#31 (permalink)  
Old 01-10-2005, 12:14 AM
Registered User
 
Join Date: Nov 2003
Location: India
Posts: 153
amal
Why I disabled /dev/shm

The reason why I did that was that even if noexec can prevent scripts from being run using ./, it won't prevent scripts being run using perl, e.g.:
perl udp.pl
  #32 (permalink)  
Old 01-10-2005, 02:14 AM
Registered User
 
Join Date: Sep 2004
Posts: 529
dezignguy is an unknown quantity at this point
Quote:
/dev/shm is the filesystem that supports POSIX shared memory. It supports calls like shm_open() and shm_unlink(). This provides a consistent filesystem interface to shared memory, as opposed to the System V IPC which relies on the communicating processes to agree on a common protocol to generate the same key so they all access the same piece of shared memory (eg: ftok()). POSIX shared mem does away with all that mess. Now you create and use shared memory objects as if they are file system entities.
I don't know exactly what breaks if you disable it... I know that's not POSIX compliant though... so you may not be able to run some POSIX programs after you remove it. But that may only affect some custom/commercial programs.

I just locked it down in a similar manner as /tmp itself... but left it there.
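Added example (not part of any post in this thread): a shell check of the mount options on /tmp, /var/tmp and /dev/shm, reading a table in /proc/mounts format. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which hardening mount options are missing on the
# world-writable mount points discussed in the thread.
# Input is a mounts table in /proc/mounts format:
#   device mountpoint fstype options dump pass

# has_opt OPTIONS NAME -> exit 0 if NAME is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts FILE -> one line per target: "<mountpoint> <status>"
audit_mounts() {
    for target in /tmp /var/tmp /dev/shm; do
        # Last matching line wins: a later mount shadows an earlier one.
        opts=$(awk -v t="$target" '$2 == t { o = $4 } END { print o }' "$1")
        if [ -z "$opts" ]; then
            echo "$target not-a-separate-mount"
            continue
        fi
        missing=""
        for want in noexec nosuid nodev; do
            has_opt "$opts" "$want" || missing="$missing$want,"
        done
        if [ -z "$missing" ]; then
            echo "$target ok"
        else
            echo "$target missing:${missing%,}"
        fi
    done
}

# Constructed sample table (not taken from a real server).
sample_mounts() {
    cat <<'EOF'
/dev/sda3 / ext3 rw 0 0
/dev/sda5 /tmp ext3 rw,noexec,nosuid,nodev 0 0
none /dev/shm tmpfs rw,nosuid 0 0
EOF
}

# On a live system: audit_mounts /proc/mounts
```

noexec only stops a file on that mount from being executed directly; a script handed to an interpreter, as in perl udp.pl, is read as data, which is the limitation raised in the first post above.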
  #33 (permalink)  
Old 01-10-2005, 03:09 AM
Registered User
 
Join Date: Jun 2003
Posts: 177
RandyO is on a distinguished road
Quote:
Originally Posted by benito
Hi!

Just a question, BFD automatically restart on every server reboot?

BFD runs as a cron job, not a service.

NOTE: on the root logon notification, I might suggest that you use a remote mail address. Using a mail account located on the same server is probably not the best idea....
  #34 (permalink)  
Old 01-10-2005, 10:39 PM
Registered User
 
Join Date: Aug 2004
Posts: 278
Jortex is on a distinguished road
Just a couple of corrections so that people are aware:

Quote:
At command prompt type: cd apf-0.9.4-6
Current version is now apf-0.9.4-7

so you will need to use :

Code:
cd apf-0.9.4-7
:::::::::::::::::::::::

Quote:
At command prompt type: cd bfd-0.4
Current version is now bfd-0.5

so you will need to use :

Code:
cd bfd-0.5

And thank you for an excellent guide 000000000
  #35 (permalink)  
Old 01-13-2005, 11:17 AM
cPanel Partner NOC
 
Join Date: Mar 2003
Location: Washington DC
Posts: 639
eth00 is on a distinguished road
/dev/shm is part of how your system handles virtual memory. Though I am unsure of what can break using it, I do not think it is the best idea to totally disable it. Occasionally crackers will try to upload and execute a script from /dev/shm. In the past few months it seems most of them have moved to using perl to execute the exploits though.
__________________
John W
Security and general linux how-to's
w w w . t o t a l s e r v e r s o l u t i o n s . c o m
Tss -- Live Support! Tweaking, Securing, 24x7 Service Monitoring, Monthly Management, Migrations, Restores, Optimization, Consulting
English And Spanish Support!
We do it all @ TotalServerSolutions
  #36 (permalink)  
Old 01-15-2005, 02:11 AM
Registered User
 
Join Date: Mar 2004
Posts: 27
juba
did this :)

I did this (sending me an email when somebody logs in to the server), but I got this today:

ALERT - Root Shell Access on: Sat Jan 15 01:04:40 CST 2005

What does this mean? There is no IP address or any other info. I tried it yesterday and it worked well. Thanks for the help,
__________________
Julius
juba at solucionlogica.net
  #37 (permalink)  
Old 01-15-2005, 02:23 AM
Registered User
 
Join Date: Nov 2003
Location: India
Posts: 153
amal
Smile

Quote:
Originally Posted by eth00
/dev/shm is part of how your system handles virtual memory. Though I am unsure of what can break using it, I do not think it is the best idea to totally disable it. Occasionally crackers will try to upload and execute a script from /dev/shm. In the past few months it seems most of them have moved to using perl to execute the exploits though.

I have disabled it on about 200 servers and have never faced a problem with any of the users on any of those servers. And I have been doing it this way for about a year....
  #38 (permalink)  
Old 01-19-2005, 10:22 AM
Registered User
 
Join Date: Nov 2003
Location: Malaysia
Posts: 292
SuperBaby
Quote:
Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

You didn't explain what to observe for the above? I tested the above and almost all of them showed me a long list of files. Is that good or bad? Are you supposed to get something?
__________________
SuperBaby
  #39 (permalink)  
Old 01-19-2005, 05:24 PM
Registered User
 
Join Date: Jun 2003
Posts: 177
RandyO is on a distinguished road
Quote:
Originally Posted by juba
I did this (sending me an email when somebody logs in to the server), but I got this today:

ALERT - Root Shell Access on: Sat Jan 15 01:04:40 CST 2005

What does this mean? There is no IP address or any other info. I tried it yesterday and it worked well. Thanks for the help,

I get those without an IP when I use WinSCP and access via root. For any shell logons I always get an IP back. Not sure why SFTP does not. If you are not using SFTP or something like it, it could indicate a logon from the console itself. As it would be a local logon, it might not log 127.0.0.1.
  #40 (permalink)  
Old 01-19-2005, 05:34 PM
Registered User
 
Join Date: Mar 2004
Posts: 27
juba
Would that be any update going on? Because it happens every day but it keeps on moving like 3 to 4 hours later, let's say first time 12 am, next day 3 am, next day 7 am and so on. Thanks,
__________________
Julius
juba at solucionlogica.net
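Added example, not the guide's script and not code from any poster: one way to make the root login alert discussed in the posts above say where the shell came from, assuming the alert is produced by a line in root's shell startup file (that line is not shown on this page). SSH_CONNECTION is the variable OpenSSH sets for a session; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build a root-login alert that always states its origin, so
# an alert without an IP address can still be explained.

# login_source SSH_CONNECTION TERMINAL PARENT -> one-line description.
# SSH_CONNECTION has the form "client_ip client_port server_ip server_port".
# TERMINAL is a tty path, or "none" when the shell has no terminal.
login_source() {
    conn=$1 term=$2 parent=$3
    if [ -n "$conn" ]; then
        ip=${conn%% *}                      # first field: client address
        if [ "$term" = "none" ]; then
            echo "ssh from $ip, no terminal (file transfer or remote command), parent=$parent"
        else
            echo "ssh from $ip on $term, parent=$parent"
        fi
    elif [ "$term" = "none" ]; then
        echo "no ssh, no terminal (started by another process), parent=$parent"
    else
        echo "local login on $term, parent=$parent"
    fi
}

# current_login_source: collect the three values for the running shell.
current_login_source() {
    t=$(tty 2>/dev/null) || t=none          # tty fails when stdin is not a terminal
    p=$(ps -o comm= -p "$PPID" 2>/dev/null) || p=unknown
    login_source "${SSH_CONNECTION:-}" "${t:-none}" "${p:-unknown}"
}

# alert_line: same wording as the alert quoted in the thread, plus the source.
alert_line() {
    echo "ALERT - Root Shell Access on: $(date) - $(current_login_source)"
}
```

An alert whose source reads "no ssh, no terminal" points at something on the server itself starting a root login shell, and the parent name says what started it.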
  #41 (permalink)  
Old 01-19-2005, 07:32 PM
Registered User
 
Join Date: Jan 2004
Posts: 101
x-man
Question

Quote:
Originally Posted by 000000000


Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf


Scroll (way) down and change the following line to

ServerSignature Off


Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

But when I asked here about that, somebody told me that if I disable that, cPanel can work on update like when that is ON. Is that true?!

thanks
  #42 (permalink)  
Old 01-20-2005, 12:14 AM
cPanel Partner NOC
 
Join Date: Feb 2004
Location: Sydney / Australia
Posts: 731
gorilla is on a distinguished road
Quote:
Originally Posted by SuperBaby
You didn't explain what to observe for the above? I tested the above and almost all of them showed me a long list of files. Is that good or bad? Are you supposed to get something?

Have you disabled those in WHM / System Health / Background Process Killer yet?
__________________
Regards
WiredGorilla
Australian Dedicated Servers | Web Hosting | WiredGorilla.com
  #43 (permalink)  
Old 01-20-2005, 10:54 AM
Registered User
 
Join Date: Nov 2003
Location: Malaysia
Posts: 292
SuperBaby
Quote:
Have you disabled those in WHM / System Health / Background Process Killer yet ?
None of the checkboxes in the list is checked. There is no trusted user in the second box. Not even Root.

So is that correct? Am I supposed to get the file list when I use "locate"?
__________________
SuperBaby
  #44 (permalink)  
Old 01-20-2005, 10:58 AM
cPanel Partner NOC
 
Join Date: Feb 2004
Location: Sydney / Australia
Posts: 731
gorilla is on a distinguished road
Just check all of them, which will block those IRC bots!
__________________
Regards
WiredGorilla
Australian Dedicated Servers | Web Hosting | WiredGorilla.com

Last edited by gorilla; 02-18-2005 at 03:03 AM.
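Added example (not from the guide or from any poster): a filter for the long file lists that the locate commands quoted above return. locate matches a substring anywhere in a path, so most hits for a short name such as irc are unrelated files; the matching rule, labels and sample paths below are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage locate output for the names listed in the thread.
# locate matches a substring anywhere in the path, so "locate irc" also
# returns paths such as /usr/bin/dircolors. Heuristic (an assumption of this
# example): keep a path only when a whole path component is one of the names,
# or starts with one followed by a non-letter, then label where it lives.

NAMES='irc eggdrop bnc ptlink bitchx guardservices psybnc'

# triage_paths: paths on stdin -> "<user-writable|other> <path>" on stdout
triage_paths() {
    awk -v names="$NAMES" '
    BEGIN { n = split(names, want, " ") }
    {
        hit = 0
        m = split($0, part, "/")
        for (j = 1; j <= m && !hit; j++) {
            c = tolower(part[j])
            if (c == ".rhosts") hit = 1
            sub(/^\./, "", c)            # treat hidden ".psybnc" like "psybnc"
            for (i = 1; i <= n && !hit; i++)
                if (c == want[i] || c ~ ("^" want[i] "[^a-z]")) hit = 1
        }
        if (!hit) next
        where = ($0 ~ /^\/(tmp|var\/tmp|dev\/shm|home)\//) ? "user-writable" : "other"
        print where, $0
    }'
}

# Constructed sample of locate output (not from a real server).
sample_locate_output() {
    cat <<'EOF'
/usr/bin/dircolors
/usr/share/doc/circle/README
/home/user1/.psybnc/psybnc.conf
/dev/shm/.x/bnc
/root/.rhosts
EOF
}

# On a live system: locate irc | triage_paths
```

A long list from locate is therefore expected on its own; the lines that survive this filter, especially the user-writable ones, are the ones to inspect by hand.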
  #45 (permalink)  
Old 02-18-2005, 03:04 AM
cPanel Partner NOC
 
Join Date: Feb 2004
Location: Sydney / Australia
Posts: 731
gorilla is on a distinguished road
BTW this is a great basic tutorial for all the newcomers, maybe the mods could make it a sticky !!!?
__________________
Regards
WiredGorilla
Australian Dedicated Servers | Web Hosting | WiredGorilla.com
All times are GMT -5.