Thomas Mullaly

DevOps, Security and IT Leadership

Security Onion Notes

Keep console from blanking edit /etc/rc.local Add setterm -blank 0 above exit 0

Stop X from starting up Edit /etc/default/grub with your favorite editor, eg: nano:

sudo nano /etc/default/grub

Find out this line:


Change it to:


Update Grub:

sudo update-grub

you can start X by typing startx

Performance: mount /nsm on separate disk

Adding New Esxi Thin Disk to Ubuntu Linux 14.04

I’ve been rsyncing the server data to a local vm in our esx cluster then backing up the vm. I ran out of disk so here are my notes to add a new thin provisioned disk.

I had mounted a 100 GB virtual disk on /backups, now I’m replacing it with a 300 GB virtual disk.

Pure-FTPd on Ubuntu 12.04

This is a simple setup to allow your designer ftp access to a web directory. The problem that I encountered was for a web server running wordpress. Apache runs as the user www-data with an id of 33 on Ubuntu 12.04. The wordpress files have to be ownership as the webserver for you to download and install updates through wordpress’s web interface. I guess I could just have the core wordpress files and the plugins directory and given the rest the user account permissions but I didn’t. The Pure-ftp server allow me to create virtual users and I can give them any uid, except 0 (root). For security, I would just allow from the designers ip address.

Collectd on Ubuntu 12.04 and Nginx

Collectd is the new cool kid of system monitoring tools.

apt-get install collectd collectd-utils
vi /etc/collectd/collectd.conf
service collectd restart
/var/ossec/bin/syscheck_update -u local
cd /var
mkdir www
cd www
cp -r /usr/share/doc/collectd/examples/collection3 .
apt-get install librrds-perl libconfig-general-perl libhtml-parser-perl  libregexp-common-perl
apt-get install fast-cgi
apt-get install spawn-fcgi fcgiwrap
location /nginx_status {
          stub_status on;
          access_log off;
          deny all;
		location ~ .cgi$ {
	        	root /var/www;
	        	fastcgi_pass unix:/var/run/fcgiwrap.socket;
	        	include /etc/nginx/fastcgi_params;

		location /collection3/share/ {
			alias /var/www/collection3/share/;
service nginx restart

Secure Ubuntu 12.04 Wordpress Server Outline

  1. Operating System
    • Minimal os install
    • Minimal services running
    • Disable IPv6
    • Ossec to watch filesystem integrity, monitor log files and watch for rootkits
    • Script to alert when os/package updates are needed (patching)
    • Firewall (iptables)
  2. SSH
    • Harden the sshd config
  3. Apache
    • Harden apache
  4. MySql
    • Harden MySQL
  5. Postfix
    • Configured as satellite, will only send email to our domain from our relay
  6. Wordpress
    • Install security plugins
      1. iThemes Security
      2. Wordfence
      3. InfiniteWP
  7. Backup
    • Backup database (mysql)
    • Backup file system (wordpress directory)
    • Document how to perform full recovery

The process to patch is to apt-get update. apt-get upgrade, then update ossec’s database. This might be automated in the future. I’m leaving the default ubuntu 12.04 AppArmor policies in place.

How to Put a KVM Guest Domain on a Bridged Network

I want to put some of the KVM domains that I’ve been using a bridged network so I can access them on my LAN directly.

I’m using my old mac pro as my KVM server and it has two interfaces. I’m going to bridge the second interface.
Install bridge-utils:

Wordpress Security Cleanup Notes

Infected PHP Pages: I’ve been looking for infected php pages with this command:

find . -name "*.php" | xargs grep "gzinflate(base64_decode"

Basically, there’s malicious code inserted into the beginning of the php script and it is base64 enconded and compressed so if you look at the file, the first line looks like garbarge. There’s a backdoor on the system that keeps it coming back. I remove it with the following one liner: