Clam AntiVirus (ClamAV) is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses. In the previous article, I shown you “How To Install/Compile ClamAV In CentOS 6“. In this article, I will continue to show you How to use ClamAV & Cronjobs to run daily & hourly virus scans.

The first, I will create a new directory to store script & log files of ClamAV

# mkdir -p /usr/local/clamav/script
# mkdir -p /usr/local/clamav/log

Setting up hourly scans

Creating a file called name clamscan_hourly

# vi /usr/local/clamav/script/clamscan_hourly

And add the following code

#!/bin/bash
SUBJECT="`hostname` PASSED HOURLY SCAN"
EMAIL="admin@domain.com"
LOG=/usr/local/clamav/log/clamav.log
TMP_LOG=/tmp/clam.hourly
 
av_report() {
 
    if [ `cat ${TMP_LOG}  | grep Infected | grep -v 0 | wc -l` != 0 ]
    then
		SUBJECT="[WARNING] `hostname` PASSED HOURLY SCAN"
    fi
	
	EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
    echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
    echo "From: alert@domain.com" >>  ${EMAILMESSAGE}
    echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
    echo "Importance: High" >> ${EMAILMESSAGE}
    echo "X-Priority: 1" >> ${EMAILMESSAGE}
    echo "`tail -n 50 ${TMP_LOG}`" >> ${EMAILMESSAGE}
    sendmail -t < ${EMAILMESSAGE}
	
	cat ${TMP_LOG} >> ${LOG}
	rm -rf ${TMP_LOG}
}

av_scan() {
	touch ${TMP_LOG}
	find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -mmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${TMP_LOG}
}

av_scan
av_report
freshclam

Save the file. Make sure it’s executable, type

# chmod +x /usr/local/clamav/script/clamscan_hourly

Setting up daily scans

Creating a file called name clamscan_daily

# vi /usr/local/clamav/script/clamscan_daily

And add the following code

#!/bin/bash
SUBJECT="`hostname` PASSED DAILY SCAN"
EMAIL="admin@domain.com"
LOG=/usr/local/clamav/log/clamav.log
TMP_LOG=/tmp/clam.daily
 
av_report() {
 
    if [ `cat ${TMP_LOG}  | grep Infected | grep -v 0 | wc -l` != 0 ]
    then
	SUBJECT="[WARNING] `hostname` PASSED DAILY SCAN"
    fi
	
	EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
    echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
    echo "From: alert@domain.com" >>  ${EMAILMESSAGE}
    echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
    echo "Importance: High" >> ${EMAILMESSAGE}
    echo "X-Priority: 1" >> ${EMAILMESSAGE}
    echo "`tail -n 50 ${TMP_LOG}`" >> ${EMAILMESSAGE}
    sendmail -t < ${EMAILMESSAGE}
	
	cat ${TMP_LOG} >> ${LOG}
	rm -rf ${TMP_LOG}
}

av_scan() {
	touch ${TMP_LOG}
	clamscan -r / --exclude-dir=/sys/ --quiet --infected --log=${TMP_LOG}
}
 
av_scan
av_report

Save the file. Make sure it’s executable, type

# chmod +x /usr/local/clamav/script/clamscan_daily

Setting Up Crontab to run ClamAV hourly & daily scans

Type the following command

# crontab -e

Add the following code

# ClamAV scan
01 * * * * /usr/local/clamav/script/clamscan_hourly
01 00 * * * /usr/local/clamav/script/clamscan_daily

Setting up log rotation for ClamAV

Creating a file called name clamav, type

# vi /etc/logrotate.d/clamav

Add the following code

/usr/local/clamav/log/*.log {
    daily
    dateext
    dateformat -%d%m%Y
    missingok
    rotate 90
    compress
    delaycompress
    notifempty
    create 600 root root
}

The post How To Use ClamAV & Cron Jobs To Run Daily And Hourly Virus Scans appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

Clam AntiVirus (ClamAV) is a free and open-source, cross-platform antivirus software tool-kit able to detect many types of malicious software, including viruses. It’s easy to use and best for Linux based Web & Mail server. In this article, I will show you through the step by step installation of ClamAV on CentOS 6.x from source.

The first, You need to download ClamAV latest version at http://www.clamav.net. Login as root and type the following command

# wget http://downloads.sourceforge.net/project/clamav/clamav/0.98.4/clamav-0.98.4.tar.gz?r=http%3A%2F%2Fwww.clamav.net%2Fdownload.html&ts=1410062157&use_mirror=softlayer-sng -O clamav-0.98.4.tar.gz

The second, extracting clamav-0.98.4.tar.gz package

# tar zxvf clamav-0.98.4.tar.gz
# cd clamav-0.98.4

Installing ClamAV

Type the following command to Compile ClamAV from source

# ./configure --prefix=/usr/local --sysconfdir=/etc --with-xml=/usr/local --with-zlib=/usr
# make
# make install

Configuring ClamAV

Creating user for clamav, enter

useradd -s /sbin/nologin -d /dev/null clamav

Creating database folder of clamav, enter

# mkdir /usr/local/share/clamav
# chown clamav /usr/local/share/clamav
# chmod 700 /usr/local/share/clamav

Type these following commands to create ClamAV configuration files

mv /etc/freshclam.conf.sample /etc/freshclam.conf
mv /etc/clamd.conf.sample /etc/clamd.conf

Open and remove contains

# Comment or remove the line below.
Example

Updating ClamAV

# freshclam

Configuring daily scan

In this example, I will configure a cronjob to scan the /home/ directory every day. Creating a file called name scanav at /opt/, enter

# vi /opt/scanav

Add the following to the file above

#!/bin/bash

SCAN_DIR="/home"
SCAN_LOG="/var/log/clamav.log"

# Update CLAMAV
freshclam

# Scan AV
clamscan -i -r $SCAN_DIR >> $SCAN_LOG

Give our cron script executable permissions, enter

# chmod +x /opt/scanav

Configuring daily scan with crontab, type the following command

# crontab -e

Add the following

01 01 * * * /opt/scanav

The post How To Install/Compile ClamAV In CentOS 6 appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

SSG550M is a purpose-built, modular security platform that delivers 1+ Gbps of firewall traffic and 600 Mbps of IPSec VPN for large branch, regional offices and enterprises. If you ever forget your password and lose access to your SSG firewall then in this article, I will show you How to recover password Juniper SSG 550 using serial number step by step.
NOTE: You will be notified that you will lose your configuration and all your settings.

Step 1. Connect to the device with a console connection.
Step 2. Log into the firewall using the device’s serial number as both the username and password. The following shows a typical serial number login and the resulting messages.

login: 00442421012308289
password:

Step 3. A warning message will display, requesting confirmation to continue with the process. Enter “y”

!!! Lost Password Reset !!! You have initiated a command to reset the device to
factory defaults, clearing all current configuration and settings. Would you like
to continue? y/[n] y

Step 4. A reconfirmation message displays. Again, enter ” y “. The firewall will reboot.

!! Reconfirm Lost Password Reset !! If you continue, the entire
configuration of the device will be erased. In addition, a permanent
counter will be incremented to signify that this device has been reset.
This is your last chance to cancel this command. If you proceed, the
device will return to factory default configuration, which is: System IP:
192.168.1.1; username: netscreen, password: netscreen. Would you like to
continue? y/[n] y

Step 5. Upon reboot, the configuration is set back to factory default. The login for both the username and password is reset to “netscreen”.

The post How To Recover Password Juniper SSG 550 Using Serial Number appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

I have setup an web server using Apache on CentOS. How do I configure firewall using iptables to allow or block access to the web server under CentOS ? In Tutorial I will show you How do I do it.

What is iptables ?

iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables for Ethernet frames.

Setting up iptables

In most Linux distros including Redhat / CentOS Linux installs iptables by default. You can use the following procedure to verify that iptables has been installed. Open terminal and type the following command:

# iptables -V

Sample outputs:

iptables v1.4.7

You can use the following command to view the status of iptables command, enter:

# yum info iptables

Sample outputs:

Installed Packages
Name        : iptables
Arch        : x86_64
Version     : 1.4.7
Release     : 5.1.el6_2
Size        : 833 k
Repo        : installed
From repo   : anaconda-CentOS-201207061011.x86_64
Summary     : Tools for managing Linux kernel packet filtering capabilities
URL         : http://www.netfilter.org/
License     : GPLv2
Description : The iptables utility controls the network packet filtering code in
            : the Linux kernel. If you need to set up firewalls and/or IP
            : masquerading, you should install this package.
...

If the above message does not appear, then type the following command to install iptables

# yum install iptables -y

Configuration iptables for a web server

The default iptables configuration on CentOS does not allow access to the HTTP (TCP PORT # 80) and HTTPS (TCP PORT # 443) ports used by the Apache web server. You can do step by step to configure
Step 1: Flush or remove all iptables rules

# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

Step 2: Set default rules

# iptables -P INPUT DROP
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

Step 3: Allow access to HTTP (80) and HTTPS (443)

# iptables -A INPUT -i lo -j ACCEPT 
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT 
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Turn on and save iptables

Type the following two commands to turn on firewall:

# chkconfig iptables on
# service iptables save

Anti synflood with iptables

Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows:

net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.netfilter.ip_conntrack_max = 1048576

And type the following command

# iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 --syn -m recent --set --name CHECK --rsource 
# iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 --syn -m recent --update --seconds 5 --hitcount 15 --rttl --name CHECK --rsource -j DROP 

The post How To Setup Iptables Firewall For A Web Server On CentOS appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

Protect the server from Flood attacks , Using the property Port Flood Protection In firewall CSF . After doing the necessary settings will be able to determine the number of allowed connections Same time for each IP tries to connect to the server.

So How to Make a flood attack ?
Logically flood attacks are two ways :
first through a specific communication
the second through multiple connections each connection of these connections connect with the provider
Requirements

1. Installing firewall CSF last version
2. Enabled IPT and works well
3. Model IPT_Recent special for IPT

Application

Through edited the configuration file special for CSF it is located in the following path:

root@server:$ nano /etc/csf/csf.conf

We pressing CTRL + W and look for PORTFLOOD we will find the line as follows default :

PORTFLOOD = " "

put inside ” ” Settings that we want ,as in the following example:

PORTFLOOD = "80;tcp;20;10"

80 is the port , TCP is the protocol , 20 is the number of connections allowed at the same time , 10 is time of pause temporarily after the 10 seconds is allowed IP make new contacts

Important note: ipt_recent can count 20 Packets for each Title , So you can change the number of connections from 1 to 20 only

Is there a possibility of adding more than one port ?yes be as follows (Just an example) :

PORTFLOOD = "22;tcp;10;200,21;tcp;15;100,80;tcp;20;5"

Note that when we add a new port we put a comma (,)

In the previous example you choose more than one port are 22, 21 and 80 And you can add more and you can change the number of connections and also change the protocol type, for example, from TCP to UDP after the completion of the edited we save the file : CTRL + X, Y, and then Enter button.

Finally, do not forget to restart CSF with the following command:

root@server:$ csf -r

Thank You ,,

The post Repel port flood by CSF and IPT_Recent appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

There are a lot of people do not know what these variables and how they can be used , this Variables exist in php.ini file , the php.ini file is contains settings PHP on server , and for each variable in the php.ini file have a special role and can be disabled and activated with ON and Off

Disable = Off

Activate = On

So now I will explain to you the benefit of each function and put you a choice in the activation and disable

expose_php

Is a a property from which to see PHP version on the server so disabling means not making available to the hacker to know the version of PHP

allow_url_fopen

When you disable this function no one will be able to contain another link in a specific page , but some scripts like AM4SS – Vbulletin need this function for the arrival of notifications within the Admin Control Panel

register_globals

When you Desable this function become possible to control the content of php files difficult and does not allow the Edited only by the owner
So now we come to the disabled and activation of these properties

Enter in the shell and modify the php.ini file with the following command

nano /usr/local/lib/php.ini

By pressing Ctrl + W will open new box writes what you want to search for inside file

Looking for the variable you want edited for example

allow_url_fopen

You’ll find as follows :

allow_url_fopen = On

Mark value after the mark (=) On for activate Off  for disabled , Apply it with the rest of the properties , After completion of the amendment to click on the keys CTRL + X + Y then Enter button

You will see a new command line in the main interface in shell
Observation : you must restart Apache after any amendment to this file for edited is defined in the php and Apache
To restart apache :

service httpd restart

Or you can restart apache using server Control Panel WHM In a private box to restart services From there you can restart any service you want to.

The post What is the role of this variables in php.ini file (expose_php – allow_url_fopen – register_globals) ? appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

I run CentOS on my server, and I often find that my server is being attacked by other computers. Brute force SSH attacks, port scanning, viruses scanning for the ability to spread, things like that. In this article, I’ll show you how to block an IP address on Linux server using IPTables.

The First, I’ll assume you are already using iptables. If you need help setting that up, read this article.

How do I block an IP address ?

Example I want to block incoming request from IP 1.2.3.4, login as root and type the following command

# iptables -I INPUT -s 1.2.3.4 -j DROP

Where,
– I: Inserts the chain at the top of the rules.
– s: Match source IP address.
– j: Jump to the specified target chain when the packet matches the current rule.

To drop packets coming in on interface eth0 from 1.2.3.4, type the following command

# iptables -I INPUT -i eth0 -s 1.2.3.4 -j DROP

How do I block a subnet ?

Use the following syntax to block 10.0.0.0/8

# iptables -I INPUT -s 10.0.0.0/8 -j DROP

How do I save blocked IP address ?

To save blocked IP address to iptables config file, type the following command

# service iptables save

Or

# /etc/init.d/iptables save

How Do I Unblock An IP Address?

First, you need to display blocked IP address along with line number and other information, type the following command

# iptables -L INPUT -n --line-numbers
# iptables -L INPUT -n --line-numbers | grep 1.2.3.4

Sample outputs:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  1.2.3.4              0.0.0.0/0
2    LOCALINPUT  all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     udp  --  203.162.4.1          0.0.0.0/0           udp spts:1024:65535 dpt:53

To unblock 1.2.3.4 you must delete line number 1, enter:

# iptables -D INPUT 1

The post How Do I Block An IP Address On Linux Server ? appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

Sometimes you may want to disable ping response for many reasons, may be for a security reason… This article explains how do I disable the ping response on Linux ?

Disable ping response Temporarily

To disable the PING response, login as root and type the following command

# echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all

To reenable the PING response do this:

# echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all

Disable ping response Permanently

Edit the /etc/sysctl.conf file and add the following line

net.ipv4.conf.icmp_echo_ignore_all = 1

Execute sysctl -p to enforce this setting immediately

# sysctl -p

The post How Do I Disable The Ping Response On Linux? appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

If you store private information on your Linux system and you want to prevent other people who use the system from viewing your private files, you need to password protect these files. Solution is to use following commands to encrypt or decrypt files with a password.

gpg command

GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC4880. GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications.

To encrypt a file, use command gpg as follows:

$ gpg -c filename

Example, to encrypt private.txt file, type the command

$ gpg -c private.txt

Output

Enter passphrase:
Repeat passphrase:

Where,
-c : Encrypt with symmetric cipher.

To decrypt file use gpg command

$ gpg private.txt.gpg

Output:

gpg private.txt.gpg
gpg: CAST5 encrypted data
Enter passphrase:

mcrypt command

Mcrypt is a simple crypting program, a replacement for the old unix crypt. When encrypting or decrypting a file, a new file is created with the extension .nc and mode 0600. The new file keeps the modification date of the original. The original file may be deleted by specifying the -u parameter.

Examples, to encrypt data.txt file, type the following command

$ mcrypt data.txt

Output:

Enter the passphrase (maximum of 512 characters)
Please use a combination of upper and lower case letters and numbers.
Enter passphrase:
Enter passphrase:

Note that a new file is created with the extension .nc.

To decrypt the data.txt.nc file, enter

$ mcrypt -d data.txt.nc

Output:

Enter passphrase:
File data.txt.nc was decrypted.

The post Linux Password Protect Files appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.

Under Linux operating system you can use the faillog command to display faillog records or to set login failure limits. faillog command displays the contents of the failure log from /var/log/faillog database file. It also can be used for maintains failure counters and limits. If you run faillog command without arguments, it will display only list of user faillog records who have ever had a login failure.

Synopsis

faillog [options]

Options

The options which apply to the faillog command are:
-a, --all
Display faillog records for all users.
-h, --help
Display help message and exit.
-l, --lock-time SEC
Lock account to SEC seconds after failed login.
-m, --maximum MAX
Set maximum number of login failures after the account is disabled to MAX. Selecting MAX value of 0 has the effect of not placing a limit on the number of failed logins. The maximum failure count should always be 0 for root to prevent a denial of services attack against the system.
-r, --reset
Reset the counters of login failures or one record if used with the -u LOGIN option. Write access to /var/log/faillog is required for this option.
-t, --time DAYS
Display faillog records more recent than DAYS. The -t flag overrides the use of -u.
-u, --user LOGIN
Display faillog record or maintains failure counters and limits (if used with -l, -m or -r options) only for user with LOGIN.

Examples

To display all failed login attempt with following command:

# faillog -a

Sample outputs

Login       Failures Maximum Latest                   On

root            0        0   01/01/70 07:00:00 +0700
bin             0        0   01/01/70 07:00:00 +0700
daemon          0        0   01/01/70 07:00:00 +0700
adm             0        0   01/01/70 07:00:00 +0700
lp              0        0   01/01/70 07:00:00 +0700
sync            0        0   01/01/70 07:00:00 +0700
shutdown        0        0   01/01/70 07:00:00 +0700
halt            0        0   01/01/70 07:00:00 +0700
mail            0        0   01/01/70 07:00:00 +0700
news            0        0   01/01/70 07:00:00 +0700
uucp            0        0   01/01/70 07:00:00 +0700
operator        0        0   01/01/70 07:00:00 +0700

To display failed login attempt for user root with following command:

# faillog -u root

Sample outputs

Login       Failures Maximum Latest                   On

root            0        0   01/01/70 07:00:00 +0700

The post How To Display Failed Login Attempt ? appeared first on lifeLinux: Linux Tips, Hacks, Tutorials, Ebooks.