...Last update on 28/03/2005.
Administration
Well ... Here I'm talking about a few things a webmaster should know when making a website. It's a bit messy for now, but ...
  1. Monitoring
  2. Process
  3. Windows and Linux
  4. cron
  5. hosting
  6. users
  7. RCS
  8. chmod
  9. Apache
  10. Authentication
  11. modules
  12. archive
  13. advertising
  14. e-payment
  15. BootProm
  16. T1, T2, T3, DSL
  17. Robots exclusion
  18. System resources
netstat -punta (Also try netstat -nlp)

nmap: portscanner - This is the hacker tool responsible for many of the portscans you may be receiving.

nmap -sT -F IP-address Scan
nmap -sS -F IP-address SYN Scan
nmap -sU -F IP-address Scan UDP ports
nmap -sF -F IP-address FIN Scan
nmap -O -F IP-address Determine OS
nmap -p22 -F -O IP-address
nmap -p 1-30,40-65535 IP-Address Scan given port ranges

Add the option -v (verbose) or -vv (super verbose) for more info.
The ports will be determined to be open, filtered or firewalled.

Sample output from command: nmap -sS -F -O IP-Address

Tripwire will monitor your filesystems for intrusion or the addition of a file, so you can determine what changes have occurred in sensitive areas of your system. Chkrootkit will scan your system for known exploits, trojan commands, and worms used to compromise a system.
TripwireSecurity.com
Download chkrootkit from http://www.chkrootkit.org
The NESSUS software is available from Yolinux, Tcpdump

Using tcpdump to monitor the network:

[root@node prompt]# ifconfig eth0 promisc - Put nic into promiscuous mode to sniff traffic.
[root@node prompt]# tcpdump -n - Sniff trafficaddress which is your remote session.
[root@node prompt]# ifconfig eth0 -promisc - Pull nic out of promiscuous mode.

# tcpdump -D -> list interfaces
# tcpdump -i -> listen on interface

ex: # tcpdump -i eth1 src host myhost and ! port 22

get ip:

# pacman -S tcpdump

IPTRAF:

Getting Started

./Setup
go into the src dir of that package to start that prog:

# /src/./iptraf

as root

Processes

I like this one: # top

Other Diagnostic stuff:

Comptechdoc.org

BOOT LOG:
# dmesg

// adding WOS file to linux
* System mount point: /mnt/

[root]# mkdir $HOME/.gnome-desktop/MS-SERVER-NAME
[root]# mkdir /mnt/MS-SERVER-NAME
[root]# mkdir /mnt/MS-SERVER-NAME/MS-Windows-Share
[root]# ln -s /mnt/MS-SERVER-NAME/MS-Windows-Share $HOME/.gnome-desktop/MS-SERVER-NAME

or
* User mount point: $HOME/

[root]# mkdir $HOME/.gnome-desktop/MS-SERVER-NAME
[root]# mkdir $HOME/MS-SERVER-NAME
[root]# mkdir $HOME/MS-SERVER-NAME/MS-Windows-Share
[root]# ln -s $HOME/MS-SERVER-NAME/MS-Windows-Share $HOME/.gnome-desktop/MS-SERVER-NAME

Directly and upon system boot, mount MS/Windows file server:
Create file ~/.smbpassword (chmod 400 $HOME/.smbpassword)

username = ms-windows-login-name
password = ****

Edit file: /etc/fstab
(you need to be root to edit this file.)
and add the following line:

//MS-SERVER-NAME/MS-Windows-Share /home/linux-user-id/MS-SERVER-NAME/MS-Windows-Share smbfs credentials=/home/linux-user-id/.smbpassword,workgroup=MS-WINDOWS-DOMAIN,uid=linux-user-id,gid=linux-user-group-name 0 0

Mount: [root]# mount /home/linux-user-id/MS-SERVER-NAME/MS-Windows-Share
Unmount: [root]# umount /home/linux-user-id/MS-SERVER-NAME/MS-Windows-Share
Note: If the uid and gid are omitted you may only have read access to the MS/Windows server. The uid/gid may be the alphanumeric name or the system user/group numbers.

- Send a WinPopup Message:
MS/Windows can send a message to another MS/Windows PC which will pop-up (using "WinPopup" protocol) and appear in a dialog box. This is used by admins for notification purposes. The DOS command is:

NET SEND NetBIOS-computer-name "Message to send to user"

Linux can send the same message to a MS/Windows PC using the command:

[prompt]$ smbclient -M NetBIOS-computer-name
Message to send to user
ctrl-d

Notes:

* Message limit is 1600 bytes.
* Alternate method: cat mymessage.txt | smbclient -M NetBIOS-computer-name

Receive a WinPopup Message:

To handle incoming "WinPopup" messages on Linux, set the "message command" parameter in smb.conf.

message command = csh -c 'xedit %s;rm %s' &

This will use the application "xedit" to display the message. The message is then removed.

* %s : The filename containing the message.
* %t : Message destination (computer or server to which it was sent.)
* %f : Message sender.

The default smb.conf config file has no message command.

Notes:

* Using mail to relay the incoming message. Linux smb.conf:

message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s

PhpFreaks # minute | hour | day of month | month | day of week

0-59/1 * * * * exec /path/to/somecommand

When you cannot do it with a common script, I suggest you use C or Perl, as they are faster than PHP.

For database interaction i opted for Perl and its DBI.

Hourly Cron
0 Minutes after the Hour
* Hours of the Day
* Days of the Month
* Months of the Year
* WeekDays of the Week
/usr/local/bin/php /home/user/crons/cronjob.php Execute command
>/dev/null Output

- If you want to run that cron job every 30 minutes it would be like this:

30 * * * * /usr/local/bin/php /home/user/crons/cronjob.php
30 Minute Cron
30 Minutes after the Hour
* Hours of the Day
* Days of the Month
* Months of the Year
* WeekDays of the Week
/usr/local/bin/php /home/user/crons/cronjob.php Execute command
>/dev/null Output

Another example would be a cron that runs every 2 days at 1 AM.

0 1 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 * * /usr/local/bin/php /home/user/crons/cronjob.php >/dev/null
Every 2 Days at 1 AM
0 Minutes after the Hour
1 Hours of the Day
2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 Days of the Month
* Months of the Year
* WeekDays of the Week
/usr/local/bin/php /home/user/crons/cronjob.php Execute command
>/dev/null Output

ALTERNATIVE

This is another version of the cron job above that runs every other weekday instead of every other calendar day. This accounts for months having different numbers of days.

0 1 * * 0,2,4,6 /usr/local/bin/php /home/user/crons/cronjob.php >/dev/null
Every 2 Days at 1 AM (Alternative)
0 Minutes after the Hour
1 Hours of the Day
(intentionally left blank) Days of the Month
* Months of the Year
0,2,4,6 WeekDays of the Week
/usr/local/bin/php /home/user/crons/cronjob.php Execute command
>/dev/null Output

- My Example:

*/20 * * * * /home/perl/online.pl > /dev/null

then add this line to :

#crontab -e
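The schedules above, expanded into concrete run times as an added example (not part of the original page): a simplified model of crontab's five time fields that handles `*`, lists, ranges and `/step`, so an entry can be checked before it is installed. The function names `expand` and `run_times` are this example's own, and the model only treats a bare `*` as an unrestricted day field.

```python
from datetime import datetime, timedelta

# (min, max) for minute, hour, day of month, month, day of week (0 = Sunday)
BOUNDS = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]

def expand(field, lo, hi):
    """Expand one crontab field (*, a, a-b, lists, /step) into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = map(int, rng.split("-"))
        else:
            start = end = int(rng)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, int(step or 1)))
    return values

def run_times(expr, start, end):
    """List every minute in [start, end) at which the schedule fires.

    Only the first five fields are read, so a whole crontab line can be passed.
    """
    fields = expr.split()[:5]
    minute, hour, dom, month, dow = (expand(f, *b) for f, b in zip(fields, BOUNDS))
    both_restricted = fields[2] != "*" and fields[4] != "*"
    hits, t = [], start
    while t < end:
        # Python counts Monday as 0, cron counts Sunday as 0.
        in_dom, in_dow = t.day in dom, (t.weekday() + 1) % 7 in dow
        # If both day fields are restricted, cron runs when either one matches.
        day_ok = (in_dom or in_dow) if both_restricted else (in_dom and in_dow)
        if t.minute in minute and t.hour in hour and t.month in month and day_ok:
            hits.append(t)
        t += timedelta(minutes=1)
    return hits
```

Run over the entries on this page, `30 * * * *` comes out as one run per hour at minute 30, the day-of-month list skips from 30 March to 2 April, and `0,2,4,6` runs on Saturday and Sunday back to back.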

- Log :

add to the crontab

- Editor VI:
INSERT with : a
get out : ESC and :wq to write and quit !.

Zip
recursive:
zip -r file.zip allfile*

tar:
tar -xf to extract

bzip2:
bzip2 -d filename

gunzip -d to decompress ZIP files

Apache HTTP Authentication with PHP: /var/log/httpd/access_log and error_log - Apache log files

To check whether these services are running, type ps -aux and look for the httpd, inetd and named services (daemons). These are background processes necessary to perform the server tasks.

root 681 0.0 0.5 2304 744 ? S Sep09 0:01 named
nobody 28123 0.0 1.1 3036 1420 ? S Oct06 0:00 httpd
nobody 28186 0.0 0.7 3044 896 ? S Oct06 0:00 httpd
root 385 0.0 0.1 1136 232 ? S Sep09 0:00 inetd

Get rid of log spammers: --> in httpd.conf:
Redirect all shit to microsoft huh !

Depending on whether you have access, and provided it does not cause problems with any 'real' page names, the following directives are quite helpful. There are plenty of things that can be stopped by this, but the last line worked perfectly for me.


RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)NULL.IDA(.*)$ http://www.microsoft.com

OR :

$IPT -A INPUT -p tcp --destination-port 80 -m string --string "SEARCH" \
    -j REJECT --reject-with tcp-reset

but need that string filtering module
Fed up with SPAMS,
ex SEARCH METHOD, and CONNECT METHOD :

To enable the Limit directive, add the following lines to your .htaccess file exactly as they appear here:

into httpd.conf ?

or only GET and POST:

Apache

The only thing working for me getting that shit /x90.... OUTTA my logs :

# grep -v SEARCH /var/log/httpd/access_log

will show you all lines except those containing SEARCH.

Or MUCH Better about Logs :
Apache, errors

Conditional Logging :
# Mark requests from the loop-back interface
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
# Mark requests for the robots.txt file
SetEnvIf Request_URI "^/robots\.txt$" dontlog
# Log what remains
CustomLog logs/access_log common env=!dontlog

ex:

# Code Red
SetEnvIf request_uri "^/default\.(ida|idq)(.*)$" msjunk nolog

# Nimda
SetEnvIf request_uri "(cmd|root|shell)\.exe(.*)$" msjunk nolog
SetEnvIf request_uri "(admin|httpodbc)\.dll(.*)$" msjunk nolog

# Windows Media Attack
SetEnvIf request_uri "nsiislog\.dll(.*)$" msjunk nolog

# MS WebDAV Attack
SetEnvIf request_method "SEARCH" msjunk nolog

# PROPFIND is a request method, so match it on request_method rather than the URI
SetEnvIf request_method "PROPFIND" msjunk nolog

# Don't log local requests
SetEnvIf Remote_Addr "127\.0\.0\.1" nolog

CustomLog logs/msjunk.log combined env=msjunk
CustomLog logs/access.log combined env=!nolog
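The conditional-logging rules above, replayed offline as an added example (not part of the original page): the script applies the same URI patterns to access-log lines so you can see which bucket each request would land in before changing httpd.conf. The sample lines are constructed, and treating SEARCH and PROPFIND as request methods is this example's assumption.

```python
import re
from collections import Counter

# host ident user [time] "METHOD URI PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

# URI patterns from the SetEnvIf rules, labelled with the comment above each rule.
URI_RULES = [
    ("Code Red", re.compile(r"^/default\.(ida|idq)(.*)$")),
    ("Nimda", re.compile(r"(cmd|root|shell)\.exe(.*)$")),
    ("Nimda", re.compile(r"(admin|httpodbc)\.dll(.*)$")),
    ("Windows Media", re.compile(r"nsiislog\.dll(.*)$")),
]
WEBDAV_METHODS = {"SEARCH", "PROPFIND"}  # assumption: matched as methods

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE = [
    r'192.0.2.10 - - [28/Mar/2005:10:00:01 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 205',
    r'192.0.2.11 - - [28/Mar/2005:10:00:02 +0200] "GET /scripts/root.exe HTTP/1.0" 404 210',
    r'192.0.2.12 - - [28/Mar/2005:10:00:03 +0200] "SEARCH /\x90\x90\x90 HTTP/1.1" 414 340',
    r'127.0.0.1 - - [28/Mar/2005:10:00:04 +0200] "GET /server-status HTTP/1.1" 200 512',
    r'198.51.100.7 - - [28/Mar/2005:10:00:05 +0200] "GET /index.htm HTTP/1.1" 200 1043',
    r'198.51.100.8 - - [28/Mar/2005:10:00:06 +0200] "-" 408 -',
]

def classify(line):
    """Return (bucket, label): 'msjunk' for worm/probe traffic, 'nolog' for
    loop-back requests, 'access' for the rest, 'unparsed' for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", None)
    host, method, uri, _status = m.groups()
    if method in WEBDAV_METHODS:
        return ("msjunk", "WebDAV")
    for label, rx in URI_RULES:
        if rx.search(uri):  # SetEnvIf regexes match anywhere unless anchored
            return ("msjunk", label)
    if host == "127.0.0.1":
        return ("nolog", None)
    return ("access", None)

def summarize(lines):
    """Count lines per (bucket, label), e.g. to compare msjunk.log with access.log."""
    return Counter(classify(line) for line in lines)
```

Lines that come back as `unparsed` have no method or URI to match on, so review them separately.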

Finally I did it the other way round and only allow POST and GET to be logged, because that SEARCH does not seem to be a SEARCH method (Apache bug?)!

SetEnvIf request_method "(POST|GET)" logthatone
CustomLog logs/access.log combined env=logthatone

- Language negotiation with Apache (do you want a redirect based on the local language or the browser language?):

Apache, content

Add MultiViews to the Options field of the Directory section in httpd.conf:
--> index.htm.fr and index.htm.en accessed from index.htm

Perlfect

4 for r, 2 for w, 1 for x

Triplet for u: rwx => 4 + 2 + 1 = 7
Triplet for g: r-x => 4 + 0 + 1 = 5
Triplet for o: r-x => 4 + 0 + 1 = 5
Which makes : 755

So, 755 is a terse way to say 'I don't mind if other people read or run this file,
but only I should be able to modify it' and 777 means 'everyone has full access to this file'

# man chmod
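An added example (not part of the original page) that turns the octal arithmetic above into a check: it reports when a file grants more than an allowed mode, as with the `chmod 400` expected on `~/.smbpassword` earlier. The helper names `describe`, `audit` and `demo` are this example's own, and the credentials file is a constructed temporary file.

```python
import os
import stat
import tempfile

def describe(mode):
    """Render a mode the way the text does: octal digits plus rwx triplets."""
    return f"{stat.S_IMODE(mode):04o} {stat.filemode(mode)}"

def audit(path, max_mode):
    """Return findings for `path` if its mode grants bits beyond `max_mode`."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    findings = []
    extra = mode & ~max_mode & 0o777      # rwx bits set that max_mode lacks
    if extra:
        findings.append(f"grants {extra:03o} beyond allowed {max_mode:03o}")
    if mode & stat.S_IWOTH:               # the 2 in the 'other' triplet
        findings.append("world-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID):  # what `chmod +s` sets
        findings.append("setuid/setgid bit set")
    return findings

def demo():
    """Audit a constructed credentials file before and after `chmod 400`."""
    with tempfile.TemporaryDirectory() as tmp:
        cred = os.path.join(tmp, ".smbpassword")
        with open(cred, "w") as fh:
            fh.write("username = example\npassword = example\n")
        os.chmod(cred, 0o644)             # typical default: readable by everyone
        before = audit(cred, 0o400)
        os.chmod(cred, 0o400)             # owner read-only, as the text asks
        after = audit(cred, 0o400)
    return before, after

if __name__ == "__main__":
    print(describe(0o100755))
    print(demo())
```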

Rcs
Revision Control System (RCS)

ci -u filename Check a file into the RCS system
co -l filename Check a file out with exclusive write privileges
rcsdiff filename Show changes (differences) in the file since the previous revision
rlog filename Show the detailed log of what's been done to a file in its long and storied history

Absolutely no choice, you have to check:
Webhostingtalk

Few Tips:
About Keywords: do not exceed 1000 characters, do not repeat the same word several times, and avoid accents.
About Title: The maximum number of characters is 100. Avoid titles like "index" or "home page", or titles with accents.
About Description: do not exceed 200 characters, do not use phrases like "the best site on…" and avoid accents.

Comptechdoc

Everything is in this tutorial! Check that page, it's really good.
ex:

# adduser(8) - Command used to add user accounts.
# chage (1) - Used to change the time the user's password will expire.
# chfn(1) - Change a user's finger information
# chsh(1) - Change a user's shell.
# chgrp (1) - Changes the group ownership of files.
# chown (1) - Change the owner of file(s) to another user.
# gpasswd (1) - Used to administer the /etc/group file.
# groupadd (8) - Create a new group.
# grpconv (8) - Creates /etc/gshadow from the file /etc/group which converts to shadow passwords.
# grpunconv (8) - Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow which converts from shadow passwords.
# groupdel (8) - Delete a group
# groupmod (8) - Modify a group
# groups (1) - print the groups a user is in
# grpck (8) - Verify the integrity of group files.
# id(1) - Print group or user ID numbers for the specified user.
# newgrp(1) - Allows a user to log in to a new group.
# newusers (8) - Update and create new users in batch form.
# nologin (5) - Prevent non-root users from logging onto the system.
# passwd (1) - Used to update a user's password. The command "passwd username" will set the password for the given user.
# pwconv (8) - Used to create the file /etc/shadow from the file /etc/passwd to convert to shadow passwords.
# pwunconv (8) - Uses the files /etc/passwd and /etc/shadow to create /etc/passwd, then deletes /etc/shadow to convert from shadow passwords.
# su (1) - run a shell with substitute user and group IDs
# useradd (8) - Create a new user or update default new user information
# userdel (8) - Delete a user account and their files from the system. The command "userdel -r newuser" will remove the user and deletes their home directory.
# usermod (8) - Modify a user account.

Other useful commands/examples:

# find / -user username -ls Gives a list of all files owned by username.
# chown -R myuser /home/myuser Changes ownership of all files in myuser's home directory to myuser.
# chmod +s filename Sets the uid

# /etc/passwd - Where the user's name, and other pertinent information are stored. This includes the password unless your system is using shadow passwords.
# /etc/shadow - Where the user's password is stored if you are using shadow passwords.
# /etc/group - Where group names are stored.
# /etc/aliases - Where the user's name is matched to a nickname for e-mail.
# /etc/sudoers - A list of users with special privileges along with the commands they can execute.

Check if module is installed :
# modinfo ip_tables

List:
# lsmod

# modprobe -l |more Lists all the modules available for your kernel

Then remove the module using
# rmmod simpleModule

Wsworkshop

CPM, CPC ....wot works best ?

http://www.nilo.org/remoteboot/Remote-Boot-4.html

Good info about booting from a remote server; no hard disk needed, even locally!

t1, t3

From Google FAQ: How do I allow your crawler access?

You can allow our crawler to access your pages without giving other robots access to your site. Simply add the following two lines of text at the beginning of your robots.txt file:

User-agent: Mediapartners-Google*
Disallow:

* free - Show system memory availability and usage
* df - Show the amount of disk free space on each mounted filesystem.
* du - Show disk usage
* lspci - List PCI devices
* pnpdump - Lists ISA PNP device resource information.
* vmstat - Reports virtual memory statistics.