I am compiling a list of security hardening procedures which should be performed on a server, with the goal of coming up with a comprehensive list of hardening procedures which should be implemented.
The following lists the details I have compiled so far. Please feel free to contribute additional hardening tips so we may come up with a full and thorough list:
Install mod_security
Install mod_evasive
Install mod_limitipconn
Install APF
Install BFD
Install PRM
Install SIM
Install portsentry
Install chkrootkit and configure reporting cronjob
Install rkhunter and configure reporting cronjob
Install snort
Install tripwire
Install libsafe
Install mail header patch to identify cause of spam sent through nobody
Limit compiler and fetch utilities access to root only
Correct folder permissions to prevent directory traversal
Remove unneeded OS packages
Upgrade kernel to latest OS release
Ensure MySQL password is set
Ensure OpenSSH protocol is only using protocol 2
Ensure cannot SSH directly to root. Must SSH to admin first.
Enforce noexec & nosuid on temporary directories /tmp and /var/tmp
Disable unused services
Disable DNS recursion
Disable IP source routing
Disable ICMP redirect acceptance
Disable certain php functions (system, exec, shell_exec)
Enable IP spoofing protection
Enable Spoofing protection
Enable syncookie protection
Enable misc. sysctl settings
Harden host.conf
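An added example, not from the original post: a small Python audit that checks sshd_config, sysctl.conf and fstab fragments against several items in the list above (SSH protocol 2 only, no direct root SSH, IP source routing and ICMP redirect acceptance disabled, rp_filter spoofing protection, syncookies, and noexec/nosuid on /tmp and /var/tmp). The sample fragments are constructed, and the choice of sysctl keys to represent each item is my assumption.

```python
# Constructed sample fragments (not from the original post); each mixes hardened
# and un-hardened settings. Assumes each keyword appears once (sshd honours the
# first occurrence, sysctl the last), so one dict lookup per key suffices.
SSHD_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
"""
SYSCTL_CONF = """\
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
"""
FSTAB = """\
tmpfs      /tmp      tmpfs  defaults,noexec,nosuid  0 0
/dev/sdb1  /var/tmp  ext3   defaults                0 0
"""

def kv_pairs(text, sep):
    # 'key<sep>value' lines -> dict, skipping blanks and '#' comments
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(sep)
            out[key.strip()] = val.strip()
    return out

def mount_opts(fstab, mountpoint):
    # mount options (4th fstab field) for a mountpoint, empty set if absent
    for f in (line.split() for line in fstab.splitlines()):
        if len(f) >= 4 and f[1] == mountpoint:
            return set(f[3].split(","))
    return set()

def audit(sshd, sysctl, fstab):
    # each checklist item -> True (hardened) / False (needs attention)
    s, k = kv_pairs(sshd, " "), kv_pairs(sysctl, "=")
    want = {"noexec", "nosuid"}
    return {
        "ssh_protocol_2_only": s.get("Protocol") == "2",
        "ssh_no_direct_root_login": s.get("PermitRootLogin", "yes").lower() == "no",
        "ip_source_routing_disabled": k.get("net.ipv4.conf.all.accept_source_route") == "0",
        "icmp_redirects_disabled": k.get("net.ipv4.conf.all.accept_redirects") == "0",
        "rp_filter_spoofing_protection": k.get("net.ipv4.conf.all.rp_filter") == "1",
        "syncookies_enabled": k.get("net.ipv4.tcp_syncookies") == "1",
        "tmp_noexec_nosuid": want <= mount_opts(fstab, "/tmp"),
        "var_tmp_noexec_nosuid": want <= mount_opts(fstab, "/var/tmp"),
    }
```

To audit a real box, pass the contents of /etc/ssh/sshd_config, /etc/sysctl.conf and /etc/fstab to audit() and treat every False as an item still to do.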
So I did something terribly dumb early this AM...go me...and I had to reinstall. Yes, it was that bad. Kernel panics, a hoarked up bootloader, nothing in the execution path, etc. Let's just say that between the 2.6.18-128.el5 kernel (I've been reading that there are a lot of reports of file corruption after this update, something I saw as well...) and yum doing something it wasn't supposed to, I'm having to start over. Thank goodness for backups. Anyways, to my questions:
CentOS 5.3 64-bit, clean install, no CP yet. I'm trying to get the base OS clean, simple and hardened before I put DA on there again and restore my websites but I have a few questions since I'm a network dork and normally pay for people to do the extended server hardening for me.
What are a few things you would do to boost the security of your VPS? So far I have securing/restricting SSH access, installing chkrootkit and putting up a firewall. Any other things I should do?
Just noticed I put VPS Server Hardening, should be VPS Hardening
There are many people who sell server hardening for windows and linux and all the packages are pretty much the same. I don't want to give anyone outside access to my server no matter how much they claim to be good, fact is once it's out, it's out.
Is there an online resource with some sort of check list and links for a quality server hardening for windows and linux servers?
I.E. install this, install that, configure this?
Seems that do it yourself is worth the training and $100
while the ELS script looks pretty sexy on paper, it appears that the hardening of the /tmp and /shm is fairly problematic on CentOS 5 systems. Apparently the entire process is mucking up /etc/fstab and yes, I know, I'm being 100% lazy by using a script...so sue me.
Wanted to see if anyone had any success or complete disaster stories running ELS on a CentOS 5, preferably 64-bit, system in the past few months and would be willing to share their experience. There's more than just the filesystem hardening in it and I'm looking for some of the other aspects, but that seems to be the recurring nightmare scenario people are having.
For those wondering what ELS is, here's a good (and bad) discussion about it on the DirectAdmin forums. I'm sure there's others but this is where my search started.
1. I don't use nor will I EVER use cPanel (royal POS in my opinion). I might, however, have DirectAdmin installed (not sure yet)
2. CentOS 5, 64-bit edition
3. Apache 2.2 latest, MYSQL 5.1 latest, PHP 5.2 latest
I usually use appears to be super busy and just not able to get the job done. No slight on him, he has a busy work schedule. So I'm looking to go outside of my comfort zone and see other companies to use. I don't think I can use Platinum as I outright refuse to even discuss cPanel as an option. If I want an underperforming, insecure and incompatible web and database server, I'll run Windows.
So I'm looking for the usual end-to-end hardening package. I'm too lazy to do it myself and I'll forget to do something. Any recommendations out there in WHT land?
Since this got lost (Google cache of thread discussion so far) [url] I'm reposting because I think it was an interesting discussion.
I'm setting up a cPanel server for the first time. I was wondering if I could harden the default cPanel permissions for the user folders in /home. The idea is to prevent users viewing each other's files. Please don't suggest the PHP open_basedir option as it's not secure and doesn't work with CGI-based file browsers.
Note I'm using suexec/suphp.
Currently new cPanel users' folders are created with group and user ownership and the permissions 755.
I was thinking, if I changed this to 711 would this break anything?
Could I lock this down even more by changing the group ownership to "nobody" and thus have permissions 710?
We have a linux server running cPanel/WHM and using Exim for mail, we're also using SpamAssassin to label messages as spam. I have made a few modifications to settings and installed things like DomainKeys, but am wondering if I am doing enough.
My objectives are to:
1) Prevent mail users on the server from being inundated with spam, and/or be able to effectively manage any spam that does come through.
2) Ensure that messages that my mail users send out remains as highly deliverable as possible.
3) Make it difficult for third parties to exploit my mail server for their own spamming needs.
Are there any good tutorials out there on this stuff that should at least cover some of my bases? Where should I begin? The only thing preventing me from hiring out the work to someone else is that I'd like to learn how to do it myself.
We have discussed all the basic methods of securing and hardening the server. Let's leave all the basic and general server securing and hardening aside. I have started this to get advanced knowledge in securing and hardening of the server so that it will be useful for everyone. So I request all to provide all the valuable tips and suggestions on advanced securing and hardening of Linux servers. I welcome all the comments related to advanced securing and hardening of Linux servers.
I've just ordered my new Windows 2003 server with 49Pence.com and will be taking "delivery" of it once they have commissioned it.
Anyway, I would appreciate some advice on how to secure it. I have been used to the luxury of a hardware firewall, but budgetary constraints mean I will have to rely upon a software firewall (something that scares me a little). It will be running our company websites, MSSQL and MDaemon mailserver.
I am not sure exactly how the server will be delivered, but I assume it will arrive fully patched with Remote Desktop access, and Windows Firewall installed.
First question: Is Windows Firewall sufficient? I am more used to configuring firewalls with ports/protocols/IPs rather than "applications". I also understand that Windows Firewall cannot restrict access to specific IPs.
I read that IPSec / TCP Filtering should also be used. I've looked at various links and have an idea how to do this, but I do not want to make a mistake and get "locked out". I saw a post saying that during testing they set up a scheduled job to reset the IPSec policies every x minutes so that they can log back in if they do make a mistake. How would this be done (in terms of IPSec) .. or is this a matter of stopping a service?
If I go with another software firewall, is there an easy way to install remotely without getting locked out of the Remote Desktop? KVM over IP is charged by the hour.
Is it "safe" to leave port 3389 open and rely upon passwords (and potentially IPSec IP policies), or should I administer by VPN?
If so, it seems that in order to create a VPN connection on the server, it requires that the Windows Firewall is shut down (at least on my test server here). Obviously this is something I don't want to do!
I am using epicvps right now, but it was bought by vaserv a few days ago. Since then there has been a lot of server downtime and server problems. My storage will automatically decrease. I sent tickets to them many times; they just respond to me that the node where I host has too many VPSs on it. They tell me that they will move my account to a new node, but it still happened again today!
My budget is something around $50 per month, can anyone recommend some reliable company?
Twice in two years now, as a very responsible host with ZERO tolerance to spam (incoming or outgoing!), I have been hampered by the efforts of the anti-spam "reputation service" offered by [url]
We host something like 2000 websites across a cluster of servers, and while we do everything possible to prevent spam, it's inevitable there will be the occasional outbreak.
A couple of days back, sure enough, one of our hosted sites was compromised. As far as I could tell, the culprit was too simple a password. There were no signs of compromised scripts, permissions, anything. Just a spam script uploaded via FTP from a foreign IP address. We do have limits on password strength now, but may not have when this account was set up.
Anyhow, within 120 minutes or so, we had removed the spam script, blocked the offending IP, secured the site and delisted our IP from the ONE RBL it appeared on - Spamcop.
You would think that would be the end of the story, right? Wrong.
Here we are, over two days later, NO listings on any RBLs, NO further spam from ANY of our servers. What Senderbase reputation do you think that server has? Poor.
This is an IP that as far as I know has NEVER had a spam issue, other than the single outbreak two days ago.
The net result of this "Poor" listing is that we have now had outgoing email sitting in our mail queue for 50+ hours because the recipient mail systems are STILL blocking us based on our "Poor" reputation.
Furthermore, I quote directly from the Senderbase site: "Why is the reputation Poor? This host is sending spam!". That one really tipped me over the edge.
As I say, this is at least the second time two years running that this has happened to us. Single spam problem; Cleaned up quickly and efficiently; Wait on Senderbase for days.
It is hard enough dealing with spammers and problems like this, without having to fight the "good guys" too. All I can say is that I will personally NEVER use, nor recommend, the services of Senderbase or Ironport.
I am currently with Lunarpages. Up until a few months ago I was on a regular plan (not VPS). Their service and uptime was great. But they moved me to a VPS due to the traffic which I completely understand. However, since I have been moved to their VPS servers the downtime has been horrible. And by horrible I mean horrible! So I am on the hunt for a new web hosting company.
I really do not know what I need, I believe I do need VPS hosting though. The bad news is that I know nothing about VPS hosting. Lunarpages has me on Plesk now and I could not be more lost with it.
My main dilemma is that I have a php forum that generates a good amount of traffic. I am getting about 40,000 page views per day on the forum and about 6,000 page views per day on the main website portion.
I am scared to death to move the forum. I fear I will need a tech friendly host to help me set the forum back up. Once I am back up and running I never need any help. I just want to get to that point again.
But I have questions, like what the heck is "Guaranteed RAM"? Is that important to me? Could this be part of the reason that now that LP has moved me to their VPS servers I can no longer just simply download my large database for the forum through phpMyAdmin? It just craps out and LP told me something like VPS servers didn't have enough memory (or was it RAM?) to perform the task?
So far I am hating my VPS experience. I just want to be up and running smooth again without fearing the downtime.
I think LP's hosting for the VPS is around $45.00 per month or so. I would like to be lower if possible, but I do not want to get a new host with the same downtime issues.
I'm in the process of looking at a new firewall... What we need in a firewall:
- Deep packet inspection
- BGP routing (just for active/passive uplink failover)
- Support for up to 150 Mbps+
- Gbit uplinks
- Active/active setup for firewalls
- Budget around 3k for each firewall
Possible choices:
- Juniper NetScreen 140 SSG
- SonicWALL PRO 4060
So far I'm really leaning towards the Juniper NetScreen 140 SSG.
My network consultant started to recommend SonicWall but from previous reviews here and else where kinda turned me off them.
Dell PowerEdge R300 1U Server
- 1 x Quad-Core Intel Xeon X5460 3.16 GHz processor
- 8 GB RAM (4 x 2 GB DIMMs)
- 2 x 500 GB SATA II drives
- OS: CentOS 5 64-bit
I would like to run this as a virtualization instance for my clients ( 3-4 max. on this box depending on their needs ). I need a provider that can get me the following:
- 3-4 TB of bandwidth depending on need (100 Mbps preferred)
- Windows Server OSes / licenses to install as needed
- cPanel licenses to install as needed
Which providers can meet these requirements? Which do you recommend for value, support, and network?
This is a long review, but I think it has to be so long.
I'm using DNS Made Easy and on the left side of the main menu I saw an ad for [url]. It's the same company that owns DNS Made Easy that owns VPSit.com.
I did sign up for a Windows VPS with 25 GB of storage, 384 MB of RAM, 700 GB of DDoS-protected bandwidth and Plesk 30 domains. The price was a little high, but not a big problem: $38.95/mo.
At first I was amazed at the speed of their VPS setup. It was instant, and I got my VPS up and running within 5 minutes from when I made the payment.
The speed of the VPS was also VERY fast. When I looked at what hardware I got on my VPS I saw that they "only" used an Intel Core 2 Duo E8400 @ 3.0 GHz CPU. But that was OK since the VPS was lightning fast.
I uploaded my websites (a live backup of my main VPS) and did not take any more action, since the VPS is only used when my main VPS is down.
Before I tell you about the main problem I have to say that VPSit.com does not offer any option for managed/unmanaged VPS plans. And since they have no option for a managed plan, and no information that their VPSs are unmanaged, I assumed that the VPS was managed. They also write this on their info page: ....
I'm about to put my site online, firstly so that I can post links which will quickly summarize problems that I'm having, and secondly so that, of course, people will visit the site.
What hosting providers can you recommend?
I'm looking for a service provider that is robust (will not go down), scalable (will handle large amounts of bandwidth), supports shttp, and will provide authenticity certificates.