Submitted by Mathew Branwell on Thu, 02/08/2024 - 22:50
The first step is to browse to this page here: https://www.ip2location.com/free/visitor-blocker, and scroll down until you see a pull-down menu where you can search for countries. From this list you will select the countries you want to block, and then change the output format to CIDR and download the archive file.
Unzip the .gz file you downloaded. You will then see a text file for each country you’ve chosen. We are going to use a simple command to add the contents of the text files to our firewall rule list.
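One way to load those files safely, shown as an added example and not the post's own command: the sketch below assumes ipset is the backend, that each unzipped file holds one IPv4 CIDR per line (blank lines and '#' comments allowed), and uses the hypothetical set name "geoblock". It validates every line before it can become a rule.

```shell
#!/bin/sh
# Added example, not the post's command. Assumes the unzipped files hold one
# IPv4 CIDR per line, with optional blank lines and '#' comments.

# build_ipset_restore SET [FILE...]
# Print an `ipset restore` script for SET on stdout; reads stdin if no FILE
# is given. Rejected lines are reported on stderr and never become rules.
build_ipset_restore() {
    set_name=$1
    shift
    printf 'create %s hash:net family inet\n' "$set_name"
    cat -- "$@" | tr -d '\r' | sed -e 's/#.*//' -e 's/[[:space:]]//g' |
    LC_ALL=C sort -u |
    awk -v set="$set_name" '
        $0 == "" { next }
        {
            ok = ($0 ~ "^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+/[0-9]+$")
            if (ok) {
                split($0, p, "[./]")
                for (i = 1; i <= 4; i++)
                    if (length(p[i]) > 3 || p[i] + 0 > 255) ok = 0
                # hash:net takes prefix lengths 1-32; /0 would match everything
                if (length(p[5]) > 2 || p[5] + 0 < 1 || p[5] + 0 > 32) ok = 0
            }
            if (ok) print "add " set " " $0
            else    print "skipped: " $0 > "/dev/stderr"
        }'
}

# Usage as root ("geoblock" is a hypothetical set name):
#   build_ipset_restore geoblock *.txt | ipset -exist restore
#   iptables -I INPUT -m set --match-set geoblock src -j DROP
```

Review the "skipped:" lines on stderr before loading; a download that produces many of them is probably not in CIDR format.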
Submitted by Mathew Branwell on Tue, 06/02/2015 - 00:13
Intrusions can come from both authorized (insiders) and unauthorized (outsiders) users. My personal experience shows that an unhappy user can damage the system, especially when they have shell access. Some users are smart enough to remove their history file (such as ~/.bash_history), but you can still monitor all user-executed commands. It is recommended that you log user activity using process accounting. Process accounting allows you to view every command executed by a user, including CPU and memory time.
Submitted by Mathew Branwell on Thu, 11/13/2014 - 01:25
In order to check if your Drupal 7 website has been hacked, install the following modules:
drush dl site_audit
drush dl drupalgeddon
Clear the drush cache and run:
drush cache-clear drush
drush asec
One attack does two things: first, it creates new PHP files scattered throughout your directory structure. The files are all 494 bytes long and end in "php", so they are easy to find. Run the following command to see if you have any:
find . -size 494c -name "*.php"
...and then run this command to delete them:
Submitted by Mathew Branwell on Thu, 02/14/2013 - 19:35
To close port #3306 to outside networks, add this to /etc/my.cnf under the [mysqld] section:
skip-networking
Then run 'service mysqld restart' and then 'netstat -tln' to see if the port comes up in the list of open ports:
root@my:/var/named# netstat -tln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN
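The same check can be scripted rather than read by eye. This is an added example, not part of the original post; the function name port_listeners is hypothetical. It reads `netstat -tln` output and fails if anything is still listening on the given port, matching the port exactly so that 33060 is not mistaken for 3306.

```shell
#!/bin/sh
# Added example, not from the original post.
# port_listeners PORT
# Read `netstat -tln` output on stdin and print every local address that is
# still listening on PORT. Exit status: 0 if none, 1 if at least one.
port_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Local address is field 4; the port follows the last colon,
            # which also covers IPv6 forms such as :::3306.
            n = split($4, parts, ":")
            if (parts[n] == port) { print $4; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Usage after restarting mysqld with skip-networking:
#   netstat -tln | port_listeners 3306 && echo "3306 is closed"
```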
Submitted by Mathew Branwell on Sun, 01/06/2013 - 18:36
1. Install Rkhunter
yum install -y rkhunter file
2. Update Rkhunter
rkhunter --update
3. Run a test scan (helps to prevent false positives):
rkhunter -c
4. Setup a daily scan report:
vi /etc/cron.daily/rkhunter
-----------------//--------------
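#!/bin/bash
# Daily rkhunter run: check for a newer release, refresh the data files,
# run all checks without prompting, and mail the combined output.
# admin@example.com is a placeholder: use your own address.
(
/usr/bin/rkhunter --versioncheck --nocolors
/usr/bin/rkhunter --update --nocolors
/usr/bin/rkhunter --checkall --nocolors --skip-keypress
) | /bin/mail -s 'rkhunter Daily Run ' admin@example.com
exit 0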
-----------------//--------------
Submitted by Mathew Branwell on Thu, 01/03/2013 - 07:35
If you see "iptables: Resource temporarily unavailable" error when restarting Advanced Policy Firewall (APF) on your Linux server, then take the following steps:
1. Add more RAM to your box
2. Reload your iptables:
/etc/init.d/iptables reload
3. Make sure iptables restarts without any errors:
service iptables restart
4. And finally restart your firewall:
apf -r
Submitted by Mathew Branwell on Wed, 04/18/2012 - 16:44
Running 'apt-get remove --purge apf-firewall' is often not enough, especially if you tried to modify APF's files and paths. So to completely clean up your Ubuntu system from APF (Advanced Policy Firewall) you also need to run the following commands:
root@host:/etc/apt# rm -rf /var/lib/dpkg/info/apf*
root@host:/etc/apt# rm -rf /usr/src/apf*
root@host:/etc/apt# rm -rf /usr/share/man/man1/apf*
root@host:/etc/apt# rm -rf /usr/share/doc/apf*
root@host:/etc/apt# rm -rf /usr/local/sbin/apf
root@host:/etc/apt# rm -rf /usr/sbin/apf
root@host:/etc/apt# rm -rf /etc/rc0.d/K20apf*
Submitted by Mathew Branwell on Wed, 04/04/2012 - 18:28
Monit is a free open source utility for managing and monitoring processes, files, directories and filesystems on a UNIX system. It is pretty easy to configure and even easier to use. It comes with a simple web server to monitor statuses of the alerts you set (with basic HTTP authentication). On the Monit Wiki you can find configuration examples for different services. Just in case you need a configuration example for Memcached instances, here is what you need.
Submitted by Mathew Branwell on Mon, 04/02/2012 - 01:38
Monit is a nice tool: it lets you monitor daemons like apache and mysql, and not only sends you alerts when these services fail but also automagically restarts those services. But I have always faced problems with having monit properly detect whether mysql is running or not. The default monit config file /etc/monit/monitrc has this entry for mysql:
check process mysql with pidfile /var/run/mysqld/mysqld.pid
  group database
  start program = "/etc/init.d/mysql start"
  stop program = "/etc/init.d/mysql stop"
  if failed host 127.0.0.1 port 3306 then restart
Submitted by Mathew Branwell on Mon, 04/02/2012 - 00:15
Munin is a networked resource monitoring tool that can help analyze resource trends and “what just happened to kill our performance?” problems. It is designed to be very plug and play. A default installation provides a lot of graphs with almost no work.
Install
To start this tutorial you will need a web server; either Lighttpd or Apache will do the job. For this tutorial I will use Lighttpd, which is available from the Ubuntu repositories.
sudo aptitude install lighttpd
You will also need PHP installed on the system.