Checking Bash Vulnerability and Fixing it

A critical vulnerability has been found in Bash (commonly called Shellshock). It affects every Linux/Unix system with Bash installed, and it is remotely exploitable wherever attacker-controlled input ends up in an environment variable before a Bash process starts: CGI scripts behind a web server, ssh ForceCommand restrictions and DHCP client hooks are the common cases. For additional information on this vulnerability please visit the following link:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

We advise all our clients to keep their servers & software updated constantly to make sure their servers are at minimal risk of potential vulnerabilities. For this particular vulnerability we recommend reading the following links and taking action as soon as possible:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
https://access.redhat.com/articles/1200223

To test whether your version of Bash is vulnerable, run the following command (the value of x must start with "() {" so that Bash treats it as an exported function; the injected command follows the closing brace):

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

you are using a vulnerable version of Bash: the "echo vulnerable" appended to the function definition ran while the new shell was importing its environment, before it ever reached the command you asked for. The patch for CVE-2014-6271 ensures that no code after the end of a Bash function definition is executed.

If you run the above example with a patched version of Bash, you should get output verifying you are not vulnerable:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

To fix this issue just update bash with the following command (CentOS/RHEL; on Debian/Ubuntu upgrade the bash package with apt-get instead):

yum update bash -y

Note that the first update, for CVE-2014-6271, was found to be incomplete (CVE-2014-7169 and further issues followed), so apply every bash update your distribution has published, not only the first one; on CentOS/RHEL the package changelog (rpm -q --changelog bash) lists the CVEs a build fixes. Processes that were already running keep the old bash in memory. New shells (CGI handlers, cron jobs, new ssh sessions) use the fixed binary as soon as the package is installed, but restart long-running shells and services that were started before the update to be sure.

Now check bash again:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

It should return:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

OR, with the later updates, which only import functions from specially named environment variables and therefore no longer look at a plain variable such as x at all:

this is a test

Either way, the word "vulnerable" must not appear.
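
The same check as a script, so it can be run unattended on every server instead of being read off a terminal. This is an added example, not code from the original post; it assumes only that bash and mktemp are on the host, and it adds the second probe for CVE-2014-7169 (the follow-up to the incomplete first fix) next to the one shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: the Shellshock test wrapped in
# functions so it can be run non-interactively across a fleet of hosts.

# CVE-2014-6271 probe. The value of x looks like an exported function with
# extra code after the closing brace. An unpatched bash executes that extra
# code while importing the environment, so "vulnerable" appears in the output.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# CVE-2014-7169 probe. On an affected bash the dangling redirection in X
# carries over into the -c command, so "echo date" is parsed as ">echo date":
# the output of date is written to a file named "echo" in the current
# directory. Run it in a throwaway directory and report on whether that file
# appeared, so nothing real is clobbered.
shellshock_check_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    d=$(mktemp -d) || { echo "error"; return 2; }
    if ( cd "$d" || exit 2; env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1; [ -f echo ] ); then
        rm -rf "$d"; echo "vulnerable"; return 1
    fi
    rm -rf "$d"; echo "patched"; return 0
}

# One line per host for an inventory: name, bash version string, both results.
shellshock_report() {
    printf '%s bash=%s 6271=%s 7169=%s\n' \
        "$(hostname 2>/dev/null || echo unknown)" \
        "$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo none)" \
        "$(shellshock_check)" "$(shellshock_check_7169)"
}
```

Run shellshock_report on each host (for example over ssh from a management box) and grep the collected lines for "vulnerable". Note that the version string alone is not enough on CentOS/RHEL, where the fix is backported without changing the 4.1.2 version number; the probes test the behaviour, not the label.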

libkeyutils.so.1: cannot open shared object file: no such file or directory on centos 6 x64 – Resolution

Today one of my VPS customers got the following error: libkeyutils.so.1: cannot open shared object file: no such file or directory, on CentOS 6.

He was not able to log in via SSH; the SSHD server kept refusing with the message: connection to ssh refused.

While inspecting his VPS from the node panel I found that the server had been hacked and the attacker had removed/changed libkeyutils.so.1 and libkeyutils.so.1.3; both were missing from the lib64 directory, the attacker had simply deleted them.
Please note that libkeyutils is the user-space library for the kernel key-retention service, and sshd on CentOS 6 depends on it (through its Kerberos/GSSAPI libraries), as do other network tools such as wget. A program linked against a library that is missing or corrupted cannot start at all, which is why sshd dies and new connections are refused. Tampering with this particular library has also been used to plant backdoored copies alongside sshd on cPanel servers, so a missing or modified libkeyutils is a strong sign of a root-level compromise, not merely of disk damage.

Following is the solution to this issue:

Log in to your main node (SSH), or to the VPS itself through the console provided by your VPS provider.

Now go to the /lib64 directory and check whether libkeyutils.so.1 and libkeyutils.so.1.3 are there. If they are, they are not the copies the package installed (the attacker may have left a modified file behind), so delete them anyway. libkeyutils.so.1 is a symbolic link to libkeyutils.so.1.3; delete both of them by:

rm -f /lib64/libkeyutils.so.1 /lib64/libkeyutils.so.1.3

Now you need to download the keyutils-libs RPM from a CentOS mirror, in the version for your release (rpm -q keyutils-libs shows the version that should be installed; the one below is for CentOS 6.4 x86_64):

wget ftp://ftp.muug.mb.ca/mirror/centos/6.4/os/x86_64/Packages/keyutils-libs-1.4-4.el6.x86_64.rpm

Please note, this is the step where you may need assistance from your VPS provider: wget also does not work without libkeyutils.so.1, so you cannot download the file on the box itself. Download the RPM elsewhere and ask them to place it on the VPS (in /lib64 or anywhere else), or copy it in from the node side. Before installing, verify the package signature with the CentOS key imported (rpm -K on the file) so that you are not replacing one tampered library with another.

Once the RPM package is on the server, execute the following command in the directory that holds it:

rpm -ivh --replacefiles --replacepkgs keyutils-libs-1.4-4.el6.x86_64.rpm

This reinstalls the package's library files (and the symlink) over whatever is on disk; afterwards rpm -V keyutils-libs should report nothing. Now restart SSH by:

service sshd restart

and reboot your server:

reboot
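
Two helpers for the triage step, added here as an example and not part of the original post. They read the output of ldd and of rpm -V from standard input, so they can be run on the broken host from the provider's console or on output captured there and pasted elsewhere; they assume nothing beyond those two tools and their standard output format.

```shell
#!/bin/sh
# Added example, not part of the original post: triage helpers for a host
# whose sshd dies with "cannot open shared object file".

# missing_libs: print every library that ldd reports as "not found".
#   usage: ldd /usr/sbin/sshd | missing_libs
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# changed_package_files: print files whose on-disk content no longer matches
# the RPM database. The verify string from rpm -V has nine flag columns
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities); "." means the attribute still matches. A replaced or
# truncated library shows S or 5. Mode or mtime alone are not reported here.
#   usage: rpm -Va | changed_package_files
changed_package_files() {
    awk '
        $1 == "missing" { next }          # deleted files are listed separately
        length($1) == 9 && ($1 ~ /^S/ || substr($1, 3, 1) == "5") { print $NF }
    '
}

# missing_package_files: print files that rpm -V reports as deleted from disk.
#   usage: rpm -V keyutils-libs openssh-server | missing_package_files
missing_package_files() {
    awk '$1 == "missing" { print $NF }'
}
```

Run rpm -Va as root once sshd is back: a handful of configuration files (marked c) with changed size, digest or mtime is normal, but a binary or shared library in the list that you did not update yourself is another sign that the box has been tampered with beyond the two deleted files.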

Suggestion: install ConfigServer Security & Firewall (CSF) as soon as you have SSH access back; it takes only a couple of minutes and blocks the brute-force logins that most VPS break-ins start with:

http://configserver.com/free/csf/install.txt

A firewall reduces exposure but it does not undo the compromise. Whoever deleted files from /lib64 had root, so assume every binary, key and password on the system is suspect: run rpm -Va to see what else was changed, rotate all credentials and SSH keys that were stored on the box, and plan to rebuild it from clean media rather than trusting a repaired system.

Cron job for backing up MYSQL database from SSH

Backing up MySQL databases is essential, especially if you run a shopping cart or e-commerce website.

Attackers constantly try to gain access to your database, and when they succeed the most common result is modified or destroyed data. You cannot undo that without a backup, and the backups most people have are the daily or weekly ones taken by cPanel or another control panel.

No hosting panel lets you take a backup every few minutes or at an interval of your own choosing.

The following script lets you configure the interval at which a MySQL database is backed up, and it never overwrites a backup that is already stored, so you can restore from any point that is still retained.

The features are explained in the comment (#) lines of the script.

Copy the script into a file such as backup.sh, place it in a directory that only root can read, and make it executable (chmod 700). It must be root-only because it reaches the database credentials, and the directory it writes to must be outside the web root so that the dumps cannot be downloaded over HTTP.

 

#!/bin/bash
# No -x here: trace output would echo every command, credentials included, into cron mail.
# Stop on any error, and let a failing mysqldump fail the whole pipeline, so a
# broken dump is never kept as if it were a good backup.
set -euo pipefail
# Backups contain every row of the database: create them readable by the owner only.
umask 077

# Backup file location; change it to your own. Keep it OUTSIDE public_html:
# anything under the web root can be downloaded by whoever guesses the file name.
backupDir=/home/USERNAME/backups
mkdir -p "$backupDir"

# 24-hour timestamp so file names sort in order and no two runs collide
myDate=$(date '+%Y-%m-%d-%H-%M-%S')

# Backup file name; the timestamp gives every run a new name, so nothing is overwritten
dbName=backupSQL-$myDate

# MySQL credentials. Do not pass the password on the command line (-pPASSWORD):
# it shows up in "ps" for every user on the server. Put it in a root-only file
# (/root/.my.cnf, chmod 600) instead:
#   [client]
#   user=root
#   password=PASSWORD_HERE
# --single-transaction gives a consistent snapshot of InnoDB tables without locking
# the shop while the dump runs. Compress straight to the destination so no plain
# copy of the data is left in /tmp; the .part name is renamed only on success.
mysqldump --defaults-extra-file=/root/.my.cnf --single-transaction DATABASE_NAME_HERE \
    | gzip > "$backupDir/$dbName.sql.gz.part"
mv "$backupDir/$dbName.sql.gz.part" "$backupDir/$dbName.sql.gz"

# Delete backups older than 2 days; change -mtime +2 to +7 for files older than 7 days.
# -type f and -name limit this to our own files: without them an old backupDir
# itself matches and "rm -rf" would wipe the whole directory.
find "$backupDir" -type f -name 'backupSQL-*' -mtime +2 -delete

Now for the cron job. Follow these steps to set up a cron job for automatic backups.

Log in to SSH with root access.

Execute the following command:

$ crontab -e

A text editor will open; add the following cron job line at the end of the file:

*/5 * * * * /FILE-PATH/backup.sh

In the line above, */5 is the interval for automatic backups: the script will run every 5 minutes. Change it as needed; a full dump every 5 minutes is fine for a small shop database, but for a large one check that a run finishes well within the interval so that dumps do not overlap.
Save the cron job and you're done.
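
A backup is only worth anything if it restores, so here is a check to run over the stored dumps. It is an added example, not part of the original post; it assumes the dumps are gzip-compressed mysqldump output named backupSQL-<timestamp>.sql.gz, and it relies on the "-- Dump completed on ..." trailer that mysqldump writes as its last line, which is missing when a dump was cut off by a full disk, a killed process or an overlapping run.

```shell
#!/bin/sh
# Added example, not part of the original post: verifies stored MySQL dumps.

# verify_sql_backup FILE -> prints a verdict; exit 0 only for a usable backup
verify_sql_backup() {
    f=$1
    [ -s "$f" ] || { echo "empty: $f"; return 1; }
    # gzip's own CRC check catches truncation and bit rot in the archive itself
    gzip -t "$f" 2>/dev/null || { echo "corrupt gzip: $f"; return 1; }
    # mysqldump ends a successful dump with this trailer; a dump that was
    # interrupted (disk full, process killed) decompresses fine but lacks it
    if gzip -dc "$f" | tail -n 1 | grep -q '^-- Dump completed'; then
        echo "ok: $f"; return 0
    fi
    echo "truncated: $f"; return 1
}

# verify_backup_dir DIR -> checks every dump, prints a summary, exit 0 if all good
verify_backup_dir() {
    bad=0 total=0
    for f in "$1"/backupSQL-*.sql.gz; do
        [ -e "$f" ] || continue            # no backups at all: the glob did not expand
        total=$((total + 1))
        verify_sql_backup "$f" || bad=$((bad + 1))
    done
    echo "$total checked, $bad bad"
    [ "$bad" -eq 0 ]
}
```

Run verify_backup_dir on the backup directory from a second cron job (say hourly) and have it mail you when it exits non-zero; a silently broken backup job is the failure mode this catches. A real restore test into a scratch database now and then is still the only complete proof.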

Feedback is welcome 🙂

How to deal with hackers on a web server? Symlink solution

Nowadays hacking is more common than ever; most web hosting companies are targeted, and there is no way to make a server 100% secure.

As a web hosting provider we always try to secure our servers from attackers; sometimes it works and sometimes we fail.

Today I want to describe some commands for Linux WHM/cPanel based servers that make the server more secure, not 100% but they work out of the box. These commands do not stop an account from being hacked, but they are very useful because they stop an attacker who has one account from doing anything to the other accounts on the server.

I assume you are already familiar with symlink attacks on shared servers: an attacker who controls one cPanel account creates symbolic links inside it that point at files belonging to other accounts (a WordPress wp-config.php with database credentials is the usual target), and because the web server follows the link while serving the request, the other customer's file can be read over HTTP.

If you disable symlinks on the server, an attacker who does get into one account cannot use it to reach the other accounts, which remain safe and unaffected.

However, disabling symlinks is not the proper solution; it also breaks the functionality of some scripts on the server such as Joomla and WordPress.

Here I would like to describe some Linux commands that remove symlinks created in the root directory of an account, which on cPanel is public_html, so that a link does not survive long enough to be useful. Note that this is a periodic clean-up, not a prevention: a link created right after the job runs stays in place until the next run, so use it together with the web server's own control, the Apache option SymLinksIfOwnerMatch (follow a link only when it is owned by the same user as its target), which stops the read itself.

Follow these steps:

  • Log in to your server via SSH with root access.
  • First check whether there are symlinks already created on the server.
  • Execute the following command for cPanel:
  • # find /home*/*/public_html -type l
  • The command above lists all symlinks in the public_html directory of every cPanel account, including sub directories.
  • Now add a cron job to check for symlinks and remove them if found. You can set any interval; in the command below it is every 5 minutes.
  • The command checks for and removes all symlinks inside the public_html directories and their sub directories.
  • Execute the following command to add the cron job:
  • # crontab -e
  • The crontab file will open in the default text editor.
  • Go to the last line and add the command below:
  • */5 * * * * find /home*/*/public_html -type l -exec rm -rfv {} \;
  • Now save the crontab file to make it active.
  • You're done: this will check for symlinks inside public_html and remove them if found. rm on a symbolic link removes only the link, never the file it points to, so the other account's data is not touched; but legitimate links that customers created inside their own sites are removed as well.
  • TIP: you can change the location for other control panels by replacing /home*/*/public_html.
  • Note: never run the command on system directories. /lib64 and /usr/lib64 are full of symlinks (every libfoo.so.1 points at the versioned library file), and removing them leaves the server unable to start most programs, including sshd.
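
The cron job above removes every link, including the harmless ones customers rely on (a "current" link to a release directory, a link to a sibling folder in the same account). The script below, an added example and not part of the original post, reports only links whose target escapes the owner's own account directory, which is the pattern behind the attack; it assumes the cPanel layout /home/<account>/public_html and takes the parent of the account homes as its argument so another layout can be passed in.

```shell
#!/bin/sh
# Added example, not part of the original post: list symlinks under each
# account's public_html whose target lies outside that account's home.

# foreign_symlinks ROOT   (ROOT holds the account home directories, e.g. /home)
# Prints "link -> resolved-target" for each offending or dangling link.
foreign_symlinks() {
    root=$(cd "$1" && pwd) || return 1
    find "$root"/*/public_html -type l 2>/dev/null | while read -r link; do
        # the account name is the first path component below ROOT
        acct=${link#"$root"/}
        acct=${acct%%/*}
        target=$(readlink "$link") || continue
        case "$target" in
            /*) abs=$target ;;
            *)  # relative target: resolve it against the directory holding the link;
                # a target whose directory does not exist is reported as dangling
                dir=$(cd "$(dirname "$link")" && cd "$(dirname "$target")" 2>/dev/null && pwd) \
                    || dir="(dangling)"
                abs=$dir/$(basename "$target") ;;
        esac
        case "$abs" in
            "$root/$acct"/*) ;;                        # stays inside the owner's account
            *) printf '%s -> %s\n' "$link" "$abs" ;;   # points into another account or /etc
        esac
    done
}
```

Running foreign_symlinks /home from cron and mailing the output gives you the list of accounts to look at (a link into another customer's directory is evidence the first account is already compromised), and the link paths can be fed to rm if you want the same automatic removal with less collateral damage.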

That is all; comments are welcome :) if it works for you.

Configuring WHM/cPanel tweak settings from SSH

You can also configure/alter the tweak settings for WHM/cPanel from an SSH terminal.

Follow the steps:

  1. Log in to SSH via PuTTY or any terminal with root privileges.
  2. Keep a copy of the current settings file, then open it:
    • nano /var/cpanel/cpanel.config
  3. Make your changes and save the file.
  4. Apply them by running:
    • /usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings

Change Host Name of Linux Red Hat or CentOS Permanently

Here are the short commands to change the host name of your Linux Red Hat or CentOS 5 & 6 operating system. Follow the steps below:

  • Log in to your server via SSH.
  • Edit the file /etc/sysconfig/network by executing the command below:
  • nano /etc/sysconfig/network
  • Find the HOSTNAME line, usually written as:
  • HOSTNAME=server.websterz.net
  • Change the host name after the = sign and press:
  • CTRL + O and then Enter to save
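
The same change done as a script, so that it is repeatable and survives a reboot. This is an added example, not part of the original post. On CentOS/RHEL 5 and 6 the boot scripts read HOSTNAME= from /etc/sysconfig/network, and the name should also resolve locally through /etc/hosts (sudo, sendmail and others stall when it does not); the file paths are parameters so the function can be tried on copies before it touches /etc.

```shell
#!/bin/sh
# Added example, not part of the original post: set the persistent hostname
# on CentOS/RHEL 5 and 6 and make it resolve locally, idempotently.

# In-place edit without sed -i, whose syntax differs between GNU and BSD sed;
# writing back through cat keeps the file's owner and permissions.
edit_in_place() {   # edit_in_place FILE SED_EXPRESSION
    tmp=$(mktemp) && sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# set_hostname NEWNAME [NETWORK_FILE] [HOSTS_FILE] [IP]
set_hostname() {
    new=$1
    netfile=${2:-/etc/sysconfig/network}
    hosts=${3:-/etc/hosts}
    ip=${4:-127.0.0.1}
    short=${new%%.*}

    # only hostname characters: this value is spliced into sed expressions below
    case "$new" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid hostname: $new" >&2; return 1 ;;
    esac

    # persistent name: replace the HOSTNAME= line, or add one if the file has none
    if grep -q '^HOSTNAME=' "$netfile"; then
        edit_in_place "$netfile" "s/^HOSTNAME=.*/HOSTNAME=$new/"
    else
        printf 'HOSTNAME=%s\n' "$new" >> "$netfile"
    fi

    # local resolution: append the names to the existing line for IP (keeping the
    # localhost aliases already on it) unless they are listed, or add a new line
    if grep -q "^$ip[[:space:]]" "$hosts"; then
        grep "^$ip[[:space:]]" "$hosts" | grep -qw "$new" \
            || edit_in_place "$hosts" "/^$ip[[:space:]]/ s/\$/ $new $short/"
    else
        printf '%s %s %s\n' "$ip" "$new" "$short" >> "$hosts"
    fi
}

# The name that will be used at the next boot, for checking the edit.
configured_hostname() {
    sed -n 's/^HOSTNAME=//p' "${1:-/etc/sysconfig/network}" | tail -n 1
}
```

After set_hostname has written the files, the running kernel still has the old name until the next boot; run hostname with the new name to switch it immediately, and check the result with both hostname and configured_hostname.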
