(RedHat Linux + Cpanel)
Finally. You got the dedicated server you always wanted. Now you’re a real webhost. No more reseller accounts. Yeah …. . BUT – now all the responsibility in keeping that server up and running is up on your shoulders. The very first things after getting your server is to make it secure.
But how do you do that? If you are an experienced Linux system admin this will be a piece of cake. But if you are just Joe Average and know only a little Linux this can be quite a challenging task. You can buy a book and read up on it but that takes time. You can hire a Linux System Administrator but that is not cheap and you do not know if you can trust somebody that you don’t know. Two companies that got recommended to us are
http://www.rackaid.com and http://www.easyservermanagement.com
(if you would like to advertise your services here – please contact us).
However- we have not used these companies for our needs. They seem to be reliable from user feedback on several web hosting related forums. Please do proper research before hiring anyone.
Anyway – if you have at least a little Linux knowledge and are good in coming up to speed on new things fairly quick – here’s a quickstart guide of how to secure your own server. The good thing is – this will give you a good level of security to start with. Don’t stop after you are done with the steps provided here. Security is an ongoing process and this guide is just opening the tool box for you.
Legal Advisory: Please be aware that we provide the information below with no guarantees. If you feel not confident to really do these steps – hire somebody. We cannot be held liable for problems arising when using the steps below. We tried to research these things as thorough as possible but everyone can make a mistake ….
1) Get Putty as your SSH client. Don’t use telnet – it’s not secure. Putty.exe is vital in running and managing a dedicated server.
2) Get a good understanding of the most basic linux commands. Without the knowledge about these basic commands you will have a hard time getting stuff done:&&” at the end.
How to bring a program back from the background?
Type: fg
How to know what your CPU information is?
Type: cat /proc/cpuinfo
How to know what your memory information is?
Type: cat /proc/meminfo
How to find out information about your hard drives?
Type: fdisk -l
3) Install a Firewall. This is a guide to instal APF (Advanced Policy Firewall –http://www.rfxnetworks.com/apf.php).
APF Site Description of the software:
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux.
Summary of features:
– global port configurtion via simple config file
– configurable policies for each ip on the system [global config overrides]
– powerfull postrouting rules for FWMARK and TOS
– plug-in friendly for QoS [CBQ/HTB]
– antidos subsystem to stop DOS attacks before they become a significant threat
– dshield.org block list support to ban networks exhibiting suspicious activity
– advanced set of sysctl parameters for TCP stack hardening
– advanced set of filter rules to remove undesired traffic
– easy to use firewall managment script
– trust based rule files (allow/deny); with advanced syntax support
Make /usr/src the current working directory.
cd /usr/src
Obtain the most curent verison of APF.
Run the following commands to install APF:
cd /usr/src
rm -rf apf*
wget http://www.r-fx.ca/downloads/apf-current.tar.gz
tar -zxvf apf-current.tar.gz
cd apf-*
./install.sh
perl -p -i -e ‘s/eth0/venet0/g’ /etc/apf/conf.apf
perl -p -i -e ‘s/eth0/venet0/g’ /etc/apf/ad/antidos
perl -p -i -e ‘s/DEVEL_MODE=”1″/DEVEL_MODE=”0″/g’ /etc/apf/conf.apf
perl -p -i -e ‘s/SET_MONOKERN=”0″/SET_MONOKERN=”1″/g’ /etc/apf/conf.apf
perl -p -i -e ‘s/USE_AD=”0″/USE_AD=”1″/g’ /etc/apf/conf.apf
/etc/init.d/apf restart
Make sure the following ports are open (you can usually ignore the egress ports unless you want egress filtering):
Cpanel
IG_TCP_CPORTS=” 20,21,22,25,26,53,80,110,143,443,465,993,995,2082, 2083,2086,2087,2095,2096,61001_65535″
EG_TCP_CPORTS=” 21,22,25,26,27,37,43,53,80,110,113,443,465,873,208 9″
Plesk
IG_TCP_CPORTS=” 20,21,22,25,26,53,80,110,143,443,465,993,995,3389, 8443,8880,30000,61001_65535″
EG_TCP_CPORTS=” 21,22,25,26,27,37,43,53,80,110,113,443,465,873,338 9,8443,8880,30000″
DA
IG_TCP_CPORTS=” 20,21,22,25,26,53,80,110,143,443,465,993,995,2222, 61001_65535″
EG_TCP_CPORTS=” 21,22,25,26,27,37,43,53,80,110,113,443,465,873,222 2″
You will receive a message saying it has been installed .:
APF installed Install path: /etc/apf Config path: /etc/apf/conf.apf Executable path: /usr/local/sbin/apf
Make /etc/apf the current working directory.
cd /etc/apf
Edit the conf.apf file as desired.
pico -w conf.apf
This isn’t a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
In order for this firewall to work properly you have to edit/add/delete ports.
These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
If you have changed any ports, please modify them below and add/remove as needed.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS=”20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,
2087,2095,2096,3306,9999,10000,3000_3500″
please note that ports 2082 to port 2095 is mostly used by cpanel, WHM, and port 19638 is only use in
ensim. Port 9999 might be used for Urchin.
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS=”20,21,53,1040″
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS=”21,25,80,443,43,2089″
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS=”20,21,53″
Turn on DShield.org’s “block” list of top networks that have exhibited
FIND: USE_DS=”0″ //(0=disabled)
CHANGE TO: USE_DS=”1″
After you have finished editing the port list and turned on DShield save the file and test APF.
Save the changes: Ctrl+X then Y to save enter to confirm
Starting the firewall
/usr/local/sbin/apf -s
or
service apf start
If APF is functioning properly and you are not locked out edit the conf.apf again
pico -w conf.apf
Set the DEVM parameter to 0
DEVM=”0″
Once done Exit and save the file.
Save the changes: Ctrl+X then Y to save enter to confirm
Restart APF
service apf restart
Enabling connections for server monitoring.
Some service providers that offer monitoring need access to your server, and access without setting off alarms, firewalls etc. is a good thing. Just becareful which IP(s) you put in here.
To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
At the very end of the file add this line
xx.xx.xx.xx/24
Of course replace the xx.xx.xx.xx with the IP address provided to you by your data center.
Make APF Start automatically at boot time
To autostart apf on reboot, run this:
chkconfig –level 2345 apf on
To remove it from the autostart function, run this command:
chkconfig –del apf
4) Install Brute Force Detection, from the makers of APF. What is BFD (Brute Force Detection)?
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at:http://www.rfxnetworks.com/bfd.php
Requirements before installing BFD:
– You MUST have APF Firewall Installed before installig BFD – it works with APF and requires some of APF files to properly operate.
– You need to have Root SSH access to your server
Login to your server through SSH and “su” to the root user.
1. cd /root/downloads or to another temporary folder where you want to store your download files.
2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
3. tar -xvzf bfd-current.tar.gz
4. cd bfd-0.5
5. Run the install file: ./install.sh
You will receive a message saying it has been installed
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
6. Lets edit the configuration file: pico /usr/local/bfd/conf.bfd
7. Enable brute force hack attempt alerts:
Find: ALERT_USR=”0″ CHANGE TO: ALERT_USR=”1″
Find: EMAIL_USR=”root” CHANGE TO: EMAIL_USR=”you@exampledomain.com”
Save the changes: Ctrl+X then Y
8. Prevent locking yourself out!
pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs (if you have static IP’s)
Eg: 10.0.1.1
Save the changes: Ctrl+X then Y
BFD uses the APF’ cli insert feature
and as such will override any allow_hosts.rules entries users have in-place.
So be sure to add your trusted ip addresses to the ignore file to prevent
locking yourself out.
9. Run the program!
/usr/local/sbin/bfd -s
5) Disable Direct Root Login.
This will force you to login as another user in (in cpanel the user must be in the wheel group), and then su to root. This helps to protect the server from ‘wanna-be’ hackers.
If you’re using cPanel make sure you add a new user to the ‘wheel’ group so that you will be able to ‘su -’ to root, otherwise you may lock yourself out of root.
Set up anotheruser if you haven’t already got one:
1. Type: groupadd newuser
2. Type: useradd newuserr -gnewuser
3. Type: passwd newuser passwordhere
On a CPanel system, you must add the new user to the wheel group via WHM “Manage Wheel Group Users”.
After you have done this, you will have to login as newuser and then you will do ‘su – root’ to get to root.
Now copy and paste the following line to edit the necessary file for SSH logins
pico -w /etc/ssh/sshd_config
You should now be in the actual file – find the line
Protocol 2, 1
Uncomment this line and change it to look like this:
Protocol 2
As the next step find the line
PermitRootLogin yes
Uncomment that line and make it look like
PermitRootLogin no
Save and exit the file with Ctrl+X and then Y then enter
Now restart SSH
/etc/rc.d/init.d/sshd restart
From now on nobody will be able to login directly as root. To gain root access you will need to login as a different user and then switch to root.
6) Disable Telnet Access. Telnet is not secure, and your password is sent in plain text, so don’t use it! Disable it now and forever and use SSH isntead.
1. Login to your server through SSH and su to root.
2. Type pico /etc/xinetd.d/telnet
3. Look for the line: disable = no and replace with disable = yes
4. Now restart the inetd service: /etc/rc.d/init.d/xinetd restart
5. Also – Turn it off through chkconfig as well because it can still start through hat.
/sbin/chkconfig telnet off
7) Force SSH Protocol 2.
Force SSH Protocol 2
pico -w /etc/ssh/sshd_config
Find the line ‘#Protocol 2, 1′ and uncomment it and change it to look like ‘Protocol 2′
8) Disable cPanel Demo Mode
Disable cPanel Demo Mode
9) Disable normal user Shell Access
You can disable shell access for all your hosting clients from WHM. It’s a good habit to disable it by default. Nowadays shell access is not really needed by hosting clients. You can still enable it on a single base if really needed.
10) Enable SUEXEC
Enable SuExec from WHM. Quick and easy.
11) Receive an e-mail when someone logs in as root.
It can be very useful to know when/if somebody logs in as root to your server. This helps you to keep track of authorized and valid logins and to alarm you in cases it is not authorized. It is recommended to use an off-site email address for this in case an attacker will gain access to your email account on the server after login in.
1. Login to your server and (as always) su to root.
2. cd /root
3. pico .bashrc
4. Scroll down to the end of the file and then add the following:
echo ‘ALERT – Root Shell Access (YourserverName) on:’ `date` `who` | mail -s “Alert: Root Access from `who | cut -d”(” -f2 | cut -d”)” -f1`” you@yourexternaldomain.com
Replace YourServerName with the handle for your actual server
Replace you@yourexternaldomain.com with your actual email address at an off-site email account.
5. Ctrl + X then Y to save and close the file
Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert within few minutes after login in.
Please keep in mind – This will not magically alert you when a hacker runs the latest kernel exploit on your server and logs into SSH because they will create their own SSH/telnet connection – something you won’t even know about until it is too late. Keep your system up to date and follow common security practice.
12) Set a MySQL Root Password
This can be done in WHM – either during the server setup or manually. Make it a different password as compared to your root password.
13) Show a legal message for Shell access
Even if it does not actively protects your machine – for legal purposes and prosecution it might be useful to display a legal message for anyone who logs on to your server via Shell. Example of such a message:
This computer system is for authorized users only. All activity is logged and regulary checked by systems personal. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked and will be prosecuted. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement. Anyone using this system consents to these terms.
How to set up this kind of a message on your system? Logon to your system from the Shell. SU to root and type the following:
pico -w /etc/motd
Type your message and hit ctrl + x and Y to save the message. Logoff from the system and log back on again to see the results.
14) Stay secure
Sign up to the free email alerts at http://secunia.com/ – you will receive security alerts for all different kind of software and operating systems. You will not need all of these in most case but at least you won’t miss any major security issue published.
Run A Root Kit Checker on a regular base.
You can get a root kit checker from http://www.chkrootkit.org as free software. Rkhunter is another root kit checking tool available free of charge. http://www.rootkit.nl/ Run it against your system once or twice a month.
http://www.webhostingresourcekit.com/109.html