The following is a first list of the stuff we should know how to do.

- Access new system.
    ssh actswac@104.238.116.218

- Find names of software packages in the official CentOS repositories.
  Sample commands:
    yum search subversion
    yum list available "*subversion*"
    yum info subversion.x86_64

- Install new software packages from the official CentOS repositories.
  Sample command:
    yum install subversion.x86_64

- Update software packages from the official CentOS repositories.
  * For a specific package:
    yum update "package"
  * To update all currently installed packages:
    yum update

- Find which packages have updates available from the official CentOS repositories.
    yum check-update

- Find groups of packages installed or available.
    yum grouplist
    yum group list available

- Install PERL modules from cpan.org.
  THIS SHOULD ONLY BE USED FOR MODULES NOT FOUND IN THE GoDaddy CentOS REPOSITORIES.
  I installed "cpan" from the GoDaddy CentOS repositories. The command "cpan" can be used to install Perl modules from cpan.org.
  Configuration will be written to /root/.cpan/CPAN/MyConfig.pm
  I set the configuration so "sudo cpan" should be used to install modules.

- Create new users & control user ids, group ids, home dir., initial shell, password policy, etc.
  Sample commands for the root user to add the hivy user:
    useradd -m -c "Hank Ivy" hivy
    passwd hivy
  Note: The system prompts for the new password twice and checks that it is not easily guessed.
  Sample command for the root user to force the hivy user to change his password upon logging in:
    passwd --expire hivy
  Sample command to add a user to a group:
    gpasswd -a bcarico wwwteam
  Sample commands to map an old user id to a new user id, and likewise for a group id:
    find . -uid 503 -exec chown ddoughty {} \;
    find . -gid 504 -exec chgrp ddoughty {} \;

- Set up master source base.
  * On the old testmanager1.com, the svn master source base, MSB, is at file:///usr/local/subversion
  * Sample command to create a repository:
    svnadmin create --fs-type fsfs /usr/local/subversion
    BILL: You should never have to do this, for another ten years.
  * Sample command to dump an svn MSB:
    svnadmin dump /usr/local/subversion > MSB_dumpfile
  * Sample command to load the dumpfile into another repository:
    svnadmin load /usr/local/subversion < MSB_dumpfile
  * Sample command to look at the repository:
    svnlook ???

- Create a developer sandbox.

- Force shutdown and default reboot of the system, even if it is inaccessible itself.
  * If it is accessible, become the root user and run:
    shutdown -r now

- Set up automated off-site backups.

- Set up automated daily archive of WEB error and access logs, with a monthly retention cycle.

- Configure sudo users. For the root user:
    cd /etc/sudoers.d
    cp bcarico newguy
  Edit the file newguy to replace "bcarico" with "newguy".

- Configure firewall.

- Configure port for ssh access; we want to stop using the default port.

- Route root user's email to Bill Carico, et al.

- Re-evaluate disk space requirements.

- Acts developer/sustainer documentation.

- GUI applications from the Acts server to my client that I used ssh to log in from.

Go to godaddy.com
Click on login
  user ID: actswac
  Password: Qbttxpsea1!
  Servername: ACTS1
  IP: 104.238.116.218
    ssh actswac@104.238.116.218
The actswac account has sudoer privileges, id 1000, group actswac 1000.

- Copy files to new system.
  Login to testmanager1.com, then:
    sftp hivy@104.238.116.218
  GoDaddy ??? Customer # and pin #
    William Carico — Customer Number: 11479942  pin: Ask Bill
  Stuff to copy over. Done:
    Master Source Base.
    Backups
    hivy home
    bcarico home
    ddoughty home
    itembank home
    /usr/local/httpd/conf/ssl*/.
  Stuff to copy over. ToDo:
    /var/www/x4/. (Archive)
    /usr/local/httpd.fmac/. (Archive)
    /var/www/error/.
    /var/www/-All-Else (Archive)
  Correct the owner and group IDs. See the old owner and group IDs in /home/transfers/hivy/ passwd and group.
    sudo find . -uid nnn -exec sudo chown NNN {} \;
    sudo find . -gid nnn -exec sudo chgrp NNN {} \;

Stuff to configure

Firewalls
- Close up undesired access.
- Open up holes for sandbox web access.
- Open up holes for sshd.
- Open up holes for ftp?

- System Status
  Sample commands to list status of services:
    chkconfig --list
    systemctl list-unit-files
  Sample commands to turn on the firewall:
    # Turn on the iptables service, AKA firewall
    chkconfig iptables on
    # Start the firewall, AKA iptables service
    service iptables start
    systemctl start iptables.service
    # Check the firewall status
    service iptables status
    systemctl status iptables.service
    # Restart the firewall
    service iptables restart
    systemctl restart iptables
    # Stop the firewall
    service iptables stop
    systemctl stop iptables.service

- Sample commands to open a hole in the firewall for port 2702 as a new fifth rule in the INPUT chain.
  The new rule is inserted; the fifth and successive rules become the sixth and successive rules.
    iptables -I INPUT 5 -p tcp --dport 2702 -j ACCEPT
    iptables -I INPUT 5 -p tcp --dport http -j ACCEPT
    iptables -I INPUT 5 -p tcp --dport https -j ACCEPT
  NOTE: The dport is http. The value http is indexed in /etc/services as port 80.
  NOTE: The dport is https. The value https is indexed in /etc/services as port 443.

- Making a lasting change to the firewall, AKA iptables. As the root user:
    sudo iptables-save > /etc/sysconfig/iptables.new20150301A
    cd /etc/sysconfig; sudo cp iptables.new20150301A iptables

  Sample commands to find files in production httpd that have changed:
    cd /usr/local/httpd
    find . \! -name access_log \! -name error_log -type f -newer /home/backups/usr_local_HTTPD.start

- Sandbox Web Servers as a system service
  A System Service is typically a single process that might have child processes helping it.
  I will set up a service SB-hivy. I did the following to get config and service, AKA unit, files to edit:
    cp /etc/sysconfig/httpd /etc/sysconfig/SB-hivy
    cp /usr/lib/systemd/system/httpd.service /usr/lib/systemd/system/SB-hivy.service
  I edited the two new files.
  If you want your own sandbox services, choose your own name of SB-* service, copy, and edit your files.
  - Start my own Sandbox webserver:
    systemctl start SB-hivy.service
  - Verbose status of my own Sandbox webserver:
    systemctl status -l SB-hivy.service
  - Shorter status of my own Sandbox webserver:
    systemctl status SB-hivy.service
  - Shutdown my own Sandbox webserver:
    systemctl stop SB-hivy.service
  - Shutdown and start my own Sandbox webserver:
    systemctl restart SB-hivy.service

MPM is Multi-Processing Module.

********** HTTP configuration files
* Old style - All entries are in a single file. P.S. Used Pre-Fork MPM.
* New style - Include methodology: files that include files with entries.
* New style configuration file has:
    Include conf.modules.d/*.conf
    IncludeOptional conf.d/*.conf
  EXCEPT ssl.conf
  NOTE: /etc/httpd contains both conf.modules.d/*.conf and conf.d/*.conf
* conf.modules.d/*.conf contains LoadModule directives. Some are commented out, or conditional.
  --- 00-mpm.conf is sort of conditional. We have the default:
    LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
    #LoadModule mpm_worker_module modules/mod_mpm_worker.so
    #LoadModule mpm_event_module modules/mod_mpm_event.so
  We are using the "Prefork MPM".
* conf.d/*.conf contains:
  * conf.d/autoindex.conf contains:
    --- AddIcon* directives for different files or filename extensions.
    --- These are only displayed for FancyIndexed directories.
    --- These are AddIconByEncoding, AddIconByType, AddIcon, DefaultIcon, IndexOptions, and
        Alias /icons/ "/usr/share/httpd/icons/"
    # ReadmeName is the name of the README file the server will look for by
    # default, and append to directory listings.
    #
    # HeaderName is the name of a file which should be prepended to
    # directory indexes.
    ReadmeName README.html
    HeaderName HEADER.html
    # IndexIgnore is a set of filenames which directory indexing should ignore
    # and not include in the listing. Shell-style wildcarding is permitted.
    #
    IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
  * conf.d/mpm_prefork.conf contains: httpd server process parameters.
  * conf.d/userdir.conf contains:
    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # The path to the end user account 'public_html' directory must be
    # accessible to the webserver userid. This usually means that ~userid
    # must have permissions of 711, ~userid/public_html must have permissions
    # of 755, and documents contained therein must be world-readable.
    # Otherwise, the client will only receive a "403 Forbidden" message.
    #
    Directives to disallow, or allow and control access to, a special folder in a developer's or user's home folder. Default is to disallow. WE SHOULD DISALLOW.
  * conf.d/welcome.conf contains:
    # This configuration file enables the default "Welcome" page if there
    # is no default index page present for the root URL. To disable the
    # Welcome page, comment out all the lines below.

NOTES on Parms for Pre-Fork MPM
  StartServers 8                 OK
  MinSpareServers 5              OK
  MaxSpareServers 20             OK
  ServerLimit 256
  MaxClients 256                 ??? Not valid parm ?
  MaxRequestsPerChild 4000       ??? Not valid parm. ?
  MaxRequestWorkers              ??? default 256
  MaxConnectionsPerChild         default 0 means never kill.
I want:
  StartServers 8                 OK
  MinSpareServers 5              OK
  MaxSpareServers 20             OK
  ServerLimit 256
  MaxRequestWorkers 256          default 256
  MaxConnectionsPerChild 512     default 0 means never kill.

NOTES on software differences -- CentOS7 did not seem to have these. I used a cpan shell to get, make, test, and install them.
  GD::Graph::bars
  GD::Graph::bars3d
  GD::Graph::colour
  GD::Graph::colour qw(:colours)
  GD::Graph::Data
  GD::Graph::hbars
  GD::Graph::linespoints
  GD::Graph::pie
  GD::Text::Align
  MIME::Base64 qw(encode_base64 decode_base64)
  POSIX qw(iscntrl)

NOTES: On redirecting http requests on the old host to the new host.
Found answer in WWW:
    Redirect permanent / http://www.new-domain.com/
I used:
    Redirect permanent / http://104.238.116.218/

Plan: Status is one of Done, Prog., ToBe.
Status - id - Desc.
Done - 01 - Find Hacker id, and files.
Done - 02 - Restart the system (killing Hacker's processes).
Done - 03 - Restart the WEB Server.
Done - 04 - Find and back up all WEB Server files to tar balls. Note: 2.3GB compressed files.
Done - 05 - Find and back up all relevant home directories. NOTE: None.
ToBe - 06 - Review tar balls for Hacker files, and handle.
ToBe - 07 - Restore tar balls for WEB Server files.
ToBe - 08 - Edit testmanager1 WEB Server configuration file for new virtual hosts.
ToBe - 09 - Move one active non-test virtual host to testmanager1.
ToBe - 10 - Move all non-active virtual hosts to testmanager1.
ToBe - 11 - Test both previous steps. Make them work.
ToBe - 12 - Move remaining virtual hosts to testmanager1.
ToBe - 13 - Test previous step. Make virtual hosts work.
ToBe - 14 - SHUTDOWN testmanager.com at the hosting site.

testmanager1 security tasks:
ToBe - A. - Move the sshd to a non-default port number.
ToBe - B. - Review, reload, and replace any PuTTY identity keys.
ToBe - C. - Any similar passwords on testmanager and testmanager1 should be changed. The Hacker has had access to our encrypted passwords, the time, and the tools to unencrypt them.

NEW 2014
Bill said testmanager1 is a godaddy account, about 80 dollars/mon., stand-alone. I logged into testmanager1 and found it had 111 GB of disk, 1GB of RAM.
GoDaddy offers a Virtual Private Server at multiple levels of cost and features. The premium level is $80/mon., 4GB of RAM, 120 GB of disk, and 4TB of bandwidth/mon. We could have CentOS with cPanel including patching, root access, and access to the WEB server error logs.

Replacement Server goals (not a prioritized list)
1. Run a stable, well supported Linux distribution. (CentOS is OK.)
2. Install released packages, and patches.
3. Configure firewall holes.
4. Install PERL modules from CPAN.
5. FTP access. (Configure non-standard port.)
6. ssh access. (Configure non-standard port.)
7. Access to httpd error logs.
8. Configure httpd WEB server.
9. Create user ids, control id numbers, and groups.

Sandbox setup for a new developer (<user> and <port> stand for the developer's login name and sandbox port):
# addgroup <user>
# adduser --gid <gid> --groups wwwteam <user>
# passwd <user>
# su - <user>
$ mkdir dev
$ cd dev
$ svn co file:///usr/local/subversion/Testmanager/trunk Testmanager
NOTE: Alternates for Item Bank:
$ svn co file:///usr/local/subversion/Testmanager/branches/ItemBank Testmanager
$ svn co file:///usr/local/subversion/Testmanager/branches/SpecialChar Testmanager
$ ln -s Testmanager httpd
$ exit
# cd /etc/httpd/conf
# cp httpd.conf httpd.conf.bak
# vi httpd.conf
Copy the last virtual host entry; change username and port numbers.
Must add <user>.testmanager1.com to DNS for the alias to work; otherwise just access the sandbox at testmanager1.com:<port>
# apachectl configtest
# apachectl graceful
# cp bcarico.conf <user>.conf
# vi <user>.conf
Change bcarico to <user>; change port numbers.
# vi /etc/init.d/sandbox
On line 33 ("for sandbox in ...") add <user> to the end of the list.
# /usr/sbin/httpd -f /etc/httpd/conf/<user>.conf

Open the sandbox ports in the firewall with webmin:
Point web browser to https://www.testmanager1.com:10000
Log in to webmin as root.
Click on Networking -> Linux Firewall.
Click on "Accept" next to any existing port rule to edit that rule.
Scroll to bottom and click "Clone Rule".
On the new rule, change the port number, then click "Create".
Click on the Move arrows to move the new rule up and place it in numeric order by port.
Repeat for the second port.
Scroll to bottom and click on "Apply Configuration".
Click on Logout.
If webmin appears to hang, you can check the firewall rules by entering:
# iptables --list | grep <port>
If it shows the port number, the firewall config has been applied and you can safely exit webmin.

----
All code changes seem to happen in:
  cgi-bin/js/./*.js
  cgi-bin/./*.p[lm]
  secure_html/template/./*.htt
  secure_html/data/*.std
  secure_html/data/tests/default.std
  secure_html/language/phrases.enu
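The "Correct the owner and group IDs" step in the copy-files section above maps each old uid/gid to the new one with a find/chown pass per account. As an added example (not part of the original notes), this script derives that map from the old passwd/group files copied to /home/transfers/hivy/ and the live /etc/passwd and /etc/group, and refuses to proceed when a new id is also some other account's old id, since the passes would then re-own files in the wrong order. The helper names and the sample passwd lines are constructed; only the file locations come from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: build the old->new uid/gid map
# for the "Correct the owner and group IDs" step from the passwd/group files
# copied to /home/transfers/hivy/ and the live /etc/passwd and /etc/group,
# then print the find/chown and find/chgrp passes. Helper names and the
# sample passwd lines are constructed; only the file locations are from the notes.

# id_map OLD NEW: print "name old_id new_id" for each account present in
# both files whose numeric id (field 3) changed. Works for passwd and group.
id_map() {
    awk -F: 'NR == FNR { new[$1] = $3; next }
             ($1 in new) && new[$1] != $3 { print $1, $3, new[$1] }' "$2" "$1"
}

# id_collisions OLD NEW: print every new id that is also another account's old
# id. Sequential passes are only safe when this prints nothing; otherwise a
# later pass would re-own files an earlier pass already fixed.
id_collisions() {
    id_map "$1" "$2" | awk '{ was[$2] = $1; becomes[$3] = $1 }
        END { for (i in becomes) if (i in was) print i }' | sort -n
}

# remap_commands ROOT OLD_PASSWD NEW_PASSWD OLD_GROUP NEW_GROUP: print the
# passes by name, so chown/chgrp resolve the new numeric ids themselves.
remap_commands() {
    id_map "$2" "$3" | while read -r name old new; do
        printf 'sudo find %s -uid %s -exec sudo chown %s {} \\;\n' "$1" "$old" "$name"
    done
    id_map "$4" "$5" | while read -r name old new; do
        printf 'sudo find %s -gid %s -exec sudo chgrp %s {} \\;\n' "$1" "$old" "$name"
    done
}

# Constructed sample: three accounts moved hosts; bcarico kept its id. The
# same files stand in for the group files here, gids mirroring the uids.
tmp=${TMPDIR:-/tmp}/idmap.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'hivy:x:503:503::/home/hivy:/bin/bash' \
    'bcarico:x:504:504::/home/bcarico:/bin/bash' \
    'ddoughty:x:505:505::/home/ddoughty:/bin/bash' > "$tmp/passwd.old"
printf '%s\n' 'actswac:x:1000:1000::/home/actswac:/bin/bash' \
    'hivy:x:1001:1001::/home/hivy:/bin/bash' \
    'bcarico:x:504:504::/home/bcarico:/bin/bash' \
    'ddoughty:x:1002:1002::/home/ddoughty:/bin/bash' > "$tmp/passwd.new"
if [ -n "$(id_collisions "$tmp/passwd.old" "$tmp/passwd.new")" ]; then
    echo "id collision: move the clashing accounts through a spare id range first" >&2
else
    remap_commands . "$tmp/passwd.old" "$tmp/passwd.new" "$tmp/passwd.old" "$tmp/passwd.new"
fi
```

Run it from the top of the transferred tree (the notes use `.` after a cd) and review the printed commands before pasting them; `chown`/`chgrp` by name means the live passwd/group decide the final numeric ids.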
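The firewall notes above insert the port 2702 hole as the fifth INPUT rule and then persist it with iptables-save into /etc/sysconfig/iptables, and the webmin procedure ends by checking the live rules with `iptables --list | grep`. As an added example (not part of the original notes), this script performs the same "-I INPUT 5" insertion on a saved rule file so the change can be reviewed and checked for duplicates before it is copied into place. The helper names are constructed, and the sample rule set is constructed to resemble the stock CentOS iptables-services rules, whose fifth INPUT rule is the catch-all REJECT.

```shell
#!/bin/sh
# Added example, not from the original notes: apply the "iptables -I INPUT 5"
# change to a saved rule set (the /etc/sysconfig/iptables format) so the result
# can be reviewed before it is copied into place. Helper names are constructed;
# the sample mimics the stock CentOS iptables-services rules, whose fifth INPUT
# rule is the catch-all REJECT. That is why a new ACCEPT must go in at position
# 5 or earlier: a rule placed after the REJECT is never reached.
tmp=${TMPDIR:-/tmp}/ipt.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/iptables.cur" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

# rule_present FILE CHAIN RULE: true if "-A CHAIN RULE" is already saved
# (the saved-file counterpart of `iptables -C`, so a hole is not opened twice).
rule_present() { grep -qxF -- "-A $2 $3" "$1"; }

# nth_rule FILE CHAIN N: print rule N of CHAIN, numbered as `iptables -L --line-numbers` does.
nth_rule() { awk -v chain="$2" -v n="$3" '$1 == "-A" && $2 == chain && ++c == n' "$1"; }

# insert_rule FILE CHAIN POS RULE: print FILE with "-A CHAIN RULE" as rule POS;
# the old rule POS and those after it shift down one, as with `iptables -I`.
# POS one past the last rule appends; anything larger fails, as iptables does.
insert_rule() {
    awk -v chain="$2" -v pos="$3" -v rule="$4" '
        $1 == "-A" && $2 == chain { if (++c == pos) { print "-A", chain, rule; done = 1 } }
        $1 == "COMMIT" && !done { if (c + 1 != pos) exit 1; print "-A", chain, rule; done = 1 }
        { print }' "$1"
}

rule='-p tcp --dport 2702 -j ACCEPT'
if rule_present "$tmp/iptables.cur" INPUT "$rule"; then
    echo "port 2702 is already open" >&2
else
    insert_rule "$tmp/iptables.cur" INPUT 5 "$rule" > "$tmp/iptables.new"
    # review iptables.new, then on the server copy it over /etc/sysconfig/iptables and restart iptables
fi
```

On the server the input file would be the current `iptables-save` output (or /etc/sysconfig/iptables itself), and the reviewed result replaces that file before `service iptables restart`.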