Page 1 of 13 123411 ... LastLast
Results 1 to 25 of 309
  1. #1

    HOW TO: Secure and Optimize your VPS

    I hope Elix doesn't mind me posting his great VPS OPTIMIZING techniques. I have posted them at the bottom. These technques can definately help you, but remember, use them at your own risk. If you don't know what your doing, research it before attempting it.


    SECURING CPANEL - WHM - AND ROOT on a VPS

    This will help but as mentioned in previous posts, with a VPS you do not have access to your kernal. That is good in some ways, because if you don't have access to it, neither to hackers or spammers (which limits what they can do). Its bad in ways, because you lose control and if you secure your box as much as possible, you are still at risk because you cannot control your kernal.

    At any rate, here are some helpful hints

    =========================================
    Checking for formmail
    =========================================

    Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.


    Command to find pesky form mails:
    find / -name "[Ff]orm[mM]ai*"

    CGIemail is also a security risk:
    find / -name "[Cc]giemai*"

    Command to disable form mails:
    chmod a-rwx /path/to/filename
    (a-rwx translates to all types, no read, write or execute permissions).

    (this disables all form mail)

    If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.


    =========================================
    Root kit checker - http://www.chkrootkit.org/
    =========================================

    Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.


    To install chrootkit, SSH into server and login as root.
    At command prompt type:

    cd /root/
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar xvzf chkrootkit.tar.gz
    cd chkrootkit-0.44
    make sense


    To run chkrootkit

    At command prompt type:
    /root/chkrootkit-0.44/chkrootkit

    Make sure you run it on a regular basis, perhaps including it in a cron job.

    Execution

    I use these three commands the most.
    ./chkrootkit
    ./chkrootkit -q
    ./chkrootkit -x | more


    =========================================
    Install a root breach DETECTOR and EMAIL WARNING
    =========================================

    If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.


    Server e-mail everytime someone logs in as root

    To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.


    At command prompt type:
    pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

    Save and exit.


    Set an SSH Legal Message

    To an SSH legal message, SSH into server and login as root.

    At command prompt type:
    pico /etc/motd

    Enter your message, save and exit.
    Note: I use the following message...

    ALERT! You are entering a secured area! Your IP and login information
    have been recorded. System administration has been notified.
    This system is restricted to authorized access only. All activities on
    this system are recorded and logged. Unauthorized access will be fully
    investigated and reported to the appropriate law enforcement agencies.



    =========================================
    Web Host manager and CPANEL mods.
    =========================================

    These are items inside of WHM/Cpanel that should be changed to secure your server.

    Goto Server Setup =>> Tweak Settings
    Check the following items...

    Under Domains
    Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

    Under Mail
    Attempt to prevent pop3 connection floods
    Default catch-all/default address behavior for new accounts - blackhole
    (according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)

    Under System
    Use jailshell as the default shell for all new accounts and modified accounts

    Goto Server Setup =>> Tweak Security
    Enable php open_basedir Protection
    Enable mod_userdir Protection
    Disabled Compilers for unprivileged users.

    Goto Server Setup =>> Manage Wheel Group Users
    Remove all users except for root and your main account from the wheel group.

    Goto Server Setup =>> Shell Fork Bomb Protection
    Enable Shell Fork Bomb/Memory Protection

    When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

    Goto Service Configuration =>> FTP Configuration
    Disable Anonymous FTP

    Goto Account Functions =>> Manage Shell Access
    Disable Shell Access for all users (except yourself)

    Goto Mysql =>> MySQL Root Password
    Change root password for MySQL

    Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
    /sbin/depmod
    /sbin/insmod
    /sbin/insmod.static
    /sbin/modinfo
    /sbin/modprobe
    /sbin/rmmod

    =========================================
    More Security Measures
    =========================================

    These are measures that can be taken to secure your server, with SSH access.

    Update OS, Apache and CPanel to the latest stable versions.
    This can be done from WHM/CPanel.


    Restrict SSH Access
    To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

    SSH into server and login as root.
    Note: You can download Putty by Clicking Here (http://www.chiark.greenend.org.uk/~s.../download.html). It's a clean running application that will not require installation on Windows-boxes.

    At command prompt type:
    pico /etc/ssh/sshd_config

    Scroll down to the section of the file that looks like this:
    #Port 22
    #Protocol 2, 1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    Uncomment and change
    #Port 22
    to look like
    Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678 lol )

    Uncomment and change
    #Protocol 2, 1
    to look like
    Protocol 2

    Uncomment and change
    #ListenAddress 0.0.0.0
    to look like
    ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

    Note 1: If you would like to disable direct Root Login, scroll down until you find
    #PermitRootLogin yes
    and uncomment it and make it look like
    PermitRootLogin no

    Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


    Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

    Now restart SSH
    At command prompt type:
    /etc/rc.d/init.d/sshd restart

    Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

    Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.

    After SSH has been redirected, disable telnet.

    Disable Telnet
    To disable telnet, SSH into server and login as root.
    At command prompt type: pico -w /etc/xinetd.d/telnet
    change disable = no to disable = yes
    Save and Exit
    At command prompt type: /etc/init.d/xinetd restart


    Disable Shell Accounts
    To disable any shell accounts hosted on your server SSH into server and login as root.
    At command prompt type: locate shell.php
    Also check for:
    locate irc
    locate eggdrop
    locate bnc
    locate BNC
    locate ptlink
    locate BitchX
    locate guardservices
    locate psyBNC
    locate .rhosts

    Note: There will be several listings that will be OS/CPanel related. Examples are
    /home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /usr/local/cpanel/etc/sym/bnc.sym
    /usr/local/cpanel/etc/sym/psyBNC.sym
    /usr/local/cpanel/etc/sym/ptlink.sym
    /usr/lib/libncurses.so
    /usr/lib/libncurses.a
    etc.


    Disable identification output for Apache

    (do this to hide version numbers from potentional hackers)

    To disable the version output for proftp, SSH into server and login as root.
    At command prompt type: pico /etc/httpd/conf/httpd.conf

    Scroll (way) down and change the following line to
    ServerSignature Off

    Restart Apache
    At command prompt type: /etc/rc.d/init.d/httpd restart



    =========================================
    Install BFD (Brute Force Detection - optional)
    =========================================

    To install BFD, SSH into server and login as root.

    At command prompt type:
    cd /root/
    wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
    tar -xvzf bfd-current.tar.gz
    cd bfd-0.4
    ./install.sh

    After BFD has been installed, you need to edit the configuration file.

    At command prompt type:
    pico /usr/local/bfd/conf.bfd

    Under Enable brute force hack attempt alerts:
    Find
    ALERT_USR="0"
    and change it to
    ALERT_USR="1"

    Find
    EMAIL_USR="root"
    and change it to
    EMAIL_USR="your@email.com"

    Save the changes then exit.

    To start BFD

    At command prompt type:
    /usr/local/sbin/bfd -s


    Modify LogWatch
    Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

    To modify LogWatch, SSH into server and login as root.

    At command prompt type:
    pico -w /etc/log.d/conf/logwatch.conf

    Scroll down to
    MailTo = root
    and change to
    Mailto = your@email.com
    Note: Set the e-mail address to an offsite account incase you get hacked.

    Now scroll down to
    Detail = Low
    Change that to Medium, or High...
    Detail = 5 or Detail = 10
    Note: High will give you more detailed logs with all actions.

    Save and exit.

    A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
    --------------------------------------------------
    Use The Latest Software
    Keep the OS and 3rd party software up to date. Always!
    CPanel itself can be updated from the root WHM.
    --------------------------------------------------
    Change Passwords
    Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.

    --------------------------------------------------
    Set Up A More Secure SSH Environment As described here.
    --------------------------------------------------
    Disable Telnet
    1. Type: pico -w /etc/xinetd.d/telnet
    2. Change the disable = no line to disable = yes.
    3. Hit CTRL+X press y and then enter to save the file.
    4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
    Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as 'emergency' messages.

    in.telnetd : ALL : severity emerg

    --------------------------------------------------
    Disable Unnecessary Ports (optional)
    First backup the file that contains your list of ports with:
    cp /etc/services /etc/services.original
    Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
    On a typical CPanel system it would look something like this:
    <?php
    tcpmux 1/tcp # TCP port service multiplexer
    echo 7/tcp
    echo 7/udp
    ftp-data 20/tcp
    ftp 21/tcp
    ssh 22/tcp # SSH Remote Login Protocol
    smtp 25/tcp mail
    domain 53/tcp # name-domain server
    domain 53/udp
    http 80/tcp www www-http # WorldWideWeb HTTP
    pop3 110/tcp pop-3 # POP version 3
    imap 143/tcp imap2 # Interim Mail Access Proto v2
    https 443/tcp # MCom
    smtps 465/tcp # SMTP over SSL (TLS)
    syslog 514/udp
    rndc 953/tcp # rndc control sockets (BIND 9)
    rndc 953/udp # rndc control sockets (BIND 9)
    imaps 993/tcp # IMAP over SSL
    pop3s 995/tcp # POP-3 over SSL
    cpanel 2082/tcp
    cpanels 2083/tcp
    whm 2086/tcp
    whms 2087/tcp
    webmail 2095/tcp
    webmails 2096/tcp
    mysql 3306/tcp # MySQL
    ?>
    Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
    --------------------------------------------------
    Watch The Logs
    Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
    Logwatch can be found at: http://www.logwatch.org
    Install instructions here.
    --------------------------------------------------
    Avoid CPanel Demo Mode
    Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
    --------------------------------------------------
    Jail All Users
    Via WHM Account Functions => Manage Shell Access => Jail All Users.
    Better still never allow shell access to anyone - no exceptions.
    --------------------------------------------------
    Immediate Notification Of Specific Attackers
    If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

    ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
    Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
    Replacing hostname with your hostname.
    Replacing notify@mydomain.com with your e-mail address.
    This will deny access to the attacker and e-mail the sysadmin about the access attempt.
    --------------------------------------------------
    Check Open Ports
    From time to time it's worth checking which ports are open to the outside world. This can be done with:
    nmap -sT -O localhost
    If nmap isn't installed, it can be selected from root WHM's Install an RPM option.
    --------------------------------------------------
    Set The MySQL Root Password
    This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
    Make it different to your root password!
    --------------------------------------------------
    Tweak Security (CPanel)
    From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
    - php open_basedir Tweak.
    - SMTP tweak.
    You may want to enable:
    - mod_userdir Tweak. But that will disable domain preview.
    --------------------------------------------------
    Use SuExec (CPanel)
    From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's decription of what it does:
    "suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "
    Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.
    --------------------------------------------------
    Use PHPSuExec (CPanel)
    This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
    Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
    --------------------------------------------------
    Disable Compilers
    This will prevent hackers from compiling worms, root kits and the like on your machine.
    To disable them, do the following:

    chmod 000 /usr/bin/perlcc
    chmod 000 /usr/bin/byacc
    chmod 000 /usr/bin/yacc
    chmod 000 /usr/bin/bcc
    chmod 000 /usr/bin/kgcc
    chmod 000 /usr/bin/cc
    chmod 000 /usr/bin/gcc
    chmod 000 /usr/bin/i386*cc
    chmod 000 /usr/bin/*c++
    chmod 000 /usr/bin/*g++
    chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
    chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

    You will need to enable them again when you need to perform system updates. To do this, run:

    chmod 755 /usr/bin/perlcc
    chmod 755 /usr/bin/byacc
    chmod 755 /usr/bin/yacc
    chmod 755 /usr/bin/bcc
    chmod 755 /usr/bin/kgcc
    chmod 755 /usr/bin/cc
    chmod 755 /usr/bin/gcc
    chmod 755 /usr/bin/i386*cc
    chmod 755 /usr/bin/*c++
    chmod 755 /usr/bin/*g++
    chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
    chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

    --------------------------------------------------
    Obfuscate The Apache Version Number
    1. Type: pico /etc/httpd/conf/httpd.conf
    2. Change the line that begins ServerSignature to:

    ServerSignature Off

    3. Add a line underneath that which reads:

    ServerTokens ProductOnly

    4. Hit CTRL+X, they y, the enter to save the file.
    5. Restart Apache with: /etc/rc.d/init.d/httpd restart
    --------------------

    COMMON COMMANDS I USE
    System Information
    who
    List the users logged in on the machine. --

    rwho -a
    List all users logged in on your network. The rwho service must be enabled for this command to work.

    finger user_name
    System info about a user. Try: finger root last. This lists the users last logged-in on your system.

    history | more
    Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.

    pwd
    Print working directory, i.e. display the name of your current directory on the screen.

    hostname
    Print the name of the local host (the machine on which you are working).

    whoami
    Print your login name.

    id username
    Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

    date
    Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command

    date 123123572000
    To set the hardware clock from the system clock, use the command (as root)
    setclock

    time
    Determine the amount of time that it takes for a process to complete+ other info. Don’t confuse it with date command. For e.g. we can find out how long it takes to display a directory content using time ls

    uptime
    Amount of time since the last reboot

    ps
    List the processes that are have been run by the current user.

    ps aux | more
    List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

    top
    Keep listing the currently running processes, sorted by cpu usage (top users first).

    uname -a
    Info on your server.

    free
    Memory info (in kilobytes).

    df -h
    Print disk info about all the file systems in a human-readable form.

    du / -bh | more
    Print detailed disk usage for each subdirectory starting at root (in a human readable form).

    lsmod
    (as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

    set|more
    Show the current user environment.

    echo $PATH
    Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.

    dmesg | less
    Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. - only works on dedciated systems

    Commands for Process control
    ps
    Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
    each with the name of the owner. Use top to keep listing the processes currently running.

    fg
    PID Bring a background or stopped process to the foreground.

    bg
    PID Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z

    any_command &
    Run any command in the background (the symbol ‘&’ means run the command in the background?).

    kill PID
    Force a process shutdown. First determine the PID of the process to kill using ps.

    killall -9 program_name
    Kill program(s) by name.

    xkill
    (in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)

    lpc
    (as root) Check and control the printer(s). Type ??? to see the list of available commands.

    lpq
    Show the content of the printer queue.

    lprm job_number
    Remove a printing job job_number from the queue.

    nice program_name
    Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.

    renice -1 PID
    (as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).


    Optimizing your VPS server (help it run more efficiently)


    Quote Originally Posted by elix
    VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!

    MySQL Optimization
    Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
    Code:
     
    [mysqld]
    max_connections = 400
    key_buffer = 16M
    myisam_sort_buffer_size = 32M
    join_buffer_size = 1M
    read_buffer_size = 1M
    sort_buffer_size = 2M
    table_cache = 1024
    thread_cache_size = 286
    interactive_timeout = 25
    wait_timeout = 1000
    connect_timeout = 10
    max_allowed_packet = 16M
    max_connect_errors = 10
    query_cache_limit = 1M
    query_cache_size = 16M
    query_cache_type = 1
    tmp_table_size = 16M
    skip-innodb
     
    [mysqld_safe]
    open_files_limit = 8192
     
    [mysqldump]
    quick
    max_allowed_packet = 16M
     
    [myisamchk]
    key_buffer = 32M
    sort_buffer = 32M
    read_buffer = 16M
    write_buffer = 16M
    In order to make things even faster, you can customize these settings specifically for your VPSs' usage. There's a great howto on InterWorx's forum for this --> http://www.interworx.com/forums/showthread.php?p=2346

    Lastly, I recommend installing mytop to help you monitor your usage...
    Code:
    wget http://dll.elix.us/mytop-1.4.tar.gz
    tar -zxvf mytop-1.4.tar.gz
    cd mytop-1.4
    perl Makefile.PL
    make
    make test
    make install
    Once that's done, just enter in "mytop" .

    PHP & Apache Optimization
    I strongly recommend installing eAccelerator. There's an easy to follow howto here: http://forum.ev1servers.net/showthre...t=eaccelerator. If you use the default cache dir for eAccelerator (/tmp/eaccelerator) make sure you check it reguarily and clean it every once and a while. (it can really get quite large from my experience)

    For httpd.conf I suggest:
    Timeout 200
    KeepAlive On
    maxKeepAliveRequests 100
    KeepAliveTimeout 3
    MinSpareServers 10
    MaxSpareServers 20
    StartServers 15
    MaxClients 250
    MaxRequestsPerChild 0
    HostnameLookups Off

    You can use ab to benchmark your Apache before and after you make changes.

    ab -c 5 -n 20 somephpbasedsiteonyourserver.com/file.php

    I suggest doing 2 or 3 tests like that to get an average.

    If you want to check the Apache error log, try this -->
    cat /usr/local/apache/logs/error_log

    Monitoring Usage
    On a Virtuozzo VPS you can use cat /proc/usr_beancounters to output your usage of the VZ parameters. You should pay most attention to oomguarpages and privmpages. (although anything with a failure is generally bad)

    You can find the amount of connections to Apache with this command:
    netstat -nt | grep :80 | wc -l

    To find the amount of Apache processes use this command:
    ps -A | grep httpd | wc -l (this will show the process count)
    ps -aux | grep httpd (this will show the actual processes)

    To find the amount of MySQL processes use this command:
    ps -A | grep mysql | wc -l (this will show the process count)
    ps -aux | grep mysql (this will show the actual processes)

    Just simply using top (standard view) or top -c (will show the actual command being used and/or location of each process as opposed to just the name) can help you monitor your VPS usage very wel.

    To see your disk space usage, try using this command --> df -h

    Mitigating (D)DOS
    If you're being DDOS'd or DOS'd you can use this command:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    That will help you see how many connections each IP address has in total to your server.

    There's a very decent script you can use to automate the banning of IP addresses available here --> http://forums.deftechgroup.com/showthread.php?t=825

    Although I haven't tried it myself, I suggest you take a look at Scrutinizer as well which sounds very useful --> http://www.solutix.ch/cgi-bin/index.pl

    Spam Assassin
    Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

    Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .

    cPanel Tweak Setings
    Login to WHM as root, and under "Server Configuration" on the nav bar hit "Tweak Settings".

    Here are some suggested settings:
    Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
    - Use "FAIL". If you already have some accounts setup not to use "FAIL" (by default it will not) then run this command to convert to FAIL from BLACKHOLE --> perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*

    Mailman
    - Mailman tends to use a lot of resources, so if you don't need cpanel mailing lists then uncheck this.

    Number of minutes between mail server queue runs (default is 60).:
    - You may want to set this to 180 to reduce load.

    Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
    - This is just generally a good idea. So check this.

    Analog Stats
    - I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command --> rm -rf /home/*/tmp/analog/*

    Awstats Reverse Dns Resolution
    - Make sure this is unchecked, I find it pretty much useless for most users.

    Awstats Stats
    - You can check this if you need a robust stats software that integrates with cPanel, if you don't need it, then don't check it. *Note most hosting clients will want to use this. If you want to delete the existing awstats stats files just run this command --> rm -rf /home/*/tmp/awstats/*

    Webalizer Stats
    - Not many hosting clients will want to use this so, you can uncheck this to reduce load. If you want to delete the existing webalizer stats files just run this command --> rm -rf /home/*/tmp/webalizer/*

    Delete each domain's access logs after stats run
    - Make sure this is checked, otherwise disk space usage can really rack up!

    That's about it for now, I may do some more later....

    Hope it helps!
    Web design :: Frynge.com - http://www.frynge.com
    Web Design - Web Hosting - Web Site Submission and Analysis - Advertising to 1.4 million engines/indexes
      3 Not allowed!

  2. #2
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    Hey - I don't mind it at all
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business
      0 Not allowed!

  3. #3
    Join Date
    Nov 2005
    Posts
    79
    Frynge, terrific job putting this together!
      0 Not allowed!

  4. #4
    Join Date
    Dec 2002
    Location
    Amsterdam/Rotterdam, NL
    Posts
    2,135
    Great post, but you forgot the two most important things to secure a VPS (or server):

    - You need a firewall (highly recommend APF)
    - You need to secure the /tmp partition so that no scripts can run
      0 Not allowed!

  5. #5
    Join Date
    Aug 2005
    Posts
    35
    Great post, good to have all this in one place.

    Question1: how to update chkrootkit? Do I need to remove the existing copy first?

    Question2: My sysadmin says that they don't recomend APF on VPS.

    APF kind works but you have to watch it. If you get over 2000 rules, it pukes out. We don't recommend it.
    Will BFD work without APF?
      0 Not allowed!

  6. #6
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    Quote Originally Posted by zeca40
    Great post, good to have all this in one place.

    Question1: how to update chkrootkit? Do I need to remove the existing copy first?

    Question2: My sysadmin says that they don't recomend APF on VPS.



    Will BFD work without APF?
    Not sure about 1 - but for 2) I don't recommend having over 1000 firewall rules, so your sysadmin is 'tentatively' correct, however I have never personally seen APF puke out from average use. Thus if your VPS provider supports it, I'd go with using APF.

    BFD integrates with APF so I don't think it'll work without it. But, I could be wrong there.
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business
      1 Not allowed!

  7. #7
    Join Date
    Aug 2005
    Posts
    35
    Thus if your VPS provider supports it, I'd go with using APF.
    Yes, APF will work on their VPS servers. Thanks.
      0 Not allowed!

  8. #8
    BFD does not require APF to run, and works fine on VDS servers by itself.
      0 Not allowed!

  9. #9
    Quote Originally Posted by zeca40
    Great post, good to have all this in one place.

    Question1: how to update chkrootkit? Do I need to remove the existing copy first?

    Question2: My sysadmin says that they don't recomend APF on VPS.



    Will BFD work without APF?
    Thanks!

    About chkrootkit. The command I gave you above, installs the latest version. I think they just name the latest version that name, so when you untar it, it opens in to a new folder each time...

    So when you want to get the new version, just simply, repeat the steps on getting it and untarring it without changing the command line and your set.

    Thanks for more info on this. Its very important to keep your server secure, so these spammers and hackers quickly check your security and move on to easier targets.

    Keep adding to this thread so we can create a full security database for VPS'!
    Web design :: Frynge.com - http://www.frynge.com
    Web Design - Web Hosting - Web Site Submission and Analysis - Advertising to 1.4 million engines/indexes
      0 Not allowed!

  10. #10
    Quote Originally Posted by Apoc
    Great post, but you forgot the two most important things to secure a VPS (or server):

    - You need a firewall (highly recommend APF)
    - You need to secure the /tmp partition so that no scripts can run
    Can you give details on how to secure /tmp ?

    I assume a chmod?

    Thanks!
    Web design :: Frynge.com - http://www.frynge.com
    Web Design - Web Hosting - Web Site Submission and Analysis - Advertising to 1.4 million engines/indexes
      0 Not allowed!

  11. #11
    Join Date
    Dec 2002
    Location
    Chester, UK
    Posts
    231
    This is a very useful thread- thanks!
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    www.4sites.com|| cPanel, php & mySQL hosting
      0 Not allowed!

  12. #12
    Join Date
    Feb 2002
    Posts
    2,120
    Quote Originally Posted by frynge
    Can you give details on how to secure /tmp ?

    I assume a chmod?

    Thanks!

    http://www.webhostingtalk.com/showthread.php?t=292259
      0 Not allowed!

  13. #13
    Join Date
    Aug 2005
    Posts
    35
    BFD does not require APF to run, and works fine on VDS servers by itself.
    Question: Will BFD be able to block attacks without having APF? Or will it only detect the attack but not block the attacker?

    I have BFD installed but not APF and on my alerts I see:
    Code:
    Executed ban command:
    /etc/apf/apf -d 210.0.215.4 {bfd.sshd}
    I figure that this does nothing since there is no APF to execute the command, correct?
      0 Not allowed!

  14. #14
    Anyone know if the pangeia link is down? I am logged into my server as root and run the instructions for installing chkrootkit and get the message: Connecting to ftp.pangea.com/| 204.251... etc but nothing happens... the site just appears to time out... Is there somewhere else to get chkrootkit.tar? All of my Google searches default back to pangeia...

    Vince
      0 Not allowed!

  15. #15
    Join Date
    Aug 2005
    Posts
    35
    Just to answer my own question: to use BFD without APF you need to change the conf.bfd file to use host.deny rather tha APF. This works great.

    Change this:
    Code:
    BCMD="/etc/apf/apf -d $ATT_HOST {bfd.$MOD}"
    To this:
    Code:
    BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny"
      0 Not allowed!

  16. #16
    Join Date
    Jun 2004
    Location
    Rockford, Michigan 49341
    Posts
    30

    Thumbs up

    Thank you very much there is a lot of good information here.
      0 Not allowed!

  17. #17
    I just ran the trojan scanner on my VPS and it returned 21 possible trojans detected.

    Here is a list of the possibles it found:

    Possible Trojan - /usr/bin/xmlcatalog
    Possible Trojan - /usr/bin/xmllint
    Possible Trojan - /sbin/lsmod
    Possible Trojan - /usr/bin/dbiprof
    Possible Trojan - /usr/bin/curl
    Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
    Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
    Possible Trojan - /usr/bin/curl-config
    Possible Trojan - /usr/bin/xslt-config
    Possible Trojan - /usr/lib/libexslt.la
    Possible Trojan - /usr/lib/libxslt.la
    Possible Trojan - /usr/bin/xsltproc
    Possible Trojan - /usr/bin/pod2man
    Possible Trojan - /usr/bin/pod2usage
    Possible Trojan - /usr/bin/podchecker
    Possible Trojan - /usr/bin/podselect
    Possible Trojan - /usr/bin/pstruct
    Possible Trojan - /usr/bin/splain
    Possible Trojan - /usr/bin/xsubpp
    Possible Trojan - /usr/bin/xml2-config
    Possible Trojan - /usr/lib/libxml2.la

    Are these safe? If not, how do I get rid of them?
      0 Not allowed!

  18. #18
    Join Date
    Dec 2002
    Location
    Amsterdam/Rotterdam, NL
    Posts
    2,135
    What trojan scanner did you use exactly? I would recommend to run rkhunter and see what it says about MB5 matches. If it's showing the same problems then it's very likely you have been hacked.

    There isn't really a way to get rid of that because you'll probably never know what exactly has been done by a hacker, if he has removed his traces. The only option in that case would be to get your VPS (or server) reinstalled.
      0 Not allowed!

  19. #19
    Unless its a "passive" hacker I think i'm ok. I havent had any problems at all out of the server.

    I used the trojan scanner within WHM
      0 Not allowed!

  20. #20
    Join Date
    Dec 2002
    Location
    Amsterdam/Rotterdam, NL
    Posts
    2,135
    The trojan scanner in WHM is no good, in my opinion. You should use chkrootkit or rkhunter instead (or better yet: both of them).

    Be careful though, never assume there's nothing wrong. Even though you might not notice anything a hacker might be stealing information from your customers and/or send out spam or DoS attacks when you're not looking.
      0 Not allowed!

  21. #21
    Good post! Anymore tweaks or does this sum it all up?
      0 Not allowed!

  22. #22
    Join Date
    Aug 2005
    Posts
    35
    Is it OK to install Razor (http://razor.sourceforge.net/) and DCC (http://www.rhyolite.com/anti-spam/dcc/) on a VPS?
      0 Not allowed!

  23. #23
    Quick small update on the original post.

    FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.

    Second

    In the original post... it was said..
    =========================================
    Web Host manager and CPANEL mods.
    =========================================

    These are items inside of WHM/Cpanel that should be changed to secure your server.

    Goto Server Setup =>> Tweak Settings
    Check the following items...


    Under Mail
    Attempt to prevent pop3 connection floods
    Default catch-all/default address behavior for new accounts - blackhole

    I suggest you do not set this to fail, if you have heavy email user or from 30 clients and up. Use blackhole

    Fail at the beginning saves cpu time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets over worked.

    Do not use FAIL use BLACKHOLE

    I will edit my post above.

    cheers
    Web design :: Frynge.com - http://www.frynge.com
    Web Design - Web Hosting - Web Site Submission and Analysis - Advertising to 1.4 million engines/indexes
      0 Not allowed!

  24. #24
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,710
    Quote Originally Posted by frynge
    Quick small update on the original post.

    FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.

    Second

    In the original post... it was said..
    =========================================
    Web Host manager and CPANEL mods.
    =========================================

    These are items inside of WHM/Cpanel that should be changed to secure your server.

    Goto Server Setup =>> Tweak Settings
    Check the following items...


    Under Mail
    Attempt to prevent pop3 connection floods
    Default catch-all/default address behavior for new accounts - blackhole

    I suggest you do not set this to fail, if you have heavy email user or from 30 clients and up. Use blackhole

    Fail at the beginning saves cpu time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets over worked.

    Do not use FAIL use BLACKHOLE

    I will edit my post above.

    cheers
    There have been MANY debates about this and personally I would say fail is best most of the time. You cannot say blackhole is best for everybody if it is just best for you...
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business
      0 Not allowed!

  25. #25
    Quote Originally Posted by Apoc
    The trojan scanner in WHM is no good, in my opinion. You should use chkrootkit or rkhunter instead (or better yet: both of them).

    Be careful though, never assume there's nothing wrong. Even though you might not notice anything a hacker might be stealing information from your customers and/or send out spam or DoS attacks when you're not looking.
    hey apoc... it doenst look like you can edit posts?

    Do you know how? I wanted to edit the main post.

    cheers
    Web design :: Frynge.com - http://www.frynge.com
    Web Design - Web Hosting - Web Site Submission and Analysis - Advertising to 1.4 million engines/indexes
      0 Not allowed!

Page 1 of 13 123411 ... LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •