How to Secure and Optimize your VPS
From ReduxWiki
[edit] Securing cPanel, WHM & Root
These techniques can definitely help you, but remember, use them at your own risk. A VPS is not all Sunshine and Lollipops. If you don't know what you are doing, it is strongly suggested to do a bit of research before attempting it.
[edit] Checking for formmail
Form mail is used by hackers to send out spam email, by relay and injection methods.
Find Form Mails
find / -name "[Ff]orm[mM]ai*"
Find CGIemail
find / -name "[Cc]giemai*"
[edit] Disable Form Mails
Disabling all form mail
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).
NOTE: If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.
[edit] Root kit checker
Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify alot of files, possibly causing you to have to reinstall.
[edit] chrootkit Install
cd /root/ wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz tar xvzf chkrootkit.tar.gz cd chkrootkit-0.44 make sense
[edit] Running chkrootkit
/root/chkrootkit-0.44/chkrootkit
NOTE: Make sure you run it on a regular basis, perhaps including it in a cron job.
[edit] chkrootkit Execution
These 3 Commands appear to be most common.
./chkrootkit ./chkrootkit -q ./chkrootkit -x | more
[edit] Install a Root Breach Detector & Email Warning
If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and have knowledge of the situation.
[edit] Notification Email
This simple yet very useful hack will let you know each time someone gains root shell access on your server, this is a good idea to do, as it can let you know very quickly if your machine has been compromised.
First, you'll need to edit .bash_profile with your favorite editor. At the end of this file, put this:
echo 'WARNING - Root Shell Access on:' `date` `who` | mail -s "Warning: Root Access from `who | awk '{print $6}'`" off-site@address.com
NOTE: Make sure that the e-mail address you use is not hosted on the server, as if it was, a hacker could simply delete the email. If it's off site, the email will be sent before the hacker is even able to gain access.
[edit] Set an SSH Legal Message (Optional)
pico /etc/motd
Enter your message, save and exit. *Ex:* (The Fallowing Could be Used)
ALERT! You are entering a secured area! Your IP and login information have been recorded. System Administration has been notified. This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate authorities if neccessary.
[edit] WebHost Manager & cPanel Mods
These are items inside of WHM/Cpanel that should be changed to secure your server.
[edit] Tweak Settings
- Domains > Prevent users from parking/adding on common internet domains. (ie 'hotmail.com', 'aol.com')
- Mail > Attempt to prevent pop3 connection floods Default catch-all/default address behavior for new accounts - blackhole
- System > Use jailshell as the default shell for all new accounts and modified accounts
[edit] Tweak Security
- Enable php open_basedir Protection
- Enable mod_userdir Protection
- Disabled Compilers for unprivileged users
Manage Wheel Group Users
- Remove all users except for root and your main account from the wheel group.
Shell Fork Bomb Protection
- Enable Shell Fork Bomb/Memory Protection
Reseller Center (Privileges)
- Disable Allow Creation of Packages with Shell Access
- Enable Never allow creation of accounts with shell access
- Under Root Access disable All Features
FTP Configuration
- Disable Anonymous FTP
Manage Shell Access
- Disable Shell Access for all users (except yourself)
MySQL Root Password
- Change root password for MySQL
Security
- Scan for Trojan Horses, The following and similar items are not Trojans:
/sbin/depmod /sbin/insmod /sbin/insmod.static /sbin/modinfo /sbin/modprobe /sbin/rmmod
[edit] More Security Measures
These are measures that can be taken to secure your server, with SSH access.
- Update OS, Apache and CPanel to the latest stable versions. This can be done from WHM/CPanel.
Restrict SSH Access
- To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.
nano /etc/ssh/sshd_config
Locate the Following Section:
#Port 22 #Protocol 2, 1 #ListenAddress 0.0.0.0 #ListenAddress ::
Change this section to the following:
Port 43258
Protocol 2
ListenAddress x.x.x.x %{color:red}Note: Replace x.x.x.x with one of your assigned IP addresses%
NOTE:
- Choose your own 4 to 5 digit port number. Choose a number greater than 1024 and less than 65535.
- You may also disable root SSH Login[1].
- You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.
Disable root SSH Login
- To disable logging in as root via SSH (direct logins only, you may still become the superuser using the `su` command), locate the following in your */etc/ssh/sshd_config* file:
#PermitRootLogin yes
Change to:
PermitRootLogin no
To apply your changes, restart the SSH Daemon (as *root*) using:
/etc/rc.d/init.d/sshd restart
Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.
NOTE: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.
Disable Telnet
pico -w /etc/xinetd.d/telnet
change disable = no > disable = yes (save & exit)
/etc/init.d/xinetd restart
Disable Shell Accounts
locate shell.php
Also check for: locate irc locate eggdrop locate bnc locate BNC locate ptlink locate BitchX locate guardservices locate psyBNC locate .rhosts
NOTE: There will be several listings that will be OS/CPanel related.
- Examples:
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg /usr/local/cpanel/etc/sym/eggdrop.sym /usr/local/cpanel/etc/sym/bnc.sym /usr/local/cpanel/etc/sym/psyBNC.sym /usr/local/cpanel/etc/sym/ptlink.sym /usr/lib/libncurses.so /usr/lib/libncurses.a
Disable Identification Output for Apache
This is to hide version numbers from potential hackers
To disable the version output for proftp As Root, Type:
nano /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to \ServerSignature Off
Restart Apache /etc/rc.d/init.d/httpd restart
[edit] Install BFD (Brute Force Detection - optional)
Installation
cd /root/ wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz tar -xvzf bfd-current.tar.gz cd bfd-0.4 ./install.sh
Configuration
pico /usr/local/bfd/conf.bfd
Under Enable brute force hack attempt alerts: Find the following.
ALERT_USR="0" and change it to ALERT_USR="1"
EMAIL_USR="root" and change it to EMAIL_USR="your@email.com"
Save and Exit
Start BFD
/usr/local/sbin/bfd -s
Modify LogWatch Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.
Modification
pico -w /etc/log.d/conf/logwatch.conf
\MailTo = root > Mailto = your@email.com
NOTE: Set the e-mail address to an offsite account in case you get hacked.
Detail = Low > Medium or High
Detail = 5 or 10
NOTE: High will give you more detailed logs with all actions.
- Save and exit.
[edit] Suggestions to Improve Security
- Use The Latest Software
- Keep the OS and 3rd party software up to date. Always!
- CPanel itself can be updated from the root WHM
Change Passwords
- Change up your Root login once a month. Consisting of Randomized Letters & Numbers, Uppercase and Lowercase.
Set Up A More Secure SSH Environment
- Disable Telnet, As Root, Type:
pico -w /etc/xinetd.d/telnet
- Change the disable = no line to disable = yes
- Exit and Save - Restart xinted:
/etc/rc.d/init.d/xinetd restart
- Add the following line to /etc/deny.hosts to flag Telnet access attempts as 'emergency' messages.
in.telnetd : ALL : severity emerg
Disable Unnecessary Ports (optional)
- First backup the file that contains your list of ports with:
cp /etc/services /etc/services.original
- Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
<?php tcpmux 1/tcp # TCP port service multiplexer echo 7/tcp echo 7/udp ftp-data 20/tcp ftp 21/tcp ssh 22/tcp # SSH Remote Login Protocol smtp 25/tcp mail domain 53/tcp # name-domain server domain 53/udp http 80/tcp www www-http # \WorldWideWeb HTTP pop3 110/tcp pop-3 # POP version 3 imap 143/tcp imap2 # Interim Mail Access Proto v2 https 443/tcp # MCom smtps 465/tcp # SMTP over SSL (TLS) syslog 514/udp rndc 953/tcp # rndc control sockets (BIND 9) rndc 953/udp # rndc control sockets (BIND 9) imaps 993/tcp # IMAP over SSL pop3s 995/tcp # POP-3 over SSL cpanel 2082/tcp cpanels 2083/tcp whm 2086/tcp whms 2087/tcp webmail 2095/tcp webmails 2096/tcp mysql 3306/tcp # \MySQL ?>
Additional ports are controlled by /etc/rpc. These aren't generally needed, so get a shot of that file with: mv /etc/rpc /etc/rpc-moved
Watch The Logs
- Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
- Logwatch can be found at: http://www.logwatch.org
Avoid CPanel Demo Mode
- Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
Jail All Users
- Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
Immediate Notification Of Specific Attackers
- If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny
- ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
- Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
- Replacing hostname with your hostname.
- Replacing notify@mydomain.com with your e-mail address. This will deny access to the attacker and e-mail the sysadmin about the access attempt.
Check Open Ports
- From time to time it's worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn't installed, it can be selected from root WHM's Install an RPM option.
Set The MySQL Root Password
- This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
- Make it different from your root password!
Tweak Security (CPanel)
- From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable the Fallowing.
- php open_basedir Tweak
- SMTP tweak
mod_userdir Tweak (But this will disable domain preview)
Use SuExec (CPanel)
- From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's decription of what it does:
"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. " Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.
Use PHPSuExec (CPanel)
- This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine. To disable them, do the following:
chmod 000 /usr/bin/perlcc chmod 000 /usr/bin/byacc chmod 000 /usr/bin/yacc chmod 000 /usr/bin/bcc chmod 000 /usr/bin/kgcc chmod 000 /usr/bin/cc chmod 000 /usr/bin/gcc chmod 000 /usr/bin/i386*cc chmod 000 /usr/bin/\*c++ chmod 000 /usr/bin/\*g++ chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
You will need to enable them again when you need to perform system updates. To do this, run:
chmod 755 /usr/bin/perlcc chmod 755 /usr/bin/byacc chmod 755 /usr/bin/yacc chmod 755 /usr/bin/bcc chmod 755 /usr/bin/kgcc chmod 755 /usr/bin/cc chmod 755 /usr/bin/gcc chmod 755 /usr/bin/i386*cc chmod 755 /usr/bin/*c++ chmod 755 /usr/bin/*g++ chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
Obfuscate The Apache Version Number
pico /etc/httpd/conf/httpd.confChange the line that begins
ServerSignatureto:
ServerSignature Off. Add a line underneath that which reads:
ServerTokens ProductOnly.
Save and Exit.
Restart Apache/etc/rc.d/init.d/httpd restart
