SOHO : Small Office Home Office
Freeware - Opensource software tips, tricks, tweaks & fixes for managing, securing, improving the performance of SOHO Desktop, Laptop, Networks

Saturday, March 31, 2012

How to secure a VPS



A) To disable FormMail in order to stop spam mails -


1) Command to find FormMail scripts -
find / -name "[Ff]orm[mM]ai*"


2) Command to find CGI mail scripts -
find / -name "[Cc]giemai*"


3) To disable the scripts found -


chmod a-rwx /path/to/filename


This removes all permissions from the file, so the script can no longer be read or executed by anyone.


B) A rootkit checker should be installed -


- Run the rootkit checker from a cron job; this will show if anyone has gained root on the server.
- Keep the checker up to date.


1) Commands to install chkrootkit -


cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44


2) To run chkrootkit -


/root/chkrootkit-0.44/chkrootkit


C) Installation of a root access alert that sends a warning e-mail -


1) Edit root's .bash_profile -


pico .bash_profile


At the end of the file add the following line (who am i reports the current session and the host it came from; replace self@mail.com with your own address):


echo 'ALERT - Root Shell Access on:' $(date) $(who am i) | mail -s "Alert: Root Access from $(who am i | sed -n 's/.*(\(.*\)).*/\1/p')" self@mail.com


Thereafter save the changes and exit.


2) To set the message shown at SSH login (the message of the day) -


pico /etc/motd


Enter the message, save the changes and exit.


D) Changes to be made in WHM/cPanel to secure the server -


Log in to WHM > Server Setup > Tweak Settings


a) Domains -


Prevent users from parking/adding domains.


b) Mail -


Prevent pop3 connections loading


c) System -


Jailshell should be used as the default shell for all accounts.


d) Server setup>Tweak security
1) Enable php open_basedir Protection
2) Enable mod_userdir Protection


e) Server setup>Manage Wheel Group Users
1) Remove all users except root and the main account user.


f) Server setup > Shell Fork Bomb Protection
1) Enable Shell Fork Bomb Protection


g) Service Configuration>FTP Configuration
1) Disable Anonymous FTP


h) Account Functions>Manage Shell Access
1) Disable shell access


i) MySQL>MySQL Root Password
1) Change root password


j) Security>Run Quick Security Scan>Trojan Horses -
1) The following are reported by the scan but are not Trojans -
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod


Set Linux local timezone for VPS


This guide describes how to set the Linux local timezone.


ls /usr/share/zoneinfo/  and note the region where you reside 
ls /usr/share/zoneinfo/<YOUR_REGION> (where <YOUR_REGION> is your local region) and note the timezone which corresponds to your location 

For Ubuntu
ln -sf /usr/share/zoneinfo/<YOUR_REGION>/<YOUR_TIMEZONE> /etc/localtime

For Debian
ln -sf /usr/share/zoneinfo/<YOUR_REGION>/<YOUR_TIMEZONE> /etc/localtime

Use the date command to verify that your timezone has changed.

Friday, March 30, 2012

Common iptables sample


# Modify this file accordingly for your specific requirement.
# 1. Delete all existing rules
iptables -F


# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP


# 3. Block a specific ip-address
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP


# 4. Allow ALL incoming SSH
#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


# 5. Allow incoming SSH only from a specific network
#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


# 6. Allow incoming HTTP
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT


# Allow incoming HTTPS
#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT


# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT


# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


# 9. Allow outgoing SSH only to a specific network
#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT


# 11. Load balance incoming HTTPS traffic
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443


# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT


# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT


# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT


# 16. Allow outbound DNS
#iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT


# 17. Allow NIS Connections
# rpcinfo -p | grep ypbind ; This port is 853 and 850
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT


# 18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT


# 19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT


# 20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT


# 21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT


iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT


# 22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT


iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT


# 23. Prevent DoS attack (rate-limit new HTTP connections)
# Note: with rule 7 already accepting port 80, this rule is never reached;
# to have any effect it must come before rule 7 and be followed by a rule
# that drops the port 80 packets exceeding the limit.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT


# 24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT


# 25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP


To save and restore iptables 
iptables-save > /path/iptables.conf
iptables-restore < /path/iptables.conf


To delete a rule 

You can delete a rule by specifying it exactly as it was added:


iptables -D INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT

Or you can delete it by its number within the chain:


iptables -D INPUT 4


How to know the rule number 


The number is the row number of the rule when you list the chain using:


iptables --list


The best way to view rule numbers is:


iptables -L INPUT --line-numbers


You can also substitute OUTPUT etc. for INPUT.


Most important : Getting iptables to survive a reboot



Create some iptables rules and list them:


iptables --list
if the listed rules satisfy your needs, then save them somewhere. I use /etc/firewall.conf but this location is not fixed:


iptables-save > /etc/firewall.conf
Then create a script so ifupdown loads these rules on boot:


echo "#!/bin/sh" > /etc/network/if-up.d/iptables 
echo "iptables-restore < /etc/firewall.conf" >> /etc/network/if-up.d/iptables 
chmod +x /etc/network/if-up.d/iptables 


Now reboot your machine and pray - the rules should come up exactly like before (use "iptables --list" to verify this).
--------------------------------------------------------------------

Run the following commands to reset Iptables:


iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


/sbin/service iptables save (for CentOS)

Thursday, March 29, 2012

Syslog file is not readable, read access may be denied


Permissions on the syslog files are 640, but for LogAnalyzer to work the syslog files must be readable by www-data. Below are the steps to make syslog readable.

1. First add a new group by using this command, we call the group logadmin in this sample.
     groupadd logadmin

2. Now we add the www-data user to the newly created logadmin group:
     usermod -a -G logadmin www-data

3. Verify the success by using this command:
     groups www-data

4. Now it is time to edit the /etc/logrotate.conf configuration file. Search for the default "create" command, and change it to the following:
     create 640 root logadmin
The next time logrotate runs, the log files it creates will be readable by the web server by default. Files that already exist keep their old group until they are rotated; to make the current ones readable right away, run chgrp logadmin on them (for example chgrp logadmin /var/log/syslog).

What is Log Analyzer?
The LogAnalyzer project provides an easy to use but powerful front end for searching, reviewing and analyzing network event data, including syslog, Windows event log and many other event sources. It focuses on the user-interface side, so the data itself needs to be gathered by another program, for example the stock syslogd, rsyslog (often the distro's default syslogd), WinSyslog or MonitorWare Agent. LogAnalyzer works equally well on Linux and Windows. It is a free, GPLed open source application written mostly in PHP.





How to make syslog files readable by default on ubuntu?

We installed LogAnalyzer for easy analysis and reporting on the server. For this, the syslog files must be readable by www-data. Below are the steps to make syslog readable.

1. First add a new group by using this command, we call the group logadmin in this sample.
     groupadd logadmin

2. Now we add the www-data user to the newly created logadmin group:
     usermod -a -G logadmin www-data

3. Verify the success by using this command:
     groups www-data

4. Now it is time to edit the /etc/logrotate.conf configuration file. Search for the default "create" command, and change it to the following:
     create 640 root logadmin
The next time logrotate runs, the log files it creates will be readable by the web server by default. Files that already exist keep their old group until they are rotated; to make the current ones readable right away, run chgrp logadmin on them (for example chgrp logadmin /var/log/syslog).


Wednesday, March 28, 2012

WHAT'S THE DIFFERENCE OpenVZ and Xen VPS?


Below is a basic chart of the largest differences between OpenVZ VPS hosting and Xen VPS hosting.



Feature                  | OpenVZ VPS Hosting                                                | Xen VPS Hosting
-------------------------|-------------------------------------------------------------------|---------------------------------------------------------------------------------
Speed                    | Fastest                                                           | Fast
Custom kernel compiling  | Not possible                                                      | Yes, compile anyway!
VM isolation             | Shares the host node's kernel; does not have complete isolation   | Complete isolation from other containers; the abuse of other VMs will not affect yours
Overselling              | Yes, overselling can be done                                      | Overselling is not allowed as resources are dedicated
Running Java             | Don't even look at me                                             | Look at me. I'll treat you much better than OpenVZ
Stability                | Least reliable due to not having total isolation (shared kernel)  | Most reliable due to having complete isolation

Hide blogger post footer in home page

Sometimes you may wonder how to change the way some components appear on your homepage, such as the default Post Footer. Here is how to hide the default Blogger Post Footer on your homepage.




Steps:
1. Go to Blogger Dashboard

2. Click on your Blog Title.

3. Jump to Template tab from left pane. 
Note: Before editing your template, you may want to save a copy of it. 

4. Now click on Edit HTML button.

5. Click Proceed button to view Template Editor.

6. Tick Expand Widget Templates

7. Find the following code in your template

8. Now paste following code snippet after ]]></b:skin>.

9. Preview your blog to confirm changes and Save template.



Monday, March 26, 2012

Install ioncube loader in ubuntu

ionCube protects software written in PHP from being viewed, changed, and run on unlicensed computers.
1. Download the ionCube loaders that suit your system architecture
wget http://downloads.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
2. Extract
tar zxvf ioncube_loaders_lin_x86.tar.gz
3. Move to a permanent location
mv ioncube /usr/local/lib
4. Add a reference to your php.ini file (sudo nano /etc/php5/apache2/php.ini)
zend_extension = /usr/local/lib/ioncube/ioncube_loader_lin_5.2.so
There are several versions of the loader in the tar archive; you must choose the one matching your PHP version (check it with php -v).
5. Restart Apache
/etc/init.d/apache2 restart
6. Verify
Print phpinfo() and look for the following line in the red rectangle: "with the ionCube PHP Loader v4.0.1, copyright(c) 2002-2010, by ionCube LTD"
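Picking the loader by hand is where step 4 usually goes wrong. As an added example (not part of the original post), the functions below derive the loader file name from the output of php -v and only print the php.ini line if that file is actually present; they assume the loaders were moved to /usr/local/lib/ioncube as in step 3.

```shell
#!/bin/sh
# Added example, not from the original post: pick the loader that matches the
# installed PHP for step 4 instead of guessing. The archive holds one
# ioncube_loader_lin_<major>.<minor>.so per PHP release; the wrong one makes
# the zend_extension line fail when Apache is restarted in step 5.
# Assumption: the loaders were moved to /usr/local/lib/ioncube as in step 3.
IONCUBE_DIR="${IONCUBE_DIR:-/usr/local/lib/ioncube}"

# php_major_minor "<output of php -v>" -> "5.3"
php_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# ioncube_loader_name "<output of php -v>" -> "ioncube_loader_lin_5.3.so"
# Returns non-zero if the text does not look like php -v output.
ioncube_loader_name() {
    ver=$(php_major_minor "$1")
    [ -n "$ver" ] || return 1
    printf 'ioncube_loader_lin_%s.so\n' "$ver"
}

# Print the php.ini line for step 4, but only if that loader file exists in
# IONCUBE_DIR; otherwise report the missing file and return non-zero.
ioncube_ini_line() {
    name=$(ioncube_loader_name "$1") || return 1
    if [ ! -f "$IONCUBE_DIR/$name" ]; then
        echo "loader not found: $IONCUBE_DIR/$name" >&2
        return 1
    fi
    printf 'zend_extension = %s/%s\n' "$IONCUBE_DIR" "$name"
}

# Typical use on the server:
#   ioncube_ini_line "$(php -v)" >> /etc/php5/apache2/php.ini
```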

Saturday, March 24, 2012

Allow only encrypted connections for both incoming and outgoing with rtorrent

What does encryption Do?

RC4 encryption obfuscates not only the header but the entire stream. This makes it very hard for your ISP to detect that the traffic you are generating comes from BitTorrent.

Note that RC4 uses more CPU time than plain encryption or no encryption. It is, however, harder for traffic shaping devices to identify.


This can be achieved by modifying the .rtorrent.rc file
  • Quit all rtorrent sessions
  • Add / modify this line in the rtorrent config file (.rtorrent.rc, located in the user's home folder):
encryption = require,allow_incoming,require_RC4
  • Restart rtorrent.
  • Check for E flag to all connected peers

Monday, March 19, 2012

How to add & remove users by command line in ubuntu?

To add a user you must be root or use the sudo command. Here are the commands:

To add a user (NOTE: do not use the useradd command for this):
$ sudo adduser <username>


To see the options for adding a user try the man command.
$ man adduser


Add user
Here is a useful example of the useradd command. Why use useradd? It gives a few more options for special cases. To add a user, give her a standard home directory in the /home folder and specify the shell she uses by default, do this:

$ sudo useradd username -m -s /bin/bash 
$ sudo passwd username 

Groups


You might also wish to create a new group for your users.
$ sudo addgroup <groupname>


To add a user to an existing group (the audio group in this example):
$ sudo adduser <username> audio


In general, to add an existing user to an existing group you can use the same command:
$ sudo adduser <username> <groupname>

or
$ sudo usermod -aG <groupname> <username>



Delete user

To remove a user from the system without deleting the user's home directory:
$ sudo userdel username


To remove the user and delete the user's home folder as well:
$ sudo userdel -r username


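After adding and removing accounts, and when trimming the wheel group as the VPS checklist above suggests, it is worth checking what is actually left. As an added example (not part of the original post), the helpers below list the accounts that can still log in, the members of a given group, and group memberships that refer to accounts no longer in passwd; they read the passwd and group files given as arguments, and the sample data at the end is constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers to run after the
# adduser/usermod/userdel commands above. Each takes the passwd or group file
# as an argument, so they work on /etc/passwd and /etc/group or on copies.

# Accounts that can log in interactively, as "user:uid:shell". Anything whose
# shell is not nologin or false counts, including an empty shell field (which
# means /bin/sh). Every entry here should be an account you expect.
login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Members of one group, one per line:  group_members /etc/group sudo
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Group memberships naming accounts missing from passwd, as "group:member".
# These are left behind when passwd is edited by hand or restored from a
# backup, and they silently grant the group's rights to any account later
# created with the same name.
orphan_members() {
    awk -F: '
        NR == FNR { seen[$1] = 1; next }          # first file: passwd
        {                                          # second file: group
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "" && !(m[i] in seen)) print $1 ":" m[i]
        }' "$1" "$2"
}

# Constructed sample files for a stand-alone run (not real system data).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}
sample_group() {
    cat <<'EOF'
root:x:0:
sudo:x:27:alice,bob
audio:x:29:alice
EOF
}
```

On the sample data, login_users reports root and alice, group_members lists alice and bob for sudo, and orphan_members flags sudo:bob because no such account exists.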

Tuesday, March 13, 2012

Torrent client configuration

In order to apply these tips you need to know your maximum up- and download speed. You can test your bandwidth over here (stop all download activity while testing). 

Note that there's a difference between kb/s (kilobits/second) and kB/s (kilobytes/second). To be precise, kB/s = kb/s divided by 8. In this tutorial we use kB/s (like most torrent clients do). This means that you might need to calculate your max speed in kB/s yourself if the speedtest only gives you the result in kb/s (so divide by 8).

Settings 1-4 can be found in the options, settings or preference tab of most torrent clients.

1. Maximum upload speed
Probably the most important setting there is. Your connection is (sort of) like a pipeline, if you use your maximum upload speed there’s not enough space left for the files you are downloading. So you have to cap your upload speed.

Use the following formula to determine your optimal upload speed…

80% of your maximum upload speed

so if your maximum upload speed is 40 kB/s, the optimal upload rate is 32kB/s

2. Maximum download speed
Although setting your maximum download speed to unlimited may sound interesting, in reality it will only hurt your connection. If you still want to be able to browse properly, set your maximum download speed to:

95% of your maximum download speed

so if your maximum download speed is 400 kB/s, the optimal download speed is 380kB/s

3. Maximum connected peers per torrent
Yet another setting that you don't want to max out. I experimented quite a lot with the max connected peers setting and came to the conclusion that both high and low numbers hurt the download speed of a torrent. The following setting worked best for me.

upload speed * 1.3

so if your maximum upload speed is 40 kB/s, the optimal number of connected peers per torrent is 40 * 1.3 = 52. I didn't notice a difference between fast and slow connections here.

4. Maximum upload slots
1 + (upload speed / 6)

so if your maximum upload speed is 30 kB/s, the optimal number of upload slots is

1 + (30 / 6) = 6

5. Change the default port.
By default, BitTorrent uses the ports 6881-6999. BitTorrent generates a lot of traffic (about 1/3), so ISPs like to limit the connections offered on these ports. So you should change these to another range. Good clients allow you to do this; just choose anything you like. If you're behind a router, make sure you have your ports forwarded (portforward.com) or UPnP enabled.

6. Turn on encryption
Encrypting your torrents will prevent throttling ISPs from limiting your BitTorrent traffic. Check out how to enable encryption in Azureus, uTorrent and BitComet, the three most popular torrent clients.


7. Enable DHT
DHT stands for "Distributed Hash Table". If a web-based tracker goes down, the torrents stay alive because peers can act as "nodes" keeping the swarm intact and the torrent alive. So you could say that the DHT layer serves as a peer-to-peer tracker. The DHT feature is available in Azureus, BitComet, uTorrent and several other BitTorrent clients.


To do on windows PC

1. Disable Windows Firewall
It sucks. Windows Firewall hates P2P and often leads a life of its own. So disable it and get yourself a decent (free) firewall, Kerio or ZoneAlarm for example.

2. Optimize your internet connection
TCP Optimizer is a freeware utility that optimizes your internet connection. I found it very useful; it helped speed up my connection for regular internet activity and for downloading torrents. Just download it and move the slider to your maximum download rate (note that it's in kb/s). Don't try to set it higher, because that will hurt your download speeds!