A Beginner's Guide to Securing Your Server

x-man

Well-Known Member
Jan 25, 2004
000000000 said:
Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf


Scroll (way) down and change the following line to

ServerSignature Off


Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart
But when I asked here about that, somebody told me that if I disable that, cPanel can work on update like when that is ON. Is that true?!

thanks
 

Edizon

Well-Known Member
Feb 18, 2003
AZ
Tutorial Revision?

A Beginner's Guide to Securing Your Server Part 3 of 3 (Apps to install)

Code:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"
It was a great tutorial. However, my SSL server was unreachable after the APF install. I replaced the code given by 00000000 for the inbound ports. 443 was not included. After I included it, my SSL server was up again. Just added this in case anyone else has a problem with this in the future.

Revised Code:

Code:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"

Kyle
 

equens

Well-Known Member
Feb 8, 2002
What about the option: IF="eth0", would I have problems if this option is not set correctly?

I have seen #123 in Common egress (outbound) TCP ports???

Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"

Thanks!
 

RandyO

Well-Known Member
Jun 17, 2003
equens said:
What about the option: IF="eth0", would I have problems if this option is not set correctly?

I have seen #123 in Common egress (outbound) TCP ports???

Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,37,53,80,110,113,#123,443,43,873,953,2089,2703,3306"

Thanks!
If that is the location of your ethernet connection, you will have a problem indeed. The majority of connections are on eth0.
 

cbwass

Well-Known Member
Mar 29, 2002
I disabled direct login to root ('PermitRootLogin no'); now when I log in as 'admin' and su to root, commands like 'service cpanel restart' produce 'bash: service: command not found'. Why is that? Is there something I can do to allow these commands? They are so easy to remember.
 

ZapX.net

Well-Known Member
Feb 24, 2005
Sidman, PA
Very useful; I especially like chkrootkit; I have it running daily.

Anyway, with the apf ports, isn't there a typing mistake; there seems to be two spaces in the middle of port 2084. I'm assuming that is a typing error...

IG_TCP_CPORTS="21,22,25,53,80,110,143,465,953,993,995,2082,2083,2 084,2086,2087,2095,2096,3306,6666,7786,3000_3500"
 

webits

Well-Known Member
May 15, 2004
I've updated everything to the new BFD; before, I had the old BFD version.
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
Go on, have a guess
I'd like to add that there is no need at all to open ports 3000_3500 unless you have a very specific reason. Remember that APF is an SPI firewall and so it's completely unnecessary to open ethereal ports for something like FTP access. Opening ports with nothing attached to them makes having a firewall relatively pointless.
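
An added example, not part of the original posts or of APF: a shell check for a port list in the format quoted in this thread, flagging the issues raised above (a stray space inside a port number, entries such as #123 that are not a plain port or range, a missing 443, and a wide range such as 3000_3500). The names lint_cports and MAX_RANGE and the 100-port threshold are assumptions; the LOW_HIGH range syntax is taken from the lists quoted above.

```shell
#!/bin/sh
# Added example: lint an APF-style port list (comma-separated, ranges written LOW_HIGH).
# lint_cports and MAX_RANGE are hypothetical names for this sketch, not part of APF.
MAX_RANGE=100   # assumed threshold for flagging a range as wide

# Usage: lint_cports "<port list>" [required port ...]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_cports() {
    list=$1; shift
    findings=0 covered=""
    old_ifs=$IFS; IFS=,; set -f          # split on commas only, no globbing
    for tok in $list; do
        case $tok in
            ''|*[!0-9_]*|0*|_*|*_|*_0*|*_*_*)
                echo "malformed entry: '$tok'"; findings=1; continue ;;
            *_*) lo=${tok%_*} hi=${tok#*_} ;;
            *)   lo=$tok hi=$tok ;;
        esac
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
            echo "bad range: $tok"; findings=1; continue
        fi
        width=$((hi - lo + 1))
        if [ "$width" -gt "$MAX_RANGE" ]; then
            echo "wide range: $tok opens $width ports"; findings=1
        fi
        for req in "$@"; do               # remember which required ports are open
            if [ "$req" -ge "$lo" ] && [ "$req" -le "$hi" ]; then
                covered="$covered $req"
            fi
        done
    done
    IFS=$old_ifs; set +f
    for req in "$@"; do
        case " $covered " in
            *" $req "*) ;;
            *) echo "required port not open: $req"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed input: the inbound list as quoted in this thread, stray space included.
lint_cports "21,22,25,53,80,110,143,465,953,993,995,2082,2083,2 084,2086,2087,2095,2096,3306,6666,7786,3000_3500" 443 || true
```
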
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
Go on, have a guess
nazoreen,

There's no need for a security thread about exim as far as I can see. With a default cPanel exim installation, you can only relay through exim if you have been authenticated. The other issues I have addressed in the other thread you started on the subject.
 

digitard

Well-Known Member
Aug 13, 2004
I just want to say thanks for taking everything that was scattered and making a VERY easy to follow guide.

I had a few tiny bugs that I mostly worked out w/ my server. I can't seem, though, to get the 'root login email' part to work. Other than that everything works VERY well and I have already found 2 people trying to login to my server. Thankfully ROOT is already turned off through immediate login from my hosting company but it still banned 2 IPs right away and everything else is looking great.

Had a user, quite brightly I might add, ban himself and his second IP in the house trying to login into FTP w/ the wrong info from his activation email, but after a quick search I was able to modify that and get him up and off the banned list.

Thanks again. I think I may be missing, or adding, a space in the 'root login email' portion. If someone could maybe post a <space> type thing of the line to add. What happens is when I add that to my .bash_profile upon logging in w/ my root the next time I login I get a mail <Access denied> type error that's just below my security MOTD. Once I remove that line the login is flawless... so I dunno.

I've had APF running forever, but I don't know why (I'm slow...lol) I didn't have BFD running.
 

wtw

Registered
Jan 17, 2005
Excellent

Thank you for taking the time to place all of this in one section. This is uber kewl!
 

dwh2

Well-Known Member
Jan 14, 2004
This thread was a godsend. One thing though on the apf, it doesn't say to change the defaults on a few things that say disable but I would think should be enabled. Are these settings ok or do they need to be changed:

PHP:
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"
----snip----
# Import /etc/apf/ad/ad.rules ban list generated by antidos;
# this is essentially a quick enable/disable feature for
# the insertion of such bans. [0 = Disabled / 1 = Enabled]
USE_AD="0"
----snip----