Simple Security Checks For Your Dedicated Server

We’ve all heard the saying ‘prevention is better than cure’. This is especially relevant to server security. The best way to prevent an attack is to make sure the opportunity isn’t provided. There’s no way to be totally safe from internet criminals but it’s important to make sure you have a strong, well configured firewall and that you aren’t running any scripts or services that aren’t required.

It’s also important to check regularly for signs of an attempted attack or break-in. Here are some of the things you can do. You will need to have SSH access to your server.

1. Run rkhunter regularly. I set up a cron job on the servers I manage which runs rkhunter every day and emails me the output. It checks for rootkits, changed files and other anomalies that may lead to an insecure server. You can download it from http://www.rootkit.nl/projects/rootkit_hunter.html

2. Check your server’s /tmp folder. The tmp folder is the preferred location for many exploits, particularly web-based ones, as it is where PHP stores uploaded files temporarily. If you have suPHP enabled you will also be able to see who the owner of the temporary files is. For the most part there shouldn’t be a whole lot in the /tmp directory: probably some session files and a handful of other files and folders. Sometimes the name of a file will cause immediate suspicion, but some may be just randomly named. You should ‘cat’ or ‘more’ these files and examine the contents. Also, make sure that your /tmp folder is mounted so that it doesn’t allow executable files to be run.

If you have CPanel/WHM installed you can run this script from the command line (you will need to be logged in as root)


If you aren’t running CPanel then these are the commands you will need to use:

Edit /etc/fstab and change your /tmp entry so it looks like this:

LABEL=/tmp /tmp ext3 noexec,nosuid,nodev,rw 1 2

then remount it with this:

mount -o remount /tmp
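To confirm that the fstab change and the remount took effect, the following added example (not part of the original post) reports which of noexec, nosuid and nodev are missing from the /tmp entry of an fstab-format file. The helper name missing_tmp_opts and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the hardening options missing from the /tmp entry of an
# fstab-format file (/etc/fstab, or /proc/mounts for the live mount table).
REQUIRED_OPTS="noexec nosuid nodev"

# missing_tmp_opts FILE  (hypothetical helper name)
# Prints the missing options, space separated.
# Exit status: 0 = all present, 1 = some missing, 2 = no /tmp entry in FILE.
missing_tmp_opts() {
    # Field 2 is the mount point, field 4 the comma-separated option list.
    # Comment lines are skipped; the last /tmp entry wins, as the last mount would.
    opts=$(awk '$1 !~ /^#/ && $2 == "/tmp" { o = $4 } END { print o }' "$1" 2>/dev/null)
    [ -n "$opts" ] || return 2
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;                          # exact option is present
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample fstab (not from a real server): /tmp lacks noexec and nodev.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
LABEL=/    /    ext3 defaults        1 1
LABEL=/tmp /tmp ext3 defaults,nosuid 1 2
EOF
echo "sample fstab: /tmp is missing: $(missing_tmp_opts "$SAMPLE")"
rm -f "$SAMPLE"

# Live check: what the kernel is actually enforcing right now.
if live=$(missing_tmp_opts /proc/mounts); then
    echo "live /tmp: noexec,nosuid,nodev all set"
else
    echo "live /tmp: missing '${live}' (empty means /tmp is not a separate mount)"
fi
```

Checking /etc/fstab shows what will apply after the next reboot, while /proc/mounts shows what is in force now; the two can disagree if the remount was skipped.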

These are just two steps you can take in preventing a server break-in.


Vulnerability Assessment On The Cheap

Your server is only as secure as the scripts you run on it. Strong passwords, firewalls and a tight security policy aren’t going to help if you have scripts or applications that contain vulnerabilities. Unfortunately, many of the most popular scripts and applications do contain flaws and/or poorly written code that may allow the bad guys to deface your web site or use your resources.

So … how can you prevent this from happening without spending a fortune on expensive auditing tools or services? There are several very good assessment tools that are free and/or open source. We’re going to look at two of the most popular and, in my opinion, most useful tools for testing your server.


Nessus is an application that runs on Windows and various Unix operating systems. It ‘probes’ your server and looks for many of the known vulnerabilities in server software. After performing a scan (which can take several hours) it will list all of the vulnerabilities and potential vulnerabilities it found and in many cases will offer possible solutions such as upgrading your server software. At the very least it can provide you with a very detailed report about the ports and server applications that are exposed by your server. You would be surprised to see just how much information can be gleaned from a server by running a few simple commands and probing the server ports. Information such as the operating system type and version, as well as the versions of applications such as the web server, mail server etc., is usually displayed by default. If a hacker knows that you are running a version of software that has some known vulnerabilities then they virtually have their foot in the door.

The Nessus application and its huge range of plugins are updated regularly. The plugins (and there are literally thousands of them) define the parameters for vulnerabilities and potential security holes. You can download Nessus from www.nessus.org.


Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

So, rather than being a general security scanner, Nikto is totally focussed on vulnerabilities in web server software and scripts. Your web server tends to be one of the most vulnerable applications as it is usually publicly available and can access the file system on your server.

Nikto is updated regularly with updated plugins available on the Nikto web site. The list of features is quite long:

* Uses rfp’s LibWhisker as a base for all network functionality
* Main scan database in CSV format for easy updates
* Fingerprint servers via favicon.ico files
* Determines “OK” vs “NOT FOUND” responses for file type, if possible
* Determines CGI directories for each server, if possible
* Switch HTTP versions as needed so that the server understands requests properly
* SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
* Output to file in plain text, HTML or CSV
* Plugin support (standard PERL)
* Checks for outdated server software
* Proxy support (with authentication)
* Host authentication (Basic)
* Watches for “bogus” OK responses
* Attempts to perform educated guesses for Authentication realms
* Captures/prints any Cookies received
* Mutate mode to “go fishing” on web servers for odd items
* Builds Mutate checks based on robots.txt entries (if present)
* Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
* Multiple IDS evasion techniques
* Users can add a custom scan database
* Supports automatic code/check updates (with web access)
* Multiple host/port scanning (scan list files)
* Username guessing plugin via the cgiwrap program and Apache ~user methods

It really is an essential tool if you want to know whether your web site has any well known vulnerabilities. The Nikto application (Unix only) is available at http://www.cirt.net/nikto2.


cPanel – Horde arbitrary file inclusion vulnerability

The following message came through from cPanel just now:
An arbitrary file inclusion vulnerability has been discovered in the Horde
webmail application. At present, we can confirm that this security
vulnerability in question affects Horde 3.1.6 and earlier. Based on
incomplete information at this time, we also believe this affects Horde
Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware
at this time).

cPanel customers should update their cPanel and WHM servers immediately to
prevent any chance of compromise. The patch will be available in builds
11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated
builds will be available immediately to all fast update servers. The
builds will be available to all other update servers within one hour of
this posting.

To check which version of cPanel and WHM is on your server, simply log
into WebHost Manager (WHM) and look in the top right corner, or execute
the following command from the command line as root:

/usr/local/cpanel/cpanel -V

You can upgrade your server by navigating to ‘cPanel’ -> ‘Upgrade to
Latest Version’ in WebHost Manager or by executing the following from the
command line as root:


It is recommended that all use of Horde 3.1.6 and earlier be stopped (on
cPanel and non-cPanel systems alike) until Horde updates can be applied.
You can disable Horde on your cPanel system by unchecking the box next to
‘Server Configuration’ -> ‘Tweak Settings’ -> ‘Mail’ -> ‘Horde Webmail’
within WHM, and saving the page with the new settings.

We would like to thank HostGator for providing the initial details in
their report of this vulnerability.

If you are a Dedicated Server Doctor service subscriber, your server was updated within 15 minutes of us receiving this message.


91% Of Websites Are Hackable

Well … according to Acunetix (a provider of enterprise grade security scanning products). At first glance it seems an alarming figure and I would forgive you if you thought that perhaps they might be exaggerating those figures a little. I don’t believe that’s the case … let me explain why.

Let’s use houses as an analogous example. Of all the houses in your town or city, how many do you think are totally impenetrable? I bet that with the right tools you or I could break into just about any house. It’s really only the ones with the razor wire, electric fence, dogs, bees, and dogs with bees in their mouth that might prove to be too great a challenge. Networked computers are much the same as houses. They have entry points (just as the house has entry points such as windows, doors and sky-lights) and whether someone is able to break in depends on how strong those entry points are. So, when you stop and think about it, 90% isn’t such an alarming figure.

What’s more worrying is that Acunetix also says that ‘Out of 3,200 sites scanned, 70% had vulnerabilities with either a medium or high-risk rating’. If we use our house analogy, it’s like saying that ‘70% of the houses we tried to get into had the front door unlocked or open’. It’s a scary percentage but I suspect that it’s not going to surprise many in the Internet/IT industry. SQL injection and cross site scripting (XSS) are still rampant and unless someone can develop a product that can block all XSS and SQL injection attempts at the firewall (which is not really practical) then that’s not going to change any time soon.

In the meantime, those of us who care will continue to try and find new and better ways of keeping the bad guys out 🙂


Help! I’ve Been Hacked!

It’s a cry for help that I’m hearing more and more lately. That is due in part to there being several organised groups on the Internet who are very actively defacing websites. You may have even seen some of the defaced sites. One of the most active groups is a Turkish group that has, on some days, been able to deface thousands of sites with their automated scripts. Fortunately this type of ‘hack’ is generally fairly easy to repair and a script update will usually ‘plug the hole’. Still, it can be a scary experience to open the home page of your website and see a totally different page.

That’s the good news! The bad news is that if you have a dedicated server then the remedy may not be so easy. Particularly if someone has managed to get root access. The only safe way to ‘repair’ your server in that case is to do a full, clean re-install of the operating system and all of your files after identifying exactly how the intruder managed to get root access. This can be costly and time consuming depending on how successful the intruder was at hiding his tracks. This is also one of the main reasons we at The Dedicated Server Doctor monitor our customers’ system log files in real time. All system logs are archived into a database so that if an intruder does manage to get in, we may be able to see where they came from and which service they were able to exploit.

Remember, your server is only as secure as you make it. Weak passwords and outdated scripts and services will almost certainly lead to a compromised server.