Here are some techniques that I recommend for securing your dedicated server. Use these techniques at your own risk. I personally have used all of these and they have worked great for me; however, I do not guarantee the same results to users who choose to use them.
This tutorial is open to ideas/criticism and I will do my best to keep it updated. Add your feedback by posting and if I agree, I'll be sure to update this post!
=========================================
Install APF (Advanced Policy Firewall)
=========================================
APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in both tar.gz and RPM formats, APF is ideal for deployment in many Linux-based server environments. APF is developed and maintained by R-fx Networks (see the Projects page at R-fx Networks).

Download, unpack and install it (cd into wherever you extracted the firewall if you used a different directory):
Code:
    cd /
    wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
    tar -xvzf apf-current.tar.gz
    cd apf-9.7-1
    ./install.sh

You will receive a message saying it has been installed:
    .: APF installed
    Install path:     /etc/apf
    Config path:      /etc/apf/conf.apf
    Executable path:  /usr/local/sbin/apf

Now edit the configuration:
Code:
    nano -w /etc/apf/conf.apf

FIND:      USE_DS="0"
CHANGE TO: USE_DS="1"

The following port setup should work correctly for a cPanel server (3000_3500 is the passive port range for Pure-FTPd):
Code:
    # Common ingress (inbound) TCP ports
    # -3000_3500 = passive port range for Pure FTPD
    IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
    #
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="53"

    # Common egress (outbound) ports
    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,80,443,43,2089"
    #
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+O, then hit Enter.

Start the firewall:
Code:
    /usr/local/sbin/apf -s

Other commands:
    usage /usr/local/sbin/apf [OPTION]
    -s|--start ............. load firewall policies
    -r|--restart ........... flush & load firewall
    -f|--flush|--stop ...... flush firewall
    -l|--list .............. list chain rules
    -st|--status ........... firewall status
    -a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
                             immediately load new rule into firewall
    -d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
                             immediately load new rule into firewall

Once you have confirmed that you can still reach the server with the firewall running, take APF out of development mode. While DEVM="1" is set, APF flushes its rules every few minutes from cron (so a bad rule set cannot lock you out permanently), which also means the firewall is not really protecting you yet:
Code:
    nano -w /etc/apf/conf.apf

FIND:      DEVM="1"
CHANGE TO: DEVM="0"

Save the changes: Ctrl+O, then hit Enter.

Restart the firewall:
Code:
    /usr/local/sbin/apf -r

To autostart apf on reboot, run this:
Code:
    chkconfig --add apf

To remove apf from autostart, run this:
Code:
    chkconfig --del apf
=========================================
Install BFD (Brute Force Detection)
=========================================
BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: there are few, if any, authentication and brute-force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php

Requirements: APF Firewall must already be installed.

Download, unpack and install it:
Code:
    cd /
    wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
    tar -xvzf bfd-current.tar.gz
    cd bfd-1.2
    ./install.sh

You will receive a message saying it has been installed:
    .: BFD installed
    Install path:     /usr/local/bfd
    Config path:      /usr/local/bfd/conf.bfd
    Executable path:  /usr/local/sbin/bfd

Now edit the configuration so that BFD emails you when it bans a host:
Code:
    nano -w /usr/local/bfd/conf.bfd

Find:      ALERT_USR="0"
CHANGE TO: ALERT_USR="1"

Find:      EMAIL_USR="root"
CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes: Ctrl+X then Y.

Next, open the ignore list and add your own trusted IPs, one per line, so that a few mistyped passwords from your own machine cannot get you banned:
Code:
    nano -w /usr/local/bfd/ignore.hosts

Eg: 192.168.1.1

Run BFD:
Code:
    /usr/local/sbin/bfd -s
================================================
Install CHKROOTKIT w/Cronjob which emails a user-set email address nightly
================================================
Chkrootkit is a powerful tool to scan your Linux server for trojans. We'll show you how to install it, scan your server and set up a daily automated scanning job that emails you the report.

Download, build and run it:
Code:
    cd /
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar xvzf chkrootkit.tar.gz
    cd chkrootkit*
    make sense
    ./chkrootkit

Everything it outputs should be 'not found' or 'not infected'...

Then go back up and remove the tarball:
Code:
    cd ../
    rm -Rf chkrootkit.tar.gz

Now create the daily cron script:
Code:
    nano -w /etc/cron.daily/chkrootkit.sh

Put this in it:
Code:
    #!/bin/bash
    cd /chkrootkit-0.48/
    ./chkrootkit | mail -s "Daily chkrootkit from Servername" admin@youremail.com

Important:
1. Change 'Servername' to the server you're running so you know where it's coming from.
2. Change 'admin@youremail.com' to your actual email address where the script will mail you.
3. If your chkrootkit directory is not /chkrootkit-0.48, change the cd line to match.

Now save the file in SSH: Ctrl+X then type Y

Change the file permissions so we can run it:
Code:
    chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks:
Code:
    cd /etc/cron.daily/
    ./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen every day so you don't have to run it manually.
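The cron script above mails the whole report every night, which makes it easy to stop reading it. As an added example (not part of the original post), here is a wrapper that only mails when the report contains a line that is not one of the expected clean results; the chkrootkit directory, the address and the list of benign phrases are assumptions you should adjust.

```shell
#!/bin/sh
# Added example, not part of the original post: a cron wrapper that mails the
# chkrootkit report only when it contains something other than the expected
# clean results ("not found", "not infected", "nothing found", ...).
# The chkrootkit directory, address and benign-phrase list are assumptions.

CHKROOTKIT_DIR=/chkrootkit-0.48               # adjust to where you unpacked it
MAILTO=admin@youremail.com                    # placeholder, change it
SUBJECT="chkrootkit ALERT from Servername"

# Print only the report lines that are not a known clean result.
suspicious_lines() {  # report on stdin
    grep -v -E '(not infected|not found|nothing found|nothing detected|nothing deleted|no packet sniffer sockets)[[:space:]]*$' \
    | grep -v -E '^(ROOTDIR is |Searching for .*\.\.\.[[:space:]]*$)' \
    | grep -v -E '^[[:space:]]*$' || true     # grep -v exits 1 when nothing is left
}

# Succeed if the saved report FILE has no suspicious lines.
report_is_clean() {  # report_is_clean FILE
    [ -z "$(suspicious_lines < "$1")" ]
}

# Run the scan from its own directory (as in the post) and mail only on a hit:
# the suspicious lines first, then the full report for context.
run_daily() {
    report=$(mktemp)
    (cd "$CHKROOTKIT_DIR" && ./chkrootkit) > "$report" 2>&1
    if ! report_is_clean "$report"; then
        {
            echo "chkrootkit reported something unexpected:"
            suspicious_lines < "$report"
            echo; echo "--- full report ---"; cat "$report"
        } | mail -s "$SUBJECT" "$MAILTO"
    fi
    rm -f "$report"
}

# Call this script with the argument "run" from /etc/cron.daily/chkrootkit.sh.
case "${1:-}" in run) run_daily ;; esac
```

A quiet night means no mail at all, so keep the plain daily report as well if you want proof that the job is still running.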
================================================
Install Rkhunter w/Cronjob which emails a user-set email address nightly
================================================
Rkhunter is a very useful tool that is used to check for trojans, rootkits, and other security problems. This tutorial will touch on installing and setting up a daily report for rkhunter.

Download, unpack and install it:
Code:
    cd /
    wget http://voxel.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.4.tar.gz
    tar -zxvf rkhunt*
    cd rkhunt*
    ./installer.sh --layout default --install

Now create the daily cron script:
Code:
    nano -w /etc/cron.daily/rkhunter.sh

Put this in it:
Code:
    #!/bin/bash
    (/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report from Servername" email@domain.com)

Important:
1. Change 'Servername' to the server you're running so you know where it's coming from.
2. Change 'email@domain.com' to your actual email address where the script will mail you.

Now save the file in SSH: Ctrl+X then type Y

Change the file permissions so we can run it:
Code:
    chmod 755 /etc/cron.daily/rkhunter.sh

Run your initial scan now!!
Code:
    /usr/local/bin/rkhunter -c
=========================================
/dev/shm Directory hardening
=========================================
TMP directory hardening (/dev/shm) - mounting this world-writable directory noexec,nosuid helps prevent execution of malicious scripts dropped into it.

Edit your /etc/fstab:
Code:
    nano -w /etc/fstab

change:
Code:
    none /dev/shm tmpfs defaults,rw 0 0

to:
Code:
    none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0

The fstab change only applies at the next mount, so remount /dev/shm now to make it take effect immediately:
Code:
    mount -o remount,noexec,nosuid /dev/shm
=========================================
/tmp, /var/tmp Directory hardening
=========================================
cPanel's securetmp script will do everything for you: it backs up your current /tmp and /var/tmp, creates a /tmp partition if one does not exist yet, and if one already exists, it secures it.
Code:
    /scripts/securetmp
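Both the /dev/shm section and the /tmp, /var/tmp section above change mount options, and a typo in fstab or a skipped remount silently leaves the directory executable. As an added check (not from the original post, nor part of cPanel's securetmp), the following script reads /proc/mounts (or any file in that format, which is how the test feeds it a constructed snapshot) and reports the temp directories that are not mounted with noexec and nosuid.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that /dev/shm, /tmp and
# /var/tmp are really mounted with noexec and nosuid by reading /proc/mounts
# (or any file in that format). Editing fstab only affects the next mount, so
# run this after the remount / securetmp and again after a reboot.

# Print the mount options of MOUNTPOINT; the last matching line wins, since a
# later mount shadows an earlier one at the same path.
mount_options() {  # mount_options MOUNTPOINT [MOUNTS_FILE]
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "${2:-/proc/mounts}"
}

# Succeed only if every option listed in WANT (comma-separated) is set.
mount_has_options() {  # mount_has_options MOUNTPOINT WANT [MOUNTS_FILE]
    have=",$(mount_options "$1" "${3:-/proc/mounts}"),"
    for o in $(echo "$2" | tr ',' ' '); do
        case "$have" in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the temp directories that are not a mount of their own, or that lack
# noexec/nosuid. Returns 1 if anything is reported, so cron can act on it.
unhardened_tmp_mounts() {  # unhardened_tmp_mounts [MOUNTS_FILE]
    mounts=${1:-/proc/mounts}
    rc=0
    for mp in /dev/shm /tmp /var/tmp; do
        if [ -z "$(mount_options "$mp" "$mounts")" ]; then
            echo "$mp: not a separate mount (files there can still be executed)"
            rc=1
        elif ! mount_has_options "$mp" noexec,nosuid "$mounts"; then
            echo "$mp: mounted without noexec,nosuid ($(mount_options "$mp" "$mounts"))"
            rc=1
        fi
    done
    return $rc
}

# Usage on the server: unhardened_tmp_mounts || echo "temp dirs need hardening"
```

If /var/tmp is a symlink to /tmp rather than a mount, it is reported as "not a separate mount"; that is fine as long as /tmp itself passes.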
=========================================
Moving SSH port off of port 22 (Securing SSH)
=========================================
People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port. It hides the service from casual scans; it is not a substitute for strong passwords or keys, so keep BFD and the firewall in place as well.
Code:
    nano -w /etc/ssh/sshd_config

Find the "Port 22" line and change it to your new port, e.g. "Port 1652". If you are running APF, add the new port to IG_TCP_CPORTS in /etc/apf/conf.apf too, or the firewall will block it.

Note: Port 1652 is just an example, you can choose any port that is not already in use.

Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn't work.
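The most common way to lock yourself out with this setup is to move sshd to a new port and forget that APF's IG_TCP_CPORTS (from the APF section above) still only lists 22. As an added example (not from the original post, nor an APF feature), this script reads both config files and tells you whether the port sshd will listen on is allowed by the APF ingress list, including APF's LOW_HIGH range syntax; run it before restarting sshd or the firewall. The file paths are passed as arguments, so the test can use constructed copies.

```shell
#!/bin/sh
# Added example, not part of the original post: before restarting APF (or sshd)
# after moving SSH off port 22, confirm that the port sshd will listen on is in
# APF's IG_TCP_CPORTS; otherwise the firewall will cut off your next login.
# The two config files are passed as arguments (the real paths are
# /etc/apf/conf.apf and /etc/ssh/sshd_config; the test uses sample copies).

# Print the value of KEY="..." from a shell-style config such as conf.apf.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print the port sshd will listen on: the last active "Port" line, 22 if none.
sshd_port() {  # sshd_port SSHD_CONFIG
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n 1)
    echo "${p:-22}"
}

# Succeed if PORT is covered by an APF port list such as "21,22,3000_3500"
# (APF writes a range as LOW_HIGH; stray spaces in the list are ignored).
apf_list_allows() {  # apf_list_allows LIST PORT
    port=$2
    echo "$1" | tr ',' '\n' | while read -r entry; do
        entry=$(echo "$entry" | tr -d '[:space:]')
        case "$entry" in
            "" | *[!0-9_]*) ;;                       # skip empty or junk entries
            *_*) low=${entry%%_*}; high=${entry#*_}
                 [ "$port" -ge "$low" ] && [ "$port" -le "$high" ] && echo yes ;;
            *)   [ "$port" -eq "$entry" ] && echo yes ;;
        esac
    done | grep -q yes
}

# 0 if the firewall will still admit SSH on its configured port, 1 otherwise.
apf_allows_ssh() {  # apf_allows_ssh CONF_APF SSHD_CONFIG
    apf_list_allows "$(conf_value "$1" IG_TCP_CPORTS)" "$(sshd_port "$2")"
}

# Usage on the server:
#   apf_allows_ssh /etc/apf/conf.apf /etc/ssh/sshd_config \
#       || echo "WARNING: sshd port is not in IG_TCP_CPORTS, fix conf.apf before apf -r"
```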
MORE COMING SOON