Secure, Optimize and Harden Server
The following is a list of software and configurations that we can install
to secure, optimize and harden your server. This software is not resource
intensive, so you will not see any decrease in performance.
CHKRootKit, which is a program that looks for known signatures in trojaned
system binaries; it basically detects whether your system has been
compromised.
Rootkit Hunter, which is a scanning tool that finds most types of exploits
(backdoors, suspicious files, md5 hash comparisons) and is over 99% accurate
in detecting such exploits.
APF Firewall to be installed and configured to only allow traffic on the
ports that are used.
In addition, we can configure the Anti-DOS function in APF. This additional
module helps mitigate and prevent certain types of DOS (denial of service)
attacks against your server. A daily cron job flushes the firewall deny
list. This prevents the common problems of the deny list growing huge, such
as hanging on bootup, a slowdown in server performance, etc.
BFD (Brute Force Detection) to be installed. This program works in real time
in conjunction with the APF firewall to block the IP addresses of users that
fail authentication more than 3 times in 10 minutes.
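The detection rule just described, as an added example (not code from the original page nor from BFD or APF themselves): an IP is flagged once it has more than 3 failed logins inside any 10-minute window, run over constructed sshd log lines. It assumes syslog-style timestamps and a single day of logs.

```shell
#!/bin/sh
# Added example (not part of the original page or of BFD/APF itself): the
# "more than 3 failures in 10 minutes" rule applied to constructed sshd lines.
# Assumptions: syslog-style timestamps ("Mar  3 10:00:05"), one day of logs.

# detect_bfd LOGFILE -> prints each offending IP once (what would be handed to APF to deny)
detect_bfd() {
    awk '
    /Failed password for/ {
        split($3, t, ":")                       # HH:MM:SS -> seconds since midnight
        sec = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++
        ts[ip, n[ip]] = sec                     # per-IP history of failure times
        hits = 0
        for (j = 1; j <= n[ip]; j++) if (ts[ip, j] > sec - 600) hits++
        if (hits > 3 && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }' "$1"
}

# make_sample_log FILE -> writes constructed sshd lines (not real logs)
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:00:05 host sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
Mar  3 10:02:17 host sshd[2107]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar  3 10:05:40 host sshd[2111]: Failed password for invalid user admin from 203.0.113.5 port 51140 ssh2
Mar  3 10:06:01 host sshd[2115]: Accepted password for bob from 198.51.100.7 port 40010 ssh2
Mar  3 10:07:59 host sshd[2120]: Failed password for root from 203.0.113.5 port 51150 ssh2
Mar  3 10:20:00 host sshd[2130]: Failed password for root from 198.51.100.9 port 40020 ssh2
Mar  3 10:25:00 host sshd[2131]: Failed password for root from 198.51.100.9 port 40021 ssh2
Mar  3 10:29:00 host sshd[2132]: Failed password for root from 198.51.100.9 port 40022 ssh2
Mar  3 10:40:00 host sshd[2133]: Failed password for root from 198.51.100.9 port 40023 ssh2
EOF
}

# Stand-alone run: prints 203.0.113.5 only; 198.51.100.9 spreads its four
# failures over 20 minutes and never has more than 3 inside one window.
tmp=$(mktemp)
make_sample_log "$tmp"
detect_bfd "$tmp"
rm -f "$tmp"
```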
Logwatch has to be installed. This program parses your server’s logs and
reports to you via e-mail on a daily basis with tabulated information.
SIM (System Integrity Monitor) has to be installed on your server. This
software checks all services 24×7 and restarts them if they are down. An
e-mail is dispatched when a downed service is detected and restarted.
Apache (HTTPD) web server has to be optimized and secured. For extra http/php
security, we can install mod_security; it is not installed by default
because it can interfere with certain common functions.
MySQL Server has to be optimized to perform at its best under the most
common and standard environments.
System Configuration File host.conf has to be secured and hardened to prevent
DNS lookup poisoning and also provide protection against spoofs.
System Configuration File nsswitch.conf has to be secured and hardened. We can
also optimize it to perform DNS lookups more efficiently.
System Configuration File sysctl.conf has to be secured and hardened to help
protect the TCP/IP stack from syn-flood attacks. It is also configured to
prevent other various and similar kinds of network abuse.
All vulnerable directories (/tmp, /var/tmp, /dev/shm and
/usr/local/apache/proxy) need to be reviewed and cleaned now.
/tmp and /var/tmp have to be hardened and secured to prevent the execution of
malicious scripts.
The old archived (already rotated) log files located in /var/log have been
removed to free up space in the /var partition/directory.
MyTOP has to be installed. This is a console-based administrative tool for
monitoring MySQL threads/processes and performance.
We can set up a root login notification script and logger. This will send an
e-mail to ‘root’ every time someone logs into your server as root. It will
also keep track of all logins in a history file located in
/var/log/rootlogins.
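A root-login notifier and logger of the kind described above, as an added example (not the page's own script): the hook point (sourced from /root/.bash_profile), the `mail` command and the log path passed in are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own script): record every root login in a
# history file and mail the record to root. Assumed hook point: sourced from
# /root/.bash_profile; the `mail` command and log path are assumptions.

# record_root_login LOGFILE -> appends one record to the history file and echoes it
record_root_login() {
    logfile=$1
    # SSH_CONNECTION is "client_ip client_port server_ip server_port"; unset for console logins
    src=${SSH_CONNECTION%% *}
    [ -n "$src" ] || src=console
    # tty prints "not a tty" and fails when there is no terminal; fall back to "none"
    term=$(tty 2>/dev/null) || term=none
    rec="$(date '+%Y-%m-%d %H:%M:%S') user=$(id -un) tty=$term from=$src"
    printf '%s\n' "$rec" >> "$logfile"
    printf '%s\n' "$rec"
}

# notify_root RECORD -> mails the record to root when a mailer is available
notify_root() {
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$1" | mail -s "root login on $(hostname)" root
    fi
}

# Hook line for /root/.bash_profile (runs at every root shell login):
# notify_root "$(record_root_login /var/log/rootlogins)"
```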
SPRI has to be installed. This program changes the priority of different
processes in accordance with their level of importance. You should see at
least a 5-20% decrease in the average load level of your server.
We can disable the Mchat, Cgiecho, Cgiemail, Guestbook, Counter and
Formmail scripts in CPanel’s system-wide cgi-sys directory. They are the
most commonly exploited scripts since they are in the same location on every
CPanel server in the world.
Unused programs have to be disabled from the OS of your server. This reduces
the chance of being compromised through software exploits on old or
deprecated programs.
MultiTail has to be installed; it gives you the ability to tail (view
real-time activity of) multiple log files simultaneously.
PHPSysInfo has to be installed. This is a GUI (graphical user interface) to
your server’s vital statistics. You can view it by going to
http://0.0.0.0:2086/phpsysinfo-dev/index.php
Replace 0.0.0.0 with your own server’s IP Address. You will have to enter
your root login information to gain access as it is protected under your
root WHM login.
Telnet has to be disabled to prevent insecure transmission of data and
passwords; SSH must be used instead of Telnet, and it functions the same way.
SSH has to be hardened by restricting the SSH protocol to SSH 2. SSH will
still function the same way, only more securely. If you would like your ssh
port changed, or direct root login disabled, just let us know and we’ll be
more than glad to do this for you.
Fileman (Filemanager developed by gossamer-threads.com) has to be installed
into WHM with root level permissions. This allows system root files to be
edited in an emergency situation when SSH is not accessible. You can access
Fileman by going to http://0.0.0.0:2086/fileman/fileman.cgi
Replace 0.0.0.0 with your own server’s IP Address. You will have to enter
your root login information to gain access as it is protected under your
root WHM login.
!!IMPORTANT!! This simulates SSH access, treat it as such, do not use it
unless you are familiar with SSH. Moreover, do not execute any commands you
are not fluent with. As with SSH, damage can be done if Fileman is not used
properly. If you are unfamiliar with SSH, do NOT use this program. It should
be left in case of such an emergency.
Again, this file can only be accessed through WHM while being logged in as
root.
Shell Fork Bomb/Memory Hog Protection has to be enabled. Fork Bomb/Memory Hog
protection will prevent users logged into a shell (ssh/telnet) from using up
all the resources on the server and causing a crash.
Background Process Killer has to be enabled to kill any of the following,
which are commonly recognized bad processes: BitchX, bnc, eggdrop,
generic-sniffers, guardservices, ircd, psyBNC, ptlink and related services.
A warning message has to be created for the SSH login welcome screen. Any
user that logs into your server via SSH will see a message stating that SSH
is for authorized users only, and that any unauthorized access will be
reported to the law enforcement authorities.
Your FTP server software has to be upgraded and secured.
We ran a simulated basic password scan hack attempt; the results have been
emailed to ‘root’ and a copy of the results has been saved on your server
at /root/security/passwordscanner.output.
If you would like any other security software installed, just let us know
and we’ll be more than glad to do so.
Please note that over 99% of hacks come from insecure php scripts. These
insecurities in php scripts come from the programming code, and therefore
there is absolutely no way to search for and find “all” insecure scripts.
Remote based hacks are extremely rare. If there are no weak passwords and no
insecure php scripts, you have a very rare chance of ever being hacked.
So as long as you and your users keep all of your scripts up to date, and
remove any unused scripts and remove any insecure scripts, then the chances
of being hacked through the most common method is greatly reduced. If you
feel your users do not know how to check or are not responsible enough to
keep their scripts secure, we can secure php by enabling safemode (and other
similar restrictions for php such as openbasedir restriction, disabling of
commonly exploited functions, phpsuexec, etc.), and this will make php much
more secure. However, the downside to doing this is that it will also
interfere with a lot of scripts that don’t work under these restrictions. If
you would like this done, just let us know and we’ll be more than glad to.
Thank you,
rrTeam