Handy tool to monitor file creation in your server !

When you run a live server, there will be situations in which you or your clients need a list of the files that have recently been created. This is especially useful when a backdoor has been planted on your server and you need to track down and close the vulnerabilities behind it. These days we see a lot of malicious scripts being uploaded through vulnerabilities in the plugins or themes used by the CMSs hosted on the server, and tracking those locations manually is a tedious job.

Luckily, there is a command, inotifywait, that can track changes to a file or the creation of new files. It ships in the inotify-tools package; on an RPM based server, install it with:

# yum install inotify-tools

Once the installation is complete, create an init script like the following:

# vi /etc/init.d/inotifywaitd

#!/bin/bash
# Watches every user's document root for newly created files and records them,
# one path per line, in /root/newfiles/<user>.

DIR="/root/newfiles"
INOTIFY_CMD="/usr/bin/inotifywait"

if [ $# -ne 1 ]; then
    echo "Usage: /etc/init.d/inotifywaitd {start|stop}"
    exit 1
fi

if [ ! -d "${DIR}" ]; then
    mkdir -p "${DIR}"
fi

case "$1" in

start)
    # Loop over the document roots with a glob instead of parsing `ls` output,
    # which breaks on unusual characters in path names.
    for i in /home/*/public_html; do
        [ -d "${i}" ] || continue
        user=$(echo "${i}" | cut -d/ -f3)
        # -m: keep running, -r: recurse into subdirectories, -e create: creation events only.
        # %w%f logs the full path (watched directory + file name); %f alone would lose
        # the directory when recursing. Append so earlier records survive a restart.
        "${INOTIFY_CMD}" -m -r -e create --format '%w%f' "${i}" >> "${DIR}/${user}" &
    done
    ;;

stop)
    pkill -f "${INOTIFY_CMD}"
    ;;

*)
    echo "Usage: /etc/init.d/inotifywaitd {start|stop}"
    ;;

esac

# chmod 755 /etc/init.d/inotifywaitd

# /etc/init.d/inotifywaitd start

The script above watches the document root of each user and, whenever a new file is created under it, records that file as a line in /root/newfiles/$username. This becomes a really handy tool when you are going through an inspection phase on your server 😉
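The logs fill up quickly on a busy shared server, so here is an added example (my own code, not part of the original post or the script above) that triages them: it pulls out newly created files that the web server would execute and flags the ones landing in directories that should only ever hold static content. It assumes the monitor was started with --format '%w%f' so that every logged line is a full path; the function names triage_log and count_high, the pattern lists and the sample paths are all mine.

```bash
#!/bin/bash
# Added example, not from the original post: triage the per-user new-file logs
# written by the inotifywait monitor. Assumes each log line is a full path,
# i.e. the monitor ran with --format '%w%f' (assumption; the post uses '%f').

# Extensions the web server would execute if a request hit them.
SUSPICIOUS_EXT='\.(php|phtml|php[3-7]|phar|cgi|pl|sh)$'
# Directories that should only ever receive static content; a script appearing
# here is the classic sign of an upload-handler or plugin vulnerability.
STATIC_ONLY_DIRS='/(uploads|cache|tmp|images)/'

# Print the log entries worth a closer look, tagged HIGH or MED.  $1 = log file.
triage_log() {
    local log="$1" path
    [ -r "$log" ] || return 1
    grep -Ei "$SUSPICIOUS_EXT" "$log" | while IFS= read -r path; do
        if printf '%s\n' "$path" | grep -Eq "$STATIC_ONLY_DIRS"; then
            printf 'HIGH  %s\n' "$path"
        else
            printf 'MED   %s\n' "$path"
        fi
    done
}

# Number of HIGH findings in a log; non-zero is a good trigger for a cron alert.
count_high() {
    triage_log "$1" | grep -c '^HIGH' || true
}

# Run with --demo to see it work on a constructed sample log.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    printf '%s\n' \
        /home/alice/public_html/wp-content/uploads/2014/10/photo.jpg \
        /home/alice/public_html/wp-content/uploads/2014/10/image.php \
        /home/alice/public_html/wp-content/themes/mytheme/cache/.x.php \
        /home/alice/public_html/index.html \
        /home/alice/public_html/wp-includes/class-wp.php > "$sample"
    triage_log "$sample"
    echo "HIGH findings: $(count_high "$sample")"
    rm -f "$sample"
fi
```

A MED hit is often just a legitimate CMS or plugin update writing its own PHP files, so review those against the update history; a HIGH hit in an uploads or cache directory is worth an immediate look at the file contents and at the web server access log around the time it appeared.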

Qmail failing to restart !

Are you getting a failure message when trying to restart Qmail?

Check the mail logs to see if you can spot something. On a Plesk server, the log is at /usr/local/psa/var/log/maillog.

Do you find an error like this?

==================

Date host qmail: xxxxx alert: cannot start: unable to open mutex

Date host qmail: xxxxx alert: cannot start: unable to open mutex

==================

This can happen when you manually try to clear the qmail queue and delete a file from the /var/qmail/queue folder, in this case the lock file sendmutex. To solve the error, recreate the lock file with the right ownership:

# touch /var/qmail/queue/lock/sendmutex
# chown qmails:qmail /var/qmail/queue/lock/sendmutex

Once this is done, restart qmail:

# /etc/init.d/qmail start

Installing LAMP – Ubuntu 14.04 !

LAMP is a group of open source software that is usually deployed to host websites. In LAMP, ‘L’ stands for Linux, the OS that provides the platform; ‘A’ for Apache, the web server; ‘M’ for MySQL, the database server; and ‘P’ for PHP, which processes the dynamic content.

First, let’s install Apache webserver.

Open your terminal and type the following to install Apache via apt :

sudo apt-get install apache2

Once the web server is installed, you can verify that it is able to serve web pages by simply opening your server’s IP in a browser:

http://IP-address

You should see the default Apache2 Ubuntu page, which looks like this:

[Image: the default Apache2 Ubuntu page]

We can now install the MySQL server from the terminal.

sudo apt-get install mysql-server php5-mysql

The package ‘php5-mysql’ provides the modules that let PHP scripts connect to MySQL databases directly.

During the installation, you will need to confirm a password for the MySQL “root” user. This is an administrative account in MySQL that has increased privileges.

[Image: MySQL root password prompt during installation on Ubuntu]

Once the installation is complete, type the following to create the database directory structure :

sudo mysql_install_db

Once this is done, run the following to tighten the MySQL configuration:

sudo mysql_secure_installation

You will be asked for the MySQL root password and then taken through some straightforward questions: whether to remove the sample databases, whether to disable remote root logins, and so on. That completes the MySQL installation.

After MySQL, we will move ahead with installing PHP in the server :

sudo apt-get install php5 libapache2-mod-php5

You can also install additional PHP modules, such as php5-gd, either now or at a later time. For example:

sudo apt-get install php5-gd

With this, the installation of the LAMP stack is complete. We can now test whether the web server parses PHP pages without any issues.

Create a test PHP page inside /var/www/html:

# vi /var/www/html/phpinfo.php

<?php

// Show all information, defaults to INFO_ALL
phpinfo();

?>

Now open the phpinfo page in your browser:

http://IP-of-server/phpinfo.php

Remove the file once you have confirmed PHP is working; phpinfo() publishes details of your installation that do not need to be visible to anyone else.

The SSLv3 vulnerability – What do I need to do ? !

It looks like open source software is constantly being hit with vulnerabilities these days! But, as a wise man once said, the more people use and study something, the more loopholes get found and fixed.

The recent vulnerability is in the SSLv3 protocol, which until now had been considered a secure protocol for establishing encrypted communication between client and server.

You can check whether your services are affected using this online server tester:

https://access.redhat.com/labs/poodle/

(you may need a Red Hat login to get through)

Or you can check from a shell with the following one-liner:

# openssl s_client -connect <ServerIP-or-hostname>:<port> -ssl3

e.g.,

# openssl s_client -connect xx.xx.xx.xx:443 -ssl3

If the service is not vulnerable, the command should produce output like this:

=========

CONNECTED(00000003)

xxxxxxxxxx :error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40

xxxxxxxxxxx :error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

=========

If the service bound to that port is vulnerable, you will instead see the SSLv3 handshake complete and a session being established.
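Reading that output by eye for every service and port gets old fast, so here is an added example (my own code, not part of the original post) that wraps the one-liner above and turns the result into a clear verdict. The function names classify_sslv3_output and check_sslv3 are mine; the live probe assumes an openssl binary that still accepts -ssl3, and the sample outputs in the demo are constructed to mirror the error lines shown above.

```bash
#!/bin/bash
# Added example, not from the original post: turn the output of
# `openssl s_client -connect host:port -ssl3` into a verdict.

# Classify captured s_client output.  Prints one of:
#   not-vulnerable  the server refused the SSLv3 hello (alert 40 / handshake
#                   failure, exactly the error lines shown in the post)
#   vulnerable      the handshake completed and the session reports Protocol : SSLv3
#   unknown         anything else (connection refused, openssl lacks -ssl3, ...)
classify_sslv3_output() {
    local out="$1"
    if printf '%s\n' "$out" | grep -Eq 'handshake failure|alert number 40|wrong version number|unsupported protocol'; then
        echo not-vulnerable
    elif printf '%s\n' "$out" | grep -Eq '^ *Protocol *: *SSLv3' \
        && ! printf '%s\n' "$out" | grep -Eq '^ *Cipher *: *0000'; then
        # A real session shows a negotiated cipher; "Cipher : 0000" means none was agreed.
        echo vulnerable
    else
        echo unknown
    fi
}

# Probe one live service (needs an openssl build that still accepts -ssl3).
# Usage: check_sslv3 host port
check_sslv3() {
    local host="$1" port="$2" out
    # </dev/null closes stdin so s_client exits as soon as the handshake settles.
    out=$(openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1)
    printf '%s:%s %s\n' "$host" "$port" "$(classify_sslv3_output "$out")"
}

# Walk the TLS ports you care about on one host, e.g.  ./sslv3check.sh --host mail.example.com
# The port list is an example; adjust it to the services actually running.
if [ "${1:-}" = "--host" ] && [ -n "${2:-}" ]; then
    for port in 443 465 993 995; do
        check_sslv3 "$2" "$port"
    done
fi
```

Keeping the classification separate from the probe means the same logic can be pointed at output you saved earlier, and an "unknown" verdict tells you to look at the raw output rather than silently counting a failed connection as safe.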

You need to disable SSLv3 individually for each service.

To disable SSLv3 for httpd follow the steps given below :

Open the file holding your SSL directives (if configured), i.e. /etc/httpd/conf.d/ssl.conf, the top-level configuration file, or the default virtual host configuration for an address, and specify the following:

SSLProtocol All -SSLv2 -SSLv3

The SSLProtocol directive above disables SSLv2 and SSLv3.

If you use a WHM/cPanel server, this can be done from WHM as follows :

WHM » Service Configuration » Apache Configuration » Include Editor » Pre Main Include

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

Save the above lines and restart the service.

For the moment, patches are still being released for each of the services. As of now, patch your httpd service first and then move on to the other services as fixes become available.

There are also a lot of suggestions in the forums to disable the SSLv3 ciphers in the cPanel configuration so that all services stop using SSLv3. However, if you are on CentOS 5, the base OpenSSL version is 0.9.8e and no other ciphers are included in it, i.e. there are no TLS protocols along with it, which means that if you change cPanel to disable SSLv3, you will not be able to access anything over the browser.

You can change /var/cpanel/conf/cpsrvd/ssl_socket_args and give the following to disable SSLv3 :

ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

As I said, if you are on OpenSSL 0.9.8e, the cipher string above (with -SSLv3) would break everything and you would need to put back the original contents of /var/cpanel/conf/cpsrvd/ssl_socket_args, i.e.:

ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

You can check your current openssl version and the available ciphers in your installation using the following commands :

# openssl version -a
# openssl ciphers -v

If you need to upgrade OpenSSL to a newer version, check this post.

So, as a server admin, disable SSLv3 now (first and foremost for your httpd service) for the security of your users.

As a user, disable SSLv3 in your browser now to protect yourself when visiting websites that still support SSLv3.

Upgrading openssl – for Centos !

With the recent OpenSSL vulnerabilities, upgrading OpenSSL to a more recent stable version, openssl-1.0.1g, can be done using the following easy steps. Applicable to CentOS servers!

# wget ftp://ftp.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -zxf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
# ./config --prefix=/usr/local
# make
# make test
# make install

Check the version afterwards with:

# openssl version -a

Note that with --prefix=/usr/local the new binary is installed as /usr/local/bin/openssl, while the distribution’s /usr/bin/openssl and the shared libraries your services are linked against are left untouched; run `which openssl` to confirm which binary your PATH picks up before trusting the version output.

How long would httpd service be down when recompiling is done via EasyApache ?

Under normal circumstances, recompiling Apache and PHP takes around 15-30 minutes. However, the httpd service does not stay down for that long.

In the usual scenario, if things go well, it is down for less than a minute.

This is because EasyApache does a dry run of everything first to make sure it will work, so Apache and PHP remain operational during EasyApache’s compile process.

Only when your configuration compiles and runs successfully does EasyApache replace your existing Apache and PHP installations, and it is during this short window that the httpd service goes down and comes back up.

Should I enable/disable mod_gzip in my server ?

mod_gzip is an external extension module for Apache which uses gzip compression to significantly reduce the volume of web page content served.

Disabling mod_gzip has advantages as well as disadvantages. Among the advantages: you save some space in /tmp, and server load and resource usage are lower than with mod_gzip enabled, because files do not have to be compressed before being sent to the client. Also, mod_gzip is known to leave files behind in /tmp and other locations, which drives up the number of files in those folders. At times this results in thousands of files in /tmp, which prevents new files from being created, i.e. it causes a situation similar to /tmp being full, where the OS cannot create new files in /tmp.

One of the disadvantages of disabling mod_gzip is that your server will consume more bandwidth. This becomes a significant factor only when you have limits on bandwidth usage. So choose for yourself, weighing the advantages and disadvantages of mod_gzip.

cPanel/WHM – Unable to start PureFtpd !

When trying to run/restart the Pureftp service, do you get the following error ?

pure-ftpd (/usr/sbin/pure-ftpd -O clf:/var/log/xferlog --daemonize -A -c50 -B -C8 -D -E -fftp -H -I15 -lextauth:/var/run/ftpd.sock -L2000:8 -m4 -p30000:35000 -s -S21 -U133:022 -u100 -i -pure-authd (/usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/local/cpanel/bin/pureauth) running as root with PID xxxxx (pidfile check method)

The reason for this error is that the pure-ftpd service does not work with CallUploadScript set to yes in /etc/pure-ftpd.conf, because the pure-uploadscript service is not started when the pure-ftpd service is restarted.

The fix is to start pure-uploadscript manually via SSH:

# /usr/sbin/pure-uploadscript -B -r /etc/pure-ftpd.conf

Then restart the service :

# /etc/init.d/pure-ftpd restart