jason.soto – TecAdmin (https://tecadmin.net), how-to guides for system administrators and developers. Feed generated Wed, 23 Oct 2019 05:24:31 +0000.

How to Secure SSH Connections with Port Knocking on Linux CentOS
https://tecadmin.net/secure-ssh-connections-with-port-knocking-linux/
Published Thu, 10 Apr 2014 06:46:46 +0000
Port Knocking is a technique used to protect a service or port from unwanted users. One or more previously configured ports are kept closed, and they are opened only after a sequence of connection attempts to a set of ports that we defined beforehand.

For example, if we configure port knocking for port 50, that port will only be opened when we make requests to ports 1000, 2500 and 3000, in that order. Once the sequence is completed correctly, the firewall opens the port that was previously closed. This adds another layer of protection in front of certain services on our server; because the knock sequence itself travels in the clear, it complements, rather than replaces, strong authentication on the service behind it.

The client can perform the knock sequence with Nmap, Telnet, or any tool made for this purpose.

Let's secure SSH connections using this method on a server running Linux CentOS. Follow the steps below as root.

Install Prerequisites

Install the libpcap library packages, which knock-server requires:

# yum install libpcap*

Install Knock Server Package

Download and install the knock-server rpm package:

# wget http://li.nux.ro/download/nux/misc/el6/i386/knock-server-0.5-7.el6.nux.i686.rpm
# rpm -ivh knock-server-0.5-7.el6.nux.i686.rpm

Before setting up the knockd daemon, we must create an iptables rule that drops all connections to the SSH port; in this case we'll use the default port (22).

[NOTE: Do not run the following commands while you are connected to the server over SSH; the DROP rule will cut your current connection.]

# iptables -A INPUT -p tcp --dport 22 -j DROP
# service iptables save

Now we can configure the knockd daemon so that our SSH port opens after the correct knock sequence. Edit the knockd configuration file and add the following values:

# vi /etc/knockd.conf

[options]
        logfile = /var/log/knockd.log

[openSSH]
        # Knock these three ports in order within 30 seconds to open port 22
        sequence = 5040,6010,6500
        seq_timeout = 30
        tcpflags = syn
        command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
        # A different sequence removes the ACCEPT rule for the knocking host
        sequence = 4040,5050,8080
        seq_timeout = 30
        command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags = syn

Save the file and quit (:wq!).

Finally, start the knockd service:

# service knockd start

How to Use Port Knocking

To open the SSH port we knock on ports 5040, 6010 and 6500; when the sequence is completed correctly, knockd runs a command that adds a firewall rule allowing the knocking host to connect to our Linux server on port 22. The second directive closes the port again: knocking on ports 4040, 5050 and 8080 runs a command that removes the firewall rule that allowed the SSH connection.

To knock the ports you can use Nmap or Telnet as follows. For this example we use nmap.

To open the SSH connection:

# nmap -p 5040 SERVER-IP
# nmap -p 6010 SERVER-IP
# nmap -p 6500 SERVER-IP

To close the connection:

# nmap -p 4040 SERVER-IP
# nmap -p 5050 SERVER-IP
# nmap -p 8080 SERVER-IP

If we look at the knockd log we will see something like this:

# tail /var/log/knockd.log

[2014-04-10 05:20] 192.168.1.184: openSSH: Stage 1
[2014-04-10 05:21] 192.168.1.184: openSSH: Stage 2
[2014-04-10 05:21] 192.168.1.184: openSSH: Stage 3
[2014-04-10 05:21] 192.168.1.184: openSSH: OPEN SESAME
[2014-04-10 05:21] openSSH: running command: /sbin/iptables -I INPUT -s 192.168.1.184 -p tcp --dport 22 -j ACCEPT
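The open and close sequences described above leave a trail in this log that can be audited. The following Python script is an added example, not part of the original post and not part of knockd: it replays knockd log lines of the format shown above (the sample log is constructed from those lines, with two extra hosts added) and reports which source addresses currently hold an ACCEPT rule for port 22 and which hosts started the open sequence without ever finishing it, the pattern a probe or a misconfigured client leaves behind.

```python
import re
from collections import defaultdict

# Matches knockd log lines of the form
#   [2014-04-10 05:21] 192.168.1.184: openSSH: Stage 2
#   [2014-04-10 05:21] 192.168.1.184: openSSH: OPEN SESAME
# The "running command" lines carry no client IP and are deliberately skipped.
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] (?P<ip>\d+\.\d+\.\d+\.\d+): (?P<door>\w+): (?P<event>.+)$"
)

# Constructed sample log: one host opens and later closes, a second host
# only ever reaches Stage 1, and a third opens and never closes.
SAMPLE_LOG = """\
[2014-04-10 05:20] 192.168.1.184: openSSH: Stage 1
[2014-04-10 05:21] 192.168.1.184: openSSH: Stage 2
[2014-04-10 05:21] 192.168.1.184: openSSH: Stage 3
[2014-04-10 05:21] 192.168.1.184: openSSH: OPEN SESAME
[2014-04-10 05:21] openSSH: running command: /sbin/iptables -I INPUT -s 192.168.1.184 -p tcp --dport 22 -j ACCEPT
[2014-04-10 05:30] 192.168.1.184: closeSSH: Stage 1
[2014-04-10 05:30] 192.168.1.184: closeSSH: Stage 2
[2014-04-10 05:30] 192.168.1.184: closeSSH: Stage 3
[2014-04-10 05:30] 192.168.1.184: closeSSH: OPEN SESAME
[2014-04-10 05:30] closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.1.184 -p tcp --dport 22 -j ACCEPT
[2014-04-10 06:02] 10.0.0.7: openSSH: Stage 1
[2014-04-10 06:05] 10.0.0.7: openSSH: Stage 1
[2014-04-10 06:09] 10.0.0.7: openSSH: Stage 1
[2014-04-10 06:40] 10.0.0.9: openSSH: Stage 1
[2014-04-10 06:40] 10.0.0.9: openSSH: Stage 2
[2014-04-10 06:40] 10.0.0.9: openSSH: Stage 3
[2014-04-10 06:40] 10.0.0.9: openSSH: OPEN SESAME
"""


def parse(log_text):
    """Return one dict per client-attributed log line (ts, ip, door, event)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def door_state(log_text, open_door="openSSH", close_door="closeSSH"):
    """Replay the log and return (still_open, stalled).

    still_open: {ip: timestamp} for hosts whose open sequence completed and
                whose close sequence has not completed since, i.e. hosts that
                should currently have an ACCEPT rule for port 22.
    stalled:    {ip: count} of open attempts that reached Stage 1 but never
                completed (a new Stage 1 while one is pending, or pending at EOF).
    """
    still_open = {}
    stalled = defaultdict(int)
    pending = set()
    for ev in parse(log_text):
        ip, door, event, ts = ev["ip"], ev["door"], ev["event"], ev["ts"]
        if door == open_door:
            if event == "Stage 1":
                if ip in pending:
                    stalled[ip] += 1  # the previous attempt never finished
                pending.add(ip)
            elif event == "OPEN SESAME":
                pending.discard(ip)
                still_open[ip] = ts
        elif door == close_door and event == "OPEN SESAME":
            still_open.pop(ip, None)
    for ip in pending:  # attempts still unfinished when the log ends
        stalled[ip] += 1
    return still_open, dict(stalled)


if __name__ == "__main__":
    opened, stalled = door_state(SAMPLE_LOG)
    for ip, ts in opened.items():
        print(f"port 22 still open for {ip} since {ts}")
    for ip, n in stalled.items():
        print(f"{ip}: {n} incomplete open attempt(s)")
```

Run it against the real file with `door_state(open("/var/log/knockd.log").read())`; hosts listed as still open should match the `-s` addresses shown by `iptables -L INPUT -n`, and any mismatch means a rule was added or removed outside knockd.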

Let me show this a little more graphically.

[Figure: openssh-port-knocking-1]

[Figure: openssh-port-knocking-2]

This is a brief representation of the process, including authentication with RSA keys.

Now our remote connections have a good level of security, and combined with RSA key authentication the connection is hardened even more: the knock hides the port, while the key authenticates the client. We can use this method to protect any type of connection to our Linux server. To read more, visit http://www.zeroflux.org/projects/knock

How to Replace MySQL with MariaDB in CentOS/RHEL
https://tecadmin.net/replace-mysql-with-mariadb-in-centos-rhel/
Published Sat, 05 Apr 2014 03:58:12 +0000
MariaDB has more features and advantages over MySQL server, as described here. If you are thinking of switching to MariaDB, this article will help you. Today I am going to show you how to replace MySQL with MariaDB while keeping all your existing data on Linux CentOS. To do this we are going to follow these steps as root.

Step 1: Backup Existing Databases

First, take a backup of all existing databases, in case we need to restore them:

# mysqldump -u root -p --all-databases > BackupDBS.sql
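Everything after this step removes MySQL, so the dump is the only copy of the data until MariaDB is up. The following Python script is an added example, not part of the original post and not a MySQL tool: it checks that a `mysqldump --all-databases` file ends with the "Dump completed" trailer mysqldump writes last (a dump cut short by a full disk or a killed process lacks it) and lists the databases it contains, so the list can be compared with the output of `SHOW DATABASES` before and after the migration. The sample dump is constructed and much shorter than a real one, but uses the same markers.

```python
import re

# Constructed sample of a `mysqldump --all-databases` file: header, one
# "Current Database" marker per database, and the trailer written last.
SAMPLE_DUMP = """\
-- MySQL dump 10.13  Distrib 5.1.73, for redhat-linux-gnu (x86_64)
--
-- Host: localhost    Database:
-- ------------------------------------------------------
-- Server version	5.1.73

--
-- Current Database: `shop`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `shop` /*!40100 DEFAULT CHARACTER SET utf8 */;

USE `shop`;

CREATE TABLE `orders` (`id` int(11) NOT NULL) ENGINE=InnoDB;

--
-- Current Database: `wiki`
--

CREATE DATABASE /*!32312 IF NOT EXISTS*/ `wiki` /*!40100 DEFAULT CHARACTER SET utf8 */;

USE `wiki`;

-- Dump completed on 2014-04-05  3:58:12
"""

DB_MARKER_RE = re.compile(r"^-- Current Database: `([^`]+)`$")
TRAILER = "-- Dump completed on"


def inspect_dump(text):
    """Return (complete, databases) for the text of a mysqldump file.

    complete is True only if the trailer appears among the last few lines;
    databases lists every "Current Database" marker in file order.
    """
    lines = text.splitlines()
    complete = any(line.startswith(TRAILER) for line in lines[-5:])
    databases = []
    for line in lines:
        m = DB_MARKER_RE.match(line)
        if m:
            databases.append(m.group(1))
    return complete, databases


def safe_to_remove_mysql(text, expected_databases):
    """True only if the dump is complete and covers every expected database."""
    complete, found = inspect_dump(text)
    return complete and set(expected_databases) <= set(found)


if __name__ == "__main__":
    # Real use: safe_to_remove_mysql(open("BackupDBS.sql").read(), [...])
    complete, dbs = inspect_dump(SAMPLE_DUMP)
    print("complete:", complete, "databases:", dbs)
```

Only proceed to `yum remove mysql*` when `safe_to_remove_mysql` returns True for the list of databases the server is known to hold.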

Step 2: Remove MySQL

After confirming that you have a backup of all databases, let's remove MySQL from the system. First, stop the MySQL service:

# service mysqld stop

Copy the MySQL configuration file to a different location so we can reuse it later:

# cp /etc/my.cnf /tmp/

Remove all the MySQL packages:

# yum remove mysql*

Step 3: Install MariaDB

To avoid dependency problems we install the REMI repository:

# rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm

Then install the compat-mysql55 package:

# yum --enablerepo=remi-test --disablerepo=remi install compat-mysql55

Now we can proceed with the installation of MariaDB; you can follow the steps at https://tecadmin.net/install-mariadb-in-centos-rhel-and-fedora/
After completing those steps, we restore the my.cnf we backed up previously to its original location:

# cp /tmp/my.cnf /etc/my.cnf

Step 4: Restore All Databases (If Required)

Restore the backup of all our databases into the MariaDB server:

# mysql -u root -p < BackupDBS.sql

Finally, we restart the service, log back in to MariaDB and check that all our data is indeed there:

# service mysql restart
# mysql -u root -p

How to Install mod_security with Apache on CentOS/RHEL 7/6
https://tecadmin.net/install-modsecurity-with-apache-on-centos-rhel/
Published Tue, 18 Mar 2014 09:54:41 +0000
Mod_Security is a Web Application Firewall that runs as a module on your web server and protects our web applications against various attacks. It monitors HTTP traffic and performs real-time analysis. It is a product developed by Breach Security and is available as free software under the GNU license. It is available for Apache, Nginx and IIS.

Mod_Security can be deployed and integrated with our current web server infrastructure, meaning that we do not have to modify our internal network, we do not add a point of failure, we still benefit from load balancing and scalability, and we have no issues with compressed or encrypted data. Mod_Security is a valuable security tool that has proven to be effective. If we want to protect our web applications, this is a tool that deserves your attention.

Step 1 – Enable EPEL Repository

First, add the EPEL rpm repository to your system using the following command:

### For RHEL/CentOS 7 
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

### For RHEL/CentOS 6 
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Step 2 – Install Mod_Security and Predefined Rules

Let's install the mod_security Apache module together with the predefined mod_security rule set:

yum install mod_security mod_security_crs

Step 3 – Activate mod_security Module

Edit the ModSecurity configuration file /etc/httpd/conf.d/mod_security.conf, look for the SecRuleEngine directive and set it to the desired value:

      On – rules are activated
      Off – rules are deactivated
      DetectionOnly – transactions are only inspected and logged

Since we want to intercept and block attacks, we set it to On:

 SecRuleEngine On

Step 4 – Restart Apache and Check

After completing all the configuration, restart Apache service on your system.

service httpd restart

To confirm that our web application firewall is working, we should see something like this in the Apache error log:

tail /var/log/httpd/error_log

[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LIBXML compiled version="2.7.6"
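Steps 3 and 4 are the two things worth verifying on every host: that the effective SecRuleEngine value really is On (a commented-out or later, overriding directive is easy to miss) and that the module actually loaded. The following Python script is an added example, not part of the original post and not part of ModSecurity: it reads the directive the way Apache does (comments ignored, last occurrence wins) and pulls the version out of the "configured" notice from the error log. Both the configuration snippet and the log lines are constructed samples modelled on the file and output shown above.

```python
import re

# Constructed excerpt of /etc/httpd/conf.d/mod_security.conf; the real file
# is longer, but the directive of interest looks exactly like this.
SAMPLE_CONF = """\
<IfModule mod_security2.c>
    # SecRuleEngine DetectionOnly
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditLog /var/log/httpd/modsec_audit.log
</IfModule>
"""

# Constructed error_log lines modelled on the notices shown above.
SAMPLE_ERROR_LOG = """\
[Sat Mar 15 09:20:58 2014] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Sat Mar 15 09:20:58 2014] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Sat Mar 15 09:20:58 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
"""

# Directive names are case-insensitive in Apache configuration files.
MODE_RE = re.compile(r"^\s*SecRuleEngine\s+(\S+)", re.IGNORECASE)
LOADED_RE = re.compile(r"\[notice\] ModSecurity for Apache/(\S+) \(")


def rule_engine_mode(conf_text):
    """Return the last uncommented SecRuleEngine value, or None if absent."""
    mode = None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directives have no effect
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)  # a later directive overrides an earlier one
    return mode


def blocks_attacks(conf_text):
    """True only when the effective mode is On; DetectionOnly never blocks."""
    mode = rule_engine_mode(conf_text)
    return mode is not None and mode.lower() == "on"


def modsecurity_version(error_log_text):
    """Version from the 'ModSecurity for Apache/x.y.z configured' notice, or None."""
    for line in error_log_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    # Real use: pass the contents of mod_security.conf and error_log instead.
    print("mode:", rule_engine_mode(SAMPLE_CONF), "blocking:", blocks_attacks(SAMPLE_CONF))
    print("loaded version:", modsecurity_version(SAMPLE_ERROR_LOG))
```

A host where `blocks_attacks` is False or `modsecurity_version` is None after the restart has a WAF that is logging at best, which is the state to catch in a configuration audit.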

Important files to Remember

  • Mod Security Config File – /etc/httpd/conf.d/mod_security.conf
  • Debug Log – /var/log/httpd/modsec_debug.log
  • Audit log – /var/log/httpd/modsec_audit.log
  • Rules – /etc/httpd/modsecurity.d/activated_rules

References:
https://www.modsecurity.org/
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

How to Check for Vulnerabilities on Linux with Lynis
https://tecadmin.net/check-vulnerabilities-on-linux-system-with-lynis/
Published Fri, 14 Mar 2014 04:49:46 +0000
If we work as a system administrator, security or system auditor, our responsibilities include tasks such as installing security patches for the OS and applications, malware scanning, file integrity checks, security audits, configuration error checks and more. A tool capable of looking for these vulnerabilities automatically helps a lot and lets us make sure we are doing our best to keep the system secure.

One of these tools is Lynis. It supports multiple platforms, including Linux CentOS, Debian, Fedora, FreeBSD, MacOS, Ubuntu and many more.

This tool audits the system in multiple categories, such as:

    • System Tools
    • Boot and Services
    • Kernel
    • Memory and process
    • User, Groups and Authentication methods
    • Shells
    • FileSystems
    • Storage
    • Network FileSystems
    • Applications
    • Name Services: Dns, Bind
    • Ports
    • Packages
    • Network Services: Nginx, Apache
    • Print Services
    • Mailing and messaging
    • SSH
    • SNMP
    • Databases: MySQL, Oracle, MariaDB
    • LDAP
    • PHP
    • Squid
    • Logs
    • Insecure Services: inetd
    • CronJobs
    • Cryptography
    • Virtualization
    • File Integrity
    • Malware
    • Directories
    • And more…

Step 1 – Install Lynis

To install this valuable security tool, all we have to do is run these commands in the terminal as the root user. They create a directory for Lynis and download the package:

cd /opt
git clone https://github.com/CISOfy/lynis

Step 2 – Scan System with Lynis

To run the tool, simply run the commands below:

cd /opt/lynis
./lynis audit system --quick

Once the tool has finished scanning, it saves its audit report in /var/log/lynis.log. The report alerts us to the vulnerabilities found on our Linux server and also gives suggestions to harden its security.

[Figure: install lynis on Linux]

Check all results and fix the vulnerabilities. For example, the result shows that expose_php is on in PHP.

[Figure: Running vulnerability scanner on Linux with Lynis]
