Brute Force Attack cPanel

Check the logs:

# nano /var/log/messages
PAM-hulk[13813]: Brute force detection active: 580 LOGIN DENIED

Check cphulkd.log at /usr/local/cpanel/logs:

# nano /usr/local/cpanel/logs/login_log
72.177.xxx.xx - root [11/04/2014:05:48:13 -0000] "POST /login/?login_only=1 HTTP/1.1" DEFERRED LOGIN
whostmgrd: brute force attempt (user root) has locked out IP 72.177.xxx.xx

Sandworm Vulnerability Affects All Microsoft Operating Systems

On Tuesday, October 14, 2014, iSIGHT Partners and Microsoft announced a Zero-Day vulnerability named “Sandworm” found in all versions of Microsoft Windows and Windows Server 2008 and 2012. The vulnerability has been exploited in a small number of cyberespionage attacks against NATO, energy companies, a US academic organization and many others. Microsoft has since created a patch and released it…

Fail2Ban Setup on CentOS 6.6

Because fail2ban is not available from CentOS, we should start by downloading the EPEL repository:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Follow up by installing fail2ban:

yum install fail2ban

The default fail2ban configuration file is located at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, however; instead we should make a local copy of it:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

After…

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, it applies to any merchant that has a Merchant ID (MID).

General requirements for compliance:
- Firewall
- Intrusion Detection Systems
- Intrusion Prevention Systems
- Dedicated IP addresses
- PCI Cage

SSLv3 Vulnerability (Poodle)

According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow, October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice. The issue is a vulnerability in the design of SSL version 3.0 that allows the plaintext of secure connections to be calculated by a network attacker. SSL 3.0 is nearly 18 years…

Bash Code Injection Vulnerability (Shellshock)

Products Affected:

Product/Channel               Fixed in package                  Remediation details
Red Hat Enterprise Linux 7    bash-4.2.45-5.el7_0.2             Red Hat Enterprise Linux
Red Hat Enterprise Linux 6    bash-4.1.2-15.el6_5.1             Red Hat Enterprise Linux
                              bash-4.1.2-15.el6_5.1.sjis.1      Red Hat Enterprise Linux
                              bash-4.1.2-9.el6_2.1              Red Hat Enterprise Linux 6.2 AUS
                              bash-4.1.2-15.el6_4.1             Red Hat Enterprise Linux 6.4 EUS
Red Hat Enterprise Linux 5    bash-3.2-33.el5.1                 Red Hat Enterprise Linux
                              bash-3.2-33.el5_11.1.sjis.1       Red Hat…

How to Secure SSH with Google Authenticator’s Two-Factor Authentication

Source: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/
Also, for CentOS: http://www.tecmint.com/ssh-two-factor-authentication/

Want to secure your SSH server with easy-to-use two-factor authentication? Google provides the necessary software to integrate Google Authenticator’s time-based one-time password (TOTP) system with your SSH server. You’ll have to enter the code from your phone when you connect.

Root Compromised

Check whether the server is root-compromised:

lsattr /usr/bin

Output from a root-compromised server. All of those files are set to immutable and append-only; that's what the "ia" you see means.

[root@mail ~]# lsattr /usr/bin
s---ia------- /usr/bin/bzcmp
s---ia------- /usr/bin/getkeycodes
s---ia------- /usr/bin/enc2xs
s---ia------- /usr/bin/mail-files
s---ia------- /usr/bin/chage
s---ia------- /usr/bin/mdeltree
s---ia------- /usr/bin/nslookup
s---ia------- /usr/bin/semodule_link
s---ia------- /usr/bin/mbchk
s---ia------- /usr/bin/rpcgen
s---ia------- /usr/bin/lkbib
s---ia------- /usr/bin/dig
s---ia-------…