockout keyed on IP range also locks out legitimate users behind the same NAT or proxy, and an attacker who rotates source addresses will not trip it, so treat it as one layer next to strong passwords and timely updates.

You can download the Login LockDown plugin from here.

3. Install Secure WordPress plugin

Secure WordPress Plugin

There are many places inside a WordPress site that tell a potential attacker which version of WordPress you run, as well as other information useful for picking a known exploit.

Secure WordPress beefs up the security of your installation by removing error information on the login page, adding a virtual index file to the plugin directory so it cannot be listed, hiding the WordPress version and more:

  • Removes error-information on login-page
  • Adds index.php plugin-directory (virtual)
  • Removes the wp-version, except in admin-area
  • Removes Really Simple Discovery
  • Removes Windows Live Writer
  • Removes core update information for non-admins
  • Removes plugin-update information for non-admins
  • Removes theme-update information for non-admins (only WP 2.8 and higher)
  • Hides wp-version in backend-dashboard for non-admins
  • Removes version on URLs from scripts and stylesheets only on frontend
  • Blocks any bad queries that could be harmful to your WordPress website

You can download this plugin from here.

4. Move your wp-config.php file

Your wp-config.php file contains the database connection details as well as other data that must be kept from anybody else. Since WordPress 2.6 you can easily move this file out of the web root.

To do this, simply move wp-config.php up one directory from your WordPress root. WordPress automatically looks for the config file there if it cannot find it in the root directory (as long as that parent directory does not itself contain a wp-settings.php, which would mark it as another installation).

This way the file is outside the document root, so nobody except a user with FTP or SSH access to the server can read it, and a misconfigured PHP handler that serves .php files as plain text (see the symbolic-link write-up further down this page) no longer exposes it either. On shared hosting the parent of public_html is usually the account's home directory, which is still readable by that account, so this protects against the web server, not against a compromised account.

5. Change database table prefixes

By default the WordPress table prefix is wp_. As WordPress is open source, if you leave the prefix intact everybody knows the exact names of your database tables, and automated SQL injection payloads aimed at wp_users or wp_options work unchanged.

You can set the prefix during installation by entering a new one in wp-config.php ($table_prefix). To change it after installation, use the WP Secure Scan plugin. This is obscurity only: an injection that can read information_schema finds the real names, so it raises the bar for mass-exploitation scripts rather than for a targeted attacker.

6. Change default secret keys

When you open wp-config.php you will see the secret keys (four in older releases; since WordPress 3.0 the sample file ships four keys plus four matching salts):

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');

I am amazed how many people, even experienced ones, do not change these keys. They are not used to hash your password: WordPress mixes them into the authentication cookies and nonces it issues. If the constants are empty or still the placeholder, WordPress falls back to a random salt stored in the options table, so anyone who can read the database (an SQL injection, a leaked dump) can forge a logged-in cookie for any user without knowing a password; if you pasted keys from a tutorial, they do not even need that. Changing the keys invalidates every existing session, which is exactly what you want after a compromise.

Simply visit https://api.wordpress.org/secret-key/1.1/ (keys only) or https://api.wordpress.org/secret-key/1.1/salt/ (keys and salts) and copy the generated define() lines into wp-config.php, replacing all of the placeholders. It's that simple.
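If you prefer not to fetch secrets from a remote API, or want to confirm that an existing site's keys were actually changed, the following added example (written for this page, not WordPress's own tooling) generates all eight values from /dev/urandom and audits a wp-config.php for empty, placeholder or short values. The placeholder string 'put your unique phrase here' is the one shipped in wp-config-sample.php; the 32-character minimum is this script's own threshold.

```shell
#!/bin/sh
# Added example for this page (not WordPress's own tooling): generate the
# eight wp-config.php keys/salts locally and audit an existing file.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_LEN=32                                  # this script's own threshold

# One 64-character value from the kernel CSPRNG. The character set leaves
# out the quote and the backslash so the value pastes safely into define('').
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c 64
}

# Print eight define() lines ready to replace the block in wp-config.php.
gen_wp_salts() {
  for k in $WP_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$(random_salt)"
  done
}

# audit_wp_salts <wp-config.php>: print one line per key that is missing,
# empty, still the placeholder, or shorter than MIN_LEN; return 1 if any.
audit_wp_salts() {
  rc=0
  for k in $WP_KEYS; do
    val=$(sed -n "s/^[[:space:]]*define([[:space:]]*'$k'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1)
    if [ -z "$val" ]; then
      echo "$k: missing or empty"; rc=1
    elif [ "$val" = "$PLACEHOLDER" ]; then
      echo "$k: still the sample placeholder"; rc=1
    elif [ "${#val}" -lt "$MIN_LEN" ]; then
      echo "$k: only ${#val} characters"; rc=1
    fi
  done
  return "$rc"
}
```

Run `audit_wp_salts /path/to/wp-config.php` on every site you look after; a non-zero exit means at least one key needs replacing, and `gen_wp_salts` gives you the replacement block.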

7. Update

Always update to the latest version of WordPress, as it is the one with the known holes closed. Don't forget to update your plugins and themes; that is where most WordPress compromises start.

Updating the core, plugins and themes is really easy from the admin screen, so do it as soon as an update appears. WordPress is a terrific piece of software, and updating rarely, if ever, breaks site functionality.

8. Protect your wp-admin

The AskApache Password Protect plugin adds serious password protection (HTTP basic authentication via .htaccess) to your WordPress blog. It protects not only the wp-admin directory but also wp-includes, wp-content, plugins and so on. Keep wp-admin/admin-ajax.php reachable, because plugins use it for front-end requests by anonymous visitors, and remember that basic authentication sends the password in the clear unless the site is served over HTTPS.

9. Use strong password

This is the most trivial thing to do to protect your WordPress installation, yet many people use weak passwords that modern brute-force tools break in seconds.

There are many tips on how to make a strong password; I personally like this Strong Password Generator. Read the tips over there to understand what a strong password is: length and randomness matter far more than swapping digits for letters.

10. Backup your data regularly

This is not strictly a security tip, but it is related. If someone hacks your site and you don't have a backup, it will be very difficult to return the site to its previous state.

Regular backups are a must, and they must be stored somewhere other than the web server itself, or the same intrusion that defaces the site deletes the backup. There is a great list of WordPress backup plugins available here.

A few more general tips for securing WordPress installation:

  • Remove unused users from WordPress.
  • Remove unused WordPress themes.
  • Remove all unused WordPress plugins.

If you don't have time to follow all of the above tips, please follow at least two of them. It will help you protect the effort you invested in your WordPress site.

Is your site secured? Have some more tips like these? Please, share your thoughts with me in comments section.


Hacking linux server using symbolic links – Great stuff

Let me show you the method the attacker uses to read the source of your site's configuration files, for example wp-config.php, and how to prevent it.

1) He logs in to cPanel as a normal user at http://ip-address/cpanel with his own login and password.
2) He opens the File Manager (with "show hidden files (dotfiles)" enabled) and creates a new .htaccess file with the following contents:
#.htaccess file source
Options Indexes FollowSymLinks
DirectoryIndex doesnt-matter.htm
AddType txt .php
AddHandler txt .php
#End of .htaccess file
The AddType/AddHandler lines override the server's PHP handler for that directory, so any .php file reached through it is served as plain text instead of being executed.
3) He then creates a symbolic link (soft link) to the top-level directory "/" with a Perl script or simply a cron job: "ln -s / topdir"
4) He opens a browser, requests http://server-ip/~his-home-dir/topdi…/wp-config.php and reads the source in the page: the other account's database credentials are right there as text. That's all. The user has been hacked.
—————————————————————————————————————————————————————-
Solution:
1) Open your php.conf with your favourite editor (the path below is the cPanel/EasyApache location): nano /usr/local/apache/conf/php.conf
2) Comment out: #AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
3) Add these lines:
<FilesMatch "\.ph(p[2-6]?|tml)$"> # matches .php, .php2, .php3, .php4, .php5, .php6 and .phtml
SetHandler application/x-httpd-php5
</FilesMatch>
4) Save your changes and close php.conf
5) Restart httpd: /etc/init.d/httpd restart
6) Done

Why this works: Apache merges <Directory> sections and .htaccess files first and <Files>/<FilesMatch> sections after them, so a handler fixed with SetHandler in the server configuration wins over an AddHandler placed in a user's .htaccess. Two further measures close the same hole from the other side: replace FollowSymLinks with SymLinksIfOwnerMatch in the server configuration (or restrict AllowOverride so .htaccess cannot enable FollowSymLinks), so Apache refuses to follow a link whose target is owned by a different user, and run each account's PHP as its own user (suPHP, FastCGI or similar) with wp-config.php at mode 0600, so a link that is followed still ends in permission denied for the web server user.
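Before and after applying the fix it is worth checking whether any account already has such links in place. The script below is an added example for this page (not from the original write-up): it lists every symlink under a web root whose resolved target lies outside the account's own directory, which is the footprint of the attack above. The directory layout in the usage is constructed, and readlink -f is assumed to be available (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example for this page (not from the original write-up): report
# symlinks under a web root that resolve outside the account's own tree,
# the footprint of the symlink attack above. Needs readlink -f (GNU/BusyBox).

# find_escaping_symlinks <webroot> [allowed_base]
# Prints "link -> resolved target" for each offending link; prints nothing
# when the tree is clean. allowed_base defaults to the web root itself.
find_escaping_symlinks() {
  root=$1
  base=$(cd "${2:-$1}" && pwd -P) || return 2   # canonical, like readlink -f
  find "$root" -type l | while IFS= read -r link; do
    target=$(readlink -f "$link" 2>/dev/null) || target="(dangling)"
    case "$target" in
      "$base"|"$base"/*) ;;                      # stays inside the account
      *) printf '%s -> %s\n' "$link" "$target" ;;
    esac
  done
}

# Walk every account on a cPanel-style box: /home/<user>/public_html may
# only link within /home/<user>.
scan_all_accounts() {
  for home in /home/*; do
    [ -d "$home/public_html" ] || continue
    find_escaping_symlinks "$home/public_html" "$home"
  done
}
```

`scan_all_accounts` is cheap enough to run from cron; any output is a finding worth looking at, since a legitimate site has no reason to link to /etc or to another customer's wp-config.php.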

Issue with Pure-FTP

If you get the error below while switching from ProFTPD to Pure-FTPd on a cPanel server:

pure-ftpd (/usr/sbin/pure-ftpd -O clf:/var/log/xferlog --daemonize -A -c50 -B -C8 -D -E -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L10000:8 -m4 -p30000:35000 -s -U133:022 -u100 -i -Oxferlog:/usr/local/apache/domlogs/ftpxferlog -o -k99 -Z -Y1 -JHIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3) running as root with PID 536770
pure-authd (/usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth) running as root with PID 536787
ftpserver has failed, please contact the sysadmin.
Install Complete
Enabling pure-ftpd in init system
Enabling FTP server updates
Enabling chksrvd monitoring
FTP server conversion complete

do the following to fix it.

Open the config file for pure-ftpd:

# vi /etc/pure-ftpd.conf

Find the line
CallUploadScript Yes

Comment it out and restart pure-ftpd. This appears to be a bug in cPanel.

While you are in that file, look at the TLS settings cPanel generated for the command line above: -Y1 still accepts cleartext logins next to TLS ones (-Y2 refuses cleartext), and the -J cipher string allows SSLv3, which is broken and should be disabled once your clients all speak TLS.

SYSCTL for Better Optimization and Security

Put this in /etc/sysctl.conf and load it with sysctl -p. sysctl applies the file top to bottom and a later line silently overrides an earlier one; the original version of this list set log_martians, tcp_sack, tcp_timestamps and tcp_window_scaling twice with opposite values and repeated the source-routing, rp_filter and redirect blocks, so the list below keeps one copy of each with the value that was effectively in force. The net.ipv4.conf.eth0.* lines only load if an interface of that name exists; rename them for your NIC or drop them and rely on all/default.

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disable packet forwarding (this box is not a router; a VPN gateway
# or container host needs 1)
net.ipv4.ip_forward = 0

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0

# Enable IP spoofing protection: reverse-path source verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1

# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

# Log spoofed, source-routed and redirect packets ("martians")
net.ipv4.conf.all.log_martians = 1

# Disable the magic SysRq key
kernel.sysrq = 0

# Shorten the FIN-WAIT-2 timeout and the idle time before keepalive probes
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1800

# Enable TCP SYN cookie protection against SYN floods
net.ipv4.tcp_syncookies = 1

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Increase the size of the SYN backlog queue
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the TIME-WAIT bucket pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the upper bound must not exceed 65535;
# the original 65536 is rejected by the kernel)
net.ipv4.ip_local_port_range = 16384 65535

# Socket buffer sizes; window scaling, timestamps and SACK stay enabled
net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 5000

# Shared memory limits: shmmax is bytes per segment, shmall is the total
# in pages (4 KB each on x86). Size these to your RAM and to what your
# database or cache actually asks for.
kernel.shmmax = 4294967295
kernel.shmall = 268435456

Prevent DOS Attack with CSF

First see who is connected and how many connections each address holds (netstat -ntu lists numeric TCP/UDP sockets; the pipeline keeps the remote address, strips the port and counts occurrences, busiest last; ss -ntu gives the same on systems without netstat):

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Connection tracking in CSF:

 1) Open the CSF configuration file /etc/csf/csf.conf

 2) Search for the option CT_LIMIT and set it, for example CT_LIMIT = "60". 60 is the maximum number of connections from one IP to your server before it is blocked; choose the value according to your server usage, and remember that a whole office behind one NAT address counts as a single IP.

 3) Search for CT_PORTS. This option restricts connection tracking to the ports you list. E.g. to protect Apache and DNS (ports 80 and 53), change CT_PORTS = "" to CT_PORTS = "80,53". Left empty, all ports are tracked.

 4) Save the file and restart CSF (csf -r).

Port flooding in CSF:

 Open csf.conf with vi /etc/csf/csf.conf

 Search for "PORTFLOOD"

 Add PORTFLOOD = "80;tcp;20;300"

 Save the file.

 Restart the csf service (service csf restart, or csf -r)

 This rule blocks IPs that open more than 20 new TCP connections to port 80 within 300 seconds (the format is port;protocol;hit count;interval in seconds). A browser opens several connections per page load, so 20 in five minutes will also catch ordinary visitors; this is an emergency setting. Once the attack is over, remove the rule from csf.conf again.

Moving mod_pagespeed’s file-based cache into RAM

Google's mod_pagespeed does a great job of optimising web resources such as HTML, JS, CSS and even images.
I use it on a lot of customer production sites as a partner to APC cache for super fast web sites.

I won't go into details on how it works; if you're reading this, you already know!

mod_pagespeed caches rewritten resources on disk. On a heavily loaded server or a VPS, disk I/O is at a premium, so cache to memory instead: it is faster, cheap and easy to set up, and since it is only a cache nothing is lost when the tmpfs is emptied at reboot.

Put this in /etc/fstab; change the uid and gid to the user and group your Apache runs as (httpd on Red Hat, www-data on Debian) and the path to match ModPagespeedFileCachePath in your pagespeed configuration. Feel free to change the size (256 MB here), but keep ModPagespeedFileCacheSizeKb below it, because size= is a hard cap and the filesystem fills up before pagespeed's own cache cleaner runs.

tmpfs /var/www/mod_pagespeed/cache tmpfs size=256m,mode=0775,uid=httpd,gid=httpd 0 0

Save it, create the directory if it does not exist yet, and mount the tmpfs:

mount /var/www/mod_pagespeed/cache

mod_pagespeed will now be even faster!

How to install and configure openvpn on your linux VPS Hosting(server and client) ?

If your VPS has the Plesk panel, you can install and use the OpenVPN module provided by Plesk via the Plesk GUI. If you have cPanel, DirectAdmin or Webmin, use the following. This walk-through was written for OpenVPN 2.0; the steps are the same for later 2.x releases, and on any current distribution the signed openvpn package (apt-get install openvpn, yum install openvpn) saves you the build below.

Part 1:
Log in to your VPS via SSH as root:

1. Download OpenVPN and save it to a folder, say /etc/openvpn
wget http://openvpn.net/release/openvpn-2.0.tar.gz  (download the latest stable version available)
Download it to your local machine too.

2. Check the release:
md5sum openvpn-2.0.tar.gz //and compare with http://openvpn.net/sig.html
A checksum published on the same website only detects a corrupt download. To detect a tampered one, verify the GnuPG signature (.asc) the project publishes alongside the tarball against the OpenVPN release key.

3. tar -xvzf openvpn-2.0.tar.gz
cd openvpn-2.0
./configure

If it gives the error:
"LZO library and headers not found.
LZO library available from www.oberhumer.com/opensource/lzo
configure: error: Or try ./configure --disable-lzo"

download LZO:
cd ..
wget www.oberhumer.com/opensource/…zo-1.08.tar.gz
tar -xvzf lzo-1.08.tar.gz
cd lzo-1.08
./configure
make
make check
make test
make install

cd ../openvpn-2.0
./configure
make
make install

* We are using the routed (tun) method. (Refer to http://openvpn.net/howto.html#vpntype for details)

4. Generate a master CA certificate/key, a server certificate/key, and certificates/keys for the clients:

On the server:

cd easy-rsa/ (folder inside the OpenVPN source dir)
. ./vars
./clean-all
a) ./build-ca //Give the details it asks for

b) ./build-key-server server //Give the details it asks for and answer yes to both questions.

c) ./build-key client1 //where client1 is the 'common name' you wish to give the first client. Give the same details as above for the rest.
* If you plan to use more than one client, repeat step 4.c for each client with a distinct name (client1, client2, client3 etc.) and copy the respective key/crt to that client machine over a secure channel (scp). Do not share one certificate between clients: unless duplicate-cn is set the server refuses the second concurrent connection, and a shared certificate cannot be revoked for one user without cutting off all of them.

d) ./build-dh

ls keys

The keys/ directory now holds ca.key (the CA private key) and server.key. Keep ca.key off the VPN server if you can (a CA that lives on the server can mint a client certificate for whoever roots the box) and make both files mode 0600.

5. On the server:
cd ../sample-config-files/
vi server.conf //Give the paths to key, ca, cert and dh; the rest should be fine with the default values. 10.8.0.1 will be the default IP used by the server and subsequent IPs will be given to connecting clients.

6. Make sure port 1194 (UDP by default) is open on the server/VE firewall, if any.

7. On the server, start OpenVPN from the source dir:

./openvpn sample-config-files/server.conf

The output should read "Initialization Sequence Completed" towards the end.

Part 2: (Use this if your home/office computer is a Linux/Unix machine)

On the local/client machine (Linux/*nix), naming this client client1:

1. Install the OpenVPN package (repeat steps 1 to 3 of Part 1, or use your distribution's package).
2. Copy client1.key, client1.crt and ca.crt from the server to the client1 machine.
3. Find sample-config-files/client.conf and edit it:
give the paths to the client key, client cert and ca.crt on the client1 machine, and
edit the 'remote' directive to point to the hostname/IP address and port number of the OpenVPN server.

e.g.:
remote 204.157.7.143 1194
ca /root/openvpn/openvpn-2.0/easy-rsa/keys/ca.crt
cert /root/openvpn/openvpn-2.0/easy-rsa/keys/client1.crt
key /root/openvpn/openvpn-2.0/easy-rsa/keys/client1.key

Also add ns-cert-type server (on OpenVPN 2.1 and later use remote-cert-tls server, which replaced it; ns-cert-type was removed in 2.5) so the client only accepts a certificate built with build-key-server as the server. Without it, any client certificate issued by the same CA can impersonate the server to the other clients.

Start OpenVPN from the source dir:
./openvpn sample-config-files/client.conf

The output should read "Initialization Sequence Completed" towards the end here too.

If it throws an error about the certificate/key, run:

openssl verify -CAfile ca.crt -purpose sslclient client1.crt //To verify the cert

It should output:
client1.crt: OK
if everything is okay.
Both server and client also need a reasonably correct clock, because certificate validity is checked against it (the timezone itself does not matter; a clock set to the wrong year fails with "certificate is not yet valid" or "has expired").

Part 3: (Use this if your home/office computer is a Windows machine)

Now for a Windows client, naming this client "client2":

Install OpenVPN:

1. Download the OpenVPN package (OpenVPN plus OpenVPN GUI) for Windows from
http://openvpn.se/files/install_pack….0-install.exe
and run the installer.

2. Copy client2.key, client2.crt and ca.crt from the OpenVPN server to the client2 machine.
(You need to create a cert/key for this client as well, using step 4.c above.)

3. Go to Start -> Programs -> OpenVPN -> OpenVPN sample configuration files
and edit client.ovpn with Notepad:
give the paths to the client key, client cert and ca.crt on the client2 machine, and
edit the 'remote' directive to point to the hostname/IP address and port number of the OpenVPN server.

e.g.
remote 204.157.7.143 1194
ca "C:\\Program Files\\ca.crt"
cert "C:\\Program Files\\client2.crt"
key "C:\\Program Files\\client2.key"
ns-cert-type server

(The directive is cert, not crt. OpenVPN's config parser treats a backslash as an escape character and whitespace as a separator, so Windows paths need doubled backslashes and must be quoted when they contain spaces; the original showed single backslashes and no quotes, which fails to parse.)

Save the file.

4. Right-click client.ovpn -> Start OpenVPN on this config file

The output should read "Initialization Sequence Completed" towards the end,
which means the OpenVPN connection has been set up.
Once running in this fashion, several keyboard commands are available:
F1 — Conditional restart (doesn't close/reopen the TAP adapter)
F2 — Show connection statistics
F3 — Hard restart
F4 — Exit
When OpenVPN GUI is started from Start -> Programs -> OpenVPN -> OpenVPN GUI, an icon is displayed in the taskbar's status area.

For details about OpenVPN installation, configuration and advanced usage, refer to:
http://openvpn.net/howto.html
http://openvpn.se/install.txt
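Most first-connection failures in the two client walk-throughs above come from the config file rather than from the certificates. The following added example (written for this page, not OpenVPN's own tooling) lints a client config for the mistakes discussed: a missing remote/ca/cert/key directive, the crt-instead-of-cert typo, unquoted Windows paths containing spaces, and the absence of a server-certificate check (remote-cert-tls server, or ns-cert-type server on 2.0 to 2.4). Both configs inside it are constructed samples; the IP address is the one used in the walk-through.

```shell
#!/bin/sh
# Added example for this page (not OpenVPN's own tooling): lint a client
# config for the mistakes discussed in the walk-through above.

# lint_ovpn_client: reads a config on stdin, prints one finding per line,
# returns 1 if there were any and 0 for a clean file.
lint_ovpn_client() {
  awk '
    /^[ \t]*$/ { next }
    /^[ \t]*[#;]/ { next }
    {
      d = $1; seen[d] = 1
      if (d == "crt") {
        print "line " NR ": \"crt\" is not a directive; use \"cert\""; bad++
      }
      if (d == "ca" || d == "cert" || d == "key") {
        rest = $0
        sub(/^[ \t]*[a-z]+[ \t]+/, "", rest)
        sub(/[ \t]+$/, "", rest)
        # OpenVPN splits arguments on whitespace, so a path containing
        # spaces must be enclosed in double quotes
        if (rest ~ /[ \t]/ && rest !~ /^".*"$/) {
          print "line " NR ": path with spaces must be quoted: " rest; bad++
        }
      }
      if ((d == "remote-cert-tls" || d == "ns-cert-type") && $2 == "server")
        server_check = 1
    }
    END {
      n = split("remote ca cert key", need, " ")
      for (i = 1; i <= n; i++)
        if (!(need[i] in seen)) { print "missing directive: " need[i]; bad++ }
      if (!server_check) {
        print "no server certificate check (add: remote-cert-tls server)"; bad++
      }
      exit (bad > 0)
    }'
}

# Constructed sample reproducing the Windows config as it was first shown
# in the walk-through: unquoted paths, the "crt" typo, no server check.
bad_cfg() {
  cat <<'EOF'
client
dev tun
remote 204.157.7.143 1194
ca C:\Program Files\ca.crt
crt C:\Program Files\client2.crt
key C:\Program Files\client2.key
EOF
}

# The same config corrected.
good_cfg() {
  cat <<'EOF'
client
dev tun
remote 204.157.7.143 1194
ca "C:\\Program Files\\ca.crt"
cert "C:\\Program Files\\client2.crt"
key "C:\\Program Files\\client2.key"
remote-cert-tls server
EOF
}

bad_cfg | lint_ovpn_client
```

Run `lint_ovpn_client < client.ovpn` before handing a config to a user; a clean file prints nothing and exits 0, so it slots into a provisioning script as a gate.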