Shell Commands for Security

Last week I did an article on increasing your WordPress security. This week I want to go over some useful shell commands that show you what is going wrong with your security and how to fix it. Most of them are built around the find command.

Even though these are all pretty much the same find command with a few things changed, they should still be helpful. I like having them all here with the ability to copy-paste everything too – being lazy FTW! You can either use them or just check out the techniques to come up with your own commands – either way you will hopefully learn something new.

BEWARE! I don’t take any responsibility for you messing up your server. Think carefully before executing any of the commands below – especially those that actually change file permissions or ownership. Look over everything extremely carefully and make sure the command you are executing will work on your server in your case.

CAREFULLY READ OVER EVERY COMMAND BEFORE EXECUTING!

All the scripts below use the path /path/to/wordpress/installs/. This is the path to all your WordPress installs should you have more than one on your server. All the scripts assume that you manage more than one site on your server.

Also note that some of the scripts contain the path /httpdocs. This folder might not exist at all on your server, so be sure to check how your WordPress installations are laid out on your server.

Find All 777 Directories

The following shell script will give you a list of all directories (including subdirectories) that have 777 file permissions. If you read my previous article on security then you know that you should go about changing these so hopefully this list will help.

If you want to output the list of directories to a file then you can use the following addition:

Change Permissions on All 777 Directories

This command uses the technique of chaining a find command with an exec to execute a chmod on the results of the find. You can use this to do a lot of things and I would highly recommend getting familiar with this technique. I find it extremely useful all the time, so try it out and practice it as much as you can – you’ll be happy to have it in your bag of tricks.

Be Careful Using this Command! Think about what you're doing!
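An added example (not the author's original commands) covering the two sections above: listing mode-777 directories, saving the list to a file, and chaining find with -exec chmod. The WP_ROOT variable, the APPLY switch and the 755 target mode are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and repair mode-777 directories.
# WP_ROOT is an assumed variable; the article's placeholder path is its default.
WP_ROOT="${WP_ROOT:-/path/to/wordpress/installs}"

# List every directory (subdirectories included) whose mode is exactly 777.
# -perm 0777 is an exact match, so 0775 or 1777 (sticky bit set) are not listed.
list_777_dirs() {
    find "${1:-$WP_ROOT}" -type d -perm 0777 -print
}

# Write the same list to a file for review and print how many entries it has.
report_777_dirs() {
    list_777_dirs "$1" | sort > "$2"
    wc -l < "$2" | tr -d ' '
}

# Chain find with -exec to chmod every match to 755 (assumed target mode).
# Nothing is changed unless APPLY=1 is set; otherwise the chmod calls are
# only printed so the list can be checked first.
fix_777_dirs() {
    if [ "${APPLY:-0}" = "1" ]; then
        find "${1:-$WP_ROOT}" -type d -perm 0777 -exec chmod 755 {} +
    else
        find "${1:-$WP_ROOT}" -type d -perm 0777 -exec echo chmod 755 {} \;
    fi
}
```

Run `fix_777_dirs` once without APPLY to read the planned changes, then `APPLY=1 fix_777_dirs` to make them.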

Find All Upload Folders Without Apache Ownership

The following script will allow you to find all the upload folders (it will also give subfolders) where the ownership is not apache. Note that if your server requires a different owner then change the apache portion of this script.

You may also notice that this script finds the folders where apache is neither the owner nor the group. If you want just one or the other, take out the portion that says ! -user apache (for the user) or ! -group apache (for the group).

Change All Upload Folders Without Apache Ownership to Apache Ownership

This command uses the same technique that we used when changing all permissions on 777 directories. We use the same command when finding all folders without apache ownership and then simply execute a recursive chown command.

Be Careful Using this Command! Think about what you're doing!
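An added example (not the author's original commands) of the ownership search and the recursive chown described in the two sections above. The WP_ROOT, WEB_USER and WEB_GROUP variables, the APPLY switch and the wp-content/uploads path pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: find upload folders not owned by the web-server account.
WP_ROOT="${WP_ROOT:-/path/to/wordpress/installs}"   # article's placeholder path
WEB_USER="${WEB_USER:-apache}"     # change if your server needs another owner
WEB_GROUP="${WEB_GROUP:-apache}"

# Matches wp-content/uploads and every directory beneath it where the web user
# is neither the owner nor the group. Remove "! -user" or "! -group" to test
# only one of the two. Numeric IDs are accepted in place of names.
list_foreign_uploads() {
    find "${1:-$WP_ROOT}" -type d \
        \( -path '*/wp-content/uploads' -o -path '*/wp-content/uploads/*' \) \
        ! -user "${2:-$WEB_USER}" ! -group "${3:-$WEB_GROUP}" -print
}

# Same search chained to a recursive chown. -prune stops find from descending
# into a folder that chown -R has already been given. Changing ownership needs
# root; the commands are only printed unless APPLY=1 is set.
fix_foreign_uploads() {
    run=echo
    if [ "${APPLY:-0}" = "1" ]; then run=; fi
    find "${1:-$WP_ROOT}" -type d \
        \( -path '*/wp-content/uploads' -o -path '*/wp-content/uploads/*' \) \
        ! -user "${2:-$WEB_USER}" ! -group "${3:-$WEB_GROUP}" \
        -exec $run chown -R "${2:-$WEB_USER}:${3:-$WEB_GROUP}" {} \; -prune
}
```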

Find All .htaccess Files Without 644 Permissions

For those of you who don’t know, your .htaccess file should have 644 permissions. This script will find all the .htaccess files that don’t have this permission set.

Change All .htaccess Files Without 644 Permissions

This command uses the same technique that we used when changing all permissions on 777 directories but instead of directories we just do it with a file. We use the same command when finding all .htaccess without 644 permissions and then simply execute a chmod command on all of them.

Be Careful Using this Command! Think about what you're doing!
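An added example (not the author's original commands) of the .htaccess search and fix described in the two sections above. The WP_ROOT variable is an assumption, and list_htaccess_writable goes beyond the article by isolating the files that the group or other users can write to.

```shell
#!/bin/sh
# Added example: audit .htaccess permissions under the WordPress installs.
WP_ROOT="${WP_ROOT:-/path/to/wordpress/installs}"   # article's placeholder path

# Every regular .htaccess file whose mode is not exactly 644. The negated
# exact match flags files that are too open (666) and too closed (600) alike.
list_htaccess_not_644() {
    find "${1:-$WP_ROOT}" -type f -name .htaccess ! -perm 0644 -print
}

# Narrower check, not from the article: only the files that the group or
# other users can write to. "-perm -020" means "at least this bit is set".
list_htaccess_writable() {
    find "${1:-$WP_ROOT}" -type f -name .htaccess \
        \( -perm -020 -o -perm -002 \) -print
}

# Chain the first search to chmod. Each path is printed after its chmod
# succeeds, which leaves a record of exactly which files were changed.
fix_htaccess() {
    find "${1:-$WP_ROOT}" -type f -name .htaccess ! -perm 0644 \
        -exec chmod 644 {} \; -print
}
```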

Check for Brute Force

The following example will show you how to check who is trying to brute force into your website. Please note that these scripts again assume that your access_logs are located in the same location as on my server once you are in the path to all your WordPress installs. The first script below will display all the IP addresses that are accessing your server and how many times in the last day they have accessed your site (assuming your access_logs only keep one day’s worth of info). This is sorted so that the IP address at the bottom of the output will be the one that has accessed your server the most.

Next you’ll want to perform the following command on any IP addresses that have pinged your server an inordinate number of times. Once you run this command it will show what the exact request from the IP address was – so if you see a bunch of POST requests to the wp-login.php page then that person is definitely trying to brute force you.

From there you can use the All In One WP Security & Firewall plugin to blacklist the IP address if it hasn’t been blacklisted automatically by the plugin already. Note that I use an obviously fake IP address but you’ll want to replace that with the ones you find from the first command.
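An added example (not the author's original commands) of the two log checks described above, assuming an Apache access log in common or combined format that is passed as an argument. The sample log lines are constructed, the IP addresses are documentation-range placeholders, and login_posts_per_ip goes one step beyond the article.

```shell
#!/bin/sh
# Added example: spot wp-login.php brute forcing in an Apache access log.
# Assumes common/combined log format, where field 1 is the client IP.

# Constructed sample log (documentation-range IPs) for trying the functions.
sample_log() {
cat <<'EOF'
198.51.100.20 - - [10/Mar/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3401
203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3401
203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3401
198.51.100.20 - - [10/Mar/2024:09:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2950
203.0.113.70 - - [10/Mar/2024:09:02:00 +0000] "GET /feed/ HTTP/1.1" 200 880
EOF
}

# Requests per IP, sorted ascending so the busiest address is the last line.
hits_per_ip() {
    awk '{ print $1 }' "$@" | sort | uniq -c | sort -n
}

# Every request from one IP. An exact match on field 1 is used instead of a
# plain grep, which would also return 203.0.113.70 when asked for 203.0.113.7.
requests_from() {
    ip=$1
    shift
    awk -v ip="$ip" '$1 == ip' "$@"
}

# Not from the article: count only POST requests to wp-login.php per IP.
login_posts_per_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$@" | sort -n
}
```

Try it with `sample_log > /tmp/access_log.sample` and pass that file to each function before pointing them at a real log.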


As always thank you for reading and please share it around as much as you can! Please feel free to put any suggestions or ideas for future tutorials in the comments section below. Include any awesome shell scripts or commands you use on your own WordPress server!