Archive for the 'Security' Category

Ensuring secure access to Production Linux Servers

I was amazed to hear from my friend that one of their servers got hacked and the reason may be that their part-time admin set the password of the root user as ‘admin’. Wow!! Can’t believe it! They don't have the right to cry about security attacks as they themselves keep their door open :P

I’ve suggested them some points, as described below, for ensuring secure access to servers. They have 5-6 Linux servers. This obviously may not be the best way and, as always, I’d appreciate it if you can give your suggestions in the comments. My approach is that from 6 servers, we will be able to log in remotely to only 2 servers through key-based access, and from these 2 servers we can access the remaining ones. Here’s what we did:

Here is why GoDaddy sucks in hosting, what about alternative?

Hosting my wordpress blog on GoDaddy was a big mistake. I realized this when one of my regular visitors alerted me that my blog was having suspicious activity. I promptly downloaded all of my blog files to my local system to scan, and that operation took around 2 hours because of the terrible FTP download rate from GoDaddy. Upon looking inside the files, almost all php files had suspicious code and were certainly infected by some malware. I did a clean of each and every file, including a database scan for any malicious records, users etc. (referred to this while cleaning). Uploaded all new files, completely replacing the existing ones. I checked my logs and thought for a while about why such a thing happened. My wordpress version was the latest, I had a strong FTP password, and in fact there were no regular FTP activities from my side. I have a Mac myself. So I didn’t find any reason and forgot that incident.

Disable ssl ver 2 in apache for pci compliance

You need to disable SSL ver 2 and enable SSL ver 3 in Apache for PCI compliance. It's very easy to do. The following settings will enable SSL ver 3 and also disable the older/insecure cipher suites on a Redhat/CentOS/Fedora Linux server:
1. Open /etc/httpd/conf.d/ssl.conf and add these lines, or if they are already there, edit them as follows:

## Disable SSLv2 and enable SSLv3
SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

2. Reload httpd service to apply the new settings:

# /etc/init.d/httpd reload

3. Verify the settings by connecting to SSL ver 3 protocol:

# openssl s_client -connect localhost:443 -ssl3

It should connect. You can also try connecting with SSL ver 2, which should result in an error. Request the PCI test again and it should not complain about Apache SSL-related issues.
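As an added example (not from the original post) of checking this configuration by script rather than by eye, the Python below applies mod_ssl's SSLProtocol token semantics (a bare token sets the list, + adds, - removes, All expands) and reports whether a ssl.conf still leaves SSLv2 enabled or its cipher string lacks !SSLv2. The protocol token list and the sample config are assumptions/constructed, not taken from any particular Apache release.

```python
"""Evaluate Apache mod_ssl SSLProtocol and SSLCipherSuite lines for the SSLv2 rule.
Token semantics follow mod_ssl's directive parser: a bare token SETS the protocol
set, '+' adds to it, '-' removes from it, and 'all' expands to every protocol the
module knows. The token list is an assumption: the 2.2-era names plus TLSv1.1/1.2.
"""
import re

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def enabled_protocols(directive_args):
    """Return the set of protocols mod_ssl would enable for an SSLProtocol line."""
    enabled = set()
    for token in directive_args.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            chosen = set(ALL_PROTOCOLS)
        else:
            chosen = {p for p in ALL_PROTOCOLS if p.lower() == token.lower()}
            if not chosen:
                raise ValueError("unknown SSLProtocol token: %r" % token)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:  # bare token replaces whatever came before it
            enabled = chosen
    return enabled

def audit_ssl_conf(text):
    """Return findings for a ssl.conf body; an empty list means SSLv2 is off."""
    findings = []
    proto_lines = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", text, re.M | re.I)
    if not proto_lines:
        findings.append("no SSLProtocol directive: module default applies, set it")
    for args in proto_lines:
        if "SSLv2" in enabled_protocols(args):
            findings.append("SSLv2 enabled by 'SSLProtocol %s'" % args)
    for spec in re.findall(r"^\s*SSLCipherSuite\s+(\S+)", text, re.M | re.I):
        if "!SSLv2" not in spec.split(":"):
            findings.append("SSLCipherSuite lacks !SSLv2: %s" % spec)
    return findings

# Constructed sample matching the ssl.conf lines recommended in the post.
SAMPLE_CONF = "## Disable SSLv2 and enable SSLv3\nSSLProtocol -All +SSLv3 +TLSv1\n" \
              "SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL\n"

if __name__ == "__main__":
    print(audit_ssl_conf(SAMPLE_CONF) or "OK: SSLv2 disabled")
```

Run it against the real file with `audit_ssl_conf(open("/etc/httpd/conf.d/ssl.conf").read())` before reloading httpd; any returned finding is a line to fix.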

Quickly change your ssh port from default 22 to something higher

In the era of daily brute force attacks, it is advisable to change your ssh port from the default 22 to something higher to lower your chances of being a victim.

I’m using CentOS 5.2 box here but the process should be identical in other RH based distros.

1. Update /etc/ssh/sshd_config file, line 13 (it might be different in your file):

old line:
Port 22
Change it to (any port number you wish):
Port 54545

If you rush and try to restart your ssh service, you may end up getting this error:

Install and configure ntop for network stats, monitoring

ntop is one of the most powerful and easy-to-use tools for viewing and analyzing network traffic statistics.

Here are quick steps to install it on CentOS 5.2 box (upgraded from 5.0 release).

Try to install it the easy way:
# yum install ntop

Most probably yum will fail due to missing dependencies such as the rrdtool package. If this is the case, download and install this package manually:

# cd /usr/src
# wget http://dag.wieers.com/rpm/packages/rrdtool/rrdtool-1.2.23-1.el5.rf.i386.rpm
# rpm -ivh rrdtool-1.2.23-1.el5.rf.i386.rpm --nodeps

I’ve used the --nodeps option in the rpm command to ignore any dependencies. Yum will take care of that; we just need rrdtool for now.
