Wednesday, February 11, 2009

Fail2ban Installation guide :Prevent automated SSH attacks

Reference: http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

##Manual Installation

# Download Fail2ban from http://www.fail2ban.org/wiki/index.php/Downloads

cd /tmp
wget http://nchc.dl.sourceforge.net/sourceforge/fail2ban/fail2ban-0.8.3.tar.bz2

tar jxvf fail2ban-0.8.3.tar.bz2
rm -rf /tmp/fail2ban-0.8.3.tar.bz2
cd fail2ban-0.8.3

./setup.py install

cd /tmp/fail2ban-0.8.3/files

cp -a redhat-initd /etc/init.d/fail2ban

cd /etc/init.d/

chown root.root fail2ban

chmod 755 fail2ban

/sbin/chkconfig --add fail2ban

/sbin/chkconfig fail2ban on

cd /etc/fail2ban

cp -a jail.conf jail.conf.orig

vi /etc/fail2ban/jail.conf

Edit values as follows
##########
# Put space separated list of IPs you want to ignore
ignoreip = x.x.x.x



[ssh-iptables]

#enabled = false
enabled = true
filter = sshd
#action = iptables[name=SSH, port=ssh, protocol=tcp]
#         sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=admin@yourdomain.com, sender=fail2ban@mail.com]
#logpath = /var/log/sshd.log
logpath = /var/log/secure
#maxretry = 5
maxretry = 3

############
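The jail above bans a source after `maxretry` failed logins seen in `logpath`. The following is an added example (not from the fail2ban project or the original post) that reproduces that detection logic over a few constructed `/var/log/secure` lines, so you can see which addresses a given `maxretry` would catch and confirm that an `ignoreip` entry is honoured before you turn the jail on. Function names, the sample lines and the threshold argument are this example's own.

```shell
#!/bin/sh
# Added example: count failed sshd password attempts per source IP in
# /var/log/secure-style lines and report the ones at or above a threshold,
# the same condition fail2ban's sshd filter + maxretry acts on.
# The log lines below are constructed for this example.

SAMPLE_LOG='Feb 11 10:01:02 host sshd[2101]: Failed password for root from 192.0.2.10 port 40122 ssh2
Feb 11 10:01:05 host sshd[2101]: Failed password for root from 192.0.2.10 port 40123 ssh2
Feb 11 10:01:09 host sshd[2104]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Feb 11 10:01:12 host sshd[2104]: Failed password for invalid user admin from 192.0.2.10 port 40131 ssh2
Feb 11 10:02:00 host sshd[2110]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Feb 11 10:02:30 host sshd[2112]: Accepted password for bob from 198.51.100.7 port 51001 ssh2
Feb 11 10:03:00 host sshd[2120]: Failed password for alice from 203.0.113.5 port 33001 ssh2
Feb 11 10:03:04 host sshd[2120]: Failed password for alice from 203.0.113.5 port 33002 ssh2'

# failed_ssh_by_ip THRESHOLD   (log lines on stdin)
# Prints "count ip" for every source IP with >= THRESHOLD failures, highest first.
failed_ssh_by_ip() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the token after "from" is the source address
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# is_ignored IP "ip1 ip2 ..."  -> exit 0 if IP is in the space-separated list
# (mirrors what fail2ban does with ignoreip before it bans anything)
is_ignored() {
    ip="$1"; list="$2"
    for x in $list; do
        [ "$x" = "$ip" ] && return 0
    done
    return 1
}

# ban_candidates THRESHOLD "ignore list"   (log lines on stdin)
# IPs over the threshold that are not on the ignore list, one per line.
ban_candidates() {
    threshold="$1"; ignore="$2"
    failed_ssh_by_ip "$threshold" | while read -r count ip; do
        is_ignored "$ip" "$ignore" || echo "$ip"
    done
}

# On a real host:  ban_candidates 3 "x.x.x.x" < /var/log/secure
```

Run it with the sample data (`printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 ""`) and only `192.0.2.10` comes back; lowering the threshold to 2 also picks up `203.0.113.5`, which is the kind of trade-off `maxretry = 3` versus the default 5 represents. Note that the accepted login from `198.51.100.7` is never counted, which is why the filter keys on the `Failed password` line and not on the address alone.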

Edit the Shorewall configuration (if you are using one) as follows

vi /etc/shorewall/shorewall.conf
#########
#BLACKLISTNEWONLY=Yes
BLACKLISTNEWONLY=No
##########

cd /etc/fail2ban

chown root.root fail2ban.conf
chmod 644 fail2ban.conf

# Log rotation of Fail2ban Logs

cd /etc/logrotate.d

vi fail2ban

###
/var/log/fail2ban.log {
missingok
notifempty
copytruncate
}
###

chown root.root fail2ban
chmod 644 fail2ban

/etc/rc.d/init.d/fail2ban start

# Check fail2ban.log for any errors

tail -f /var/log/fail2ban.log

rm -rf /tmp/fail2ban-0.8.3

Saturday, January 03, 2009

Clam Antivirus & SpamAssassin Setup on Qmail

Reference:http://qmailrocks.org/clamspam_rh.htm

# Install the following Perl Modules using Cpan

Digest::SHA1
Digest::HMAC
Net::DNS
Time::HiRes
HTML::Tagset
HTML::Parser
Pod::Usage
Parse::Syslog
Statistics::Distributions


yum install perl-suidperl
yum install unzip
yum install gmp-devel
#Installing ClamAv ( http://www.clamav.net/ )

yum install clamav-devel


/usr/sbin/useradd -c "Qmail-Scanner Account" -s /bin/false qscand

#Installing Clamav Manually

/usr/sbin/useradd -c "Qmail-Scanner Account" -s /bin/false qscand

cd /tmp
wget http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.90.tar.gz
tar zxvf clamav-0.90.tar.gz

cd clamav-0.90

./configure --with-user=qscand --with-group=qscand
make
make install


vi /usr/local/etc/clamd.conf

"Example" - should already be commented out. However, if it is not, make sure that it is commented out (#)
"LogFile" - should be set to /var/log/clamd.log
"User" - should be set to qscand
"PidFile" - should be set to /var/run/clamd.pid
LogTime 1
FixStaleSocket 1
ScanMail 1
LogSyslog 1

cd /var/run/
touch clamd.pid
chown qscand clamd.pid

cp -a /tmp/clamav-0.90/contrib/init/RedHat/clamd /etc/init.d/

chown root.root /etc/rc.d/init.d/clamd

/sbin/chkconfig clamd on

vi /usr/local/etc/freshclam.conf

#Make the necessary changes in the conf file

touch /var/log/freshclam.log

cd /var/log/

chown qscand.root freshclam.log
chown qscand.root clamd.log
cd /usr/local/share/

#chown clamav.qscand clamav (no clamav user)

chown qscand.qscand clamav
/usr/local/bin/freshclam

crontab -e

00 00 * * * /usr/local/bin/freshclam

cd /etc/logrotate.d/

vi clamd

#
# Rotate Clam AV daemon log file
#

/var/log/clamd.log {
missingok
create 640 root qscand
postrotate
/bin/kill -HUP `cat /var/run/clamd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

chown root.root clamd
chmod 644 clamd

/etc/rc.d/init.d/clamd start

#Installing SpamAssassin

#Using cpan install the following Perl Module

install Mail::SpamAssassin

yum install spamassassin

/usr/sbin/groupadd spamd

# -d sets the home directory (the path spamd's -H option below points at)
/usr/sbin/useradd -g spamd -d /home/spamd spamd

vi /etc/sysconfig/spamassassin

If the above file exists, replace its contents with the following line. If the file does not exist, create it and add the following line:

SPAMDOPTIONS="-x -u spamd -H /home/spamd -d"

vi /etc/mail/spamassassin/local.cf

Add the following line...

required_hits 5


/etc/rc.d/init.d/spamassassin start
/sbin/chkconfig spamassassin on


# If you encounter the following errors in /var/log/maillog

###########
Jan 14 03:59:49 66-226-73-100 spamd[27442]: Failed to run __ENV_AND_HDR_FROM_MATCH SpamAssassin test, skipping: (Can't locate object method "check_for_matching_env_and_hdr_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/vendor_perl/5.8.6/Mail/SpamAssassin/PerMsgStatus.pm line 2341, line 193.)
Jan 14 03:59:49 66-226-73-100 spamd[27442]: Failed to run USER_IN_DEF_SPF_WL SpamAssassin test, skipping: (Can't locate object method "check_for_def_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/vendor_perl/5.8.6/Mail/SpamAssassin/PerMsgStatus.pm line 2341, line 193.)
Jan 14 03:59:49 66-226-73-100 spamd[27442]: Failed to run USER_IN_SPF_WHITELIST SpamAssassin test, skipping: (Can't locate object method "check_for_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/vendor_perl/5.8.6/Mail/SpamAssassin/PerMsgStatus.pm line 2341, line 193.)
##########

# then do the following

cp -a /etc/mail/spamassassin/init.pre /etc/mail/spamassassin/init.pre.orig

vi /etc/mail/spamassassin/init.pre
# Comment out this line
#loadplugin Mail::SpamAssassin::Plugin::SPF


# Update spamassassin every night by setting up a cronjob

cpan
install LWP::UserAgent

yum install gnupg

# Please check the update by running /usr/bin/sa-update manually to ensure no errors are encountered
crontab -e

00 1 * * * /usr/bin/sa-update && /sbin/service spamassassin restart
ps aux | grep spamd

#You should see the following info concerning spamassassin. The PID might differ on your system, but you get the idea.

#spamd 3734 0.2 2.0 24992 20808 ? S 14:21 0:01 /usr/bin/spamd -x -u spamd -H /home/spamd -d

setup

#Once in the setup menu, scroll down and select the "system services" option. From the system services menu, scroll down to "clamd".


#Installing Qmail Scanner (http://qmail-scanner.sourceforge.net/) and Qmail analog ( http://www.qms-analog.teel.ws/ )

cd /tmp

wget http://kent.dl.sourceforge.net/sourceforge/qms-analog/qms-analog-0.4.4.tar.gz

tar zxvf qms-analog-0.4.4.tar.gz

cd qms-analog-0.4.4

make all

cd /tmp

wget http://kent.dl.sourceforge.net/sourceforge/qmail-scanner/qmail-scanner-2.01.tgz

tar zxvf qmail-scanner-2.01.tgz


# Download the Qmail-Scanner-2.01st (st patch) patch from http://toribio.apollinare.org/qmail-scanner/

cd /tmp

wget http://toribio.apollinare.org/qmail-scanner/download/q-s-2.01st-20070204.patch.gz

gunzip q-s-2.01st-20070204.patch.gz

cp -a q-s-2.01st-20070204.patch /tmp/qmail-scanner-2.01

cd /tmp/qmail-scanner-2.01

patch -p1 < q-s-2.01st-20070204.patch

# The qmail-scanner configure/install commands that followed here and the head of the
# /usr/local/sbin/subscribeIMAP.sh script did not survive on this page; only the tail of
# the script is preserved below. See the qmailrocks reference above for the full versions.

vi /usr/local/sbin/subscribeIMAP.sh
#######
# ... (beginning of script not preserved) ...
    fi
else
    # the file does not exist so we define the full list
    # and then create the file.
    FULL="INBOX\nINBOX.Sent\nINBOX.Trash\nINBOX.Drafts\nINBOX.$1"

    echo -e $FULL > $LIST
    /bin/chown vpopmail:vchkpw $LIST
    /bin/chmod 644 $LIST
fi
#######

chmod 755 /usr/local/sbin/subscribeIMAP.sh

qmailctl stop
qmailctl start
qmailctl stat

In case of issues check these log files

tail -f /var/log/qmail/qmail-smtpd/current
tail -f /var/log/qmail/qmail-send/current

# Setup Log rotation for maildrop.log file as follows

cd /etc/logrotate.d/

vi maildrop
###
/var/log/qmail/maildrop.log {
missingok
notifempty
copytruncate
}
###

chown root.root maildrop
chmod 644 maildrop

# DCC Razor Pyzor and RBL setup

# Install DCC
mkdir /downloads/spam
cd /downloads/spam
# Download DCC from http://www.rhyolite.com/anti-spam/dcc/
wget http://www.rhyolite.com/anti-spam/dcc/source/dcc.tar.Z
tar zxfv dcc.tar.Z
cd dcc-1.3.45/
./configure
make install
cd /downloads/spam

# Install Pyzor
# Download Pyzor from http://pyzor.sourceforge.net
cd /downloads/spam
wget http://nchc.dl.sourceforge.net/sourceforge/pyzor/pyzor-0.4.0.tar.bz2
tar xjvf pyzor-0.4.0.tar.bz2
cd pyzor-0.4.0
python setup.py build
python setup.py install
pyzor discover
cd /downloads/spam

# Setup cronjob to update pyzor servers automatically

00 1 * * * /usr/bin/pyzor discover

# Install Razor

# Install the following perl modules

perl -MCPAN -e "install Time::HiRes"
perl -MCPAN -e "install Digest::SHA1"
perl -MCPAN -e "install MIME::Base64"
perl -MCPAN -e "install Test::Simple"
perl -MCPAN -e "install Test::Harness"
perl -MCPAN -e "install Getopt::Long"
perl -MCPAN -e "install File::Copy"
perl -MCPAN -e "install URI::Escape"

# Download Razor from http://razor.sourceforge.net/
cd /downloads/spam
wget http://jaist.dl.sourceforge.net/sourceforge/razor/razor-agents-2.82.tar.bz2
tar xjvf razor-agents-2.82.tar.bz2
cd razor-agents-2.82
perl Makefile.PL
make test
make install

razor-admin -create

cd /root/.razor
chown spamd.spamd razor-agent.conf
chmod 764 razor-agent.conf
razor-admin -register -user=postmaster@yourdomain.com
cp -a /etc/mail/spamassassin/local.cf /etc/mail/spamassassin/local.cf.orig

#Generate a local.cf file from http://www.yrex.com/spam/spamconfig.php. Use the http://opensourceheaven.net/local.cf.txt file as reference.
vi /etc/mail/spamassassin/local.cf
# Paste the contents of the generated local.cf file here

dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc
dcc_dccifd_path /var/dcc/libexec/dccifd

pyzor_path /usr/bin/pyzor
score PYZOR_CHECK 1

########

sa-learn --sync

/etc/rc.d/init.d/spamassassin restart

# Run the following command to check if spamassassin configuration is correct

spamassassin -D --lint

# Enabling Surbl in spamassassin

perl -MCPAN -e "install Net::DNS::Resolver"

updatedb && locate v310.pre

#If this file is already in /etc/mail/spamassassin, then you are ready for the next bit. If the file is somewhere else on your system, copy it to /etc/mail/spamassassin/.

vi /etc/mail/spamassassin/v310.pre

Add these lines at the end:

# SURBL DNS Blacklisting
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

qmailctl stop
qmailctl start
/etc/init.d/spamd restart

#To test if the changes are working, send yourself a message (from a different email address) with http://surbl-org-permanent-test-point.com in the message body. If all is well message should be tagged as spam.


#Enable RBL checking

vi /var/qmail/supervise/qmail-smtpd/run
# Edit the lines as shown below
/etc/tcp.smtp.cdb -c "$MAXSMTPD" \ -u "$QMAILDUID" -g ................ \
rblsmtpd \
-r zen.spamhaus.org \
-r bl.spamcop.net \
-r relays.ordb.org \
/var/qmail/bin/qmail-smtpd server.yourdomain.com \
qmailctl stop
qmailctl start
qmailctl stat

# Installing fuzzyocr to block image spam

References:
http://www.goodcleanemail.com/kb.php?ToDo=view&questId=90&catId=2
http://fuzzyocr.own-hero.net/wiki/Downloads

# Installing dependencies
yum install ImageMagick
yum install netpbm
yum install netpbm-progs
yum install netpbm-devel
yum install libungif
# On Fedora Core 6 libungif is known as giflib
yum install libungif-progs
# On Fedora Core install giflib-utils instead of libungif-progs

cpan
install String::Approx

# Installing GOCR

# Download gocr from http://jocr.sourceforge.net

cd /tmp
wget http://prdownloads.sourceforge.net/jocr/gocr-0.43.tar.gz
tar zxvf gocr-0.43.tar.gz
cd gocr-0.43
./configure --with-netpbm=/usr/lib/
make
make install

# Installing Fuzzyocr

# Download Fuzzyocr from http://fuzzyocr.own-hero.net/wiki/Downloads

cd /tmp

wget http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-2.3b.tar.gz

tar zxvf fuzzyocr-2.3b.tar.gz
cd /tmp/FuzzyOcr-2.3b

vi FuzzyOcr.cf

# Make necessary changes on the lines as shown below

#########
focr_logfile /var/log/FuzzyOcr.log

# Set this to 1 if you are running a version < 3.1.4.
# This will disable a function used in conjunction with animated gifs that isn't available in earlier versions (Default value: 0.0)
#focr_pre314 0.0
focr_pre314 1
focr_enable_image_hashing 1
focr_digest_db /etc/mail/spamassassin/FuzzyOcr.hashdb
focr_base_score 2
###########

vi FuzzyOcr.pm

# Change the log file location as shown below

# Add this line below any existing use statements at start of the file

use Mail::SpamAssassin::Timeout;

######

our $logfile = "/var/log/FuzzyOcr.log";

######

cd /var/log

touch FuzzyOcr.log

chown spamd.spamd FuzzyOcr.log

chmod 755 FuzzyOcr.log

cp -a FuzzyOcr.cf /etc/mail/spamassassin/
cp -a FuzzyOcr.words.sample /etc/mail/spamassassin/
cp -a FuzzyOcr.pm /etc/mail/spamassassin/
cd /etc/mail/spamassassin/
mv FuzzyOcr.words.sample FuzzyOcr.words
chown root.root FuzzyOcr.*

touch focr_digest_db
chmod o+w focr_digest_db

vi v310.pre

# Add these lines
####
# FuzzyOcr Image Spam Filter
loadplugin FuzzyOcr FuzzyOcr.pm
#####

cd /var/log

chown spamd.spamd FuzzyOcr.log
chmod 600 FuzzyOcr.log

# Run the following command to check if spamassassin configuration is correct

spamassassin -D --lint

/etc/rc.d/init.d/spamassassin restart

# Testing

cd /tmp/FuzzyOcr-2.3b/samples
spamassassin -t < animated-gif.eml
spamassassin -t < corrupted-gif.eml
spamassassin -t < jpeg.eml
spamassassin -t <>

Monday, April 14, 2008

Dealing with large files and directories in Linux/Unix


# Cleaning up audit logs on solaris
# Source: http://docs.sun.com/app/docs/doc/816-4557/audittask-12?a=view
# List the files with the not_terminated string on your audit file system in order of creation.

ls -R1t audit-directory*/files/* | grep not_terminated

# -R  Lists files in subdirectories.
# -t  Lists files from most recent to oldest.
# -1  Lists the files in one column.

# Clean up the old not_terminated file. Specify the name of the old file to the auditreduce -O command.

auditreduce -O system-name old-not-terminated-file

# Remove the old not_terminated file.

rm system-name old-not-terminated-file

# Finding Disk Utilisation
df -k
or
du -sk * |sort -rn | head
or
du -k * |sort -rn | head

# For Solaris servers. To check usage in the current filesystem/device
du -dk <filesystem> | sort -rn | head
#eg.
du -dk /opt/sunone61 | sort -rn | head

#For reverse sorting by size
ls -lSr
or
du | sort -nr | cut -f2- | xargs du -hs | head
or
du | sort -nr | cut -f2- | xargs du -s  | head

#Find the Top 10 biggest directories under /
du -kod / |sort -n | tail -10

# Reverse sort by change date
ls -ltr

# Finding Directory sizes
du -sh folder_name
du -ch folder_name
du -csh folder_name

# List files and ignore .gz files
ls -lah | grep -v '.gz$'

# Finding files above 100 Mb

find / -type f -size +100000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
find / -type f -size +100000k

# Find 10 largest directores in current directory
du -hs */ | sort -hr | head

# To move files older than 90 days to the /tmp folder
# in the current directory and sub directories
find . -type f -mtime +90 -exec mv {} /tmp \;
# In the current directory only
find . -maxdepth 1 -type f -mtime +90 -exec mv {} /tmp \;

# To move *.gz files older than 90 days in the current directory to the /tmp folder
find . -type f -mtime +90 -name "*.gz" -exec mv {} /tmp/ \;

# To delete files older than 90 days in the current directory
find . -mtime +90 -exec rm {} \;

# To delete files named core.fmd.* in the current directory
find . -type f -name "core.fmd.*" -exec rm {} \;

# To find all files having log in the file name and older than 30 days in the location /
find / -mtime +30 -type f -name "*.log.*" -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

# To compress all files having log in the file name and older than 30 days in the location /
find / -mtime +30 -type f -name "*.log.*" -exec gzip {} \;

# Compressing and nullifying a file in one go
cp -a /<path>/<file_name> /tmp && cat /dev/null > /<path>/<file_name> && gzip /tmp/<file_name> && mv /tmp/<file_name>.gz /<path>
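The one-liner above works, but if `gzip` fails halfway (disk full, no permission on /tmp) the original has already been emptied and the copy is gone with the error. The following is an added example, not from the original post, that wraps the same copy, compress, truncate sequence in a function that only truncates after the compressed archive exists, and pairs it with a dry-run lister for the `find -mtime +90` clean-ups so the candidates can be reviewed before anything is moved or deleted. Function names and the temporary files the test creates are this example's own.

```shell
#!/bin/sh
# Added example: a safer form of "compress and nullify in one go".
# The live log is copied aside, the copy is compressed, and only then is the
# original truncated in place (same inode, same permissions, so the writing
# daemon keeps logging). If any step fails the original is left untouched.

# archive_and_truncate FILE DEST_DIR
# Prints the path of the archive created: DEST_DIR/<basename>.<timestamp>.gz
archive_and_truncate() {
    file="$1"; dest="$2"
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    tmp="$dest/$(basename "$file").$stamp"
    # -p keeps the mode, so a 0600 log does not become a world-readable archive
    cp -p "$file" "$tmp" || return 1
    if ! gzip "$tmp"; then
        rm -f "$tmp"          # drop the partial copy; original is still intact
        return 1
    fi
    : > "$file"               # truncate in place instead of rm/recreate
    echo "$tmp.gz"
}

# old_files DIR DAYS
# Dry run for the "-mtime +DAYS -exec mv/rm" commands: lists the regular files
# directly under DIR not modified for more than DAYS days, and nothing else.
old_files() {
    find "$1" -maxdepth 1 -type f -mtime "+$2" -print
}

# Typical use on a host (not run here):
#   old_files /var/log/qmail 90          # review the list first
#   archive_and_truncate /var/log/qmail/maildrop.log /var/log/archive
```

Review the `old_files` output before turning it into `-exec mv` or `-exec rm`; the page's `find / -mtime +30 -name "*.log.*"` variants are the same search with a name filter, and the same dry run applies to them.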

Thursday, April 03, 2008

Shorewall setup to ease your Iptables setup

Reference:
http://www.shorewall.net/shorewall_setup_guide.htm


# Backup your existing Iptables configuration so that you can revert back in case something goes wrong

cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables_backup_

# Deploying a safety net to ensure that you dont get locked out
Reference : http://www.iptablesrocks.org/guide/safetynet.php
vi /root/firewall_reset

############
# Iptables firewall reset script
*filter
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
COMMIT

*mangle
:PREROUTING ACCEPT [164:15203]
:INPUT ACCEPT [164:15203]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [147:63028]
:POSTROUTING ACCEPT [147:63028]
COMMIT

*nat
:PREROUTING ACCEPT [14:672]
:POSTROUTING ACCEPT [9:684]
:OUTPUT ACCEPT [9:684]
COMMIT

###########

# Test if the above script works and throws no error

/sbin/iptables-restore < /root/firewall_reset

/sbin/iptables -L

# The output should be similar to the following
###
Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
###

# restore your orginal firewall configuration and proceed

/sbin/iptables-restore < /etc/sysconfig/iptables_backup_

# Confirm that your original rules have been restored by running the following command

/sbin/iptables -L

# Create a crontab entry that resets the firewall every 15 minutes

crontab -e

0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset

# Please ensure that you comment out this line after you have successfully tested that shorewall is working.
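Adding the reset job and later remembering to comment it out are the two places this safety net tends to go wrong (a forgotten entry silently flushes the firewall four times an hour). The following is an added example, not from the original post or from Shorewall, that manages the entry idempotently: it filters crontab text on stdin, tags the job with a marker comment so it can be found again, and removes exactly that line when you are done. The marker text, function names and the sample crontab are this example's own; the job line itself is the one from the post.

```shell
#!/bin/sh
# Added example: add/remove the firewall safety-net cron entry idempotently.
# The functions read crontab text on stdin and write the new text on stdout,
# so they can be exercised offline. On a live host wire them up as:
#   crontab -l 2>/dev/null | safety_net add    | crontab -
#   crontab -l 2>/dev/null | safety_net remove | crontab -

RESET_JOB='0,15,30,45 * * * * /sbin/iptables-restore < /root/firewall_reset'
# Trailing marker: cron runs the line through /bin/sh -c, which treats "# ..."
# as a comment, so the marker never reaches iptables-restore.
MARK='# firewall-safety-net'

# Constructed sample crontab (jobs taken from elsewhere on this page)
SAMPLE_CRONTAB='00 1 * * * /usr/bin/sa-update && /sbin/service spamassassin restart
00 0 * * * /usr/local/bin/rkhunter --update -q'

# safety_net add|remove   (crontab text on stdin, new crontab on stdout)
safety_net() {
    case "$1" in
        add)
            # drop any earlier copy first so repeated adds leave exactly one entry
            grep -v -F "$MARK" | { cat; printf '%s %s\n' "$RESET_JOB" "$MARK"; }
            ;;
        remove)
            grep -v -F "$MARK" || :   # grep exits 1 when nothing is left; not an error
            ;;
        *)
            echo "usage: safety_net add|remove" >&2
            return 2
            ;;
    esac
}

# safety_net_count   (crontab text on stdin) -> number of safety-net entries
safety_net_count() {
    grep -c -F "$MARK" || :
}
```

Once Shorewall has been restarted and you can still log in, `crontab -l | safety_net_count` should print 1 and the `remove` form takes the entry out without touching the other jobs; the same pattern covers the `/etc/shorewall/routestopped` entries the post says to remove at the end.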


# Reference:http://www.shorewall.net/shorewall_quickstart_guide.htm

# Before installing ,check if iproute and shorewall already exist

rpm -qa | grep -i "iproute"
rpm -qa | grep -i "shorewall"

# If iproute doesn't exist then proceed as follows

yum install iproute

# Shorewall Installation

# Using Yum
yum install shorewall

# Using RPM
# In most cases shorewall would not exist in yum repositories so proceed as follows for the rpm installation

References :
http://www.shorewall.net/Install.htm
http://www.shorewall.net/download.htm

Download the shorewall and shorewall-perl rpm package

cd /tmp

wget http://www.invoca.ch/pub/packages/shorewall/4.2/shorewall-4.2.5/shorewall-4.2.5-3.noarch.rpm

wget http://www.invoca.ch/pub/packages/shorewall/4.2/shorewall-4.2.5/shorewall-perl-4.2.5-3.noarch.rpm

rpm -ivh shorewall-perl-4.2.5-3.noarch.rpm shorewall-4.2.5-3.noarch.rpm

#Setting up Shorewall on a standalone Linux system with a single static IP address
Reference :http://www.shorewall.net/standalone.htm

# Add your IP address (the address of the system/gateway you are connecting from, not the server IP address where you are installing shorewall) to the /etc/shorewall/routestopped file to ensure that you stay connected when the firewall restarts. You can find your IP address by visiting http://whatismyip.com
cp -a /etc/shorewall/routestopped /etc/shorewall/routestopped.orig

vi /etc/shorewall/routestopped
# eg. if your IP address ( the system/gateway you are connecting from) is 59.144.118.69
#INTERFACE HOST(S)
eth0 59.144.0.0/24

# You can also add a CIDR number to indicate a range of IPs from which connection will not break
# For eg. if you want to keep alive connections from 192.168.0.1 to 192.168.0.254 during the firewall restart add the following line

#INTERFACE HOST(S)
eth0 192.168.0.0/24

# Find the sample configuration files by running

rpm -ql shorewall | fgrep one-interface

cp -a /usr/share/doc/shorewall-4.2.5/Samples/one-interface /tmp/


cd /tmp/one-interface
# Confirm your ethernet interface ( to check if you have a single lan card)

/sbin/ifconfig -a

vi interfaces

########
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 210.210.18.90 norfc1918,routefilter,tcpflags,logmartians,nosmurfs
########

# The BROADCAST address can be ignored above and instead you can put a -

#RFC-1918 reserves several Private IP address ranges for use in private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

#If your IP address falls in any of the above range, then please remove "norfc1918" in the options section of the interfaces file
# If you have a non-static DHCP IP address,add "detect" in the "broadcast" section and add “dhcp” to the option list.

# Configuration of rules

# You can find custom rules files by running

ls /usr/share/shorewall/macro.*

# You can then use these macros in your shorewall rules file

# For eg. if you want to allow access to your web server running TCP Port 80 and SSHD running on TCP port 22 do the following

# Tip: You can identify the network services running on your server by issuing the following command.

/bin/netstat -luntp

# Based on the output you get , you can decide which services to allow remote access or not

cd /tmp/one-interface

vi rules

#######
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web/ACCEPT net $FW
SSH/ACCEPT net $FW
######


# You can also add the above rules in this way.

vi rules

#########
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 22
#########
# You can also add the following rule if you see port TCP 113 as closed in your nmap scan.
DROP net $FW tcp 113

If you want to allow connections to, say, the ssh port only from specific IP addresses on the internet, add the following

ACCEPT net:192.0.2.16/28,192.0.2.44 fw tcp 22

# Please ensure that you check the individual macros you apply from /usr/share/shorewall/macro.* to ensure that they work as desired


# You must enable startup by editing /etc/shorewall/shorewall.conf and setting STARTUP_ENABLED=Yes

cp -a /tmp/one-interface/shorewall.conf /tmp/one-interface/shorewall.conf.orig
vi /tmp/one-interface/shorewall.conf
# Modify the lines as shown

#STARTUP_ENABLED=No
STARTUP_ENABLED=Yes
#IPTABLES=
IPTABLES=/sbin/iptables
#IP_FORWARDING=On
IP_FORWARDING=Off
#DISABLE_IPV6=Yes

# Copy your configuration files to appropriate locations

cd /etc/shorewall/
cp -a policy policy.orig
cp -a rules rules.orig
cp -a interfaces interfaces.orig
cp -a zones zones.orig

cp -a /tmp/one-interface/* /etc/shorewall/

rm -rf /tmp/one-interface/

/etc/rc.d/init.d/shorewall restart

# You can use the following command to clear all shorewall rules
/sbin/shorewall clear

# Configure shorewall to auto start at boot time

/sbin/chkconfig shorewall on

# Use nmap from a different system to ensure that your firewall rules are in place

# Multiple IP address to single interface

# Reference:http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html#id2491727

# Ensure that all IP addresses ( non virtual ie. additional IP addresses on separate lan cards ) are configured in the /etc/shorewall/interfaces
# eg.

vi /etc/shorewall/interfaces

#ZONE INTERFACE BROADCAST OPTIONS
net eth1 210.210.23.26 norfc1918,routefilter,tcpflags,logmartians,nosmurfs

# The BROADCAST address can be ignored above and instead you can put a -

#RFC-1918 reserves several Private IP address ranges for use in private networks:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

#If your IP address falls in any of the above range, then please remove "norfc1918" in the options section of the interfaces file
# If you have a non-static DHCP IP address,add "detect" in the "broadcast" section and add “dhcp” to the option list.

# If you are using virtual IP addresses (eg. eth0:0,eth0:1 etc,) configured for a single ethernet card, then you can ignore the above setting in /etc/shorewall/interfaces

# If you have multiple IP addresses and want sshd to be available on a single IP address (eg. 210.210.23.26) instead of all IP addresses on the server, then do this

vi /etc/shorewall/rules

#ACCEPT net $FW tcp 22
ACCEPT net $FW:210.210.23.26 tcp 22

/sbin/shorewall clear
/etc/rc.d/init.d/shorewall restart

# Remove the firewall_reset cron job and the entries in /etc/shorewall/routestopped after shorewall is run and firewall behaves as expected.

How to Secure a Linux Box

#Reference:http://www.cisecurity.org/bench_linux.html

#Note: This tutorial is based on Fedora Core 4. It should be valid for newer versions of Fedora too. The reader is advised to read the CIS Benchmark pdf after completing all activities mentioned in this document.

# Setup an informative command prompt
export PS1="-\$?-(\u@\h) \w > "


# Hostname Setup
Reference:http://www.cpqlinux.com/hostname.html

# Please ensure that the correct hostname is set up in the following files. The hostname should ideally match the PTR record of the system IP
/etc/hosts
/etc/sysconfig/network
# Use echo to set the hostname in the file below eg.
echo yourhostname > /proc/sys/kernel/hostname
/proc/sys/kernel/hostname
# Virtual IP Setup
cd /etc/sysconfig/network-scripts

#Check for existing network adapters with the command:

ls ifcfg-*

#In most instances, you will see the files ifcfg-eth0 and ifcfg-lo. If you see other files with any other names and are unfamiliar with configuring TCP/IP, you may want to consult with your system administrator before proceeding.

cp -a ifcfg-eth0 ifcfg-eth0:0
cp -a ifcfg-eth0 ifcfg-eth0:1
# Ensure the following lines are configured as

vi ifcfg-eth0:0
DEVICE=eth0:0
IPADDR=
VLAN=yes

vi ifcfg-eth0:1
DEVICE=eth0:1
IPADDR=
VLAN=yes

#Disable IPV6

cp -a /etc/modprobe.conf /etc/modprobe_backup.conf
echo "alias net-pf-10 off" >> /etc/modprobe.conf
echo "alias ipv6 off" >> /etc/modprobe.conf

/etc/init.d/ip6tables stop
/sbin/chkconfig --level 35 ip6tables off

# Restart the network to effect changes

/sbin/service network restart

# Edit /etc/hosts and add a line for your new addresses and name such as:
127.0.0.1 localhost.localdomain localhost
x.x.x.x newhost1.yourdomain.com
x.x.x.x newhost2.yourdomain.com


# Disabling selinux

vi /etc/sysconfig/selinux
#check for the line SELINUX
SELINUX=disabled

# Date and Time Configuration

Ref:http://www.linuxsa.org.au/tips/time.html

ln -sf /usr/share/zoneinfo/Asia/Calcutta /etc/localtime

date MMDDhhmmYYYY   # month, day, hour, minute, year

yum install ntp

#Configure a cron job to update time every night at 12 AM
00 00 * * * /usr/sbin/ntpdate 0.pool.ntp.org 1.pool.ntp.org

# Configure automatic updates using yum. Fedora Core 6 or above has yum-updatesd instead of yum

/sbin/chkconfig yum on
/sbin/service yum start

# If you wish to disable auto-updating of some packages, eg. firefox and cacti, do the following
cp -a /etc/yum.conf /etc/yum.conf.orig
vi /etc/yum.conf
# Add the following line
exclude=firefox cacti

# For Fedora Core 6 or above do this
# Reference: http://www.die.net/doc/linux/man/man5/yum-updatesd.conf.5.html
cp -a /etc/yum/yum-updatesd.conf /etc/yum/yum-updatesd.conf.orig
vi /etc/yum/yum-updatesd.conf

#########
# Configure the entries as shown below
# automatically install updates
do_update = yes
# automatically download updates
do_download = yes
# automatically download deps of updates
do_download_deps = yes
#########

/sbin/chkconfig yum-updatesd on
/sbin/service yum-updatesd start

crontab -e

00 0 * * * yum -y update

# Configuring updatedb
cp -a /etc/updatedb.conf /etc/updatedb.conf.orig

vi /etc/updatedb.conf
#Configure the following values to yes
#DAILY_UPDATE=no
DAILY_UPDATE=yes

# Configuring Log Compression
cp -a /etc/logrotate.conf /etc/logrotate.conf.orig
vi /etc/logrotate.conf

# uncomment this if you want your log files compressed
compress

# Unalias cp and mv

unalias mv cp

# Firewall ,Reactive IDS and SSH bruteforce prevention setup

Please install and configure shorewall ,psad and fail2ban by referring their separate howtos

# Apache Installation

# Check if Apache is already installed

rpm -qa httpd
service httpd status

# If httpd is not installed proceed with the apache installation as follows

yum install httpd
yum install httpd-devel


# Apache Hardening

Edit httpd.conf file as follows.

cd /etc/httpd/conf/

cp -a httpd.conf httpd.conf.orig

vi /etc/httpd/conf/httpd.conf

# Edit the following entry as follows

#ServerTokens OS
ServerTokens Prod

#ServerSignature On
ServerSignature Off


#Ref:http://www.slac.stanford.edu/comp/unix/apache-security.html
#http://publib.boulder.ibm.com/httpserv/ihsdiag/http_trace.html

# Disabling Indexing
# Ref: http://www.ducea.com/2006/06/26/apache-tips-tricks-disable-directory-indexes/
# In Main Server Configurations

Options -Indexes

# To disable Trace and Track Methods:

For apache version 1.3.34 (or later 1.3.x versions), or apache 2.0.55 (or later), in section 1, add the line
TraceEnable off

For older versions of apache, see below.

#Add Before Secton 3 and in each virtual host configuration section/file
# Block access: SLAC addition
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# End block access rule

# Disabling welcome page
cp -a /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.orig
vi /etc/httpd/conf.d/welcome.conf
# Comment all the lines in the file

# Disabling configuration by .htaccess

AllowOverride None

# Restart Apache
/etc/rc.d/init.d/httpd restart

# MySQL Installation
# Check if MySQL is already installed

rpm -qa mysql
service mysqld status

# If Mysqld Daemon is not installed proceed with the MySQL installation as follows

yum install mysql-server
yum install mysql
yum install mysql-devel

#Start MySQL for the first time

mysql_install_db
/etc/rc.d/init.d/mysqld start
#Note: In case you have issues starting the MySQL server for the first time and you see error messages saying that tmp files could not be created, please run the bastille configuration again, answer N to the "Q: Would you like to install TMPDIR/TMP scripts?" question and reboot the system. Post reboot you can start mysqld.

/sbin/chkconfig mysqld on

#Mysql Hardening:

mysql
# Removing anonymous login:

DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;
quit
#Setting Mysql Root password:

/usr/bin/mysqladmin -u root password 'yourpassword'
/usr/bin/mysqladmin -u root -h <hostname> password 'yourpassword'

# Delete test database

mysql
drop database test;

# Configure Mysql to not listen for external connections

cp -a /etc/my.cnf /etc/my.cnf.orig

vi /etc/my.cnf

[mysqld]
skip-networking

#Perl Installation

#check if perl is installed or not

rpm -qa perl

# If Perl is not installed proceed with the Perl installation as follows

yum install perl

# Cpan configuration

# Before running cpan ensure that gcc is installed else some modules will throw errors during compilation

rpm -qa gcc

# Install gcc if not found

yum install gcc

# Run and configure cpan

cpan

# A first time set of configuration questions will be asked

# Update cpan by running

cpan
install Bundle::CPAN
reload cpan

# Bastille Hardening


#Bastille Installation

cd /tmp

wget http://nchc.dl.sourceforge.net/sourceforge/bastille-linux/Bastille-3.2.1-0.1.noarch.rpm


# Ref: http://www.bastille-linux.org/running_bastille_on.htm#top

rpm -ivh Bastille-3.2.1-0.1.noarch.rpm

# Install Curses from cpan
# Please check whether ncurses-devel is installed

rpm -qa ncurses-devel

# If ncurses is not installed install it as follows

yum install ncurses-devel

# Install Curses module as follows

cpan

install Curses

# Run bastille text mode hardening as follows

/usr/sbin/bastille -c

# Respond to all questions

# Check your score

/usr/sbin/bastille --report


# ICMP Hardening


# Check and Download sysctl RPM
yum install sysctl

# Enter the following in the /etc/sysctl.conf file
# (icmp_echo_ignore_all = 1 makes the host ignore every ping, including your own monitoring checks)
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_max_orphans = 256
net.ipv4.conf.all.log_martians = 1

# Disable forwarding and gateway functionality
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Load /etc/sysctl.conf; sysctl reports any line it cannot parse or apply
/sbin/sysctl -p

# As an alternative firewall-level control, reject ICMP timestamp requests (type 13) and replies (type 14) with iptables
/sbin/iptables -A INPUT -j REJECT -p icmp --icmp-type 13
/sbin/iptables -A OUTPUT -j REJECT -p icmp --icmp-type 14

# Detailed audit trail setup

Ref: http://www.cyberciti.biz/tips/howto-log-user-activity-using-process-accounting.html

yum install psacct
chkconfig psacct on
/etc/init.d/psacct start

# Rootkit Hunter

Reference:http://www.rootkit.nl/

Installation:

# Download rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html
cd /tmp
wget http://nchc.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.2.tar.gz
tar zxvf rkhunter-1.3.2.tar.gz
cd rkhunter-1.3.2
sh installer.sh --layout default --install

# Running Rkhunter
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter -c --createlogfile --quiet
The report will be generated at /var/log/rkhunter.log

#Configure rkhunter for automatic update
crontab -e
00 0 * * * /usr/local/bin/rkhunter --update -q

# SSHD Hardening
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

vi /etc/ssh/sshd_config

#change port no from 22 to 222
Port 222

PermitRootLogin no

Banner /etc/issue

#This banner was generated when you ran Bastille earlier.

#Prevent X11 forwarding
X11Forwarding no

#Don't read the user's ~/.rhosts and ~/.shosts files (uncomment IgnoreRhosts yes)
IgnoreRhosts yes

# The following switch is not found in Fedora 4. Check the sshd_config man page for your OpenSSH version to ensure that the switch exists before making this entry

RhostsAuthentication no

RhostsRSAAuthentication no

HostbasedAuthentication no

PermitEmptyPasswords no

#Note: Before restarting sshd, create a non-root account, since root login is now disabled.

# Restart sshd
/etc/rc.d/init.d/sshd restart
# Nessus Setup

# Read the Nessus How to file for installing and running Nessus

# CIS benchmark security exercise

# Download the CIS benchmark locally from http://www.cisecurity.org/bench_linux.html and copy the do-backup.sh file in /root and run the same to backup all important directories and files

cd /root
chmod 755 do-backup.sh
./do-backup.sh

# Uninstalling xinetd
rpm -qa xinetd
rpm -e xinetd-versionnumber

# In case you still want to use some services in xinetd, run the following commands to stop the unnecessary ones.

cd /etc/xinetd.d
for FILE in chargen chargen-udp cups-lpd cups daytime \
    daytime-udp echo echo-udp eklogin ekrb5-telnet finger \
    gssftp imap imaps ipop2 ipop3 krb5-telnet klogin kshell \
    ktalk ntalk pop3s rexec rlogin rsh rsync servers services \
    sgi_fam talk telnet tftp time time-udp vsftpd wu-ftpd; do
    chkconfig ${FILE} off
done

# Disable GUI
sed -e 's/id:5:initdefault:/id:3:initdefault:/' \
< /etc/inittab-preCIS > /etc/inittab
chown root:root /etc/inittab
chmod 0600 /etc/inittab
diff /etc/inittab-preCIS /etc/inittab

# Disable Unnecessary services
# Please review all services listed in the following script before running.

vi disable_unwanted_services

########
for FILE in apmd avahi-daemon canna cups-config-daemon FreeWnn gpm hidd hpoj hplip innd irda isdn kdcrotate lvs mars-nwe messagebus oki4daemon privoxy rstatd rusersd rwalld rwhod wine; do
/sbin/service $FILE stop
/sbin/chkconfig $FILE off
done

for FILE in nfs nfslock autofs ypbind ypserv yppasswdd portmap smb netfs lpd tux snmpd named postgresql webmin kudzu squid cups ip6tables pcmcia bluetooth mDNSResponder; do
/sbin/service $FILE stop
/sbin/chkconfig $FILE off
done
########

chmod 755 disable_unwanted_services
./disable_unwanted_services

# Assign Proper permissions to log files

cd /var/log
chmod o-rwx boot.log* cron* dmesg ksyms* httpd/* maillog* messages* news/* pgsql rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler* squid/* vbox/* wtmp

chmod o-rx boot.log* cron* maillog* messages* pgsql secure* spooler* squid/* sa/*

chmod g-w boot.log* cron* dmesg httpd/* ksyms* maillog* messages* pgsql rpmpkgs* samba/* sa/* scrollkeeper.log secure* spooler*

chmod g-rx boot.log* cron* maillog* messages* pgsql secure* spooler*

chmod o-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/

chmod o-rx httpd/ samba/ squid/ sa/

chmod g-w gdm/ httpd/ news/ samba/ squid/ sa/ vbox/

chmod g-rx httpd/ samba/ sa/

chmod u-x kernel syslog loginlog

# Verify passwd, shadow, and group File Permissions

cd /etc
chown root:root passwd shadow group
chmod 644 passwd group
chmod 400 shadow

# Allowing only root access to Cron and At

cd /etc/
rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
chown root:root cron.allow at.allow
chmod 400 cron.allow at.allow

# Restrict Permissions On crontab Files

chown root:root /etc/crontab
chmod 400 /etc/crontab
chown -R root:root /var/spool/cron
chmod -R go-rwx /var/spool/cron
cd /etc
ls | grep cron | grep -v preCIS | xargs chown -R root:root
ls | grep cron | grep -v preCIS | xargs chmod -R go-rwx

# Block all system accounts from logging on to the server

cd /root
vi lock_system_accounts

####
cd /etc
for NAME in `cut -d: -f1 /etc/passwd`; do
MyUID=`id -u $NAME`
if [ $MyUID -lt 500 -a $NAME != 'root' ]; then
/usr/sbin/usermod -L -s /dev/null $NAME
fi
done
###

chmod 755 lock_system_accounts

./lock_system_accounts

rm -rf lock_system_accounts

# Check for empty password accounts
awk -F: '($2 == "") { print $1 }' /etc/shadow

# Set Account Expiration Parameters On Active Accounts

cd /etc
awk '($1 ~ /^PASS_MAX_DAYS/) { $2="90" }
($1 ~ /^PASS_MIN_DAYS/) { $2="7" }
($1 ~ /^PASS_WARN_AGE/) { $2="28" }
($1 ~ /^PASS_MIN_LEN/) { $2="6" }
{ print } ' login.defs-preCIS > login.defs
diff login.defs-preCIS login.defs
chown root:root login.defs
chmod 640 login.defs
diff login.defs-preCIS login.defs

useradd -D -f 7
diff /etc/default/useradd-preCIS /etc/default/useradd
for NAME in `cut -d: -f1 /etc/passwd`; do
uid=`id -u $NAME`
if [ $uid -ge 500 -a $uid != 65534 ]; then
chage -m 7 -M 90 -W 28 -I 7 $NAME
fi
done
diff shadow-preCIS shadow

# Verify No Legacy '+' Entries Exist In passwd, shadow, And group Files

grep ^+: /etc/passwd /etc/shadow /etc/group

# No '.' or Group/World-Writable Directory In Root's $PATH

#To find '.' in $PATH:
echo $PATH | egrep '(^|:)(\.|:|$)'
#To find group- or world-writable directories in $PATH:
find `echo $PATH | tr ':' ' '` -type d \( -perm -002 -o -perm -020 \) -ls

#These commands should produce no output.

#User Home Directories Should Be Mode 750 or More Restrictive

vi user_directories_permission

###############
for DIR in `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do
chmod g-w $DIR
chmod o-rwx $DIR
done
##############

chmod 755 user_directories_permission
./user_directories_permission

#No User Dot-Files Should Be World-Writable

vi user_dot_files_non_worldwritable

#############

for DIR in `awk -F: '($3 >= 500) { print $6 }' /etc/passwd`; do
for FILE in $DIR/.[A-Za-z0-9]*; do
if [ ! -h "$FILE" -a -f "$FILE" ]; then
chmod go-w "$FILE"
fi
done
done
#########

chmod 755 user_dot_files_non_worldwritable
./user_dot_files_non_worldwritable

#Remove User .netrc Files

find / -name .netrc

# If any .netrc file is found then run the following script to remove

vi remove_netrc

###############
for DIR in `cut -f6 -d: /etc/passwd`; do
if [ -e $DIR/.netrc ]; then
echo "Removing $DIR/.netrc"
rm -f $DIR/.netrc
fi
done
###############

chmod 755 remove_netrc
./remove_netrc

#Set Default umask For Users

vi set_default_umask

#########
cd /etc
for FILE in profile csh.login csh.cshrc bashrc; do
if ! egrep -q 'umask.*77' $FILE ; then
echo "umask 077" >> $FILE
fi
chown root:root $FILE
chmod 444 $FILE
diff ${FILE}-preCIS $FILE
done

cd /root
for FILE in .bash_profile .bashrc .cshrc .tcshrc; do
if ! egrep -q 'umask.*77' $FILE ; then
echo "umask 077" >> $FILE # See description
fi
chown root:root $FILE
diff ${FILE}-preCIS $FILE
done
###########

chmod 755 set_default_umask
./set_default_umask


# Disable Core Dumps

cp -a /etc/security/limits.conf /etc/security/limits.conf.orig

vi /etc/security/limits.conf

#Add the following two lines. In future you can enable core dumps for individual users if required.

* soft core 0
* hard core 0

####

# Limit Access To The Root Account From su
# Warning: Add your account to the wheel group before proceeding with this activity, otherwise you will not be able to su.
# eg. /usr/sbin/usermod -G wheel youraccount   (-G replaces the existing supplementary groups, so list all of them)

# In case you want to create a new account and add it to the wheel group, run this command
/usr/sbin/useradd -G wheel youraccount

cd /etc/pam.d/
cp -a su su_backup_18_dec_2006

vi su

##Uncommenting this line allows only users in the wheel group to become root with the su command and the root password. All other users get the message "Incorrect Password".

auth required /lib/security/$ISA/pam_wheel.so use_uid

# Banners

# Note: the /etc/issue banner should have already been created by Bastille. If you haven't run Bastille, create an appropriate banner file /etc/issue as follows



***************************************************************************
NOTICE TO USERS


This computer system is the private property of , whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.

By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to use
this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.

****************************************************************************
cd /etc
cp -a issue.net issue_backup_todays_date.net

cp -a issue issue.net

# The contents of /etc/motd are displayed after a user logs in, so it is not necessary to create a banner in that file

chown root:root /etc/motd /etc/issue /etc/issue.net
chmod 644 /etc/motd /etc/issue /etc/issue.net

# Removing unnecessary applications
# Please refer http://www.mjmwired.net/resources/mjm-services-fc6.html for the list of services and their uses and recommendations on which to disable
cd /etc/init.d
ls

# Verify the software listed here. Remove all unnecessary packages as shown below.

# For example, if you see bluetooth and want to identify which package it belongs to, do the following
rpm -qf bluetooth
bluez-utils-2.15-7
yum remove bluez-utils-2.15-7

# Do this for all other software such as portmap, apmd, cups, isdn, irda, etc.

# RHEL comes with virtualisation enabled. Because of this you may see an additional network adapter (virbr0) when you run /sbin/ifconfig -a
# It can be removed by following these steps
# Source: http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-remove-network-interface-virbr0/
yum groupremove "Virtualization"

# Type y when it lists the following packages to be removed
libvirt
libvirt-python
rhn-virtualization-host

# This will also remove the virbr0 network adapter

#Firewall Configuration

/bin/netstat -ltunp

# The above command shows the processes listening on each port. Ensure that unnecessary services are disabled and uninstalled as shown in the previous section.
# Open required ports in iptables using Shorewall (Please refer the separate Howto)
/usr/sbin/lokkit

# Remove All Compilers and Assemblers

#The following command will help you identify the packages installed on your system
rpm -qa | egrep "^gcc|java|bin86|dev86|nasm"

#Identify the packages and remove the ones you don't need

#Verify That No Unauthorized UID 0 Accounts Exist

getent passwd | awk -F: '$3 == "0" { print $1 }'

#This should return only the word "root", unless additional UID 0 accounts have been specifically authorized. Multiple UID 0 accounts are acceptable if they are authorized, but not recommended in some situations.
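The account, legacy-entry and sshd checks from this section can be re-run from one place against copies of the files. The script below is an added example, not part of the original notes or of the CIS benchmark scripts; it assumes passwd, shadow, group and sshd_config copies in one directory (constructed samples are generated inline) and the sshd settings chosen above (Port 222, PermitRootLogin no, X11Forwarding no, PermitEmptyPasswords no).

```shell
#!/bin/sh
# Added audit helper; it is not part of the original notes or the CIS benchmark
# scripts. It re-runs the checks above (UID 0 accounts, empty password fields,
# legacy '+' entries, sshd_config settings, '.' in PATH) against files given as
# arguments, so it can be pointed at the live files or at the *-preCIS backups.

# Account names with UID 0 in a passwd-format file; only "root" should appear.
uid0_accounts() { awk -F: '$3 == "0" { print $1 }' "$1"; }

# Account names whose password field in a shadow-format file is empty.
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Legacy NIS '+' entries in the passwd/shadow/group files given as arguments.
legacy_plus_entries() { grep -H '^+:' "$@" || true; }   # grep exits 1 on no match

# Effective value of an sshd_config keyword (first match wins, as in sshd);
# prints nothing when the keyword is absent or only present as a comment.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Exit 0 when PATH contains '.', an empty element or a trailing ':'
# (the same pattern as the benchmark's egrep check above).
path_has_dot() { printf '%s\n' "$1" | grep -Eq '(^|:)(\.|:|$)'; }

# Constructed sample files: a second UID 0 account, an empty password,
# a '+' entry in group, and an sshd_config still on port 22 with root login.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$saltsalt$constructedhash:14000:7:90:28:7::
toor::14000:0:99999:7:::
alice:$1$saltsalt$constructedhash:14000:7:90:28:7::
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice
+::0:
EOF
    cat > "$1/sshd_config" <<'EOF'
#Port 222
Port 22
PermitRootLogin yes
X11Forwarding no
EOF
}

# One line per finding for the passwd, shadow, group and sshd_config in $1.
audit_dir() {
    for u in $(uid0_accounts "$1/passwd"); do
        [ "$u" = root ] || echo "extra UID 0 account: $u"
    done
    for u in $(empty_password_accounts "$1/shadow"); do echo "empty password: $u"; done
    for e in $(legacy_plus_entries "$1/passwd" "$1/shadow" "$1/group"); do
        echo "legacy '+' entry: $e"
    done
    for kv in Port=222 PermitRootLogin=no X11Forwarding=no PermitEmptyPasswords=no; do
        k=${kv%=*}; want=${kv#*=}; got=$(sshd_value "$1/sshd_config" "$k")
        [ "$got" = "$want" ] || echo "sshd $k is '${got:-unset}', want $want"
    done
}

# Number of findings; awk is used so an empty report still yields 0.
audit_count() { audit_dir "$1" | awk 'END { print NR }'; }

# Demonstration on the constructed samples (6 findings expected).
demo=$(mktemp -d); make_samples "$demo"; audit_dir "$demo"; rm -rf "$demo"
```

To audit the live host, copy /etc/passwd, /etc/shadow, /etc/group and /etc/ssh/sshd_config into one directory and call audit_dir on it; a clean system prints nothing.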

Reactive Firewall Setup using Psad

Reference: http://www.cipherdyne.org/psad/

# Download the latest version of psad from http://www.cipherdyne.org/psad/download/

cd /tmp

wget http://www.cipherdyne.org/psad/download/psad-2.1.4-1.i386.rpm

rpm -Uvh psad-2.1.4-1.i386.rpm
rm -rf psad-2.1.4-1.i386.rpm
cp -a /etc/psad/psad.conf /etc/psad/psad.conf.orig
vi /etc/psad/psad.conf

# Adjust the values as shown

######
EMAIL_ADDRESSES you@domain1.com, you@domain2.com;
HOSTNAME example.com;
# If there is only one network interface on the box, then just set this variable to "NOT_USED".
HOME_NET NOT_USED;
EMAIL_ALERT_DANGER_LEVEL 1;
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 1;
ENABLE_SCAN_ARCHIVE Y;
DISK_MAX_PERCENTAGE 85;
FLUSH_IPT_AT_INIT N;
#######

# Add the CIDR value of a private network interface in HOME_NET if you are using one. Not required if you have a single public interface.

Automate Signature Updates

crontab -e

###
0 0 * * * /usr/sbin/psad --sig-update && /sbin/service psad restart
###


# Ensure that /bin/mail exists or create an appropriate symbolic link /bin/mail pointing to your mail executable
eg.
ln -s /usr/lib/sendmail /bin/mail

/etc/rc.d/init.d/psad start

/usr/sbin/psad --sig-update

/sbin/chkconfig psad on

# Check psad statistics after 5-10 mins by running this command

/usr/sbin/psad --Status

# Setup Cronjob to delete Psad scan archive older than 7 days

crontab -e

0 0 * * * find /var/log/psad/scan_archive -type d -mtime +7 | xargs rm -rf

# Fwsnort Installation

Reference: http://www.cipherdyne.org/fwsnort
# Download fwsnort from http://www.cipherdyne.org/fwsnort/download/

cd /tmp

wget http://www.cipherdyne.org/fwsnort/download/fwsnort-1.0.5.tar.gz

tar zxvf fwsnort-1.0.5.tar.gz

cd /tmp/fwsnort-1.0.5

perl install.pl
cp -a /etc/fwsnort/fwsnort.conf /etc/fwsnort/fwsnort.conf.orig

vi /etc/fwsnort/fwsnort.conf

######
# Modify the uname location as follows
unameCmd /bin/uname;
######
# Add the CIDR value of a private network interface in HOME_NET in /etc/fwsnort/fwsnort.conf if you are using one. Not required if you have a single public interface.

/usr/sbin/fwsnort --no-ipt-sync --verbose

# Check log file for errors and correct accordingly
tail -f /var/log/fwsnort.log

#If you encounter the following errors
###
#[*] It does not appear that string match support has been compiled into
# Netfilter. Fwsnort will not be of very much use without this.
# ** NOTE: If you want to have fwsnort generate a Netfilter policy
# anyway, specify the --no-ipt-test option. Exiting.
#[root@extranet tmp]# tail -f /var/log/fwsnort.log
#[-] Netfilter ipv4options extension not available, disabling ipopts translation.

# then run this

# Update signatures
/usr/sbin/fwsnort --update-rules

#Then run this
/usr/sbin/fwsnort --no-ipt-test --verbose

# Run the generated Netfilter script

/etc/fwsnort/fwsnort.sh

# Enable auto-update of firewall rules
crontab -e

1 1 * * * /usr/sbin/fwsnort --no-ipt-test --verbose > /dev/null 2>&1 && sh /etc/fwsnort/fwsnort.sh > /dev/null 2>&1

# Enable auto-update of fwsnort signatures
crontab -e

0 0 * * * /usr/sbin/fwsnort --update-rules

/etc/rc.d/init.d/psad restart

rm -rf /tmp/fwsnort-1.0.5.tar.gz
rm -rf /tmp/fwsnort-1.0.5

# Enabling whitelisting and Special danger levels for IPs and Port.

Edit the /etc/psad/auto_dl for whitelisting or setting up an elevated danger zone.

# E.g. add the IP address of the nmap/nessus server to /etc/psad/auto_dl before starting the Nessus scan. Ensure that you restart psad after adding the IP address.

Friday, February 09, 2007

Hackers Attack Every 39 Seconds

Hackers attack computers every 39 seconds, according to new research.

The study, which investigated how exactly hackers crack computers, confirms those regularly issued warnings about password vulnerability. Experts advise longer passwords, regularly changed and not based on users' biographies, that mix letters and numerals and are hard to guess.

“Our data provide quantifiable evidence that attacks are happening all the time to computers with Internet connections,” study author Michel Cukier of the University of Maryland said. “The computers in our study were attacked, on average, 2,244 times a day.”

Today, hackers briefly overwhelmed at least DNS servers that help manage global computer traffic.

To test how hackers break into computers, Cukier’s team set up weak security on four Linux computers connected to the Internet and monitored hacker attacks.

Unlike the sophisticated hackers portrayed on TV and in films, these hackers weren’t targeting specific computers.

“Most of these attacks employ automated scripts that indiscriminately seek out thousands of computers at a time, looking for vulnerabilities,” Cukier said.

Sunday, April 30, 2006

Apache Now the Leader in SSL Servers

Apache has overtaken Microsoft as the leading developer of secure web servers. Apache now runs on 44.0% of secure web sites, compared to 43.8% for Microsoft.

Thursday, March 16, 2006

Beat Censorship using these proxies

Many schools, universities, offices, ISPs and countries like Saudi Arabia, China, Pakistan, Burma, Iran, North Korea, Vietnam, Cuba, Syria, Tunisia, Uzbekistan, Egypt, Belarus and Turkmenistan don't allow their surfers to access some web sites which they deem inappropriate.

Here is a list of 350+ proxy sites which let you surf any web site anonymously


You can also use the FoxyProxy http://foxyproxy.mozdev.org/ Firefox plugin and TOR http://tor.eff.org/ to browse anonymously.
Google Translate http://translate.google.com/ is also used to browse anonymously.