Server Security Checklist - Secure your box now!!
Orginally Posted by me at rackshack.
http://forum.rackshack.net/showthrea...threadid=30333
There are alot of things floating around the forums on what to install to get the best degree of safety. Alot of these things are basic, and should be done right after getting ANY server. I have taken the time to do the homework for you and put it in a simple checklist form. To me, an unsecure box on RS's network is a threat to me and anyone else on the network, so please, take the time to secure your box.
The main goal of this checklist will be to help any one person setup a working, secure server.
I run mostly Cpanel servers, but control panel upgrades should be around the same method and most basic thing to perform; therefore I will not go indepth on other control panels.
This checklist assumes you know the basics of linux, the shell, and are using this all VIA SSH with the program putty.
Note: This is a common mistake people have; anything listed here must be done in root. To get root, please use the command "su -" not "su".
######################
~~~~~~~~~~~~~~~~~~~~
######################
Things to do on your server in order of importance:
- Full Cpanel (stable) upgrade [Already installed Cpanel/WHM Feature] [Link]
Note: This should upgrade openssh and all of that good stuff so all those locks show locked. - Recompile Apache [Already installed Cpanel/WHM Feature]
- Bind sshd to only 1 ip, and make it a different ip then your main site, and on a different high level port. Not to forget, disable direct root login.
Note 2: Though you could still login to root logging into admin and su - to root, it would be best to delete the admin login from your server. This'll give hackers an even harder time trying to crack your box. You should keep in mind that the admin login is only a rackshack thing, and is not a default thing, so it might be best to remove it anyways. Delete user admin, add another user, and add that user to the usergroup whell.
pico -w /etc/ssh/sshd_config
Find the line '#Port 22' and uncomment it and change it to look like 'Port [Random high level port here]'.
Request an ip from rackshack and create a nameserver using your registar (like the first time) that will point to that ip and wait till it resolves. (Note: You may have to add an A entry/DNS zone using cpanel or whatever you use as your control panel to get this to function.) Make the name of it something like 'ssh.domain.com', or 'shell1.domain.com'.
When it resolves, ssh into your box and find the line '#ListenAddress 0.0.0.0' and make it look like 'ListenAddress ##.##.##.##' replacing the number signs with the ip address.
Find the line '#Protocol 2, 1' and uncomment it and change it to look like 'Protocol 2'
Find the line '#PermitRootLogin yes' and uncomment it and make it look like 'PermitRootLogin no'.
Now restart SSH using the command:
/etc/rc.d/init.d/sshd restart
Now exit out, enter 'ssh.domain.com' as the host name, and put in your high level random port in the box, ssh into your box and your done.
If you have ANY problem with this, please login to your server VIA telnet, fix the problem, login using SSH2 again, and change your passwords. Telnet is a very unsecure protocol, but it'll get you out of a jam.
Note: If you do not have the most current version of putty, please get it as it will allow you to use ssh2 protocol.
- Have the server e-mail everytime someone logs in as root:
Advice from freddo:- Edit the .bash_profile in the users directory ( in this case /root)
commands:
su -
cd (just cd, nothing else)
pico .bash_profile
And put this at the very end:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access on Server #1" webmaster@X***********
Make sure the email address you send to also forwards to an off-server email address. This way the hacker cannot delete the warning email (without hacking another server anyway). - Disable Telnet:
pico -w /etc/xinetd.d/telnet
Note: (change disable = no to yes)
Save and Exit
/etc/init.d/xinetd restart - Chroot/Jail [Link]
[i]Note: If you have a Cpanel server there is a feature already included to Jail the shell account. Please do this ASAP if you plan on giving out shell accounts. - APF Firewall
Originally posted by DavidB
Follow these instructions to perform a new install of APF.
1. Make /usr/src the current working directory.
cd /usr/src
2. Fetch the most curent verison of APF.
wget http://www.r-fx.net/downloads/apf-current.tar.gz
3. Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
4. Remove the tar.gz file.
rm -f apf-current.tar.gz
5. Locate the APF directory.
ls -la
Look for a directory named apf-#.#/ where #.# represents the version of APF being installed (APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).
6. Make the APF directory the current working directory.
cd apf-0.9
Use the directory name you located in step 5.
Note that the numbers will change as new versions are released.
7. Run the APF install.
sh ./install.sh
8. Make /etc/apf the current working directory.
cd /etc/apf
9. Edit the conf.apf file as desired.
pico -w conf.apf
A very important part of this firewall you have to edit is the ports. These ports will allow services such as mail, ftp, and ssh come in and out of the server. If you have changed any ports, please modify them below and add/remove as needed.
################
# Common TCP Ports
TCP_CPORTS="21,22,25,26,53,80,110,143,443,2082,2083,2086,2087,2095,2096,19638" // please note that ports 2082 to port 2095 is mostly used by cpanel, and port 19638 is only use in ensim.
# Common UDP Ports
UDP_CPORTS="53"
################
Note that you must set the DEVM parameter to "0" BUT only after full testing of the firewall. What DEVM does is that once you start APF with DEVM to 1, it will set a cron job to stop APF in 5 minutes so you don't end up locking yourself out.
Turn on Anti-DOS, and the block list for added security.
10. Start APF.
./apf -start
or
service apf start
Note: To stop or restart apf, use the "service apf restart/stop" commands.
- Tripwire [Link]
- Email Anti-Virus Scanner (MailScanner) & Anti-Virus Scanner (ClamAV) [Link]
- chkrootkit [Link]
- Disable direct root login [Link]
- PRM (Process Resource Monitor) [Link]
- MRTG bandwidth monitor
- Mask apache server & services version numbers [Link]
- Set a SSH Legal Message [Link]
Note: I like to put a legal notice here. Something like:
This computer system is for authorized users only. All activity is logged and regulary checked by systems personal. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.
######################
~~~~~~~~~~~~~~~~~~~~
######################
Thats about all I have, other then a set of 'always do this' rules.
1.) Always try to use sftp.
2.) Always use ssh2 protocol.
3.) Never ever have passwords lying around or use easily crackable passwords. Nice password holder and gen program is Personal Vault. You can check it out and download it here [Link]
I plan on making a defintive howto page on my website on howto properly secure your cpanel box to its fullest with each howto on its proper page so you don't have to go looking around. However, that is once I get permission from each person that wrote each HOWTO. :p
If you have a comment on this or something you think that should be added, please PM me. I want to keep this thread as clean as possible so newbs don't have to scroll threw pages of stuff.
I will constantly update this when required.
