A Beginner's Guide to Securing Your Server

ctbhost

Well-Known Member
May 31, 2002
138
0
316
rs-freddo said:
/dev/shm should be empty.

I believe it is RAM memory; anyway, it should be empty. Somebody with more knowledge might be able to tell you more.
Yep, maybe that's the case. I rebooted the server and /dev/shm is now empty :D
 

rs-freddo

Well-Known Member
May 13, 2003
828
1
168
Australia
cPanel Access Level
Root Administrator
/dev/shm can be used like /tmp as a place to run an install from. You now have to check that they did not in fact install an eggdrop somewhere on the server. I would have checked the config file before deleting it....

Anyway, they can now load stuff to /dev/shm/ so you need to find the vulnerable script that's being used to do that...
 

ctbhost

Well-Known Member
May 31, 2002
138
0
316
rs-freddo said:
I would have checked the config file before deleting it....

Anyway, they can now load stuff to /dev/shm/ so you need to find the vulnerable script that's being used to do that...
I was going to look at the files but I couldn't access any files in /dev/shm/.

I had some suspicious files in /tmp/ and deleted them the other day, so I think that was what they installed, but I'm keeping an eye on things.


BTW this is a fantastic thread, lots of simple to understand information; it will be great for newbies. I know when I was a newbie I would see threads say things like "wget bla bla bla", then "install it", but no instructions on how to install it. That was frustrating :D
 

eth00

Well-Known Member
PartnerNOC
Mar 30, 2003
721
1
168
NC
cPanel Access Level
Root Administrator
If you look at my guide I go over how to secure the /tmp and shm partitions. You should go ahead and look at it to make /tmp noexec. To fix shm change the mount line in /etc/fstab.

Old:
none /dev/shm tmpfs defaults 0 0

New:
none /dev/shm tmpfs noexec,nosuid 0 0

Yes it is a memory error but there are people that are using it to exploit servers along with /tmp. It is not as common but definitely something that everybody should secure. After you modify the line just unmount /dev/shm and mount /dev/shm and you are secure =-)
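An added example that is not part of this thread: a small POSIX shell script that audits the mount options of /tmp, /var/tmp and /dev/shm from /proc/mounts-style input and prints the remount command, so the fstab change eth00 describes can be applied and verified without a reboot. The sample mount table is constructed, and `nodev` is added to the option list as my own recommendation (the post only mentions noexec and nosuid). Two caveats a practitioner would want: `noexec` only blocks direct execution of files on that mount, so `perl /dev/shm/udp.pl` still runs because it is the interpreter, not the file, that gets executed; and on current systems the device field for a tmpfs line is usually `tmpfs` rather than `none`, but it is the options that matter.

```sh
#!/bin/sh
# Added example, not from the thread: audit the mounts attackers like to drop
# files into (/tmp, /var/tmp, /dev/shm) for the noexec, nosuid and nodev
# options, and print the remount command that fixes a mount in place.
# Input is /proc/mounts format: "<device> <mountpoint> <fstype> <options> 0 0".

# Constructed sample in /proc/mounts format (not taken from a real server).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/usr/tmpDSK /var/tmp ext3 rw,noexec,nosuid,loop 0 0'

# has_opt OPTIONS OPT: succeed if the comma-separated OPTIONS list contains OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts: read /proc/mounts-style lines on stdin; for each mountpoint of
# interest print "<mountpoint> missing <option>" for every absent option.
# Returns 0 when nothing is missing, 1 otherwise.
audit_mounts() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /tmp|/var/tmp|/dev/shm) ;;
            *) continue ;;
        esac
        for want in noexec nosuid nodev; do
            if ! has_opt "$opts" "$want"; then
                echo "$mnt missing $want"
                rc=1
            fi
        done
    done
    return "$rc"
}

# remount_cmd MOUNTPOINT: the command that applies the options without a reboot
# (the /etc/fstab line still has to be changed for the setting to survive one).
remount_cmd() {
    echo "mount -o remount,noexec,nosuid,nodev $1"
}

# count_problems: number of findings in the constructed sample.
count_problems() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts | wc -l | tr -d ' '
}

if [ "${1:-}" = "--live" ]; then
    audit_mounts < /proc/mounts          # audit the running system (run as root)
else
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
fi
```

Run with `--live` to audit the running host; without arguments it audits the constructed sample and reports four findings (three for /dev/shm, one for /var/tmp).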
 

ctbhost

Well-Known Member
May 31, 2002
138
0
316
Thanks, I have been through your info and just received an email from rkhunter:

----------------------------------------------------------------------
[ BAD ]
[ Warning! ]
Watch out Root login possible. Possible risk!
* MD5 scan
MD5 compared : 80
Incorrect MD5 checksums : 1

* File scan
Scanned files: 310
Possible infected files: 0

* Rootkits
Possible rootkits:

Scanning took 52 seconds

*important*
Scan your system sometimes manually with full output enabled!
Some errors has been found while checking. Please perform a manual check on this machine *********
---------------------------------------------------------------------------------

I did a manual scan as it recommended and the problems it shows up are as follows:

Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
Hint: see logfile for more information

Checking /etc/xinetd.conf [ Warning! ]

/usr/sbin/kudzu [ BAD ]

What logfile would I check?
I was still logged in as root when I got this email, so is it just detecting my login, or another unauthorised login?
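Added example, not from the thread or from rkhunter itself: rkhunter's "Root login possible" check inspects `PermitRootLogin` in /etc/ssh/sshd_config, not the sessions open at scan time, so being logged in as root does not trigger it. The script below reads an sshd_config and reports the value sshd will actually use. Two parsing rules matter and are easy to get wrong by hand: keywords are case-insensitive, and when a keyword appears more than once the first occurrence wins, so a `PermitRootLogin no` appended to the end of a file that already says `yes` changes nothing. The sample configuration is constructed. On the other two findings: rkhunter writes its log to /var/log/rkhunter.log by default, and an MD5 mismatch on a packaged binary such as /usr/sbin/kudzu should be checked against the package database with `rpm -V kudzu` before assuming the worst; a mismatch that coincides with a package update is the common benign cause, an unexplained one is not.

```sh
#!/bin/sh
# Added example, not from the thread: report the PermitRootLogin value sshd will
# actually use. Rules applied: keywords are case-insensitive, an optional "="
# may separate keyword and value, "#" starts a comment, the FIRST occurrence of
# a keyword wins, and lines after a "Match" header only apply conditionally,
# so the scan stops there.

# Constructed sshd_config, not copied from any server. The last line is the one a
# hurried admin appends; sshd ignores it because the earlier "yes" wins.
SAMPLE_SSHD_CONFIG='# sshd_config sample
Port 22
Protocol 2
permitrootlogin yes
#PermitRootLogin no
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
PermitRootLogin no'

# effective_setting KEYWORD: read sshd_config text on stdin and print the first
# value set for KEYWORD before any Match block, or "<default>" if never set.
effective_setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/#.*/, "", line); gsub(/=/, " ", line)
          n = split(line, f) }                     # f[1]=keyword f[2]=value
        n == 0 { next }                            # blank or comment-only line
        tolower(f[1]) == "match" { exit }          # conditional section follows
        tolower(f[1]) == key { print f[2]; found = 1; exit }
        END { if (!found) print "<default>" }
    '
}

# root_login_risk: "risky" if root may log in with a password, "ok" if root
# login is off or key-only, "default" when the file relies on the compiled-in
# default (which was "yes" in the OpenSSH versions of this era).
root_login_risk() {
    case "$(effective_setting PermitRootLogin)" in
        no|without-password|prohibit-password|forced-commands-only) echo ok ;;
        yes) echo risky ;;
        *)   echo default ;;
    esac
}

printf '%s\n' "$SAMPLE_SSHD_CONFIG" | root_login_risk
# -> risky
```

On a live host: `root_login_risk < /etc/ssh/sshd_config`. If the answer is "risky", the safe order is to add an unprivileged user with `su`/`sudo` access first, set `PermitRootLogin no` at the top of the file, then `sshd -t` to syntax-check and restart sshd from a session you keep open until a second login succeeds.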
 

Ishware

Well-Known Member
Nov 7, 2003
211
6
168
Williamsburg, VA
cPanel Access Level
Root Administrator
Brilliant cache of info - as a complete server n00b, this is great stuff.

I have read maybe 2/3 of it at least elsewhere, so having all in one place is great.

BUT...

It would be really really cool if anytime that information appeared, a little warning could be added to the section on limiting SSH to odd port and odd IP addy:

"WARNING: If you have previously installed a firewall and locked down your ports, FIRST go open up the port you want to change SSH to BEFORE you modify the SSH files!"

As soon as I did it... I'm 99.999% sure that's what I did, because I had previously installed a firewall and locked down the ports.

ARGH...

But again, I stress, fantastic lot of info there. I'm going to be going through it again once I can...
 

HappymanUK

Well-Known Member
May 3, 2003
255
1
168
On running the Scan for Trojans, it came back with the following.

Are these all genuine, or may any of them be trojans?

Trojan Scanner
Main >> Security >> Scan for Trojan Horses
Appears Clean

/dev/stderr

Possible Trojan - /usr/bin/annotate
Possible Trojan - /usr/bin/gdlib-config
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libgd.so.2.0.0
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /sbin/depmod
Possible Trojan - /sbin/generate-modprobe.conf
Possible Trojan - /sbin/insmod
Possible Trojan - /sbin/insmod.static
Possible Trojan - /sbin/modinfo
Possible Trojan - /sbin/modprobe
Possible Trojan - /sbin/rmmod
Possible Trojan - /usr/bin/pear
Possible Trojan - /usr/bin/xsltproc
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
Possible Trojan - /usr/bin/Magick-config
Possible Trojan - /usr/lib/libMagick.la

21 POSSIBLE Trojans Detected

Thanks
Daniel
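Added example, not from the thread or from cPanel's scanner: every path in that list sits in a package-managed location (/usr/bin, /sbin, /usr/lib), so the decisive check is the package database rather than the name-based heuristic the trojan scanner uses. `rpm -qf PATH` names the owning package (a file in /sbin that no package owns is itself a finding) and `rpm -V PACKAGE` re-verifies the installed files against what was shipped. The script below parses `rpm -V` output and separates a changed digest on a binary, which needs attention, from metadata-only differences such as a new mtime, which usually do not. The sample `rpm -V` output is constructed; the paths in it are borrowed from the list above purely as labels and say nothing about those files on any real server.

```sh
#!/bin/sh
# Added example, not from the thread: triage "possible trojan" hits with the RPM
# database. Each `rpm -V` line is an attribute string ("SM5DLUGT", "." where an
# attribute still matches), an optional file-type letter such as "c" (config),
# then the path; "missing" means the package expects a file that is gone.
# Column 3 ("5") is the digest: a changed digest on a non-config file is the
# finding worth acting on.

# Constructed rpm -V output for this example (not from a real host).
SAMPLE_VERIFY='S.5....T    /usr/bin/curl
.......T    /sbin/modprobe
S.5....T  c /etc/ld.so.conf
..5.....    /usr/lib/libgd.so.2.0.0
missing     /usr/bin/xmllint'

# classify_verify: read rpm -V output on stdin and print one line per file:
#   CHANGED <path>  digest differs on a non-config file
#   CONFIG  <path>  digest differs but the file is a config file
#   MISSING <path>  package expects the file but it is gone
#   OK      <path>  only metadata such as mtime differs
classify_verify() {
    while read -r attrs f2 f3; do
        [ -n "$attrs" ] || continue
        if [ -n "$f3" ]; then ftype=$f2; path=$f3; else ftype=""; path=$f2; fi
        if [ "$attrs" = "missing" ]; then
            echo "MISSING $path"
        else
            case "$attrs" in
                ??5*) if [ "$ftype" = "c" ]; then echo "CONFIG $path"
                      else echo "CHANGED $path"; fi ;;
                *)    echo "OK $path" ;;
            esac
        fi
    done
}

# changed_paths: only the paths that need a closer look (CHANGED or MISSING).
changed_paths() {
    classify_verify | awk '$1 == "CHANGED" || $1 == "MISSING" { print $2 }'
}

# verify_paths PATH...: on a live RPM system, map each path to its package and
# verify that package; files no package owns are reported, not verified.
verify_paths() {
    for p in "$@"; do
        if pkg=$(rpm -qf "$p" 2>/dev/null); then
            rpm -V "$pkg" | classify_verify
        else
            echo "UNOWNED $p"
        fi
    done
}

printf '%s\n' "$SAMPLE_VERIFY" | changed_paths
```

On a live host, `verify_paths /usr/bin/curl /sbin/modprobe /usr/bin/pear` (or the whole list) does the lookup and verification in one go. A CHANGED result on a package you have not updated, or an UNOWNED file in /sbin or /usr/bin, is what warrants treating the box as compromised; verifying with the local rpm binary is still trusting that binary, so for a box you already suspect, compare against a known-good copy or a rescue medium.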
 

amal

Well-Known Member
Nov 22, 2003
155
0
166
India
cPanel Access Level
Root Administrator
What is the use of /dev/shm?

I have disabled /dev/shm on all my servers, and I have been doing it for months. I have never experienced any problems without it.

I removed the lines that mounted /dev/shm, and unmounted the currently mounted /dev/shm...
 

amal

Well-Known Member
Nov 22, 2003
155
0
166
India
cPanel Access Level
Root Administrator
Why I disabled /dev/shm

The reason why I did that was that even if noexec can prevent scripts from running using ./, it won't prevent scripts being run using perl, for example:
perl udp.pl
 

dezignguy

Well-Known Member
Sep 26, 2004
533
0
166
/dev/shm is the filesystem that supports POSIX shared memory. It supports calls like shm_open() and shm_unlink(). This provides a consistent filesystem interface to shared memory, as opposed to the System V IPC which relies on the communicating processes to agree on a common protocol to generate the same key so they all access the same piece of shared memory (eg: ftok()). POSIX shared mem does away with all that mess. Now you create and use shared memory objects as if they are file system entities.
I don't know exactly what breaks if you disable it... I know that's not POSIX compliant though... so you may not be able to run some POSIX programs after you remove it. But that may only affect some custom/commercial programs.

I just locked it down in a similar manner as /tmp itself... but left it there.
 

RandyO

Well-Known Member
Jun 17, 2003
173
0
166
benito said:
Hi!

Just a question, BFD automatically restart on every server reboot ?
BFD runs as a cron job, not a service.

NOTE: on the root logon notification, I might suggest that you use a remote mail address. Using a mail account located on the same server is probably not the best idea....
 

HH-Steven

Well-Known Member
Aug 29, 2004
282
0
166
cPanel Access Level
Root Administrator
Just a couple of corrections so that people are aware:

At command prompt type: cd apf-0.9.4-6
Current version is now apf-0.9.4-7

so you will need to use:

Code:
cd apf-0.9.4-7
:::::::::::::::::::::::

At command prompt type: cd bfd-0.4
Current version is now bfd-0.5

so you will need to use:

Code:
cd bfd-0.5

And thank you for an excellent guide.
 

eth00

Well-Known Member
PartnerNOC
Mar 30, 2003
721
1
168
NC
cPanel Access Level
Root Administrator
/dev/shm is part of how your system handles virtual memory. Though I am unsure of what can break using it, I do not think it is the best idea to totally disable it. Occasionally crackers will try to upload and execute a script from /dev/shm. In the past few months it seems most of them have moved to using perl to execute the exploits though.
 

juba

Active Member
Mar 4, 2004
30
0
156
did this :)

I set this up (sending me an email when somebody logs in to the server) but I got this today:

ALERT - Root Shell Access on: Sat Jan 15 01:04:40 CST 2005

What does this mean? There is no IP address or any other info. I tried it yesterday and it worked well. Thanks for the help.
 

amal

Well-Known Member
Nov 22, 2003
155
0
166
India
cPanel Access Level
Root Administrator
eth00 said:
/dev/shm is part of how your system handles virtual memory. Though I am unsure of what can break using it, I do not think it is the best idea to totally disable it. Occasionally crackers will try to upload and execute a script from /dev/shm. In the past few months it seems most of them have moved to using perl to execute the exploits though.
I have disabled it on about 200 servers and have never faced a problem with any of the users on any of those servers. And I have been doing it this way for about a year....
:)
 

SuperBaby

Well-Known Member
Nov 27, 2003
343
0
166
Thailand
cPanel Access Level
Website Owner
Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts
You didn't explain what to observe for the above. I tested the above and almost all of them showed me a long list of files. Is that good or bad? Are you supposed to get something?
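Added example, not from the thread: `locate irc` matches the pattern anywhere in the full path, so every file under /usr/share/doc/irssi-* or under a directory named "circus" comes back along with anything genuinely suspicious, which is why the lists are long. The locate database is also only as fresh as the last updatedb run, so a bouncer dropped an hour ago may not be in it at all; for freshly written files use `find / -mmin -120` style searches instead. The filter below keeps hits whose file name (not directory) matches an indicator word, drops documentation and package-database directories, and then narrows to locations where legitimate software does not live. The locate output is constructed; the noise-directory list and indicator words are assumptions to tune for your own servers.

```sh
#!/bin/sh
# Added example, not from the thread: make the "locate irc / eggdrop / bnc ..."
# checks useful by matching indicator words against the file NAME only and
# dropping directories that legitimately contain such names.

# Constructed locate output (not from a real server) mixing noise and real finds.
SAMPLE_LOCATE='/usr/share/doc/irssi-0.8.9/README
/usr/share/man/man1/circo.1.gz
/home/circus/.bash_history
/tmp/.psy/psybnc
/dev/shm/.x/eggdrop
/home/user/public_html/bnc.tar.gz
/var/lib/rpm/Packages
/root/.rhosts
/etc/bnc-users.conf'

# Indicator words as one extended regex, matched against the lowercased basename.
INDICATORS='irc|eggdrop|bnc|ptlink|bitchx|guardservices|psybnc|[.]rhosts'

# Directory prefixes expected to contain such names legitimately (assumed list).
NOISE_DIRS='^/usr/share/(doc|man|locale|info)/|^/var/lib/rpm/'

# triage_locate: read locate output on stdin, print only the suspect paths.
triage_locate() {
    grep -Ev "$NOISE_DIRS" |
    awk -v re="$INDICATORS" '
        {
            n = split($0, parts, "/")
            base = tolower(parts[n])          # file name without its directory
            if (base ~ re) print $0
        }'
}

# hot_paths: suspects sitting where legitimate software does not live.
hot_paths() {
    triage_locate | grep -E '^/(tmp|var/tmp|dev/shm|home|root)/'
}

printf '%s\n' "$SAMPLE_LOCATE" | hot_paths
```

On a live host: `locate -i irc eggdrop bnc ptlink bitchx guardservices psybnc .rhosts | triage_locate` gives the short list worth reading, and `| hot_paths` the handful to look at first. A hit under /tmp, /dev/shm or a customer's public_html is what "bad" looks like; a hit under /usr/share/doc is what "fine" looks like. The one thing a name filter cannot catch is a bouncer renamed to something innocuous, so pair this with the mount hardening and process checks elsewhere in the guide.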
 

RandyO

Well-Known Member
Jun 17, 2003
173
0
166
juba said:
I set this up (sending me an email when somebody logs in to the server) but I got this today:

ALERT - Root Shell Access on: Sat Jan 15 01:04:40 CST 2005

What does this mean? There is no IP address or any other info. I tried it yesterday and it worked well. Thanks for the help.
I get those without an IP when I use WinSCP and access via root. For any shell logons I always get an IP back. Not sure why SFTP does not. If you are not using SFTP or something like it, it could indicate a logon from the console itself. As it would be a local logon, it might not log 127.0.0.1.
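Added example, not from the thread and not the guide's original snippet: the usual /root/.bashrc alert takes the address from `who`, which only lists sessions that have a tty, so sftp, scp and `ssh host command` sessions produce an alert with no address, which is exactly the symptom above. sshd sets SSH_CONNECTION (client IP, client port, server IP, server port) and SSH_CLIENT in the environment of every session, tty or not, so the script below reads those first and falls back to `who -m`; an alert with neither is a local console or cron shell. The timestamp, addresses and `who` line used in the demonstration are constructed, and ALERT_MAILTO is a placeholder. RandyO's earlier point stands: send it to a mailbox on another machine.

```sh
#!/bin/sh
# Added example, not from the thread: a root-login alert that reports the source
# address even for tty-less sessions (sftp, scp, "ssh host cmd"), using the
# SSH_CONNECTION / SSH_CLIENT variables sshd exports for every session and
# falling back to `who -m` only when they are absent.

ALERT_MAILTO='alerts@example.invalid'   # placeholder; use a mailbox on ANOTHER machine

# login_source SSH_CONNECTION SSH_CLIENT WHO_LINE: describe where the shell came
# from. Values are passed as arguments so the logic can be exercised offline.
login_source() {
    conn=$1; client=$2; wholine=$3
    if [ -n "$conn" ]; then
        set -- $conn                       # "client_ip client_port server_ip server_port"
        echo "$1:$2 via ssh"
    elif [ -n "$client" ]; then
        set -- $client                     # "client_ip client_port server_port"
        echo "$1:$2 via ssh"
    elif [ -n "$wholine" ]; then
        # who -m prints e.g.: root  pts/0  Jan 15 01:04 (203.0.113.5)
        src=$(printf '%s\n' "$wholine" | sed -n 's/.*(\(.*\)).*/\1/p')
        if [ -n "$src" ]; then echo "$src via tty (who)"
        else echo "local console (tty, no address)"; fi
    else
        echo "local/cron (no network info)"
    fi
}

# alert_body TIMESTAMP SSH_CONNECTION SSH_CLIENT WHO_LINE: the mail body.
alert_body() {
    printf 'ALERT - Root Shell Access on: %s\nSource: %s\n' \
        "$1" "$(login_source "$2" "$3" "$4")"
}

# send_alert: what goes in /root/.bashrc (or a profile.d snippet) on a live host.
send_alert() {
    src=$(login_source "${SSH_CONNECTION:-}" "${SSH_CLIENT:-}" "$(who -m 2>/dev/null)")
    alert_body "$(date)" "${SSH_CONNECTION:-}" "${SSH_CLIENT:-}" "$(who -m 2>/dev/null)" |
        mail -s "Alert: root access from $src" "$ALERT_MAILTO"
}

# Demonstration with constructed values (nothing is mailed here).
alert_body 'Sat Jan 15 01:04:40 CST 2005' '203.0.113.5 51234 198.51.100.7 22' '' ''
```

Put `send_alert` (with the functions above) in /root/.bashrc and every root shell, with or without a tty, mails a Source line. An alert whose source is "local/cron (no network info)" that recurs at a drifting hour is the case to correlate against /var/log/cron and /var/log/secure for that minute, rather than guess at.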
 

juba

Active Member
Mar 4, 2004
30
0
156
Would that be an update going on? Because it happens every day, but it keeps moving 3 to 4 hours later; let's say the first time 12am, the next day 3am, the next day 7am, and so on. Thanks.