Archive for the ‘Security’ Category

CVE-2014-7169 BASH Shell Shock Vulnerability for Linux

September 29th, 2014

What is CVE-2014-7169 / Shell Shock Vulnerability?

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
In short, the Shell Shock vulnerability allows remote attackers to execute arbitrary code under certain conditions by passing strings of code after environment variable assignments.
The Shell Shock vulnerability is considered bigger than Heartbleed because it affects all versions of bash and it is still unclear since when. In addition, bash runs not only on Linux web servers but also on other devices, such as embedded devices and Mac laptops.

Check your server's bash version using the command below

bash --version
or
/bin/bash --version

Output

GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.

Check if your server is affected

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you get the above output, you are safe. If you get the output below, you are affected.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
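The manual check above, wrapped in a script that classifies the result; this is an added example, not part of the original post, and the function names are its own. It uses only the post's test string and also accepts output without the warning lines, which is what later bash releases print.

```shell
#!/bin/bash
# Added example: automates the post's manual check for one bash binary.
# The test string exercises the function-import flaw first reported as
# CVE-2014-6271 (named in the post); a clean result covers only that string.

# Run the post's test string against a bash binary, capturing stdout and stderr.
run_check() {
    local shell_bin="${1:-/bin/bash}"
    env x='() { :;}; echo vulnerable' "$shell_bin" -c "echo this is a test" 2>&1
}

# Classify captured output. The trailing "echo vulnerable" only executes on an
# affected bash, so a line consisting solely of "vulnerable" is the signal.
classify() {
    local out="$1"
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo "AFFECTED"
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo "NOT_AFFECTED"
    else
        # The shell did not run at all (missing binary, wrong path, ...).
        echo "INCONCLUSIVE"
    fi
}

# Convenience wrapper: check_bash /path/to/bash
check_bash() {
    classify "$(run_check "$1")"
}

# Report on the system bash, or on the binary given as the first argument.
check_bash "${1:-/bin/bash}"
```

Run it once per bash binary on the host (for example a second copy under /usr/local/bin), since upgrading the system package does not replace copies installed by hand.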

To fix it follow below steps:

For RedHat/CentOS/Fedora/RPM based OS:

Note: This is a temporary fix released by the Red Hat Security Team. The team is still working on a full fix, which is expected to be released soon.

yum upgrade bash

For Ubuntu / Debian

sudo apt-get update && sudo apt-get install --only-upgrade bash

 

 

Categories: Installation, Security Tags:

Upgrading MySQL Governor on CPanel, Plesk and DirectAdmin server

November 29th, 2012

 

Run the below command to update MySQL Governor

yum update db-governor db-governor-mysql --enablerepo=cloudlinux-updates-testing

Run the below command to restart the service

service db_governor restart

 

How to install MySQL Governor on CPanel, Plesk and DirectAdmin

November 29th, 2012

MySQL Governor is a set of utilities to monitor and restrict MySQL usage in a shared hosting environment. The monitoring is done via the USER_STATISTICS table that is available in the CloudLinux version of MySQL, as well as via tracking of slow queries.

To install MySQL governor on cPanel server

yum install db-governor --enablerepo=cloudlinux-updates-testing
/usr/share/lve/dbgovernor/install-mysql.py --install

Note :

MySQL on cPanel servers will be updated from CloudLinux RPMs.

MySQL Governor is compatible only with MySQL 5.x

 

Perl Error installing csf firewall in directadmin

August 31st, 2012

Perl error while installing csf in directadmin : Can’t locate LWP/UserAgent.pm

While installing csf on a Linux DirectAdmin server, it throws the error message below.

Checking Perl modules...
Can't locate LWP/UserAgent.pm in @INC (@INC contains: /etc/csf /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi /usr/lib/perl5/5.8.8 .) at (eval 19) line 2.
BEGIN failed--compilation aborted at (eval 19) line 2.
Using configuration defaults

 

Solution:

yum search perl-libwww-perl

If the package is available, then install it using yum

yum install perl-libwww-perl

 

Categories: Installation, Security Tags:

How to install clamd and clamscan on linux server

May 27th, 2012

First check the redhat release and os architecture.

cat /etc/redhat-release

Then check the architecture.

uname -i

Download the rpm package that matches your system and install it on the server.

http://dag.wieers.com/rpm/FAQ.php#B

Once done, then run

yum install clamav clamd clamav-devel

 

How to install mod security plugin in WHM

May 27th, 2012

Go to the below path.

cd /usr/local/src

Download the below file.

wget http://www.configserver.com/free/cmc.tgz

Extract that file.

tar -xzf cmc.tgz

Go into that folder.

cd cmc

Run the file using the below command.

sh install.sh

Once done, then access the mod security using WHM.

 

How to uninstall mod security plugin from WHM server

Run the below commands to uninstall mod security plugin from WHM server.

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmc.cgi

rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmcversion.txt

rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmc/

 

 

Categories: Apache, Control Panel, CPanel / WHM, Security Tags:

How to install Brute Force Detection (BFD) on linux server

May 10th, 2012

 

Brute Force Detection

Brute Force Detection is a free tool that can be used to defend against brute force attacks on your UK web hosting servers. The main intention of such an attack is to gain SSH/root access to the server by using an algorithm that runs through different permutations and combinations to guess the password.

Brute Force Detection is capable of detecting such attempts, and so prevents them from growing into a full brute force attack.

 

Steps to Install BFD (Brute Force Detection)

Before proceeding with the installation of BFD, you are required to install the APF firewall on the server. This is because BFD operates together with the APF firewall, which offers enhanced server security. Having done that, follow the steps below to install BFD on the server:

 Installation

SSH into your hosting server as root

Go to the below folder

cd /usr/local/src

Using the below command, you can download BFD:

wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

Extract the files onto the server and change to the new directory:

tar -xvzf bfd-current.tar.gz
cd bfd-1.4

Using the below command you must run the installation file:

./install.sh

You should be able to see a similar message as shown below :

: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

You can configure it as per your requirements and then run the command below.

/usr/local/sbin/bfd -s

 

Categories: CPanel / WHM, Installation, Security Tags:

How to install and uninstall DDoS Deflate on Linux server

May 10th, 2012

 

DDoS Deflate

(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Installation:

Go to below path.

cd /usr/local/src/

Create directory

mkdir ddos

Go to that directory

cd ddos

Get the latest source file using the below link:

wget http://www.inetbase.com/scripts/ddos/install.sh

Install DDOS Deflate

sh install.sh

Edit the configuration file,

/usr/local/ddos/ddos.conf

Start the ddos

/usr/local/ddos/ddos.sh -c

Uninstallation

Download the below file

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos

Check the permissions of uninstall.ddos. If they are not 700, set them using the command below.

chmod 0700 uninstall.ddos

Run the below command to uninstall it.

./uninstall.ddos

Note:

  • It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
  • Simple configuration file: /usr/local/ddos/ddos.conf
  • IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
  • The script can run at a chosen frequency via the configuration file (default: 1 minute)
  • You can receive email alerts when IP addresses are blocked.
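The counting step behind the netstat pipeline quoted earlier in this post, together with the ignore list, written out as an added example; it is not DDoS Deflate's own code, and the function names and sample connections are constructed for illustration. It differs from the quoted pipeline in two ways: header lines are skipped, and only the final ":port" is stripped so IPv6 peers are not cut down to their first group.

```shell
#!/bin/bash
# Added example, not part of DDoS Deflate.

# Constructed `netstat -ntu` output (documentation address ranges only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      TIME_WAIT
tcp        0      0 192.0.2.10:443          203.0.113.9:40000       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:40001       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:41000    ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.50:5353       ESTABLISHED
EOF
}

# Read netstat output on stdin and print "<count> <peer>" sorted by count.
# Only tcp/udp rows are counted; the port is removed from the end of field 5.
count_peers() {
    awk '$1 ~ /^(tcp|udp)/ { sub(/:[0-9*]+$/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' | sort -n
}

# Print peers with more than $1 connections, skipping addresses listed one
# per line in the ignore file $2 (same role as ignore.ip.list).
over_limit() {
    local limit="$1" ignore="${2:-/dev/null}"
    count_peers | awk -v lim="$limit" -v ign="$ignore" '
        BEGIN { while ((getline line < ign) > 0) skip[line] = 1 }
        $1 + 0 > lim + 0 && !($2 in skip) { print $2 }'
}

# Demo on the constructed sample. On a live server the equivalent is:
#   netstat -ntu | over_limit <limit> /usr/local/ddos/ignore.ip.list
sample_netstat | over_limit 2
```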

 

Categories: CPanel / WHM, Installation, Security Tags:

How to configure APF to prevent DDOS attack

May 10th, 2012

Relatively new to APF is the new AntiDOS feature which can be found in: /etc/apf/ad

The log file will be located at /var/log/apfados_log so you might want to make note of it and watch it!

vi /etc/apf/ad/conf.antidos

LP_KLOG="1"
IPT_BL="1"

USR_ALERT="1"
USR="root"
ARIN_ALERT="1"

There are various things you might want to fiddle with, but I'll cover the ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts.

# User for alerts to be mailed to
USR="[email protected]"
Enter your email address to receive the alerts.

Save your changes and quit the file

Restart the firewall:

/usr/local/sbin/apf -r

 

Categories: CPanel / WHM, Security Tags:

How to install mod_limitipconn on linux server

May 10th, 2012

How to install mod_limitipconn on server

To set a per-IP connection limit on the server, we use mod_limitipconn. This can be a very useful tool, as it can help lower the load on your server caused by someone connecting too many times from the same IP.

 

To set the IP limit on the server using mod_security.

Check apache version first on server.

httpd -v

Go to the below path

cd /usr/local/src/

Download mod_limitipconn using the link below. I have Apache version 2.2.22. Download the file that matches your Apache version.

wget http://dominia.org/djao/limit/mod_limitipconn-0.24.tar.bz2


Untar the file

tar -xvf mod_limitipconn-0.24.tar.bz2

Go to that folder

cd mod_limitipconn-0.24

Compile it with apache

make
make install

Check the apache syntax and restart the apache service if it is Ok

httpd -t
/etc/init.d/httpd restart

Add the below lines in httpd.conf

vi /usr/local/apache/conf/httpd.conf

 

# This command is always needed
ExtendedStatus On

# Only needed if the module is compiled as a DSO
LoadModule limitipconn_module lib/apache/mod_limitipconn.so

<IfModule mod_limitipconn.c>

# Set a server-wide limit of 10 simultaneous downloads per IP,
# no matter what.
MaxConnPerIP 10
<Location /somewhere>
# This section affects all files under http://your.server/somewhere
MaxConnPerIP 3
# exempting images from the connection limit is often a good
# idea if your web page has lots of inline images, since these
# pages often generate a flurry of concurrent image requests
NoIPLimit image/*
</Location>

<Directory /home/*/public_html>
# This section affects all files under /home/*/public_html
MaxConnPerIP 1
# In this case, all MIME types other than audio/mpeg and video*
# are exempt from the limit check
OnlyIPLimit audio/mpeg video
</Directory>
</IfModule>

Check the syntax and, if everything is OK, restart Apache.

httpd -t
/etc/init.d/httpd restart
/etc/init.d/httpd status

Confirm that domains are working on the server. You can select the domain from the below file and try randomly accessing it.

cat /etc/userdomains

 

Notes:

This module will not function unless mod_status is loaded and the “ExtendedStatus On” directive is set.

Make sure mod security is already installed on the server using easyapache.

 

 
Categories: Apache, CPanel / WHM, Security Tags: