Archive for the tag 'Security'

nmap - Network exploration tool and security / port scanner

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

A typical Nmap scan is shown in Example 1. The only Nmap arguments used in this example are -A, to enable OS and version detection,script scanning, and traceroute; -T4 for faster execution; and then the two target hostnames.

Example 1. A representative Nmap scan

# nmap -A -T4 scanme.nmap.org

ISC BIND & DNS allow-recursion security feature.

allow-recursion { 192.168.1.0/24; localhost; };

The allow-recursion statement specifies which hosts are allowed to make recursive queries through this server. With the configuration as shown above, we allow recursive queries only from internal hosts since allowing every external hosts on the Internet to ask your name server to answer recursive queries can open you up to certain kinds of cache poisoning attacks. This is a security feature.

Important Parallels Plesk Panel Critical Vulnerability MicroUpdates

Parallels has released new set of Critical MicroUpdates for certain versions of Plesk Panel 10.4 or earlier to address functional fixes, stability, and security – including third-party components.

Impact
These MicroUpdates are not needed for Parallels Plesk Panel 11. Updating prior versions to Parallels Plesk Panel 11 eliminates the need to apply this set of Critical MicroUpdates. Parallels Plesk Panel 11 can be downloaded from: http://www.parallels.com/download/plesk.

These Critical MicroUpdates are available for Windows and Linux for the following versions of Parallels Plesk Panel:

10.4.x
10.3.x
10.2.x
10.1.x
10.0.x
9.5.x
9.3.x
9.2.x
9.0.x
8.6.x
8.4.x
8.2.x

Independent of this update Parallels has become aware of unsubstantiated claims of a new Security Vulnerability in Parallels Plesk Panel version 10.4 and earlier (http://kb.parallels.com/en/114330). After extensive investigation, Parallels has traced all reported issues back to the vulnerability already reported and closed with the February 2012 security advisory http://kb.parallels.com/113321. This vulnerability has had patches and remediation steps available since February 2012.

Call to Action and Best Practices

By applying this new MicroUpdate, all previous MicroUpdates will also be applied (including those discussed in the most recent advisory: http://kb.parallels.com/113321).

Independent of this update Parallels has become aware of unsubstantiated claims of a new Security Vulnerability in Parallels Plesk Panel version 10.4 and earlier (http://kb.parallels.com/en/114330). After extensive investigation, Parallels has traced all reported issues back to the vulnerability already reported and closed with the February 2012 security advisory http://kb.parallels.com/113321. This vulnerability has had patches and remediation steps available since February 2012.

Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

Important Note: Your updated Parallels Plesk Panel installation will only be secureif your underlying server infrastructure is correctly maintained and patched. Please ensure that all your server components including operating systems and databases are correctly patched and up-to-date.

Remove any active sessions using:

# php -d open_basedir= -d safe_mode=0 plesk_password_changer.php `cat /etc/psa/.psa.shadow` –clean-up-sessions

Review published web content for integrity, removing any malicious scripts:

# grep -ilr ‘km0ae9gr6m’ /var/www/vhosts/ | while read arq; do echo $arq; echo $arq >> /root/infected.txt; sed -ni ‘1h;1!H;${x;s/km0ae9gr6m.*qhk6sa6g1c/virus removed/;p}’ $arq; done;

Should you require further support to patch/upgrade your Parallels Plesk Panel or solve this issue, please submit a Full Security Audit plan: http://www.serverbuddies.com/full-server-security-audit.php

Security - verify that All World-Writable Directories Have Sticky Bits Set

Locate any directories in local partitions which are world-writable and do not have their sticky bits set. The following command will discover and print these. Run it once for each local partition:

# find PARTITION -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

If this command produces any output, fix each reported directory /dir using the command:

# chmod +t /dir

When the so-called “sticky bit” is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other’s files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit.

SBDavid

Increasing PHP security php functions

Increasing PHP security php functions

dl — Loads a PHP extension at runtime
This function is required for loading ionCube on the fly. However if you have a popular sites using ionCube then the better way is to load it from php.ini anyway. Not only because of speed increase, also you would be in control of ionCube versions so you can make sure that they match with your PHP versions.

exec — Execute an external program
This function is required for XCart and spellcheck feature of Horde. There is no good thing about letting this function work. You could perhaps use safe_mode to designate a safebin environment where you let users to execute only the binaries you allow.

fsockopen — Open Internet or Unix domain socket connection
This function is unfortunately required for Virtuemart paypal module. Thus removed from the example above. You can add it if you are sure that it wont break anything in your system.

Next »