Mod_security (ModSecurity is an open source intrusion detection and prevention engine for web applications)
Features
• filtering of POST and GET requests (including headers)
• filter inheritance, with the ability to add filters in each vhost's configuration file and per directory
• includes an easy way to chroot Apache
• ability to fake Apache output (like telling "Microsoft IIS" on error page or whatever you want to display)
• can store uploaded files in a tmp directory and call an anti-virus scan like clamav on these files
Installation
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar zxvf modsecurity-apache_1.9.4.tar.gz
cd modsecurity-apache_1.9.4
/usr/local/apache/bin/apxs -cia mod_security.c
/usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl start
Add required modsecurity directives in httpd.conf
Mod_evasive (mod_evasive is intended to avoid DDoS attacks by banning IPs that have reached a configured limit of requests during a lapse of time)
Features
• It's quite easy to deploy on a webserver and can be very useful.
• IP addresses of trusted clients can be whitelisted to ensure they are never denied
• This tool is excellent at fending off request-based DoS attacks, scripted attacks, and brute force attacks
Installation
wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
1. Extract this archive into src/modules in the Apache source tree
2. Run ./configure --add-module=src/modules/evasive/mod_evasive.c
3. make, install
4. Restart Apache
With DSO Support, Ensim, or CPanel:
1. /usr/local/apache/bin/apxs -iac mod_evasive.c
2. Restart Apache
Add required directive in httpd.conf
Mod_limitipconn(mod_limitipconn allows web server administrators to limit the number of simultaneous downloads permitted from a single IP address)
Features
• Allows inclusion and exclusion of files based on MIME type.
• Partially fixes the problem of dangling browser connections counting towards the download limit
Installation
wget http://dominia.org/djao/limit/mod_limitipconn-0.04.tar.gz
tar xzvf mod_limitipconn-0.04.tar.gz
cd apache_1.3.27
patch -p1 < /root/mod_limitipconn-0.04/apachesrc.diff
cp /root/mod_limitipconn-0.04/mod_limitipconn.c src/modules/extra/
./configure --activate-module=src/modules/extra/mod_limitipconn.c --with-forward
make && make install
With DSO Support, Ensim, or CPanel:
1. cd mod_limitipconn-0.04
2. make
3. make install
Add required directives in httpd.conf
APF (Advanced Policy Firewall is a policy based iptables firewall system designed for ease of use and configuration)
Features
- detailed and well commented configuration file
- granular inbound and outbound network filtering
- user id based outbound network filtering
- application based network filtering
- trust based rule files with an optional advanced syntax
- global trust system where rules can be downloaded from a central management
server
- debug mode provided for testing new features and configuration setups
- fast load feature that allows for 1000+ rules to load in under 1 second
- inbound and outbound network interfaces can be independently configured
- global tcp/udp port & icmp type filtering with multiple methods of executing
filters (drop, reject, prohibit)
- configurable policies for each ip on the system with convenience variables to
import settings
- packet flow rate limiting that prevents abuse on the most widely abused
protocol, icmp
- prerouting and postrouting rules for optimal network performance
- dshield.org block list support to ban networks exhibiting suspicious activity
- spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP
blocks
- antidos subsystem to stop attacks before they become a significant threat
- any number of additional interfaces may be configured as firewalled
(untrusted) or trusted (not firewalled)
- additional firewalled interfaces can have their own unique firewall policies
applied
- intelligent route verification to prevent embarrassing configuration errors
- advanced packet sanity checks to make sure traffic coming and going meets
- filter attacks such as fragmented UDP, port zero floods, stuffed routing,
arp poisoning and more
- configurable type of service options to dictate the priority of different types
of network traffic
- intelligent default settings to meet every day server setups
- dynamic configuration of your server's local DNS resolvers into the firewall
- optional filtering of common p2p applications
- optional filtering of private & reserved IP address space
- optional implicit blocks of the ident service
- configurable connection tracking settings to scale the firewall to the size of
your network
- configurable kernel hooks (ties) to harden the system further to syn-flood
attacks & routing abuses
- advanced network control such as explicit congestion notification and overflow
control
- special chains that are aware of the state of FTP DATA and SSH connections to
prevent client side issues
- control over the rate of logged events, want only 30 filter events a minute?
300 a minute? - you are the boss
- logging subsystem that allows for logging data to user space programs or
standard syslog files
- logging that details every rule added and a comprehensive set of error checks
to prevent config errors
- if you are familiar with netfilter you can create your own rules in any of
the policy files
- pluggable and ready advanced use of QoS algorithms provided by the Linux
Installation
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-0.9.6-2/
./install.sh
Configure APF (/etc/apf/conf.apf) according to your requirements,
then start APF
/usr/local/sbin/apf -s
BFD( Brute Force Detection is a modular shell script for parsing applicable logs and checking for authentication
Installation
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.7
./install.sh
Configure BFD (/usr/local/bfd/conf.bfd) according to your requirements
To start BFD running
/usr/local/sbin/bfd -s
SIM (System Integrity Monitor is a system and services monitor for ‘SysVinit’ systems. It is designed to be intuitive and modular in nature)
Features
- Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
- Event tracking and alert system
- Auto restart ability for downed services
- Checks against network sockets & process list to ensure services are online
- HTTP log size monitor, to avoid segfaults from apache due to large logs
- URL Aware monitoring, to ensure HTTP does not 'lockup'
- System load monitor with customizable warning levels, actions, and more...
- Informative command line status display
- Easily customizable configuration file
- Auto configuration script
- Auto cronjob setup feature
- Caching feature for ps/netstat output, to ease on runtime load
- Simple & Informative installation script
- Integrated auto-update feature
Installation
wget http://www.r-fx.org/downloads/sim-current.tar.gz
tar -xzvf sim-current.tar.gz
cd sim-2.5-4/
./setup -i
Then press "Enter"
Then when it says MORE press the "space bar"
Then press "Enter"
Then when it says MORE press the "space bar"
Now you will press ENTER one more time to do the auto-configuration script for SIM
To add a cron.
Type: ./setup -c
If it says "Removed SIM cronjob." then you must type it again.
Type: ./setup -c
Portsentry (PortSentry is a tcpwrapper that listens for port scans, which can be used to send back fake ping replies)
Features
- helps us protect our network from unsolicited intrusions
- we can choose which ports we want to be open and which ones we don't
Installation
wget http://www.macosxunleashed.com/downloads/portsentry-1.0.tar.gz
tar zxvf portsentry-1.0.tar.gz
cd portsentry-1.0
make linux
make install
Make the relevant changes in the conf file (/usr/local/psionic/portsentry/portsentry.conf)
chkrootkit (it is a tool to locally check for signs of a rootkit)
Features
* chkrootkit: shell script that checks system binaries for rootkit modification.
* ifpromisc.c: checks if the interface is in promiscuous mode.
* chklastlog.c: checks for lastlog deletions.
* chkwtmp.c: checks for wtmp deletions.
* check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
* chkproc.c: checks for signs of LKM trojans.
* chkdirs.c: checks for signs of LKM trojans.
* strings.c: quick and dirty strings replacement.
* chkutmp.c: checks for utmp deletions.
Installation
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.47/
make sense
./chkrootkit
configure reporting cronjob:-
cd /etc/cron.daily
vi chkrootkit.cron
#!/bin/bash
cd /root/chkrootkit-0.47/
./chkrootkit 2>&1 | mail -s "chkrootkit daily report" ndztest@gmail.com
Save & exit
chmod +x chkrootkit.cron
RKHunter (RootKit Hunter is a security scanning tool which will scan for rootkits, backdoors, and local exploits)
Features
It runs many tests, including MD5 hash comparisons, default filenames used by rootkits, wrong file permissions for binaries, and suspicious strings in LKM and KLD modules
Installation
wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
tar -xzvf rkhunter-1.1.4.tar.gz
cd rkhunter
./installer.sh
configure reporting cronjob:-
cd /etc/cron.daily
vi rkhunter.cron
#!/bin/bash
/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" ndztest@gmail.com
Save & exit
chmod +x rkhunter.cron
Snort(Snort is an open source network intrusion detection and prevention system)
Features
* capable of performing real-time traffic analysis, alerting, blocking and packet logging on IP networks
* Protocol Analysis
* Content searching / matching
* Real-time alerting capability
* Can read in a TCPDump trace and run against a rule set
* Flexible rules language to describe traffic that it should collect or pass
Installation
wget http://www.snort.org/dl/current/snort-2.6.1.5.tar.gz
tar zxvf snort-2.6.1.5.tar.gz
cd snort-2.6.1.5
./configure
make
make install
mkdir /etc/snort
cp -rf etc/* /etc/snort
change /etc/snort/snort.conf according to your requirements
Tripwire(Tripwire data integrity assurance software monitors the reliability of critical system files and directories by identifying changes made to them)
Features
* Centralized management console with web interface
* Centralized database that stores historical changes
* Tailorable reports and dashboards
* Customizable roles and permissions to ensure a secure audit trail
* Integration with change management systems, providing automated change reconciliation
Installation
yum install tripwire
/usr/sbin/tripwire-setup-keyfiles
To generate database
/usr/sbin/tripwire --init
To view Tripwire database
/usr/sbin/twprint -m d --print-dbfile | less
libsafe (Libsafe is a library that tries to prevent buffer overflow attacks)
Features
* Detection and protection against stack smashing attacks
Installation
wget http://fresh.t-systems-sfr.com/linux/src/libsafe-2.0-16.tgz
tar zxvfp libsafe-2.0-16.tgz
cd libsafe-2.0-16
make
make install
cd exploits
make
./int.sh t1
- hit carriage return and watch
./int.sh t3
- hit carriage return and watch
./int.sh t4
- hit carriage return and watch
./xlock -nolock
./canary-exploit
./exploit-non-exec-stack
Enable libsafe
export LD_PRELOAD=/lib/libsafe.so.2
Permanently install libsafe
vi /etc/profile
export LD_PRELOAD=/lib/libsafe.so.2
PHP mail() header patch (This patch attempts to address the difficulty of tracing mail() misuse by inserting an informational header into messages sent from PHP via the mail() function)
Features
* The header identifies both the script and the apparent IP address that called it
* Without it, misuse can be difficult to trace, even if you have comprehensive mail and webserver logs
Installation
wget http://www.lancs.ac.uk/~steveb/patches/php-mail-header-patch/php5-mail-header.patch
cd /root/php-5.2.1
patch -p1 < ../php5-mail-header.patch
Recompile PHP
Limit compiler and fetch utilities access to root only
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/wget
Ensure OpenSSH is only using protocol 2
vi /etc/ssh/sshd_config
Find the line "#Protocol 2,1" and change it to "Protocol 2" (sshd_config is the server's file; ssh_config only affects the client)
Disable DNS recursion
vi /etc/named.conf
Set "recursion no;" in the "options" clause
If you need to enable recursion for your local network,
add allow-recursion { 192.168.1.1; 192.168.1.20; 192.168.1.21; 192.168.1.59; 192.168.1.22; }; to the "options" section
Disable unused services (e.g. telnet)
vi /etc/xinetd.d/telnet
Replace "disable = no" with "disable = yes"
/etc/init.d/xinetd restart
chkconfig telnet off
chkconfig --del telnet
Scan server to ensure port 23 is closed
nmap -sT -O localhost
Disable IP source routing
vi /etc/sysctl.conf
net.ipv4.conf.default.accept_source_route = 0
Ensure you cannot SSH directly as root. You must SSH in as an admin user first
For cPanel make sure you add your admin user to the 'wheel' group so that you will be able to 'su -' to root
After that
vi /etc/ssh/sshd_config
PermitRootLogin no
Disable ICMP Redirect Acceptance (When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect packet is used by routers to inform the hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly subvert the security of the host by causing traffic to flow via a path you didn't intend. It's strongly recommended to disable ICMP Redirect Acceptance to protect your server from this hole.)
vi /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
/etc/init.d/network restart
Enforce noexec & nosuid on temporary directories /tmp and /var/tmp
vi /etc/fstab
LABEL=/tmp /tmp ext3 noexec,nosuid,rw 0 0
/dev/shm /dev/shm tmpfs defaults,noexec,nosuid 0 0
chmod 1777 /tmp
umount /dev/shm
mount /dev/shm
rm -rf /var/tmp/
ln -s /tmp/ /var/
Enable IP spoofing protection (The spoofing protection prevents your network from being the source of spoofed, i.e. forged, communications that are often used in DoS attacks)
vi /etc/sysctl.conf
net.ipv4.conf.all.rp_filter = 1
/etc/init.d/network restart
Enable syncookie protection
vi /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
/etc/init.d/network restart
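A way to verify the sysctl, sshd_config and fstab edits above after making them. This is an added example, not part of the original page; the function names and the sample files written by demo() are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): audit this checklist's settings.
# sysctl.conf: lines apply in order, so the LAST assignment of a key wins.
sysctl_value() {  # $1=file $2=key
    awk -F= -v k="$2" '/^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { val = $2; gsub(/[ \t]/, "", val) }
        END { print val }' "$1"
}
# sshd_config: the FIRST value read wins; keywords are case-insensitive; Match blocks ignored.
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" '/^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}
# fstab: succeed only if the mount point carries both noexec and nosuid.
fstab_hardened() {  # $1=file $2=mountpoint
    awk -v m="$2" '/^[ \t]*#/ { next }
        $2 == m { opts = "," $4 ","; found = 1 }
        END { exit !(found && opts ~ /,noexec,/ && opts ~ /,nosuid,/) }' "$1"
}
fail() { echo "FAIL $*"; fails=$((fails + 1)); }
audit() {  # $1=sysctl.conf $2=sshd_config $3=fstab; exit status = number of failures
    fails=0
    while read -r key want; do
        got=$(sysctl_value "$1" "$key")
        [ "$got" = "$want" ] || fail "$key=${got:-unset}, want $want"
    done <<EOF
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.tcp_syncookies 1
EOF
    [ "$(sshd_value "$2" PermitRootLogin)" = no ] || fail "PermitRootLogin is not no"
    [ "$(sshd_value "$2" Protocol)" = 2 ] || fail "Protocol is not 2"
    fstab_hardened "$3" /tmp || fail "/tmp lacks noexec,nosuid"
    fstab_hardened "$3" /dev/shm || fail "/dev/shm lacks noexec,nosuid"
    return "$fails"
}
# Constructed sample files (not from a real host) with three deliberate flaws.
demo() {
    d=$(mktemp -d) || return 99
    printf '%s\n' 'net.ipv4.conf.default.accept_source_route = 0' \
        'net.ipv4.conf.all.accept_redirects = 0' 'net.ipv4.tcp_syncookies = 1' \
        'net.ipv4.conf.all.rp_filter = 1' 'net.ipv4.conf.all.rp_filter = 0' > "$d/sysctl"
    printf '%s\n' 'Protocol 2' 'permitrootlogin yes' 'PermitRootLogin no' > "$d/sshd"
    printf '%s\n' 'LABEL=/tmp /tmp ext3 noexec,nosuid,rw 0 0' '/dev/shm /dev/shm tmpfs defaults,nosuid 0 0' > "$d/fstab"
    rc=0; audit "$d/sysctl" "$d/sshd" "$d/fstab" || rc=$?; rm -rf "$d"; return "$rc"
}
demo || echo "$? check(s) failed in the constructed sample"
```

To audit a live host, call audit /etc/sysctl.conf /etc/ssh/sshd_config /etc/fstab instead of demo. Current OpenSSH releases support only protocol 2, so the Protocol check matters only on older installs like the ones this page targets.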
Disable certain php functions (system, exec, shell_exec)
vi /usr/local/lib/php.ini
disable_functions = system, exec, shell_exec
Harden host.conf
vi /etc/host.conf
order hosts,bind
nospoof on
/etc/init.d/network restart
Email spoofing prevention (Email spoofing is the practice of changing your name in email so that it looks like the email came from somewhere or someone else.)
Router filtering
Putting a filter on your router is the first preventive step. By using an Access Control List, you can block private IP addresses.
Encryption and authentication
By using encryption and authentication, you can reduce spoofing attacks. Ensuring the right authentication procedures are in place with a secure network will make it much more difficult for an attack to take place.
Upgrade kernel to latest OS release
wget http://download.openvz.org/kernel/branches/2.6.20/2.6.20-ovz005.1/kernel-2.6.20-ovz005.1.i686.rpm
rpm -ivh kernel-2.6.20-ovz005.1.i686.rpm