Archive for August, 2008

Nick

Quick Intrusion Detection

Note: This is not a full security audit, nor a way to track down and clean spammers or intruders on your server. If you really need to clean your server of exploits and hackers, please contact the ServerBuddies team.

Investigating Processes

type:

  1. # ps aux

Get familiar with the “normal” processes for the machine, then look for unusual ones. Focus on processes running with root (UID 0) and nobody privileges.
If you find a process that is uncommon, investigate it further by typing the following:

  1. # lsof -p [pid]

Where [pid] is the process identifier of the process you want to track.
lsof will list every file and network port the running process has open.

Investigating Hidden Files

  1. # find / -name "..." -print
  2. # find / -name ".. " -print
  3. # find / -name ". " -print
  4. # find / -name " " -print

Note the trailing spaces in the 2nd, 3rd and 4th commands.
These commands search the whole filesystem for files with names chosen to be overlooked.
Write down what you find and check whether each file is normal. Ex: “.bash_profile”, “.bash_history” and “.bashrc” are legitimate files.

Investigating New Accounts

Look in /etc/passwd for new accounts, especially with UID 0 or GID 0:

  1. # less /etc/passwd
  2. # grep :0: /etc/passwd

Normal accounts will be there, but look for new, unexpected accounts.
Look at the bottom of the passwd file; new accounts are appended at the end of this file.

  1. # tail -n5 /etc/passwd

Investigating system-wide cron jobs

  1. # cat /etc/crontab
  2. # ls /etc/cron.*

Check whether any suspicious cron job is scheduled on your system.

Investigating System Logs

  1. # cd /var/log
  2. # less /var/log/secure
  3. # less /var/log/messages

Look for successful authentications (SSH and FTP); investigate the source IP addresses and check whether they are legitimate.
Look for newly uploaded files; open them in your browser and check whether they are legitimate.
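The checks above (UID 0 accounts, oddly named files, successful logins, and root/nobody processes running from staging directories) as small shell functions, added here as an example that is not part of the original post. Everything it runs against is constructed sample data in a temporary directory: the passwd lines, the file tree, the `ps aux` output and the /var/log/secure lines are made up, and the addresses come from documentation ranges. On a live server point the functions at /etc/passwd, /, `ps aux` output and /var/log/secure instead.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data below is
# constructed; replace the paths with the real ones on a live server.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample data -------------------------------------------------

# passwd with the legitimate root plus a second UID 0 account appended later.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/tmp:/bin/bash
EOF

# A small tree with ordinary dotfiles and the four odd names from the checks.
mkdir -p "$WORK/fs/home/alice" "$WORK/fs/tmp/..."
touch "$WORK/fs/home/alice/.bashrc" "$WORK/fs/home/alice/.bash_history"
touch "$WORK/fs/tmp/.. " "$WORK/fs/tmp/. " "$WORK/fs/tmp/ "

# Lines in the format of /var/log/secure (constructed, documentation addresses).
cat > "$WORK/secure" <<'EOF'
Aug 12 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Aug 12 03:14:07 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Aug 12 03:20:44 web1 sshd[2310]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Aug 12 04:02:13 web1 sshd[2455]: Accepted publickey for toor from 203.0.113.5 port 51310 ssh2
EOF

# Output in the shape of `ps aux` (constructed).
cat > "$WORK/ps" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2160   640 ?        Ss   Aug11   0:01 init [3]
root      1503  0.0  0.2   4820  1104 ?        Ss   Aug11   0:00 /usr/sbin/sshd
nobody    1771  0.0  0.5  10240  2764 ?        S    Aug11   0:03 /usr/sbin/httpd
nobody    2601  0.0  0.3   3980  1512 ?        S    04:05   0:00 /tmp/.x/httpd
alice     2610  0.0  0.2   4100  1288 pts/0    S    04:07   0:00 -bash
EOF

# --- checks ------------------------------------------------------------------

# Accounts with UID 0 or GID 0 (anything besides root wants an explanation).
# Field-based, so it does not trip on ":0:" appearing elsewhere in a line.
uid0_accounts() {
    awk -F: '$3 == 0 || $4 == 0 { print $1 }' "$1"
}

# Files or directories carrying the names from the find commands above.
# The names are matched exactly, trailing spaces included.
odd_names() {
    find "$1" \( -name "..." -o -name ".. " -o -name ". " -o -name " " \) -print | sort
}

# "user from address" for every successful SSH authentication.
accepted_logins() {
    awk '/sshd\[[0-9]*\]: Accepted/ { print $9, "from", $11 }' "$1"
}

# Addresses that failed first and then got in: the ones to chase first.
failed_then_accepted() {
    awk '/Failed password/ { failed[$(NF-3)] = 1 }
         /Accepted/ && ($(NF-3) in failed) { print $(NF-3) }' "$1" | sort -u
}

# root/nobody processes whose executable lives in a world-writable directory:
# a cheap first filter for "unusual" in the process list.
staged_processes() {
    awk '($1 == "root" || $1 == "nobody") && $11 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $2, $1, $11 }' "$1"
}

echo "UID/GID 0 accounts:";   uid0_accounts "$WORK/passwd"
echo "odd file names:";       odd_names "$WORK/fs"
echo "accepted logins:";      accepted_logins "$WORK/secure"
echo "failed then accepted:"; failed_then_accepted "$WORK/secure"
echo "staged processes:";     staged_processes "$WORK/ps"
```

The awk filters are field-based rather than plain greps so that a stray ":0:" inside a GECOS field or an address mentioned in a message body does not produce a false hit; on the sample data they report toor, the four odd names, both accepted logins, 203.0.113.5 and the httpd running from /tmp.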

Installing Rkhunter and performing a scan

  1. # cd /usr/local/src/
  2. # wget http://www.serverbuddies.com/files/rkhunter-1.3.2.tar.gz
  3. # tar -zxf rkhunter-1.3.2.tar.gz
  4. # cd rkhunter-1.3.2
  5. # ./installer.sh --layout default --install
  6. # /usr/local/bin/rkhunter --update
  7. # /usr/local/bin/rkhunter -c --createlogfile

The Rkhunter log is written to /var/log/rkhunter.log. Check the log for any compromised system file or binary and reinstall it from a clean, legitimate version.
Rkhunter will also tell you if any common backdoor is installed.

We recommend that all our customers use a software-based firewall and restrict their open TCP/UDP ports, so that if someone tries to install a backdoor or a connect-back application, the firewall will block it.

If you need a more detailed Server Audit, please contact us.

* ServerBuddies Team

Nick

*** DNS Service Vulnerability ***

A vulnerability has been detected in the way some Domain Name System (DNS) services handle recursive DNS queries. The DNS is responsible for translating host names to IP addresses and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. Older versions of the BIND (Berkeley Internet Name Domain) DNS service and the Microsoft DNS service have been found to be susceptible to the poisoning of cached recursive resolvers with spoofed data. If you are running any third-party DNS service, you should check your server for vulnerabilities or updates immediately. You should upgrade your server as soon as possible to prevent any issues from occurring.

If you wish to have your DNS server upgraded please purchase a ServerBuddies Hour of Support plan and we will do it straight away.

* ServerBuddies Team

Nick

Cisco VPN Client for Linux

Here are the steps to install the Cisco VPN client application on Linux-based servers. We have found that several customers use their Cisco router to manage their VPN network, so by following these simple steps you should be able to install and configure your Linux server as a VPN client.

- Download vpnclient-linux-4.8.00.0490-k9.tar.gz from the ServerBuddies file server:

  1. cd /usr/local/src
  2. wget http://www.serverbuddies.com/files/vpnclient-linux-4.8.00.0490-k9.tar.gz

- Uncompress the application:

  1. tar xzf vpnclient-linux-4.8.00.0490-k9.tar.gz

You will see a new folder called “vpnclient”; ‘cd’ into it and run the installation script:

  1. cd vpnclient
  2. ./vpn_install

Answer the following questions:

Directory where binaries will be installed?
[/usr/local/bin]

Automatically start the VPN service at boot time?
[yes]

Directory containing linux kernel source code?
You will need to find where your kernel source code is; in 90% of cases it will be under /lib/modules/`uname -r`.
For this example we will use:

/lib/modules/2.6.9-67.0.22.EL/source

####
If you can't find your kernel source files, you probably don't have them installed; you will need to download the kernel-devel package:

  1. yum install kernel-devel

Note: Double check you are downloading the right kernel version that you currently use by typing:

  1. uname -r

####

To start the vpnclient service, type:

  1. /etc/init.d/vpnclient_init start

Keep in mind that Cisco VPN profiles are compatible between Linux and Windows, so if you already have a Windows myprofile.pcf Cisco VPN client profile you can copy it to /etc/opt/cisco-vpnclient/Profiles/myprofile.pcf and use it on your Linux server.

To start the VPN connection using your current profile just type:

  1. vpnclient connect myprofile

This Cisco vpnclient version should run on the latest kernel versions, but if you run into problems installing your Cisco VPN client, feel free to contact our Tech Support staff.
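The kernel-source question is the step where vpn_install most often stalls, so here is a small function, added as an example and not part of the original post or of Cisco's installer, that answers it: it checks the /lib/modules/<version>/source and /build links (the links the kernel-devel package creates, pointing into its tree under /usr/src/kernels on RHEL/CentOS) for a kernel Makefile and prints the first usable one, or prints the yum hint from the text. The function name kernel_src_dir, the optional root prefix argument and the second kernel version 2.6.9-42.EL used in the demo are assumptions made for this example; the directory tree it is run against is constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original post or the Cisco installer.

# Print the first kernel source directory for version $1 that holds a Makefile.
# $2 is an optional root prefix (used below for a constructed tree); omit it on
# a real host: kernel_src_dir "$(uname -r)"
kernel_src_dir() {
    ver=$1
    root=${2:-}
    root=${root%/}
    for cand in "$root/lib/modules/$ver/source" "$root/lib/modules/$ver/build"; do
        # A usable tree (full source or kernel-devel headers) has a top Makefile.
        if [ -f "$cand/Makefile" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    echo "no kernel source for $ver under ${root:-/}; try: yum install kernel-devel" >&2
    return 1
}

# Constructed tree: kernel-devel present for the kernel from the text, and a
# second (made-up) kernel version with modules but no source.
FAKE=$(mktemp -d)
trap 'rm -rf "$FAKE"' EXIT
mkdir -p "$FAKE/usr/src/kernels/2.6.9-67.0.22.EL" "$FAKE/lib/modules/2.6.9-67.0.22.EL"
touch "$FAKE/usr/src/kernels/2.6.9-67.0.22.EL/Makefile"
ln -s "$FAKE/usr/src/kernels/2.6.9-67.0.22.EL" "$FAKE/lib/modules/2.6.9-67.0.22.EL/source"
mkdir -p "$FAKE/lib/modules/2.6.9-42.EL"

kernel_src_dir 2.6.9-67.0.22.EL "$FAKE"
kernel_src_dir 2.6.9-42.EL "$FAKE" || echo "install the matching kernel-devel package first"
```

Because the version string is taken from `uname -r`, the answer always matches the running kernel; if the package installed is for a different kernel build, the link is missing and the function fails instead of handing vpn_install a tree that will not compile the module.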

* ServerBuddies Team.

Getting Started

1. First, install OpenSSH on two UNIX machines, hurly and burly. This works best using DSA keys and SSH2 by default as far as I can tell. All the other HOWTOs I’ve seen seem to deal with RSA keys and SSH1, and the instructions not surprisingly fail to work with SSH2.

2. On each machine, type ssh somemachine.example.com and make a connection with your regular password. This will create a .ssh dir in your home directory with the proper perms.

3. On your primary machine, where you want your secret keys to live (let’s say hurly), type

  1. ssh-keygen -t dsa

This will prompt you for a secret passphrase. If this is your primary identity key, make sure to use a good passphrase. If this works right you will get two files called id_dsa and id_dsa.pub in your .ssh dir. Note: it is possible to just press the enter key when prompted for a passphrase, which will make a key with no passphrase. This is a Bad Idea ™ for an identity key, so don’t do it! See below for uses of keys without passphrases.

4. Copy the id_dsa.pub file to the other host’s .ssh dir with the name authorized_keys2:

  1. scp ~/.ssh/id_dsa.pub burly:.ssh/authorized_keys2

5. Now burly is ready to accept your ssh key. How to tell it which keys to use? The ssh-add command will do it. For a test, type

  1. ssh-agent sh -c 'ssh-add < /dev/null && bash'

This will start the ssh-agent, add your default identity (prompting you for your passphrase), and spawn a bash shell. From this new shell you should be able to:

6. Type

  1. ssh burly

This should let you in without typing a password or passphrase. Hooray! You can ssh and scp all you want from this bash shell and not have to type any password or passphrase.
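Steps 2, 4 and 5 as shell functions, added here as an example that is not part of the original HOWTO. It runs against a constructed directory standing in for the account's home on burly, and the public key line is a made-up placeholder rather than a real key. The point it adds is the check behind "the proper perms" in step 2: sshd, with its default StrictModes, ignores authorized_keys when ~/.ssh or the file itself is group- or world-writable, which is the usual reason a fresh key setup still asks for a password. It writes to authorized_keys rather than authorized_keys2; OpenSSH's default AuthorizedKeysFile reads both names, but authorized_keys is the standard one. The function names perm_status, install_pubkey, count_keys and agent_shell are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. Function names and the sample
# key below are made up for this illustration.

# "ok" if the path is writable only by its owner, "bad" otherwise.
# Columns 6 and 9 of `ls -l` output are the group and other write bits.
perm_status() {
    case $(ls -ld "$1" | cut -c6,9) in
        *w*) echo bad ;;
        *)   echo ok ;;
    esac
}

# Add one public key line to $home/.ssh/authorized_keys (step 4), creating the
# directory and file with the modes sshd expects and skipping duplicate lines.
install_pubkey() {
    home=$1; pubkey=$2
    dir="$home/.ssh"; keyfile="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$keyfile" && chmod 600 "$keyfile"
    grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
}

# Number of key lines currently authorised for the account.
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# Step 5: run an agent with the default identity loaded and drop into a shell.
# Kept as a function so it is not started just by running this file.
agent_shell() {
    ssh-agent sh -c 'ssh-add < /dev/null && bash'
}

# --- demo against a constructed home directory -------------------------------
BURLY_HOME=$(mktemp -d)
trap 'rm -rf "$BURLY_HOME"' EXIT
# Placeholder key text, not a real DSA key.
PUBKEY='ssh-dss AAAAB3NzaC1kc3MEXAMPLEPLACEHOLDERNOTAREALKEY= alice@hurly'

install_pubkey "$BURLY_HOME" "$PUBKEY"
install_pubkey "$BURLY_HOME" "$PUBKEY"   # the second copy is not appended
echo "keys: $(count_keys "$BURLY_HOME"), .ssh: $(perm_status "$BURLY_HOME/.ssh"), file: $(perm_status "$BURLY_HOME/.ssh/authorized_keys")"
```

If a key you installed by hand is being ignored, run perm_status on the home directory, ~/.ssh and authorized_keys on the target host; any "bad" explains the password prompt before you start reading sshd's debug output.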

The release of Parallels Plesk Control Panel 8.6 continues Parallels' initiative of enabling integration of all types of web hosting software. This new version of the software further integrates the Parallels Plesk Control Panel with Parallels Virtuozzo Containers, 3rd party, and other web applications as well as continuing to deliver innovative ease of use, the highest levels of stability and performance, security and unmatched value. With over 20 new features and capabilities, Parallels Plesk remains the true leader in multi-platform control panels.

New Features
  1. Parallels Plesk Billing Bundle
  2. Changing DNS zone SOA serial number format
  3. Improved DNS zone update
  4. Permission for clients to select a target DB server
  5. Categories in Application Vault
  6. DomainKeys support
  7. 4PSA VoipNow integration
  8. Database users prefix
  9. Import/Export Database Backup
  10. New Plesk events
  11. Ability to block domain creation in foreign DNS zone
  12. Extended branding options
  13. Application Packaging Standard (APS) CGI support
  14. ProFTPd 1.3.1 Update
  15. Horde 3.1.7 Update
  16. SPAW 2.0 Update
  17. DotNetNuke 4.8.2 Update
  18. openSuSE 10.3 Support
  19. Fedora 8 Support
  20. Parallels Plesk Sitebuilder 4.2 Support
  21. Simple DNS Plus 5.0 Support
  22. ColdFusion 8 Support
  23. SmarterMail 5 Support
  24. CommuniGate Pro 5.2 Support
  25. MailEnable 3.14 Support
  26. Merak 9.2.1 Support
  27. Parallels Plesk Billing (formerly ModernBill) integration


* ServerBuddies recommends Plesk!
