Security Checks During Server Compromise

We can use a few standard tools to investigate a server when we suspect it has been compromised.

Servers are compromised through various weaknesses: weak passwords, permissive iptables rules, outdated software with known exploits, and more.

The command below lists every socket on the server and helps you spot “backdoors” that have been opened: any LISTEN entry on a port you do not recognise deserves a closer look.

# netstat -an

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 117.214.112.13:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:3128 192.168.1.2:53704 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53705 ESTABLISHED
tcp 0 0 192.168.1.1:22 192.168.1.2:33097 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53703 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53702 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:35523 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN

Sniff for connections on a particular port using tcpdump:

# tcpdump -v src port 3128

07:58:07.756470 IP (tos 0x0, ttl 64, id 20876, offset 0, flags [DF], proto TCP (6), length 52) laptop.ss.com.3128 > dell.local.36737: ., cksum 0x130f (correct), ack 3466497798 win 482
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel

This captures every packet whose source port is 3128, as the output above shows (laptop.ss.com.3128 is the sending side); use dst port 3128 to capture the opposite direction.

To list all the open IP sockets associated with your SSH server run the following command:

# lsof -i:22

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2701 root 3u IPv4 7109 TCP laptop.ss.com:ssh (LISTEN)
sshd 3891 root 3r IPv4 12124 TCP laptop.ss.com:ssh->dell.local:33097 (ESTABLISHED)

lsof can also list every open file, grouped by process, belonging to a particular user:

# lsof -u [username]

More examples can be found in the man page for lsof.
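Reading a long netstat listing by eye is error-prone, so here is an added example (not part of the original post) that runs netstat -an output through a baseline of expected ports and prints any LISTEN socket outside it. The baseline and the sample listing are assumptions constructed from the output above.

```shell
#!/bin/sh
# Added example, not from the original post: flag LISTEN sockets that are not
# in a per-host baseline, so a new listener (a possible backdoor) stands out.

# Ports this host is expected to listen on. Assumed baseline taken from the
# listing above (DNS, SSH, rndc, squid); adjust it per server.
EXPECTED_PORTS="22 53 953 3128"

# unexpected_listeners: reads `netstat -an` output on stdin and prints every
# LISTEN socket whose local port is not in EXPECTED_PORTS. Returns 1 if any
# such socket was found, 0 otherwise. Header lines never carry LISTEN in the
# sixth field, so they fall through the filter; UDP sockets have no state and
# are not covered by this check.
unexpected_listeners() {
    found=0
    while read -r proto recvq sendq laddr faddr state; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}          # works for 0.0.0.0:22, 127.0.0.1:953 and :::53
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;
            *) printf 'UNEXPECTED %s %s\n' "$proto" "$laddr"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample in the `netstat -an` format shown above, with one extra
# listener on port 4444 that is not in the baseline.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 192.168.1.2:33097 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN'

# On a live host replace the sample with:  netstat -an | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners || echo "review the sockets listed above"
```

Keep the baseline under version control alongside the firewall rules; a listener that is legitimately added should be added there in the same change.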

SBDavid

BIND Security

BIND supports a number of different methods to protect the updating and transfer of zones, on both master and slave nameservers:

DNSSEC — Short for DNS SECurity, this feature allows for zones to be cryptographically signed with a zone key.
In this way, the information about a specific zone can be verified as coming from a nameserver that has signed it with a particular private key, as long as the recipient has that nameserver’s public key.

BIND version 9 also supports the SIG(0) public/private key method of message authentication.

TSIG — Short for Transaction SIGnatures, a shared secret key exists on the master and slave server, verifying that a transfer from master to slave is authorized.
This feature strengthens the standard IP address-based method of transfer authorization. An attacker would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.

BIND version 9 also supports TKEY, which is another shared secret key method of authorizing zone transfers.

Apache Security Tips - Permissions on ServerRoot Directories

In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs

It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:

cp httpd /usr/local/apache/bin
chown 0 /usr/local/apache/bin/httpd
chgrp 0 /usr/local/apache/bin/httpd
chmod 511 /usr/local/apache/bin/httpd

You can create an htdocs subdirectory which is modifiable by other users — since root never executes any files out of there, and shouldn’t be creating files in there.
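The ownership and mode requirements above are easy to get right at install time and easy to lose later (a package upgrade, a helpful chgrp). This added audit script, not part of the Apache documentation, checks a ServerRoot tree and its parent directories for anything not owned by root or writable by group or others; the OWNER parameter is an assumption added so the check can be exercised on a non-root test tree.

```shell
#!/bin/sh
# Added example (not from the Apache docs): audit a ServerRoot the way the text
# above requires. Everything under it must be owned by root and writable by
# root only, and the parent directories up to / must be as well.

# check_tree DIR [OWNER]: print every path under DIR (DIR included) that is not
# owned by OWNER (default root) or is writable by group or others. Returns 1
# if anything is printed, 0 when the tree is clean.
check_tree() {
    dir=$1
    owner=${2:-root}   # OWNER is an added knob so the check can run on a test tree
    bad=$(find "$dir" \( ! -user "$owner" -o -perm -002 -o -perm -020 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_parents DIR [OWNER]: apply the same test to each ancestor of DIR
# (for /usr/local/apache that is /usr/local and /usr), which the text assumes
# are root-only but which is rarely verified.
check_parents() {
    p=$(cd "$1" && pwd -P) || return 2
    owner=${2:-root}
    rc=0
    while [ "$p" != "/" ]; do
        p=$(dirname "$p")
        # -prune stops find from descending, so only the ancestor itself is tested
        bad=$(find "$p" -prune \( ! -user "$owner" -o -perm -002 -o -perm -020 \) -print)
        if [ -n "$bad" ]; then printf '%s\n' "$bad"; rc=1; fi
    done
    return $rc
}

# Usage on a live system, before starting httpd:
#   check_tree /usr/local/apache && check_parents /usr/local/apache || echo "fix permissions first"
```

Run it from cron or a config-management check so that drift is caught before the next restart, not after.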

SBDavid

SSH Security On cPanel Servers

1. Change SSH port number.

Edit your SSH daemon configuration file, /etc/ssh/sshd_config, and add or replace the Port line with the port you want sshd to listen on (the default, 22, is shown below):

# What ports, IPs and protocols we listen for
Port 22

2. Allow only the IPs that should have access to SSH through your firewall.

# accept SSH from the trusted address, then drop SSH from everyone else
iptables -A INPUT -i eth0 -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP

3. Use a utility like BFD, BlockHosts and DenyHosts

denyhosts - a utility to help system admins thwart ssh crackers

4. Use iptables to limit the rate of incoming connections to SSH.

# the --set rule records each new connection; inserted first so it ends up below the --update rule
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This will limit incoming connections to port 22 to no more than 3 attempts in a minute. Any more will be dropped.

How to get info about threads and security

To get info about threads:

ps -eLf
ps axms

To get security info:

ps -eo euser,ruser,suser,fuser,f,comm,label
ps axZ
ps -eM
