HowTo Server Auditing - Noncpanel

From PheonixSolutions

SERVER AUDIT FOR NONCPANEL SERVERS

Hostname:

 Command - hostname

IP Address:

 Command - ifconfig

Date:

 Command - date

Uptime:

 Command - uptime

Disk Usage:

 Command - df -h

Memory Usage:

 Command - free -m

Malware Hits:

Note: always run maldet inside a screen session.

 Command - maldet -a /home/?/domain/?/public_html
 or /usr/local/sbin/maldet -a

(For Stijn you can go with /usr/local/sbin/maldet -a /home/?/public_html and /usr/local/sbin/maldet -a /tmp)

It shows output like:

 maldet(18341): {scan} signatures loaded: 17045 (14225 MD5 | 2035 HEX | 785 YARA | 0 USER)
 maldet(18341): {scan} building file list for /home/?/public_html, this might take awhile...
 maldet(18341): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
 maldet(18341): {scan} file list completed in 1s, found 1 files...
 maldet(18341): {scan} scan of /home/?/public_html (1 files) in progress...
 maldet(18341): {scan} 1/1 files scanned: 0 hits 0 cleaned
 maldet(18341): {scan} scan completed on /home/?/public_html: files 1, malware hits 0, cleaned hits 0, time 1s
 maldet(18341): {scan} scan report saved, to view run: maldet --report 200804-2355.18341

You can also view the saved report with:

 maldet --report 200804-2355.18341

Rootkit check:

 Command - rkhunter -c -sk (or) sudo rkhunter -c -sk

Old rkhunter version: 1.3.6

New rkhunter version: 1.4.2

Kernel version:

 Command - uname -srm

Current kernel version: 3.10.0-1127.8.2.el7.x86_64

New kernel version: 3.10.0-1127.18.2.el7.x86_64

Change SSH port

Check the current SSH port with the following commands:

 grep Port /etc/ssh/sshd_config
 lsof -Pi|grep ssh

To change the default SSH port to a custom port, use the following three steps.

Run the following command:

 nano /etc/ssh/sshd_config

Locate the following line:

 #Port 22

Remove the # and change 22 to your desired port number, then save the file.

Remove unwanted services - NIL.

Disable direct root login and enable a wheel user account - if a wheel user is created, the wheel and root user details are updated in the admin panel.

Files and folder permissions:

We always check three permission sets on the server.

First, change to the /home directory (cd /home).

Then check the folder and file permissions, saving each list to /tmp:

 find /home/*/public_html -type d -perm 777 > /tmp/folders_777_perm_list.txt
 find /home/*/public_html -type f -perm 755 > /tmp/files_755_perm_list.txt
 find /home/*/public_html -type f -perm 777 > /tmp/files_777_perm_list.txt

Rebooting Instructions

Note:
(i) The reboot should happen at off-peak time for internal servers (at 10:00 pm)
(ii) We need to send a mail notification to the respective client in the morning before 09:30 am; if required, get the contact mail ID from the billing team
(iii) One dev team person should be available at the time of rebooting; they also need to confirm the functionality of the site
(iv) We also need to send a completion mail to the client after rebooting

Steps:

1. We need to check/take a snapshot of the services before rebooting

 netstat -nltp - to get the service list
 netstat -nltp | wc -l - to check the count

2. After rebooting, the service list and service count should be verified against the snapshot

3. If there are any pm2 services, check whether the pm2 list is saved; if not, follow the steps below before rebooting

(i) pm2 save

(ii) pm2 startup, then run the command that pm2 startup prints

(iii) Internal servers' pm2 lists and their paths

  • Portal & HMS - 173.208.157.45

    Need to confirm

  • Taxary - 142.54.163.115

    User: root

    Path: /var/www/taxary

Command: pm2 start server.js --name server

  • Iambfab - 142.54.163.118

    User: Phoenix

    Path: /var/www/bfab_backend/unitedgrooves_be

Command: pm2 start server.js --name unitedgrooves

  • Dfinance - 173.208.177.116

    User: Phoenix

    Path: /var/www/html/dfinance.pheonixsolutions.com_be

Command:

cd /var/www/html/dfinance.pheonixsolutions.com_be

pm2 start ./bin/www --name dapifinance

  • Agribreeders - 173.208.177.118

    User: Phoenix

    Path: /var/www/html/agribreeders_be/

Command:

cd /var/www/html/agribreeders_be/

pm2 start ./bin/www --name agribreeders_be



    User: Phoenix

    Path: /var/www/html/agribreeders_be/stageapi

Command:

cd /var/www/html/agribreeders_be/stageapi

pm2 start ./bin/www --name stageapi
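The service snapshot check from steps 1 and 2 of the rebooting instructions above, as an added shell example that is not part of this wiki page: it records the netstat -nltp listener list before the reboot, strips PIDs (which change across a reboot), and reports any service that did not come back. It assumes netstat from net-tools is installed, as the page's command does.

```shell
#!/bin/sh
# Added example, not from the PheonixSolutions wiki: snapshot listening
# services before a reboot and verify them after it. Assumes `netstat -nltp`
# output (net-tools); PIDs are removed so a changed PID is not a difference.

# normalize_listeners: read `netstat -nltp` output on stdin and emit sorted,
# unique "proto local_address program" lines ("1234/sshd" becomes "sshd").
normalize_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
            prog = $7
            sub(/^[0-9]+\//, "", prog)
            print $1, $4, prog
        }' | LC_ALL=C sort -u
}

# take_snapshot FILE: write the normalized listener list to FILE.
take_snapshot() {
    netstat -nltp 2>/dev/null | normalize_listeners > "$1"
}

# count_listeners FILE: the page's `netstat -nltp | wc -l` count, on a snapshot.
count_listeners() {
    wc -l < "$1" | tr -d ' '
}

# missing_listeners BEFORE AFTER: listeners present before the reboot but
# absent afterwards (both files produced by normalize_listeners).
missing_listeners() {
    LC_ALL=C comm -23 "$1" "$2"
}

# verify_reboot BEFORE AFTER: print the counts and any missing services;
# returns 0 when every service is back, 1 when something did not return.
verify_reboot() {
    echo "listeners before: $(count_listeners "$1"), after: $(count_listeners "$2")"
    missing=$(missing_listeners "$1" "$2")
    if [ -n "$missing" ]; then
        echo "NOT listening after reboot:"
        echo "$missing"
        return 1
    fi
    echo "all services are back"
    return 0
}

# Usage on the server being rebooted:
#   take_snapshot /root/listeners_before.txt     # before the reboot
#   take_snapshot /root/listeners_after.txt      # after the reboot
#   verify_reboot /root/listeners_before.txt /root/listeners_after.txt
```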