Install failure and Locked out
Posted: Fri Nov 21, 2008 12:45 pm
Well, I gave it a shot and I missed something. When I got the option for server or client, I selected server.
I can get into the Plesk CP but I can't start httpd; I get the following from Plesk.
0: /usr/local/psa/admin/plib/common_func.php3:190
psaerror(string 'Unable to make action: Unable to manage service by websrvmng: websrvmng: Service /etc/init.d/httpd failed to restart')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28
Now I can't PuTTY into the server and all my domains are down.
Below are some errors from /etc/asl/config
Checking Kernel security settings
ASL kernel Critical not detected
Kernel GRsecurity support High not found
GRsecurity administrative password Info not set
GRsecurity ACL database Info not found
General Security Checks
Checking for unnecessary services
Service portmap Ok disabled
Service nfs Ok disabled
Service nfslock Ok disabled
Service rpcidmapd Ok disabled
Service cups Ok disabled
Service gpm Ok disabled
Service xfs Ok disabled
Checking for End of Life (EOL) operating systems
centos/5 Ok Supported
Checking General PSA settings
Plesk SQL Injection vulnerability SA26741 Ok not detected
Horde Turba Vulnerability CVE-2008-0807 Ok not detected
Horde Vulnerability SA28382 Ok not detected
Horde Turba Vulnerability SA28382 Ok not detected
Horde Mnemo Vulnerability SA28382 Ok not detected
Horde Kronolith Vulnerability SA28382 Ok not detected
Horde Vulnerability CVE-2007-6018 Ok not detected
Horde Vulnerability CVE-2008-1284 Ok not detected
Horde Kronolith Vulnerabilty BugtraqID 28898 Ok not detected
Verify SSLv2 disabled Ok verified
Checking psmon settings
Checking for psmon installation Ok installed
psmon set to Ok enabled
Regenerating configuration from template Ok psmon.conf-template
Process monitoring enabled Ok yes
Notifications to Fixed xxxxt@xxxxxxxxxxx.com
From line set to Fixed psmon@xxxxx.xxxxxxxxxxx.com
Checking System services monitored by psmon
clamd Fixed monitored
courier-imap Fixed monitored
crond Fixed monitored
ossec-hids Fixed monitored
psa Fixed monitored
psa-spamassassin Fixed monitored
sshd Fixed monitored
xinetd Fixed monitored
Checking General ossec-hids settings
Checking for ossec-hids installation Ok installed
ossec-hids set to Ok enabled
OSSEC is configured in server mode.
Checking for server installation Ok installed
Enable email notification Ok yes
Notifications to Ok xxxx@xxxxxxx.com
Notifications from Ok ossec@xxx.xxxxxxxxx.com
SMTP server set to Ok localhost
Max emails per hour set to Ok 200
Client connections allowed through firewall Ok yes
Verifying Active Response set to Ok on
Shun period time set to Ok 600
Verifying OSSEC whitelists
checking Ok 127.0.0.1
Monitoring mod_security log Ok audit_log
[ OK ] Shutting down ossec-hids
[ OK ] Starting ossec-hids
Checking General rkhunter settings
Checking for rkhunter installation Ok installed
rkhunter set to Ok enabled
Notifications sent to Ok support@xxxxxx.com
Allow SSH root logins Ok no
Allow SSH protocol version 1 Ok no
Checking for whitelist for Plesk services
ftp_psa Ok enabled
poppassd_psa Ok enabled
smtp_psa Ok enabled
smtps_psa Ok enabled
Checking Denyhosts settings
Checking for denyhosts installation Ok installed
DenyHosts set to Ok enabled
Notifications sent to Ok support@xxxxxxxxxxxxxx.com
Notifications sent from Ok denyhosts@D2540.xxxxxxxxxxx.com
Logging set to Ok syslog
Shun period set to Ok 10m
Verifying DenyHosts whitelists
checking Ok 127.0.0.1
sent DenyHosts SIGTERM
/usr/bin/env python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf Starting denyhosts
Checking SSHD configuration
Enforce Protocol Version Ok 2
Strict modes enabled Ok yes
Ignore .rhosts Ok yes
Enable Public Key authentication for users Ok yes
FAILED High No administrative users are defined
SSH will not be reconfigured at this time. warning
FAILED High Remote root logins are still permitted
FAILED High Password authentication is enabled
Enable Privilege separation Ok yes
Allow GSSAPIAuthentication Ok no
Allow GSSAPICleanupCredentials Ok no
SSH Banner Ok /etc/asl/banner
Checking General httpd settings
Verify .htacces AllowOverride not set to ALL Ok verified
Verify HTTP TRACE disabled Ok verified
Verify SSLv2 disabled Ok verified
Checking general mod_evasive settings.
Checking for mod_evasive installation Ok installed
mod_evasive set to Ok enabled
DOSHashTableSize set to Ok 4096
DOSPageCount set to Ok 5
DOSSiteCount set to Ok 200
DOSPageInterval set to Ok 2
DOSSiteInterval set to Ok 2
DOSBlockingPeriod set to Ok 20
[FAILED] Stopping httpd
[FAILED] Starting httpd
Checking General mod_security settings
Checking for mod_security installation Ok installed
mod_security set to Ok enabled
Server Signature set to Ok Apache
SecUploadDir set to Ok /var/asl/data/suspicious
SecUploadKeepFiles set to Ok Off
Logfile set to Ok audit_log
Logging set to Ok Concurrent
Audit Logging to Ok /var/asl/data/audit
Logging elements set to Ok ABIFHZ
SecRequestBodyInMemoryLimit set to Ok 131072
SecResponseBodyLimit set to Ok 2621440
Enable debug log Ok yes
SecDataDir set to Ok /var/asl/data/msa
SecTmpDir set to Ok /tmp
Checking rule class settings
RBL Checks Low off
Upload Scanner ruleset Ok on
Anti-Malware ruleset Ok on
Generic Attack ruleset Ok on
Malicious Useragents ruleset Ok on
Anti-Spam ruleset Ok on
Apache2 Generic ruleset Ok on
Rootkit ruleset Ok on
Recon ruleset Ok on
Just In Time Patches Ok on
Whitelist Ok off
There is a problem with the apache config error
Checking General PHP settings
Checking for php installation Ok installed
PHP Safe Mode High enabled
Register Globals Fixed off
Checking for High-Risk functions
Function dl Fixed no
Function exec Fixed no
Function furl_open Fixed no
Function passthru Fixed no
Function pfsockopen Fixed no
Function popen Fixed no
Function posix_kill Fixed no
Function posix_mkfifo Fixed no
Function posix_setuid Fixed no
Function proc_close Fixed no
Function proc_open Fixed no
Function proc_terminate Fixed no
Function shell_exec Fixed no
Function system Fixed no
Checking for Moderate-Risk functions
Function leak Fixed no
Function posix_kill Fixed no
Function posix_setpgid Fixed no
Function posix_setsid Fixed no
Function proc_get_status Fixed no
Function proc_nice Fixed no
Function show_source Fixed no
Checking for Low-Risk functions
Function phpinfo Allowed yes
[Done] Generating report
Looks like I screwed the pooch on this one. Is there a way to disable ASL from the Plesk CP, or am I in big trouble now, 'cause I can't even PuTTY in to uninstall it?