How to (Automatically) Backup Your Website into Dropbox

As a website owner, one of the more important things you should do is to back up the website regularly. Most web hosting providers run daily or weekly backups, but mainly for their own disaster recovery purposes. You can back up the website yourself using the Backup function in hosting control panels like cPanel, Plesk and DirectAdmin.

A good backup should meet the following criteria:

  • Back up your data as frequently as possible.
  • Give higher priority to critical data like database and web contents. Try to exclude temporary files.
  • Your backup should NOT be saved inside the same server.
  • Your backup should be retrievable and accessible anytime, anywhere.
  • You should get notified of the status of every scheduled backup.
  • Your backup should be compressed, if disk space or bandwidth is your concern.

Cloud storage is becoming the best way to store files. Popular providers like Amazon S3, Dropbox, iCloud and Box.net offer it for free, with some limitations. But none of them support FTP as the transfer medium, while almost all web hosting providers allow only that transfer method.

Backup Box

Here’s where Backup Box comes in. Backup Box helps you securely transfer anything on an FTP server to your Dropbox account. Backup Box can also integrate your FTP account with cloud storage providers like Amazon, GitHub, Box.net and Flickr. At the moment only Dropbox integration is supported; the others are still under development. It is free to use, with limited features such as a monthly backup schedule and immediate transfers. In this post I focus on preparing the backup data for a weekly backup on a cPanel server.

We can use this tool in various ways, for example: 1) directly copying the web directory using FTP and transferring it to Dropbox (compressed or uncompressed), or 2) creating a compressed backup (a cPanel backup) and using FTP to fetch that backup into Dropbox.

Before we proceed with the tutorial, ensure that you have the following required information:

  • An FTP account which is mapped to your web directory. Get it from your hosting control panel.
  • A Dropbox account. You can register here for free.
  • A Backup Box account. You can register here for free.

Web directory > FTP > Dropbox

Since the database is also important, we need to prepare a database backup and put it into our web directory. On Linux hosting you can use the task scheduler, cron, with some help from mysqldump. In cPanel it is located under cPanel > Advanced > Cron jobs.

Let’s use the following data as an example:

Web directory path: /home/mycpanel/public_html
cPanel username: mycpanel
cPanel password: mypass123$

Create a new weekly cron job and use the following command:

mysqldump --opt -Q -u mycpanel -p'mypass123$' --all-databases > /home/mycpanel/public_html/databases.sql


This will create an SQL backup file that includes all the databases under your cPanel account. Log in to Backup Box. On the left panel, log in to the FTP account by clicking the ‘gear’ icon. On the right panel, log in to your Dropbox account.
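As an added example (not from the original post), here is a cron-friendly version of the mysqldump step: the password comes from a mode-600 option file instead of the cron command line (where any user on the server can read it from the process list), the dump is compressed, and it is written to a folder outside public_html so it is never served over HTTP. The option file name, the backups folder and the retention count are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-friendly version of the
# mysqldump step. The password is read from a mode-600 option file rather than
# passed on the command line, the dump is compressed, and it is written outside
# public_html. Paths, the option file name and the retention count are this
# example's assumptions; map the Backup Box FTP account to BACKUP_DIR.

CPANEL_USER="${CPANEL_USER:-mycpanel}"
# [client] section with user= and password=; create it once with chmod 600
DEFAULTS_FILE="${DEFAULTS_FILE:-/home/$CPANEL_USER/.backup.cnf}"
# Dump location outside the web root
BACKUP_DIR="${BACKUP_DIR:-/home/$CPANEL_USER/backups}"
KEEP="${KEEP:-4}"                       # number of dumps to retain
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"     # overridable for testing

# Refuse to run if the option file is readable by anyone but its owner.
check_defaults_perms() {
    file="$1"
    [ -f "$file" ] || { echo "missing option file: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$file must be mode 600, is $mode" >&2; return 1 ;;
    esac
}

# Write a compressed dump of all databases and print its path.
dump_databases() {
    check_defaults_perms "$DEFAULTS_FILE" || return 1
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/databases-$(date +%Y%m%d-%H%M%S).sql.gz"
    tmp="$out.tmp"
    # --defaults-extra-file has to be the first option mysqldump sees
    "$MYSQLDUMP" --defaults-extra-file="$DEFAULTS_FILE" --opt -Q --all-databases > "$tmp" \
        || { rm -f "$tmp"; echo "mysqldump failed" >&2; return 1; }
    gzip -9 -c "$tmp" > "$out" && rm -f "$tmp"
    echo "$out"
}

# Delete all but the newest $KEEP dumps (file names sort by timestamp).
prune_old_dumps() {
    ls -1 "$BACKUP_DIR"/databases-*.sql.gz 2>/dev/null | sort -r \
        | tail -n +$((KEEP + 1)) | while read -r f; do rm -f "$f"; done
}

# Cron entry (weekly, Sunday 03:00):  0 3 * * 0 /home/mycpanel/bin/dbdump.sh run
if [ "${1:-}" = "run" ]; then
    dump_databases && prune_old_dumps
fi
```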

(Screenshot: Transfer public_html as a folder)

In the Transfer Options, choose Transfer public_html as a folder. This will transfer the whole public_html folder, including all files, into your Dropbox account. You can now start the immediate transfer by clicking Review. Once done, you can create a Monthly schedule to automate this backup task every month: just click Monthly > select Date and Time > Finalize and Run. Note: if you want weekly or daily backups, you need to upgrade your subscription as stated on the website. Do not forget to change the cron job setting to match when you want the backup to happen.

cPanel backup > FTP > Dropbox

The good thing about cPanel is that you can generate your own backup automatically using the cPanel API. In this case we will use a PHP script, run on a schedule, to generate the backup. Since the backup location needs to be exclusively for Backup Box, we need to create an FTP account that is mapped to a new backup folder.

Go to cPanel > FTP and create an FTP account as in the screenshot below. Do not create the FTP directory under public_html, because it is publicly accessible via a web browser (unless you protect the directory with a password):

(Screenshot: Add FTP Account)

We use PHP with the cPanel API to trigger the backup process. Download this file (cpanel-php-backup.zip) and unzip it. You should see two files, cpanel-backup.php and xmlapi.php.inc. Change all the required information inside cpanel-backup.php as below:

// Credentials for cPanel account
$source_server_ip = ""; // Server IP or domain name eg: 212.122.3.77 or cpanel.domain.tld
$cpanel_account = ""; // cPanel username
$cpanel_password = ""; // cPanel password
// Credentials for FTP to Backup Box
$ftpacct = ""; // FTP account
$ftppass = ""; // FTP password
$email_notify = ''; // Email address for backup notification

Save the file and upload both files into your public_html directory using FTP. You can generate a backup by accessing the PHP file directly in a browser, usually http://www.yourwebsite.com/cpanel-backup.php .

To automate cPanel backup creation, set up a weekly cron job in cPanel with the following command:

php -q /home/username/public_html/cpanel-backup.php

Here is a sample:

(Screenshot: Add New Cron Job)

Log in to Backup Box. On the left panel, log in to the FTP account (use the Backup Box FTP account) and on the right panel, log in to your Dropbox account:

(Screenshot: Transfer only the contents of /)

Since we store the backup files in a dedicated folder, we can transfer only its contents. Select Transfer only the contents of / in the Transfer Options as the transfer method.

You can now start the immediate transfer by clicking Review. This will transfer the contents of the backup folder to Dropbox. Once done, you can create a Monthly schedule to automate this backup task every month: just click Monthly > select Date and Time > Finalize and Run.

Note: if you want weekly or daily backups, you need to upgrade your subscription as stated on the website. If you do, do not forget to change the cron job setting according to your backup schedule. Another thing: the PHP script deletes all previous cPanel backups before it generates a new one. This is to make sure your backups do not eat up too much disk space.

Posted in Backup, CPanel

How to force www or non-www in htaccess

You need to create a .htaccess file under the webroot directory of your domain and store the following code in it.

Be sure to replace ‘test.com’ with your actual domain name. NOTE: do not place both blocks of code in the file, as the two rules would redirect back and forth and cause an error.

#Force www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^test\.com$ [NC]
RewriteRule ^(.*)$ http://www.test.com/$1 [L,R=301,NC]

#Force non-www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.test\.com$ [NC]
RewriteRule ^(.*)$ http://test.com/$1 [L,R=301]

Now, when you type in your domain name with or without www in front, it should display as you have set it in the .htaccess file.

Posted in Linux

Setting up TCP Wrappers and local firewall on a remote host

If you use local firewall rules and TCP wrappers on a remote host where you might get locked out, with no easy way to log in again, here is a quick howto on playing it safe. The trick is to set up a couple of cron jobs to undo whatever you stuffed up.

I scheduled two 10-minute recurring jobs. That gives you 10-minute windows for configuring/testing before security resets.

Set two cron jobs:

[root@kanyakonil root]# crontab -l
*/10 * * * * cp /root/hosts.deny /etc/hosts.deny
*/10 * * * * /sbin/iptables --flush
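The same safety net, as an added example that is not from the original post: instead of two crontab lines that reset every 10 minutes whether you need it or not, a background timer puts the saved rules back unless you cancel it after confirming you can still log in. Function names, STATE_DIR and the snapshot/restore commands are this example's own; the commands are variables so the timer logic can be exercised without root or iptables.

```shell
#!/bin/sh
# Added example, not from the original post: a timed rollback for firewall
# and TCP wrapper changes. Usage (names are this example's own):
#   . ./fw_safety.sh
#   fw_arm 600       # snapshot rules, hosts.allow and hosts.deny; undo in 10 min
#   ... change iptables / hosts.allow / hosts.deny, test from another host ...
#   fw_confirm       # you still get in: keep the changes, cancel the rollback

STATE_DIR="${STATE_DIR:-/root/fw-safety}"
SNAPSHOT_CMD="${SNAPSHOT_CMD:-default_snapshot}"
RESTORE_CMD="${RESTORE_CMD:-default_restore}"

# Save the live firewall and TCP wrapper configuration into STATE_DIR.
default_snapshot() {
    iptables-save > "$STATE_DIR/iptables.rules" &&
    cp /etc/hosts.deny "$STATE_DIR/hosts.deny" &&
    cp /etc/hosts.allow "$STATE_DIR/hosts.allow"
}

# Put the saved configuration back (what the two cron jobs above do).
default_restore() {
    iptables-restore < "$STATE_DIR/iptables.rules"
    cp "$STATE_DIR/hosts.deny" /etc/hosts.deny
    cp "$STATE_DIR/hosts.allow" /etc/hosts.allow
}

# fw_pending: succeeds if a rollback timer is still running.
fw_pending() {
    [ -f "$STATE_DIR/timer.pid" ] || return 1
    kill -0 "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null
}

# fw_arm [SECONDS]: snapshot now and restore automatically after SECONDS
# (default 600) unless fw_confirm is run first.
fw_arm() {
    secs="${1:-600}"
    if fw_pending; then
        echo "rollback already armed (pid $(cat "$STATE_DIR/timer.pid"))" >&2
        return 1
    fi
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 1
    "$SNAPSHOT_CMD" || return 1
    # the timer is a subshell; killing it during the sleep cancels the restore
    ( sleep "$secs" && "$RESTORE_CMD" && rm -f "$STATE_DIR/timer.pid" ) &
    echo $! > "$STATE_DIR/timer.pid"
    echo "rollback armed: saved rules come back in ${secs}s unless you run fw_confirm"
}

# fw_confirm: the new rules let you in, so cancel the rollback and keep them.
fw_confirm() {
    fw_pending || { echo "no rollback pending" >&2; return 1; }
    pid=$(cat "$STATE_DIR/timer.pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -f "$STATE_DIR/timer.pid"
    echo "rollback cancelled; run 'service iptables save' to keep the rules across reboots"
}
```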

Tcp wrappers:

I made a copy of /etc/hosts.deny file in /root and then waited for the next cron run to test if the copy is really working as expected.

It looked good after cron ran.

# cat /etc/hosts.deny
#
...
#ALL: ALL

Now uncomment the ALL: ALL line in the real /etc/hosts.deny and start testing /etc/hosts.allow rules.

# more /etc/hosts.allow
...
# Host allowed to SSH
sshd: xx.xx.xx.xx

Test from a non-allowed host and from an allowed host.

Feb 24 05:32:56 kanyakonil sshd[12346]: pam_unix(sshd:session): session opened for user aharon by (uid=0)
Feb 24 05:33:43 kanyakonil sshd[12380]: refused connect from host.domain.com (::ffff:xx.xx.xx.xx)
Feb 24 05:34:34 kanyakonil sshd[12386]: Accepted password for aharon from xx.xx.xx.xx port 37415 ssh2
Feb 24 05:34:34 kanyakonil sshd[12386]: pam_unix(sshd:session): session opened for user aharon by (uid=0)

Now let’s tune the firewall rules.

List rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Saved rules in this file:

# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Delete unneeded rules:

# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
# iptables -D INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT

Check (and test using something like nmap):

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

kanyakonil@philip:~$ sudo nmap -A -T4 192.168.1.3

Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-16 22:42 WIT
Interesting ports on 192.168.1.3:
Not shown: 1693 filtered ports
PORT    STATE  SERVICE     VERSION
80/tcp  open   http        Apache httpd 2.2.0 ((Linux/SUSE))
113/tcp closed auth
139/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
445/tcp open   netbios-ssn Samba smbd 3.X (workgroup: HOME)
MAC Address: 00:0D:88:B3:72:F3 (D-Link)
Device type: general purpose|WAP|specialized|storage-misc|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), Siemens linux (93%), Atmel Linux 2.6.X (92%), Inventel embedded (89%), Linksys Linux 2.4.X (89%), Asus Linux 2.4.X (89%), Maxtor Linux 2.4.X (89%), Netgear embedded (87%)
Aggressive OS guesses: Linux 2.6.13 - 2.6.18 (97%), Siemens Gigaset SE515dsl wireless broadband router (93%), Linux 2.6.11 - 2.6.15 (Ubuntu or Debian) (93%), Linux 2.6.15-27-686 (Ubuntu Dapper, X86) (93%), Atmel AVR32 STK1000 development board (runs Linux 2.6.16.11) (92%), Linux 2.6.14 - 2.6.17 (92%), Linux 2.6.17 - 2.6.18 (x86) (92%), Linux 2.6.17.9 (X86) (92%), Linux 2.6.9-42.0.2.EL (RedHat Enterprise Linux) (92%), Linux 2.6.9 - 2.6.12 (x86) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 58.830 seconds


Save the rules:

# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Check stored rules:

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Fri Feb 24 05:48:21 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [734:96465]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3001 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Feb 24 05:48:21 2012

Check running rules:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:etlservicemgr
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:redwood-broker
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Posted in Security

Some Shell Scripts

Shell script to add a zone to a DNS server.

NS1 = ns1.example.net
NS2 = ns2.example.net

#!/bin/bash
# Check that the script is being run as root
grep=$(which grep)
rndc=$(which rndc)
if [ "$(id -u)" != "0" ]; then
    echo "You must be root in order to run this script. You are $(whoami)."
    exit 1
fi
# If this is a cPanel server, exit: a DNS zone can be created from WHM
if [ -d "/usr/local/cpanel" ]; then
    echo "This is a cPanel box. You can create the DNS zone from WHM."
    exit 1
# If this is a Plesk server, exit: the DNS zone can be created from Plesk itself
elif [ -d "/usr/local/psa" ]; then
    echo "This is a Plesk box. You can create the DNS zone from the Plesk Control Panel."
    exit 1
fi

# Take the domain and IP address from the command line, or prompt for them
domain=$1
if [ -z "$domain" ]; then
    echo "Please enter the domain name"
    read -r domain
fi
ip=$2
if [ -z "$ip" ]; then
    echo "Please enter the IP address for the domain"
    read -r ip
fi

# Shape check: four dot-separated groups of 1-3 digits
test=$(echo "${ip}." | $grep -E "^([0-9]{1,3}\.){4}$")
if [ -z "$test" ]; then
    echo "${ip} is not a valid IP address, exiting script!"
    exit 1
fi
# Range check: each octet must be 0-255; awk's exit status decides whether we continue
echo "$ip" | awk -F. '{
    if ( (($1>=0) && ($1<=255)) && (($2>=0) && ($2<=255)) && (($3>=0) && ($3<=255)) && (($4>=0) && ($4<=255)) ) {
        print($0 " is a valid IP address. Using this IP.");
    } else {
        print($0 ": Please specify a correct IP address.");
        exit 1;
    } }' || exit 1

# Optional prompts from the original script, left disabled: the nameservers below are fixed
#echo "The zone file for the domain $domain will be created using $ip."
#admin=$3
#echo "Please enter the administrator for this domain's DNS in a admin.domain.com form"
#read admin
#ns1=$4
#echo "Please enter the primary nameserver for $domain"
#read ns1
#ns2=$5
#echo "Please enter the secondary nameserver for $domain"
#read ns2

# OK, so enough with the chit-chat, let's move on to the DNS stuff
serial=$(date +%Y%m%d00)
folder=$(echo "$domain" | cut -c1)
zonefile="/var/named/$folder/$domain.zone"
mkdir -p "/var/named/$folder"
touch "$zonefile"
{
    echo '$ORIGIN .'
    echo '$TTL 600     ; 10 minutes'
    echo "$domain   IN     SOA    ns1.$domain. root.ns1.example.net. ("
    echo "               $serial    ; serial, todays date + todays serial"
    echo "               7200           ; refresh, seconds"
    echo "               3600            ; retry, seconds"
    echo "               43200         ; expire, seconds"
    echo "               3600 )            ; minimum, seconds"
    echo "                  IN       A    $ip"
    echo "                  IN       NS    ns1.example.net"
    echo "                  IN       NS    ns2.example.net"
    echo "                  IN       MX    5 mail.$domain."
    echo "\$ORIGIN $domain."
    echo "mail.$domain. IN     A     $ip"
    echo "www           IN     CNAME $domain."
    echo "ftp           IN     A     $ip"
    echo "sql           IN     A     $ip"
    echo "ns1           IN     A     $ip"
    echo "ns2           IN     A     $ip"
} >> "$zonefile"
echo "Done creating DNS zone, adding the zone to named.conf in named.zone file"
{
    echo "zone \"$domain\" IN {"
    echo "     type master;"
    echo "     file \"$zonefile\";"
    echo "     allow-transfer {"
    echo "     10.10.11.243;"
    echo "     };"
    echo "};"
} >> /etc/named/named.zone
echo "Zone added to named.conf. Restarting rndc & named"
sleep 2
$rndc reload
/etc/init.d/named restart
echo "All done"


Script to check if an IP address is blacklisted

#!/bin/sh
# -- $Id: blcheck.xml,v 1.8 2007/06/17 23:38:00 j65nko Exp $ --

#*/15 * * * * sh /root/spam.sh 38.111.101.66|mail -s "Spam Report in 15 Min" inct@rohtan.com
#*/15 * * * * sh /root/spam.sh 38.111.101.100|mail -s "Spam Report in 15 Min" inct@rohtan.com

# Check if an IP address is listed on one of the following blacklists
# The format is chosen to make it easy to add or delete
# The shell will strip multiple whitespace

BLISTS="
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
    combined.njabl.org
"

# simple shell function to show an error message and exit
#  $0  : the name of shell script, $1 is the string passed as argument
# >&2  : redirect/send the message to stderr

ERROR() {
  echo $0 ERROR: $1 >&2
  exit 2
}

# -- Sanity check on parameters
[ $# -ne 1 ] && ERROR 'Please specify a single IP address'

# -- if the address consists of 4 groups of minimal 1, maximal 3 digits, separated by '.'
# -- reverse the order
# -- if the address does not match these criteria the variable 'reverse' will be empty

reverse=$(echo $1 |
  sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p")

if [ "x${reverse}" = "x" ] ; then
      ERROR  "IMHO '$1' doesn't look like a valid IP address"
      exit 1
fi

# Assuming an IP address of 11.22.33.44 as parameter or argument

# If the IP address in $1 passes our crude regular expression check,
# the variable  ${reverse} will contain 44.33.22.11
# In this case the test will be:
#   [ "x44.33.22.11" = "x" ]
# This test will fail and the program will continue

# An empty '${reverse}' means that shell argument $1 doesn't pass our simple IP address check
# In that case the test will be:
#   [ "x" = "x" ]
# This evaluates to true, so the script will call the ERROR function and quit

# -- do a reverse ( address -> name) DNS lookup
REVERSE_DNS=$(dig +short -x $1)

echo IP $1 NAME ${REVERSE_DNS:----}

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do

    # print the UTC date (without linefeed)
    printf $(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S_%Z")

    # show the reversed IP and append the name of the blacklist
    printf "%-40s" " ${reverse}.${BL}."

    # use dig to lookup the name in the blacklist
    #echo "$(dig +short -t a ${reverse}.${BL}. |  tr '\n' ' ')"
    LISTED="$(dig +short -t a ${reverse}.${BL}.)"
    echo ${LISTED:----}

done

# --- EOT ------
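Both scripts above check the IP address only by shape (four groups of 1-3 digits), so an address like 999.1.1.1 passes. As an added example that is not part of either script, here is a stricter pure-shell check that also enforces the 0-255 range and builds the reversed name the blacklist lookup needs; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of either script above: a stricter IPv4 check than
# the two regular expressions they use. Each octet must be 0-255, and leading
# zeros are rejected (some resolvers read "010" as octal). It also builds the
# reversed name a DNSBL query needs. Function names are this example's own.

# valid_ipv4 ADDR: exit status 0 if ADDR is a dotted-quad IPv4 address
valid_ipv4() {
    addr="$1"
    # only digits and dots, no leading, trailing or double dot
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
        case "$octet" in 0?*) return 1 ;; esac   # "01", "007": ambiguous
    done
    return 0
}

# reverse_ipv4 ADDR: print the octets in reverse order (d.c.b.a), as used in
# the blacklist lookup above, or nothing with status 1 if ADDR is not valid
reverse_ipv4() {
    valid_ipv4 "$1" || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%s.%s.%s.%s\n' "$4" "$3" "$2" "$1"
}

# dnsbl_name ADDR ZONE: the fully qualified name to look up for ADDR in ZONE,
# e.g. 44.33.22.11.zen.spamhaus.org. for 11.22.33.44
dnsbl_name() {
    rev=$(reverse_ipv4 "$1") || return 1
    printf '%s.%s.\n' "$rev" "$2"
}
```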

Posted in Linux, Shell Script

Monitor Linux services using a bash script

# vi check_httpd.sh

#!/bin/sh
# Collect the PIDs of any running httpd processes (empty if none)
run=`ps ax | grep /usr/local/apache/bin/httpd | grep -v grep | cut -c1-5 | paste -s -`
if [ "$run" ];
then
    echo "apache is running" > /home/admin/check_httpd.log
else
    # Nothing running: restart Apache and mail the error log to the admin
    /usr/local/apache/bin/apachectl -k restart
    mail -s "Apache server restarted by check-httpd script " admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log
fi

Or (only for Apache):

# vi check_httpd.sh

#!/bin/sh
cd /tmp
# Fetch the site; a non-zero exit status means the web server did not answer
wget -q -O /dev/null adminlogs.info:80
if [ $? -gt 0 ]; then
    /usr/local/apache/bin/apachectl -k restart
    mail -s "Apache server restarted by check-httpd script " admin [at]adminlogs[dot]info < /usr/local/apache/logs/error.log
fi

$? contains the return code of the last executed process, and -gt means greater than. Programs usually return zero on success and something else on failure.

Add the script to crontab (it will check the status every 5 minutes):

*/5 * * * * /bin/bash check_httpd.sh

It worked fine, and now I have no worry about that website and am getting good sleep :)

Posted in Apache, Linux, Optimize, Shell Script

CentOS Fix for the Bash Bug (CVE-2014-6271 & CVE-2014-7169)

Bash, aka the Bourne-Again Shell, has a newly discovered security hole, officially documented as CVE-2014-6271 & CVE-2014-7169. For many Unix or Linux web servers it is a major problem.

The flaw involves how Bash evaluates environment variables. With specially crafted variables, an attacker could use this hole to execute shell commands. This, in turn, could render a server vulnerable to ever greater assaults.

After a couple of days of trouble, today we got a fix from CentOS for the now famous Bash security issue (for the known holes CVE-2014-6271 & CVE-2014-7169).

CentOS 5 fix:

* i386:

( sha256sum ) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7 : bash-3.2-33.el5_10.4.i386.rpm

* x86_64:

( sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c : bash-3.2-33.el5_10.4.x86_64.rpm

CentOS 6 fix:

* x86_64:

http://mirror.centos.org/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm

* i386:

http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm

Test output:

[root@ ~]# rpm -qa | grep bash
bash-3.2-32.el5
[root@ ~]# env X='() { (a)= >\' bash -c "echo date";
bash: X: line 0: syntax error near unexpected token `='
bash: X: line 0: `X () { (a)= >\'
bash: error importing function definition for `X'
date
[root@ ~]#

* After updating to the latest bash rpm:

[root@ ~]# rpm -qa | grep bash
bash-3.2-33.el5_10.4
[root@ ~]#
[root@ ~]# env X='() { (a)= >\' bash -c "echo date";
date
[root@ ~]#

Posted in Linux

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

Today I saw an interesting error while restarting Apache:
=======
]# /etc/init.d/httpd restart
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
Stopping httpd: [ OK ]
Starting httpd: shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
[ OK ]
]#
===========
Maybe you have faced this too, or will. Don’t be surprised; just do a “cd /” (or cd to any other directory) and it will fix the error!

This happens because the current working directory from which the command was run no longer exists on the server.

Posted in Linux

Heart Bleeding

A Google security engineer reported a serious bug in current OpenSSL on 3 April 2014: TLS heartbeat read overrun (CVE-2014-0160). Thanks to Neel Mehta of Google Security and the team of security engineers (Riku, Antti and Matti) at Codenomicon for discovering the bug.

As per OpenSSL, only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. It is advised to upgrade to OpenSSL 1.0.1g ( https://www.openssl.org/source/openssl-1.0.1g.tar.gz ) to fix this issue, or to recompile affected versions with the option -DOPENSSL_NO_HEARTBEATS.

You may also need to recompile other services that are linked against OpenSSL, like Apache, nginx, PHP etc. It is also better to renew your SSL certificates, with new private keys, to make sure everything is safe.

How to check whether your server/website is affected:

http://possible.lv/tools/hb

Posted in Linux

POODLE: SSLv3.0 vulnerability

What is POODLE?

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

How to fix?

At present there is no patch for this bug, so admins need to manually disable SSLv3 on their servers.

Disable SSLv3 – Apache

1) Add "SSLProtocol All -SSLv2 -SSLv3" to httpd.conf.

2) Restart the apache service.

Disable SSLv3 – Nginx

1) Add "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to nginx.conf under the ssl section.

2) Restart the nginx service.

Disable SSLv3 – Postfix

1) Change smtpd_tls_mandatory_protocols to "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3".

2) Restart the postfix service.

Disable SSLv3 – WebLogic

Start WebLogic with the following JVM option: "-Dweblogic.security.SSL.protocolVersion=TLS1"

How to diagnose?

# openssl s_client -connect localhost:443 -ssl3

==> If you have already disabled SSLv3, the output will be as follows:

CONNECTED(00000003)
20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

==> If you have not disabled SSLv3 and you get output like the following, then your server is vulnerable to POODLE!

CONNECTED(00000003)
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
verify return:1
Certificate chain
 0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
   i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
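As an added example (not from the original post), the same s_client probe wrapped so it can be run against a list of your own hosts, with the output classified the way the two sample outputs above are read by eye. The function and variable names are this example's own, and it assumes a local openssl built with SSLv3 support (newer builds reject the -ssl3 option, which is reported as "unknown").

```shell
#!/bin/sh
# Added example, not from the original post: run "openssl s_client -ssl3"
# against your own services and turn the output into a verdict. Names are
# this example's own.

# classify_ssl3_output: reads s_client output on stdin and prints one word:
#   disabled  - the SSLv3 handshake was refused (first sample output above)
#   enabled   - the handshake completed and a certificate chain came back
#               (second sample output above): the server still speaks SSLv3
#   unknown   - no connection, or the local openssl cannot do SSLv3 at all
classify_ssl3_output() {
    out=$(cat)
    case "$out" in
        *"Connection refused"*|*"connect:errno"*|*"unknown option"*|*"getaddrinfo"*)
            echo unknown ;;
        *"sslv3 alert handshake failure"*|*"ssl handshake failure"*|*"alert protocol version"*|*"wrong version number"*)
            echo disabled ;;
        *"Certificate chain"*|*"Server certificate"*)
            echo enabled ;;
        *)
            echo unknown ;;
    esac
}

# check_ssl3 HOST [PORT]: probe one service; exit status 0 unless SSLv3 is enabled.
check_ssl3() {
    host="$1"; port="${2:-443}"
    # "Q" on stdin makes s_client close the session right after the handshake
    verdict=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -ssl3 2>&1 \
        | classify_ssl3_output)
    echo "$host:$port - SSL3.0 $verdict"
    [ "$verdict" != "enabled" ]
}

# Usage: ./ssl3_check.sh host1[:port] host2[:port] ...  (no arguments: only define the functions)
for target in "$@"; do
    case "$target" in
        *:*) check_ssl3 "${target%%:*}" "${target#*:}" ;;
        *)   check_ssl3 "$target" 443 ;;
    esac
done
```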


 

If you manage an entire data center or a corporate intranet, the problem is a little harder to solve than disabling SSL 3.0 in a browser. Regardless of the mitigation strategy you choose, you need to know which of your servers are currently running SSL 3.0. To that end, here a couple of quick scripts based on open source tools that will help you take control of the situation.

The first script, ssl3_cipher_check.sh, checks a single target for the presence of SSL 3.0 ciphers. The results will be similar to the following:

# ssl3_cipher_check.sh 192.168.1.51 443
Testing 192.168.1.51:443 for support of SSL3.0 ciphers…
NULL-MD5…NO (ssl handshake failure)
NULL-SHA…NO (ssl handshake failure)
EXP-RC4-MD5…NO (ssl handshake failure)
RC4-MD5…NO (ssl handshake failure)
RC4-SHA…NO (ssl handshake failure)
EXP-RC2-CBC-MD5…NO (ssl handshake failure)
IDEA-CBC-SHA…NO (no cipher match)
EXP-DES-CBC-SHA…NO (ssl handshake failure)
DES-CBC-SHA…NO (ssl handshake failure)
DES-CBC3-SHA…YES – SSL 3.0 cipher detected
EXP-DH-DSS-DES-CBC-SHA…NO (no cipher match)
DH-DSS-DES-CBC-SHA…NO (no cipher match)
DH-DSS-DES-CBC3-SHA…NO (no cipher match)
EXP-DH-RSA-DES-CBC-SHA…NO (no cipher match)
DH-RSA-DES-CBC-SHA…NO (no cipher match)
DH-RSA-DES-CBC3-SHA…NO (no cipher match)
EXP-DHE-DSS-DES-CBC-SHA…NO (no cipher match)
DHE-DSS-CBC-SHA…NO (no cipher match)
DHE-DSS-DES-CBC3-SHA…NO (no cipher match)
EXP-DHE-RSA-DES-CBC-SHA…NO (no cipher match)
DHE-RSA-DES-CBC-SHA…NO (no cipher match)
DHE-RSA-DES-CBC3-SHA…NO (no cipher match)
EXP-ADH-RC4-MD5…NO (ssl handshake failure)
ADH-RC4-MD5…NO (ssl handshake failure)
EXP-ADH-DES-CBC-SHA…NO (ssl handshake failure)
ADH-DES-CBC-SHA…NO (ssl handshake failure)
ADH-DES-CBC3-SHA…NO (ssl handshake failure)
SSL3 ciphers were detected on server 192.168.1.51:443

The second script, ssl3_scan.sh, allows you to test an entire network range. Using a network range specified in CIDR notation or a format compatible with nmap, the script detects and checks the standard and alternate ports commonly used for HTTPS on all hosts in the network range. Results will be similar to the following:

# ./ssl3_scan.sh 192.168.1.0/24
Beginning test… please be patient…
192.168.1.17:443 – SSL3.0 ciphers NOT supported
192.168.1.35:443 – SSL3.0 ciphers NOT supported
192.168.1.34:443 – SSL3.0 ciphers NOT supported
192.168.1.51:443 – SSL3.0 ciphers supported
192.168.1.58:443 – SSL3.0 ciphers supported

How you decide to mitigate the risk is a decision you will have to make.

http://www.symantec.com/connect/sites/default/files/ssl3_check_scripts.tar.gz

Posted in Linux