Results 1 to 4 of 4
Like Tree1Likes
  • 1 Post By zeropid

Thread: VPS Securing VPS very UsfuL

  1. #1
    yohansmid is offline Unknown Net Builder
    Join Date
    Oct 2011
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts

    VPS Securing VPS very UsfuL

    VPS Securing VPS very UsfuL

    Bookmark and Share

    VPS Securing VPS


    Securing Your VPS

    How to secure your VPS.

    SECURING CPANEL - WHM - AND ROOT on a VPS

    With a VPS hosting account, you do not have access to your kernel. That is good because if you don't have access to it, neither to hackers or spammers (which limits what they can do).


    1- Checking for formmail

    Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.

    Command to find pesky form mails:
    find / -name "[Ff]orm[mM]ai*"

    CGIemail is also a security risk:
    find / -name "[Cc]giemai*"

    Command to disable form mails:
    chmod a-rwx /path/to/filename
    (a-rwx translates to all types, no read, write or execute permissions).

    (this disables all form mail)

    If a client or someone on your VPS installs form mail, you will have to let them know you are disabling their script and give them an alternative.


    2- Root kit checker chkrootkit -- locally checks for signs of a rootkit

    Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.


    To install chrootkit, SSH into server and login as root.
    At command prompt type:

    - cd /root/
    - wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    - tar xvzf chkrootkit.tar.gz
    - cd chkrootkit-0.44
    - make sense

    To run chkrootkit

    At command prompt type:
    - /root/chkrootkit-0.44/chkrootkit

    Make sure you run it on a regular basis, perhaps including it in a cron job.

    Execution:

    I use these three commands the most.
    ./chkrootkit
    ./chkrootkit -q
    ./chkrootkit -x | more


    3- Install a root breach DETECTOR and EMAIL WARNING

    If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.

    Server e-mail everytime someone logs in as root

    To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.

    At command prompt type:

    - pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

    Save and exit.


    Set an SSH Legal Message

    To an SSH legal message, SSH into server and login as root.

    At command prompt type:
    pico /etc/motd

    Enter your message, save and exit.
    Note: I use the following message...

    ALERT! You are entering a secured area! Your IP and login information
    have been recorded. System administration has been notified.
    This system is restricted to authorized access only. All activities on
    this system are recorded and logged. Unauthorized access will be fully
    investigated and reported to the appropriate law enforcement agencies.


    4- Web Host manager and CPANEL mods.


    These are items inside of WHM/Cpanel that should be changed to secure your server.

    Goto server Setup =>> Tweak Settings

    Check the following items...

    - Under Domains
    Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

    - Under Mail
    Attempt to prevent pop3 connection floods
    Default catch-all/default address behavior for new accounts - blackhole
    (according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)

    - Under System
    Use jailshell as the default shell for all new accounts and modified accounts

    Goto server Setup =>> Tweak Security

    - Enable PHP open_basedir Protection
    - Enable mod_userdir Protection
    - Disabled Compilers for unprivileged users.

    Goto server Setup =>> Manage Wheel Group Users

    - Remove all users except for root and your main account from the wheel group.

    Goto server Setup =>> Shell Fork Bomb Protection

    - Enable Shell Fork Bomb/Memory Protection

    When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

    Goto Service Configuration =>> FTP Configuration

    -Disable Anonymous FTP

    Goto Account Functions =>> Manage Shell Access

    - Disable Shell Access for all users (except yourself)

    Goto Mysql =>> MySQL Root Password

    - Change root password for MySQL

    Goto Security and run Quick Security Scan and Scan for Trojan Horses often.

    The following and similar items are not Trojans:

    - /sbin/depmod
    - /sbin/insmod
    - /sbin/insmod.static
    - /sbin/modinfo
    - /sbin/modprobe
    - /sbin/rmmod


    4 - Update your softwares

    Update OS, Apache and CPanel to the latest stable versions.This can be done from WHM/CPanel.


    5 - Restrict SSH Access

    To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

    SSH into server and login as root.

    At command prompt type:
    pico /etc/ssh/sshd_config

    Scroll down to the section of the file that looks like this:
    #Port 22
    #Protocol 2, 1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    Uncomment and change
    #Port 22
    to look like
    Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678 lol )

    Uncomment and change
    #Protocol 2, 1
    to look like
    Protocol 2

    Uncomment and change
    #ListenAddress 0.0.0.0
    to look like
    ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

    Note 1: If you would like to disable direct Root Login, scroll down until you find
    #PermitRootLogin yes
    and uncomment it and make it look like
    PermitRootLogin no

    Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


    Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

    Now restart SSH
    At command prompt type:
    /etc/rc.d/init.d/sshd restart

    Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

    Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.

    After SSH has been redirected, disable telnet.


    6 - Disable Telnet

    To disable telnet, SSH into server and login as root.
    At command prompt type: pico -w /etc/xinetd.d/telnet
    change disable = no to disable = yes
    Save and Exit
    At command prompt type: /etc/init.d/xinetd restart

    7 - Disable Shell Accounts

    To disable any shell accounts hosted on your server SSH into server and login as root.
    At command prompt type: locate shell.php
    Also check for:
    locate irc
    locate eggdrop
    locate bnc
    locate BNC
    locate ptlink
    locate BitchX
    locate guardservices
    locate psyBNC
    locate .rhosts

    Note: There will be several listings that will be OS/CPanel related. Examples are
    /home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /usr/local/cpanel/etc/sym/bnc.sym
    /usr/local/cpanel/etc/sym/psyBNC.sym
    /usr/local/cpanel/etc/sym/ptlink.sym
    /usr/lib/libncurses.so
    /usr/lib/libncurses.a
    etc.


    8 - Disable identification output for Apache

    Hide the Apache version. Hackers are checking your apache version for detect the security breach.

    To disable the version output for proftp, SSH into server and login as root.
    At command prompt type: pico /etc/httpd/conf/httpd.conf

    Scroll (way) down and change the following line to
    ServerSignature Off

    Restart Apache
    At command prompt type: /etc/rc.d/init.d/httpd restart



    9 - Install Brute Force Detection (BFD)


    To install BFD, SSH into server and login as root.

    At command prompt type:
    cd /root/
    wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
    tar -xvzf bfd-current.tar.gz
    cd bfd-0.4
    ./install.sh

    After BFD has been installed, you need to edit the configuration file.

    At command prompt type:
    pico /usr/local/bfd/conf.bfd

    Under Enable brute force hack attempt alerts:
    Find
    ALERT_USR="0"
    and change it to
    ALERT_USR="1"

    Find
    EMAIL_USR="root"
    and change it to
    EMAIL_USR="your@email.com"

    Save the changes then exit.

    To start BFD

    At command prompt type:
    /usr/local/sbin/bfd -s


    Modify LogWatch
    Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

    To modify LogWatch, SSH into server and login as root.

    At command prompt type:
    pico -w /etc/log.d/conf/logwatch.conf

    Scroll down to
    MailTo = root
    and change to
    Mailto = your@email.com
    Note: Set the e-mail address to an offsite account incase you get hacked.

    Now scroll down to
    Detail = Low
    Change that to Medium, or High...
    Detail = 5 or Detail = 10
    Note: High will give you more detailed logs with all actions.

    Save and exit.



    10 - Suggestions to improve system security.

    Some of this is specific to CPanel, but much can be applied to most Linux systems.

    Use The Latest Software

    Keep the OS and 3rd party software up to date. Always! CPanel itself can be updated from the root WHM.


    Change Passwords

    Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.

    Set Up A More Secure SSH Environment

    Disable Telnet
    1. Type: pico -w /etc/xinetd.d/telnet
    2. Change the disable = no line to disable = yes.
    3. Hit CTRL+X press y and then enter to save the file.
    4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
    Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as 'emergency' messages.
    in.telnetd : ALL : severity emerg

    Disable Unnecessary Ports

    First backup the file that contains your list of ports with:
    cp /etc/services /etc/services.original
    Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
    On a typical CPanel system it would look something like this:
    tcpmux 1/tcp # TCP port service multiplexer
    echo 7/tcp
    echo 7/udp
    ftp-data 20/tcp
    ftp 21/tcp
    ssh 22/tcp # SSH Remote Login Protocol
    smtp 25/tcp mail
    domain 53/tcp # name-domain server
    domain 53/udp
    http 80/tcp www www-http # WorldWideWeb HTTP
    pop3 110/tcp pop-3 # POP version 3
    imap 143/tcp imap2 # Interim Mail Access Proto v2
    https 443/tcp # MCom
    smtps 465/tcp # SMTP over SSL (TLS)
    syslog 514/udp
    rndc 953/tcp # rndc control sockets (BIND 9)
    rndc 953/udp # rndc control sockets (BIND 9)
    imaps 993/tcp # IMAP over SSL
    pop3s 995/tcp # POP-3 over SSL
    cpanel 2082/tcp
    cpanels 2083/tcp
    whm 2086/tcp
    whms 2087/tcp
    webmail 2095/tcp
    webmails 2096/tcp
    mysql 3306/tcp # MySQL
    ?>
    Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved


    Watch The Logs

    Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
    Logwatch can be found at: Logwatch - Browse Files at SourceForge.net
    Install instructions here.

    Avoid CPanel Demo Mode

    Switch it off via WHM Account Functions => Disable or Enable Demo Mode.


    Jail All Users

    Via WHM Account Functions => Manage Shell Access => Jail All Users.
    Better still never allow shell access to anyone - no exceptions.


    Immediate Notification Of Specific Attackers

    If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

    ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
    Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
    Replacing hostname with your hostname.
    Replacing notify@mydomain.com with your e-mail address.
    This will deny access to the attacker and e-mail the sysadmin about the access attempt.


    Check Open Ports

    From time to time it's worth checking which ports are open to the outside world. This can be done with:
    nmap -sT -O localhost
    If nmap isn't installed, it can be selected from root WHM's Install an RPM option.


    Set The MySQL Root Password

    This can be done in CPanel from the root WHM server Setup -> Set MySQL Root Password.
    Make it different to your root password!


    Tweak Security (CPanel)

    From the root WHM, server Setup -> Tweak Security, you will most likely want to enable:
    - PHP open_basedir Tweak.
    - SMTP tweak.
    You may want to enable:
    - mod_userdir Tweak. But that will disable domain preview.


    Use SuExec (CPanel)

    From root WHM, server Setup -> Enable/Disable SuExec. This is CPanel's decription of what it does:
    "suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "
    Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.


    Use PHPSuExec (CPanel)

    This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
    Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.


    Disable Compilers

    This will prevent hackers from compiling worms, root kits and the like on your machine.
    To disable them, do the following:

    chmod 000 /usr/bin/perlcc
    chmod 000 /usr/bin/byacc
    chmod 000 /usr/bin/yacc
    chmod 000 /usr/bin/bcc
    chmod 000 /usr/bin/kgcc
    chmod 000 /usr/bin/cc
    chmod 000 /usr/bin/gcc
    chmod 000 /usr/bin/i386*cc
    chmod 000 /usr/bin/*c++
    chmod 000 /usr/bin/*g++
    chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
    chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

    You will need to enable them again when you need to perform system updates. To do this, run:

    chmod 755 /usr/bin/perlcc
    chmod 755 /usr/bin/byacc
    chmod 755 /usr/bin/yacc
    chmod 755 /usr/bin/bcc
    chmod 755 /usr/bin/kgcc
    chmod 755 /usr/bin/cc
    chmod 755 /usr/bin/gcc
    chmod 755 /usr/bin/i386*cc
    chmod 755 /usr/bin/*c++
    chmod 755 /usr/bin/*g++
    chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
    chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
    Source | Web host - Free hosting - Domain hosting - Server Hosting

  2. #2
    zeropid is offline Newbie Net Builder
    Join Date
    Sep 2011
    Posts
    24
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I believe this should be managed by your hosts stuff
    yohansmid likes this.

  3. #3
    Natcoweb is offline Banned
    Join Date
    Sep 2012
    Posts
    28
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Overall that info is useful.

  4. #4
    KVChosting is offline Banned
    Join Date
    Oct 2012
    Posts
    11
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Nice to read about that.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •