Posted by: h4ck@lyst | February 11, 2008

Security lapse

Well, err... this is something that happened yesterday with Pragyan. Unfortunately, the IndexIgnore directive in the server's httpd.conf wasn't configured properly. It read

IndexIgnore *#some comments

To achieve the desired effect, i.e. to disallow the listing of files, I guess it should have been

IndexIgnore * #some comment

Notice the space between * and # in the second version.

One can also put a .htaccess file containing just the above directive in the root of the folder where the listing is not wanted.

Well, thanks to the small lapse/breach, we got to tweak the server a hell of a lot. phpMyAdmin can now only be accessed from the private IP range specified in phpMyAdmin.conf, and from no other IP addresses.

It's in /etc/httpd/conf.d/

<Directory /usr/share/phpMyAdmin/>
    Order deny,allow
    Deny from all
    Allow from {the IP range / set of IPs you want to access it from}
</Directory>
And I got to read and understand the data that goes into the Apache log. I was able to backtrack each and every step of the person concerned during the, well err... I don't know whether "break-in" is the apt word or not, but still. And I'm glad that, owing to the multiplicity of "pragyan" DBs on the server, he wasn't even able to find out which one was the current DB, even though this information was also in the same place from where he got the password for a read-only account of the database: a Python file that we use to compare the database for structural differences between our development server and the actual deployment server.
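Backtracking a visitor's steps from the access log is mostly a matter of filtering the combined log format by client address and keeping the order. The script below is an added example, not the post's own script; the log lines are constructed (RFC 5737 documentation addresses and a made-up file name) in the standard Apache combined format, and the second function is a heuristic for finding requests that may have been served as auto-generated directory listings.

```shell
#!/bin/sh
# Added example, not from the original post: reconstruct one visitor's steps
# from an Apache access log, and list the requests that may have been served
# as auto-generated directory listings.

# Constructed sample log in Apache "combined" format (documentation IPs,
# made-up paths); a real log would be /var/log/httpd/access_log or similar.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Feb/2008:21:14:02 +0530] "GET /scripts/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2008:21:14:19 +0530] "GET /scripts/compare_db.py HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2008:21:15:01 +0530] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2008:21:16:40 +0530] "GET /phpMyAdmin/ HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2008:21:17:05 +0530] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
EOF

# trace_ip LOG IP: every request from IP, in log order, as "time method path status".
# Fields in the combined format: $1 client, $4 "[time", $6 "\"method", $7 path, $9 status.
trace_ip() {
    awk -v ip="$2" '$1 == ip {
        print substr($4, 2), substr($6, 2), $7, $9
    }' "$1"
}

# listing_hits LOG: successful GETs for a directory path (ends in "/").
# Heuristic only: a 200 here is either a DirectoryIndex page or an
# auto-generated index; confirm by checking the response body for "Index of".
listing_hits() {
    awk '$6 == "\"GET" && $7 ~ /\/$/ && $9 == 200 { print $1, $7, $10 }' "$1"
}

echo "== steps taken by 203.0.113.5 =="
trace_ip "$LOG" 203.0.113.5
echo "== directory paths that returned 200 =="
listing_hits "$LOG"
```

In the sample, the trace shows the listing of /scripts/ being fetched, then the Python file from it, then /phpMyAdmin/, which is the sequence of events the post describes; on a real log the same two functions give you the timeline and the set of directories worth checking for an exposed index.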

Also, changing the default SSH port of your server reduces the brute-force attacks on it like hell, because most of the bots are programmed to try the default port 22.

You can change the default port by editing the sshd.conf in /etc/sshd/sshd.conf.

Just uncomment the line

Port 22

and change the port to whatever you want. You'll have to restart the SSH daemon using

/sbin/service sshd restart

Also change the corresponding port in your firewall/iptables rules if you are using one.
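The steps above done as a repeatable script, with the checks worth running before the restart. This is an added example, not the post's own procedure; it assumes the daemon reads /etc/ssh/sshd_config, which is where most Linux distributions keep it (adjust the path if your system differs), and it works on a constructed stand-in file so it can be run anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: change the sshd listening port
# in a config file in a repeatable way, then show the checks to run before
# restarting. Assumes the daemon reads /etc/ssh/sshd_config (the usual
# location on Linux); the post's own steps edit the file by hand.

# get_ssh_port FILE: print the effective port (first uncommented "Port" line, default 22).
get_ssh_port() {
    awk '$1 == "Port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# set_ssh_port FILE PORT: rewrite the first Port line (commented or not) to
# "Port PORT", drop any duplicates, or append one if the file has none.
# Returns 2 for an invalid port number, leaving the file untouched.
set_ssh_port() {
    file="$1"; port="$2"
    case "$port" in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    tmp=$(mktemp)
    awk -v port="$port" '
        /^#*[[:space:]]*Port[[:space:]]+[0-9]+[[:space:]]*$/ {
            if (!done) { print "Port " port; done = 1 }
            next                      # drop any further Port lines so only one remains
        }
        { print }
        END { if (!done) print "Port " port }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed stand-in for sshd_config, with the default commented-out Port line.
SSHD_CONF=$(mktemp)
cat > "$SSHD_CONF" <<'EOF'
#Port 22
#AddressFamily any
PermitRootLogin no
EOF

DEMO=$(mktemp); cp "$SSHD_CONF" "$DEMO"
echo "before: port $(get_ssh_port "$DEMO")"
set_ssh_port "$DEMO" 2222
echo "after:  port $(get_ssh_port "$DEMO")"

# On the real server, after editing /etc/ssh/sshd_config:
#   sshd -t                                          # syntax-check the config before restarting
#   iptables -I INPUT -p tcp --dport 2222 -j ACCEPT  # open the new port in the firewall first
#   /sbin/service sshd restart
# Keep your current session open and confirm a fresh login on the new port
# works before closing it, or you can lock yourself out.
```

The order matters: open the firewall port first, test the config with "sshd -t", restart, and only then verify from a second terminal. Doing the restart before the firewall change is the classic way to lose access to a remote box.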

So how do you find out which ports are actually open on a server and what they are being used for? Simple. Run nmap:

nmap servername.com
