Debian Lenny Hardening
Mar 19, 2009
Where can I find a guide or how-to for hardening a Debian Lenny web server (a Xen VPS one)?
I use Debian Lenny and I would like to host 2 sites on my apache web server.
So I created two virtualhost files site1 and site2.
Site 1 configuration file:
<VirtualHost *:80>
ServerAdmin mymail@admin.com
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot /var/www/premier
<Directory /var/www/peremier>
[...]
Site 2 config file:
<VirtualHost *:80>
ServerAdmin mymail@admin.com
ServerName lemonsite.mydomain.com
ServerAlias /lemonsite
DocumentRoot /var/www/lemonsite/
[...]
Obviously I a2ensite both sites and reload Apache2.
When I type lemonsite.mydomain.com in the address bar of Firefox, it returns Address not found.
When I type MYIP/lemonsite, I get a 404 not found error generated by the www.mydomain.com CMS.
When I type MYIP in the bar I get www.mydomain.com.
I would like to see lemonsite.
I just ordered a server which has that setup:
AMD Athlon 64 X2 6000+ Dual Core
8MB RAM
2x750GB RAID 1 HD
Now I wanna run it with DirectAdmin, but obviously DirectAdmin doesn't support the Debian 64 which is installed but only 32 bit Debian.
Now I wonder whether I could set up a Debian 32 as well on that system and if yes, whether it would give me a deficit in performance?
Or would you rather go with CentOS 64 which Directadmin supports?
So I did something terribly dumb early this AM...go me...and I had to reinstall. Yes, it was that bad. Kernel panics, a hoarked up bootloader, nothing in the execution path, etc. Let's just say that between the 2.6.18-128.el5 kernel (I've been reading that there are a lot of reports of file corruption after this update, something I saw as well...) and yum doing something it wasn't supposed to, I'm having to start over. Thank goodness for backups. Anyways, to my questions:
CentOS 5.3 64-bit, clean install, no CP yet. I'm trying to get the base OS clean, simple and hardened before I put DA on there again and restore my websites but I have a few questions since I'm a network dork and normally pay for people to do the extended server hardening for me.
/etc/passwd/ ....
Does anyone know of any good articles/tutorials on how to harden PHP and Apache on a cPanel VPS?
I have a dedicated server, and want to make it safe...
I once had a HOWTO to do that with things as APF and such, but is there some howto out there that is recent?
I want to restrict ALL port 25 and port 26 email only to users who authenticate first.
I thought it came this way on Cpanel boxes, but yet there's a ton of crap being relayed through my box and getting me on tons of blacklists.
What are a few things you would do to boost the security of your VPS? So far I have securing/restricting SSH access, installing chkrootkit and putting up a firewall. Any other things I should do?
Just noticed I put VPS Server Hardening, should be VPS Hardening
There are many people who sell server hardening for windows and linux and all the packages are pretty much the same. I don't want to give anyone outside access to my server no matter how much they claim to be good, fact is once it's out, it's out.
Is there an online resource with some sort of check list and links for a quality server hardening for windows and linux servers?
I.E. install this, install that, configure this?
Seems that do it yourself is worth the training and $100
Is there a guide or check list of settings to make on a new box that I can follow to lock it down?
While the ELS script looks pretty sexy on paper, it appears that the hardening of the /tmp and /shm is fairly problematic on CentOS 5 systems. Apparently the entire process is mucking up /etc/fstab and yes, I know, I'm being 100% lazy by using a script...so sue me.
Wanted to see if anyone had any success or complete disaster stories running ELS on a CentOS 5, preferably 64-bit, system in the past few months and would be willing to share their experience. There's more than just the filesystem hardening in it and I'm looking for some of the other aspects but that seems to be the recurring nightmare scenario people are having.
For those wondering what ELS is, here's a good (and bad) discussion about it on the DirectAdmin forums. I'm sure there's others but this is where my search started.
[url]
1. I don't use nor will I EVER use cPanel (royal POS in my opinion). I might, however, have DirectAdmin installed (not sure yet)
2. CentOS 5, 64-bit edition
3. Apache 2.2 latest, MYSQL 5.1 latest, PHP 5.2 latest
I usually use appears to be super busy and just not able to get the job done. No slight on him, he has a busy work schedule. So I'm looking to go outside of my comfort zone and see other companies to use. I don't think I can use Platinum as I outright refuse to even discuss cPanel as an option. If I want an underperforming, unsecure and incompatible web and database server, I'll run Windows.
So I'm looking for the usual end-to-end hardening package. I'm too lazy to do it myself and I'll forget to do something. Any recommendations out there in WHT land?
Since this got lost (google cache of thread discussion so far)
[url]
I'm reposting because I think it was an interesting discussion.
I'm setting up a cPanel server for the first time. I was wondering if I could harden the default cPanel permissions for the user folders in /home. The idea is to prevent users viewing each other's files. Please don't suggest the PHP open_basedir option as it's not secure and doesn't work with CGI-based file browsers.
Note I'm using suexec/suphp.
Currently new cPanel users' folders are created with
group and user ownership and the permissions 755
I was thinking if I changed this to 711 would this break anything?
Could I lock this down even more by changing the group ownership to "nobody" and thus have permissions 710?
Other than anti-virus
We have a linux server running cPanel/WHM and using Exim for mail, we're also using SpamAssassin to label messages as spam. I have made a few modifications to settings and installed things like DomainKeys, but am wondering if I am doing enough.
My objectives are to:
1) Prevent mail users on the server from being inundated with spam, and/or be able to effectively manage any spam that does come through.
2) Ensure that messages that my mail users send out remain as highly deliverable as possible.
3) Make it difficult for third parties to exploit my mail server for their own spamming needs.
Are there any good tutorials out there on this stuff that should at least cover some of my bases? Where should I begin? The only thing preventing me from hiring out the work to someone else is that I'd like to learn how to do it myself.
I am compiling a list of security hardening procedures which should be performed to a server, with the goal of coming up with a comprehensive list of hardening procedures which should be implemented.
The following lists the details I have compiled so far. Please feel free to contribute additional hardening tips so we may come up with a full and thorough list:
Install mod_security
Install mod_evasive
Install mod_limitipconn
Install APF
Install BFD
Install PRM
Install SIM
Install portsentry
Install chkrootkit and configure reporting cronjob
Install rkhunter and configure reporting cronjob
Install snort
Install tripwire
Install libsafe
Install mail header patch to identify cause of spam sent through nobody
Limit compiler and fetch utilities access to root only
Correct folder permissions to prevent directory traversal
Remove unneeded OS packages
Upgrade kernel to latest OS release
Ensure MySQL password is set
Ensure OpenSSH protocol is only using protocol 2
Ensure cannot SSH directly to root. Must SSH to admin first.
Enforce noexec & nosuid on temporary directories /tmp and /var/tmp
Disable used services
Disable DNS recursion
Disable IP source routing
Disable ICMP redirect acceptance
Disable certain php functions (system, exec, shell_exec)
Enable IP spoofing protection
Enable Spoofing protection
Enable syncookie protection
Enable misc. sysctl settings
Harden host.conf
We have discussed all the basic methods of securing and hardening the server. Let's leave all the basic and general server securing and hardening. I have started this to get advanced knowledge in securing and hardening of the server so that it will be useful for everyone. So I request all to provide all the valuable tips and suggestions in advanced securing and hardening of Linux servers. I welcome all the comments related to advanced securing and hardening of Linux servers.
I've just ordered my new Windows 2003 server with 49Pence.com and will be taking "delivery" of it once they have commissioned it.
Anyway, I would appreciate some advice on how to secure it. I have been used to the luxury of a hardware firewall, but budgetary constraints mean I will have to rely upon a software firewall (something that scares me a little). It will be running our company websites, MSSQL and MDaemon mailserver.
I am not sure exactly how the server will be delivered, but I assume it will arrive fully patched with Remote Desktop access, and Windows Firewall installed.
First question: Is Windows Firewall sufficient? I am more used to configuring firewalls with Ports/Protocols/IPs rather than "applications". I also understand that Windows Firewall cannot restrict access to specific IPs.
I read that IPSec / TCP Filtering should also be used. I've looked at various links and have an idea how to do this, but I do not want to make a mistake and get "locked out". I saw a post saying that during testing they set up a scheduled job to reset the IPSec policies every x minutes so that they can log back in if they do make a mistake. How would this be done (in terms of IPSec) .. or is this a matter of stopping a service?
If I go with another software firewall, is there an easy way to install remotely without getting locked out of the Remote Desktop? KVM over IP is charged by the hour.
Is it "safe" to leave Port 3389 open and rely upon passwords (and potentially IPSEC IP policies), or should I administer by VPN?
If so, it seems that in order to create a VPN connection on the server, it requires that the Windows Firewall is shut down (at least on my test server here). Obviously this is something I don't want to do!
I want to back up an entire folder that's in /, not in any other folders.
I've tried this command but I get the error described below..
tar cvpzf opensim.tgz
tar: Cowardly refusing to create an empty archive
Try `tar --help' or `tar --usage' for more information.
The folder is called opensim. I was logged into SSH with root access and tried the command directly, not going into other folders because, well, I don't want to. I wanna back up that 1st opensim folder that I can see on the FTP also.
I'm having some trouble finding a VPS host that offers Debian and Plesk. I've searched the forum but nothing's really panned out. I'm currently with Geekstorage but the server has been slow (same problem reported by others).
Anyone have recommendations for Debian + Plesk VPS host?
I can't get Java installed correctly on my Debian server.
I downloaded the .bin file from java sun's website and ran it; it says "done."
But when I type:
Code:
whereis java
the terminal shows
Code:
host:/# whereis java
java:
I just installed Debian but when I try to start it, it just gives me "error 2" when I try to boot it.
What is error 2? Google gave me nothing.
Install Required software
NX server needs ssh and some libraries to run. These packages are normally not installed during the basic installation process. Use the following command to install
#aptitude install libstdc++2.10-glibc2.2 ssh
Install Free NX Server in Debian Etch
First you need to download the .deb packages using the following commands
I did the three steps..
Now you need to install .deb packages in the following order this is very important
#dpkg -i nxclient_2.1.0-17_i386.deb
#dpkg -i nxnode_2.1.0-22_i386.deb
#dpkg -i nxserver_2.1.0-22_i386.deb
If you get any errors use the following command to fix
#apt-get -f install
Now you need to make sure ssh and nx servers are running if not start with the following commands
#/etc/init.d/ssh start
#/etc/init.d/nxserver start
--------------------
But the problem is I cannot connect to the NX.
I installed the program on Windows but what username and password should I use? I tried to use root but it said that the user root cannot be used.
I have the VPS with Debian 3.1
I type /etc/init.d/mysql start on ssh and I see this error
Starting MySQL database server: mysqld.
Checking for crashed MySQL tables in the background.
/etc/mysql/debian-start: line 13: logger: command not found
I have just installed my VPS with Webmin on Debian 5 and I need a guide on how to configure my system to use suPHP. I've googled it but not come back with any clear guide.
I'd better add I've plunged in at the deep end and after the security breach at Vaserv, I cannot take the easy option and install lxadmin any longer.
Which OS is better in security and easy to use for vps beginner:
CentOS™, Debian™, Ubuntu™, Fedora™, or Gentoo™?
I'm leaning towards centos but am concerned that development priority in that distro will switch over from Xen to KVM as RHEL does. Which distro would you choose for dom0 and why?
For some weeks I have been trying to get a secure install for my Debian. This server will be a shared hosting host so it needs special security but I don't know how to do this.
My requirements are:
- Apache
- PHP (mod, not cgi)
Actually, users can navigate into my server by using a phpshell script. And someone put lots of files into the /tmp directory so I try to secure all of that but can't find a good tutorial for that; do you know where I can find some?
And what about php using cron so execute with php-cli how to secure it?
installing Debian. I choose Standard package without anything, No DNS Server, No Web Server, No Mail Server.
But ssh is not working, how do I install sshd and get it work?
I've just ordered a dedicated server with Ubuntu server, but they've come back to me to say that they've had trouble installing Ubuntu server on these particular servers.
As an alternative, they're offering to install Debian. My concern is that I come from a windows background and have spent the last month reading and playing with Ubuntu Server in vmware. I'll be running a small handful of sites on the server and will rely on the apt-get and package installer in webmin to get things set up and for administration. I'll dabble in the shell a little, but only when needed.
Should I go with a different host that can offer Ubuntu, or will I be okay with Debian?
My OS is Debian.
How can I disable iptables on it?
part12:/# service iptables restart
-bash: service: command not found