Archive for the ‘Security’ Category

wordpress & wordpress MU mass upgrade script 2.9.2

Tuesday, February 16th, 2010 by Liz Quilty

Okay, I have rolled the usual ‘upgrade all instances of wordpress’ script.

In this version I finally got around to checking the permissions prior to updating and changing the ownership of them back to that owner afterwards. This was breaking things and could be rather annoying before if you had more than 5 sites to fix permissions on.

Also, I did a database check to make sure your schema is the latest version; if not, it will display the upgrade.php link which will do it for you (before it just showed that regardless).

Let me know if you have any bugs at all, or any problems.

Here’s your script to upgrade them all.
wget http://b.ri.mu/files/wordpress-upgrade-2.9.2.sh ; sh wordpress-upgrade-2.9.2.sh

Because the previous WordPress MU version number has one fewer component (it shows up as 2.8.5 rather than 2.9.1.1), you may notice that it says
You have version 2.8.5; located at /path/etc

Just ignore it, it's not going to matter: so long as the version isn't current, it needs to be upgraded :)

What's using all my disk space up?

Thursday, February 4th, 2010 by Liz Quilty

Often we get asked by customers ‘What is using up all my disk space on my VPS?’ Usually we track it down to log files not being rotated, email, etc.

Here are a few of the commands we use to do that.

You can find what's using space with du -sh as root, i.e.

du -sh /*

This gives you an idea of which directories are using space (it may take a bit). From there you can cd into those directories and run du -sh again to narrow it down. If you drop the -h (human readable) you can use --max-depth=5 to get 5 levels deep, then look at the larger numbers to see what is taking up the space.

Here is a command I often use to do it in one go. This will return the 20 largest subdirectories over 100MB, with sizes shown in MB (du is run with -k so the kilobyte threshold and the /1024 in the awk line match):

du -k --max-depth=5 / | sort -g | awk '{if($1 > 102400) print $1/1024 "MB" " " $2 }' | tail -n 20

From here you can find the 15 largest files with

find /path -printf "%k %p\n" | sort -g -k 1,1 | awk '{if($1 > 102400) print $1/1024 "MB" " " $2 }' |tail -n 15

A couple of quick, easy fixes:

Debian package caches
apt-get clean # this removes all your downloaded packages no longer needed

btmp
rm /var/log/btmp # This file can safely be removed. It's used by the command ‘lastb’ which lists failed login attempts by users. It can get rather large if there are automated attacks on your VPS.

tmp
rm -r /tmp/* # double check what's in here first, there may be valid session files etc. you don't want removed. Rebooting often clears this out automatically anyway.

mysql
/var/lib/mysql/ibdata1 – this is a tricky one. It's a well documented bug/feature if you are using InnoDB tables. You can read about it here: http://bugs.mysql.com/bug.php?id=1341
There are several suggested fixes, however they all involve dumping the databases, removing the file, then re-importing them all.
While you are doing it, add the following option into the my.cnf for mysql:
innodb_file_per_table
This will prevent it coming back.

Summary

Nine times out of ten most (possibly reclaimable) space is used up under /var or /home. /usr will typically be largeish (a GB or two) but its contents are typically required to run your server. Don't mess with /proc. Don't delete things you are unsure about; it is best to check (via Google, or email us) before deleting anything. Often it pays to move something elsewhere (a trash folder?) to see if it breaks things; if it does, move it back. If it doesn't break things, then you can rm it next week when you are sure.

If you need more disk space and you are on a RimuHosting VPS, you can add more space from your control panel.

Keeping Tabs on Successful Logins

Thursday, December 17th, 2009 by davidmace

There are a number of things that any sysadmin should be doing (or is already doing) to keep tabs on the systems they manage. One of the things that I do which is quite simple (read: quick and dirty) is having my server send me a message anytime a user logs into the server. I just pop the following line at the top of /etc/profile to do that:

echo "`whoami` logged in at `date`" | mail -s "`hostname` login" youraddress@example.com

The resulting message would look like this:

root logged in at Wed Dec 16 16:39:37 UTC 2009

It's not fancy or sophisticated by any stretch of the imagination. Moving your ssh port, limiting access to that port via your packet filter and disabling interactive authentication are among the options to tighten up ssh access so that it doesn't happen in the first place... but what if. :)

My systems do not see very many interactive logins (and they had better be me) so the resulting emails are not a burden on my inbox. But if somebody did manage to get a shell on my server, I should see an email giving me a heads up.
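The one-liner above tells you who and when, but not from where. The following is an added example (not from the original post) of a slightly richer version meant for /etc/profile.d/login-notice.sh (an assumed path): it pulls the client address out of sshd's SSH_CONNECTION variable, falls back to "console" when that is unset, sends the mail in the background so a slow MTA never delays the login, and only fires for interactive shells. NOTIFY_TO and the function names are mine.

```shell
# Added example, not from the original post: a variant of the /etc/profile
# one-liner that also records where the login came from. Assumes sshd's
# SSH_CONNECTION ("client_ip client_port server_ip server_port") is set for
# ssh sessions; NOTIFY_TO (assumed name) is the address to mail.

# Build the message text from explicit arguments so it can be checked
# without a real login. An empty SSH_CONNECTION means a console/serial login.
login_notice() {
    user="$1"; host="$2"; conn="$3"; when="$4"
    src="console"
    if [ -n "$conn" ]; then
        set -- $conn            # split on whitespace; first field is the client IP
        src="$1"
    fi
    printf '%s logged in to %s from %s at %s\n' "$user" "$host" "$src" "$when"
}

# Send it. Runs in the background so a slow MTA never delays the login.
notify_login() {
    login_notice "$(id -un)" "$(hostname)" "${SSH_CONNECTION:-}" "$(date -u)" |
        mail -s "$(hostname) login: $(id -un)" "${NOTIFY_TO:-root}" &
}

# /etc/profile is only read by interactive login shells, so scp, sftp and
# "ssh host command" never trigger this; the $- test keeps it out of
# non-interactive scripts that happen to source this file.
case "$-" in
    *i*) notify_login ;;
esac
```

The same limitation applies to the original one-liner: anything that does not start an interactive login shell goes unreported, so treat this as a tripwire, not a log.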

Quick and easy iptables blocking and firewalling basics

Friday, December 4th, 2009 by Liz Quilty

A customer who emailed in today had noticed somebody trying to hack or crash his VPS. He tracked it down to one particular IP address but didn't know how to block it.

There are several things you can do to block it; the better long-term option is probably using a firewall like iptables.

To block a single IP address with iptables you run the following

iptables -A INPUT -s offendingip -j DROP

This simply drops all packets from that source IP address. The rule is not saved across a reboot, so to persist it you can run the following command:

iptables-save >/etc/iptables-save

This saves all your rules into that file; now you just need a way of importing those rules, which is as follows:

iptables-restore < /etc/iptables-save

By adding this to your network-up scripts, the rules are automatically imported on every reboot when your network comes up.

Under RHEL/CentOS you can use the following commands.
To save the rules to the /etc/sysconfig/iptables file:

# /etc/init.d/iptables save

To restore the rules from the /etc/sysconfig/iptables file:

# /etc/init.d/iptables start

If you are using Debian Linux open /etc/network/interfaces:

# vi /etc/network/interfaces

Append this line to the eth0 section:

post-up iptables-restore < /etc/iptables-save
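As an added example (not from the original post), here is a small script that does the three Debian steps above in one go: it refuses anything that is not a plain IPv4 address or CIDR range, appends the DROP rule to the INPUT chain, saves the rule set to /etc/iptables-save, and inserts the post-up line directly under the eth0 stanza rather than at the end of the file (where it would sit outside any interface and be ignored). The file path and interface name are the post's; DRY_RUN and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: block one source address
# with iptables and persist it the Debian way described above.
# Assumptions: /etc/iptables-save as the rule file and eth0 as the
# interface (both from the post); set DRY_RUN=1 to print instead of run.

DRY_RUN="${DRY_RUN:-0}"
SAVE_FILE="${SAVE_FILE:-/etc/iptables-save}"

# Accept only a dotted-quad IPv4 address, optionally with a /prefix, so a
# hostname, a typo or anything with shell metacharacters never reaches
# iptables.
valid_ipv4() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    printf '%s\n' "$1" | awk '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        {
            n = split($0, part, "[./]")
            for (i = 1; i <= 4; i++) if (part[i] + 0 > 255) exit 1
            if (n == 5 && part[5] + 0 > 32) exit 1
            exit 0
        }'
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append a DROP rule for the address to the INPUT chain (chain names are
# case sensitive: INPUT, not input).
block_ip() {
    if ! valid_ipv4 "$1"; then
        echo "block_ip: '$1' is not an IPv4 address or CIDR" >&2
        return 1
    fi
    run iptables -A INPUT -s "$1" -j DROP
}

# Dump the live rule set to SAVE_FILE so it can be restored at boot.
persist_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables-save > %s\n' "$SAVE_FILE"
    else
        iptables-save > "$SAVE_FILE"
    fi
}

# Print the interfaces file with the restore hook added directly under the
# "iface eth0 ..." line (post-up must sit inside the stanza). If the hook is
# already present the file is printed unchanged, so this is safe to rerun.
add_post_up() {
    if grep -q "iptables-restore < $SAVE_FILE" "$1"; then
        cat "$1"
        return 0
    fi
    awk -v hook="    post-up iptables-restore < $SAVE_FILE" '
        { print }
        /^iface eth0 / && !done { print hook; done = 1 }' "$1"
}

# Usage as root: sh block-ip.sh 203.0.113.7   (DRY_RUN=1 to preview)
if [ $# -gt 0 ]; then
    block_ip "$1" && persist_rules
fi
```

To wire up the boot-time restore, run add_post_up /etc/network/interfaces > /tmp/interfaces.new, check the result, then copy it over the original.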

As always, if you get stuck at all, just drop us an email at support, we are only too happy to help out.

apache modules to help keep your system steady

Monday, November 23rd, 2009 by Liz Quilty

libapache2-mod-bw – bandwidth limiting module

This module allows you to limit bandwidth usage on every virtual host or directory or to restrict the number of simultaneous connections.

The bandwidth control, for example, can be configured according to the criteria: origin of the connection, file extension, file size or user agent of the client.
Example:

LoadModule bw_module /usr/lib/apache2/modules/mod_bw.so
BandWidthModule On
BandWidth all 40000
MinBandWidth all 10000
ForceBandWidthModule On

libapache2-mod-defensible – module for Apache2 which provides DNSBL usage

mod_defensible implements usage of DNSBL servers to block access to a Web site or to specific locations.

Example:

DnsblUse On
DnsblServers httpbl.abuse.ch sbl-xbl.spamhaus.org
DnsblNameserver 145.253.2.75

libapache2-mod-evasive – evasive module to minimize HTTP DoS or brute force attacks

mod_evasive is an evasive maneuvers module for Apache to provide some protection in the event of an HTTP DoS or DDoS attack or brute force attack.

It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, etc.

Example:

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
</IfModule>

It also comes with a perl script to test it.

vps:/etc/apache2/mods-available# perl /usr/share/doc/libapache2-mod-evasive/examples/test.pl
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden

libapache2-mod-line-edit – search-and-replace line editor module for apache 2

mod_line_edit is a general-purpose apache 2 filter for text documents. It operates as a simple on-the-fly line editor, applying search-and-replace rules defined in a configuration or .htaccess file. Both simple text and regular expression search and replace are supported.

Example:

SetOutputFilter line-editor
SetEnv LineEdit "text/plain;text/css;text/html"
LELineEnd ANY
LERewriteRule https?://(www\.)?example\.com http://example-development.yoursite.co.nz Ri

Throw something like that into your configuration or .htaccess file and you have instantly fixed all those problem URLs on your development system, without touching the source files at all.
This is also ideal for stopping people who exploit various holes in web applications from inserting JavaScript redirects etc.

Please note: the names of all these modules are Debian/Ubuntu package names. CentOS or RedHat based distros may use other names for the same modules. If you need any of these installed just drop an email into the support box and let us know.

Wordpress Update Script – 2.8.6 and Wordpress MU 2.8.5.2

Monday, November 16th, 2009 by Liz Quilty

A new WordPress came out last Friday. Sorry about the delay updating the script.

This script will update all instances of WordPress that are not the most current. Run it as root; it will make backups in /root/wp_upgrades of both databases and files in case things go wrong.

It will determine if it's a WordPress or WordPress Multi User install and apply the correct fix.

wget http://b.ri.mu/files/wordpress-upgrade-2.8.6.sh
sh wordpress-upgrade-2.8.6.sh

You may need to change the ownership of the wordpress files after install, I will fix this bug and write it into the script in the next couple of versions.

If you have any bugs or problems with it, please let me know or contact support.

Evading Webapp Vulnerability Scans

Monday, November 2nd, 2009 by davidmace

Most attackers aren’t after your digital property or information stored on your server.  They’re mostly after your server for its resources to send spam, host phishing sites or launch attacks against other servers.  So unless you’re running a high profile site or have managed to anger a malcontent, your server likely isn’t going to be the subject of a targeted attack.  Your server will, however, be scanned by automated scripts looking for known exploits in popular webapps (wordpress, joomla, drupal, etc).

These scans typically run across IP ranges and not valid hostnames.  When an incoming request contains no Host header, Apache will service the request using the default virtual host for that IP.  This would be either the first name-based virtual host defined for that IP in /etc/httpd/conf/httpd.conf or the first virtual host loaded for that IP in virtual hosts defined in /etc/apache2/sites-enabled/ (loaded in alphabetical order I believe).

A simple addition to your Apache configuration can help limit this security exposure by routing these requests to a bogus virtual host.  If /etc/httpd/conf/httpd.conf exists, go ahead and open that and add this to the top of the virtual hosts section:

<VirtualHost *:80>
ServerName notvalid.yourdomain.com
DocumentRoot /var/www/blank
</VirtualHost>

If /etc/httpd/conf/httpd.conf does not exist, create a new file with the above contents at /etc/apache2/sites-available/000-afakeentry.conf then run:

ln -s /etc/apache2/sites-available/000-afakeentry.conf /etc/apache2/sites-enabled/

In addition to the changes above, you need to be sure that you have name based virtual hosts enabled.  You need the following directive uncommented in /etc/httpd/conf/httpd.conf or /etc/apache2/ports.conf:

NameVirtualHost *:80
or
NameVirtualHost yourip:80

Restart Apache after you’ve made those changes:

/etc/init.d/httpd restart
or
/etc/init.d/apache2 restart

You should notice that requests to your IP (e.g. http://1.2.3.4/) no longer display your site. That's no reason not to keep on top of applying security updates to your webapps, but it can help keep you out of harm's way for most automated attacks. :)

checking the checksums of your binary packages

Thursday, October 15th, 2009 by Liz Quilty

Occasionally you just want a bit of peace of mind about your server or Linux install. You may suspect that somebody has hacked your computer, or that something was changed by a package install that shouldn't have been.

Here's a couple of ideas on how to do a quick ‘health’ check on the md5sums of binary packages. This gem is inspired by Ivan (who does mostly dev stuff).

Debian based people should install dlocate and use that:

apt-get install dlocate
dlocate -md5check openssh-server

To force a fail, try something like this:

mv /usr/share/man/man5/sshd_config.5.gz /usr/share/man/man5/sshd_config.5.gz-old
echo Boo > /usr/share/man/man5/sshd_config.5.gz
dlocate -md5check openssh-server

For RedHat/CentOS etc. based servers you can use rpm's verify mode:

rpm -qvV openssh

Again you can force a fail by changing a file:

mv /usr/share/doc/openssh-4.3p2/CREDITS /usr/share/doc/openssh-4.3p2/CREDITS-old
echo Boo >/usr/share/doc/openssh-4.3p2/CREDITS
rpm -qvV openssh

For less verbosity just drop the lower case v (so it's rpm -qV).
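The verify output is terse, and on a real box most of the noise is config files and documentation. The following is an added example (not from the original post) that decodes the per-file status string rpm prints (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities; "." unchanged, "?" test not run) and keeps only the lines worth a second look: files whose contents changed and files that have gone missing, with edited config files reported separately. The sample output is constructed; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: turn "rpm -qvV" output into a
# short list of what actually matters. rpm prints one status string per
# file: S size, M mode, 5 digest, D device, L symlink, U user, G group,
# T mtime, P capabilities; "." means unchanged and "?" means the test could
# not be run. A type letter (c config, d doc, g ghost, l license, r readme)
# may follow the string. Function names are mine.

# Translate one status string, e.g. "S.5....T.", into words.
decode_flags() {
    flags="$1"
    out=""
    i=1
    while [ "$i" -le "${#flags}" ]; do
        c=$(printf '%s' "$flags" | cut -c "$i")
        case "$c" in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out caps" ;;
            '?') out="$out unverifiable" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Read verify output on stdin and keep only files whose contents differ from
# the package (digest changed) or that are missing. Config files are listed
# separately because they are expected to be edited; a changed digest on a
# binary or library is the line to investigate.
triage_verify() {
    while read -r flags second third; do
        [ -n "$flags" ] || continue
        if [ -n "$third" ]; then type="$second"; path="$third"
        else type=""; path="$second"; fi
        if [ "$flags" = missing ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "${flags#*5}" != "$flags" ]; then
            if [ "$type" = c ]; then
                printf 'CHANGED-CONFIG %s (%s)\n' "$path" "$(decode_flags "$flags")"
            else
                printf 'CHANGED %s (%s)\n' "$path" "$(decode_flags "$flags")"
            fi
        fi
    done
}

# Constructed sample of "rpm -qvV openssh" output (the CREDITS file is the
# one the post above deliberately replaced).
sample_verify_output() {
    cat <<'EOF'
.........    /usr/bin/ssh
S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/ssh_config
S.5....T.  c /etc/ssh/sshd_config
missing    /usr/share/doc/openssh-4.3p2/CREDITS
.........  d /usr/share/man/man5/sshd_config.5.gz
EOF
}

# Real use: rpm -qVa | triage_verify     (every package, changed files only)
sample_verify_output | triage_verify
```

A changed digest on something like /usr/sbin/sshd with no package update to explain it is exactly the case to compare against a known-good copy before trusting the box any further.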

Unsure who is sending spam? Try this

Friday, October 9th, 2009 by Liz Quilty

Anyone who has hosted people's websites before has had either a blog hacked, or some guy who thinks he is going to send mass mailouts using PHP or similar.

It's extremely hard to track down and deal with, and yet it can get your server listed at a spam blacklisting service, preventing legitimate email from getting through. This was my answer to the problem, and it's helped me track down several insecure contact forms or troublesome users.

  1. Put the code below somewhere like /usr/local/securemail/mail.pl
  2. Adjust the sendmail_path to be this script (ie php_admin_value sendmail_path "/usr/local/securemail/mail.pl ")
  3. Edit the script to point to the mailer you use (the line that says my $mailprog = '/usr/sbin/exim -t ';)
  4. Add a logrotate entry for /var/log/formmail.log or similar

#!/usr/bin/perl
#
# This will tell you who is emailing from your server and where from. Good for diagnosing which person has
# an insecure website and is sending spam via a PHP application. Possible to use for other services also.
#
# Put this wherever you want the mail logged from. Edit where $mailprog is for this particular server
# (if you use postfix or qmail etc. then find the path and put that instead).
#
# Edit php.ini and adjust the sendmail_path to be this script.
# If you want to do it domain by domain you can add the following line into your virtualhost:
#     php_admin_value sendmail_path "/usr/local/securemail/mail.pl "
#
# Now for the finale, chmod +x /usr/local/securemail/mail.pl (or wherever you put the script)
# touch /var/log/formmail.log ; chown www-data.www-data /var/log/formmail.log
# Basically create the log and make sure the apache user owns/can write to it.
#
use strict;
use warnings;
# Import only the variables we use: with a bare "use Env" the script fails to
# compile under "use strict" whenever REMOTE_ADDR is not in the environment
# (for example when called from the command line or cron).
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);

my $date = `date`;
chomp $date;
open (INFO, ">>/var/log/formmail.log") || die "Failed to open file ::$!";
my $uid = $>;
my @info = getpwuid($uid);
if ($REMOTE_ADDR) {
    # Called from a web request: log the client address and the script that sent mail
    print INFO "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME \n";
}
else {
    # Called from the shell/cron: log the working directory and the owning user
    print INFO "$date - $PWD - @info\n";
}
my $mailprog = '/usr/sbin/exim -t ';
# Run the mailer directly (list form of open) instead of through a shell, so the
# arguments passed on from PHP's mail() can never be interpreted as shell syntax.
my @mailcmd = split ' ', $mailprog;
open (MAIL, '|-', @mailcmd, @ARGV) || die "cannot open $mailprog: $!\n";
# Copy the message from stdin through to the mailer unchanged
while (<STDIN>) {
    print MAIL $_;
}
close (INFO);
close (MAIL);

Update: I have had some problems with this on some systems, so I reverted to the following PHP script instead of the perl one.

#!/usr/bin/php
<?php

$sendmail_bin = '/usr/sbin/sendmail';
$logfile = '/var/log/formmail.log';

//* Get the email content from stdin (this is what PHP's mail() hands to sendmail_path)
$logline = '';
$mail = '';
$pointer = fopen('php://stdin', 'r');

while ($line = fgets($pointer)) {
    if (preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
        $logline .= trim($line) . ' ';
    }
    $mail .= $line;
}
fclose($pointer);

//* compose the sendmail command; each extra argument from PHP is shell-escaped
$command = $sendmail_bin . ' -t -i';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
    $command .= ' ' . escapeshellarg($_SERVER['argv'][$i]);
}

//* Write the log: the working directory identifies the vhost/script that sent the mail
file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . getcwd() . ' ' . $logline . "\n", FILE_APPEND);

//* Feed the message to sendmail on its stdin (no command-line length limit, unlike
//* passing it through echo) and hand sendmail's exit status back so mail() sees failures
$proc = popen($command, 'w');
if ($proc === false) {
    exit(1);
}
fwrite($proc, $mail);
exit(pclose($proc));
?>
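Once the wrapper has been logging for a while, the question becomes which site is the noisy one. The following is an added example (not the post's code) that reads the lines the PHP version writes (date, time, working directory, then the To:/From: headers) and reports mails per sending directory plus any directory that pushed more than a threshold of mails in a single clock hour, which is what an abused contact form looks like. The sample log is constructed; sample_log, mails_per_dir and bursty_dirs are my names.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the log the PHP
# wrapper above writes. Each line is
#   YYYY-MM-DD HH:MM:SS <working directory> To: ... From: ...
# and the working directory is what identifies the site or script, so that
# is what we count on. Function names are mine.

# Mails per sending directory, busiest first.
mails_per_dir() {
    awk '{ count[$3]++ } END { for (d in count) print count[d], d }' | sort -rn
}

# Directories that sent more than LIMIT mails within one clock hour:
# a contact form being abused looks like a burst, a real user does not.
bursty_dirs() {
    limit="${1:-50}"
    awk -v limit="$limit" '
        { hour = $1 " " substr($2, 1, 2); key = $3 SUBSEP hour; n[key]++ }
        END {
            for (k in n) if (n[k] > limit) {
                split(k, p, SUBSEP)
                print n[k], p[1], p[2] ":00"
            }
        }' | sort -rn
}

# Constructed sample: three normal mails from one site and a contact form
# on another site pushing sixty messages out in a single hour.
sample_log() {
    printf '2009-10-09 09:12:01 /var/www/vhosts/alice.example/httpdocs To: bob@example.net From: alice@alice.example\n'
    printf '2009-10-09 10:40:55 /var/www/vhosts/alice.example/httpdocs To: carol@example.org From: alice@alice.example\n'
    printf '2009-10-09 16:03:19 /var/www/vhosts/alice.example/httpdocs To: dave@example.com From: alice@alice.example\n'
    i=0
    while [ "$i" -lt 60 ]; do
        printf '2009-10-09 14:%02d:30 /var/www/vhosts/shop.example/httpdocs/contact To: victim%d@example.net From: promo@shop.example\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Real use: bursty_dirs 50 < /var/log/formmail.log
echo "mails per directory:"; sample_log | mails_per_dir
echo "bursts (>50/hour):";   sample_log | bursty_dirs 50
```

The hourly threshold is the useful knob: set it just above what the busiest legitimate site sends and run it from cron, and the first line of output is the form (or user) to go and look at.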

Does your VPS have MD5 enabled for passwords?

Tuesday, October 6th, 2009 by Liz Quilty

We recently discovered that the way we install a VPS differs slightly from the usual CD install. This is not something we do specifically, but something that can be improved on in the set-ups of CentOS 5.3.

When you install from a CD it automatically enables MD5 hashing for passwords (which should be the norm); however, when you install directly from base packages it does not.

This appears to be a fairly new development and we have caught it quickly thanks to some great users who have passwords longer than 8 characters. The main side effect of not having MD5 is that you cannot have a password longer than 8 characters at all; the extra characters are simply ignored.

To test whether your VPS is affected, set a password with more than 8 characters: if you can still log in using only the first 8 characters, MD5 is not enabled.

There is an easy fix for this.

Edit /etc/sysconfig/authconfig

You need to have this enabled

USEMD5=yes

Next, edit this file /etc/pam.d/system-auth

Make sure it has the following line (note the md5 option):

password sufficient pam_unix.so md5 shadow try_first_pass use_authtok nullok

You should then reset any passwords on the box with passwd so they are now using MD5:

passwd username

before

[root@hostname ~]# cat /etc/shadow
root:y.yYKjjc6dh4M:14519:0:99999:7:::

after

[root@hostname /etc/pam.d]# cat /etc/shadow
root:$1$trQ54tcS$azHBlqdd3kzNF4v8Xp3N/0:14519:0:99999:7:::
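To check every account rather than eyeballing the shadow file, here is an added example (not from the original post) that classifies each hash by its prefix and lists the accounts that still need a passwd. It goes beyond the post in also recognising the SHA-256/SHA-512 ($5$/$6$), bcrypt and yescrypt forms that later distributions default to; a 13-character hash with no $ prefix is the traditional DES form that truncates at 8 characters. The root and liz lines reuse the before/after hashes shown above; the other accounts are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: classify every hash in a
# shadow file so a box with the problem described above can be audited in
# one pass. Goes beyond the post in also recognising the SHA-256/SHA-512,
# bcrypt and yescrypt forms newer distributions use. Function names are mine.

# Map one shadow hash field to its scheme. A 13-character value with no
# "$id$" prefix is traditional DES crypt, the form that silently ignores
# everything after the 8th character of the password.
hash_scheme() {
    h="$1"
    case "$h" in
        "")                       echo empty ;;     # no password at all
        '!'*|'*'*)                echo locked ;;    # password login disabled
        '$1$'*)                   echo md5 ;;
        '$5$'*)                   echo sha256 ;;
        '$6$'*)                   echo sha512 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$y$'*)                   echo yescrypt ;;
        '$'*)                     echo unknown ;;
        *) if [ "${#h}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# "user scheme" for every line of a shadow file on stdin.
audit_shadow() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done
}

# The accounts to act on: DES hashes (reset with passwd once MD5 is on)
# and empty password fields.
weak_accounts() {
    audit_shadow | awk '$2 == "des" || $2 == "empty" { print $1 }'
}

# Constructed sample. root carries the "before" hash from the post and liz
# the "after" one; the rest are made up.
sample_shadow() {
    cat <<'EOF'
root:y.yYKjjc6dh4M:14519:0:99999:7:::
liz:$1$trQ54tcS$azHBlqdd3kzNF4v8Xp3N/0:14519:0:99999:7:::
dave:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:14519:0:99999:7:::
bin:*:14519:0:99999:7:::
svc:!!:14519:0:99999:7:::
guest::14519:0:99999:7:::
EOF
}

# Real use (as root): weak_accounts < /etc/shadow
sample_shadow | weak_accounts
```

MD5 was the fix available for CentOS 5.3 at the time; on anything newer, the same USEMD5/pam_unix settings take sha512 instead, and the audit above will show those accounts as sha512 rather than md5.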

If you have any problems or concerns you should contact us on support. Just drop in a ticket and we can get things going again.