Archive for the 'Security' Category

SBDavid

Backing Up Using Acronis True Image

Backing Up Using Acronis True Image

Acronis True Image Enterprise Server allows you to create the exact server disk image for complete server backup.

The server disk backup file includes all the server disk data including system, programs, databases, and the like.

Plesk has integration with Acronis True Image. You can set up either one-time or recurring backup of server’s hard drives via Plesk control panel interface. Presently, restoring of backup data is possible only via separate Acronis True Image utilities.

SBDavid

IP Spoofing

IP Spoofing

A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or trojan horse to gain control over your network resources.

Spoofing is quite difficult as it involves the attacker predicting TCP/IP sequence numbers to coordinate a connection to target systems, but several tools are available to assist crackers in performing such a vulnerability.

Depends on target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in ssh or SSL/TLS.

Using RPM Verify to Monitor Changes to System Files

It is important for administrators of critical server systems to be able to track changes to files on their systems. Tracking file changes helps detect accidental or malicious modifications such as viruses, root kits, or hacking activity. RPM, the package management system used for all RPM based Linux distributions, provides an easy mechanism for tracking these changes. When a package is installed, the RPM database stores information about each file belonging to that package including the size, date, and MD5 sum among others. This data can later be compared to the existing files on the system to detect any changes.

Verifications are performed with the rpm command and the -V flag. This command should be executed as root so that all file attributes can be read from the system without file permissions getting in the way. For example:

To verify all files in the RPM database:

# rpm -Va

To verify all files belonging to a package, packagename:

# rpm -V packagename

To verify all files belonging a particular RPM file (local, FTP, HTTP):

# rpm -V path_to_the_file.rpm

All applicable files are checked, and any discrepancies are shown. The output is a string of eight characters, followed by an optional attribute marker. The string of eight characters indicates changes in size, permissions, MD5 sum, etc.

S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs

For example:

S.5….T c /etc/wvdial.conf

This example shows that the configuration file, /etc/wvdial.conf, has a different size, MD5 sum, and modified time than the RPM database has on record. In this case, this is probably okay–it is a configuration file and it is normal for them to change.

Nikto2 web server assessment tool Install.

Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1000 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Installation

Any system which supports a basic Perl installation should allow Nikto to run. For SSL support the Net::SSLeay Perl module must be installed (which in turn requires OpenSSL on the Unix platform).

Perl: http://www.cpan.org/
LibWhisker: http://www.wiretrip.net/
ActiveState Perl: http://www.activestate.com/
OpenSSL: http://www.openssl.org/
Perl modules RPC::XML::Client and RPC::XML for Metasploit logging integration

Download - http://cirt.net/nikto/nikto-2.1.3.tar.bz2

Unpack the download file:

tar -xvfz nikto-2.1.3.tar.bz2

Basic Testing
The most basic Nikto scan requires simply a host to target, since port 80 is assumed if none is specified. The host can either be an IP or a hostname of a machine, and is specified using the -h (-host) option. This will scan the IP 192.168.0.1 on TCP port 80:

perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option. This will scan the IP 192.168.0.1 on TCP port 443:

perl nikto.pl -h 192.168.0.1 -p 443

How to use lsof command to Find Open Files

The lsof utility can help identify which files are being used by any given application, which network ports are open, and much more.

A process would show up in top or ps aux, but the executable may not seem to exist. Using lsof, we could hunt down the scripts or executables used to run the program. If we run just lsof, it will attempt to show all files (which includes network sockets, pipes and special files) that are open.

If we want to see all the open files owned by a process, we can use the -p option (for PID) like so:

lsof -p XXXXX

Just replace XXXXX with the process ID (PID) of the process you want to see. The output will show the command that has the file open, the PID, the user, the file descriptor, type, size of the file and the name of the file.

We can also see what files are open by users. Running lsof -u user will show all open files by processes owned by the user. You can also substitute the user ID (UID) for the username. If you want to eliminate a user from the listing, use ^user instead. The preceding caret will negate the selection, so the user will be ignored.

If we want to see what network sockets are owned by a particular user or process? Try ..

lsof -u user -a -i

That will show only the open TCP and UDP sockets. If we want to see what files are open over the network, use -i. This will show you which files and sockets are open, and their respective protocols, hostnames and so on. We can narrow network parameters down by IP version (-i4 for IPv4, -i6 for IPv6), protocol (UDP or TCP), and even hostname or port.

By default, lsof will look up hostnames, but we can turn this off using the -n option. It will run faster without needing to do name lookups.

lsof 4.81
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man

« Prev - Next »