CyanogenMod 11.0 M7 based on Android 4.4.2 Released for supported devices

CyanogenMod, the popular open source OS for smartphones and tablet computers, based on the Android mobile platform is out with yet another milestone release. CyanogenMod pushes newer releases on a nightly, milestone, and “stable version” schedule.


The CyanogenMod team has started pushing the latest milestone release, CyanogenMod 11.0 M7, to its download servers. The release is based on Android 4.4.2 KitKat and is available for all supported devices. According to the team, the Android 4.4.3 based milestone M8 will follow sometime in July: the 4.4.3 source was released only a week earlier and they did not want to rush it into a milestone build. The 4.4.3 source has, however, already been merged into CM for the nightlies, so try a nightly build if you want Android 4.4.3 right away.

In terms of the changes, the M7 builds include an overhaul of the theme chooser, revamped calculator app, improved performance on low memory devices, and many more. The team has also revealed the changelog for CyanogenMod 11.0 M7 which includes:

  • Common: Theme Chooser UI Overhaul
  • Common: Calculator app redesign
  • Common: Performance Profiles
  • Common: Improved theming performance on low memory devices (~512MB RAM or less)
  • Trebuchet: Move settings to new slide-out panel
  • Trebuchet: Consolidate settings for home and drawer options
  • Media: Add FFMPEG support (expanded media format support)
  • Bluetooth: Improved support for new car audio systems and docks
  • Various small bugfixes, global and device-specific

With this release, CyanogenMod has added support for new devices: the HTC One M8, Samsung Galaxy Tab Pro 8.4 (mondrianwifi), Galaxy Note 8.0 LTE (n5120) and LG G2 Docomo (l01f). The CM team also noted that the non-device-specific code was branched on May 22nd and the device-specific code on May 31st, and advised those who jump between nightlies and M releases to pay attention to the May 22nd branch point.

Updated builds can be grabbed from CM Updater on your CM running device as an over-the-air update or directly from CyanogenMod website for manual flashing. CM 11.0 M7 is available for around 40 devices and is the most stable AOSP (Android Open Source Project) fork available.

So Happy flashing guys!

Source : CyanogenMod Blog

How can I secure my mail service – cPanel

Compromised mail servers are routinely abused to pump out spam.

Securing your mail service therefore matters, and several of the most useful tweaks can be made from the WHM panel.

–> In Home >> Server Configuration >> Tweak Settings

Prevent “nobody” from sending mail – This stops PHP scripts running as the web-server user ‘nobody’ from sending mail. A vulnerable or backdoored PHP script is very often the source of the spam leaving your server, and this option cuts it off. Note that on servers running PHP as a DSO module every script runs as ‘nobody’, so legitimate contact forms will stop sending too; under suPHP or CGI the scripts run as the account owner and are unaffected.

Restrict outgoing SMTP to root, exim, and mailman – This blocks every other local user (including ‘nobody’) from connecting directly to remote SMTP servers on port 25, so mail can only leave through your own exim, where it is logged and subject to your limits. Only the users listed are allowed to open outbound SMTP connections; the restriction is implemented as an iptables owner-match rule.

If you get an error while enabling the SMTP restriction, the server is probably missing the iptables owner-match module the rule depends on. Ask your provider to enable it, or if you manage the kernel yourself, load it:

modprobe ipt_owner

(on newer kernels the module is called xt_owner).

–> In Home >> Service Configuration >> Service Manager you will find the option Antirelayd. Keep it disabled. Antirelayd implements “POP before SMTP”: any IP that recently authenticated to POP3 is allowed to relay mail without SMTP authentication. With it disabled, every relayed message has to authenticate over SMTP itself, so other hosts behind the same NAT address cannot relay on the strength of someone else's POP3 login.

–> If IMAP keeps restarting, or you simply want to know who is hammering it, check

# grep 'LOGIN FAILED' /var/log/maillog|awk '{print $9}'|sort|uniq -c | sort -n

to see how many authentication failures come from each IP (field 9 is the ip=[...] token in courier-imap's log lines; adjust it if your log layout differs). A handful of failures from one address is a user with a stale password; hundreds are a brute-force attack. Block the offending IPs in your server firewall (cPHulk or CSF can do this automatically on a cPanel server).
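The one-liner above breaks as soon as the log layout shifts a field. The script below, added here as an example and not part of the original post, does the same count by matching the ip=[...] token itself (and dovecot's rip= token, so it also works on dovecot-based cPanel servers) and then lists only the IPs over a threshold. The maillog lines in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: count failed POP3/IMAP logins per
# source IP. Matches courier-style "LOGIN FAILED ... ip=[...]" lines (the ones
# the post greps for) and dovecot's "auth failed ... rip=..." lines.
# SAMPLE_MAILLOG is constructed sample data, not a real server's log.

SAMPLE_MAILLOG='Dec 14 10:00:01 host imapd: LOGIN FAILED, user=test@example.com, ip=[::ffff:203.0.113.5]
Dec 14 10:00:03 host imapd: LOGIN FAILED, user=admin@example.com, ip=[::ffff:203.0.113.5]
Dec 14 10:00:05 host pop3d: LOGIN FAILED, user=info@example.com, ip=[::ffff:203.0.113.5]
Dec 14 10:00:07 host imapd: LOGIN FAILED, user=test@example.com, ip=[::ffff:203.0.113.5]
Dec 14 10:00:09 host imapd: LOGIN, user=bob@example.com, ip=[::ffff:198.51.100.7], protocol=IMAP
Dec 14 10:00:11 host dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.10
Dec 14 10:00:13 host pop3d: LOGIN FAILED, user=sales@example.com, ip=[192.0.2.44]'

# Read maillog lines on stdin; print "<failures> <ip>" per IP, fewest first.
# The first sed expression also strips the IPv4-mapped "::ffff:" prefix courier writes.
failed_logins_by_ip() {
  grep -E 'LOGIN FAILED|auth failed' |
    sed -n -e 's/.*ip=\[\(::ffff:\)\{0,1\}\([^]]*\)\].*/\2/p' \
           -e 's/.*rip=\([^,]*\),.*/\1/p' |
    sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Print only the IPs with more than $1 failures: candidates for a firewall block.
brute_force_candidates() {
  failed_logins_by_ip | awk -v limit="$1" '$1 > limit { print $2 }'
}

# On a live box: brute_force_candidates 20 < /var/log/maillog
printf '%s\n' "$SAMPLE_MAILLOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_MAILLOG" | brute_force_candidates 3
```

Pick the threshold from your own baseline; a mail client with a stale password will retry a few times per poll, whereas a brute-force run produces hundreds of failures in minutes.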

–> Use strong passwords for every email account. Go through each domain and make sure no test accounts have been left behind: test accounts are usually created with throwaway passwords that an attacker can guess in seconds.

Cannot connect to real www.google.co.in ?

Sometimes the biggest problems have the easiest fixes. If your browser warns that it cannot confirm you are connected to the real www.google.co.in (a certificate error on a site that is obviously fine), the cause is very often nothing more than a wrong system date and time: a certificate is only valid between two dates, and the browser checks those dates against your clock.

Whenever you get such a warning, look at the clock in the corner of your screen and check the date and time. If they are wrong, correct them and reload the page. If the clock is right and the warning persists, do not click through: the certificate may genuinely be bad, or something between you and the site may be intercepting the connection.

If the clock is wrong again after the next restart, the CMOS battery on the motherboard is flat and it is time to replace it.

You don't need a technician for this; it is as easy as changing the battery in a wall clock. Buy a new CMOS battery (usually a CR2032 coin cell), open the computer case, find the circular battery on the motherboard, pop it out of its holder and press the new one in.

Securing your SSH server !

SSH is the most powerful tool with which you can access your server. As Uncle Ben says in Spiderman —

Remember, with great power, comes great responsibility.

If the service is not hardened, it can be abused with exactly the power it gives you. Let us look at some of the ways to secure and harden your SSH server.

–> Use key-based authentication instead of passwords. Botnets are constantly brute-forcing SSH passwords, and a password-only server lets any machine in the world keep trying until it guesses right. With public/private key authentication only a client holding a matching private key can get in, and guessing a key of current size (a 2048-bit RSA or an Ed25519 key, for example) is not feasible.

To set up key-based authentication, follow the steps below. The first two run on the client machine.

Generate a passphrase-protected key pair (the passphrase protects the private key file if it is ever stolen):

ClientMachine # ssh-keygen

Once this is complete, the private key is stored in ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub (/root/.ssh/ when run as root, as here).

Now copy the contents of /root/.ssh/id_rsa.pub to the server. The easiest way is:

# ssh-copy-id SERVERIP ( will prompt for the root password one last time )

or paste the contents of /root/.ssh/id_rsa.pub ( from ClientMachine ) into the file /root/.ssh/authorized_keys on the server.

Test that a key login works before going further. Then open the SSH configuration file ( /etc/ssh/sshd_config ) on the server, set the line below (if it is commented out, uncomment it and make sure the value is ‘no’), and restart the service:

PasswordAuthentication no

Set ChallengeResponseAuthentication to ‘no’ as well, otherwise PAM can still accept passwords through keyboard-interactive authentication. Keep your existing session open while you restart sshd and log in again from a second terminal; if the new login fails, you can still repair the configuration from the first one.

You can now SSH from ClientMachine without typing the server's password ( you will be asked for the key's passphrase if you set one; ssh-agent can cache it for the session ).

–> On a server where users around the world need to SSH in from machines that change often, key-based authentication can become a real headache.

Even with password authentication we can do better. Disabling root login is a big plus: most brute-force attacks target the username ‘root’. Instead of letting root log in, allow a normal system user and have that user sudo to get root privileges.

First create a system user for this purpose ( skip this step if you already have one in mind ):

# adduser newusername
# passwd newusername

Now grant this user administrative privileges through sudo. Use visudo rather than editing the file directly: it checks the syntax before saving, and a broken /etc/sudoers can lock you out of root entirely.

# visudo

Add the new user just below these lines:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

After adding it, the block looks like:

## Allow root to run any commands anywhere
root ALL=(ALL) ALL
newusername ALL=(ALL) ALL

Save and close the file. Then set the following in the SSH configuration file and restart sshd:

PermitRootLogin no

Root can no longer log in over SSH. Log in as the new user and run sudo -i (or prefix individual commands with sudo) to become root; every use is recorded in the system log, which is something a direct root login never gives you.

–> You can also consider moving SSH off the default port 22 to another port. This does not stop a determined attacker (a port scan finds it in seconds) but it cuts down the noise from botnets that only try port 22.

–> If the server has several IPs, consider binding the SSH daemon to just one of them.

^ Both are set in /etc/ssh/sshd_config, with the Port and ListenAddress directives. Open the new port in the firewall before restarting sshd.

–> If you have a well-defined network environment, you can list the IP ranges allowed to reach the SSH service and deny everyone else. One way is TCP Wrappers, using the files /etc/hosts.deny and /etc/hosts.allow:

=====================

/etc/hosts.deny
sshd:  ALL

/etc/hosts.allow
sshd: Trusted IPs/subnet

=====================

Note that this only works if your sshd was built with libwrap; upstream OpenSSH dropped TCP Wrappers support in 6.7 and most current distributions no longer ship it. A firewall rule restricting the SSH port to the trusted ranges is the portable choice, and sshd's own AllowUsers directive accepts user@host patterns as a second layer.
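To check that the settings from the steps above actually took effect, here is an audit script added as an example; it is not from the original post and not part of any tool mentioned here. It reads an sshd_config, applies sshd's own rules that the first value of a directive wins and that Match blocks come after the global settings, and reports any of PasswordAuthentication, ChallengeResponseAuthentication, PermitRootLogin and PubkeyAuthentication that is still weak. The two sample configs inside it are made up, and the defaults it assumes for absent directives are those of OpenSSH 7.0 and later.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the
# settings recommended above. Like sshd, it takes the FIRST value found for a
# directive and ignores everything after the first Match block (Match blocks
# can re-enable passwords for some clients and must be reviewed by hand).
# Assumed defaults for absent directives (OpenSSH 7.0+): PasswordAuthentication
# yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes,
# PermitRootLogin prohibit-password (older releases: yes, also a failure here).

# sshd_get CONFIG_TEXT DIRECTIVE: print the effective value, lowercased.
sshd_get() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 ~ /^#/                    { next }               # comment line
    tolower($1) == "match"       { exit }               # end of global section
    tolower($1) == tolower(key)  { print tolower($2); exit }'
}

# Read a config on stdin; print one FAIL line per weak setting.
# Returns 0 if every check passes, 1 otherwise.
audit_sshd_config() {
  cfg=$(cat)
  rc=0
  for spec in 'PasswordAuthentication:no:yes' \
              'ChallengeResponseAuthentication:no:yes' \
              'PermitRootLogin:no:prohibit-password' \
              'PubkeyAuthentication:yes:yes'; do
    key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; dflt=${rest#*:}
    got=$(sshd_get "$cfg" "$key")
    [ -n "$got" ] || got=$dflt
    if [ "$got" != "$want" ]; then
      echo "FAIL $key=$got (want $want)"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample configs, not copied from any real host.
SAMPLE_WEAK='# stock file: everything commented out, so sshd defaults apply
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
Port 22'

SAMPLE_HARDENED='Port 2222
ListenAddress 192.0.2.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

# On a live box: audit_sshd_config < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_WEAK" | audit_sshd_config || echo "weak sample: not hardened"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd_config && echo "hardened sample: OK"
```

Run it before and after the restart; the stock config fails three of the four checks purely through defaults, which is why leaving directives commented out is not the same as setting them. The hardened sample passes even though its Match block re-enables passwords for 10.0.0.0/8, so read any Match block by hand.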

So, try these methods out !

Issue with parsing of PHP pages !

Are you facing the scenario in which the browser downloads the PHP file to your local machine instead of showing the page?

For example, when www.domain.com/index.php is entered in the browser, the file index.php is downloaded rather than rendered.

This happens when the web server does not recognise .php files as something to hand to the PHP interpreter, so it serves the source as a plain download. Apart from being broken, this exposes your code, database credentials included, to anyone who asks for the file.

To fix this issue :

–> Make sure the PHP module is loaded. httpd.conf must contain a line such as

‘LoadModule php5_module modules/libphp5.so' ( the path to the .so varies by distribution )

–> Make sure the PHP handler for the .php extension is configured. Something like

'AddType application/x-httpd-php .php'

( or the equivalent AddHandler line ) must be present in httpd.conf.

If either line is missing from your httpd configuration, PHP parsing will fail. After correcting it, restart httpd and confirm with a HEAD request that index.php now comes back with a Content-Type of text/html rather than application/x-httpd-php.

Too much denied named queries ?

When you run a production box with a DNS server ( named, in this case ), you get tons of queries. Disabling recursion reduces the workload considerably, because the server then only answers for the zones it hosts.

While going through /var/log/messages, have you found lots of query ( cache ) denied messages ? Something like this ?

Date host named[28251]: client IP#xxxxx: view external: query (cache) 'domain.com/A/IN' denied

Each such line means a client asked for a name outside the zones this server hosts and, since recursion is denied for that client, named correctly refused to look it up. Check whether the domains in these queries are present on the server or not.

If you find that these domains once existed on the server but no longer do, the conclusion is that their registrations still point at your DNS servers even though the sites went out of business or moved away.

In other words, the zones are gone from here, but the domains still exist and their delegation still names this server.
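As an added example ( not part of the original post ), the script below tallies which names the denied queries are asking for and filters out the ones that fall inside a zone this server does host, leaving the stale delegations. The log lines and the zone list are constructed; on a real server feed it the matching lines from /var/log/messages and the zone names from your named.conf.

```shell
#!/bin/sh
# Added example, not from the original post: tally the names behind
# "query (cache) ... denied" lines and keep only those no zone on this
# server covers, which are the stale delegations. Log lines and zone list
# are constructed sample data.

SAMPLE_NAMED_LOG="Dec 14 10:00:01 ns1 named[28251]: client 203.0.113.9#51234: view external: query (cache) 'oldshop.example/A/IN' denied
Dec 14 10:00:02 ns1 named[28251]: client 203.0.113.9#51235: view external: query (cache) 'oldshop.example/MX/IN' denied
Dec 14 10:00:03 ns1 named[28251]: client 198.51.100.7#40001: view external: query (cache) 'www.oldshop.example/A/IN' denied
Dec 14 10:00:04 ns1 named[28251]: client 198.51.100.7#40002: view external: query (cache) 'mail.hosted.example/A/IN' denied
Dec 14 10:00:05 ns1 named[28251]: client 192.0.2.44#53000: view external: query (cache) 'gone.example/A/IN' denied
Dec 14 10:00:06 ns1 named[28251]: client 192.0.2.44#53001: view external: query (cache) 'oldshop.example/A/IN' denied"

# Zones this server is authoritative for, one per line (constructed).
# mail.hosted.example above is there to exercise the filter; a denied query
# for a hosted zone can happen when the zone exists only in another view.
SAMPLE_ZONES='hosted.example
another.example'

# Read named log lines on stdin; print "<count> <name>" for each name in a
# denied cache query, most-asked first.
denied_query_names() {
  sed -n "s/.*query (cache) '\([^/']*\)\/[^']*' denied.*/\1/p" |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# not_hosted_here ZONES: like denied_query_names, but drop names that fall
# inside one of the given zones.
not_hosted_here() {
  zones=$1
  denied_query_names | while read -r count name; do
    hosted=0
    for z in $zones; do
      case $name in
        "$z" | *."$z") hosted=1 ;;
      esac
    done
    if [ "$hosted" -eq 0 ]; then
      echo "$count $name"
    fi
  done
}

# On a live box (assumes named-checkconf -p prints zone names quoted, as it does):
#   grep 'query (cache)' /var/log/messages |
#     not_hosted_here "$(named-checkconf -p | awk '$1 == "zone" { gsub(/"/, "", $2); print $2 }')"
printf '%s\n' "$SAMPLE_NAMED_LOG" | not_hosted_here "$SAMPLE_ZONES"
```

The names left over are the ones whose owners need to update their delegation; the names that are filtered out but still denied point at a view or ACL problem on your side rather than at a stale domain.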

Resolution: add the following lines to /etc/named.conf ( the named config file ), under the ‘options’ section:

additional-from-auth no;
additional-from-cache no;

With these settings BIND no longer fills in additional-section records from other zones or from its cache when answering, so it stops following out-of-zone records even when they are cached. Newer BIND releases have dropped these two options, so run named-checkconf before reloading and remove them if it complains. The denied lines for stale delegations are themselves harmless; if they flood the log, the lasting fix is to get the domain owners to update their delegation.

How do I clear my DNS cache !

The local DNS cache on your machine stores the addresses of web servers you have recently looked up.

If a site has moved to a new address, a stale cache entry keeps sending you to the old one until it expires, so you cannot reach the page even though the public DNS is already correct.

The following shows how to clear the DNS cache on different platforms :

* On Windows, open cmd and run :

# ipconfig /flushdns

* On OS X Mountain Lion, type the following in Terminal ( other releases differ; Snow Leopard, for example, uses dscacheutil -flushcache ) :

# sudo killall -HUP mDNSResponder

* On Linux the system itself usually caches nothing: the resolver asks the configured DNS server every time unless a local caching daemon is running. If you run nscd :

# sudo /etc/init.d/nscd restart

Install nscd ( name service cache daemon ) if it is not present :

# sudo apt-get install nscd or yum install nscd

On distributions using systemd-resolved, resolvectl flush-caches ( older: systemd-resolve --flush-caches ) clears the cache instead.

Issue with dovecot.index file

A common issue on cPanel servers running dovecot is corruption of the dovecot.index files of individual email accounts. When an index file is broken, the affected user cannot log in to webmail and gets a ‘server error’. Dovecot's index files exist purely to make reading mailboxes faster; the mail itself lives in the Maildir.

Confirm from the logs that it is the dovecot.index file :

# tail -f /var/log/maillog

###################################

host dovecot: imap(zzzz@yyyy.com): Error: Transaction log file /pathto/dovecot.index.log seq 302: log_file_tail_offset update shrank it (988 vs 1184 sync_offset=972)

host dovecot: imap(zzzz@yyyy.com): Error: broken sync positions in index file /pathto/dovecot.index

host dovecot: imap(zzzz@yyyy.com) Error: Fixed index file /pathto/dovecot.index log_file_tail_offset 1184 -> 988

###################################

The fix is to delete the dovecot.index file for the affected user and folder ( the dovecot.index.log and dovecot.index.cache files beside it can go too ); dovecot rebuilds them on the next login.

# rm -f /path-to-the-/dovecot.index

If the file is broken for the ‘Trash’ folder, delete the index found inside Trash. This is a long-standing dovecot bug, and deleting the index so that dovecot recreates it is the only fix at this point. Only do this on Maildir mailboxes ( cPanel's default ): in dovecot's dbox/mdbox formats the index is the primary store for message metadata, and deleting it can lose message flags.

GNS3 – Quick installation and setup (for Ubuntu)

This is a short intro on how to install GNS3 on Ubuntu.

GNS3 is a graphical network simulator: you draw a network topology and it gives the devices a simulated environment to run in. It is much like Cisco Packet Tracer, which is useful for people preparing for Cisco exams.

GNS3 is very helpful for getting a rough picture of how networking devices behave when put together in a network scenario. With the help of its core program, Dynamips, it runs real Cisco IOS images in an emulated environment.

To install GNS3 on a machine running on Ubuntu, follow the steps :

# sudo add-apt-repository ppa:gns3/ppa

^ Adds the GNS3 PPA

# sudo apt-get update

^ updates the packages list

# sudo apt-get install dynamips gns3

^ installs the tool along with the core program

Once the installation is complete, launch the program from the Dash. You will get a setup wizard.

Step 1 –> Defines the directory where you store your IOS images. By default there are none; you copy your own images into the configured path.

The post originally pointed at this public FTP listing of Cisco IOS images :

ftp://ftp.unikon-ua.net/pub/Cisco/IOS/

Note that IOS images are Cisco's proprietary software and not freely redistributable: use only images you are licensed for, and treat any image from an untrusted source as untrusted code that will run with full access to your lab.

Step 2 –> Defines the path to the core program dynamips. It is already correct when you install from the repository. Once the path is selected, test the settings with the button near the bottom left of the window.


Step 3 –> Selects the router images. If you have none while setting up, leave it blank; images can be added later once they are in place.

With this, the basic installation is complete.

To add IOS images once they are saved to the location defined in step 1, select ‘IOS images and hypervisors’ from the ‘Edit’ menu.

Under ‘Settings’ select the image path and calculate the Idle-PC value; auto calculation works. Setting an Idle-PC value is necessary to keep the emulated router from pinning a CPU core at 100% from the moment it starts. Save, and the router with the IOS you added is available for use.

Now, you can proceed with downloading the required images and setting up the required topologies.

Investigating your Linux box for vulnerabilities

A server in a live environment is always exposed to malware, vulnerable code, intrusions, rootkits and more.

Analysing a server for backdoors and pin-pointing the exact problem always poses a challenge for server owners and their administrators. Thankfully Linux gives you plenty of process listings, logs and statistics to work with. Let us look at some of the things you can do when you suspect your system is compromised.

  • Unintended processes can drive up the server load. Run # top -c to check the current load and look for unfamiliar processes or process paths.
  • Check the process tree with # pstree -p and look for unusual processes or parent/child relationships. If you find one, take its PID and analyse it with lsof, which shows the process's current working directory ( cwd ), its executable and every file it has open.

For example, suppose you find lots of Perl processes running and the parent perl process has PID ‘9905’. Use # lsof -p PID to find out more about it.

=================

# lsof -p 9905
COMMAND  PID USER   FD   TYPE     DEVICE    SIZE      NODE NAME
perl    9905 root  cwd    DIR       x,xx  6770688  33825697 /tmp
perl    9905 root  rtd    DIR       x,xx    4096  33465149 /
perl    9905 root  txt    REG       x,xx   13696  41518574 /usr/bin/perl

=================

This tells you that a Perl script is running from /tmp, which should never happen: /tmp is world-writable, so it is where uploaded malware usually lands. Analyse the files in /tmp and clean up the unwanted ones ( preserve anything you want to investigate first ). If lsof marks a file as (deleted), the attacker removed it after launch; /proc/<PID>/ still exposes what the process has open.

  • Use # ls -al /tmp ( followed by grep arguments ) to check the files in /tmp.
  • Another pattern seen recently in # pstree -p is large numbers of ‘host’ processes. Take the PID of one of them and run lsof on it. You will probably see something like :

================

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

host 7909 nobody cwd DIR 0,32 4096 117770255 /home/domain/public_html/blog/wp-content/uploads

================

The host command, normally used for DNS lookups, is being run by the web-server user ‘nobody’ from a WordPress uploads directory, which means a script dropped there is spawning it, and that is the source of the load. Remove or block the scripts at that location ( cwd ) and then find out how they got there; an insecure or outdated plugin is the usual route with WordPress, and an uploads directory should never be allowed to execute scripts in the first place.

  • Check the IPs making connections to your server. The command below counts TCP/UDP connections per remote address ( column 5 of netstat is the foreign address ) :

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If the number of connections from one IP is out of the ordinary, check what it is trying to reach :

# netstat -plan | grep IP

and block it in the firewall if it looks hostile. ( On newer distributions netstat is gone; ss -antup gives the same information. )

  • On a cPanel server, if the traffic is to the web server you can see exactly what the IP is requesting :

# grep -i -r IP /usr/local/apache/domlogs*

Very often the IP is brute-forcing a login form such as wp-login.php; in the logs you will see it ‘POST’ing to the login page over and over.

  • Renaming the default WordPress ‘admin’ user to something less guessable helps, as does limiting login attempts. These attacks drive up the server load and, if a guess succeeds, hand the attacker the site and a foothold on the server.
  • Find the most accessed domain for a particular day with the following command ( the date must be given in the log's own dd/Mon/yyyy format ) :

grep -r '14/Dec/2014' /usr/local/apache/domlogs* |awk '{print $1}'|cut -d: -f1|sort -n|uniq -c|sort -n

  • Then find the most active IP for the domain that tops that result :

# grep -r '14/Dec/2014' /usr/local/apache/domlogs/domain.tld |awk '{print $1}'|cut -d: -f1|sort -n|uniq -c|sort -n

  • Checking root's shell history ( cat /root/.bash_history ) can show whether root has been compromised; bear in mind that an attacker who gained root usually clears or unlinks it, so an empty or suspiciously short history is itself a finding. Also check the # last command for unfamiliar IPs that logged in to your box, and lastb for failed attempts.
  • Use rkhunter to scan for known rootkits and local exploits on a Linux box. It also checks whether system commands and paths have been altered and whether the startup files have been modified, and performs various checks on the network interfaces, including listening applications.

Once rkhunter is installed, scan the system with # rkhunter --check and go through every warning it reports. Run rkhunter --propupd after legitimate package updates so that changed binaries are not flagged on the next scan, and do not install it for the first time on a box you already suspect: its file-property baseline is only as trustworthy as the system it was recorded on.
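The grep/awk one-liners above, collected into reusable functions as an added example ( not from the original post ): hits per domain for a day, hits per IP for one domain, and the IPs POSTing to wp-login.php more often than a threshold. The log lines are constructed and carry the file:line prefix that grep -r adds, so the functions take the output of grep -r over /usr/local/apache/domlogs on stdin.

```shell
#!/bin/sh
# Added example, not from the original post: the domlog checks above as
# functions. Input is what "grep -r" over /usr/local/apache/domlogs prints,
# i.e. "<logfile>:<combined log line>", read on stdin. SAMPLE_DOMLOGS is
# constructed sample data.

SAMPLE_DOMLOGS='/usr/local/apache/domlogs/blog.example:203.0.113.5 - - [14/Dec/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
/usr/local/apache/domlogs/blog.example:203.0.113.5 - - [14/Dec/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
/usr/local/apache/domlogs/blog.example:203.0.113.5 - - [14/Dec/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
/usr/local/apache/domlogs/blog.example:198.51.100.7 - - [14/Dec/2014:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
/usr/local/apache/domlogs/blog.example:198.51.100.7 - - [14/Dec/2014:10:05:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
/usr/local/apache/domlogs/shop.example:192.0.2.44 - - [14/Dec/2014:11:00:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "curl/7.29.0"
/usr/local/apache/domlogs/shop.example:203.0.113.5 - - [13/Dec/2014:23:59:59 +0000] "GET / HTTP/1.1" 200 4096 "-" "curl/7.29.0"'

# Keep only lines from day $1 (dd/Mon/yyyy, the log's own format). The "["
# and ":" anchors avoid matching the date inside a URL or user agent.
for_day() { grep -F "[$1:"; }

# Strip the "<logfile>:" prefix grep -r adds, leaving the raw log line.
strip_file() { sed 's/^[^:]*://'; }

# "<hits> <domain>" per domain on day $1, busiest first (domain = log file name).
hits_per_domain() {
  for_day "$1" | awk -F: '{ print $1 }' | sed 's#.*/##' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "<hits> <ip>" for domain $2 on day $1, busiest first.
hits_per_ip() {
  for_day "$1" | grep -F "/$2:" | strip_file | awk '{ print $1 }' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# IPs that POSTed to wp-login.php more than $2 times on day $1, on any domain.
wp_login_bruteforce() {
  for_day "$1" | grep -F '"POST /wp-login.php' | strip_file | awk '{ print $1 }' |
    sort | uniq -c | awk -v limit="$2" '$1 > limit { print $2 }'
}

# On a live box:
#   grep -r -F '[14/Dec/2014:' /usr/local/apache/domlogs | wp_login_bruteforce 14/Dec/2014 50
printf '%s\n' "$SAMPLE_DOMLOGS" | hits_per_domain 14/Dec/2014
printf '%s\n' "$SAMPLE_DOMLOGS" | hits_per_ip 14/Dec/2014 blog.example
printf '%s\n' "$SAMPLE_DOMLOGS" | wp_login_bruteforce 14/Dec/2014 2
```

Filtering on the bracketed timestamp rather than the bare date string matters: a date can also appear in a request URL or a user agent, and on a busy server the difference is enough to skew the per-domain counts.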

So, let the Sherlock Holmes investigation start !
