Server Security Checklist - Secure your box now!!

#1
08-22-2004, 08:25 PM
GetWired

Last updated: 5/30/04

Original post located at EV1 Forums

There are a lot of things floating around the forums on what to install to get the best degree of safety. A lot of these things are basic, and should be done right after getting ANY server. I have taken the time to do the homework for you and put it in a simple checklist form. To me, an insecure box on RS's network is a threat to me and anyone else on the network, so please, take the time to secure your box.

The main goal of this checklist will be to help any one person setup a working, secure server.

I run mostly Cpanel servers, but control panel upgrades should be around the same method and the most basic thing to perform; therefore I will not go in depth on other control panels.

This checklist assumes you know the basics of Linux and the shell, and are doing all of this via SSH with the program PuTTY.

Note: This is a common mistake people make; anything listed here must be done as root. To get root, please use the command "su -", not "su".

######################
~~~~~~~~~~~~~~~~~~~~
######################

Things to do on your server in order of importance:
  • Full Cpanel (stable) upgrade [Already installed Cpanel/WHM Feature] [Link]
    Note: This should upgrade openssh and all of that good stuff so all those locks show locked.
  • Recompile Apache [Already installed Cpanel/WHM Feature]
  • Bind sshd to only 1 ip, and make it a different ip than your main site, and on a different high level port. Not to forget, disable direct root login.

    Quote:

    pico -w /etc/ssh/sshd_config

    Find the line '#Port 22' and uncomment it and change it to look like 'Port [Random high level port here]'.

    Request an ip from rackshack and create a nameserver using your registrar (like the first time) that will point to that ip and wait till it resolves. (Note: You may have to add an A entry/DNS zone using cpanel or whatever you use as your control panel to get this to function.) Make the name of it something like 'ssh.domain.com', or 'shell1.domain.com'.

    When it resolves, ssh into your box and find the line '#ListenAddress 0.0.0.0' and make it look like 'ListenAddress ##.##.##.##' replacing the number signs with the ip address.

    Find the line '#Protocol 2, 1' and uncomment it and change it to look like 'Protocol 2'

    Find the line '#PermitRootLogin yes' and uncomment it and make it look like 'PermitRootLogin no'.

    Now restart SSH using the command:

    /etc/rc.d/init.d/sshd restart

    Now exit out, enter 'ssh.domain.com' as the host name, put in your high level random port in the box, ssh into your box and you're done.

    If you have ANY problem with this, please login to your server via telnet, fix the problem, login using SSH2 again, and change your passwords. Telnet is a very insecure protocol, but it'll get you out of a jam.

    Note: If you do not have the most current version of putty, please get it as it will allow you to use ssh2 protocol.
    Note 2: Though you could still login to root by logging into admin and su - to root, it would be best to delete the admin login from your server. This'll give hackers an even harder time trying to crack your box. You should keep in mind that the admin login is only a rackshack thing, and is not a default thing, so it might be best to remove it anyway. Delete user admin, add another user, and add that user to the usergroup wheel.
  • Have the server e-mail everytime someone logs in as root:

    Quote:
    - Edit the .bash_profile in the users directory ( in this case /root)
    commands:
    su -
    cd (just cd, nothing else)
    pico .bash_profile

    And put this at the very end:
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" offsite@emailaddress.com
    Advice from freddo:
    Make sure the email address you send to also forwards to an off-server email address. This way the hacker cannot delete the warning email (without hacking another server anyway).
  • Disable Telnet:

    Quote:
    pico -w /etc/xinetd.d/telnet
    Note: (change disable = no to yes)
    Save and Exit
    /etc/init.d/xinetd restart
  • Chroot/Jail [Link]
    Note: If you have a Cpanel server there is a feature already included to Jail the shell account. Please do this ASAP if you plan on giving out shell accounts.
  • APF Firewall
    Quote:
    Originally posted by DavidB

    Follow these instructions to perform a new install of APF.

    1. Make /usr/src the current working directory.
    cd /usr/src

    2. Fetch the most current version of APF.
    wget http://www.r-fx.net/downloads/apf-current.tar.gz

    3. Expand the APF tar.gz file.
    tar -xvzf apf-current.tar.gz

    4. Remove the tar.gz file.
    rm -f apf-current.tar.gz

    5. Locate the APF directory.
    ls -la

    Look for a directory named apf-#.#/ where #.# represents the version of APF being installed (APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).

    6. Make the APF directory the current working directory.
    cd apf-0.9

    Use the directory name you located in step 5.
    Note that the numbers will change as new versions are released.

    7. Run the APF install.
    sh ./install.sh

    8. Make /etc/apf the current working directory.
    cd /etc/apf

    9. Edit the conf.apf file as desired.
    pico -w conf.apf

    A very important part of this firewall you have to edit is the ports. These ports will allow services such as mail, ftp, and ssh come in and out of the server. If you have changed any ports, please modify them below and add/remove as needed.

    ################

    # Common TCP Ports
    TCP_CPORTS="21,22,25,26,53,80,110,143,443,2082,2083,2086,2087,2095,2096,19638"
    (Please note that ports 2082 to 2095 are mostly used by cPanel, and port 19638 is only used in Ensim.)

    # Common UDP Ports
    UDP_CPORTS="53"

    ################

    Note that you must set the DEVM parameter to "0" BUT only after full testing of the firewall. What DEVM does is that once you start APF with DEVM to 1, it will set a cron job to stop APF in 5 minutes so you don't end up locking yourself out.

    Turn on Anti-DOS, and the block list for added security.

    10. Start APF.
    ./apf -start
    or
    service apf start

    Note: To stop or restart apf, use the "service apf restart/stop" commands.
  • Use sftp (secure ftp via ssh2) instead of ftp[Link]
    Note: FTP is a global protocol, everyone knows about it. It's best to do this when you don't have that many clients on your server. Some people aren't that smart to figure out how to use the SFTP protocol sometimes. :p
  • Tripwire [Link]
  • Email Anti-Virus Scanner (MailScanner) & Anti-Virus Scanner (ClamAV) [Link]
  • chkrootkit [Link]
  • Disable direct root login [Link]
  • PRM (Process Resource Monitor) [Link]
  • MRTG bandwidth monitor
  • Mask apache server & services version numbers [Link]
  • Set a SSH Legal Message [Link]
    Note: I like to put a legal notice here. Something like:

    This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.

######################
~~~~~~~~~~~~~~~~~~~~
######################

That's about all I have, other than a set of 'always do this' rules.

1.) Always try to use sftp.
2.) Always use ssh2 protocol.
3.) Never ever have passwords lying around or use easily crackable passwords. A nice password holder and generator program is Personal Vault. You can check it out and download it here [Link]

I plan on making a definitive howto page on my website on how to properly secure your cpanel box to its fullest, with each howto on its proper page so you don't have to go looking around. However, that is once I get permission from each person that wrote each HOWTO. :p

If you have a comment on this or something you think that should be added, please PM me. I want to keep this thread as clean as possible so newbs don't have to scroll through pages of stuff.

I will constantly update this when required.
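Added example, not part of GetWired's checklist or of any linked howto: a small POSIX shell script that audits an sshd_config for the four settings the checklist changes (Port, ListenAddress, Protocol, PermitRootLogin) and then confirms the chosen SSH port is listed in APF's TCP_CPORTS, which is the lockout the DEVM timer exists to catch. File paths are passed as arguments; the sshd_config and conf.apf it creates for the demo are constructed, 203.0.113.10 and port 2299 are placeholders, and the comma-separated list with low_high ranges is assumed to be APF's conf.apf syntax.

```shell
#!/bin/sh
# Added example (not from the thread or any linked howto): audit an sshd_config for the
# four settings the checklist changes, and confirm APF's conf.apf lets the chosen SSH
# port through so the firewall cannot lock you out. Paths are arguments; the files the
# demo at the bottom creates are constructed.

# Effective value of an sshd_config keyword: first uncommented match wins, as in sshd.
# Prints nothing when the keyword is absent or commented out (sshd then uses its default).
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# One "FAIL <keyword>: <reason>" line per deviation from the checklist. Always returns 0;
# callers count the FAIL lines.
audit_sshd() {
    cfg="$1"
    port=$(sshd_value "$cfg" Port)
    listen=$(sshd_value "$cfg" ListenAddress)
    proto=$(sshd_value "$cfg" Protocol)
    root=$(printf '%s' "$(sshd_value "$cfg" PermitRootLogin)" | tr 'A-Z' 'a-z')

    [ -n "$port" ] && [ "$port" != "22" ] || echo "FAIL Port: still 22 (unset also means 22)"
    [ -n "$listen" ] && [ "$listen" != "0.0.0.0" ] || echo "FAIL ListenAddress: binds every interface"
    [ "$proto" = "2" ] || echo "FAIL Protocol: SSH1 still enabled (value '$proto')"
    [ "$root" = "no" ] || echo "FAIL PermitRootLogin: direct root login allowed"
    return 0
}

# Returns 0 if the SSH port from sshd_config ($1) is listed in TCP_CPORTS of conf.apf ($2).
# Assumes APF's list syntax: comma-separated ports, ranges written as low_high.
apf_allows_ssh() {
    port=$(sshd_value "$1" Port)
    [ -n "$port" ] || port=22
    awk -F'"' '/^[[:space:]]*TCP_CPORTS=/ { print $2; exit }' "$2" | tr ',' '\n' |
    awk -v p="$port" '
        /_/ { split($0, r, "_"); if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) ok = 1; next }
        $0 == p { ok = 1 }
        END { exit ok ? 0 : 1 }
    '
}

# --- stand-alone demo on constructed files (203.0.113.10 and 2299 are placeholders) ---
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
#Port 22
Port 2299
ListenAddress 203.0.113.10
Protocol 2
PermitRootLogin no
EOF
cat > "$demo/conf.apf" <<'EOF'
# Common TCP Ports (the SSH port is deliberately missing)
TCP_CPORTS="21,25,53,80,110,143,443,2082_2087,2095,2096"
UDP_CPORTS="53"
EOF

audit_sshd "$demo/sshd_config"        # prints nothing here: all four settings pass
if apf_allows_ssh "$demo/sshd_config" "$demo/conf.apf"; then
    echo "APF allows the SSH port"
else
    echo "WARNING: SSH port $(sshd_value "$demo/sshd_config" Port) is not in TCP_CPORTS; add it before starting APF"
fi
rm -rf "$demo"
```

Run it against the real files with `audit_sshd /etc/ssh/sshd_config` and `apf_allows_ssh /etc/ssh/sshd_config /etc/apf/conf.apf` after editing them and before `service apf start`; a FAIL line or a WARNING means the change has not taken yet, and the order matters because the DEVM cron job only saves you for five minutes.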

#2
08-22-2004, 10:09 PM
GetWired
Thanks to whoever moved this by the way to the correct forum, I didn't see it :p

#3
08-23-2004, 02:21 PM
Apoc
It's a great tutorial, however there are a couple of things that I would add:

- you should chmod programs such as wget to 750 so that only root can execute it.
- as a good addition to APF, also install BFD (brute force detection). It's from the same author, and it works great.
- as for PRM: it's quite important to note that programs such as apache should be added to the ignore list, otherwise it's likely to crash
- your link to the mailscanner tutorial isn't working.
- mod_security would be a good idea
- pmon is a nice security improvement too
- it's important to secure the /tmp partition
- I'd recommend to disable compilers for all users but root. On cpanel you can do this with "/scripts/compilers off"

Also note that telnet is already disabled by default on Fedora Core 2.

Just my $0.02, feel free to implement that in your list.

Regards,
André van Vliet
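Added example, not Apoc's code or any tool's: a POSIX shell script that checks two of the suggestions above, that fetch tools and compilers such as wget and gcc are not executable by everyone (the effect of the chmod 750 suggestion), and that /tmp is mounted with noexec and nosuid, read from an fstab-style file. The files it runs against in the demo are constructed in a temporary directory; /usr/bin/wget, /usr/bin/gcc and /etc/fstab appear only in a comment as the real paths you would pass.

```shell
#!/bin/sh
# Added example (not Apoc's code): check two of the suggestions above on a box:
# 1) fetch tools and compilers are not executable by "other" (mode 750 or tighter), and
# 2) /tmp is mounted with noexec and nosuid, read from an fstab-style file.
# The demo at the bottom runs on constructed files in a temporary directory.

# Print each path in $@ that is executable by "other". Paths that do not exist are
# skipped (the tool is simply not installed). Parses ls -l so it works on GNU and BSD.
world_exec_binaries() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        other=$(ls -ld "$f" | cut -c8-10)     # permission bits for "other"
        case "$other" in
            *x*) echo "$f (other=$other)" ;;
        esac
    done
    return 0
}

# Return 0 if the /tmp entry of the fstab-style file $1 carries both noexec and nosuid,
# 1 if either is missing or /tmp has no entry at all.
tmp_has_noexec() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == "/tmp" {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noexec") ne = 1
                if (opt[i] == "nosuid") ns = 1
            }
        }
        END { exit (found && ne && ns) ? 0 : 1 }
    ' "$1"
}

# --- stand-alone demo on constructed files; on a real server pass e.g.
# /usr/bin/wget /usr/bin/gcc /usr/bin/cc to world_exec_binaries and /etc/fstab to tmp_has_noexec
demo=$(mktemp -d)
: > "$demo/wget"; chmod 755 "$demo/wget"      # constructed: still world-executable
: > "$demo/gcc";  chmod 750 "$demo/gcc"       # constructed: already restricted to owner/group
printf '%s\n' \
    '/dev/sda1  /     ext3  defaults                1 1' \
    '/dev/sda2  /tmp  ext3  defaults,noexec,nosuid  1 2' > "$demo/fstab"

echo "Still executable by everyone (fix with chmod 750):"
world_exec_binaries "$demo/wget" "$demo/gcc"
if tmp_has_noexec "$demo/fstab"; then
    echo "/tmp: noexec,nosuid set"
else
    echo "/tmp: add noexec,nosuid to its mount options"
fi
rm -rf "$demo"
```

Note that checking /etc/fstab tells you what the next boot will do; `mount | grep ' /tmp '` tells you what is in effect right now, and the two should agree.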

#4
08-23-2004, 02:24 PM
GetWired
Yeah, it is in sore need of an update.

I was planning on putting it on a website with nice javascript drop downs to make it look neater.

I'll get to that sooner or later, but for now this is the tip of the iceberg.

#5
08-23-2004, 02:28 PM
Apoc
Nice!

If you need any help on the points that I suggested (as in, if you need a howto), feel free to ask me any time.

I'd mainly like to suggest mod_security, or snort.

#6
08-23-2004, 02:33 PM
GetWired
Yeah, thanks! I sometimes find it really hard to find a howto on how to install some of the programs I find that could be useful.

I know there is a nice nice thread on mod_security, or plenty of them around on these forums. I have a few bookmarked. Could you help me with snort? Point me to a few howto's?

Also is there more information on disabling compilers and what exactly is the benefit? First time I heard of that.

Thanks

#7
08-23-2004, 02:47 PM
Apoc
The advantages of disabling compilers are:

- if you disallow IRC, people won't be able to compile eggdrops for instance
- Most rootkits come precompiled but not all of them do, the ones that are not would be prevented (it only takes away a part of the problem, but a part is at least something)


I'm not using snort myself, but I have heard good things about it. I'll see if I can find any howtos about it.

#8
08-23-2004, 02:49 PM
Apoc

#9
08-31-2004, 11:28 PM
GetWired
Hmm thanks.

#10
09-24-2004, 05:54 PM
Georgecooldude
this is a good guide. Are there any books along this topic I can buy to gain an even greater knowledge of security?

#11
09-28-2004, 06:47 AM
Apoc
I've actually been considering to write something like that, but I don't have the time.

There are plenty of books available already though, try amazon.com.

#12
10-07-2004, 08:53 PM
wowtim
Recommended Hot fixes.

1) Disable Telnet Server.
2) Update Openssl www.openssl.org openssl-0.9.7d (current)
3) Update Openssh www.openssh.org openssh-3.9p1 (current)
4) Disable Ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
5) Shut down any unnecessary servers. (daytime, nameserver, finger, & sunrpc).
6) Install & Configure a firewall (iptables) or (ipchains).
7) Use Languard and Scan the IP, ( your server should now be a ghost ) people will have to telnet each individual port to see if it's open.

The only ports you should need open to the public are:
21 FTP
22 SSHD
25 SMTP
80 HTTPD
110 Pop3
143 Imap >> This port can be private, Allow only 127.0.0.1 Connects or localhost.
443 Secure WebServer SSL enabled Only if using secure websites.

And Finally if you want to allow users to have a unix shell. You will want to update to the latest 2.4 or 2.6 kernel. Earlier versions of the kernel are vulnerable to local attacks via Unix Shell.
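Added example, not from wowtim's post: a POSIX shell function that compares a `netstat -tln` listing against an allowlist like the port table above and prints everything else that is listening. An allowlist entry is either "port" (may listen on any address) or "port@addr" (may only listen on that local address), so 143@127.0.0.1 expresses the IMAP-on-localhost-only rule. The listing in the block is constructed (it includes the sunrpc port 111 the post says to shut down, and IMAP bound to all interfaces); on a live server you would pipe real `netstat -tln` output into the function instead.

```shell
#!/bin/sh
# Added example (not from wowtim's post): compare a `netstat -tln` listing against an
# allowlist of expected listeners and print everything else. An allowlist entry is either
# "port" (may listen anywhere) or "port@addr" (may only listen on that local address,
# e.g. 143@127.0.0.1 for a loopback-only IMAP). The listing below is constructed; on a
# live server pipe real `netstat -tln` output into the function instead.

# stdin: netstat -tln output; $1: space-separated allowlist. One line per finding,
# "UNEXPECTED <addr:port>" or "EXPOSED <addr:port> (expected <addr>)". Always returns 0.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) {
                split(a[i], kv, "@")
                want[kv[1]] = (kv[2] == "" ? "*" : kv[2])
            }
        }
        $1 !~ /^tcp/ || $NF != "LISTEN" { next }      # headers, UDP, non-listening sockets
        {
            sock = $4
            port = sock; sub(/.*:/, "", port)          # text after the last colon (tcp6 too)
            addr = sock; sub(/:[0-9]+$/, "", addr)     # everything before it
            if (!(port in want)) { print "UNEXPECTED " sock; next }
            if (want[port] != "*" && addr != want[port])
                print "EXPOSED " sock " (expected " want[port] ")"
        }
    '
    return 0
}

# --- stand-alone demo: the port table above as an allowlist, IMAP restricted to loopback ---
allow="21 22 25 80 110 143@127.0.0.1 443"
listing='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN'

printf '%s\n' "$listing" | unexpected_listeners "$allow"
# prints: EXPOSED 0.0.0.0:143 (expected 127.0.0.1) / UNEXPECTED 127.0.0.1:3306 / UNEXPECTED 0.0.0.0:111
```

A loopback-only service such as the MySQL socket in the demo shows up as UNEXPECTED until you add it to the allowlist as 3306@127.0.0.1, which is the point: every listener should be on the list on purpose, with the narrowest address it needs.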

#13
10-07-2004, 10:14 PM
Steven
Quote:
And Finally if you want to allow users to have a unix shell. You will want to update to the latest 2.4 or 2.6 kernel. Earlier versions of the kernel are vulnerable to local attacks ViA Unix Shell.
Who cares about unix shell? It can be rooted with some php.

#14
10-08-2004, 01:54 AM
wowtim
please do elaborate on this a little more.

#15
10-08-2004, 02:28 PM
Apoc
Quote:
Originally posted by wowtim
Recommended Hot fixes.

1) Disable Telnet Server.
2) Update Openssl www.openssl.org openssl-0.9.7d (current)
3) Update Openssh www.openssh.org openssh-3.9p1 (current)
4) Disable Ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
5) Shut down any unnecessary servers. (daytime, nameserver, finger, & sunrpc).
6) Install & Configure a firewall (iptables) or (ipchains).
7) Use Languard and Scan the IP, ( your server should now be a ghost ) people will have to telnet each individual port to see if it's open.

The only ports you should need open to the public are:
21 FTP
22 SSHD
25 SMTP
80 HTTPD
110 Pop3
143 Imap >> This port can be private, Allow only 127.0.0.1 Connects or localhost.
443 Secure WebServer SSL enabled Only if using secure websites.

And Finally if you want to allow users to have a unix shell. You will want to update to the latest 2.4 or 2.6 kernel. Earlier versions of the kernel are vulnerable to local attacks via Unix Shell.
I disagree with several points you made there.

Disable ping? Why? That really doesn't help much in server security and will probably only get you people shouting about this, and on top of that pings can be very useful for monitoring purposes.

Disable nameservers? Well if you don't need them: ok. But nearly every webhosting environment needs nameservers.

Leaving port 22 open? Bad advice. Change the port for SSH to a different port.

I appreciate that you're trying to give people advice, but only give advice if it's any good please.
