A blog for Linux Lovers.

Archive for the ‘Server Securiy’ Category

Posted by sibu on June 20, 2009

Iptables to log messages to a different log file

According to man page:

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user defined chains.

By default, Iptables log message to a /var/log/messages file. However you can change this location. I will show you how to create a new logfile called /var/log/iptables.log. Changing or using a new file allows you to create better statistics and/or allows you to analyze the attacks.
Iptables default log file

For example, if you type the following command, it will display current iptables log from /var/log/messages file:
tail -f /var/log/messages



Oct  4 00:44:28 debian gconfd (anish-4435): Resolved address “xml:readonly:/etc/gconf/gconf.xml.defaults” to a read-only configuration source at position 2
Oct  4 01:14:19 debian kernel: IN=ra0 OUT= MAC=00:17:9a:0a:f6:44:00:08:5c:00:00:01:08:00 SRC= DST= LEN=60 TOS=0×00 PREC=0×00 TTL=51 ID=18374 DF PROTO=TCP SPT=46040 DPT=22 WINDOW=5840 RES=0×00 SYN URGP=0


Procedure to log the iptables messages to a different log file

Open your /etc/syslog.conf file:

vi /etc/syslog.conf

Append following line

kern.warning /var/log/iptables.log

Save and close the file.

Restart the syslogd (Debian / Ubuntu Linux): /etc/init.d/sysklogd restart On the other hand, use following command to restart syslogd under Red Hat/Cent OS/Fedora Core Linux: /etc/init.d/syslog restart

Now make sure you pass the log-level 4 option with log-prefix to iptables. For example:
DROP everything and Log it
iptables -A INPUT -j LOG –log-level 4
iptables -A INPUT -j DROP

For example, drop and log all connections from IP address to your /var/log/iptables.log file:

iptables -A INPUT -s -m limit –limit 5/m –limit-burst 7 -j LOG –log-prefix ‘** HACKERS **’ –log-level 4
iptables -A INPUT -s -j DROP


* –log-level 4: Level of logging. The level # 4 is for warning.
* –log-prefix ‘*** TEXT ***’: Prefix log messages with the specified prefix (TEXT); up to 29 letters long, and useful for distinguishing messages in the logs.

You can now see all iptables message logged to /var/log/iptables.log file:
tail -f /var/log/iptables.log

Posted by sibu on March 10, 2009

Securing /tmp and /dev/shm

The first step is to check if /tmp is already secure. Some data centers do not create a /tmp partition while others do.
df -h |grep tmp

If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.
cat /etc/fstab |grep tmp

If there is a line that includes /tmp and noexec then it is already mounted as non-executable. If not follow the instructions below to create one without having to physically format your disk. Idealy you would make a real partition when the disk was originally formated, that being said I have not had any trouble create a /tmp partition using the following method.

Create a ~1000Mb partition
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=1000000

Format the partion
mkfs.ext2 /dev/tmpMnt

When it asks about not being a block special device press Y

Make a backup of the old data
cp -Rp /tmp /tmp_backup

Mount the temp filesystem
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

Set the permissions
chmod 0777 /tmp

Copy the old files back
cp -Rp /tmp_backup/* /tmp/

Once you do that go ahead and restart mysql and make sure it works ok. We do this because mysql places the mysql.sock in /tmp which neeeds to be moved. If not it migth have trouble starting. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:

Open the file in vi:
vi /etc/fstab

Now add this single line at the bottom:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0

Umount and remount /dev/shm for the changes to take effect.
umount /dev/shm
mount /dev/shm

Next delete the old /var/tmp and create a link to /tmp
rm -rf /var/tmp/

ln -s /tmp/ /var/

If everything still works fine you can go ahead and delete the /tmp_backup directory.
rm -rf /tmp_backup

You /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories. Like I have said in other articles there are still ways in but this is one of the many layers of security you should have on your system.

Posted by sibu on March 10, 2009

Installing Nobody Check

Login to your server as root.

This script get installed at /usr/local/

1) Login to your server as the root user through shell

2) wget

3) chmod +x
4) ./

Wait for the installer to finish

5) rm -f

6) Open the /usr/local/nobody_check/nc.conf and put in your email address and select your options. Change the to email address to the address you want reports to be sent to.

Check if cron entry below has been updated

vi /var/spool/cron/root

0 */1 * * * /usr/local/nobody_check/nobody_check >/dev/null 2>&1

Example root cronjob runs once per hour

And then restart CRON

/etc/init.d/crond restart

Reports are only sent when a detection is found.

Posted by sibu on March 10, 2009

How to disable direct root login

Following steps will show you how to disable direct root login. If you are using cPanel server make sure you add your admin user to the .wheel. group so that you will be able to .su -. to root, otherwise you may lock yourself out of root.

1. SSH into your server as .admin. and gain root access by su

2. Copy and paste this line to edit the file for SSH logins
vi /etc/ssh/sshd_config

3. Find the line
Protocol 2, 1

4. Uncomment it and change it to look like
Protocol 2

5. Next, find the line
PermitRootLogin yes

6. Uncomment it and make it look like PermitRootLogin no

7. Save the file

8. Now you can restart SSH
/etc/rc.d/init.d/sshd restart

Now, no one will be able to login to root with out first loggin in as admin and .su -. to root, and you will be forcing the use of a more secure protocol. Just make sure you remember both passwords!

Posted by sibu on March 10, 2009

LES (Linux Environment Security)


tar -zxvf les-current.tar.gz
cd les-0.*

LES run

/usr/local/sbin/les –secure-bin on
/usr/local/sbin/les –secure-path on