When you run a Dedicated Server or Virtual Private Server (VPS), securing and optimizing it is something the sysadmin has to take care of. Here are a few ways to secure and optimize a dedicated server or VPS.
=========================================
Checking for formmail
=========================================
FormMail scripts are abused by spammers to send out spam, either by using the script as an open relay or by injecting extra recipients and headers into the form fields.
Command to find pesky form mails:
find / -name "[Ff]orm[mM]ai*"
CGIemail is also a security risk:
find / -name "[Cc]giemai*"
Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx removes read, write and execute permission for all users: owner, group and others.)
(Run it against each file the find commands reported. The script stays on disk but can no longer be read or executed by anyone, and the change can be reversed if the owner turns out to need it.)
If a client or someone else on your VPS installs a form mail script, you will have to let them know you are disabling it and give them an alternative.
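As an added example (not part of the original tutorial), here are the two find commands and the chmod folded into one script that also records the owner of each file it disables, so you know which client to notify. It assumes POSIX sh, find, ls and awk, takes the search root as an argument (the tutorial searches from /), and writes its report to the path you give it.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: the two find commands and
# the chmod from the text in one script that also records who owns each
# disabled script, so you know which client to notify.
# Assumptions: POSIX sh, find, ls and awk; the search root is an argument (the
# tutorial searches from /); the report path is an argument too.

# find_formmail ROOT: print every file matching the text's name patterns.
find_formmail() {
  find "$1" -type f \( -name '[Ff]orm[mM]ai*' -o -name '[Cc]giemai*' \) 2>/dev/null
}

# disable_formmail ROOT REPORT
#   chmod a-rwx every match and append "owner path" to REPORT, then print the
#   number of lines in REPORT (use a fresh report file to get a clean count).
disable_formmail() {
  root=$1 report=$2
  find_formmail "$root" | while IFS= read -r f; do
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    chmod a-rwx "$f" && printf '%s %s\n' "$owner" "$f" >> "$report"
  done
  if [ -f "$report" ]; then awk 'END { print NR }' "$report"; else echo 0; fi
}

# Run directly: sh disable-formmail.sh / /root/formmail-report.txt
if [ $# -ge 1 ]; then
  disable_formmail "$1" "${2:-/root/formmail-report.txt}"
fi
```

Run it as root with / as the search root; the report lists one "owner path" line per disabled script, which is exactly the list of clients you need to contact.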
=========================================
Root kit checker – http://www.chkrootkit.org/
=========================================
Check for rootkits, and run the checker from a cron job. This will show you whether anyone has compromised root on the box. Always update chkrootkit so you have the latest checks. Hackers and spammers look for insecure upload forms on your box and then use injection methods to upload a rootkit to your server. If they can run it, it replaces many system files, possibly leaving you no option but to reinstall.
To install chkrootkit, SSH into the server and log in as root.
At command prompt type:
cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense
(The directory name carries the version number; use whatever the tarball actually extracted, and check the download against the checksum published on chkrootkit.org before building it.)
To run chkrootkit
At command prompt type:
/root/chkrootkit-0.44/chkrootkit
Make sure you run it on a regular basis, perhaps including it in a cron job.
Execution
I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more
The first is the full run, which prints every test. -q is quiet mode and prints only what looks suspicious, which is what you want from a cron job. -x is expert mode and dumps the raw strings chkrootkit examines in each binary so you can judge a hit for yourself.
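A cron wrapper for the quiet mode, added here as an example (it is not part of chkrootkit or of the original tutorial): it runs chkrootkit -q, stays silent when nothing is found and mails the findings otherwise, which is what you want from a nightly job. The chkrootkit path, the recipient address and the presence of a working mail command are assumptions to adjust.

```sh
#!/bin/sh
# Added example, not part of chkrootkit or of the original tutorial: a cron
# wrapper that runs chkrootkit in quiet mode and mails only when it reports
# something. Assumptions: the chkrootkit path (adjust to the version you
# extracted), a working mail(1), and the recipient address.
CHKROOTKIT=${CHKROOTKIT:-/root/chkrootkit-0.44/chkrootkit}
ALERT_TO=${ALERT_TO:-your@email.com}

# chkrootkit_findings: run "chkrootkit -q" and print its output, which in quiet
# mode is only the suspicious items. Exit 0 when clean, 1 when there are
# findings, 2 when the checker is not where CHKROOTKIT points.
chkrootkit_findings() {
  if [ ! -x "$CHKROOTKIT" ]; then
    echo "chkrootkit not found at $CHKROOTKIT" >&2
    return 2
  fi
  out=$("$CHKROOTKIT" -q 2>&1)
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}

# report: mail the findings with the host name in the subject and echo them,
# so cron's own mail shows them too. Returns chkrootkit_findings' status.
report() {
  findings=$(chkrootkit_findings)
  rc=$?
  [ "$rc" -eq 0 ] && return 0
  if [ "$rc" -eq 1 ] && command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$findings" | mail -s "chkrootkit on $(uname -n): findings" "$ALERT_TO"
  fi
  [ -n "$findings" ] && printf '%s\n' "$findings"
  return "$rc"
}

# Run directly with the checker path as argument, e.g. from root's crontab:
#   0 3 * * * /bin/sh /root/bin/chkrootkit-cron.sh /root/chkrootkit-0.44/chkrootkit
if [ $# -ge 1 ]; then
  CHKROOTKIT=$1
  report
fi
```

Because cron mails any output of a job to root anyway, the wrapper only prints when there is something to see; a clean night produces no mail at all, so a message in your inbox always means a finding or a broken checker path.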
=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================
If someone does get root, be warned quickly by installing a detector that sends a warning from your box. At the very least you will get the hacker's or spammer's IP address and know that someone is in there.
Have the server e-mail you every time someone logs in as root
To have the server e-mail you every time someone logs in as root, SSH into the server and log in as root.
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
(Replace your@email.com with your own address. The $6 column is the client address only with the older who(1) date layout; check the output of who on your system. Also bear in mind that anyone who already has root can edit this file, so treat it as an early warning, not a control.)
Save and exit.
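As an added example, not the tutorial's own line, here is the same alert written so the client address comes from the SSH_CONNECTION variable that sshd sets for the session, instead of depending on which column of who holds the address; logins without SSH_CONNECTION fall back to who am i. Save it as, say, /root/root-alert.sh and source it from the end of /root/.bash_profile; the file name and the recipient address are assumptions.

```sh
#!/bin/sh
# Added example, not the tutorial's own line: alert on every interactive root
# login, taking the client address from SSH_CONNECTION (set by sshd for the
# session) rather than from a column of `who`, whose layout varies.
# Assumptions: save as /root/root-alert.sh, add ". /root/root-alert.sh" to the
# end of /root/.bash_profile, and replace the recipient address.
ALERT_TO=${ALERT_TO:-your@email.com}

# login_source: print the client address of the current session, or "local"
# for console logins and sessions without a remote address.
login_source() {
  if [ -n "${SSH_CONNECTION:-}" ]; then
    # SSH_CONNECTION = "client_ip client_port server_ip server_port";
    # unquoted on purpose so the words are split into positional parameters.
    set -- $SSH_CONNECTION
    echo "$1"
    return 0
  fi
  src=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
  echo "${src:-local}"
}

# alert_body USER SOURCE: the message that is mailed.
alert_body() {
  printf 'ALERT - Root shell access on %s at %s: user %s from %s\n' \
    "$(uname -n)" "$(date)" "$1" "$2"
}

# send_root_alert: mail the alert (when mail(1) is available) and also print it
# to the terminal so the person logging in knows it fired.
send_root_alert() {
  src=$(login_source)
  body=$(alert_body "$(id -un)" "$src")
  if command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$body" | mail -s "Alert: root access from $src" "$ALERT_TO"
  fi
  printf '%s\n' "$body"
}

# Fire only for an interactive root shell, which is the case when this file is
# sourced from /root/.bash_profile; sourcing it elsewhere just defines the functions.
case $- in
  *i*) if [ "$(id -u)" -eq 0 ]; then send_root_alert; fi ;;
esac
```

The same caveat as for the one-liner applies: an intruder with root can delete the file or empty .bash_profile, so the value of this is the first login, not the hundredth.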
Set an SSH Legal Message
To set an SSH legal message, SSH into the server and log in as root.
At command prompt type:
pico /etc/motd
Enter your message, save and exit. Note that /etc/motd is shown after a successful login; to display the notice before authentication, point the Banner directive in /etc/ssh/sshd_config at a file containing it.
=========================================
Web Host Manager and cPanel mods.
=========================================
These are items inside WHM/cPanel that should be changed to secure your server.
Go to Server Setup =>> Tweak Settings
Check the following items:
Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole
Under System
Use jailshell as the default shell for all new accounts and modified accounts
Go to Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disable compilers for unprivileged users.
Go to Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.
Go to Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable "Allow Creation of Packages with Shell Access" and enable "Never allow creation of accounts with shell access"; under Root Access disable All Features.
Go to Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Go to Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Go to Mysql =>> MySQL Root Password
Change root password for MySQL
Go to Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans (they are the standard kernel module tools):
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
=========================================
More Security Measures
=========================================
These are measures that can be taken to secure your server over SSH.
Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.
Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP address that is different from the main IP of the server, and move it to a port other than 22. Before you restart sshd, make sure your firewall allows the new port on the new address, or you will lock yourself out.
SSH into the server and log in as root.
Note: You can download PuTTY by clicking here (http://www.chiark.greenend.org.uk/~s…/download.html). It is a single executable that does not require installation on Windows boxes.
At command prompt type:
pico /etc/ssh/sshd_config
Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change
#Port 22 to look like Port 5678 (choose your own four- or five-digit port between 1024 and 49151; ports 49152 to 65535 are the dynamic range that clients use for outgoing connections, and 65535 is the highest port number; do not use 5678 itself)
Uncomment and change
#Protocol 2, 1 to look like Protocol 2
Uncomment and change
#ListenAddress 0.0.0.0 to look like ListenAddress 123.123.123.15 (use one of your own IP addresses that has been assigned to your server)
Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes and uncomment it and make it look like PermitRootLogin no. Before you do this, make sure you have a non-root account in the wheel group that can su to root, or you will lock yourself out of root.
Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.
Note 2: You can also create a custom host name specifically for your new SSH IP address, something like ssh.xyz.com. Be sure to add an A record for it to your zone file.
Now restart SSH
At command prompt type:
/etc/rc.d/init.d/sshd restart
Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.
Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol that sends your password in clear text, so change your root password after you use it.
After SSH has been redirected, disable telnet.
Disable Telnet
To disable telnet, SSH into the server and log in as root.
At command prompt type:
pico -w /etc/xinetd.d/telnet
Change disable = no to disable = yes
Save and Exit
At command prompt type:
/etc/init.d/xinetd restart
Disable Shell Accounts
To find PHP shells, IRC bouncers and bots hosted on your server (the scripts a compromised account typically leaves behind), SSH into the server and log in as root.
At command prompt type:
locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts
Note: There will be several listings that are OS/cPanel related. Examples are:
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.
Disable identification output for Apache
(do this to hide version numbers from potential attackers)
To disable the version output for Apache, SSH into the server and log in as root.
At command prompt type:
pico /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to
ServerSignature Off
ServerSignature only controls the footer Apache appends to its own error pages and directory listings; to stop the Server response header from reporting the version as well, set ServerTokens to Prod in the same file.
Restart Apache
At command prompt type:
/etc/rc.d/init.d/httpd restart
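The sshd_config edits above (Port, Protocol, ListenAddress, PermitRootLogin) and the ServerSignature change are all of the form "set directive X to value Y in a config file". The following script, added here as an example and not part of the original tutorial, does that from the shell so the change is repeatable: it rewrites the first live or commented copy of a directive, comments out duplicates, appends the directive if it is missing, and also sets ServerTokens Prod so the Server header stops reporting the Apache version. The demo at the end works on constructed copies of the two files with the tutorial's sample values (port 5678, address 123.123.123.15), which are placeholders; on a real box point it at /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf and run sshd -t and apachectl configtest before restarting either daemon.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: apply the sshd_config and
# httpd.conf directives from this page with a script instead of pico, so the
# change is repeatable and idempotent. Assumptions: POSIX sh/awk/grep, config
# files in the usual "Key value" / "#Key value" layout, and that you run
# `sshd -t` and `apachectl configtest` before restarting either daemon.

# set_directive FILE KEY VALUE
#   Rewrite the first live or commented "KEY ..." line as "KEY VALUE", comment
#   out any later live copy of KEY, or append the line if KEY is absent.
set_directive() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
    awk -v key="$key" -v value="$value" '
      $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
        if (!done)                { print key " " value; done = 1 }
        else if ($0 ~ /^[ \t]*#/) { print }           # already commented
        else                      { print "#" $0 }    # silence a duplicate
        next
      }
      { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_directive FILE KEY: print the value of the first live KEY line.
get_directive() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd FILE PORT ADDRESS: the four sshd_config changes from the text.
harden_sshd() {
  set_directive "$1" Port "$2"
  set_directive "$1" Protocol 2
  set_directive "$1" ListenAddress "$3"
  set_directive "$1" PermitRootLogin no   # needs a wheel user that can su first
}

# harden_httpd FILE: hide the version in both the page footer and the Server header.
harden_httpd() {
  set_directive "$1" ServerSignature Off
  set_directive "$1" ServerTokens Prod
}

# demo: constructed copies of the two files with the page's placeholder values.
# On a real box use /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf instead.
demo() {
  s=$(mktemp) h=$(mktemp)
  printf '#Port 22\n#Protocol 2, 1\n#ListenAddress 0.0.0.0\n#ListenAddress ::\n#PermitRootLogin yes\n' > "$s"
  printf 'ServerSignature On\n' > "$h"
  harden_sshd "$s" 5678 123.123.123.15
  harden_httpd "$h"
  cat "$s" "$h"
  rm -f "$s" "$h"
}
demo
```

Running the same function twice leaves the file unchanged, which is what makes it safe to keep in a post-install script; the second ListenAddress line (the IPv6 one) stays commented, matching the manual edit the text describes.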
This tutorial will be continued to part 2 – How to Secure and Optimize a Server or VPS – 2