Security Checks During Server Compromise
We can use some techniques and tools to investigate our server if we suspect they’ve been compromised.
Compromised as a result of various factors: weak passwords, weak iptables rules, older versions of software with known exploits, and more.
Below command helps you check for any “backdoors” which have been opened on your server.
#
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 117.214.112.13:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:3128 192.168.1.2:53704 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53705 ESTABLISHED
tcp 0 0 192.168.1.1:22 192.168.1.2:33097 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53703 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53702 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:35523 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
Sniff for any connections to a particular port using tcpdump
#
tcpdump -v src port 3128
07:58:07.756470 IP (tos 0×0, ttl 64, id 20876, offset 0, flags [DF], proto TCP (6), length 52) laptop.ss.com.3128 > dell.local.36737: ., cksum 0×130f (correct), ack 3466497798 win 482
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel
This will capture all the packets with destination port 3128.
To list all the open IP sockets associated with your SSH server run the following command:
#
lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2701 root 3u IPv4 7109 TCP laptop.ss.com:ssh (LISTEN)
sshd 3891 root 3r IPv4 12124 TCP laptop.ss.com:ssh->dell.local:33097 (ESTABLISHED)
lsof can be used to display all his running processes for a particular user.
More example can be found in the man pages for lsof.
Apache Security Tips - Permissions on ServerRoot Directories
In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:
mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs
It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:
cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd
You can create an htdocs subdirectory which is modifiable by other users — since root never executes any files out of there, and shouldn’t be creating files in there.
When PHP safe_mode is on
When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory. For example:
-rw-rw-r– 1 buddies buddies 43 Nov 1 19:20 passwd.php
-rw-r–r– 1 root root 1116 Nov 26 18:01 /etc/passwd
Running passwd.php: results in this error when safe mode is enabled:
Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not
allowed to access /etc/passwd owned by uid 0 in /docroot/passwd.php on line 2
However, there may be environments where a strict UID check is not appropriate and a relaxed GID check is sufficient. This is supported by means of the safe_mode_gid switch. Setting it to On performs the relaxed GID checking, setting it to Off (the default) performs UID checking.
If instead of safe_mode, you set an open_basedir directory then all file operations will be limited to files under the specified directory. For example (Apache httpd.conf example):
php_admin_value open_basedir /docroot
If you run the same script.php with this open_basedir setting then this is the result:
Warning: open_basedir restriction in effect. File is in wrong directory in /docroot/passwd.php on line 2
Protect Server Files by Default
One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.
For instance, consider the following example:
1. # cd /; ln -s / public_html
2. Accessing http://localhost/~root/
This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server’s configuration:
Order Deny,Allow
Deny from all
Protecting System Settings in Apache
To run a really tight ship, you’ll want to stop users from setting up .htaccess files which can override security features you’ve configured. Here’s one way to do it.
In the server configuration.
This prevents the use of .htaccess files in all directories apart from those specifically enabled.
