Linux : Setting umask for SFTP

The umask removes permission bits from files as they are created on the server. If a file is 777 on the source and is uploaded with sftp's -p option (or put -P inside the client), which preserves the source mode, it arrives as 777. To give uploads a saner mode without relying on the client, a umask can be applied to the sftp subsystem.

This prevents uploads from arriving executable or world-writable. Plain FTP servers typically create uploaded files as 644 because the FTP protocol carries no file mode at all; SFTP does carry the mode, so the server creates the file with whatever the client asked for unless a umask clears some of those bits.

Edit the file /etc/ssh/sshd_config.

vi /etc/ssh/sshd_config

Add one of the following under "# override default of no subsystems", replacing the existing Subsystem sftp line (sshd refuses to start if the sftp subsystem is defined twice):

Subsystem sftp /bin/sh -c 'umask <umask>; /usr/libexec/openssh/sftp-server'

OR, on OpenSSH 5.4 and later, where sftp-server accepts -u:

Subsystem sftp /usr/libexec/openssh/sftp-server -u <umask>

where <umask> is the umask to be set, for example 022 (clears group and world write) or 027 (clears group write and all world access).

Check the syntax with sshd -t, then restart the SSH daemon.

/etc/init.d/sshd restart
OR
service sshd restart

Note: a umask only removes permission bits; it never adds them. It also only governs the mode a file is created with: an SFTP client can still chmod a file after uploading it, because sftp-server honours setstat requests. Treat the umask as a safer default, not as an enforced policy.

(screenshot: directory listing of the two uploaded files)

The file gw80 was uploaded before the umask was set; its mode on the source was 664 and it arrived unchanged.

The file gw80_1 was uploaded after the umask was set. Its mode on the source was also 664, and it arrived as 644: the umask cleared the group-write bit.
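As an added example (not part of the original post) to make the arithmetic concrete: the first function below computes the mode a file is created with under a given umask, and the second pulls the configured umask back out of an sshd_config so the change can be verified before sshd is restarted. Both are plain POSIX sh and awk, run offline without sshd, and assume only the two Subsystem spellings shown above.

```shell
#!/bin/sh
# Added example, not from the original post: umask arithmetic and a config check.

# effective_mode MODE UMASK
# Prints the mode a file is created with when the process umask is UMASK and
# the client asked for MODE. A umask can only clear bits: result = MODE & ~UMASK.
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# sftp_umask_from_config FILE
# Prints the umask configured on the "Subsystem sftp ..." line of an
# sshd_config, or "none" when the subsystem runs without one. Both spellings
# from the post are recognised: "sftp-server -u 027" and
# "/bin/sh -c 'umask 027; .../sftp-server'".
sftp_umask_from_config() {
    awk '
        $1 == "Subsystem" && $2 == "sftp" {
            for (i = 3; i <= NF; i++) {
                if ($i == "-u" && i < NF) { print $(i + 1); found = 1; exit }
                if ($i ~ /^.?umask$/ && i < NF) {
                    v = $(i + 1); sub(/;.*/, "", v)   # strip the trailing ";"
                    print v; found = 1; exit
                }
            }
        }
        END { if (!found) print "none" }' "$1"
}

# The post's own case: a 664 source file under umask 022 arrives as 644.
effective_mode 664 022
```

Because the umask can only clear bits, a source file that is already 600 stays 600 whatever the umask is; that is the "removes, never adds" note above in one line.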


Spamming: A handbook for admins

1. Hourly count of mail sent for a domain on a given date.

DOMAIN='<DOMAIN>'; DATE='YYYY-MM-DD'; o1=$(for i in $(grep $DOMAIN /var/log/exim_mainlog | grep $DATE | egrep "A=fixed|A=<LOGIN>" | awk '{print $4}' | sort | uniq); do grep $i /var/log/exim_mainlog; done | grep -v "retry time not reached for any host"); unset DOMAIN; unset DATE; o2=$(echo "$o1" | awk '{print $2}' | cut -d: -f1 | sort | uniq -c); echo " COUNT HOUR"; echo "$o2"; unset o1; unset o2;

DOMAIN : domain.com, without www

YYYY-MM-DD : the date, e.g. 2011-11-03

LOGIN : dovecot_login or courier_login, whichever IMAP/POP server the host runs

Replace all instances of these placeholders with the appropriate values from here on.

2. How many emails have been sent per email address for the specified domain.

grep somedomain.com /var/log/exim_mainlog | grep courier_login | awk -F"courier_login:" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

3. Show how many emails have been sent from ALL domains since the beginning of the log.

grep "A=<LOGIN>" /var/log/exim_mainlog | awk -F"A=<LOGIN>:" '{print $2}' | cut -f1 -d' ' | sort | uniq -c | sort -n | awk '{print $1, " unique emails sent by ", $2}'

4. Delete mail in the queue from a certain user.

for i in $(exim -bp | grep user@domain.com | grep -e - | grep @ | awk '{print $3}'); do exim -Mrm $i; done

5. Find the source path when the From: address is being forged (exim logs the working directory of locally submitted mail as cwd=).

echo -ne "What cpanel user: "; read p; grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n | grep $p
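Item 5 as an added, reusable script (example code, not part of the original handbook). It assumes exim's "arguments" log selector is on, so that locally submitted mail is logged with a cwd= field naming the directory the sending process ran in; the log lines embedded at the bottom are constructed for the demo, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the original handbook: trace forged mail back to the
# directory of the script that submitted it, using exim's cwd= log field.

# mail_source_dirs LOGFILE [FILTER]
# Counts the cwd= directory of every locally submitted message in LOGFILE,
# ignores exim's own spool directories, optionally keeps only directories
# containing FILTER (e.g. the cPanel username) and prints "<count> <dir>",
# busiest directory first.
mail_source_dirs() {
    logfile=$1
    filter=${2:-}
    awk -v want="$filter" '
        /cwd=/ {
            dir = $0
            sub(/.*cwd=/, "", dir)              # keep the text after cwd=
            sub(/ .*/, "", dir)                 # ...up to the next space
            if (dir ~ /^\/var\/spool/) next     # daemon working dirs, not scripts
            if (want != "" && index(dir, want) == 0) next
            count[dir]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }' "$logfile" | sort -rn
}

# Constructed sample log (not real data) so the function can be run offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2011-11-03 10:15:22 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2011-11-03 10:15:23 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2011-11-03 10:15:24 cwd=/var/spool/exim 4 args: /usr/sbin/exim -bd -q60m
2011-11-03 10:15:25 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2011-11-03 10:15:26 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
EOF

mail_source_dirs "$SAMPLE_LOG"            # every web-script directory, busiest first
mail_source_dirs "$SAMPLE_LOG" sample     # only the "sample" account, as item 5 does
```

The directory with the highest count is where to look for the PHP file; item 6 below finds the mail() calls inside it.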

6. Find the PHP files that send mail via the mail() function.

find ./ -name \*.php -exec grep -l "mail(" {} \;

7. Show each user and their number of IMAP connections.

ps -ef | grep imap | awk '{print $1}' | sort | uniq -c | sort -g -k 1 | tail

8. Fix the mail shadow file permission.

If the user receives mail but cannot send, and all settings are correct, the per-domain shadow file under the account may have lost its permissions:

find /home/<user>/etc -type f -name shadow -exec chmod 644 {} \;

Be aware that 644 makes the password hashes in that file world-readable. On a shared cPanel host prefer /scripts/mailperm <user>, which restores the ownership and modes cPanel expects.

9. Show the number of failed logins per IP (check whether the user is being brute-forced). Field 9 is the ip=[...] field of courier's "LOGIN FAILED" log line.

grep FAILED /var/log/maillog | awk '{print $9}' | sort -n | uniq -c | sort -n | tail -7

10. Show the number of failed logins, the IP doing the failing, and how many different users it tried to log in as (only IPs with more than 99 failures):

awk -F"ffff:" '/FAILED/ {IP[$NF]++;} END { for ( host in IP ) print IP[host]" "host }' /var/log/maillog | awk '{ if ( $1 > 99 ) print $0 }' | sort -nk1 | sed 's#]##' > IPS; for IP in $(awk '{print $2}' IPS); do echo -n "$(grep $IP IPS)"; echo -n " - Failed users: "; grep $IP /var/log/maillog | awk -F"user=" '/FAILED/ {print $2}' | cut -d, -f1 | sort | uniq | wc -l; done

This will show something like:

135 50.75.12.41 - Failed users: 3
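Items 9 and 10 combined into one function, as an added example that is not part of the original handbook. It assumes courier-style maillog lines ("LOGIN FAILED, user=..., ip=[::ffff:...]"), the sample lines embedded at the end are constructed, and a threshold argument replaces the hard-coded 99 above.

```shell
#!/bin/sh
# Added example, not from the original handbook: failed-login summary per
# source IP, with the number of distinct usernames each IP tried. Many users
# from one IP is the brute-force signature; one user from many IPs is not.

# failed_logins_by_ip LOGFILE [THRESHOLD]
# Prints "<failures> <ip> <distinct users>" for every IP with at least
# THRESHOLD failures (default 1), most failures first.
failed_logins_by_ip() {
    logfile=$1
    threshold=${2:-1}
    awk -v min="$threshold" '
        /LOGIN FAILED/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^user=/) { user = $i; sub(/^user=/, "", user); sub(/,$/, "", user) }
                if ($i ~ /^ip=/)   { ip = $i; sub(/^ip=\[?(::ffff:)?/, "", ip); sub(/\]$/, "", ip) }
            }
            if (ip == "") next
            fails[ip]++
            key = ip SUBSEP user
            if (!(key in seen)) { seen[key] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min) printf "%d %s %d\n", fails[ip], ip, users[ip]
        }' "$logfile" | sort -rn
}

# Constructed sample maillog (not real data) in courier's format.
SAMPLE_MAILLOG=$(mktemp)
cat > "$SAMPLE_MAILLOG" <<'EOF'
Nov  3 10:15:22 host imapd: LOGIN FAILED, user=bob@example.com, ip=[::ffff:203.0.113.5]
Nov  3 10:15:24 host imapd: LOGIN FAILED, user=alice@example.com, ip=[::ffff:203.0.113.5]
Nov  3 10:15:25 host imapd: LOGIN FAILED, user=bob@example.com, ip=[::ffff:203.0.113.5]
Nov  3 10:15:30 host pop3d: LOGIN FAILED, user=carol@example.com, ip=[::ffff:198.51.100.7]
Nov  3 10:15:31 host imapd: LOGIN, user=bob@example.com, ip=[::ffff:203.0.113.5]
EOF

failed_logins_by_ip "$SAMPLE_MAILLOG" 2    # only IPs with two or more failures
```

The successful LOGIN line is deliberately included in the sample: it must not be counted, which is why the pattern is "LOGIN FAILED" and not just "LOGIN".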

11. Show all the emails in queue by domain.

exim -bp | /usr/sbin/exiqsumm

12. Show all the emails in the queue by sender address.

exim -bp | awk 'NF>1{print $4}' | sort | uniq -c | sort -nk1

13. Force delivery of one message

exim -M <messageID>

14. View the log for the message.

exim -Mvl <messageID>

15. View the header of the message

exim -Mvh <messageID>

16. View the body of the message

exim -Mvb <messageID>

17. Remove message without sending any error message.

exim -Mrm <messageID>

18. Number of frozen mails in the queue

exim -bpr | grep frozen | wc -l

19. Deleting frozen Messages

exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm
OR
exiqgrep -z -i | xargs exim -Mrm

20. To check how many emails are in the queue for domain.com, run the following:

exim -bp | grep 'domain.com>'

Make sure the '>' is included: exim -bp prints the sender address in angle brackets (<user@domain.com>), so the trailing '>' matches sender lines only. Without it the grep also matches recipient lines and you get both the to and from results.

21. Top 50 domains using mail server sorted by different criteria.

eximstats -ne -nr /var/log/exim_mainlog

22. Show the IPs connected to the server on port 25, with a connection count per IP.

netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1

23. Find "nobody" spamming (only works while the spamming is going on, because it reads the working directory of the running exim processes).

ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

It will give a result like:

6 PWD=/
347 PWD=/home/sample/public_html/test

Look at the counts: a large value against a directory under a user's public_html means many exim processes were started from that directory, so check the scripts in it. Ignore /, /var/spool/mail and /var/spool/exim, which are the daemon's own working directories.

24. Remove all mails with an empty sender ('<>', i.e. bounce messages).

exim -bp | grep "<>" | awk '{print $3}' | xargs exim -Mrm


Modsecparse.pl cron job error

Scenario

The modsecparse.pl cron job produces the following error:

/etc/cron.hourly/modsecparse.pl:

DBI connect('modsec:localhost','modsec',...) failed: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2) at /etc/cron.hourly/modsecparse.pl line 19

Unable to connect to mysql database at /etc/cron.hourly/modsecparse.pl line 19.

Solution

Try reproducing the error by running the cron job manually:

# /etc/cron.hourly/modsecparse.pl

Read the message carefully. "Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)" is OS error 2 (no such file): the socket does not exist, which means mysqld is not running, or is listening on a different socket path. A wrong password would produce "Access denied for user 'modsec'@'localhost'" instead. So first make sure MySQL is up: in WHM click Service Manager, tick the "mysql" and "mysql monitor" boxes and save the changes, then re-run the script.

If the script now reports "Access denied", make sure the password on the "my $dbpassword" line (line 19 of /etc/cron.hourly/modsecparse.pl) matches the MySQL password of the "modsec" user:

my $dbpassword = 'sample';

You can reset the "modsec" MySQL password to match by following these steps (the user table lives in the mysql database, not in modsec):

mysql> use mysql;
mysql> update user set Password=PASSWORD('sample') where User='modsec';
mysql> flush privileges;
mysql> quit;

Run the cron job manually once more; it should now complete without error.



Disable mod_sec2 for a domain

Disabling Mod_security for an account was easier with Mod_security 1.x: you only had to add the following lines to the .htaccess file in the account's public_html directory:

SecFilterEngine Off
SecFilterScanPost Off

This no longer works, because newer WHM/cPanel versions ship Mod_security 2.x, which does not understand the SecFilter* directives. In this article we review one such case and its solution.

Case

A user was copying an article containing several URLs and pasting it into their online discussion forum. The following error was shown when they tried to submit the post:

(screenshot of the error page)

When the content was plain text (no formatting, no embedded links) they could submit it. This clearly involves Apache, so the error_log has to be checked:

root@server:~ [/home]#tail -f /usr/local/apache/logs/error_log | grep 1xxx.174.208.127

[Mon Jan 07 17:14:11 2013] [error] [client 1xx.174.208.127] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(< ?(?:(?:java|vb)?script|about|applet|activex|chrome) ?>|> ?< ?(img ?src|a ?href) ?= ?(ht|f)tps?:/|" ?> ?<|" ?[a-z]+ ?<.*>|> ?"? ?(>|<)|< ?/?i?frame|\\%env)" at ARGS:quot;" style. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "903"] [id "340147"] [rev "81"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic XSS filter"] [data "3990"] [severity "CRITICAL"] [hostname "my_domain.com"] [uri "/ko/portal/apps/discussions/creatediscussionview.php"] [unique_id "WQyvlUPkwtoAADKsDMwAAAAv"]
[Mon Jan 07 17:14:11 2013] [error] [client 1xxx.174.208.127] File does not exist: /home/sysbc/public_html/my_domain.com/403.shtml, referer: http://my_domain.com/ko/portal/home.php?main=discussview

A pattern in the submitted form data (ARGS, i.e. the POST body, not the URL) matched the generic XSS filter, rule id 340147, and Apache answered with a 403. In this case the client insisted on disabling it for their account; we would not have done so otherwise, for security reasons.

Solution

Disabling Mod_security is the solution, but for this account only. Let's look at the VirtualHost section of this domain:

<VirtualHost xx.xx.xx.xx:80>
ServerName my_domain.com
ServerAlias www.my_domain.com my_domain.com www
DocumentRoot /home/sysbc/public_html/mdom
ServerAdmin webmaster@my_domain.com
UseCanonicalName Off
CustomLog /usr/local/apache/domlogs/my_domain.com combined
CustomLog /usr/local/apache/domlogs/my_domain.com-bytes_log “%{%s}t %I .\n%{%s}t %O .”
## User sysprobc # Needed for Cpanel::ApacheConf
<IfModule mod_suphp.c>
suPHP_UserGroup ysb ysb
</IfModule>
<IfModule concurrent_php.c>
php4_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp”
php5_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/local/lib/php:/tmp”
</IfModule>
<IfModule !concurrent_php.c>
<IfModule mod_php4.c>
php_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp”
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/local/lib/php:/tmp”
</IfModule>
<IfModule sapi_apache2.c>
php_admin_value open_basedir “/home/sysbc:/usr/lib/php:/usr/php4/lib/php:/usr/local/lib/php:/usr/local/php4/lib/php:/tmp”
</IfModule>
</IfModule>
<IfModule !mod_disable_suexec.c>
<IfModule !mod_ruid2.c>
SuexecUserGroup sysbc ysbc
</IfModule>
</IfModule>
<IfModule mod_ruid2.c>
RUidGid sysprobc sysprobc
</IfModule>
ScriptAlias /cgi-bin/ /home/ysbc/public_html/mdom/cgi-bin/

# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com/*.conf"

Take a look at the last 2 lines:

# To customize this VirtualHost use an include file at the following location
# Include "/usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com/*.conf"

By default the directory /usr/local/apache/conf/userdata/std/2 exists. You have to create the rest of the path, sysbc/my_domain.com, exactly as it appears in the Include line:

# mkdir -p /usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com

In that directory create a file vhost.conf with the following lines:

<IfModule mod_security2.c>

SecRuleEngine Off

</IfModule>

After this, rebuild the virtual host configuration so the include is picked up:

# /scripts/ensure_vhost_includes --user=<cPanel username>

Here it would be

# /scripts/ensure_vhost_includes --user=sysbc

then restart Apache (/scripts/restartsrv_httpd) and confirm with a test post that the 403 is gone.
Alternatives

The method explained above disables mod_security entirely for the account, which is neither recommended nor safe. There are narrower ways to do the trick.


You can instead remove only the rule that fired, 340147, the id reported in the error_log above. Note that this cannot go in .htaccess: <LocationMatch> is only valid in the server or virtual host context. Put it in the same vhost.conf include file created above (in place of SecRuleEngine Off) and run ensure_vhost_includes again:

<IfModule mod_security2.c>
<LocationMatch ".*">
SecRuleRemoveById 340147
</LocationMatch>
</IfModule>
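A narrower version of the same exception, added here as an example and not part of the original article: instead of matching every location, it restricts the rule removal to the one script path reported in the error_log, and keeps it in the userdata include (the file name modsec.conf is our choice) where the VirtualHost picks it up. Run ensure_vhost_includes and restart Apache afterwards exactly as in the solution above.

```apache
# /usr/local/apache/conf/userdata/std/2/sysbc/my_domain.com/modsec.conf
# Added example, not from the original article. Path and rule id are the ones
# reported in the error_log; everything else in the account stays protected.
<IfModule mod_security2.c>
    <LocationMatch "^/ko/portal/apps/discussions/creatediscussionview\.php$">
        SecRuleRemoveById 340147
    </LocationMatch>
</IfModule>
```

If the same rule also blocks legitimate edits on a second script, add that path to the LocationMatch expression rather than widening it to ".*"; the goal is that the XSS filter still covers every other request the site receives.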


Apache Abuse: Source IP identification

Scenario

Sometimes the web server becomes heavily loaded by a large number of inbound connections and the server turns sluggish or unresponsive. This is typical during DoS or DDoS attacks. The following commands list the source IPs and the number of connections each has open (ss -ntu gives the same data on hosts without netstat):

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


or


netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The output would look like the following:

 20  2.50.172.59
 21  117.247.123.43
 29  116.202.39.208
 64  92.96.145.2
156  216.70.110.99

The first column is the number of connections and the second column the source IP. An IP with far more connections than the rest, like the last line here, is the one to investigate and, if it is abusive, to block at the firewall.

About this blog

This blog acts as a knowledge repository for the world and is unofficial. Anything we find interesting in the cyber world goes here. In most cases a post reflects the happiness of one of our staff in reaching a successful solution to an issue he or she worked on, and serves as a reference for fellow SAGEs who come across similar issues later.