Server Sitters Tech Corner » Security

Block access to files by extension

Paul — Wed, 17 Nov 2010 18:07:45 +0000

It’s often required to block access to files in a folder by the file extension. For example – customer has an outdated version of oscommerce that they refuse to upgrade. It requires the images folder to have the permissions 777. The only thing that should be stored in the folder is images. To ensure a script kiddie doesn’t upload php/html files and run them we’ll often add the following to the .htaccess file within the folder:

order deny,allow

deny from all

order deny,allow

deny from all

order deny,allow

deny from all

order deny,allow

deny from all

order deny,allow

deny from all

This stops script kiddies from uploading hacking scripts and then loading them in their browser.

Mod Security Whitelist IP

Paul — Mon, 24 May 2010 14:08:09 +0000

Sometimes it’s necessary to whitelist an IP address so it can get past the mod_security filters. This is a great feature in case you want to open the filters for one visitor while leaving the security features in place.

Open the mod_security whitelist file:
vi /usr/local/apache/conf/modsec2/whitelist.conf

Code:
SecRule REMOTE_ADDR "^111\.222\.333\.444" phase:1,nolog,allow,ctl:ruleEngine=off

Where 111.222.333.444 would be replaced with the IP address you wish to whitelist.

Notify when a root user logs in

Paul — Mon, 11 Jan 2010 07:02:32 +0000

If you don’t have this setup already you should! This is a great method to ensure you’re notified each time the root user connects to your server via SSH.

Edit the .bash_profile file of the user whose account you wish to monitor – typically: /root/.bash_profile

echo ‘ALERT – Root Shell Access on:’ `hostname` `date` `who` | mail -s “Alert: Root Access on `hostname`” email@yourdomain.com

You will then receive an email each time the selected user logs into the system via SSH. The email will provide you with their full connection string and IP so you can keep a close eye on who’s accessing a particular server with root privileges.

Number of connections from an IP

Paul — Thu, 31 Dec 2009 02:20:01 +0000

We have seen a huge increase in individual servers/IP’s attempting to flood a server or brute force a particular account. Here’s a great way to check the number of connections being made from each IP that is connected to your server:

netstat -an|awk '{print $5}'|cut -d ":" -f1|sort|uniq -c|sort -n

We will post an automated method to check for an excessive number of connections and then block the IP’s if they hit a certain threshold. However, that article won’t be ready for a few days.

Protect /home from prying eyes

Paul — Tue, 22 Dec 2009 21:54:50 +0000

This tip is especially important if you allow your clients SSH access. By default /home permissions are set to 755 which allows any user to cd /home and then list all of the user folders with ls -lah. This may not sound like too big of a security issue. However, if they’re a hacker or just being curious they now have a full list of every username within the system. To resolve this you should update the permissions on the /home folder. This fix has been tested on cpanel servers, DSM servers, Plesk, etc… without any problems.

chmod 751 /home;

Then login as a non-root user and you will be unable to list the folders in /home.

Change RDP port for security

Paul — Fri, 18 Dec 2009 17:03:04 +0000

Server:
How do I change the Terminal Server (or RDP) listening port?

By default, Terminal Server (For Windows 2000 and Windows Server 2003) and Remote Desktop Protocol (for Windows XP and Windows Server 2003) listens on TCP port 3389.

To change the default port for all new connections created on the Terminal Server:

1. Run Regedit and go to this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\Terminal Server\WinStations\RDP-Tcp

2. Find the “PortNumber” subkey and notice the value of 00000D3D, hex for (3389). Modify the port number in Hex and save the new value.

You can now connect to the new port by using the “old” Windows 2000 Terminal Server client. A better option is to use the XP RDP 5.1 client (Download RDP 5.1). Even better, use the newer Windows Server 2003 RDP 5.2 client (Download RDP 5.2).

You’ll need to configure your TS client to connect to the new port. Although changing the connection port on the RDP clients is quite easy, you CAN also change the connection port for the TS client. See Related Articles list for more info.

Client Side:
just add the new port in the connection string when connecting via RDP i.e.
win.yourservername.com:$NEWPORT

Default port is 3389