
A Beginner's Guide to Securing Your Server

Discussion in 'Security' started by 000000000, Oct 2, 2004.

  1. 000000000
    A Beginner's Guide to Securing Your Server Part 1 of 3 (Security Inside WHM/CPanel)


    These are items inside of WHM/Cpanel that should be changed to secure your server.



    Go to Server Setup =>> Tweak Settings


    Check the following items...


    Under Domains

    Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)


    Under Mail

    Attempt to prevent pop3 connection floods

    Default catch-all/default address behavior for new accounts - blackhole


    Under System

    Use jailshell as the default shell for all new accounts and modified accounts



    Go to Server Setup =>> Tweak Security

    Enable php open_basedir Protection

    Enable mod_userdir Protection

    Disable Compilers for unprivileged users.



    Go to Server Setup =>> Manage Wheel Group Users

    Remove all users except for root and your main account from the wheel group.



    Go to Server Setup =>> Shell Fork Bomb Protection

    Enable Shell Fork Bomb/Memory Protection



    When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.



    Go to Service Configuration =>> FTP Configuration

    Disable Anonymous FTP



    Go to Account Functions =>> Manage Shell Access

    Disable Shell Access for all users (except yourself)


    Go to Mysql =>> MySQL Root Password

    Change root password for MySQL



    Go to Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:

    /sbin/depmod
    /sbin/insmod
    /sbin/insmod.static
    /sbin/modinfo
    /sbin/modprobe
    /sbin/rmmod
     
  2. 000000000
    A Beginner's Guide to Securing Your Server Part 2 of 3 (with SSH access)


    These are measures that can be taken to secure your server, with SSH access.


    Update OS, Apache and CPanel to the latest stable versions.

    This can be done from WHM/CPanel.



    Restrict SSH Access


    To restrict and secure SSH access, bind sshd to a single IP that is different from the main IP of the server, and to a port other than port 22.


    SSH into server and login as root.

    Note: You can download Putty by Clicking Here. It's a clean running application that will not require installation on Windows-boxes.


    At command prompt type: pico /etc/ssh/sshd_config

    Scroll down to the section of the file that looks like this:

    Code:
    
    #Port 22
    #Protocol 2, 1
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    
    

    Uncomment and change

    #Port 22

    to look like

    Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)


    Uncomment and change

    #Protocol 2, 1

    to look like

    Protocol 2


    Uncomment and change

    #ListenAddress 0.0.0.0

    to look like

    ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


    Note 1: If you would like to disable direct Root Login, scroll down until you find

    #PermitRootLogin yes

    and uncomment it and make it look like

    PermitRootLogin no

    Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


    Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new nameserver.


    Now restart SSH

    At command prompt type: /etc/rc.d/init.d/sshd restart


    Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.


    Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.




    Disable Telnet

    To disable telnet, SSH into server and login as root.

    At command prompt type: pico -w /etc/xinetd.d/telnet

    change disable = no to disable = yes

    Save and Exit

    At command prompt type: /etc/init.d/xinetd restart




    Server e-mail every time someone logs in as root

    To have the server e-mail you every time someone logs in as root, SSH into server and login as root.

    At command prompt type: pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who am i | awk '{print $NF}'`" your@email.com

    Save and exit.




    Set an SSH Legal Message

    To set an SSH legal message, SSH into server and login as root.

    At command prompt type: pico /etc/motd

    Enter your message, save and exit.

    Note: I use the following message...

    Code:
    
    ALERT! You are entering a secured area! Your IP and login information
    have been recorded. System administration has been notified.
    
    This system is restricted to authorized access only. All activities on
    this system are recorded and logged. Unauthorized access will be fully
    investigated and reported to the appropriate law enforcement agencies.
    
    
    Now every time someone logs in as root, they will see this message... go ahead and try it.




    Disable Shell Accounts

    To disable any shell accounts hosted on your server SSH into server and login as root.

    At command prompt type: locate shell.php

    Also check for:

    locate irc
    locate eggdrop
    locate bnc
    locate BNC
    locate ptlink
    locate BitchX
    locate guardservices
    locate psyBNC
    locate .rhosts



    Note: There will be several listings that will be OS/CPanel related. Examples are

    /home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /usr/local/cpanel/etc/sym/bnc.sym
    /usr/local/cpanel/etc/sym/psyBNC.sym
    /usr/local/cpanel/etc/sym/ptlink.sym
    /usr/lib/libncurses.so
    /usr/lib/libncurses.a
    etc.




    Disable identification output for Apache

    To disable the version output for proftp, SSH into server and login as root.

    At command prompt type: pico /etc/httpd/conf/httpd.conf


    Scroll (way) down and change the following line to

    ServerSignature Off


    Restart Apache

    At command prompt type: /etc/rc.d/init.d/httpd restart
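Added example, not part of the post above and not cPanel's or OpenSSH's own tooling: a POSIX sh script that makes the four sshd_config changes from the "Restrict SSH Access" section on a copy of the file and reads them back before you restart sshd. The file path, port 5678 and address 123.123.123.15 are placeholders taken from the post; the stock-looking config fragment it edits is constructed here. Unlike the hand edit, it drops the second commented ListenAddress line so only one survives, and it assumes a flat config without Match blocks, as on the servers the post is written for.

```shell
#!/bin/sh
# Added example (not from the post): apply the sshd_config edits described
# above to a file and verify them before restarting sshd. Port, address and
# file path are whatever you pass in; the sample config below is constructed.

# set_directive FILE KEY VALUE
# Rewrites the first line that sets KEY (commented out or not) to "KEY VALUE",
# drops any further lines for the same KEY (e.g. the second ListenAddress),
# and appends the directive if the file never mentioned it.
# Assumes a flat config with no Match blocks.
set_directive() {
    awk -v key="$2" -v value="$3" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indent and a leading "#"
            split(line, f, /[ \t]+/)
            if (f[1] == key) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_directive FILE KEY: print the effective (uncommented) value of KEY.
get_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT ADDR: the four changes from the post.
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" Protocol 2
    set_directive "$1" ListenAddress "$3"
    set_directive "$1" PermitRootLogin no
}

# verify_sshd_config FILE PORT ADDR: 0 if every directive reads back as set
# and exactly one ListenAddress line survives.
verify_sshd_config() {
    [ "$(get_directive "$1" Port)" = "$2" ] &&
    [ "$(get_directive "$1" Protocol)" = 2 ] &&
    [ "$(get_directive "$1" ListenAddress)" = "$3" ] &&
    [ "$(get_directive "$1" PermitRootLogin)" = no ] &&
    [ "$(grep -c '^ListenAddress ' "$1")" -eq 1 ]
}

# make_sample_config FILE: a constructed, stock-looking sshd_config fragment.
make_sample_config() {
    printf '%s\n' \
        '#Port 22' \
        '#Protocol 2,1' \
        '#ListenAddress 0.0.0.0' \
        '#ListenAddress ::' \
        '#PermitRootLogin yes' \
        'X11Forwarding yes' > "$1"
}

cfg=$(mktemp)
make_sample_config "$cfg"
harden_sshd_config "$cfg" 5678 123.123.123.15
if verify_sshd_config "$cfg" 5678 123.123.123.15; then
    echo "hardened config:"; cat "$cfg"
else
    echo "verification failed" >&2
fi
rm -f "$cfg"
```

Run it against a scratch copy first (cp /etc/ssh/sshd_config /root/sshd_config.new, then harden_sshd_config /root/sshd_config.new PORT ADDR), let sshd parse the result with sshd -t -f /root/sshd_config.new, and only then copy it into place and restart. Keep the session you edited from open and test the new address and port from a second window, so a typo never leaves you with Telnet as the only way back in.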
     
  3. 000000000
    A Beginner's Guide to Securing Your Server Part 3 of 3 (Apps to install)


    These are applications that will help to secure your server.



    Install chkrootkit

    To install chkrootkit, SSH into server and login as root.

    At command prompt type: cd /root/

    At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

    At command prompt type: tar xvzf chkrootkit.tar.gz

    At command prompt type: cd chkrootkit-0.44

    At command prompt type: make sense


    To run chkrootkit

    At command prompt type: /root/chkrootkit-0.44/chkrootkit

    Make sure you run it on a regular basis, perhaps including it in a cron job.




    Install APF Firewall

    To install APF, SSH into server and login as root.

    At command prompt type: cd /root/

    At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

    At command prompt type: tar -xvzf apf-current.tar.gz

    At command prompt type: rm -f apf-current.tar.gz

    At command prompt type: cd apf-0.9.4-6

    At command prompt type: sh ./install.sh


    After APF has been installed, you need to edit the configuration file.

    At command prompt type: cd /etc/apf

    At command prompt type: pico -w conf.apf


    Scroll down and find

    USE_DS="0"

    change it to

    USE_DS="1"


    Now scroll down and configure the Ports. The following ports are required for CPanel:

    Code:
    
    Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"
    
    
    Note: If you changed the port for SSH, be sure to include that port and remove port 22.

    -----
    21 FTP (TCP)
    22 SSH (TCP)
    25 SMTP (TCP)
    53 DNS - Domain Name Server (TCP)
    80 HTTP (TCP)
    110 POP3 (TCP)
    143 IMAP (TCP)
    443 HTTPS (TCP)
    465 sSMTP (TCP)
    953 ??BIND??
    993 IMAP4 protocol over TLS/SSL (TCP)
    995 POP3 protocol over TLS/SSL (was spop3) (TCP)
    2082 CPANEL (http://sitename.com:2082) (TCP)
    2083 CPANEL SSL (https://sitename.com:2083) (TCP)
    2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
    2086 WHM (http://sitename.com:2086) (TCP)
    2087 WHM SSL (https://sitename.com:2087) (TCP)
    2095 WebMail (http://sitename.com:2095) (TCP)
    2096 WebMail SSL (https://sitename.com:2096)
    3306 mySQL remote access (TCP)
    6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
    7786 Interchange (TCP)
    3000_3500
    -----
    5100 for ASP,
    8080 and 8443 for JSP if you use them.
    -----


    Code:
    
    Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="53,6277"
    
    
    -----
    53 DNS - Domain Name Server
    6277 SpamAssassin / DCC (email scanning)
    -----


    Code:
    
    Common ICMP (inbound) types
    IG_ICMP_TYPES="3,5,11,0,30,8"
    
    
    -----
    0 Echo Reply
    3 Destination Unreachable
    5 Destination Unreachable
    8 Echo
    11 Time Exceeded
    30 Traceroute
    -----


    Code:
    
    Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,37,53,80,110,113,123,443,43,873,953,2089,2703,3306"
    
    
    -----
    21 FTP
    25 SMTP
    37 Required for CPANEL Licensing
    53 DNS - Domain Name Server
    80 HTTP
    110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
    113 Authentication Protocol (AUTH)
    123 NTP (Network Time)
    443 HTTPS
    43 WHOIS
    873 rsync (CPanel updates)
    953 BIND ??
    2089 Required for CPANEL Licensing
    2703 Razor (email scanning)
    3306 mySQL remote access
    -----


    Code:
    
    Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53,873,953,6277"
    
    
    -----
    20 ftp-data
    21 FTP
    53 DNS - Domain Name Server
    873 rsync
    953 BIND ??
    6277 SpamAssassin / DCC (email scanning)
    -----


    Code:
    
    Common ICMP (outbound) types
    EG_ICMP_TYPES="all"
    
    


    Save the changes then exit.


    To start APF

    At command prompt type: /usr/local/sbin/apf -s

    APF commands are:

    -s start
    -r restart
    -f flush - stop
    -l list
    -st status
    -a HOST allow HOST
    -d HOST deny HOST


    Log out of SSH and then login again.


    After you are sure everything is working fine, change the DEV option

    At command prompt type: cd /etc/apf

    At command prompt type: pico -w conf.apf


    Scroll down and find

    DEVM="1"

    change it to

    DEVM="0"


    Save changes, exit and then restart firewall,

    At command prompt type: /usr/local/sbin/apf -r




    Install BFD (Brute Force Detection)

    To install BFD, SSH into server and login as root.

    At command prompt type: cd /root/

    At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

    At command prompt type: tar -xvzf bfd-current.tar.gz

    At command prompt type: cd bfd-0.4

    At command prompt type: ./install.sh


    After BFD has been installed, you need to edit the configuration file.

    At command prompt type: pico /usr/local/bfd/conf.bfd


    Under Enable brute force hack attempt alerts:

    Find

    ALERT_USR="0"

    and change it to

    ALERT_USR="1"


    Find

    EMAIL_USR="root"

    and change it to

    EMAIL_USR="your@email.com"


    Save the changes then exit.


    To start BFD

    At command prompt type: /usr/local/sbin/bfd -s




    Modify LogWatch

    Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.


    To modify LogWatch, SSH into server and login as root.

    At command prompt type: pico -w /etc/log.d/conf/logwatch.conf


    Scroll down to

    MailTo = root

    and change to

    Mailto = your@email.com

    Note: Set the e-mail address to an offsite account in case you get hacked.


    Now scroll down to

    Detail = Low

    Change that to Medium, or High...

    Detail = 5 or Detail = 10

    Note: High will give you more detailed logs with all actions.


    Save and exit.
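Added example, not part of the post above and not part of APF: a POSIX sh script for the conf.apf edits in this section that checks each port list before saving it. The hand edit invites three slips: a lost closing quote, a stray "#" inside the quotes (the shell does not treat it as a comment inside a quoted string, so "#123" becomes an element of the list), and port 22 left open after you moved SSH. The script refuses to save an invalid list, swaps 22 for the new SSH port, sets USE_DS="1", and can remove an entry outright, here 2082 and 2086 so cPanel and WHM answer only over SSL. The conf.apf fragment at the bottom is constructed for the demonstration; 5678 is the placeholder port from Part 2.

```shell
#!/bin/sh
# Added example (not from the post, not from APF): edit conf.apf port lists
# with checks a hand edit lacks. Variable names are APF's; the sample
# fragment at the bottom is constructed.

# apf_get FILE VAR: print the quoted value of VAR="..."; empty if missing or unquoted.
apf_get() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | head -n 1
}

# apf_set FILE VAR VALUE: rewrite the VAR= line as VAR="VALUE".
apf_set() {
    sed "s|^$2=.*|$2=\"$3\"|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apf_validate_ports LIST: 0 when every comma-separated element is a port
# 1-65535 or a range LOW_HIGH with LOW <= HIGH; else print the element, return 1.
apf_validate_ports() {
    old_ifs=$IFS; IFS=,
    for p in $1; do
        case $p in
            ''|*[!0-9_]*|_*|*_|*_*_*)
                IFS=$old_ifs; printf 'bad element: %s\n' "$p"; return 1 ;;
        esac
        lo=${p%_*}; hi=${p#*_}
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            IFS=$old_ifs; printf 'bad element: %s\n' "$p"; return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# apf_swap_port LIST OLD NEW: print LIST with OLD replaced by NEW; empty NEW removes OLD.
apf_swap_port() {
    old_ifs=$IFS; IFS=,
    out=
    for p in $1; do
        if [ "$p" = "$2" ]; then p=$3; fi
        if [ -n "$p" ]; then out=${out:+$out,}$p; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# harden_apf_conf FILE SSHPORT: validate every list present, then set
# USE_DS="1" and replace 22 with SSHPORT inbound. Saves nothing on a bad list.
harden_apf_conf() {
    apf_validate_ports "$2" || { printf 'bad SSH port\n'; return 1; }
    for var in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        grep -q "^$var=" "$1" || continue
        list=$(apf_get "$1" "$var")
        [ -n "$list" ] || { printf '%s: missing closing quote or empty list\n' "$var"; return 1; }
        apf_validate_ports "$list" || { printf 'in %s\n' "$var"; return 1; }
    done
    apf_set "$1" USE_DS 1
    apf_set "$1" IG_TCP_CPORTS "$(apf_swap_port "$(apf_get "$1" IG_TCP_CPORTS)" 22 "$2")"
}

conf=$(mktemp)
cat > "$conf" <<'EOF'
USE_DS="0"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"
IG_UDP_CPORTS="53,6277"
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"
DEVM="1"
EOF

# First pass: "#123" inside the quotes is not a comment, it is a bogus port.
harden_apf_conf "$conf" 5678 || echo "conf.apf not saved; fix the element above"
# Repair it (NTP is wanted outbound), then the edit goes through.
apf_set "$conf" EG_TCP_CPORTS "$(apf_swap_port "$(apf_get "$conf" EG_TCP_CPORTS)" '#123' 123)"
harden_apf_conf "$conf" 5678
# Optional: close the plain-HTTP cPanel and WHM ports, keeping 2083 and 2087.
ig=$(apf_get "$conf" IG_TCP_CPORTS)
ig=$(apf_swap_port "$ig" 2082 '')
ig=$(apf_swap_port "$ig" 2086 '')
apf_set "$conf" IG_TCP_CPORTS "$ig"
cat "$conf"
rm -f "$conf"
```

Point harden_apf_conf at /etc/apf/conf.apf only after it has passed on a copy, then apf -r and log in again over the new SSH port from a second window before you turn DEVM off; with DEVM="1" the firewall flushes itself after a few minutes if you have locked yourself out.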
     
  4. dezignguy
    You really should just open a new putty window and login again with that to make sure it works... rather than logging out of your current ssh session. Then you won't be forced to use telnet.
     
  5. mr.wonderful
    I would never ever recommend anyone set their default to blackhole. This is just stupid. This wastes bandwidth and CPU time. :fail: no such user is a much better option.

    Also, this has been hashed and rehashed millions of times. One just needs to do a search. It must be much nicer if you wrote about things that havent been repeated about a million times.
     
  6. Sheldon
    how so is it a waste of bandwidth and cpu time?

    it seems to me :fail: would be more of a waste?

    instead of flaming at the guy why not give examples.
     
  7. 000000000
    Yep, it has been rehashed millions of times. I just did it again with everything in one place. The reason why is because back when I was learning how to do it, I had to search all over the place to find it. Now months later I see that new comers are still having to do the same thing.

    But there is more to it than that... when ever someone new comes into these forums looking for help, they get the same treatment, like at this thread: http://forums.cpanel.net/showthread.php?t=29457.

    Honestly, I posted this for people that need the information. Not to argue with people who have nothing better to do than run around a forum ranting on every one.


    dezignguy
    You make a very excellent suggestion. I can't believe I never thought of that. It certainly would lower the stress level about 10 notches when doing this.

    Had I never posted this thread, I would have never learned this excellent suggestion.


    Sheldon
    I agree. Thanks for your support.



     
  8. dezignguy
    Well, the other guy is right... ::fail:: is preferable to blackhole. The reasons...
    Blackhole accepts everything sent to it and throws away the email not going to an actual account. This uses the full amount of bandwidth, and also requires that the server be reading and writing messages to disk before they are deleted... multiply this by 1,000 messages a day or so (I've got a domain that gets way more than that, especially when the latest fast spreading virus comes out) and you can have a fair amount of load just processing junk messages.
    Fail stops invalid recipients from entering the mailserver in the first place... exim will reject the message during the SMTP conversation, and for invalid recipients it should reject during the header phase, saving you the bandwidth of the data... not insignificant when you're getting 130 kb or so in a binary attachment virus thousands of times per day (remember the virus that sent itself out looking like Windows Update emails from Microsoft?). The sending mailserver then has to deal with the unwanted email. Rejecting messages means your server doesn't have to deal with them. It's also nice for people accidentally mistyping an address to get an error back, instead of it just disappearing so they think it went through.

    My server can do many hundreds of thousands more ::fails:: than it can do ::blackholes::.


    Yes... simply opening a new ssh window and logging in for a new session will let you test your settings when you monkey with anything having to do with ssh. If it won't let you login, you can still use your open window to edit the config files and try again. However, it won't help you if you've managed to block access to SSH with a firewall, or totally kill ssh (like up2date did to me once). Then it's really nice to have webmin (www.webmin.com), or some other alternate way of getting in to your server to edit config files or get a command prompt.
     
  9. PWSowner
    Yes, mr.wonderful's reply is true. Fail is better than blackhole for the reasons explained by dezignguy. I was using blackhole for a while until one day I saw a post by chirpy explaining what each does. I then switched to fail and noticed a difference, plus the advantage of people who mistype being notified.
     
  10. aroop
    Thanks a lot!

    Hi,

    It was really a wonderful post. It saved my time :-D
    :)

    Thanks a looooooooooooooooooooooooooot
     
  11. errsolutions
    Thanks for the great post. This is really useful to me, a cPanel newbie.
     
  12. nettigritty
    Is there any way to receive an alert if the number of messages in the mail queue is more than a certain number?
     
  13. spiff06
    For those of you wanting to disallow access to WHM / cPanel via the insecure ports (2082 & 2086), all you need is exclude these ports from the IG_TCP_CPORTS environment variable; access to either one of these ports will then time out.

    For this fine, comprehensive how-to,
    THANK YOU,
    Eric
     
  14. gcluk
    Thank you

    A most excellent and useful post.
    Got me started and gave me plenty of info to at least protect myself from most of the script kiddies.

    FYI, disallowing root access and limiting to SSH2 through a single port reduced the Brute-Force attacks BFD was reporting far more than anything else I did.

    Just don't forget to add the user you SU from to the wheel group !
     
  15. s_2_s
    It saved a lot of time.
    I know it's written in many places, but thanks to that guy for rewriting it and taking the time to collect it all and post it here :)
     
  16. eth00
    If you guys are interested in even more stuff that can be applied to your server take a look at my website http://eth0.us . I am constantly updating it with new information.

    Nice post above, there is a lot of really good information :) The fail vs blackhole thing saved me a lot of problems with my server. It went from having to scan ~90k emails to only ~20k per day.
     
  17. d-woo
    WHM email notification upon access

    This works great!!!

    Is there any way to get an email when WHM is accessed? ...since WHM is accessed using the same username (root) and password as SSH.
     
  18. benito
    Hi!

    Just a question, does BFD automatically restart on every server reboot?
     
  19. ctbhost

    I have done as suggested above and found a folder called /dev/shm/.../ with the below content:

    /dev/shm/... /eggdrop.txt.1
    /dev/shm/... /eggdrop.txt.1
    /dev/shm/... /eggz/doc/man1/eggdrop.1
    /dev/shm/... /eggz/eggdrop.simple.conf
    /dev/shm/... /eggz/eggdrop.complete.conf
    /dev/shm/... /eggz/eggdrop.advanced.conf
    /dev/shm/... /eggz/eggdrop
    /dev/shm/... /eggz/eggdrop-1.6.10
    /dev/shm/... /eggdrop.txt

    Is this a problem? Should I delete these files?

    Hmmmm, tried to navigate into the folder /dev/shm/.../ but it says it's an invalid directory.
     
    #19 ctbhost, Dec 14, 2004
    Last edited: Dec 14, 2004
  20. rs-freddo
    /dev/shm should be empty.

    I believe it is ram memory, anyway should be empty. Somebody with more knowledge might be able to tell you more.
     
