Archive for September, 2009

SBDavid

Rkhunter Installation

Download from

http://kent.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.4/rkhunter-1.3.4.tar.gz

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.

What are rootkits? Most of the time they are self-hiding toolkits used by blackhats, crackers and script kiddies to avoid the eye of the sysadmin.

Unpacking the tar file should produce a single directory called ‘rkhunter-<version>’, where <version> is the version number of rkhunter being installed. For example, the rkhunter-1.3.0.tar.gz tar file will produce the ‘rkhunter-1.3.0’ directory when unpacked. Within this directory is the installation script called ‘installer.sh’.

To perform a default installation of RKH simply unpack the tarball and, as root, run the installation script:

tar zxf rkhunter-<version>.tar.gz
cd rkhunter-<version>
./installer.sh --layout default --install

RKH installation supports custom layouts. To show some examples run:

./installer.sh --examples

As another example, to install all files beneath /opt, run:

./installer.sh --layout custom /opt --install

The default installation process will install a configuration file, called ‘rkhunter.conf’, into the ‘/etc’ directory.

To run RKH, as root, simply enter the following command:

rkhunter --check

By default, the log file ‘/var/log/rkhunter.log’ will be created. It will contain the results of the checks made by RKH.

To see what other options can be used with rkhunter, enter:

rkhunter --help
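Once RKH is writing to /var/log/rkhunter.log, a cron job usually only needs to know whether any warnings appeared. The following is an added example (not part of the original post) that pulls the distinct "Warning:" lines out of the log; it assumes the "[HH:MM:SS] Warning: ..." line format, and the sample log is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: triage an rkhunter log instead
# of reading the whole file. Assumes the "[HH:MM:SS] Warning: ..." line
# format written to /var/log/rkhunter.log; the sample log is constructed.

# Print every "Warning:" line with the timestamp prefix removed and exact
# duplicates collapsed (rkhunter repeats some warnings in later test runs).
rkhunter_warnings() {
    sed -n 's/^\[[0-9:]*\] *Warning: //p' "$1" | sort -u
}

# Number of distinct warnings, suitable for an alerting threshold.
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Return 0 when the log contains no warnings, 1 otherwise (cron exit code).
rkhunter_is_clean() {
    [ "$(rkhunter_warning_count "$1")" -eq 0 ]
}

# Constructed sample log in the rkhunter 1.3.x style.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[10:15:32] Info: Starting test name 'properties'
[10:15:33]   /bin/ls                                   [ OK ]
[10:15:34] Warning: The command '/usr/bin/unhide' has been replaced by a script: /usr/bin/unhide: Bourne-Again shell script text executable
[10:15:40] Info: Starting test name 'rootkits'
[10:15:41] Checking for Beastkit Rootkit...            [ Not found ]
[10:15:50] Warning: Hidden directory found: /etc/.java
[10:15:51] Warning: Hidden directory found: /etc/.java
[10:16:00] Info: End date is Wed Sep 30 10:16:00 CEST 2009
EOF

rkhunter_warnings "$SAMPLE_LOG"
# rkhunter_warning_count "$SAMPLE_LOG" prints 2 for this sample
```

Point the functions at /var/log/rkhunter.log after a real `rkhunter --check` and use `rkhunter_is_clean` as the cron job's exit status.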

Forcing Strong Passwords

To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within an organization are strong ones. When users are asked to create or change passwords, they can use the command line application passwd, which is Pluggable Authentication Modules (PAM) aware and therefore checks, via the pam_cracklib.so PAM module, whether the password is easy to crack or too short. Since PAM is customizable, it is possible to add further password integrity checkers, such as pam_passwdqc (available from http://www.openwall.com/passwdqc/), or to write a new module. For a list of available PAM modules, refer to http://www.kernel.org/pub/linux/libs/pam/modules.html.

There are many password cracking programs that run under Red Hat Enterprise Linux, although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs:

John The Ripper — A fast and flexible password cracking program. It allows the use of multiple word lists and is capable of brute-force password cracking. It is available online at http://www.openwall.com/john/.

Crack — Perhaps the most well known password cracking software, Crack is also very fast, though not as easy to use as John The Ripper. It can be found online at http://www.crypticide.com/users/alecm/.

Slurpie — Slurpie is similar to John The Ripper and Crack, but it is designed to run on multiple computers simultaneously, creating a distributed password cracking attack. It can be found along with a number of other distributed attack security evaluation tools online at http://www.ussrback.com/distributed.htm.

The -M option of the chage command specifies the maximum number of days the password is valid. So, for instance, to set a user’s password to expire in 90 days, type the following command:

chage -M 90 username
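Running chage -l for every account does not scale, but the maximum age that `chage -M` sets is simply field 5 of each /etc/shadow entry. The following is an added example (not part of the original post) that audits a shadow file against the 90-day limit used above and emits the chage commands needed to fix the stragglers; the sample shadow file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit password ageing straight
# from /etc/shadow. Field 5 is the maximum age that "chage -M" sets; the
# 90-day limit is the one the post uses and the sample file is constructed.
MAX_DAYS=90

# Print "user:maxdays" for every account with a real password hash whose
# maximum age is unset or longer than MAX_DAYS. Entries whose hash field is
# empty or starts with "!" or "*" are locked or passwordless and are skipped.
shadow_stale_policy() {
    awk -F: -v max="$MAX_DAYS" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $5 == "" || $5 > max    { print $1 ":" ($5 == "" ? "none" : $5) }
    ' "$1"
}

# Number of accounts violating the policy.
shadow_violation_count() {
    shadow_stale_policy "$1" | wc -l | tr -d ' '
}

# Emit the chage command that would bring each violating account into line.
shadow_fix_commands() {
    shadow_stale_policy "$1" | cut -d: -f1 | while read -r user; do
        printf 'chage -M %s %s\n' "$MAX_DAYS" "$user"
    done
}

# Constructed sample; hashes are placeholders, not real password hashes.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$1$constructed$placeholderhash:14500:0:99999:7:::
alice:$1$constructed$placeholderhash:14500:0:90:7:::
bob:$1$constructed$placeholderhash:14500:0::7:::
carol:$1$constructed$placeholderhash:14500:0:365:7:::
daemon:*:14500:0:99999:7:::
mail:!!:14500:0:99999:7:::
EOF

shadow_stale_policy "$SAMPLE_SHADOW"
shadow_fix_commands "$SAMPLE_SHADOW"
# shadow_violation_count "$SAMPLE_SHADOW" prints 3 (root, bob, carol)
```

Review the printed chage commands before running them; system accounts that hold a real hash will show up too.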

Password Protecting GRUB Using Boot Loader Passwords

GRUB can be configured by adding a password directive to its configuration file. To do this, first decide on a password, then open a shell prompt, log in as root, and type:

/sbin/grub-md5-crypt

When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password.

Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and below the timeout line in the main section of the document, add the following line:

password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.

The next time the system boots, the GRUB menu does not allow access to the editor or command interface without first pressing p followed by the GRUB password.

This does not, however, prevent an attacker from booting into a non-secure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited.

Look for the title line of the non-secure operating system and add a line that says lock directly beneath it.

For a DOS system, the stanza should begin similar to the following:

title DOS
lock

To create a different password for a particular kernel or operating system, add a lock line to the stanza, followed by a password line.

Each stanza protected with a unique password should begin with lines similar to the following example:

title DOS
lock
password --md5 <password-hash>
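After editing grub.conf it is easy to leave one stanza unprotected. The following is an added example (not part of the original post) that audits a GRUB legacy grub.conf for the two protections described above: a global password --md5 line in the main section, and a lock line in each stanza. The sample grub.conf is constructed and its hash is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: audit a grub.conf for the
# protections described above. Assumes the GRUB legacy syntax the post uses;
# the sample file is constructed and its hash is a placeholder.

# Succeed (exit 0) only if a "password --md5" line appears in the main
# section, i.e. before the first "title" stanza.
grub_has_global_password() {
    awk '/^[[:space:]]*title/ { exit }
         /^[[:space:]]*password[[:space:]]+--md5/ { found = 1; exit }
         END { exit !found }' "$1"
}

# Print the name of every stanza that has no "lock" line. The post puts
# lock directly beneath title; this check accepts it anywhere in the stanza.
grub_unlocked_stanzas() {
    awk '/^[[:space:]]*title/ {
             if (title != "" && !locked) print title
             title = $0
             sub(/^[[:space:]]*title[[:space:]]*/, "", title)
             locked = 0
         }
         /^[[:space:]]*lock[[:space:]]*$/ { locked = 1 }
         END { if (title != "" && !locked) print title }' "$1"
}

# Constructed sample grub.conf: only the DOS stanza is locked.
SAMPLE_GRUB=$(mktemp)
cat > "$SAMPLE_GRUB" <<'EOF'
default=0
timeout=5
password --md5 $1$PLACEHOLDER$replace-with-grub-md5-crypt-output
title Red Hat Enterprise Linux
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/hda1
        initrd /initrd.img
title DOS
        lock
        rootnoverify (hd0,1)
        chainloader +1
title Other Linux
        root (hd0,2)
        kernel /vmlinuz ro root=/dev/hda3
EOF

if grub_has_global_password "$SAMPLE_GRUB"; then echo "global password: present"
else echo "global password: MISSING"; fi
echo "stanzas without lock:"
grub_unlocked_stanzas "$SAMPLE_GRUB"
```

Run the two functions against /boot/grub/grub.conf as root; whether an unlocked stanza is a problem depends on which systems you intended to lock.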

Install or upgrade the csf webmin module, and csf uninstallation.

To install or upgrade the csf webmin module:

Install csf first.

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Then install the csf webmin module in:

Webmin > Webmin Configuration > Webmin Modules >
From local file > /etc/csf/csfwebmin.tgz > Install Module

Uninstallation

Removing csf and lfd is even simpler:

On cPanel servers:

cd /etc/csf
sh uninstall.sh

On DirectAdmin servers:

cd /etc/csf
sh uninstall.directadmin.sh

On generic Linux servers:

cd /etc/csf
sh uninstall.generic.sh

How to install CSF Firewall on your Server.

Installation

Installation is quite straightforward:

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, test whether you have the required iptables modules:

perl /etc/csf/csftest.pl

Don’t worry if you cannot run all the features, so long as the script doesn’t report any FATAL errors.

You should not run any other iptables firewall configuration script. For example, if you previously used APF+BFD, remove that combination (you must do this if they are installed, otherwise the two firewalls will conflict horribly):

sh /etc/csf/remove_apf_bfd.sh

That’s it. You can then configure csf and lfd by editing the files directly in /etc/csf/*, or on cPanel servers by using the WHM UI.

csf installation for cPanel is preconfigured to work on a cPanel server with all the standard cPanel ports open.

csf installation for DirectAdmin is preconfigured to work on a DirectAdmin server with all the standard DirectAdmin ports open.

csf auto-configures your SSH port on installation where it’s running on a non-standard port.

csf auto-whitelists your connected IP address where possible on installation.

You should ensure that the kernel logging daemon (klogd) is enabled. Typically, VPS servers have this disabled; check /etc/init.d/syslog and make sure that any klogd lines are not commented out. If you change the file, remember to restart syslog.

Download the firewall script from: http://www.configserver.com/
