Thursday, August 30, 2007

Save the VPS from Hackers

The following is a list of software and configuration changes to install and apply in order to secure, optimize and harden your server.

a) Install chkrootkit, a program that looks for known signatures in trojaned system binaries; it basically detects whether your system has been compromised. Keep in mind that it relies on system tools such as ps, ls and netstat, so a rootkit that has already replaced those can hide from it; run it from a known-clean environment or point it at clean copies of the binaries where you can.

b) Install Rootkit Hunter (rkhunter), a scanning tool that looks for most types of exploit residue: backdoors, suspicious files and known rootkits, plus MD5 hash comparisons of system binaries against known-good values. Run it alongside chkrootkit; the two overlap, but neither catches everything.


c) Install the APF firewall and configure it to allow traffic only on the ports that are actually used. Enable the Anti-DOS function in APF; this additional module helps mitigate and prevent certain types of DoS (denial of service) attack against your server. It also takes some of the sting out of brute-force attacks, but some packets still get through, so strong passwords that appear in no dictionary remain essential.

d) Install BFD (Brute Force Detection). It works in real time together with the APF firewall, watching the authentication logs and blocking the IP address of any host that fails authentication more than 3 times in 10 minutes.
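The BFD rule just described, applied to SSH log lines, as an added example written for this page (it is not BFD's or APF's own code). The log excerpt is constructed in OpenSSH's syslog format; the "apf -d" deny syntax is APF's, while the {bfd.sshd} comment string is this example's choice.

```python
"""Brute-force detection over SSH auth log lines, using the rule quoted
for BFD above (more than 3 failures from one IP within 10 minutes).
Added example for this page, not BFD's or APF's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/secure excerpt (not a real capture). 203.0.113.7 fails
# four times in 13 seconds; 192.0.2.9 also fails four times, but 20 minutes
# apart, so it never has more than one failure inside any 10-minute window.
SAMPLE_LOG = """\
Aug 30 09:00:00 vps sshd[2001]: Failed password for root from 192.0.2.9 port 33000 ssh2
Aug 30 09:20:00 vps sshd[2003]: Failed password for root from 192.0.2.9 port 33001 ssh2
Aug 30 09:40:00 vps sshd[2005]: Failed password for root from 192.0.2.9 port 33002 ssh2
Aug 30 10:00:00 vps sshd[2007]: Failed password for root from 192.0.2.9 port 33003 ssh2
Aug 30 10:00:01 vps sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug 30 10:00:05 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Aug 30 10:00:09 vps sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40141 ssh2
Aug 30 10:00:14 vps sshd[2107]: Failed password for root from 203.0.113.7 port 40150 ssh2
Aug 30 10:02:30 vps sshd[2110]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Aug 30 10:03:00 vps sshd[2112]: Accepted password for alice from 198.51.100.20 port 51004 ssh2
"""

# Matches both "Failed password for USER from IP" and the "invalid user" form.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text):
    """Return (timestamp, ip) for every failed login in log_text.
    Syslog timestamps carry no year, so strptime yields year 1900; only the
    differences between timestamps matter here (a real tool must handle the
    year-end wrap)."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            failures.append((ts, m.group("ip")))
    return failures


def find_brute_forcers(log_text, max_failures=3, window=timedelta(minutes=10)):
    """Return {ip: timestamp of the failure that tripped the rule} for every
    IP with more than max_failures failures inside any window-long span."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    tripped = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0                     # oldest failure still inside the window
        for i, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if i - start + 1 > max_failures:
                tripped[ip] = ts
                break
    return tripped


def apf_deny_commands(tripped, comment="bfd.sshd"):
    """APF deny commands for the tripped hosts ('apf -d HOST comment' adds a
    permanent deny_hosts.rules entry; the comment text is this example's)."""
    return ["apf -d %s {%s}" % (ip, comment) for ip in sorted(tripped)]


if __name__ == "__main__":
    for cmd in apf_deny_commands(find_brute_forcers(SAMPLE_LOG)):
        print(cmd)
```

The sliding window is the point: 192.0.2.9 fails four times in total but is never blocked, because the rule is "more than 3 in 10 minutes", not "more than 3 ever". A real deployment also has to whitelist your own management addresses before turning this on, or one fat-fingered password locks you out.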


e) Install Logwatch. This program parses your server's logs and e-mails you a daily report with the information tabulated.

f) Install SIM (System Integrity Monitor) on your server. It checks all services 24x7 and restarts them if they are down; an e-mail is dispatched whenever a downed service is detected and restarted.


g) Install mod_security to protect your server, at least a little, from badly coded scripts. It can interfere with certain common functions in your scripts, so test your sites after enabling it. If you want a tighter lockdown, enable PHP safe_mode as well. Also install mod_evasive with the following settings:

DOSHashTableSize 3097
DOSPageCount 9
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 900

With these values a client that requests the same page more than 9 times in 2 seconds, or more than 100 objects from the site in 2 seconds, gets a 403 for the next 900 seconds; DOSHashTableSize only sizes the per-child table that tracks clients. Clients behind a shared proxy or NAT share one address, so set the thresholds with that in mind.

h) Secure the system configuration files host.conf and nsswitch.conf to prevent DNS lookup poisoning and to protect against spoofing: set "nospoof on" in /etc/host.conf so that every reverse lookup is checked against the matching forward lookup, and make sure the "hosts:" line in /etc/nsswitch.conf consults local files before DNS.

i) Secure the system configuration file sysctl.conf to protect the TCP/IP stack from SYN-flood attacks (SYN cookies) and to prevent other, similar network abuse such as source-routed packets, ICMP redirects and packets with spoofed source addresses.


j) /tmp and /var/tmp need to be secured (mounted with noexec and nosuid) to prevent the execution of malicious scripts that a compromised web application drops there.
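A check for the mount options step (j) asks for, as an added example for this page (cPanel's /scripts/securetmp is what usually sets this up; this is not that script). The /proc/mounts excerpts are constructed.

```python
"""Verify that /tmp and /var/tmp are mounted with noexec, nosuid and nodev.
Added example for this page; the /proc/mounts text below is constructed."""

REQUIRED_OPTS = {"noexec", "nosuid", "nodev"}

# Constructed /proc/mounts excerpts: before and after securing the temp dirs.
# In the hardened case /tmp is a loopback file and /var/tmp is bind-mounted
# to it, so both show the same device and options.
WEAK_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
"""
HARDENED_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
proc /proc proc rw 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/loop0 /var/tmp ext3 rw,noexec,nosuid,nodev 0 0
"""


def parse_proc_mounts(text):
    """Map mount point -> set of mount options (fields 2 and 4 of /proc/mounts)."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def tmp_findings(proc_mounts_text, paths=("/tmp", "/var/tmp")):
    """One finding per temp directory that is not its own mount or lacks an option."""
    mounts = parse_proc_mounts(proc_mounts_text)
    findings = []
    for path in paths:
        if path not in mounts:
            findings.append("%s is not its own mount; it inherits the root "
                            "filesystem's exec/suid permissions" % path)
            continue
        missing = sorted(REQUIRED_OPTS - mounts[path])
        if missing:
            findings.append("%s is missing %s" % (path, ",".join(missing)))
    return findings


if __name__ == "__main__":
    with open("/proc/mounts") as f:
        for finding in tmp_findings(f.read()):
            print(finding)
```

noexec stops a dropped file from being run directly, but not "perl /tmp/x.pl" or "sh /tmp/x.sh", where the interpreter does the work; treat it as one layer, alongside the PHP function restrictions and open_basedir below, not as a complete control.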

k) Install SPRI. It adjusts the priority of processes according to their importance; expect roughly a 5-20% drop in your server's average load.


l) Disable Mchat, Cgiecho, Cgiemail, Guestbook, Counter, FormMail and anonymous FTP access. These are the most commonly exploited scripts, because they sit at the same path on every cPanel server in the world and attackers scan for them by path.

m) Disable Telnet to prevent the cleartext transmission of data and passwords; SSH must be used instead, and it works the same way for the user. Harden SSH by restricting it to protocol version 2 (SSH will still function the same way, just more securely), and in addition:
  • Change the SSH port from the default (22)
  • Disable direct root login (PermitRootLogin no)
  • Create a wheel-group user with its own password, log in as that user and su to root from there
  • Set up an e-mail alert for every login as root
  • Send that alert to an address that is not hosted on this server, so that an intruder who owns the box cannot read or delete the warning
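An audit of the sysctl.conf settings from step (i) and the sshd_config settings from step (m), written as an added example for this page (it is not the post's code or any tool's). The config texts are constructed; the particular sysctl keys are this example's choice of the SYN-flood and anti-spoofing settings step (i) refers to, and port 2222 is an arbitrary non-default port.

```python
"""Audit sysctl.conf (SYN flood, spoofing) and sshd_config (protocol 2,
non-default port, no direct root login). Added example for this page;
the configuration texts below are constructed."""
import re

# This example's choice of kernel settings for step (i).
SYSCTL_EXPECTED = {
    "net.ipv4.tcp_syncookies": "1",                # SYN cookies against SYN floods
    "net.ipv4.conf.all.rp_filter": "1",            # reverse-path check on source address
    "net.ipv4.conf.all.accept_source_route": "0",  # refuse source-routed packets
    "net.ipv4.conf.all.accept_redirects": "0",     # ignore ICMP redirects
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",   # do not answer broadcast pings (smurf)
    "net.ipv4.conf.all.log_martians": "1",         # log packets with impossible addresses
}

# Constructed samples: a stock-looking file beside its hardened counterpart.
WEAK_SYSCTL = """\
# constructed sample, not hardened
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 0
"""
HARDENED_SYSCTL = "\n".join("%s = %s" % kv for kv in SYSCTL_EXPECTED.items()) + "\n"

WEAK_SSHD = """\
# constructed sample: the OpenSSH defaults of the period
Port 22
Protocol 2,1
PermitRootLogin yes
"""
HARDENED_SSHD = """\
# constructed sample; 2222 is an arbitrary non-default port
Port 2222
Protocol 2
PermitRootLogin no
"""


def parse_kv(text, sep_re, first_wins=False):
    """Parse 'key = value' (sysctl) or 'Keyword value' (sshd) lines into a dict.
    Whole-line comments are skipped and keys lower-cased (sshd keywords are
    case-insensitive). sysctl applies later lines over earlier ones; sshd
    takes the FIRST occurrence of a keyword, hence first_wins."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(sep_re, line)
        if not m:
            continue
        key = m.group(1).lower()
        if first_wins and key in out:
            continue
        out[key] = m.group(2).strip()
    return out


def audit_sysctl(text):
    """Report every expected key that is missing or has the wrong value."""
    got = parse_kv(text, r"^([\w.]+)\s*=\s*(.+)$")
    return ["%s = %s (want %s)" % (k, got.get(k, "<unset>"), v)
            for k, v in SYSCTL_EXPECTED.items() if got.get(k) != v]


def audit_sshd(text):
    """Check protocol 2 only, a non-default port and no direct root login."""
    s = parse_kv(text, r"^(\w+)\s+(.+)$", first_wins=True)
    findings = []
    if s.get("protocol") != "2":
        findings.append("Protocol should be exactly 2 (got %s)" % s.get("protocol", "<unset>"))
    if s.get("port", "22") == "22":
        findings.append("Port is the default 22; move sshd to another port")
    if s.get("permitrootlogin", "yes") != "no":   # OpenSSH of the period defaulted to yes
        findings.append("PermitRootLogin should be no (got %s)"
                        % s.get("permitrootlogin", "<unset, defaults to yes>"))
    return findings


if __name__ == "__main__":
    for f in audit_sysctl(WEAK_SYSCTL) + audit_sshd(WEAK_SSHD):
        print(f)
```

The first-occurrence rule matters in practice: a "PermitRootLogin yes" left higher up in sshd_config silently wins over the "no" you add at the bottom, which is exactly the case the last assertion in the check exercises. Remember that sysctl.conf is only read at boot or by sysctl -p, so apply it after editing.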

n) Enable the Background Process Killer to kill any of the following commonly recognised bad processes: BitchX, bnc, eggdrop, generic sniffers, guardservices, ircd, psyBNC, ptlink and related services.

o) Enable phpsuexec, so PHP scripts run as the account owner rather than as the web server user, and open_basedir, so a script can only read files under its own account's tree.


p) Disable any antivirus on the VPS. Also disable ClamAV, because it is very resource intensive.

q) You can install MRTG on the server to track actual bandwidth usage, but it too is very resource intensive.


r) Disable these PHP functions (the disable_functions directive in php.ini): exec, shell_exec, system, passthru, popen, proc_close, proc_get_status, proc_nice, proc_open and proc_terminate. Some scripts that rely on them will stop working, so check your sites afterwards.

Wednesday, June 20, 2007

Increasing options in add/remove programs

Not a fan of MSN Messenger? Don't want Windows Media Player on your system? Fair enough, but if you go to Add/Remove Programs in the Control Panel, by default none of Windows XP's 'built-in' programs are visible. It's fairly easy to change, though: just open the file X:\Windows\inf\sysoc.inf (where X: is the drive letter Windows XP is installed on) in Notepad. You should see a section of the file something like this:

[Components]
NtComponents=ntoc.dll,NtOcSetupProc,,4
WBEM=ocgen.dll,OcEntry,wbemoc.inf,hide,7
Fax=fxsocm.dll,FaxOcmSetupProc,fxsocm.inf,,7
NetOC=netoc.dll,NetOcSetupProc,netoc.inf,,7
Display=desk.cpl,DisplayOcSetupProc,,7
iis=iis.dll,OcEntry,iis.inf,,7
com=comsetup.dll,OcEntry,comnt5.inf,hide,7
dtc=msdtcstp.dll,OcEntry,dtcnt5.inf,hide,7
IndexSrv_System = setupqry.dll,IndexSrv,setupqry.inf,,7
TerminalServer=TsOc.dll, HydraOc, TsOc.inf,hide,2
msmq=msmqocm.dll,MsmqOcm,msmqocm.inf,,6
ims=imsinsnt.dll,OcEntry,ims.inf,,7
fp_extensions=fp40ext.dll,FrontPage4Extensions,fp40ext.inf,,7
AutoUpdate=ocgen.dll,OcEntry,au.inf,hide,7
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
RootAutoUpdate=ocgen.dll,OcEntry,rootau.inf,,7
IEAccess=ocgen.dll,OcEntry,ieaccess.inf,,7

This is a list of all the components installed at the moment. Take MSN Messenger as the example: the program entry called 'msmsgs', third from last. The word 'hide' in its fourth field is the string that tells Windows not to display the component in the Add/Remove Programs list. Fix this up by simply deleting the word 'hide', changing:

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7

To this:

msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

Now, after restarting, you should be able to see MSN Messenger in the Add/Remove Programs list. If you want to be able to view and remove all components, simply open sysoc.inf and do a global find and replace of the string ",hide" with a single comma ",".

No Shutdown

Want to play a trick on your friends by removing the Shut Down option from the Start menu on their computer? Just hack it down with one registry value. Open Regedit and add, under the current user's Explorer policies key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001

Log off and back on (or restart Explorer) for it to take effect. Set NoClose to 0, or delete the value, to bring the option back. Because it lives under HKEY_CURRENT_USER, it only affects the user whose hive you edited.