Securing Dedicated Server?

Discussion in 'Security' started by RiotMan, Oct 3, 2012.

  1. #1
    Is there a step-by-step tutorial/instructions on how to secure your server?
    I need help. Things I normally do on my server:
    Set up iptables, only open ports that are needed; the rest are closed.
    Always update the server kernel. Install ClamAV and Rootkit Hunter, run them every day. Any more steps? Thanks
    RiotMan, Oct 3, 2012 IP
  2. MilesWeb

    MilesWeb Well-Known Member

    It depends on what websites are hosted on the server and what it is used for. But a few of them are as below.

    SSH Port changed to other than 22.
    /dev/shm is mounted noexec,nosuid.
    Enable Background Process Killer.
    Enable Apache weak SSL/TLS Ciphers (SSLCipherSuite)
    Enable apache for TraceEnable
    Enable apache for ServerSignature
    Enable apache for ServerTokens
    Enable apache for FileETag .
    mod_userdir protection
    disabled php vulnerable functions - leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid => leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, ini_set
    Compile php with suhosin.
    Enable Boxtrapper.
    Disable FTP Logins with Root Password.
    Tweak mysql.
    Tweak csf firewall on the server.
    Disable FrontPage.
    MilesWeb, Oct 5, 2012 IP
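Two items in the list above can be checked mechanically. The following shell script is an added example, not part of the thread or of any poster's tooling: it reports which of noexec and nosuid are missing from /dev/shm and which functions from the post's list are absent from disable_functions. The mounts table and php.ini are constructed samples and the function names are hypothetical; on a real host the inputs would be /proc/mounts and the active php.ini.

```shell
#!/bin/sh
# Functions the post above lists as ones to disable in PHP.
WANTED="leak apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid ini_set"

# Print which of noexec/nosuid are missing from /dev/shm.
# $1 = a mounts table in /proc/mounts format
shm_missing_opts() {
    opts=$(awk '$2 == "/dev/shm" { o = $4 } END { print o }' "$1")
    [ -n "$opts" ] || { echo "not-mounted"; return; }
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo $missing
}

# Print the WANTED functions that are absent from disable_functions.
# $1 = a php.ini file (commented-out ";disable_functions" lines are ignored)
php_missing_disabled() {
    current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '" ')
    missing=""
    for fn in $WANTED; do
        case ",$current," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    echo $missing
}

# Constructed sample inputs (not taken from a real server).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
cat > "$SAMPLE/php.ini" <<'EOF'
; constructed sample
disable_functions = "posix_kill, posix_setuid,leak"
EOF

echo "/dev/shm options missing: $(shm_missing_opts "$SAMPLE/mounts")"
echo "PHP functions not disabled: $(php_missing_disabled "$SAMPLE/php.ini")"
```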
  3. CN-Jeremy

    CN-Jeremy Guest

    This should help you out.

    CN-Jeremy, Oct 9, 2012 IP
  4. backupgreen

    backupgreen Peon

    Also read docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/SecuringYourServer
    backupgreen, Oct 9, 2012 IP
  5. SolidShellSecurity

    SolidShellSecurity Banned

    Hire a security business. Don't chance it by learning how to do stuff yourself.
    SolidShellSecurity, Oct 10, 2012 IP
  6. RiotMan

    RiotMan Active Member

    @ MilesGeek
    Thanks for the tips.

    @ SolidShellSecurity
    Can't afford one since I'm using my server for hobby-related things.

    Are there any free/open-source monitoring scripts for a dedicated server?
    I want to monitor my incoming traffic.
    RiotMan, Oct 14, 2012 IP
  7. MilesWeb

    MilesWeb Well-Known Member

    You are welcome, RiotMan. :)
    MilesWeb, Oct 14, 2012 IP
  8. wetbupa

    wetbupa Peon

    In my opinion, the best way to secure the server is to install CSF Firewall instead of iptables and to install mod_security.
    Here are the CSF installation instructions:

    Installation is quite straightforward:

    Login as the root user to SSH and run the following commands.
    rm -fv csf.tgz
    wget http://www.configserver.com/free/csf.tgz
    tar -xzf csf.tgz
    cd csf
    sh install.sh
    If you would like to disable APF+BFD (which you will need to do if you have
    them installed otherwise they will conflict horribly):
    sh disable_apf_bfd.sh
    That's it. You can then configure csf and lfd in WHM, or edit the files
    directly in /etc/csf/*
    Installation Completed
    Don't forget to:
    1. Configure the TCP_IN, TCP_OUT, UDP_IN and UDP_OUT options in the csf configuration to suit your server
    2. Restart csf and lfd
    3. Set TESTING to 0 once you're happy with the firewall

    csf is preconfigured to work on a cPanel server with all the standard cPanel
    ports open. It also auto-configures your SSH port if it's non-standard on
    You should ensure that kernel logging daemon (klogd) is enabled. Typically, VPS
    servers have this disabled and you should check /etc/init.d/syslog and make
    sure that any klogd lines are not commented out. If you change the file,
    remember to restart syslog.
    Now - login to your cPanel server's WHM as root and go to the bottom left menu. If already logged in then reload the page. In Plugins - you will see: ConfigServer Security&Firewall
    The firewall is STOPPED by default - it is not running. We need to configure it, and then take it out of Test Mode.

    Click on Firewall Configuration

    ETH_DEVICE =: Set this to eth+

    TCP_IN/TCP_OUT/UDP_IN/UDP_OUT = : These are the ports you want to leave open for your server to operate. If you change the default SSH port make sure to add it here. Also add any other services you might have running such as Shoutcast or game servers. By default most of the ports used should already be configured.

    MONOLITHIC_KERNEL = : 0 Only change this to 1 if your firewall will not start - otherwise leave it as is.

    LF_DSHIELD = 0: Change this option to 86400. This is an automatic updated list of known attacking IPs. Enabling this will stop them from being able to connect to your server.

    Spam Protection Alerts
    If you want to add some spam protection, CSF can help. Look in the configuration for the following:

    LF_SCRIPT_ALERT = 0 change this to 1. This will send an email alert to the system administrator when the limit configured below is reached within an hour.

    LF_SCRIPT_LIMIT = 100 change this to 250. This will alert you when any script sends out 250 email messages in an hour.

    Configuration Complete - Almost
    Scroll down to the bottom and click on Change to save the settings. Then click Restart csf+lfd

    You should see a big page of ACCEPT and near the bottom you should see:

    csf: TESTING mode is enabled - don't forget to disable it in the configuration
    Starting lfd:[ OK ]

    Click on Return

    Now TEST all your services to make sure everything is working - SSH, FTP, http. After you do a few quick tests go back into the Firewall Configuration page.
    TESTING = 1 change this to 0 and click Change at the bottom. Then Restart csf+lfd

    That's it, the firewall is successfully installed and running!!
    Firewall Status: Running - you should see this on the main CSF page in WHM.

    To install mod_security, follow the steps:

    First you're going to start out by grabbing the latest version of mod_security
    wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz

    3. Next we untar the archive and cd into the directory:
    tar zxvf mod_security-1.7.4.tar.gz
    cd mod_security-1.7.4/
    4. Now you need to determine which version of apache you use:
    APACHE 1.3.x users
    cd apache1/
    APACHE 2.x users
    cd apache2/

    5. Let's compile the module now:
    /usr/local/apache/bin/apxs -cia mod_security.c

    6. Ok, now it's time to edit the httpd conf file. First we will make a backup just in case something goes wrong:
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

    7. Now that we have backed it all up, we can edit the httpd.conf. Replace pico with nano depending on what you have
    pico /usr/local/apache/conf/httpd.conf

    8. Let's look for something in the config, do this by holding control and pressing W and you are going to search for
    <IfModule mod_dir.c> (although any of the IfModules would work fine)
    9. Now add this

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature " "

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:500"

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    </IfModule>

    10. Save the file Ctrl + X then Y

    11. Restart Apache

    /etc/rc.d/init.d/httpd stop
    /etc/rc.d/init.d/httpd start

    You've successfully installed mod_security
    wetbupa, Oct 17, 2012 IP
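A pre-flight check for the CSF steps in the post above, as an added example that is not part of the original post or of csf itself: it confirms that the port sshd listens on appears in TCP_IN before TESTING is set to 0. The file contents are constructed samples and the function names are hypothetical; on a real server the inputs would be /etc/csf/csf.conf and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Read one KEY = "value" setting from a csf.conf-style file.
# $1 = file, $2 = key
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\(.*\\)\".*/\\1/p" "$1" | tail -n 1
}

# Port sshd listens on: first uncommented Port directive, else the default 22.
# $1 = sshd_config
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# Succeed if port $1 is covered by comma list $2 (single ports or low:high ranges).
# Runs in a subshell so the IFS change does not leak to the caller.
port_allowed() (
    IFS=,
    for entry in $2; do
        case "$entry" in
            *:*) [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ] && exit 0 ;;
            *)   [ "$1" = "$entry" ] && exit 0 ;;
        esac
    done
    exit 1
)

# Refuse to go live while the SSH port is missing from TCP_IN.
# $1 = csf.conf, $2 = sshd_config
preflight() {
    port=$(sshd_port "$2")
    if ! port_allowed "$port" "$(csf_get "$1" TCP_IN)"; then
        echo "BLOCK: sshd port $port is not in TCP_IN"
        return 1
    fi
    echo "OK: sshd port $port is in TCP_IN (TESTING = $(csf_get "$1" TESTING))"
}

# Constructed sample files (not taken from a real server).
D=$(mktemp -d)
printf 'Port 2222\n' > "$D/sshd_config"
printf 'TESTING = "1"\nTCP_IN = "20,21,22,25,53,80,443,30000:35000"\n' > "$D/csf.bad"
printf 'TESTING = "1"\nTCP_IN = "20,21,25,53,80,443,2222,30000:35000"\n' > "$D/csf.good"

preflight "$D/csf.bad" "$D/sshd_config" || true   # SSH moved to 2222, TCP_IN not updated
preflight "$D/csf.good" "$D/sshd_config"
```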
  9. SolidShellSecurity

    SolidShellSecurity Banned


    [ SCRIPTS ]

    → Chkrootkit Automatic Script Installer (instructions and FREE download)
    → RKHunter Automatic Script Installer (instructions and FREE download)

    FIREWALL/(d)DoS Protection
    → Syn Deflate Automatic Script Installer (instructions and FREE download)
    → CSF ConfigServer Firewall Automatic Script Installer (instructions and FREE download)
    SolidShellSecurity, Oct 17, 2012 IP
  10. icroak

    icroak Peon

    Once you are done, employ a white hat hacker to give your site a good penetration test and go with their recommendations
    icroak, Nov 2, 2012 IP
  11. mangoo

    mangoo Peon

    If you have no clue what these tutorials are about, you can shoot yourself in the foot.

    If you need your server secured, you need a server admin.
    mangoo, Nov 2, 2012 IP