Archive for the tag 'server'

Security Checks During Server Compromise

We can use a few techniques and tools to investigate a server when we suspect it has been compromised.

Servers get compromised as a result of various factors: weak passwords, weak iptables rules, older versions of software with known exploits, and more.

The command below helps you check for any "backdoors" (unexpected listening ports or established connections) which have been opened on your server.

# netstat -an

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 117.214.112.13:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:3128 192.168.1.2:53704 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53705 ESTABLISHED
tcp 0 0 192.168.1.1:22 192.168.1.2:33097 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53703 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53702 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:35523 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
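Reading a netstat listing by eye does not scale, so the check is usually scripted: extract the listening ports and compare them against a baseline of services the host is supposed to run. The following is an added example (not from the original post); the netstat text and the EXPECTED_PORTS baseline are constructed for the demonstration, and port 5555 stands in for a listener nobody installed on purpose.

```shell
# Constructed netstat -an output (not a capture from the page's host), used as input.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.2:33097       ESTABLISHED
tcp6       0      0 :::53                   :::*                    LISTEN
tcp6       0      0 ::1:953                 :::*                    LISTEN'

# Hypothetical baseline: ports this host is expected to listen on (DNS, SSH,
# rndc, squid). Build it from a known-good host, not from the suspect one.
EXPECTED_PORTS='22 53 953 3128'

# listening_ports: read netstat -an text on stdin, print each listening port once.
# The port is whatever follows the last ':' of the local address, which also
# works for IPv6 forms such as ':::53' and '::1:953'.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# unexpected_listeners: print listening ports that are not in the baseline.
# $1 = space-separated baseline, stdin = netstat -an text.
unexpected_listeners() {
    baseline="$1"
    listening_ports | while read -r port; do
        case " $baseline " in
            *" $port "*) ;;                  # expected service, ignore
            *) printf '%s\n' "$port" ;;      # not in the baseline: investigate
        esac
    done
}

# Stand-alone demo on the constructed sample; on a live host use:
#   netstat -an | unexpected_listeners "$EXPECTED_PORTS"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_PORTS"
```

One caveat: if a rootkit has replaced netstat or lsof, their output cannot be trusted. Cross-check the listening ports from a second source, for example the raw /proc/net/tcp table or a port scan of the host run from another, clean machine.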

Sniff for any connections to a particular port using tcpdump:

# tcpdump -v src port 3128

07:58:07.756470 IP (tos 0x0, ttl 64, id 20876, offset 0, flags [DF], proto TCP (6), length 52) laptop.ss.com.3128 > dell.local.36737: ., cksum 0x130f (correct), ack 3466497798 win 482
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel

With the src port 3128 filter this captures every packet sent from port 3128 (here the proxy's replies, as the sample line shows); use dst port 3128 to capture packets sent to that port, or simply port 3128 for both directions.

To list all the open IP sockets associated with your SSH server run the following command:

# lsof -i:22

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2701 root 3u IPv4 7109 TCP laptop.ss.com:ssh (LISTEN)
sshd 3891 root 3r IPv4 12124 TCP laptop.ss.com:ssh->dell.local:33097 (ESTABLISHED)

lsof can also display all the files opened by processes running as a particular user:

# lsof -u [username]

More examples can be found in the man page for lsof.

OpenLDAP server daemon slapd Installation in Ubuntu

First, install the OpenLDAP server daemon slapd and ldap-utils, a package containing LDAP management utilities:

sudo apt-get install slapd ldap-utils

By default slapd is configured with only the minimal options needed to run the daemon.

The configuration example in the following sections will match the domain name of the server. For example, if the machine’s Fully Qualified Domain Name (FQDN) is ldap.example.com, the default suffix will be dc=example,dc=com.

Populating LDAP

OpenLDAP uses a separate directory which contains the cn=config Directory Information Tree (DIT). The cn=config DIT is used to dynamically configure the slapd daemon, allowing the modification of schema definitions, indexes, ACLs, etc without stopping the service.

Checking your outgoing mail server (Is Port 25 blocked?)

Many email clients and services use port 25 for SMTP to send out emails. However, an ISP (Internet Service Provider) may block port 25 in order to prevent spamming by its customers. Here is how you can check to see if port 25 is blocked on your network.

1. Type the following command:

telnet serverbuddies.com 25

2. View Results:
If port 25 is not blocked you will get a successful 220 response (text may vary).

telnet serverbuddies.com 25
Trying 67.228.43.85...
Connected to serverbuddies.com.
Escape character is '^]'.
220-box.serverbuddies.com ESMTP Exim 4.69 #1 Mon, 07 Jun 2010 02:23:15 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

If port 25 is blocked you will get a connection error or no response at all.

Trying 67.228.43.85...
telnet: connect to address 67.228.43.85: Connection refused
telnet: Unable to connect to remote host

How to determine system log settings for a Linux server?

Usually the /var/log/messages file is used for the regular system messages.

It is possible to find which place is used by a Linux system for logging from the /etc/syslog.conf or /etc/rsyslog.conf configuration files:

# cat /etc/syslog.conf

or

# cat /etc/rsyslog.conf

SBDavid
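Reading the configuration file tells you which file a given kind of message ends up in, but the classic selector syntax (facility lists, the "*" wildcard, and ".none" exclusions) takes a moment to evaluate by hand. The following is an added example, not part of the original post: a small awk-based lookup that answers "where do messages from facility X go?" for a constructed rsyslog.conf fragment (the paths and the loghost.example.net forwarder are invented for the demonstration).

```shell
# Constructed /etc/rsyslog.conf fragment (not the page's file). Each rule is
# "facility.priority[;facility.priority...]   action"; a leading '-' on a file
# action means buffered writes, '@host' forwards over the network.
SAMPLE_RSYSLOG='# rules
$ModLoad imuxsock
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
mail.*                          -/var/log/mail.log
mail.err                        /var/log/mail.err
*.emerg                         :omusrmsg:*
kern.*                          @loghost.example.net:514'

# log_targets: read rsyslog/syslog rules on stdin and print "selector<TAB>action"
# for every rule that can receive messages from facility $1. A rule matches when
# one of its selectors names the facility (or "*") and none of them names the
# facility with priority "none", which is how "auth,authpriv.none" keeps auth
# messages out of /var/log/syslog.
log_targets() {
    awk -v fac="$1" '
        $1 ~ /^[#$]/ || NF < 2 { next }          # comments, directives, blank lines
        {
            include = 0; exclude = 0
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) {
                dot = index(sel[i], ".")
                if (dot == 0) continue           # not a facility.priority selector
                m = split(substr(sel[i], 1, dot - 1), facs, ",")
                pri = substr(sel[i], dot + 1)
                for (j = 1; j <= m; j++) {
                    if (facs[j] == fac && pri == "none") exclude = 1
                    else if (facs[j] == fac || facs[j] == "*") include = 1
                }
            }
            if (include && !exclude) print $1 "\t" $2
        }'
}

# Stand-alone demo; on a real host use: log_targets auth < /etc/rsyslog.conf
printf '%s\n' "$SAMPLE_RSYSLOG" | log_targets auth
```

The lookup only understands the classic selector lines; rules written in rsyslog's newer RainerScript syntax (if ... then ...) and anything pulled in via $IncludeConfig /etc/rsyslog.d/*.conf have to be checked separately. When investigating a compromise, the useful part is the action column: a rule that forwards to @loghost means a copy of the log exists off the box, where an intruder who edited /var/log cannot reach it.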

Managing an Exim 4 server

Remove a mail by its message ID.

/usr/sbin/exim -v -Mrm (MAIL ID HERE)

List queued mails.

/usr/sbin/exim -bp

Output the number of queued mails.

/usr/sbin/exim -bpc

Delete frozen mails.

/usr/sbin/exim -bp | awk '$6 ~ "frozen" { print $3 }' | xargs exim -Mrm

Force a delivery attempt for all queued mails, including frozen ones (-qff).

/usr/sbin/exim -qff -v -C /etc/exim.conf &

Freeze mails from a given sender.

/usr/sbin/exiqgrep -i -f (MAIL ADDRESS HERE) | xargs exim -Mf

Remove mails from a given sender.

/usr/sbin/exiqgrep -i -f (MAIL ADDRESS HERE) | xargs exim -Mrm

Files in /var/spool/exim/msglog contain logging information for each message and are named the same as the message-id.

Exim includes a utility that is quite nice for grepping through the queue, called exiqgrep.
http://www.exim.org/exim-html-4.50/doc/html/spec_49.html#IX2895
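The one-liners above pipe message IDs straight into exim -Mrm or -Mf, which is convenient but leaves no chance to review what is about to be deleted. The following is an added example (not the post's or Exim's own code) that works the same selection logic over a constructed exim -bp listing: the frozen filter is the same field test as the post's awk command, sender_ids is a simplified exact-match stand-in for exiqgrep -i -f (which takes a regex), and build_exim_cmd prints the command instead of running it so the selection can be checked first. The message IDs and addresses are invented.

```shell
# Constructed 'exim -bp' output (not a real queue): age, size, message ID,
# envelope sender, and the '*** frozen ***' marker, then an indented recipient line.
SAMPLE_QUEUE=' 25m  2.1K 1aBcDe-000123-Ab <bulk@sender.example> *** frozen ***
          alice@example.com

  3m   12K 1aBcDf-000124-Cd <bob@example.net>
          carol@example.org

 41m  1.5K 1aBcDg-000125-Ef <bulk@sender.example> *** frozen ***
          dave@example.com
'

# frozen_ids: message IDs of frozen messages (the same field test as the
# post's one-liner: field 6 is "frozen" only on a frozen header line,
# recipient lines have a single field and never match).
frozen_ids() {
    awk '$6 ~ "frozen" { print $3 }'
}

# sender_ids: message IDs whose envelope sender is exactly $1. A simplified
# stand-in for 'exiqgrep -i -f', which matches the sender with a regex.
sender_ids() {
    awk -v want="<$1>" '$4 == want { print $3 }'
}

# build_exim_cmd: print the exim command that would act on the IDs read from
# stdin, instead of running it, so the selection can be reviewed first.
# $1 is the action flag: -Mrm (remove), -Mf (freeze) or -Mt (thaw).
build_exim_cmd() {
    ids=$(tr '\n' ' ')
    ids=${ids% }
    [ -n "$ids" ] || return 1          # nothing selected: no command to run
    printf 'exim %s %s\n' "$1" "$ids"
}

# Stand-alone demo on the constructed queue; on a live server replace the
# printf with '/usr/sbin/exim -bp' and, once happy, build_exim_cmd with 'xargs exim -Mrm'.
printf '%s\n' "$SAMPLE_QUEUE" | frozen_ids | build_exim_cmd -Mrm
printf '%s\n' "$SAMPLE_QUEUE" | sender_ids bob@example.net | build_exim_cmd -Mf
```

Returning a non-zero status when nothing matched matters in practice: a plain xargs exim -Mrm with an empty selection simply does nothing, so a typo in the sender address goes unnoticed, whereas here the script fails visibly.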

Reference: http://www.exim.org/
