Full Version: How To: Secure your new RedHat Server
ToddW
This is a collection of information on setting up and securing your new Red Hat server.

Before we can even start doing any security modifications, we have to know and understand how to use SSH.

PuTTY is the best, and free, SSH client.

1) Install & Understand PuTTY
Learn to use SSH

2) Understand some basic Linux commands. This goes a long way with the rest of the guide because you will have a better 'general' understanding of what each command does.
Basic Shell Commands
More Basic Shell Commands

3) Install a Firewall. This is a guide to install APF. Make sure you enable connections for monitoring if you have any level of SM monitoring. You can find the IP SM supplies in the e-mail from them when you signed up, or start a ticket asking for the spyglass/admin/monitoring IP. (Note: the IP will be in CIDR form, so the slash and the number after it NEED to be there.)
APF Install

4) Install Brute Force Detection, from the makers of APF.
BFD is a modular shell script for parsing applicable logs and checking for authentication failures.
Brute Force Detection

5) Disable Direct Root Login. This will force you to log in as another user (in cPanel the user must be in the wheel group), and then su to root. This helps deny 'wanna-be' hackers.
Disable Root Login

6) Disable Telnet Access. Telnet is not secure, and your password is sent in plain text, so don't use it! Disable it forever, and use SSH instead.
Disable Telnet

7) Force SSH Protocol 2.
Force SSH Protocol 2

8) Install CHKROOTKIT.
CHKROOTKIT is a shell script that checks system binaries for rootkit modification and then notifies you.
CHKROOTKIT

-- The rest are for cPanel Only Servers --

9) Disable cPanel Demo Mode
Disable cPanel Demo Mode

10) Jail All Users' Shell Access
Jail All Users

11) Modify WHM Security Settings
Modify WHM Settings

12) Enable SUEXEC
Enable SuExec

This next one is optional..

13) Receive an e-mail when someone logs in as root.
Root Login E-Mail

14) RKHunter Installation Guide (Root Kit Hunter).. scan your box daily for root kits.. with Root Kit Hunter v1.1.4 RKHunter Installation
klaude
*stickied*

Good stuff!
Paul
QUOTE (ToddW)
4) Install Brute Force Detection, from the makers of APF.
BFD is a modular shell script for parsing applicable logs and checking for authentication failures.  
Brute Force Detection
What if you log in to your server from multiple locations, or you don't have a static IP address (and can't get one)? Any suggestions?
ToddW
QUOTE (Paul)
QUOTE (ToddW)
4) Install Brute Force Detection, from the makers of APF.
BFD is a modular shell script for parsing applicable logs and checking for authentication failures.  
Brute Force Detection
What if you log in to your server from multiple locations, or you don't have a static IP address (and can't get one)? Any suggestions?


Well, logging in from multiple places is fine; it's the same as logging in with a dynamic IP, you just don't have anything to add to the file.. you should be fine; adding your IP is just an extra precaution.
Paul
I'll pass on that info to the guy who asked me, thanks
georgiek
Great post, I'm a little hesitant to install it yet though. I don't quite understand yet what the situation is when you have a dynamic IP address. Could you please clarify this issue? Thanks in advance.
Fatsie
As long as you don't fail a login several times there is no problem; if you should happen to mistype several times then your IP will be denied access.

If you are on a dynamic IP, chances are your IP is leased from your ISP's DHCP server; just reset your Internet connection, hey presto... new IP, and that IP of course isn't banned, so you can log in again.
Xia
Is an IP that is banned banned for life or just for a few hours?
georgiek
Great, thanks... Installed it and I'm not locked out. Will this process start on its own during boot-up or do we need to chkconfig it?

Also, are there any compatibility issues with this and tripwire (or is tripwire analogous to this program?)

Thanks again.
Imago
Thank you, Todd! :-)

NB: jail all users and disable demo point to one and the same file.
georgiek
I must come back to this article and repeat that it is a great start and I'm sure a lot of newbies (such as myself) have been saved by these measures. It would be great if the advanced users could post a follow-up to this post with advanced security measures (possibly ones that aren't that high risk but nonetheless a safer box is a better box)

How about it guys?
newguy
I have some information for setup too:

QUOTE
Disable Unnecessary Ports

First backup the file that contains your list of ports with:

cp /etc/services /etc/services.original

Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
pico /etc/services

On a typical CPanel system it would look something like this:

tcpmux          1/tcp                           # TCP port service multiplexer
echo            7/tcp
echo            7/udp
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
domain          53/tcp                          # name-domain server
domain          53/udp
http            80/tcp          www www-http    # WorldWideWeb HTTP
pop3            110/tcp         pop-3           # POP version 3
imap            143/tcp         imap2           # Interim Mail Access Proto v2
https           443/tcp                         # MCom
smtps           465/tcp                         # SMTP over SSL (TLS)
syslog          514/udp
rndc            953/tcp                         # rndc control sockets (BIND 9)
rndc            953/udp                         # rndc control sockets (BIND 9)
imaps           993/tcp                         # IMAP over SSL
pop3s           995/tcp                         # POP-3 over SSL
cpanel          2082/tcp
cpanels         2083/tcp
whm             2086/tcp
whms            2087/tcp
webmail         2095/tcp
webmails        2096/tcp
mysql           3306/tcp                        # MySQL


Am I supposed to just comment out all the other ports except these ones listed?

I am creating a nice word doc with information consolidated and step by step on how to setup and harden the server, I will have to post it when finished.

Thanks
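Trimming /etc/services only changes name-to-number lookups; nothing is actually blocked until the firewall's port list matches. The following script is an added example (not part of newguy's post or the guide it quotes): it derives APF's inbound port lists from a trimmed services file, so the two stay in sync. It assumes the stock conf.apf variable names IG_TCP_CPORTS / IG_UDP_CPORTS, and the sample services file is constructed from the list quoted above.

```shell
#!/bin/bash
# Added example (not from the post): turn a trimmed services list into the
# inbound port lists APF reads from conf.apf. Assumption: IG_TCP_CPORTS and
# IG_UDP_CPORTS are APF's stock variable names; the sample services file
# below is constructed from the list quoted in the thread.

SAMPLE_SERVICES=$(mktemp)
cat > "$SAMPLE_SERVICES" <<'EOF'
# constructed sample: comment lines and aliases must be ignored
tcpmux          1/tcp                           # TCP port service multiplexer
echo            7/tcp
echo            7/udp
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
domain          53/tcp                          # name-domain server
domain          53/udp
http            80/tcp          www www-http    # WorldWideWeb HTTP
syslog          514/udp
cpanel          2082/tcp
mysql           3306/tcp                        # MySQL
EOF

# services_to_ports FILE PROTO
# Print the unique port numbers registered for PROTO (tcp or udp) as a
# comma-separated, numerically sorted list; comments, blank lines and
# trailing aliases are ignored.
services_to_ports() {
    awk -v proto="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            split($2, pp, "/")                  # "22/tcp" -> pp[1]=22 pp[2]=tcp
            if (pp[2] == proto && !(pp[1] in seen)) {
                seen[pp[1]] = 1
                ports[n++] = pp[1] + 0
            }
        }
        END {
            for (i = 1; i < n; i++) {           # insertion sort, numeric order
                v = ports[i]; j = i - 1
                while (j >= 0 && ports[j] > v) { ports[j + 1] = ports[j]; j-- }
                ports[j + 1] = v
            }
            for (i = 0; i < n; i++) printf "%s%s", (i ? "," : ""), ports[i]
        }' "$1"
}

# apf_port_lines FILE
# Emit the two conf.apf assignments that match the services file.
apf_port_lines() {
    printf 'IG_TCP_CPORTS="%s"\n' "$(services_to_ports "$1" tcp)"
    printf 'IG_UDP_CPORTS="%s"\n' "$(services_to_ports "$1" udp)"
}

# Usage: print the assignments for the sample file, ready to paste into conf.apf.
apf_port_lines "$SAMPLE_SERVICES"
```

Run it against the real file with `apf_port_lines /etc/services` and compare the output with what is currently in conf.apf; any port that appears in one list but not the other is either a service you forgot to firewall or a firewall hole for a service you no longer run.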
Enigma
Hi. I plan on ordering a server in a day or two. I wanted to know if this information on securing a server is still current.


thanks
ToddW
QUOTE (Enigma)
Hi. I plan on ordering a server in a day or two. I wanted to know if this information on securing a server is still current.


thanks


Yes. And if it's not, let me know which isn't and I'll make it.
alex042
Is there a security hole with cpanel demo mode?
Ronny AcuNett
QUOTE (newguy)
I have some information for setup too:

QUOTE


Disable Unnecessary Ports  

First backup the file that contains your list of ports with:  

cp /etc/services /etc/services.original  

Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.  
pico /etc/services

On a typical CPanel system it would look something like this:  

tcpmux          1/tcp                           # TCP port service multiplexer  
echo            7/tcp  
echo            7/udp  
ftp-data        20/tcp  
ftp             21/tcp  
ssh             22/tcp                          # SSH Remote Login Protocol  
smtp            25/tcp          mail  
domain          53/tcp                          # name-domain server  
domain          53/udp  
http            80/tcp          www www-http    # WorldWideWeb HTTP  
pop3            110/tcp         pop-3           # POP version 3  
imap            143/tcp         imap2           # Interim Mail Access Proto v2  
https           443/tcp                         # MCom  
smtps           465/tcp                         # SMTP over SSL (TLS)  
syslog          514/udp  
rndc            953/tcp                         # rndc control sockets (BIND 9)  
rndc            953/udp                         # rndc control sockets (BIND 9)  
imaps           993/tcp                         # IMAP over SSL  
pop3s           995/tcp                         # POP-3 over SSL  
cpanel          2082/tcp  
cpanels         2083/tcp  
whm             2086/tcp  
whms            2087/tcp  
webmail         2095/tcp  
webmails        2096/tcp  
mysql           3306/tcp                        # MySQL  


Am I supposed to just comment out all the other ports except these ones listed?

I am creating a nice word doc with information consolidated and step by step on how to setup and harden the server, I will have to post it when finished.

Thanks



You can comment it out, or just delete everything and paste that in there.
BeerUser
QUOTE
Disabling Direct Root Login (SSH)      
     
If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.  

Set up anotheruser if you haven't already got one:  

a. Type: groupadd anotheruser  
b. Type: useradd anotheruser -ganotheruser  
c. Type: passwd anotheruser passwordhere
and add a password for the new account.

On a CPanel system, you can (MUST) now go into root WHM and add anotheruser to the wheel group.  

After you do this, you will have to login as anotheruser then you will 'su -' to get to root.  


This is what I did:

groupadd john
useradd john -gjohn

passwd john mypassword

It says "please specify one user"... So what I did was just type passwd john and it said enter a password, so I did.

Can that way be done also? Or did I do something wrong?

Also, didn't we just create another user basically? Is it supposed to stop root logins?

Edit: nevermind understand it now
BeerUser
Running chkrootkit...

QUOTE
Checking `bindshell'... INFECTED (PORTS:  465)


Um...?? :S :S :S

Edit: that seems to be okay
BeerUser
with apf install...

This is the welcome server email I get, so I'm guessing 12.96.160 is the monitoring IP and /24 means * wildcard?
"If you set firewall or IPTable rules on your server, please be sure to have them configured to allow inbound and outbound traffic on all ports (TCP & UDP 1-65535) from 12.96.160/24 (12.96.160.*). If access is blocked by your server or firewall, we will not be able to monitor your server to report downtime or provide emergency support as needed. More details are available in Orbit under the Services tab."

In /etc/apf/allow_hosts.rules
I have
QUOTE
12.96.160/24


and in /usr/local/bfd/ignore.hosts
I have
QUOTE
127.0.0.1
12.96.160/24


1) Is that all right?

2) The last thing I don't understand about step 10 for BFD is
QUOTE
You should also add your home IP if you hadn't done so before.
If your home IP is dynamic this is not a good idea, and you should get a static IP.


3) What are we talking about here? Which is the home IP? The IP the ISP gives me? The IP for the server?
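The entry "12.96.160/24" covers 12.96.160.0 through 12.96.160.255, which is what the e-mail's "12.96.160.*" means, and the same entry has to be in both allow_hosts.rules (so APF never filters the monitor) and BFD's ignore.hosts (so a failed probe from the monitor never gets it banned). The script below is an added example, not from BeerUser's post or from APF/BFD: it expands the CIDR shorthand and checks whether a given address is covered by an allow-list file. It assumes IPv4 entries one per line, as in both files; the sample allow file is constructed, and 203.0.113.x is a documentation address standing in for a home IP.

```shell
#!/bin/bash
# Added example (not from the post): expand CIDR allow-list entries such as
# "12.96.160/24" and test whether an address is covered by them.
# Assumption: IPv4 entries, one per line, optional '#' comments, as in
# /etc/apf/allow_hosts.rules and /usr/local/bfd/ignore.hosts.

# ip_to_int A.B.C.D -> 32-bit integer; missing trailing octets count as 0,
# so the shorthand "12.96.160" is read as 12.96.160.0
ip_to_int() {
    local IFS=.
    set -- $1
    local a=${1:-0} b=${2:-0} c=${3:-0} d=${4:-0}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_mask CIDR -> the 32-bit netmask as an integer (a bare address is a /32)
cidr_mask() {
    local bits=32
    case $1 in */*) bits=${1#*/} ;; esac
    echo $(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
}

# cidr_contains CIDR IP -> exit 0 if IP lies inside CIDR
cidr_contains() {
    local mask
    mask=$(cidr_mask "$1")
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# cidr_range CIDR -> "first-last" address of the block, for eyeballing
cidr_range() {
    local mask first
    mask=$(cidr_mask "$1")
    first=$(( $(ip_to_int "${1%/*}") & mask ))
    echo "$(int_to_ip "$first")-$(int_to_ip $(( first | (~mask & 0xFFFFFFFF) )))"
}

# allowed_by_file FILE IP -> exit 0 if any entry in FILE covers IP
allowed_by_file() {
    local entry
    while read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        cidr_contains "$entry" "$2" && return 0
    done < "$1"
    return 1
}

# Constructed sample allow file: the monitoring subnet plus one home address.
ALLOW_FILE=$(mktemp)
printf '%s\n' '# constructed sample of allow_hosts.rules' '12.96.160/24' '203.0.113.7' > "$ALLOW_FILE"

# Usage: show what the shorthand covers and test two addresses against the file.
echo "12.96.160/24 covers $(cidr_range 12.96.160/24)"
for ip in 12.96.160.37 203.0.113.8; do
    allowed_by_file "$ALLOW_FILE" "$ip" && echo "$ip: allowed" || echo "$ip: NOT allowed"
done
```

Before enabling the firewall, run `allowed_by_file /etc/apf/allow_hosts.rules <your-public-ip>` and the same for `/usr/local/bfd/ignore.hosts`; the "home IP" is the public address your ISP has given you (what the server sees you connecting from), not the server's own address.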
AlexAT
I have "12.96.160/24" in apf allow file.
ToddW
New monitoring / security how-to guide.

SIM (System Integrity Monitor)
BeerUser
Edit: nevermind...
carlaron
QUOTE (BeerUser)
This is what I did:

groupadd john
useradd john -gjohn

passwd john mypassword

it says please specify one user... So what i did was just type passwd john and it said enter a password so i did.

As I think you figured out, the instructions for the passwd command were a bit off... you did it correctly.
QUOTE (BeerUser)
Also didnt we just create another user basicly?? Is it suppose to stop root logins?

For your second question, though, I think it is important to note that the instructions forgot to tell how to actually Deny Root SSH... As you noted, these steps only set up another user who will be able to log in and su to root, but do nothing to stop root using SSH...

So here it is:

edit /etc/ssh/sshd_config
find the line #PermitRootLogin yes
uncomment it and change it to PermitRootLogin no
then restart SSHD with /etc/rc.d/init.d/sshd restart

As the instructions did note, on cPanel, you must add your new user to the "wheel" group. Only members of "wheel" are allowed to su to root. Luckily, that can be done in WHM if you forgot and are now "locked out".

If you are cautious, then after you turn off root SSH, you can remain logged in with your regular root login (it won't kick you out, it just prevents new root connections via SSH) while you open another terminal window and try to log in as your other user and su to root. If that succeeds, then you can more confidently log out of your direct root log in, which you'll never be able to do again.
openmind
Hi,

I'm currently running RH Enterprise Edition 3, do I still need to install APF or does RH Enterprise Edition 3 already come with a firewall?

Also, I'm planning to host a few sites that are running a CMS (content management system) and will allow the users to upload images and some other files. If I install APF will I still be able to run sites like these?

Sorry if this is a bit of a dumb newbie question.

Thanks
buybeach
I may be a bit dense but I don't get it. I followed the directions given:

QUOTE
=======================

If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

Set up anotheruser if you haven't already got one:

a. Type: groupadd anotheruser
b. Type: useradd anotheruser -ganotheruser
c. Type: passwd anotheruser passwordhere
and add a password for the new account.

On a CPanel system, you can (MUST) now go into root WHM and add anotheruser to the wheel group.

After you do this, you will have to login as anotheruser then you will 'su -' to get to root.

============


All of which works like a charm; but it does not disable direct root login. How do you then disable login as root once you have an additional user who can become the SuperUser?
carlaron
QUOTE (buybeach)
I may be a bit dense but I don't get it. I followed the directions given:
QUOTE (carlaron)
Find the line that says "PermitRootLogin Yes", and Change it to "PermitRootLogin No", and uncomment the line if it is commented.

I'm editing this to be correct, so no one else gets hosed by my mistake, since I tripped up buybeach already. But I want to leave the mistake quoted above for "educational" purposes (so everyone learns to take what I write with a handful of salt...)

CORRECTED: Find the line that says "PermitRootLogin yes", and change it to "PermitRootLogin no", and uncomment the line if it is commented. VERY IMPORTANT: Do not do a capital "No", as that hoses SSH, and will require you to get SM to get in and fix it for you.

Then restart SSHD with /etc/rc.d/init.d/sshd restart
Matt Brown
do not do

PermitRootLogin No

do

PermitRootLogin no

Trust me, if you use No it will not work, thus breaking OpenSSH. It's happened to me, trust me on this.
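In sshd_config the keywords are case-insensitive but their arguments are not, so "PermitRootLogin No" is an invalid argument and sshd refuses to start, which is exactly the lock-out described above. The script below is an added example (not from carlaron's or Matt Brown's posts, and not part of OpenSSH) covering both the disable-root steps given earlier and this capitalisation trap: it reads the effective value of each hardening keyword and refuses to bless a file that would either leave root login open or fail to parse. It assumes the four PermitRootLogin arguments accepted by OpenSSH of that era (later versions add prohibit-password); the sample configs are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): validate sshd_config hardening keywords
# before restarting sshd, so "PermitRootLogin No" is caught while the current
# root session is still open. Assumptions: OpenSSH treats keywords as
# case-insensitive and arguments as case-sensitive; accepted PermitRootLogin
# arguments are the four below (newer releases also accept prohibit-password).

PERMIT_ROOT_VALUES="yes no without-password forced-commands-only"

# in_list WORD "w1 w2 ..." -> exit 0 if WORD is one of the space-separated words
in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# effective_value FILE KEYWORD -> argument of the first uncommented KEYWORD line
# (sshd uses the first occurrence); prints nothing if the keyword is unset
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd_config FILE -> exit 0 if every check passes; one finding per line
check_sshd_config() {
    local rc=0 v

    v=$(effective_value "$1" PermitRootLogin)
    if [ -z "$v" ]; then
        echo "PermitRootLogin: not set, sshd defaults to yes"; rc=1
    elif ! in_list "$v" "$PERMIT_ROOT_VALUES"; then
        echo "PermitRootLogin: '$v' is not a valid argument (arguments are case-sensitive); sshd would refuse to start"; rc=1
    elif [ "$v" != "no" ]; then
        echo "PermitRootLogin: '$v' still allows direct root login"; rc=1
    fi

    v=$(effective_value "$1" Protocol)
    if [ "$v" != "2" ]; then
        echo "Protocol: '${v:-unset}' leaves SSH protocol 1 enabled on sshd of this era; set 'Protocol 2'"; rc=1
    fi
    return $rc
}

# safe_restart FILE -> let sshd itself parse the file before restarting it
safe_restart() {
    /usr/sbin/sshd -t -f "$1" && /etc/rc.d/init.d/sshd restart
}

# Constructed samples: one hardened file and one with the capital-N mistake.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
printf '%s\n' '# constructed sample' 'Protocol 2' 'PermitRootLogin no' 'Port 22' > "$GOOD_CFG"
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin No' 'Protocol 2,1' > "$BAD_CFG"

# Usage: the bad file produces two findings and a non-zero exit.
check_sshd_config "$BAD_CFG" || echo "fix the file before restarting sshd"
```

Run `check_sshd_config /etc/ssh/sshd_config` and then `safe_restart /etc/ssh/sshd_config`; `sshd -t` is the authoritative syntax check, and as carlaron says, keep the existing root session open and confirm a fresh login plus `su -` from a second window before closing it.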
buybeach
Since I already "broke" it by not recognizing the capitalization issue.
Matt Brown
Ouch, sorry I didn't see this earlier. I think it needs to be in big red letters somewhere. Hopefully you'll figure out how to fix it (call SM support).
buybeach
Well, I called support and the tech told me to open a ticket, which I did. I hope someone helps me out, as I have tried every other scheme I can think of to repair the config file from where I sit and it's a no-go.

Anyway, what really hurts is that I originally typed in "no" but then had one of those Linux moments and figured, "Gee, the value might be case-sensitive," so I went back and put in an upper-case "N" in "No".

So it goes.
carlaron
QUOTE (buybeach)
Well, I called support and the tech told me to open a ticket, which I did. I hope someone helps me out, as I have tried every other scheme I can think of to repair the config file from where I sit and it's a no-go.

Anyway, what really hurts is that I originally typed in "no" but then had one of those Linux moments and figured, "Gee, the value might be case-sensitive," so I went back and put in an upper-case "N" in "No".

So it goes.


Sorry, my bad, there... Mental note... double-check everything I write... I could be full of it... I am a "celery" rather than "supergeek".

I have altered the post so no one else gets tripped up by it, but so that it still illustrates the possible error, and warns people away from it.

I had it right in my earlier post a few weeks ago, but then typed without thinking this time.

I'm sure they can get in on the console without SSH, and fix the SSH config file, and get you back in again.
buybeach
Please do not feel bad; I am grateful to you for having answered my question. Why this was not included in the article on how to do this is "a puzzlement" to me.

And yes, we got it ironed out and working right.
buybeach
So you follow the steps on hardening your server given at the head of this thread and disable log-in to SSH as root. Good idea.

But if running cPanel, for example, you log into WHM as "root" and I cannot find a way to change that. So although the "hacker" can't get in by throwing passwords at the "root" SSH login he can do the same thing to the web-based interface (WHM). Once in he can reset root password etc., take over the server, etc.

Has anyone got a workaround for this weakness? Seems like locking the front door and leaving the other open.

On a related issue: does anyone know where cPanel stores the default web page it returns on the main ip port 80 for a new server if there are no web sites running on that ip?
speedcore
QUOTE (buybeach)
On a related issue: does anyone know where cPanel stores the default web page it returns on the main ip port 80 for a new server if there are no web sites running on that ip?


No idea about the WHM lockdown, but in regards to your second question, Apache's default documents location is /etc/httpd/htdocs.
Blue|Fusion
APF Firewall

I successfully got this to work on my SM box; however, last night when I went to start apf up, I got a bunch of IPTABLES errors and then I was locked out until the devmode cleared it. I gave up around 11PM last night, and I just got home from work an hour ago, and I see that the download source is a newer version (so upgrade everyone... if it works) and I do not get the errors when I start apf; however, I am still completely locked out of the server although I opened up all the same ports as my old server (SSH, FTP, web, Plesk, etc.) and still have to wait till the devmode kills it.


apf_log:
QUOTE
Jul 17 16:50:00 richgannon apf(21351): flushing & zeroing chain policies
Jul 17 16:50:00 richgannon apf(21351): firewall offline
Jul 17 16:51:25 richgannon apf(21397): flushing & zeroing chain policies
Jul 17 16:51:25 richgannon apf(21397): firewall offline
Jul 17 16:51:28 richgannon apf(21425): activating firewall
Jul 17 16:51:28 richgannon apf(21460): development mode enabled!; firewall will flush every 5 minutes.
Jul 17 16:51:28 richgannon apf(21460): determined (IN_IF) eth0 has address
Jul 17 16:51:28 richgannon apf(21460): determined (OUT_IF) eth0 has address
Jul 17 16:51:28 richgannon apf(21460): loading sysctl.rules
Jul 17 16:51:28 richgannon apf(21460): setting sysctl_tcp enabled.
Jul 17 16:51:28 richgannon apf(21460): setting sysctl_syn enabled.
Jul 17 16:51:28 richgannon apf(21460): loading preroute.rules
Jul 17 16:51:28 richgannon apf(21460): loading allow_hosts.rules
Jul 17 16:51:28 richgannon apf(21460): allow all to/from 12.96.160/24
Jul 17 16:51:28 richgannon apf(21460): loading bt.rules
Jul 17 16:51:28 richgannon apf(21460): loading log.rules
Jul 17 16:51:28 richgannon apf(21460): virtual net subsystem disabled.
Jul 17 16:51:28 richgannon apf(21460): loading main.rules
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 20 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 21 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 22 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 24 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 25 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 53 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 80 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 110 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 143 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 443 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 465 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 993 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 995 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 2083 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 2086 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 2087 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 2096 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 3306 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 8000:8003 on 0/0
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 8443 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound tcp port 9000 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound tcp port 9999 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound tcp port 10000 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound tcp port 14534 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound tcp port 20045 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound tcp port 35000:35999 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound tcp port 51234 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 20 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 21 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 24 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 53 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 1040 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 1716 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 1717 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 1718 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 8767:8773 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 8777 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 9000 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound udp port 27900 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound icmp type 3 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound icmp type 5 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound icmp type 11 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound icmp type 0 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound icmp type 30 on 0/0
Jul 17 16:51:29 richgannon apf(21460): opening inbound icmp type 8 on 0/0
Jul 17 16:51:29 richgannon apf(21460): default (egress) output accept
Jul 17 16:51:29 richgannon apf(21460): default (ingress) input drop
Jul 17 16:51:29 richgannon apf(21425): firewall initalized
Jul 17 16:55:00 richgannon apf(22193): flushing & zeroing chain policies
Jul 17 16:55:00 richgannon apf(22193): firewall offline
Jul 17 17:00:00 richgannon apf(22317): flushing & zeroing chain policies
Jul 17 17:00:00 richgannon apf(22317): firewall offline
Jul 17 17:05:00 richgannon apf(22370): flushing & zeroing chain policies
Jul 17 17:05:00 richgannon apf(22370): firewall offline


Comparing it to the working APF logs, it seems that the 0/0 at the end of the lines should be the IP addresses, however it seems to not be detecting the IPs, or I am missing something in the setup.

EDIT:

I rebooted the server with a new hostname that I made sure was correct on my own domain, because I thought that maybe the subdomain TP put my server on wasn't a fully qualified domain or just not propagated yet. I also set the /etc/hosts file with the new hostname. I started APF, and it totally crashed my server.

Is anyone else having trouble with this?
Ronny AcuNett
Try reinstalling APF and checking for syntax errors.

Also type "ifconfig". Make sure your NIC is on eth0. If not, change it in conf.apf accordingly.
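The tell-tale lines in the log above are "determined (IN_IF) eth0 has address" with nothing after "address": APF found no address on the interface it was told to use, so every rule was built against the wrong NIC. The "on 0/0" at the end of the "opening inbound" lines is normal (0/0 means any source) and is not the problem. The following script is an added example, not from Blue|Fusion's or Ronny's posts and not part of APF: it scans an apf_log for that symptom and compares the interface named in conf.apf with the one carrying the default route. It assumes APF's stock IFACE_IN / IFACE_OUT settings in conf.apf and the log wording quoted above; the sample log and config are constructed from those quotes.

```shell
#!/bin/bash
# Added example (not from the thread): detect the "interface has no address"
# symptom in apf_log and compare conf.apf's IFACE_IN with the interface that
# actually carries the default route. Assumptions: conf.apf uses the stock
# IFACE_IN="eth0" form; log wording matches the lines quoted in the thread.

# Constructed sample log: the two interface lines exactly as quoted, no address.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jul 17 16:51:28 richgannon apf(21460): activating firewall
Jul 17 16:51:28 richgannon apf(21460): determined (IN_IF) eth0 has address
Jul 17 16:51:28 richgannon apf(21460): determined (OUT_IF) eth0 has address
Jul 17 16:51:28 richgannon apf(21460): opening inbound tcp port 22 on 0/0
EOF

# Constructed healthy log: same lines as they look when the NIC is right
# (203.0.113.5 is a documentation address standing in for the server's IP).
HEALTHY_LOG=$(mktemp)
cat > "$HEALTHY_LOG" <<'EOF'
Jul 17 16:51:28 richgannon apf(21460): determined (IN_IF) eth1 has address 203.0.113.5
Jul 17 16:51:28 richgannon apf(21460): determined (OUT_IF) eth1 has address 203.0.113.5
EOF

SAMPLE_CONF=$(mktemp)
printf '%s\n' 'IFACE_IN="eth0"' 'IFACE_OUT="eth0"' > "$SAMPLE_CONF"

# apf_ifaces_without_address LOG -> prints "IN_IF eth0" for every interface
# line whose address field is empty; exit 0 if at least one was found
apf_ifaces_without_address() {
    awk '
        /determined \((IN|OUT)_IF\) [^ ]+ has address/ {
            for (i = 1; i <= NF; i++) if ($i == "determined") break
            tag = $(i + 1); sub(/^\(/, "", tag); sub(/\)$/, "", tag)
            # fields: determined (IN_IF) eth0 has address [ADDR]; no ADDR => NF == i+4
            if ($(i + 4) == "address" && NF == i + 4) { print tag, $(i + 2); found = 1 }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# conf_iface CONF NAME -> value of IFACE_IN or IFACE_OUT from conf.apf
conf_iface() {
    awk -F'"' -v key="$2" '$0 ~ "^" key "=" { print $2; exit }' "$1"
}

# default_route_iface -> interface carrying the default route (live system only)
default_route_iface() {
    ip -o route show default 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_apf_iface CONF -> exit 0 when IFACE_IN matches the default-route interface
check_apf_iface() {
    local want have
    want=$(conf_iface "$1" IFACE_IN)
    have=$(default_route_iface)
    [ -n "$have" ] || { echo "could not determine the default route interface"; return 2; }
    if [ "$want" = "$have" ]; then
        echo "IFACE_IN=$want matches the default route"; return 0
    fi
    echo "IFACE_IN=$want but the default route is on $have; fix conf.apf before starting apf"
    return 1
}

# Usage: the constructed log shows both interfaces without an address.
apf_ifaces_without_address "$SAMPLE_LOG" && echo "apf bound to an interface with no address"
```

On the live box run `apf_ifaces_without_address /var/log/apf_log` after a failed start and `check_apf_iface /etc/apf/conf.apf` before the next one; the second check is what would have flagged Blue|Fusion's eth0/eth1 mix-up before the firewall ever came up.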
Blue|Fusion
Thank you very much Ronny. That was the problem.

Didn't even think about the eth cards.

Cheers.
method1
I get the same problem but my NIC is set to eth0 already. I'm using apf-0.9.4-5

Any suggestions?
Blue|Fusion
My problem was it was set to eth0 when in fact the traffic was all on eth1.
method1
Sorry, I meant this part:

QUOTE
Comparing it to the working APF logs, it seems that the 0/0 at the end of the lines should be the IP addresses, however it seems to not be detecting the IPs, or I am missing something in the setup.


But the weird thing is, APF seems to be working.
ToddW
New Site Complete!! & New Guides Added!!

RKHunter Installation Guide (Root Kit Hunter).. scan your box daily for root kits.. with Root Kit Hunter v1.1.4
RKHunter Installation

Secure tmp directory

Remove T0rnKit v8


mih
QUOTE (newguy)
I have some information for setup too:

I am creating a nice word doc with information consolidated and step by step on how to setup and harden the server, I will have to post it when finished.

Thanks

Hello New Guy,

Did you make that word doc you mention above?

If yes, where can I find it?

Thanks.
alkatraz
Just wanted to give a HUGE THANKS to ToddW for his easy to follow tutorials and guides.

I'm brand new to dedicated servers and to be honest, was quite overwhelmed when I first opened up WHM and SSH'd into my server. lol
After completing your "checklist" on this thread and other tutorials on your site I feel much more comfortable with running my own server.

Thanks again and keep up the great work! (PS: I clicked on a ton of your banners to try and support you.)
Bruceleeon
One thing I think is SUPER IMPORTANT that I don't see listed is:

Changing your default SSH port.

QUOTE
pico -w /etc/ssh/sshd_config

Find the line '#Port 22' and uncomment it and change it to look like 'Port [Random high level port here]'.


Remember to add that port to your allowed opens in your Firewall... otherwise... LOL you are locked out.

This has stopped so many attempts at my server!!
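The lock-out Bruceleeon warns about happens when sshd is restarted on a port the firewall still drops. The script below is an added example (not from the post and not part of APF or OpenSSH): it reads the Port from sshd_config, reads IG_TCP_CPORTS from conf.apf, and refuses to bless the change until the port is listed. It assumes APF's stock IG_TCP_CPORTS variable with ranges written LOW_HIGH (a LOW:HIGH form is accepted too); the sample files are constructed, with 2222 standing in for whatever high port you pick.

```shell
#!/bin/bash
# Added example (not from the thread): before restarting sshd on a new port,
# confirm the port is already in APF's inbound TCP list so the change cannot
# lock you out. Assumptions: conf.apf holds the list in IG_TCP_CPORTS (stock
# APF name) with ranges as LOW_HIGH; sample files below are constructed.

SSHD_CFG=$(mktemp); APF_CONF=$(mktemp)
printf '%s\n' '#Port 22' 'Port 2222' 'Protocol 2' > "$SSHD_CFG"
printf '%s\n' 'IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082_2087,3306"' > "$APF_CONF"

# sshd_port FILE -> the configured Port (first uncommented line), default 22
sshd_port() {
    local p
    p=$(awk '/^[[:space:]]*#/ { next } tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# apf_tcp_ports CONF -> the comma-separated value of IG_TCP_CPORTS
apf_tcp_ports() {
    awk -F'"' '/^IG_TCP_CPORTS=/ { print $2; exit }' "$1"
}

# port_in_list PORT LIST -> exit 0 if PORT is in LIST, e.g. "22,25,2082_2087"
port_in_list() {
    local port=$1 item lo hi
    local IFS=,
    for item in $2; do
        item=${item//:/_}                       # accept LOW:HIGH as well
        case $item in
            *_*) lo=${item%_*}; hi=${item#*_}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$port" -eq "$item" ] && return 0 ;;
        esac
    done
    return 1
}

# check_ssh_port_allowed SSHD_CONFIG APF_CONF -> exit 0 when the SSH port is open
check_ssh_port_allowed() {
    local port list
    port=$(sshd_port "$1")
    list=$(apf_tcp_ports "$2")
    if port_in_list "$port" "$list"; then
        echo "sshd port $port is in IG_TCP_CPORTS ($list)"
        return 0
    fi
    echo "sshd port $port is NOT in IG_TCP_CPORTS ($list): add it and restart apf BEFORE restarting sshd"
    return 1
}

# Usage: with the constructed files the check fails, which is the point:
# the firewall has not been told about 2222 yet.
check_ssh_port_allowed "$SSHD_CFG" "$APF_CONF" || true
```

Order of operations: add the port to IG_TCP_CPORTS, restart apf, run `check_ssh_port_allowed /etc/ssh/sshd_config /etc/apf/conf.apf`, only then restart sshd, and confirm a fresh login on the new port from a second window before closing the old session. Leaving 22 in the list until that login succeeds costs nothing and gives you a way back in.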
klaude
If you change your SSH port please let us know via a support ticket or by updating the notes in your server's password profiles. Failing to do so may void your SLA, and we may see a false outage if we can't get to port 22.
wmshub
QUOTE (Bruceleeon)
One thing I think is SUPER IMPORTANT that I don't see listed is:

Changing your default SSH port.
I would (mostly) disagree here. Breaking through SSH, hidden port or no hidden port, is difficult. Usually people who do this have snooped around and found the password of one of your users.

If they have found a way to do this, do you really think that they'll give up after failing to connect on port 22? Or will they set up a script to port scan your server and then try connecting on their hits, looking for your real SSH server? Or, even more likely, if they can find your user's password, probably they'll find the port the user connects to at the same time.

Not that this is worthless. There is a chance it will save you. But the chance is probably very small, so I wouldn't recommend to somebody that they spend their time doing nonstandard configurations on SSH (and then the work of telling your clients to update, telling ServerMatrix, etc.). If you're worried about security, you are better off running scripts to look for weak passwords or reading security alert mailing lists or something like that.
Bruceleeon
QUOTE (wmshub)
QUOTE (Bruceleeon)
One thing I think is SUPER IMPORTANT that I don't see listed is:

Changing your default SSH port.
I would (mostly) disagree here. Breaking through SSH, hidden port or no hidden port, is difficult. Usually people who do this have snooped around and found the password of one of your users.

If they have found a way to do this, do you really think that they'll give up after failing to connect on port 22? Or will they set up a script to port scan your server and then try connecting on their hits, looking for your real SSH server? Or, even more likely, if they can find your user's password, probably they'll find the port the user connects to at the same time.

Not that this is worthless. There is a chance it will save you. But the chance is probably very small, so I wouldn't recommend to somebody that they spend their time doing nonstandard configurations on SSH (and then the work of telling your clients to update, telling ServerMatrix, etc.). If you're worried about security, you are better off running scripts to look for weak passwords or reading security alert mailing lists or something like that.


I feel -

It takes under 5 minutes to do all the above. Change the port, update Orbit, and send an email to your customers.

Security is done in layers... This is one layer.

If changing my ssh port from 22 to another one keeps some kiddies from banging away at usernames and passwords on the most common port then I am all for it. If you look in these threads you will see posts with people getting attempts like: http://forums.servermatrix.com/viewtopic.php?t=11844 I see it everywhere. This is one less headache for people.

Besides... I don't give shell access to ANYONE! IF - by some remote chance I do for some short period of time... it's jailed. (big rule) Then again... I'm not advertising, and not really looking to get customers that would require shell access.
______________________________________________________
I always look forward to reading people's ideas on security. I am still learning! I started off not knowing anything... now I can type "top" and "w".
AlexAT
I have used a non-standard SSH port for months.
It is **very** helpful.

Yes, it is only 1 more security layer.
hulkster
As a new SM customer, I've read through the various forum threads looking for what I hoped was a quick list to answer what I'm guessing would be come common questions that are touched upon above - I understand/agree that this isn't SM's responsibility, so I'm just looking for some generic points/best practices.

While every case varies, I suspect many people basically just need ssh/httpd ... so what would be the minimal set of services/processes to be running? I.e. the default install fires up cups, portmap, rpc.statd, cannaserver (!), etc. ... so is there perhaps a checklist of which ones can be safely turned off (for instance, syslogd is NOT a good one to turn off!) and a recommended best approach so that they aren't accidentally re-enabled on future patches. Ditto for xinetd.d entries. Best would be what exactly IS needed (and then add from there), so yeah, too bad that Red Hat doesn't offer a minimal configuration that SM could offer to customers.

On the firewall front, it seems like apf is what everyone recommends, although my guess is a static set of iptables rules would probably do 90% of that without the added complexity - anyone have a handy set of rules that basically just allow ssh/httpd?

Yes, I did read through a bunch of forum threads that touch upon each of these, so apologies if I missed it, but I didn't see definitive/summarized answers

Thanx,
alek
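A static ruleset that only allows ssh/httpd is short, and the two things that matter for not locking yourself out are accepting ESTABLISHED traffic (so the SSH session you are typing in survives) and setting the DROP policy last. The script below is an added example, not from hulkster's post and not APF's code: it builds the rule list first so it can be reviewed or tested without root, then applies it with the same kind of timed safety flush that APF's development mode gives you. It assumes the provider's monitoring subnet is the 12.96.160/24 quoted earlier in the thread and that the server needs only TCP 22 and 80 inbound; adjust ALLOW_TCP for 443 or anything else you actually run.

```shell
#!/bin/bash
# Added example (not from the thread): a minimal stateful iptables INPUT policy
# allowing only SSH, HTTP and the provider's monitoring subnet, generated as a
# list first (reviewable and testable without root) and applied with a timed
# safety flush. Assumption: 12.96.160/24 is the monitoring subnet quoted in the
# thread; add ports to ALLOW_TCP for any other service you actually run.

MONITOR_NET="12.96.160.0/24"   # provider monitoring subnet from the welcome e-mail
ALLOW_TCP="22 80"              # ssh and httpd only; add 443 if you serve HTTPS

# build_rules -> prints one iptables command per line, in the order to run them.
# ACCEPT rules (loopback, established sessions, monitor, services) come first;
# the DROP policy is set last so the session you are typing in is never cut.
build_rules() {
    local p
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $MONITOR_NET -j ACCEPT
EOF
    for p in $ALLOW_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
EOF
}

# rule_count -> number of commands build_rules emits (quick sanity check)
rule_count() { build_rules | wc -l | tr -d ' '; }

# apply_rules -> run the commands as root and start a 5-minute safety timer
# that reopens INPUT unless cancelled, mirroring apf's development mode.
apply_rules() {
    local cmd
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules must run as root" >&2; return 1; }
    while read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; return 1; }
    done < <(build_rules)
    ( sleep 300 && iptables -P INPUT ACCEPT && iptables -F INPUT ) &
    FLUSH_PID=$!
    echo "rules applied; open a NEW ssh session to confirm access, then: kill $FLUSH_PID"
}

# Usage: review the generated commands (no root needed).
build_rules
```

Save the rules with your distribution's `service iptables save` once the fresh login works and the timer is cancelled; and note that this covers the firewall half of hulkster's question only, the chkconfig/xinetd service trimming is a separate audit.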
hulkster
OK - I think I'll answer my own question and say I just went with apf. Still haven't decided on if I want to complement it with bfd, since I had a bad experience where it got a bit overzealous (at a site managed by someone else) and locked me out for some reason.