How to keep a detailed audit trail of what’s being done on your Linux systems

Intrusions can come from both authorized (insider) and unauthorized (outsider) users. My personal experience shows that an unhappy user can damage the system, especially when they have shell access. Some users are a little smart and remove the history file (such as ~/.bash_history), but you can monitor all user-executed commands.

Recovering a hacked Drupal system

In order to check if your Drupal 7 website has been hacked, install the following modules:

drush dl site_audit
drush dl drupalgeddon

Clear the drush cache and run:

drush cache-clear drush
drush asec

Some attacks do two things: firstly, they create NEW PHP files scattered throughout your directory structure. The files are all 494 bytes long and end in "php", so they are easy to find. Run the following command to see if you have any:

find . -size 494c -name "*.php"

...and then run this command to delete them:


How to properly close MySQL port 3306 from outer networks

To close port #3306 to outside networks, add this to /etc/my.cnf under the [mysqld] section:


Then run 'service mysqld restart' and then 'netstat -tln' to see if the port comes up in the list of open ports:

netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0       *                   LISTEN      

Setting up Root Kit Hunter on CentOS 6.x

1. Install Rkhunter

yum install -y rkhunter file

2. Update Rkhunter

rkhunter --update

3. Run a Test Scan (helps to prevent false positives):

rkhunter -c

4. Set up a daily scan report:

vi /etc/cron.daily/rkhunter

#!/bin/sh
# Run the version check, signature update and full scan, then mail the combined output
(
/usr/bin/rkhunter --versioncheck --nocolors
/usr/bin/rkhunter --update --nocolors
/usr/bin/rkhunter --checkall --nocolors --skip-keypress
) | /bin/mail -s 'rkhunter Daily Run ' your@email.tld
exit 0

How to solve "iptables: Resource temporarily unavailable" error

If you see the "iptables: Resource temporarily unavailable" error when restarting Advanced Policy Firewall (APF) on your Linux server, take the following steps:

1. Add some more RAM to your box
2. Reload your iptables:

/etc/init.d/iptables reload

3. Make sure your iptables get restarted without any errors:

service iptables restart

4. And finally restart your firewall:

apf -r

How to completely remove APF from Ubuntu

Running 'apt-get remove --purge apf-firewall' is often not enough, especially if you tried to modify APF's files and paths. So to completely clean up your Ubuntu system from APF (Advanced Policy Firewall) you also need to run the following commands:

root@host:/etc/apt# rm -rf /var/lib/dpkg/info/apf*
root@host:/etc/apt# rm -rf /usr/src/apf*
root@host:/etc/apt# rm -rf /usr/share/man/man1/apf*
root@host:/etc/apt# rm -rf /usr/share/doc/apf*
root@host:/etc/apt# rm -rf /usr/local/sbin/apf
root@host:/etc/apt# rm -rf /usr/sbin/apf
root@host:/etc/apt# rm -rf /etc/rc0.d/K20apf*

Monit configuration to monitor Memcached instances

Monit is a free open source utility for managing and monitoring processes, files, directories and filesystems on a UNIX system. It is pretty easy to configure and even easier to use. It comes with a simple web server to monitor statuses of the alerts you set (with basic HTTP authentication). On the Monit Wiki you can find configuration examples for different services. Just in case you need a configuration example for Memcached instances, here is what you need.

Monit mysql monitoring problem with missing

Monit is a nice tool: it lets you monitor daemons like apache and mysql, and it not only sends you alerts when these services fail but also automagically restarts those services. But I have always faced a problem with having monit properly detect whether mysql is running or not. The default monit config file /etc/monit/monitrc has this entry for mysql:

check process mysql with pidfile /var/run/mysqld/
group database
start program = "/etc/init.d/mysql start"
stop program = "/etc/init.d/mysql stop"
if failed host port 3306 then restart

Install Munin On Ubuntu 10.04

Munin is a networked resource monitoring tool that can help analyze resource trends and “what just happened to kill our performance?” problems. It is designed to be very plug and play. A default installation provides a lot of graphs with almost no work.


To start this tutorial you will need a web server; either Lighttpd or Apache will do the job. For this tutorial I will use Lighttpd, which is available from the Ubuntu repositories.

sudo aptitude install lighttpd

You will also need PHP installed on the system.

How to properly install APF (Advanced Policy Firewall) on CentOS or Ubuntu

This guide will show you how to properly install the APF firewall, one of the better known Linux firewalls available, on different Linux distros like Red Hat/CentOS and Debian/Ubuntu. The configuration part doesn't differ from one distro to another, so reading the official README file or googling will suffice.
