I’ve updated the modsec.sh script to include some new rules from gotroot.com.
Check out its new permanent page at http://www.skyhorse.org/web-server-administration/auto-update-modsecurity-rules-modsecsh/
Tags: cPanel, Downloads, hacking, hosting, mod-security, WHMRelated posts:
I have recently gone more deeply into the bare bones of WHM and cPanel 10 to improve security, reduce bandwidth and cpu usage and generaly make sure servers are as good as they can possibly be.
So, in the process, I had to go deep into tons of scripts, code, discussions, forums and google to find out the best configurations and how to achieve them.
This is an on-going guide, not meant to be new release of information but more an aggregation of several feeds, with an hands-on approach.
It is not intended for the basic setup, nor for basic security (like disabling telnet) but more for obscure or interesting tweaks, which are either hard to find or you simply wouldn’t be looking for them.
I’ll be updating it regularly.
Enjoy!
The Definite Guide of Obscure Tweaks to Install and Maintain cPanel / WHM (version 10)
1) Since verification is now done on the RCPT stage, make the default catch-all to :fail: , not :blackhole: . For new accounts, change the settings in the “tweak settings” from WHM. For existing accounts, see script below.
The reasons are:
1. :blackhole: accepts the email and receives it, then sends it to /dev/null. This wastes your bandwidth and actually breaks the SMTP RFC because you’re not notifying the sender that the email is undelivered.
2. :fail: stops the email from being received, because verify = recipient occurs at the RCPT phase of the SMTP exchange before any data has been received. No bounce is sent, the exchange simply termintates with an SMTP error code. This means much less processing resources on your SMTP server, much less bandwidth (you don’t actually receive the email) and you maintain RFC compliance by notifying the senders SMTP server that the delivery failed (which spammers ignore and real people appreciate if they’ve made an addressing mistake).
(Jonathan Michaelson)
ACTION
Script to change all existing catch-all emails from :blackhole: to :fail:
Run this in a different directory than valiases, I recomend your home directory because it will create a backup of the current aliases (just in case)
This also keeps permissions and owners settings.
tar -cf valiases_backup.tar /etc/valiases/*
gzip valiases_backup.tar
files=`find /etc/valiases -type f`
for file in $files
do
cp -p $file $file.tmp
cat /dev/null > $file.tmp
cat $file | sed ’s/\:blackhole\:/\:fail\:/g’ > $file.tmp
mv $file.tmp $file -f
done
2) Let exim read userdomains!
It happens that eximstats cannot read /etc/userdomains as this fille is owned by root.mail, and smtp records in /var/log/exim_mainlog dont contain the system user so a lookup must be used.
This affects bandwidth measures will improve the accurracy, by including transfers in the users which were previously being counted towards the mailnull or cpanel user.
ACTION
open /etc/passwd with your favourite editor and change this line:
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
to
mailnull:x:47:12::/var/spool/mqueue:/sbin/nologin
3)Fix BFD to properly check the Exim logs
You should already be running APF and BFD.
BFD 0.9 script does not work for me , and it doesnt parse exim logs properly, so I had to hack it.
I would advise you to do the same, if you want to block IP addresses that consistently try to flood your email server and they belong to a spam list
ACTION
In the BFD itself, I changed one line. Here’s the diff:
root@host [/usr/local/bfd]# diff bfd bfd.backup
126c126
< for ihost in `echo $ARG_VAL | tr ' ' '\n' | tr ':' ' ' | awk '{print$1}' | grep -E '[.0-9]+' | sort -u`; do
—
> for ihost in `echo $ARG_VAL | tr ‘ ‘ ‘\n’ | tr ‘:’ ‘ ‘ | awk ‘{print$1}’ | grep -E ‘[.0-9]+’ | uniq`; do
In the rules directory , I changed my exim file and it looks like this now:
REQ=”/usr/sbin/exim”
if [ -f "$REQ" ]; then
LP=”/var/log/exim_mainlog”
TLOG_TF=”exim”
TRIG=”10″
# Max log entries to process at once for this rule
MLOG=2500
## EXIM
ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -iw “rejected RCPT” | awk ‘{print$4}’ | tr -d ‘[]‘ | tr ‘:’ ‘ ‘ | awk ‘{print$1}’ | grep -E ‘^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$’ | tail -n $MLOG`
fi
I have also setup BFD to run once a minute, with minimal performance impact.
DISCUSSION
I found that uniq doesnt really uniq the list down, but simply uniques lines that are consecutively repeated. So it will change this:
192.168.0.1
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.1
into this:
192.168.0.1
192.168.0.2
192.168.0.3
192.168.0.1
when in reality, what we want is this:
192.168.0.1
192.168.0.2
192.168.0.3
which is what sort -u does.
The original exim rules don’t parse my exim log properly, so my exim file placed in the directory rules does the job. I found that the original rule does not take the ip address properly, because it tries to make a match at 192.168.0.1:1312, where in reality we need first to remove the port number (:1312) and then look for an ip address, I also found it lets things like (domain.com) pass, which shouldn’t.
– Monitoring
1) Make sure you get an e-mail everytime root logs in!
ACTION
Edit your .bash_profile and include these lines:
echo ‘ALERT - Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`” your@email.com
your@email.com should be an external e-mail address for obvious reasons.
2)Set an SSH Legal Message
ACTION
To add a SSH legal message upon login, SSH into server and login as root.
At command prompt type: pico /etc/motd
Enter your message, save and exit.
3) Get an e-mail every day with the total disk usage plus the 30 biggest directories.
It’s easy, simply add this to cron:
du / | sort -n | tail -n 30 | mail -s "Daily disk usage report" your@email.com
4)Use LogWatch to get an e-mail with details parsed from your server logs.
Apart from the normal instalation of LogWatch, to make it useful take these steps:
- edit the /usr/share/logwatch/default.conf/logwatch.conf
change: the email destination (external email is better) , set Detail to medium or high (I would set to high)
- edit /etc/logwatch/override.conf (originally this file is empty) and put these lines:
logfiles/exim: LogFile = exim_mainlog
logfiles/http: LogFile = /usr/local/apache/logs/access_log
services/pop3: *OnlyService = cpanelpop
services/pop3: *RemoveHeaders = 1
services/pure-ftpd: LogFile = messages
This overrides the logfiles and messages for some of the services, these are the working ones under cPanel 10.8 (not using maildir).
In my current version (Logwatch 7.2.1 and cPanel 10.8.1) both POP3 and Exim parsing does not work properly. I have recoded the POP3 perl script to output something useful, but this is work in progress still.
I am working on the Exim script now, but I am having serious problems with performance.
Once I have both script ready, I’ll post them here.
Pure ftpd is not working either, but I think this is a configuration issue, not a problem with the parser itself.
Run logwatch once from the command line and see if you like the emails. Tweak as necessary.
5)PRM - (Process Resource Monitor) . This tool does what it says on the tin.
Quick reference article, taken from Crucial Paradigm help pages:
How to install PRM (Process Resource Monitor)
PRM (Process Resource Monitor)
Introduction
PRM monitors the process table on a given system and matches process id’s with set resource limits in the config file or per-process based rules. Process id’s that match or exceed the set limits are logged and killed; includes e-mail alerts, kernel logging routine and more…
How it works?
PRM works on the basis that once a process id is found matching resource limits; there is a corresponding trigger and wait value. The trigger value increments upwards from zero (0) to the defined value, pausing the duration of seconds defined as wait value. There after the status of the flagged pid is checked again, if still above or equal to resource limits the trigger/wait cycle begins again till the max trigger value is reached. When this trigger value is reached the given process is logged/killed.
This all together has the effect that applications with short burst resource spikes (e.g: apache, mysql etc..) are not killed; but rather on applications with prolonged resource consumption. Using the rule system, you can define different wait/trigger/resource values for any application.
Installation
First we must fetch the package:
wget http://www.rfxnetworks.com/downloads/prm-current.tar.gz
And extract it:
tar xvfz prm-current.tar.gz
The current version of prm as of this writing is 0.3, so lets cd to the 0.3 extracted path:
cd prm-0.3/
And finally run the enclosed install.sh script:
./install.sh
Configuration
The prm installation is located at ‘/usr/local/prm’, and the configuration file is labeled ‘conf.prm’.
Open the ‘/usr/local/prm/conf.prm’ file with your preferred editor. There is an array of options in this file but we will only be focusing on the main variables.
Lets skip down to the user e-mail alert’s section and set the USR_ALERT value to ‘1′; enabling alerts.
# enable user e-mail alerts [0=disabled,1=enabled] USR_ALERT=”1″
And configure our e-mail addresses for alerts:
# e-mail address for alerts USR_ADDR=”root, you@domain.com”
Check the 5,10, or 15 minute load average; relative to the later option below for min. load level.
# check 5,10,15 minute load average. [1,2,3 respective of 5,10,15] LC=”1″
PRM optionally has a required load average for running. If the load is not equal to or greater than this value; PRM will not run. Setting this value to zero will force the script to always run but this should not be needed.
# min load level required to run (decimal values unsupported) MIN_LOAD=”1″
This is the introduction described wait value, used for pauses between trigger increments. The value of wait multiplied by the value of kill_trig equal the duration of time before a process is killed (10×3=30seconds).
# seconds to wait before rechecking a flagged pid (pid’s noted resource # intensive but not yet killed). WAIT=”10″
The trigger limit before processes are killed, described in detail in the above ‘wait’ description and introduction.
# counter limit that a process must reach prior to kill. The counter value # increases for a process flagged resource intensive on rechecks. KILL_TRIG=”3″
The max percentage of CPU a process should be allowed to use before PRM flags it for killing.
# Max CPU usage readout for a process - % of all cpu resources (decimal values unsupported) MAXCPU=”35″
The max percentage of MEM a process should be allowed to use before PRM flags it for killing.
# Max MEM usage readout for a process - % of system total memory (decimal values unsupported) MAXMEM=”15″
That is it; you should tweak the MAXCPU/MAXMEM limits to your desired needs but the defaults should be fine for most.
Usage
The executable program resides in ‘/usr/local/prm/prm’ and ‘/usr/local/sbin/prm’. The prm executable can receive one of two arguments:
-s Standard run
-q Quiet run
The log path for prm is ‘/usr/local/prm/prm_log’, as well pid specific logs are stored in ‘/usr/local/prm/killed/’.
A default cronjob for PRM is installed to ‘/etc/cron.d/prm’, and is configured to run once every 5 minutes.
There is a provided ignore file, to ignore processes based on string rules. The ignore file is located at ‘/usr/local/prm/ignore’. This file supports line separated ignore strings. As a default the strings ‘root, named and postgre’ are ignored by PRM; this script was not intended to monitor root processes but rather user land tasks. It could easily watch root processes by removing the given line in the ignore file but this is strongly discouraged.
– Web (apache)
1) Remove version information from Apache (check Security by Obscurity part)
2) Activate the Php open_basedir Tweak (go to Tweak Security in WHM)
3) Install Modsecurity
Mod security allows filtering the incoming requests. There are already filters available on the web to use straight away and they are updated regularly.
ACTION
Go to the “Addon Modules” in WHM and check the Modsecurity module
You now have to edit your Apache httpd.conf file (usually resides in /usr/local/apache/conf/httpd.conf)
cPanel should have added this line in there already for you, but double check anyway:
Include "/usr/local/apache/conf/modsec.conf"
Now, edit the modsec.conf file.
This is how my modsec.conf file looks like. You might want to change some settings. Notice the inclusion of the rules for the modsecurity module:
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction “deny,log,status:406″
SecFilterSelective REMOTE_ADDR “^127.0.0.1$” nolog,allow
Include “/usr/local/apache/conf/modsec.user.conf”
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
#Include /etc/modsecurity/rules.conf
#Comment spam rules
Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
#Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
#Include /etc/modsecurity/apache2-rules.conf
The reason I don’t use all rules is because some where crashing my apache. Anyway, you see the /etc/modsecurity needs to exist and the rules need to be there. So go ahead and mkdir /etc/modsecurity
Now, you need the rules. You can download them from gotroot.com website. I have, however, made a script to auto-update these rules, based on a existing script from gotroot.com. I was informed they will include my script on their page soon, but meanwhile you can download it here.
Here’s the direct link to gotroot.com rules page:
http://www.gotroot.com/tiki-index.php?page=mod_security+rules
If you use my script, just put it in /etc/modsecurity and run it. It should download the rules if you don’t have them yet or update them if you have an old version. It also tries to restart apache, so no need to do that manually. You’ll get an error if apache doesn’t load.
– Security by Obscurity
I will include here the necessary steps to remove all version information from named, exim, apache and cppop.
Some recommended actions:
1)Change the default port for SSH. Ideally you should have as litle shell users as possible, so it is not an inconvenient to advise whoever uses it to use a different non-standard port.
On a regular day, even with pro-active firewalling, you will have hundreds of attempts to connect to SSH. Serious. This is how you do it:
ACTION
sudo pico -w /etc/ssh/sshd_config
You’ll probably see this:
#Port 22
Change this to:
Port 12345
Or whatever port number you like, keeping in mind not to use any other standard port for other services (I recommend anything between 9999 and 49151)
While you’re at it, remove ssh version 1 from usage:
Protocol 2
You can also only listen on certain IP addresses and there are plenty of other options here, play around.
Now you need to close port 22 on your firewall and open your new port up:
sudo pico -w /etc/apf/conf.apf
Look for your line looking like this one:
IG_TCP_CPORTS=”20,21,25,26,53,80,110,143,443….”
and remove 22 and add your new port.
After you finish, just do:
apf –restart
service sshd restart
Before you logoff, you better ensure your configuration is working:
ssh -2 -l username -p newPortNumber yourhost.com
Now, you might want to change your local SSH client options to set the new port number and protocol, just so you don’t have to do that all the time. Under linux, this can easily be done by editing, this time on your local computer, the same ssh_config file:
sudo pico -w /etc/ssh/ssh_config
Add these lines:
Host yourdomain.com
Port 12345 (your port number)
Protocol 2
Thats it!
– Handy scripts and information
I have made a few scripts to solve some common problems, such as removing the .cpanel-datastore from all your accounts home directory and the .cpanel-ducache as well.
Other things include fixing the /home directory permissions.
In a post near you…
cPanel and WHM list of used (or possibly used) incoming ports:
20 FTP Data (if you FTP out)
21 FTP (TCP)
22 SSH (TCP) (only if you haven’t changed this, as recommended)
25 SMTP (TCP)
53 DNS - Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 SMTPs (TCP)
953 ??BIND??
993 IMAP4s protocol over TLS/SSL (TCP)
995 POP3s protocol over TLS/SSL (TCP)
2082 CPANEL (TCP)
2083 CPANEL SSL (TCP)
2084 entropychat server (TCP)
2086 WHM (TCP)
2087 WHM SSL (TCP)
2095 WebMail (TCP)
2096 WebMail SSL (TCP)
3306 mySQL remote access (TCP)
6666 Melange chat Server (TCP)
7786 Interchange (TCP)
3000_3500
—–
5100 for ASP,
8080 and 8443 for JSP
Related posts:
I’m one of those who spent hours moving from DirectAdmin to cPanel, and in the meantime I’ve developed a couple of usefull tools to help me do it.
For the sanity of everyone ever trying to achieve this, forget googling because there is no tool available ATM. No one has ever started a script simply because the transition from DA to CP are so different that it is unthinkable.
There are scripts to move from cPanel to DirectAdmin though
I’ve started a BASH script that basically takes the files already available under the directories “backup” and “domains”, puts them nicely under one directory and tar-gzips it all. (the backup and domains directories come from untaring the User Backup created under DirectAdmin)
you then have to upload the resulting tar-gzip to the newly created cPanel account and untar-zip it. The file manager in cPanel does this with a click.
This script still has LOADS of problems, and if you’re unexperienced with the linux FS, permissions, etc… don’t come this way
What this does, however, is saving a lot of time if the accounts in question have many e-mails accounts (I did this because some of my clients had 100+ emails), and also takes care of the user files (public_html and everything else)
Resuming, this is what the script does:
- copy the quota file
- copy the IMAP folders and inbox folder of the main account
- copy the squirrelmail settings
for EACH e-mail account it does this:
- generate the entry and update the shadow and passwd file with its username and password (you keep everyone’s passwords!)
- copy the IMAP folders and inbox to the respective directory
to the domain files, it does this also:
- update references in every file (php, html, etc) by removing “domains/domain.net”
(ie /home/skyhorse/domains/skyhorse.org/public_html becomes /home/skyhorse/public_html)
This does not handle FTP settings, subdomain settings, dns settings, or anything else.
But hey, it saved me hundreds of hours of pain…
It is easily improved, so if you do, please send it back to me
BTW, the scripts assumes you’re using the SAME username in directadmin and in cpanel for each account, and the same domains as well.
It can also take a bit of hard disk space, since it literally duplicates the accounts files. If this is an issue, script around it to use the /tmp directory or even better, do some pipelining with tar
One last thing, although you see the CHMOD command being used, when untaring all files loose the damn permissions.
you NEED to change the permissions manually (inbox NEEDS to be group writable) or find a way to resolve the issue, which I couldn’t.
Here it is anyway, remember to replace the variables with your own settings:
# bash
# Copyleft (C) SkyHorse 2004
# for each account:
# put passwd as passwd + shadow
# quota (if != 0)
# into ~/etc/%domain%
GENDOMAIN=domain.com
GENUSERNAME=accuser
NEWACCPASS=accpass
MYFILESPATH=/home/skyhorse/temp_sites
mkdir result
mkdir result/mail
mkdir result/mail/$GENDOMAIN
mkdir result/etc
mkdir result/etc/$GENDOMAIN
cp $MYFILESPATH/$GENUSERNAME/backup/$GENDOMAIN/email/quota result/etc/quota
chmod 644 result/etc/quota
touch result/etc/shadow
chmod 640 result/etc/shadow
touch result/etc/passwd
chmod 644 result/etc/passwd
chmod 660 $MYFILESPATH/$GENUSERNAME/backup/email_data/imap/*
cp $MYFILESPATH/$GENUSERNAME/backup/email_data/imap/* result/mail
cp $MYFILESPATH/$GENUSERNAME/backup/email_data/pop/$GENUSERNAME result/mail/inbox
chmod 660 result/mail/inbox
mkdir result/.sqmaildata
cp $MYFILESPATH/$GENUSERNAME/backup/email_data/squirrelmail/* result/.sqmaildata
ENTRY=`cat $MYFILESPATH/$GENUSERNAME/backup/$GENDOMAIN/email/passwd`
for line in $ENTRY
do
login=`echo $line | sed s/[:].*//`
pass=`echo $line | sed s/.*[:]//`
mkdir result/mail/$GENDOMAIN/$login
mkdir result/mail/$login
echo $login:x:32120:622::/home/$GENUSERNAME/mail/$GENDOMAIN/$login:/usr/local/cpanel/bin/noshell >> result/etc/passwd
echo $login:$pass::::::: >> result/etc/shadow
chmod 750 result/mail/$GENDOMAIN/$login
cp $MYFILESPATH/$GENUSERNAME/backup/$GENDOMAIN/email/data/pop/$login result/mail/$GENDOMAIN/$login/inbox
chmod 660 result/mail/$GENDOMAIN/$login/inbox
cp $MYFILESPATH/$GENUSERNAME/backup/$GENDOMAIN/email/data/imap/$login/.mailboxlist result/mail/$GENDOMAIN/$login/
cp $MYFILESPATH/$GENUSERNAME/backup/$GENDOMAIN/email/data/imap/$login/mail/* result/mail/$GENDOMAIN/$login/
touch result/mail/$login/inbox
chmod 660 result/mail/$login/inbox
done
cp result/etc/* result/etc/$GENDOMAIN/
#domain files
cd domains/$GENDOMAIN
#update file references - this one liner deletes domains/domain.net in every file of the tree.
# efectively changes:
#/home/username/domains/domain.net/public_html into
#/home/username/public_html
find ./ -type f -exec sed -i ’s/domains\/$GENDOMAIN\///’ {} \;
cp -R * ../../result
cd ../../result
tar –owner=$GENUSERNAME –group=$GENUSERNAME -czf ../$GENUSERNAME-$GENDOMAIN.tar.gz *
cd ..
#upload tar.gz
#I have ncftpput installed, but because most people don’t, I’ve commented it out
#ncftpput -u $GENUSERNAME -p $NEWACCPASS localhost / $GENUSERNAME-$GENDOMAIN.tar.gz
#database:
#mysql
#subdomains
#ftp
Tags: cPanel, directadmin, Downloads, hosting, Programming, scripts, Web Design, WHMRelated posts:
Some web applications, like my own cPanel and Web Mail, use non-standard tcp ports. Usually this is because they are part of a software package that runs alongside Apache but does not use it to serve the pages.
Problem is many corporate and university firewalls do not allow access to ports such as 2095 and makes all the neat web apps like the ones above completely useless until you get home (where you probably have some other e-mail software anyway).
For some time I have used a simple port redirector installed on my home computer which allowed me to see my e-mails from my work place and my university. This is a bit annoying, though, because not only I have to leave my pc on the all day just for this but also because it is a slower connection and I am the only one who can use it (yes, I am thinking about my own hosting clients/partners who complain about the same problem).
So, I am starting a journey to make a ‘transparent’ PHP application that can successfully accept an incoming HTTP connection, grab the headers and open a server-side connection to another service and use the incoming headers for the request. Upon reception of the response, the script must alter *all* tags to its own name and append a single GET variable with the original href.
Thus, on a simple page, where there is a:
<a xhref=”www.skyhorse.org/abc.html?I=rule” mce_href=”www.skyhorse.org/abc.html?I=rule”>
there will be a:
<a xhref=”redirector.php?requestedURL=’www.skyhorse.org/abc.html?I=rule’” mce_href=”redirector.php?requestedURL=’www.skyhorse.org/abc.html?I=rule’”>
I still don’t know if the use of ‘ or even ” will be tolerated by the HTTP request, but I think as a last resort I can always do some kind of two-way encoding (like base64 or something similar) to encode the original request in an AsciiSimple format.
For now, I have some proof of concept working (yikes, I can open a server-side socket in PHP!) but I am still a long way before I turn off my home computer during the day :)
If anyone has any information on how to accomplish what I am trying to do, please, do give me a shout :)
– Update 1
After some time I discovered another major issue: Images!
I think I will have to make a standalone script or function in PHP just to handle the redirection of images… yes, because there has to be a request for images to a PHP script and those images have to be quested server-side and returned… mmm … maybe not that complicated, just a redirect.php?requestImage=originalURL and the request.php will take care of returning just the binary information taken directly from the server-side connection made to the service… could work… will work!
–Update 2
Ok, so, I finally discovered I was re-inventing the wheel…
I had already looked for this on the web, but couldn’t find anything. But now I stumbled upon cpanelproxy .
It does exactly what is says on the label: server-side proxy to cPanel.
It’s funny how the script I was writting was starting to look like the script they made! Unfortunatelly it does not yet support SSL, perhaps I could find a way to implement it, but I think it would be almost impossible…
Related posts:
NMA Brand Republic iMedia Connection: Consumer Strategies Behavioural Targeting news Adotas MarketingVox SimsCity blog Donald Hamilton Don't be Square mindcode ZDnet Security