Category: Security

  • How to whitelist a hostname in CSF firewall

    Firewalls usually allow or block IP addresses. If you need to allow a hostname, you have to find its IP address and whitelist that address. If you use a dynamic DNS service like noip or dyndns, the IP address behind your hostname changes whenever your internet provider assigns you a new one.

    ConfigServer Security and Firewall (CSF) supports dynamic DNS. This feature can be used to whitelist normal hostnames too.

    To allow a hostname, log in to your server using SSH.

    Edit the file

    vi /etc/csf/csf.dyndns

    In this file, you can add your hostname to the whitelist.

    In the CSF config file, you need to make the following changes.

    vi /etc/csf/csf.conf

    Set the value of DYNDNS

    DYNDNS = "600"

    This will tell the CSF firewall to check for the IP address of whitelisted hostnames every 10 minutes. You can change this as needed.

    DYNDNS_IGNORE = "1"

    By setting DYNDNS_IGNORE to 1, the CSF firewall will never block these IP addresses, even if there are failed login attempts or too many connections.

    Restart lfd

    systemctl restart lfd
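    The refresh cycle that the DYNDNS setting drives, as an added example (not csf or lfd code): every DYNDNS seconds the hostnames in csf.dyndns are resolved again and the allow list is updated with any changed address. The resolver is a parameter so the script runs offline; csf.dyndns is assumed to hold one hostname per line, and the sample settings and hostname are constructed.

```python
import re
import socket


def parse_csf_conf(text):
    """Collect KEY = "value" settings from csf.conf text into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_dyndns_file(text):
    """csf.dyndns entries, assumed one hostname per line; '#' starts a comment."""
    hosts = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            hosts.append(entry)
    return hosts


def refresh(hosts, cache, resolve=socket.gethostbyname):
    """One refresh cycle: resolve every host and diff against the cached IPs.
    Returns (new_cache, ips_to_allow, ips_to_remove). A host that fails to
    resolve keeps its previous IP so a DNS hiccup does not drop the allow."""
    new_cache, to_allow, to_remove = {}, [], []
    for host in hosts:
        try:
            ip = resolve(host)
        except OSError:          # socket.gaierror is a subclass of OSError
            ip = cache.get(host)
        old = cache.get(host)
        if ip and ip != old:
            to_allow.append(ip)
            if old:
                to_remove.append(old)
        new_cache[host] = ip
    return new_cache, to_allow, to_remove


def unresolvable(host):
    """Resolver stand-in for the DNS-failure case (used by the checks)."""
    raise OSError("temporary failure in name resolution: " + host)


# Constructed samples; example.net is a reserved documentation domain.
SAMPLE_CONF = 'DYNDNS = "600"\nDYNDNS_IGNORE = "1"\n# CC_DENY = ""\n'
SAMPLE_DYNDNS = "home.example.net  # laptop on a dynamic IP\n# old.example.net\n"
```

    Pass a resolver such as a lambda returning a fixed address to refresh() to step through the allow/remove decisions without touching DNS.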

    Back to CSF Firewall

  • Cheap Imunify360 license

    Imunify360 is security software for web servers. It supports popular control panels like cPanel, Plesk, etc.

    Buying Imunify360 from a reseller is cheaper than buying directly. Here are some resellers for Imunify360.

    Provider                 1 User   30 Users   250 Users   Unlimited Users
    imunify360.com (direct)  $12      $25        $35         $45
    isplicense.com           $7.6     $15.3      $19.4       $28.2
    cplicense.net            $7.5     $11.5      $15.5       $19.5
    jonesolutions.com        $8       $12        $16         $20
  • Install Nginx ModSecurity on CentOS 7

    ModSecurity is a Web Application Firewall that protects your website from hacking attacks. It is Open Source and free to use. It can be used with webservers like Apache, Nginx, and IIS. To install ModSecurity with Nginx, we need to compile the ModSecurity Nginx module and activate it in the Nginx configuration file.

    Install the compilers and libraries needed for building the source code.

    yum groupinstall "Development Tools"
    

    Install the dependencies

    yum install bison curl curl-devel doxygen flex gcc-c++ git GeoIP-devel libxml2 libxml2-devel lmdb lmdb-devel lua lua-devel pcre-devel ssdeep ssdeep-devel yajl yajl-devel zlib-devel
    

    Download and install ModSecurity

    cd /usr/local/src/
    git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
    cd ModSecurity/
    git submodule init
    git submodule update
    ./build.sh
    ./configure
    make
    make install
    

    Clone ModSecurity-nginx repository. This contains Nginx ModSecurity module source code.

    cd /usr/local/src
    git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
    

    We need to download the source code for the version of Nginx you are running. To find it, check the Nginx version with the command

    [root@ok ~]# nginx -v
    nginx version: nginx/1.20.1
    [root@ok ~]#
    

    In this case we are running Nginx 1.20.1; go to http://nginx.org/en/download.html and download the source code for the Nginx version you are using.

    cd /usr/local/src
    wget http://nginx.org/download/nginx-1.20.1.tar.gz
    tar xvf nginx-1.20.1.tar.gz
    cd nginx-1.20.1
    

    Find out the configure command used to compile nginx.

    [root@ok ~]# nginx -V
    nginx version: nginx/1.20.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
    [root@ok ~]# 
    

    You can see the configure arguments on the last line; we need to use the same arguments when we compile Nginx from source.

    Run

    cd /usr/local/src/nginx-1.20.1
    ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-dynamic-module=../ModSecurity-nginx
    

    In the above, we added --add-dynamic-module=../ModSecurity-nginx at the end of the configure command to compile the Nginx module.
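    An added helper, not part of nginx or ModSecurity, that builds the configure command from the output of nginx -V instead of copying the argument line by hand, and refuses a source directory whose version differs from the running binary (a module built from another version does not load). The sample output is constructed from a shortened copy of the report above.

```python
import os
import shlex
import subprocess

MODULE_ARG = "--add-dynamic-module=../ModSecurity-nginx"


def nginx_version(nginx_v_output):
    """Return e.g. '1.20.1' from the 'nginx version: nginx/1.20.1' line."""
    for line in nginx_v_output.splitlines():
        if line.startswith("nginx version: nginx/"):
            return line.split("/", 1)[1].strip()
    raise ValueError("no 'nginx version:' line found")


def configure_args(nginx_v_output):
    """Return the configure arguments as a list; shlex keeps the quoted
    --with-cc-opt / --with-ld-opt values as single arguments."""
    for line in nginx_v_output.splitlines():
        if line.startswith("configure arguments:"):
            return shlex.split(line.split(":", 1)[1])
    raise ValueError("no 'configure arguments:' line found")


def build_configure_cmd(nginx_v_output, source_dir, module_arg=MODULE_ARG):
    """Return ['./configure', ...original args..., module_arg].
    Refuses a source tree whose version differs from the running binary,
    since nginx rejects a dynamic module built for another version."""
    version = nginx_version(nginx_v_output)
    if os.path.basename(os.path.normpath(source_dir)) != "nginx-" + version:
        raise ValueError("source dir %s does not match running nginx %s"
                         % (source_dir, version))
    args = configure_args(nginx_v_output)
    if module_arg not in args:      # idempotent if the arg is already there
        args.append(module_arg)
    return ["./configure"] + args


def running_nginx_v():
    """`nginx -V` writes its report to stderr, not stdout."""
    p = subprocess.run(["nginx", "-V"], capture_output=True, text=True)
    return p.stderr + p.stdout


# Constructed sample, shortened from the nginx -V output shown above.
SAMPLE_V = """nginx version: nginx/1.20.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --modules-path=/usr/lib64/nginx/modules --with-compat --with-http_ssl_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
"""

if __name__ == "__main__":
    print(shlex.join(build_configure_cmd(SAMPLE_V, "/usr/local/src/nginx-1.20.1")))
```

    On the server, replace SAMPLE_V with running_nginx_v() and run the printed command inside the unpacked nginx source directory.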

    To build Nginx modules, run

    make modules
    

    Once the module is built, copy it to /etc/nginx/modules

    cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
    

    Copy ModSecurity configuration files

    cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf
    cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/unicode.mapping
    

    Enable ModSecurity

    sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/nginx/modsecurity.conf
    

    To load the ModSecurity module, edit the file

    vi /etc/nginx/nginx.conf
    

    Find

    worker_processes  auto;
    

    Add the following line below it

    load_module modules/ngx_http_modsecurity_module.so;
    

    Edit your server config (virtual host entry) and add

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity.conf;
    

    Install ModSecurity Rules

    You can download ModSecurity rules from

    https://coreruleset.org

    At the time of writing, the latest version is v3.3.2, so let's download and install it.

    cd /usr/local/src
    wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
    tar xvf v3.3.4.tar.gz
    mv coreruleset-3.3.4 /etc/nginx
    cd /etc/nginx/coreruleset-3.3.4
    cp crs-setup.conf.example crs-setup.conf
    

    To activate the rules, edit the file

    vi /etc/nginx/modsecurity.conf
    

    At the end of the file, add

    Include /etc/nginx/coreruleset-3.3.4/crs-setup.conf
    Include /etc/nginx/coreruleset-3.3.4/rules/*.conf
    SecRule ARGS:sec-test "@contains hacker" "id:1234,deny,status:403"
    

    Restart Nginx

    systemctl restart nginx
    

    To verify ModSecurity is working, access your website URL with

    curl -I http://YOUR-SERVER-IP-OR-DOMAIN/?sec-test=hacker
    

    You will see a 403 Forbidden error.

    boby@sok-01:~$ curl -I http://152.167.4.94?sec-test=hacker
    HTTP/1.1 403 Forbidden
    Server: nginx/1.20.1
    Date: Mon, 12 Jul 2021 18:24:36 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    boby@sok-01:~$ 
    

    See ModSecurity Web Application Firewall, Nginx

  • Whitelisting an IP Address in CSF Firewall

    There are 3 ways to whitelist an IP address in ConfigServer Security & Firewall (csf). Whitelisting an IP address allows it to access all ports on the server, including any closed ports. For example, you can block SSH port 22 on the server, then add your IP address to the whitelist, and you will still be able to access SSH from your IP address.

    Using WHM

    Log in to WHM as user root. Then go to WHM > Plugins > ConfigServer Security & Firewall.

    In the text box to the right of the “Quick Allow” button, enter the IP address you need to whitelist. Then click the “Quick Allow” button.

    The Quick Deny option below can be used to block an IP address from accessing the server.

    Quick Ignore lets you ignore an IP address. This is similar to Quick Allow; the difference is that an IP whitelisted with Quick Allow still gets blocked if it fails some ModSecurity rules or makes several failed logins, whereas an ignored IP address will never get blocked by ModSecurity or lfd.

    Using csf command

    If you are logged in to SSH or WHM > Terminal, you can run the following command to whitelist an IP address.

    csf -a IP_ADDR_HERE
    

    The IP address can be a single IP address or an IP range in CIDR format.

    To block an IP, use

    csf -d IP_ADDR_HERE
    

    Manually editing csf.allow

    To allow an IP or IP range (CIDR format), you can edit the file

    vi /etc/csf/csf.allow
    

    If you need to ignore an IP address, add it to the file

    vi /etc/csf/csf.ignore
    

    IPs added to csf.ignore will never get banned due to lfd or ModSecurity failures. IPs in csf.allow can still be blocked by ModSecurity or lfd.

    Add your IP to the file, then restart the csf firewall.

    csf -r
    

    See csf

  • Stop SSH bruteforce with endlessh

    Endlessh is an open source SSH tarpit. It sends a slow stream of random banner strings to the attacker, wasting their time.

    Before you install endlessh, change your SSH port to a higher, non-default port. To do this, edit

    vi /etc/ssh/sshd_config
    

    Find

    Port 22
    

    Replace with

    Port YOUR_NEW_PORT_HERE
    

    If the line is commented with #, uncomment it.

    Now you can install endlessh with

    cd /usr/local/src
    git clone https://github.com/skeeto/endlessh
    cd /usr/local/src/endlessh
    make
    cp endlessh /usr/local/bin
    cp /usr/local/src/endlessh/util/endlessh.service /etc/systemd/system/
    

    By default endlessh runs on port 2222. To change it to port 22, edit the file

    vi /etc/systemd/system/endlessh.service
    

    Find

    #AmbientCapabilities=CAP_NET_BIND_SERVICE
    

    Replace with

    AmbientCapabilities=CAP_NET_BIND_SERVICE
    

    Find

    PrivateUsers=true
    

    Replace with

    #PrivateUsers=true
    

    Run

    setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
    

    Create the endlessh configuration file

    vi /etc/endlessh/config
    

    Add the following content

    Port 22
    Delay 10000
    MaxLineLength 32
    MaxClients 4096
    LogLevel 0
    BindFamily 0
    

    If you need to enable logging, set LogLevel to 1.

    Enable and start endlessh

    systemctl enable endlessh
    systemctl start endlessh
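    An added example, not part of endlessh, that summarises a LogLevel 1 log per client: how many connections were accepted and how long the tarpit held them, which is the number that shows whether the trap is worth its port. The ACCEPT/CLOSE line layout is assumed from what endlessh prints; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Line shape endlessh writes at LogLevel 1 (assumed from its output format):
#   <timestamp> ACCEPT host=<addr> port=<p> fd=<n> n=<open>/<max>
#   <timestamp> CLOSE host=<addr> port=<p> fd=<n> time=<secs> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ACCEPT|CLOSE) host=(?P<host>\S+) port=(?P<port>\d+) fd=\d+"
    r"(?: n=(?P<open>\d+)/(?P<max>\d+))?(?: time=(?P<time>[\d.]+) bytes=(?P<bytes>\d+))?$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def client_addr(host):
    """With BindFamily 0 (dual-stack) IPv4 peers appear as ::ffff:a.b.c.d."""
    return host[7:] if host.startswith("::ffff:") else host


def summarise(lines):
    """Per client: connections accepted, seconds held, bytes of banner sent."""
    stats = defaultdict(lambda: {"connections": 0, "seconds": 0.0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[client_addr(rec["host"])]
        if rec["event"] == "ACCEPT":
            s["connections"] += 1
        elif rec["time"] is not None:
            s["seconds"] += float(rec["time"])
            s["bytes"] += int(rec["bytes"])
    return dict(stats)


def top_clients(stats, n=5):
    """Clients ranked by time wasted, most first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["seconds"], reverse=True)[:n]


# Constructed sample lines (documentation addresses, not a real capture).
SAMPLE_LOG = """\
2021-07-12T18:20:01.000Z ACCEPT host=::ffff:203.0.113.5 port=51234 fd=5 n=1/4096
2021-07-12T18:20:03.000Z ACCEPT host=::ffff:198.51.100.9 port=40001 fd=6 n=2/4096
2021-07-12T18:20:31.000Z CLOSE host=::ffff:203.0.113.5 port=51234 fd=5 time=30.015 bytes=96
2021-07-12T18:21:00.000Z ACCEPT host=::ffff:203.0.113.5 port=51240 fd=5 n=2/4096
2021-07-12T18:21:03.000Z CLOSE host=::ffff:198.51.100.9 port=40001 fd=6 time=60.002 bytes=190
2021-07-12T18:22:00.000Z CLOSE host=::ffff:203.0.113.5 port=51240 fd=5 time=60.000 bytes=192
""".splitlines()
```

    Feed it the systemd journal output instead, e.g. the lines of journalctl -u endlessh, and print top_clients(summarise(lines)).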
    
  • SSL Life Time Reduced to 397 days

    Due to changes in Apple, Mozilla and Google Root Store Policies, as of September 1, 2020, newly issued SSL/TLS certificates with a validity period greater than 13 months (397 days) are prohibited by policy and will not be trusted.

    https://www.globalsign.com/en/blog/maximum-ssltls-certificate-validity-now-one-year

    https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/

  • malware

    Online Malware Scanner for websites
    Scan a folder with clamscan
    maldet
    https://opentip.kaspersky.com
    https://sitecheck.sucuri.net

    Tools

    https://remnux.org/

    Forums

    http://www.virusinfo.info

    http://www.rootkit.com

    http://www.gmer.net

    Blogs

    https://www.securelist.com/en/threats/detect?chapter=83

    http://www.youtube.com/watch?v=Q5cT3YHKVsY

  • Online Malware Scanner for websites

    If your website is hacked and infected with malware, Google Safe Browsing can block it with a red warning.

    If this happens, you need to clean your website. If your website has a lot of files, cleaning becomes hard, as the hacker can hide code in any of them; manually verifying every file is almost impossible. If you use an antivirus like ClamAV, it won't detect all malware: even a one-line PHP script calling exec() can give the hacker access back. For this reason it is always better to remove all files from your server and upload fresh copies. If you use a CMS like WordPress, Joomla, etc., just download the software and reinstall.

    You may need to reuse the images folder from the hacked site; in that case, verify these folders don't contain any malware or PHP files. As for the theme, it is always better to download the latest version from the theme provider and reinstall it. The theme is one place where hackers hide backdoors that let them back into the site after cleanup, because many people simply copy back the old theme files.

    Here are some sites you can use to check whether your website has any malware.

    Sucuri SiteCheck

    This site provides a free website security check and malware scanner. You enter your website URL, it scans the site and reports any malware it finds.

    https://sitecheck.sucuri.net

    Google Safe Browsing

    This service is used by browsers like Google Chrome and Firefox to protect visitors from sites infected with malware.

    You can check whether your website is blocked by Google Safe Browsing at

    https://transparencyreport.google.com/safe-browsing/search

    More Tools

    Some other sites that offer online malware scanners for websites:

  • Tripwire

    Tripwire is a data integrity tool for monitoring and alerting file and directory changes.

    https://github.com/Tripwire/tripwire-open-source

    To install, run

    yum install tripwire
    

    Generate keys

    Run

    tripwire-setup-keyfiles
    

    This asks you to enter a password.

    Creating Database

    tripwire --init
    

    You need to edit the file

    vi /etc/tripwire/twpol.txt
    

    Customise it for your system, or you may get file/directory not found errors.

    Checking for changes

    tripwire --check
    
  • ModSecurity Web Application Firewall

    ModSecurity is a Web Application Firewall. It protects sites from SQL injection and application-level attacks.

    To install ModSecurity on Ubuntu/Debian with Apache, run

    apt install libapache2-mod-security2 -y

    Verify that the Apache module is installed with

    apachectl -M | grep security

    Enable the config file

    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

    Update the config

    sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" /etc/modsecurity/modsecurity.conf
    sed -i "s/SecResponseBodyAccess On/SecResponseBodyAccess Off/" /etc/modsecurity/modsecurity.conf

    Restart Apache

    systemctl restart apache2
  • Password

    https://www.passbolt.com – Open source password manager.
    https://www.grc.com/passwords.htm – Online secure password generator.