Intrusions can come from both authorized (insider) and unauthorized (outsider) users. My personal experience shows that an unhappy user can damage the system, especially when they have shell access. Some users are clever enough to remove their history file (such as ~/.bash_history), but you can still monitor all the commands users execute.
In order to check if your Drupal 7 website has been hacked, install the following modules:
drush dl site_audit
drush dl drupalgeddon
clear the drush cache and run:
drush cache-clear drush
drush asec
One such attack does two things: first, it creates NEW PHP files scattered throughout your directory structure. The files are all 494 bytes long and end in "php", so they are easy to find. Run the following command to see if you have any:
find . -size 494c -name "*.php"
To close port 3306 to outside networks, add this to /etc/my.cnf under the [mysqld] section:
then run 'service mysqld restart' and check with 'netstat -tln' whether the port still appears in the list of listening ports:
root@my:/var/named# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
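The check described above, as an added example that is not from the original post: a POSIX sh function that parses the text output of netstat -tln (constructed samples are embedded) and reports whether a given port is bound to anything other than loopback, so it also catches an IPv6 wildcard bind such as :::3306 that a quick glance at the list can miss.

```shell
#!/bin/sh
# Added example (not from the original post): parse the text output of
# `netstat -tln` and report whether TCP port $2 listens on any address
# other than loopback. The listing is passed in as a string so the
# function can run offline against the constructed samples below.

# Prints "exposed" if the port listens on a non-loopback address,
# "loopback" if it only listens on 127.0.0.1/::1, "closed" if not at all.
port_exposure() {
    listing=$1
    port=$2
    printf '%s\n' "$listing" | awk -v port="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            # the port follows the last colon of the local address;
            # this handles IPv6 wildcard binds such as :::3306 too
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1")
                loopback = 1
            else
                exposed = 1
        }
        END {
            if (exposed) print "exposed"
            else if (loopback) print "loopback"
            else print "closed"
        }'
}

# Constructed sample modelled on the listing in the post: imaps and sshd
# listen on all interfaces, mysqld is bound to loopback only.
SAMPLE_OK='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# Constructed sample where mysqld still listens on every interface.
SAMPLE_EXPOSED='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

# On a live host: port_exposure "$(netstat -tln)" 3306
```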
1. Install Rkhunter
yum install -y rkhunter file
2. Update Rkhunter
3. Run a test scan (helps prevent false positives):
4. Setup a daily scan report:
vi /etc/cron.daily/rkhunter
-----------------//--------------
#!/bin/bash
# Run the three rkhunter steps in a subshell so their combined output
# goes into one daily mail.
(
/usr/bin/rkhunter --versioncheck --nocolors
/usr/bin/rkhunter --update --nocolors
/usr/bin/rkhunter --checkall --nocolors --skip-keypress
) | /bin/mail -s 'rkhunter Daily Run' email@example.com
exit 0
-----------------//--------------
If you see the "iptables: Resource temporarily unavailable" error when restarting Advanced Policy Firewall (APF) on your Linux server, take the following steps:
1. Add more RAM to your box
2. Reload your iptables:
service iptables restart
Running 'apt-get remove --purge apf-firewall' often is not enough, especially if you have modified APF's files and paths. So to completely clean APF (Advanced Policy Firewall) off your Ubuntu system, you also need to run the following commands:
root@host:/etc/apt# rm -rf /var/lib/dpkg/info/apf*
root@host:/etc/apt# rm -rf /usr/src/apf*
root@host:/etc/apt# rm -rf /usr/share/man/man1/apf*
root@host:/etc/apt# rm -rf /usr/share/doc/apf*
root@host:/etc/apt# rm -rf /usr/local/sbin/apf
root@host:/etc/apt# rm -rf /usr/sbin/apf
root@host:/etc/apt# rm -rf /etc/rc0.d/K20apf*
Monit is a free open source utility for managing and monitoring processes, files, directories and filesystems on a UNIX system. It is pretty easy to configure and even easier to use. It comes with a simple web server for viewing the status of the alerts you set (with basic HTTP authentication). On the Monit Wiki you can find configuration examples for different services. Just in case you need a configuration example for Memcached instances, here is what you need.
Monit is a nice tool: it lets you monitor daemons like Apache and MySQL, and it not only sends you alerts when these services fail but also automagically restarts them. But I have always had problems getting Monit to properly detect whether MySQL is running or not. The default Monit config file /etc/monit/monitrc has this entry for MySQL:
check process mysql with pidfile /var/run/mysqld/mysqld.pid
  group database
  start program = "/etc/init.d/mysql start"
  stop program = "/etc/init.d/mysql stop"
  if failed host 127.0.0.1 port 3306 then restart
Munin is a networked resource monitoring tool that can help analyze resource trends and "what just happened to kill our performance?" problems. It is designed to be very plug and play; a default installation provides a lot of graphs with almost no work.
To start this tutorial you will need a web server; both Lighttpd and Apache will do the job. For this tutorial I will use Lighttpd, which is available from the Ubuntu repositories.
sudo aptitude install lighttpd
You will also need PHP installed on the system.
This guide will show you how to properly install the APF firewall, one of the better known Linux firewalls available, on different Linux distros such as RedHat/CentOS and Debian/Ubuntu. The configuration part doesn't differ from one distro to another, so reading the official README file or googling will suffice.