Page 2 of 13 FirstFirst 1234512 ... LastLast
Results 26 to 50 of 309
  1. #26
    Join Date
    Jun 2004
    Location
    Rockford, Michigan 49341
    Posts
    30
I think that you can only edit your post for a short time; then they're permanent.

  2. #27
    Fantastic tutorial!

  3. #28
    Join Date
    Apr 2005
    Location
    -=heaven=-
    Posts
    35
    I got this from logwatch:

    --------------------- SSHD Begin ------------------------


    SSHD Killed: 1 Time(s)

    SSHD Started: 1 Time(s)

    Failed logins from these:
    Io****/password from ***.***.***.***: 1 Time(s)
    Me**/password from ***.***.***.***: 1 Time(s)
    aa***/password from ***.***.***.***: 1 Time(s)
    ...
    ...
    ...
    ze****/password from ***.***.***.***: 1 Time(s)
    ze**/password from ***.***.***.***: 1 Time(s)

    **Unmatched Entries**
    Illegal user anonymous from ***.***.***.***
    Illegal user passwd from ***.***.***.***
    Illegal user ch*** from ***.***.***.***
    ...
    ...
    ...
    Illegal user re***** from ***.***.***.***
    Illegal user ze** from ***.***.***.***

    What does it mean?
    -- for me, it looks like someone is doing a dictionary attack on my ssh server.

    Can anyone make a suggestion for me?
    Thanks.
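A defender-side way to confirm what a report like the one above is showing, as an added example that is not part of the original post: it parses the two line formats logwatch prints in the SSHD section and flags sources that tried many distinct usernames, which is the dictionary-attack pattern. The sample input is constructed (masked values replaced with RFC 5737 documentation addresses and made-up usernames).

```shell
#!/bin/sh
# Constructed sample in the logwatch SSHD report format quoted in the post.
SAMPLE='Failed logins from these:
   Io/password from 192.0.2.10: 1 Time(s)
   Me/password from 192.0.2.10: 1 Time(s)
   aa/password from 192.0.2.10: 1 Time(s)
   ze/password from 192.0.2.10: 1 Time(s)
   admin/password from 198.51.100.7: 3 Time(s)

**Unmatched Entries**
Illegal user anonymous from 192.0.2.10
Illegal user passwd from 192.0.2.10
Illegal user ch from 192.0.2.10
Illegal user test from 203.0.113.5'

# Read the report on stdin; print "ip distinct_usernames total_attempts"
# per source address, most distinct usernames first.
ssh_sources() {
  awk '
    # "user/password from IP: N Time(s)"
    /\/password from / {
      split($1, up, "/"); ip = $3; sub(/:$/, "", ip)
      seen[ip SUBSEP up[1]] = 1; total[ip] += $4
    }
    # "Illegal user NAME from IP" (one attempt per line)
    /^Illegal user / {
      ip = $5
      seen[ip SUBSEP $3] = 1; total[ip] += 1
    }
    END {
      for (k in seen) { split(k, p, SUBSEP); users[p[1]]++ }
      for (ip in users) print ip, users[ip], total[ip]
    }' | sort -k2,2nr
}

# Sources that tried at least THRESHOLD (default 5) different usernames:
# many names from one address is password guessing, not a mistyped login.
dictionary_sources() {
  threshold=${1:-5}
  ssh_sources | awk -v t="$threshold" '$2 >= t+0 { print $1 }'
}

# Usage on the constructed sample; feed a real report on stdin instead.
printf '%s\n' "$SAMPLE" | dictionary_sources 5
```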

  4. #29
    Join Date
    Nov 2005
    Location
    Seattle, WA
    Posts
    648
    I also suggest for shared hosting that the setting in the php.ini file for disable_functions
    be changed to
    disable_functions = "system,exec"

    Doing that will disable the function that most exploits call upon.

  5. #30
    Join Date
    Dec 2002
    Location
    Amsterdam/Rotterdam, NL
    Posts
    2,135
    Quote Originally Posted by Wizardkid101
    I also suggest for shared hosting that the setting in the php.ini file for disable_functions
    be changed to
    disable_functions = "system,exec"

    Doing that will disable the function that most exploits call upon.
    If you want to do that you should also disable all other functions that enable file execution such as: passthru, escapeshellcmd, popen, pcntl_exec, and I think there might be a few others.

  6. #31
    Join Date
    Dec 2002
    Location
    Amsterdam/Rotterdam, NL
    Posts
    2,135
    Quote Originally Posted by zeca40
    Is it OK to install Razor (http://razor.sourceforge.net/) and DCC (http://www.rhyolite.com/anti-spam/dcc/) on a VPS?
    Absolutely. This does not relate to security or optimization though.

    For a good tutorial on real advanced spam filtering read this article by rvskin: http://www.rvskin.com/index.php?page=public/antispam

  7. #32
    Join Date
    Nov 2005
    Location
    Seattle, WA
    Posts
    648
    disable_functions = dl,system,exec,passthru,shell_exec

  8. #33
    Good job!!!

    Originally Posted by elix
    VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!

    MySQL Optimization
    Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
    [mysqld] max_connections = 400
    max_connections = 400 in a VPS with 256 - 512 Mb + Cpanel seems a little high to me
    The server will run out of memory before reaching max_connections

  9. #34
    Spam Assassin
    Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

    Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then go to "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on "Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done.
    I don't use WHM, what file can I manually edit to change this setting? I have lots of spamd processes running.

  10. #35
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    max_connections = 400 in a VPS with 256 - 512 Mb + Cpanel seems a little high to me
    The server will run out of memory before reaching max_connections
    That is definitely a possibility but it does depend a lot on what those connections are doing. The config there is really just a template that you should tweak to your own needs.

  11. #36
    Could someone give a brief example of where and how to set this up?

    It sounds very useful and I've never managed a server on my own, but I would like to install some of the software lol or whatever it is to protect my site.

  12. #37
    This is in WMpanel and cpanel.

    How about in Plesk? Do you have a tutorial for that one?

  13. #38
    Join Date
    Mar 2005
    Location
    Labrador, Canada
    Posts
    988
    Quote Originally Posted by SamOwen
    I don't use WHM, what file can I manually edit to change this setting? I have lots of spamd processes running.
    It may depend on your installation.

    If you're using a Redhat-derived distribution (e.g., CentOS) with spamassassin installed by rpm, you should have a configuration file /etc/sysconfig/spamassassin.

    Edit that file and change the "-m" option. Default is "-m5" (five child processes). Try "-m2" (two child processes).

    If you're on a different distro, you may need to find the spamassassin startup script and change the "-m" command line option.

    Restart spamd for the change to take effect.

  14. #39
    How do I remove or edit the service banners without recompiling the packages of my WHM/cPanel server? I would like to remove or possibly edit the server application and version banners that can easily be noticed and grabbed by anybody or by scripts, even with a simple telnet to the listening port. It is a simple problem, but it is always the first attempt of somebody who would want to attack or exploit certain flaws in the running version of the application/service that he could find with that banner grabbing. The quick way to lure the attacker in his initial phase with this issue could be simply removing the banners or replacing the banners with ones from a completely different service platform. Is there a way to accomplish this without recompiling any of the default packages of the cPanel/WHM server?

  15. #40
    Join Date
    Jan 2006
    Location
    Guatemala
    Posts
    26
    If you use Cpanel and WHM, there is a new firewall made by Chirpy that looks great; it uses a lot fewer resources than APF and BTF and it is integrated into WHM as an addon as well. And it updates automatically.

    Also, you can access CSF from SSH.

    You can download CSF with LFD from here:
    configserver.com/cp/csf.html

    I have just changed APF and BTF for CSF and LFD (both from Chirpy) and it is working really nice in my VPS.

    QUESTION:
    In your first post you said:
    Disable Shell Accounts
    To disable any shell accounts hosted on your server SSH into server and login as root.
    At command prompt type: locate shell.php
    Also check for:
    locate irc
    locate eggdrop
    locate bnc
    locate BNC
    locate ptlink
    locate BitchX
    locate guardservices
    locate psyBNC
    locate .rhosts

    Note: There will be several listings that will be OS/CPanel related. Examples are
    /home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /usr/local/cpanel/etc/sym/bnc.sym
    /usr/local/cpanel/etc/sym/psyBNC.sym
    /usr/local/cpanel/etc/sym/ptlink.sym
    /usr/lib/libncurses.so
    /usr/lib/libncurses.a
    But you never mention how to disable them; would you be so kind as to explain this step a little further?

    I really want to thank Frynge for this terrific guide.

    Regards,
    Sergio
    Last edited by secmas; 07-10-2006 at 10:20 AM.

  16. #41
    I did not know how to manage a VPS until I read this. Thank you!

  17. #42
    Join Date
    Nov 2005
    Posts
    98
    Hello,

    This is a very great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.


    First: Checking for formmail.

    Can I disable these without interfering with cPanel?

    /usr/local/cpanel/cgi-sys/FormMail-clone.cgi
    /usr/local/cpanel/cgi-sys/FormMail.cgi
    /usr/local/cpanel/cgi-sys/formmail.cgi
    /usr/local/cpanel/cgi-sys/FormMail.pl
    /usr/local/cpanel/cgi-sys/formmail.pl
    /usr/local/cpanel/install/formmail


    Second: Disable shell accounts

    How do I do that? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.

    /usr/local/cpanel/base/horde/admin/cmdshell.php
    /usr/local/cpanel/base/horde/admin/phpshell.php
    /usr/local/cpanel/base/horde/admin/sqlshell.php

    It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym; should they be disabled too, or is this sentence meant as a warning NOT to disable those?

    Third: PHPSuExec

    It says that all my users will need to make sure their PHP files have permissions no greater than 0755. On my current reseller hosting account I've installed a few PHP-based applications for my clients that wouldn't work until I changed some permissions to 0777. I'm not sure what PHPSuExec does; what problems should I expect if PHP files do have permissions greater than 0755?


    That's it.

  18. #43
    Join Date
    Mar 2005
    Location
    Labrador, Canada
    Posts
    988
    Quote Originally Posted by EricG
    Hello,

    This is a very great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.


    First: Checking for formmail.

    Can I disable these without interfering with cPanel?

    /usr/local/cpanel/cgi-sys/FormMail-clone.cgi
    /usr/local/cpanel/cgi-sys/FormMail.cgi
    /usr/local/cpanel/cgi-sys/formmail.cgi
    /usr/local/cpanel/cgi-sys/FormMail.pl
    /usr/local/cpanel/cgi-sys/formmail.pl
    /usr/local/cpanel/install/formmail
    That formmail script is a component of cpanel. Users will have access to use it if you make it available to them. Depends on how you have addons, features (Feature Manager) and packages configured in WHM.

    Quote Originally Posted by EricG
    Second: Disable shell accounts

    How do I do that? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.

    /usr/local/cpanel/base/horde/admin/cmdshell.php
    /usr/local/cpanel/base/horde/admin/phpshell.php
    /usr/local/cpanel/base/horde/admin/sqlshell.php

    It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym; should they be disabled too, or is this sentence meant as a warning NOT to disable those?
    "Disable shell accounts" means to deny account owners the right to login to a shell command prompt (via SSH). In WHM look at "Manage Shell Users". You can choose to give each user a full shell, a jail shell (where they cannot move outside their home directory), or no shell. Unless you have a good reason to do otherwise, it's recommended that you disable shell access (no shell). Of course, give full shell access to your own account so you can log in.

    "shell.php" is a separate issue. Essentially you're looking for PHP scripts on your server that can be used to achieve shell access. These may have been uploaded by users or fetched by someone exploiting a vulnerable website. The files you've listed above are part of cPanel's Horde webmail and can be left alone.

    Quote Originally Posted by EricG
    Third: PHPSuExec

    It says that all my users will need to make sure their PHP files have permissions no greater than 0755. On my current reseller hosting account I've installed a few PHP-based applications for my clients that wouldn't work until I changed some permissions to 0777. I'm not sure what PHPSuExec does; what problems should I expect if PHP files do have permissions greater than 0755?
    PHP is run as either an Apache module or as a CGI (phpsuexec). As a module, PHP scripts run as the Apache user "nobody". In order for the user "nobody" to write to disk (e.g., to save an uploaded photo), directory permissions have to be relaxed, usually by setting the directory chmod 777 (writable by everyone).

    When using phpsuexec, PHP scripts run as the account user. The account user owns the account's directories, and therefore, the PHP scripts have ready access to write. There is no need to change permissions.

    Incorrect permissions or ownership will cause errors when trying to run the PHP scripts. Usually with phpsuexec, files should be chmodded no higher than 644 and directories 755. The files should be owned by the account username, not "nobody" and not "root" (that will also cause a runtime error).
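An added audit script (not from the post, cPanel or phpsuexec itself) that checks a docroot against the limits described in the answer above: under phpsuexec nothing should be group- or world-writable (files 644, directories 755) and everything should be owned by the account user. The docroot path and the username are parameters the caller supplies; the fix helper only corrects modes, since chown needs root.

```shell
#!/bin/sh
# Print one "reason path" line per finding under DOCROOT, for the account
# named USER. Empty output means the tree passes. suexec refuses to run
# scripts that are group- or world-writable, so those bits are the check.
phpsuexec_audit() {
  docroot=$1; user=$2
  # -perm -020 / -perm -002: group-write or other-write bit set
  find "$docroot" -type f \( -perm -020 -o -perm -002 \) -print \
    | sed 's|^|file-writable |'
  find "$docroot" -type d \( -perm -020 -o -perm -002 \) -print \
    | sed 's|^|dir-writable |'
  # Scripts owned by nobody or root also fail at runtime under phpsuexec.
  find "$docroot" ! -user "$user" -print | sed 's|^|wrong-owner |'
}

# Reset modes to the phpsuexec defaults: directories 755, files 644.
# Ownership is left to the caller (e.g. chown -R USER:USER DOCROOT as root).
phpsuexec_fix_modes() {
  docroot=$1
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
}

# Usage: phpsuexec_audit /home/USER/public_html USER
```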

  19. #44
    Join Date
    Jul 2006
    Posts
    87
    Is that thread cache setting a typo? That one in particular has always been voodoo for me, but that's ten times what I'm using.

    I can't imagine not hitting swap before half that many are cached on a burstable 256 meg VPS.

  20. #45
    Join Date
    Nov 2005
    Posts
    98
    Sleddog,

    Thanks a lot for your answers, I really appreciate all the help you've given me in the last few weeks.

  21. #46
    Hello,

    I searched for FormMail and have come up with many entries

    /cgi-sys/formmail.cgi
    /cgi-sys/formmail.pl
    /install/formmail

    /cgi/FormMail.html
    /cgi-sys/FormMail-clone.cgi
    /cgi-sys/FormMail.cgi
    /cgi-sys/FormMail.pl

    Do I need to change the permissions on each and every one of these files?

    and the same for CGIMAIL?

    Thanks for the help, I want to make sure I get started right

    John

  22. #47
    I'd just like to make a quick note on the difference between :blackhole: and :fail: from my personal experience with cPanel servers and Exim:

    Since :blackhole: processes the entire email, more resources wind up getting used. I, like many others, have tested replacing :blackhole: with :fail: on some servers in the past, and can say that easily, without a doubt, fewer resources (namely CPU and disk I/O) wind up getting used, which helps keep the load average even lower than usual. :fail: will immediately send a 550 error after the invalid RCPT TO: line, vice accepting then discarding the entire email. I'm not saying that will work for everyone, but I have personally seen it immediately decrease resource usage on a shared hosting server with a fairly busy day-to-day mail flow, and would recommend it to anyone else looking to do the same regardless of the server type.

  23. #48
    Excellent tutorial! Would you mind if I posted it in my knowledge base?

  24. #49
    Join Date
    May 2006
    Posts
    32
    Thanks, that is a great tutorial.
    It does help me a lot. I think I need some help with some of the basic code;
    hope anyone can help me. Nope, these are not too newbie questions.


    1a) Root breach DETECTOR and EMAIL WARNING

    At command prompt type:
    pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
    How am I able to set the server to send more than one warning mail to our server admins? What I think is: if anyone has access to root, the server will send a mail to the 2nd, 3rd server admin mail, etc.


    Shall I have to do it the long way, or is there a better way than this?
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin1@email.com

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin2@email.com

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin3@email.com



    1b) Mail Receive
    ALERT - Root Shell Access on: Mon Sep x 00:00:55 SGT 2006 root ttyp0
    Sep x 00:01 (bb000-xx-xxx-7.domains.com) root ttyp1 Sep x 00:01
    (bb000-xx-xxx-7.domains.com)
    I have tried the above code to send out an e-mail when someone accesses/logs in to the root account of the server, but for some reason I am unable to see the user's login IP address. Does anyone know what code I should add so that it will show the IP address?



    2) Alert Email Sent
    Is there a way to set the server to send out more than 1 alert mail (default of 1 mail) to the system admin? Looking at it, the server would send two or more alerts to the rest of the system admins.


    example 1
    BFD, Under Enable brute force hack attempt alerts:

    ALERT_USR="1"
    EMAIL_USR="your@email.com"
    example 2
    LogWatch, SSH into server and login as root.

    At command prompt type:
    pico -w /etc/log.d/conf/logwatch.conf

    Scroll down to
    Mailto = your@email.com
    example 3
    Immediate Notification Of Specific Attackers
    If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

    ALL : nnn.nnn.nnn.nnn : spawn (/bin/echo `date` %c %d | mail -s "Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com) &
    Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
    Replacing hostname with your hostname.
    Replacing notify@mydomain.com with your e-mail address.
    This will deny access to the attacker and e-mail the sysadmin about the access attempt.


    Really sorry for these newbie questions, as we'd like the alert to be sent to at least 2-3 server admins when such a thing happens....

    thanks
    Feng
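An added example, not from the post or from the guide it quotes, of the .bash_profile root-login alert with several recipients and the session's remote address. It relies on `who -m` (POSIX: only the current terminal's entry, instead of `who | awk '{print $6}'`, which prints a column from every logged-in session) and on mail(1) accepting more than one address; the recipient addresses are placeholders.

```shell
#!/bin/sh
# Placeholder addresses: put the real admin mailboxes here, space-separated.
ALERT_RECIPIENTS="admin1@example.com admin2@example.com admin3@example.com"

# Extract the remote host/IP from one line of `who` output: it is the part
# in parentheses. Prints "local" when the session has no remote origin
# (console login), so the subject never ends up empty.
login_source() {
  src=$(printf '%s\n' "$1" | sed -n 's/.*(\(.*\)).*/\1/p')
  printf '%s\n' "${src:-local}"
}

# Subject and body are built from the `who -m` line passed in as $1, so they
# can be checked without sending mail.
alert_subject() {
  printf 'Alert: root access from %s on %s\n' "$(login_source "$1")" "$(uname -n)"
}
alert_body() {
  printf 'ALERT - Root shell access on %s\n%s\n' "$(date)" "$1"
}

# One mail(1) call with every recipient; $ALERT_RECIPIENTS is deliberately
# unquoted so the shell splits it into separate addresses.
send_root_alert() {
  line=$(who -m)
  alert_body "$line" | mail -s "$(alert_subject "$line")" $ALERT_RECIPIENTS
}

# In root's ~/.bash_profile: source this file, then call send_root_alert.
```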

  25. #50
    Great Tutorial
