1)Never work with root accout.You can create an admin account.
useradd & passwd vpsadmin
add some basic permissions to the account. By adding the user to the wheel group we are giving it some administrative rights.
usermod -a -G wheel vpsadmin
2)SSH security
vim /etc/ssh/sshd_config
Port 12345
PermitRootLogin no
/etc/init.d/sshd restart
3)Install firewall (APF)
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvf apf-current.tar.gz
cd apf-current.tar.gz
./install.sh
vim /etc/apf/conf.ap
First look for the line that says
DEVEL_MODE=”1″
Leaving this option as “1″ will disable your firewall after 5 minutes, so make sure to change it to “0″.
So replace 1 eith 0 and it look like this:-
DEVEL_MODE=”0″
Next, take a look at the allowed inbound ports. You should see something like
IG_TCP_CPORTS=”22,80,443″
Notice that port 22, the default SSH port is open. We want to change this to the port we gave SSH earlier. You can leave port 80 (HTTP) and 443 (HTTPS) open if you plan on running a website.
If you want to open any port, you have to give an entry in to the above place.
By default, APF will not filter outbound traffic but if would like to change that look for the following line
EGF=”0″
And change this value to “1″. On the line directly below it you should see the allowed outbound ports
EG_TCP_CPORTS=”21,25,80,443″
Change these if you have enabled outbound filtering and save the firewall config. Now we should add the firewall to start when we reboot our VPS and enable it
chkconfig --add apf
chkconfig --level 345 apf on
/etc/init.d/apf start
4)SECURING CPANEL AND WHM
These are items inside of WHM/Cpanel that should be changed to secure your server.
Goto Server Setup =>> Tweak Settings
Check the following items...
Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(SET TO FAIL)
Under System
Use jailshell as the default shell for all new accounts and modified accounts
Goto Security =>> Security Center
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.
Goto Security =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.
Goto Security =>> Security Center =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.
Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users
Goto Mysql =>> MySQL Root Password
Change root password for MySQL (Use a very hard, random password that is not used elsewhere as the chances of actually using it are probably slim and actually using it for databases is a security risk.)
Goto Security and run Quick Security Scan and Scan for Trojan Horses often.
6)INSTALLING CSF
wget http://www.configserver.com/free/csf.tgz
tar -zxf csf.tar.gz
sh /csf/install.sh
If you want to remove apf or any other firewall,
sh /etc/csf/remove_apf_bfd.sh
For starting firewall---
csf -s
restart the firewall---
csf -r
flush the rules or stop the firewall.
csf -f
If you are running a VPS plan,
Open the /etc/csf/csf.conf and look for a line MONOLITHIC_KERNEL = "0" and change to
MONOLITHIC_KERNEL = "1"
Config Files
/etc/csf/csf.conf => CSF Firewall configuration file
/etc/csf/csf.allow => Config file to allow IPs
/etc/csf/csf.deny => Config file to deny IPs
/etc/csf/ => Alert files with TXT extension are stored within this directory
Harden the firewall security by performing the system security check. To do this go to Cpanel WHM > CSF Firewall & Security > Check System Security. There it will list WARNINGS based on your server.
-bash-3.2# chkconfig --add csf
-bash-3.2# chkconfig --level 345 csf on
-bash-3.2# chkconfig --list | grep csf
csf 0:off 1:off 2:on 3:on 4:on 5:on 6:off
-bash-3.2#
Remove the CSF Firewall
sh /etc/csf/uninstall.sh
7)Install a root breach DETECTOR and EMAIL WARNING
vim .bash_profile
add the following line..
echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourdomain.com
Set an SSH Legal Message
----------------------------
To an SSH legal message, SSH into server and login as root.
At command prompt type:
vim /etc/motd
Enter your message, save and exit.
Note: I use the following message…
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
=========================================
9)) Securing /tmp
first check whether /tmp is exist or not using df -h
Finally, if you don’t have the ability to create a fresh /tmp partition on existing drives, you can use the loopback capabilities of the Linux kernel by creating a loopback filesystem that will be mounted as /tmp and can use the same restrictive mount options. To create a 1GB loopback filesystem, execute:
# dd if=/dev/zero of=/.tmpfs bs=1024 count=1000000
# mke2fs -j /.tmpfs
# cp -av /tmp /tmp.old
# mount -o loop,noexec,nosuid,rw /.tmpfs /tmp
# chmod 1777 /tmp
# mv -f /tmp.old/* /tmp/
# rmdir /tmp.old
Once this is complete, edit /etc/fstab to have the loopback filesystem mounted automatically at boot:
/.tmpfs /tmp ext3 loop,nosuid,noexec,rw 0 0
Little things like ensuring proper permissions and using restrictive mount options will prevent a lot of harm coming to the system. If a bot lands on a filesystem that is unable to execute, that bot is essentially worthless
10)securing /etc/sysctl.conf
------------------------------
vim /etc/sysctl.conf
1)If you're not forwarding traffic between interfaces or if you have only a single interface, its usually a good idea to disable forwarding:
/proc/sys/net/ipv4/ip_forward 0
2)rp_filter can reject incoming packets if their source does not match the networks interface from which they are arriving from. This is a good way to prevent IP spoofing (usually not a good idea if you have several IP addresses on different interfaces or if a single interface has multiple IP addys).
/proc/sys/net/ipv4/conf/all/rp_filter 1
3)Enable TCP SYN Cookie Protection
A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.
To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.tcp_syncookies = 1
4)Disable IP Source Routing
Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.
To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_source_route = 0
5)Disable ICMP Redirect Acceptance
ICMP redirects are used by routers
to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the hosts's routing table by causing traffic to use a path you didn't intend.
To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.accept_redirects = 0
6)Enable IP Spoofing Protection
IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.
To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.rp_filter = 1
7)Enable Ignoring Broadcasts Request
If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_echo_ignore_broadcasts = 1
8)Enable Bad Error Message Protection
To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.icmp_ignore_bogus_error_responses = 1
9)Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets
To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:
net.ipv4.conf.all.log_martians = 1
-----------------------------------------------------------------------
11)Securing /dev/shm
Rename it and create a symbolic link to /tmp:
mv /var/tmp /var/tmp1
ln -s /tmp /var/tmp
vim /etc/fstab
change:
"none /dev/shm tmpfs defaults,rw 0 0" to
"none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0"
mount -a
-----------------------------------------------------------
12) Harden host.conf
Log into each server as root.
Edit the /etc/host.conf file.
Ensure this file has the following settings:
# Lookup names via DNS first then fall back to etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
spoofalert on
Save the file.
for details see :--------
http://www.faqs.org/docs/securing/chap5sec39.html
--------------------------
13) Installing rootkit
RKHunter - (RootKit Hunter) Is a security scanning tool which will scan for rootkits, backdoors, and local exploits. RKHunter will ensure you about 99.9% that your dedicated web server is secure.
1. Login to your server via SSH as root.
Then Type: cd /usr/local/src/
2. Download RKHunter Version 1.1.4
Type: wget http://optusnet.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.0.tar.gz
3. Extract files
Type: tar -xzvf rkhunter-1.3.0.tar.gz
4. Type: cd rkhunter-1.3.0.tar.gz
5. Type: ./installer.sh --help
The default should do
./installer.sh --layout /usr/local --install
vi /etc/cron.daily/rkhunter.sh
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan
Report" email@domain.com)
chmod 700 /etc/cron.daily/rkhunter.sh
rkhunter --update
14)apache OPtimizing
change Timeout 300 to
Timeout 45
# change KeepAlive Off to
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
# -- change MaxKeepAliveRequests 100 to 500
MaxKeepAliveRequests 500
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
# change KeepAliveTimeout 15 to
KeepAliveTimeout 5
# Increase MaxClients after benchmarking. mine is
MaxClients 200
# Turn off ServerSignature
ServerSignature Off
#ServerTokens Product
ServerTokens ProductOnly
More Details
http://www.mysql-apache-php.com/basic-linux-security.htm
15)APF in lxadmin
This may help, I have modified a tutorial for apf so it will work for LXAdmin. If you see any changes that need to be made let me know.
Important: Be sure Iptables were enabled when the VM was created (openvz)
1. cd /root/downloads or another temporary folder where you store your files.
2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3. tar -xvzf apf-current.tar.gz
4. cd apf-0.9.6-2/ or whatever the latest version is.
5. Run the install file: ./install.sh
You will receive a message saying it has been installed
Installing APF 0.9.6-2: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
Other Details:
Listening TCP ports: 1,21,22,25,53,80,110,111,143,443,465,993,995,7776,7777,7778, 7779,3306
Listening UDP ports: 53,55880
Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.
6. Lets configure the firewall: pico /etc/apf/conf.apf (or nano /etc/apf/conf.apf)
We will go over the general configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
We like to use DShield.org's "block" list of top networks that have exhibited
suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"
Find the following lines:
IFACE_IN="eth0"
IFACE_OUT="eth0"
and change them to
IFACE_IN="venet0"
IFACE_OUT="venet0"
7. Configuring Firewall Ports:
LxAdmin Servers
We like to use the following on our Cpanel Servers
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,7777,7778,7779,3000_3500 "
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,7777,7778,7779"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Save the changes: Ctrl+X then Y
8. Starting the firewall
/usr/local/sbin/apf -s
Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
9. After everything is fine, change the DEV option
Stop the firewall from automatically clearing itself every 5 minutes from cron.
We recommend changing this back to "0" after you've had a chance to ensure everything is working well and tested the server out.
pico /etc/apf/conf.apf
FIND: DEVM="1"
CHANGE TO: DEVM="0"
10. Configure AntiDOS for APF
Relatively new to APF is the new AntiDOS feature which can be found in: /etc/apf/ad
The log file will be located at /var/log/apfados_log so you might want to make note of it and watch it!
pico /etc/apf/ad/conf.antidos
There are various things you might want to fiddle with but I'll get the ones that will alert you by email.
# [E-Mail Alerts]
Under this heading we have the following:
# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company information name or server name..
# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts
No comments:
Post a Comment