Category Archives: Linux

Securing MySQL

1. Restrict anonymous and remote access :- Never grant access from all hosts (a '%' host pattern); grants must be limited to specific users connecting from specific hosts. Do not grant the SUPER or FILE privilege to non-administrative users. A user who holds FILE can read and write files anywhere on the file system that the mysqld daemon itself can reach (SELECT ... INTO OUTFILE, LOAD DATA INFILE), with the privileges of the mysqld process; SUPER allows, among other things, changing global server settings and killing other users' connections.

 

If no application needs to reach MySQL over the network, disable TCP listening altogether by adding the following line to the [mysqld] section of /etc/my.cnf:

skip-networking

This stops mysqld from opening a TCP port at startup. Local clients can still connect through the Unix socket, so applications on the same host keep working.

 

Another option, for hosts where a local application insists on TCP, is to make MySQL listen only on the loopback interface by adding the following line to the [mysqld] section of my.cnf (remote hosts then cannot reach port 3306 at all):

bind-address=127.0.0.1

2. Improve local security :- Local clients talk to the server through a Unix socket, and both sides must agree on its path, so set the same socket in the [client] and [mysqld] sections of /etc/my.cnf:

[client]

socket = /tmp/mysql.sock

Note that /tmp is world-writable: any local user can pre-create or replace a socket there before mysqld starts, so on a multi-user host prefer a directory owned by the mysql user (for example under /var/lib/mysql or /run) and set that path in both sections.

Also add the following to the [mysqld] section of /etc/my.cnf to disable LOAD DATA LOCAL INFILE, which otherwise lets a statement (including one injected through a vulnerable application) pull files from the client host into the database:

local-infile=0

Older guides write this as set-variable=local-infile=0; the set-variable= prefix was removed in MySQL 5.5 and the bare form works on every version.

3. Change the admin password :- The most important step is setting a password for the database administrator (root), which older MySQL installations left empty by default. Connect as root and set it:

mysql -u root

mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password');

The PASSWORD() function was deprecated in MySQL 5.7.6 and removed in 8.0; on those versions use ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_password'; instead. The new password now sits in the shell and mysql history files (see step 5).

4. Change the admin name :- It is also recommended to rename the default administrator account (root) to something less predictable. This does not replace a strong password, but it defeats brute-force and dictionary attacks that assume the user name is root:

mysql> update user set user='mysqluser' where user='root';

mysql> flush privileges;

These statements edit the mysql.user table directly, so they must be run with the mysql database selected (use mysql;) and followed by FLUSH PRIVILEGES. The supported equivalent is RENAME USER 'root'@'localhost' TO 'mysqluser'@'localhost';, which also updates the other grant tables and needs no flush.

 

5. Remove history :- Also clear the history files in which every statement typed at the mysql prompt and at the shell is recorded: ~/.mysql_history, and the shell's ~/.bash_history or ~/.history. The SET PASSWORD and GRANT statements from the previous steps are stored there in plain text. To keep the mysql client from writing history at all, point the MYSQL_HISTFILE environment variable at /dev/null (or make ~/.mysql_history a symlink to /dev/null).

 

6. User access privileges :- Create a separate account for each application, limited to the database(s) that application uses. Such accounts must have no access to the mysql database and no global or administrative privileges (FILE, GRANT OPTION, ALTER, SHOW DATABASES, RELOAD, SHUTDOWN, PROCESS, SUPER and so on). Never grant an application user ALL PRIVILEGES ... WITH GRANT OPTION, and never grant it access from any host ('%').

 

7. Disable remote access :- When only applications on the same server use the database, MySQL should not listen on TCP port 3306 at all, as it does by default. Edit /etc/my.cnf and uncomment the skip-networking line in the [mysqld] section by removing the leading #. This is the same setting as in step 1; bind-address=127.0.0.1 is the alternative when a local application requires TCP.

8. Remove default users/db :- Remove the sample database (test) and all accounts except the local root account:

mysql> drop database test;

mysql> use mysql;

mysql> delete from db;

mysql> delete from user where not (host='localhost' and user='root');

mysql> flush privileges;

This removes the anonymous accounts, which allow connections without a password, and every account that could connect from a remote host, regardless of the skip-networking setting in /etc/my.cnf. If the administrator was renamed in step 4, use that name instead of root. On MySQL 5.7 and later the server's own accounts (mysql.sys, and in 8.0 also mysql.session and mysql.infoschema) must be kept, and DROP USER is preferred over deleting rows from mysql.user directly because it cleans up the other grant tables as well. The mysql_secure_installation script that ships with MySQL performs steps 3 and 8 interactively.
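Added example, not part of the original post: a shell script that checks a my.cnf for the settings from steps 1, 2 and 7 and prints the grant-table queries behind steps 1, 6 and 8. The two config files it audits are constructed inside the script and written to temporary files; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a my.cnf for the network,
# socket and local-infile hardening of steps 1, 2 and 7, and emit the SQL that
# checks the grant tables for the account problems of steps 1, 6 and 8.
# The two config files below are constructed samples written to temp files.

# mysqld_has FILE REGEX: return 0 if an uncommented line inside the [mysqld]
# section matches REGEX (an awk ERE, anchored to the whole line), else 1.
mysqld_has() {
    local file="$1" regex="$2"
    awk -v re="$regex" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                         # comments, blanks
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld][ \t]*$/); next }
        in_sec && $0 ~ ("^[ \t]*" re "[ \t]*$") { found = 1 }
        END { exit !found }
    ' "$file"
}

# audit_mycnf FILE: print one FAIL/WARN line per weak setting; always returns 0.
audit_mycnf() {
    local file="$1"
    if ! mysqld_has "$file" 'skip-networking' &&
       ! mysqld_has "$file" 'bind-address[ \t]*=[ \t]*(127[.]0[.]0[.]1|::1|localhost)'; then
        echo "FAIL: mysqld accepts TCP connections on all interfaces (add skip-networking or bind-address=127.0.0.1 to [mysqld])"
    fi
    if ! mysqld_has "$file" '(set-variable[ \t]*=[ \t]*)?local-infile[ \t]*=[ \t]*(0|OFF)'; then
        echo "FAIL: LOAD DATA LOCAL INFILE is enabled (add local-infile=0 to [mysqld])"
    fi
    if mysqld_has "$file" 'socket[ \t]*=[ \t]*/tmp/.*'; then
        echo "WARN: socket lives in world-writable /tmp; move it to a directory owned by the mysql user"
    fi
    return 0
}

# audit_count FILE: number of FAIL lines (0 means the file passes).
audit_count() {
    audit_mycnf "$1" | grep -c '^FAIL:' || true
}

# mysql_audit_sql: queries to run as an administrator, e.g.
#   mysql_audit_sql | mysql -u root -p
mysql_audit_sql() {
    cat <<'EOF'
-- anonymous accounts (step 8)
SELECT User, Host FROM mysql.user WHERE User = '';
-- administrator reachable from anywhere but the local host (step 1)
SELECT User, Host FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-- wildcard hosts and dangerous global privileges (steps 1 and 6)
SELECT User, Host, Super_priv, File_priv, Grant_priv FROM mysql.user
 WHERE Host = '%' OR Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y';
-- sample database still present (step 8)
SHOW DATABASES LIKE 'test';
EOF
}

# Constructed samples: a default-looking config and a hardened one.
INSECURE_CNF=$(mktemp); HARDENED_CNF=$(mktemp)
cat > "$INSECURE_CNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
socket=/tmp/mysql.sock
# skip-networking
bind-address=0.0.0.0
EOF
cat > "$HARDENED_CNF" <<'EOF'
[client]
socket=/var/lib/mysql/mysql.sock
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-networking
local-infile=0
EOF

echo "== insecure sample =="; audit_mycnf "$INSECURE_CNF"
echo "== hardened sample =="; audit_mycnf "$HARDENED_CNF"
```

Run it against the real file with audit_mycnf /etc/my.cnf; the config check only looks at the [mysqld] section and ignores commented-out lines, which is exactly the trap in step 7 (a skip-networking line that is still commented out does nothing). The SQL part needs a live server and an administrative account, so it is only printed here.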


Securing Postfix

cd /etc/postfix

vi main.cf

 

####### smtp auth and TLS
# yes: a client must negotiate STARTTLS before AUTH is offered, so passwords
# never cross the wire in clear text (the original post set this to no)
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
# an empty local_recipient_maps turns off rejection of unknown local
# recipients: Postfix then accepts such mail and bounces it later
# (backscatter); drop this line unless you know you need it
local_recipient_maps =
# smtp_use_tls / smtpd_use_tls are the pre-Postfix-2.3 names for these two
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
# must be the certificate of the CA that signed smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
########

 

Then:

vi master.cf

 

Paste this under the smtp entry:

smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_sender=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o broken_sasl_auth_clients=yes

smtpd_tls_wrappermode=yes is what makes port 465 speak TLS from the first byte (the "smtps" convention). Without it the smtps service is just a second plaintext SMTP port, and AUTH PLAIN credentials sent to it cross the network in the clear. The -o lines must be indented so that master.cf treats them as options of the smtps entry.

 

Check the smtpd.conf file and amend it:

locate smtpd.conf

vi /usr/lib/sasl2/smtpd.conf

 

Delete the contents of the file and paste into it:

pwcheck_method: saslauthd
mech_list: plain login

To check which authentication mechanisms saslauthd was built with, run:

saslauthd -v

(-v prints the version and the available mechanisms; -V only turns on verbose logging.)

Set SASL authentication to start at system boot:

chkconfig --levels 235 saslauthd on

Set up the keys and certificates. Postfix needs the server key without a passphrase, and it should be at least 2048 bits (the original steps made a 1024-bit key, encrypted it with -des3 only to strip the passphrase again a few commands later, and seeded the generator from /etc/hosts, which is not a source of randomness). Create the CA first and sign the server certificate with it, so that smtpd_tls_CAfile really is the issuer of smtpd_tls_cert_file:

mkdir /etc/postfix/ssl

cd ssl/

umask 077

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

openssl genrsa -out smtpd.key 2048

chmod 600 smtpd.key cakey.pem

openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out smtpd.crt

openssl verify -CAfile cacert.pem smtpd.crt

The last command must print smtpd.crt: OK; if it does not, Postfix will still load the files but clients will see an untrusted chain. openssl req asks for a passphrase for cakey.pem and x509 -req asks for it again when signing; Postfix never reads this key, so keeping it encrypted costs nothing (add -nodes to the req command if you would rather not type it).

What mail clients (Outlook, Thunderbird) need in order to stop warning about a self-signed chain is the CA certificate, so distribute cacert.pem, or a PKCS#12 bundle that contains certificates only. Never hand out smtpd.key: the original command exported the server's private key together with its certificate. Certificate-only bundle:

openssl pkcs12 -export -nokeys -in cacert.pem -out OutlookSMTP.p12

Reload the config:

postfix reload

If your mail server is behind a firewall (assuming the LAN address of your server is 192.168.0.99, extif and intif are the external and internal interfaces, and extip2 is the public address), add these rules on the firewall:

iptables -A FORWARD -i extif -p tcp --dport 465 -d 192.168.0.99 -o intif -j ACCEPT

iptables -A FORWARD -o extif -p tcp --sport 465 -s 192.168.0.99 -i intif -j ACCEPT

iptables -t nat -A PREROUTING -i extif -p tcp -d extip2 --dport 465 -j DNAT --to-destination 192.168.0.99:465

(The target is DNAT in upper case; iptables rejects -j dnat. --to is an accepted abbreviation of --to-destination.)

Testing

Check if the port is listening:

netstat -ntpl | grep master

tcp 0 0 127.0.0.1:10025  0.0.0.0:*   LISTEN   8366/master

tcp 0 0 0.0.0.0:465   0.0.0.0:*   LISTEN   8366/master

tcp 0 0 0.0.0.0:25    0.0.0.0:*   LISTEN 8366/master

Test that TLS and AUTH are offered. Read the transcript below carefully: telnet to port 465 receives a readable 220 banner, which means that port is speaking plain SMTP, i.e. smtpd_tls_wrappermode was not set on the smtps service, and the AUTH PLAIN exchange further down therefore travelled in cleartext. With wrapper mode enabled, telnet gets no readable banner; use openssl s_client -connect localhost:465 -crlf instead, and openssl s_client -connect localhost:25 -starttls smtp to test STARTTLS on port 25. The EHLO response must list STARTTLS, and with smtpd_tls_auth_only = yes the AUTH line appears only after STARTTLS (or on the wrapper-mode port):

telnet localhost 465

[root@ls1 postfix]# telnet localhost 465

Trying 127.0.0.1…

Connected to localhost.localdomain (127.0.0.1).

Escape character is ‘^]’.

220 yourserver ESMTP Postfix

ehlo me

250-yourserver

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250 8BITMIME

^]

telnet> quit

Connection closed.

[root@ls1 postfix]#

To test further, create an account and produce the base64 form of the SASL PLAIN credentials (the bytes authzid NUL authcid NUL password, with the user name used as its own authorization id) with mmencode or the following Perl script:

#!/usr/bin/perl
# encode_sasl_plain.pl: print the base64 argument for "AUTH PLAIN"
use strict;
use warnings;
use MIME::Base64;
if ( $#ARGV != 1 ) {
    die "Usage: encode_sasl_plain.pl <username> <password>\n";
}
# NUL-separated authzid, authcid and password, as RFC 4616 requires
print encode_base64("$ARGV[0]\0$ARGV[0]\0$ARGV[1]");
exit 0;

 

Generate the Mime password:

encode_sasl_plain.pl <username> <password>

Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

telnet localhost 465

Trying 127.0.0.1…

Connected to localhost.localdomain (127.0.0.1).

Escape character is ‘^]’.

220 yourserver ESMTP Postfix

ehlo me

250-yourserver

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

235 2.0.0 Authentication successful

If authentication fails, you may have to change the MECH value in /etc/sysconfig/saslauthd (and in /etc/init.d/saslauthd on systems where the init script sets it directly). The possible values are listed by:

saslauthd -v

and restart saslauthd:

/etc/init.d/saslauthd restart

Test the connection from outside:

telnet yourserver 465

cameron@cs:~$ telnet yourserver 465

Trying your-ip…

Connected to yourserver.

Escape character is ‘^]’.

220 yourserver ESMTP Postfix

ehlo me

250-yourserver

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

AUTH PLAIN Y2FtZXJvbnMAY2FtZXJvbnMAdGVzdGluZzA4

235 2.0.0 Authentication successful
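The certificate steps and the AUTH PLAIN test above, as one added example that is not part of the original post. It creates a private CA and a CA-signed server certificate (so that smtpd_tls_CAfile really is the issuer of smtpd_tls_cert_file, which the original self-signed sequence does not guarantee) and computes the SASL PLAIN string in shell instead of Perl. The working directory, the host name mail.example.com and the function names are assumptions; the credentials in the demo are the ones from the transcript above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a CA-signed certificate pair for
# the smtpd_tls_* settings above, plus the SASL PLAIN string for the AUTH test.
# DIR, the host name and the function names are assumptions for illustration.

# make_smtp_pki DIR CN: write cakey.pem, cacert.pem, smtpd.key, smtpd.crt in DIR.
# The server key is unencrypted (Postfix cannot type a passphrase) and 2048-bit
# RSA replaces the 1024-bit key of the original steps.
make_smtp_pki() {
    local dir="$1" cn="$2" cfg
    mkdir -p "$dir" && chmod 700 "$dir"
    cfg="$dir/openssl.cnf"
    cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${cn}
EOF
    # 1. a private CA; cacert.pem is what mail clients import to trust the server
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$cfg" -extensions v3_ca \
        -subj "/CN=${cn} mail CA" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    # 2. server key and CSR (CN and SAN carry the name clients connect to)
    openssl genrsa -out "$dir/smtpd.key" 2048 2>/dev/null
    chmod 600 "$dir/smtpd.key" "$dir/cakey.pem"
    openssl req -new -key "$dir/smtpd.key" -config "$cfg" -subj "/CN=${cn}" -out "$dir/smtpd.csr"
    # 3. server certificate signed by the CA, not self-signed as in the original steps
    openssl x509 -req -days 3650 -in "$dir/smtpd.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -extfile "$cfg" -extensions v3_server -out "$dir/smtpd.crt" 2>/dev/null
    # 4. prove the chain verifies before pointing smtpd_tls_CAfile at it
    openssl verify -CAfile "$dir/cacert.pem" "$dir/smtpd.crt"
}

# sasl_plain USER PASSWORD: base64 of "authzid NUL authcid NUL password"
# (RFC 4616), the argument of AUTH PLAIN; the user is its own authorization id.
sasl_plain() {
    printf '%s\000%s\000%s' "$1" "$1" "$2" | openssl base64 -A
}

DEMO_DIR=$(mktemp -d)
make_smtp_pki "$DEMO_DIR" mail.example.com
# Same credentials as the transcript above: camerons / testing08
echo "AUTH PLAIN $(sasl_plain camerons testing08)"
# Against a wrapper-mode port 465:  openssl s_client -connect mail.example.com:465 -crlf
# Against STARTTLS on 25 or 587:    openssl s_client -connect mail.example.com:25 -starttls smtp
```

Copy the four PEM files into /etc/postfix/ssl to match the main.cf paths above, and paste the AUTH PLAIN line into an openssl s_client session rather than telnet, so the credentials are inside TLS. The script writes its own minimal openssl.cnf instead of relying on the distribution's v3_ca section, which is why it runs the same on any OpenSSL install.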


How do I disable cPhulk from the command line?

You can disable cPhulk's brute-force lockout by running the following commands. While it is off the server has no login brute-force protection, so re-enable it as soon as the lockout you are working around is resolved.

/usr/local/cpanel/etc/init/stopcphulkd
/usr/local/cpanel/bin/cphulk_pam_ctl --disable

You can then re-enable it by running:

/usr/local/cpanel/etc/init/startcphulkd
/usr/local/cpanel/bin/cphulk_pam_ctl --enable


How do I install "Apache Booster"?

ApacheBooster is a plugin that puts nginx and Varnish in front of Apache; it reduces load spikes and memory usage and improves the performance of the hosted websites.

wget http://prajith.in/downloads/apachebooster.tar.gz

tar -zxf apachebooster.tar.gz

cd apachebooster

sh install.sh

Note that this fetches the archive over plain HTTP from a third-party site and runs its install script as root, so anyone who can tamper with the connection or the site can run code on your server. Verify the download against a checksum or signature the author publishes through a trusted channel, and read install.sh before running it.


Disabling FTP access for a particular cPanel account when using pure-ftpd?

If you want to disable FTP for a particular account, there is no way to do it through WHM or cPanel.

If you are using pure-ftpd, the authentication helper /usr/sbin/pureauth (a Perl script) contains the section that provides the solution:

----------------
# disallow accounts in ftpusers
if ( any( sub { lc($acctowner) eq lc($_) }, @ftpusers ) ) {
    failed_auth();
----------------

So add the user name of the account whose FTP access you want to disable to /etc/ftpusers (one user name per line; the comparison is case-insensitive) and restart the pure-ftpd service.
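Added example, not part of the original post: shell helpers that edit /etc/ftpusers the way the pureauth check reads it, one name per line compared case-insensitively, without creating duplicates. They default to a constructed temporary file so they can be tried without root; the FTPUSERS variable and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): manage /etc/ftpusers the way the
# pureauth check reads it: one user name per line, matched case-insensitively.
# FTPUSERS defaults to a constructed temp file so this runs without root;
# export FTPUSERS=/etc/ftpusers on a real cPanel server.
FTPUSERS="${FTPUSERS:-$(mktemp)}"

# ftp_is_disabled USER: 0 if USER is listed (any case, whole line), else 1.
# -x keeps "site" from matching "siteowner"; -F treats USER as a literal string.
ftp_is_disabled() {
    grep -qixF -- "$1" "$FTPUSERS"
}

# ftp_disable USER: append USER unless an entry (in any case) already exists.
ftp_disable() {
    ftp_is_disabled "$1" || printf '%s\n' "$1" >> "$FTPUSERS"
}

# ftp_enable USER: drop USER's line(s), keep everything else; no-op if absent.
ftp_enable() {
    local tmp
    tmp=$(mktemp)
    grep -vixF -- "$1" "$FTPUSERS" > "$tmp" || true   # grep -v exits 1 when nothing is left
    cat "$tmp" > "$FTPUSERS"                           # rewrite in place, keeping owner and mode
    rm -f "$tmp"
}

ftp_disable siteowner
ftp_disable SiteOwner     # no duplicate: mirrors the lc() comparison in pureauth
ftp_disable bob
ftp_enable bob
# As the post says, restart the pure-ftpd service afterwards.
```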


How do I fix PHP MIME types when migrating from PHP 4 to PHP 5?

The following script updates a user's PHP MIME types from PHP 4 to PHP 5:

/usr/local/cpanel/bin/update_php_mime_types --force={php version number} --user={username}

For example, to force PHP 5 for the user testuser:

/usr/local/cpanel/bin/update_php_mime_types --force=5 --user=testuser

http://docs.cpanel.net/twiki/bin/view/EasyApache3/UserLevelPHPCustomization


How do I use a .htaccess rewrite to force HTTPS on a domain?

You can force HTTPS on a domain that has an SSL certificate with the following three lines in a .htaccess file in the document root (or in the directory you wish to force SSL on):

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://{domain name}/$1 [R=301,L]

Where {domain name} is the bare host name, for example www.mysau.com.au (not http://www.mysau.com.au, which would produce a broken https://http://... URL). R=301 makes the redirect permanent so browsers and caches remember it; a plain [R] is a temporary 302. If Apache serves HTTP on a port other than 80, or you want the rule to hold regardless of port, test RewriteCond %{HTTPS} off instead of the port number.
