How to do Server Auditing for non-cPanel servers?

From PheonixSolutions

SERVER AUDIT FOR NON-CPANEL SERVERS

Step 1: Hostname:

The hostname of the server is its unique name within a network; it identifies the server in communications and network operations.

 hostname

Step 2: IP Address:

Displays the network configuration details, including the IP addresses assigned to the server's network interfaces.

 ifconfig

Step 3: Date:

Prints the current system date and time.

 date

Step 4: Uptime:

Shows the server's uptime, indicating how long the server has been running since its last reboot.

 uptime

Step 5: Disk Usage:

Presents a summary of disk space usage on the server's file systems in a human-readable format.

 df -h

Step 6: Memory Usage:

Provides information about the server's memory usage, displaying the total, used, and free memory in megabytes.

 free -m

Step 7: Malware Hits:

Runs a malware scan using Linux Malware Detect (maldet) over the specified directories (/home/?/domain/?/public_html) and reports any hits. Example output is shown below.

Note: always run maldet inside a screen session.

 maldet -a /home/?/domain/?/public_html

or

 /usr/local/sbin/maldet -a

For Stijn, run both of the following:

 /usr/local/sbin/maldet -a /home/?/public_html
 /usr/local/sbin/maldet -a /tmp

It shows output like:

 maldet(18341): {scan} signatures loaded: 17045 (14225 MD5 | 2035 HEX | 785 YARA | 0 USER)
 maldet(18341): {scan} building file list for /home/?/public_html, this might take awhile...
 maldet(18341): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
 maldet(18341): {scan} file list completed in 1s, found 1 files...
 maldet(18341): {scan} scan of /home/?/public_html (1 files) in progress...
 maldet(18341): {scan} 1/1 files scanned: 0 hits 0 cleaned
 maldet(18341): {scan} scan completed on /home/?/public_html: files 1, malware hits 0, cleaned hits 0, time 1s
 maldet(18341): {scan} scan report saved, to view run: maldet --report 200804-2355.18341

You can also view the saved report with the report ID printed on the last line:

 maldet --report 200804-2355.18341
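When the audit covers many servers it helps to record the scan result rather than read it off the screen. The script below is an added example, not part of the wiki page or of maldet itself: it pulls the "malware hits" count and the report ID out of a saved maldet log (the two summary lines shown above) and returns a distinct exit code for clean, infected, and incomplete scans. The clean log is the page's own output; the log with hits and its report ID are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page): extract the numbers that matter
# from a maldet scan log so the audit can record them and fail on hits.
# Parsing relies on the two summary lines maldet prints at the end:
#   "... scan completed on <path>: files N, malware hits N, cleaned hits N, time Ns"
#   "... scan report saved, to view run: maldet --report <id>"

# maldet_hits: read scan output on stdin, print the "malware hits" count.
# Prints nothing if there is no completion line (aborted or unfinished scan).
maldet_hits() {
    sed -n -E 's/.*scan completed on .*: files [0-9]+, malware hits ([0-9]+), .*/\1/p' | tail -n 1
}

# maldet_report_id: read scan output on stdin, print the saved report ID.
maldet_report_id() {
    sed -n -E 's/.*to view run: maldet --report ([0-9]+-[0-9]+\.[0-9]+).*/\1/p' | tail -n 1
}

# maldet_check <logfile>: 0 when the scan completed with zero hits,
# 1 when it found malware, 2 when the log has no completion line at all.
maldet_check() {
    hits=$(maldet_hits < "$1")
    if [ -z "$hits" ]; then
        echo "maldet: no completion line in $1 (scan aborted or still running?)" >&2
        return 2
    fi
    if [ "$hits" -gt 0 ]; then
        echo "maldet: $hits hit(s), see: maldet --report $(maldet_report_id < "$1")" >&2
        return 1
    fi
    return 0
}

# The clean scan output from the page, kept as sample input.
CLEAN_LOG='maldet(18341): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(18341): {scan} scan completed on /home/?/public_html: files 1, malware hits 0, cleaned hits 0, time 1s
maldet(18341): {scan} scan report saved, to view run: maldet --report 200804-2355.18341'

# Constructed log with hits (not real output; the report ID is a placeholder).
HITS_LOG='maldet(99999): {scan} 240/240 files scanned: 2 hits 0 cleaned
maldet(99999): {scan} scan completed on /home/?/public_html: files 240, malware hits 2, cleaned hits 0, time 9s
maldet(99999): {scan} scan report saved, to view run: maldet --report 000000-0000.99999'

# Stand-alone demo: run both samples through the check.
# On a server: maldet -a /home/?/public_html 2>&1 | tee /tmp/maldet.log; maldet_check /tmp/maldet.log
demo_maldet() {
    d=$(mktemp -d)
    printf '%s\n' "$CLEAN_LOG" > "$d/clean.log"
    printf '%s\n' "$HITS_LOG" > "$d/hits.log"
    maldet_check "$d/clean.log" && echo "clean.log: OK"
    maldet_check "$d/hits.log" 2>/dev/null || echo "hits.log: rc=$?"
    rm -rf "$d"
}
demo_maldet
```

Because a scan that never reached the completion line returns 2 instead of 0, a log cut short by a dropped SSH session (the reason the page says to run maldet in screen) is not mistaken for a clean result.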

Step 8: Rootkit check:

Executes Rootkit Hunter (rkhunter) to check for rootkits on the system. It compares system binaries against known checksums and performs various checks for rootkits.

 rkhunter -c -sk

or

 sudo rkhunter -c -sk

Old rkhunter version: 1.3.6

New rkhunter version: 1.4.2

Step 9: Kernel Version:

Displays the kernel version currently running on the server, to be compared against the newer version available.

 uname -srm

Current kernel version: 3.10.0-1127.8.2.el7.x86_64

New kernel version: 3.10.0-1127.18.2.el7.x86_64

Step 10: Change SSH port:

Check the current port with the commands below.

 grep Port /etc/ssh/sshd_config
 lsof -Pi|grep ssh

If we need to change the default SSH port to a custom port, use the three steps below.

Run the following command:

 nano /etc/ssh/sshd_config

Locate the following line:

 #Port 22

Remove the # and change 22 to your desired port number, then save the file.

Remove Unwanted Services -NIL.

Disable direct root login and enable a wheel user account. If a wheel user is created, the wheel and root user details are updated in the admin panel.
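The same port change done with sed instead of by hand in nano, as an added example that is not part of the wiki page: it rewrites the Port line, keeps a backup, validates the port value, and separates the edit from the restart so the configuration can be tested before sshd is reloaded. The config path and port are parameters; the demo at the end runs on a constructed copy of the file, never on /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the wiki page): make the Step 10 edit with sed so
# it is repeatable and checkable before sshd is restarted. Config path and
# port are parameters; on the servers the page describes the file is
# /etc/ssh/sshd_config.

# current_sshd_port <sshd_config>: the active Port value. A line that is
# still commented ("#Port 22") is not active, so the default 22 is reported.
current_sshd_port() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# set_sshd_port <sshd_config> <port>: rewrite "#Port 22" or an existing
# "Port N" line as "Port <port>"; append one if the file has no Port line.
# Keeps a .bak copy and refuses non-numeric or out-of-range ports.
set_sshd_port() {
    cfg="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_sshd_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_sshd_port: port $port out of range" >&2; return 1
    fi
    cp "$cfg" "$cfg.bak"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# apply_sshd_port <sshd_config>: validate, then restart. "sshd -t" exits
# non-zero on a broken config; restarting without that check can lock you
# out of the server. For use on the real host only, not in the demo below.
apply_sshd_port() {
    sshd -t -f "$1" || return 1
    systemctl restart sshd
}

# Stand-alone demo on a constructed excerpt, never on the live file.
demo_sshd_port() {
    d=$(mktemp -d)
    printf '# constructed sshd_config excerpt\n#Port 22\n#AddressFamily any\nPermitRootLogin no\n' > "$d/sshd_config"
    echo "before: Port $(current_sshd_port "$d/sshd_config")"
    set_sshd_port "$d/sshd_config" 2222
    echo "after:  Port $(current_sshd_port "$d/sshd_config")"
    rm -rf "$d"
}
demo_sshd_port
```

Before running apply_sshd_port on a server, open the new port in the firewall and, on a CentOS 7 host with SELinux enforcing, register it with `semanage port -a -t ssh_port_t -p tcp <port>`; otherwise sshd refuses to bind to it and the restart leaves the server unreachable over SSH. Keep the existing session open until a second login on the new port succeeds.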

Step 11: Files and folder permissions:

We always check three permission patterns on the server.

First, change to the /home directory (cd /home).

Then check the file and folder permissions:

 find /home/*/public_html -type d -perm 777 > /tmp/folders_777_perm_list.txt
 find /home/*/public_html -type f -perm 755 > /tmp/files_755_perm_list.txt
 find /home/*/public_html -type f -perm 777 > /tmp/files_777_perm_list.txt
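The three find commands above, wrapped into a function with a constructed sample tree so the check can be rehearsed offline. This is an added example, not part of the wiki page; the base directory and output directory are parameters rather than the page's fixed /home/*/public_html and /tmp paths. It goes one step beyond the page: `-perm 777` only matches mode exactly 777, so a 666 config file is missed by all three lists, and a fourth list (`-perm -0002`) catches anything world-writable regardless of the other bits.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit permissions under a web
# root the way Step 11 does, parameterised and with per-list counts.
# The page checks exactly 777 dirs, 755 files and 777 files; this also lists
# anything world-writable (-perm -0002), which an exact-mode test misses.

# perm_audit <base_dir> <out_dir>: write the four list files into <out_dir>
# and print "listname count" for each.
perm_audit() {
    base="$1"
    out="$2"
    mkdir -p "$out"
    find "$base" -type d -perm 777 > "$out/folders_777_perm_list.txt"
    find "$base" -type f -perm 755 > "$out/files_755_perm_list.txt"
    find "$base" -type f -perm 777 > "$out/files_777_perm_list.txt"
    # Beyond the page: any world-writable file or directory (symlinks are
    # always 777 and would be noise, so they are excluded).
    find "$base" -perm -0002 ! -type l > "$out/world_writable_list.txt"
    for f in folders_777_perm_list files_755_perm_list files_777_perm_list world_writable_list; do
        printf '%s %s\n' "$f" "$(count_of "$f" "$out")"
    done
}

# count_of <listname> <out_dir>: number of entries in one list file.
count_of() {
    wc -l < "$2/$1.txt" | tr -d ' '
}

# make_sample_tree <root>: constructed web root for a stand-alone run
# (made-up files, not a real customer path).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/public_html/uploads" "$root/public_html/cache"
    : > "$root/public_html/index.php"
    : > "$root/public_html/shell.php"
    : > "$root/public_html/config.php"
    chmod 777 "$root/public_html/uploads"     # world-writable directory
    chmod 755 "$root/public_html/cache"
    chmod 755 "$root/public_html/index.php"   # executable file in the web root
    chmod 777 "$root/public_html/shell.php"   # world-writable and executable
    chmod 666 "$root/public_html/config.php"  # world-writable but not 777
}

# Stand-alone demo on a temporary tree.
demo_perm_audit() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp/home/user1"
    perm_audit "$tmp/home" "$tmp/report"
    rm -rf "$tmp"
}
demo_perm_audit
```

On the sample tree the page's three lists hold one entry each, while the world-writable list holds three; the extra one is config.php at 666, which none of the exact-mode checks report.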

Step 12: Rebooting Instructions:

Note:

(i) Reboots should happen at off-peak time for internal servers (at 10:00 pm).

(ii) We need to send a mail notification to the respective client in the morning before 09:30 am; if required, get the client's contact mail ID from the billing team.

(iii) One dev team person should be available at the time of rebooting; they also need to confirm the functionality of the site.

(iv) We also send a completion mail to the client after rebooting.


Steps:

1. Check/take a snapshot of the services before rebooting:

 netstat -nltp           - to get the service list
 netstat -nltp | wc -l   - to check the count

2. After rebooting, verify the service list and service count against the snapshot.

3. If there are any pm2 services, check whether the pm2 list is saved; if not, follow the steps below before rebooting:

(i) pm2 save

(ii) pm2 startup, then run the command that pm2 startup prints

https://wiki.pheonixsolutions.com/index.php/File:Media-image1.png

(iii) Internal servers pm2 list and its path

Portal & HMS - 173.208.157.45 Need to confirm


Taxary - 142.54.163.115

User: root

Path: /var/www/taxary

Command: pm2 start server.js --name server


Iambfab - 142.54.163.118

User: Phoenix

Path: /var/www/bfab_backend/unitedgrooves_be

Command:

pm2 start server.js --name unitedgrooves


Dfinance - 173.208.177.116

User: Phoenix

Path: /var/www/html/dfinance.pheonixsolutions.com_be

Command: cd /var/www/html/dfinance.pheonixsolutions.com_be

pm2 start ./bin/www --name dfinanceapi


Agribreeders - 173.208.177.118

User: Phoenix

Path: /var/www/html/agribreeders_be/

Command:

cd /var/www/html/agribreeders_be/

pm2 start ./bin/www --name agribreeders_be

User: Phoenix

Path: /var/www/html/agribreeders_be/stageapi

Command:

cd /var/www/html/agribreeders_be/stageapi

pm2 start ./bin/www --name stageapi
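Reboot steps 1 and 2 compare a before and after service list, but `netstat -nltp | wc -l` only says whether the count changed, and PIDs differ after a reboot so the raw lists never diff cleanly. The script below is an added example, not part of the wiki page: it normalises netstat output to "proto port program" so the two snapshots can be compared with comm, and names exactly which listener failed to come back. The two netstat samples are constructed (made-up addresses, PIDs and paths, not taken from the servers listed above); snapshot_live is the function to use on a real host.

```shell
#!/bin/sh
# Added example (not from the wiki page): take the pre-reboot service
# snapshot from reboot steps 1 and 2 in a form that can be compared after
# the reboot. Normalising to "proto port program" shows which listener did
# not come back, even though PIDs differ after a reboot.

# normalize_listeners: netstat -nltp output on stdin -> sorted
# "proto port program" lines. Header lines and PIDs are dropped.
normalize_listeners() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # "0.0.0.0:22" or ":::80" -> port
            prog = $7; sub(/^[0-9]+\//, "", prog)    # "1021/sshd" -> "sshd"
            if (prog == "" || prog == "-") prog = "unknown"
            print $1, port, prog
        }' | LC_ALL=C sort -u
}

# snapshot_live <file>: normalised snapshot of the running host
# (needs net-tools; run as root so netstat can resolve program names).
snapshot_live() {
    netstat -nltp 2>/dev/null | normalize_listeners > "$1"
}

# missing_after <before> <after>: listeners present before, absent after.
missing_after() { LC_ALL=C comm -23 "$1" "$2"; }

# new_after <before> <after>: listeners that exist only after the reboot.
new_after() { LC_ALL=C comm -13 "$1" "$2"; }

# Constructed netstat output for a stand-alone run (addresses, PIDs and
# paths are made up, not taken from the servers listed on the page).
BEFORE_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1187/mysqld
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      2044/node /srv/app
tcp6       0      0 :::80                   :::*                    LISTEN      1302/httpd'

AFTER_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      998/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1150/mysqld
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1401/master
tcp6       0      0 :::80                   :::*                    LISTEN      1290/httpd'

# compare_samples <missing|new>: run the two samples through the comparison.
compare_samples() {
    d=$(mktemp -d)
    printf '%s\n' "$BEFORE_SAMPLE" | normalize_listeners > "$d/before.txt"
    printf '%s\n' "$AFTER_SAMPLE" | normalize_listeners > "$d/after.txt"
    case "$1" in
        missing) missing_after "$d/before.txt" "$d/after.txt" ;;
        new)     new_after "$d/before.txt" "$d/after.txt" ;;
    esac
    rm -rf "$d"
}

echo "listeners before: $(printf '%s\n' "$BEFORE_SAMPLE" | normalize_listeners | wc -l | tr -d ' ')"
echo "did not come back:"; compare_samples missing
echo "new after reboot:";  compare_samples new
```

In the sample the count is 4 both before and after, so the page's `wc -l` check alone would pass, yet the node process on port 3000 (the kind of pm2-managed app listed above) did not return and a mail daemon on port 25 appeared in its place. On a live host, run `snapshot_live /root/before.txt` before the reboot and `snapshot_live /root/after.txt` afterwards, then `missing_after /root/before.txt /root/after.txt` lists what to restart.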