Other Blocking



                                           Created 22nd Feb. 2013
                                                By  Eiji Hamano

1. Check for dangerous user CGI scripts

  Search for dangerous user CGI scripts and delete them after talking to the owner.
  For example, find the files at the site that contain the string "sendmail":

     >  find  /home/sites/www.xxxxx.com/web  -type f -print0  |  xargs -0 egrep  sendmail   




2.  Close webmail (SquirrelMail) and RoundCube when they are publicly open.
    Protect them with a basic password, or use them only from inside the Control Page.

  Publicly open webmail and RoundCube pages are very dangerous.
  To close them, comment out their Alias definitions.

  How to close them:
    
     > vi  /etc/httpd/conf.d/squirrelmail.conf 

          Alias /webmail /usr/share/squirrelmail
       to 
          ##Alias /webmail /usr/share/squirrelmail 


     > vi  /etc/httpd/conf.d/roundcube.conf
 
          Alias /roundcube /usr/share/roundcube
          Alias /mail /usr/share/roundcube
       to 
          ##Alias /roundcube /usr/share/roundcube
          ##Alias /mail /usr/share/roundcube

     >  /etc/init.d/httpd  restart  


   To protect them with a basic password instead,
   look up how to use "/usr/bin/htpasswd".



3. Close port 3306 (MySQL)


     >  /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP ; 

   But if your customers' pages use Flash,
   some careless developer may be connecting to port 3306 directly.
   In that case you might not be able to close 3306.



4. Defend against DDoS with iptables


   DDoS defense: block connection attempts at more than 2 per second (SSH, FTP, etc.).

     >  /sbin/iptables -A INPUT -p tcp   --syn --destination-port 22 -m limit --limit 2/s -j ACCEPT   ;
     >  /sbin/iptables -A INPUT -p tcp ! --syn --destination-port 22 -j ACCEPT  ;

     >  /sbin/iptables -A INPUT -p tcp   --syn --destination-port 21 -m limit --limit 2/s -j ACCEPT  ;
     >  /sbin/iptables -A INPUT -p tcp ! --syn --destination-port 21 -j ACCEPT  ;

     >  etc...
     >  etc...


   There are various ways to write this.  This is the simplest form.
   Note that these rules only ACCEPT: SYN packets over the limit are simply not matched,
   so they must be caught by a following DROP rule (or a DROP policy on INPUT),
   otherwise nothing is blocked.


   DDoS defense: block connection attempts at more than 8 per minute, for example (SSH, FTP, etc.).

     >  /sbin/iptables -A INPUT -p tcp   --syn --destination-port 22 -m limit --limit 8/m -j ACCEPT   ;
     >  /sbin/iptables -A INPUT -p tcp ! --syn --destination-port 22 -j ACCEPT  ;

     >  /sbin/iptables -A INPUT -p tcp   --syn --destination-port 21 -m limit --limit 8/m -j ACCEPT  ;
     >  /sbin/iptables -A INPUT -p tcp ! --syn --destination-port 21 -j ACCEPT  ;

     >  etc...
     >  etc...

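   The following is an added example, not part of the original note: a small POSIX
   shell helper that generates the per-port rate-limit rules shown above for any list
   of ports, and adds the per-port DROP that the fragments above rely on. The
   iptables path, the BURST parameter and the APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the original note). Builds the SYN rate-limit rules
# for a list of ports. Each port gets three rules, in this order:
#   1. new connections (SYN) accepted only up to RATE (e.g. 2/s or 8/m),
#      allowing a burst of BURST packets (iptables default --limit-burst is 5);
#   2. packets of already-open connections (! --syn) always accepted;
#   3. whatever is left for the port is a SYN over the limit: DROP it.
# Without rule 3 (or a DROP policy on INPUT) excess SYNs would fall through
# to later rules and nothing would actually be blocked.

IPT=/sbin/iptables   # assumption: same path as in the note

# gen_rules RATE BURST PORT...  -> prints one iptables command per line
gen_rules() {
    rate=$1; burst=$2; shift 2
    for port in "$@"; do
        echo "$IPT -A INPUT -p tcp --syn --dport $port -m limit --limit $rate --limit-burst $burst -j ACCEPT"
        echo "$IPT -A INPUT -p tcp ! --syn --dport $port -j ACCEPT"
        echo "$IPT -A INPUT -p tcp --syn --dport $port -j DROP"
    done
}

# count_rules RATE BURST PORT...  -> number of rules that would be installed
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# apply_rules RATE BURST PORT...  -> dry run by default; APPLY=1 runs them (as root)
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        gen_rules "$@" | sh -e
    else
        gen_rules "$@"
    fi
}

# Dry run for SSH and FTP at 2 connections per second, burst 5.
apply_rules 2/s 5 22 21
```

   Run it once to review the printed commands, then rerun with APPLY=1 as root to install them.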

   I cannot understand why BO does not have DDoS defenses by default.
 


FIN