Basic audit commands
- knowledgediary4min
- Mar 3, 2020
- 3 min read
DIRECT ROOT LOGIN
>>>cat /etc/ssh/sshd_config|grep Permi
>>>cat /root/.bashrc | grep "ALERT - Root Shell Access"
============================
[root@s3 ~]# cat /etc/ssh/sshd_config|grep Permi
PermitRootLogin no
[root@s3 ~]# cat /root/.bashrc | grep "ALERT - Root Shell Access"
echo 'ALERT - Root Shell Access (s3.webhosting.uy) on:' `date` `who` |
mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`"
[root@s3 ~]#
============================
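A worked check for the same question, added here and not part of the original post: `grep Permi` also matches the commented-out default line and any PermitRootLogin inside a later Match block, so it can report "no" on a host where root login is still allowed. sshd takes the first uncommented occurrence outside any Match block; the function below does the same. The two sample configs are constructed for the demonstration and written to temporary files.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will actually use,
# ignoring comments and directives that sit inside Match blocks.

permit_root_login() {
    # $1: path to an sshd_config file
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match"      { in_match = 1 }  # everything after Match is conditional
        !in_match && !found && tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample configs (temporary files, not real host configs).
cfg_good=$(mktemp)
cat > "$cfg_good" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF

cfg_bad=$(mktemp)
cat > "$cfg_bad" <<'EOF'
# PermitRootLogin no
PasswordAuthentication yes
EOF

# cfg_good -> "no" (the Match block does not change the global value).
# cfg_bad  -> "unset": only a comment mentions it, so the compiled-in default
# applies (yes before OpenSSH 7.0, prohibit-password since).
echo "good: $(permit_root_login "$cfg_good")"
echo "bad:  $(permit_root_login "$cfg_bad")"
rm -f "$cfg_good" "$cfg_bad"
```

On a live host the authoritative answer is `sshd -T | grep -i permitrootlogin`, which prints the effective value after defaults and includes; use the parser above when you only have a copy of the file.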
***************************************************************************************************************************
KERNEL UPDATES
>>>yum check-update | grep kernel
>>>uname -r
============
[root@s3 ~]# uname -r
2.6.32-431.11.2.el6.x86_64
[root@s3 ~]# yum check-update | grep kernel
abrt-addon-kerneloops.x86_64 2.0.8-26.el6.centos base
dracut-kernel.noarch 004-356.el6 base
kernel.x86_64 2.6.32-504.1.3.el6 updates
kernel-firmware.noarch 2.6.32-504.1.3.el6 updates
kernel-headers.x86_64 2.6.32-504.1.3.el6 updates
libreport-plugin-kerneloops.x86_64 2.0.9-21.el6.centos base
[root@s3 ~]#
===============
***************************************************************************************************************************
ROOTKIT
chkrootkit
rkhunter --versioncheck
rkhunter -c --sk   (run the check; --sk skips the keypress prompts)
tail -f /var/log/rkhunter.log
grep "Warning ]" /var/log/rkhunter.log
ls -al /etc/cron.weekly   (is the rkhunter cron job installed?)
to install or update from source:
cd /root
wget dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.2.tar.gz
***************************************************************************************************************************
RDNS
host IP
======
[root@s3 ~]# host 173.192.25.170
170.25.192.173.in-addr.arpa domain name pointer s3.webhosting.uy.
[root@s3 ~]#
======
***************************************************************************************************************************
SPAMMING
exim >> exim -bpc
Postfix >> mailq or postqueue -p
Qmail >> /var/qmail/bin/qmail-qstat
***************************************************************************************************************************
DISK USAGE
df -h
***************************************************************************************************************************
MOD_SECURITY
grep modsec2 /usr/local/apache/conf/httpd.conf
OR
httpd -M | grep security2
=========
[root@s3 ~]# httpd -M | grep security2
security2_module (shared)
Syntax OK
=========
***************************************************************************************************************************
PHP DANGEROUS FUNCTIONS
cat /usr/local/lib/php.ini | grep disable_functions
or
cat /etc/php.ini | grep disable_functions
or, whichever php.ini is loaded (php --ini shows its path):
php -i | grep disable_functions
***************************************************************************************************************************
REMOTE MYSQL
cPanel:
>>mysql
show variables like 'skip_networking';
Plesk:
mysql -uadmin -p`cat /etc/psa/.psa.shadow`   (the Plesk admin password is stored in /etc/psa/.psa.shadow)
show variables like 'skip_networking';
skip_networking | ON   means remote MySQL is disabled on the server; if it is OFF, check bind-address in my.cnf and that port 3306 is firewalled.
***************************************************************************************************************************
BACKUP STATUS
In cPanel, for the legacy backup system:
grep BACKUPENABLE /etc/cpbackup.conf
In Plesk:
log in to Plesk and check in Backup Manager.
For the new cPanel backup system, this command is used:
r
***************************************************************************************************************************
DIRECTORY HARDENING (/tmp and /var/tmp mounted noexec,nosuid,nodev)
/bin/cp /etc/fstab /etc/fstab.bak
Use df to check if a /tmp partition is already present.
[if no /tmp partition is present: build a file-backed loop mount]
cd /usr
dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=2000000   (about 2 GB)
mke2fs -j /usr/tmpMnt
cd /
cp -R /tmp /tmp_backup
mount -o loop,noexec,nosuid,nodev,rw /usr/tmpMnt /tmp
chmod 1777 /tmp   (1777, not 0777: the sticky bit stops users deleting each other's files)
/bin/cp -R /tmp_backup/* /tmp/
rm -rf /tmp_backup
nano -w /etc/fstab
At the very bottom add
/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0
[if a /tmp partition is present]
nano -w /etc/fstab
change "defaults" on the /tmp line to noexec,nosuid,nodev,rw (no loop option; that is only for the file-backed mount)
mount -o remount /tmp
then point /var/tmp at the hardened /tmp:
rm -rf /var/tmp
ln -s /tmp /var/tmp
If a symlink is not possible, /var/tmp is most likely a partition of its own; harden it in fstab with noexec,nosuid,nodev,rw as well. If /tmp has already been hardened by cPanel's /scripts/securetmp, remove the securetmp line from /etc/rc.d/rc.local and reboot; the server comes back without a /tmp partition and the steps above can then be followed.
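A verification step for the procedure above, added here and not part of the original post: after editing fstab and remounting, confirm that each temp directory is really a separate mount and that the mount carries noexec, nosuid and nodev. The function reads lines in /proc/mounts format; the mount table below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check the effective mount options of a temp directory.
# Pass /proc/mounts as the first argument on a live host.

tmp_mount_status() {
    # $1: file in /proc/mounts format   $2: mount point to check
    awk -v mp="$2" '
        $2 == mp { opts = $4 }                 # last entry wins if mounted twice
        END {
            if (opts == "") { print "not a separate mount"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
            missing = ""
            if (!("noexec" in have)) missing = missing " noexec"
            if (!("nosuid" in have)) missing = missing " nosuid"
            if (!("nodev"  in have)) missing = missing " nodev"
            if (missing == "") print "ok"; else print "missing:" missing
        }
    ' "$1"
}

# Constructed mount table: a hardened loop-mounted /tmp that still lacks nodev,
# a /var/tmp partition mounted with plain defaults, and no mount for /home.
mounts=$(mktemp)
cat > "$mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0
EOF
echo "/tmp:     $(tmp_mount_status "$mounts" /tmp)"       # missing: nodev
echo "/var/tmp: $(tmp_mount_status "$mounts" /var/tmp)"   # missing: noexec nosuid nodev
echo "/home:    $(tmp_mount_status "$mounts" /home)"      # not a separate mount
rm -f "$mounts"
```

When /var/tmp is a symlink to /tmp as in the recipe above, /proc/mounts has no entry for it; check /tmp instead. `findmnt -o TARGET,OPTIONS /tmp` gives the same information on systems that ship util-linux.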
***************************************************************************************************************************
SCAN
maldet --scan-all
run it inside a screen session; a full scan takes a long time
if it is Plesk: maldet -a /var/www/vhosts
***************************************************************************************************************************
MEMORY
free -m or free -g
***************************************************************************************************************************
UN-ROUTED MAIL FORWARDING
Check whether any domain forwards un-routed mail to the default mail account or to an external mail server.
This is cPanel only; if it is Plesk, skip this part.
The loop below collects every forwarding target domain from /etc/valiases/*, keeps the ones not hosted on this server (absent from /etc/userdomains), and counts the alias files that forward to them:
for j in $(for i in $(cat /etc/valiases/* | grep -v "No Such User Here" | grep -v ":fail:" | grep -v "autorespond" | grep -v "mailman" | grep -v "index.php" | cut -d ":" -f2 | cut -d "@" -f2); do
        grep -q "$i" /etc/userdomains || echo "$i"
    done | sort | uniq); do
    grep -l "$j" /etc/valiases/*
done | awk -F/ '{print $4}' | wc -l
drop the trailing "| wc -l" to see the domain names instead of the count.
***************************************************************************************************************************
OUTDATED CMS
https://grepitout.com/find-outdated-versions-of-wordpress-and-joomla-on-your-server/
count the cPanel accounts under /home running a WordPress core other than the current release (replace '4.3.1' with today's version):
find /home/ -path "*/wp-includes/version.php" | xargs grep "wp_version = " | grep -v '4.3.1'|cut -d"/" -f3 | sort | uniq | wc -l
the same via the locate database, listing the accounts instead of counting them:
locate wp-includes/version.php | xargs grep "wp_version = " | grep -v "= '4.6'" | cut -d"/" -f3 | sort | uniq
inside one site's document root, to read its version:
grep wp_version wp-includes/version.php
#Ubuntu server
find /var/www/*/htdocs/ -type f -iwholename "*/wp-includes/version.php" -exec grep -H "\$wp_version =" {} \; | grep -v "4.8"
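A version-aware variant of the checks above, added here and not part of the original post or the linked article: `grep -v '4.3.1'` only excludes one exact string, so every other version, newer ones included, is reported. The function below reads each wp-includes/version.php under a tree and prints only installs whose core version sorts below a baseline (GNU `sort -V`). The directory tree is constructed for the demonstration; the site names are made up.

```shell
#!/bin/sh
# Added example: list WordPress installs older than a minimum version.

wp_outdated() {
    # $1: directory to search   $2: minimum acceptable version (e.g. 6.4.3)
    find "$1" -path '*/wp-includes/version.php' -type f 2>/dev/null |
    while IFS= read -r f; do
        # extract the value from a line like:  $wp_version = '6.4.2';
        v=$(sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$f")
        [ -n "$v" ] || continue
        # outdated when the install version is not the baseline and sorts
        # before it in version order
        if [ "$v" != "$2" ] && [ "$(printf '%s\n%s\n' "$v" "$2" | sort -V | head -n 1)" = "$v" ]; then
            printf '%s %s\n' "$v" "$(dirname "$(dirname "$f")")"
        fi
    done
}

# Constructed sample tree: three hypothetical sites at different core versions.
root=$(mktemp -d)
for site in old.example:4.9.8 ok.example:6.4.3 new.example:6.5; do
    d="$root/${site%%:*}/public_html/wp-includes"
    mkdir -p "$d"
    printf "<?php\n\$wp_version = '%s';\n" "${site#*:}" > "$d/version.php"
done
wp_outdated "$root" 6.4.3    # prints only: 4.9.8 <root>/old.example/public_html
rm -rf "$root"
```

Run it as `wp_outdated /home 6.4.3` on cPanel or `wp_outdated /var/www 6.4.3` on a Debian-style layout, with the baseline set to the current WordPress release.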
***************************************************************************************************************************
EMPTY PASSWORD
awk -F: '($2 == "") {print}' /etc/shadow
***************************************************************************************************************************
PORT SCANNING
scan from outside with an online tool such as http://www.t1shopper.com/tools/port-scan/# and compare the result with what is listening locally: ss -tlnp (or netstat -tlnp on older systems)
***************************************************************************************************************************
OPENSSL
[root@mail ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@mail ~]# rpm -q --changelog openssl | head
(on RHEL/CentOS the version string stays at 1.0.1e while fixes are backported, so look for the CVE in the changelog rather than judging by the version alone)
>> FOR UBUNTU SERVERS
# apt-cache policy openssl
***************************************************************************************************************************
SSH
[root@mail ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
# Ubuntu server: installed and candidate OpenSSH versions
apt-cache policy openssh-server
***************************************************************************************************************************
PASSWORD STRENGTH
grep -i pwstrength /var/cpanel/cpanel.config   (the minimum strength set under WHM >> Password Strength Configuration)
Password strength is rated on a scale of 0 to 100, where 100 represents a very strong password.
***************************************************************************************************************************
OS VERSION
cat /etc/issue.net
cat /etc/redhat-release or cat /etc/os-release   (issue.net is only a login banner and is often edited to hide the version)
***************************************************************************************************************************
MYSQL AND PHP CHECKING
# mysql -V
# php -v
# Ubuntu server: MySQL version check
apt-cache policy mysql-server
If MariaDB is installed, use apt-cache policy mariadb-server instead.