Web Hosting Talk

View Full Version : HOW TO: Secure and Optimize your VPS

frynge
12-09-2005, 09:07 PM
I hope Elix doesn't mind me posting his great VPS OPTIMIZING techniques. I have posted them at the bottom. These techniques can definitely help you, but remember, use them at your own risk. If you don't know what you're doing, research it before attempting it.


SECURING CPANEL - WHM - AND ROOT on a VPS

This will help, but as mentioned in previous posts, with a VPS you do not have access to your kernel. That is good in some ways, because if you don't have access to it, neither do hackers or spammers (which limits what they can do). It's bad in some ways, because you lose control, and even if you secure your box as much as possible you are still at risk because you cannot control your kernel.

At any rate, here are some helpful hints :)

=========================================
Checking for formmail
=========================================

Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using Matt's script or a version of it, you may be in jeopardy.


Command to find pesky form mails:
find / -name "[Ff]orm[mM]ai*"

CGIemail is also a security risk:
find / -name "[Cc]giemai*"

Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).

(this disables all form mail)

If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.


=========================================
Root kit checker - http://www.chkrootkit.org/
=========================================

Check for root kits and even set a root kit check on a cron job. This will show you if anyone has compromised your root. Always update chkrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then, with injection methods, try to upload the root kit to your server. If they can run it, it will modify a lot of files, possibly causing you to have to reinstall.


To install chkrootkit, SSH into server and login as root.
At command prompt type:

cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense


To run chkrootkit

At command prompt type:
/root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Execution

I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more


=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================

If someone does happen to get root, be warned quickly by installing a detector and warning on your box. You will at least get the hacker's/spammer's IP address and be warned that someone is in there.


Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.


At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.


Set an SSH Legal Message

To set an SSH legal message, SSH into server and login as root.

At command prompt type:
pico /etc/motd

Enter your message, save and exit.
Note: I use the following message...

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.



=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings
Check the following items...

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disable Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

=========================================
More Security Measures
=========================================

These are measures that can be taken to secure your server, with SSH access.

Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.


Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

SSH into server and login as root.
Note: You can download PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. It's a clean running application that does not require installation on Windows boxes.

At command prompt type:
pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number, AND do not use 5678 :) lol)

Uncomment and change
#Protocol 2, 1
to look like
Protocol 2

Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new nameserver.

Now restart SSH
At command prompt type:
/etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.

After SSH has been redirected, disable telnet.

Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: pico -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart


Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.


Disable identification output for Apache

(do this to hide version numbers from potential hackers)

To disable the version output for Apache, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to
ServerSignature Off

Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart



=========================================
Install BFD (Brute Force Detection - optional)
=========================================

To install BFD, SSH into server and login as root.

At command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh

After BFD has been installed, you need to edit the configuration file.

At command prompt type:
pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:
Find
ALERT_USR="0"
and change it to
ALERT_USR="1"

Find
EMAIL_USR="root"
and change it to
EMAIL_USR="your@email.com"

Save the changes then exit.

To start BFD

At command prompt type:
/usr/local/sbin/bfd -s


Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf

Scroll down to
MailTo = root
and change to
MailTo = your@email.com
Note: Set the e-mail address to an offsite account in case you get hacked.

Now scroll down to
Detail = Low
Change that to Medium, or High...
Detail = 5 or Detail = 10
Note: High will give you more detailed logs with all actions.

Save and exit.

A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
--------------------------------------------------
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
--------------------------------------------------
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.

--------------------------------------------------
Set Up A More Secure SSH Environment As described here.
--------------------------------------------------
Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X, press y and then enter to save the file.
4. Restart xinetd with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/hosts.deny to flag Telnet access attempts as 'emergency' messages.

in.telnetd : ALL : severity emerg

--------------------------------------------------
Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:
cp /etc/services /etc/services.original
Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
smtp 25/tcp mail
domain 53/tcp # name-domain server
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
imap 143/tcp imap2 # Interim Mail Access Proto v2
https 443/tcp # MCom
smtps 465/tcp # SMTP over SSL (TLS)
syslog 514/udp
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
cpanel 2082/tcp
cpanels 2083/tcp
whm 2086/tcp
whms 2087/tcp
webmail 2095/tcp
webmails 2096/tcp
mysql 3306/tcp # MySQL
Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
--------------------------------------------------
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
Logwatch can be found at: http://www.logwatch.org
Install instructions here.
--------------------------------------------------
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
--------------------------------------------------
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
--------------------------------------------------
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn (/bin/date; /bin/echo "%c %d") | /bin/mail -s "Access attempt by nnn.nnn.nnn.nnn on hostname" notify@mydomain.com
Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.
--------------------------------------------------
Check Open Ports
From time to time it's worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn't installed, it can be selected from root WHM's Install an RPM option.
--------------------------------------------------
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
--------------------------------------------------
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview.
--------------------------------------------------
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's description of what it does:
"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "
Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.
--------------------------------------------------
Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
--------------------------------------------------
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:

chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

You will need to enable them again when you need to perform system updates. To do this, run:

chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

--------------------------------------------------
Obfuscate The Apache Version Number
1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:

ServerSignature Off

3. Add a line underneath that which reads:

ServerTokens ProductOnly

4. Hit CTRL+X, then y, then enter to save the file.
5. Restart Apache with: /etc/rc.d/init.d/httpd restart
--------------------

COMMON COMMANDS I USE
System Information
who
List the users logged in on the machine.

rwho -a
List all users logged in on your network. The rwho service must be enabled for this command to work.

finger user_name
System info about a user. Try: finger root

last
This lists the users last logged in on your system.

history | more
Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.

pwd
Print working directory, i.e. display the name of your current directory on the screen.

hostname
Print the name of the local host (the machine on which you are working).

whoami
Print your login name.

id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

date
Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command

date 123123572000
To set the hardware clock from the system clock, use the command (as root)
setclock

time
Determine the amount of time that it takes for a process to complete, plus other info. Don't confuse it with the date command. For example, we can find out how long it takes to display a directory's contents using: time ls

uptime
Amount of time since the last reboot

ps
List the processes that have been run by the current user.

ps aux | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

top
Keep listing the currently running processes, sorted by cpu usage (top users first).

uname -a
Info on your server.

free
Memory info (in kilobytes).

df -h
Print disk info about all the file systems in a human-readable form.

du / -bh | more
Print detailed disk usage for each subdirectory starting at root (in a human readable form).

lsmod
(as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

set|more
Show the current user environment.

echo $PATH
Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.

dmesg | less
Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. - only works on dedicated systems

Commands for Process control
ps
Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
each with the name of the owner. Use top to keep listing the processes currently running.

fg PID
Bring a background or stopped process to the foreground.

bg PID
Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z

any_command &
Run any command in the background (the symbol '&' means run the command in the background).

kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.

killall -9 program_name
Kill program(s) by name.

xkill
(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)

lpc
(as root) Check and control the printer(s). Type ? to see the list of available commands.

lpq
Show the content of the printer queue.

lprm job_number
Remove a printing job job_number from the queue.

nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.

renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).


Optimizing your VPS server (help it run more efficiently)


VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!

MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.


[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb

[mysqld_safe]
open_files_limit = 8192

[mysqldump]
quick
max_allowed_packet = 16M

[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M
In order to make things even faster, you can customize these settings specifically for your VPS's usage. There's a great howto on InterWorx's forum for this --> http://www.interworx.com/forums/showthread.php?p=2346

Lastly, I recommend installing mytop to help you monitor your usage...
wget http://dll.elix.us/mytop-1.4.tar.gz
tar -zxvf mytop-1.4.tar.gz
cd mytop-1.4
perl Makefile.PL
make
make test
make install
Once that's done, just enter in "mytop" .

PHP & Apache Optimization
I strongly recommend installing eAccelerator. There's an easy to follow howto here: http://forum.ev1servers.net/showthread.php?t=23574&highlight=eaccelerator. If you use the default cache dir for eAccelerator (/tmp/eaccelerator) make sure you check it regularly and clean it every once in a while. (it can really get quite large from my experience)

For httpd.conf I suggest:
Timeout 200
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 3
MinSpareServers 10
MaxSpareServers 20
StartServers 15
MaxClients 250
MaxRequestsPerChild 0
HostnameLookups Off

You can use ab to benchmark your Apache before and after you make changes.

ab -c 5 -n 20 http://somephpbasedsiteonyourserver.com/file.php

I suggest doing 2 or 3 tests like that to get an average.

If you want to check the Apache error log, try this -->
cat /usr/local/apache/logs/error_log

Monitoring Usage
On a Virtuozzo VPS you can use cat /proc/usr_beancounters to output your usage of the VZ parameters. You should pay most attention to oomguarpages and privmpages. (although anything with a failure is generally bad)

You can find the amount of connections to Apache with this command:
netstat -nt | grep :80 | wc -l

To find the amount of Apache processes use this command:
ps -A | grep httpd | wc -l (this will show the process count)
ps aux | grep httpd (this will show the actual processes)

To find the amount of MySQL processes use this command:
ps -A | grep mysql | wc -l (this will show the process count)
ps aux | grep mysql (this will show the actual processes)

Just simply using top (standard view) or top -c (will show the actual command being used and/or location of each process as opposed to just the name) can help you monitor your VPS usage very well.

To see your disk space usage, try using this command --> df -h

Mitigating (D)DOS
If you're being DDOS'd or DOS'd you can use this command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will help you see how many connections each IP address has in total to your server.

There's a very decent script you can use to automate the banning of IP addresses available here --> http://forums.deftechgroup.com/showthread.php?t=825

Although I haven't tried it myself, I suggest you take a look at Scrutinizer as well which sounds very useful --> http://www.solutix.ch/cgi-bin/index.pl

Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on "Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done.

cPanel Tweak Settings
Login to WHM as root, and under "Server Configuration" on the nav bar hit "Tweak Settings".

Here are some suggested settings:
Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
- Use "FAIL". If you already have some accounts setup not to use "FAIL" (by default it will not) then run this command to convert to FAIL from BLACKHOLE --> perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*

Mailman
- Mailman tends to use a lot of resources, so if you don't need cpanel mailing lists then uncheck this.

Number of minutes between mail server queue runs (default is 60).:
- You may want to set this to 180 to reduce load.

Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)
- This is just generally a good idea. So check this.

Analog Stats
- I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command --> rm -rf /home/*/tmp/analog/*

Awstats Reverse Dns Resolution
- Make sure this is unchecked, I find it pretty much useless for most users.

Awstats Stats
- You can check this if you need a robust stats software that integrates with cPanel, if you don't need it, then don't check it. *Note most hosting clients will want to use this. If you want to delete the existing awstats stats files just run this command --> rm -rf /home/*/tmp/awstats/*

Webalizer Stats
- Not many hosting clients will want to use this so, you can uncheck this to reduce load. If you want to delete the existing webalizer stats files just run this command --> rm -rf /home/*/tmp/webalizer/*

Delete each domain's access logs after stats run
- Make sure this is checked, otherwise disk space usage can really rack up!

That's about it for now, I may do some more later....

Hope it helps!
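As an added example (not part of frynge's or Elix's post above), here is a small shell script that makes the sshd_config changes from the "Restrict SSH Access" section in one pass instead of editing them by hand in pico, and then checks the result. Port 48222, the address 192.0.2.10, the config file path and the sample config text are made-up values for the demo; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the original post. Rewrites the sshd_config
# directives the post edits by hand (Port, Protocol, ListenAddress,
# PermitRootLogin) and checks the result. Port 48222, address 192.0.2.10 and
# the sample config below are made-up values for the demo.

# harden_sshd_config PORT ADDR  (config on stdin, hardened config on stdout)
# Replaces each directive whether it is active ("Port 22") or a commented
# default ("#Port 22"), keeps only the first ListenAddress so a second one
# (e.g. "#ListenAddress ::") cannot reappear, and appends any directive that
# was missing altogether.
harden_sshd_config() {
    awk -v port="$1" -v addr="$2" '
    function is_directive(name) {
        # "#Port 22" or "Port 22" at line start; "# Port ..." comments do not match
        return ($0 ~ ("^[ \t]*#?" name "([ \t]|$)"))
    }
    is_directive("Port")            { if (!seen["Port"]++)            print "Port " port;          next }
    is_directive("Protocol")        { if (!seen["Protocol"]++)        print "Protocol 2";          next }
    is_directive("ListenAddress")   { if (!seen["ListenAddress"]++)   print "ListenAddress " addr; next }
    is_directive("PermitRootLogin") { if (!seen["PermitRootLogin"]++) print "PermitRootLogin no";  next }
    { print }
    END {
        if (!seen["Port"])            print "Port " port
        if (!seen["Protocol"])        print "Protocol 2"
        if (!seen["ListenAddress"])   print "ListenAddress " addr
        if (!seen["PermitRootLogin"]) print "PermitRootLogin no"
    }'
}

# check_sshd_config PORT ADDR  (config on stdin; exit 0 only if every active,
# uncommented value is the hardened one and no other ListenAddress remains)
check_sshd_config() {
    awk -v port="$1" -v addr="$2" '
    $1 == "Port"            && $2 == port { ok_port = 1 }
    $1 == "Protocol"        && $2 == "2"  { ok_proto = 1 }
    $1 == "ListenAddress"   && $2 == addr { ok_addr = 1 }
    $1 == "ListenAddress"   && $2 != addr { bad_addr = 1 }
    $1 == "PermitRootLogin" && $2 == "no" { ok_root = 1 }
    END { exit !(ok_port && ok_proto && ok_addr && ok_root && !bad_addr) }'
}

# Constructed sample resembling the stock file quoted in the post (not a real server config)
SAMPLE_SSHD_CONFIG='#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
# Port and address settings above are the defaults
#PermitRootLogin yes
X11Forwarding no
Subsystem sftp /usr/libexec/openssh/sftp-server'

# Demo: harden the sample and verify it
demo() {
    hardened=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | harden_sshd_config 48222 192.0.2.10)
    printf '%s\n' "$hardened"
    printf '%s\n' "$hardened" | check_sshd_config 48222 192.0.2.10 && echo "OK: sshd_config hardened"
}
demo
```

On a real box run it as harden_sshd_config 48222 192.0.2.10 < /etc/ssh/sshd_config > /etc/ssh/sshd_config.new, then sshd -t -f /etc/ssh/sshd_config.new so sshd parses the new file before you move it into place, and keep your current SSH session open until you have logged in again through the new port and address. The script keeps only one ListenAddress line on purpose: a second one (such as ListenAddress ::) would otherwise keep sshd bound to every address even after you pinned the IPv4 side to a single IP.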

layer0
12-09-2005, 09:22 PM
Hey - I don't mind it at all :)

simplestar
12-16-2005, 08:10 PM
Frynge, terrific job putting this together!

Apoc
12-21-2005, 07:08 PM
Great post, but you forgot the two most important things to secure a VPS (or server):

- You need a firewall (highly recommend APF)
- You need to secure the /tmp partition so that no scripts can run

zeca40
12-26-2005, 07:56 AM
Great post, good to have all this in one place.

Question1: how to update chkrootkit? Do I need to remove the existing copy first?

Question2: My sysadmin says that they don't recommend APF on VPS.

APF kind works but you have to watch it. If you get over 2000 rules, it pukes out. We don't recommend it.


Will BFD work without APF?

layer0
12-26-2005, 10:45 AM
Great post, good to have all this in one place.

Question1: how to update chkrootkit? Do I need to remove the existing copy first?

Question2: My sysadmin says that they don't recommend APF on VPS.



Will BFD work without APF?
Not sure about 1 - but for 2) I don't recommend having over 1000 firewall rules, so your sysadmin is 'tentatively' correct, however I have never personally seen APF puke out from average use. Thus if your VPS provider supports it, I'd go with using APF.

BFD integrates with APF so I don't think it'll work without it. But, I could be wrong there.

zeca40
12-26-2005, 11:20 AM
Thus if your VPS provider supports it, I'd go with using APF.

Yes, APF will work on their VPS servers. Thanks.

jpetersen
12-26-2005, 06:32 PM
BFD does not require APF to run, and works fine on VDS servers by itself.

frynge
12-27-2005, 08:30 PM
Great post, good to have all this in one place.

Question1: how to update chkrootkit? Do I need to remove the existing copy first?

Question2: My sysadmin says that they don't recommend APF on VPS.



Will BFD work without APF?

Thanks!

About chkrootkit. The command I gave you above, installs the latest version. I think they just name the latest version that name, so when you untar it, it opens in to a new folder each time...

So when you want to get the new version, just simply repeat the steps on getting it and untarring it without changing the command line and you're set.

Thanks for more info on this. It's very important to keep your server secure, so these spammers and hackers quickly check your security and move on to easier targets.

Keep adding to this thread so we can create a full security database for VPS'!

frynge
12-27-2005, 08:51 PM
Great post, but you forgot the two most important things to secure a VPS (or server):

- You need a firewall (highly recommend APF)
- You need to secure the /tmp partition so that no scripts can run

Can you give details on how to secure /tmp ?

I assume a chmod?

Thanks!

alexrobonlin
01-03-2006, 09:24 PM
This is a very useful thread- thanks! :)

apollo
01-25-2006, 04:28 PM
Can you give details on how to secure /tmp ?

I assume a chmod?

Thanks!


http://www.webhostingtalk.com/showthread.php?t=292259

zeca40
01-30-2006, 06:43 AM
BFD does not require APF to run, and works fine on VDS servers by itself.

Question: Will BFD be able to block attacks without having APF? Or will it only detect the attack but not block the attacker?

I have BFD installed but not APF and on my alerts I see:
Executed ban command:
/etc/apf/apf -d 210.0.215.4 {bfd.sshd}
I figure that this does nothing since there is no APF to execute the command, correct?

Vince2006
02-01-2006, 01:52 AM
Anyone know if the pangeia link is down? I am logged into my server as root and run the instructions for installing chkrootkit and get the message: Connecting to ftp.pangea.com/| 204.251... etc but nothing happens... the site just appears to time out... Is there somewhere else to get chkrootkit.tar? All of my Google searches default back to pangeia...

Vince

zeca40
02-02-2006, 07:00 AM
Just to answer my own question: to use BFD without APF you need to change the conf.bfd file to use hosts.deny rather than APF. This works great.

Change this:
BCMD="/etc/apf/apf -d $ATT_HOST {bfd.$MOD}"

To this:
BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny"
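Added example, not from anyone in this thread: this ties together the netstat one-liner from the "Mitigating (D)DOS" section of the first post and the hosts.deny ban command above. It counts connections per source address, validates the address before writing it, skips a whitelist and never appends a duplicate rule. The netstat lines are constructed sample data, the deny file is passed in as a parameter (use /etc/hosts.deny on a real box), and the whitelist and threshold values are arbitrary.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts connections per source
# address (the post's netstat one-liner, with validation) and writes
# hosts.deny rules for sources over a threshold, skipping bad addresses,
# a whitelist and duplicates. The netstat lines are constructed sample data;
# the deny file path and whitelist are parameters so the demo never touches
# the real /etc/hosts.deny.

# count_conns  (netstat -ntu output on stdin; prints "COUNT IP" per source)
# Only dotted-quad foreign addresses are counted, so an IPv6 peer such as
# 2001:db8::9:40000 is not mangled into "2001" by splitting on ":".
count_conns() {
    awk 'NR > 2 && $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/ {
             split($5, a, ":"); n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -n
}

# is_ipv4 STRING  (exit 0 only for a plain dotted quad with octets 0-255)
# This is the check that BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny" lacks:
# anything but an address (a space, a colon, a hostname) would produce a
# malformed or over-broad rule.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 1; i <= 4; i++) { if ($i > 255) exit 1 }
            exit 0
        }
        { exit 1 }'
}

# ban_ip IP DENYFILE "WHITELIST ..."  (appends "ALL: IP"; exit 1 if skipped)
ban_ip() {
    ip=$1; deny=$2; allow=$3
    is_ipv4 "$ip" || return 1
    for keep in $allow; do
        [ "$keep" = "$ip" ] && return 1
    done
    grep -qxF "ALL: $ip" "$deny" 2>/dev/null && return 1
    printf 'ALL: %s\n' "$ip" >> "$deny"
    printf 'banned %s\n' "$ip"
}

# ban_flooders THRESHOLD DENYFILE "WHITELIST ..."  (netstat output on stdin)
ban_flooders() {
    threshold=$1; deny=$2; allow=$3
    count_conns | while read -r n ip; do
        if [ "$n" -gt "$threshold" ]; then
            ban_ip "$ip" "$deny" "$allow" || true   # skipped entries are not errors
        fi
    done
}

# Constructed sample netstat -ntu output: 203.0.113.7 is flooding port 80
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.5:80         203.0.113.7:51234       ESTABLISHED
tcp        0      0 198.51.100.5:80         203.0.113.7:51235       SYN_RECV
tcp        0      0 198.51.100.5:80         203.0.113.7:51236       SYN_RECV
tcp        0      0 198.51.100.5:80         203.0.113.7:51237       SYN_RECV
tcp        0      0 198.51.100.5:22         192.0.2.44:40001        ESTABLISHED
tcp        0      0 198.51.100.5:80         192.0.2.44:40002        ESTABLISHED
tcp6       0      0 :::80                   2001:db8::9:40000       SYN_RECV
udp        0      0 198.51.100.5:53         192.0.2.99:5353         ESTABLISHED'

# Demo: ban anything with more than 3 connections, never the admin's 192.0.2.44
demo() {
    deny=$(mktemp)
    printf '%s\n' "$SAMPLE_NETSTAT" | count_conns
    printf '%s\n' "$SAMPLE_NETSTAT" | ban_flooders 3 "$deny" "192.0.2.44"
    cat "$deny"
    rm -f "$deny"
}
demo
```

To use it live, pipe real output in: netstat -ntu | ban_flooders 50 /etc/hosts.deny "your.admin.ip.here". Put your own address in the whitelist first, since during a flood your own connections are also in that list, and remember that hosts.deny only affects TCP-wrapped services (sshd, xinetd daemons and the like), not Apache, so for web floods you still need a packet filter such as APF.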

deticatedhosting
02-09-2006, 01:59 AM
Thank you very much there is a lot of good information here.:lovewht:

build-a-host
02-14-2006, 01:53 PM
I just ran the trojan scanner on my VPS and it returned 21 possible trojans detected.

Here is a list of the possibles it found:

Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /sbin/lsmod
Possible Trojan - /usr/bin/dbiprof
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/xslt-config
Possible Trojan - /usr/lib/libexslt.la
Possible Trojan - /usr/lib/libxslt.la
Possible Trojan - /usr/bin/xsltproc
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2usage
Possible Trojan - /usr/bin/podchecker
Possible Trojan - /usr/bin/podselect
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la

Are these safe? If not, how do I get rid of them?

Apoc
02-16-2006, 01:03 PM
What trojan scanner did you use exactly? I would recommend running rkhunter and seeing what it says about MD5 matches. If it's showing the same problems then it's very likely you have been hacked.

There isn't really a way to get rid of that because you'll probably never know what exactly has been done by a hacker, if he has removed his traces. The only option in that case would be to get your VPS (or server) reinstalled.

build-a-host
02-17-2006, 04:31 AM
Unless it's a "passive" hacker I think I'm OK. I haven't had any problems at all out of the server.

I used the trojan scanner within WHM

Apoc
02-17-2006, 06:41 AM
The trojan scanner in WHM is no good, in my opinion. You should use chkrootkit or rkhunter instead (or better yet: both of them).

Be careful though, never assume there's nothing wrong. Even though you might not notice anything, a hacker might be stealing information from your customers and/or sending out spam or DoS attacks when you're not looking.

SamOwen
02-23-2006, 02:14 AM
Good post! Any more tweaks or does this sum it all up?

zeca40
02-26-2006, 09:53 AM
Is it OK to install Razor (http://razor.sourceforge.net/) and DCC (http://www.rhyolite.com/anti-spam/dcc/) on a VPS?

frynge
03-02-2006, 06:58 PM
Quick small update on the original post.

FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.

Second

In the original post... it was said..
=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Go to Server Setup =>> Tweak Settings
Check the following items...


Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole

I suggest you do not set this to fail if you have heavy email users or 30 clients and up. Use blackhole.

Fail at the beginning saves CPU time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets overworked.

Do not use FAIL, use BLACKHOLE.

I will edit my post above.

cheers

layer0
03-02-2006, 07:19 PM
Quick small update on the original post.

FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.

Second

In the original post... it was said..
=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Go to Server Setup =>> Tweak Settings
Check the following items...


Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole

I suggest you do not set this to fail if you have heavy email users or 30 clients and up. Use blackhole.

Fail at the beginning saves CPU time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets overworked.

Do not use FAIL, use BLACKHOLE.

I will edit my post above.

cheers
There have been MANY debates about this and personally I would say fail is best most of the time. You cannot say blackhole is best for everybody if it is just best for you...

frynge
03-02-2006, 07:23 PM
The trojan scanner in WHM is no good, in my opinion. You should use chkrootkit or rkhunter instead (or better yet: both of them).

Be careful though, never assume there's nothing wrong. Even though you might not notice anything a hacker might be stealing information from your customers and/or send out spam or DoS attacks when you're not looking.

Hey Apoc... it doesn't look like you can edit posts?

Do you know how? I wanted to edit the main post.

cheers

deticatedhosting
03-02-2006, 08:30 PM
I think that you can only edit your post for a short time, then they're permanent.

Gibran
03-05-2006, 10:17 PM
Fantastic tutorial!

SepedaTua
03-07-2006, 02:18 PM
I got this from logwatch:

--------------------- SSHD Begin ------------------------


SSHD Killed: 1 Time(s)

SSHD Started: 1 Time(s)

Failed logins from these:
Io****/password from ***.***.***.***: 1 Time(s)
Me**/password from ***.***.***.***: 1 Time(s)
aa***/password from ***.***.***.***: 1 Time(s)
...
...
...
ze****/password from ***.***.***.***: 1 Time(s)
ze**/password from ***.***.***.***: 1 Time(s)

**Unmatched Entries**
Illegal user anonymous from ***.***.***.***
Illegal user passwd from ***.***.***.***
Illegal user ch*** from ***.***.***.***
...
...
...
Illegal user re***** from ***.***.***.***
Illegal user ze** from ***.***.***.***

What does it mean?
-- for me, it looks like someone is running a dictionary attack on my ssh server.

Can anyone make a suggestion for me?
Thanks.
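The logwatch output above and zeca40's hosts.deny BCMD earlier in the thread fit together: counting the "Illegal user"/"invalid user" entries per source address tells you which hosts are running a dictionary attack, and the addresses over a threshold can be written in the same "ALL: ip" format that BCMD appends to /etc/hosts.deny. This is an added example, not code from the thread or from BFD; the log lines are constructed and the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): count SSH "Illegal user" / "invalid user"
# lines per source address and print hosts.deny entries for addresses that
# reach a threshold. SAMPLE_LOG is constructed; on a real host feed it with
# something like: grep sshd /var/log/secure | deny_entries 5

SAMPLE_LOG='Mar  7 02:11:01 vps sshd[2101]: Illegal user anonymous from 203.0.113.9
Mar  7 02:11:03 vps sshd[2103]: Illegal user passwd from 203.0.113.9
Mar  7 02:11:05 vps sshd[2105]: Illegal user chris from 203.0.113.9
Mar  7 02:11:07 vps sshd[2107]: Illegal user report from 203.0.113.9
Mar  7 02:11:09 vps sshd[2109]: Illegal user zed from 198.51.100.4
Mar  7 02:11:11 vps sshd[2111]: Failed password for invalid user root from 198.51.100.4 port 4022 ssh2
Mar  7 02:11:13 vps sshd[2113]: Accepted publickey for admin from 192.0.2.10 port 5100 ssh2'

# count_illegal: read sshd log lines on stdin and print "count ip" for every
# source address that produced an "Illegal user" or "invalid user" entry,
# most frequent first. Successful logins ("Accepted ...") are not counted.
count_illegal() {
    awk '
        /Illegal user .* from / || /invalid user .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# deny_entries THRESHOLD: print one hosts.deny line ("ALL: ip") for each source
# address whose count is at or above THRESHOLD. Review the output before
# appending it to /etc/hosts.deny so a mistyped password of your own does not
# lock you out.
deny_entries() {
    threshold="$1"
    count_illegal | awk -v t="$threshold" '$1 >= t { printf "ALL: %s\n", $2 }'
}

# Demonstration on the constructed log: only 203.0.113.9 reaches 3 attempts.
printf '%s\n' "$SAMPLE_LOG" | deny_entries 3
```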

Funkadelic
03-08-2006, 01:32 AM
I also suggest for shared hosting that the setting in the php.ini file for disable_functions
be changed to
disable_functions = "system,exec"

Doing that will disable the function that most exploits call upon.

Apoc
03-13-2006, 12:21 AM
I also suggest for shared hosting that the setting in the php.ini file for disable_functions
be changed to
disable_functions = "system,exec"

Doing that will disable the function that most exploits call upon.

If you want to do that you should also disable all other functions that enable file execution such as: passthru, escapeshellcmd, popen, pcntl_exec, and I think there might be a few others.

Apoc
03-13-2006, 12:23 AM
Is it OK to install Razor (http://razor.sourceforge.net/) and DCC (http://www.rhyolite.com/anti-spam/dcc/) on a VPS?

Absolutely. This does not relate to security or optimization though.

For a good tutorial on real advanced spam filtering read this article by rvskin: http://www.rvskin.com/index.php?page=public/antispam

Funkadelic
03-13-2006, 12:38 AM
disable_functions = dl,system,exec,passthru,shell_exec
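A quick way to check that a php.ini actually disables every execution function mentioned in the posts above (system, exec, passthru, shell_exec, escapeshellcmd, popen, pcntl_exec, dl) is to parse the disable_functions line and list what is still enabled. This is an added example, not code from the thread; the php.ini content it reads is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the disable_functions setting of a
# php.ini against the execution-related functions named in this thread and
# report any that are still enabled. The sample php.ini below is constructed.

# Functions the thread suggests disabling on shared hosting.
WANT="system exec passthru shell_exec escapeshellcmd popen pcntl_exec dl"

# disabled_functions FILE: print the names from the disable_functions line of
# FILE one per line, ignoring commented lines (";" prefix), surrounding quotes
# and spaces. Prints nothing if the setting is absent.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '" ' | tr ',' '\n' | sed '/^$/d'
}

# missing_functions FILE: print each function in WANT that FILE does not disable.
missing_functions() {
    have=$(disabled_functions "$1")
    for f in $WANT; do
        printf '%s\n' "$have" | grep -qx "$f" || echo "$f"
    done
}

# Constructed sample: the thread's first suggestion, preceded by a commented-out
# line that must not be picked up.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; disable_functions = "nothing,here"
[PHP]
disable_functions = "system,exec"
EOF

echo "Still enabled with the sample php.ini:"
missing_functions "$SAMPLE_INI"
rm -f "$SAMPLE_INI"
```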

Datacenter1
03-17-2006, 03:32 PM
Good job !!!


Originally Posted by elix
VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!

MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
[mysqld]
max_connections = 400


max_connections = 400 in a VPS with 256 - 512 MB + cPanel seems a little high to me.
The server will run out of memory before reaching max_connections.

SamOwen
03-25-2006, 02:15 AM
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done.

I don't use WHM, what file can I manually edit to change this setting? I have lots of spamd processes running.

layer0
03-26-2006, 11:48 AM
max_connections = 400 in a VPS with 256 - 512 MB + cPanel seems a little high to me.
The server will run out of memory before reaching max_connections.
That is definitely a possibility but it does depend a lot on what those connections are doing. The config there is really just a template that you should tweak to your own needs.

xclusive illz
04-22-2006, 01:34 PM
Could someone give a brief example of where and how to set this up?

It sounds very useful and I've never managed a server on my own, but I would like to install some of the software lol, or whatever it is, to protect my site.

Hybird71
06-13-2006, 10:16 AM
This is for WHM and cPanel.

How about Plesk? Do you have a tutorial for that one?

sleddog
06-13-2006, 11:19 AM
I don't use WHM, what file can I manually edit to change this setting? I have lots of spamd processes running.

It may depend on your installation.

If you're using a Redhat-derived distribution (e.g., CentOS) with spamassassin installed by rpm, you should have a configuration file /etc/sysconfig/spamassassin.

Edit that file and change the "-m" option. Default is "-m5" (five child processes). Try "-m2" (two child processes).

If you're on a different distro, you may need to find the spamassassin startup script and change the "-m" command line option.

Restart spamd for the change to take effect.

visualblink
06-23-2006, 12:17 AM
How do I remove or edit the service banners without recompiling the packages of my WHM/cPanel server? I would like to remove or possibly edit the server application and version banners that can easily be noticed and grabbed by anybody or by scripts, even with a simple telnet to the listening port. It is a simple problem, but it is always the first attempt of somebody who would want to attack or exploit the flaws of the running version of the application/service that he could find with that banner grabbing. The quick way to frustrate the attacker's initial phase with this issue could be simply removing the banners or replacing them with the ones from a completely different service platform. Is there a way to accomplish this without recompiling any of the default packages of a cPanel/WHM server?

secmas
07-10-2006, 10:15 AM
If you use cPanel and WHM, there is a new firewall made by Chirpy that looks great, it uses a lot less resources than APF and BFD and it is integrated into WHM as an addon as well. And it updates automatically.

Also, you can access CSF from SSH.

You can download CSF with LFD from here:
configserver.com/cp/csf.html

I have just changed APF and BFD for CSF and LFD (both from Chirpy) and it is working really nicely in my VPS.

QUESTION:
In your first post you said:
Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a

But you never mention how to disable them; would you be so kind as to explain this step a little bit further?

I really want to thank Frynge for this terrific guide.

Regards,
Sergio

wwwbug
07-16-2006, 01:52 AM
I did not know how to manage a VPS until I read this. Thank you!

EricG
07-18-2006, 03:13 PM
Hello,

This is a great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.


First: Checking for formmail.

Can I disable these without interfering with cPanel?

/usr/local/cpanel/cgi-sys/FormMail-clone.cgi
/usr/local/cpanel/cgi-sys/FormMail.cgi
/usr/local/cpanel/cgi-sys/formmail.cgi
/usr/local/cpanel/cgi-sys/FormMail.pl
/usr/local/cpanel/cgi-sys/formmail.pl
/usr/local/cpanel/install/formmail


Second: Disable shell accounts

How do I do that ? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.

/usr/local/cpanel/base/horde/admin/cmdshell.php
/usr/local/cpanel/base/horde/admin/phpshell.php
/usr/local/cpanel/base/horde/admin/sqlshell.php

It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym, should they be disabled too or is this sentence meant as a warning NOT to disable those ?

Third: PHPSuExec

It says that all my users will need to make sure their php files have permissions no greater than 0755. On my current reseller hosting account I've installed a few php based applications for my clients that wouldn't work until I change some permissions to 0777. I'm not sure what PHPSuExec does, what problems should I expect if php files do have greater permissions than 0755 ?


That's it.

sleddog
07-23-2006, 10:30 PM
Hello,

This is a great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.


First: Checking for formmail.

Can I disable these without interfering with cPanel?

/usr/local/cpanel/cgi-sys/FormMail-clone.cgi
/usr/local/cpanel/cgi-sys/FormMail.cgi
/usr/local/cpanel/cgi-sys/formmail.cgi
/usr/local/cpanel/cgi-sys/FormMail.pl
/usr/local/cpanel/cgi-sys/formmail.pl
/usr/local/cpanel/install/formmail

That formmail script is a component of cpanel. Users will have access to use it if you make it available to them. Depends on how you have addons, features (Feature Manager) and packages configured in WHM.


Second: Disable shell accounts

How do I do that ? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.

/usr/local/cpanel/base/horde/admin/cmdshell.php
/usr/local/cpanel/base/horde/admin/phpshell.php
/usr/local/cpanel/base/horde/admin/sqlshell.php

It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym, should they be disabled too or is this sentence meant as a warning NOT to disable those ?

"Disable shell accounts" means to deny account owners the right to login to a shell command prompt (via SSH). In WHM look at "Manage Shell Users". You can choose to give each user a full shell, a jail shell (where they cannot move outside their home directory), or no shell. Unless you have a good reason to do otherwise, it's recommend that you disable shell access (no shell). Of course give full shell access to your own account so you can login :)

"shell.php" is a separate issue. Essentially you're looking for PHP scripts on your server than can be used to achieve shell access. These may have been uploaded by users or fetched by someone exploiting a vulnerable website. The files you've listed about are a part of cpanel's Horde webmail and can be left alone.


Third: PHPSuExec

It says that all my users will need to make sure their php files have permissions no greater than 0755. On my current reseller hosting account I've installed a few php based applications for my clients that wouldn't work until I change some permissions to 0777. I'm not sure what PHPSuExec does, what problems should I expect if php files do have greater permissions than 0755 ?

PHP is run as either an Apache module or as a CGI (phpsuexec). As a module, PHP scripts run as the Apache user "nobody". In order for the user "nobody" to write to disk (e.g., to save an uploaded photo), directory permissions have to be relaxed, usually by setting the directory chmod 777 (writable by everyone).

When using phpsuexec, PHP scripts run as the account user. The account user owns the account's directories, and therefore, the PHP scripts have ready access to write. There is no need to change permissions.

Incorrect permissions or ownership will cause errors when trying to run the PHP scripts. Usually with phpsuexec, files should be chmodded no higher than 644 and directories 755. The files should be owned by the account username, not "nobody" and not "root" (that will also cause a runtime error).

Velvet Elvis
07-25-2006, 05:01 PM
Is that thread cache setting a typo? That one in particular has always been voodoo for me, but that's ten times what I'm using.

I can't imagine not hitting swap before half that many are cached on a burstable 256 meg VPS.

EricG
07-29-2006, 10:16 AM
Sleddog,

Thanks a lot for your answers, I really appreciate all the help you've given me in the last few weeks.

johnm160
08-01-2006, 10:24 AM
Hello,

I searched for FformMmail and have come up with many entries

/cgi-sys/formmail.cgi
/cgi-sys/formmail.pl
/install/formmail

/cgi/FormMail.html
/cgi-sys/FormMail-clone.cgi
/cgi-sys/FormMail.cgi
/cgi-sys/FormMail.pl

Do I need to change the permissions on each and every one of these files?

and the same for CGIMAIL?

Thanks for the help, I want to make sure I get started right

John

jpetersen
08-26-2006, 07:54 AM
I'd just like to make a quick note on the difference between :blackhole: and :fail: from my personal experience with cPanel servers and Exim:

Since :blackhole: processes the entire email, more resources wind up getting used. I, like many others, have tested replacing :blackhole: with :fail: on some servers in the past, and can say that easily, without a doubt, less resources (namely CPU and disk I/O) wind up getting used, which helps keep the load average even lower than usual. :fail: will immediately send a 550 error after the invalid RCPT TO: line, vice accepting then discarding the entire email. I'm not saying that will work for everyone, but I have personally seen it immediately decrease resource usage on a shared hosting server with a fairly busy day to day mail flow, and would recommend it to anyone else looking to do the same regardless of the server type.

Chris.S
08-31-2006, 04:49 PM
Excellent tutorial! Would you mind if I posted it in my knowledge base?

FengYun
09-05-2006, 05:14 AM
thanks, that is a great tutorial
It helps me a lot. I think I need some help with some of the basic commands, I hope anyone can help me; I hope these are not too newbie questions.


1a) Root breach DETECTOR and EMAIL WARNING

At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

How am I able to set the server to send more than one warning mail to our server admins? What I think is, if anyone has access to root, the server will send a mail to the 2nd, 3rd server admin mail, etc.


Do I have to do it the long way, or is there a better way than this?

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin1@email.com

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin2@email.com

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin3@email.com





1b) Mail Receive
ALERT - Root Shell Access on: Mon Sep x 00:00:55 SGT 2006 root ttyp0
Sep x 00:01 (bb000-xx-xxx-7.domains.com) root ttyp1 Sep x 00:01
(bb000-xx-xxx-7.domains.com)
I have tried the above code to set the server to send out an e-mail when someone accesses/logs in to the root account of the server, but for some reason I am unable to see the login IP address of the user. Does anyone know what code I should add so that it will show the IP address?



2) Alert Email Sent
Is there a way to set the server to send out more than 1 alert mail (the default is 1 mail) to the system admins, so that the server sends two or more alerts to the rest of the system admins?


example 1
BFD, Under Enable brute force hack attempt alerts:

ALERT_USR="1"
EMAIL_USR="your@email.com"
example 2
LogWatch, SSH into server and login as root.

At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf

Scroll down to
Mailto = your@email.com

example 3
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn (/bin/echo `date` %c %d | /bin/mail -s "Access attempt by nnn.nnn.nnn.nnn on hostname" notify@mydomain.com) &
Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.




Really sorry for these newbie questions, but we would like the alert to be sent to at least 2-3 server admins when such a thing happens....

thanks
Feng

comdexxsoftwarell
10-04-2006, 11:55 AM
Great Tutorial :)

Bibicu
10-14-2006, 10:41 AM
hello everyone!

Good work here with this advice. Thanks a lot for your effort. Thanks

Anyway.. I have 2 questions:

1. Not a day goes by without my finding perl scripts running on my VPS which overload the processors. I restart the Apache server and they are gone. How can I prevent those perl scripts from running?
2. Another problem is an andos.txt file that I found in my /tmp folder which performs a flood against a specific IP address. How can I prevent this txt file from running?


And finally, I want to know if there is a script somewhere that sends mail when the CPU is loaded to a specific value... 80-90-100%

regards

zeca40
10-18-2006, 02:13 PM
FengYun:

I am pretty sure that you can separate the emails with a comma to send to multiple accounts.

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com, yoursecond@email.com

groomi
10-31-2006, 06:49 PM
Very nice tutorial

Ogg
12-02-2006, 11:13 AM
Great tutorial!

Just a question, I've got 256MB RAM and it seems to be using 140-150MB of it even if nobody is on the website but myself. Is that normal? Right now it's running Directadmin with mail turned off.

top - 18:16:57 up 20:01, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 31 total, 1 running, 30 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2% us, 0.1% sy, 0.0% ni, 99.7% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4136864k total, 4066628k used, 70236k free, 166620k buffers
Swap: 2096472k total, 592k used, 2095880k free, 1933400k cached

httpd.conf
Timeout 200
KeepAlive On
MaxKeepAliveRequests 120
KeepAliveTimeout 3
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 250
MaxRequestsPerChild 500

my.cnf
[mysqld]
max_connections = 200
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-locking
interactive_timeout = 25
query_cache_type = 1
query_cache_size = 6M
query_cache_limit = 1M
thread_cache_size = 32
wait_timeout = 25
key_buffer_size = 512K
max_allowed_packet = 1M
table_cache = 4
join_buffer_size = 256K
sort_buffer_size = 100K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 64K
skip-bdb
skip-innodb

layer0
12-02-2006, 11:41 AM
try


Timeout 30
KeepAlive On
MaxKeepAliveRequests 120
KeepAliveTimeout 3
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 250
MaxRequestsPerChild 0


For httpd.conf

Find if it's MySQL or Apache that is actually taking up the RAM...ps auxf will show you.

ps auxf | grep httpd
ps auxf | grep mysql

Ogg
12-02-2006, 07:01 PM
I was watching top -c and one query on the forum looked like it used 3.3% CPU power while each page load took 0.7-1.3% on Apache.

I tried setting Timeout to 30 and MaxReq to 0 but it doesn't seem to have changed anything... I'm not sure how to read the auxf reports!

*8 users on our forum, posting, reading.
up 1 day, 3:51, 1 user, load average: 0.00, 0.02, 0.00
Tasks: 33 total, 1 running, 32 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4136864k total, 4044932k used, 91932k free, 218388k buffers
Swap: 2096472k total, 592k used, 2095880k free, 1847572k cached

nex99
12-31-2006, 10:31 AM
Dear,

Service Status of my new VPS shows this info:

named (9.2.4) up
cpsrvd up
Server Load 0.04 (2 cpus)
Memory Used 72.6 %
Swap Used 3.94 %
Disk simfs (/) 13 %


Is it OK? Especially, I think, the Memory Used 72.6 %

layer0
12-31-2006, 10:33 AM
Dear,

Service Status of my new VPS shows this info:

named (9.2.4) up
cpsrvd up
Server Load 0.04 (2 cpus)
Memory Used 72.6 %
Swap Used 3.94 %
Disk simfs (/) 13 %


Is it OK? Especially, I think, the Memory Used 72.6 %

That memory used is not for your VPS, but rather for the whole host node itself. I wouldn't worry about it unless you see bad performance.

talkhostrunner
02-17-2007, 06:08 AM
Awesome tutorial!!!!

ivytony
03-19-2007, 01:36 AM
These tips are also applicable for VPS built in Fedora Core 6 and Webmin, right?

thanks!

lcubehost
03-19-2007, 12:24 PM
Thanks for posting this. I am adding this to my checklist of all new setups for VPS. Thanks

jacky84
03-20-2007, 01:01 PM
Is there also a document on how to secure and optimize a Windows VPS?

ivytony
03-20-2007, 01:03 PM
Is there also a document on how to secure and optimize a Windows VPS?

I would say no, because the file system between Linux and Windows is quite different.

mark_s
04-30-2007, 02:48 PM
Hello, I have a VPS with MySQL4/PHP4/Apache2.

I've tried using the optimised values for my.cnf but they are not accepted. Can someone take a look at my my.cnf and tell me acceptable values like the ones in this tutorial?

[mysqld]
set-variable=local-infile=0
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1

skip-bdb

set-variable = innodb_buffer_pool_size=2M
set-variable = innodb_additional_mem_pool_size=500K
set-variable = innodb_log_buffer_size=500K
set-variable = innodb_thread_concurrency=2
[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
skip-bdb

set-variable = innodb_buffer_pool_size=2M
set-variable = innodb_additional_mem_pool_size=500K
set-variable = innodb_log_buffer_size=500K
set-variable = innodb_thread_concurrency=2

mark_s
04-30-2007, 08:42 PM
Please ignore my previous message... I have successfully implemented the values in the tutorial.

ThisNameWillDo!
05-02-2007, 08:43 AM
Cool tut! Thanks!

Verm
05-11-2007, 02:23 PM
Great post. Thank you.

blacktooner
05-15-2007, 02:03 PM
Does this work in Ubuntu? Isn't it Linux-based?

Orien
05-17-2007, 11:54 PM
Does this work in Ubuntu? Isn't it Linux-based?

It should work in Ubuntu, which is based on Debian Linux.

Dougy
06-18-2007, 08:25 PM
Not to dig up, but thanks!

trooperx
06-21-2007, 01:18 PM
Does this work in Ubuntu? Isn't it Linux-based?
Yes, it works even in Ubuntu. I'm not sure about Ubuntu live.

dayo
06-26-2007, 12:37 PM
Thanks for the detailed info

amex
07-07-2007, 11:40 PM
Originally Posted by elix

Lastly, I recommend installing mytop to help you monitor your usage...
Code:
wget http://dll.elix.us/mytop-1.4.tar.gz
tar -zxvf mytop-1.4.tar.gz
cd mytop-1.4
perl Makefile.PL
make
make test
make install
Once that's done, just enter "mytop".



When I ran "mytop" after installing - I got the following error:

[root]# mytop
Can't locate Term/ReadKey.pm in @INC (@INC contains: /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/bin/mytop line 165.

Any ideas?

Thanks!

r00ter
07-07-2007, 11:44 PM
It looks like a PERL error, can we know which OS you are using, and whether or not you have perl or perl libs installed?

amex
07-07-2007, 11:49 PM
It looks like a PERL error, can we know which OS you are using, and whether or not you have perl or perl libs installed?

OS: Centos

Perl: Perl 5.8.5 Installed

Thanks

foobic
07-09-2007, 09:47 AM
Use CPAN to install the missing module - just type cpan as root. You'll need to do some setting up if you haven't run it before but you can accept the defaults it offers. Then:
cpan> install Term::ReadKey

My belated thanks also to the original authors layer0 and frynge. :)

Shining Star
07-09-2007, 09:48 AM
nice tutorial

amex
07-15-2007, 06:17 PM
1a) Root breach DETECTOR and EMAIL WARNING

1b) Mail Receive

I have tried the above code to set the server to send out an e-mail when someone accesses/logs in to the root account of the server, but for some reason I am unable to see the login IP address of the user. Does anyone know what code I should add so that it will show the IP address?





I have the same problem - all I get are emails which look like this, no IP address:

ALERT - Root Shell Access on: Mon Jul 9 08:07:40 EDT 2007 root pts/0 Jul 9 08:07 (ool.dyn.optonline.net)

phuongdong
07-19-2007, 04:54 AM
I guess the email with no IP will be sent to you when you reboot the server(VPS) :)

amex
07-19-2007, 10:34 AM
I guess the email with no IP will be sent to you when you reboot the server(VPS) :)

What?

dewd
07-22-2007, 11:43 PM
thanks for the info :)

frynge
07-23-2007, 12:42 AM
I have the same problem - all I get are emails which look like this, no IP address:

Just go type that in to dynamic tools to get the ip...
ool.dyn.optonline.net

http://www.dnsstuff.com/

amex
07-23-2007, 01:15 AM
Just go type that in to dynamic tools to get the ip...
ool.dyn.optonline.net

http://www.dnsstuff.com/

frynge,

Thanks for responding.

ool.dyn.optonline.net is the hostname of the ISP that logged in. It's not the actual IP or hostname of the individual who logged in.

Running any tests on the hostname will reveal the general IP of the ISP, not the individual subscriber.

Volt.Networks
07-25-2007, 06:49 PM
Just read the tutorial. Very nice job.

amex
07-25-2007, 07:00 PM
Just read the tutorial.

Was that directed at me?

sherwinaval
09-01-2007, 02:29 PM
thanks for this helped me a lot after weeks of trying to find the best solution to optimize my vps

nixadm
09-10-2007, 01:09 AM
Hello,
I would not recommend that anyone run this blob list of commands.
The author put effort into it, but is clearly missing a basic understanding of Unix, let alone security practices.

amex
09-10-2007, 09:55 PM
Hello,
I would not recommend that anyone run this blob list of commands.
The author put effort into it, but is clearly missing a basic understanding of Unix, let alone security practices.

Well, would you like to contribute at all?

frynge
10-27-2007, 09:32 PM
thanks for this helped me a lot after weeks of trying to find the best solution to optimize my vps

I'm glad so many found this useful! I will eventually be posting new ones that are updated, as cPanel and WHM have updated a bit.

Cheers

layer0
10-27-2007, 09:40 PM
frynge,

Thanks for responding.

ool.dyn.optonline.net is the hostname of the ISP that logged in. It's not the actual IP or hostname of the individual who logged in.

Running any tests on the hostname will reveal the general IP of the ISP, not the individual subscriber.

Set UseDNS to off in your sshd_config.

amex
10-28-2007, 09:56 PM
Set UseDNS to off in your sshd_config.

Hi Layer0,

Thanks for your reply. I didn't see UseDNS in my sshd_config so I just added this to the end of it, but alas it didn't change anything:


UseDNS off


Am I doing something wrong?

Regards,

GBSF
10-29-2007, 03:52 PM
Great thread guys! Thanks for everyone help!

I have a quick question about setting the following:

At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

This seems to be working but every email I get is showing the wrong host name but the correct IP address:

Example:

Access from (balyrion.liquidweb.com)
(208.xxx.xxx.xxx)

ALERT - Root Shell Access on: Mon Oct 29 12:50:50 PDT 2007 root ttyp0 Oct 27 20:59 (balyrion.liquidweb.com) root ttyp2 Oct 29 12:50 (208.xxx.xxx.xxx)

How do I fix this to show the correct hostname with the IP address?

diggleblop
11-13-2007, 05:34 PM
I ran the root kit checker and it tells me that at Port 425 Possible LKM Trojan Installed. Now what?

layer0
11-13-2007, 05:38 PM
Hi Layer0,

Thanks for your reply. I didn't see UseDNS in my sshd_config so I just added this to the end of it, but alas it didn't change anything:


UseDNS off


Am I doing something wrong?

Regards,

I assume you restarted SSH?

foobic
11-13-2007, 07:48 PM
UseDNS no.

amex
11-17-2007, 07:41 PM
UseDNS no.

That is correct, it's UseDNS no and not UseDNS off


I assume you restarted SSH?

Good suggestion! Now it works!

layer0
11-17-2007, 07:44 PM
UseDNS no.

My bad. :stickout:

bigu_c
11-30-2007, 05:53 PM
This is good tut for me!

Thank you!

mimozo
12-02-2007, 08:54 AM
nice tutorial .. thanks for sharing mate

remotehost
12-04-2007, 03:32 AM
What are the advantages/disadvantages of APF vs CSF? I use CSF because it can be integrated with WHM.

Vince2006
12-04-2007, 04:18 AM
I found APF to be quirky... but that's just me. CSF runs lean and mean and does way better than APF did on my box. I'd recommend combining CSF/LFD with MailScanner (through Chirpy's site HERE (http://configserver.com/cp/mailscanner.html).) Great way to go.

etusha
12-11-2007, 01:49 PM
Has anyone used Lynis?
http://www.rootkit.nl/projects/lynis.html


I have a question for you: what's the best anti-rootkit,
Rootkit Hunter or chkrootkit or zeppoo.net or a newer anti-rootkit?

mcgyver8
12-12-2007, 03:45 AM
Frynge, awesome tutorial!

betoranaldi
12-27-2007, 02:31 PM
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then go to "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on "Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done.

whm 11.11 and cpanel 11.16 don't seem to have this option, where would I be able to find it?

labeach
01-04-2008, 07:36 PM
Hello,
I had to recompile Apache and now root logins are no longer being emailed to me. I opened .bash_profile in pico and the email line and everything is there. Any ideas on how to fix this? Thanks,

hero525252
01-23-2008, 11:51 AM
If I do these steps will my security be perfect??

Datacenter1
01-23-2008, 09:13 PM
If I do these steps will my security be perfect??

Perfect security doesn't exist; proper hardening of your server(s) will help with 99.5% of security threats.

For perfect security you have to unplug your server from the network, unplug it from power and lock it in a safe (don't lose the key or combination).

etusha
01-24-2008, 08:22 AM
or burn it

PCS-Chris
01-24-2008, 08:47 AM
If I do these steps will my security be perfect??

Although this thread does have some very good information & advice, there is more that can be done to improve the security of your server.

If you are hosting something which is mission critical to security you could always consider hiring a management company to do a once-over hardening on your machine or VPS in this case. The main key to security is to ensure all packages on the server are kept up to date, and to monitor the content of your accounts.

or burn it

- I guess that works too :stickout:

zwtint
01-27-2008, 09:16 AM
Hi,

Can somebody let me know the exact steps how to harden /tmp on a VPS?

Regards,

jiggerbit
01-28-2008, 02:26 PM
Hi,

Can somebody let me know the exact steps how to harden /tmp on a VPS?

Regards,
mount -t tmpfs -o noexec,nosuid tmpfs /tmp/

nixadm
01-29-2008, 06:56 AM
Can somebody let me know the exact steps how to harden /tmp on a VPS?


Do not think of it as a skill or a trade (as with many other tips around); you need a basic understanding of Unix (file system, superstructure, executables, suid bits...) and things like this would come naturally. Anyone running their own server without an operator really should, and easily could, learn this.

With jiggerbit's answer you are still unsure what it really does, and if you break functionality of some other system component... It always comes back to the basics.

Tristan Perry
01-31-2008, 09:53 AM
Hello all,
My forums (http://forums.tauonline.org/index.php) can sometimes be quite laggy, and I'm not sure why. Load times are averaging 2+ seconds. I'm on VPS hosting (I have 512MB of memory - server stats are here (http://forums.tauonline.org/status.php)).

My forums are getting the same amount of people online as usual (e.g. a bit before peak time: "Users Online: 73 Guests, 41 Users over 15 minutes").

I've carried out the optimisation tips mentioned here (i.e. I've changed the relevant settings in my.cnf and httpd.conf).

However I'm not sure what's causing this lag. I use SMF as my forum software, which is very reliable and speedy software (other forums with millions of posts run SMF fine; I only have 800,000 posts).

Upon inspection, I found out that certain queries are lagging like mad:

DELETE FROM yabbse_sessions
WHERE last_update < 1201713265
in /home/tauonli/public_html/forums/Sources/Load.php line 2180, which took 7.59983802 seconds.
SELECT data
FROM yabbse_sessions
WHERE session_id = '2ab5abd09a2bbebd79065efe0af790e4'
LIMIT 1
in /home/tauonli/public_html/forums/Sources/Load.php line 2110, which took 12.86598301 seconds.
REPLACE INTO yabbse_log_boards(id_msg, id_member, id_board)
VALUES
(1058514905, 1, 1)
in /home/tauonli/public_html/forums/Sources/MessageIndex.php line 140, which took 2.8114779 seconds.


UPDATE yabbse_topics
SET num_views = num_views + 1
WHERE id_topic = 60114
in /home/tauonli/public_html/forums/Sources/Display.php line 174, which took 4.49542999 seconds.



UPDATE yabbse_members
SET last_login = 1201723759, member_ip = '88.105.13.104', member_ip2 = '88.105.13.104', total_time_logged_in = 10197033
WHERE id_member = 1
in /home/tauonli/public_html/forums/Sources/Subs.php line 556, which took 3.65229011 seconds.



SELECT
c.id_cat, b.name AS bname, b.description, b.num_topics, b.member_groups,
b.id_parent, c.name AS cname, IFNULL(mem.id_member, 0) AS ID_MODERATOR,
mem.real_name, b.id_board, b.child_level,
b.id_theme, b.override_theme, b.count_posts, b.id_profile, b.redirect,
b.unapproved_topics, b.unapproved_posts, t.approved, t.id_member_started
FROM yabbse_boards AS b
INNER JOIN yabbse_topics AS t ON (t.id_topic = 60114)
LEFT JOIN yabbse_categories AS c ON (c.id_cat = b.id_cat)
LEFT JOIN yabbse_moderators AS mods ON (mods.id_board = t.id_board)
LEFT JOIN yabbse_members AS mem ON (mem.id_member = mods.id_member)
WHERE b.id_board = t.id_board
in /home/tauonli/public_html/forums/Sources/Load.php line 631, which took 15.63650703 seconds.

Whilst some are completed queries, some are basic queries calling on data from basic table structures.

Running ps auxf gets:

mysql 20172 0.8 13.1 153012 69060 ? Sl Jan29 9:51 \_ /usr/sbin/mysqld
(0.8% CPU, 13.1% memory)
nobody 1326 1.0 2.6 56680 13900 ? R 13:00 0:02 \_ /usr/local/apache
nobody 1515 0.7 2.9 58256 15524 ? S 13:00 0:01 \_ /usr/local/apache
nobody 1681 0.7 2.6 56388 13636 ? S 13:01 0:01 \_ /usr/local/apache
nobody 2030 0.6 2.6 56468 13700 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3104 0.9 2.8 57708 14944 ? R 13:02 0:00 \_ /usr/local/apache
nobody 3107 0.4 2.4 54824 12660 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3108 0.7 2.5 55876 13124 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3367 1.1 2.3 54244 12072 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3370 0.6 2.4 55500 12672 ? R 13:03 0:00 \_ /usr/local/apache
nobody 3371 1.0 2.4 54888 12716 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3384 0.9 3.0 58000 15820 ? R 13:03 0:00 \_ /usr/local/apache
nobody 3533 0.9 2.4 55276 13024 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3540 1.0 2.5 56072 13608 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3588 0.8 2.3 54776 12084 ? S 13:04 0:00 \_ /usr/local/apache
nobody 3598 3.8 2.6 56260 13704 ? S 13:04 0:00 \_ /usr/local/apache
nobody 3618 0.0 0.6 47104 3412 ? S 13:04 0:00 \_ /usr/local/apache


Any ideas on why my forums are lagging so much would be great :)
Thanks,
Tristan

rub3n
02-10-2008, 03:54 PM
Nice and very useful thread, thanks for posting this!

arkin
02-11-2008, 11:29 AM
Great thread/article, thanks.

jamesmoey
02-24-2008, 08:02 PM
tristanperry (http://www.webhostingtalk.com/member.php?u=156572)

If you use innodb tables, increase your innodb_buffer_pool_size,
and increase your query_cache_size and key_buffer_size.

Good luck.

Rick Ce
03-07-2008, 05:41 AM
Hi there,
Great post thank you everyone :)
I have installed APF on my dedis and it works great. I have come to install it on my cPanel VPS servers and my users report they cannot send mail; has anyone else had this problem? As soon as I stop APF the mail clears from the queue.
I have made sure these are open in the config file: TCP/UDP 25, 110, 143, 465, 993, 995.
Any ideas?
Kind regards,
Rick

likepeas
04-25-2008, 11:59 AM
What about SQL injection through cPanel? I got hacked a few times like this. :mad:

3dom
04-26-2008, 05:29 PM
Great post. Thanks!

Now I'm sure I'll stick with shared accounts and am going to stay away from VPS as long as I can
=)

grandad
04-27-2008, 03:59 AM
When I use:-

At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.

On my next SSH login I see the errors:-

-bash :mail command not found
-bash :echo: write error: Broken pipe

When I remove the alert all returns to normal.
cPanel 11.18.3 R21703
Centos 5

Any idea why it breaks it?
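The alert line quoted above fails in two ways this thread reports: `who | awk '{print $6}'` takes field 6 of the first line of `who`, which is any session's host rather than the current one (GBSF's wrong hostname), and when no `mail` command is installed the login shell itself prints errors (grandad's "mail command not found" / "Broken pipe"). Below is an added example of a sturdier version for root's .bash_profile; it is not from the thread or from frynge's guide, it assumes a mailx-style `mail -s SUBJECT RCPT`, and the recipient address and the file path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a sturdier root-login alert for root's ~/.bash_profile.
# Assumptions (mine): a mailx-style `mail -s SUBJECT RCPT` is installed and ALERT_RCPT
# names a real mailbox; the address below is a placeholder.
ALERT_RCPT="${ALERT_RCPT:-your@email.com}"

# Pull the origin (IP or hostname) out of one line of `who am i` output, e.g.
#   root     pts/2        Oct 29 12:50 (203.0.113.9)
# Plain `who` lists every session, so the thread's `who | awk '{print $6}'`
# reports the host of whichever session happens to be listed first.
origin_from_who_line() {
    case "$1" in
        *"("*")") host=${1##*"("}; printf '%s\n' "${host%?}" ;;   # text inside the last (...)
        *)        printf 'unknown\n' ;;
    esac
}

# Origin of the current session: sshd sets SSH_CONNECTION to
# "client_ip client_port server_ip server_port", which is more reliable than
# utmp; fall back to `who am i`, which prints only the current terminal's line.
session_origin() {
    if [ -n "${SSH_CONNECTION:-}" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        origin_from_who_line "$(who am i 2>/dev/null)"
    fi
}

build_subject() {
    printf 'Alert: Root Access from %s\n' "$1"
}

# Send the alert. Returns 0 without sending for non-root users, and returns 1
# (with a note on stderr) when `mail` is missing, so a login shell never prints
# "mail: command not found" / "Broken pipe" the way grandad's did.
send_root_alert() {
    [ "$(id -u)" -eq 0 ] || return 0
    if ! command -v mail >/dev/null 2>&1; then
        echo "root-alert: no mail command found, alert not sent" >&2
        return 1
    fi
    origin=$(session_origin)
    printf 'ALERT - Root Shell Access on: %s\nOrigin: %s\n\nActive sessions:\n%s\n' \
        "$(date)" "$origin" "$(who)" \
        | mail -s "$(build_subject "$origin")" "$ALERT_RCPT"
}

# Usage (path is my assumption): save as /root/root-alert.sh and append to
# root's ~/.bash_profile the line
#   . /root/root-alert.sh && send_root_alert
```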

greggster
04-30-2008, 06:06 AM
/tmp can be secured to be noexec in 1 minute, no reboot required. Nothing can execute there - /var/tmp remains a risk - unless that is mounted separately also:

/dev/VolGroup00/LogVol02 /tmp ext3 defaults,nosuid,noexec 1 2

Edit the /etc/fstab file, then do a mount -o remount and it will remount /tmp and you are set - just don't be in /tmp when remounting.
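A check to go with the remount above (and with jiggerbit's tmpfs mount earlier), added here as an example that is not part of the thread: it reads /proc/mounts, or a file passed in, and reports whether /tmp and /var/tmp actually carry noexec and nosuid, so you can confirm the change took effect and re-check it from cron.

```shell
#!/bin/sh
# Added example, not from the thread: verify that /tmp and /var/tmp are mounted
# with noexec,nosuid. Reads /proc/mounts by default; a file argument lets you
# check a captured copy (the test below uses a constructed one).

# mount_opts MOUNTPOINT [MOUNTS_FILE]: print the option list of the last entry
# for MOUNTPOINT (a later entry, e.g. a bind mount, shadows an earlier one).
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' "${2:-/proc/mounts}"
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount MOUNTPOINT [MOUNTS_FILE]: print "ok", "not-mounted" (a plain
# directory on the root filesystem cannot have its own noexec) or
# "missing:<opts>"; non-zero status on anything but "ok" so it can drive an alert.
check_mount() {
    opts=$(mount_opts "$1" "${2:-/proc/mounts}")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing,$want"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:${missing#,}"
        return 1
    fi
}

# check_tmp_dirs [MOUNTS_FILE]: report both temp directories; the exit status
# is the number of problems found, so `check_tmp_dirs || mail ...` works in cron.
check_tmp_dirs() {
    problems=0
    for mp in /tmp /var/tmp; do
        result=$(check_mount "$mp" "${1:-/proc/mounts}") || problems=$((problems + 1))
        echo "$mp: $result"
    done
    return "$problems"
}
```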

altaibskt
05-16-2008, 02:42 PM
thanx for this nice post

vikashk
05-18-2008, 10:57 AM
Another great tool against SSH brute force is DenyHosts. It uses the hosts.deny file, which may be more appropriate for VPSs as the number of iptables rules is usually limited by the VPS provider.

greggster
05-20-2008, 10:39 PM
Portsentry is one tool that has spared a lot of hacking attempts - I have the same IP's daily trying to get in - here is one way to thwart:

1. Set up Portsentry (against the recommendations) to scan up to port 65000 or so - I saw a lot of scans start at port 1026 - portsentry is set up by default to port 1024, so I raised it to 65000 and allow 3+ port scans before blocking - that way there are fewer false alarms or in case someone forgets port 22....
2. Change your ssh port to the 2000+ range - remember to open your firewall for this new port..
3. Keep port 22 open on the firewall - and now it's a honeypot of sorts - got to remind users to use the new non-standard port, but script kiddies fall right into it.
4. Anyone port scanning is only looking to harm, so they get dropped completely for a while and cannot do any more harm. Bye bye.

Here we see people start on port 1026 a lot - on a typical portsentry install, Squid, VNC and other services lack a layer of protection that FTP, SMTP have - with this setup - not no more:
From 221.6.145.18 - 2 packets to udp(1026,1027)
From 221.208.208.86 - 2 packets to udp(1026)
From 221.208.208.92 - 2 packets to udp(1026)
From 221.208.208.95 - 2 packets to udp(1026,1027)
From 221.208.208.97 - 2 packets to udp(1026,1027)
From 221.208.208.99 - 4 packets to udp(1026,1027)
From 221.208.208.212 - 4 packets to udp(1026,1027)
From 222.84.225.189 - 2 packets to tcp(5900)
From 222.187.221.27 - 4 packets to tcp(7212,8000)
From 222.216.28.40 - 2 packets to tcp(5900)

And a word about security through obscurity - technically a lot of existing security is through obscurity - just differing levels of randomness - port, 8 character password or 1024 character certificate. If someone knew what port a service is running on, or knew a password, or knew the SSH key - either 4, 8, or 1024 characters - they have access. These random characters are why cracking works. It's only a matter of time before the port/password/certificate is found out if being cracked - even if it's 20 years - at some point the attacker quits for an easier target. Again, if we can slow down the hacker, they will move on - or the script will move on. Think car alarms, 3 locks on the front door of an apartment, "The CLUB" - all there to say "move on to an easier target".

Spacial
06-13-2008, 02:55 AM
If you want to do that you should also disable all other functions that enable file execution such as: passthru, escapeshellcmd, popen, pcntl_exec, and I think there might be a few others.

ok, but tell me where to disable that, where is php.ini file?

greggster
06-20-2008, 02:56 AM
/etc/php.ini for most installs. When I started this there was about 6 months of no TV and lots of studying - hosting on the net is like jumping into a den of lions and my first few hits woke me up. A test machine with 42,000 failed login attempts scared me into studying. This is a great forum and I have learned from here and from howtoforge.com a massive amount - like going to school.

robr3004
07-24-2008, 10:30 PM
=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.


Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.


At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.


Newbie here....

I added the email alert to .bash_profile but when I login I get this message:

"You must specify direct recipients with -s, -c, or -b."

I checked for typos three times. Any ideas?

robr3004
07-24-2008, 10:47 PM
Newbie here....

I added the email alert to .bash_profile but when I login I get this message:

"You must specify direct recipients with -s, -c, or -b."

I checked for typos three times. Any ideas?

Never mind... I was missing a space between the end of the email subject info and my email address. It's working now.

n00bRooT
07-25-2008, 09:10 AM
thanks dude great post for n00bs

Nazeer
07-26-2008, 01:31 AM
Great thread. This is really wonderful thread and very helpful to new VPS users.

I love to see more tutorials like this.

Thanks
Nazeer
WebcareSolutions.com

greggster
08-21-2008, 10:17 PM
Check out OSSEC for server security - quick install, open 1 port and you are set. It emails every time someone logs in - set your email to cc gmail and if you get rooted, about 10 seconds later a copy will be at gmail also...

vantasticman7
08-24-2008, 08:50 PM
I'd just like to make a quick note on the difference between :blackhole: and :fail: from my personal experience with cPanel servers and Exim:

Since :blackhole: processes the entire email, more resources wind up getting used. I, like many others, have tested replacing :blackhole: with :fail: on some servers in the past, and can say that easily, without a doubt, less resources (namely CPU and disk I/O) wind up getting used, which helps keep the load average even lower than usual. :fail: will immediately send a 550 error after the invalid RCPT TO: line, vice accepting then discarding the entire email. I'm not saying that will work for everyone, but I have personally seen it immediately decrease resource usage on a shared hosting server with a fairly busy day to day mail flow, and would recommend it to anyone else looking to do the same regardless of the server type.

Since Blackhole reduces load, and Fail (in theory) could reduce spam, would it be possible to have a script that checks for load and then if its low sets to :Fail but if load is high it sets to :Blackhole? That way we could get the best of both worlds?

Van

JLHC
08-24-2008, 08:57 PM
Great thread! /Subscribes. ;)

spudlet
09-09-2008, 05:40 PM
hello

I have installed chkrootkit and bfd exactly as designed (to the letter) in the first post about 4-8 weeks ago.

Today my VPS went down, for absolutely no reason as far as I can find; it was 'up' but I couldn't get onto SSH and it wasn't serving over 80.

I complained, rather harshly because I have been receiving very poor service from them in my mind.

They came back and said "someone has added some extra rules to the firewall". I know that no one has logged in (I changed the port for SSH) other than myself, and I have made no configuration changes beyond installing the above and moving the SSH port, which is basic stuff.

Does bfd or chkrootkit add any firewall rules or lock everyone from accessing the site?

The host has 'deleted the rule and turned off the firewall', but I'm a little confused how the entries got in there that would have cocked it up... unless these did it? I can't tell you the firewall rules now because they've been removed and, surprisingly, the firewall was turned off, which just seems plum wrong given this is a managed service I'm paying for.

It's a simple PHP/MySQL setup; DirectAdmin is there but I haven't changed any configuration. A week or so back my host accidentally removed one of my IPs and assigned it to another customer, but on my end I haven't touched anything.

So could BFD or chkdisk have done this? What could have done it? I've quite literally just done a few steps from this guide and nothing else... how can these rules (that I've not seen so can't tell you what they are) have got there?

secmas
09-09-2008, 11:36 PM
Spudlet,
it sounds like your firewall has blocked your IP from the system. It could happen if you have not added your IP to the white list.

To check why or what you have done, just look into /var/log for the IP that your ISP has assigned to you; if you don't know what your IP is, then you can enter SecmasHost.com/ip and it will tell you. This is a handy utility that I use with my customers when the firewall blocks them.

After you have the IP, go and search in /var/log/messages and if it is not there, then go and check the Apache error_log.

Hope this helps you to see what happened.

DnaJinx
09-14-2008, 09:48 PM
very useful post thanks for posting it

alwaysonline247
09-22-2008, 10:56 PM
thanks for the info

ragubhat
09-28-2008, 03:31 AM
csf+lfd works on all GNU/Linux servers with or without cPanel. This f/w script is well maintained and in certain cases betters APF. Install this on your cPanel VPS and test. On the HN, install either Shorewall or Firestarter. RKHunter is better and more actively maintained than chkrootkit.

http://www.configserver.com/cp/csf.html

http://www.rootkit.nl/projects/rootkit_hunter.html

YMMV.

CI-Theo
10-05-2008, 07:03 AM
This thread is certainly impressive - I have already performed a few mods via SSH. Great job!

zbaby48
10-05-2008, 05:42 PM
Thanks a lot for this information will definitely put it to good use!

michaljnowak
10-06-2008, 10:07 AM
Good job. Thanks a lot!

grniyce
10-13-2008, 05:15 PM
SQL optimization specifically designed for vBulletin, IPB and phpBB bulletin boards using multiple queries and shoutboxes. This WILL get you out of hot water with your host telling you you're using too much CPU.

This has been written to be flexible within the following environments:

- 1-4 gig of ram
- Pentium 4 w/ hyper-threading or above CPU speed

Enjoy!

[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-locking
max_connections = 2000
max_user_connections = 250
key_buffer = 128M
max_allowed_packet = 64M
max_connect_errors = 10
thread_concurrency = 8
concurrent_insert = 2
table_lock_wait_timeout = 35
# wait_timeout = 35   (duplicate: overridden by wait_timeout = 900 further down, since mysqld keeps the last value)
connect_timeout = 10
tmp_table_size = 256M
max_heap_table_size = 256M
table_cache = 2M
join_buffer_size = 1M
sort_buffer_size = 2M
read_buffer_size = 1M
thread_cache_size = 384
wait_timeout = 900
read_rnd_buffer_size = 1M
bulk_insert_buffer_size = 8M
net_buffer_length = 4M
thread_stack = 256K
skip-bdb
skip-innodb
query_cache_limit = 8M
query_cache_size = 128M
query_cache_type = 1
query_prealloc_size = 131072
query_alloc_block_size = 65536
default-storage-engine = MyISAM

[mysqldump]
quick
max_allowed_packet = 500M

[mysql]
no-auto-rehash
#safe-updates

[myisamchk]
key_buffer = 64M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M

[mysqlhotcopy]
interactive-timeout

canubeat
03-25-2009, 12:03 AM
Is there any help on the same topic for the LxAdmin panel?

host-6-Dan
04-02-2009, 10:45 AM
Thanks for the tut

DoYouSpeakWak??
04-06-2009, 11:23 AM
Thx for this one. It really helped me last night.

nhynes57
04-14-2009, 07:55 AM
Great post, I am looking at getting a VPS but security is a worry. This helps a lot. Thanks

NiggsNetwork
04-16-2009, 03:34 AM
Great tutorial. Thanks for the help

biggies
04-21-2009, 11:10 AM
Great Post. Thanks for the help

CKGroup
05-11-2009, 04:10 PM
Great tut, thanks!

pongery
06-08-2009, 11:19 AM
Awesome tutorial, thanks

webdis2
06-10-2009, 01:27 PM
This is a good guide, i used it and I saw increased performance.

OwlsHosting
06-12-2009, 12:44 AM
Some great info here! Thankyou

t3od0r
06-16-2009, 04:34 AM
Thanks, great tutorial, my host should read it, they were hacked

adwivedi
07-02-2009, 06:27 AM
Hey, will I need to have mail (SMTP and all) set up to use these email utilities?

admsys
07-11-2009, 05:22 AM
These tips are very useful for beginners...


Thanks for sharing...

mrwillt
07-14-2009, 10:01 AM
Great guide!

Sheikh Ahsan
07-14-2009, 11:54 AM
Hello guys,

I am new into this field. Any suggestions will be appreciated!

Cheers

thesecret
07-17-2009, 02:57 PM
thanks alot for your support

Larsson
07-22-2009, 02:56 PM
Is this still up to date?

scurrminator
08-04-2009, 03:07 PM
cool tutorial, thanx

Hostlatte
08-10-2009, 07:42 PM
Good write up!

KrazyBob
08-12-2009, 01:42 AM
This is an excellent tutorial even though I use Plesk on top of Virtuozzo. At the moment I am getting spammed to death and I suspect brute force attacks based on IPs going to most of the passworded services. I have over 100 virtual servers running Plesk 8.6 and Virtuozzo 3 (I know - time to upgrade.)

The question I have is this: I have the Plesk firewall enabled through /etc/sysconfig/iptables-config. I can also install APF and BFD even though we use a top-level hardware firewall.

Now then, do I need to add APF to the hardware node? Then do I need to add BFD to the VE? Or can I add APF and BFD to just the hardware node since it sees all IPs anyway? If using the Plesk firewall do I need or want to run APF? I mean, won't they conflict with one another? I can turn off the Plesk firewall just by removing the line from the config and restarting VZ if APF is the better approach. By default we have most services off and only allow trusted IPs access to ssh.

I am tired of my pager going off and OpManager going crazy.

greggster
08-12-2009, 09:09 PM
Issue with hardware firewalls is unless configured, they are typically not responsive firewalls - APF and BFD can do this.

Not a direct answer but might help also - actually, I found spam and brute force fighting quite fun. For spam and brute force, DenyHosts might help - as some of the same bots brute forcing might be sending spam, but I have not done a statistical test in a while - I installed it but there was not enough email to statistically tell. The really useful part is the central DenyHosts server that other DenyHosts installs report bad hosts to, and your server gets the updates.

Also are the spams for a certain domain? I am hosting one domain and the spamhaus hits went up 30x when started hosting them, and down 30x when just the MX record was pointed to gmail. Unfort I installed denyhosts after this domain's MX record was migrated..

KrazyBob
08-12-2009, 09:31 PM
Thanks for the reply but the question is still unanswered.

Do I need to add APF to the hardware node? Then do I need to add BFD to the VE? Or can I add APF and BFD to just the hardware node since it sees all IPs anyway? If using the Plesk firewall do I need or want to run APF? I mean, won't they conflict with one another? I can turn off the Plesk firewall just by removing the line from the config and restarting VZ if APF is the better approach.

Thanks again.

ServerOrigin
08-13-2009, 04:22 AM
It's recommended that you have a hardware firewall in place and have no open public ports on the hypervisor. I wouldn't recommend running a firewall on the host node itself. It should be firewalled with hardware and then allow your users up to 200-300 available rule additions for each vps.

KrazyBob
08-13-2009, 04:46 AM
The hardware firewall works but the offending IPs need to be entered. The firewall doesn't see them as a brute force attack and that is why I asked about installing APF and BFD. I'd love an answer to the actual question.

shad0wd0wn
08-21-2009, 11:44 PM
Thanks a lot for all of these it'll help a lot :D

NiggsNetwork
08-23-2009, 08:43 AM
Not a bad tutorial, Well Done

jeswinaugustine
09-03-2009, 12:33 PM
WOW !! just the one i was looking for !! thanks !!

carmaster
09-03-2009, 12:43 PM
great tutorial i like it

TRVPS
09-05-2009, 04:33 PM
Now bad security WHM and cPanel You should establish with CSF

noep
09-18-2009, 05:18 PM
Thanks i used this guide:)

Hesham_3del
09-22-2009, 02:37 PM
thanks a lot for this tutorial ...

energetic
09-22-2009, 07:55 PM
great thread :)

vnk1986
09-26-2009, 01:57 PM
Hey Guys! this is a very useful, learning and informative thread. Thanks a lot for sharing your ideas and tips!

ServerHitch
10-08-2009, 01:49 AM
Great information, really the most important of all is brute force detection!

hostedweb
10-09-2009, 09:10 AM
Excellent tutorial, thanks!

k-planethost
11-01-2009, 07:35 AM
How can you check the log file (/var/log/rkhunter.log)?
Which is the command?

[JSH]John
11-07-2009, 11:00 AM
You can use cat /var/log/rkhunter.log or nano /var/log/rkhunter.log

izesem
11-18-2009, 05:18 AM
Could anyone suggest how to optimize Apache & MySQL for a Xen VPS?
Cpu: Core i7
Ram: 1G DDR3

hostwebdata
11-27-2009, 12:56 AM
Excellent tutorial thx for the info

masterbo
12-01-2009, 06:52 AM
A great collection of hints. Personally, I'd have added also

1. Port knock module for the firewall used, to set up the proper PK'ing and keep the system shut in most cases. In conjunction with rate limiting, that will give better protection from would-be hackers.

2. Resources monitoring. Early warning about any unusual service/resource usage state could be very useful to pinpoint and handle the problem quickly.

Snort could also be a good intruder detection tool.

Thanks!

ChrisRut
01-08-2010, 01:57 PM
(choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678 :) lol )

I thought 65535 was the highest port number?
Is there a reason you can't set SSH to a port higher than 49151?

0100001101001010
01-15-2010, 10:15 PM
Thank you. Very nice write up.

webhostingis1
01-19-2010, 12:35 PM
This a fantastic guide, thanks very much!

I am currently having problems with the following:

Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.


At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.

Everything works fine to begin with, but when I access SSH I do not receive an email. Also when I return to the file the line is no longer showing.

I am using PuTTY for this. If anyone can offer any help I will be truly grateful.

Thanks!

njoker555
01-19-2010, 12:40 PM
Everything works fine to begin with, but when I access SSH I do not receive an email. Also when I return to the file the line is no longer showing.

I am using PuTTY for this. If anyone can offer any help I will be truly grateful.

Thanks!

Make sure you save the file before exiting. You can also ask your host for help with it if you need it.

webhostingis1
01-19-2010, 02:40 PM
Make sure you save the file before exiting. You can also ask your host for help with it if you need it.

Thanks for your reply njoker.

Using PuTTY I used ctrl + x then y to save and that seems to be right.

OK I will ask my web host to help me with this, thanks very much for your help.

I did however manage to add the warning message :)

djl93
01-20-2010, 02:26 AM
oh wow thanks a lot! I have a VPS of my own this is very helpful

macaws
01-24-2010, 12:19 PM
You spent a lot of time making sure we have a secure, safe, VPS. Thank you for this tutorial.

usherj
01-30-2010, 12:01 PM
Good, useful!

dedivirtual
02-01-2010, 02:02 PM
Awesome ! Really Appreciable work, :)

hostingelite
02-15-2010, 07:24 AM
This really helps me.

This is my first time coming to a hosting forum, and it's worth it.

Thanks!

Elva

ItsAliveHosting
02-20-2010, 02:52 PM
Nice work and thank you for the heads up.

the_wanderer
02-22-2010, 07:42 PM
Excellent information contained in this thread. I would encourage anyone adding security and locking down a host to try and grasp an understanding of what the commands and tools are doing. Blindly following a tutorial does not provide you with added security if you do not understand the possible consequences of the configuration changes.

Check out OSSEC for server security - quick install, open 1 port and you are set. It emails every time someone logs in - set your email to cc gmail and if you get rooted, about 10 seconds later a copy will be at gmail also...

Agreed... http://www.ossec.net (http://www.ossec.net/) is an excellent tool, here is a quick guide - http://hackertarget.com/2009/08/ossec-introduction-and-installation-guide/.

As an additional tip, running Nessus or OpenVas, along with Nikto externally is a great way to check your config, patch levels and general external security.

davidelliott-
02-28-2010, 06:51 AM
This is awesome, will come into hand when i purchase my vps. Thanks!

waqaspuri
02-28-2010, 07:06 AM
Does anyone know an antivirus to protect against injection viruses, free of cost?

k-planethost
02-28-2010, 02:04 PM
You can install ClamAV antivirus from cPanel/WHM.

nileshparmar
03-13-2010, 02:37 AM
I ran Quick Security Scan but didn't get any result.
Quick Security Check in Progress...
Note: You may see [FAILED] results below; These are normal as this means the service(s) were already shutdown.

Stopping portmap: [FAILED]
Shutting down console mouse services: [FAILED]
Shutting down SMB services: [FAILED]
Shutting down NMB services: [FAILED]
Shutting down xfs: [FAILED]

Gergely Homola
03-31-2010, 03:15 PM
that this thread is awesome. I originally registered to say thank you for these tips, I just kinda' forgot until I got here... ;)

kapz01
04-02-2010, 12:20 PM
Anyone got any idea to this issue:
# /usr/share/logwatch/scripts/logwatch.pl --range today
Can't exec "sendmail": No such file or directory at /usr/share/logwatch/scripts/logwatch.pl line 1017, <TESTFILE> line 2.
Can't execute sendmail -t: No such file or directory

-Edward-
04-03-2010, 11:08 AM
Anyone got any idea to this issue:

Do you have sendmail or any other mail protocol installed?

izumi777
04-11-2010, 12:49 AM
Very nice article. Thanks for sharing. :D

Khaen
04-12-2010, 10:42 AM
Excellent tutorial. The information has helped me.

MarkoB
04-13-2010, 06:27 AM
Thanks, it is very useful for me.

nileshparmar
04-13-2010, 06:34 AM
clamav antivirus from cpanel/whm you can install it

It is not working properly and is not detecting any viruses, e.g. iframe/script malicious code.

Need better solution to this

However, I can find them manually by editing the .html, .htm and .php pages.

nilesh

eSupun
04-22-2010, 12:44 AM
I think this is the total guide everyone is looking for when they go for a VPS solution.

Thank you very much for sharing knowledge with VPS newbies like us :P

Thanks again.

HostNN
04-25-2010, 02:35 PM
Wow thank you! This really helped me out on my VPS. Going to need it to possibly serve my customers.

S_philip
04-26-2010, 01:53 AM
Hello kapz01,

It seems the default mailer entry in logwatch.conf is not set properly.

What is the default mailer you have on your server?

MySpotMedia
05-02-2010, 12:39 PM
Are these general VPS settings, or is it OK to run a small hosting business using these?

assistanz247
05-12-2010, 04:00 PM
Nice work. It would really help VPS Owners.

WebCobra
05-23-2010, 03:07 PM
Great tutorial, long but great tutorial.

galwin
06-02-2010, 02:35 AM
Helped me a lot! I am a new VPS owner and I did some of the things here.

QuickWeb-Roel
06-08-2010, 01:01 AM
My CCNA class is finally starting tonight after a 1 month delay due to lack of participants. The first part is networking fundamentals; I read in the course overview that in chapter 6 they will teach us how to use a networking utility called "ping" :rolleyes:

Flydro
06-08-2010, 06:19 PM
Thanks for this, been looking for a good tutorial to keep my VPS secure as it has been hacked once.

imanewbie
06-15-2010, 05:45 PM
Thanks for this good tutorial, very helpful.

TinyVox
08-01-2010, 11:56 PM
Is this tutorial up to date? It's 5 years old.

eccspert
08-22-2010, 06:22 AM
Nice tutorial, but maybe you should update it.

bluearrow
08-22-2010, 06:52 AM
5 years old but still a very helpful topic.

GoDeT
08-25-2010, 02:23 PM
Nice thread guys! Thanks for everyone's help!

xentos
09-16-2010, 08:26 AM
Thank you, needed the rootkit checker will install it soon :D

angathan
09-16-2010, 12:38 PM
Which firewall is more secure? APF or CSF?

Thanks for the tutorial

junker10
09-24-2010, 07:33 AM
Thanks for the tutorial and the help

capripio
09-30-2010, 05:33 AM
Wow, nice, thanks for sharing.

PyroEsque
10-01-2010, 09:37 AM
Which firewall is more secure? APF or CSF?

Thanks for the tutorial

Could also do with knowing this, anyone got any knowledge to impart?

TinyVox
10-01-2010, 02:02 PM
Well, they both work with iptables. CSF is easier to use and it's well supported by cpanel/whm.

pureheart
10-07-2010, 07:42 PM
Good tutorial... I did this tutorial on my VPS and I get better speed.

TomMosey
10-10-2010, 08:42 AM
Yeah, this is really great, helped me out a lot :) Thanks!

jaimin26783
10-11-2010, 09:33 AM
Very useful thread about VPS tutorial.

Andy - XclusiveTech
10-18-2010, 01:27 AM
Awesome guide! Helped optimize my VPS. Hopefully in the future I can start my own hosting business and apply these techniques.

xenbox
10-18-2010, 10:37 AM
Thanks for the tutorial. Now I can harden my cPanel.

greet

DaringHost
11-01-2010, 06:55 PM
Very Very Very good tutorial.
If you have a VPS I strongly recommend you follow this guide.

Robbie P
11-02-2010, 09:28 AM
An excellent tutorial to read. When I read this I found it all extremely easy to understand and to work through.

steven_elvisda
11-06-2010, 09:37 PM
But I still have a problem with kernel patching. Can anyone give me the best tutorial on kernel patching?

Your idea would be great to me.

jebra
11-24-2010, 10:29 AM
Wow, you need to write a book about it.

Hot dog
11-28-2010, 05:51 PM
If I don't have pico as a command, that means I don't have pine, right? I don't have any kind of cPanel.

innovohosting
11-30-2010, 01:33 PM
Wow!!! Even though I was aware of all (well, almost all) the techniques here, I learned a few new software packages, techniques and sites. This is a very very very good thread!

May I suggest you check out also http://securecentos.com/ for a good and structured source of centos hardening?

tmrsk
01-15-2011, 08:46 PM
Thanks for the tutorial.

leetsauce
02-01-2011, 02:34 AM
Great tutorial! Thanks.

lxspcby
02-18-2011, 12:10 PM
This is a must-bookmark thread; I need to see it every time I reload the OS :D

Vistz
02-20-2011, 11:59 AM
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod


So basically, on my VPS, I should have: the root account and my own account. And both of these accounts should have full access. Am I correct in stating this?

masterbo
02-20-2011, 01:11 PM
So basically, on my VPS, I should have: the root account and my own account. And both of these accounts should have full access. Am I correct in stating this?

Ideally, root user should not have SSH access, and non-root should be restricted to just a few (using AllowGroups directive in sshd_config, for example).

Non-root can only have 'full access' via sudo.

Vistz
02-20-2011, 03:23 PM
Ideally, root user should not have SSH access, and non-root should be restricted to just a few (using AllowGroups directive in sshd_config, for example).

Non-root can only have 'full access' via sudo.

To do that, can't you just do this?

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Where "you" are another user (not root).

masterbo
02-20-2011, 10:26 PM
To do that, can't you just do this?

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Where "you" are another user (not root).

What GUI are you talking about?
Myself, I use plain command-line to control everything, to me it's quicker and simpler.

SSH restrictions will all eventually be reflected in /etc/ssh/sshd_config and hosts.allow (if TCP wrappers are installed).

Thanks.

innovohosting
02-21-2011, 02:35 AM
Yep! How I do it is I have a normal user from which I sudo to root, and I disable remote root login.
If I need more people to have root access, I give them normal users that can change through sudo to root, and that way I can see who became root and when.

Hope it makes sense, just woke up :)
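The two points made above by masterbo (no SSH for root, non-root limited with AllowGroups, full access only via sudo) and by innovohosting (a normal user that sudos to root, remote root login disabled) both end up in /etc/ssh/sshd_config. The following is an added example, not code from either poster: a small audit that reads an sshd_config and reports the settings that contradict that advice. The two configs it checks are constructed samples written to temporary files; on a real host you would run sshd_audit against /etc/ssh/sshd_config, and the AllowGroups group name "sshusers" is an assumed example.

```shell
#!/bin/sh
# Added example: audit sshd_config for remote root login, account restriction
# and password authentication. The sample configs below are constructed.

# Effective value of an sshd_config keyword. sshd honours the FIRST occurrence
# of a keyword, and keywords are case-insensitive, so print the first
# non-comment match and stop.
sshd_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one finding per line; print nothing when the file passes.
sshd_audit() {
    f=$1
    root=$(sshd_value "$f" PermitRootLogin)
    # An absent line means the compiled-in default applies ("prohibit-password"
    # on current OpenSSH, "yes" on old builds), so treat "unset" as a finding.
    case "${root:-unset}" in
        no) ;;
        *) echo "PermitRootLogin is '${root:-unset}', expected 'no' (become root with sudo instead)" ;;
    esac
    if [ -z "$(sshd_value "$f" AllowGroups)" ] && [ -z "$(sshd_value "$f" AllowUsers)" ]; then
        echo "no AllowGroups/AllowUsers: every account with a shell can reach sshd"
    fi
    pw=$(sshd_value "$f" PasswordAuthentication)
    [ "$pw" = "no" ] || echo "PasswordAuthentication is '${pw:-unset}', expected 'no' (use keys)"
}

# Number of findings for a file.
audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: a typical as-shipped file (note the commented-out line,
# which must be ignored in favour of the live one below it).
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: the state the two posts recommend.
HARD=$(mktemp)
cat > "$HARD" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
EOF

echo "== weak config =="
sshd_audit "$WEAK"
echo "== hardened config =="
sshd_audit "$HARD"
```

The group named in AllowGroups is the one you add your own admin accounts to; together with a sudoers entry for that group it gives the setup innovohosting describes, where every escalation to root is tied to a named user in the sudo log. Note that editing sshd_config over SSH and restarting sshd with a mistake in it can lock you out, so check the file with `sshd -t` first and keep a console session open through your VPS control panel.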

Vistz
02-21-2011, 10:20 AM
What GUI are you talking about?
Myself, I use plain command-line to control everything, to me it's quicker and simpler.

SSH restrictions will all eventually be reflected in /etc/ssh/sshd_config and hosts.allow (if TCP wrappers are installed).

Thanks.
Ah, I'm a bit new to this. I was referring to what OP said.

Yep! How I do it is I have a normal user from which I sudo to root, and I disable remote root login.
If I need more people to have root access, I give them normal users that can change through sudo to root, and that way I can see who became root and when.

Hope it makes sense, just woke up :)
Thanks ;)

Vistz
02-21-2011, 10:48 AM
Actually, I have another question. Do these security practices work on Kloxo as well?

coderiser
02-23-2011, 02:43 PM
Great guide, thanks for the info.

sam00168
02-23-2011, 11:56 PM
Thanks for the guide :)

kuyenmotdivad
02-27-2011, 02:27 PM
Great tutorial and advice guys.

Vistz
02-27-2011, 11:03 PM
I will be using Kloxo instead of cPanel and I noticed that Kloxo comes with LXGuard, which blocks a user's IP after a specified number of unsuccessful attempts. Should I still do the section you mentioned about "Root breach DETECTOR and EMAIL WARNING"?