Saturday, April 30, 2016

Install Composer in XAMPP 1.8.1 and Windows 10 (x64)

Prerequisites:
  • Windows 10 
  • XAMPP work
Make sure openssl extension is enable in php.ini:
extension=php_openssl.dll

Follow this step to install composer
  1. Open cmd Windows
  2. Donwload installer by running this command
    php -r "readfile('https://getcomposer.org/installer');" > composer-setup.php
    for example*
    D:\xampp\php>php -r "readfile('https://getcomposer.org/installer');" > composer-setup.php
  3. Validate your composer-setup.php by running 
    php -r "if (hash_file('SHA384', 'composer-setup.php') === 'a52be7b8724e47499b039d53415953cc3d5b459b9d9c0308301f867921c19efc623b81dfef8fc2be194a5cf56945d223') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
    for example*:
    D:\xampp\php>php -r "if (hash_file('SHA384', 'composer-setup.php') === 'a52be7b8724e47499b039d53415953cc3d5b459b9d9c0308301f867921c19efc623b81dfef8fc2be194a5cf56945d223') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
    Installer verified
  4. Install your composer by running
    php composer-setup.php
    for example*:
    D:\xampp\php>php composer-setup.php
    Some settings on your machine may cause stability issues with Composer.
    If you encounter issues, try to change the following:
    The OpenSSL library (0.9.8x) used by PHP does not support TLSv1.2 or TLSv1.1.
    If possible you should upgrade OpenSSL to version 1.0.1 or above.
    Downloading 1.0.3...
    Composer successfully installed to: D:\xampp\php\composer.phar
    Use it: php composer.phar
  5. Remove composer-setup.php** by running:
    php -r "unlink('composer-setup.php');"
    for example*:
    D:\xampp\php>php -r "unlink('composer-setup.php');"
Note:
* in my case I use stand alone xampp in directory d:
** you do not have to save any composer-setup.php, it may change for a new version
 
References:

  • http://i.justrealized.com/2013/install-composer-windows/
  • https://getcomposer.org/download/
Posted by at No comments:
Labels:

Saturday, April 23, 2016

WHM/CPanel Centos 7: enabling ipset in csf

Prerequisite:
  • Iptables & Ipset
  • Serverconfig v7.54 or later
Follow WHM/CPanel centos 7: blocking brute force attack to replace firewalld with iptables and ipset.

Download and Install serverconfig:

# wget http://configserver.com/free/csf.tgz# tar -xzf csf.tgz# cd csf & ./install.cpanel.sh

To enable ipset in csf, edit file /etc/csf/csf.conf or edit it via WHM/CPanel:

TESTING = “0”
LF_IPSET = 1
TCP_IN= “22,80,53,443” 
TCP_OUT=”22,80,53,443″
UDP_IN=”53″
UDP_OUT=”53″
NOTE: don't forget to add your port services

Restart your csf

# service csf restart
Or via WHM/CPanel click Restart CSF+LFD

References:

Posted by at No comments:
Labels:

Sunday, April 17, 2016

WHM/CPanel Centos 7: blocking brute force attack

By default, Centos 7 use firewalld to manages net filter rules. Just like iptables, adding new rules may increase your cpu load. This is my notes to optimize net filtering ipset to block brute force attack.

Disable firewalld and enable iptables/ipset

Stop and mask the firewalld service:
# systemctl stop firewalld# systemctl mask firewalld
Install the iptables-services package:
# yum install iptables-services
Enable the service at boot-time:
# systemctl enable iptables
# systemctl enable ip6tables
Start iptables service
# systemctl start iptables
# systemctl start ip6tables
Install ipset
# yum install ipset

Install & Configure fail2ban (Optional)

Installing fail2ban
# yum install fail2ban
Enable fail2ban
# systemctl enable fail2ban
Start fail2ban
# systemctl start fail2ban
or
# service fail2ban start
Fix firewall run
# /scripts/configure_firewall_for_cpanel
Open some port for examples 12345
# iptables -I INPUT -p tcp --dport 12345 -m state --state NEW,ESTABLISHED -j ACCEPT
To disable fail2ban service
# systemctl stop firewalld
# systemctl disable fail2ban
If you prefered to use CSF (ConfigServer Sercurity & Firewall) follow WHM/CPanel Centos 7: enabling ipset in csf
Preferences: 
Posted by at No comments:
Labels:

Wednesday, April 13, 2016

Webmin: Domain Slave in webmin and Domain Master in WHM/CPanel

In WHM/Cpanel server:
  • open file /etc/named.conf and edit
    //allow-transfer    { "none"; };
    allow-transfer { your_public_ip_for_slave_dns; }; 
    • restart your bind/named
    # /scripts/restartsrv_named 
    In Debian Jessie server:
    • Open webmin, Servers -> BIND DNS Server -> Create slave zone
    Zone type : Forward (Names to Adddress)
    Domain name / Network : yourdomain.com
    Record file : Automatic
    Master server : your_debian_ip_address
    Server port : Default
    • Test Zone Transfer
    Testing transfer of slave zone from master_ip_address .... from master_ip_address : Completed OKTest transfer successfully fetched 28 records from at least one nameserver. Actual transfers by BIND should also succeed.
    Now you can add/edit your Domain Slave Server in WHM/CPanel -> Edit DNS Zone. 

    Reference:
    • https://www.debian.org/doc/manuals/network-administrator/ch-bind.html
    • http://serverfault.com/questions/403848/configure-secondary-dns-server-debian
    Posted by at No comments:
    Labels:

    Monday, April 4, 2016

    Loading ipset and iptables on boot in Debian Jessie

    Debian Jessie until I write this note, does not provide script to save and load ipset rules.
    ipset
    -----------------------------------------------------------------------------------------------
    saving ipset rules:
    # ipset save 
    or
    # /sbin/ipset save
    We follow wiki rules for filename https://wiki.debian.org/iptables (i.e. /etc/iptables.up.rules)
    # ipset save > /etc/ipset.up.rules
    To save ipset rules to other file
    # ipset save > /root/iptablesrules/ipsetrules.save 
    To restore ipset rules
    # ipset restore -! < /etc/ipset.up.rules
    or
    # /sbin/ipset restore -! < /etc/ipset.up.rules
    iptables (my version v1.4.21)
    -----------------------------------------------------------------------------------------------
    saving iptables rules
    # iptables-save 
    or
    # /sbin/iptables-save 
    We follow wiki rules for filename https://wiki.debian.org/iptables (i.e. /etc/iptables.up.rules)
    # iptables-save > /etc/iptables.up.rules
    To save iptables rules to other file
    # iptables-save > /root/iptablesrules/iptablesrules.save
    Note: in iptables-persistent packages, rules are save in file:

    1. /etc/iptables/rules.v4
    2. /etc/iptables/rules.v6

    But we do not use iptables-persistent
    To restore iptables
    # iptables-restore < /etc/iptables.up.rules
    or
    # /sbin/iptables-restore < /etc/iptables.up.rules
    We have some choice to load ipset and iptables on boot:
    1. Manual init.d configuration
    2. Configuring via ifup
      1. put loader in file /etc/network/interface
      2. put script configuration in /etc/network/if-pre-up.d/
    Option 1:

    To use /etc/network/interface to load ipset and iptables
    Edit /etc/network/interface
    ....
    # The primary network interface
    allow-hotplug eth0
    iface eth0 inet static
       ...
       pre-up ipset restore -! < /etc/ipset.up.rules
       pre-up iptables-restore < /etc/iptables.up.rules
    ...
    Option 2:

    To use script configuration in /etc/network/if-pre-up.d/ to load ipset and iptables
    Create or edit /etc/network/if-pre-up.d/load.rules
    #!/bin/sh
    /sbin/ipset     restore -! < /etc/ipset.up.rules
    /sbin/iptables-restore < /etc/iptables.up.rules
    chmod +x /etc/network/if-pre-up.d/load.rules

    Note:
    1. Use only one option above.
    2. After adding ip address into ipset rules, don't forget to save it in file etc/ipset.up.rules.
    3. If you use fail2ban, Do not put fail2ban rules in iptables.up.rules. It will automatically configure it self. you need to remove fail2ban rules in file /etc/iptables.up.rules.
    Distributing ipset across server farm
    This ipset rules can be distributed across your server.
    Master ipset can be generated from honeypot/server and distribute it via web. Run this script after you add or edit ipset rules into your root web directory
    #!/bin/bash
    ## create by dedetok April 2016
    ## last update 2016-04-28
    ## GNU GPL v3
    ## Disclaimer: experimental, use it with your own risk
    /sbin/ipset save > /etc/ipset.up.rules
    # create temporary file to save new ipset rules without fail2ban rules
    if [ -f "/root/bin/ipset.up.rules.new" ] ; then
     rm "/root/bin/ipset.up.rules.new"
    fi
    touch /root/bin/ipset.up.rules.new
    while read -r line; do
     if [[ $line != *"fail2ban"* ]]
     then
      echo "$line" >> /root/bin/ipset.up.rules.new
     fi
    done < /etc/ipset.up.rules
    # copy clean ipset into /etc/ipset.up.rules
    cp /root/bin/ipset.up.rules.new /etc/ipset.up.rules
    # save it into web or user public_html
    #cp /root/bin/ipset.up.rules.new /home/[user]/public_html/ipset.up.rules
    cp /root/bin/ipset.up.rules.new /var/www/public_html/ipset.up.rules
    Do the following steps on your server farm:
    • Write this bash script to download /root/unduhgarasiku.sh or download
    #!/bin/bash
## create by dedetok April 2016
## last update 2017-05-02
## GNU GPL v3
## Disclaimer: experimental, use it with your own risk
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
if wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules; then
 chmod 444 /etc/ipset.up.rules.new
 chown root:root /etc/ipset.up.rules.new
 ## Update ipset ignore error, we need fresh list
 echo "updating new rules"
 if /sbin/ipset restore -! < /etc/ipset.up.rules.new; then
  echo "Saving new ipset rules into /etc/ipset.up.rules"
  cp /etc/ipset.up.rules.new /etc/ipset.up.rules
  chmod 544 /etc/ipset.up.rules
  chown root:root /etc/ipset.up.rules
 else
  echo "Error, ipset.up.rules not in ipset format"
  exit 1
 fi
else
 echo "Fail to download ipset.up.rules"
 exit 1
fi
echo "End process"
    Old version
    #!/bin/bash
## create by dedetok April 2016
## last update 2016-04-15
## GNU GPL v3
## Disclaimer: experimental, use it with your own risk 
echo "download from http://www.garasiku.web.id/ipset.up.rules into /etc/ipset.up.rules.new"
wget -O /etc/ipset.up.rules.new http://www.garasiku.web.id/ipset.up.rules
chmod 444 /etc/ipset.up.rules.new
chown root:root /etc/ipset.up.rules.new
## Compare ipset.up.rules vs ipset.uprules.new
echo "updating new rules"
diff --new-line-format="+ %L" --old-line-format="- $L" <(sort /etc/ipset.up.rules) <(sort /etc/ipset.up.rules.new) |
while IFS=' ' read -r r1 r2 r3 r4; do
 if [ "$r2" = "add" ]; then
  if [ "$r1" = "+" ]; then
   cmdline="/sbin/ipset $r2 $r3 $r4"
   echo "eval $cmdline"
   eval "$cmdline"
  fi
  if [ "$r2" = "-" ]; then
   cmdline="/sbin/ipset del $r3 $r4"
   echo "eval $cmdline"
   eval "$cmdline"
  fi
 fi
done
echo "Saving new ipset rules into /etc/ipset.up.rules"
/sbin/ipset save > /etc/ipset.up.rules
echo "End process"
    • Put it into crontab to update ipset.up.rules everyday at 0 night:
    # crontab -e
    • Put this line (you can choose nano editor)
    0 0 * * * /root/unduhgarasiku.sh
    • Save it (you can use default file name)
    File Name to Write: /tmp/crontab.9uLsb5/crontab
    • iptabes rules for server farm
    -A INPUT -m set --match-set mynetrules src -j DROP
    -A INPUT -p tcp -m multiport --dports 25,465,587,993,995,465,143,110 -m set --match-set mynetrulessmtp src -j DROP
    -A INPUT -p tcp -m multiport --dports 80,443 -m set --match-set mynetruleshttp src -j DROP
    -A INPUT -p tcp --dport 22 -m set --match-set mynetrulesssh src -j DROP
    -A INPUT -p tcp  -m multiport --dports 21,22 -m set --math-set mynetrulesftp src -j DROP
    -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP
    or if you want to limiting connection from class C up to 20 connection -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
    -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --dports 25,465,587,993,995,265,143,110 -m connlimit --connlimit-above 8 --connlimit-mask 32 --connlimit-saddr -j DROP
    NOTE: don't forget to add your ipset rules into iptables rules in every your server farms and make it persistent. I suggest you create iptables rules in every server, do not copy iptables other server. Every server may have unique iptables rules.
    Simple script to analyst authentication log files:
    • Search fail in sshawk '(/authentication fail/ && /ssh/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
    • search fail in smtpawk '(/authentication fail/ && /smtp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
    • search fail in ftpawk '(/authentication fail/ && /ftp/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
    • search fail in dovecotawk '(/authentication fail/ && /dovecot/) { print $(NF-1), $NF }' /var/log/auth.log | sort | uniq -c | sort -n
    • search ssh preauthentication awk '(/Connection closed by/ && /sshd/) { print $(NF-1),$NF}' /var/log/auth.log | sort | uniq -c | sort -n
      awk '(/preaut/ && /sshd/) { print $0}' /var/log/auth.log
    • search fail in mailawk '(/authentication fail/) { print $7}' /var/log/mail.log | sort | uniq -c
    Reference:
    Posted by at No comments:
    Labels:

    Saturday, April 2, 2016

    How to determine your Debian need to restart after packages update

    Does your Debian server need to restart after packages update?

    You can use checkrestart from the debian-goodies. debian-goodies availabe since Debian Wheezy.
    • Install debian-goodies
    # apt-get install debian-goodies
    • Check does our Debian need to restart
    # checkrestart
    Found 44 processes using old versions of upgraded files
    (28 distinct programs)
    (21 distinct packages)
    ...
      • Restart your Debian

      References:
      • http://serverfault.com/questions/667076/debian-how-can-i-know-if-reboot-is-required-after-update
      Posted by at No comments:
      Labels:

      Friday, April 1, 2016

      Find host or IP on Fail2ban log in Centos using bash and awk

      Find out your fail2ban log and make permanent block. You need to install ipset to make your iptables rules

      • Create script bannedge2centos.sh
      #!/bin/bash
      ## create by dedetok March 2016
      ## GNU GPL v3
      echo "These IP get WARNING at least twice"
      awk '(/fail2ban.filter/ && /WARNING/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n |
      {
        while read -r line1 line2
        do
          if [ "$line1" -ge 2 ]; then
            echo "$line1 $line2"
          fi
        done
      }

      echo "These IP get Filter sshd at least twice"
      awk '(/fail2ban.filter/ && /sshd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
        while read -r line1 line2
        do
          if [ "$line1" -ge 2 ]; then
            echo "$line1 $line2"
          fi
        done
      }

      echo "These IP get Filter ftpd at least twice"
      awk '(/fail2ban.filter/ && /vsftpd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
        while read -r line1 line2
        do
          if [ "$line1" -ge 2 ]; then
            echo "$line1 $line2"
          fi
        done
      }

      echo "These hosts get Filter Fail2ban at least twice"
      awk '(/fail2ban.filter/ && /WARNING Unable/) { print $(NF-7)}' /var/log/fail2ban.log | sort | uniq -c |
       sort -n | {
        while read -r line1 line2
        do
          if [ "$line1" -ge 2 ]; then
            echo "$line1 $line2"
          fi
        done
      }
      • Create ipset rules mynetrules
      # ipset create mynetrules hash:net
      • Run bash bannedge2centos.sh  
      # ./bannedge2centos.sh
      These IP get WARNING at least twice
      2 ['199.15.112.8']
      2 ['216.117.2.180']
      2 ['82.148.206.193']
      4 ['208.100.26.231']
      4 ['31.211.102.129']
      5 ['71.6.167.142']
      10 ['88.80.15.69']
      28 known
      These IP get Filter sshd at least twice
      2 118.136.248.90
      18 84.16.74.40
      These IP get Filter ftpd at least twice
      5 88.80.15.69
      These hosts get Filter Fail2ban at least twice
      2 128-140-19-52.maxnet.ir:
      2 1-39-45-166.live.vodafone.in:
      2 178.218.202.224.ip.turontelecom.uz:
      2 181-174-60-157.telebucaramanga.net.co:
      2 222.64.uzpak.uz:
      2 238.124.206.49-ras.beamtele.net:
      2 75-242-69-115.vasaicable.co.in:
      2 78.187.230.16.static.ttnet.com.tr:
      2 85-113-26-150.static.ktnet.kg:
      2 91-219-55-106.static-pool.centr.zp.ua:
      2 brbnd47-30.mng.net:
      2 static-mum-120.63.188.93.mtnl.net.in:
      4 client.fttb.2day.kz:
      • Popuate ipset rules mynetrules
      # ipset add mynetrules 84.16.74.40
      # ipset add mynetrules 71.6.167.142
      # ipset add mynetrules 208.100.26.231
      # ipset add mynetrules 31.211.102.129
      • Add ipset rules into iptables rules
      # iptables -I INPUT -m set --match-set mynetrules src -j DROP
      • Save your new rules
      # service ipset save
      # service iptables save
      Default ipset and iptables: /etc/sysconfig/ipset, /etc/sysconfig/iptables,  and /etc/sysconfig/iptables.save 
      • To reload ipset and iptables
      # service ipset reload
      # service iptables restart
      Another interesting scrips
      • # awk '(/pam_unix/ && /sshd:auth/ && /authentication failure/) { print $NF }' /var/log/secure | sort | uniq -c | sort
      • # awk '(/pam_unix/ && /webmin/ && /authentication failure/) { print $(NF-1) }' /var/log/secure | sort | uniq -c | sort
      • # awk '(/pam_unix/ && /vsftpd/ && /authentication failure/) { print $(NF) }' /var/log/secure | sort | uniq -c | sort 
      • awk '((/not receive/ || /Failed/ || /Connection closed/ || /closed/ || /failure/ ) && /preauth/ && /sshd/) { print (NF-2),$(NF-1),$NF}' /var/log/auth.log | sort  | uniq -c
      Note:
      • You can modify these to auto block those IP into your ipset rules. But beware about your IP may incidentally get auto blocked. Check those IP or host location before add them into ipset ruls
      • When ipset size increasing, it wont impose to CPU load.


      Posted by at No comments:
      Labels:

      Read your debian server log and ....

      Requirement:

      • awk
      • ipset & iptables

      Read your mail log for authentication failure:
      create this bash script ckmail.sh or download 
      #!/bin/bash
      ## create by dedetok April 2016
      ## GNU GPL v3
      echo "reading mail log file"
      awk '(/authentication failure/) { print $7," ",$(NF-1)," ",$(NF)}' /var/log/mail
      .log | sort | uniq -c | {
        while read -r line1 line2 line3 line4
        do
          if [ "$line1" -ge 5 ]; then
             echo -e "$line1\t$line2 $line3 $line4"
          fi
        done
      }
      create ipset rules for blacklisting smpt
      # ipset create mynetrulessmtpd hash:net
      Run script and pupulate mynetrulessmtpd:
      # ./ckmail.sh
      reading mail log file
      20      unknown[157.122.148.154]: authentication failure
      840     unknown[195.22.127.187]: authentication failure
      16      unknown[91.193.74.31]: authentication failure
      # ipset add mynetrulessmtpd 157.122.148.154
      # ipset add mynetrulessmtpd 195.22.127.187
      # ipset add mynetrulessmtpd 91.193.74.31
      Add ipset rules into iptables rules
      # iptables -I INPUT -p tcp --match multiport --dports smtp,smtps -m set --match-set mynetrulessmtpd src -j DROP

      Posted by at No comments:
      Labels:
      Subscribe to: Posts (Atom)