  1. #1
    Join Date
    Oct 2003
    Posts
    459

    Require Guideline to Secure Linux Box for Newbie

    Hi,

    I have read a lot of documentation about how to secure a Linux box. However, I still have no idea how to get started.

    Could you please provide some guidelines on how to get started?

    Any good step-by-step tutorials for a newbie?

    Thanks~
    seekhosting
    My friends, it's nice to know that you are there when I need you.

  2. #2
    Join Date
    Jan 2004
    Location
    Canada
    Posts
    734
    Well, reading the first page will get you going...

    Did you try the how-tos on WHT?

  3. #3
    Join Date
    Feb 2004
    Posts
    322
    If you are a newbie in hosting, you should have:
    cPanel
    phpsuexec

    And two places you should go every day are:
    webhostingtalk.com: the best place when you have trouble; post your problem and you will probably have an answer in a few minutes.
    forum.ev1servers.net: a big resource about server management.

  4. #4
    Join Date
    Jan 2002
    Posts
    462
    Search for how-tos about security on WHT as well as on forum.ev1servers.net.

    A good idea if you are a newbie is to get a professional server admin securing the box.

  5. #5
    Check out hostinglife.com

    They've got good sections on Getting Started, CPanel, Nameservers, and Security issues.

    Pretty helpful.

  7. #7
    Join Date
    Apr 2002
    Location
    UK
    Posts
    429
    Just some suggestions:

    --------------------------------------------------

    Use The Latest Software

    Keep the OS and 3rd party software up to date. Always!

    --------------------------------------------------

    Change Passwords

    Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.

    --------------------------------------------------

    Set Up A More Secure SSH Environment

    Disabling direct root login will force a hacker to have to guess 2 separate passwords to gain root access.

    After you do this, you will have to login as anotheruser then you will 'su -' to get to root.

    We will also be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol.

    If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

    1. Set up anotheruser if you haven't already got one.


    i. Type: groupadd anotheruser
    ii. Type: useradd -g anotheruser anotheruser
    iii. Type: passwd anotheruser and add a password for the new account.


    On a CPanel system, you can now go into root WHM and add anotheruser to the wheel group.

    2. SSH into your server as anotheruser and gain root access by going su - root and entering the root password.

    3. Type: pico -w /etc/ssh/sshd_config

    4. Find the line:

    Code:
    #Protocol 2, 1
    Uncomment it and change it to look like:

    Code:
    Protocol 2
    5. Next, find the line:

    Code:
    #PermitRootLogin yes
    Uncomment it and make it look like:

    Code:
    PermitRootLogin no
    6. It is also recommended that the following additional lines are added to the file:

    Code:
    LoginGraceTime 300
    IgnoreRhosts yes
    X11Forwarding no
    UseLogin no
    7. Hit CTRL+x, then y then enter to save the file.

    8. Restart SSH with /etc/rc.d/init.d/sshd restart

    --------------------------------------------------

    Disable Telnet

    1. Type: pico -w /etc/xinetd.d/telnet
    2. Change the disable = no line to disable = yes.
    3. Hit CTRL+X press y and then enter to save the file.
    4. Restart xinetd with: /etc/rc.d/init.d/xinetd restart

    --------------------------------------------------

    Install Firewall & Block Unnecessary Ports

    I recommend APF firewall personally, but they all do a similar job.

    APF can be found at: http://www.rfxnetworks.com/apf.php

    Also guard against 'brute force' attacks with: http://www.rfxnetworks.com/bfd.php


    --------------------------------------------------

    Watch The Logs

    Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.

    Logwatch can be found at: http://www.logwatch.org

    Install instructions here.

    --------------------------------------------------

    Run A Root Kit Checker Regularly

    You can get a root kit checker from http://www.chkrootkit.org and make sure you run it on a regular basis, perhaps including it in a cron job.

    Install instructions here

    --------------------------------------------------

    Limit The Kernel's Capabilities

    1. Type: wget ftp://rpmfind.net/linux/PLD/current/...0.6-3.i686.rpm
    2. Type: rpm -Uvh lcap-0.0.6-3.i686.rpm
    3. Type: lcap CAP_SYS_PTRACE

    This will limit the ptrace option which allows attaching to, and controlling the execution of, arbitrary processes. Debuggers do this sort of thing.

    Much can be done with LCAP, but it's also worth remembering that you can lock yourself out of things you actually need, so research it well.

    LCAP changes will be forgotten after reboot (unless you include them in a startup file of course).

    --------------------------------------------------

    Avoid CPanel Demo Mode

    Switch it off via WHM Account Functions => Disable or Enable Demo Mode.

    --------------------------------------------------

    Jail All Users

    Via WHM Account Functions => Manage Shell Access => Jail All Users.

    Better still never allow shell access to anyone - no exceptions.

    --------------------------------------------------

    Disable Troublesome Formmails

    Cpanel's formmails are known to be insecure and, worse, every time one attempts to disable them, the next CPanel upgrade comes along and enables them again.

    This is the recommended procedure for disabling them:

    1. SSH into the box.

    2. Type: cd /usr/local/cpanel/cgi-sys

    3. Type: chmod 0 cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

    4. Type: chattr +i cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

    --------------------------------------------------

    Immediate Notification Of Specific Attackers

    If you need immediate notification of a specific attacker (TCP-wrapped services only), add the following to /etc/hosts.deny:

    Code:
    ALL : nnn.nnn.nnn.nnn : spawn (/bin/echo `date` %c %d | mail -s "Access attempt by nnn.nnn.nnn.nnn on hostname" [email protected]) &

    Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
    Replacing hostname with your hostname.
    Replacing [email protected] with your e-mail address.

    This will deny access to the attacker and e-mail the sysadmin about the access attempt (%c expands to the client information and %d to the daemon name).

    --------------------------------------------------

    Check Open Ports

    From time to time it's worth checking which ports are open to the outside world. This can be done with:

    nmap -sT -O localhost

    If nmap isn't installed, it can be selected from root WHM's Install an RPM option.

    --------------------------------------------------

    Set The MySQL Root Password

    This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.

    Make it different to your root password!

    --------------------------------------------------

    Tweak Security (CPanel)

    From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:

    - php open_basedir Tweak.
    - SMTP tweak.

    You may want to enable:

    - mod_userdir Tweak. But that will disable domain preview.

    --------------------------------------------------

    Use SuExec (CPanel)

    From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's description of what it does:

    "suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "

    Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.

    --------------------------------------------------

    Use PHPSuExec (CPanel)

    This needs to be built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.

    With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their .htaccess files contain no PHP directives.

    --------------------------------------------------

    Disable Compilers

    This will prevent hackers from compiling worms, root kits and the like on your machine.

    To disable them, do the following:

    Code:
    chmod 000 /usr/bin/perlcc 
    chmod 000 /usr/bin/byacc 
    chmod 000 /usr/bin/yacc 
    chmod 000 /usr/bin/bcc 
    chmod 000 /usr/bin/kgcc 
    chmod 000 /usr/bin/cc 
    chmod 000 /usr/bin/gcc 
    chmod 000 /usr/bin/i386*cc
    chmod 000 /usr/bin/*c++ 
    chmod 000 /usr/bin/*g++ 
    chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 
    chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
    You will need to enable them again when you need to perform system updates. To do this, run:

    Code:
    chmod 755 /usr/bin/perlcc 
    chmod 755 /usr/bin/byacc 
    chmod 755 /usr/bin/yacc 
    chmod 755 /usr/bin/bcc 
    chmod 755 /usr/bin/kgcc 
    chmod 755 /usr/bin/cc 
    chmod 755 /usr/bin/gcc 
    chmod 755 /usr/bin/i386*cc
    chmod 755 /usr/bin/*c++ 
    chmod 755 /usr/bin/*g++ 
    chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 
    chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
    --------------------------------------------------

    Obfuscate The Apache Version Number

    1. Type: pico /etc/httpd/conf/httpd.conf

    2. Change the line that begins ServerSignature to:
    Code:
    ServerSignature Off
    3. Add a line underneath that which reads:
    Code:
    ServerTokens ProductOnly
    4. Hit CTRL+X, then y, then enter to save the file.

    5. Restart Apache with: /etc/rc.d/init.d/httpd restart
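    An added example, not part of disoft's post above or of any cPanel/OpenSSH tooling: a small POSIX shell script that audits an sshd_config against the directives recommended in the "Set Up A More Secure SSH Environment" section (Protocol 2, PermitRootLogin no, LoginGraceTime, IgnoreRhosts, X11Forwarding, UseLogin). It is worth knowing that sshd takes the first uncommented occurrence of a keyword, so a hardened line appended to the end of the file changes nothing if an earlier line already sets the same keyword; the script reads the file the same way. The two sample configs it writes are constructed, and the script name and the Red Hat-style "before" layout are assumptions. Note that the check is pinned to the post's era: modern OpenSSH no longer has protocol 1 and ignores UseLogin, so an unset directive would often be fine there, but for the 2004-vintage box in the thread "unset" is reported as a failure.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# settings recommended above.  Usage: sh sshd_audit.sh /etc/ssh/sshd_config
# With no argument it runs against two constructed sample configs.

sshd_get() {
  # $1 = config file, $2 = directive name (case-insensitive).
  # Prints the effective value.  sshd uses the FIRST uncommented occurrence of a
  # keyword, so a hardened line appended at the end of the file does nothing if
  # an earlier line already sets the same keyword; this mirrors that behaviour.
  awk -v key="$2" '
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == tolower(key) {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
      sub(/[[:space:]]+$/, "")
      print
      exit
    }' "$1"
}

sshd_check() {
  # $1 = config file.  Prints one line per directive and returns the number of
  # directives that are missing or wrong (0 = everything as recommended).
  # "unset" counts as a failure: on the post-era sshd the defaults were not safe.
  fails=0
  for pair in Protocol=2 PermitRootLogin=no IgnoreRhosts=yes \
              X11Forwarding=no UseLogin=no LoginGraceTime=300; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(sshd_get "$1" "$key")
    if [ "$got" = "$want" ]; then
      echo "ok    $key $got"
    else
      echo "FAIL  $key is '${got:-unset}', want '$want'"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

write_default_config() {
  # Constructed stand-in for a stock Red Hat-era sshd_config (sample data, not
  # a real file).  Note the commented defaults followed by explicit weak values.
  cat > "$1" <<'EOF'
#Protocol 2,1
Protocol 2,1
#PermitRootLogin yes
PermitRootLogin yes
X11Forwarding yes
EOF
}

write_hardened_config() {
  # The same file after the edits described in the post above (sample data).
  cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
LoginGraceTime 300
IgnoreRhosts yes
X11Forwarding no
UseLogin no
EOF
}

demo_sshd_audit() {
  # Run the audit over the two constructed configs and clean up afterwards.
  d=$(mktemp -d)
  write_default_config "$d/before"
  write_hardened_config "$d/after"
  echo "== before hardening =="
  sshd_check "$d/before" || echo "-> $? problems found"
  echo "== after hardening =="
  sshd_check "$d/after" && echo "-> all recommended settings present"
  rm -rf "$d"
}

if [ "$#" -eq 1 ]; then sshd_check "$1"; else demo_sshd_audit; fi
```

    Run it against the live file after step 8 of the post (`sh sshd_audit.sh /etc/ssh/sshd_config`) and before you close your existing root session, so a typo that would lock you out shows up while you can still fix it.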

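    A second added example, again not from the original post and not the BFD tool itself: the "Install Firewall & Block Unnecessary Ports" and "Immediate Notification Of Specific Attackers" sections together describe detecting brute-force attempts and then writing an /etc/hosts.deny rule for the offender. This script does the first half in a few lines of awk over sshd log output (constructed sample lines, not real log data) and prints the hosts.deny rule from the post for every address over a threshold. The threshold, admin address and host name are made-up parameters. The caveat from the post still applies: hosts.deny is only honoured by TCP-wrapped services, so in practice pair the rule with an APF deny entry.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal brute-force detector in
# the spirit of BFD.  Counts "Failed password" lines per source address in sshd
# log output and emits the hosts.deny rule from the post above for every
# address at or over a threshold.  Sample log lines are constructed.

sample_log() {
  # Constructed sshd lines in /var/log/secure format (not real data).
  cat <<'EOF'
Mar  3 10:01:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 4021 ssh2
Mar  3 10:01:04 host sshd[1234]: Failed password for root from 203.0.113.5 port 4022 ssh2
Mar  3 10:01:05 host sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 4023 ssh2
Mar  3 10:01:07 host sshd[1238]: Accepted password for anotheruser from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:09 host sshd[1240]: Failed password for anotheruser from 198.51.100.7 port 51030 ssh2
Mar  3 10:02:11 host sshd[1242]: Failed password for root from 203.0.113.5 port 4024 ssh2
EOF
}

failed_by_ip() {
  # stdin: sshd log lines.  stdout: "<count> <ip>", most active address first.
  # Only failed logins count; the "Accepted password" line is ignored.
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

deny_rules() {
  # $1 = threshold, $2 = admin e-mail (assumed), $3 = host name (assumed).
  # stdin: output of failed_by_ip.  Emits one /etc/hosts.deny line per
  # offender.  Only TCP-wrapped services honour hosts.deny, so in practice add
  # the address to the firewall (APF deny list) as well.
  while read -r count ip; do
    [ "$count" -ge "$1" ] || continue
    printf 'ALL : %s : spawn (/bin/echo `date` %%c %%d | mail -s "Access attempt by %s on %s" %s) &\n' \
      "$ip" "$ip" "$3" "$2"
  done
}

# Stand-alone run: three or more failures from one address earns a rule.
sample_log | failed_by_ip | deny_rules 3 admin@example.com host.example.net
```

    On a real box replace `sample_log` with `grep sshd /var/log/secure` (or wherever your distribution logs sshd) and append the output to /etc/hosts.deny from cron, or just eyeball the `failed_by_ip` counts alongside the daily logwatch mail.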
  8. #8
    Join Date
    Oct 2003
    Posts
    459
    disoft,

    Wow...... this is a great guide for me! It will take me at least a few days to learn it and play around.

    Thanks~~~~~
    seekhosting
    My friends, it's nice to know that you are there when I need you.
