How to Secure your Dedicated Server

(RedHat Linux + Cpanel)

 

Finally. You got the dedicated server you always wanted. Now you’re a real webhost. No more reseller accounts. Yeah …. ;-) . BUT – now all the responsibility in keeping that server up and running is up on your shoulders. The very first things after getting your server is to make it secure.

 

But how do you do that? If you are an experienced Linux system admin this will be a piece of cake. But if you are just Joe Average and know only a little Linux this can be quite a challenging task. You can buy a book and read up on it but that takes time. You can hire a Linux System Administrator but that is not cheap and you do not know if you can trust somebody that you don’t know. Two companies that got recommended to us are

 

http://www.rackaid.com and http://www.easyservermanagement.com

(if you would like to advertise your services here – please contact us).

 

However- we have not used these companies for our needs. They seem to be reliable from user feedback on several web hosting related forums. Please do proper research before hiring anyone.

 

Anyway – if you have at least a little Linux knowledge and are good in coming up to speed on new things fairly quick – here’s a quickstart guide of how to secure your own server. The good thing is – this will give you a good level of security to start with. Don’t stop after you are done with the steps provided here. Security is an ongoing process and this guide is just opening the tool box for you.

 

Legal Advisory: Please be aware that we provide the information below with no guarantees. If you feel not confident to really do these steps – hire somebody. We cannot be held liable for problems arising when using the steps below. We tried to research these things as thorough as possible but everyone can make a mistake ….

 

1) Get Putty as your SSH client. Don’t use telnet – it’s not secure. Putty.exe is vital in running and managing a dedicated server.

 

2) Get a good understanding of the most basic linux commands. Without the knowledge about these basic commands you will have a hard time getting stuff done:&&” at the end.

 

How to bring a program back from the background?

Type: fg

 

How to know what your CPU information is?

Type: cat /proc/cpuinfo

 

How to know what your memory information is?

Type: cat /proc/meminfo

 

How to find out information about your hard drives?

Type: fdisk -l

 

3) Install a Firewall. This is a guide to instal APF (Advanced Policy Firewall –http://www.rfxnetworks.com/apf.php).

APF Site Description of the software:

APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux.

 

Summary of features:

– global port configurtion via simple config file

– configurable policies for each ip on the system [global config overrides]

– powerfull postrouting rules for FWMARK and TOS

– plug-in friendly for QoS [CBQ/HTB]

– antidos subsystem to stop DOS attacks before they become a significant threat

– dshield.org block list support to ban networks exhibiting suspicious activity

– advanced set of sysctl parameters for TCP stack hardening

– advanced set of filter rules to remove undesired traffic

– easy to use firewall managment script

– trust based rule files (allow/deny); with advanced syntax support

 

Make /usr/src the current working directory.

cd /usr/src

 

Obtain the most curent verison of APF.

Run the following commands to install APF:



cd /usr/src

rm -rf apf*

wget http://www.r-fx.ca/downloads/apf-current.tar.gz

tar -zxvf apf-current.tar.gz

cd apf-*

./install.sh

perl -p -i -e ‘s/eth0/venet0/g’ /etc/apf/conf.apf

perl -p -i -e ‘s/eth0/venet0/g’ /etc/apf/ad/antidos

perl -p -i -e ‘s/DEVEL_MODE=»1″/DEVEL_MODE=»0″/g’ /etc/apf/conf.apf

perl -p -i -e ‘s/SET_MONOKERN=»0″/SET_MONOKERN=»1″/g’ /etc/apf/conf.apf

perl -p -i -e ‘s/USE_AD=»0″/USE_AD=»1″/g’ /etc/apf/conf.apf

/etc/init.d/apf restart



Make sure the following ports are open (you can usually ignore the egress ports unless you want egress filtering):



Cpanel

IG_TCP_CPORTS=» 20,21,22,25,26,53,80,110,143,443,465,993,995,2082, 2083,2086,2087,2095,2096,61001_65535″

EG_TCP_CPORTS=» 21,22,25,26,27,37,43,53,80,110,113,443,465,873,208 9″



Plesk

IG_TCP_CPORTS=» 20,21,22,25,26,53,80,110,143,443,465,993,995,3389, 8443,8880,30000,61001_65535″

EG_TCP_CPORTS=» 21,22,25,26,27,37,43,53,80,110,113,443,465,873,338 9,8443,8880,30000″



DA

IG_TCP_CPORTS=» 20,21,22,25,26,53,80,110,143,443,465,993,995,2222, 61001_65535″

EG_TCP_CPORTS=» 21,22,25,26,27,37,43,53,80,110,113,443,465,873,222 2″

You will receive a message saying it has been installed .:

APF installed Install path: /etc/apf Config path: /etc/apf/conf.apf Executable path: /usr/local/sbin/apf

 

Make /etc/apf the current working directory.

cd /etc/apf

 

Edit the conf.apf file as desired.

pico -w conf.apf

This isn’t a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

 

 

In order for this firewall to work properly you have to edit/add/delete ports.

These ports will allow services such as mail, ftp, and ssh to come in and out of the server.

If you have changed any ports, please modify them below and add/remove as needed.

 

# Common ingress (inbound) TCP ports

IG_TCP_CPORTS=”20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,

2087,2095,2096,3306,9999,10000,3000_3500″

please note that ports 2082 to port 2095 is mostly used by cpanel, WHM, and port 19638 is only use in

ensim.  Port 9999 might be used for Urchin.

 

# Common ingress (inbound) UDP ports

IG_UDP_CPORTS=”20,21,53,1040″

 

Common egress (outbound) ports

# Common egress (outbound) TCP ports

EG_TCP_CPORTS=”21,25,80,443,43,2089″

#

# Common egress (outbound) UDP ports

EG_UDP_CPORTS=”20,21,53″

Turn on DShield.org’s “block” list of top networks that have exhibited
FIND: USE_DS=”0″ //(0=disabled)
CHANGE TO: USE_DS=”1″

 

After you have finished editing the port list and turned on DShield save the file and test APF.

Save the changes: Ctrl+X then Y to save enter to confirm

 

Starting the firewall

/usr/local/sbin/apf -s

 

or

service apf start

 

If APF is functioning properly and you are not locked out edit the conf.apf again

 

pico -w conf.apf

Set the DEVM parameter to 0

DEVM=”0″

Once done Exit and save the file.

Save the changes: Ctrl+X then Y to save enter to confirm

Restart APF

service apf restart

 

Enabling connections for server monitoring.

Some service providers that offer monitoring need access to your server, and access without setting off alarms, firewalls etc. is a good thing. Just becareful which IP(s) you put in here.

 

To allow connections from xx.xx.xx.xx/24

pico -w /etc/apf/allow_hosts.rules

At the very end of the file add this line

xx.xx.xx.xx/24

Of course replace the xx.xx.xx.xx with the IP address provided to you by your data center.

 

Make APF Start automatically at boot time

To autostart apf on reboot, run this:

 

chkconfig –level 2345 apf on

 

To remove it from the autostart function, run this command:

 

chkconfig –del apf

 

4) Install Brute Force Detection, from the makers of APF. What is BFD (Brute Force Detection)?

BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at:http://www.rfxnetworks.com/bfd.php

 

Requirements before installing BFD:

 

– You MUST have APF Firewall Installed before installig BFD – it works with APF and requires some of APF files to properly operate.

– You need to have Root SSH access to your server

 

Login to your server through SSH and “su” to the root user.

 

1. cd /root/downloads or to another temporary folder where you want to store your download files.

 

2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

 

3. tar -xvzf bfd-current.tar.gz

 

4. cd bfd-0.5

 

5. Run the install file: ./install.sh

You will receive a message saying it has been installed

 

.: BFD installed

Install path: /usr/local/bfd

Config path: /usr/local/bfd/conf.bfd

Executable path: /usr/local/sbin/bfd

 

6. Lets edit the configuration file: pico /usr/local/bfd/conf.bfd

 

7. Enable brute force hack attempt alerts:

Find: ALERT_USR=”0″ CHANGE TO: ALERT_USR=”1″

 

Find: EMAIL_USR=”root” CHANGE TO: EMAIL_USR=”you@exampledomain.com”

 

Save the changes: Ctrl+X then Y

 

8. Prevent locking yourself out!

pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs (if you have static IP’s)

Eg: 10.0.1.1

 

Save the changes: Ctrl+X then Y

 

BFD uses the APF’ cli insert feature

and as such will override any allow_hosts.rules entries users have in-place.

So be sure to add your trusted ip addresses to the ignore file to prevent

locking yourself out.

 

9. Run the program!

/usr/local/sbin/bfd -s

 

 

5) Disable Direct Root Login.
This will force you to login as another user in (in cpanel the user must be in the wheel group), and then su to root. This helps to protect the server from ‘wanna-be’ hackers.

 

If you’re using cPanel make sure you add a new user to the ‘wheel’ group so that you will be able to ‘su -’ to root, otherwise you may lock yourself out of root.

 

Set up anotheruser if you haven’t already got one:

 

1. Type: groupadd newuser

2. Type: useradd newuserr -gnewuser

3. Type: passwd newuser passwordhere

 

On a CPanel system, you must add the new user to the wheel group via WHM “Manage Wheel Group Users”.

 

After you have done this, you will have to login as newuser and then you will do ‘su – root’ to get to root.

 

Now copy and paste the following line to edit the necessary file for SSH logins

pico -w /etc/ssh/sshd_config

 

You should now be in the actual file – find the line

Protocol 2, 1

 

Uncomment this line and change it to look like this:

Protocol 2

 

As the next step find the line

PermitRootLogin yes

 

Uncomment that line and make it look like

PermitRootLogin no

 

Save and exit the file with Ctrl+X and then Y then enter

 

Now restart SSH

/etc/rc.d/init.d/sshd restart

 

From now on nobody will be able to login directly as root. To gain root access you will need to login as a different user and then switch to root.

 

 

6) Disable Telnet Access. Telnet is not secure, and your password is sent in plain text, so don’t use it! Disable it now and forever and use SSH isntead.

 

1. Login to your server through SSH and su to root.

 

2. Type pico /etc/xinetd.d/telnet

 

3. Look for the line: disable = no and replace with disable = yes

 

4. Now restart the inetd service: /etc/rc.d/init.d/xinetd restart

 

5. Also – Turn it off through chkconfig as well because it can still start through hat.

/sbin/chkconfig telnet off

 

 

7) Force SSH Protocol 2.

Force SSH Protocol 2

 

pico -w /etc/ssh/sshd_config

 

Find the line ‘#Protocol 2, 1′ and uncomment it and change it to look like ‘Protocol 2′

 

8) Disable cPanel Demo Mode

Disable cPanel Demo Mode

 

9) Disable normal user Shell Access

You can disable shell access for all your hosting clients from WHM. It’s a good habit to disable it by default. Nowadays shell access is not really needed by hosting clients. You can still enable it on a single base if really needed.

 

10) Enable SUEXEC

Enable SuExec from WHM. Quick and easy.

 

11) Receive an e-mail when someone logs in as root.

It can be very useful to know when/if somebody logs in as root to your server. This helps you to keep track of authorized and valid logins and to alarm you in cases it is not authorized. It is recommended to use an off-site email address for this in case an attacker will gain access to your email account on the server after login in.

 

1. Login to your server and (as always) su to root.

 

2. cd /root

 

3. pico .bashrc

 

4. Scroll down to the end of the file and then add the following:

echo ‘ALERT – Root Shell Access (YourserverName) on:’ `date` `who` | mail -s “Alert: Root Access from `who | cut -d”(” -f2 | cut -d”)” -f1`” you@yourexternaldomain.com

 

Replace YourServerName with the handle for your actual server

Replace you@yourexternaldomain.com with your actual email address at an off-site email account.

 

5. Ctrl + X then Y to save and close the file

 

Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert within few minutes after login in.

 

Please keep in mind – This will not magically alert you when a hacker runs the latest kernel exploit on your server and logs into SSH because they will create their own SSH/telnet connection – something you won’t even know about until it is too late. Keep your system up to date and follow common security practice.

 

12) Set a MySQL Root Password

This can be done in WHM – either during the server setup or manually. Make it a different password as compared to your root password.

 

13) Show a legal message for Shell access

Even if it does not actively protects your machine – for legal purposes and prosecution it might be useful to display a legal message for anyone who logs on to your server via Shell. Example of such a message:

 

This computer system is for authorized users only. All activity is logged and regulary checked by systems personal. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked and will be prosecuted. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement. Anyone using this system consents to these terms.

 

How to set up this kind of a message on your system? Logon to your system from the Shell. SU to root and type the following:

 

pico -w /etc/motd

 

Type your message and hit ctrl + x and Y to save the message. Logoff from the system and log back on again to see the results.

 

14) Stay secure

 

Sign up to the free email alerts at http://secunia.com/ – you will receive security alerts for all different kind of software and operating systems. You will not need all of these in most case but at least you won’t miss any major security issue published.

 

Run A Root Kit Checker on a regular base.

 

You can get a root kit checker from http://www.chkrootkit.org as free software. Rkhunter is another root kit checking tool available free of charge. http://www.rootkit.nl/ Run it against your system once or twice a month.

 

http://www.webhostingresourcekit.com/109.html

Comments

comments