Enabling Source Address Verification
To prevent a remote host from spoofing incoming packets so that they appear to have come from the local machine.
Solution:
Turn on source address verification (reverse-path filtering) in the Linux kernel:
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
A quick method is to add this line to /etc/sysctl.conf
net.ipv4.conf.all.rp_filter = 1
And then run sysctl -p to load the configuration.
DESCRIPTION
sysctl is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. Procfs is required for sysctl support in Linux. You can use sysctl to both read and write sysctl data.
EXAMPLES
/sbin/sysctl -a
/sbin/sysctl -n kernel.hostname
/sbin/sysctl -w kernel.domainname="example.com"
/sbin/sysctl -p /etc/sysctl.conf
-w Use this option when you want to change a sysctl setting.
-p Load in sysctl settings from the file specified or /etc/sysctl.conf if none given. Specifying - as filename means reading data from standard input.
-a Display all values currently available.
-A Display all values currently available in table form.
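The check a practitioner would want before trusting this setting, written as an added example that is not from the original notes: it reads a saved "sysctl -a" listing (constructed inline, so it runs offline) and reports each interface's effective reverse-path filter mode, which the kernel computes as the larger of conf.all and the interface's own value. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit reverse-path filtering
# from a saved "sysctl -a" listing; on a live host feed it with
#   sysctl -a 2>/dev/null | rpf_report
# The kernel uses max(conf.all, conf.<if>) per interface, so an interface
# is only really unfiltered when its own value AND conf.all are both 0.
rpf_report() {   # stdin: "key = value" lines; exit 1 if any interface is unfiltered
    awk -F' *= *' '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ { split($1, k, "."); v[k[4]] = $2 + 0 }
        END {
            for (i in v) {
                if (i == "all" || i == "default") continue
                eff = (v["all"] > v[i]) ? v["all"] : v[i]
                if (eff == 0) { bad++; printf "UNFILTERED %s\n", i }
                else printf "%-10s %s\n", (eff == 1 ? "strict" : "loose"), i
            }
            if (bad > 0) exit 1
        }'
}

# Number of unfiltered interfaces in a listing read from stdin
rpf_unfiltered_count() {
    rpf_report | grep -c '^UNFILTERED'
}

# The persistent fix from the text: lines for /etc/sysctl.conf, then "sysctl -p"
rpf_sysctl_lines() {
    printf 'net.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1\n'
}

# Constructed sample: conf.all left at 0 and only eth0 set by hand
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.ip_forward = 0'

printf '%s\n' "$SAMPLE" | rpf_report || echo "fix: add the lines below to /etc/sysctl.conf and run sysctl -p"
rpf_sysctl_lines
```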
How to get the Ensim installer
Obtaining the Installer Script
You can obtain the installer script from the FTP server or from the download page.
http://download.pro.parallels.com/ensim/apt/ensim/EPL/10.3.4/ensim-installer.py
To perform an attended installation:
1. Access the installer script as described in the Obtaining the Installer Script section.
2. Run the installer script by typing the following command at the prompt. For key script options, see the command options. Use the --help option with the script to learn more about the various command line options you can use with the script.
python ensim-installer.py -n admin -p passwd -m example1@example.com
To perform an unattended installation:
1. Access the installer script as described in the Obtaining the Installer Script section.
2. Run the script with the --assume-yes option. The --assume-yes option answers yes to installation queries that require a yes or no response. For key script options, see the command options. Use the --help option with the script to learn more about the various command line options you can use with the script.
python ensim-installer.py -n admin -p passwd -m example1@example.com --assume-yes
Hardening PHP
Run as the user instead of "nobody". You can run PHP as the site's own user (as CGI scripts do with Apache's suexec).
Enable suPHP
PHP scripts are executed by the user who owns the VirtualHost serving the request.
Use hardening tools like Suhosin
Remove Insecure Scripts
Apache directives like php_value are not valid for mod_suphp. Instead, place a php.ini file in the directory containing the PHP script and specify these values in it.
For PHP scripts to execute, permissions of 0400 are sufficient. Scripts run as the user who owns the VirtualHost, so wherever that user can write to a file or directory, PHP scripts can write there too. mod_suphp performs various security checks before executing PHP scripts; most can be disabled in the mod_suphp configuration file located at /opt/suphp/etc/suphp.conf.
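An added example, not from the original notes: since suPHP runs scripts as the VirtualHost owner, an audit can flag PHP files that are group- or world-writable or owned by another account (the cases mod_suphp's own checks exist to refuse) and tighten them to the 0400 the text says is enough. The directory tree is constructed in a temp directory; DOCROOT and OWNER are the assumed arguments and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page). Under suPHP a script runs as
# the VirtualHost owner, so 0400 is enough; group/world-writable scripts or
# scripts owned by another account are what mod_suphp's checks refuse.
# Uses a constructed tree in a temp dir; on a real host pass the real docroot.

# List PHP files under DOCROOT that are group/world writable or not owned by OWNER
loose_php_scripts() {   # usage: loose_php_scripts DOCROOT OWNER
    find "$1" -type f -name '*.php' \
        \( -perm -020 -o -perm -002 -o ! -user "$2" \) -print
}

# Tighten every PHP script under DOCROOT to 0400 (owner read-only)
tighten_php_scripts() {   # usage: tighten_php_scripts DOCROOT
    find "$1" -type f -name '*.php' -exec chmod 0400 {} +
}

# Constructed document root with one correct and two loose scripts
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/app"
printf '<?php echo 1;\n' > "$ROOT/index.php";     chmod 0400 "$ROOT/index.php"
printf '<?php echo 2;\n' > "$ROOT/app/a.php";     chmod 0664 "$ROOT/app/a.php"      # group writable
printf '<?php echo 3;\n' > "$ROOT/app/b.php";     chmod 0666 "$ROOT/app/b.php"      # world writable
printf 'notes\n'         > "$ROOT/app/notes.txt"; chmod 0666 "$ROOT/app/notes.txt"  # not a script

echo "loose scripts before tightening:"; loose_php_scripts "$ROOT" "$(id -un)"
```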
Reducing DNS bandwidth
* Refresh - 86000 - This is the time (in seconds) after which the slave DNS server will refresh from the master. This value represents how often a secondary will poll the primary server to see if the serial number for the zone has increased (so it knows to request a new copy of the data for the zone). It can be written as "23h88M", indicating 23 hours and 88 minutes. If you have a regular Internet server, you can keep it between 6 and 24 hours.
There is constant bandwidth usage between primary and secondary (backup DNS) servers, and it depends a lot on the Refresh value. If the refresh value is, say, 3 hours, your secondary server is polling your primary server every 3 hours and updating its copy. Let's assume you have 1000 zone files, each with a 3-hour refresh rate; you can imagine the bandwidth that must be getting used. This is especially true if the servers are on 2 separate physical machines.
Increasing the Refresh value, so that the secondary polls less often, effectively reduces bandwidth usage between the primary and secondary server.
BEWARE! Any name or label that appears on either the left or right-hand-side of a resource record that does not have a terminating full stop will have the origin added to the name/label. Missing full stops are one of the most common causes of error in DNS zone files.
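As an added example that is not part of the original notes: a small shell/awk checker that reads a BIND-style zone file from stdin, reports the SOA refresh interval in hours (so you can see whether it sits in the 6 to 24 hour band mentioned above) and lists right-hand-side names that lack the terminating dot. The zone content is constructed and the function names are my own.

```shell
# Added example (not from the original notes). Reads a BIND-style zone file
# on stdin, reports the SOA refresh interval in hours, and lists NS/MX/CNAME/
# PTR targets without a terminating dot (they silently get the origin added).
zone_refresh_hours() {   # prints the SOA refresh value converted to hours
    awk '
    BEGIN { mult["w"] = 604800; mult["d"] = 86400; mult["h"] = 3600; mult["m"] = 60; mult["s"] = 1 }
    function secs(s,   tot, m, u) {      # "86400", "3h", "1w", "23h88M" -> seconds
        while (match(s, /^[0-9]+/)) {
            m = substr(s, 1, RLENGTH) + 0; s = substr(s, RLENGTH + 1)
            u = tolower(substr(s, 1, 1))
            if (u in mult) { m *= mult[u]; s = substr(s, 2) }
            tot += m
        }
        return tot
    }
    { sub(/;.*/, "") }                    # strip comments
    /[ \t]SOA[ \t]/ { insoa = 1 }
    insoa {                               # collect the SOA even when spread over lines
        buf = buf " " $0
        if (buf !~ /\(/ || $0 ~ /\)/) insoa = 0
    }
    END {                                 # ... SOA mname rname serial REFRESH retry expire min
        gsub(/[()]/, " ", buf); n = split(buf, t, /[ \t]+/)
        for (i = 1; i <= n; i++) if (t[i] == "SOA") printf "%.1f\n", secs(t[i + 4]) / 3600
    }'
}

zone_unterminated() {    # flags relative right-hand-side names for review
    awk '{ sub(/;.*/, "") }
         /[ \t](NS|MX|CNAME|PTR)[ \t]/ && $NF !~ /\.$/ && $NF != "@" { print NR ": " $0 }'
}

sample_zone() {          # constructed zone: 3h refresh, one NS target missing its dot
cat <<'EOF'
$ORIGIN example.com.
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2024010101 ; serial
         3h         ; refresh
         1h         ; retry
         1w         ; expire
         1h )       ; minimum / negative-caching TTL
@    IN NS  ns1.example.com.
@    IN NS  ns2.example.com      ; no dot: resolves as ns2.example.com.example.com.
@    IN MX  10 mail.example.com.
EOF
}

echo "refresh: $(sample_zone | zone_refresh_hours) hours"; sample_zone | zone_unterminated
```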
Changing the Webmin Port from the Command Line
Changing the port on which Webmin runs after installation is also a pretty simple process. Simply edit the file miniserv.conf in the /etc directory where your Webmin configuration files were installed (this is likely one of the following: /etc/webmin, /usr/local/webmin/etc, or /opt/webmin/etc). You’ll find a port directive. Change this to whatever port you need Webmin to listen on, and then restart the Webmin web server.
Restarting the Webmin server can be accomplished in a few different ways depending on the OS and version. Under Red Hat Linux and its derivatives, for example, you would use the standard service command:
# /sbin/service webmin stop
# /sbin/service webmin start
If your OS does not have a standardized service control tool like service, you may use the standard Webmin stop and start scripts located in the Webmin etc directory:
# /etc/webmin/stop; /etc/webmin/start
The miniserv.conf file contains many other options, but you will only need to edit a few manually. Another common problem users run into is restricting access by IP and then being locked out when their service provider changes their IP; simply mistyping an IP leads to the same trouble. The remedy is to add the correct IP to the allow= directive and then restart the Webmin server.
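An added example (not Webmin's own tooling): edit a copy of miniserv.conf to change port= and allow=, and validate the result before restarting, since a mistyped allow= address is exactly the lock-out described above. The sample file is constructed; on a real host point CONF at the miniserv.conf path for your install, and the check assumes allow= holds plain IPv4 addresses.

```shell
#!/bin/sh
# Added example (not Webmin's own tooling). Change port= and allow= in a
# miniserv.conf-style file and sanity-check it before restarting, since a
# mistyped allow= address locks you out. Works on a constructed copy; on a
# real host set CONF to your install's miniserv.conf path.

set_conf_key() {   # usage: set_conf_key FILE KEY VALUE  (replaces or appends key=value)
    if grep -q "^$2=" "$1"; then
        sed -i.bak "s|^$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

get_conf_key() {   # usage: get_conf_key FILE KEY  -> prints the value
    sed -n "s/^$2=//p" "$1"
}

valid_ipv4() {     # 0 if $1 is a dotted quad with every octet in 0..255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

check_conf() {     # assumes allow= holds plain IPv4 addresses (no netmasks or hostnames)
    port=$(get_conf_key "$1" port); allow=$(get_conf_key "$1" allow)
    case "$port" in ''|*[!0-9]*) echo "bad port: '$port'"; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port"; return 1; }
    for ip in $allow; do
        valid_ipv4 "$ip" || { echo "allow= entry is not a valid IPv4 address: $ip"; return 1; }
    done
    echo "ok: port=$port allow='$allow'"
}

# Constructed miniserv.conf fragment
CONF=$(mktemp); trap 'rm -f "$CONF" "$CONF.bak"' EXIT
cat > "$CONF" <<'EOF'
port=10000
ssl=1
allow=192.0.2.5
EOF
set_conf_key "$CONF" port 10443
set_conf_key "$CONF" allow "192.0.2.5 198.51.100.20"
check_conf "$CONF" && echo "now: /sbin/service webmin stop; /sbin/service webmin start"
```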