Friday, December 3, 2010

Server Security Release

Server Security

The Server Security Configuration.
**************************

Summary
---------

(1) Upgrade Apache/PHP, MySQL, OpenSSH, OpenSSL, cP/WHM etc
(2) cP/WHM Configuration
(3) SSH Access
(4) Mod_Security
(5) Firewall
(6) DDoS Protection
(7) Rootkit
(8) PHP Configuration
(9) Other
(10) The End

1) Upgrade Apache/PHP, MySQL, OpenSSH, OpenSSL, cP/WHM etc

    Update your Apache/PHP, MySQL, OpenSSH, OpenSSL, cP/WHM... and be sure that you are running the latest secured version.

2) cP/WHM Configuration

    WHM - Server setup - Tweak Security:
    -------------------------------------
    Enable php open_basedir protection
    Enable mod_userdir protection
    Disable Compilers for all accounts (except root)
    Enable Shell Bomb/memory Protection

    WHM - Account Functions:
    -------------------------
    Disable cPanel Demo Mode
    Disable shell access for all accounts (except root)

    WHM - Service Configuration - FTP Configuration:
    -------------------------------------------------
    Disable anonymous FTP access

    WHM - MySQL:
    -------------
    Set a MySQL root password (don't use the same password as for system root access)
    - If you don't set a MySQL password and someone uploads a shell (e.g. c99) to some site on the server, they will be able to log in to the database as "root" without a password
    and delete/edit/download any database on that server

    WHM - Server Setup:
    --------------------
    Go to Server Setup and enable suEXEC and PHPsuEXEC
    When PHP runs as an Apache module it executes as the user/group of the webserver, which is usually "nobody" or "apache".
    PHPsuEXEC changes this so scripts are run as CGI. That means scripts are executed as the user that created them.
    With PHPsuEXEC, script permissions can't be set to 777 (read/write/execute at user/group/world level)


3) SSH Access

    Change the SSH port (set it to something like 1334)

    You can change it in /etc/ssh/sshd_config

    There are a lot of script kiddies with brute forcers and they will try to crack our SSH password because they know the username is root and the port is 22
    But we are smarter, we changed the SSH port :)
    Also, their "brute forcing" increases server load, which means our sites (hosted on that server) will be slower

    SSH Legal Message
    edit /etc/motd and write something like this in it:
    "ALERT! That is a secured area. Your IP is logged. Administrator has been notified"

    When someone logs in over SSH they will see that message:
    ALERT! That is a secured area. Your IP is logged. Administrator has been notified

    And at the end restart SSH: type "service sshd restart" into the SSH session

4) Mod_Security

Mod_Security is a web application firewall and it can help us secure our sites against RFI, LFI, XSS, SQL injection, etc.

    If you use cP/WHM you can easily enable Mod_Security in WHM - Plugins - Enable Mod_Security and save

    Now I will explain how to install Mod_Security from source.
    You can't install Mod_Security without the libxml2 and httpd-devel libraries.
    Also, you need to enable mod_unique_id in the Apache modules, but don't worry, I will explain how to do it :)

    Log in to SSH and type...

    ----------------------------------------------------
    yum install libxml2 libxml2-devel httpd-devel
    ----------------------------------------------------

    libxml2 libxml2-devel httpd-devel should be installed now

    Then you need to edit the httpd.conf file, which you can find here:
    /etc/httpd/conf/httpd.conf

    You need to add this line to your httpd.conf file:
    LoadModule unique_id_module modules/mod_unique_id.so

    Now download the latest version of mod_security for apache2 from http://www.modsecurity.org

    Log in to SSH and type...

    -----------------------------------------------------------------------------
    cd /root/downloads
    wget http://www.modsecurity.org/download/...e_2.1.7.tar.gz
    tar zxf modsecurity-apache_2.1.7.tar.gz
    cd modsecurity-apache_2.1.7
    cd apache2
    ------------------------------------------------------------------------------

    Now we need to edit the Makefile, located here:
    /root/downloads/modsecurity-apache_2.1.7/apache2/

    change "top_dir =" to "top_dir = /usr/lib/httpd"

    then type:
    -------------------
    make
    make install
    -------------------

    Add these lines to httpd.conf, with the Include at the end of the file, so Apache loads mod_unique_id, libxml2 and mod_security2 and pulls in our config/rules file:

    ---------------------------------------------------------
    # /etc/httpd/conf/httpd.conf

    LoadModule unique_id_module modules/mod_unique_id.so
    LoadFile /usr/lib/libxml2.so
    LoadModule security2_module modules/mod_security2.so
    Include /etc/httpd/conf/modsecurity.conf
    ---------------------------------------------------------


    Content of /etc/httpd/conf/modsecurity.conf
    ------------------------------------------------------------------------------------------------------------------------
    <IfModule mod_security.c>
    # Only inspect dynamic requests
    # (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
    SecFilterEngine DynamicOnly

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    # SecServerSignature "Microsoft-IIS/5.0"

    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug_log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^GET$" chain
    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # WEB-ATTACKS /bin/sh command attempt
    SecFilter "/bin/sh"

    # WEB-ATTACKS ps command attempt
    SecFilterSelective THE_REQUEST "/bin/ps"

    # WEB-ATTACKS /bin/ps command attempt
    # SecFilterSelective THE_REQUEST "ps\x20"

    # WEB-ATTACKS wget command attempt
    SecFilter "wget\x20"

    # WEB-ATTACKS uname -a command attempt
    SecFilter "uname\x20-a"

    # WEB-ATTACKS /usr/bin/id command attempt
    SecFilter "/usr/bin/id"

    # WEB-ATTACKS id command attempt
    SecFilter "\;id"

    # WEB-ATTACKS echo command attempt
    SecFilter "/bin/echo"
    </IfModule>
    ------------------------------------------------------------------------------------------------------------------------

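The modsecurity.conf above is written in ModSecurity 1.x syntax (SecFilter* directives), while the module built in this section (mod_security2 from the 2.1.7 tarball) only understands 2.x syntax and refuses to start on 1.x directives. As an added example that is not part of the original post, this script flags 1.x-only directives in a config file and writes a 2.x rendering of the post's core settings; the file paths are arguments and are assumptions.

```shell
# Added example (not from the original post). check_modsec_conf flags
# ModSecurity 1.x-only directives; write_modsec2_conf writes a 2.x
# equivalent of the post's settings. Paths are arguments (assumed).

# Print any ModSecurity 1.x-only directives in the file; return 1 if found.
check_modsec_conf() {
    leftovers=$(grep -nE '^[[:space:]]*SecFilter' "$1" || true)
    if [ -n "$leftovers" ]; then
        echo "1.x-only directives in $1:"
        echo "$leftovers"
        return 1
    fi
    return 0
}

# Write a ModSecurity 2.x rendering of the post's settings to the given path.
write_modsec2_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
# Reject with 403 by default, evaluated once the request body is available
SecDefaultAction "phase:2,log,deny,status:403"
SecTmpDir /tmp
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff; debug logging normally off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecDebugLogLevel 0
SecDebugLog logs/modsec_debug_log
# Require Content-Length on every POST
SecRule REQUEST_METHOD "^POST$" "id:900001,phase:1,chain"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
# Don't accept transfer encodings we don't handle
SecRule &REQUEST_HEADERS:Transfer-Encoding "@gt 0" "id:900002,phase:1"
# The post's WEB-ATTACKS command strings, URL-decoded and case-folded first
SecRule REQUEST_URI|ARGS|REQUEST_HEADERS \
  "/bin/sh|/bin/ps|wget\x20|uname\x20-a|/usr/bin/id|;id|/bin/echo" \
  "id:900003,phase:2,t:urlDecodeUni,t:lowercase"
</IfModule>
EOF
}
```

Run check_modsec_conf against /etc/httpd/conf/modsecurity.conf before restarting Apache; a non-zero exit means the file still carries 1.x directives.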

5) Firewall

    We will install APF (Advanced Policy Firewall) now...
    APF is a policy-based iptables firewall system designed for ease of use and configuration

    Let's begin!

    Log in to SSH and type
    ----------------------------------------------------------------
    cd /root/downloads
    wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
    tar -xvzf apf-current.tar.gz
    cd apf-0.9.5-1   # or whatever the latest version is
    ./install.sh
    ----------------------------------------------------------------

    --------------------------------------------------------
    Installing APF 0.9.5-1: Completed.

    Installation Details:
    Install path: /etc/apf/
    Config path: /etc/apf/conf.apf
    Executable path: /usr/local/sbin/apf
    AntiDos install path: /etc/apf/ad/
    AntiDos config path: /etc/apf/ad/conf.antidos
    DShield Client Parser: /etc/apf/extras/dshield/
    ---------------------------------------------------------

    Now we need to configure our new firewall...
    We need to edit conf.apf
    That is located here: /etc/apf/conf.apf

    If you use cP/WHM, like me, you need to configure APF like this so we can still access cP/WHM
    (otherwise the firewall will block our cP/WHM ports and we will not be able to reach cP/WHM)

    ----------------------------------------------------------------------------------------
    # Common ingress (inbound) ports
    # Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure FTPD
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
    #
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="53"

    # Common egress (outbound) ports
    # Egress filtering [0 = Disabled / 1 = Enabled]
    EGF="1"

    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,80,443,43,2089"
    #
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53"
    -----------------------------------------------------------------------------------------

    Then, in the same file (conf.apf):

    ----------------------
    FIND: DEVM="1"
    CHANGE TO: DEVM="0"
    ----------------------

    Now start APF; type in SSH:

    -----------
    apf -s
    -----------

    Some other apf commands:
    ---------------------------
    apf -s - start apf
    apf -r - restart apf
    apf -f - flush firewall
    apf -st - firewall status
    apf -d IP - ban IP
    apf -u IP - unban IP
    ---------------------------
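Section 3 moved SSH to a non-default port and this section restricts inbound TCP to IG_TCP_CPORTS; if the new SSH port is missing from that list, APF locks the admin out. As an added example that is not part of the original post, these helpers read an sshd_config and a conf.apf (paths passed as arguments, so they can run on copies) and check that the effective SSH port is allowed; they also reject a malformed port list, such as one pasted with stray spaces.

```shell
# Added example (not from the original post): checks that the SSH port set
# in sshd_config is also allowed in APF's IG_TCP_CPORTS, and that the port
# list is well-formed. File paths are arguments (assumed), so it can be run
# against copies of /etc/ssh/sshd_config and /etc/apf/conf.apf.

# Effective SSH port: first uncommented "Port" line, default 22 when absent.
sshd_port() {
    awk 'tolower($1) == "port" && p == "" {p = $2}
         END {print (p == "" ? 22 : p)}' "$1"
}

# Extract the value of IG_TCP_CPORTS="..." from a conf.apf.
apf_tcp_ports() {
    sed -n 's/^IG_TCP_CPORTS="\(.*\)"$/\1/p' "$1"
}

# APF port lists are comma-separated ports or low_high ranges, no spaces;
# a stray space (as in a badly pasted line) is a syntax error for APF.
valid_apf_ports() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(_[0-9]+)?(,[0-9]+(_[0-9]+)?)*$'
}

# Return 0 only if the list is valid and covers the SSH port, either listed
# directly or inside a low_high range; otherwise APF would lock us out.
ssh_port_allowed() {
    want=$(sshd_port "$1")
    ports=$(apf_tcp_ports "$2")
    valid_apf_ports "$ports" || return 1
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        case "$p" in
            *_*) lo=${p%_*}; hi=${p#*_}
                 if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then
                     return 0
                 fi ;;
            *)   if [ "$p" -eq "$want" ]; then return 0; fi ;;
        esac
    done
    return 1
}
```

Run ssh_port_allowed /etc/ssh/sshd_config /etc/apf/conf.apf before "apf -s"; a non-zero exit means the firewall would block your own SSH session.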


6) DDoS Protection

    We will install mod_evasive and DDoS Deflate to prevent DDoS attacks on our server

    ###################
    #   Mod Evasive   #
    ###################

    The mod_evasive module for Apache offers protection against DDoS (denial of service) attacks on your server.

    To install it, log in to SSH and type

    ---------------------------------------------------------------------------------
    cd /root/downloads
    wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
    tar zxf mod_evasive_1.10.1.tar.gz
    cd mod_evasive

    then type...
    /usr/sbin/apxs -cia mod_evasive20.c
    ---------------------------------------------------------------------------------

    When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)

    --------------------------------
    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    </IfModule>
    --------------------------------


    ####################
    #   DDoS Deflate   #
    ####################

    Installation
    -----------------------------------------------------------
    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod 0700 install.sh
    ./install.sh
    -----------------------------------------------------------

    Uninstalling
    -----------------------------------------------------------
    wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
    chmod 0700 uninstall.ddos
    ./uninstall.ddos
    -------------------------------------------

7) RootKit

    OK, we will install RKHunter now:

    Rootkit Hunter is a scanning tool to make sure, to about 99.9%*, that you are clean of nasty tools.
    This tool scans for rootkits, backdoors and local exploits by running tests like:
    - MD5 hash compare
    - Look for default files used by rootkits
    - Wrong file permissions for binaries
    - Look for suspected strings in LKM and KLD modules
    - Look for hidden files
    - Optional scan within plaintext and binary files

    Installation:

    Log in to SSH and type

    -----------------------------------------------------------
    cd /root/downloads
    wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
    tar -zxvf rkhunter-1.2.7.tar.gz
    cd rkhunter-1.2.7
    ./installer.sh
    -----------------------------------------------------------


8) PHP Configuration


    We need to edit php.ini
    php.ini is located here: /usr/local/lib/php.ini
    ----------------------------------------------------------
    safe_mode = On
    expose_php = Off
    magic_quotes_gpc = On
    register_globals = Off
    display_errors = Off
    disable_functions = show_source, system, proc_terminate, shell_exec, exec, passthru, proc_open, phpinfo, popen
    -----------------------------------------------------------

    Or if you are running cP/WHM you can configure it here:

    WHM - Service Configuration - PHP Configuration Editor
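As an added example that is not part of the original post, this script audits a php.ini against the hardening values listed above: the on/off settings and every function in the disable_functions list. The path is an argument and an assumption, so the check can be run against a copy of /usr/local/lib/php.ini.

```shell
# Added example (not from the original post): audits a php.ini against the
# hardening values listed above. The path is an argument (assumed), so the
# check can run against a copy of /usr/local/lib/php.ini; it prints every
# setting that is unset or differs and returns 1 if any do.

# Print a php.ini value (last uncommented occurrence), trimmed and lowercased.
ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }              # ; starts a comment
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print tolower(val) }' "$1"
}

# Compare the on/off settings and the disable_functions list from the post.
check_php_ini() {
    file="$1"; bad=0
    for pair in safe_mode=on expose_php=off magic_quotes_gpc=on \
                register_globals=off display_errors=off; do
        key=${pair%=*}; want=${pair#*=}
        got=$(ini_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: want $want, got '${got:-unset}'"; bad=1
        fi
    done
    have=$(ini_value "$file" disable_functions | tr -d ' ')
    for fn in show_source system proc_terminate shell_exec exec passthru \
              proc_open phpinfo popen; do
        case ",$have," in
            *,"$fn",*) ;;
            *) echo "disable_functions: missing $fn"; bad=1 ;;
        esac
    done
    return $bad
}
```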

9) Other


    If you use the BIND DNS server then we need to edit the named.conf file
    named.conf is located here: /etc/named.conf

    and add
    recursion no; under options
    ----------------------------
    options {
        // ...existing options stay...
        recursion no;
    };
    ----------------------------

    Now restart BIND
    type into SSH
    -----------------------
    service named restart
    -----------------------

    That will stop lookups from dnstools.com and similar services and reduce server load

    Now we will prevent IP spoofing; to do that we need to edit the host.conf file
    This file is located here: /etc/host.conf
    Add this to host.conf
    ------------------
    order bind,hosts
    nospoof on
    ------------------

    Hide the Apache version number:

    edit httpd.conf (/etc/httpd/conf/httpd.conf)
    -----------------------
    ServerSignature Off
    -----------------------
    (This removes the version line from Apache-generated error pages; the Server response header is controlled separately by the ServerTokens directive.)

    Disable telnet:

    Edit file: /etc/xinetd.d/telnet
    ------------------
    disable = yes
    ------------------
