Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi,
I have a hosting server (cpanel/whm on FC4) with almost 500 accounts.
Till now no security incident has occurred. Yesterday I found a Perl script in the /tmp directory which launched some sort of DDoS attack (it sent 20Mbs to different networks on the internet).
Please tell me some guidelines about the way I could protect my server in the future from this kind of attack. (What could I do, are there any hardening tools, etc.?)
Is the /tmp directory in its own partition? If it is, then consider using the "noexec" and "nodev" mount options to mount this, and any other world-writable partition. There is also a nosuid option. Also, check for rootkits, and keep tabs on security messages that root gets. (I assume that there is a service that monitors the system for changes and emails a report once a day.)
The March edition of Linux Journal is about security. There are also books on Hardening Linux. Read messages on this site on security. There are websites dedicated to computer security also. Fedora Core uses RPM, so you can check the integrity of your packages with rpm -V. Make sure you have backups you can rely on if the worst happens. Some people will produce md5sums of system directories and the libraries, and save them offline. Then if you suspect an attack, you could compare. There are many other things that can be done, and will probably be suggested by other members on this board.
I forgot the most important thing. That is to keep an eye on the logs. The 'last' program can show you who has logged on. SuSE comes with a program called AppArmor. Perhaps FC4 has something similar.
The /tmp partition is world-writable by definition. Some directories in /var are also world-writable (/var/games, /var/lock, /var/mail, and /var/spool). I don't know what /var/games is for, probably if you run a game server. The lock, mail and spool directories have the sticky bit set, which prevents one user from deleting another user's files.
I don't believe that the /var partition is used to run code, so that may be another candidate for the "noexec" option.
I'm surprised that the person who used this script didn't delete it when they were done. If it was still running, you could have used the 'ps' command and 'lsof' command to find out who had a lock on the file, and what uid the process was running as. Hopefully, it wasn't a system user like mysql. What was the user name? If it was a system user, that could tell you that someone was able to crash that service. If it was owned by root then we're talking big trouble.
Hi there,
Thanks for your advice.
That is not my server and I don't know exactly how it was configured. A friend of mine who runs this hosting service asked me to help him harden his server.
The problem is that it uses cpanel for its management.
After I searched around I found the following:
- the installation started from an FC4 "minimal installation". Then cpanel installed everything (exim, apache, php etc). It manages everything on that system (user accounts, updates, backup etc). I don't like these automatic scripts like cpanel, webmin etc. You have no flexibility and you have to do everything from their interface. Otherwise things could get messed up. I would prefer a "by hand solution" where the admin is in control. But maybe for a hosting solution this is preferable.
Anyway:
/tmp is on its own partition: /dev/sda6 on /tmp type ext3 (rw,noexec,nosuid) [/tmp]
noexec and nosuid don't help in not running Perl scripts. It is world-writable because it is needed by some services (apache, mysql etc) and I think it needs to remain this way. The sticky bit is set.
I've installed AIDE, rkhunter, chkrootkit, a log management system etc. Apache, php, mysql etc are stable and updated (not the latest version, but a version without major known bugs). I will also set up a firewall not to allow outbound connections.
The problem is that there are 200-300 user hosting accounts and every user is responsible for the content of their site, scripts etc. Practically everyone could copy/install anything in their /home directory.
I'll try to find who owned that Perl script. Let's suppose (and I suppose) that apache owned that script. What could I do to prevent something similar?
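Added example (not the thread's own code, and not part of cpanel or any tool named here) covering two points from this exchange: the mount-option advice from the earlier reply, and the note just above that noexec on /tmp does not stop "perl /tmp/script.pl", since the interpreter is the executable. The first function checks world-writable mounts for noexec/nosuid/nodev; the second flags interpreter processes that were handed a script path under such a mount. The function names and the sample mount and ps lines are constructed.

```shell
# Mount points any user may write to; each should carry all three options.
WW_MOUNTS="/tmp /var/tmp /dev/shm"

# check_mount_opts <mounts-text>: input in /proc/mounts format
# ("<dev> <mountpoint> <fstype> <options> 0 0"). Prints
# "<mountpoint> missing:<opt>[,<opt>]" for each world-writable mount that
# lacks noexec, nosuid or nodev; prints nothing when all three are set.
check_mount_opts() {
    printf '%s\n' "$1" | while read -r _dev mnt _fs opts _rest; do
        case " $WW_MOUNTS " in *" $mnt "*) ;; *) continue ;; esac
        missing=""
        for want in noexec nosuid nodev; do
            case ",$opts," in *",$want,"*) ;; *) missing="$missing,$want" ;; esac
        done
        if [ -n "$missing" ]; then printf '%s missing:%s\n' "$mnt" "${missing#,}"; fi
    done
}

# find_scripts_in_tmp <ps-text>: input lines are "<pid> <user> <args...>" as
# printed by `ps -eo pid,user,args --no-headers`. noexec stops /tmp/x.pl from
# running directly but not "perl /tmp/x.pl", so this flags interpreters given
# a path under a world-writable mount. Output: "<pid> <user> <script-path>".
find_scripts_in_tmp() {
    printf '%s\n' "$1" | while read -r pid user cmd args; do
        case "${cmd##*/}" in
            perl|python|python2|python3|php|sh|bash|ruby) ;;
            *) continue ;;
        esac
        set -f   # no globbing while splitting $args (scoped to the pipe's subshell)
        for a in $args; do
            case "$a" in
                /tmp/*|/var/tmp/*|/dev/shm/*) printf '%s %s %s\n' "$pid" "$user" "$a"; break ;;
            esac
        done
    done
}

# Constructed sample input; the /tmp line mirrors the mount quoted in the thread.
SAMPLE_MOUNTS='/dev/sda6 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda5 /var ext3 rw 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0'
SAMPLE_PS='1042 root /usr/sbin/httpd -k start
2230 apache perl /tmp/.s/script.pl
2231 mysql /usr/libexec/mysqld --basedir=/usr
2290 apache /bin/sh -c /var/tmp/run.sh'

check_mount_opts "$SAMPLE_MOUNTS"      # prints: /tmp missing:nodev
find_scripts_in_tmp "$SAMPLE_PS"       # prints the two apache-owned script lines
```

On a live system run check_mount_opts "$(cat /proc/mounts)" and find_scripts_in_tmp "$(ps -eo pid,user,args --no-headers)"; a hit from the second check is the moment to use lsof, as suggested above, before the process exits.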
I was also interested in how to protect the server from the same thing happening, and from what I read I would advise the following:
- install an app/antivirus that will monitor tmp folders for malware, such as maldet (Linux Malware Detect) in daemon mode, or just a bash script.
- install CXS or, if not willing to spend money (I think it is worth the price), then use Linux Malware Detect. CXS scans files as they are uploaded via HTTP or FTP so it prevents many bad shells from being uploaded.
- try to Google ModSecurity and see if you can create some rule that will prevent people from loading Perl/Python scripts into /tmp
- use a good ModSecurity rule set. I am using the Comodo free ModSec rules and they are not bad.