while the ELS script looks pretty sexy on paper, it appears that the hardening of the /tmp and /shm is fairly problematic on CentOS 5 systems. Apparently the entire process is mucking up /etc/fstab and yes, I know, I'm being 100% lazy by using a script...so sue me.
Wanted to see if anyone had any success or complete disaster stories running ELS on a CentOS 5, preferrably 64-bit, system in the past few months and would be willing to share their experience. There's more than just the filesystem hardening in it and I'm looking for some of the other aspects but that seems to be the reoccuring nightmare scenario people are having.
For those wondering what ELS is, here's a good (and bad) discussion about it on the DirectAdmin forums. I'm sure there's others but this is where my search started.
So I did something terribly dumb early this AM...go me...and I had to reinstall. Yes, it was that bad. Kernel panics, a hoarked up bootloader, nothing in the execution path, etc. Let's just say that between the 2.6.18-128.el5 kernel (I've been reading that there are a lot of reports of file corruption after this update, something I saw as well...) and yum doing something it wasn't supposed to, I'm having to start over. Thank goodness for backups. Anyways, to my questions:
CentOS 5.3 64-bit, clean install, no CP yet. I'm trying to get the base OS clean, simple and hardened before I put DA on there again and restore my websites but I have a few questions since I'm a network dork and normally pay for people to do the extended server hardening for me.
What a few things you would do to boost the security of your VPS? So far I have securing/restricting SSH access, installing chkrootkit and putting up a firewall. Any other things I should do?
Just noticed I put VPS Server Hardening, should be VPS Hardening
There are many people who sell server hardening for windows and linux and all the packages are pretty much the same. I don't want to give anyone outside access to my server no matter how much they claim to be good, fact is once it's out, it's out.
Is there an online resource with some sort of check list and links for a quality server hardening for windows and linux servers?
I.E. install this, install that, configure this?
Seems that do it yourself is worth the training and $100
1. I don't use nor will I EVER use cPanel (royal POS in my opinion). I might, however, have DirectAdmin installed (not sure yet)
2. CentOS 5, 64-bit edition
3. Apache 2.2 latest, MYSQL 5.1 latest, PHP 5.2 latest
I usually use appears to be super busy and just not able to get the job done. No slight on him, he has a busy work schedule. So I'm looking to go outside of my comfort zone and see other companies to use. I don't think I can use Platinum as I outright refuse to even discuss cPanel as an option. If I want an underperforming, unsecure and incompatible web and database server, I'll run Windows.
So I'm looking for the usual end-to-end hardening package. I'm too lazy to do it myself and I'll forget to do something. Any recommendations out there in WHT land?
Since this got lost (google cache of thread discussion so far) [url] im reposting because i think it was an interesting discussion.
I'm setting up a cpanel server for the first time. I was wondering if i could harden the default cpanel permissions for the user folders in /home The idea is to prevent users viewing each others files. Please don't suggest the php open_basedir option as its not secure and doesn't work with cgi based file browsers.
Note I'm using suexec/suphp.
currently new cpanel users folders are created with group and user ownership and the permissions 755
I was thinking if i changed this to 711 would this break anything?
Could i lock this down even more by changing the group ownership to "nobody" and thus have permissions 710.
We have a linux server running cPanel/WHM and using Exim for mail, we're also using SpamAssassin to label messages as spam. I have made a few modifications to settings and installed things like DomainKeys, but am wondering if I am doing enough.
My objectives are to:
1) Prevent mail users on the server from being inundated with spam, and/or be able to effectively manage any spam that does come through.
2) Ensure that messages that my mail users send out remains as highly deliverable as possible.
3) Make it difficult for third parties to exploit my mail server for their own spamming needs.
Are there any good tutorials out there on this stuff that should at least cover some of my bases? Where should I begin? The only thing preventing me from hiring out the work to someone else is that I'd like to learn how to do it myself.
I am compiling a list of security hardening procedures which should be performed to a server, with the goal of coming up with a comprehensive list of hardening procedures which should be implemented.
The following lists the details I have compiled so far. Please feel free to contribute additional hardening tips so we may come up with a full and thorough list:
Install mod_security Install mod_evasive Install mod_limitipconn Install APF Install BFD Install PRM Install SIM Install portsentry Install chkrootkit and configure reporting cronjob Install rkhunder and configure reporting cronjob Install snort Install tripwire Install libsafe Install mail header patch to identify cause of spam sent through nobody Limit compiler and fetch utilities access to root only Correct folder permissions to prevent directory transversal Remove unneeded OS packages Upgrade kernal to latest OS release Ensure MySQL password is set Ensure OpenSSH protocol is only using protocol 2 Ensure cannot SSH directly to root. Must SSH to admin first. Enforce noexec & nosuid on temporary directories /tmp and /var/tmp Disable used services Disable DNS recursion Disable IP source routing Disable IMCP redirect acceptance Disable certain php functions (system, exec, shell_exec) Enable IP spoofing protection Enable Spoofing protection Enable syncookie protection Enable misc. sysctl settings Harden host.conf
We have discussed all the basic methods of securing and hardening the server. Lets leave all the basic and general server securing and hardening I have started this to get advance knowledge in securing and hardening of the server so that it will usefull for all the person So i request all to provide all the vaulable tips and suggestions in advance securing and hardening of linux servers I welcome all the comments related to advance securing and hardening of linux servers.
I've just ordered my new Windows 2003 server with 49Pence.com and will be taking "delivery" of it once they have commissioned it.
Anyway, I would appreciate some advice on how to secure it. I have been used to the luxury of a hardware firewall, but budgetary constraints mean I will have to rely upon a software firewall (something that scares me a little). It will be running our company websites, MSSQL and MDaemon mailserver.
I am not sure exactly how the server will be delivered, but I assume it will arrive fully patched with Remote Desktop access, and Windows Firewall installed.
First question: Is Windows Firewall sufficent? I am more used to configuring firewalls with Ports/Protocols/IP's rather than "applications". I also understand that Windows Firewall cannot restrict access to specific IP's.
I read that IPSec / TCP Filtering should also be used. I've looked at various links and have an idea how to do this, but I do not want to make a mistake and get "locked out". I saw a post saying that during testing they set up a scheduled job to reset the IPSec policies every x minutes so that they can log back in if they do make a mistake. How would this be done (in terms of IPSec) .. or is this a matter of stopping a service?
If I go with another software firewall, is there an easy way to install remotely without getting locked out of the Remote Desktop? KVM over IP is a charged by the hour.
It is "safe" to leave Port 3389 open and rely upon passwords (and potentially IPSEC IP policies), or should I administer by VPN?
If so, it seems that in order to create a VPN connection on the server, it requires that the Windows Firewall is shut down (at least on my test server here). Obviously this is something I don't want to do!
I've made a how to, based on my personal knowledge about upgrading a CentOS 3, RedHat 9, or 8?, Fedora Core, and maybe others, to the new CentOS 4.5 OS. (or CentOS 4.x)
[url]
Please post, comments, questions, etc. here. I've myself upgraded many servers this way, (even, tonight, I upgraded another, so I finally decided to do this with all my notes)
linux and after several days testing different distributions and a bunch of different ways (e.g. freenx,vnc XFCE ...) I've decided to setup a vnc-server on CentOS-5-i386-minimal and use KDE as a desktop environment.
After reloading my vps with centos-5-i386-minimal, I logged in as root and executed:
Code:
yum update
yum -y groupinstall "KDE (K Desktop Environment)"
yum -y install vnc vnc-server firefox X11 xorg
I then added a user "abt" and set the password. Then I logged in as abt and execute : vncserver, it asked for the password and created the appropriate .vnc directory and files.
I then edited xstartup file and replaced "twm &" with "startkde &" and executed vncserver once again, this created desktop number 2 for me.
The problem is that after running TightVNC(on vista) and entering IPNUMBER:2, It successfully connects to vnc-server but what i get is a black screen with X cursor!
i have a colo server, lately im having problem, every 2-3 oclock in the morning my server crash, i asked the server management to have a look at it but no luck, they install rpm, reduce the http max, etc, etc ( i dont want to mention the name since my server management have helped me alot and its not fair for them if i speak a bad thing about them ) anyway,
I bought the server from siliconmechanics iServ R254
CPU: 2 x Intel Xeon E5410 Quad-Core 2.33GHz, 12MB Cache, 1333MHz FSB, 45nmHi-k RAM: 12GB (6 x 2GB) DDR2-667 Registered ECC - Interleaved NIC: Intel 82573V & 82573L Gigabit Ethernet Controllers - Integrated Hot-Swap Drive - 1: 150GB Western Digital Raptor (1.5Gb/s,10Krpm,16MB Cache,NCQ) SATA Hot-Swap Drive - 2: 500GB Seagate Barracuda ES.2 (3Gb/s, 7.2Krpm, 32MB Cache, NCQ) SATA Optical Drive: Low-Profile DVD-ROM Drive Power Supply: 520W Power Supply with PFC - 87% Maximum Efficiency Rail Kit: 2-Piece Ball-Bearing Rail Kit OS: CentOS 5 - 64-bit - Preload, No Media Warranty: Standard 3 Year - Return to Depot - Advanced Component Exchange
I have dedicated works on Centos 4. Now I have to reinstall OS. Administrators recommend me to put again Centos 4 and I would like to install Centos 5. Would like to hear opinion of professionals what it is better to put?
I've just leased my first dedicated server from managemybox, which has come loaded with centos 4.5.
I need to install all the ffmpeg/transcoding junk - something I've done before...
...but now, I'm having huge issues. Yum and up2date don't seem to have *any* idea of where anything, from ffmpeg to flvtool2 is.
I'm crap at quite a bit (read most) of the command line stuff. Whadddoo I need to do? Why is yum telling me there are no matches for the damn stuff?
How can I get from A to B properly without the hassle?
I did have a VPS before, with memset.com - and all this stuff installed fine on Fedora 4 (it was a VMWare based VPS so everything worked, unlike the Xen based ones I've experienced).
-------------------------------------------------------------- --------------------ERRORS I AM GETTING----------------------- -------------------------------------------------------------- -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- xauth: creating new authority file /root/.Xauthority sh: cannot redirect standard input from /dev/null: No such file or directory
New 'server.xnwo.net:1 (root)' desktop is server.xnwo.net:1
Creating default startup script /root/.vnc/xstartup Starting applications specified in /root/.vnc/xstartup Log file is /root/.vnc/server.xnwo.net:1.log
sh: cannot redirect standard input from /dev/null: No such file or directory [root@server ~]# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
and when i connect using vnc viewer, i get this grey background and a box on the top left. has it been installed correctly? any other steps needed?
Here is the screenshot of the background i see when connecting. [url]