Sunday 13 January 2013

Rewrite Rules (URL Rewriting, mod_rewrite)



(1) Redirect site from http to https :

Add the below to the .htaccess file in public_html:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The [R=301,L] flags make the redirect permanent and stop further rule processing; without them Apache still redirects (because the target starts with https://) but with a temporary 302. If the server sits behind a proxy or load balancer that terminates TLS, %{HTTPS} stays "off" for every request and this rule loops, so check the forwarded-protocol header in that setup instead.


(2) Redirecting a domain to another domain via .htaccess

Example :- redirect vivek.com to google.com

RewriteEngine on
RewriteCond %{HTTP_HOST} ^vivek\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.vivek\.com$
RewriteRule ^/?$ http://www.google.com/ [R=301,L]

The pattern ^/?$ matches only the site root; requests for deeper paths are not redirected by this rule.

(3) Redirect users to access the site with WWW

Example :- redirect vivek.com to www.vivek.com

Add the below to the .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^vivek\.com$ [NC]
RewriteRule ^(.*)$ http://www.vivek.com/$1 [L,R=301]
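Before putting rules (1) and (3) on a live site it helps to check what a given request will be redirected to, because a rule that also fires on the already-canonical URL loops forever. The plain-sh model below is an added example written for this page, not code from the original post; it assumes www.vivek.com as the canonical host and models the combined rule set shown in its comments (one 301 to https plus www instead of an http-to-https hop followed by a www hop).

```shell
#!/bin/sh
# Added example (not from the original post): a plain-sh model of what a
# combined "force HTTPS" + "force www" rule set does for one request, so the
# redirect logic can be checked before touching a live .htaccess.
# Assumed canonical host: www.vivek.com (the post's example domain).
#
# The .htaccess rules this models (a single redirect instead of two chained):
#   RewriteEngine On
#   RewriteCond %{HTTPS} off [OR]
#   RewriteCond %{HTTP_HOST} !^www\.vivek\.com$ [NC]
#   RewriteRule ^ https://www.vivek.com%{REQUEST_URI} [R=301,L]
CANONICAL_HOST="www.vivek.com"

# canonical_target SCHEME HOST URI
# Prints the Location a single 301 should send the client to, or "none"
# when the request is already canonical (https + www), which is the case a
# loop-free rule set must leave untouched.
canonical_target() {
    scheme="$1"
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # [NC]: host compare is case-insensitive
    uri="$3"                                    # %{REQUEST_URI}: path only, no query string
    if [ "$scheme" = "https" ] && [ "$host" = "$CANONICAL_HOST" ]; then
        printf 'none\n'                         # neither RewriteCond matches: rule does not fire
    else
        printf 'https://%s%s\n' "$CANONICAL_HOST" "$uri"
    fi
    return 0
}

# A few constructed requests, as a browser would present them to Apache.
canonical_target http  vivek.com     /kb/index.php
canonical_target https vivek.com     /
canonical_target http  www.vivek.com /blog/
canonical_target https www.vivek.com /
```

The last call prints "none": that is the request the rule must not touch. Apache re-appends the original query string to the redirect target automatically, which is why the model works on the path alone.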


(4) Redirect page to another page within public_html

Example1 :- to redirect home.html to index.php

RewriteEngine on
RewriteRule ^home\.html$ index.php [L]


Example2 :- rewrite site vivek.com/kb/index.php to vivek.com/blog/index.html

Go to the kb directory and create a .htaccess file:

# cd public_html/kb
# touch .htaccess
# vi .htaccess

RewriteEngine on
RewriteRule ^index\.php$ /blog/index.html [L]

Installing Rkhunter


Rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits.


Installation :

cd /tmp
wget http://ncu.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
tar -xvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --layout default --install

Updating rkhunter

Update the rkhunter data files, then record the file properties baseline (the checksums and attributes later runs are compared against), with the following commands:

/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --propupd




To add a cron job:


Create a file called rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and emails the results to you. Create the file with your favourite editor:

vi /etc/cron.daily/rkhunter.sh


Add the following lines to it and replace "PutYourServerNameHere" with your server name and "your@email.com" with your email id.

#!/bin/sh
# update the data files, then run the checks and mail only the warnings
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

Set execute permission on the file:

chmod 755 /etc/cron.daily/rkhunter.sh

To scan the entire file system, run rkhunter as root:

rkhunter --check

The above command writes its log to /var/log/rkhunter.log, with the results of the checks made by rkhunter.

For more information and options, run:

rkhunter --help
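Once the cron job is in place, the useful signal is the "Warning:" lines in /var/log/rkhunter.log rather than the whole log. The functions below are an added example, not part of the original post; they assume rkhunter's default log line shape ("[HH:MM:SS] Warning: ...") and use a constructed sample log.

```shell
#!/bin/sh
# Added example (not part of the original post): pull the "Warning:" lines out
# of an rkhunter log so a daily mail or a monitoring check can act on them,
# instead of someone reading the whole log by hand.
# Assumes rkhunter's default log line shape "[HH:MM:SS] Warning: ...";
# the sample log below is constructed for this example.

write_sample_log() {   # $1 = path to write the constructed sample to
    cat > "$1" <<'EOF'
[03:15:01] Running Rootkit Hunter version 1.4.0 on server1
[03:15:02] Checking for prerequisites                        [ OK ]
[03:15:03] Info: Starting test name 'properties'
[03:15:04] Warning: The file properties have changed:
[03:15:04]          File: /usr/bin/ssh
[03:15:05] Checking for hidden files and directories         [ Warning ]
[03:15:05] Warning: Hidden directory found: /dev/.udev
[03:15:06] Info: Starting test name 'os_specific'
[03:15:07] System checks summary
[03:15:07] Rootkit checks...
EOF
}

# Print each warning with its timestamp stripped, one per line.
rkhunter_warnings() {
    grep 'Warning: ' "$1" | sed 's/^\[[0-9:]*\] *//'
}

# Number of warnings in the log (0 means a clean run).
rkhunter_warning_count() {
    rkhunter_warnings "$1" | wc -l | tr -d ' '
}

# Exit status 0 only when the log has no warnings, so a cron wrapper can
# decide whether a mail is worth sending at all.
rkhunter_log_clean() {
    [ "$(rkhunter_warning_count "$1")" -eq 0 ]
}

SAMPLE_LOG="${TMPDIR:-/tmp}/rkhunter-sample.log"
write_sample_log "$SAMPLE_LOG"
rkhunter_warnings "$SAMPLE_LOG"
```

On a real host, call the functions with /var/log/rkhunter.log; the "[ Warning ]" status column is deliberately not matched, since the "Warning:" line that follows it carries the detail.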
 
 

Linux Kernel /etc/sysctl.conf Hardening


# Turn on ExecShield (RHEL/CentOS kernels only; other kernels have no kernel.exec-shield key)
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Enable IP spoofing protection (reverse path filtering)
net.ipv4.conf.all.rp_filter = 1

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable ICMP routing redirects
# (sysctl.conf takes "key = value" lines only; a pasted "sysctl -w key=value"
# command makes "sysctl -p" fail on that line. There is no IPv6 send_redirects key.)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Disable the magic SysRq key
kernel.sysrq = 0

# Turn off TCP selective acknowledgements
net.ipv4.tcp_sack = 0

# Turn off TCP timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

Apply the file with "sysctl -p" and check the output for rejected keys; the settings are otherwise only picked up at the next boot.
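Two mistakes are easy to make with a file like this: pasting a "sysctl -w" command into it (which "sysctl -p" rejects) and forgetting to apply it, so the running kernel still has the old values. The script below, an added example and not part of the original post, checks both against a sysctl.conf-style file; the /proc/sys path is a parameter, so here it runs against a constructed mock tree and on a real host it would be given /proc/sys.

```shell
#!/bin/sh
# Added example (not part of the original post): check a sysctl.conf-style
# file for two things an admin wants to know before relying on it:
#  1. lines that are not "key = value" (e.g. a pasted "sysctl -w key=0"
#     command), which "sysctl -p" would reject;
#  2. keys whose running value, read from a /proc/sys tree, differs from the
#     file, i.e. settings that were written but never applied.
# The /proc/sys root is a parameter so the check can run against a mock tree;
# the sample file and tree built below are constructed for this example.

# Print lines that are neither comments, blanks nor "key = value".
sysctl_conf_bad_lines() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" \
      | grep -v -E '^[[:space:]]*[A-Za-z0-9_./-]+[[:space:]]*=[[:space:]]*[^[:space:]]+[[:space:]]*$' || true
}

# Print "key wanted=X running=Y" for every key whose live value differs.
# $1 = conf file, $2 = /proc/sys root ("/proc/sys" on a real host)
sysctl_conf_drift() {
    conf="$1"; root="$2"
    grep -E '^[[:space:]]*[A-Za-z0-9_./-]+[[:space:]]*=' "$conf" | while IFS= read -r line; do
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//; s/^[[:space:]]*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        node="$root/$(printf '%s' "$key" | tr . /)"    # net.ipv4.x -> net/ipv4/x
        if [ ! -r "$node" ]; then
            printf '%s wanted=%s running=<missing>\n' "$key" "$want"
        elif [ "$(cat "$node")" != "$want" ]; then
            printf '%s wanted=%s running=%s\n' "$key" "$want" "$(cat "$node")"
        fi
    done
}

build_sample() {   # $1 = directory to populate with the constructed conf and mock tree
    cat > "$1/sysctl.conf" <<'EOF'
# constructed sample: one pasted command line that sysctl -p would reject
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
sysctl -w net.ipv4.conf.all.accept_redirects=0
kernel.sysrq = 0
EOF
    mkdir -p "$1/proc/sys/net/ipv4/conf/all"
    echo 1 > "$1/proc/sys/net/ipv4/tcp_syncookies"        # matches the file
    echo 0 > "$1/proc/sys/net/ipv4/conf/all/rp_filter"    # file says 1: drift
    # kernel.sysrq is deliberately absent from the mock tree: reported as missing
}

SAMPLE_DIR=$(mktemp -d)
build_sample "$SAMPLE_DIR"
echo "lines sysctl -p would reject:"; sysctl_conf_bad_lines "$SAMPLE_DIR/sysctl.conf"
echo "keys not applied:";             sysctl_conf_drift "$SAMPLE_DIR/sysctl.conf" "$SAMPLE_DIR/proc/sys"
```

Run as "sysctl_conf_drift /etc/sysctl.conf /proc/sys" after "sysctl -p" on a real server; any "missing" line there is a key the running kernel does not have (for example kernel.exec-shield outside RHEL), which is worth knowing before the next reboot.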

Securing Linux Cpanel server


WHM

WHM >> Security Center

1. Compiler Access >> make sure it is disabled for all users except "root".

2. Configure Security Policies >> Password Strength

3. cPHulk Brute Force Protection >> Enable it. White List known IPs if required (say if customer has static IP from ISP).

4. Traceroute Enable/Disable >> Disable it.

5. Shell Fork Bomb Protection >> Enable.

 OS and kernel

6. find / -perm -0002 ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories. This reveals locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

7. find / \( -nouser -o -nogroup \) >> no_owner.txt : Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

8. Make sure no non-root accounts have UID set to 0:

    awk -F: '($3 == "0") {print}' /etc/passwd

   You should see only one line of output, like:

    root:x:0:0:root:/root:/bin/bash
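The checks in items 6 to 8 as functions that take their root directory and passwd file as parameters, so they can be tried on a constructed sample tree before being run against / and /etc/passwd on the server. This is an added example written for this page, not code from the original post.

```shell
#!/bin/sh
# Added example (not part of the original post): the checks from items 6-8
# wrapped as functions that take a root directory and a passwd file as
# parameters, so they run against a mock tree here and against "/" and
# /etc/passwd on a real box. The sample tree and passwd file are constructed.

# World-writable files and directories below $1, symlinks excluded
# (-perm -0002 tests the "other write" bit on its own).
world_writable() {
    find "$1" -perm -0002 ! -type l 2>/dev/null | sort
}

# Files below $1 whose owner or group has no passwd/group entry.
# (Needs files chowned to a vanished uid/gid, so it is not exercised on the sample.)
unowned() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# Accounts other than root that have UID 0 in the passwd file $1.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Build a constructed sample: one world-writable file, one normal file,
# a symlink to the writable file, and a passwd with a second UID-0 user.
build_sample() {   # $1 = directory to populate
    mkdir -p "$1/tree/var/www"
    : > "$1/tree/var/www/upload.php"; chmod 666 "$1/tree/var/www/upload.php"
    : > "$1/tree/var/www/index.php";  chmod 644 "$1/tree/var/www/index.php"
    ln -s upload.php "$1/tree/var/www/link.php"
    chmod 755 "$1/tree" "$1/tree/var" "$1/tree/var/www"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:duplicate root:/:/bin/bash
vivek:x:1000:1000::/home/vivek:/bin/bash
EOF
}

SAMPLE_DIR=$(mktemp -d)
build_sample "$SAMPLE_DIR"
echo "world-writable:"; world_writable "$SAMPLE_DIR/tree"
echo "extra UID 0:";    extra_uid0_accounts "$SAMPLE_DIR/passwd"
```

The symlink is excluded on purpose: a link's own mode is always 777, so without "! -type l" every symlink on the box would show up as a false positive.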

9. Tripwire – Monitors checksums of files and reports changes.
    http://tripwire.com or http://sourceforge.net/projects/tripwire

10. chkrootkit – Scans for common rootkits, backdoors, etc.

    http://www.chkrootkit.org

11. Rkhunter – Scans for common rootkits, backdoors, etc.

    http://www.rootkit.nl/projects/rootkit_hunter.html

  Now create a cron job so it will email the notifications to the root mailbox:
  # crontab -e

    At the bottom add the following line:
   16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

   Save the file and exit the editor.

12. Logwatch – Monitors and reports on daily system activity.

    http://logwatch.org

13. Change the SSH port to a non-standard port.

14. Change SSH "Protocol 2,1" to "Protocol 2" in sshd_config.

15. Enable email alert on root login

    cd /root ; vi .bashrc

   Scroll to the end of the file then add the following ("who am i" reports the current session only, so the subject carries the IP of this login rather than of every user logged in):

   # mail an alert, with the source address of this session in the subject
   echo "ALERT - Root Shell Access (YourServerName) on: $(date) $(who am i)" | mail -s "Alert: Root Access from $(who am i | cut -d'(' -f2 | cut -d')' -f1)" admin@domain.com

 Firewall and misc. security

16. Install the CSF firewall and make sure test mode is disabled after opening all used ports.

   IMP: Make sure the SSH port set in #13 is opened in the firewall.

   CSF Connection Limit
   The CT options in csf.conf control connection tracking; configure them like this:
   CT_LIMIT = "100"
   Every IP with more than 100 connections is going to be blocked.
   CT_PERMANENT = "1"
   The IP will be blocked permanently (set "0" to block only for CT_BLOCK_TIME).
   CT_BLOCK_TIME = "1800"
   The IP will be blocked for 1800 secs (1800 secs = 30 mins).
   CT_INTERVAL = "60"
   Set this to the number of seconds between connection tracking scans.
   After editing csf.conf, restart csf (csf -r).

17. Tweak LFD and CSF to prevent DoS.

18. Secure /tmp, /dev/shm and /var/tmp

 PHP security

19. Disable vulnerable PHP functions. Find disable_functions in php.ini and set:

    disable_functions = system, show_source, symlink, exec, dl,
    shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd

20. Enable suPHP if the server is for shared hosting.

21. WHM >> Configure PHP and suEXEC >> set the suPHP handler and enable suexec

Apache

22. Install mod_security and cmc to manage the mod_security rules via WHM. See http://configserver.com/cp/cmc.html

23. Install mod_evasive.

FTP

24. WHM >> Service Configuration >> FTP Server Configuration

   Make sure Anonymous logins and uploads are disabled.

MySQL

25. Disable networking if you don't need anyone to remotely connect to MySQL server.

     Add the below line to my.cnf

    skip-networking

Saturday 12 January 2013

Enabling Second-Level Quotas for Openvz containers

The parameter that controls second-level disk quotas is QUOTAUGIDLIMIT in the Container configuration file. By default the value of this parameter is zero, which means per-user and per-group quotas are disabled.

If you assign a non-zero value to the QUOTAUGIDLIMIT parameter, this has the two following results:

Second-level (per-user and per-group) disk quotas are enabled for the given Container;
The value that you assign to this parameter becomes the limit on the number of file owners and groups in this Container, including Linux system users. Note that you will theoretically be able to create extra users in this Container, but if the number of file owners inside the Container has already reached the limit, these users will not be able to own files.

Enabling per-user and per-group quotas for a Container requires restarting the Container. The value should be chosen carefully: the bigger the value you set, the bigger the kernel memory overhead this Container creates. The value must be greater than or equal to the number of entries in the Container's /etc/passwd and /etc/group files. Given that a newly created Red Hat Linux-based Container has about 80 entries in total, the typical value is 100. For Containers with a large number of users this value may be increased.

When managing the quotaugidlimit parameter, please keep in mind the following:

If you delete a registered user but some files with their ID remain inside your Container, the current number of ugids (user and group identities) inside the Container will not decrease.
If you copy an archive containing files with user and group IDs not registered inside your Container, the number of ugids inside the Container will increase by the number of these new IDs.

The session below turns on second-level quotas for Container 101:

# vzctl set 101 --quotaugidlimit 100 --save
Unable to apply new quota values: ugid quota not initialized
Saved parameters for Container 101

You have to stop the Container and start it again for the change to take effect, as the value cannot be applied to a running Container.

# vzctl stop 101
Stopping Container ...
Container was stopped
Container is unmounted
# vzctl start 101
Starting Container ...
Container is mounted
Adding IP address(es): 192.168.1.101
Hostname for Container set: ct101
Container start in progress...

In order to check that the parameter is enabled for the Container, issue the following command on the hardware node (CT_ID is the Container ID, 101 in the session above):

grep -i QUOTAUGIDLIMIT /etc/sysconfig/vz-scripts/CT_ID.conf

If you get the expected QUOTAUGIDLIMIT value, it is enabled.
If you get an empty result, or a value of zero, second-level quotas are not enabled for this Container (the parameter is unset or zero).
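Choosing the value means counting the Container's passwd and group entries and leaving headroom; verifying it means reading the CT config back. The helpers below are an added example and not part of the original post: the 25% headroom with a floor of 100 is this example's own rule of thumb (based only on the post's statements that the limit must be at least the entry count and that about 80 entries usually gets 100), and the passwd, group and CT configuration files it builds are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): helper functions for sizing
# and verifying QUOTAUGIDLIMIT. The headroom rule (25% above the current
# passwd+group entry count, never below 100) is this example's own choice.
# The sample passwd, group and CT configuration files below are constructed.

# Number of entries in the Container's passwd ($1) and group ($2) files.
ugid_entries() {
    cat "$1" "$2" | grep -c -v '^[[:space:]]*$'
}

# Suggested QUOTAUGIDLIMIT for the given passwd ($1) and group ($2).
recommend_quotaugidlimit() {
    n=$(ugid_entries "$1" "$2")
    limit=$(( n + n / 4 ))
    [ "$limit" -lt 100 ] && limit=100
    echo "$limit"
}

# Read QUOTAUGIDLIMIT from a CT config ($1); prints 0 when unset, which is
# the "second-level quotas disabled" state.
ct_quotaugidlimit() {
    v=$(grep -i '^QUOTAUGIDLIMIT=' "$1" | tail -n 1 | sed 's/^[^=]*=//; s/"//g')
    echo "${v:-0}"
}

build_sample() {   # $1 = directory for the constructed files
    i=0
    : > "$1/passwd"; : > "$1/group"
    while [ $i -lt 60 ]; do
        echo "user$i:x:$((1000 + i)):$((1000 + i))::/home/user$i:/bin/sh" >> "$1/passwd"
        i=$((i + 1))
    done
    i=0
    while [ $i -lt 40 ]; do
        echo "group$i:x:$((1000 + i)):" >> "$1/group"
        i=$((i + 1))
    done
    # CT 101 has quotas enabled; CT 102 has the parameter unset (disabled)
    printf 'VE_ROOT="/vz/root/$VEID"\nQUOTAUGIDLIMIT="100"\n' > "$1/101.conf"
    printf 'VE_ROOT="/vz/root/$VEID"\n' > "$1/102.conf"
}

SAMPLE_DIR=$(mktemp -d)
build_sample "$SAMPLE_DIR"
echo "entries:     $(ugid_entries "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
echo "recommended: $(recommend_quotaugidlimit "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
echo "CT 101 limit: $(ct_quotaugidlimit "$SAMPLE_DIR/101.conf")"
echo "CT 102 limit: $(ct_quotaugidlimit "$SAMPLE_DIR/102.conf")"
```

On the hardware node the passwd and group arguments would be the files under the Container's private area (for example /vz/private/101/etc/passwd) and the config argument /etc/sysconfig/vz-scripts/101.conf.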


Migrating SSL certificate from old server to new one

1. Login as root via SSH.

You will find the cert, CA bundle and the private key in the /etc/ssl folder.

root@server [/etc/ssl]# ls
./ ../ certs/ private/

Inside the certs folder you will find domain.crt and domain.cabundle.

Inside the private folder you will see the domain key.

2. Copy the contents of those files to a text editor (notepad).

3. Login to WHM on the new server and make sure that the site is on a dedicated IP.

If not, change the site's IP address to a dedicated IP.

4. Via WHM >> Install an SSL Certificate and Setup the Domain >> enter the cert, key and bundle.

Make sure that the username, IP and domain name are in the respective fields.

5. Submit and you are done.

6. Make sure that https://domain.com works before updating the customer.
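Before step 4, it is worth confirming with openssl that the copied cert, key and CA bundle actually belong together and that the cert is not about to expire, since a mismatched key is the usual reason the new site's HTTPS fails after a migration. The functions below are an added example and not part of the original post; file paths are parameters, and the sample key material is self-signed test data generated locally by the block itself.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks to run on the
# copied cert, key and CA bundle before pasting them into WHM. Paths are
# parameters; the sample material below is generated locally with openssl.

# 0 when certificate $1 was issued for private key $2: both are reduced to
# their public key and compared textually.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 when certificate $1 chains to CA bundle $2 (what browsers will check).
cert_chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when certificate $2 is still valid $1 days from now.
cert_valid_for_days() {
    openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Run all three checks the way a migration script would, printing a verdict.
check_ssl_set() {   # $1 = cert, $2 = key, $3 = CA bundle
    cert_matches_key "$1" "$2" || { echo "key does not match cert"; return 1; }
    cert_chain_ok "$1" "$3"    || { echo "cert does not chain to bundle"; return 1; }
    cert_valid_for_days 7 "$1" || { echo "cert expires within 7 days"; return 1; }
    echo "cert, key and bundle are consistent"
}

make_sample() {   # $1 = directory; constructed, self-signed test material
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=domain.com' -days 30 \
        -keyout "$1/domain.key" -out "$1/domain.crt" >/dev/null 2>&1
    cp "$1/domain.crt" "$1/domain.cabundle"      # self-signed: it is its own chain
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Other CA' -days 30 \
        -keyout "$1/ca.key" -out "$1/other-ca.crt" >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)
make_sample "$SAMPLE_DIR"
check_ssl_set "$SAMPLE_DIR/domain.crt" "$SAMPLE_DIR/domain.key" "$SAMPLE_DIR/domain.cabundle"
```

On the old server the same call is "check_ssl_set /etc/ssl/certs/domain.crt /etc/ssl/private/domain.key /etc/ssl/certs/domain.cabundle"; running it there, before copying anything, also catches a key file that was already wrong on the source.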