
what next !!!
Hello fellows !!
I just got my server and the WHM & cPanel all set (my ISP set that up), and I'm not that good at setting up security on a web server.
So, what do I need to do next in order to tighten up my server? Any help, guys, as to how I do it?
expecting any links, notes, descriptions, help or comments etc. etc.
thanks
Psyke2600 08-08-2002, 03:48 PM
Hi oc3, security is a pretty complex thing. The "easiest" thing to do, which will still keep you pretty secure, would be to make sure all of the applications which are bound to a port, or which are used alongside Apache, are ALWAYS up to date with the latest security patches. Don't allow anonymous access on anything.
Don't allow your users to allow anonymous access on FTP.
If you'd like a friend of mine to give your server the highest security possible at this current time, send me a private message and we can sort a price out.
sitekeeper 08-08-2002, 04:10 PM
At this time WHM/cPanel is the best control panel out there, so you are off to a good start.
WHM/cPanel updates itself every night, so that is a big help. One important thing to remember is that you have a cPanel/Linux server, not just a Linux server. What I mean is that cPanel makes changes to files that you would not see on a regular Linux box.
So if you were to install something that overwrote one of these configuration files, it could mean trouble.
Search here or at http://cpanel.net before you think about adding any features like Java, ASP, or Mod_Gzip.
Do not offer telnet, period, or SSH unless you know why the client needs access to it. Many hosts get a copy of a photo ID first.
Use a good password with mixed chars. like: 1ThiS~Ab2
Don't ever give anyone root unless you are sure about that person. If you need something done to the server, use someone from your host. If you do use someone else, check that person out very carefully. If they don't have a few good references, forget about them. There are some on this board that have been around a while.
Sending the root password through email is not a good idea either.
Good Luck
m00ds 08-08-2002, 04:11 PM
hmm let me see... though not necessarily in this order:
1) really understand your OS!
2) see number 1
3) see number 2
4) update and install the latest patches
5) only enable the services that you really need and stop all the other services that you don't.
6) don't use telnet but use ssh to connect to your server remotely. if possible never telnet/ftp out from your server to a different server. this is a security risk.
7) check out www.securityfocus.com - an excellent resource.
8) make a backup of all your binaries on a fresh OS install in case you need it in the future.
there's more to security than what i've mentioned above. these were just some that I could think of... :)
thank you guys so much... please keep coming !!! it's really a booster.
regards
I am far from a security expert, but you should make the... I don't know what they are officially called... MD5 checksums of important binaries and store them so you can compare them at a later date, remove unrequired entries in the password files, what else... I guess what everyone else was saying, update update update...
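A sketch of the checksum baseline described in the post above, as an added example that is not part of the original thread. It swaps SHA-256 (GNU sha256sum) in for MD5, and the function names make_baseline and check_baseline are made up for illustration.

```sh
#!/bin/sh
# Added example (function names are hypothetical). Requires GNU sha256sum.

# make_baseline DIR OUT: record a SHA-256 digest for every regular file under DIR.
make_baseline() {
    # -exec ... {} + copes with spaces in names; sorting keeps the file diffable.
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# check_baseline DIR BASELINE: print CHANGED/MISSING/NEW lines, return 1 if any.
# Pass DIR exactly as it was given to make_baseline so the paths line up.
check_baseline() {
    dir=$1; base=$2
    tmp=$(mktemp -d) || return 2
    {
        # Re-hash every path in the baseline; keep only the failures.
        LC_ALL=C sha256sum -c "$base" 2>/dev/null |
            sed -n -e 's/^\(.*\): FAILED open or read$/MISSING \1/p' \
                   -e 's/^\(.*\): FAILED$/CHANGED \1/p'
        # Files present now but absent from the baseline (path starts at column 67).
        cut -c67- "$base" | LC_ALL=C sort > "$tmp/known"
        find "$dir" -type f | LC_ALL=C sort > "$tmp/now"
        LC_ALL=C comm -13 "$tmp/known" "$tmp/now" | sed 's/^/NEW /'
    } > "$tmp/report"
    cat "$tmp/report"
    if [ -s "$tmp/report" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}
```

Take the baseline on the fresh install and keep it somewhere the server cannot write to, so a later comparison can be trusted.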
battman21 08-09-2002, 05:22 AM
I'm surprised no one has mentioned make sure that you access your server ONLY via SSH - NEVER use Telnet; ensure that you have the latest and greatest OpenSSH installed; prefer the use of Secure FTP and just be sensible with your user policies.
sitekeeper 08-09-2002, 05:34 AM
(6) don't use telnet but use ssh to connect to your server remotely. if possible never telnet/ftp out from your server to a different server. this is a security risk.
I think it was covered...
battman21 08-09-2002, 06:27 AM
Cheers.. reading too fast and missed it!
Is that all,
so, i can take it as if it is done, and need not worry much about it.
regards/-
Ahmad 08-09-2002, 12:21 PM
Originally posted by oc3
Is that all,
so, i can take it as if it is done, and need not worry much about it.
regards/-
Well, yes, if you consider this to be easy:
1) really understand your OS!
2) see number 1
3) see number 2
I would like to add one more thing, read a security book. I read "Hacking Linux Exposed" myself and I find it great.
hostchamp 08-13-2002, 02:18 PM
never allow shell access to your customers, I believe 95% of servers are hacked because of this, turn telnet off, use only ssh to access yourself. make sure you allocate /bin/false shell to all your customers.
sadistikal 08-13-2002, 02:51 PM
never allow shell access to your customers,
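A way to check which accounts still have a login shell, as an added example that is not part of the original thread. It assumes /bin/false and nologin are the only non-login shells in use (adjust the pattern for others); the function names and the sample passwd entries are constructed for illustration.

```sh
#!/bin/sh
# Added example (function names are hypothetical; the passwd entries are constructed).

# audit_passwd FILE: list accounts that can get an interactive shell, plus any
# extra UID 0 accounts, from a passwd-format file.
audit_passwd() {
    awk -F: '
        /^#/ || NF < 7 { next }                      # skip comments and short lines
        $3 == 0 && $1 != "root" { print "UID0 " $1 } # second superuser account
        $7 !~ /\/(false|nologin)$/ {                 # anything else is a login shell
            print "SHELL " $1 " " ($7 == "" ? "(default /bin/sh)" : $7)
        }
    ' "$1"
}

# Constructed sample: cust1 is locked down as the post advises, cust2/cust3 are not.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0::/root:/bin/false
cust1:x:501:501::/home/cust1:/bin/false
cust2:x:502:502::/home/cust2:/bin/bash
cust3:x:503:503::/home/cust3:
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
EOF
}
```

On a live server the call would be `audit_passwd /etc/passwd`; an empty shell field is reported because it falls back to /bin/sh.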
Boooooooo. Luckily my current host allows me a shell. Makes it a lot easier for me to maintain my web site.
the elf 08-13-2002, 03:02 PM
Originally posted by hostchamp
never allow shell access to your customers, I believe 95% of servers are hacked because of this, turn telnet off, use only ssh to access yourself. make sure you allocate /bin/false shell to all your customers.
If you use the right directory permissions, your server will be secure. Don't use the right permissions, you're just asking for it.
I only provide shell access to customers that have had an account for over 3 months.
Webdude 08-13-2002, 10:55 PM
Originally posted by sitekeeper
At this time WHM/cPanel is the best control panel out there, so you are off to a good start.
I don't know who lied to you and why you believed it. You can search these forums to find that's not true. I have yet to see any host now using WHM who has actually previously used Hsphere in a live environment. There are, however, a great number of hosts that have dumped WHM for Hsphere... myself included.
On another note, I visited your site. Reading the part about mod_gzip, thought I would update you about the new one, mod_hs. It's by the same makers, but it's not free. It's $1500 per CPU. I am about to test it to see if it's worth it...
hostchamp 08-14-2002, 04:23 AM
If you use the right directory permissions, your server will be secure. Don't use the right permissions, you're just asking for it.
the elf, could you pls elaborate on the above, maybe I can learn too.
Hello,
so, can someone tell me how you go about setting up a secured ssh on the server? I mean in detail !!!
Thanks
sadistikal 08-14-2002, 10:32 AM
While I believe that shell access is important for my web hosting and I also think it should be an option for service, I don't agree with the following:
If you use the right directory permissions, your server will be secure
That's a false sense of security. Every now and again a vulnerability will come out that will allow a local user to gain root regardless of directory permissions.
I don't think that's a great reason for disallowing this access, however. Just subscribe to bugtraq, know your security and update as soon as there is a problem.
Sadistikal