Web Hosting Talk

A Beginner's Guide to Securing Your WHM/cPanel Linux Server


000000000
10-01-2004, 06:39 PM
A Beginner's Guide to Securing Your Server Part 1 of 3 (Security Inside WHM/CPanel)


These are items inside of WHM/Cpanel that should be changed to secure your server.



Goto Server Setup =>> Tweak Settings


Check the following items...


Under Domains

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)


Under Mail

Attempt to prevent pop3 connection floods

Default catch-all/default address behavior for new accounts - blackhole


Under System

Use jailshell as the default shell for all new accounts and modified accounts



Goto Server Setup =>> Tweak Security

Enable php open_basedir Protection

Enable mod_userdir Protection

Disabled Compilers for unprivileged users.



Goto Server Setup =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.



Goto Server Setup =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection



When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.



Goto Service Configuration =>> FTP Configuration

Disable Anonymous FTP



Goto Account Functions =>> Manage Shell Access

Disable Shell Access for all users (except yourself)


Goto Mysql =>> MySQL Root Password

Change root password for MySQL



Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:

/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

000000000
10-01-2004, 06:41 PM
A Beginner's Guide to Securing Your Server Part 2 of 3 (with SSH access)


These are measures that can be taken to secure your server, with SSH access.


Update OS, Apache and CPanel to the latest stable versions. This can be done from WHM/CPanel.



Restrict SSH Access


To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.


SSH into server and login as root.

Note: You can download Putty by Clicking Here (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html). It's a clean running application that will not require installation on Windows-boxes.


At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

-------------------------------------------

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

-------------------------------------------


Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)


Uncomment and change

#Protocol 2, 1

to look like

Protocol 2


Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.


Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart


Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.


Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.




Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart




Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.




Set an SSH Legal Message

To set an SSH legal message, SSH into server and login as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message...

-------------------------------------------

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

-------------------------------------------

Now every time someone logs in as root, they will see this message... go ahead and try it.




Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts


Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.




Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf


Scroll (way) down and change the following line to

ServerSignature Off


Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart
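A check for the sshd_config edits described in the post above, written as an added example (not the post's or OpenSSH's code): it reads the file the way sshd does (a commented directive is unset) and reports where the config still differs from the guide's settings. The three sample configs are constructed; the IP is the post's own placeholder address.

```python
import re

# What OpenSSH applies when a directive stays commented out, i.e. the stock
# file shown in the post: port 22, both protocols, every address, root allowed.
DEFAULTS = {
    "port": ["22"],
    "protocol": ["2,1"],
    "listenaddress": ["0.0.0.0", "::"],
    "permitrootlogin": ["yes"],
}


def parse_sshd_config(text):
    """{keyword.lower(): [values in file order]}; '#Port 22' counts as unset,
    exactly as sshd treats it.  Stops at a Match block (conditional settings)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return settings


def effective(settings, key):
    """sshd honours the first occurrence of a keyword; ListenAddress accumulates."""
    values = settings.get(key)
    if not values:
        return DEFAULTS[key]
    return values if key == "listenaddress" else values[:1]


def audit_sshd_config(text, expected_port=None):
    """Findings where the config still differs from the guide's edits.
    expected_port: the SSH port the firewall (Part 3) opens, to catch a mismatch."""
    s = parse_sshd_config(text)
    findings = []
    port = effective(s, "port")[0]
    if port == "22":
        findings.append("Port is still 22; the guide moves sshd to another port")
    elif not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("Port %r is not a valid TCP port" % port)
    if expected_port is not None and port != str(expected_port):
        findings.append("Port %s differs from the firewall's SSH port %s" % (port, expected_port))
    versions = {v.strip() for v in effective(s, "protocol")[0].split(",")}
    if "1" in versions:
        findings.append("Protocol 1 is still enabled; the guide sets 'Protocol 2'")
    for addr in effective(s, "listenaddress"):
        # rasputinj's case further down: 'ListenAddress ::' left active keeps every IP open
        if addr in ("0.0.0.0", "::") or addr.startswith("0.0.0.0:"):
            findings.append("ListenAddress %s listens on every interface; bind one dedicated IP" % addr)
    if effective(s, "permitrootlogin")[0].lower() == "yes":
        findings.append("PermitRootLogin yes; the guide's Note 1 sets it to 'no'")
    return findings


# Constructed sample: the stock section as the post shows it (all commented out).
STOCK_CONFIG = """\
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
"""

# Constructed sample: the post's edits applied, including Note 1.
HARDENED_CONFIG = """\
Port 5678
Protocol 2
ListenAddress 123.123.123.15
#ListenAddress ::
PermitRootLogin no
"""

# Constructed sample: 'ListenAddress ::' left uncommented, so sshd still
# answers on every IP even though one address was bound.
STILL_OPEN_CONFIG = """\
Port 5678
Protocol 2
ListenAddress 123.123.123.15
ListenAddress ::
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read(), expected_port=5678)` from the still-open session before restarting sshd, so a mistake is caught while you can still fix it.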

000000000
10-01-2004, 06:45 PM
A Beginner's Guide to Securing Your Server Part 3 of 3 (Apps to install)


These are applications that will help to secure your server.



Install chkrootkit

To install chkrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense


To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.




Install APF Firewall

To install APF, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

At command prompt type: tar -xvzf apf-current.tar.gz

At command prompt type: rm -f apf-current.tar.gz

At command prompt type: cd apf-0.9.4-6

At command prompt type: sh ./install.sh


After APF has been installed, you need to edit the configuration file.

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf


Scroll down and find

USE_DS="0"

change it to

USE_DS="1"


Now scroll down and configure the Ports. The following ports are required for CPanel:

-------------------------------------------

Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"

Note: If you changed the port for SSH, be sure to include that port and remove port 22.

-----
21 FTP (TCP)
22 SSH (TCP)
25 SMTP (TCP)
53 DNS - Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 sSMTP (TCP)
953 ??BIND??
993 IMAP4 protocol over TLS/SSL (TCP)
995 POP3 protocol over TLS/SSL (was spop3) (TCP)
2082 CPANEL (http://sitename.com:2082) (TCP)
2083 CPANEL SSL (https://sitename.com:2083) (TCP)
2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
2086 WHM (http://sitename.com:2086) (TCP)
2087 WHM SSL (https://sitename.com:2087) (TCP)
2095 WebMail (http://sitename.com:2095) (TCP)
2096 WebMail SSL (https://sitename.com:2096)
3306 mySQL remote access (TCP)
6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
7786 Interchange (TCP)
3000_3500
-----
5100 for ASP,
8080 and 8443 for JSP if you use them.
-----

-------------------------------------------

Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,6277"

-----
53 DNS - Domain Name Server
6277 SpamAssassin / DCC (email scanning)
-----

-------------------------------------------

Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"

-----
0 Echo Reply
3 Destination Unreachable
5 Destination Unreachable
8 Echo
11 Time Exceeded
30 Traceroute
-----

-------------------------------------------

Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"

-----
21 FTP
25 SMTP
37 Required for CPANEL Licensing
53 DNS - Domain Name Server
80 HTTP
110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
113 Authentication Protocol (AUTH)
123 NTP (Network Time)
443 HTTPS
43 WHOIS
873 rsync (CPanel updates)
953 BIND ??
2089 Required for CPANEL Licensing
2703 Razor (email scanning)
3306 mySQL remote access
-----

-------------------------------------------

Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,873,953,6277"

-----
20 ftp-data
21 FTP
53 DNS - Domain Name Server
873 rsync
953 BIND ??
6277 SpamAssassin / DCC (email scanning)
-----

-------------------------------------------

Common ICMP (outbound) types
EG_ICMP_TYPES="all"

-------------------------------------------


Save the changes then exit.


To start APF

At command prompt type: /usr/local/sbin/apf -s

APF commands are:

-s start
-r restart
-f flush - stop
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST


Log out of SSH and then login again.


After you are sure everything is working fine, change the DEV option

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf


Scroll down and find

DEVM="1"

change it to

DEVM="0"


Save changes, exit and then restart firewall,

At command prompt type: /usr/local/sbin/apf -r




Install BFD (Brute Force Detection)

To install BFD, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

At command prompt type: tar -xvzf bfd-current.tar.gz

At command prompt type: cd bfd-0.4

At command prompt type: ./install.sh


After BFD has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/bfd/conf.bfd


Under Enable brute force hack attempt alerts:

Find

ALERT_USR="0"

and change it to

ALERT_USR="1"


Find

EMAIL_USR="root"

and change it to

EMAIL_USR="your@email.com"


Save the changes then exit.


To start BFD

At command prompt type: /usr/local/sbin/bfd -s




Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.


To modify LogWatch, SSH into server and login as root.

At command prompt type: pico -w /etc/log.d/conf/logwatch.conf


Scroll down to

MailTo = root

and change to

Mailto = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.


Now scroll down to

Detail = Low

Change that to Medium, or High...

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.


Save and exit.

choon
10-03-2004, 04:13 AM
I have changed the thread title so that it is more clear ;)

000000000
10-03-2004, 11:59 AM
choon

Thank you. That does indeed make things a little more clear.

rasputinj
10-15-2004, 01:08 PM
I was following your tutorial for the config of the SSH, and set the listen address to one IP; I then restarted and was able to get in on multiple IPs.

I do have this in the config should I comment it out?
ListenAddress ::

then above it I have ListenAddress 10.10.10.10

Thanks in advance great tutorial.

000000000
10-15-2004, 01:35 PM
Originally posted by rasputinj
I do have this in the config should I comment it out?
ListenAddress ::


Yes, comment that out.


Originally posted by rasputinj
then above it I have ListenAddress 10.10.10.10


That is right (but with the correct IP address that you want SSH to listen on).

Blueheaven
10-16-2004, 06:36 AM
Thank you very much for these tutorials, they were awesome
and a good way of learning more ssh commands

Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,6277

I think you missed the comment at the end for these ports

One other thing: how can I check to see if these services are running in WHM, and how much memory would they be using?


Also I already had firewall installed with the server, should I delete the other firewall?
If so how can I?

Blueheaven
10-16-2004, 06:53 AM
One other thing, with my ftp: if I start the firewall (apf -s), I can't use ftp; only after I've flushed it (apf -f) can I then use ftp.

Blueheaven
10-16-2004, 07:26 AM
Just realised that I didn't add the port 21 for ftp, so it all works now

:)

it would be nice to be able to edit or delete your posts though

Blueheaven
10-16-2004, 09:05 AM
Using your guide I added a PMON tutorial

What is PMON
PMON is a bash scripted network socket monitor. It is designed to track
changes to Network sockets and Unix domain sockets.

A comprehensive alert system, simple program usage & installation make PMON
ideal for deployment in any linux environment (geared for web servers). Using
a rather simple yet logical structure, PMON identifies changes in both
Network Sockets and Unix Domain Sockets. By recording a base set of what
sockets should be active then comparing the currently active socket information
to that of the base comparison files, we highlight otherwise unknown services.

To install pmon, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.r-fx.org/downloads/pmon-current.tar.gz

At command prompt type: tar xvzf pmon-current.tar.gz

At command prompt type: cd lsm-0.6

At command prompt type: ./install.sh

After PMON has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/lsm/conf.lsm

Find

USER="root"

and change it to

USER="your@email.com"

Save the changes then exit.

To run PMON and set the base config file

At command prompt type: /usr/local/sbin/pmon -g

Then to check for changes in sockets, use the -c argument. This will compare
the current sockets running, with the generated base comparison files. If any
changes are found you will be notified, otherwise it will note if no changes
are present.

At command prompt type: /usr/local/sbin/pmon -c

Though the cron job is already configured to run at 10 minute intervals
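A minimal version of the baseline-and-compare idea PMON implements, written as an added example (not PMON's own code): record the listening sockets once, then report new, vanished or re-owned listeners on every later run. It parses `netstat -tulpn` output; the two listings and the baseline path below are constructed placeholders.

```python
import json
import re
import subprocess
import sys

BASELINE_PATH = "/var/tmp/socket-baseline.json"  # assumed location, not PMON's

# One row of `netstat -tulpn`: proto, Recv-Q, Send-Q, local address,
# foreign address, LISTEN state (absent on udp rows), PID/program.
ROW_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")


def parse_listening(netstat_text):
    """Map (proto, address, port) -> program name from `netstat -tulpn` output."""
    sockets = {}
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines
        proto, local, pidprog = m.groups()
        addr, port = local.rsplit(":", 1)
        program = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog  # '-' when unknown
        sockets[(proto, addr, int(port))] = program
    return sockets


def compare_sockets(baseline, current):
    """New, missing and re-owned listeners relative to the recorded baseline."""
    new = sorted(k + (p,) for k, p in current.items() if k not in baseline)
    missing = sorted(k + (p,) for k, p in baseline.items() if k not in current)
    changed = sorted(k + (baseline[k], p) for k, p in current.items()
                     if k in baseline and baseline[k] != p)
    return {"new": new, "missing": missing, "changed": changed}


def save_baseline(sockets, path):
    """The -g step: persist what should be listening."""
    with open(path, "w") as fh:
        json.dump([list(k) + [v] for k, v in sockets.items()], fh)


def load_baseline(path):
    with open(path) as fh:
        return {(p, a, port): prog for p, a, port, prog in json.load(fh)}


# Constructed listing: what a freshly hardened box from this thread might show.
BASELINE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 123.123.123.15:5678     0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1203/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1410/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1190/mysqld
udp        0      0 0.0.0.0:53              0.0.0.0:*                           766/named
"""

# Constructed listing for a later run: an unexpected perl listener on 6667
# has appeared and mysqld has gone away.
CURRENT_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 123.123.123.15:5678     0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1203/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1410/httpd
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      4417/perl
udp        0      0 0.0.0.0:53              0.0.0.0:*                           766/named
"""

if __name__ == "__main__":
    # -g records the baseline (like pmon -g); anything else compares (like pmon -c)
    live = subprocess.check_output(["netstat", "-tulpn"]).decode()
    if sys.argv[1:] == ["-g"]:
        save_baseline(parse_listening(live), BASELINE_PATH)
    else:
        diff = compare_sockets(load_baseline(BASELINE_PATH), parse_listening(live))
        for kind, rows in diff.items():
            for row in rows:
                print(kind, *row)
```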

000000000
10-16-2004, 09:34 AM
Originally posted by Blueheaven
Using your guide I added a PMON tutorial


Blueheaven

That is an excellent tutorial and a perfect addition to this thread. :beer:


If anyone else would like to contribute a tutorial to this thread, please do. I'm sure there will be many people that will appreciate it.

rasputinj
10-17-2004, 12:10 PM
Originally posted by Blueheaven
Using your guide I added a PMON tutorial

What is PMON
PMON is a bash scripted network socket monitor. It is designed to track
changes to Network sockets and Unix domain sockets.

A comprehensive alert system, simple program usage & installation make PMON
ideal for deployment in any linux environment (geared for web servers). Using
a rather simple yet logical structure, PMON identifies changes in both
Network Sockets and Unix Domain Sockets. By recording a base set of what
sockets should be active then comparing the currently active socket information
to that of the base comparison files, we highlight otherwise unknown services.

To install pmon, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.r-fx.org/downloads/pmon-current.tar.gz

At command prompt type: tar xvzf pmon-current.tar.gz

At command prompt type: cd lsm-0.6

At command prompt type: ./install.sh

After PMON has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/lsm/conf.lsm

Find

USER="root"

and change it to

USER="your@email.com"

Save the changes then exit.

To run PMON and set the base config file

At command prompt type: /usr/local/sbin/pmon -g

Then to check for changes in sockets, use the -c argument. This will compare
the current sockets running, with the generated base comparison files. If any
changes are found you will be notified, otherwise it will note if no changes
are present.

At command prompt type: /usr/local/sbin/pmon -c

Though the cron job is already configured to run at 10 minute intervals

for me to get it to run I had to type /usr/local/sbin/lsm -g then lsm -c

it showed the executable path as /usr/local/sbin/lsm

Thanks for the tutorial

HighVu
10-25-2004, 12:01 AM
Restrict SSH Access

I did it on my root SSH and I can't log in to root after I followed this tutorial.

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port, but I can't log in (it says time out).

I think I did something wrong with #ListenAddress 0.0.0.0, so I tried logging in through Telnet to fix this, but I can't log in that way either.

My bad luck!

Help me out with this trouble, thanks a lot!

sprintserve
10-25-2004, 04:32 AM
Egress firewall filtering will have some issues with some usage, including Fsock or Fput functions in PHP.

PogiWeb
11-08-2004, 10:07 PM
You might have disallowed shell access!

HighVu
11-13-2004, 12:56 AM
:) After the DC rebooted my server, I could log in to root SSH and edit root security again. It works great.

ePlanetDesign
11-21-2004, 04:45 PM
Great tutorial.

I had one issue with the root login alert. I put in

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" myoffsitemail@mydomain.net

and it worked great, however I have a vps that was showing a red circle for exim in the server status, so I ran

/scripts/exim4 --latest

and the red circle turned green but now my login email alert comes back with an error.

/usr/sbin/sendmail: No such file or directory

And of course there is no sendmail in that directory but there is a shortcut to /usr/sbin/sendmail under /usr/lib/

Hmmm, not sure what's going on here.

Anyone have any ideas how to fix this? Aside from this the mail all seems to be working good.

Thanks

J

Website Rob
02-14-2005, 11:21 AM
Disable insecure Cpanel cgi-sys scripts
--------------------------------------------------
cd /usr/local/cpanel/cgi-sys; ls -lh

chmod 0 addalink.cgi cgiecho cgiemail entropybanner.cgi-wrap entropysearch.cgi formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl guestbook.cgi helpdesk.cgi randhtml.cgi-wrap realhelpdesk.cgi realsignup.cgi scgiwrap signup.cgi

chattr +i addalink.cgi cgiecho cgiemail entropybanner.cgi-wrap entropysearch.cgi formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl guestbook.cgi helpdesk.cgi randhtml.cgi-wrap realhelpdesk.cgi realsignup.cgi scgiwrap signup.cgi;ls -lh


The first command puts you in the correct directory and shows a listing of scripts and related info.

The second command will disable the most insecure scripts.

The third command locks the scripts so they cannot be turned back on, such as from a WHM update, and shows you all scripts with their new related info.

You can copy & paste the above commands directly into your Shell Editor, no need to type them all out. ;)

HTH

-MarkK-
02-17-2005, 10:06 AM
2 Q's:
1- How can I disable root ssh login? So I can only login using a username and then do su - root? (I forgot, I had it on my old server)
2- After APF is installed and I try running it this errors shows up about 30 times: hostname: Unknown server error

-MarkK-
02-17-2005, 10:31 AM
Fixed question 1 :)

assistanz247
02-18-2005, 11:38 AM
Some of the missing and very good tools to secure your servers are here,

1. mod_security - Prevent your servers from PHP based attacks

2. LSM - You can get email alerts from this tool if a port is opened in your server.

3. mod_dosesave - To prevent DOS attacks based on apache.

4. Snort - A very good and very aggressive tool to prevent attacks.

-MarkK-
02-19-2005, 09:02 AM
Anyone knows the answer to my above posted question?
google did not reveal anything to me on this thing..

Website Rob
02-19-2005, 04:18 PM
And what about search here at WHT for APF?

Lots of people here are using it so you should be able to find something.

-MarkK-
02-20-2005, 07:37 AM
Originally posted by Website Rob
And what about search here at WHT for APF?

Lots of people here are using it so you should be able to find something.

That was the first thing I did ;)

Miky
03-22-2005, 08:54 PM
Thanks a lot for this How To, Dude!!
I have run Scan for Trojan Horses using WHM
and I got these errors:

1-Possible Trojan - /usr/lib/libgd.so.2.0.0
2-Possible Trojan - /usr/bin/annotate
3-Possible Trojan - /usr/bin/gdlib-config
any idea if those are really trojans??
Thank you

p.s : im running Fedora i686

netcommander
04-10-2005, 06:54 PM
I have seen this same trojan report. What is it?
thanks regards

That Guy
04-17-2005, 12:03 AM
Very nice tutorial, but I have 1 problem; When I try and run APF Firewall, it gives me the error that it was unable to load the iptables module.

mbd5882
04-17-2005, 03:55 PM
Linux - good but not secure. Its security overwhelms no one because it can easily be hacked.

vnsg
04-20-2005, 12:47 PM
A nice tutorial for server owners, a big thanks

taheri6
04-22-2005, 12:46 PM
Originally posted by techlollu

3. mod_dosesave - To prevent DOS attacks based on apache.

4. Snort - A very good and very aggressive tool to prevent attacks.

Anyone know where to get these or any good setup instructions for them? Did a search here and all that came back was this thread :p

harryhood
04-22-2005, 01:46 PM
Originally posted by HostCheap.us.com
Anyone know where to get these or any good setup instructions for them? Did a search here and all that came back was this thread :p

Here's one for 1)

http://www.eth0.us/?q=mod_dosevasive

vnsg
04-22-2005, 10:04 PM
Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.

I have the problem with this.
When I log in to SSH, it shows a message "You must specific your receiption with -s -t ...." or something like that, and I do not receive any email when somebody logs in, please help
Thanks

vnsg
04-22-2005, 10:06 PM
Sorry, I am not a spammer, but I have checked my .bash_profile and there is nothing in it, please help me

taheri6
04-22-2005, 10:10 PM
If your .bash_profile is empty, then add that line into it - make sure it's all on one line, with no returns in it.

fancy claps
05-11-2005, 03:53 PM
this thread is great! thank you everyone.

does anyone know of any other helpful beginner instructions, or info on how to setup these?

Originally posted by Miky
Thanks a lot for this How To, Dude!!
I have run Scan for Trojan Horses using WHM
and I got these errors:

1-Possible Trojan - /usr/lib/libgd.so.2.0.0
2-Possible Trojan - /usr/bin/annotate
3-Possible Trojan - /usr/bin/gdlib-config
any idea if those are really trojans??
Thank you

p.s : im running Fedora i686


thanks!

rlu929s
08-11-2005, 09:28 AM
I as well would like to see some instructions on the steps a new dedicated server owner would go through to set up his Fedora Linux server using Cpanel/WHM.

And thanks for the guides!

rlu929s
08-11-2005, 03:43 PM
I've installed APF now and it seems to be running, but when I restart it I get this error.

iptables v1.2.9: invalid TCP port/service `3500IG:TCP:CPORTS=21' specified
Try `iptables -h' or 'iptables --help' for more information.


Is that normal is it still running?

I set it up exactly how it was said here and everything seemed to go smoothly.
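A pre-flight check for the port lists in conf.apf, covering both the Part 3 configuration and the iptables error rlu929s reports above; this is an added example, not APF's own code. A malformed list (the unterminated IG_UDP_CPORTS line that Blueheaven points out, or a `#` inside the quotes, which the shell treats as data rather than a comment) reaches iptables as a garbled argument of the kind shown above, so this validates the lists before `apf -s`. The two config excerpts are constructed from the post's own values.

```python
import re

# Assignment lines of interest in conf.apf, e.g. IG_TCP_CPORTS="21,22,3000_3500"
ASSIGN_RE = re.compile(r'^\s*([IE]G_(?:TCP|UDP)_CPORTS|[IE]G_ICMP_TYPES)\s*=\s*(.*?)\s*$')


def parse_port_list(value):
    """'21,22,3000_3500' -> [(21, 21), (22, 22), (3000, 3500)].

    APF writes a range as lo_hi; any other token (such as '#123') raises
    ValueError, because inside double quotes '#' is data, not a comment.
    """
    ranges = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        m = re.fullmatch(r"(\d+)(?:_(\d+))?", token)
        if not m:
            raise ValueError("%r is not a port or lo_hi range" % token)
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("%r is out of range or reversed" % token)
        ranges.append((lo, hi))
    return ranges


def covers(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)


def check_conf_apf(text, ssh_port=22, required_ports=()):
    """Return a list of problems; an empty list means the port lines look sane.

    ssh_port is where sshd now listens (Part 2); required_ports are services
    you know must stay reachable (e.g. 443 for the HTTPS row in the table).
    """
    problems = []
    lists = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        if len(rhs) < 2 or rhs[0] != '"' or rhs[-1] != '"':
            # an unterminated quote swallows the following lines when apf sources the file
            problems.append("line %d: %s is not enclosed in matching double quotes" % (lineno, name))
            continue
        value = rhs[1:-1]
        try:
            if name.endswith("_CPORTS"):
                lists[name] = parse_port_list(value)
            elif value != "all":
                bad = [t for t in value.split(",") if not (t.strip().isdigit() and int(t) <= 255)]
                if bad:
                    raise ValueError("ICMP types must be 0-255 or 'all', got %r" % bad)
        except ValueError as exc:
            problems.append("line %d: %s: %s" % (lineno, name, exc))

    ingress = lists.get("IG_TCP_CPORTS")
    if ingress is not None:
        if not covers(ingress, ssh_port):
            problems.append("IG_TCP_CPORTS lacks the SSH port %d: starting APF would lock you out" % ssh_port)
        if ssh_port != 22 and covers(ingress, 22):
            problems.append("IG_TCP_CPORTS still opens 22 although sshd listens on %d" % ssh_port)
        for port in required_ports:
            if not covers(ingress, port):
                problems.append("IG_TCP_CPORTS lacks port %d" % port)
    return problems


# Constructed excerpt: the six lists exactly as the Part 3 post first showed them.
CONF_FROM_POST = """\
IG_TCP_CPORTS="21,22,25,53,80,110,143,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"
IG_UDP_CPORTS="53,6277
IG_ICMP_TYPES="3,5,11,0,30,8"
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"
EG_UDP_CPORTS="20,21,53,873,953,6277"
EG_ICMP_TYPES="all"
"""

# Constructed excerpt: the same lists after moving SSH to 5678, closing the
# quote, adding 443 and dropping the '#123' token.
FIXED_CONF = """\
IG_TCP_CPORTS="21,25,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,5678,6666,7786,3000_3500"
IG_UDP_CPORTS="53,6277"
IG_ICMP_TYPES="3,5,11,0,30,8"
EG_TCP_CPORTS="21,25,37,53,80,110,113,443,43,873,953,2089,2703,3306"
EG_UDP_CPORTS="20,21,53,873,953,6277"
EG_ICMP_TYPES="all"
"""
```

Run `check_conf_apf(open("/etc/apf/conf.apf").read(), ssh_port=5678, required_ports=(443,))` from the session you keep open while DEVM="1" is still set, so a lockout is caught before the firewall is started for real.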

noox
08-14-2005, 04:54 PM
I wanted to move ssh to another port/IP. But I cannot get telnet to work in case something goes wrong.

In /etc/xinetd.d/telnet disabled = no. I've restarted xinetd.
I've also executed: chkconfig telnet on

But telnet won't run. (ps -aux | grep telnet, netstat --inet -a | grep LISTEN or nmap -sT -O localhost )

I've not found any setting in WHM and nothing in the WHM manual.

I've opened the telnet port on apf but that's not the problem as the telnet server is not running.

Are there any other settings?

noox
08-15-2005, 07:18 AM
Here is the same thread on the cpanel forum: http://forums.cpanel.net/showthread.php?t=30159&page=1&pp=15

it works without telnet. Just do not logout from your current ssh session after you have changed the ssh settings. You then can login into a new session and test if it works.

docsharp
08-21-2005, 03:25 AM
Hello,

I recently did a scan using nmap and there are two ports open that I never heard of.

111 - RPCBIND
1 - tcpmux

Any ideas?

docsharp
08-21-2005, 04:06 AM
Can someone please tell me how to close a port.

ThinkSupport
08-28-2005, 10:48 AM
For all those who are facing iptables - apf related problems, you can first try the following :

iptables -F (this will flush the iptables)
Then try restarting iptables followed by restarting apf.

This should fix the majority of iptables and apf related problems. If not then please let me know.

docsharp if you have installed apf and wish to close a particular port then remove that port from the ingress ports in apf's conf.apf.

deadlyromio
09-21-2005, 04:28 AM
Oh wow, this is great stuff... I was worried about going dedicated but this really helps a lot, since most of the books I've been reading don't have anything to do with whm/cpanel but just linux and apache only... man, and I thought I wouldn't be able to even do basic hardening without paying someone $99 for my soon-to-be game server

sexshun
10-07-2005, 12:48 AM
Thanks, great tutorial.

Shaun Olsen
10-13-2005, 06:16 PM
Originally posted by vnsg
sorry i am not spammer but because i have check my .bash_profile,nothing in it,please help me

/root/.bash_profile

Btw, wicked thread, thanks.

ShieldTech
10-16-2005, 04:03 PM
How do you uninstall APF?

Ricky0708
10-16-2005, 06:50 PM
I followed this tutorial accurately, but I get this error:

root@server[~]# /usr/local/sbin/apf -s
: command not found: line 7:
: command not found: line 11:
: command not found: line 15:
: command not found: line 19:
: command not found: line 24:
: command not found: line 26:
: command not found: line 30:
: command not found: line 37:
: command not found: line 41:
: command not found: line 47:
: command not found: line 51:
: command not found: line 55:
: command not found: line 61:
: command not found: line 62:
: command not found: line 66:
: command not found: line 73:
: command not found: line 81:
: command not found: line 87:
: command not found: line 93:
: command not found: line 98:
: command not found: line 102:
: command not found: line 106:
: command not found: line 109:
: command not found: line 125:
: command not found: line 131:
: command not found: line 137:
: command not found: line 142:
: command not found: line 148:
: command not found: line 155:
: command not found: line 161:
: command not found: line 169:
: command not found: line 176:
: command not found: line 182:
: command not found: line 189:
: command not found: line 194:
: command not found: line 199:
: command not found: line 203:
: command not found: line 208:
: command not found: line 215:
: command not found: line 229:
: command not found: line 239:
: command not found: line 245:
: command not found: line 258:
/usr/local/sbin/apf: /etc/apf/conf.apf: line 259: syntax error near unexpected token `('
'usr/local/sbin/apf: /etc/apf/conf.apf: line 259: `Common ingress (inbound) TCP ports
/usr/local/sbin/apf: line 49: eout: command not found
touch: file arguments missing
Try `touch --help' for more information.
chmod: too few arguments
Try `chmod --help' for more information.
touch: file arguments missing
Try `touch --help' for more information.
chmod: too few arguments
Try `chmod --help' for more information.
touch: file arguments missing
Try `touch --help' for more information.
chmod: too few arguments
Try `chmod --help' for more information.
/vnet/vnetgen: No such file or directory
/firewall: No such file or directorypf
/usr/local/sbin/apf: line 69: bandmin: command not found
/usr/local/sbin/apf: line 71: eout: command not found

I've followed loads of different APF tutorials and get the same error, server is CentOs 3.5, APF used to work, but now it doesn't, i must be doing something wrong.

reese
11-14-2005, 04:30 AM
thanks for the post guys :D

yawsh
11-21-2005, 12:32 AM
Thanks guys. All tested and worked 100% from the first time.

:lovewht:

netcommander
11-23-2005, 11:03 PM
How do you uninstall APF?
Log in to your root account and try these commands
/etc/init.d/apf stop
iptables -F
rm -Rf /etc/apf
rm -Rf /etc/rc.d/init.d/apf
rm -Rf /var/log/apf_log
rm -Rf /var/log/apfados_log
rm -Rf /usr/local/sbin/apf
/sbin/chkconfig --level 345 apf off

splunker
12-13-2005, 10:59 PM
Another good thing to check periodically is what binaries are setuid root (I apologize if this has already been mentioned; 50+ replies in this thread):

find / -user root -perm -4000 -print

Review it on a periodic basis and if anything crops up that you know you aren't using, disable it, remove it, etc.

sgth
01-06-2006, 06:06 AM
Restrict SSH Access


To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.


SSH into server and login as root.

Note: You can download Putty by Clicking Here. It's a clean running application that will not require installation on Windows-boxes.


At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

-------------------------------------------

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

-------------------------------------------


Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)


Uncomment and change

#Protocol 2, 1

to look like

Protocol 2


Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.


Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart


Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.


Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.



I logged in as root over SSH, then typed pico and got this:

----
root@server [~]# pico /etc/ssh/sshd_config
-bash: pico: command not found
-----

Anyone have any idea on this?
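
The procedure quoted above, done as a script instead of by hand, as an added example that is not part of the quoted guide or of this thread: it rewrites each directive in place whether it is currently commented out or not, rejects a malformed port, keeps a timestamped backup, and checks the result with `sshd -t` before restarting, so a typo cannot lock you out and the Telnet fallback is never needed. The IP 123.123.123.15, the port 5678 and the config path are the placeholders from the post; the backup name and `set_directive` are my own. Two caveats the guide does not mention: the new port must also be allowed through APF (configured elsewhere in this thread) or the firewall will drop the new connections, and on OpenSSH 7.4 and later sshd no longer speaks protocol 1 at all, so `Protocol 2` is accepted only for compatibility and does nothing.

```shell
#!/bin/sh
# Added example, not from the quoted guide. Rewrites sshd_config directives
# idempotently and validates before restarting. IP, port and paths are
# placeholders.

# set_directive FILE KEY VALUE
# Replace the first "KEY ..." line, commented out or not, with "KEY VALUE";
# drop later duplicates (sshd uses the first value it parses, so a stray
# second "Port 22" further down would silently win); append if KEY is absent.
set_directive() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and a leading #
            split(line, f, "[ \t=]+")
            if (tolower(f[1]) == tolower(key)) {
                if (!seen) { print key " " value; seen = 1 }
                next
            }
            print
        }
        END { if (!seen) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# harden_sshd FILE PORT IP
# Applies the post's four changes to FILE after saving a timestamped copy.
harden_sshd() {
    file=$1 port=$2 ip=$3
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    # 1024..65535; the post's 49151 is only the end of the registered range.
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port out of range" >&2; return 1
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    set_directive "$file" Port "$port"
    set_directive "$file" ListenAddress "$ip"   # also drops the "::" line
    set_directive "$file" PermitRootLogin no
    # Harmless on OpenSSH 7.4+, where protocol 1 no longer exists in sshd.
    set_directive "$file" Protocol 2
}

# validate_and_restart FILE
# Never restart on a config sshd rejects. Keep the current session open and
# confirm a second login on the new IP:port before closing it.
validate_and_restart() {
    file=$1
    if ! /usr/sbin/sshd -t -f "$file"; then
        echo "sshd rejected $file; not restarting" >&2
        return 1
    fi
    service sshd restart 2>/dev/null || /etc/rc.d/init.d/sshd restart
}

# Example run as root:
#   harden_sshd /etc/ssh/sshd_config 5678 123.123.123.15 \
#     && validate_and_restart /etc/ssh/sshd_config
```

Running `harden_sshd` twice produces the same file, so it is safe to re-run after an OS update restores the stock config; `sshd -t` catches the case where a directive was mistyped, which a plain `service sshd restart` reports only after the old daemon is already gone.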

sgth
01-06-2006, 06:11 AM
My friend told me to try nano instead of pico. Is there any difference between nano and pico?

yawsh
01-06-2006, 06:11 AM
try: nano /etc/ssh/sshd_config

yawsh
01-06-2006, 06:14 AM
It's just an editor defined on the server to edit your plain text. You can define any other editor instead; every editor has its own functions. But how to re-define another editor? I don't know.

sgth
01-06-2006, 06:51 AM
Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

Thanks for your help mohdjumah, but

after changing the SSH port, am I SUPPOSED to create a new nameserver other than ns1.abc.com and ns2.abc.com?
Or is it OPTIONAL? What is the advantage of it?

I'm really confused here.

bigscanner
01-18-2006, 05:51 PM
Under Mail

Attempt to prevent pop3 connection floods

Default catch-all/default address behavior for new accounts - blackhole


Is this true?
It contradicts the settings for individual accounts discussed here:
http://www.webhostingtalk.com/showthread.php?t=473272

Curious,
Terry

hostingvince
01-19-2006, 08:37 PM
Is this true?
It contradicts the settings for individual accounts discussed here:
http://www.webhostingtalk.com/showthread.php?t=473272
Curious, Terry

The conclusions in that post don't look contradictory to me, but for a more 'authoritative' answer look here:

http://www.configserver.com/free/fail.html

- Vince

RAH104
01-31-2006, 06:21 AM
Thanks everyone!
Awesome thread!
EXTREMELY useful!
I could go on...LOL.
:lovewht:

Confined
02-22-2006, 04:27 AM
What does it mean if I installed APF but after using it for a bit.. it blocks ALL traffic? What am I doing wrong?

ejc
03-09-2006, 12:00 AM
I try to edit the .bash_profile and it says "Could not open file for writing: Permission denied." Chmod is set to -rw-r--r--. I tried to chmod it and it says "changing permissions of '.bash_file': Operation not permitted."

HELP!

Planetmoon25
03-30-2006, 12:45 PM
Great Guide

misterdmc
04-01-2006, 11:38 PM
Wow, I'm amazed at the quality info on this board, you guys know what you are talking about big time. I just got PMON up and running ... thanks for that rasputinj.

jennoy
04-02-2006, 05:48 AM
Dear all,

Good day guys.

Is there any skill regarding antispam to learn?

Thanks

sprintserve
04-02-2006, 06:41 AM
I try to edit the .bash_profile and it says "Could not open file for writing: Permission denied." Chmod is set to -rw-r--r--. I tried to chmod it and it says "changing permissions of '.bash_file': Operation not permitted."
HELP!

Are you logged in as root? You need to be, to be able to access it.

misterdmc
04-02-2006, 11:50 AM
I just turned on antispam - spam assassin - about 2 weeks ago on my main site. I might recommend turning on the spam box for about a week or two, just to make sure you aren't getting any false positives. I can say that in the last two weeks, I have had not a single false positive for spam, and I am confident soon to turn off spam box and just let it do its thing. Bye Bye spam!

misterdmc
webmaster
http://www.123hostingsolutions.com

crzy
09-23-2006, 04:29 PM
Super, but when I start APF my server stops for 5 mins and blocks everything!

Ht-Q8
09-26-2006, 04:19 PM
Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no
-----------------------------------------------------------------------------------------------------

I set PermitRootLogin to no but I can still log in as root?? Any ideas?

Regards
Khaled Mohesen

WebHostDog
09-26-2006, 06:48 PM
Hello, yes, you need to restart the SSH daemon :) :

# service sshd restart

Thanks.

crzy
09-30-2006, 04:12 PM
APF Blocks All the traffic..!! What is wrong

dale
09-30-2006, 11:36 PM
APF Blocks All the traffic..!! What is wrong
Are you still able to access your server? If yes, reproduce what you have done so far. Otherwise, contact your support.