Server Security Checklist - Secure your box now!!
The Planet Forums > Security > General Security
GetWired
Last updated: 9/30/03

There are a lot of things floating around the forums on what to install to get the best degree of safety. A lot of these things are basic, and should be done right after getting ANY server. I have taken the time to do the homework for you and put it in a simple checklist form. To me, an insecure box on RS's network is a threat to me and anyone else on the network, so please, take the time to secure your box.

The main goal of this checklist will be to help any one person setup a working, secure server.

I run mostly Cpanel servers, but control panel upgrades should be around the same method and the most basic thing to perform; therefore I will not go in depth on other control panels.

This checklist assumes you know the basics of Linux and the shell, and are doing all of this via SSH with the program PuTTY.

Note: This is a common mistake people make; anything listed here must be done as root. To get root, please use the command "su -", not "su".

######################
~~~~~~~~~~~~~~~~~~~~
######################

Things to do on your server in order of importance:
  • Full Cpanel (stable) upgrade [Already installed Cpanel/WHM Feature] [Link]
    Note: This should upgrade openssh and all of that good stuff so all those locks show locked.
  • Recompile Apache [Already installed Cpanel/WHM Feature]
  • Bind sshd to only 1 ip, and make it a different ip than your main site, and on a different high level port. Not to forget, disable direct root login.

    QUOTE

    pico -w /etc/ssh/sshd_config

    Find the line '#Port 22' and uncomment it and change it to look like 'Port [Random high level port here]'.

    Request an ip from rackshack and create a nameserver using your registrar (like the first time) that will point to that ip and wait till it resolves. (Note: You may have to add an A entry/DNS zone using cpanel or whatever you use as your control panel to get this to function.) Make the name of it something like 'ssh.domain.com', or 'shell1.domain.com'.

    When it resolves, ssh into your box and find the line '#ListenAddress 0.0.0.0' and make it look like 'ListenAddress ##.##.##.##' replacing the number signs with the ip address.

    Find the line '#Protocol 2, 1' and uncomment it and change it to look like 'Protocol 2'

    Find the line '#PermitRootLogin yes' and uncomment it and make it look like 'PermitRootLogin no'.

    Now restart SSH using the command:

    /etc/rc.d/init.d/sshd restart

    Now exit out, enter 'ssh.domain.com' as the host name, put in your high level random port in the box, ssh into your box and you're done.

    If you have ANY problem with this, please login to your server via telnet, fix the problem, login using SSH2 again, and change your passwords. Telnet is a very insecure protocol, but it'll get you out of a jam.

    Note: If you do not have the most current version of PuTTY, please get it, as it will allow you to use the ssh2 protocol.


    Note 2: Though you could still get to root by logging in as admin and doing su - to root, it would be best to delete the admin login from your server. This'll give hackers an even harder time trying to crack your box. You should keep in mind that the admin login is only a rackshack thing, and is not a default thing, so it might be best to remove it anyway. Delete user admin, add another user, and add that user to the usergroup wheel. Do not log out of root without adding a user to the wheel group. If you do not know how to add a user to the wheel group, skip this step.
  • Have the server e-mail every time someone logs in as root:

    QUOTE
    - Edit the .bash_profile in the users directory ( in this case /root)
    commands:
    su -
    cd (just cd, nothing else)
    pico .bash_profile

    And put this at the very end:
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" offsite@emailaddress.com


    Advice from freddo:
    Make sure the email address you send to also forwards to an off-server email address. This way the hacker cannot delete the warning email (without hacking another server anyway).
  • Disable Telnet:

    QUOTE
    pico -w /etc/xinetd.d/telnet
    Note: (change disable = no to yes)
    Save and Exit
    /etc/init.d/xinetd restart

  • Chroot/Jail [Link]
    Note: If you have a Cpanel server there is a feature already included to Jail the shell account. Please do this ASAP if you plan on giving out shell accounts.
  • APF Firewall
    QUOTE
    Originally posted by DavidB

    Follow these instructions to perform a new install of APF.

    1. Make /usr/src the current working directory.
    cd /usr/src

    2. Fetch the most current version of APF.
    wget http://www.rfxnetworks.com/downloads/apf-c...-current.tar.gz

    3. Expand the APF tar.gz file.
    tar -xvzf apf-current.tar.gz

    4. Remove the tar.gz file.
    rm -f apf-current.tar.gz

    5. Locate the APF directory.
    ls -la

    Look for a directory named apf-#.#/ where #.# represents the version of APF being installed (APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).

    6. Make the APF directory the current working directory.
    cd apf-0.9

    Use the directory name you located in step 5.
    Note that the numbers will change as new versions are released.

    7. Run the APF install.
    sh ./install.sh

    8. Make /etc/apf the current working directory.
    cd /etc/apf

    9. Edit the conf.apf file as desired.
    pico -w conf.apf

    A very important part of this firewall you have to edit is the ports. These ports will allow services such as mail, ftp, and ssh to come in and out of the server. If you have changed any ports, please modify them below and add/remove as needed.

    ################

    # Common TCP Ports
    # Note: ports 2082 to 2095 are mostly used by cpanel, and port 19638 is only used in Ensim.
    TCP_CPORTS="21,22,25,26,53,80,110,143,443,2082,2083,2086,2087,2095,2096,19638"

    # Common UDP Ports
    UDP_CPORTS="53"

    ################

    Note that you must set the DEVM parameter to "0" BUT only after full testing of the firewall. What DEVM does is that once you start APF with DEVM to 1, it will set a cron job to stop APF in 5 minutes so you don't end up locking yourself out.

    Turn on Anti-DOS, and the block list for added security.

    10. Start APF.
    ./apf -start
    or
    service apf start

    Note: To stop or restart apf, use the "service apf restart/stop" commands.

    11. Set APF to auto restart on reboot:

    chkconfig --level 2345 apf on
    remove it: chkconfig --del apf


  • Use sftp (secure ftp via ssh2) instead of ftp [Link]
    Note: FTP is a global protocol, everyone knows about it. It's best to do this when you don't have that many clients on your server. Some people aren't smart enough to figure out how to use the SFTP protocol sometimes.
  • Tripwire [Link]
  • Email Anti-Virus Scanner (MailScanner) & Anti-Virus Scanner (ClamAV) [Link]
  • chkrootkit [Link]
  • Disable direct root login [Link]
  • PRM (Process Resource Monitor) [Link]
  • MRTG bandwidth monitor
  • Mask apache server & services version numbers [Link]
  • Set a SSH Legal Message [Link]
    Note: I like to put a legal notice here. Something like:

    This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by a user or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.

  • Chmod 700 /usr/sbin/wget

######################
~~~~~~~~~~~~~~~~~~~~
######################

That's about all I have, other than a set of 'always do this' rules.

1.) Always try to use sftp.
2.) Always use ssh2 protocol.
3.) Never ever have passwords lying around or use easily crackable passwords. A nice password holder and generator program is Personal Vault. You can check it out and download it here [Link]

I plan on making a definitive howto page on my website on how to properly secure your cpanel box to its fullest, with each howto on its proper page so you don't have to go looking around. However, that is once I get permission from each person that wrote each HOWTO.

If you have a comment on this or something you think that should be added, please PM me. I want to keep this thread as clean as possible so newbs don't have to scroll through pages of stuff.

I will constantly update this when required.
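The sshd_config edits and the APF port list from the checklist above, as an added example that is not part of the original post and not code from OpenSSH or APF: a POSIX shell script that makes the four sshd_config changes with sed on a constructed copy of the file, then checks that the new SSH port is present in TCP_CPORTS before DEVM is turned off, adding it if it is missing. The port 48223, the address 203.0.113.10, the temp-file paths and the sample file contents are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: apply the sshd_config edits from the
# checklist with sed instead of by hand, then confirm the chosen SSH port is
# listed in APF's TCP_CPORTS before DEVM is set to "0", so the firewall does
# not lock you out of the new port. File paths, the port 48223 and the
# address 203.0.113.10 are placeholders.

# harden_sshd_config FILE PORT LISTEN_IP
# Sets Port, ListenAddress, Protocol 2 and PermitRootLogin no, uncommenting
# the stock "#Key value" lines if needed. Writes through a temp file so a
# failed sed never leaves a truncated config behind.
harden_sshd_config() {
    file=$1; port=$2; ip=$3
    tmp="$file.tmp.$$"
    sed -e "s/^#\{0,1\}Port .*/Port $port/" \
        -e "s/^#\{0,1\}ListenAddress 0\.0\.0\.0.*/ListenAddress $ip/" \
        -e "s/^#\{0,1\}Protocol .*/Protocol 2/" \
        -e "s/^#\{0,1\}PermitRootLogin .*/PermitRootLogin no/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_setting FILE KEY: print the active (uncommented) value of KEY
sshd_setting() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# apf_tcp_ports CONF: print the comma-separated TCP_CPORTS list
apf_tcp_ports() {
    sed -n 's/^TCP_CPORTS="\([^"]*\)".*/\1/p' "$1"
}

# apf_port_allowed CONF PORT: succeed only if PORT is in TCP_CPORTS
apf_port_allowed() {
    case ",$(apf_tcp_ports "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# apf_allow_port CONF PORT: append PORT to TCP_CPORTS if it is not there yet
apf_allow_port() {
    apf_port_allowed "$1" "$2" && return 0
    tmp="$1.tmp.$$"
    sed -e "s/^TCP_CPORTS=\"\([^\"]*\)\"/TCP_CPORTS=\"\1,$2\"/" "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# demo: run the whole sequence on constructed copies in a temp directory
demo() {
    dir=$(mktemp -d)
    # constructed sample: the stock commented defaults from sshd_config
    cat > "$dir/sshd_config" <<'EOF'
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    # constructed sample: the port list from the checklist, DEVM still on
    cat > "$dir/conf.apf" <<'EOF'
DEVM="1"
TCP_CPORTS="21,22,25,26,53,80,110,143,443,2082,2083,2086,2087,2095,2096,19638"
UDP_CPORTS="53"
EOF
    harden_sshd_config "$dir/sshd_config" 48223 203.0.113.10
    port=$(sshd_setting "$dir/sshd_config" Port)
    if apf_port_allowed "$dir/conf.apf" "$port"; then
        echo "port $port already open in APF"
    else
        echo "port $port missing from TCP_CPORTS, adding it"
        apf_allow_port "$dir/conf.apf" "$port"
    fi
    grep -E '^(Port|ListenAddress|Protocol|PermitRootLogin) ' "$dir/sshd_config"
    grep '^TCP_CPORTS=' "$dir/conf.apf"
    rm -rf "$dir"
}

demo
```

Run it against the real /etc/ssh/sshd_config and /etc/apf/conf.apf only after copying them aside, and keep the existing SSH session open while you test the new port from a second window; the apf_port_allowed check exists for the same reason as DEVM's five-minute cron job, namely that the port SSH moved to must be open in the firewall before the firewall is made permanent.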
GetWired
I'm going to keep this space here open in case I expand it too much for one post.
Miso
Kudos GETWIRED!!! Kudos!

Some great reading material on server security posted by unspawn @ LinuxQuestions.org
adrianwalters
kudos on a good post...
Erwin
I like your How-To regarding using a different IP and port for SSH. Very good idea.
Miso
but what happens when RS or someone other than me needs to get in to fix something?

QUOTE
I like your How-To regarding using a different IP and port for SSH. Very good idea
Erwin
QUOTE
Originally posted by Miso
but what happens when RS or someone other than me needs to get in to fix something?


That's a great question. They can't unless you give them the details. What I would do is remove the limitations and change the password so the RS tech can SSH normally. I would then re-do the above and then change all passwords just in case.
HighRiskCO
WoW!! This is GREAT!

This is definitely worth a bookmark!!

Thanks for your time and hard work!!

This should be made sticky
GetWired
QUOTE
Originally posted by Erwin
That's a great question. They can't unless you give them the details. What I would do is remove the limitations and change the password so the RS tech can SSH normally. I would then re-do the above and then change all passwords just in case.


What I do is when submitting a trouble ticket, I just add the extra information the tech needs to get into my box.

They don't mind.
GetWired
Thanks guys

Remember, if you have anything you think should be in that checklist, PM me and i'll put it up ASAP.
EdGei
Might I add ... XCELLENT POST!
It's well defined and written in plain and understandable english. Keep up the good posts!

David K.
Erwin
Just a tip:

Even if you don't get another IP address for SSH, you can still change the port from default 22 to a random port number, and use a firewall to block 22, and opening up that random port number. This adds another level of security to the whole thing.
GetWired
I also heard that with something like port sentry, you can configure it to blackhole port 22, and block anyone trying to access it, but that's beyond my scope, not to mention I've heard a lot of bad things about port sentry. If anyone knows though.. PM me
splinternic
Don't forget TCP port 19638 if you're using Ensim.
GetWired
This is mainly for cpanel, but I agree. I'll add it to the list. Thank you
splinternic
By the way, the list was a great help.

I had been afraid to install apf until I saw DavidB's instructions, very easy to follow (except ensim was broken until I found in another thread that it needed port 19638).

Many people think they've given instructions by saying what to do--completely useless to tell a lot of us something like "unpack the tarball" without saying how to do it.

These instructions say what AND how--the way instructions should.

THANKS!
GetWired
Oh, I didn't notice it said edit instead of using pico. I'll be sure to edit it.

Please please please, if you find something like this, PM me. I'd rather keep the replies down on this thread so people don't have to wade through pages of things.

Thank you.
top500
Never type your passwords with your keyboard.
Always use Copy-n-paste and keep your password(s)
stored in a program like Personal Vault.

This is cause if u type ur pw all haxor do is drop
keylogger on ur windoze machine and ur info
sent to haxor via internet arrrrrrrggg!
tyvm
GetWired
I think that follows under basic computer security.

If you can't keep your computer safe, how do you expect to keep your server safe?

Anyway, a majority of keyloggers nowadays monitor the clipboard, so it really wouldn't matter at all.

Thanks for the tip though.
top500
QUOTE
Originally posted by GetWired
I think that follows under basic computer security.

If you can't keep your computer safe, how do you expect to keep your server safe?

Anyway, a majority of keyloggers nowadays monitor the clipboard, so it really wouldn't matter at all.

Thanks for the tip though.


Hmm, I hadn't considered that.
This being the case, there truly is NO way to keep a comp secure...

So go back to old-school security-related thinking:
-- If it's linux, you're automatically safe from 99% of the world --
ok, 98% nowadays
GetWired
I don't mean to be rude, but please do not post comments that are not directly related to this checklist.

QUOTE
Originally posted by GetWired
If you have a comment on this or something you think that should be added, please PM me. I want to keep this thread as clean as possible so newbs don't have to scroll through pages of stuff.
Water
I just wanted to thank you for this How To. It's one of the best ones I've found. I didn't have problems with anything and learned a lot. Thanks again.
HighRiskCO
QUOTE
Originally posted by GetWired
Last updated: 8/23/03

I plan on making a definitive howto page on my website on how to properly secure your cpanel box to its fullest, with each howto on its proper page so you don't have to go looking around. However, that is once I get permission from each person that wrote each HOWTO.

If you have a comment on this or something you think that should be added, please PM me. I want to keep this thread as clean as possible so newbs don't have to scroll through pages of stuff.

I will constantly update this when required.


I think another good addition to your How-To would be from aussie concerning keeping Urchin Scheduler up and running located here http://forum.rackshack.net/showthread.php?...&threadid=31481

This was a great how to and many people utilizing Urchin will benefit from this post!

Just a thought!

RWN
GetWired
This post is meant for security purposes only. I do however plan on making a howto on things to do on your server that are really neat.

Please PM if you have anymore comments.
christyle
GetWired, could you maybe post or have a "Change log" post for whenever you update the original post? I see that it says it's been updated today, but I'm not sure what's been changed.
GetWired
Very very good point.

I'll post which section I added/modified each time I do so.

Changes 9/06:

Sections added:
  • Have the server e-mail every time someone logs in as root:

- Added a part on how to have your server e-mail you each time someone logs into root with when/what server/and the IP address of the person.

Note: Pretty soon I'll transfer this to a website where it'll look A LOT neater, and there'll be javascript drop downs and what not. Till then, I still hope this checklist is easy enough to read.
Website Rob
QUOTE
Originally posted by top500
Never type your passwords with your keyboard.
Always use Copy-n-paste and keep your password(s)
stored in a program like Personal Vault.

This is cause if u type ur pw all haxor do is drop  
keylogger on ur windoze machine and ur info
sent to haxor via internet arrrrrrrggg!
tyvm
As mentioned by GetWired: "Anyway, a majority of keyloggers nowadays monitor the clipboard, so it really wouldn't matter at all."

Which brings me to my question.

I use a Macro program to store PWs and login. Not being familiar with keylogger programs I'm wondering if anyone knows - can they read what is used by a macro-key?

BTW, excellent thread GetWired and hats off for the accuracy and details of the information.
christyle
Thanks for the detailed updates!
mezcal
So you can see just the ip in the subject. Handy so you don't have to view the message body and can quickly delete when it's your ip:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" offsite@emailaddress.com



mez
GetWired
Thank you. I'll make the change now.

Please, I cannot stress this enough, PM me if you want something changed. I'd rather keep this thread CLEAN of useless posts that could have easily been solved through PM. Not that your post was useless however.
anthonyd
Is there a problem in that mail syntax? It doesn't send out the mails.
GetWired
Works fine for me.

Make sure there are no breaks in the code when its in your bash file, that you have it set to the right e-mail address, and that you're 'su -'ing into root.
anthonyd
Ah ok, the 'su -' part I didn't get around to yet. Thanks.
web1
sorry I will try to remember to delete this post. I have PM off so it won't let me PM out.

Add some backslashes to those "root mail me when someone logs on"
lines, they get a bit long, and you can use -c anothermail@whereever.net for an easy cc: to another mail account as a backup.

oh yea, use pico -w

I think if you mailed to an internal address that then forwarded to an outside mail address, it would happen too fast for anyone to stop it. I use the forwarding in case I get a new ISP, so I don't have to change everything.
anthonyd
Hmm, it still doesn't send out the email. Any other suggestions?
hyperbuzzy
It seems that the domain has expired for r-fx.net.

Where can we get apf from now?

Thanks
mtijssen
Give it a go at

RFX-Networks
hyperbuzzy
Thanks for the link.

On their site the links still point to r-fx.net to download, however if you change the domain the files are there:

http://www.rfxnetworks.com/downloads/apf-c...-current.tar.gz
rrr
QUOTE
Request an ip from rackshack and create a nameserver using your registrar (like the first time) that will point to that ip and wait till it resolves. (Note: You may have to add an A entry/DNS zone using cpanel or whatever you use as your control panel to get this to function.) Make the name of it something like 'ssh.domain.com', or 'shell1.domain.com'.


Can someone break down the instructions for this part?

TIA

--
Rodney
Erwin
QUOTE
Originally posted by rrr
Can someone break down the instructions for this part?

TIA

--
Rodney


Just a tip - you don't have to A name a subdomain at all. When you get the new IP, just use the IP address as it is for SSH.
GetWired
Sorry I wasn't too clear on that. At the time of making it, I didn't quite think it through. I'll break it down here and edit it later.

1.) Request IP
2.) Go to WHM to the DNS Functions part. Select "Create DNS Zone"
3.) Put in ip and hostname you want.
4.) let it propagate and bind it to sshd.

I answered your PM rrr with this same exact information.
rrr
thanks GetWired and Erwin!

one question though...how does moving the IP address improve security of the box?
GetWired
Like i've said many a time, please use the PM system if you have a question.

It's been stated a few times, you just have to search for it.

Binding sshd under a different ip than your main site or server ip will make it even harder for those trying to hack into your box. First they'd have to find the ip it's running on, then figure out which port, then they have to crack a username and a password, then crack the root password, etc...

Basic stuff.
haill
Have the server e-mail everytime someone logs in as root:


quote:
--------------------------------------------------------------------------------

- Edit the .bash_profile in the users directory ( in this case /root)
commands:
su -
cd (just cd, nothing else)
pico .bash_profile

And put this at the very end:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" offsite@emailaddress.com
--------------------------------------------------------------------------------


and this is what we get:

Last login: Wed Oct 29 03:34:14 2003 from 211.24.241.83
You must specify direct recipients with -s, -c, or -b.
bash: ssh@domain.com: command not found

any help please?
DigitalT
QUOTE
Originally posted by haill
Have the server e-mail everytime someone logs in as root:


quote:
--------------------------------------------------------------------------------

- Edit the .bash_profile in the users directory ( in this case /root)
commands:
su -
cd (just cd, nothing else)
pico .bash_profile

And put this at the very end:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" offsite@emailaddress.com
--------------------------------------------------------------------------------

and this is what we get:

Last login: Wed Oct 29 03:34:14 2003 from 211.24.241.83
You must specify direct recipients with -s, -c, or -b.
bash: ssh@domain.com: command not found

any help please?


CODE
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@outsidedomain.com


That one should work better.
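The root-login alert from the checklist, with haill's error and DigitalT's fix in mind, as an added example that is not from any post in this thread: a small script that /root/.bash_profile sources. It takes the client address from sshd's SSH_CONNECTION variable when it is set and falls back to the "(host)" field of `who`, and because the long command lives in a function it can no longer be split across two lines in .bash_profile, which is what "bash: ssh@domain.com: command not found" means (the address ended up on a line of its own, so bash ran it as a command and mail got no recipient). The mailbox address, the path /root/root-alert.sh and the sample `who` lines in the test are placeholders that I constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the root-login alert as a script that
# /root/.bash_profile sources, so the long mail command can never be broken
# by a line wrap. The mailbox and the script path are placeholders.

ALERT_TO="alerts@offsite.example"   # placeholder: use an off-server mailbox

# client_ip WHO_LINE SSH_CONNECTION
# Picks the source address of the session: first from SSH_CONNECTION, which
# sshd exports as "client_ip client_port server_ip server_port", then from
# the "(host)" field that `who` prints for remote logins. Either is more
# reliable than `who | awk '{print $6}'`, whose column number depends on how
# the date is formatted. Prints "local/unknown" when neither is present
# (console login, or a session that did not come through sshd).
client_ip() {
    who_line=$1
    conn=$2
    if [ -n "$conn" ]; then
        printf '%s\n' "${conn%% *}"
        return 0
    fi
    case $who_line in
        *"("*")"*)
            host=${who_line##*"("}
            printf '%s\n' "${host%%")"*}"
            ;;
        *)
            printf 'local/unknown\n'
            ;;
    esac
}

# alert_subject WHO_LINE SSH_CONNECTION: subject with the IP up front, so the
# mail can be triaged (or deleted, when it is your own IP) from the subject
alert_subject() {
    printf 'Alert: Root Access from %s\n' "$(client_ip "$1" "$2")"
}

# alert_body HOSTNAME DATE WHO_LINE: the message text
alert_body() {
    printf 'ALERT - Root Shell Access on: %s %s\n%s\n' "$1" "$2" "$3"
}

# send_root_alert: only fires for uid 0. `who am i` reports the login session
# that ran `su -`, which is the one you want to see in the mail.
send_root_alert() {
    [ "$(id -u)" -eq 0 ] || return 0
    line=$(who am i 2>/dev/null)
    alert_body "$(hostname)" "$(date)" "$line" \
        | mail -s "$(alert_subject "$line" "$SSH_CONNECTION")" "$ALERT_TO"
}

# In /root/.bash_profile keep the call on a single line:
#   . /root/root-alert.sh && send_root_alert
```

Because the script is sourced rather than pasted into .bash_profile, a line that wraps in pico cannot turn the recipient into a separate command, and the functions can be tested with constructed `who` lines before the alert ever reaches mail. Sending to a mailbox that forwards off the server, as freddo suggested above, still applies.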
Miso
Many things on this quick checklist have been addressed in this thread...

except this one:

* Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).

if you do this... then how do you update your box?

QUOTE
* Disable telnet.
* Limit SSH access to specific IP addresses.
* Disable direct root login.
* Remove unnecessary packages / software.
* Harden the kernel against synflood and basic DOS attacks.
* Remove common user access to compilers and fetching software (wget, fetch, lynx, etc.).
* Ensure /tmp is in its own partition with noexec, nosuid.
* Ensure kernel and software is up to date.
* Remove unnecessary users and groups.
* Install chkrootkit, logwatch, tripwire.
* Install a firewall, and port scan detector.
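For the "/tmp in its own partition with noexec, nosuid" item in the quoted list, as an added example that is not from the thread or from dynamicnet: a shell check that reads a mount table in the format of /proc/mounts ("device mountpoint fstype options dump pass"), reports whether the mount point is a separate mount at all, and lists any required option it lacks. The mount tables inside the block are constructed samples; the live invocation at the bottom is Linux-specific.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a mount point carries the
# mount options the checklist asks for (/tmp with noexec,nosuid). Input is
# text in /proc/mounts format; the tables below are constructed samples.

# mount_opts MOUNTS_TEXT MOUNTPOINT: print the option list of MOUNTPOINT,
# empty if it is not a separate mount. The last matching entry wins, which is
# what the kernel does when something is mounted over an existing mount.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }'
}

# missing_mount_opts MOUNTS_TEXT MOUNTPOINT OPT1[,OPT2...]
# Print each required option that is absent, one per line (no output means
# all are present or the mount point does not exist; check that separately).
missing_mount_opts() {
    opts=$(mount_opts "$1" "$2")
    for w in $(printf '%s\n' "$3" | tr ',' ' '); do
        case ",$opts," in
            *",$w,"*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# report MOUNTS_TEXT MOUNTPOINT OPTS: print a verdict; succeed only when the
# mount exists separately and has every option. Not being a separate mount is
# the more serious case: /tmp then lives on / and cannot carry its own flags.
report() {
    if [ -z "$(mount_opts "$1" "$2")" ]; then
        echo "FAIL: $2 is not a separate mount"
        return 1
    fi
    missing=$(missing_mount_opts "$1" "$2" "$3")
    if [ -n "$missing" ]; then
        echo "FAIL: $2 lacks: $(printf '%s\n' "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: $2 mounted with $3"
}

# constructed sample mount tables
GOOD_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
none /proc proc rw 0 0'
WEAK_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0'
NO_TMP_MOUNTS='/dev/sda1 / ext3 rw 0 0'

report "$GOOD_MOUNTS" /tmp noexec,nosuid
report "$WEAK_MOUNTS" /tmp noexec,nosuid || true
report "$NO_TMP_MOUNTS" /tmp noexec,nosuid || true
# live check on a Linux box:
#   report "$(cat /proc/mounts)" /tmp noexec,nosuid
```

The same call works for any other mount point you decide to lock down the same way (for instance /var/tmp), and it reads the options the kernel actually applied rather than what /etc/fstab promises, so a remount without the flags shows up as a FAIL.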
Miso
[edited in order to make thread cleaner]
dynamicnet
Greetings Miso:

Thank you for quoting our bullet points.
Miso
This is an excellent thread with great points.

http://forum.ev1servers.net/showthread.php...rch+for+hackers
Carlos
>Have the server e-mail everytime someone logs in as root:

I really like this and use it very successfully. Makes me sleep a bit better at night. I want to repeat to all the newbies like me who might have done a copy and paste into BASH. Make sure there are no line breaks in the code line!

My question is, this works great for people logging in as root, how about any user successfully logging in? How would I do that? I only allow 2 other people to log in, but seeing that they have, and from what IP via an email would be very nice. Especially if they login but from a weird IP. Or in a worse case, someone somehow getting in that I don't know. (Shouldn't happen but ...)

Or is this a bad idea, as I'll be getting emails all the time. But I'm not talking about attempts, just successes.

Also, about the root login email. Would be nice to get some other info in that email. Like what? Hmm.. not sure..

Cheers,