Security
Contents
- 1 Advanced Policy Firewall
- 2 CSF
- 3 Fail2Ban
- 4 RK Hunter
- 5 CHK Rootkit Hunter
- 6 Unhide
- 7 System Integrity Monitor
- 8 Process Resource Monitor
- 9 Linux Socket Monitor
- 10 Network Socket Inode Validation
- 11 Linux Malware Detect
- 12 Dos Deflate X
- 13 Mod Evasive
- 14 Syn Flood Monitor
- 15 Wget / Lynx
- 16 TripWire
- 17 Snort
- 18 Lynis
- 19 MySQL Performance (also known as MySQL Tuner)
- 20 List Open Ports
- 21 List Connections
- 22 List User IDs
- 23 On Guard
- 24 Secure Partitions
- 25 Find Shell Scripts
- 26 Find Open Proxies
- 27 Process Checker
Advanced Policy Firewall
Install, remove, configure and manage Advanced Policy Firewall (APF) and Brute Force Detection (BFD). Note this feature also has an advanced management area we call APF Central for managing APF and BFD, including editing the config, adding and removing IPs and more.
CSF
Install and remove ConfigServer Security & Firewall (CSF) and its Login Failure Daemon (LFD). Note we only provide the means to install and remove CSF. Management of CSF is done via ConfigServer's own WHM addon, which becomes visible after you install CSF and refresh your screen. You can find it in the Plugins section of the WHM menu, where Xtra is also located.
Fail2Ban
Scans log files and bans IPs that rack up too many failed attempts within a set time window (e.g. brute-force login attacks).
RK Hunter
RK Hunter (rkhunter) is one of the more popular rootkit detectors. This part of Xtra lets you install, upgrade, remove and generally manage RK Hunter. The interface also lets you run it and watch the results in real time, as well as view the log it writes when it finishes. You can toggle its cron job on and off and set the email address the results are sent to, if you wish to receive them by email.
CHK Rootkit Hunter
Similar to RK Hunter (chkrootkit) but performing slightly different checks, so it is useful to run alongside RK Hunter. This interface allows installing, removing and managing CHK, turning its cron job on and off and setting the email address the results are sent to (if you wish). You can also run it from this interface and view the results live.
Unhide
Performs several types of checks for hidden and suspicious processes, comparing what /proc, the ps process table and a brute-force walk of the PID space each report. Install, remove and view live results with this script.
System Integrity Monitor
SIM is a system and services monitor. It is designed to be intuitive and modular in nature, and to provide a clean and informative status system. Install, remove, update and manage this program via Xtra.
Process Resource Monitor
PRM monitors the process table on a system and matches process IDs against the resource limits set in its config file or in per-process rules. Processes that meet or exceed those limits are logged and killed; it includes e-mail alerts, a kernel logging routine and more. Install, remove, update and manage this feature in this section.
Linux Socket Monitor
LSM is a bash-scripted socket monitor that tracks changes to both network sockets and Unix domain sockets. It records a baseline of which sockets should be active, then compares the currently active sockets against that baseline, highlighting otherwise unknown services.
Network Socket Inode Validation
Network Socket Inode Validation (NSIV) is a rule-based utility intended to validate the inode behind each LISTEN socket on a system. It targets a common pattern: rogue binaries hijack a user, a program's privileges or its work space, use that to kill the legitimate service, and start a new service on the known port they just freed. The best-known example of this is content uploaded to a 'tmp' path via a PHP remote include exploit, which is executed, crashes the web server and starts a rogue httpd process. NSIV's execution cycle is simple: first it determines the running process ID of your binary and the trusted inode (that of the file named by the BIN variable). Then it uses the PORT value to check that the binary holding that port open actually references back to the trusted inode; if it does not, the service is assumed hijacked and the PID is killed / RST executed, with an optional e-mail alert dispatched.
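The two checks above, LSM's baseline diff and NSIV's inode validation, both start from the same list of listening sockets. The following is an added illustration written for this page, not the LSM or NSIV scripts themselves; it parses `ss -Hlntp` output, and the sample output, PIDs and inode numbers are constructed so it runs offline (the live lookups it would use instead are noted in comments).

```python
"""Socket baseline diff (LSM-style) and LISTEN-port inode validation (NSIV-style).

Added illustration, not the LSM or NSIV scripts themselves. Both start from the
list of listening sockets, here parsed from `ss -Hlntp` output (no header, TCP,
listening, numeric, with owning process). The sample output and inode numbers
below are constructed so the code runs offline; the live lookups are noted.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed baseline, as LSM would record it on a known-good day.
BASELINE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80 *:* users:(("httpd",pid=1401,fd=4))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
"""
# Constructed "now": port 80 is held by a different PID under the same name, and
# a perl process has opened 6667. Live: subprocess.run(["ss", "-Hlntp"], ...).
CURRENT_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:80 *:* users:(("httpd",pid=31337,fd=4))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 5 0.0.0.0:6667 0.0.0.0:* users:(("perl",pid=31338,fd=3))
"""
# Constructed stand-in for os.stat(f"/proc/{pid}/exe").st_ino; 1048577 is "the real httpd".
SAMPLE_INODES = {812: 1310720, 1401: 1048577, 990: 2621440, 31337: 9999001, 31338: 9999002}
TRUSTED_HTTPD_INODE = 1048577   # live: os.stat("/usr/sbin/httpd").st_ino, i.e. NSIV's BIN

LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+"
    r'(?:\s+users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\))?'   # first owner only
)

Socket = Tuple[str, int, str]


def parse_listeners(ss_output: str) -> List[Dict]:
    """One dict per listening socket: addr, port, comm, pid (pid None without -p rights)."""
    out = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # handles [::]:22 and *:80
        out.append({"addr": addr, "port": int(port), "comm": m.group("comm") or "",
                    "pid": int(m.group("pid")) if m.group("pid") else None})
    return out


def _key(s: Dict) -> Socket:
    return (s["addr"], s["port"], s["comm"])


def socket_diff(baseline: str, current: str) -> Tuple[List[Socket], List[Socket]]:
    """LSM step: (appeared, vanished) sockets relative to the recorded baseline.
    Keyed on addr/port/process name, so a restarted service is not noise but a
    brand-new listener is."""
    base = {_key(s) for s in parse_listeners(baseline)}
    now = {_key(s) for s in parse_listeners(current)}
    return sorted(now - base), sorted(base - now)


def exe_inode_from_proc(pid: int) -> int:
    """Live lookup: inode of the binary PID is executing (/proc/PID/exe is a
    symlink to it and os.stat follows the link)."""
    return os.stat(f"/proc/{pid}/exe").st_ino


def validate_port(port: int, trusted_inode: int, current: str,
                  inode_of_pid: Callable[[int], int] = exe_inode_from_proc) -> Dict:
    """NSIV step: does the process holding PORT run the trusted binary?
    Returns a verdict; NSIV itself would then kill the PID and run its restart
    command. inode_of_pid is injectable so the check works on constructed data."""
    for s in parse_listeners(current):
        if s["port"] != port:
            continue
        if s["pid"] is None:
            return {"port": port, "status": "unknown", "pid": None}   # ss -p needs root
        actual = inode_of_pid(s["pid"])
        status = "ok" if actual == trusted_inode else "hijacked"
        return {"port": port, "status": status, "pid": s["pid"], "inode": actual}
    return {"port": port, "status": "not_listening", "pid": None}


if __name__ == "__main__":
    appeared, vanished = socket_diff(BASELINE_SS, CURRENT_SS)
    print("new listeners:", appeared, "vanished:", vanished)
    print(validate_port(80, TRUSTED_HTTPD_INODE, CURRENT_SS, SAMPLE_INODES.__getitem__))
```

Note how the two checks complement each other on this sample: the LSM diff flags the new perl listener on 6667 but says nothing about port 80, because the process name is still "httpd"; the NSIV check catches port 80 because the new PID's binary has a different inode from the trusted one. Both need root to see owning PIDs in `ss -p`.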
Linux Malware Detect
Linux Malware Detect is a malware scanner for Linux designed around the threats faced in shared hosting environments. It uses threat data from network-edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detecting it.
Dos Deflate X
A modified version of the original DoS Deflate. DoS Deflate blocks IPs that hold too many connections to the server at once (the limit and check interval are configurable) to help combat (D)DoS attacks. Note this is not the same as a firewall: a firewall is designed primarily to keep unwanted traffic from getting into the server, while DoS Deflate is meant to aid in combating outright flooding attacks against your server.
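Fail2Ban (above) and DoS Deflate both boil down to the same step: count events per source IP, then ban every IP at or above a limit. Fail2Ban counts matching log lines inside a time window (its findtime/maxretry), DoS Deflate counts current connections in a netstat snapshot. The following is an added illustration of that logic, not either tool's own script; the log lines, netstat output and timestamps are constructed.

```python
"""Count-and-ban logic behind Fail2Ban and DoS Deflate (added illustration).

Not the tools' own code. Fail2Ban counts matching log lines inside a time
window (findtime/maxretry); DoS Deflate counts connections in a `netstat -ntu`
snapshot. All sample data below is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Constructed sshd lines in classic syslog format. Syslog omits the year, so the
# caller supplies one; the window comparison only holds within a single year.
AUTH_LOG = """\
Jan 12 03:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jan 12 03:00:02 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Jan 12 03:00:04 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jan 12 02:10:00 web1 sshd[1900]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Jan 12 02:10:30 web1 sshd[1902]: Failed password for bob from 198.51.100.7 port 51002 ssh2
Jan 12 02:11:00 web1 sshd[1904]: Failed password for bob from 198.51.100.7 port 51004 ssh2
Jan 12 02:59:50 web1 sshd[2199]: Failed password for root from 192.0.2.77 port 60001 ssh2
Jan 12 03:00:07 web1 sshd[2208]: Accepted publickey for deploy from 198.51.100.20 port 3022 ssh2
"""
NOW = datetime(2024, 1, 12, 3, 0, 10)          # constructed "current time" for the sample run
WHITELIST = {"127.0.0.1", "192.0.2.10"}        # never ban localhost or the server's own IP

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_in_window(log: str, now: datetime, findtime_seconds: int,
                            year: int) -> Counter:
    """Fail2Ban-style: failures per IP whose timestamp falls in (now - findtime, now]."""
    window_start = now - timedelta(seconds=findtime_seconds)
    counts: Counter = Counter()
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                                    # accepted logins, other daemons
        when = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if window_start < when <= now:
            counts[m.group("ip")] += 1
    return counts


def connections_per_ip(netstat: str, states: Optional[Set[str]] = None) -> Counter:
    """DoS Deflate-style: connections per foreign IP in `netstat -ntu` output.

    The original script counts every state, TIME_WAIT included, which inflates
    counts for busy but legitimate clients; pass states={"ESTABLISHED", "SYN_RECV"}
    to count only live connections.
    """
    counts: Counter = Counter()
    for line in netstat.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue                                    # header lines
        state = cols[5] if len(cols) > 5 else ""        # UDP rows carry no state
        if states is not None and state not in states:
            continue
        counts[cols[4].rsplit(":", 1)[0]] += 1          # foreign address minus port
    return counts


def ips_to_ban(counts: Counter, limit: int, whitelist: Set[str]) -> List[str]:
    """IPs at or above the limit, minus the whitelist. The real tools then run
    e.g. `iptables -I INPUT -s <ip> -j DROP` (or `apf -d <ip>`) for each."""
    return sorted(ip for ip, n in counts.items() if n >= limit and ip not in whitelist)


def _conn(peer: str, port: int, state: str = "ESTABLISHED") -> str:
    return f"tcp        0      0 192.0.2.10:80           {peer}:{port:<13}{state}"


# Constructed `netstat -ntu` snapshot: one chatty client, one normal one, and a
# pile of local TIME_WAIT sockets that the whitelist must protect.
NETSTAT = (
    "Active Internet connections (w/o servers)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    + "\n".join([_conn("203.0.113.9", 51000 + i) for i in range(6)]
                + [_conn("198.51.100.40", 40000 + i) for i in range(2)]
                + [_conn("127.0.0.1", 33000 + i, "TIME_WAIT") for i in range(7)])
    + "\n"
)

if __name__ == "__main__":
    fails = failed_logins_in_window(AUTH_LOG, NOW, findtime_seconds=600, year=2024)
    print("login failures in window:", dict(fails))
    print("fail2ban would ban:", ips_to_ban(fails, limit=3, whitelist=WHITELIST))
    conns = connections_per_ip(NETSTAT)
    print("connections per IP:", dict(conns))
    print("dos deflate would ban:", ips_to_ban(conns, limit=5, whitelist=WHITELIST))
```

On the sample data 198.51.100.7 has three failures but all of them before the window opens, so it is not banned; 127.0.0.1 exceeds the connection limit but is whitelisted. Both details matter in practice: a ban rule without a window re-bans stale history, and one without a whitelist will eventually block the server's own monitoring or the admin.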
Mod Evasive
mod_evasive is an evasive-manoeuvres module for Apache that provides protection in the event of an HTTP DoS/DDoS or brute-force attack. It runs inside Apache, tracks the request rate of each client IP and temporarily blocks clients that exceed the configured thresholds.
Syn Flood Monitor
Monitors the server for SYN flood attacks, alerts the administrator and mitigates the attack so that legitimate traffic can still get through.
Wget / Lynx
wget and Lynx are used for updating software, cPanel (and Xtra), but they are also what attackers commonly use to pull exploits onto a compromised server. For security we suggest using this feature to disable them until you need them to upgrade something. Bear in mind this only removes the most convenient path: curl, Perl, Python and PHP can all fetch files too, so treat it as one layer rather than a complete control.
TripWire
Open Source Tripwire is a security and data-integrity tool for monitoring and alerting on specific file changes across a range of systems.
Snort
Snort is an open source network intrusion detection and prevention system (IDS/IPS) developed by Sourcefire. Takes about 5 minutes to install.
Note: requires some manual work to complete the install; if you aren't already familiar with Snort, don't mess with it. This version is not for 64-bit systems.
Lynis
Lynis is an auditing tool for Unix. It scans the system and the installed software to detect security issues. Besides security-related information it also reports general system information, installed packages and configuration mistakes.
MySQL Performance (also known as MySQL Tuner)
Reports various data on how MySQL is performing on your server and suggests possible ways to improve it. Based on the original MySQLTuner script by Major Hayden.
List Open Ports
This little script shows which ports on your server are currently listening for traffic. Useful to check whether an attacker may have opened a port you want closed.
List Connections
Shows current and recent connections to the server along with Apache's full server status.
List User IDs
Lists the UIDs of all system users.
On Guard
On Guard is a script designed by us to monitor /tmp, /var/tmp and /dev/shm for malicious files and exploits uploaded to your server by hackers. Once activated, the script monitors these directories and emails you if it detects a possibly malicious file, so you can check it out before the attacker does any serious damage. Use the interface to install, configure and manage the script as well as its cron job.
Secure Partitions
Secure and set proper permissions on /tmp, /var/tmp and /dev/shm.
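The page does not spell out which settings "Secure Partitions" applies; the usual hardening behind it is mounting /tmp, /var/tmp and /dev/shm with nodev, nosuid and noexec, so files dropped there cannot be executed directly, carry setuid bits or act as device nodes. The following is an added checker written for this page (not Xtra's code) that audits /proc/mounts-style data for those options; the mount table it reads is constructed.

```python
"""Audit /tmp, /var/tmp and /dev/shm mount options (added illustration).

Not Xtra's own code. Reads /proc/mounts-style data (a constructed sample here),
reports which of nodev,nosuid,noexec each hardened path is missing, and shows
the fstab line that would satisfy the check.
"""
from typing import Dict

HARDEN = ("/tmp", "/var/tmp", "/dev/shm")
REQUIRED = ("nodev", "nosuid", "noexec")

# Constructed /proc/mounts excerpt: /tmp is just a directory on the root fs,
# /dev/shm lacks noexec, /var/tmp is already done right. (Real /proc/mounts
# escapes spaces in paths as \040; none of these paths need unescaping.)
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime,size=1048576k 0 0
"""


def parse_mounts(text: str) -> Dict[str, Dict]:
    """Map mount point -> {source, fstype, opts}; a later line for the same
    mount point wins, matching how the kernel lists stacked mounts."""
    mounts: Dict[str, Dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        src, mnt, fstype, opts = parts[:4]
        mounts[mnt] = {"source": src, "fstype": fstype, "opts": set(opts.split(","))}
    return mounts


def audit(mounts: Dict[str, Dict]) -> Dict[str, str]:
    """Per hardened path: 'ok', 'missing <opts>' or 'not a separate mount'."""
    findings = {}
    for mnt in HARDEN:
        if mnt not in mounts:
            # A plain directory inherits the parent filesystem's options, so
            # there is nothing to restrict until it becomes its own mount.
            findings[mnt] = "not a separate mount"
            continue
        missing = [o for o in REQUIRED if o not in mounts[mnt]["opts"]]
        findings[mnt] = "ok" if not missing else "missing " + ",".join(missing)
    return findings


def fstab_line(mnt: str, size: str = "1G") -> str:
    """tmpfs entry that satisfies the audit; size caps the RAM it may consume."""
    return f"tmpfs {mnt} tmpfs defaults,nodev,nosuid,noexec,size={size} 0 0"


def remount_command(mnt: str) -> str:
    """Apply the options to an existing mount without a reboot."""
    return f"mount -o remount,{','.join(REQUIRED)} {mnt}"


if __name__ == "__main__":
    # Live use: audit(parse_mounts(open("/proc/mounts").read()))
    for mnt, verdict in audit(parse_mounts(SAMPLE_MOUNTS)).items():
        print(f"{mnt:10} {verdict}")
        if verdict != "ok":
            print("   fix:", fstab_line(mnt) if verdict.startswith("not") else remount_command(mnt))
```

Two caveats before applying this on a live box: noexec on /tmp breaks installers and upgrade scripts that unpack and run from there (it stops direct execution and PROT_EXEC mappings, not `perl /tmp/x.pl`), and /var/tmp is expected to survive reboots, so it is normally bind-mounted from /tmp rather than given its own tmpfs.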
Find Shell Scripts
This searches for CGI and PHP scripts containing the shell commands most often used by hackers. The default search checks /home and /home2; if you just want to check a specific user account or a different directory, use the custom search option.
Find Open Proxies
This checks your server for open proxy servers. Note there is nothing to run; the check is performed each time you visit the page.
Process Checker
Scans all running processes for suspicious ones and kills any it finds. Nothing to run; the scan and its results come up immediately (yes, it's real-time scanning).