ModSecurity, a very helpful Linux tool for preventing unwanted server intrusions, caught a user using the program Python-urllib trying to access one of my websites.
Python-urllib is often used by web users as an email harvester. It is also used by Hanzo to archive websites.
216.246.65.100 - - "GET HTTP/1.1" 406 269 "-" "Python-urllib/2.4"
This means that our ModSec rules identified the user agent 'Python-urllib' and returned a '406' response, which means Not Acceptable.
216.246.65.100 resolves back to unknown.ord.servercentral.net.
Written by admin on July 4th, 2008 with comments disabled.
There appears to be a problem with Centos 5.2 when trying to upgrade openssh-clients to version 4.3p2-26.el5.
root@server [/usr/src]# yum update openssh-clients
Loading “protectbase” plugin
Loading “fastestmirror” plugin
Loading mirror speeds from cached hostfile
* base: mirror.sanctuaryhost.com
* updates: mirror.sanctuaryhost.com
* addons: mirrors.rit.edu
* extras: updates.interworx.info
Excluding Packages in global exclude list
Finished
0 packages excluded due to repository protections
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package openssh-clients.i386 0:4.3p2-26.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Updating:
openssh-clients i386 4.3p2-26.el5 base 446 k
Transaction Summary
=============================================================================
Install 0 Package(s)
Update 1 Package(s)
Remove 0 Package(s)
Total download size: 446 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : openssh-clients ######################### [1/2]
Error unpacking rpm package openssh-clients - 4.3p2-26.el5.i386
error: unpacking of archive failed on file /usr/bin/ssh: cpio: rename
Updated: openssh-clients.i386 0:4.3p2-26.el5
Complete!
UPDATE: I finally figured out why OpenSSH was not updating.
If you run lsattr /usr/bin/ssh, it will probably show the immutable and append-only attributes set on the file (the ones chattr -i -a clears), which is what prevents rpm from replacing it.
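An added example (not from the original post) that parses lsattr output for the immutable (i) and append-only (a) attributes behind the "cpio: rename" failure and builds the matching chattr command; the sample lsattr lines are constructed, and the `run` parameter is only there so the check can be exercised without a real lsattr.

```python
import subprocess

# Attribute letters that stop rpm from renaming a new file over the old one.
LOCKING_FLAGS = {"i": "immutable", "a": "append-only"}

# Constructed lsattr output for illustration (not captured from a real host).
SAMPLE_LOCKED = "----ia-------e- /usr/bin/ssh"
SAMPLE_CLEAN = "-------------e- /usr/bin/ssh"


def parse_lsattr_line(line):
    """Split one lsattr line into (set of attribute letters, path)."""
    flags, _, path = line.strip().partition(" ")
    return {c for c in flags if c != "-"}, path.strip()


def locking_attrs(line):
    """Sorted list of attributes on this line that block in-place replacement."""
    attrs, _ = parse_lsattr_line(line)
    return sorted(attrs & set(LOCKING_FLAGS))


def unlock_command(line):
    """chattr argv clearing only the attributes actually set, or None."""
    locked = locking_attrs(line)
    if not locked:
        return None
    _, path = parse_lsattr_line(line)
    return ["chattr"] + ["-" + flag for flag in locked] + [path]


def check_file(path, run=subprocess.run):
    """Run lsattr on PATH and explain whether yum/rpm can replace the file."""
    proc = run(["lsattr", path], capture_output=True, text=True, check=True)
    line = proc.stdout.splitlines()[0]
    cmd = unlock_command(line)
    if cmd is None:
        return f"{path}: no immutable/append-only attribute set; rpm can replace it"
    names = ", ".join(LOCKING_FLAGS[f] for f in locking_attrs(line))
    return f"{path}: {names} set, rpm cannot rename over it; run: {' '.join(cmd)}"


if __name__ == "__main__":
    print(unlock_command(SAMPLE_LOCKED))
    print(check_file("/usr/bin/ssh"))
```

After clearing the attributes, re-run the yum update and consider setting them back afterwards if they were deliberate.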
Written by admin on July 2nd, 2008 with comments disabled.
This robot, "obot", emanating from RIPE address space, was trying to spider the server and did not respect robots.txt. It is now banned.
194.153.113.8 - - [26/Jun/2008:16:19:12 -0400] "GET / HTTP/1.1" 404 8686 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; obot)"
The IP referenced belongs to cobion.com.
Written by admin on June 29th, 2008 with comments disabled.
Do you want to check if your server is properly configured with rDNS or reverse DNS?
It's pretty important these days to have reverse DNS set up for your dedicated IP address in order for email to be delivered properly.
Many free email companies like GMail, Hotmail, Yahoo Mail, and others require reverse DNS to be set up for the IP address from which the email originates. It would not hurt to have an SPF record and/or a DomainKey configured as well, but that is for another post.
STEPS
1) Log into your server as root or as another user.
2) Enter the following at the prompt using PuTTY or another SSH client.
root@server [~]# dig -x 68.180.206.184 <--- replace with your IP address
The output should look like this:
;; QUESTION SECTION:
;184.206.180.68.in-addr.arpa. IN PTR
;; ANSWER SECTION:
184.206.180.68.in-addr.arpa. 1200 IN PTR w2.rc.vip.sp1.yahoo.com.
As long as the ANSWER section contains a PTR record matching what you would like your rDNS to be, such as www.server.com, then you are golden.
Sometimes you must contact your server host and have them enter your PTR records manually; other providers let you do it yourself via a control panel.
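An added example (not part of the original post) that performs the check above the way a receiving mail server does: it builds the in-addr.arpa name that dig -x queries, fetches the PTR, and then confirms the name resolves forward to the same IP (forward-confirmed rDNS). The `ptr` and `forward` parameters default to the live resolver and are injectable so the logic can be run offline against constructed answers.

```python
import ipaddress
import socket


def reverse_name(ip):
    """The name dig -x queries: 68.180.206.184 -> 184.206.180.68.in-addr.arpa
    (IPv6 addresses produce the ip6.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_ptr(ip):
    """PTR for IP via the system resolver; raises socket.herror if absent."""
    return socket.gethostbyaddr(ip)[0]


def lookup_forward(name):
    """All addresses NAME resolves to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def check_rdns(ip, expected=None, ptr=lookup_ptr, forward=lookup_forward):
    """Return (ok, detail). ok is True only when the PTR exists, matches
    `expected` if given, and resolves forward back to `ip`."""
    try:
        name = ptr(ip).rstrip(".")
    except OSError as exc:  # socket.herror / gaierror are OSError subclasses
        return False, f"no PTR for {reverse_name(ip)}: {exc}"
    if expected and name != expected.rstrip("."):
        return False, f"PTR is {name}, expected {expected}"
    try:
        addrs = forward(name)
    except OSError as exc:
        return False, f"PTR {name} does not resolve forward: {exc}"
    if ip not in addrs:
        return False, f"PTR {name} resolves to {sorted(addrs)}, not {ip}"
    return True, f"{ip} -> {name} -> {ip} (forward-confirmed)"


if __name__ == "__main__":
    import sys
    print(check_rdns(sys.argv[1] if len(sys.argv) > 1 else "68.180.206.184"))
```

A PTR whose name does not resolve back to the IP is treated by many receivers the same as no PTR at all, so check both directions.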
Written by admin on June 26th, 2008 with comments disabled.
There are a few ways to see what version of Centos your server has installed.
Steps
1) While logged in as root, enter the following commands.
cat /etc/redhat-release
This should produce a response like this:
CentOS release 5.2 (Final)
2) Another method is to enter the following command:
rpm -qa | grep centos
This should produce results like this:
root@server [~]# rpm -qa | grep centos
procmail-3.22-17.1.el5.centos
comps-extras-11.1-1.1.el5.centos
basesystem-8.0-5.1.1.el5.centos
gdm-2.16.0-46.el5.centos
pm-utils-0.99.3-6.el5.centos.19
yum-fastestmirror-1.1.10-9.el5.centos
specspo-13-1.el5.centos
rhgb-0.16.4-8.el5.centos.1
nss-3.11.99.5-2.el5.centos
centos-release-notes-5.2-2
desktop-backgrounds-basic-2.0-40.el5.centos
anacron-2.3-45.el5.centos
pango-1.14.9-3.el5.centos
kdelibs-3.5.4-16.el5.centos
system-config-date-1.8.12-3.el5.centos.2
gnome-session-2.16.0-6.el5.centos
gnome-desktop-2.16.0-1.el5.centos.1
redhat-logos-4.9.99-8.el5.centos
redhat-artwork-5.1.0-26.el5.centos
redhat-lsb-3.1-12.3.EL.el5.centos
pirut-1.3.28-13.el5.centos
httpd-manual-2.2.3-6.el5.centos.1
filesystem-2.4.0-1.el5.centos
mod_ssl-2.2.3-6.el5.centos.1
ntp-4.2.2p1-8.el5.centos.1
nss-tools-3.11.99.5-2.el5.centos
gzip-1.3.5-10.el5.centos
busybox-1.2.0-4.el5.centos
initscripts-8.45.19.EL-1.el5.centos.1
firstboot-tui-1.4.27.3-1.el5.centos
firstboot-1.4.27.3-1.el5.centos
crash-4.0-5.0.3.el5.centos
Deployment_Guide-en-US-5.2-9.el5.centos
kdebase-3.5.4-18.el5.centos
yum-protectbase-1.1.10-9.el5.centos
xorg-x11-proto-devel-7.1-9.el5.centos
setuptool-1.19.2-1.el5.centos
centos-release-5-2.el5.centos
yum-3.2.8-9.el5.centos.2.1
bluez-utils-3.7-2.el5.centos
httpd-2.2.3-6.el5.centos.1
firefox-3.0-0.beta5.6.el5.centos
3) To check your Kernel version, you could enter this command.
uname -a
Written by admin on June 25th, 2008 with comments disabled.
Yum is a word that may inspire fear in the hearts of many newbie server admins because they don't understand what it does and fear it may break their server if used.
Yum stands for "Yellowdog Updater, Modified" and is similar in function to the commands apt-get and up2date.
Here are some common Yum commands used while you are logged in as root.
# yum upgrade
# yum update
# yum install bind
Yum usage:
yum [options] <update | upgrade | install | info | remove | list | clean | provides | search | check-update | groupinstall | groupupdate | grouplist>
Yum Options
-c [config file] - specify the config file to use
-e [error level] - set the error logging level
-d [debug level] - set the debugging level
-y - answer yes to all questions
-t - be tolerant about errors in package commands
-R [time in minutes] - set the max amount of time to randomly run in
-C - run from cache only - do not update the cache
--installroot=[path] - set the install root (default '/')
--version - output the version of yum
-h, --help - this screen
Written by admin on June 24th, 2008 with comments disabled.
It's a good idea on a new server to edit the sysctl.conf file to increase server security.
Steps:
1) Log into your server as root.
2) I recommend using WinSCP as a Windows-based interface to edit and manipulate server files.
3) Find /etc/sysctl.conf
4) Add the following text to the file. Cut and paste.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable logging of spoofed packets, source-routed packets and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
5) You now have to reload sysctl manually for the changes to take effect. This can be done by executing these two commands in order.
a) /sbin/sysctl -p
b) sysctl -w net.ipv4.route.flush=1
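An added example (not from the original post) that audits a sysctl.conf fragment like the one above before it is loaded: sysctl -p applies lines in order, so a key that appears twice with different values silently takes the last one, and a missing key keeps the kernel default. The baseline dictionary and the sample excerpt are constructed from the settings in this post.

```python
# Hardening values this post sets; the audit compares against these.
HARDENING = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "kernel.sysrq": "0",
}

# Constructed excerpt with the kind of duplicate a copy-paste leaves behind.
SAMPLE = """\
# Disables packet forwarding
net.ipv4.ip_forward=0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
kernel.sysrq = 0
"""


def parse_sysctl(text):
    """Return ({key: effective value}, [(key, [all values]) for keys whose
    repeated definitions disagree]). Comments and blank lines are skipped."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        seen.setdefault(key, []).append(value)
    effective = {k: v[-1] for k, v in seen.items()}      # last definition wins
    conflicts = [(k, v) for k, v in seen.items() if len(set(v)) > 1]
    return effective, conflicts


def audit(text, wanted=HARDENING):
    """Return ({key: found value or None} for every baseline key that is
    missing or different, conflicting duplicates)."""
    effective, conflicts = parse_sysctl(text)
    wrong = {k: effective.get(k) for k, v in wanted.items() if effective.get(k) != v}
    return wrong, conflicts


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the real /etc/sysctl.conf before step 5; after sysctl -p, `sysctl net.ipv4.conf.all.log_martians` shows which value actually won.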
Written by admin on June 24th, 2008 with comments disabled.
How To: Add SPF Record to Sub Domain
Most folks don't realize that a subdomain that sends email should probably have its own SPF record so that its email is not rejected as spam.
Example: subdomain.foo.com
Steps
1) Log into Cpanel/WHM and navigate to:
Main >> DNS Functions >> Edit DNS Zone
2) Choose a Zone to Edit – example: foo.com
3) Find: “Add New Entries Below this Line”
4) Enter your corresponding variables such as this:
subdomain 14400 IN TXT "v=spf1 a mx ptr ~all"
5) Click on “Save”
This will reset Bind and your DNS zone should be updated.
To confirm that your subdomain is working properly, log in as root and enter:
dig TXT subdomain.foo.com
That should display the new SPF record if all goes well.
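An added example (not part of the original post) that parses an SPF TXT record such as the one entered above and reports what a receiving mail server would object to: a missing v=spf1, terms after "all", more than ten DNS-lookup terms, and the "ptr" mechanism, which RFC 7208 says should not be used. The records checked in the usage are constructed.

```python
import re

LOOKUP_MECHS = {"a", "mx", "ptr", "include", "exists"}   # each costs a DNS lookup
KNOWN_MECHS = LOOKUP_MECHS | {"all", "ip4", "ip6"}
# qualifier, name, then optional ":" / "=" / "/" separator and argument
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.+))?$")


def parse_spf(record):
    """Return (terms, problems); each term is (qualifier, name, argument)."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return [], ["record must start with v=spf1"]
    terms, problems, lookups = [], [], 0
    for i, part in enumerate(parts[1:], start=1):
        m = TERM.match(part.lower())
        if not m:
            problems.append(f"unparseable term {part!r}")
            continue
        qual, name, sep, arg = m.group(1) or "+", m.group(2), m.group(3), m.group(4)
        terms.append((qual, name, arg))
        if sep == "=":                      # modifier (redirect= or exp=)
            lookups += name == "redirect"
            continue
        if name not in KNOWN_MECHS:
            problems.append(f"unknown mechanism {name!r}")
        lookups += name in LOOKUP_MECHS
        if name == "ptr":
            problems.append("ptr is discouraged by RFC 7208; list hosts with a, mx or ip4 instead")
        if name == "all" and i != len(parts) - 1:
            problems.append("terms after 'all' are never evaluated")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed RFC 7208's limit of 10")
    if not any(n in ("all", "redirect") for _, n, _ in terms):
        problems.append("no 'all' or redirect=; unlisted senders get a neutral result")
    return terms, problems


if __name__ == "__main__":
    for rec in ("v=spf1 a mx ptr ~all", "v=spf1 a mx ip4:203.0.113.0/24 -all"):
        print(rec, "->", parse_spf(rec)[1])
```

Because SPF is looked up on the exact sending domain, subdomain.foo.com needs this record in its own name; the record on foo.com is not consulted for it.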
Written by admin on June 24th, 2008 with 1 comment.