Here are some techniques that I recommend for securing your dedicated server. Use these techniques at your own risk. I personally have used all of these and they have worked great for me; however, I do not guarantee the same results for users who choose to use them.

This tutorial is open to ideas/criticism and I will do my best to keep it updated. Add your feedback by posting and if I agree, I'll be sure to update this post!


=========================================
Install APF (Advanced Policy Firewall)
=========================================

APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of iptables features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is well suited to deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks: Projects | R-fx Networks

Code:
cd /
Code:
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
Code:
tar -xvzf apf-current.tar.gz
Code:
cd apf-9.7-1
(or wherever the firewall was extracted; the version number in the directory name changes with each release)
Code:
./install.sh
You will receive a message saying it has been installed:

.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf

Code:
nano -w /etc/apf/conf.apf
Code:
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"
This turns on APF's use of the DShield.org block list, so addresses reported as active attackers are denied before they ever reach your services.

The following port setup should work correctly for a cPanel server. Keep each list free of spaces: APF reads them as plain comma-separated values, and a range is written LOW_HIGH. The 3000_3500 range is only right if Pure-FTPd's passive port range is set to the same values; change both together or passive FTP transfers will fail.
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports (43 is whois, 2089 is the cPanel license check)
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
The egress lists are only enforced when outbound filtering is switched on (EGF="1" in the same file); with the default EGF="0" they are ignored, so decide deliberately whether you want outbound filtering before relying on them.
Save the changes: control + O
Hit Enter

Starting the firewall
Code:
/usr/local/sbin/apf -s
Other commands:
usage /usr/local/sbin/apf [OPTION]
-s|--start ............. load firewall policies
-r|--restart ........... flush & load firewall
-f|--flush|--stop ...... flush firewall
-l|--list .............. list chain rules
-st|--status ........... firewall status
-a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

Code:
nano -w /etc/apf/conf.apf
Code:
FIND: DEVM="1"
CHANGE TO: DEVM="0"
DEVM is APF's development mode: while it is "1", a cron job flushes the firewall every few minutes so that a bad rule cannot lock you out permanently. Leave it at "1" until you have confirmed, from a second SSH session, that you can still reach the server with the policy loaded; only then set it to "0" so the rules stay up.
Save the changes: control + O
Hit Enter

Restart the firewall
Code:
/usr/local/sbin/apf -r
To autostart apf on reboot, run this
Code:
chkconfig --add apf
(check it with chkconfig --list apf)
To remove apf from autostart, run this
Code:
chkconfig --del apf
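A check worth running once the policy is loaded, as an added example that is not part of the original post and not APF's own code: the script below expands the IG_TCP_CPORTS list from conf.apf and compares it with the TCP ports that are actually listening. A service listening on a port that is not in the list is being silently dropped by the firewall; a port in the list with nothing behind it is an opening you do not need. The sample conf line and the listening-port list are constructed for the demonstration; on a real server you feed in netstat output as shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not part of the original post or of APF: expand the
# IG_TCP_CPORTS policy from a conf.apf file and compare it with the TCP ports
# that are actually listening.

# Expand an APF port spec such as "21,22,3000_3500" to one port per line.
# Stray spaces are removed first because APF itself does not tolerate them.
apf_expand_ports() {
    printf '%s\n' "$1" | tr -d ' ' | tr ',' '\n' | while IFS= read -r item; do
        [ -z "$item" ] && continue
        case "$item" in
            *_*) seq "${item%_*}" "${item#*_}" ;;   # APF writes ranges as LOW_HIGH
            *)   printf '%s\n' "$item" ;;
        esac
    done
}

# Pull the IG_TCP_CPORTS value out of a conf.apf (or any file with that line).
apf_ingress_tcp() {
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1"
}

# $1 = conf.apf path, $2 = space-separated list of listening TCP ports.
# Prints the listening ports that the policy does not allow, ascending.
apf_blocked_listeners() {
    printf '%s\n' $2 | awk -v allowed="$(apf_expand_ports "$(apf_ingress_tcp "$1")")" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)' | sort -un
}

# Same arguments; prints allowed ports on which nothing is listening, ascending.
apf_unused_allowed() {
    apf_expand_ports "$(apf_ingress_tcp "$1")" | awk -v listen="$2" '
        BEGIN { n = split(listen, l, " "); for (i = 1; i <= n; i++) up[l[i]] = 1 }
        !($1 in up)' | sort -un
}

# On a live server, collect the real listeners and run both checks:
#   LISTEN=$(netstat -ltn | awk '/^tcp/ { sub(/.*:/, "", $4); print $4 }' | sort -un | tr '\n' ' ')
#   apf_blocked_listeners /etc/apf/conf.apf "$LISTEN"
#   apf_unused_allowed    /etc/apf/conf.apf "$LISTEN"
```

Run it again after every change to the port lists, and in particular before you set DEVM="0": the blocked-listeners output is exactly the set of services you are about to cut off.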

=========================================
Install BFD (Brute Force Detection)
=========================================

BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is simple: there are few, if any, authentication and brute-force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php

Requirements:
APF Firewall must already be installed.

Code:
cd /
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-1.2
./install.sh
(cd into whichever bfd-* directory the tarball extracted to; the version number changes with each release)

You will receive a message saying it has been installed

.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

Code:
nano -w /usr/local/bfd/conf.bfd
FIND: ALERT_USR="0"
CHANGE TO: ALERT_USR="1"
FIND: EMAIL_USR="root"
CHANGE TO: EMAIL_USR="your@yourdomain.com"
TRIG in the same file is the number of failures from one address that triggers a ban; leave it at the default until you have watched the alerts for a while, since a low value bans legitimate users who mistype a password a few times.
Save the changes: Ctrl+X then Y

Code:
nano -w /usr/local/bfd/ignore.hosts
and add your own trusted IPs, one per line
Eg: 192.168.1.1
Put the address you administer the server from in here first: without it, a few mistyped passwords from your own workstation will get you banned by your own firewall.

Run BFD (the installer also adds a cron job, so after this first run it keeps checking the logs on its own)
Code:
/usr/local/sbin/bfd -s
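To make concrete what BFD does each time it runs, here is an added example (not BFD's own code and not part of the original post) of the same logic applied to a handful of constructed sshd log lines: count "Failed password" events per source address, drop addresses listed in an ignore file in the style of ignore.hosts, and emit the apf -d command for every address at or above the trigger count. The log lines, the trigger value of 3 and the 192.168.1.1 trust entry are all made up for the demonstration; BFD's real trigger is TRIG in conf.bfd and it executes the deny itself rather than printing it.

```shell
#!/bin/sh
# Added example (not BFD's own code): the core of what BFD does, reduced to a
# few lines so the logic is visible. It scans sshd "Failed password" lines,
# counts failures per source IP, skips addresses in an ignore file, and prints
# the `apf -d` command for every address at or above the trigger count.

# Constructed sample log lines in /var/log/secure format (not from a real server).
SAMPLE_LOG='Jan 12 03:14:07 host sshd[2345]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 host sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:11 host sshd[2345]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jan 12 03:15:01 host sshd[2399]: Failed password for bob from 198.51.100.5 port 40000 ssh2
Jan 12 03:15:30 host sshd[2401]: Accepted password for bob from 198.51.100.5 port 40010 ssh2
Jan 12 03:16:02 host sshd[2410]: Failed password for root from 192.168.1.1 port 33000 ssh2
Jan 12 03:16:04 host sshd[2410]: Failed password for root from 192.168.1.1 port 33002 ssh2
Jan 12 03:16:06 host sshd[2410]: Failed password for root from 192.168.1.1 port 33004 ssh2'

# Count "Failed password ... from <ip>" per IP; prints "<count> <ip>" per line,
# sorted by IP so the output is stable.
count_ssh_failures() {    # log on stdin
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -k2,2
}

# Keep addresses at or above the trigger that are not in the ignore file.
# $1 = trigger count, $2 = ignore file (one IP per line, like ignore.hosts).
offenders() {             # "<count> <ip>" lines on stdin
    awk -v trig="$1" -v ignore="$2" '
        BEGIN { while ((getline line < ignore) > 0) if (line != "") skip[line] = 1 }
        $1 >= trig && !($2 in skip) { print $2 }'
}

# Dry run: print the APF deny commands that would be executed.
ban_commands() {          # $1 = trigger, $2 = ignore file; log on stdin
    count_ssh_failures | offenders "$1" "$2" | sed 's|^|/usr/local/sbin/apf -d |'
}

# Demonstration on the constructed log with 192.168.1.1 as a trusted address.
IGNORE=$(mktemp)
printf '192.168.1.1\n' > "$IGNORE"
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3 "$IGNORE"
# prints: /usr/local/sbin/apf -d 203.0.113.7
rm -f "$IGNORE"
```

Note that 192.168.1.1 reaches the trigger as well but is never banned because it is in the ignore file, which is exactly why your own address belongs in ignore.hosts before BFD is started.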

================================================
Install CHKROOTKIT w/Cronjob which emails a user-set email address nightly
================================================

Chkrootkit is a tool that scans a Linux server for known rootkits, trojaned system binaries and related signs of compromise. We'll show you how to install it, scan your server and set up a daily automated scan that emails you the report. Bear in mind that chkrootkit relies on the system's own ps, ls, netstat and similar commands; a rootkit that has replaced those can hide from it, so a clean report is evidence, not proof (its -p option lets you point it at known-good copies of those commands, for example on a read-only mount).

Code:
cd /
Code:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Code:
tar xvzf chkrootkit.tar.gz
Code:
cd chkrootkit*
Code:
make sense
Code:
./chkrootkit
#Everything it outputs should be 'not found' or 'not infected'...
Code:
cd ../
Code:
rm -Rf chkrootkit.tar.gz
Code:
nano -w /etc/cron.daily/chkrootkit.sh
Code:
#!/bin/bash
# stop here rather than scanning from the wrong directory if the install moved
cd /chkrootkit-0.48/ || exit 1
./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com
Important:
1. Change 'Servername' to the name of the server you're running this on, so you know where the mail is coming from.
2. Change 'admin@youremail.com' to the email address the report should go to.
3. Change '/chkrootkit-0.48/' to the directory the tarball actually extracted to (the cd chkrootkit* step above); the cron job runs chkrootkit from that directory, so leave it in place.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
Code:
chmod 755 /etc/cron.daily/chkrootkit.sh
Now if you like you can run a test report manually in SSH to see how it looks.
Code:
cd /etc/cron.daily/
Code:
./chkrootkit.sh
You'll now receive an email with the report. This will happen every day from now on, so you don't have to run it manually.
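A nightly report that always arrives is soon ignored, so here is an added example (not chkrootkit's own code and not part of the original post) of a filter that reduces a report to its findings, meaning every line that is not one of the usual "not found" / "not infected" answers, and only signals when those findings differ from the previous night's. A known false positive then stops paging you, while a new finding does. The two sample reports are constructed in chkrootkit's output format; the state-file path and mail command in the trailing comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code and not from the original post:
# reduce a chkrootkit report to its findings and detect when they change.

# Constructed sample reports in chkrootkit's output format (not real scans).
sample_clean() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `chfn'... not infected
Searching for suspicious files and dirs, it may take a while... nothing found
Checking `lkm'... chkproc: nothing detected
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
EOF
}

sample_hit() {
cat <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.x/hidden
Checking `bindshell'... INFECTED (PORTS:  465)
EOF
}

# Keep only lines that are not a known "clean" answer or the header.
# Always exits 0, even when nothing is left, so it is safe under set -e.
chkrootkit_findings() {   # report on stdin
    grep -Ev 'not found$|not infected$|nothing found$|nothing detected$|not promisc|not tested$|^ROOTDIR is|^$' || true
}

# Exit 0 when the report contains at least one finding, 1 when it is clean.
chkrootkit_has_findings() {   # report on stdin
    [ -n "$(chkrootkit_findings)" ]
}

# Exit 0 when the set of findings differs from the one stored in $1, and store
# the current set there for the next run. $1 = state file; report on stdin.
findings_changed() {
    new=$(chkrootkit_findings | sort)
    old=""
    [ -f "$1" ] && old=$(sort "$1")
    printf '%s\n' "$new" > "$1"
    [ "$new" != "$old" ]
}

# Cron usage on a real server (commented out so this file runs offline; the
# paths are assumptions): keep the full report, mail only when findings change.
#   /chkrootkit-0.48/chkrootkit 2>&1 | tee /var/log/chkrootkit.last \
#     | findings_changed /var/log/chkrootkit.findings \
#     && mail -s "chkrootkit findings changed on Servername" admin@youremail.com < /var/log/chkrootkit.last
```

Keep the unconditional daily mail from the step above if you want proof that the job ran; the changed-findings mail is the one to treat as an alarm.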


================================================
Install Rkhunter w/Cronjob which emails a user-set email address nightly
================================================

Rkhunter is a very useful tool that checks for rootkits, trojans and other security problems. This tutorial covers installing it and setting up a daily report.

Code:
cd /
Code:
wget http://voxel.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz
Code:
tar -zxvf rkhunt*
Code:
cd rkhunt*
Code:
./installer.sh --layout default --install
Once it is installed, record a baseline of your system binaries with rkhunter --propupd so later scans can tell you what changed, and run --propupd again after every legitimate package update; otherwise each upgraded binary shows up as a warning in the nightly report.
Code:
nano -w /etc/cron.daily/rkhunter.sh
Code:
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report from Servername" email@domain.com)
Important:
1. Change 'Servername' to the name of the server you're running this on, so you know where the mail is coming from.
2. Change 'email@domain.com' to the email address the report should go to.
If the full report is too noisy, add --rwo (report warnings only) to the rkhunter command so the mail contains just the warnings.

Now save the file in SSH:
Ctrl+X then type Y

Change the file permissions so we can run it
Code:
chmod 755 /etc/cron.daily/rkhunter.sh
Run your initial scan now!!
Code:
/usr/local/bin/rkhunter -c

=========================================
/dev/shm Directory hardening
=========================================


TMP directory hardening (/dev/shm): mounting this world-writable tmpfs with noexec and nosuid helps prevent execution of malicious scripts and binaries that an attacker drops there.
Edit your /etc/fstab:

Code:
nano -w /etc/fstab
change:

Code:
none /dev/shm tmpfs defaults,rw 0 0
to

Code:
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
(on some distributions the first field reads tmpfs rather than none; only the options field changes)
Remount /dev/shm:

Code:
mount -o remount,noexec,nosuid /dev/shm
Note that noexec stops a file from being run directly; it does not stop an attacker from feeding the same file to an interpreter (sh /dev/shm/x.sh, perl /dev/shm/x.pl), so treat it as one layer rather than a complete fix.

=========================================
/tmp, /var/tmp Directory hardening
=========================================

cPanel ships /scripts/securetmp, so this step applies to cPanel servers. The script does everything: it backs up your current /tmp and /var/tmp, creates a dedicated /tmp partition if one does not exist, and if it does exist, secures it by mounting it with noexec and nosuid.

Code:
/scripts/securetmp
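After either of the two steps above, the thing to confirm is that the mount table really carries the options, because an fstab edit that was never remounted, or a securetmp run that stopped part-way, leaves the directory exactly as exposed as before. The script below is an added example (not part of the original post and not cPanel's code) that reads /proc/mounts-style lines and reports the state of /dev/shm, /tmp and /var/tmp; the sample mount table is constructed to show all three outcomes.

```shell
#!/bin/sh
# Added example, not part of the original post or of cPanel's securetmp: verify
# from the mount table that /dev/shm, /tmp and /var/tmp carry noexec and nosuid.

# Constructed /proc/mounts lines (not captured from a real host): /dev/shm is
# hardened, /tmp is a loop-mounted file that lacks noexec, and /var/tmp is not
# a separate mount at all, so it lives on / with no restrictions.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,noexec,relatime 0 0
/dev/loop0 /tmp ext3 rw,nosuid 0 0'

# Print the mount options of a mount point, or nothing if it is not one.
mount_options() {   # $1 = mount point; mount table (format of /proc/mounts) on stdin
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# One line per directory: "<dir> ok", "<dir> MISSING:<opts>" or "<dir> NOT-MOUNTED".
check_tmp_mounts() {   # mount table on stdin
    table=$(cat)
    for mp in /dev/shm /tmp /var/tmp; do
        opts=$(printf '%s\n' "$table" | mount_options "$mp")
        if [ -z "$opts" ]; then
            printf '%s NOT-MOUNTED\n' "$mp"
            continue
        fi
        missing=""
        for want in noexec nosuid; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="$missing$want," ;;
            esac
        done
        if [ -z "$missing" ]; then
            printf '%s ok\n' "$mp"
        else
            printf '%s MISSING:%s\n' "$mp" "${missing%,}"
        fi
    done
}

# On a live server:
#   check_tmp_mounts < /proc/mounts
# A quick behavioural test once /dev/shm is noexec: a copied binary will not run
# directly, but an interpreter still runs a script placed there, which is why
# noexec is one layer rather than a complete fix:
#   cp /bin/true /dev/shm/t; /dev/shm/t; echo "direct exec exit status: $?"   # non-zero
#   printf 'echo ran\n' > /dev/shm/s.sh; sh /dev/shm/s.sh                      # prints ran
#   rm -f /dev/shm/t /dev/shm/s.sh
```

A NOT-MOUNTED /var/tmp is worth acting on: it means the directory is a plain directory on the root filesystem, and nothing stops a script planted there from running.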

=========================================
Moving SSH port off of port 22 (Securing SSH)
=========================================

People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port keeps your SSH daemon out of the logs of scanners that only try the default port; it does not hide it from anyone who scans all ports, so keep the firewall and BFD above in place as well.

Code:
nano -w /etc/ssh/sshd_config
FIND: #Port 22
CHANGE TO: Port 1652
Note: Port 1652 is just an example, you can choose any port that is not already in use.

Before restarting sshd, add the new port to IG_TCP_CPORTS in /etc/apf/conf.apf and restart APF (/usr/local/sbin/apf -r); otherwise the firewall will drop every connection to the new port. Then restart sshd (service sshd restart) and connect on the new port from a second window. Once that works, remove 22 from IG_TCP_CPORTS so the old port is closed at the firewall too.

Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn't work.


MORE COMING SOON