Tutorials following continued discussions from How to Secure and Optimize a Server or VPS part 1
=========================================
Install BFD (Brute Force Detection – optional)
=========================================
To install BFD, SSH into the server and log in as root.
At the command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh
(Have a look through install.sh before running it; it runs as root.)
After BFD has been installed, you need to edit the configuration file.
At the command prompt type:
pico /usr/local/bfd/conf.bfd
Under Enable brute force hack attempt alerts:
Find
ALERT_USR="0"
and change it to
ALERT_USR="1"
Find
EMAIL_USR="root"
and change it to
EMAIL_USR="your@email.com"
Save the changes, then exit.
To start BFD, at the command prompt type:
/usr/local/sbin/bfd -s
Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.
To modify Logwatch, SSH into the server and log in as root.
At the command prompt type:
pico -w /etc/log.d/conf/logwatch.conf
Scroll down to
MailTo = root
and change it to
MailTo = your@email.com
[note]
Note: Set the e-mail address to an offsite account, in case you get hacked; a report that lands in a mailbox on the compromised server is of little use.
[/note]
Now scroll down to
Detail = Low
and change it to Med or High. Logwatch also accepts the equivalent numbers (Low = 0, Med = 5, High = 10), so either form works:
Detail = Med (or Detail = 5)
Detail = High (or Detail = 10)
[note]
Note: High will give you more detailed logs with all actions.
[/note]
Save and exit.
A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
[info]
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
[/info]
Change Passwords
Change the root password at least once a month and make it long and hard to guess. Yes, it’s a pain to keep track of them, but it’s better than being hacked.
————————————————–
Set Up A More Secure SSH Environment As described here.
————————————————–
Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X, press y and then enter to save the file.
4. Restart xinetd with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/hosts.deny so that any Telnet connection that still reaches in.telnetd through TCP Wrappers is refused and logged as an ’emergency’ message:
in.telnetd : ALL : severity emerg
————————————————–
Disable Unnecessary Ports (optional)
Bear in mind what /etc/services actually is: a table mapping service names to port numbers, consulted by tools such as netstat, xinetd and firewall scripts for name lookups. Trimming it does not close a port; only the firewall (or stopping the daemon) does that. Treat this step as housekeeping that keeps the file in step with your firewall rules, not as a control on its own.
First back up the file that contains your list of ports with:
cp /etc/services /etc/services.original
Now configure /etc/services so that it only has the ports you need in it. This should match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
Additional RPC program numbers are listed in /etc/rpc. That file is likewise only a name lookup (used by rpcinfo and friends) and isn’t generally needed, so move it out of the way with:
mv /etc/rpc /etc/rpc-moved
————————————————–
Watch The Logs
Install something like Logwatch to keep an eye on your system logs. It extracts anything ‘interesting’ from the logs and e-mails it to you on a daily basis.
Logwatch can be found at: http://www.logwatch.org
Install instructions here.
————————————————–
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
————————————————–
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone – no exceptions.
————————————————–
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCP Wrappers-protected services only), add the following to /etc/hosts.deny, all on one line:
ALL : nnn.nnn.nnn.nnn : spawn (/bin/echo $(date) %c %d | mail -s "Access attempt by nnn.nnn.nnn.nnn on hostname" notify@mydomain.com)
Replacing nnn.nnn.nnn.nnn with the attacker’s IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt. TCP Wrappers expands %c to the client information and %d to the daemon name, so the message records who connected to what.
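Quoting inside a spawn rule is fragile (the one-liner above is easy to mangle), and it does nothing visible if mail is missing. A small helper script that hosts.deny calls instead keeps the rule simple and always leaves a record. The script below is an added example, not part of the original tutorial: the install path /usr/local/sbin/tcpw-notify, the variable names ALERT_LOG and ALERT_TO, the log file location and the sample address 203.0.113.9 used in testing are all assumptions. With it installed, the hosts.deny line becomes: ALL : nnn.nnn.nnn.nnn : spawn /usr/local/sbin/tcpw-notify %c %d

```shell
#!/bin/sh
# tcpw-notify: added example, not from the original tutorial.
# Called from /etc/hosts.deny as:  spawn /usr/local/sbin/tcpw-notify %c %d
# (install path is an assumption). It records every refused connection in a
# log file and in syslog, and mails it only when ALERT_TO is set and a mail(1)
# command exists, so the event is never lost to a missing mailer.

ALERT_LOG=${ALERT_LOG:-/var/log/tcpw-alerts.log}   # assumed location
ALERT_TO=${ALERT_TO:-}                              # e.g. notify@mydomain.com
HOST=$(hostname 2>/dev/null || echo unknown)

# alert_line <client> <daemon>: one timestamped record of the attempt.
alert_line() {
    printf '%s access attempt by %s to %s on %s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$1" "$2" "$HOST"
}

# tcpw_notify <client> <daemon>: append to ALERT_LOG, send to syslog, and
# mail when configured. Returns 0 on success, 1 if the log cannot be written.
tcpw_notify() {
    line=$(alert_line "$1" "$2") || return 1
    printf '%s\n' "$line" >> "$ALERT_LOG" || return 1
    if command -v logger >/dev/null 2>&1; then
        logger -p auth.warning -t tcpw-notify "$line" 2>/dev/null || :
    fi
    if [ -n "$ALERT_TO" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$line" | mail -s "Access attempt by $1 on $HOST" "$ALERT_TO"
    fi
    return 0
}

# When run by TCP Wrappers the two arguments are %c (client) and %d (daemon).
if [ $# -eq 2 ]; then
    tcpw_notify "$1" "$2"
fi
```

Keep the script owned by root and mode 0755, and make sure ALERT_LOG is on the same offsite-mailed or log-shipped path as the rest of your security logs; the local file is only useful if it outlives a compromise.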
————————————————–
Check Open Ports
From time to time it’s worth checking which ports are open to the outside world. A quick check from the box itself is:
nmap -sT -O localhost
Bear in mind that a scan of localhost also lists services bound only to 127.0.0.1 (a local-only MySQL, for instance), so it overstates what is reachable from outside, and -O needs root. For the real picture, scan your public IP from another host, or check the bind address of each listener with netstat -ltnp.
If nmap isn’t installed, it can be selected from the root WHM’s Install an RPM option.
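A complementary check that avoids the localhost blind spot: read the listener table and keep only the TCP sockets bound to something other than a loopback address. This is an added example, not part of the original tutorial; it parses the output of ss -Hltn (netstat -ltn puts the local address in the same fourth column), and the sample lines embedded in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original tutorial: which listening TCP ports are
# actually exposed?  A scan of localhost also shows loopback-only services, so
# instead read the listener table and keep sockets bound to any address other
# than 127.0.0.0/8 or ::1.  Input is the output of `ss -Hltn` (or `netstat -ltn`,
# whose local-address column is also the fourth field).

# exposed_ports: read listener lines on stdin, print exposed port numbers,
# sorted numerically, with duplicates (v4 + v6 of the same port) collapsed.
exposed_ports() {
    awk '{
        addr = $4
        n = split(addr, f, ":")
        if (n < 2) next                      # header or junk line
        port = f[n]
        if (port !~ /^[0-9]+$/) next
        host = substr(addr, 1, length(addr) - length(port) - 1)
        gsub(/[][]/, "", host)               # [::1]:25 -> ::1
        sub(/%.*/, "", host)                 # strip scope id, e.g. fe80::1%eth0
        if (host ~ /^127\./ || host == "::1") next
        print port
    }' | sort -n | uniq
}

# CONSTRUCTED sample in ss -Hltn format (not captured from a real server):
# sshd on all v4 addresses, MySQL on loopback only, Apache on v4 and v6,
# a mail submission daemon on v6 loopback only.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 70 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 [::1]:587 [::]:*'

# sample_exposed_ports: run the parser over the constructed sample.
sample_exposed_ports() {
    printf '%s\n' "$SAMPLE_LISTENERS" | exposed_ports
}

# live_exposed_ports: the same check against this host (needs ss or netstat).
live_exposed_ports() {
    if command -v ss >/dev/null 2>&1; then
        ss -Hltn | exposed_ports
    else
        netstat -ltn 2>/dev/null | exposed_ports
    fi
}

# Run with --live to inspect the current machine; otherwise show the sample.
case "${1:-}" in
    --live) live_exposed_ports ;;
    "")     sample_exposed_ports ;;
esac
```

On the sample the result is 22, 80 and 443; MySQL on 127.0.0.1 and submission on ::1 are dropped even though nmap against localhost would report both as open. Compare the live list with the ports your firewall permits and chase up anything that appears in one but not the other.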
————————————————–
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
————————————————–
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
– php open_basedir Tweak.
– SMTP tweak.
You may want to enable:
– mod_userdir Tweak. But that will disable domain preview.
————————————————–
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel’s description of what it does:
“suexec allows cgi scripts to run with the user’s id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. ”
Even if you don’t use phpsuexec (which often causes more problems), SuExec should be considered.
————————————————–
Use PHPSuExec (CPanel)
This needs to be built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their .htaccess files contain no PHP directives (php_value, php_flag and the like), since those are only honoured when PHP runs as an Apache module.
————————————————–
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine. Bear in mind that it only stops compilation on the box: an attacker who can upload files can still bring a precompiled binary, so treat it as one more hurdle rather than a complete defence. Paths in the list that don’t exist on your system just produce a harmless "No such file or directory" error.
To disable them, do the following:
chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
You will need to enable them again when you need to perform system updates (and re-check them afterwards, since package updates can reset the modes). To do this, run:
chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
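Toggling two long chmod lists by hand is error-prone, and the bare lists give no indication of which paths actually exist on a given box. The script below is an added example, not part of the original tutorial: it wraps the same list in one function, skips absent paths, and prints what it changed. The optional root argument is an assumption introduced so the function can be exercised against a scratch directory (on a real server leave it out and everything resolves under /usr). One deliberate deviation from the original list, also an assumption of this example: the directory /usr/lib/bcc itself is not touched, because setting a directory to 000 blocks the path to everything beneath it, and locking the bcc-cc1 binary inside it is enough.

```shell
#!/bin/sh
# Added example, not from the original tutorial: toggle the compiler binaries
# between mode 000 and 755 in one go, skipping paths that do not exist on this
# box and reporting each file actually changed.  The optional root argument is
# an assumption so the function can be tested in a scratch directory.

# Patterns relative to the root (default /usr); shell globs are allowed.
# /usr/lib/bcc (a directory) is intentionally omitted; see the lead-in.
COMPILER_PATTERNS='bin/perlcc bin/byacc bin/yacc bin/bcc bin/kgcc bin/cc bin/gcc
bin/i386*cc bin/*c++ bin/*g++ lib/bcc/bcc-cc1
i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1'

# set_compiler_mode <000|755> [root]: apply the mode to every matching file
# that exists, print each path changed, return 1 if any chmod failed.
set_compiler_mode() {
    mode=$1
    root=${2:-/usr}
    rc=0
    set -f                                   # expand the pattern list without globbing
    for pat in $COMPILER_PATTERNS; do
        set +f                               # now let each pattern glob under $root
        for f in "$root"/$pat; do
            [ -e "$f" ] || continue          # unmatched glob or absent file
            if chmod "$mode" "$f"; then
                printf '%s\n' "$f"
            else
                rc=1
            fi
        done
    done
    set +f
    return $rc
}

# disable_compilers [root] / enable_compilers [root]: the two states the
# tutorial switches between.
disable_compilers() { set_compiler_mode 000 "$@"; }
enable_compilers()  { set_compiler_mode 755 "$@"; }

# perm_string <file>: the ls-style permission field, e.g. ---------- or -rwxr-xr-x
perm_string() { ls -ld "$1" | cut -c1-10; }
```

Run disable_compilers after each update and keep its output: if a path that used to be listed stops appearing, a package has probably moved or replaced the binary and the new location needs adding to the list.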
————————————————–
Obfuscate The Apache Version Number
1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:
ServerSignature Off
3. Add a line underneath that which reads:
ServerTokens ProductOnly
4. Hit CTRL+X, then y, then enter to save the file.
5. Restart Apache with:
/etc/rc.d/init.d/httpd restart
ServerSignature Off removes the version footer from Apache-generated error pages, and ServerTokens ProductOnly cuts the Server response header down to just "Apache". Neither hides the version from a determined attacker who fingerprints the server, but it stops advertising it to every scanner that passes by.
——————–
That covers what I’ve put together so far on How to Secure and Optimize a Server or VPS.