  1. #1

    Recommended Security Hardening Procedures

    I am compiling a list of security hardening procedures which should be performed to a server, with the goal of coming up with a comprehensive list of hardening procedures which should be implemented.

    The following lists the details I have compiled so far. Please feel free to contribute additional hardening tips so we may come up with a full and thorough list:

    Install mod_security
    Install mod_evasive
    Install mod_limitipconn
    Install APF
    Install BFD
    Install PRM
    Install SIM
    Install portsentry
    Install chkrootkit and configure reporting cronjob
    Install rkhunter and configure reporting cronjob
    Install snort
    Install tripwire
    Install libsafe
    Install mail header patch to identify cause of spam sent through nobody
    Limit compiler and fetch utilities access to root only
    Correct folder permissions to prevent directory traversal
    Remove unneeded OS packages
    Upgrade kernel to latest OS release
    Ensure MySQL password is set
    Ensure OpenSSH protocol is only using protocol 2
    Ensure cannot SSH directly to root. Must SSH to admin first.
    Enforce noexec & nosuid on temporary directories /tmp and /var/tmp
    Disable used services
    Disable DNS recursion
    Disable IP source routing
    Disable ICMP redirect acceptance
    Disable certain php functions (system, exec, shell_exec)
    Enable IP spoofing protection
    Enable Spoofing protection
    Enable syncookie protection
    Enable misc. sysctl settings
    Harden host.conf

    Thanks for your input!

  2. #2
    Configure php open_basedir for each account.

    Enable mod_userdir Protection with NO EXCEPTIONS, this is VERY VERY important and is VERY often overlooked. If you REALLY want to have it so users can use http://abc.def.ghi.jkl/~username/ then compile PHP with phpSuExec. If you don't enable mod_userdir prot anyone can read ALL the files in your / and /home/INSERT ANY NAME HERE/public_html folder by using specific php commands. (Commands other than the commonly disabled ones like system, exec)

  3. #3
    Install APF
    Install BFD
    Install PRM
    Install SIM
    Don't forget LES, LSM, and SPRI (well not really security, but still useful).

  4. #4
    bfd and apf are good, though I do prefer lfd/csf

  5. #5
    I also prefer LFD + CSF, It's a lot easier to manage and keep updated. It's also VERY easy to configure and there's virtually no performance difference if any.

  6. #6
    Quote Originally Posted by sallyanne
    Disable used services
    That doesn't help.

  7. #7
    I also prefer LFD + CSF, It's a lot easier to manage and keep updated. It's also VERY easy to configure and there's virtually no performance difference if any.
    Agreed
    Stick with CSF and LFD, not the RFX junk.
    I was using the RFX stuff for quite some time until I found the other, and immediately switched. Why? Simple really:

    Firstly, the APF DDOS junk hasn't worked for me for years. I've had multiple clients say the same things over and over and over. It just doesn't work.

    Secondly, the KISS (Keep It simple stupid) rule. Hey, if you have the option of configuring 5 products, or configuring one, what are you going to want to do? Obviously, stick with the one. The same goes with downloading, updating, etc.

    Thirdly, the configuration itself:
    Configuring most of the RFX products can be a huge PITA, especially with BFD LSM and the like.

    Fourthly, updates
    Good god, APF/RFX stuff have been around and still have no auto updates? Bad bad bad bad

    Fifthly, participation and knowledge:
    Chirpy has been around and working with the CP forums for years. He has spent many hours helping cpanel individuals or moderating their forums, much of which I'm sure is done for free. While Ryan (owner of RFX) may have helped out slightly, I'm quite sure it's not on the level that Chirpy has.

    CSF/LFD are very easily configurable, and can be accessed through WHM/CPanel, though they're NOT tied to CPanel any longer (thanks !!). This means that the configuration can be easily managed by a n00b or a veteran, easily enough.

    That said, on to the rest:
    Ensure cannot SSH directly to root. Must SSH to admin first.
    This is nothing but a MAJOR pain in the tail end, period. It causes NOTHING but problems and time lost, which could very easily be the difference between finding and solving the problem and being locked out of the server because the load is too high.

    Proper solution?
    Disable PASSWORD logins for root. In sshd_config, find the line that looks something like
    PermitRootLogin without-password
    and change it to match that EXACTLY

    An even better solution? Don't let ANYONE in the server with a password:
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no
    Of course that won't work if you've got a bunch of people who don't know how to generate a DSA key, but NEVER disable root login directly. Trust me, it's messy. It SUCKS having to login to a server, then fight the load to get the su command right, then get the paths setup again. Just avoid the whole mess and use PROPER security techniques

    Disable certain php functions (system, exec, shell_exec)
    No
    There is a balance between usability and security, and disabling system functions takes usability and throws it out the window. Valid php applications require exec, system, and the like, so what you're saying there is that the user can not use php functionality that they may need.

    Solution?
    Check out the hardened-php patch. While this won't provide permanent security, it WILL deal with most of the nasty garbage that gets thrown into the system.

    Install snort
    Install tripwire
    Use both of these with caution. BOTH can cause serious issues to a server loadwise. Personally, I wouldn't recommend using either of these applications, as I've seen the effects they've had on multiple servers.

    Another option here for security is to use jailshell. Many users will have many valid needs inside of the server such as uncompressing archives, setting up various things. Denying ssh access isn't always the way to go, but allowing JAILSHELL usually will work.
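As an added example (not from any of the posts above) that serves both the sysctl items in the first post and the sshd_config advice in this reply, here is a small POSIX shell audit that reads the two config files with the precedence rules each daemon actually uses: sshd takes the first match for a keyword, sysctl the last. It also checks PasswordAuthentication, since ChallengeResponseAuthentication no alone does not turn off plain password logins; newer OpenSSH spells without-password as prohibit-password and still accepts the old name. File paths and the sample file contents are constructed for the demonstration.

```shell
# Added example, not from the thread: audits a sysctl.conf and an sshd_config for the
# settings discussed above. Paths and sample contents below are constructed for the demo.
# sshd_config: first match wins, keyword is case-insensitive, '#' starts a comment.
# Assumes the "Keyword value" form (sshd also accepts Keyword=value).
sshd_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# sysctl.conf: "key = value", last occurrence wins, '#' or ';' starts a comment.
sysctl_value() {
  awk -v key="$2" -F= '
    /^[[:space:]]*[#;]/ || NF < 2 { next }
    { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
    k == key { val = v }
    END { if (val != "") print val }' "$1"
}
# check NAME ACTUAL EXPECTED: 0 when equal, else report on stderr and return 1.
check() {
  [ "$2" = "$3" ] || { printf 'FAIL %s: got "%s", want "%s"\n' "$1" "$2" "$3" >&2; return 1; }
}
# hardening_failures SSHD_CONFIG SYSCTL_CONF: prints the number of failed checks.
# Root only with a key, no password logins at all (both sshd knobs are needed), and the
# kernel rejects source routing and ICMP redirects, filters spoofed sources, uses syncookies.
hardening_failures() {
  n=0
  for kv in PermitRootLogin=without-password PasswordAuthentication=no \
            ChallengeResponseAuthentication=no; do
    check "${kv%=*}" "$(sshd_value "$1" "${kv%=*}")" "${kv#*=}" || n=$((n+1))
  done
  for kv in net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0 \
            net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_syncookies=1; do
    check "${kv%=*}" "$(sysctl_value "$2" "${kv%=*}")" "${kv#*=}" || n=$((n+1))
  done
  echo "$n"
}
# Constructed samples: the stray later "PermitRootLogin yes" is ignored (first wins),
# password logins are still on, and ICMP redirects are still accepted -> 2 failures.
SAMPLE_SSHD=$(mktemp) && SAMPLE_SYSCTL=$(mktemp)
cat >"$SAMPLE_SSHD" <<'EOF'
permitrootlogin without-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
cat >"$SAMPLE_SYSCTL" <<'EOF'
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
EOF
hardening_failures "$SAMPLE_SSHD" "$SAMPLE_SYSCTL"
```

Point the two arguments at /etc/ssh/sshd_config and /etc/sysctl.conf to audit a real host; a non-zero count lists each mismatch on stderr.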
