Is there a step-by-step tutorial/instructions on how to secure your server? I need help. Things I normally do on my server: set up iptables, only open the ports that are needed, the rest are closed; always update the server kernel; install ClamAV and Rootkit Hunter and run them every day. Any more steps? Thanks.
It depends on what websites are hosted on the server and what it is used for. But a few of them are as below:

- SSH port changed to other than 22.
- /dev/shm is mounted noexec,nosuid.
- Enable Background Process Killer.
- Enable Apache weak SSL/TLS Ciphers (SSLCipherSuite).
- Enable Apache for TraceEnable.
- Enable Apache for ServerSignature.
- Enable Apache for ServerTokens.
- Enable Apache for FileETag.
- mod_userdir protection disabled.
- PHP vulnerable functions: leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid => leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, ini_set
- Compile PHP with Suhosin.
- Enable Boxtrapper.
- Disable FTP logins with root password.
- Tweak MySQL.
- Tweak CSF firewall on the server.
- Disable FrontPage.
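Several items in that list can be checked rather than remembered. The following is an added example, not code from this thread or from cPanel/CSF: a POSIX sh audit that reads copies of /etc/fstab, sshd_config, httpd.conf and php.ini and reports whether /dev/shm has noexec,nosuid, whether the SSH port is something other than 22, whether TraceEnable, ServerSignature, ServerTokens and FileETag are set to their restrictive values, and which of the PHP functions named above are still missing from disable_functions. The directory layout, the function names and the sample configs it writes under a temp directory are all constructed for the demo. SSLCipherSuite (restricting the cipher list to strong ciphers) is out of scope for the audit.

```shell
#!/bin/sh
# Added example, not from the thread: audit a few of the items listed above
# against copies of the relevant config files. Each check takes the file path,
# so it can be run on the constructed samples written below or on real copies.

# 0 if the fstab-style file mounts /dev/shm with both noexec and nosuid.
shm_hardened() {
    opts=$(grep -v '^[[:space:]]*#' "$1" | awk '$2 == "/dev/shm" { print $4 }')
    [ -n "$opts" ] || return 1
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx noexec || return 1
    printf '%s\n' "$opts" | tr ',' '\n' | grep -qx nosuid
}

# Print the last uncommented "Directive value" line's value, lowercased
# (Apache and sshd style); prints an empty line if the directive is absent.
conf_directive() {
    grep -v '^[[:space:]]*#' "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; v = $0 }
        END { sub(/^[[:space:]]+/, "", v); print tolower(v) }'
}

# 0 if sshd_config sets Port to something other than 22.
ssh_port_changed() {
    port=$(conf_directive "$1" Port)
    [ -n "$port" ] && [ "$port" != "22" ]
}

# 0 if httpd.conf has TraceEnable Off, ServerSignature Off, ServerTokens Prod
# and an explicit FileETag that does not expose the inode number.
apache_hardened() {
    [ "$(conf_directive "$1" TraceEnable)" = off ] || return 1
    [ "$(conf_directive "$1" ServerSignature)" = off ] || return 1
    [ "$(conf_directive "$1" ServerTokens)" = prod ] || return 1
    etag=$(conf_directive "$1" FileETag)
    [ -n "$etag" ] || return 1
    case "$etag" in *inode*|*all*) return 1 ;; esac
    return 0
}

# Print, space separated, which of the post's PHP functions are NOT in
# php.ini's disable_functions (empty line means all of them are disabled).
php_missing_disables() {
    wanted="leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid ini_set"
    disabled=$(grep -v '^[[:space:]]*;' "$1" |
        sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' | tr ',' ' ')
    missing=""
    for f in $wanted; do
        hit=0
        for d in $disabled; do [ "$d" = "$f" ] && hit=1; done
        [ "$hit" -eq 0 ] && missing="$missing${missing:+ }$f"
    done
    printf '%s\n' "$missing"
}

# Constructed sample configs (not from any real host) so the audit runs offline.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/bad" "$SAMPLE_DIR/good"
printf 'tmpfs /dev/shm tmpfs defaults 0 0\n' > "$SAMPLE_DIR/bad/fstab"
printf '# /etc/fstab\ntmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0\n' > "$SAMPLE_DIR/good/fstab"
printf '#Port 2222\nPort 22\n' > "$SAMPLE_DIR/bad/sshd_config"
printf 'Port 2222\n' > "$SAMPLE_DIR/good/sshd_config"
printf 'ServerTokens Full\nServerSignature On\n# TraceEnable Off\nFileETag INode MTime Size\n' > "$SAMPLE_DIR/bad/httpd.conf"
printf 'ServerTokens Prod\nServerSignature Off\nTraceEnable Off\nFileETag MTime Size\n' > "$SAMPLE_DIR/good/httpd.conf"
printf 'disable_functions = leak, posix_kill\n' > "$SAMPLE_DIR/bad/php.ini"
printf '; disable_functions = leak\ndisable_functions = leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,ini_set\n' > "$SAMPLE_DIR/good/php.ini"

# One OK/FAIL line per check for a directory holding fstab, sshd_config, httpd.conf, php.ini.
audit_report() {
    shm_hardened "$1/fstab" && echo "shm noexec,nosuid: OK" || echo "shm noexec,nosuid: FAIL"
    ssh_port_changed "$1/sshd_config" && echo "ssh port != 22: OK" || echo "ssh port != 22: FAIL"
    apache_hardened "$1/httpd.conf" && echo "apache headers: OK" || echo "apache headers: FAIL"
    echo "php functions still enabled: $(php_missing_disables "$1/php.ini")"
}
echo "== bad =="; audit_report "$SAMPLE_DIR/bad"
echo "== good =="; audit_report "$SAMPLE_DIR/good"
```

To use it on a real box, copy the four files into one directory and call audit_report on it (or call the individual functions). The checks only read the files the post names; they say nothing about what the running daemons actually loaded, so re-run them after a restart if a config was edited.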
@MilesGeek thanks for the tips. @SolidShellSecurity I can't afford one since I'm using my server for hobby-related things. Is there any free/open-source monitoring script for a dedicated server? I want to monitor my incoming traffic.
In my opinion, the best way to secure the server is to install CSF Firewall instead of iptables and to install mod_security. Here are the CSF installation instructions:

Installation
============

Installation is quite straightforward: log in as the root user to SSH and run the following commands.

    rm -fv csf.tgz
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh

If you would like to disable APF+BFD (which you will need to do if you have them installed, otherwise they will conflict horribly):

    sh disable_apf_bfd.sh

That's it. You can then configure csf and lfd in WHM, or edit the files directly in /etc/csf/*

Installation Completed

Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suit your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall

csf is preconfigured to work on a cPanel server with all the standard cPanel ports open. It also auto-configures your SSH port if it's non-standard on installation.

You should ensure that the kernel logging daemon (klogd) is enabled. Typically, VPS servers have this disabled, and you should check /etc/init.d/syslog and make sure that any klogd lines are not commented out. If you change the file, remember to restart syslog.

Now log in to your cPanel server's WHM as root and go to the bottom left menu. If already logged in, then reload the page. In Plugins you will see: ConfigServer Security&Firewall

The firewall is STOPPED by default; it is not running. We need to configure it, and then take it out of Test Mode.

Click on Firewall Configuration

ETH_DEVICE = : Set this to eth+

TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave open for your server to operate. If you change the default SSH port, make sure to add it here. Also add any other services you might have running, such as Shoutcast or game servers. By default most of the ports used should already be configured.

MONOLITHIC_KERNEL = 0: Only change this to 1 if your firewall will not start; otherwise leave it as it is.

LF_DSHIELD = 0: Change this option to 86400. This is an automatically updated list of known attacking IPs. Enabling this will stop them from being able to connect to your server.

Spam Protection Alerts

If you want to add some spam protection, CSF can help. Look in the configuration for the following:

LF_SCRIPT_ALERT = 0: change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.

LF_SCRIPT_LIMIT = 100: change this to 250. This will alert you when any script sends out 250 email messages in an hour.

Configuration Complete - Almost

Scroll down to the bottom and click on Change to save the settings. Then click Restart csf+lfd. You should see a big page of ACCEPT and near the bottom you should see:

    csf: TESTING mode is enabled - don't forget to disable it in the configuration
    Starting lfd:[ OK ]

Click on Return. Now TEST all your services to make sure everything is working: SSH, FTP, http. After you do a few quick tests, go back into the Firewall Configuration page.

TESTING = 1: change this to 0 and click Change at the bottom. Then Restart csf+lfd.

That's it, the firewall is successfully installed and running!! Firewall Status: Running - you should see this on the main CSF page in WHM.

To install mod_security, follow these steps:

First, you're going to start out by grabbing the latest version of mod_security:

    wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz

3. Next we untar the archive and cd into the directory:

    tar zxvf mod_security-1.7.4.tar.gz
    cd mod_security-1.7.4/

4. Now you need to determine which version of Apache you use:

    APACHE 1.3.x users: cd apache1/
    APACHE 2.x users:   cd apache2/

5. Let's compile the module now:

    /usr/local/apache/bin/apxs -cia mod_security.c

6. OK, now it's time to edit the httpd.conf file. First we will make a backup just in case something goes wrong:

    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

7. Now that we have backed it all up, we can edit the httpd.conf. Replace pico with nano depending on what you have:

    pico /usr/local/apache/conf/httpd.conf

8. Let's look for something in the config; do this by holding Control and pressing W, and you are going to search for <IfModule mod_dir.c> (although any of the IfModules would work fine).

9. Now add this:

    <IfModule mod_security.c>
        # Turn the filtering engine On or Off
        SecFilterEngine On

        # Change Server: string
        SecServerSignature " "

        # Make sure that URL encoding is valid
        SecFilterCheckURLEncoding On

        # This setting should be set to On only if the Web site is
        # using the Unicode encoding. Otherwise it may interfere with
        # the normal Web site operation.
        SecFilterCheckUnicodeEncoding Off

        # Only allow bytes from this range
        SecFilterForceByteRange 1 255

        # The audit engine works independently and
        # can be turned On or Off on the per-server or
        # on the per-directory basis. "On" will log everything,
        # "DynamicOrRelevant" will log dynamic requests or violations,
        # and "RelevantOnly" will only log policy violations
        SecAuditEngine RelevantOnly

        # The name of the audit log file
        SecAuditLog /var/log/httpd/audit_log

        # Should mod_security inspect POST payloads
        SecFilterScanPOST On

        # Action to take by default
        SecFilterDefaultAction "deny,log,status:500"

        # Require HTTP_USER_AGENT and HTTP_HOST in all requests
        SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

        # Prevent path traversal (..) attacks
        SecFilter "\.\./"

        # Weaker XSS protection but allows common HTML tags
        SecFilter "<[[:space:]]*script"

        # Prevent XSS attacks (HTML/Javascript injection)
        SecFilter "<(.|\n)+>"

        # Very crude filters to prevent SQL injection attacks
        SecFilter "delete[[:space:]]+from"
        SecFilter "insert[[:space:]]+into"
        SecFilter "select.+from"

        # Protecting from XSS attacks through the PHP session cookie
        SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
        SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    </IfModule>

10. Save the file: Ctrl + X then Y

11. Restart Apache:

    /etc/rc.d/init.d/httpd stop
    /etc/rc.d/init.d/httpd start

You've successfully installed mod_security.
[ SCRIPTS ]
MALWARE/HACK PROTECTION
→ Chkrootkit Automatic Script Installer (instructions and FREE download)
→ RKHunter Automatic Script Installer (instructions and FREE download)
FIREWALL/(d)DoS Protection
→ Syn Deflate Automatic Script Installer (instructions and FREE download)
→ CSF ConfigServer Firewall Automatic Script Installer (instructions and FREE download)
Once you are done, employ a white-hat hacker to give your site a good penetration test and go with their recommendations.
If you have no clue what these tutorials are about, you can shoot yourself in the foot. If you need your server secured, you need a server admin.