Full Version: HOWTO Plesk 7 Reloaded New Server Setup
willowdream
Credits: This how-to was compiled after hours of browsing the EV1Servers forums as well as the Plesk documentation (and Plesk forums). Thanks are definitely in order to everyone that gave this information. I won’t list any specific names because I know that I will forget too many people.

Use this How-To at your own risk. I will not take responsibility if you mess your server up.

If you have something to add that I have missed... PLEASE let me know… because this is what I am going by to set my server up. If something is wrong with what I have put here… PLEASE let me know that as well.

1. Change admin & root passwords

Login as Admin
Type: /usr/bin/passwd then set your new password at the prompts

Login as Root (su -)
Type: /usr/bin/passwd then set your new password at the prompts

2. Install Pine if Pico doesn’t exist on your server. If you don’t know how to use Pico, check this link: http://www.dedicated-resources.com/guide/2...o-Use-Pico.html

Check for Pine:
Type: rpm -q pine
If it says package pine is not installed continue to get & install Pine

Get Pine:
Type: wget ftp://ftp.cac.washington.edu/pine/pine-4.61-1.i386.rpm

Install Pine:
Type: rpm -ivh pine-4.61-1.i386.rpm

3. Upgrade SSH if needed

To see SSH version installed (as root)
Type: cd
Type: pico -w install.log
Use the 'Where' command (type Ctrl + W)
Type: SSH at the prompt
Pico should scroll to the SSH packages installed

See comments under 7. Update RPMs regarding downloading upgrades from RedHat

4. Disable direct root login (do before disabling telnet, just in case you mess up and need to get back in)

Type: pico -w /etc/ssh/sshd_config
Edit #Protocol 2, 1 and change it to Protocol 2
Edit #PermitRootLogin yes and change it to PermitRootLogin no
Save and exit
Type: /etc/rc.d/init.d/sshd restart to restart ssh

5. Disable Telnet (make sure you are logged in via SSH)

Type: pico -w /etc/xinetd.d/telnet
change disable to YES
Save and Exit
Type: /etc/init.d/xinetd restart

6. Setup the server to send an email every time someone logs into root

Type: cd
Type: pico .bash_profile
At the end add: echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" offsite@emailaddress.com

**you can add multiple emails just leave a space between each email. Make sure the whole thing is on ONE line or it comes out looking strange**

7. Update RPMs

Use Pages 17-23 of http://download1.sw-soft.com/Plesk/Plesk7....ation-guide.pdf as a guide; yes I know this is for RedHat 9 and you are most likely running RedHat Enterprise... just make sure to get the updated versions

Make sure that you have access to run up2date. You will have to submit a trouble ticket requesting your server to be setup for the Red Hat Network to update RPMs

8. Setup Hostname

Apparently I didn’t do this part right… so if someone could fill in THIS information for me it would be great :)

9. Setup Firewall

This was VERY simple to setup. Just go to this link http://forum.ev1servers.net/showthread.php...&threadid=50867 and follow directions.
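As an added example (not part of willowdream's post or of any other post in this thread), the script below checks the outcome of steps 4 and 5: that `Protocol 2` and `PermitRootLogin no` are actually in effect and that the xinetd telnet service is disabled. The function names and the sample files are constructed for illustration; on a real server, call `audit /etc/ssh/sshd_config /etc/xinetd.d/telnet`.

```shell
#!/bin/sh
# Added example (not from the thread): verify the settings from steps 4 and 5.

# Effective value of an sshd_config keyword: commented lines are ignored and
# the first uncommented occurrence wins. Prints nothing if the keyword is unset.
sshd_value() {  # $1 = keyword, $2 = config file
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$2"
}

# Value of "disable" in an xinetd service file such as /etc/xinetd.d/telnet.
xinetd_disable() {  # $1 = service file
    awk -F= '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == "disable" { v = $2; gsub(/[ \t]/, "", v); print tolower(v); exit }
    ' "$1"
}

# Print one OK/FAIL line per check. An unset keyword is reported as FAIL
# because sshd then uses its built-in default (a policy choice of this example).
audit() {  # $1 = sshd_config, $2 = xinetd telnet file
    p=$(sshd_value Protocol "$1"); r=$(sshd_value PermitRootLogin "$1")
    if [ "$p" = "2" ]; then echo "OK   Protocol 2"
    else echo "FAIL Protocol is '${p:-unset}', want 2"; fi
    if [ "$r" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "FAIL PermitRootLogin is '${r:-unset}', want no"; fi
    if [ ! -f "$2" ]; then echo "OK   no telnet service file at $2"
    elif [ "$(xinetd_disable "$2")" = "yes" ]; then echo "OK   telnet disabled"
    else echo "FAIL telnet is enabled in $2"; fi
}

# Constructed sample files: the commented-out state the how-to starts from,
# and the state after the edits in steps 4 and 5.
demo=$(mktemp -d)
printf '%s\n' '#Protocol 2,1' '#PermitRootLogin yes' > "$demo/sshd_before"
printf '%s\n' 'Protocol 2' 'PermitRootLogin no' > "$demo/sshd_after"
printf '%s\n' 'service telnet' '{' '    disable = no' '}' > "$demo/telnet_before"
printf '%s\n' 'service telnet' '{' '    disable = yes' '}' > "$demo/telnet_after"

echo "== before =="; audit "$demo/sshd_before" "$demo/telnet_before"
echo "== after ==";  audit "$demo/sshd_after"  "$demo/telnet_after"
```

Run it after restarting sshd and xinetd, and keep the existing SSH session open until a second login confirms you can still get in.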
willowdream
I didn't get any further than the above post. In the end, I felt it was in my best interest to use a service to finish setting up the server as well as making sure that it is updated and secure on a regular basis.

However, if anyone has anything to add to the above post, or anything that should be changed, etc, please feel free to post it here and I will make sure to add it so that there is a semi-decent setup guide for Plesk 7 Reloaded here.

I have noticed in the past that there have really been very little in the way of Checklists or How-Tos geared specifically for Plesk, and though most of what I have done is not control panel specific, I hope it helps the Plesk users at least a little.

Thanks to everyone that I borrowed/stole how-tos from in getting as far as I did, I couldn't have done it without you :)
luke
nice post, let me add a few things:

- instead of afp firewall, I use kiss: http://forum.ev1servers.net/showthread.php...&highlight=kiss
- hostname is easy to change, see this thread:
http://forum.ev1servers.net/showthread.php...tname+and+plesk
- install chkrootkit and run to ensure you have a clean server:
http://forum.ev1servers.net/showthread.php...ight=chkrootkit
- run system updater from your plesk control panel to ensure you are running the latest plesk release
- configure up2date, edit the file /etc/sysconfig/rhn/up2date and change the following line:
pkgSkipList=kernel*;
to
pkgSkipList=kernel*;*psa*;*spam*;*perl-Mail-Spam*;
- run up2date -l to verify your config and up2date -u to update your rhel packages
luke
also:
- in plesk admin panel, under server, click Administrator Information and update with your proper info to ensure you get notifications
- in plesk admin panel, under server, click IP Addresses and verify your IP addresses
willowdream
Thanks Luke :)

Definitely very good suggestions :)
Squire
Adding, make sure you're not running an open mail relay via the Plesk CP.

Additionally, make sure 127.0.0.1/8 is not whitelisted in the admin > mail area of the control panel. If it is, no matter what you have set above that, you're still running an open relay. Change that to 127.0.0.1/32 and you're good to go.
luke
Wow - did not even realise that those settings were there. I have changed the subnet mask on my whitelists (thanks) but my preferences show 'authorization is required' and SMTP is ticked. Should that be set to 'closed'? Will that affect regular mail in any way?

thanks!
Squire
It kind of depends Luke. If you want to allow people to send and receive email through their domain that you're hosting you won't be able to completely close the relaying ability. That's the most common setup.

I've always set up all of my Plesk servers with authorization is required being ticked, and POP3 ticked with a lock time of 20 minutes.

What that does in English is require that a user log in to check their mail before they can send any mail. But if they've logged in to check their mail within the last 20 minutes they get a free pass. Most will check their mail throughout the day before needing to send anything, or will need to retrieve their email before trying to send anything, so it works well.

And no I have no idea why that particular subnet mask is whitelisted as a default setting in Plesk. It's been that way for as far back as I can remember, going all the way back to Ver 2.5 that I know of. It would be so much nicer if they would just change the default setup to be a /32 subnet so these Plesk boxes don't come with an open relay by default.
luke
Makes sense, thanks!
Savage1
Just got a new Plesk box, one thing I'm fuzzy on, because I'm a Plesk newb.

How should I set up my domain on the box? Like a client? I'm mainly concerned as to how the SSL cert is going to affect control panel logins. Am I going to need 2 certs? One for my main site to accept CC transactions, and one for the Control Panel??

Thanks for any help on the subject.

-Sav
2rcampbell13
I tried to set up the email section so every time someone logs in as root it sends an email, but it doesn't send anything. I used nano -w and added the single line of code, added my email address, which is on a different machine, and saved it. When I log into my server it requires a different user name first. Then I use su with root pw and I am logged in as root but no email is sent. Any suggestions?

I also noticed that I do not have a telnet file. Is this because it is not running nor installed?
mladja04
QUOTE (willowdream)
2. Install Pine if Pico doesn’t exist on your server. If you don’t know how to use Pico, check this link: http://www.dedicated-resources.com/guide/2...o-Use-Pico.html

Check for Pine:
Type: rpm -q pine
If it says package pine is not installed continue to get & install Pine

Get Pine:
Type: wget ftp://ftp.cac.washington.edu/pine/pine-4.61-1.i386.rpm

Install Pine:
Type: rpm -ivh pine-4.61-1.i386.rpm    


Hello,
I followed these steps and tried to install pine. I got this file and tried to install it, but every time I get this error message:

rpm -ivh pine-4.61-1.i386.rpm
rpmdb: Program version 4.2 doesn't match environment version
error: db4 error(22) from dbenv->open: Invalid argument
error: cannot open Packages index using db3 - Invalid argument (22)
error: cannot open Packages database in /var/lib/rpm

I also tried to install Midnight Commander and got the same error. What might the problem be, does anyone know?

Thank you and regards,
Mladen
Yivit
I believe your solution is in this thread:

http://forums.ev1servers.net/showthread.php?t=51740

Also, which version of Plesk are you running? If you're still on 7.1.x you may want to consider updating to 7.5.2... but you may want to do it through the rpm and not the Plesk updater, since unless you revert rpmdb you'll run into the same rpmdb problem.
mladja04
I solved the previous problem, but now have another one. When I try to install pine I get this message:

# rpm -ivh pine-4.61-1.i386.rpm
Preparing... ########################################### [100%]
file /usr/bin/mailutil from install of pine-4.61-1 conflicts with file from package imap-utils-2002d-9


What is the problem now, does anybody know?
twan
This thread helped me to get started, great thread! :)

The rpm up2date step seems to be quite important, it downloaded more than 250 rpms for my server.
mladja04
QUOTE (mladja04)
I solved the previous problem, but now have another one. When I try to install pine I get this message:

# rpm -ivh pine-4.61-1.i386.rpm
Preparing...                ########################################### [100%]
       file /usr/bin/mailutil from install of pine-4.61-1 conflicts with file from package imap-utils-2002d-9


What is the problem now, does anybody know?



But I still have this problem!
Rocky
QUOTE (willowdream)
Credits:  
7. Update RPMs

Use Pages 17-23 of http://download1.sw-soft.com/Plesk/Plesk7....ation-guide.pdf as a guide; yes I know this is for RedHat 9 and you are most likely running RedHat Enterprise... just make sure to get the updated versions

Make sure that you have access to run up2date.  You will have to submit a trouble ticket requesting your server to be setup for the Red Hat Network to update RPMs


Thanks for the info. I am trying to do this part, but how do I check the linux version. The manual has instructions for RHE for Linux 2 and 3. How do I know which one I have? I used "uname -a" command but does not tell me whether it was version 2 or 3.

Sam
Yivit
QUOTE (Rocky)
Thanks for the info.  I am trying to do this part, but how do I check the linux version.  The manual has instructions for RHE for Linux 2 and 3.  How do I know which one I have?  I used "uname -a" command but does not tell me whether it was version 2 or 3.

Sam

CODE
cat /etc/redhat-release


Unless it's an older machine, you're going to be RHE3.
Rocky
Thanks, Yivit!

Now I have problem installing pine like Mladja04 mentioned above.

# rpm -ivh pine-4.62-1.i386.rpm
Preparing... ########################################### [100%]
file /usr/bin/mailutil from install of pine-4.62-1 conflicts with file from package imap-utils-2002d-9

I don't have pico either.
Yivit
I'm not sure what you should do on that one. I don't use pine/pico so I haven't run across the conflict. The little bit of investigating I did makes it sound like to get things to coexist you have to download SRPMs of pine and compile from the source, excluding mailutil.

Since the real reason you're trying to get pine is to get pico, why not use nano? It may be installed already, or it may not be... it's the GNU equiv of pico, and it's available via up2date ('up2date --showall |grep nano' to see). Optionally, you could learn vi - it's installed already, though it's got a BIT of a learning curve for lots of people (it's what I use and prefer though).
Rocky
Boy, it took me hours to try different ways to install pico, all unsuccessfully, until I found out I already have nano that comes with RedHat.

Question: if we disable root access. Don't we need it in the future? If so how to turn it back on?

I am reluctant to do this until I am sure I can reverse the situation.

Sam

-------

I just found your answer posted right before me. You are right I got nano, just found out what it was from WHT.
Yivit
You're not disabling root access... you're disabling direct root login. Added layer of security by not allowing ssh as root. It's SOP to ssh as admin (or another user of your choosing), then once on the server, use 'su -' to become root (or use 'sudo' where applicable). It becomes second nature to NOT directly log in as root.

One thing that the how-to doesn't address that may be overlooked by the novice admin: If you disable direct root login, you're not giving yourself much more security if you have the same password for admin (or your su-to-root username) and root, so don't let them be the same (at least for normal operations - temporarily changing to the same for EV1S access during a ticket is an acceptable level of risk). Sure, it's another password to remember, but like has been said in these forums multiple times, security is a layered approach.

Now that I've soapboxed, the answer is: you just set PermitRootLogin back to yes (after logging in as another user and switching to root).
Rocky
Got it Yivit. Thanks!

As I was gathering security information all over, I also found a couple of other basic security suggestions that might be helpful for the list.


Install Brute Force Detection, from the makers of APF.
BFD is a modular shell script for parsing applicable logs and checking for authentication failures.
Brute Force Detection
http://www.dedicated-resources.com/guide/3.../30/Install-BFD

-------

Install RKHunter www.rootkit.nl

download:
# wget http://downloads.rootkit.nl/rkhunter-1.2.3.tar.gz
Note: It doesn't matter where you save the tarball

extract:
# tar zxf rkhunter-1.2.3.tar.gz

installation:
# cd rkhunter
# ./installer.sh

I also added it to the crontab.

-----
Rocky
I found a gem, a documentation of server setup and security tweaks gathered from around the web in one pdf file. Not complete but quite extensive.

http://www.worxcenter.net/linux_server_setup_guide.pdf
propheci
QUOTE (Squire)
Adding, make sure you're not running an open mail relay via the Plesk CP.

Additionally, make sure 127.0.0.1/8 is not whitelisted in the admin > mail area of the control panel.  If it is, no matter what you have set above that, you're still running an open relay.  Change that to 127.0.0.1/32 and you're good to go.


I have 127.0.0.0/8 listed in my whitelist. Is this OK? Thank you.
fleabags
QUOTE (propheci)
I have 127.0.0.0/8 listed in my whitelist. Is this OK? Thank you.


I have 127.0.0.0/8 as well.
md3v
No, change it to 127.0.0.1/30. This will reduce your relay space to network+ip+broadcast.

m.
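The whitelist entries named in the posts above (127.0.0.1/8, 127.0.0.0/8, 127.0.0.1/32 and 127.0.0.1/30) differ only in how many addresses they cover. As an added example that is not part of any post in this thread, the script below computes the range for each entry; the function names are hypothetical and the arithmetic is plain CIDR masking, independent of how Plesk stores the list.

```shell
#!/bin/sh
# Added example (not from the thread): what a whitelist entry written as
# ADDRESS/PREFIX covers, using the four entries mentioned in the posts.

ip_to_int() {  # dotted quad -> integer
    old=$IFS; IFS=.; set -- $1; IFS=$old
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {  # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print "first last count" for an entry. The host bits of the address are
# masked off, so 127.0.0.1/8 and 127.0.0.0/8 describe the same range.
cidr_range() {  # $1 = a.b.c.d/len
    addr=${1%/*}; len=${1#*/}
    ip=$(ip_to_int "$addr")
    size=$(( 1 << (32 - len) ))
    first=$(( ip & ~(size - 1) ))
    last=$(( first + size - 1 ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last") $size"
}

# Exit status 0 if address $2 falls inside whitelist entry $1.
covers() {
    set -- $(cidr_range "$1") "$2"      # now: first last count address
    a=$(ip_to_int "$4")
    [ "$a" -ge "$(ip_to_int "$1")" ] && [ "$a" -le "$(ip_to_int "$2")" ]
}

for entry in 127.0.0.1/8 127.0.0.0/8 127.0.0.1/32 127.0.0.1/30; do
    set -- $(cidr_range "$entry")
    printf '%-14s %s - %s (%s addresses)\n' "$entry" "$1" "$2" "$3"
done
```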
rvtaylor
Thank you! Thank you!

That how-to was perfect. The firewall is running smoothly on my Plesk server.

(Oddly, changing my hostname was about the only thing I got right.)

I spent a few horrible days hosting with GoDaddy and one of the things I came away with was that using SMPT logged in as admin or root; if I FTP'd web pages, etc. into the virtual hosts' httpdoc directories, those uploaded files would be owned by root and would cause problems down the road.

If that's true, how am I supposed to securely transfer files to the virtual domains? It appears that only FTP is available to the domain FTP account.

Thanks again for the how-to.

Richard
Squire
Hey Richard,

On the FTP question, if you're actually going to FTP everything down from another server to your new EV1 server, yes you'll want to use the FTP login/password for that particular domain.

On the other hand, if you're going to SSH into the new server as Root and connect via ftp that way (server-to-server transfers are much faster, especially if you can tar it up on the other end first) you can simply grab all of the files and then change the ownership to be whatever you need it to be. eg, when you're at /home/httpd/vhosts/domain.tld/ and have all of the files in the httpdocs folder you can chown -R ftpuser:psaserv httpdocs

Where "ftpuser" is the ftp logon you created when setting up the domain. The above will change the file ownership for all of the files from httpdocs and every file/folder below that in the tree. If they have cgi/perl scripts that are being put into cgi-bin you'll need to do those too.