Archive for the tag 'Security'

WHM News - The Apache security/version table

The News link at the top of the WHM screen provides up-to-date information about your server. The information is divided up into 3 sections:

This table shows selected Apache modules you have installed on your server.

The information is divided into 4 columns:

Module — The module to which the other information in the row pertains. The modules listed are:
    Apache Core — The Apache web server. For more information visit http://httpd.apache.org/.
    mod_ssl — The module that provides SSL cryptography to the Apache web server. For more information visit http://www.modssl.org.
    OpenSSL — A general purpose, open source, cryptographic library for SSL and TLS. For more information visit http://www.openssl.org.
    Passthrough Authentication — Also seen as mod_auth_passthrough. A module that is installed with Apache to allow other programs to use their own authentication methods. cPanel uses it specifically to allow FrontPage® to use its own authentication system.
    Bandwidth Limiter — Also seen as mod_bwlimited. The module that is installed with WHM and cPanel that allows you to limit your users’ bandwidth usage.
    FrontPage® — The FrontPage extensions that are installed with WHM and cPanel.
Latest Version — The newest version of the corresponding module that is available.
Installed Version — The version of the module that is currently installed on your server.
Status — Shows whether or not the corresponding module is considered secure.

Reference: http://cpanel.net

SBDavid

xinetd Services & security errata

Services controlled by the xinetd super service only run when there is an active connection. Examples of services controlled by xinetd include Telnet, IMAP, and POP3.

Because xinetd launches a new instance of such a service each time a request is received, connections that occur after an upgrade are handled by the updated software. However, any connections that are already active when an xinetd-controlled service is upgraded continue to be serviced by the older version of the software.

To kill off the older instances of a particular xinetd-controlled service, upgrade the package for the service and then halt all of its processes that are currently running. To determine whether the process is running, use the ps command, and then use the kill or killall command to halt the current instances of the service.

For example, if security errata packages for imap are released, upgrade the packages and then type the following command as root at a shell prompt:

ps aux | grep imap

This command returns all active IMAP sessions. Individual sessions can then be terminated by issuing the following command:

kill [ PID ]

If this fails to terminate the session, use the following command instead:

kill -9 [ PID ]

SBDavid
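The procedure in the post above, as an added shell example that is not part of the original post: it picks the service's PIDs out of a ps listing by command name (so the grep process is never matched), identifies which of them are still running the pre-upgrade binary, and escalates from kill to kill -9 only when the first signal is not enough. It assumes Linux with /proc and a procps-style ps aux; the process listing embedded below is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post: find the instances of an
# xinetd-spawned service after a package upgrade and stop them, skipping the
# "grep" process that `ps aux | grep imap` matches and escalating from TERM to
# KILL only when needed. Assumes Linux with /proc and procps-style `ps aux`.
# The listing below is a constructed sample standing in for live `ps aux` output.
SAMPLE_PS='USER     PID %CPU %MEM  VSZ  RSS TTY   STAT START TIME COMMAND
root     812  0.0  0.1 2300  900 ?     Ss   10:01 0:00 xinetd -stayalive
root    1540  0.0  0.2 5100 1800 ?     S    10:15 0:00 imapd
dovecot 1602  0.0  0.2 5100 1800 ?     S    10:20 0:00 imapd
root    1777  0.0  0.0 1900  600 pts/0 S+   10:30 0:00 grep imap'

# pids_of LISTING NAME: print the PIDs whose command name (11th column) is
# exactly NAME, so the `grep imap` line is never mistaken for a session.
pids_of() {
    printf '%s\n' "$1" | awk -v name="$2" 'NR > 1 && $11 == name { print $2 }'
}

# stale_pids PID...: print those PIDs still running a binary that was replaced
# on disk after they started; the package manager unlinks the old file, so
# /proc/PID/exe then resolves to a path ending in " (deleted)".
stale_pids() {
    for pid in "$@"; do
        case "$(readlink "/proc/$pid/exe" 2>/dev/null)" in
            *' (deleted)') echo "$pid" ;;
        esac
    done
}

# terminate_pid PID: send SIGTERM, wait up to 5 seconds for a clean exit, then
# fall back to SIGKILL as the post describes. Returns 0 once the process is gone.
terminate_pid() {
    kill "$1" 2>/dev/null || return 0          # already gone
    i=0
    while kill -0 "$1" 2>/dev/null && [ "$i" -lt 5 ]; do
        sleep 1
        i=$((i + 1))
    done
    kill -0 "$1" 2>/dev/null && kill -9 "$1" 2>/dev/null
    ! kill -0 "$1" 2>/dev/null
}

# Live use after upgrading the imap package (not run here):
#   for pid in $(stale_pids $(pids_of "$(ps aux)" imapd)); do terminate_pid "$pid"; done
```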

Security Tools Nessus and Nikto

Nessus

The official website is at the following URL: http://www.nessus.org/

Nessus is a full-service security scanner. The plug-in architecture of Nessus allows users to customize it for their systems and networks. As with any scanner, Nessus is only as good as the signature database it relies upon. Fortunately, Nessus is frequently updated and features full reporting, host scanning, and real-time vulnerability searches. Remember that there could be false positives and false negatives, even in a tool as powerful and as frequently updated as Nessus.

Nikto

Nikto can be found at the following URL: http://cirt.net/nikto2

Nikto is an excellent common gateway interface (CGI) script scanner. Nikto not only checks for CGI vulnerabilities but does so in an evasive manner, so as to elude intrusion detection systems.

If you have Web servers serving up CGI scripts, Nikto can be an excellent resource for checking the security of these servers.

Apache Security: Hide Apache Web Server Version number

Hiding the Apache Web Server version number with the ServerSignature and ServerTokens directives

Open your httpd.conf file using a text editor such as vi:

vi httpd.conf

There are two config directives that control what Apache reveals about its version. The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to on by default. The ServerTokens directive controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

Append or modify the config directives as follows:

ServerSignature Off
ServerTokens Prod

Save and close the file. Restart Apache web server:

/etc/init.d/httpd restart
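After the restart it is worth confirming that the two directives took effect. The following is an added shell check, not part of the original post: it reads the Server header (what ServerTokens controls) and looks for the address footer that ServerSignature appends to error pages. The two responses are constructed samples; live use would feed in the output of curl -si against the server (curl assumed installed).

```shell
#!/bin/sh
# Added example, not part of the original post: after restarting Apache, check
# what a response still reveals. Looks at the Server header (ServerTokens) and
# at the <address> footer that ServerSignature appends to error pages. The two
# responses are constructed samples; live use would feed in
# `curl -si http://localhost/no-such-page` (curl assumed installed).
FULL_RESPONSE='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.2.3 (CentOS) mod_ssl/2.2.3 OpenSSL/0.9.8e
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<address>Apache/2.2.3 (CentOS) Server at www.example.com Port 80</address>
</body></html>'

PROD_RESPONSE='HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1></body></html>'

# server_header RESPONSE: print the value of the Server header, reading only
# the header block (everything before the first blank line); empty if absent.
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^[[:space:]]*$/ { exit }
        tolower($1) == "server:" { sub(/^[^:]*:[[:space:]]*/, ""); print; exit }'
}

# reveals_server_info RESPONSE: return 0 (true) when the response still leaks
# more than the bare product name: a version or OS token in the Server header
# (anything other than ServerTokens Prod), or a ServerSignature footer.
reveals_server_info() {
    case "$(server_header "$1")" in
        */*|*\(*) return 0 ;;      # "Apache/2.2.3", "(CentOS)", "mod_ssl/..."
    esac
    printf '%s\n' "$1" | grep -qi '<address>.* Server at ' && return 0
    return 1
}
```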

Using find Command for security check

The ‘find’ command is usually used to locate files whose names match specific patterns. However, we can also use it to find files that were modified or accessed within a specific time period.

For example we can find all files in /etc owned by root that have been modified within the last 2 days:

find /etc -user root -mtime -2

The options we can use here are:

-atime: when the file was last accessed
-ctime: when the file’s permissions were last changed
-mtime: when the file’s data was last modified

You may have noticed that we have a minus sign in front of ‘2’ in the last example. The ‘time’ options for the find command are expressed in 24-hour increments, and the sign in front of the number indicates ‘less than’ or ‘greater than’. Thus ‘-2’ means we want to find files that were modified within the last two days. If we wanted to find files that were modified more than 2 days ago, we would put a plus sign in front of the 2:

find /etc -user root -mtime +2

There are also versions of the atime, ctime, and mtime arguments that measure time in minutes:

-amin: when (in minutes) the file was last accessed
-cmin: when (in minutes) the file’s permissions were last changed
-mmin: when (in minutes) the file’s data was last modified

To match -atime +1, a file has to have been accessed at least two days ago: find discards any fractional part when it converts a file's age into 24-hour periods, so a file accessed 47 hours ago counts as 1 day old and does not satisfy +1. More examples are in the find man pages.
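The sign and truncation rules above, demonstrated with files of known age. This is an added example, not part of the original post; it assumes GNU coreutils and findutils (touch -d with an @SECONDS timestamp) and creates its own scratch directory, so it does not need the -user root audit from the post to reproduce.

```shell
#!/bin/sh
# Added example, not part of the original post: build a scratch directory with
# files of known ages and show how the sign on -mtime/-mmin and the
# day-truncation rule behave (a file 30 hours old counts as 1 day old, so it
# matches -mtime -2 and -mtime +0 but not -mtime +1). Assumes GNU coreutils
# and findutils (touch -d "@SECONDS"); directory and files are created here.
make_scratch() {
    dir=$(mktemp -d)
    now=$(date +%s)
    touch "$dir/fresh"                                  # modified just now
    touch -d "@$((now - 30 * 3600))" "$dir/yesterday"   # 30 hours ago
    touch -d "@$((now - 3 * 86400))" "$dir/old"         # 3 days ago
    echo "$dir"
}

# modified_matching DIR "TEST N": sorted, space-separated names of regular
# files under DIR that satisfy the given time test, e.g. "-mtime -2".
modified_matching() {
    find "$1" -type f $2 | sed 's#.*/##' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Print each test beside the files it selects, then clean up.
d=$(make_scratch)
for t in "-mtime -2" "-mtime +0" "-mtime +1" "-mmin -60"; do
    printf '%-10s -> %s\n' "$t" "$(modified_matching "$d" "$t")"
done
rm -rf "$d"
```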
