chmod, chown & remove

Set permissions on everything (files and directories) under the folder server1 to 755. Note that -R applies the same mode to files as well, so every regular file becomes executable; if only the directories should be 755, restrict the change by type.

chmod -R 755 /usr/home/username/server1/

Remove all data (files and directories) from the folder server1. The glob does not match dot-files, so hidden entries such as .htaccess are left behind, and the folder itself stays.

rm -rf /usr/home/username/server1/*

Set the owner and group to example:example for all data (files and directories) in and under the directory accounts

chown -R example:example /home/username/public_html/test/accounts
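The three commands above are the blunt form. As an added example (not from the page), the helpers below apply the usual web-tree policy of 755 on directories and 644 on files, which chmod -R 755 cannot express, verify the result, and empty a folder including its dot-files while refusing a few catastrophic targets. The paths are the caller's choice; the chown step is optional because it needs root.

```shell
#!/bin/sh
# Added example: per-type permissions, a conformance check, and a safer
# "empty this folder" than `rm -rf DIR/*` (which skips dot-files).
set -u

# fix_tree_perms DIR [OWNER:GROUP]
# Directories -> 755, regular files -> 644, then an optional recursive chown.
fix_tree_perms() {
  dir=$1
  find "$dir" -type d -exec chmod 755 {} +
  find "$dir" -type f -exec chmod 644 {} +
  if [ -n "${2:-}" ]; then
    chown -R "$2" "$dir"
  fi
}

# count_nonconforming DIR
# Prints how many entries under DIR still deviate from 755/644; 0 means clean.
count_nonconforming() {
  dir=$1
  d=$(find "$dir" -type d ! -perm 755 | wc -l)
  f=$(find "$dir" -type f ! -perm 644 | wc -l)
  echo $((d + f))
}

# empty_dir_contents DIR
# Remove everything inside DIR, hidden entries included, but keep DIR itself.
# Refuses an empty argument and a few roots that must never be emptied this way.
empty_dir_contents() {
  dir=$1
  case "$dir" in
    ''|/|/home|/usr|/usr/home|/root)
      echo "refusing to empty '$dir'" >&2
      return 1
      ;;
  esac
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
  find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}
```

Typical use on the page's tree: fix_tree_perms /usr/home/username/server1 followed by count_nonconforming /usr/home/username/server1, which should print 0.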

Install ClamAV

Main >> cPanel >> Manage Plugins >> clamavconnector: tick the 'Install and Keep Updated' box and then press the 'Save' button at the bottom of the page.

Update Database

freshclam

Scan the /home directory and write the results to a text file named logs.txt in the current directory (-i reports only infected files, -r recurses)

clamscan -ir /home > logs.txt

If you get -bash: clamscan: command not found, the binaries are installed but not on your PATH (the cPanel build keeps them under /usr/local/cpanel/3rdparty/bin; the symlink fix further down covers that case). If the daemon itself is not running, restart it with:

/scripts/restartsrv_clamd

If you get Unable to locate clamd, the clamd package itself is missing. On Red Hat Enterprise Linux 5 it can be pulled from RPMForge as follows. The release RPM is fetched over plain HTTP, so download it first and check its signature with rpm --checksig before installing it as root:

# Red Hat Enterprise Linux 5 / i386:
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
# Red Hat Enterprise Linux 5 / x86_64:
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Then install clamd through yum:

yum install clamd

And finally restart clamd service:

/scripts/restartsrv_clamd

Situation: ClamAV installed from WHM, but not working on the command line.

FIX:
If you have already installed ClamAV through WHM, check that the executables are here:
# ls -lah /usr/local/cpanel/3rdparty/bin/*clam*
If they are, make sure that there are no existing ClamAV files in /usr/local/bin (a symlink would fail on an existing name, or shadow a different build):
# ls -l /usr/local/bin/*clam*
If both of those check out, create symlinks in /usr/local/bin so the tools are on the PATH and scanning the server is easier:
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam
ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/clamd /usr/local/bin/clamd
ln -s /usr/local/cpanel/3rdparty/bin/clamav-config /usr/local/bin/clamav-config
Double-check your work with this command:
# ls -l /usr/local/bin/*clam*
Then you can scan every account's public_html folder with this command (the results are saved to the file scan.txt):
clamscan -ir /home/*/public_html > /usr/local/src/scan.txt

View Results

cat /usr/local/src/scan.txt
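Reading a long scan.txt with cat is fine for a handful of hits, but on a shared cPanel box the first question is which account is infected. As an added example (not from the page or from ClamAV), the functions below pull the infected paths out of clamscan -ir output, count them per account from the /home/<account>/ path component, and read the summary figure. The scan output embedded here is constructed for the example.

```shell
#!/bin/sh
# Added example: summarize `clamscan -ir /home/*/public_html` output.
set -u

# Constructed sample of what clamscan -ir writes (FOUND lines plus the summary).
sample_scan_output() {
  cat <<'EOF'
/home/alice/public_html/wp-content/uploads/2019/x.php: Php.Trojan.Generic FOUND
/home/bob/public_html/index.php: Eicar-Test-Signature FOUND
/home/alice/public_html/.cache/sess_01.php: Php.Malware.Sample FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Scanned directories: 42
Scanned files: 1234
Infected files: 3
EOF
}

# infected_paths SCANFILE
# One infected path per line; strips the ": <signature> FOUND" tail.
infected_paths() {
  sed -n 's/: [^:]* FOUND$//p' "$1"
}

# infected_per_account SCANFILE
# Prints "account<TAB>count", sorted by account, taking the account from the
# second path component (/home/<account>/public_html/...).
infected_per_account() {
  infected_paths "$1" | awk -F/ '{ n[$3]++ } END { for (a in n) print a "\t" n[a] }' | sort
}

# infected_count SCANFILE
# The "Infected files:" figure from the scan summary.
infected_count() {
  awk -F': ' '/^Infected files:/ { print $2 }' "$1"
}
```

Against a real run, call infected_per_account /usr/local/src/scan.txt; the accounts at the top of that list are the ones to suspend and clean first, and infected_paths gives the list to quarantine.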

Install ConfigServer Tools

ConfigServer ModSecurity Control (cmc)

rm -fv cmc.tgz
wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh
cd ~

ConfigServer Mail Manage (cmm)

rm -fv cmm.tgz
wget https://download.configserver.com/cmm.tgz
tar -xzf cmm.tgz
cd cmm
sh install.sh
cd ~

ConfigServer Mail Queues (cmq)

rm -fv cmq.tgz
wget https://download.configserver.com/cmq.tgz
tar -xzf cmq.tgz
cd cmq
sh install.sh
cd ~

ConfigServer Explorer (cse)

rm -fv cse.tgz
wget https://download.configserver.com/cse.tgz
tar -xzf cse.tgz
cd cse
sh install.sh
cd ~
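The four sequences above differ only in the tool name, and each one extracts a just-downloaded archive and runs its install.sh as root. As an added example (not ConfigServer's installer), the wrapper below does the same steps in one function and adds the check that step deserves: it refuses to extract a listing that is empty, contains an absolute path, or contains a ".." component, and insists that install.sh is where the page's steps expect it. It assumes, as the page's steps imply, that each tarball unpacks into a directory named after the tool.

```shell
#!/bin/sh
# Added example: one install function for cmc, cmm, cmq and cse with a
# sanity check on the archive listing before extracting as root.
set -u

# archive_listing_is_safe
# Reads `tar -tzf` output on stdin. Exit 0 only if there is at least one entry
# and no entry starts with "/" or has a ".." path component.
archive_listing_is_safe() {
  awk '
    /^\//               { bad = 1 }
    /(^|\/)\.\.(\/|$)/  { bad = 1 }
    { n++ }
    END { exit (bad || n == 0) ? 1 : 0 }
  '
}

# install_cs_tool NAME URL
# e.g. install_cs_tool cmq https://download.configserver.com/cmq.tgz
# Runs from the current directory and returns to it, like the page's `cd ~`.
install_cs_tool() {
  name=$1
  url=$2
  tgz="$name.tgz"
  rm -fv "$tgz"
  wget -q -O "$tgz" "$url" || { echo "download failed: $url" >&2; return 1; }
  if ! tar -tzf "$tgz" | archive_listing_is_safe; then
    echo "refusing to extract $tgz: empty or unsafe archive listing" >&2
    return 1
  fi
  tar -xzf "$tgz"
  [ -f "$name/install.sh" ] || { echo "$name/install.sh not found after extract" >&2; return 1; }
  (cd "$name" && sh install.sh)
}
```

Prefer the https download host where it serves the archive; the listing check does not protect against a tampered archive, only against one that writes outside the working directory.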

Install Logwatch

yum install logwatch

or, if the package is not available, SSH into the server as root and install the RPM directly:

wget http://downloads.sourceforge.net/project/logwatch/logwatch-7.4.0/logwatch-7.4.0-1.noarch.rpm
rpm -Uvh logwatch-7.4.0-1.noarch.rpm

Edit the configuration file. The file below ships with the package and is overwritten on upgrade; Logwatch reads /etc/logwatch/conf/logwatch.conf after it, so put the same settings there if you want them to survive updates:

nano /usr/share/logwatch/default.conf/logwatch.conf

Update the following:

Output = mail
MailTo = root

Note: set MailTo to an offsite account, so that an intruder who gains root cannot simply read or delete the reports.

Hit CTRL+X, press y and then Enter to save the file.

Install MyTop

Installing TermReadKey

wget http://search.cpan.org/CPAN/authors/id/J/JS/JSTOWE/TermReadKey-2.30.tar.gz
tar -zxf TermReadKey-2.30.tar.gz
cd TermRead*
perl Makefile.PL
make
make test
make install

Installing DBI

wget http://perlmirror.indialinks.com/authors/id/T/TI/TIMB/DBI-1.50.tar.gz
tar -zxf DBI-1.50.tar.gz
cd DBI*
perl Makefile.PL
make
make test
make install

Installing mytop

wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.4.tar.gz
tar -zxf mytop-1.4.tar.gz
cd mytop*
perl Makefile.PL
make
make test
make install

Install rkhunter (Rootkit Hunter) in Linux

Rootkit Hunter

Rootkit Hunter is a scanner that checks the host for rootkits, backdoors and local exploits. No scanner can promise that you are clean; a clean run means none of its known signatures or anomalies were found. It runs tests such as:

– MD5 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files

Installation:

yum install rkhunter

or, from the tarball:

cd /usr/local/src
wget http://scripts.hostxnow.com/rkhunter-1.4.0.tar.gz
tar -xzf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --layout default --install

Update rkhunter's data files after installation. Then build the file-properties baseline with the --propupd option, otherwise the first scan warns about every binary; re-run it after legitimate package updates, never after a scan you have not explained.

rkhunter --update

Scanning:

You can run a scan using the following command

rkhunter -c

You can view all the available options with rkhunter using the following command

rkhunter --help

If you want to skip the interactive prompts, add the -sk option at the end:

rkhunter -c -sk

Setup Daily Scan Report:

You can set up a daily scan report with a cron script like the following. Drop it into /etc/cron.daily (or /etc/cron.weekly if weekly is enough for you):

nano /etc/cron.daily/rkhunter.sh

#!/bin/sh
( /usr/bin/rkhunter --versioncheck
/usr/bin/rkhunter --update
/usr/bin/rkhunter --cronjob --summary
) | /bin/mail -s "rkhunter (Corp)" [email protected]

chmod 750 /etc/cron.daily/rkhunter.sh

On Debian-based systems run-parts skips files whose name contains a dot, so name the script rkhunter there, without the .sh.

You may need to change the scripts path in /etc/rkhunter.conf:

SCRIPTDIR=/usr/lib64/rkhunter/scripts

Install chkrootkit

At the command prompt, type:

yum install chkrootkit

Then create the file:

nano /etc/cron.monthly/chkrootkit.sh

with the following content. Adjust the path: a packaged install normally puts chkrootkit on the PATH (check with command -v chkrootkit), while /usr/lib/chkrootkit-0.49/ is where a 0.49 tarball install lives. The -q flag prints only suspicious findings, so a clean run sends an empty mail. Monthly is a long time to wait for a rootkit check; daily costs little.

#!/bin/bash
(cd /usr/lib/chkrootkit-0.49/; ./chkrootkit -q 2>&1 | mail -s "chkrootkit (Corp)" [email protected])

Hit CTRL+X, press y and then Enter to save the file.

chmod +x /etc/cron.monthly/chkrootkit.sh
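Both cron jobs above mail every run, which means a daily "all clear" that people stop reading. As an added example for both the rkhunter and the chkrootkit jobs (not part of either project or of the page), the wrapper below runs the scanner, keeps its output, and mails it only when the rkhunter summary reports suspect files, possible rootkits or its warning line, or when chkrootkit -q printed anything at all. It assumes rkhunter and chkrootkit are on the PATH and that mail delivers to an offsite address; the summary texts in the test are constructed.

```shell
#!/bin/sh
# Added example: mail the scanner output only when there is something to read.
set -u

# rkhunter_summary_has_findings FILE
# Exit 0 if the `rkhunter --summary` text in FILE reports suspect files,
# possible rootkits, or the closing "warnings have been found" line.
rkhunter_summary_has_findings() {
  awk '
    /Suspect files:/            { if ($NF + 0 > 0) bad = 1 }
    /Possible rootkits:/        { if ($NF + 0 > 0) bad = 1 }
    /warnings have been found/  { bad = 1 }
    END { exit (bad ? 0 : 1) }
  ' "$1"
}

# chkrootkit_has_findings FILE
# chkrootkit -q prints nothing when clean, so any non-blank output is a finding.
chkrootkit_has_findings() {
  grep -q '[^[:space:]]' "$1"
}

# scan_and_mail SCANNER ADDRESS COMMAND...
# Runs COMMAND, captures stdout and stderr, and mails the capture to ADDRESS
# only when the scanner-specific check says there is something to report.
# Unknown scanners fall back to "mail on non-zero exit".
scan_and_mail() {
  scanner=$1
  to=$2
  shift 2
  out=$(mktemp) || return 1
  if "$@" >"$out" 2>&1; then status=0; else status=$?; fi
  case "$scanner" in
    rkhunter)   rkhunter_summary_has_findings "$out" ;;
    chkrootkit) chkrootkit_has_findings "$out" ;;
    *)          [ "$status" -ne 0 ] ;;
  esac && mail -s "$scanner findings on $(hostname) (exit $status)" "$to" < "$out"
  rm -f "$out"
}

# Cron body for /etc/cron.daily/rkhunter (no .sh where run-parts ignores dots).
# you@example.org is a placeholder for your own offsite address:
#   rkhunter --update >/dev/null 2>&1
#   scan_and_mail rkhunter   you@example.org rkhunter --cronjob --summary
#   scan_and_mail chkrootkit you@example.org chkrootkit -q
```

rkhunter --cronjob already implies a non-interactive check, so no -sk is needed there; keep the full log in /var/log/rkhunter/rkhunter.log for the runs that do not mail.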

Disable_Functions

This is the disable_functions directive in php.ini. Usually these three will do: system, exec and shell_exec.

Everything else in the long list below will most likely break your scripts (ini_set alone is called by most PHP applications, and escapeshellarg is what well-behaved code uses to stay safe). Two entries from the circulating version of the list have been dropped because the directive cannot act on them: eval is a language construct, not a function, and allow_url_fopen is an ini directive that belongs on its own line as allow_url_fopen = Off. Several remaining entries (tmp, ctrl_dir, phpini, safe_mode, systemroot, server_software, HTTP_HOST, fp, fput, inject_code, psockopen, suExec) are not PHP function names and are silently ignored. Duplicates and the run-together posix_setsidposix_setuid have been removed and hell-exec corrected to shell_exec:

ini_set,fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_ini_scanned_files,shell_exec,system,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software,get_current_user,HTTP_HOST,php_uname,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,posix_strerror,posix_initgroups,apache_setenv,define_syslog_variables,fp,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,inject_code,openlog,phpAds_remoteInfo,phpAds_XmlRpc,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,syslog,show_source,phpinfo
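"Will this break my scripts?" can be answered before the change rather than by the customers. As an added example (not from the page), the functions below take a candidate list and a docroot, report which candidates the PHP code actually calls, and emit a disable_functions line with only the unused ones. The sample site is constructed for the example; the matching is a heuristic (a name not preceded by an identifier character, "$", ">" or ":" and followed by "(", so $obj->system() and Foo::exec() do not count, but a commented-out call does) and needs GNU grep for --include.

```shell
#!/bin/sh
# Added example: find which disable_functions candidates a docroot really uses.
set -u

# used_functions DOCROOT "fn1,fn2,..."
# Prints each candidate that appears as a plain function call in any .php file
# under DOCROOT, one per line, in list order.
used_functions() {
  docroot=$1
  echo "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | while read -r fn; do
    [ -z "$fn" ] && continue
    if grep -rqE --include='*.php' "(^|[^A-Za-z0-9_\$>:])${fn}[[:space:]]*\(" "$docroot" 2>/dev/null; then
      echo "$fn"
    fi
  done
}

# disable_functions_line DOCROOT "fn1,fn2,..."
# Emits a php.ini line containing only the candidates NOT used under DOCROOT.
disable_functions_line() {
  used=$(used_functions "$1" "$2")
  echo "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | while read -r fn; do
    echo "$used" | grep -qx "$fn" || printf '%s\n' "$fn"
  done | paste -sd, - | sed 's/^/disable_functions = /'
}

# make_sample_docroot
# Constructed tree mimicking a small PHP site; prints its path.
make_sample_docroot() {
  d=$(mktemp -d)
  mkdir -p "$d/inc"
  cat > "$d/index.php" <<'EOF'
<?php
$out = shell_exec('ls -la');
$last = exec("id", $lines);
echo $obj->system("a method, not the builtin");
EOF
  cat > "$d/inc/util.php" <<'EOF'
<?php
// passthru is only mentioned in this comment, never called
function render($s) { return htmlspecialchars($s); }
EOF
  echo "$d"
}
```

Run disable_functions_line /home/username/public_html "system,exec,shell_exec,passthru,proc_open,popen" per account before touching php.ini; on a shared box, the intersection of the per-account results is what you can disable globally, the rest goes into per-account php.ini overrides.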

Root Breach Email Notification

If someone does get root, be warned quickly by installing a detector on the box. You will at least get the intruder's IP address and know that someone is in there.

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone opens an interactive root login shell, SSH into the server as root.

At the command prompt type (this edits /root/.bash_profile, which bash reads only for login shells):

nano .bash_profile

Scroll down to the end of the file and add the following line. The source address is taken from the SSH environment; do not take it from who with awk '{print $6}', because the field number depends on how the date is printed and it reports the first listed session rather than the current one:

echo "ALERT - Root Shell Access on: $(date) $(who -m)" | mail -s "Alert: Root Access from ${SSH_CLIENT%% *}" [email protected]

Hit CTRL+X, press y and then Enter to save the file.

Caveat: this is a tripwire, not detection. su without the dash, sudo -s, scp/sftp and bash --noprofile never read .bash_profile, and anyone who already has root can delete the line; keep sshd's log going to your offsite copy as well.
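As an added example (not from the page), the same alert written as functions, so the source lookup and the message can be checked without sending mail: the address comes from SSH_CLIENT or SSH_CONNECTION when the login came over SSH, and from who -m for console or su logins. It assumes mail delivers to an offsite address.

```shell
#!/bin/sh
# Added example: root login alert with a reliable source address.

# login_source
# Client address of this session, or the tty/host who -m reports as a fallback.
login_source() {
  # SSH_CLIENT is "client_ip client_port server_port";
  # SSH_CONNECTION is "client_ip client_port server_ip server_port".
  if [ -n "${SSH_CLIENT:-}" ]; then
    printf '%s\n' "${SSH_CLIENT%% *}"
  elif [ -n "${SSH_CONNECTION:-}" ]; then
    printf '%s\n' "${SSH_CONNECTION%% *}"
  else
    # who -m: the line for the terminal on stdin; its last field is "(host)" when remote
    src=$(who -m 2>/dev/null | awk '{ f = $NF; if (f ~ /^\(.*\)$/) print substr(f, 2, length(f) - 2); else print $2 }')
    printf '%s\n' "${src:-unknown}"
  fi
}

# alert_subject / alert_body: what goes into the mail
alert_subject() {
  printf 'Alert: root shell on %s from %s\n' "$(hostname)" "$(login_source)"
}

alert_body() {
  printf 'ALERT - root shell access\nhost: %s\ndate: %s\nsource: %s\nuser: %s\n\n' \
    "$(hostname)" "$(date)" "$(login_source)" "$(id -un)"
  who
}

# send_root_alert ADDRESS
# The one line to call from /root/.bash_profile after sourcing this file.
send_root_alert() {
  alert_body | mail -s "$(alert_subject)" "$1"
}
```

Save the functions somewhere root-only, source the file from /root/.bash_profile and call send_root_alert with your offsite address on the next line; the caveats above about which shells read .bash_profile still apply.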