Error : Fix the WHM CSF Security Test

How to fix the WHM CSF security test errors!


As part of ensuring security, Hostdens performs a CSF security scan from WHM. We may get the following error after the scan:

“Check csf LF_SCRIPT_ALERT option WARNING This option will notify you when a large amount of email is sent from a particular script on the server, helping track down spam scripts”


To fix this error:

 

1) SSH into the server.

2) Edit the CSF configuration file using the following command:

vi /etc/csf/csf.conf

3) Search for LF_SCRIPT_ALERT = "0"

4) Change the value from "0" to "1" to fix the issue.

5) Restart the CSF.

 

You may also get the following error:

 

“Check exim for extended logging (log_selector) WARNING You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:log_selector = +arguments +subject +received_recipients”

 

FIX:

1) Edit the exim configuration file using the following command:

vi /etc/exim.conf

2) Change the value from "log_selector = +all" to the following:

log_selector = +arguments +subject +received_recipients

3) Save changes.

4) Restart the CSF.


This should resolve the error.
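The two fixes above as a repeatable edit and check, as an added example that is not part of the original post. The function names `csf_set_option` and `exim_missing_selectors` are hypothetical helpers, the sample file contents are constructed, and the exim check assumes `log_selector` sits on a single line.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so the
# functions can be tried on copies before touching /etc/csf/csf.conf.

# csf_set_option FILE KEY VALUE
# Rewrites KEY = "old" to KEY = "VALUE" and keeps FILE.bak as a backup.
# Returns 0 only if the file ends up holding the requested value.
csf_set_option() {
    file=$1; key=$2; value=$3
    # Refuse to edit when the option is absent, so a typo cannot pass silently.
    grep -Eq "^${key}[[:space:]]*=" "$file" || return 1
    sed -i.bak -E "s|^(${key}[[:space:]]*=[[:space:]]*)\"[^\"]*\"|\\1\"${value}\"|" "$file"
    grep -Eq "^${key}[[:space:]]*=[[:space:]]*\"${value}\"" "$file"
}

# exim_missing_selectors FILE
# Prints each selector named in the CSF warning that the last log_selector
# line lacks. Assumes the setting sits on a single line (no continuation).
exim_missing_selectors() {
    line=$(grep -E '^[[:space:]]*log_selector[[:space:]]*=' "$1" | tail -n 1 | tr '\t' ' ')
    for sel in +arguments +subject +received_recipients; do
        case " ${line#*=} " in
            *" $sel "*) ;;
            *) printf '%s\n' "$sel" ;;
        esac
    done
}

# Demonstration on constructed copies (sample content, not a real server's files).
demo_dir=$(mktemp -d)
printf 'LF_SCRIPT_ALERT = "0"\n' > "$demo_dir/csf.conf"
printf 'log_selector = +all\n' > "$demo_dir/exim.conf"
csf_set_option "$demo_dir/csf.conf" LF_SCRIPT_ALERT 1 && echo "LF_SCRIPT_ALERT enabled"
echo "exim selectors still missing: $(exim_missing_selectors "$demo_dir/exim.conf" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

After running the functions against the real files, restart CSF as in the steps above so the new values are loaded.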


What is the Shell Shock Vulnerability?

CVE-2014-7169 / Shell Shock Vulnerability.

 

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
In short, the Shell Shock vulnerability allows remote attackers to execute arbitrary code under certain conditions by passing strings of code after environment variable assignments.
The Shell Shock vulnerability is considered bigger than Heartbleed because it affects all versions of bash, and it is still unclear since when. In addition, bash runs not only on Linux web servers but on other embedded devices as well, such as Mac laptops.

Check your server's bash version using the command below:

bash --version
or
/bin/bash --version

Output

GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.

Check if your server is affected

root@hostdens[#] env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you get the above output, you are safe. If you get the output below, you are affected.

root@hostdens[#] env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

To fix it, follow the steps below:

For RedHat/CentOS/Fedora/RPM based OS:

Note: This is a temporary fix released by the Red Hat Security Team. The team is still working on a full fix, which is expected to be released soon.

root@hostdens[#] yum upgrade bash

For Ubuntu / Debian

sudo apt-get update && sudo apt-get install --only-upgrade bash

 

 


How to install mod_evasive on a Linux server?

mod_evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more.

 

Go to the below path.

cd /usr/local/src

Download the file using the below link:

wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz

Untar the file.

tar xzf mod_evasive_1.10.1.tar.gz

Go to the folder.

cd mod_evasive

Run the below command for the installation.

apxs -cia mod_evasive20.c

 

You’ll then need to add the mod_evasive configuration to your Apache configuration file. First, find this section:

File:/etc/httpd/conf/httpd.conf (CentOS / Fedora)

LoadModule evasive20_module /usr/lib/httpd/modules/mod_evasive20.so

Below those sections, add the mod_evasive configuration:

File excerpt:mod_evasive configuration

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
DOSEmailNotify someone@somewhere.com
</IfModule>
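To see what the thresholds in this configuration mean for real clients, the following added example (not part of the original post or of mod_evasive) replays a request log against them. It is a simplified model using fixed time windows; the function name `evasive_would_block`, the `epoch ip uri` input format and the sample traffic are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a simplified model of the
# DOSPageCount and DOSSiteCount thresholds, using fixed time windows.
# Input lines are "epoch_seconds client_ip uri", a constructed format.

# evasive_would_block PAGE_COUNT PAGE_INTERVAL SITE_COUNT SITE_INTERVAL
# Reads the log on stdin and prints "ip reason" once per client that
# exceeds a threshold, in the order the clients would be blocked.
evasive_would_block() {
    awk -v pc="$1" -v pint="$2" -v sc="$3" -v sint="$4" '
    {
        ts = $1; ip = $2; uri = $3
        if (ip in blocked) next                    # already on the blocking list
        p = ++page[ip, uri, int(ts / pint)]        # same URI, same interval
        s = ++site[ip, int(ts / sint)]             # any URI, same interval
        if (p > pc)      { blocked[ip] = 1; print ip, "page" }
        else if (s > sc) { blocked[ip] = 1; print ip, "site" }
    }'
}

# Constructed sample traffic (documentation address ranges).
sample_log() {
    cat <<'EOF'
1700000000 198.51.100.7 /wp-login.php
1700000000 198.51.100.7 /wp-login.php
1700000000 198.51.100.7 /wp-login.php
1700000000 203.0.113.20 /index.html
1700000000 203.0.113.20 /css/site.css
1700000000 203.0.113.20 /js/app.js
1700000000 203.0.113.20 /img/a.png
1700000000 203.0.113.20 /img/b.png
1700000000 203.0.113.20 /img/c.png
1700000001 192.0.2.44 /index.html
1700000002 192.0.2.44 /index.html
1700000003 192.0.2.44 /index.html
EOF
}

# Values from the configuration above: DOSPageCount 2, DOSPageInterval 1,
# DOSSiteCount 50, DOSSiteInterval 1.
sample_log | evasive_would_block 2 1 50 1
```

With the values above, a client that requests the same URL three times within one second is blocked, so it is worth replaying a sample of real traffic in this way before enabling the module on a busy site.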

————————————————————

File:/etc/apache2/apache2.conf (Debian / Ubuntu)

# Include module configuration:
Include mods-enabled/*.load
Include mods-enabled/*.conf
————————————————————-

You’ll then need to restart Apache for your changes to take effect:

Debian / Ubuntu:

/etc/init.d/apache2 restart

CentOS / Fedora:

/etc/init.d/httpd restart

 


How to install the Apache module mod_limitipconn.c on a Linux server?

 

Apache module mod_limitipconn.c is a module which allows web server administrators to limit the number of simultaneous downloads permitted from a single IP address.

 

 

To set the IP limit on the server using mod_security:

First check the Apache version on the server.

httpd -v

Go to the below path

cd /usr/local/src/

Download mod_limitipconn using the link below. I have Apache version 2.2.22. Download the file that matches your Apache version.

wget http://dominia.org/djao/limit/mod_limitipconn-0.24.tar.bz2


Untar the file

tar -xvf mod_limitipconn-0.24.tar.bz2

Go to that folder

cd mod_limitipconn-0.24

Compile it with apache

make
make install

Check the Apache syntax and restart the Apache service if it is OK.

httpd -t
/etc/init.d/httpd restart

Add the below lines in httpd.conf

vi /usr/local/apache/conf/httpd.conf

 

# This command is always needed
ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so

<IfModule mod_limitipconn.c>

# Set a server-wide limit of 10 simultaneous downloads per IP,
# no matter what.
MaxConnPerIP 10
<Location /somewhere>
# This section affects all files under http://your.server/somewhere
MaxConnPerIP 3
# exempting images from the connection limit is often a good
# idea if your web page has lots of inline images, since these
# pages often generate a flurry of concurrent image requests
NoIPLimit image/*
</Location>

<Directory /home/*/public_html>
# This section affects all files under /home/*/public_html
MaxConnPerIP 1
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
OnlyIPLimit audio/mpeg video
</Directory>
</IfModule>

Check the syntax; if everything is OK, restart Apache.

httpd -t
/etc/init.d/httpd restart
/etc/init.d/httpd status

Confirm that domains are working on the server. You can select the domain from the below file and try randomly accessing it.

cat /etc/userdomains

 

Notes:

This module will not function unless mod_status is loaded and the “ExtendedStatus On” directive is set.

Make sure mod security is already installed on the server using easyapache.


How to install the mod security plugin from the shell?

 

Go to the below path.

cd /usr/local/src

Download the below file.

wget http://www.configserver.com/free/cmc.tgz

Extract that file.

tar -xzf cmc.tgz

Go into that folder.

cd cmc

Run the file using the below command.

sh install.sh

Once done, access mod security from WHM.

 

How to uninstall the mod security plugin from the shell?

 

Run the commands below to uninstall the mod security plugin from a cPanel server.

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmc.cgi

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmcversion.txt

rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmc/

 

 
