
Tuesday, October 11, 2011

Ubuntu Enterprise Cloud (UEC) : How to

Grow Your Own Cloud Servers With Ubuntu




Have you been wanting to fly to the cloud, to experiment with cloud computing? Now is your chance. With this article, we will step through the process of setting up a private cloud system using Ubuntu Enterprise Cloud (UEC), which is powered by the Eucalyptus platform.
The system is made up of one cloud controller (also called a front-end server) and one or more node controllers. The cloud controller manages the cloud environment. You can install the default Ubuntu OS images or create your own to be virtualized. The node controllers are where you can run the virtual machine (VM) instances of the images.

System Requirements

At least two computers must be dedicated to this cloud for it to work:
  • One for the front-end server (cloud or cluster controller) with a minimum 1GHz CPU, 512MB of memory, CD-ROM, 40GB of disk space, and an Ethernet network adapter
  • One or more for the node controller(s) with a CPU that supports Virtualization Technology (VT) extensions, 1GB of memory, CD-ROM, 40GB of disk space and an Ethernet network adapter
You might want to reference a list of Intel processors that include VT extensions. Optionally, you can run a utility, called SecurAble, in Windows. You can also check in Linux if a computer supports VT by seeing if "vmx" or "svm" is listed in the /proc/cpuinfo file. Run the command: egrep '(vmx|svm)' /proc/cpuinfo. Bear in mind, however, this tells you only if it's supported; the BIOS could still be set to disable it.

Preparing for the Installation

First, download the CD image for the Ubuntu Server remix — we're using version 9.10 — on any PC with a CD or DVD burner. Then burn the ISO image to a CD or DVD. If you want to use a DVD, make sure the computers that will be in the cloud read DVDs. If you're using Windows 7, you can open the ISO file and use the native burning utility. If you're using Windows Vista or later, you can download a third-party application like DoISO.
Before starting the installation, make sure the computers involved are set up with the peripherals they need (i.e., monitor, keyboard and mouse). Also make sure they're plugged into the network so they'll automatically configure their network connections.

Installing the Front-End Server

The installation of the front-end server is straightforward. To begin, simply insert the install CD, and on the boot menu select "Install Ubuntu Enterprise Cloud", and hit Enter. Configure the language and keyboard settings as needed. When prompted, configure the network settings.
When prompted for the Cloud Installation Mode, hit Enter to choose the default option, "Cluster". Then you'll have to configure the Time Zone and Partition settings. After partitioning, the installation will finally start. At the end, you'll be prompted to create a user account.
Next, you'll configure settings for proxy, automatic updates and email. Plus, you'll define a Eucalyptus Cluster name. You'll also set the IP addressing information, so users will receive dynamically assigned addresses.

Installing and Registering the Node Controller(s)

The Node installation is even easier. Again, insert the install disc, select "Install Ubuntu Enterprise Cloud" from the boot menu, and hit Enter. Configure the general settings as needed.
When prompted for the Cloud Installation Mode, the installer should automatically detect the existing cluster and preselect "Node." Just hit Enter to continue. The partitioning settings should be the last configuration needed.

Registering the Node Controller(s)

Before you can proceed, you must know the IP address of the node(s). To check from the command line:
/sbin/ifconfig
Then, you must install the front-end server's public ssh key onto the node controller:
  1. On the node controller, set a temporary password for the eucalyptus user using the command:
    sudo passwd eucalyptus
  2. On the front-end server, enter the following command to copy the SSH key:
    sudo -u eucalyptus ssh-copy-id -i ~eucalyptus/.ssh/id_rsa.pub eucalyptus@
  3. Then you can remove the eucalyptus account password from the node with the command:
    sudo passwd -d eucalyptus
  4. After the nodes are up and the key copied, run this command from the front-end server to discover and add the nodes:
    sudo euca_conf --no-rsync --discover-nodes

Getting and Installing User Credentials

Enter these commands on the front-end server to create a new folder, export the zipped user credentials to it, and then unpack the files:
mkdir -p ~/.euca
chmod 700 ~/.euca
cd ~/.euca
sudo euca_conf --get-credentials mycreds.zip   # this takes a while to complete; just wait
unzip mycreds.zip
cd -
The user credentials are also available via the web-based configuration utility; however, it would take more work to download the credentials there and move them to the server.

Setting Up the EC2 API and AMI Tools

Now you must set up the EC2 API and AMI tools on your front-end server. First, source the eucarc file to set up your Eucalyptus environment by entering:
. ~/.euca/eucarc
For this to be done automatically when you login, enter the following command to add that command to your ~/.bashrc file:
echo "[ -r ~/.euca/eucarc ] && . ~/.euca/eucarc" >> ~/.bashrc
Now to install the cloud user tools (the euca2ools package, which provides the euca-* commands used below), enter:
sudo apt-get install euca2ools
To make sure it's all working, enter the following to display the cluster availability details:
. ~/.euca/eucarc
euca-describe-availability-zones verbose

Accessing the Web-Based Control Panel

Now you can access the web-based configuration utility. From any PC on the same network, go to the URL https://:8443. The IP address of the cloud controller is displayed just after logging onto the front-end server. Note that this is a secure connection using HTTPS instead of plain HTTP. You'll probably receive a security warning from the web browser, since the server uses a self-signed certificate instead of one handed out by a known Certificate Authority (CA). You can add an exception for it; the connection is still encrypted, although the browser cannot verify the server's identity until you install a certificate it trusts.
The default login credentials are "admin" for both the Username and Password. The first time you log in you'll be prompted to set up a new password and email.

Installing images

Now that you have the basic cloud set up, you can install images. Bring up the web-based control panel, click the Store tab, and click the Install button for the desired image. It will start downloading, and then it will automatically install, which takes a long time to complete.

Running images

Before running an image on a node for the first time, run these commands to create a keypair for SSH:
touch ~/.euca/mykey.priv
chmod 0600 ~/.euca/mykey.priv
euca-add-keypair mykey > ~/.euca/mykey.priv
You also need to open port 22 (SSH) in the default security group, using the following commands (the -s 0.0.0.0/0 rule allows SSH from any address; narrow it to your management network if the cloud is reachable from elsewhere):
euca-describe-groups
euca-authorize default -P tcp -p 22 -s 0.0.0.0/0
Finally, you can run your registered image. The command to run it is available via the web interface. Login to the web interface, click the Store tab, and select the How to Run link for the desired image. It will display a popup with the exact command.
The first time you run an instance, it will likely take a while for the image to be cached. You can get the status of your instance by running the command:
watch -n5 euca-describe-instances
Once it moves from "pending" to "running", reference the assigned IP address and connect to it:
IPADDR=$(euca-describe-instances | grep $EMI | grep running | tail -n1 | awk '{print $4}')
ssh -i ~/.euca/mykey.priv ubuntu@$IPADDR
To terminate the SSH connection for the instance:
INSTANCEID=$(euca-describe-instances | grep $EMI | grep running | tail -n1 | awk '{print $2}')
euca-terminate-instances $INSTANCEID
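As an added example (not part of the original article), here is a small shell helper that does the job of the grep/awk pipelines above more safely: it matches the image id and the state against their exact columns of euca-describe-instances output rather than anywhere on the line, and it can be looped on while the instance is still pending. The column layout and the sample listing are assumptions modelled on UEC 9.10 output; the instance and image ids are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Column layout assumed for
# euca-describe-instances (UEC 9.10):
#   INSTANCE <instance-id> <emi-id> <public-ip> <private-ip> <state> <keypair> ...

# Print column $3 (2 = instance id, 4 = public IP) of the last INSTANCE line
# whose image id is $1 and whose state is $2. Reads the listing on stdin.
# Exits 1 when no such instance exists, so callers can loop on it.
instance_field() {
    awk -v emi="$1" -v state="$2" -v col="$3" '
        $1 == "INSTANCE" && $3 == emi && $6 == state { last = $col }
        END { if (last == "") exit 1; print last }'
}

# Real use: poll until the instance for image $1 is running, then print its IP.
# (Calls euca-describe-instances, so it is not exercised by the sample below.)
wait_for_ip() {
    while ! ip=$(euca-describe-instances | instance_field "$1" running 4); do
        sleep 5
    done
    printf '%s\n' "$ip"
}

# Constructed sample listing: one running instance and one still pending,
# both from the same image. The ids are made up.
SAMPLE='RESERVATION r-4B3A0822 admin default
INSTANCE i-3F9A0740 emi-E0B31077 192.168.1.201 172.19.1.2 running mykey 0 m1.small 2011-10-11T10:12:01.000Z cluster1 eki-F6ED1103 eri-0B221079
INSTANCE i-5C2D0812 emi-E0B31077 0.0.0.0 0.0.0.0 pending mykey 1 m1.small 2011-10-11T10:15:41.000Z cluster1 eki-F6ED1103 eri-0B221079'

sample_running_ip() { printf '%s\n' "$SAMPLE" | instance_field "$1" running 4; }
sample_running_id() { printf '%s\n' "$SAMPLE" | instance_field "$1" running 2; }

# Stand-alone demonstration: the pending instance is skipped, the running one found.
sample_running_ip emi-E0B31077 && sample_running_id emi-E0B31077
```

On a real front-end, `euca-describe-instances | instance_field "$EMI" running 2` replaces the INSTANCEID pipeline above in the same way.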

Maintaining the cloud

Now you should have a working cloud on your network. If you run into problems, you might have to reference the official documentation or hit the message boards. Before I leave, here are a few final tips:
  • To restart the cloud services on the front-end server run: sudo service eucalyptus [start|stop|restart]
  • To restart a node controller run: sudo service eucalyptus-nc [start|stop|restart]
  • Here are some key file locations:
    • Log files
      /var/log/eucalyptus
    • Configuration files
      /etc/eucalyptus
    • Database
      /var/lib/eucalyptus/db
    • Keys
      /var/lib/eucalyptus
      /var/lib/eucalyptus/.ssh
Eric Geier is the Founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books for brands like For Dummies and Cisco Press.

Sunday, December 26, 2010

Installing and configuring mod_security-Ubuntu 9.04


This how-to is reported to work in Ubuntu 8.04-10.10 as well.

What is mod_security you ask ?


Mod Security can significantly increase the security of your Apache installation.
 
What Is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make the web application firewall technology available to everyone.

Do not think you need this ? Follow along with the examples and decide for yourself (This tutorial assumes you already have Apache and php5 installed).
First, let us look at the default Apache behavior. I will use “ubuntuVPS” as the server of interest.

“Insecure” Example 1 – curl

Use curl to obtain information on the server (bodhi@home is a remote machine connecting to “ubuntuVPS”. You can test all this with any browser if you wish, simply use your server’s home page).
bodhi@home# curl -i ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>

Looks like this in your browser (the famous It works! page)

See how with a single command we already know the server is Ubuntu running Apache 2.2.11 and PHP 5.2.6 ?

“Insecure” Example 2 – bad .php

For this I will ask you to create a file “/var/www/insecure.php”.
Put the following code in the file (it deliberately includes whatever file name the client supplies; that is the bug the rest of this tutorial demonstrates):
# vim /var/www/insecure.php
<?php
// Deliberately vulnerable: the file name comes straight from the query string.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

Now what ? Open a browser and enter http://ubuntuVPS/insecure.php?secret_file=/etc/passwd

I shall use curl in this example:
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:24:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Vary: Accept-Encoding
Content-Length: 860
Content-Type: text/html
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:104:107::/var/spool/postfix:/bin/false

YIKES !!!

Install and configure mod_security

There was a time when installing mod_security was a bit difficult, now it is as easy as :
sudo apt-get -y install libapache-mod-security
The “hard part” is that we need to configure mod_security and obtain a few rules.

Configure mod_security

Using any editor, make a file “/etc/apache2/conf.d/modsecurity2.conf” and put the following contents in the file.
#vim /etc/apache2/conf.d/modsecurity2.conf
<IfModule mod_security2.c>
Include conf.d/modsecurity/*.conf
</IfModule>

By default, mod_security logs to /etc/apache2/logs. The following commands put the log in /var/log/apache2/mod_security instead and create a symbolic link back to /etc/apache2/logs:

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs

Download and install rules

Download the core rule set from modsecurity.org (the wget URL used below).

As of this writing, the rule set was “modsecurity-core-rules_2.5-1.6.1.tar.gz”; you may need to adjust accordingly as new rules are released.
sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz


Enable mod_security:

sudo a2enmod mod-security
Now restart Apache
That’s it :)

Testing mod_security

“Secure” Example 1 – curl
bodhi@home# curl -i http://ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:44:42 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>

Look, no more server or PHP information (Fedora Apache 2.2.0, LOL!!!).

“Secure” Example 2 – bad .php
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 501 Method Not Implemented
Date: Tue, 28 Apr 2009 22:47:38 GMT
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Vary: Accept-Encoding
Content-Length: 291
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>GET to /insecure.php not supported.<br />
</p>
<hr>
<address>Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80</address>
</body></html>

Looks like this in your browser:
"501 Method Not Implemented
Method Not Implemented
GET to /insecure.php not supported.
Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80"
Ah, a 501 error looks much better than the contents of /etc/passwd :)
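An added example, not code from the original post or from bodhizazen's: a shell function that turns the two curl checks in this tutorial into a repeatable audit of a captured response, so the before/after comparison can be re-run after every rule update. The embedded responses are constructed, trimmed copies of the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post. Feed audit_response a full HTTP
# response (headers, blank line, body), for instance:
#   curl -si "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd" | audit_response
# It prints one line per leak and returns the number of leaks (0 = clean).
audit_response() {
    resp=$(tr -d '\r')                       # whole response from stdin, CRs dropped
    hdr=$(printf '%s\n' "$resp" | awk 'NF == 0 { exit } { print }')
    body=$(printf '%s\n' "$resp" | awk 'inbody { print } NF == 0 { inbody = 1 }')
    leaks=0
    echo "status: $(printf '%s\n' "$hdr" | sed 1q)"
    if printf '%s\n' "$hdr" | grep -qi '^X-Powered-By:'; then
        echo "leak: X-Powered-By header present"; leaks=$((leaks + 1))
    fi
    if printf '%s\n' "$hdr" | grep -qi '^Server:.*PHP/'; then
        echo "leak: Server header reveals the PHP version"; leaks=$((leaks + 1))
    fi
    if printf '%s\n' "$hdr" | grep -qi '^Server:.*(Ubuntu)'; then
        echo "leak: Server header reveals the distribution"; leaks=$((leaks + 1))
    fi
    # The tell-tale first line of /etc/passwd in the body means the file
    # inclusion went through, whatever the status code says.
    if printf '%s\n' "$body" | grep -q '^root:x:0:0:'; then
        echo "critical: body contains /etc/passwd (file inclusion succeeded)"; leaks=$((leaks + 1))
    fi
    return "$leaks"
}

# Constructed samples: trimmed copies of the before/after responses shown above.
BEFORE='HTTP/1.1 200 OK
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Content-Type: text/html

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh'

AFTER='HTTP/1.1 501 Method Not Implemented
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Method Not Implemented</h1></body></html>'

audit_before() { printf '%s\n' "$BEFORE" | audit_response; }
audit_after()  { printf '%s\n' "$AFTER"  | audit_response; }

# Stand-alone demonstration: four leaks before mod_security, none after.
audit_before; echo "leaks before: $?"
audit_after;  echo "leaks after: $?"
```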

Where to go from here ?

1. Monitor your logs :
tail /var/log/apache2/mod_security/modsec_audit.log
 
2. Learn / edit your mod_security rules : ModSecurity Reference Manual

3. Delete insecure.php, LOL
sudo rm -f /var/www/insecure.php

I hope you enjoyed and learned from this tutorial :)

Reference:
"This is just a copy cat of the post from http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/
All credit should go to the respective author. I tried the method in Ubuntu 10.10 and it works fine."

Note:
Some of the rules may deny access to your applications (e.g. phpMyAdmin, Drupal, etc.). Test the rules well before you implement them.

Tuesday, December 22, 2009

howto install mod_security2 with apache2 in Ubuntu

There are many significant changes and enhancements in ModSecurity 2.x over the 1.x branch, including:
  • use core rules with various features
  • five processing phases: request headers, request body, response headers, response body, logging
  • per-rule transformation options (previously normalization was implicit and hard-coded). New transformation functions were added.
  • transaction variables. This can be used to store pieces of data, create a transaction anomaly score etc.
  • data persistence. It can be configured any way you want; most people will want to use this feature to track IP addresses, application sessions and application users.
  • support for anomaly scoring and basic event correlation (counters can be automatically decreased over time; variables can be expired).
  • support for web applications and session IDs.
  • regular expression back-references (allows one to create custom variables using transaction content).
  • many new functions that can be applied to the variables (where previously you could only use regular expressions).
  • XML support (parsing, validation, XPath).

Download mod_security

  • Download source from mod_security2 (you need to sign up to download).
There is currently no binary of mod_security 2.5.6 available for Ubuntu, so you need to compile it yourself.

Step by Step Ubuntu install guide

1) install g++ environment

apt-get install g++ doc-base autoconf automake1.9 bison libtool make

2) install prerequisites for mod_security2

apt-get install apache2-threaded-dev libxml2-dev libcurl4-gnutls-dev
  • try to run configure with missing libraries or header files
    ./configure --with-apxs2=/usr/bin/apxs2
    
    result:
    checking for strtol... yes
    configure: looking for Apache module support via DSO through APXS
    configure: error: couldn't find APXS
  • install apache apxs
    apt-get install apache2-threaded-dev
  • next error with configure: missing libxml2
    checking for libxml2 config script... no
    configure: *** libxml2 library not found.
    configure: error: libxml2 library is required
  • install libxml2-dev
    sudo apt-get install libxml2-dev
  • next error with configure: missing libcurl
    • this step is optional, only needed if you want to build mlogc; I did it.
      checking for libcurl config script... no
      configure: *** curl library not found.
      configure: NOTE: curl library is only required for building mlogc
  • install libcurl4-gnutls-dev
    sudo apt-get install libcurl4-gnutls-dev

3) final configure works, run make now

cd ~/modsecurity-apache_2.5.6/apache2
./configure --with-apxs2=/usr/bin/apxs2

output:
checking for g++... g++
checking for C++ compiler default output file name... a.out
checking whether the C++ compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables... 
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking whether make sets $(MAKE)... yes
checking for ranlib... ranlib
checking for perl... /usr/bin/perl
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking limits.h usability... yes
checking limits.h presence... yes
checking for limits.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for C/C++ restrict keyword... __restrict
checking for size_t... yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking for uint8_t... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for working memcmp... yes
checking for atexit... yes
checking for fchmod... yes
checking for getcwd... yes
checking for memset... yes
checking for strcasecmp... yes
checking for strchr... yes
checking for strdup... yes
checking for strerror... yes
checking for strncasecmp... yes
checking for strrchr... yes
checking for strstr... yes
checking for strtol... yes
configure: looking for Apache module support via DSO through APXS
configure: found apxs at /usr/bin/apxs2
configure: checking httpd version
configure: httpd is recent enough
checking for libpcre config script... /usr/bin/pcre-config
configure: using '-L/usr/lib -lpcre' for pcre Library
checking for libapr config script... /usr/bin/apr-1-config
configure: using ' -luuid -lrt -lcrypt  -lpthread -ldl' for apr Library
checking for libapr-util config script... /usr/bin/apu-1-config
configure: using ' -L/usr/lib -laprutil-1' for apu Library
checking for libxml2 config script... /usr/bin/xml2-config
configure: using '-lxml2' for libxml Library
checking for pkg-config script for lua library... no
configure: optional lua library not found
checking for libcurl config script... /usr/bin/curl-config
configure: using '-lcurl -lgssapi_krb5' for curl Library
configure: creating ./config.status
config.status: creating Makefile
config.status: creating build/apxs-wrapper
config.status: creating t/run-unit-tests.pl
config.status: creating t/run-regression-tests.pl
config.status: creating t/gen_rx-pm.pl
config.status: creating t/csv_rx-pm.pl
config.status: creating t/regression/server_root/conf/httpd.conf
config.status: creating ../tools/rules-updater.pl
config.status: creating mod_security2_config.h
make

4) install mod_security2

I did it this manual way to control what is installed; of course you can use "make install" instead.
cp modsecurity-apache_2.5.6/apache2/.libs/mod_security2.so /usr/lib/apache2/modules
chmod 644 /usr/lib/apache2/modules/mod_security2.so
chown root:root /usr/lib/apache2/modules/mod_security2.so

5) include mod_security2 in the apache2 way

/etc/apache2/mods-available# cat mod_security2.load 
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

/etc/apache2/mods-enabled# ln -s ../mods-available/mod_security2.load .

6) load apache2 mod_unique_id

  • run apachectl configtest and find the missing mod_unique_id error
    apachectl configtest
    less /var/log/apache2/error.log
    [Fri Aug 15 11:59:34 2008] [error] ModSecurity: ModSecurity requires mod_unique_id to be installed
  • fix it with a2enmod or make a manual symlink in mods-enabled (the module ships as unique_id.load, so the a2enmod argument is unique_id)
    a2enmod unique_id

7) reload apache config

  • reload config and check error.log
    apachectl configtest
    apachectl graceful
    less /var/log/apache2/error.log
after reloading apache, make a test request to your webserver and check access.log and error.log

8) initial mod_security configuration

After the initial installation of mod_security2 you can add mod_security2 rules. For example, add a core rule file to the apache conf directory:
/etc/apache2/conf.d/mod_security2# ls
modsecurity_crs_10_config.conf

9) adapt the log paths

SecAuditLog             /var/log/apache2/modsec_audit.log
SecDebugLog             /var/log/apache2/modsec_debug.log

10) example: set higher SecDebugLogLevel

# NOTE Debug logging is generally very slow. You should never
#      use values greater than "3" in production.
#      0 - no logging.
#      1 - errors (intercepted requests) only.
#      2 - warnings.
#      3 - notices // default value.
#      4 - details of how transactions are handled.
#      5 - as above, but including information about each piece of information handled.
#      9 - log everything, including very detailed debugging information.

SecDebugLogLevel        5


Tuesday, December 15, 2009

HOWTO : Make sure there is no rootkit on your Ubuntu server


To ensure that rootkits, trojans or worms are not installed on your server without your knowledge, you should check it frequently.

ChkRootKit

Get the chkrootkit package :

sudo apt-get install chkrootkit

Make a Cron Job to do the scan daily at 0700 hours :

sudo crontab -e



0 7 * * * /usr/sbin/chkrootkit; /usr/sbin/chkrootkit -q 2>&1 | mail -s "Daily ChkRootKit Scan" me@mail.com

Do a manual scan :

sudo /usr/sbin/chkrootkit


Rootkit Hunter (Optional)

sudo apt-get install rkhunter

Make a Cron Job to do the scan daily at 0500 hours :

sudo crontab -e



0 5 * * * rkhunter --cronjob --rwo | mail -s "Daily Rootkit Hunter Scan" me@mail.com

Do a manual scan :

sudo rkhunter --check


Forensic tool to find hidden processes and ports – unhide

Get the unhide package :

sudo apt-get install unhide

Make a Cron Job to do the scan daily between 0800 and 0930 hours :

sudo crontab -e

0 8 * * * unhide proc; unhide proc -q 2>&1 | mail -s "Daily unhide proc Scan" me@mail.com

30 8 * * * unhide sys; unhide sys -q 2>&1 | mail -s "Daily unhide sys Scan" me@mail.com

0 9 * * * unhide brute; unhide brute -q 2>&1 | mail -s "Daily unhide brute Scan" me@mail.com

30 9 * * * unhide-tcp; unhide-tcp -q 2>&1 | mail -s "Daily unhide-tcp Scan" me@mail.com

Do a manual scan :

sudo unhide proc
sudo unhide sys
sudo unhide brute
sudo unhide-tcp

Beware :
RootKit Hunter and ChkRootKit will produce some false positives when your packages or files have been updated, or when they behave similarly to a rootkit.

Remarks :
A clean scan is not 100% proof that your system is free of rootkits.

Friday, September 18, 2009

Reset Root password UBUNTU

If you forgot your password for your Ubuntu system you can recover it using the following steps. (Anyone with physical access to the machine can do the same, which is why a GRUB password and disk encryption matter on exposed systems.)

  1. Turn your computer on.
  2. Press ESC at the grub prompt.
  3. Press e for edit.
  4. Highlight the line that begins kernel ………, press e
  5. Go to the very end of the line, add rw init=/bin/bash
  6. press enter, then press b to boot your system.
  7. Your system will boot up to a passwordless root shell.
  8. Type in passwd username

Wednesday, September 9, 2009

Setup mod_jk on Ubuntu (Dapper) for Ofbiz

Install a few Ubuntu packages required prior to building mod_jk:

#apt-get install libtool automake autoconf apache2-threaded-dev

Download the latest version of tomcat-connectors
Build and install the mod_jk libraries with the following commands:

#tar xvzf tomcat-connectors-1.2.23-src.tar.gz
#cd tomcat-connectors-1.2.23-src/native
#./buildconf.sh
#./configure --with-apxs=/usr/bin/apxs2
#make
#make install


Shortcut:
#sudo apt-get install libapache2-mod-jk

This installs the libraries in /usr/lib/apache2/modules.
Create /etc/apache2/mods-enabled/jk.load containing:

LoadModule jk_module /usr/lib/apache2/modules/mod_jk.so
Create /etc/apache2/mods-enabled/jk.conf:

JkWorkersFile /etc/apache2/workers.properties
JkLogFile /var/log/apache2/jk.log
JkMount /ecommerce/* worker1
JkMount /images/* worker1
JkMount /content/* worker1

Create /etc/apache2/workers.properties:

# Define 1 real worker using ajp13
worker.list=worker1
# Set properties for worker1 (ajp13)
worker.worker1.type=ajp13
worker.worker1.host=localhost
worker.worker1.port=8009

There are no extras defined here. This is only to get things up and running. There are extra steps that you should take to ensure that things are secure.

Saturday, August 29, 2009

Tuning LAMP server

  • APACHE2

Our HTTPD uses a number of modules, such as URL rewriting, server info, php5, GeoIP and other basic modules. We could optimize much further by using an Apache 2.2.3 worker MPM with only the useful modules, or even by serving static pages directly and proxying dynamic pages. All this depends on your developments and your server usage. Here we will only focus on the Apache prefork MPM.
Nowadays it’s important to keep the KeepAlive functionality active. This increases the speed of delivering pages for many modern browsers (it’s supported by IE, Firefox, Safari, Opera, etc.). The only thing is to adjust the default value a little: if your KeepAlive timeout is too big, you will keep an entire Apache slot open for a user who is probably gone! A 4 second timeout is enough to deliver a full web page and absorb some network congestion. MaxKeepAliveRequests defines the maximum number of requests handled by an Apache slot during one keep-alive session. Unless you have lots of pictures to load on your web pages you don’t really need a big value here.

KeepAlive On
KeepAliveTimeout 4
MaxKeepAliveRequests 500

As I don’t have a lot of memory available on the server, I am forced to decrease drastically the number of running servers, from 150 to 60. As each Apache process uses approximately 13MB of memory (minus 3MB of shared memory), I need approximately 600MB of available memory when all the Apache child processes are running. For our further tuning we have to consider that this memory is used. It’s really important in our case to dedicate memory to Apache, to avoid swapping too much and losing the box in a freeze. You can follow your memory usage with top by looking at your apache/httpd processes (do a quick “man top” to learn more). If you have a little more free memory, take a look at the Apache documentation for further tuning.

ServerLimit 60
MaxClients 60
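An added example, not from the original post: the MaxClients arithmetic described above (per-child RSS minus its shared part, divided into the RAM reserved for Apache) as a script, with the per-child figure measured from ps instead of guessed. It assumes the prefork MPM and that `ps -C apache2 -o rss=` prints one RSS value in KB per process; the sample ps output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the prefork MPM and
# that `ps -C apache2 -o rss=` prints one RSS value (KB) per child process.

# Average RSS in whole MB of the KB values read on stdin, one per line.
avg_rss_mb() {
    awk '{ sum += $1; n++ } END { if (n == 0) exit 1; printf "%d\n", sum / n / 1024 }'
}

# MaxClients that fits the budget: budget_mb / (per_child_mb - shared_mb).
# Usage: max_clients <budget_mb> <per_child_mb> <shared_mb>
max_clients() {
    per=$(($2 - $3))
    if [ "$per" -le 0 ]; then
        echo "per-child memory must exceed the shared part" >&2
        return 1
    fi
    echo $(($1 / per))
}

# Combine the two: RSS list on stdin, budget and shared size as arguments.
# Real use:  ps -C apache2 -o rss= | recommend_max_clients 600 3
recommend_max_clients() {
    avg=$(avg_rss_mb) || return 1
    max_clients "$1" "$avg" "$2"
}

# Constructed sample of `ps -C apache2 -o rss=` output for a box like the
# one described above (about 13MB per child).
SAMPLE_RSS='13312
13824
13312
13824
13312'

sample_recommendation() { printf '%s\n' "$SAMPLE_RSS" | recommend_max_clients 600 3; }

# With 600MB reserved and 3MB shared per child this reproduces the 60 above;
# ServerLimit must be set at least as high as the value printed.
sample_recommendation
```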

Our server is often overloaded, with a lot of traffic. When I need to restart Apache, or after a crash, the Apache server starts with only 5 child server processes and adds 1 new one a second later, 2 new children 2 seconds later, 4 new ones at the third second, and so on. That is far too slow when you are in a peak! So I configured StartServers to let us start directly with 30 child server processes. That helps us serve clients quickly and minimizes the impact of a server restart.

MinSpareServers and MaxSpareServers are used in the same way as StartServers. When your Apache server isn’t loaded, there are idle children waiting for connections. It’s not useful to keep all your children open, but in case of a new peak the best way to minimize its impact on your server is to deliver web pages as quickly as possible, so keeping some idle child processes waiting for clients isn’t so stupid. Furthermore, on our touchy server we consider that we can allocate 600MB of RAM, so we can use it even for idle child processes, as we dedicate this RAM to Apache. To avoid memory leaks in any module, and to always have fully available children, I set MaxRequestsPerChild to 1000; that means that after every 1000 requests the child is killed and the Apache server spawns a new one. You’ll probably have to set this value higher; it depends on the structure of your web pages. You will have to monitor your server a little after these changes to make sure it isn’t spending too much time killing and spawning children instead of delivering web pages.

StartServers 30
MinSpareServers 30
MaxSpareServers 30
MaxRequestsPerChild 1000

Following some security concerns, we don’t display too much information about our server. As we don’t need reverse lookups on the client IP, we keep the default value of HostnameLookups, Off, and in this way we save some network traffic and server load.

ServerTokens Prod
ServerSignature Off
HostnameLookups Off

  • PHP 5.1.4

To speed up our page generation and save some CPU we use the PHP extension eAccelerator. Take a look at its documentation for how to install it.
We dedicate 32MB of our RAM to eAccelerator (shm_size) and use it with both shared memory and the file cache (the "shm_and_disk" value for the keys, sessions and content variables). Memory is really useful in our case, because all the mail, Apache logs and MySQL disk access generate too much I/O and slow down the whole server considerably. As we don’t change the PHP scripts on the server often, we don’t need the check_mtime functionality: when set to "1", it does a stat on the PHP script to check its last modification date. We don’t need this because we want to save disk access and we don’t have many updates to the running scripts; we just have to clean the cache directory after an update.

eaccelerator.shm_size="32"
eaccelerator.cache_dir="/www/tmp/eaccelerator"
eaccelerator.enable="1"
eaccelerator.optimizer="1"
eaccelerator.check_mtime="0"
eaccelerator.debug="0"
eaccelerator.filter=""
eaccelerator.shm_max="0"
eaccelerator.shm_ttl="3600"
eaccelerator.shm_prune_period="1"
eaccelerator.shm_only="0"
eaccelerator.compress="1"
eaccelerator.compress_level="9"
eaccelerator.keys="shm_and_disk"
eaccelerator.sessions="shm_and_disk"
eaccelerator.content="shm_and_disk"

  • MySQL 5.0.24

As I have no control over how many of the running scripts were written, I lowered all the MySQL connection timeouts to avoid congestion. I then increased the number of simultaneous MySQL connections, since we were getting a lot of "Too many connections" errors.

wait_timeout=6
connect_timeout=5
interactive_timeout=120
max_connections = 500
max_user_connections = 500

Now we change the touchiest part of the MySQL configuration: RAM usage. It is touchy because a bad value can seriously degrade server performance and make the server swap heavily. After some tests I lowered the table cache and the key buffer cache to 256MB. We do not have much RAM available, since 600MB go to httpd and many other services are running. I tried somewhat higher values, hoping the swap would not be too bad, but given our I/O load swapping was not good for MySQL at all :-)

If you use MyISAM tables I suggest concurrent_insert=2, which really improves server performance in many cases. MyISAM uses table locks; with concurrent inserts the engine can sometimes bypass the lock and let INSERT and SELECT run concurrently. We also disable the storage engines we do not use (InnoDB, BDB). See the MySQL documentation for finer tuning.

join_buffer_size=1M
sort_buffer_size=1M
read_buffer_size=1M
read_rnd_buffer_size=1M
table_cache=256M
max_allowed_packet=4M

key_buffer=256M
key_buffer_size=256M
thread_cache=256M
thread_concurrency=2
thread_cache_size=40
thread_stack=128K

concurrent_insert=2

query_cache_limit=1M
query_cache_size=256M
query_cache_type=1
skip-bdb
skip-innodb

  • Linux Kernel 2.6.18

Here is a touchy part of our tuning: we adjust the Linux kernel's behaviour to our server load to save memory and avoid excessive swapping. Also, having done good work above, we now have to handle more TCP connections and cope properly with peaks. We use the sysctl command to update the values.

# display the value of a variable or group of variables
sysctl [-n] [-e] variable …
# set a new value for the specified variable
sysctl [-n] [-e] [-q] -w variable=value …
# display all variables
sysctl [-n] [-e] -a
# load a sysctl config file (default /etc/sysctl.conf)
sysctl [-n] [-e] [-q] -p

For our tests we create a test config file "/etc/sysctl.conf.testing" and load it with the following command line:

sysctl -p /etc/sysctl.conf.testing

When you are happy with your changes you can rename the file to "/etc/sysctl.conf". All sysctl variables are documented with the kernel sources; I suggest downloading the documentation for your kernel version and reading it carefully before you change any values.
A really good article on SecurityFocus gives some keys to minimizing the impact of a SYN attack / SYN spoofing. To that end we enable SYN cookies and reverse-path (route) validation:

net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_synack_retries=3
net.ipv4.tcp_syn_retries=3

As we had swap trouble, an important change is vm.swappiness, whose default value is 60. This variable controls how much the kernel favours swapping out application memory; its value ranges from 0 to 100. I set it to 10 to minimize swapping.

vm.swappiness=10

We raise the maximum backlog to support more TCP traffic and switch the congestion control algorithm to BIC. The Linux kernel supports many congestion algorithms: Reno (the default), htcp, vegas, westwood, etc.

# interface buffering
net.core.netdev_max_backlog=2500
net.ipv4.tcp_max_syn_backlog=4096
# limit of the socket listen() backlog; default is 128
# (sysctl.conf only accepts comments on their own lines, not after a value)
net.core.somaxconn=1024
net.ipv4.tcp_congestion_control=bic

To avoid a big TCP queue, and therefore memory usage, for connections that are not really active, I lower some TCP timeouts and make the kernel recycle TCP connections quickly. We do not cache ssthresh (slow start threshold) so that one connection to a given host does not impose a reduced ssthresh on all its subsequent connections.

net.ipv4.tcp_keepalive_time=900
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_max_orphans=16384
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_no_metrics_save=1

It is critical to use the optimal send and receive socket buffer sizes for the link you are using. In our case we have a 100Mbit link, so for better TCP throughput and congestion control we raise the TCP buffers. You can read more about this here.

net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
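To confirm that a test file loaded with sysctl -p really took effect (the kernel may clamp a value or reject a malformed line without the file telling you so), here is an added helper that is not part of the original post: it compares every key in a sysctl.conf-style file with the running value under /proc/sys. The file name and the constructed demo tree are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: report which settings in a
# sysctl.conf-style file differ from the running kernel, so a
# "sysctl -p /etc/sysctl.conf.testing" run can be verified before the file
# is renamed to /etc/sysctl.conf.
# Assumes a Linux /proc/sys tree; the optional second argument of
# sysctl_drift points at another root, which the demo uses with a constructed tree.

# Normalise a value for comparison: collapse tabs/spaces and trim both ends
# (/proc/sys prints multi-field values such as tcp_rmem tab-separated).
_norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# Print "key=value" for every setting in a sysctl.conf file, ignoring blank
# lines and '#' or ';' comment lines, and tolerating "key = value" spacing.
sysctl_parse() {
    sed -e '/^[ 	]*[#;]/d' -e '/^[ 	]*$/d' "$1" |
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac   # not a key=value line
        key=$(_norm "${line%%=*}")
        val=$(_norm "${line#*=}")
        if [ -n "$key" ]; then printf '%s=%s\n' "$key" "$val"; fi
    done
}

# Compare each setting with the live value read from <root>/<key with . -> />.
# Prints one line per key and returns the number of keys missing or differing.
sysctl_drift() {
    _file=$1; _root=${2:-/proc/sys}; _bad=0
    _list=$(mktemp)
    sysctl_parse "$_file" > "$_list"
    while IFS='=' read -r key want; do
        path="$_root/$(printf '%s' "$key" | tr '.' '/')"
        if [ ! -r "$path" ]; then
            printf 'MISSING %s (no %s)\n' "$key" "$path"
            _bad=$((_bad + 1))
            continue
        fi
        got=$(_norm "$(cat "$path")")
        if [ "$got" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$got"
        else
            printf 'DRIFT   %s = %s (file says %s)\n' "$key" "$got" "$want"
            _bad=$((_bad + 1))
        fi
    done < "$_list"
    rm -f "$_list"
    return $_bad
}

# Demo on a constructed /proc/sys look-alike (values chosen for the example):
# syncookies already match, swappiness is still at the default 60, and the
# congestion control entry does not exist in this fake tree.
sysctl_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/net/ipv4" "$root/vm"
    printf '1\n' > "$root/net/ipv4/tcp_syncookies"
    printf '60\n' > "$root/vm/swappiness"
    printf '4096\t87380\t16777216\n' > "$root/net/ipv4/tcp_rmem"
    cat > "$root/sysctl.conf.testing" <<'EOF'
# constructed test file
net.ipv4.tcp_syncookies = 1
vm.swappiness=10
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_congestion_control=bic
EOF
    sysctl_drift "$root/sysctl.conf.testing" "$root"
    rc=$?
    rm -rf "$root"
    return $rc
}

sysctl_demo || echo "$? setting(s) differ from the running kernel"
```

On a real host run sysctl_drift /etc/sysctl.conf.testing after sysctl -p; a DRIFT line for a value you just loaded usually means the kernel clamped it.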

  • That's all folks!

Now this server supports twice the traffic load. The technical side was our traffic growth bottleneck. Much more tuning could be done for better performance (I/O and disk access, other kernel options, compiling a new kernel, using the Apache worker MPM, etc.). This post only gave some clues on how to tune your servers. One important thing not to forget: whatever you tune on your server will never be enough if badly written programs are running on it!

Reference:

http://www.shell-tips.com/2006/11/25/fine-tuning-a-linux-apache-mysql-php-lamp-server/

Wednesday, July 29, 2009

Linux Password Cracking: Explain unshadow and john commands ( john the ripper tool )

Q. Can you tell me more about unshadow and john command line tools? How does it protect my server from crackers?


A. Both unshadow and john are distributed with John the Ripper, a fast password cracker. It is free and open source software and runs on Windows, UNIX and Linux. Use this tool to find weak user passwords on your own server.


John cracking modes

John can work in the following modes:
[a] Wordlist : John will simply use a file with a list of words that will be checked against the passwords. See RULES for the format of wordlist files.

[b] Single crack : In this mode, john will try to crack the password using the login/GECOS information as passwords.

[c] Incremental : This is the most powerful mode. John will try any character combination to resolve the password. Details about these modes can be found in the MODES file in john’s documentation, including how to define your own cracking methods.

Install John the Ripper Password Cracking Tool

John the ripper is not installed by default. If you are using Debian / Ubuntu Linux, enter:
$ sudo apt-get install john
Note: RHEL, CentOS, Fedora, Redhat Linux user can grab john the ripper here. Once downloaded use rpm command:
# rpm -ivh john*

How do I use John the ripper to check weak passwords / crack passwords?

First use the unshadow command to combine the /etc/passwd and /etc/shadow files so John can use them. You need this because if you used only the shadow file, the GECOS information would not be available to "single crack" mode and you could not use the -shells option. On a normal system you need to run unshadow as root to be able to read the shadow file, so log in as root or use good old sudo / su under Debian / Ubuntu Linux:
$ sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
RHEL / CentOS / Fedora Linux user type the following command:
# /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
To check weak password (crack password), enter the following command:

WARNING! These examples use brute-force, CPU-time consuming password cracking techniques.

To use John, you just need to supply it a password file created using unshadow command along with desired options. If no mode is specified, john will try "single" first, then "wordlist" and finally "incremental" password cracking methods.
$ john /tmp/crack.password.db
Output:

 john  /tmp/crack.password.db
Loaded 1 password (FreeBSD MD5 [32/32])

This procedure will take its own time. To see the cracked passwords, enter:
$ john -show /tmp/crack.password.db

test:123456:1002:1002:test,,,:/home/test:/bin/bash
didi:abc123:1003:1003::/home/didi:/usr/bin/rssh

2 passwords cracked, 1 left

The above output clearly shows that user test has the password 123456 and didi has abc123.

OpenSSH Server Best Security Practices

Introduction:
OpenSSH is an implementation of the SSH protocol. OpenSSH is recommended for remote login, making backups, remote file transfer via scp or sftp, and much more. SSH is perfect for keeping the confidentiality and integrity of data exchanged between two networks and systems. However, its main advantage is server authentication through the use of public key cryptography. From time to time there are rumors about an OpenSSH zero-day exploit. Here are a few things you need to tweak in order to improve OpenSSH server security.

Default Config Files and SSH Port
  • /etc/ssh/sshd_config - OpenSSH server configuration file.
  • /etc/ssh/ssh_config - OpenSSH client configuration file.
  • ~/.ssh/ - Users ssh configuration directory.
  • ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user's account.
  • /etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
  • /etc/hosts.allow and /etc/hosts.deny - Access control lists enforced by tcp-wrappers are defined here.
  • SSH default port : TCP 22

#1: Disable OpenSSH Server

Workstations and laptops can work without an OpenSSH server. If you do not need to provide the remote login and file transfer capabilities of SSH, disable and remove the sshd server. CentOS / RHEL / Fedora Linux users can disable and remove openssh-server with the yum command:


# chkconfig sshd off
# yum erase openssh-server

Debian / Ubuntu Linux user can disable and remove the same with apt-get command:

# apt-get remove openssh-server

You may need to update your iptables script to remove the ssh exception rule. Under CentOS / RHEL / Fedora edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Once done, restart the iptables services:

# service iptables restart
# service ip6tables restart

#2: Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) has man-in-the-middle problems and security vulnerabilities. SSH-1 is obsolete and should be avoided at all costs. Open the sshd_config file and make sure the following line exists:

Protocol 2

#3: Limit Users' SSH Access

By default all system users can log in via SSH using their password or public key. Sometimes you create UNIX / Linux user accounts for FTP or email purposes only; however, those users can log in to the system via ssh. They will have full access to system tools, including compilers and scripting languages such as Perl and Python, which can open network ports and do many other fancy things. One of my clients had a really outdated PHP script and an attacker was able to create a new account on the system via that script. However, the attacker failed to get into the box via ssh because the account wasn't in AllowUsers.

To allow only the root, vivek and jerry users to use the system via SSH, add the following to sshd_config:

AllowUsers root vivek jerry

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers saroj anjali foo

You can also configure Linux PAM to allow or deny login via the sshd server, for example by allowing or denying a list of group names.

#4: Configure Idle Log Out Timeout Interval

Users can log in to the server via ssh, and you can set an idle timeout interval to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out). See how to automatically log BASH / TCSH / SSH users out after a period of inactivity for more details.

#5: Disable .rhosts Files

Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command; this setting disables that insecure RSH-style access.

#6: Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

#7: Disable root Login via SSH

There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root-level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

However, Bob made an excellent point:

Saying "don't login as root" is horseshit. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You'd get your password spoofed but not root's pw. Gimme a break. This is 2005 - We have ssh, used properly it's secure. Used improperly none of this 1989 will make a damn bit of difference. -Bob

#8: Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/issue

Sample /etc/issue file:

----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:

+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.

+ At any time, the XYZG may inspect and seize data stored on this IS.

+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.

+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.

+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------

The above is a standard sample; consult your legal team for exact user agreement and legal notice details.

#8: Firewall SSH Port # 22

You need to firewall ssh port 22 by updating your iptables or pf firewall configuration. Usually an OpenSSH server should only accept connections from your LAN or other remote WAN sites.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connection only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you've dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

 -A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

#9: Change SSH Port and Limit IP Binding

By default SSH listens on all available interfaces and IP addresses on the system. Limit the ssh port binding and change the ssh port (by default brute-forcing scripts only try to connect to port 22). To bind to the 192.168.1.5 and 202.54.1.5 IPs on port 300, add or correct the following lines:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

A better approach is to use proactive scripts such as fail2ban or denyhosts (see below).

#10: Use Strong SSH Passwords and Passphrase

It cannot be stressed enough how important it is to use strong user passwords and passphrases for your keys. Brute force attacks work because users choose dictionary-based passwords. You can force users to avoid dictionary passwords and use John the Ripper to find existing weak passwords. Here is a sample random password generator (put it in your ~/.bashrc):

genpasswd() {
local l=$1
[ "$l" == "" ] && l=20
tr -dc A-Za-z0-9_ < /dev/urandom | head -c ${l} | xargs
}

Run it:
genpasswd 16
Output:

uw8CnDVMwC6vOKgW

#11: Use Public Key Based Authentication

Use a public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never ever use a passphrase-free (passphrase-less) key for login.

#12: Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

#13: Chroot SSHD (Lock Down Users To Their Home Directories)

By default users are allowed to browse server directories such as /etc/, /bin and so on. You can protect ssh using an OS-based chroot or special tools such as rssh. Since the release of OpenSSH 4.8p1 / 4.9p1, you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users into their home directories. See this blog post about the new ChrootDirectory directive to lock down users to their home directories.

#14: Use TCP Wrappers

TCP Wrapper is a host-based networking ACL system used to filter network access. OpenSSH supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:

sshd : 192.168.1.2 172.16.23.12 

See this FAQ about setting and using TCP wrappers under Linux / Mac OS X and UNIX like operating systems.

#15: Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:

PermitEmptyPasswords no

#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities, using a single computer or a distributed network. To prevent brute force attacks against SSH, use one of the following tools:

  • DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
  • security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
  • security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
  • security/sshblock blocks abusive SSH login attempts.
  • security/sshit checks for SSH/FTP brute force attempts and blocks the given IPs.
  • BlockHosts: automatic blocking of abusive IP hosts.
  • Blacklist: get rid of those brute force attempts.
  • Brute Force Detection: a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored, including regular expressions for each unique auth format.
  • IPQ BDB filter: may be considered a fail2ban lite.

#17: Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provide a rate-limit option to perform simple throttling of incoming connections on port 22.

Iptables Example

The following example drops incoming connections from a source that makes more than 5 connection attempts on port 22 within 60 seconds:

#!/bin/bash
# $IPT is normally exported by the calling iptables script; fall back to the usual path
IPT=${IPT:-/sbin/iptables}
inet_if=eth1
ssh_port=22
# remember every new connection attempt from the source address
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set
# drop the source once it has made 5 attempts within the last 60 seconds
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Call the above script from your iptables scripts. Another configuration option:

$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one-line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following limits the maximum number of connections per source to 20 and rate-limits connections to 15 in a 5 second span. Anyone who breaks these rules is added to our abusive_ips table and blocked from making any further connections. Finally, the flush keyword kills all states created by the matching rule that originate from the host that exceeded these limits.

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

#18: Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host that sent the connection attempts to connect on specific port(s). A sample port knocking setup for ssh using iptables:

# stage1: the first knock (port 1234) was seen; a hit on 3456 advances to knock2
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

# stage2: the second knock was seen; a hit on 2345 opens the door (heaven)
$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

# door: route each SYN to the right stage, each knock must follow within 5 seconds
$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door

  • fwknop is an implementation that combines port knocking and passive OS fingerprinting.
  • Multiple-port knocking Netfilter/IPtables only implementation.

#19: Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make log reading easier: they go through your logs for a given period of time and produce a report on the areas you choose with the level of detail you want. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO

#20: Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Other Options

To hide the OpenSSH version you would need to modify the source code and recompile OpenSSH. Make sure the following options are enabled in sshd_config:

# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no

Verify your sshd_config file before restarting / reloading to apply the changes:

# /usr/sbin/sshd -t

Tighter SSH security with two-factor or three-factor (or more) authentication.
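As an added example that is not part of the original post, the following POSIX sh script audits an sshd_config file against the directives recommended above (#2 to #15 and the Other Options list) and reports what is missing or differs; the sample config it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file
# against the hardening directives listed above.
# sshd semantics modelled here: keywords are case-insensitive, "Key value"
# and "Key=value" are both accepted, lines starting with '#' are comments,
# and the FIRST occurrence of a keyword wins (later duplicates are ignored).
# Directives below a "Match" line only apply to matching sessions, so the
# audit stops there and looks at the global settings only.

# Print the effective global value of a keyword (empty if it is not set).
sshd_effective() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                        # comment line
        { sub(/=/, " ") }                          # allow the Key=value form
        NF < 2 { next }
        tolower($1) == "match" { exit }            # conditional block: stop here
        tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Compare each recommended directive with its effective value.
# Returns the number of directives that are unset or differ.
sshd_audit() {
    _file=$1; _bad=0
    while IFS='|' read -r key want; do
        got=$(sshd_effective "$_file" "$key")
        if [ -z "$got" ]; then
            printf 'UNSET %s (want %s, sshd default applies)\n' "$key" "$want"
            _bad=$((_bad + 1))
        elif [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf 'FAIL  %s = %s (want %s)\n' "$key" "$got" "$want"
            _bad=$((_bad + 1))
        else
            printf 'OK    %s = %s\n' "$key" "$got"
        fi
    done <<'EOF'
Protocol|2
IgnoreRhosts|yes
HostbasedAuthentication|no
PermitRootLogin|no
PermitEmptyPasswords|no
ClientAliveInterval|300
ClientAliveCountMax|0
StrictModes|yes
UsePrivilegeSeparation|yes
AllowTcpForwarding|no
X11Forwarding|no
PasswordAuthentication|no
LogLevel|info
EOF
    return $_bad
}

# Constructed sample config for the demonstration (not a real server's file).
# Note the duplicated PermitRootLogin: the first line is the one sshd uses.
sshd_demo_config() {
    cat <<'EOF'
# constructed sample sshd_config
Protocol 2
PermitRootLogin yes
PermitRootLogin no
IgnoreRhosts yes
HostbasedAuthentication=no
ClientAliveInterval 300
ClientAliveCountMax 0
Match User backup
    PasswordAuthentication no
EOF
}

# Demo: write the sample to a temp file, audit it, then clean up.
_demo=$(mktemp)
sshd_demo_config > "$_demo"
sshd_audit "$_demo" || echo "$? directive(s) need attention"
rm -f "$_demo"
```

Run sshd_audit /etc/ssh/sshd_config on a real host; the UNSET lines tell you where the compiled-in sshd default, not your policy, is in force.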

Monday, July 27, 2009

instance in scalr farm rebooting continuously

Answer:
Most likely SNMP monitoring does not work or the event handler is configured improperly.

Steps:
# apt-get install snmpd snmp
# vim /etc/default/snmpd
----------------------
#SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1'
## remove the localhost parameter from the end of the line
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid '

----------------------
# vim /etc/snmp/snmpd.conf
----------------------
com2sec readonly default cc54b971b0bd1a
group MyROGroup v1 readonly
group MyROGroup v2c readonly
group MyROGroup usm readonly
view all included .1 80
view system included .iso.org.dod.internet.mgmt.mib-2.system
# context sec.model sec.level match read write notif
access MyROSystem "" any noauth exact system none none
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all all none
#
syslocation Amazon EC2
syscontact Nativetung Inc.
----------------------
# vim /etc/snmp/snmptrapd.conf
----------------------
authCommunity log,execute,net cc54b971b0bd1a
----------------------
# /etc/init.d/snmpd restart

Still have the same issue? Have you configured the event handler?

Log in to scalr --> Settings --> Core settings --> add the event handler URL and IP address, the same as the scalr machine's.

Now roll up your sleeves and let's explore more.

Sunday, July 26, 2009

I am getting the following error while I try to create a new application or a new farm.

"Unexpected exception in javascript:Badly formed JSON string: '
\nFatal error: Class \'HttpRequest\' not found in /var/scalr/app/src/
LibWebta/library/NET/API/AWS/class.AmazonS3.php on line 454
\n'"

Solution:
The pecl_http PHP extension is missing on your system.

So start here to resolve the issue:
# apt-get install libcurl4-openssl-dev
Make sure that curl is installed, then proceed:
# pecl install pecl_http

Add extension=http.so to /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini, and copy the http.so file to the php5 lib folder.

Changing the Logging format and Log file of bind:

Add the following to the file "named.conf.local":

#vim /etc/bind/named.conf.local

------------------------------------------
logging {
channel "debug" {
file "/var/log/bind/query.log";
print-time yes;
print-category yes;
};
category "default" { "debug"; };
category "general" { "debug"; };
category "database" { "debug"; };
category "security" { "debug"; };
category "config" { "debug"; };
category "resolver" { "debug"; };
category "xfer-in" { "debug"; };
category "xfer-out" { "debug"; };
category "notify" { "debug"; };
category "client" { "debug"; };
category "unmatched" { "debug"; };
category "network" { "debug"; };
category "update" { "debug"; };
category "update-security" { "debug"; };
category "queries" { "debug"; };
category "dispatch" { "debug"; };
category "dnssec" { "debug"; };
category "lame-servers" { "debug"; };
category "delegation-only" { "debug"; };
};
------------------------------------------

# mkdir /var/log/bind/
# cd /var/log/bind/
# touch query.log
# chown bind /var/log/bind/query.log
# service bind9 restart

Thursday, July 23, 2009

Debian / Ubuntu Linux enable/disable an apache module (simple way)

Debian / Ubuntu Linux comes with two scripts:

(a) a2enmod is a script that enables the specified module within the apache2 configuration. It does this by creating symlinks within /etc/apache2/mods-enabled.

(b) a2dismod disables a module by removing those symlinks. It is not an error to enable a module which is already enabled, or to disable one which is already disabled.

Syntax:
a2dismod {module-name}

For example, to disable a module called foo or mime_magic, enter:


# a2dismod foo
# a2dismod mime_magic

If you ever need to re-enable disabled modules, use a2enmod command as follows:

Syntax:
a2enmod {module-name}

For example, to enable the imagemap module, enter:
# a2enmod imagemap

Note: if you don't know the module name, run a2enmod (or a2dismod) without arguments and it will show a list of all available modules:
# a2enmod

----------------------------
Which module would you like to disable?
Your choices are: alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi dir env fastcgi mime negotiation php5 setenvif status userdir
Module name? authz_user
----------------------------

Enable apache modules under Debian based system

Apache is usually suitable out of the box for the most common uses. The apache structure under Debian-based systems is really well made, as it makes it very easy to activate or deactivate a module.

This how-to will show how to activate or deactivate available modules under a debian system running apache2.

1. How it works:

There are 2 kinds of modules used by apache:

  • Modules compiled in
  • Modules that are loaded when you launch apache

In order to check which modules were compiled in with apache, you can type the following command:

$ apache2 -l

---------------
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_log_config.c
mod_logio.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_negotiation.c
mod_dir.c
mod_alias.c
mod_so.c

---------------

This list corresponds to the modules compiled into apache on an Ubuntu Dapper system. As you can see, there are no php, rewrite, ... modules compiled in. Those modules are meant to be loaded when running apache.

Now let's check the main apache configuration file, /etc/apache2/apache2.conf; around line 115 you can see these 2 lines:

---------------
# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
---------------

As you can see, apache loads any files ending with .load first and .conf after, from /etc/apache2/mods-enabled/.

Now, let's have a look in that directory:

$ ls /etc/apache2/mods-enabled/

---------------
actions.load php5.conf rewrite.load userdir.load
cgi.load php5.load userdir.conf

---------------

As you can see, I have the cgi, actions, php5, userdir and rewrite modules enabled. This allows me to run php5 scripts in /home/user/public_html using rewrite rules.

Going further into the investigation, we can see that the files in mods-enabled are not actually files, but links to files contained in mods-available:

$ ls -l /etc/apache2/mods-enabled/userdir.load

---------------
lrwxrwxrwx 1 root root 30 2006-05-15 03:00 /etc/apache2/mods-enabled/userdir.load -> ../mods-available/userdir.load

---------------

Now, let's have a look at /etc/apache2/mods-available:

$ ls /etc/apache2/mods-available/

---------------
actions.load dav_fs.conf info.load proxy.load
asis.load dav_fs.load ldap.load rewrite.load
auth_anon.load dav.load mem_cache.load speling.load
auth_dbm.load deflate.load mime_magic.conf ssl.conf
auth_digest.load disk_cache.load mime_magic.load ssl.load
auth_ldap.load expires.load php5.conf suexec.load
cache.load ext_filter.load php5.load unique_id.load
cern_meta.load file_cache.load proxy.conf userdir.conf
cgid.conf headers.load proxy_connect.load userdir.load
cgid.load imap.load proxy_ftp.load usertrack.load
cgi.load include.load proxy_http.load vhost_alias.load

---------------

This basically contains all the files linked from mods-enabled plus a whole load of other available modules.

2. Adding modules:

Now, taking into account the structure of apache, it is pretty easy to add modules to be loaded by apache. Let's assume you want to add the mime_magic module. To do so, you can either:

  • add it by hand:

    $ cd /etc/apache2/mods-enabled
    $ sudo ln -s ../mods-available/mime_magic.conf mime_magic.conf
    $ sudo ln -s ../mods-available/mime_magic.load mime_magic.load

    OR

  • add it the Debian way with a2enmod:

    $ sudo a2enmod

    Which module would you like to enable?
    Your choices are: actions asis auth_anon auth_dbm auth_digest auth_ldap cache cern_meta cgid cgi dav_fs dav deflate disk_cache expires ext_filter file_cache headers imap include info ldap mem_cache mime_magic php5 proxy_connect proxy_ftp proxy_http proxy rewrite speling ssl suexec unique_id userdir usertrack vhost_alias
    Module name? mime_magic
    Module mime_magic installed; run /etc/init.d/apache2 force-reload to enable.


That's it, your module will be loaded the next time you start apache. You can actually avoid restarting apache by asking it to simply reload its configuration:

$ sudo /etc/init.d/apache2 reload

And there you go, your newly added module is included in apache.