Category Archives: Linux

Install and Configure PowerDNS (with MariaDB) and PowerAdmin on CentOS 7

PowerDNS is a DNS server that can be configured with various backends, such as a relational database, BIND-style zone files, or load-balancing/failover algorithms. Its installation and configuration are covered on this page:

[1] Install and enable the EPEL repository

# yum install epel-release -y

[2] Install MariaDB

# yum install mariadb mariadb-server -y

# Start and enable the mariadb service
# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.

# systemctl start mariadb


# Set up (secure) MariaDB

# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
 SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

[3] Install PowerDNS

# yum install pdns pdns-backend-mysql -y

[4] Connect to MySQL and create a database named powerdns

# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database powerdns;
Query OK, 1 row affected (0.00 sec)

Create the database user for PowerDNS

MariaDB [(none)]> GRANT ALL ON powerdns.* TO 'powerdns'@'YourIPServerPowerDNS' IDENTIFIED BY 'PasswordUser';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

Create the PowerDNS database tables

MariaDB [(none)]> use powerdns;
Database changed
MariaDB [powerdns]> CREATE TABLE domains (id INT auto_increment,name VARCHAR(255) NOT NULL,master VARCHAR(128) DEFAULT NULL,last_check INT DEFAULT NULL,type VARCHAR(6) NOT NULL,notified_serial INT DEFAULT NULL,account VARCHAR(40) DEFAULT NULL,primary key (id));
Query OK, 0 rows affected (0.01 sec)

MariaDB [powerdns]> CREATE UNIQUE INDEX name_index ON domains(name);
Query OK, 0 rows affected (0.01 sec)
Records: 0 Duplicates: 0 Warnings: 0

MariaDB [powerdns]> CREATE TABLE records (id INT auto_increment,domain_id INT DEFAULT NULL,name VARCHAR(255) DEFAULT NULL,type VARCHAR(6) DEFAULT NULL,content VARCHAR(255) DEFAULT NULL,ttl INT DEFAULT NULL,prio INT DEFAULT NULL,change_date INT DEFAULT NULL,primary key(id));
Query OK, 0 rows affected (0.00 sec)

MariaDB [powerdns]> CREATE INDEX rec_name_index ON records(name);
Query OK, 0 rows affected (0.01 sec)
Records: 0 Duplicates: 0 Warnings: 0

MariaDB [powerdns]> CREATE INDEX nametype_index ON records(name,type);
Query OK, 0 rows affected (0.00 sec)
Records: 0 Duplicates: 0 Warnings: 0

MariaDB [powerdns]> CREATE INDEX domain_id ON records(domain_id);
Query OK, 0 rows affected (0.00 sec)
Records: 0 Duplicates: 0 Warnings: 0

MariaDB [powerdns]> CREATE TABLE supermasters ( ip varchar(25) NOT NULL, nameserver VARCHAR(255) NOT NULL, account VARCHAR(40) DEFAULT NULL);
Query OK, 0 rows affected (0.01 sec)

MariaDB [powerdns]> quit; 
Bye

[5] Open the PowerDNS configuration file

# vi /etc/pdns/pdns.conf

Add the following at the bottom of the file.

Enable the gmysql backend:

launch=gmysql

gmysql-host=localhost
gmysql-user=powerdns
gmysql-password="YourPassword"
gmysql-dbname=powerdns

Start and enable the PowerDNS service

# systemctl start pdns
# systemctl enable pdns
Created symlink from /etc/systemd/system/multi-user.target.wants/pdns.service to /usr/lib/systemd/system/pdns.service.
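Before starting pdns it is worth checking the backend settings you just wrote. The script below is an added example, not part of the original post or of PowerDNS: it reads a pdns.conf in the key=value form used above and warns when the gmysql backend is not launched, when a connection parameter is missing, when the password is wrapped in quotes (assumption: pdns.conf takes values literally and does not strip quotes, so the quotes would become part of the password sent to MariaDB), and when the file, which holds that password, is readable by other users. One more thing to keep in mind: the GRANT above is for 'powerdns'@'YourIPServerPowerDNS', while gmysql-host=localhost makes pdns connect over the local socket, which MariaDB matches against 'localhost' grants; the host in the grant and the host in pdns.conf have to agree.

```sh
#!/bin/sh
# audit_pdns_conf: sanity-check the gmysql settings in a PowerDNS config file
# before starting the service. Added example; not part of the original post.
# Assumptions: the file uses the plain key=value lines shown above, and
# pdns.conf takes values literally without stripping quotes (so a quoted
# password would reach MariaDB with the quotes included).

# get_opt FILE KEY -> value of KEY; the last occurrence wins
get_opt() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_pdns_conf FILE -> prints one WARN line per finding; returns 1 if any
audit_pdns_conf() {
  f=$1
  n=0
  [ -f "$f" ] || { echo "WARN: $f not found"; return 1; }

  # 1. the gmysql backend has to be launched at all
  case "$(get_opt "$f" launch)" in
    *gmysql*) ;;
    *) echo "WARN: launch=gmysql is missing"; n=$((n + 1)) ;;
  esac

  # 2. every connection parameter the backend needs must be set
  for key in gmysql-host gmysql-user gmysql-password gmysql-dbname; do
    if [ -z "$(get_opt "$f" "$key")" ]; then
      echo "WARN: $key is not set"; n=$((n + 1))
    fi
  done

  # 3. quoted values are not unquoted by pdns (assumption stated above)
  case "$(get_opt "$f" gmysql-password)" in
    \"*\" | \'*\')
      echo "WARN: gmysql-password is quoted; the quotes become part of the password"
      n=$((n + 1)) ;;
  esac

  # 4. the file holds a database password: it must not be readable by others
  others=$(ls -ld "$f" | cut -c8-10)
  if [ "$others" != "---" ]; then
    echo "WARN: $f is readable by others (mode bits '$others'); chmod 640 it"
    n=$((n + 1))
  fi

  [ "$n" -eq 0 ]
}

# stand-alone usage: audit_pdns_conf /etc/pdns/pdns.conf
if [ $# -gt 0 ]; then audit_pdns_conf "$1"; fi
```

Run it as root against /etc/pdns/pdns.conf; a clean run prints nothing and exits 0, so it can sit in a deployment script ahead of `systemctl start pdns`.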

[6] Install the dependency packages before installing PowerAdmin

# yum install httpd php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mhash gettext -y
# yum install php-pear-DB php-pear-MDB2-Driver-mysql -y

Start and enable the httpd service

# systemctl start httpd
# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

[7] Download the PowerAdmin package
Change into the web root directory, then download the package with wget

# pwd
/var/www/html

# wget https://sourceforge.net/projects/poweradmin/files/poweradmin-2.1.7.tgz

Extract it

# tar xvf poweradmin-2.1.7.tgz

Restart the httpd service
# systemctl restart httpd

[8] Open a web browser at the PowerDNS server's IP address: http://YourIP/poweradmin-2.1.7/install/

Note: fill in Hostname with the PowerDNS server's IP address

OK, next restrict the admin user's database access by running, in a terminal, the SQL that PowerAdmin shows you.

# mysql -u root -p
Enter password: 
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.56-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> GRANT SELECT, INSERT, UPDATE, DELETE ON powerdns.* TO 'poweradmin'@'IP_Server' IDENTIFIED BY 'PasswordUser';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> quit
Bye

# cd /var/www/html/poweradmin-2.1.7/inc
# mv config-me.inc.php config.inc.php
# vi config.inc.php

// Database settings
$db_host = 'YourIP_DBServer';
$db_port = '3306';
$db_user = 'YourUserDB';
$db_pass = 'YourPassword';
$db_name = 'powerdns';
$db_type = 'mysql';
$session_key = 'MasukanSessionKeyYangSudahDiGenearateDiWebBrowser';
$dns_hostmaster = 'YourDNSHostMaster';
$dns_ns1 = 'ns1.localhost.com';
$dns_ns2 = 'ns2.localhost.com';

OK, the PowerAdmin configuration is done

Run the following commands to support the URLs used by other dynamic DNS providers.

Enable mod_rewrite in the Apache configuration.

# cd /var/www/html/poweradmin-2.1.7
# cp install/htaccess.dist .htaccess

Remove the "install" folder.

# rm -rf /var/www/html/poweradmin-2.1.7/install/

[9] Now open the URL http://YourIPServer/poweradmin-2.1.7/ in a web browser

[-] Adding Master Zones

OK, now check List Zones

[-] To delete a DNS master zone, choose List Zones and click the trash icon

[10] To reset the admin password, click "Change Password": right after the initial configuration the admin password is empty, so login does not require a password.

OK, give it a try..

Cheers – AnditoYugoWicaksono


Lynis (Security Audit Tool)

[1] Install lynis

# yum --enablerepo=epel -y install lynis

[2] Using lynis (commands)

# lynis

[ Lynis 2.5.5 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

2007-2017, CISOfy - https://cisofy.com/lynis/
 Enterprise support available (compliance, plugins, interface and tools)
################################################################################


[+] Initializing program
------------------------------------


 Usage: lynis command [options]


 Command:

audit
 audit system : Perform local security scan
 audit system remote <host> : Remote security scan
 audit dockerfile <file> : Analyze Dockerfile

show
 show : Show all commands
 show version : Show Lynis version
 show help : Show help

update
 update info : Show update details


 Options:

--no-log : Don't create a log file
 --pentest : Non-privileged scan (useful for pentest)
 --profile <profile> : Scan the system with the given profile file
 --quick (-Q) : Quick mode, don't wait for user input

Layout options
 --no-colors : Don't use colors in output
 --quiet (-q) : No output
 --reverse-colors : Optimize color display for light backgrounds

Misc options
 --debug : Debug logging to screen
 --view-manpage (--man) : View man page
 --verbose : Show more details on screen
 --version (-V) : Display version number and quit

Enterprise options
 --plugin-dir "<path>" : Define path of available plugins
 --upload : Upload data to central node

More options available. Run '/usr/bin/lynis show options', or use the man page.

No command provided. Exiting..
# lynis audit system

[ Lynis 2.5.5 ]

################################################################################
 Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 welcome to redistribute it under the terms of the GNU General Public License.
 See the LICENSE file for details about using this software.

2007-2017, CISOfy - https://cisofy.com/lynis/
 Enterprise support available (compliance, plugins, interface and tools)
################################################################################


================================================================================

Lynis security scan details:

Hardening index : 66 [############# ]
 Tests performed : 218
 Plugins enabled : 0

Components:
 - Firewall [V]
 - Malware scanner [X]

Lynis Modules:
 - Compliance Status [?]
 - Security Audit [V]
 - Vulnerability Scan [V]

Files:
 - Test and debug information : /var/log/lynis.log
 - Report data : /var/log/lynis-report.dat

================================================================================

Lynis 2.5.5

Auditing, system hardening, and compliance for UNIX-based systems
 (Linux, macOS, BSD, and others)

2007-2017, CISOfy - https://cisofy.com/lynis/
 Enterprise support available (compliance, plugins, interface and tools)

================================================================================

[TIP]: Enhance Lynis audits by adding your settings to custom.prf (see /etc/lynis/default.prf for all settings)

[3] The scan report is saved in /var/log/lynis-report.dat. Search the file for the keywords "warning" or "suggestion" to list the recommended settings, as below.

# grep -E "^warning|^suggestion" /var/log/lynis-report.dat 
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9286|Configure maximum password age in /etc/login.defs|-|-|
suggestion[]=AUTH-9328|Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separated partition|-|-|
suggestion[]=FILE-6310|To decrease the impact of a full /var file system, place /var on a separated partition|-|-|
suggestion[]=STRG-1840|Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft|-|-|
suggestion[]=STRG-1846|Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft|-|-|
suggestion[]=NAME-4028|Check DNS configuration for the dns domain name|-|-|
suggestion[]=NAME-4404|Add the IP name and FQDN to /etc/hosts for proper name resolving|-|-|
suggestion[]=PKGS-7384|Install package 'yum-utils' for better consistency checking of the package database|-|-|
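The grep above is fine for a one-off look; when Lynis runs regularly you want the report turned into a decision. The script below is an added example, not Lynis' own tooling: it parses the warning[] and suggestion[] lines into "ID description" pairs, reads the hardening_index key Lynis writes into the same report, and fails when the index is below a threshold you choose or when any warning is unresolved. Suggestions are only counted, since they are recommendations rather than findings.

```sh
#!/bin/sh
# lynis_gate: turn /var/log/lynis-report.dat into a pass/fail decision, e.g.
# for a build or compliance job. Added example, not Lynis' own tooling.
# It reads two keys Lynis writes to the report: "hardening_index=NN" and the
# "warning[]=ID|Description|...", "suggestion[]=ID|Description|..." lines.

# report_findings FILE KIND -> "ID<TAB>Description" per line, KIND = warning|suggestion
report_findings() {
  awk -v kind="$2" -F'|' '
    index($0, kind "[]=") == 1 {
      id = substr($1, length(kind) + 4)      # strip the leading "kind[]="
      printf "%s\t%s\n", id, $2
    }' "$1"
}

# hardening_index FILE -> the index Lynis computed, or 0 if the key is absent
hardening_index() {
  awk -F= '$1 == "hardening_index" { v = $2 } END { print v + 0 }' "$1"
}

# lynis_gate FILE MIN_INDEX -> 0 when index >= MIN_INDEX and no warnings remain
lynis_gate() {
  f=$1
  min=$2
  rc=0
  idx=$(hardening_index "$f")
  if [ "$idx" -lt "$min" ]; then
    echo "FAIL: hardening index $idx is below the required $min"
    rc=1
  fi
  warns=$(report_findings "$f" warning)
  if [ -n "$warns" ]; then
    echo "FAIL: unresolved warnings:"
    printf '%s\n' "$warns"
    rc=1
  fi
  count=$(report_findings "$f" suggestion | wc -l)
  echo "INFO: $((count)) suggestion(s) to review"
  return $rc
}

# stand-alone usage: lynis_gate /var/log/lynis-report.dat 70
if [ $# -ge 2 ]; then lynis_gate "$1" "$2"; fi
```

With the scan shown above (index 66, no warnings) the gate passes at a threshold of 60 and fails at 70, which is a reasonable way to ratchet a fleet upward one step at a time.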

Cheers – AnditoYugoWicaksono

Setting up user login lockout on CentOS

This time I will discuss locking user logins. If a system user fails to log in several times, that user is locked automatically for the configured time. Straight to the topic: the scenario is that after 3 wrong logins the user is locked for 60 seconds, so during those 60 seconds the user cannot log in even when the password used is correct.

[1] Open the system-auth file and add the settings below

# vi /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# Add the line below
auth required pam_tally2.so deny=3 unlock_time=60
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

account required pam_unix.so
# Add the line below
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

[2] Open the password-auth file and add the settings below

# vi /etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
# Add the line below
auth required pam_tally2.so deny=3 unlock_time=60
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

account required pam_unix.so
# Add the line below
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
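Both files carry the header "User changes will be destroyed the next time authconfig is run", so the lockout can disappear silently after a later authconfig run or package update. The script below is an added example, not part of the original post: given a PAM stack file and the expected deny and unlock_time values, it checks that the pam_tally2 auth line exists with those values, that it comes before pam_unix.so (pam_unix is "sufficient", so a success there ends the auth stack and a locked user with the correct password would get in if the tally were checked later), and that the account line that resets the counter after a successful login is present.

```sh
#!/bin/sh
# check_pam_tally: verify that a PAM stack file still carries the pam_tally2
# lockout lines, in an order that works. Added example, not part of the
# original post. The header of system-auth and password-auth says authconfig
# regenerates them, which silently drops manual edits, so this is worth
# running after any authconfig run or package update.

# line_of FILE ERE -> number of the first line matching ERE, empty if none
line_of() {
  grep -nE "$2" "$1" | head -n 1 | cut -d: -f1
}

# check_pam_tally FILE DENY UNLOCK_TIME -> 0 when the stack is correct, 1 otherwise
check_pam_tally() {
  f=$1
  deny=$2
  unlock=$3
  rc=0
  sp='[[:space:]]+'

  tally=$(line_of "$f" "^auth${sp}required${sp}pam_tally2[.]so")
  unix=$(line_of "$f" "^auth${sp}sufficient${sp}pam_unix[.]so")
  acct=$(line_of "$f" "^account${sp}required${sp}pam_tally2[.]so")

  if [ -z "$tally" ]; then
    echo "FAIL: $f has no 'auth required pam_tally2.so' line"
    rc=1
  else
    # compare the thresholds actually configured with the ones we expect
    line=" $(sed -n "${tally}p" "$f" | tr '\t' ' ') "
    case $line in
      *" deny=$deny "*) ;;
      *) echo "FAIL: auth line does not set deny=$deny"; rc=1 ;;
    esac
    case $line in
      *" unlock_time=$unlock "*) ;;
      *) echo "FAIL: auth line does not set unlock_time=$unlock"; rc=1 ;;
    esac
    # the tally must be checked before pam_unix: 'sufficient' ends the auth
    # stack on success, so a locked user with the right password would get in
    if [ -n "$unix" ] && [ "$tally" -gt "$unix" ]; then
      echo "FAIL: pam_tally2 auth line (line $tally) comes after pam_unix.so (line $unix)"
      rc=1
    fi
  fi

  # the account entry resets the counter after a successful login
  if [ -z "$acct" ]; then
    echo "FAIL: $f has no 'account required pam_tally2.so' line"
    rc=1
  fi
  return $rc
}

# stand-alone usage: check_pam_tally /etc/pam.d/system-auth 3 60
if [ $# -ge 1 ]; then check_pam_tally "$1" "${2:-3}" "${3:-60}"; fi
```

Run it against both /etc/pam.d/system-auth and /etc/pam.d/password-auth; the SSH test further down only behaves as described when both stacks still contain the lines.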

[3] Monitor users with failed logins on the system; in the example below, user tejo has failed 7 times

# pam_tally2 -u tejo
Login Failures Latest failure From
tejo 7 10/28/17 10:07:40 192.168.20.20

[4] Test logging in as user tejo with the correct password: the login still fails, because the configured lockout time is 60 seconds.

$ ssh 192.168.20.20 -l tejo
tejo@192.168.20.20's password: 
Permission denied, please try again.
tejo@192.168.20.20's password: 
Permission denied, please try again.
tejo@192.168.20.20's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Yeah... locked out and unable to log in.

[5] Manually unlock the user account so it can log in to the system again

# pam_tally2 -r -u tejo
Login Failures Latest failure From
tejo 6 10/28/17 10:10:23 10.0.193.123

Cheers

 

psacct (monitoring user activity)

psacct is used to monitor the history of users' activity on the system.

[1] Install psacct

# yum -y install psacct

[2] View the users' command history

# lastcomm 
lvm2-activation root __ 0.00 secs Fri Oct 20 15:45
systemd-cryptse root __ 0.00 secs Fri Oct 20 15:45
systemd-system- root __ 0.00 secs Fri Oct 20 15:45
systemd-fstab-g S root __ 0.00 secs Fri Oct 20 15:45
systemd-sysv-ge root __ 0.00 secs Fri Oct 20 15:45
systemd-hiberna root __ 0.00 secs Fri Oct 20 15:45
systemd-debug-g root __ 0.00 secs Fri Oct 20 15:45
systemd-rc-loca root __ 0.00 secs Fri Oct 20 15:45
systemd-efi-boo root __ 0.00 secs Fri Oct 20 15:45
systemd-getty-g root __ 0.00 secs Fri Oct 20 15:45
systemd-cgroups S root __ 0.00 secs Fri Oct 20 15:44
systemd-cgroups S root __ 0.00 secs Fri Oct 20 15:44
systemd-cgroups S root __ 0.00 secs Fri Oct 20 15:44
systemctl S root pts/0 0.00 secs Fri Oct 20 15:44

[3] To trace a particular user, use a command like the one below

# lastcomm --user root
kworker/0:2 F root __ 0.00 secs Fri Oct 20 16:00
local S root __ 0.00 secs Fri Oct 20 17:00
systemd-cgroups S root __ 0.00 secs Fri Oct 20 17:01
crond SF root __ 0.00 secs Fri Oct 20 17:01
run-parts root __ 0.00 secs Fri Oct 20 17:01
logger root __ 0.00 secs Fri Oct 20 17:01
basename root __ 0.00 secs Fri Oct 20 17:01

Cheers – AnditoYugoWicaksono

 

How to find out which processes are listening on particular ports on the system

Netstat

[1] Using netstat: install the net-tools package

apt install net-tools

[2] View the ports that are actively in use

# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2652/mysqld 
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1308/vsftpd 
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 8587/sshd 
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2571/master 
tcp6 0 0 :::80 :::* LISTEN 1301/httpd 
tcp6 0 0 :::22 :::* LISTEN 8587/sshd 
tcp6 0 0 ::1:25 :::* LISTEN 2571/master 
tcp6 0 0 :::443 :::* LISTEN 1301/httpd 

# netstat -tulpn | grep 80
tcp6 0 0 :::80 :::* LISTEN 1301/httpd
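Reading the listing by eye works for one box; the question a reviewer actually asks is "which of these is reachable from the network and should not be?" The script below is an added example, not part of the original post: it takes `netstat -tulpn` output on stdin and an allow-list of ports that are meant to be public, and prints every listener bound to all interfaces (0.0.0.0 or ::) whose port is not on that list. Services bound to 127.0.0.1 or ::1 are ignored. It assumes the net-tools column layout shown above; `ss -tulpn`, the usual replacement, prints different columns.

```sh
#!/bin/sh
# exposed_services: read 'netstat -tulpn' output and report listeners bound to
# every interface (0.0.0.0 or ::) whose port is not on an allow-list. Added
# example, not part of the original post. Assumes the net-tools column layout
# shown above ('ss -tulpn', the usual replacement, prints different columns).

# exposed_services "PORT PORT ..." < netstat-output
#   prints "PROTO PORT PID/PROGRAM" for every wide-open listener not allowed
exposed_services() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # data rows start with tcp/tcp6/udp/udp6; the two header lines do not
    $1 ~ /^(tcp|udp)6?$/ {
      addr = $4
      m = split(addr, parts, ":")
      port = parts[m]                                   # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host != "0.0.0.0" && host != "::") next       # bound to one address only
      if (port in ok) next                              # expected to be public
      printf "%s %s %s\n", $1, port, $NF                # $NF is PID/Program name
    }'
}

# stand-alone usage: exposed_services "22 80 443" < saved-netstat-output.txt
if [ $# -gt 0 ]; then netstat -tulpn 2>/dev/null | exposed_services "$*"; fi
```

On the listing above with "22 80 443" allowed, it reports mysqld on 3306 and vsftpd on 21: the database listening on every interface is the kind of thing that belongs behind a bind-address setting or a firewall rule, and the report is small enough to diff between runs.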

[3] View all listening TCP and UDP ports

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 0.0.0.0:mysql 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ftp 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 
tcp 0 0 web.zotma:ssh 10.10.19.12:60726 ESTABLISHED
tcp6 0 0 [::]:http [::]:* LISTEN 
tcp6 0 0 [::]:ssh [::]:* LISTEN 
tcp6 0 0 localhost:smtp [::]:* LISTEN 
tcp6 0 0 [::]:https [::]:* LISTEN 
tcp6 0 0 web.zotma:https 10.10.19.12:58568 ESTABLISHED
tcp6 0 0 web.zotma:https 10.10.7.21:16723 TIME_WAIT 
tcp6 0 0 web.zotma:https 10.10.19.12:58554 TIME_WAIT 
tcp6 0 0 web.zotma:https 10.10.7.21:16710 TIME_WAIT 
tcp6 0 0 web.zotma:https 10.10.19.12:58564 FIN_WAIT2 
raw6 0 0 [::]:ipv6-icmp [::]:* 7 
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 19054 public/pickup
unix 2 [ ACC ] STREAM LISTENING 19058 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 10002 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 19068 private/rewrite
unix 2 [ ACC ] STREAM LISTENING 19071 private/bounce

[4] Show TCP port connections

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 0.0.0.0:mysql 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ftp 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 
tcp 0 208 web.zotma:ssh 10.10.19.12:60726 ESTABLISHED
tcp6 0 0 [::]:http [::]:* LISTEN 
tcp6 0 0 [::]:ssh [::]:* LISTEN 
tcp6 0 0 localhost:smtp [::]:* LISTEN 
tcp6 0 0 [::]:https [::]:* LISTEN 
tcp6 0 0 web.zotma:https 10.10.19.12:58732 TIME_WAIT 
tcp6 0 0 web.zotma:https 10.10.19.12:58738 TIME_WAIT 
tcp6 0 0 web.zotma:https 10.10.7.21:16909 TIME_WAIT 
tcp6 0 0 web.zotma:https 10.10.7.21:16919 TIME_WAIT

[5] Show UDP port connections

netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State 
udp 0 0 *:mdns *:* 
udp 0 0 *:42400 *:* 
udp 0 0 *:bootps *:* 
udp 0 0 *:bootps *:* 
udp 0 0 *:55521 *:* 
udp 0 0 localhost:35243 localhost:35243 ESTABLISHED
udp 0 0 *:ipp *:* 
udp6 0 0 [::]:44107 [::]:* 
udp6 0 0 [::]:mdns [::]:*

[6] Show all listening connections

netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 0.0.0.0:mysql 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ftp 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 
tcp6 0 0 [::]:http [::]:* LISTEN 
tcp6 0 0 [::]:ssh [::]:* LISTEN 
tcp6 0 0 localhost:smtp [::]:* LISTEN 
tcp6 0 0 [::]:https [::]:* LISTEN 
raw6 0 0 [::]:ipv6-icmp [::]:* 7 
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 19054 public/pickup
unix 2 [ ACC ] STREAM LISTENING 19058 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 10002 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 19068 private/rewrite

[7] Show all TCP listening ports

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 0.0.0.0:mysql 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ftp 0.0.0.0:* LISTEN 
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 
tcp6 0 0 [::]:http [::]:* LISTEN 
tcp6 0 0 [::]:ssh [::]:* LISTEN 
tcp6 0 0 localhost:smtp [::]:* LISTEN 
tcp6 0 0 [::]:https [::]:* LISTEN

[8] Show all UDP listening ports

netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
udp 0 0 *:mdns *:* 
udp 0 0 *:42400 *:* 
udp 0 0 userlocal:domain *:* 
udp 0 0 *:bootps *:* 
udp 0 0 *:bootps *:* 
udp 0 0 *:55521 *:* 
udp 0 0 *:ipp *:* 
udp6 0 0 [::]:44107 [::]:* 
udp6 0 0 [::]:mdns [::]:*

[9] Show TCP/UDP protocol statistics

TCP :

# netstat -st
IcmpMsg:
 InType3: 67
 InType8: 2
 OutType0: 2
 OutType3: 71
Tcp:
 106 active connections openings
 3826 passive connection openings
 0 failed connection attempts
 21 connection resets received
 1 connections established
 42378 segments received
 51180 segments send out
 598 segments retransmited
 0 bad segments received.
 55 resets sent
UdpLite:
TcpExt:
 19 invalid SYN cookies received
 3803 TCP sockets finished time wait in fast timer
 3804 delayed acks sent
 Quick ack mode was activated 12 times
 5767 packet headers predicted
 15270 acknowledgments not containing data payload received
 2899 predicted acknowledgments
 54 times recovered from packet loss by selective acknowledgements
 4 congestion windows recovered without slow start after partial ack
 TCPLostRetransmit: 40
 401 fast retransmits
 121 forward retransmits
 23 retransmits in slow start
 66 other TCP timeouts
 TCPLossProbes: 128
 TCPLossProbeRecovery: 5
 25 SACK retransmits failed
 12 DSACKs sent for old packets
 6 connections reset due to unexpected data
 3 connections reset due to early user close
 TCPSpuriousRTOs: 4
 TCPSackShiftFallback: 1028
 TCPDeferAcceptDrop: 3813
 TCPRcvCoalesce: 296
 TCPSpuriousRtxHostQueues: 1
 TCPAutoCorking: 2410
 TCPSynRetrans: 3
 TCPOrigDataSent: 33107
 TCPHystartTrainDetect: 31
 TCPHystartTrainCwnd: 572
 TCPHystartDelayDetect: 14
 TCPHystartDelayCwnd: 253
IpExt:
 InBcastPkts: 46375
 InOctets: 15471738
 OutOctets: 32197082
 InBcastOctets: 7371334
 InNoECTPkts: 107073

UDP :

# netstat -su
IcmpMsg:
 InType3: 67
 InType8: 2
 OutType0: 2
 OutType3: 71
Udp:
 0 packets received
 67 packets to unknown port received.
 0 packet receive errors
 261 packets sent
 0 receive buffer errors
 0 send buffer errors
UdpLite:
IpExt:
 InBcastPkts: 46378
 InOctets: 15477053
 OutOctets: 32206459
 InBcastOctets: 7371632
 InNoECTPkts: 107124

[10] Show service names with their PIDs

# netstat -tp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 224 web.zotma:ssh 10.10.19.12:60726 ESTABLISHED 8757/sshd: root@pts 
tcp6 0 0 web.zotma:https 10.10.7.21:17455 TIME_WAIT - 
tcp6 0 0 web.zotma:https 10.10.19.12:58916 TIME_WAIT - 
tcp6 0 0 web.zotma:https 10.10.7.21:17456 ESTABLISHED -

[11] View network interface transactions

# netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
enp2s0 1500 200366 0 0 0 52389 0 0 0 BMRU
lo 65536 281 0 0 0 281 0 0 0 LRU

[12] View IPv4 and IPv6 information (multicast group memberships)

# netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 224.0.0.1
enp2s0 1 224.0.0.1
lo 1 ff02::1
lo 1 ff01::1
enp2s0 1 ff02::1:ff27:6bf9
enp2s0 1 ff02::1
enp2s0 1 ff01::1

[13] Find listening programs

# netstat -ap | grep https
tcp6 0 0 [::]:https [::]:* LISTEN 1301/httpd 
tcp6 0 0 web.zotma:https 10.10.19.23:33088 TIME_WAIT - 
tcp6 0 0 web.zotma:https 10.10.19.25:18649 TIME_WAIT - 
tcp6 0 0 web.zotma:https 10.10.19.25:18639 TIME_WAIT - 
tcp6 0 0 web.zotma:https 10.10.19.23:33096 TIME_WAIT -

 

lsof

Install lsof:

$ sudo apt-get install lsof

lsof commands

$ lsof --help
lsof: illegal option character: -
lsof: -e not followed by a file system path: "lp"
lsof 4.89
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
 -?|-h list help -a AND selections (OR) -b avoid kernel blocks
 -c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
 -d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
 -i select IPv[46] files -K list tasKs (threads) -l list UID numbers
 -n no host names -N select NFS files -o list file offset
 -O no overhead *RISKY* -P no port names -R list paRent PID
 -s list file size -t terse listing -T disable TCP/TPI info
 -U select Unix socket -v list version info -V verbose search
 +|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]
 -- end option scan 
 -E display endpoint info +E display endpoint info and files
 +f|-f +filesystem or -file names +|-f[gG] flaGs 
 -F [f] select fields; -F? for help 
 +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
 +m [m] use|create mount supplement
 +|-M portMap registration (-) -o o o 0t offset digits (8)
 -p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
 -T qs TCP/TPI Q,St (s) info
 -g [s] exclude(^)|select and print process group IDs
 -i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
 +|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
 An optional suffix to t is m<fmt>; m must separate t from <fmt> and
 <fmt> is an strftime(3) format for the marker line.
 -s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
 -u s exclude(^)|select login|UID set s
 -x [fl] cross over +d|+D File systems or symbolic Links
 names select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.

Example of using the -i option

$ lsof -i :5900
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
remmina 4281 space 19u IPv4 52692 0t0 TCP 10.10.1.93:33538->10.1.1.70:5900 (ESTABLISHED)

 

fuser

Install psmisc:

$ sudo apt-get install psmisc

$ fuser
No process specification given
Usage: fuser [-fMuvw] [-a|-s] [-4|-6] [-c|-m|-n SPACE] [-k [-i] [-SIGNAL]] NAME...
 fuser -l
 fuser -V
Show which processes use the named files, sockets, or filesystems.

-a,--all display unused files too
 -i,--interactive ask before killing (ignored without -k)
 -k,--kill kill processes accessing the named file
 -l,--list-signals list available signal names
 -m,--mount show all processes using the named filesystems or block device
 -M,--ismountpoint fulfill request only if NAME is a mount point
 -n,--namespace SPACE search in this name space (file, udp, or tcp)
 -s,--silent silent operation
 -SIGNAL send this signal instead of SIGKILL
 -u,--user display user IDs
 -v,--verbose verbose output
 -w,--writeonly kill only processes with write access
 -V,--version display version information
 -4,--ipv4 search IPv4 sockets only
 -6,--ipv6 search IPv6 sockets only
 - reset options

udp/tcp names: [local_port][,[rmt_host][,[rmt_port]]]

Cheers – Andito Yugo Wicaksono

 

 

 

Creating an SSH login banner message

[1] Create the banner file, for example at

# vi /etc/banner.net

=Jika anda memiliki akses silahkan login=

[2] Edit the sshd_config file and enable the banner

# vi /etc/ssh/sshd_config
Banner /etc/banner.net

[3] Restart the sshd service

# systemctl restart sshd

[4] Try logging in to the server on which the banner was configured

$ ssh 10.10.1.10 -l root
=Jika anda memiliki akses silahkan login=
root@10.10.1.10's password:

 

SSH warning message for users after login

[1] Add the warning message to the file

# vi /etc/motd
Pergunakan hak akses anda sejujur mungkin

[2] ssh to the server

root@10.10.1.10's password: 
Last login: Tue Aug 8 09:31:50 2017 from 10.10.1.10
Pergunakan hak akses anda sejujur mungkin

Cheers – Andito Yugo Wicaksono

 

 

mod_security

Using the mod_security module to configure a Web Application Firewall (WAF).

[1] Install mod_security

yum -y install mod_security

[2] After installation, look at the mod_security configuration file in the directory below; the rule engine is set to enabled there. Once that is in place, add rules.

# cat /etc/httpd/conf.d/mod_security.conf 
<IfModule mod_security2.c>
 # ModSecurity Core Rules Set configuration
 IncludeOptional modsecurity.d/*.conf
 IncludeOptional modsecurity.d/activated_rules/*.conf
 
 # Default recommended configuration
 SecRuleEngine On
 SecRequestBodyAccess On
 SecRule REQUEST_HEADERS:Content-Type "text/xml" \
......................................................
.....................................................

[3] Below is an example of simple rules

# default action when matching rules
SecDefaultAction "phase:2,deny,log,status:406"

# "etc/passwd" is included in request URI
SecRule REQUEST_URI "etc/passwd" "id:'500001'"
SecRule REQUEST_URI "home" "id:'500005'"

# "../" is included in request URI
SecRule REQUEST_URI "\.\./" "id:'500002'"

# "<SCRIPT" is included in arguments
SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"

# "SELECT FROM" is included in arguments
SecRule ARGS "[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]" "id:'500004'"

--------------------------------------------------------------------
# Restart httpd
systemctl restart httpd
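Because SecDefaultAction denies with status 406, every false positive in these rules is a blocked legitimate request, so it pays to try the patterns against sample requests before restarting httpd. The script below is an added example, not ModSecurity itself: it takes a REQUEST_URI and an ARGS value as ModSecurity would see them and evaluates the five patterns above with grep -E (equivalent to ModSecurity's PCRE engine for these simple expressions), printing the ids of the rules that would fire. Two things it makes visible: rule 500005 fires on any URI containing "home", such as /homepage.html, and rule 500004 requires FROM to follow SELECT with only whitespace between, so "select * from users" is not matched.

```sh
#!/bin/sh
# rules_hit: replay a request against the five example rules above, offline,
# and print the ids that would fire. Added example, not ModSecurity itself:
# the patterns are the ones posted above, evaluated with grep -E instead of
# ModSecurity's PCRE engine (equivalent for these simple expressions), so it
# lets you check for false positives before a rule goes live.

# rules_hit REQUEST_URI ARGS -> rule ids, one per line, in the order they are defined
rules_hit() {
  uri=$1
  args=$2
  # rules on REQUEST_URI (which includes the query string)
  printf '%s' "$uri"  | grep -qE 'etc/passwd' && echo 500001
  printf '%s' "$uri"  | grep -qE 'home'       && echo 500005
  printf '%s' "$uri"  | grep -qE '\.\./'      && echo 500002
  # rules on ARGS (decoded parameter values)
  printf '%s' "$args" | grep -qE '<[Ss][Cc][Rr][Ii][Pp][Tt]' && echo 500003
  printf '%s' "$args" | grep -qE '[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]' && echo 500004
  return 0
}

# stand-alone usage: rules_hit '/homepage.html' ''
if [ $# -ge 1 ]; then rules_hit "$1" "${2:-}"; fi
```

When a rule fires on a URL your site actually serves, tighten the pattern (anchor it, or match a path segment rather than a substring) rather than disabling the rule; the ids stay stable, so the audit log keeps pointing at the right line.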

[4] Access a page that a rule blocks

[5] General rules are provided by the official repository and are easy to apply, but you may need to tune them for your own website so that they do not block legitimate requests.

yum -y install mod_security_crs
cd /usr/lib/modsecurity.d/base_rules
ll
modsecurity_35_bad_robots.data
modsecurity_35_scanners.data
modsecurity_40_generic_attacks.data
modsecurity_41_sql_injection_attacks.data
modsecurity_50_outbound.data
modsecurity_50_outbound_malware.data
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
modsecurity_crs_42_tight_security.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_48_local_exceptions.conf.example
modsecurity_crs_49_inbound_blocking.conf
modsecurity_crs_50_outbound.conf
modsecurity_crs_59_outbound_blocking.conf
modsecurity_crs_60_correlation.conf

Cheers.
Andito Yugo Wicaksono