- 1 SSH Rootkit Test
- 2 User Error Logs
- 3 Find Install Files and Find PHP.ini Files
- 4 Fix Nobody Files and Fix Root Files
- 5 Fix 777
- 6 Failed SSH Logins
- 7 Bash History
- 8 SSH Logins
- 9 Apache/PHP Security Tester
- 10 Advanced Policy Firewall
- 11 CSF
- 12 Fail2Ban
- 13 RK Hunter
- 14 CHK Rootkit Hunter
- 15 Unhide
- 16 System Integrity Monitor
- 17 Process Resource Monitor
- 18 Linux Socket Monitor
- 19 Network Socket Inode Validation
- 20 Linux Malware Detect
- 21 Wget / Lynx
- 22 TripWire
- 23 Snort
- 24 Lynis
- 25 MySQL Performance (also known as MySQL Tuner)
- 26 List Open Ports
- 27 List Connections
- 28 List User ID's
- 29 On Guard
- 30 Secure Partitions
- 31 Find Shell Scripts
- 32 Find Open Proxies
- 33 Process Checker
SSH Rootkit Test
Tests SSH, OpenSSL and LibKey Utils to see if they have been compromised. These tests do not guarantee your server has not been compromised but will do some quick tests to help determine if binaries have been compromised.
User Error Logs
Find old user error logs that might be taking up way too much space and need to be removed.
Find Install Files and Find PHP.ini Files
Find and remove old leftover install files which can provide an attack vector for hackers as well as users custom php.ini files.
Fix Nobody Files and Fix Root Files
Find and fix folders and files on user accounts that are improperly owned by root or nobody users.
Find and fix folders and files on user accounts that are improperly chmod to 777. Find will create a viewable/downloadable report. Fix will repair the permissions. 644 will be used for files. 755 will be used for folders. Scans will report results of clean if everything is ok and Folders/Files Found if it finds any chmod to 777.
Failed SSH Logins
View list of failed ssh login attempts.
View bash history for root or a specific user.
View SSH Logins, view by last logged in, users, IP's or month.
Apache/PHP Security Tester
Test installed apache and php for security issues. Can only be used via the Remote Control Plugin.
Advanced Policy Firewall
Install, remove, configure and manage Advanced Policy Firewall and Brute Force Detection. Note this feature also has an advanced management area we call APF Central for managing APF and BFD, including editing the config, adding and removing IP's and more.
Install and remove Config Server Firewall and LFD protection. Note we only provide the means to install and remove CSF. Management of CSF is done via configservers on addon that will be visible after you install and refresh your screen. You can find it in the plugins section of the WHM menu where Xtra is also located.
Scans logs and bans IP's that it finds are making to many connections (eg brute force attacks).
RK Hunter is one of the more popular rootkit detectors. This part of Xtra will allow you to install, upgrade, remove and overall manage RK Hunter. This interface will also allow you to run it and view realtime results as well as view the log generated after it finishes running. You may also toggle the cron on and off as well as set the email to send the results to if you wish to receive them via email.
CHK Rootkit Hunter
Similar to RK Hunter but performing slightly different checks. Useful to run with RK Hunter. This interface allows the installation, removal and management of CHK as well as turning the cron on and off and setting the email to send the results to (if you wish). You can also run it from this interface and view the results live.
Performs several types of checks for hidden processes and suspicious processes. Install, remove and view live results with this script.
System Integrity Monitor
SIM is a system and services monitor. It is designed to be intuitive and modular in nature, and to provide a clean and informative status system. Install, remove, update and manage this program via Xtra.
Process Resource Monitor
PRM monitors the process table on a given system and matches process id's with set resource limits in the config file or per-process based rules. Process id's that match or exceed the set limits are logged and killed; includes e-mail alerts, kernel logging routine and more. Install, remove, update and manage this feature in this section.
Linux Socket Monitor
LSM is a bash scripted network socket monitor. It is designed to track changes to Network sockets and Unix domain sockets. LSM identifies changes in both Network Sockets and Unix Domain Sockets. By recording a base set of what sockets should be active then comparing the currently active socket information to that of the base comparison files, we highlight otherwise unknown services.
Network Socket Inode Validation
Network socket inode validation is a rule based utility intended to aid in the validation of inodes against each LISTEN socket on a system. The nature for this app is such that rouge binaries can easily hijack a user, program privileges, or work space; and utilize such to kill the old service & execute a new service on the known port they crashed. The best known examples of this trend is ÃƒÂ¢Ã‚Â€Ã‚Â˜tmpÃƒÂ¢Ã‚Â€Ã‚Â™ path uploaded content via php remote include exploits; which is executed, crashes the web server and starts a rouge httpd process and other such items. The execution cycle of NSIV is very simple, first it determines the running process ID of your binary followed by the trusted inode (that which is associated to the BIN variable). Then, the PORT value is used to check that the binary holding said port open actually references back to the trusted inode, if it does not then we assume the service has been hijacked and the PID is killed / RST executed with optional e-mail alert dispatched.
Linux Malware Detect
Linux Malware Detect is a malware scanner for Linux that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection.
Wget / Lynx
Used for updating software and cpanel (and Xtra) WGET and Lynx can also be used by hackers to get exploits onto your server. For security we suggest using this feature to disable them until you need them to upgrade something.
Open Source Tripwire software is a security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems.
Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Takes about 5 minutes to install.
Note: Requires some manual work to complete the install, if you aren't familiar with it already don't mess with it. This version not for 64 bit systems.
Lynis is an auditing tool for Unix. It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.
MySQL Performance (also known as MySQL Tuner)
Reports various data on how MySQL is performing on your server and suggests possible ways to improve it. Original script by Major Hayden.
List Open Ports
This little script will show you which ports on your server and are currently actively listening for traffic. Useful to check and see if a hacker may have opened a port that you want closed.
Shows current and recent connections to the server along with the full status of apache.
List User ID's
Lists the ID's of all system users.
On Guard is a script designed by us to monitor files in /tmp, /var/tmp and /dev/shm for malicious files and exploits uploaded to your server by hackers. Once activated the script will monitor these directories and email you if it detects a possibly malicious file so you can check it out before a hacker does any serious damage. Use the interface to install, configure and manage the script as well as the cron job.
Secure and set proper permissions on /tmp, /var/tmp and /dev/shm.
Find Shell Scripts
This will search for cgi and php scripts containing shell commands most often used by hackers. Default search checks /home and /home2. If you just want to check a specific user account or a different directory you can use the custom search option.
Find Open Proxies
This script checks your server for open proxy servers. Note there is nothing to run, it quickly checks whenever you visit the page.
Scans all running processes for suspicious ones and kills any it finds. Nothing to run, scan and results come up right away (yes it's real time scanning).