How to secure & optimize your dedicated server...

  • AquariusStorage
    Junior Member
    • Jun 2009
    • 3

    How to secure & optimize your dedicated server...

    Here are some techniques that I recommend for securing your dedicated server. Use these techniques at your own risk. I personally have used all of these and they have worked great for me; however, I do not guarantee the same results for users who choose to use them.

    This tutorial is open to ideas/criticism and I will do my best to keep it updated. Add your feedback by posting and if I agree, I'll be sure to update this post!


    =========================================
    Install APF (Advanced Policy Firewall)
    =========================================

    APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in both tar.gz and RPM formats, APF is easy to deploy in many Linux-based server environments. APF is developed and maintained by R-fx Networks.

    Code:
    cd /
    Code:
    wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
    Code:
    tar -xvzf apf-current.tar.gz
    Code:
    cd apf-9.7-1
    (or wherever the firewall was extracted)
    Code:
    ./install.sh
    You will receive a message saying it has been installed:

    .: APF installed
    Install path: /etc/apf
    Config path: /etc/apf/conf.apf
    Executable path: /usr/local/sbin/apf

    Code:
    nano -w /etc/apf/conf.apf
    Code:
    FIND: USE_DS="0"
    CHANGE TO: USE_DS="1"

    The following port setup should work correctly for a cPanel server. Each list is comma-separated; a range is written low_high.
    Code:
    # Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
    #
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="53"
    #
    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,80,443,43,2089"
    #
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53"
    Save the changes: Ctrl+O
    Hit Enter

    Starting the firewall
    Code:
    /usr/local/sbin/apf -s
    Other commands:
    usage /usr/local/sbin/apf [OPTION]
    -s|--start ............. load firewall policies
    -r|--restart ........... flush & load firewall
    -f|--flush|--stop ...... flush firewall
    -l|--list .............. list chain rules
    -st|--status ........... firewall status
    -a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
    immediately load new rule into firewall
    -d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
    immediately load new rule into firewall

    Code:
    nano -w /etc/apf/conf.apf
    Code:
    FIND: DEVM="1"
    CHANGE TO: DEVM="0"
    Save the changes: control + O
    Hit Enter

    Restart the firewall
    Code:
    /usr/local/sbin/apf -r
    To autostart apf on reboot, run this
    Code:
    chkconfig --add apf
    To remove apf from autostart, run this
    Code:
    chkconfig --del apf
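
    Before you restart APF with a changed IG_TCP_CPORTS (for example after moving SSH to a new port, as described further down), it is worth checking that the port you depend on is actually in the list, because a port that is missing here is blocked once the policy loads. The helper below is an added example, not part of the original post and not APF's own code: it reads an APF-style conf.apf (a constructed excerpt is written to a temp file by apf_demo_conf, deliberately carrying the stray spaces from the list above), understands APF's low_high range form, and reports whether a given TCP port is allowed in.

```shell
#!/bin/sh
# Added example (not from the original post or from APF): check whether a TCP
# port is covered by IG_TCP_CPORTS in an APF-style conf.apf. Ranges use APF's
# low_high form (e.g. 3000_3500).

# apf_demo_conf -> writes a constructed excerpt of /etc/apf/conf.apf to a temp
# file and prints its path. The list carries the stray spaces seen in the post.
apf_demo_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed excerpt of /etc/apf/conf.apf (example data, not a real server)
USE_DS="1"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083, 2086,2087, 2095, 2096,3000_3500"
IG_UDP_CPORTS="53"
EOF
    printf '%s\n' "$f"
}

# apf_raw_ingress_tcp FILE -> prints the IG_TCP_CPORTS value as written (quotes removed)
apf_raw_ingress_tcp() {
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1"
}

# apf_list_has_whitespace FILE -> exit 0 if the raw value contains spaces or tabs,
# which is worth flagging even if APF tolerates them: it is not the documented form
apf_list_has_whitespace() {
    if apf_raw_ingress_tcp "$1" | grep -q '[[:space:]]'; then return 0; fi
    return 1
}

# apf_port_allowed FILE PORT -> exit 0 if PORT is listed or lies inside a listed range
apf_port_allowed() {
    list=$(apf_raw_ingress_tcp "$1" | tr -d ' \t')
    port=$2
    # walk the comma-separated items; each is either a single port or LOW_HIGH
    for item in $(printf '%s\n' "$list" | tr ',' ' '); do
        case $item in
            *_*)
                low=${item%_*}; high=${item#*_}
                if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then return 0; fi ;;
            *)
                if [ "$port" -eq "$item" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Usage on a live box (path from the post):
#   apf_port_allowed /etc/apf/conf.apf 1652 && echo allowed || echo "not allowed"
```

    Run the check against /etc/apf/conf.apf for the port you are about to move a service to; if it reports "not allowed", add the port to IG_TCP_CPORTS before `apf -r`, and test from a second session so the first one stays open.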

    =========================================
    Install BFD (Brute Force Detection)
    =========================================

    BFD is a modular shell script that parses the relevant logs and checks for authentication failures. There is not much complexity or detail to BFD yet, and likewise its installation, configuration and usage are very straightforward. The reason behind BFD is simple: there are few, if any, authentication and brute-force auditing programs in the Linux community that work in conjunction with a firewall or a real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php

    Requirements:
    APF Firewall must already be installed.

    Code:
    cd /
    wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
    tar -xvzf bfd-current.tar.gz
    cd bfd-1.2
    ./install.sh

    You will receive a message saying it has been installed

    .: BFD installed
    Install path: /usr/local/bfd
    Config path: /usr/local/bfd/conf.bfd
    Executable path: /usr/local/sbin/bfd

    Code:
    nano -w /usr/local/bfd/conf.bfd
    FIND: ALERT_USR="0"
    CHANGE TO: ALERT_USR="1"
    FIND: EMAIL_USR="root"
    CHANGE TO: EMAIL_USR="your@yourdomain.com"
    Save the changes: Ctrl+X then Y

    Code:
    nano -w /usr/local/bfd/ignore.hosts
    and add your own trusted IPs
    Eg: 192.168.1.1

    Run BFD
    Code:
    /usr/local/sbin/bfd -s
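
    To see what BFD is doing for you, here is the same kind of check done by hand. This is an added example, not BFD's own code: it counts sshd "Failed password" lines per source address in a constructed log excerpt (demo_auth_log), skips anything listed in an ignore.hosts-style file (demo_ignore_hosts, holding the post's example address 192.168.1.1), and lists the sources that reach a threshold. On a real server you would point it at /var/log/secure or /var/log/auth.log and at /usr/local/bfd/ignore.hosts; what it prints is the list you would review before deciding on a ban.

```shell
#!/bin/sh
# Added example (not BFD's code): count sshd authentication failures per source
# IP and list the ones that cross a threshold, honouring an ignore.hosts file.

# demo_auth_log -> writes constructed sshd log lines to a temp file, prints its path
demo_auth_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Jun  1 03:14:01 host sshd[2311]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jun  1 03:14:03 host sshd[2311]: Failed password for root from 10.0.0.5 port 40123 ssh2
Jun  1 03:14:05 host sshd[2313]: Failed password for invalid user admin from 10.0.0.5 port 40130 ssh2
Jun  1 03:14:09 host sshd[2315]: Failed password for root from 192.168.1.1 port 50001 ssh2
Jun  1 03:14:10 host sshd[2315]: Failed password for root from 192.168.1.1 port 50002 ssh2
Jun  1 03:14:11 host sshd[2315]: Failed password for root from 192.168.1.1 port 50003 ssh2
Jun  1 03:15:00 host sshd[2320]: Accepted publickey for deploy from 203.0.113.9 port 51000 ssh2
Jun  1 03:15:30 host sshd[2322]: Failed password for deploy from 203.0.113.9 port 51002 ssh2
EOF
    printf '%s\n' "$f"
}

# demo_ignore_hosts -> constructed ignore.hosts (one address per line, comments allowed)
demo_ignore_hosts() {
    f=$(mktemp)
    printf '%s\n' '# trusted hosts for this example' '192.168.1.1' >"$f"
    printf '%s\n' "$f"
}

# failed_logins_by_ip LOG -> prints "COUNT IP" per source address, most failures first
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# offenders LOG THRESHOLD IGNOREFILE -> IPs with at least THRESHOLD failures that
# are not listed (whole-line, literal match) in IGNOREFILE
offenders() {
    failed_logins_by_ip "$1" | while read -r count ip; do
        if [ "$count" -ge "$2" ] && ! grep -qxF "$ip" "$3"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Usage on a live server (paths from the post):
#   offenders /var/log/secure 5 /usr/local/bfd/ignore.hosts
```

    The threshold is the only tuning knob here; BFD's conf.bfd has the equivalent setting, and the point of the ignore file is exactly what the post says: put your own addresses in it first so a typo in your own password never locks you out.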

    ================================================
    Install CHKROOTKIT w/Cronjob which emails a user-set email address nightly
    ================================================

    Chkrootkit is a powerful tool to scan your Linux server for trojans. We'll show you how to install it, scan your server and setup a daily automated scanning job that emails you the report.

    Code:
     cd /
    Code:
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    Code:
    tar xvzf chkrootkit.tar.gz
    Code:
    cd chkrootkit*
    Code:
    make sense
    Code:
    ./chkrootkit
    #Everything it outputs should be 'not found' or 'not infected'...
    Code:
    cd ../
    Code:
    rm -Rf chkrootkit.tar.gz
    Code:
    nano -w /etc/cron.daily/chkrootkit.sh
    Code:
    #!/bin/bash
    cd /chkrootkit-0.48/
    ./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com
    Important:
    1. Change 'Servername' to the server you're running so you know where it's coming from.
    2. Change 'admin@youremail.com' to your actual email address where the script will mail you.

    Now save the file in SSH:
    Ctrl+X then type Y

    Change the file permissions so we can run it
    Code:
    chmod 755 /etc/cron.daily/chkrootkit.sh
    Now, if you like, you can run a test report manually in SSH to see how it looks.
    Code:
    cd /etc/cron.daily/
    ./chkrootkit.sh
    You'll now receive a nice email with the report! This will now happen everyday so you don't have to run it manually.


    ================================================
    Install Rkhunter w/Cronjob which emails a user-set email address nightly
    ================================================

    Rkhunter is a very useful tool that is used to check for trojans, rootkits, and other security problems. This tutorial will touch on installing and setting up a daily report for rkhunter.

    Code:
     cd /
    Code:
     wget http://voxel.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz
    Code:
     tar -zxvf rkhunt*
    Code:
    cd rkhunt*
    Code:
    ./installer.sh --layout default --install
    Code:
    nano -w /etc/cron.daily/rkhunter.sh
    Code:
    #!/bin/bash
    (/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report from Servername" email@domain.com)
    Important:
    1. Change 'Servername' to the server you're running so you know where it's coming from.
    2. Change 'email@domain.com' to your actual email address where the script will mail you.

    Now save the file in SSH:
    Ctrl+X then type Y

    Change the file permissions so we can run it
    Code:
    chmod 755 /etc/cron.daily/rkhunter.sh
    Run your initial scan now!!
    Code:
    /usr/local/bin/rkhunter -c

    =========================================
    /dev/shm Directory hardening
    =========================================


    TMP directory hardening (/dev/shm) - helps prevent execution of malicious scripts
    Edit your /etc/fstab:

    Code:
    nano -w /etc/fstab
    change:

    Code:
    none /dev/shm tmpfs defaults,rw 0 0
    to

    Code:
    none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
    Remount /dev/shm:

    Code:
    mount -o remount,noexec,nosuid /dev/shm
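
    If you would rather script the fstab edit than hand-type it (and verify the remount took), the following is an added example, not part of the original post. harden_shm_fstab_file adds nosuid and noexec to the options of the tmpfs /dev/shm entry only, leaves every other line alone, and is safe to run twice; shm_mount_hardened checks a /proc/mounts-style line for both options, which is how you confirm the remount actually applied. demo_fstab writes a constructed two-line fstab to a temp file for trying it out.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently add nosuid,noexec to
# the /dev/shm tmpfs entry in an fstab, and verify a mounted /dev/shm has them.

# harden_shm_stream -> filter: reads fstab lines on stdin, writes them back with
# nosuid and noexec added to the options of the tmpfs /dev/shm entry
harden_shm_stream() {
    awk '
    $2 == "/dev/shm" && $3 == "tmpfs" {
        opts = $4
        if (opts !~ /(^|,)nosuid(,|$)/) opts = opts ",nosuid"
        if (opts !~ /(^|,)noexec(,|$)/) opts = opts ",noexec"
        if (opts != $4) $4 = opts   # only rebuild the line when something changed
    }
    { print }'
}

# harden_shm_fstab_line LINE -> prints the single hardened line
harden_shm_fstab_line() {
    printf '%s\n' "$1" | harden_shm_stream
}

# harden_shm_fstab_file FILE -> rewrites FILE in place; cat into the original keeps its mode/owner
harden_shm_fstab_file() {
    tmp=$(mktemp)
    harden_shm_stream <"$1" >"$tmp" && cat "$tmp" >"$1"
    rm -f "$tmp"
}

# shm_mount_hardened PROC_MOUNTS_LINE -> exit 0 if the /dev/shm entry has both nosuid and noexec
shm_mount_hardened() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/dev/shm" { print $4 }')
    case ",$opts," in *,nosuid,*) : ;; *) return 1 ;; esac
    case ",$opts," in *,noexec,*) return 0 ;; esac
    return 1
}

# demo_fstab -> constructed two-line fstab in a temp file, prints its path
demo_fstab() {
    f=$(mktemp)
    printf '%s\n' '/dev/sda1 / ext3 defaults 1 1' 'none /dev/shm tmpfs defaults,rw 0 0' >"$f"
    printf '%s\n' "$f"
}

# Usage on a live server: harden_shm_fstab_file /etc/fstab
#                         mount -o remount,noexec,nosuid /dev/shm
#                         shm_mount_hardened "$(grep ' /dev/shm ' /proc/mounts)" && echo hardened
```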

    =========================================
    /tmp, /var/tmp Directory hardening
    =========================================

    On a cPanel server this script does everything: it backs up your current /tmp and /var/tmp, creates a /tmp partition if one does not exist, and secures it if one does.

    Code:
    /scripts/securetmp

    =========================================
    Moving SSH port off of port 22 (Securing SSH)
    =========================================

    Automated probes look for SSH on port 22 as a possible way into your server. Moving SSH to a different port is a simple way to deter anyone without specific knowledge of your server from easily finding your SSH port.

    Code:
    nano -w /etc/ssh/sshd_config
    Code:
    FIND: Port 22
    CHANGE TO: Port 1652
    Note: Port 1652 is just an example; you can choose any port that is not already in use.

    Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn't work.
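
    The two things that go wrong with this step are picking a port something else already listens on, and ending up with two Port lines in sshd_config. The following is an added example, not from the original post or from OpenSSH: port_is_free checks that the candidate is numeric, unprivileged (1024-65535) and not in a list of bound sockets (demo_listeners is a constructed stand-in for the local-address column of `ss -ltn` or `netstat -ltn`); set_sshd_port removes every existing Port line, commented or not, and writes exactly one; sshd_port reads back the first Port value, falling back to sshd's default of 22. demo_sshd_config writes a constructed config excerpt to try it on.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): choose a free
# unprivileged port and apply it to sshd_config without leaving duplicate
# Port directives behind.

# demo_listeners -> constructed local-address column, as ss -ltn / netstat -ltn would show it
demo_listeners() {
    printf '%s\n' '0.0.0.0:22' '0.0.0.0:80' '0.0.0.0:443' '127.0.0.1:3306'
}

# port_is_free PORT LISTENER_LIST -> exit 0 if PORT is 1024-65535 and not already bound
port_is_free() {
    port=$1
    case $port in ''|*[!0-9]*) return 1 ;; esac          # not a number
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then return 1; fi
    if printf '%s\n' "$2" | grep -q ":$port\$"; then return 1; fi   # already listening
    return 0
}

# set_sshd_port FILE PORT -> rewrite FILE so its only Port directive is "Port PORT"
set_sshd_port() {
    tmp=$(mktemp)
    # our directive first, then every line that is not a Port line (commented ones included);
    # grep -v exiting 1 just means nothing else was in the file, which is not an error here
    { printf 'Port %s\n' "$2"; grep -v '^[[:space:]]*#\{0,1\}[[:space:]]*Port[[:space:]]' "$1" || true; } >"$tmp"
    cat "$tmp" >"$1"      # cat into the original keeps its mode and owner
    rm -f "$tmp"
}

# sshd_port FILE -> prints the first active Port value, or 22 (sshd's default) if none is set
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]*\).*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${p:-22}"
}

# demo_sshd_config -> constructed sshd_config excerpt in a temp file, prints its path
demo_sshd_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed excerpt of /etc/ssh/sshd_config (example data)
#Port 22
Protocol 2
X11Forwarding no
EOF
    printf '%s\n' "$f"
}

# Usage on a live server:
#   port_is_free 1652 "$(ss -ltn | awk 'NR>1 {print $4}')" && set_sshd_port /etc/ssh/sshd_config 1652
```

    After the edit, add the new port to IG_TCP_CPORTS in /etc/apf/conf.apf and reload APF before you restart sshd, then connect on the new port from a second terminal while the first session stays open; only when that works should you remove 22 from the APF list.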


    MORE COMING SOON