Securing Dedicated Server?

Is there a step by step tutorial/instructions, on how to secure your server?.
I need help. Things i normally do on my server:
setup iptables, only open ports that is needed the rest is closed.
always update the server kernel. install clamav and rookit hunter, run them everyday. anymore steps?. Thanks

 

It depends on what websites are hosted on the server and what it is used for. But a few of them are as below.

SSH Port changed to other than 22.
/dev/shm is mounted noexec,nosuid.
Enable Background Process Killer.
Enable Apache weak SSL/TLS Ciphers (SSLCipherSuite)
Enable apache for TraceEnable
Enable apache for ServerSignature
Enable apache for ServerTokens
Enable apache for FileETag .
mod_userdir protection
disabled php vulnerable functions - leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid => leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, ini_set
Compile php with suhosin.
Enable Boxtrapper.
Disable FTP Logins with Root Password.
Tweak mysql.
Tweak csf firewall on the server.
Disable FrontPage.

 

This should help you out.

whmsecurity.com/linux-security/

 

Also read docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/SecuringYourServer

 

Hire a security business. Don't chance it by learning how to do stuff yourself.

 

@ MilesGeek
thanks for the tips.

@ SolidShellSecurity
can't afford one since i using my server for hobby related.


is there are any free/open-source monitoring script for dedicated server?.
i want to monitor my incoming traffics.

 

You are welcome, RiotMan.

 

In my opinion, the best way to secure the server is to istall CSF Firewall instead of iptables and to install mod_security.
Here are the CSF installation instructions:

Installation
============
Installation is quite straightforward:

Login as the root user to SSH and run the following commands. rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
If you would like to disable APF+BFD (which you will need to do if you have
them installed otherwise they will conflict horribly):
sh disable_apf_bfd.sh
That's it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*
Installation Completed
Don't forget to:
1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suite your server
2. Restart csf and lfd
3. Set TESTING to 0 once you're happy with the firewall

csf is preconfigured to work on a cPanel server with all the standard cPanel
ports open. It also auto-configures your SSH port if it's non-standard on
installation.
You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS
servers have this disabled and you should check /etc/init.d/syslog and make
sure that any klogd lines are not commented out. If you change the file,
remember to restart syslog.
Now - login to your cPanel server's WHM as root and go to the bottom left menu. If already logged in then reload the page. In Plugins - you will see: ConfigServer Security&Firewall
The firewall is STOPPED by default - it is not running. We need to configured it, and then take it out of Test Mode.

Click on Firewall Configuration

ETH_DEVICE =: Set this to eth+

TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave open for your server to operate. If you change the default SSH port make sure to add it here. Also add any other services you might have running such as Shoutcast or game servers. By default most of the ports used should already be configured.


MONOLITHIC_KERNEL = : 0 Only change this to 1 if your firewall will not start - otherwise leave it as it.


LF_DSHIELD = 0: Change this option to 86400. This is an automatic updated list of known attacking IPs. Enabling this will stop them from being able to connect to your server.

Spam Protection Alerts
If you want to add some spam protection, CSF can help. Look in the configuraiton for the following:

LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.

LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any scripts sends out 250 email messages in an hour.


Configuration Complete - Almost
Scroll down to the bottom and click on Change to save the settings. Then click Restart csf+lfd

You should see a big page of ACCEPT and near the bottom you should see:

csf: TESTING mode is enabled - don't forget to disable it in the configuration
Starting lfd:[ OK ]

Click on Return

Now TEST all your services to make sure everything is working - SSH, FTP, http. After you do a few quick tests go back into the Firewall Configuration page.
TESTING = 1 change this to 0 and click Change at the bottom. Then Restart csf+lfd


That's it, the firewall is successfully installed and running!!
Firewall Status: Running - you should see this on the main CSF page in WHM.

To install mod_security, follow the steps:

First your going to start out by grabbing the latest version of mod_security
wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz

3. Next we untar the archive and cd into the directory:
tar zxvf mod_security-1.7.4.tar.gz
cd mod_security-1.7.4/ 4. Now you need to determine which version of apache you use:
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/

5.Lets Compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c

6. Ok, now its time to edit the httpd conf file. First we will make a backup just incase something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

7. Now that we have backed it all up, we can edit the httpd.conf. Replace pico with nano depending on what you have
pico /usr/local/apache/conf/httpd.conf

8. Lets look for something in the config, do this by holding control and pressing W and you are going to search for
<IfModule mod_dir.c> (altho any of the IfModules would work fine)
9. Now add this

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>
10. Save the file Ctrl + X then Y

11. Restart Apache

/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start

You've successfully installed mod_security

 

[ SCRIPTS ]

MALWARE/HACK PROTECTION
→ Chkrootkit Automatic Script Installer (instructions and FREE download)
→ RKHunter Automatic Script Installer (instructions and FREE download)

FIREWALL/(d)DoS Protection
→ Syn Deflate Automatic Script Installer (instructions and FREE download)
→ CSF ConfigServer Firewall Automatic Script Installer (instructions and FREE download)

 

Once you are done employ a white hat hacker to give your site a good penetration test and go with their recommmendations

 

If you have no clue what these tutorials are about, you can shoot yourself in a foot.

If you need your server secured, you need a server admin.