Update your server as necessary

As its nature, Linux is a multi-developer operating system and you might see an update on any package everyday, an updater like YUM if you don’t change it’s default behavior hosts the most recent stable versions of each package that you install on your server.

Compared to other operating systems, updating Linux is easy as writing a command to terminal, the rest will be automated by YUM. Yum can be extended by independent software repositories like Repoforge. RPMforge is a collaboration of Dag and other packagers. They provide over 5000 packages for CentOS, including wine, vlc, mplayer, xmms-mp3, and other popular media tools. It is not part of Red Hat or CentOS but is designed to work with those distributions.

To install Rpmforge, run;

 rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.rf.src.rpm

If you get an error with the command, check the web site for a recent version. If you are using a control panel like Directadmin you better exclude the packages below from yum as they are maintained by the control panel updater;

exclude=apache* httpd* mod_* mysql* MySQL* da_* *ftp* exim* sendmail* php* bind-chroot*

and the last thing you should do is to type

yum upgrade

We suggest you to run the update at least every once a month.

Disable Telnet

Nowadays, Telnet is mostly given its role to SSH; more secure remote shell client, because Telnet is sending the passwords in readable clear text. Also SSH have many abilities that you can use such as private-keys that you can use to log in to the server without writing down a password. Public key is mostly used when you need root access even you don’t know the root password (root password might be changed by the system administrator or by your client which you install the system for).

Connect to the server and edit /etc/xinetd.d/telnet by typing;

vi /etc/xinetd.d/telnet

if exists disable = no change to disable = yes

save & exit (SHIFT + ZZ)

Restrict Access to applications that can directly connect to the Internet

Even an attacker leak into your server, it is better to give him no chance to download his applications to the server, don’t give run permission to following applications except root user by typing;

chmod 700 /usr/bin/wget
chmod 700 /usr/bin/telnet
chmod 700 /usr/local/bin/lynx
chmod 700 /usr/bin/links
chmod 700 /usr/bin/bcc
chmod 700 /usr/bin/byacc
chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/perlcc
chmod 700 /usr/bin/yacc
chmod 0700 /usr/bin/curl
chmod 700 /usr/bin/lwp-*
chmod 700 /usr/bin/*ncftp*

Also please note that, if you are taking backups of your domains/dbs to the same server, be aware that a directory created without explicit permission will be readable by all users, to make the directory readable only by root, type;

chmod 600 /backups

Restrict OS level function calling to PHP

In a shared hosting environment, even a customer of yours may try to explore your server. If you don’t have any reason to call the functions below, restrict them;

edit /etc/php.ini (or whereever it is, for directadmin you can check /usr/local/lib/php.ini) and find the line disable_functions and replace with the below line:

disable_functions = apache_get_modules,apache_get_version,apache_getenv,apache_note, apache_setenv,disk_free_space,diskfreespace,dl, highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo, proc_nice,shell_exec,show_source,symlink,system, exec,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_ put,fpassthru

 Block executing commands on the /tmp Partition

Several script languages like PHP, holds temporary files like session,upload and cache on the /tmp partition on Linux systems. İf the attacker has an access to this folder then those scripts can be run from this point so with this way, all system files can be reached or accessed by root. To block running of files which are in the /tmp partition, it must not be given run permission while mounting /tmp partition.

To do this process, you have to choose /tmp partition as seperate partition while installaing the system. Enter this command in the command line to check this setting:

df -h # or
mount

Enter this command:

[root@xxx ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00 2.9G  820M  1.9G  30% /
/dev/mapper/VolGroup00-LogVol02 2.9G  288M  2.4G  11% /tmp
/dev/mapper/VolGroup00-LogVol04 7.8G  3.8G  3.7G  51% /var
/dev/mapper/VolGroup00-LogVol05 44G   35G  6.6G  85% /hsphere
/dev/mapper/VolGroup00-LogVol03 4.8G  908M  3.6G  20% /usr
/dev/sda1              99M   36M   58M  39% /boot
tmpfs                 2.0G     0  2.0G   0% /dev/shm

If you can not see a seperate  /tmp partition like in the example, create a new 3 GB /tmp partition by applying steps below. If there is a /tmp partition then follow with the step 2:

Step 1:

cd /dev/
dd if=/dev/zero of=Tmp bs=1024 count=3000000
mkfs -t ext3 /dev/Tmp
cd /
cp -aR  /tmp  /tmp_backup
mount  -o  loop,noexec,nosuid,rw  /dev/Tmp  /tmp
cp -aR /tmp_backup/* /tmp/
chmod 0777 /tmp
chmod +t  /tmp

Add information of the newly created partition into the /etc/fstab in order to make it available after next boot.

/dev/Tmp          /tmp          ext3          loop,rw,nosuid,noexec     0 0

If you already have  /tmp partition, please apply the below steps.

Step 2:

change “defaults” in the line starting with /tmp in /etc/fstab to restrict running applications such as

/dev/VolGroup00/LogVol02 /tmp                    ext3    defaults 1 2

to

/dev/VolGroup00/LogVol02 /tmp                    ext3     rw,nosuid,noexec 1 2

Change defaults region as rw,nosuid,noexec then save and exit. Remount /tmp partition in order to make changes available immediately by typing;

mount -oremount loop,rw,nosuid,noexec /tmp

..

note: Some parts of this document inspired from the documentation of dynamicnet.net

The post Web Hosting Security premier appeared first on VeriTeknik.

First of all don’t forget that this module is only available if you’re using a Red Hat branch of distribution (fedora, centos etc.) For other distributions, such as Debian, there are other api’s, such as apt itself.

Below you’ll find some basic ways of getting configuration settings of the current yum.

import yum
yb = yum.YumBase()
print yb.conf.logfile # this will obviously printout the logfile's path
for i in yb.conf.reposdir : print i # and this will printout the directories and files for the repositories
print yb.conf.skip_broken # usually false. when set to true, your yum commands will take action of is the --skip-broken parameters was given to the yum itself.
print yb.conf.errorlevel # this is the level of errors you'd like to get as an output. it's between 0-10 and 0 is only critical ones, while 10 is more like a debug feature. Usually it is set to default 2, but since you'll be running in a script, after your script gets stable, its a good idea to set this to 0 and then distribute it.
print yb.conf.config_file_path # obvious again, the file path for your yum's config file.

for more configuration options, you can always see like this;

dir(yb.conf)

and don’t forget this perfect module, to reverse engineer some function if you don’t know what arguments it gets and if it’s poorly documented (ex: it doesn’t have a valid __doc__ attribute) :

import inspect
inspect.getargspec(somefunction)

And about the arch method. What yum knows about our architecture.

import yum
yb = yum.YumBase()
print yb.arch.compatarches # these are the compatible architectures with our system.
# below are the arch types that yum thinks we are usig (hopefully true!)
print yb.arch.canonarch
print yb.arch.basearch
# With the function below, you can get a list of architectures which are compatible with each other.
# Let's say you're using an x86_64 arch, then u can use packages from these ones,
yb.arch.get_arch_list('x86_64')
['x86_64', 'athlon', 'i686', 'i586', 'i486', 'i386', 'noarch']

If you’d like to get the currently installed packages on your system, rpm is the module you’d like to load.

import rpm
bold = "\033[1m"
reset = "\033[0;0m"
trans = rpm.TransactionSet()
for header in trans.dbMatch() : print "%s%s%s-%s:%s-%s.%s%s%s" % (bold,header['name'],reset,header['epochnum'],header['version'],header['release'],bold,header['arch'],reset)

Note that this script outputs various parts in bold. You can use this in any script you’d like.

Yet here’s a nice method to install new packages.

import yum
yb=yum.YumBase()
searchlist=['name']
arg=['gedit']
matches = yb.searchGenerator(searchlist,arg)
for (package, matched_value) in matches :
    if package.name == 'gedit' : yb.install(package)
    yb.buildTransaction()
    yb.processTransaction()

Experiment, enjoy!

The post Using the Python API for Yum appeared first on VeriTeknik.

If you are using RedHat & its clones like CentOS or CloudLinux etc. you can use Yum or up2date to upgrade your current system.

Please note that is you have a RedHat Enterprise Linux Subscription we offer you to use the command up2date, to upgrade your server with yum write the command from shell:

yum upgrade

If it asks for the keys, you can press “Y” to accept the keys and continue to install the upgrades, to install an application or library with yum type:

yum install packagename

If you don’t know the package name containing the application you want to use, you can use the list function of yum.

For example to list packages related to dig similiar to Windows nslookup type the following command:

yum list dig*

Yum will find the packages names starting with dig, this function is so useful when finding apache modules (mod-*) and php modules (php-*) but this time it will return with an error as it cannot find any related packages names starting with dig*:

#Error: No matching Packages to list

Because some applications reside in a set of packages in Linux distros. Here comes the “whatprovides” in stage. If you used the command in Linux before but you don’t know the package containing the command you can find it easily with yum:

yum whatprovides */dig

and the output of yum is:

#30:bind-utils-9.3.6-4.P1.el5_4.2.x86_64 : Utilities for querying DNS name servers.
#Repo        : base
#Matched from:
#Filename    : /usr/bin/dig

Yum tell us the package we were searching for is bind-utils. When you install bind-utils you will have a bunch of useful utulities related to named. After this step the only thing you need to do is:

yum install bind-utils

and yum will install the package with all prerequisities.

IMPORTANT NOTE: This document is prepared for CentOS 5.6 and ment to work with other versions and distros.Never assume the directory structures exist in your system as written in the document. Never blindly follow security instructions — read, review, compare, apply as it fits your system.

The post How to update Linux with Yum appeared first on VeriTeknik.