InfoSec & Other Ramblings

http://www.ryangreenier.org

Last update in Friday, November 21st 2008

Protect Your PHP Includes

Posted by Ryan in Tuesday, November 4th 2008   
Topics: Infosec, PHP, Scripts    Tags: php, protect, Scripts
No Comment

<?php
// Put this at the top of a file that is only meant to be included.
// If the requested URI is this file's own path, the script was opened
// directly in the browser rather than included by another page, so stop.
if ($_SERVER['REQUEST_URI'] == $_SERVER['PHP_SELF'])
    exit();

Default Installations

Posted by Ryan in Friday, October 24th 2008   
Topics: Infosec    Tags: default installations, phishing, sever security
No Comment

What is it with people leaving default installations public facing? They must think I don’t have enough work to do. Inevitably, the server is compromised and used to host phishing attacks against clients of my employer.

Default Apache Install:

Plus PHPInfo page:

Equals phishing attack.

Nice equation.

Account Lockout in Linux - PAM Tally

Posted by Ryan in Thursday, October 9th 2008   
Topics: Infosec, Linux    Tags: linux, modules
No Comment

Some pretty basic functions are missing from most of the *-nix systems by default. One of these is account lockout. In comes PAM Tally (pam_tally.so). This module maintains a count of attempted accesses, can reset count on success, and can deny access if too many attempts fail in succession.

pam_tally comes in two parts: pam_tally.so and pam_tally. The first is the PAM module and the second is a stand-alone program. pam_tally is an (optional) application which can be used to query and/or modify the count file (such as display users’ counts, set individual counts, or clear all counts).

A pretty nice walk-through can be found here.

Squid Log Parsing

Posted by Ryan in Wednesday, October 8th 2008   
Topics: Perl, Scripts    Tags: Scripts, squid
No Comment

The squid access.log file is useful for determining where your users are going over http/80. These log files are generally rotated daily and each contains a LOT of data; in my organization, this is in the realm of 2 GB per day. So how do you find what you are looking for? I use a couple of different things in combination. The first is a custom perl script that takes the native log format and converts the leading epoch timestamp to a human-readable date (either by piping data to it or by reading in a file).

#!/usr/bin/perl
#
# Usage: grep something /var/log/squid/access.log | squidtimes.pl
# Usage: squidtimes.pl /some/file/path
use strict;
use warnings;

if (@ARGV && $ARGV[0] ne "") {
        open(LOG, $ARGV[0]) or die "Cannot open log: $!";

        while (<LOG>) {
                # Squid native lines start with a 10-digit epoch timestamp
                # and a millisecond fraction; $1 is the seconds, $2 the rest.
                if ( $_ =~ /^(\d{10})\.(.*)/ ) {
                        my $realtime = scalar localtime( $1 );
                        print "$realtime\t $2", "\n";
                }
        }
        close LOG;

} else {
        # No file given: read whatever is piped in on STDIN.
        while (<>) {
                if ( $_ =~ /^(\d{10})\.(.*)/ ) {
                        my $realtime = scalar localtime( $1 );
                        print "$realtime\t $2", "\n";
                }
        }
}

From there, we use a combination of bash programming, the script above, and awk to give us the data we’re looking for.

user@squid:~> for ((i=30;i>1;i--));do sudo zgrep -e '192\.168\.11\.60' /var/log/squid/access.log.$i.gz | /usr/local/scripts/squidtimes.pl | awk '{print $1,$2,$3,$4,$8,$9,$11,$12 }' >> results.log;done

user@squid:~> head -1 results.log
Tue Sep 2 07:22:32 192.168.11.60 TCP_IMS_HIT/304 GET http://workforceportal.elabor.com/ezLaborManagerNetRedirect/images/spacer.gif
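The same job in one pass, as an added example that is not the blog's own script: it parses Squid native access.log lines, converts the epoch timestamp the way squidtimes.pl does, and keeps the same fields the awk filter selects for one client IP. The log lines are constructed for the example, and timestamps are rendered in UTC rather than local time so the output is reproducible.

```python
"""Parse Squid native access.log lines and filter them by client IP."""
from datetime import datetime, timezone
import re

# Native format: time.ms elapsed client code/status bytes method URL user peer/host type
LINE_RE = re.compile(
    r"^(?P<ts>\d{10})\.(?P<ms>\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)\s*$"
)


def parse_line(line, tz=timezone.utc):
    """Return a dict for one log line, or None if it is not native format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    # Same idea as the perl script's `scalar localtime($1)`, but with an
    # explicit timezone (UTC by default) instead of the host's local zone.
    rec["when"] = datetime.fromtimestamp(rec["ts"], tz).strftime("%a %b %d %H:%M:%S")
    return rec


def requests_for(lines, client):
    """Equivalent of the zgrep + squidtimes.pl + awk pipeline for one client.

    The awk field list ($1..$4, $8, $9, $11, $12) is date, time, client,
    result code, method and URL; each returned tuple holds those values.
    """
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["client"] == client:
            out.append((rec["when"], rec["client"], rec["result"], rec["method"], rec["url"]))
    return out


# Constructed sample lines in Squid native format (not real traffic).
SAMPLE = [
    "1220358152.123    125 192.168.11.60 TCP_IMS_HIT/304 251 GET http://example.com/images/spacer.gif - NONE/- image/gif",
    "1220358160.004   1502 192.168.11.61 TCP_MISS/200 5120 GET http://example.org/index.html - DIRECT/203.0.113.5 text/html",
    "1220358171.500     30 192.168.11.60 TCP_DENIED/403 1500 CONNECT blocked.example:443 - NONE/- text/html",
    "this line is not in native format",
]

if __name__ == "__main__":
    for row in requests_for(SAMPLE, "192.168.11.60"):
        print(*row)
```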

Oops… Bring out the backup.

Posted by Ryan in Wednesday, October 8th 2008   
Topics: Infosec    Tags: permissions, redhat
No Comment

In a recent post to a mailing list I subscribe to, a user indicated that they had made an inadvertent blunder on a Linux machine they operated (they were an RHCE to boot). The email was as follows:

There are some things you can do, like rpm -qlv <name_of_package>, but you're going to be troubleshooting broken items for a while, not to mention you can throw your security right out the window. What if said user was the Apache user or a named user, for example? Reinstall time :o)

Some things to remember:
- Anonymous root logins are very bad. There's no audit trail, no accountability, and they invite exhaustive password-guessing attacks.
- Under normal circumstances, log in as an assigned user (without root privs) and use 'sudo' when you need root-level access.
- Never allow the root user to connect via SSH (or over the network, for that matter); do allow it via the local terminal/console.
- Always use 'sudo' with extreme care, because it's not going to ask you if you're sure.

©2007-2008 InfoSec & Other Ramblings