Archive for March, 2010

Virus and how to scan it?

Posted: March 26, 2010 in My live

If you have found virus and dont know how to scan or your antivirus do not do their job than you need this..

http://www.virustotal.com/

Online Virus scanning and they have 40 0r more antivirus system to scan the fail…

use it … :p

Advertisements

This is how you secure your linux box.

1. Account Locking

Account locking for multiple failed tries puts extra burden on the system administrators but it also puts some responsibility on the user to remember his passwords. Additionally, locking allows the administrator to track the accounts that have potential hack attempts against them and to notify those users to use very strong passwords.

Typically, a system will drop your connection after three unsuccessful attempts to login but you may reconnect and try again. By allowing an infinite number of failed attempts, you’re compromising your system’s security. Smart system administrators can take the following measure to stop this threat: Account lockout after a set number of attempts. My preference is to set that limit to three.

Add the following lines to your system’s /etc/pam.d/system-auth file. 

auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

account required /lib/security/$ISA/pam_tally.so per_user deny=3 no_magic_root reset

Your distribution might not include the system-auth file but instead uses the /etc/pam.d/login file for these entries.

2. Cron Restriction

On multiuser systems, you should restrict cron and at to root only. If other users must have access to scheduling, add them individually to the /etc/cron.allow and /etc/at.allow files. If you choose to create these files and add user accounts into them, you also need to create /etc/cron.deny and /etc/at.deny files. You can leave them empty but they need to exist. Don’t create an empty /etc/cron.deny unless you add entries to the /etc/cron.allow because doing so allows global access to cron. Same goes for at.

To use the allow files, create them in the /etc directory and add one user per line to the file. The root user should have an entry in both allow files. Doing this restricts cron to the root user only.

As the system administrator, you can allow or deny cron and at usage based upon the user’s knowledge and responsibility levels.

3. Deny, Deny, Deny

“Deny everything” sounds eerily Presidential doesn’t it? But for system security and certain political indiscretions, it’s the right answer. System security experts recommend denying all services for all hosts using an all encompassing deny rule in the /etc/hosts.deny file. The following simple entry (ALL: ALL) gives you the security blanket you need.

#

# hosts.deny This file describes the names of the hosts which are

# *not* allowed to use the local INET services, as decided

# by the ‘/usr/sbin/tcpd’ server.

#

# The portmap line is redundant, but it is left to remind you that

# the new secure portmap uses hosts.deny and hosts.allow. In particular

# you should know that NFS uses portmap!

ALL: ALL

Edit the /etc/hosts.allow file and insert your network addresses (192.168.1., for example) where you and your users connect from before you logout or you’ll have to login via the console to correct the problem. Insert entries similar to the following to allow access for an entire network, single host or domain. You can add as many exceptions as you need. The /etc/hosts.allow file takes precedence over the /etc/hosts.deny to process your exceptions.

4. Deny SSH by Root

Removing the root user’s ability to SSH provides indirect system security. Logging in as root to a system removes your ability to see who ran privileged commands on your systems. All users should SSH to a system using their standard user accounts and then issue su or sudocommands for proper tracking via system logs.

Open the /etc/ssh/sshd_config file with your favorite editor and change PermitRootLogin yes to PermitRootLogin no and restart the ssh service to accept the change.

5. Change the Default Port 

While changing the default SSH port (22) will have limited effectiveness in a full port sweep, it will thwart those who focus on specific or traditional service ports. Some sources suggest changing the default port to a number greater than 1024, for example: 2022, 9922 or something more random, such as 2345. If you’re going to use this method as one of your strategies, I suggest that you use a port that doesn’t include the number 22.

Edit your /etc/ssh/sshd_config and change the “Port” parameter to your preferred port number. Uncomment the Port line too. Restart the sshd service when you’re finished and inform your users of the change. Update any applicable firewall rules to reflect the change too.

System security is important and is a constant battle. You have to maintain patch levels, updates and constantly plug newly discovered security holes in system services. As long as there are black hat wearing malcontents lurking the Net looking for victims, you’ll have a job keeping those wannabe perpetrators at bay.

Apparmour on ubuntu server

Posted: March 11, 2010 in Debian
If you install ubuntu server and wanna feels like debian free configure.. 
than disable and remove apparmour on your server
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
sudo aptitude remove apparmor apparmor-utils

Nikto is a free, open source, command line scanning script used for testing your web server’s security. It checks for thousands of vulnerabilities and potential security weaknesses such as default files and programs, outdated servers, insecure files, server and software misconfigurations. Nikto uses a configuration file, three dozen plugins for testing and a handful of templates for reporting.

Nikto is not a weapon nor is it a remedy for damage that’s already occurred. It is an assessment tool that, when used properly, may prevent a host of potential security threats from becoming reality.

Download Nikto here.

http://cirt.net/nikto/nikto-2.1.1.tar.gz

Use nikto with the following guide.

$ ./nikto.pl -h website.com

- Nikto v2.1.1
---------------------------------------------------------------------------
+ Target IP:          192.168.1.250
+ Target Hostname:    website.com
+ Target Port:        80
+ Start Time:         2010-03-01 13:42:23
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ Number of sections in the version string differ from those in the database, the server reports: apache/2.2.3 while the database has: 2.2.14. This may cause false positives.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3233: /icons/README: Apache default file found.
+ 3818 items checked: 5 item(s) reported on remote host
+ End Time:           2010-03-01 13:42:54 (31 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
#################################################################################################################

$ ./nikto.pl -h website.com -port 443,8080

---------------------------------------------------------------------------
+ No web server found on 192.168.1.250:443
---------------------------------------------------------------------------
+ No web server found on 192.168.1.250:8080
---------------------------------------------------------------------------