Step 1. Install cPanel
—–command—–
root@server # yum -y install wget perl screen
root@server # cd /home
root@server [/home]# wget http://layer1.cpanel.net/latest
root@server [/home]# sh latest
root@server # /usr/local/cpanel/cpkeyclt
—–command—–
If cpkeyclt cannot reach the license server you will see output like this:
Looking up www.cpanel.net
Unable to locate remote host www.cpanel.net.
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://www.cpanel.net/showip.cgi
In that case flush the firewall rules, force a cPanel update, set the clock and run the license client again:
—–command—–
iptables --flush
/scripts/upcp --force
rdate -s time.nist.gov
/sbin/hwclock --systohc
/usr/local/cpanel/cpkeyclt
—–command—–
Step 2. Firewall: CSF Installation
—–command—–
root@server # wget http://www.configserver.com/free/csf.tgz
root@server # tar zxfv csf.tgz
root@server # cd csf
root@server # ./install.cpanel.sh
—–command—–
At this point the CSF installation is complete. The default configuration should suit most needs; to edit it, open the configuration file and then start CSF:
—–command—–
pico /etc/csf/csf.conf
root@server # /etc/init.d/csf start
—–command—–
You will have to edit the csf.conf file, which is located at /etc/csf/csf.conf.
You need to set it like this (the key is upper case; csf stays in testing mode and clears its rules every few minutes until this is "0"):
TESTING = "0"
You also need to configure the open ports in csf.conf, or you will not be able to reach those ports. For a cPanel/WHM server the list below covers the usual services. If you run something on another port you will have to add it here, and if you changed the SSH port you will have to add the new port as well:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,43141"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703,43141"
The 43141 entry is only needed if you move SSH to port 43141 as in the "Secure SSH on cPanel" section below; add whichever port you actually choose there.
6.2) CSF Connection Limit
The CT options in csf.conf control connection tracking. Configure them like this:
CT_LIMIT = "200"
Every IP with more than 200 connections is going to be blocked.
CT_PERMANENT = "1"
The IP will be blocked permanently.
CT_BLOCK_TIME = "1800"
Block duration in seconds when CT_PERMANENT is "0" (1800 seconds = 30 minutes).
CT_INTERVAL = "60"
The number of seconds between connection tracking scans.
After editing csf.conf you need to restart csf:
—–command—–
root@server [~]# service csf restart
—–command—–
or:
—–command—–
root@server [~]# /etc/init.d/csf restart
—–command—–
Port Flood Protection:
So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:
1. If more than 5 connections to tcp port 22 within 300 seconds, then block
that IP address from port 22 for at least 300 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 300 seconds before the block is
lifted
2. If more than 20 connections to tcp port 80 within 5 seconds, then block
that IP address from port 80 for at least 5 seconds after the last packet is
seen, i.e. there must be a "quiet" period of 5 seconds before the block is
lifted
This will open the ports for you.
Connection Limit Protection:
Syntax for the CONNLIMIT setting:
CONNLIMIT is a comma separated list of:
port;limit
So, a setting of CONNLIMIT = "22;5,80;20" means:
1. Only allow up to 5 concurrent new connections to port 22 per IP address
2. Only allow up to 20 concurrent new connections to port 80 per IP address
Note: Existing connections are not included in the count, only new SYN packets,
i.e. new connections
Note: Run /etc/csf/csftest.pl to check whether this option will function on the server
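As an added check that is not part of the original guide, the two shell functions below parse PORTFLOOD and CONNLIMIT strings in exactly the format just described, print what each entry means, and reject malformed entries (wrong field count, unknown protocol, non-numeric or out-of-range port), so a typo is caught before csf is restarted with it. The function names and message wording are mine.

```shell
# Added example: validate and explain CSF PORTFLOOD / CONNLIMIT values.
# Not part of the original guide; function names are the author's own choice.

is_number() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
is_port()   { is_number "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# explain_portflood "22;tcp;5;300,80;tcp;20;5"
# One line per entry on stdout; malformed entries go to stderr and make the
# function return 1, so it can be used as a gate before editing csf.conf.
explain_portflood() {
    spec=$1 rc=0
    set -f                          # no globbing while splitting on , and ;
    IFS=','
    for entry in $spec; do
        IFS=';'
        set -- $entry
        IFS=','
        if [ $# -ne 4 ]; then
            echo "PORTFLOOD: expected port;proto;hits;seconds, got '$entry'" >&2
            rc=1; continue
        fi
        port=$1 proto=$2 hits=$3 secs=$4
        case $proto in
            tcp|udp) ;;
            *) echo "PORTFLOOD: protocol must be tcp or udp in '$entry'" >&2; rc=1; continue ;;
        esac
        if ! is_port "$port" || ! is_number "$hits" || ! is_number "$secs"; then
            echo "PORTFLOOD: non-numeric or out-of-range field in '$entry'" >&2
            rc=1; continue
        fi
        echo "more than $hits connections to $proto port $port within $secs seconds: block source on port $port until $secs quiet seconds have passed"
    done
    unset IFS
    set +f
    return $rc
}

# explain_connlimit "22;5,80;20"
# Same idea for the port;limit list: one line per entry, 1 on any bad entry.
explain_connlimit() {
    spec=$1 rc=0
    set -f
    IFS=','
    for entry in $spec; do
        IFS=';'
        set -- $entry
        IFS=','
        if [ $# -ne 2 ] || ! is_port "$1" || ! is_number "$2"; then
            echo "CONNLIMIT: expected port;limit, got '$entry'" >&2
            rc=1; continue
        fi
        echo "at most $2 concurrent new connections to port $1 per source IP"
    done
    unset IFS
    set +f
    return $rc
}
```

Run explain_portflood "$value" on the string you intend to put in csf.conf; a non-zero return means the value should not be saved. Note that a syntactically valid value can still be unusable on a given kernel, which is what /etc/csf/csftest.pl checks.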
Step 3. Installing mytop
Installing Term::ReadKey (a mytop dependency)
—–command—–
root@server # wget http://search.cpan.org/CPAN/authors/…ey-2.30.tar.gz
root@server # tar -zxf TermReadKey-2.30.tar.gz
root@server # cd TermRead*
root@server # perl Makefile.PL
root@server # make test
root@server # make
root@server # make install
—–command—–
Installing DBI
—–command—–
root@server # wget http://cpan.perl.org/modules/by-modu…I-1.616.tar.gz
root@server # tar -zxf DBI-1.616.tar.gz
root@server # cd DBI*
root@server # perl Makefile.PL
root@server # make test
root@server # make
root@server # make install
—–command—–
Installing mytop
—–command—–
root@server # wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.4.tar.gz
root@server # tar -zxf mytop-1.4.tar.gz
root@server # cd mytop*
root@server # perl Makefile.PL
root@server # make test
root@server # make
root@server # make install
—–command—–
Disabling IPv6
Add these lines to /etc/modprobe.conf (they are modprobe directives, not shell commands):
—–command—–
install ipv6 /bin/true
alias net-pf-10 off
alias ipv6 off
—–command—–
* Note: make sure that the IPv6 firewall is disabled as well:
—–command—–
root@server # chkconfig ip6tables off
—–command—–
chkrootkit install
—–command—–
root@server # cd /root/
root@server # wget http://jp.chkrootkit.org/download/chkrootkit.tar.gz
root@server # tar xvzf chkrootkit.tar.gz
root@server # cd chkrootkit-0.49
root@server # make sense
—–command—–
To run chkrootkit
At command prompt type:
—–command—–
root@server # /root/chkrootkit-0.49/chkrootkit
—–command—–
Make sure you run it on a regular basis, perhaps including it in a cron job.
Execution
I use these three commands the most.
—–command—–
root@server # ./chkrootkit
root@server # ./chkrootkit -q
root@server # ./chkrootkit -x | more
—–command—–
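The guide suggests running chkrootkit from cron. As an added example that is not part of the original guide, the wrapper below runs the quiet mode, keeps a dated log only when something was reported, and stays silent on a clean run so cron's mail is only sent when there is something to read. The function name, log layout and message wording are mine; the binary path is the one built above.

```shell
# Added example: cron wrapper for chkrootkit. Not part of the original guide;
# the function name, log directory layout and message text are my own.
# cron mails whatever a job prints, so the wrapper stays silent on a clean run
# and prints (and returns 1) only when "chkrootkit -q" reports something.

# chkrootkit_report CHKROOTKIT_CMD LOGDIR
chkrootkit_report() {
    bin=$1 logdir=$2
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "chkrootkit command '$bin' not found" >&2
        return 2
    fi
    mkdir -p "$logdir"
    log=$logdir/chkrootkit-$(date +%Y%m%d-%H%M%S).log
    # -q is quiet mode: only warnings and INFECTED lines are printed.
    # The exit status of chkrootkit is not a reliable clean/dirty signal,
    # so the decision is made on whether it printed anything at all.
    "$bin" -q > "$log" 2>&1 || :
    if [ -s "$log" ]; then
        echo "chkrootkit findings on $(hostname 2>/dev/null || echo unknown-host), kept in $log:"
        cat "$log"
        return 1
    fi
    rm -f "$log"          # clean run: nothing worth keeping
    return 0
}

# Usage on the server (then schedule the script from root's crontab,
# e.g. "0 3 * * * /root/bin/chkrootkit-report.sh"):
#   chkrootkit_report /root/chkrootkit-0.49/chkrootkit /var/log/chkrootkit
```

Compare a new report with the previous kept log before acting on it: a line that has appeared in every run since the box was built is usually a known false positive, while a line that is new is the one to investigate.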
OpenSSL Install
—–command—–
root@server # cd /usr/local/src
root@server # wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz
root@server # tar -zxf openssl-0.9.8j.tar.gz
root@server # cd openssl-0.9.8j
root@server # ./config
root@server # make
—–command—–
OpenSSH Install (built against the OpenSSL source tree above)
—–command—–
root@server # cd /usr/local/src/
root@server # wget ftp://ftp.openbsd.org/pub/OpenBSD/Op…h-5.2p1.tar.gz
root@server # tar -zxf openssh-5.2p1.tar.gz
root@server # cd openssh-5.2p1
root@server # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/src/openssl-0.9.8j --with-pam --with-libs=-ldl --without-zlib-version-check
root@server # make
root@server # make install
—–command—–
Secure SSH on cPanel
In /etc/ssh/sshd_config the relevant lines end up looking like this:
Port 43141
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Change Protocol 2,1 to Protocol 2.
Change #Port 22 to some other port and uncomment it, for example Port 1337.
Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different from the main IP of the server, and on a port other than 22.
SSH into server and login as root.
Note: You can download PuTTY by clicking here (http://www.chiark.greenend.org.uk/~s…/download.html). It is a clean running application that does not require installation on Windows boxes.
At command prompt type:
—–command—–
root@server # pico /etc/ssh/sshd_config
—–command—–
Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change
#Port 22
to look like
Port 5678
(choose your own 4 to 5 digit port number; 43151 is the highest port number, AND do not use 5678 lol)
Uncomment and change
#Protocol 2, 1
to look like
Protocol 2
Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15
(use one of the IP addresses that has been assigned to your server)
Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no
Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.
Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new nameserver.
Now restart SSH
At command prompt type:
—–command—–
root@server # /etc/rc.d/init.d/sshd restart
—–command—–
or
https://yourserver.tld:2087/scripts2…safesshrestart
Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.
Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.
After SSH has been redirected, disable telnet.
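The hand edits above are easy to get wrong (a Port line that is still commented out, or two active ListenAddress lines), and a broken sshd_config on a remote box means a lost session. As an added example that is not from the original guide, the functions below make the same four changes idempotently and then use sshd's own syntax check before restarting. The function names are mine; 43141 and 123.123.123.15 are the guide's example values.

```shell
# Added example: apply the sshd_config edits from this section safely.
# Not part of the original guide; function names are my own.

# sshd_set FILE KEY VALUE
# Rewrites the first "KEY ..." line, whether it is commented out or not, as
# "KEY VALUE"; any further lines for the same key are commented out so only
# one directive is active; the line is appended if the key is absent.
sshd_set() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[ \t]*#?[ \t]*" k "([ \t]|$)") {
                if (!done) { print k " " v; done = 1 } else { print "#" $0 }
                next
            }
            { print }' "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keeps the file's mode
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# apply_ssh_hardening FILE PORT LISTEN_IP  -- the four edits the guide makes
apply_ssh_hardening() {
    sshd_set "$1" Port "$2"
    sshd_set "$1" Protocol 2
    sshd_set "$1" ListenAddress "$3"
    sshd_set "$1" PermitRootLogin no
}

# sshd_check_and_restart  -- run as root on the server after the edited file
# is in place as /etc/ssh/sshd_config. "sshd -t" parses the config and exits
# non-zero on any error, so the running daemon is only restarted when the new
# file loads; that is what keeps you from locking yourself out.
sshd_check_and_restart() {
    if sshd -t; then
        /etc/rc.d/init.d/sshd restart
    else
        echo "sshd_config rejected by sshd -t, not restarting sshd" >&2
        return 1
    fi
}

# Usage on the server:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.new
#   apply_ssh_hardening /etc/ssh/sshd_config.new 43141 123.123.123.15
#   sshd -t -f /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
#   sshd_check_and_restart
```

Keep the current session open and confirm a fresh login on the new IP and port before closing it, and remember that the new port also has to be in CSF's TCP_IN or the firewall will drop it.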
Step 7. Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type:
—–command—–
root@server # pico -w /etc/xinetd.d/telnet
—–command—–
Change disable = no to disable = yes, then save and exit.
At command prompt type:
—–command—–
root@server # /etc/init.d/xinetd restart
—–command—–
Disable Shell Accounts
To disable any shell accounts hosted on your server, SSH into the server and login as root.
At command prompt type:
—–command—–
root@server # locate shell.php
—–command—–
Also check for:
—–command—–
root@server # locate irc
root@server # locate eggdrop
root@server # locate bnc
root@server # locate BNC
root@server # locate ptlink
root@server # locate BitchX
root@server # locate guardservices
root@server # locate psyBNC
root@server # locate .rhosts
—–command—–
Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.
Disable identification output for Apache
(do this to hide version numbers from potential attackers)
To disable the version output for Apache, SSH into the server and login as root.
At command prompt type:
—–command—–
root@server # pico /etc/httpd/conf/httpd.conf
—–command—–
Scroll (way) down and change the ServerSignature line to:
ServerSignature Off
Restart Apache
At command prompt type:
—–command—–
root@server # /etc/rc.d/init.d/httpd restart
—–command—–
SpamAssassin and Exim Reinstall
—–command—–
root@server # /scripts/perlinstaller Digest::SHA1
root@server # /scripts/perlinstaller --force Mail::SpamAssassin
root@server # /scripts/fixspamassassinfailedupdate
root@server # /scripts/updatenow
root@server # /scripts/installspam --force
root@server # /scripts/exim4 --force
root@server # /etc/rc.d/init.d/exim restart
root@server # /scripts/restartsrv spamd
root@server # /etc/rc.d/init.d/chkservd restart
—–command—–
cPanel Update
—–command—–
root@server # /scripts/upcp
—–command—–
or
—–command—–
root@server # /scripts/upcp --force
—–command—–
sysctl.conf Optimization
NOTICE: Make sure that eth0 is your primary interface; if it is not, replace eth0 with eth1 in the settings below.
—–command—–
root@server # pico -w /etc/sysctl.conf
—–command—–
Now paste the following into the file; you can overwrite the current contents.
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535
———————————————————-
After you make the changes to the file you need to run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.
The rules were taken from: http://ipsysctl-tutorial.frozentux.n…-tutorial.html
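sysctl -p applies the file from top to bottom, so a key that appears twice silently gets its last value; the file above sets net.ipv4.conf.all.log_martians more than once, which is exactly the kind of thing that is hard to spot in a long list. As an added example that is not part of the original guide, the functions below print the effective value per key, flag duplicated keys, and compare the file with what the running kernel actually has. Function names are mine.

```shell
# Added example: audit a sysctl.conf before running "sysctl -p".
# Not part of the original guide; function names are my own.

# sysctl_effective FILE -> "key value" per key, in first-seen order, last value wins
sysctl_effective() {
    awk -F= '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            key = $1
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!(key in last)) order[++n] = key
            last[key] = val
        }
        END { for (i = 1; i <= n; i++) print order[i], last[order[i]] }
    ' "$1"
}

# sysctl_duplicates FILE -> "key count" for every key set more than once; returns 1 if any
sysctl_duplicates() {
    awk -F= '
        /^[ \t]*(#|$)/ { next }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key); seen[key]++ }
        END {
            for (k in seen) if (seen[k] > 1) { print k, seen[k]; dup = 1 }
            exit dup ? 1 : 0
        }
    ' "$1"
}

# sysctl_live_diff FILE -> one line "key file=X live=Y" per key where the
# running kernel differs from the file (e.g. edited but -p not yet run, or a
# value the kernel refused). Linux only; needs the sysctl binary.
sysctl_live_diff() {
    sysctl_effective "$1" | while read -r key val; do
        live=$(sysctl -n "$key" 2>/dev/null | tr -s '[:space:]' ' ' | sed 's/ $//')
        filev=$(printf '%s' "$val" | tr -s '[:space:]' ' ')
        [ "$live" = "$filev" ] || echo "$key file=$filev live=$live"
    done
}

# Usage on the server:
#   sysctl_duplicates /etc/sysctl.conf && echo "no duplicate keys"
#   sysctl_live_diff /etc/sysctl.conf     # empty output means file and kernel agree
```

Running sysctl_live_diff after /sbin/sysctl -p is a quick way to notice a value the kernel rejected: such a key still shows the old live value while the file shows the new one.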
Secure your temp directories
Every system needs temporary folders that any user is able to read and write, BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running the script directly, it will help with a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system, but they will be unable to execute them and create the back door. One of the biggest problems is PHP injection via Apache, in which people have Apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.
This guide will work fine with cPanel, Ensim, Plesk, and of course with no control panel. It is designed for Red Hat but should work on any Linux variant.
The first step is to check if /tmp is already secure. Some datacenters do not create a /tmp partition while others do.
—–command—–
root@server # df -h |grep tmp
—–command—–
If that displays nothing, go below to create a tmp partition. If you do have a tmp partition, check whether it is mounted with noexec.
—–command—–
root@server # cat /etc/fstab |grep tmp
—–command—–
If there is a line that includes /tmp and noexec then it is already mounted as non-executable. If not, follow the instructions below to create one without having to physically format your disk. Ideally you would make a real partition when the disk was originally formatted; that being said, I have not had any trouble creating a /tmp partition using the following method.
Create a ~800 MB partition
—–command—–
root@server # cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=800000
—–command—–
Format the partition
—–command—–
root@server # mkfs.ext2 /dev/tmpMnt
—–command—–
When it asks about not being a block special device press Y
Make a backup of the old data
—–command—–
root@server # cp -Rp /tmp /tmp_backup
—–command—–
Mount the temp filesystem
—–command—–
root@server # mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
—–command—–
Set the permissions
—–command—–
root@server # chmod 0777 /tmp
—–command—–
Copy the old files back
—–command—–
root@server # cp -Rp /tmp_backup/* /tmp/
—–command—–
Once you do that, go ahead and restart MySQL and make sure it works. We do this because MySQL places mysql.sock in /tmp, which has just been replaced, so it might have trouble starting. If MySQL starts fine, add this line to the bottom of /etc/fstab so the filesystem is mounted automatically at boot:
Open the file in pico:
—–command—–
root@server # pico -w /etc/fstab
—–command—–
Now add this single line at the bottom:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0
Umount and remount /dev/shm for the changes to take effect.
—–command—–
root@server # umount /dev/shm
root@server # mount /dev/shm
—–command—–
Next delete the old /var/tmp and create a link to /tmp
—–command—–
root@server # rm -rf /var/tmp/
root@server # ln -s /tmp/ /var/
—–command—–
If everything still works fine you can go ahead and delete the /tmp_backup directory.
—–command—–
root@server # rm -rf /tmp_backup
—–command—–
Your /tmp, /var/tmp, and /dev/shm are now mounted in a way that no program can be directly run from these directories. Like I have said in other articles, there are still ways in, but this is one of the many layers of security you should have on your system.
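The earlier check (cat /etc/fstab | grep tmp) only tells you what will be mounted at the next boot; whether a file in /tmp can run right now is decided by the kernel's mount table in /proc/mounts. As an added example that is not part of the original guide, the functions below read that table (or a saved copy, for an offline check) and report every required option a mountpoint lacks. Function names are mine; /var/tmp is a symlink to /tmp after the steps above, so checking /tmp covers it.

```shell
# Added example: confirm that /tmp and /dev/shm really are mounted noexec,nosuid.
# Not part of the original guide; function names are my own.

# mount_missing_opts MOUNTS_FILE MOUNTPOINT OPT...
# Reads the kernel's mount table (normally /proc/mounts; a saved copy works
# for offline checks), prints each required OPT that MOUNTPOINT lacks and
# returns 1 if anything is missing or MOUNTPOINT is not mounted at all.
mount_missing_opts() {
    mounts=$1 mp=$2
    shift 2
    # several entries can exist for one mountpoint; the last one is the
    # one currently visible, so take the last match
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "$mp: not mounted"
        return 1
    fi
    rc=0
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$mp: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# check_tmp_dirs MOUNTS_FILE
# /var/tmp is a symlink to /tmp after the steps in the guide, so /tmp covers it.
check_tmp_dirs() {
    rc=0
    for mp in /tmp /dev/shm; do
        mount_missing_opts "$1" "$mp" noexec nosuid || rc=1
    done
    return $rc
}

# Usage on the server:
#   check_tmp_dirs /proc/mounts && echo "temp directories are noexec,nosuid"
```

Run it after the remount and again after a reboot, since a wrong fstab line only shows up the second time.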
——————————————————————————————————————-
Many actions can be automated with some bash scripting, which is pretty much necessary if you deploy cPanel/WHM installations regularly. Here are some directions one can follow.
For example, regarding CSF:
sed -i 's/TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"/TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,4949,122"/g' /etc/csf/csf.conf
sed -i 's/TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2086,2087,2089,2703"/TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2086,2087,2089,2703,4949,122"/g' /etc/csf/csf.conf
sed -i 's/IPV6 = "0"/IPV6 = "1"/g' /etc/csf/csf.conf
sed -i 's/SYSLOG_CHECK = "0"/SYSLOG_CHECK = "300"/g' /etc/csf/csf.conf
sed -i 's/FASTSTART = "0"/FASTSTART = "1"/g' /etc/csf/csf.conf
or whitelisting your monitoring systems:
echo '1.2.3.4 # hostdog monitoring' >> /etc/csf/csf.allow
This adds port 4949 (munin) and the custom SSH port 122; the list of seds can continue with other security adjustments recommended by ConfigServer, such as:
echo 'local-infile=0' >> /etc/my.cnf
sed -i 's/#UseDNS yes/UseDNS no/g' /etc/ssh/sshd_config
sed -i 's/#Port 22/Port 50022/g' /etc/ssh/sshd_config
sed -i 's/disable_functions =/disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen/g' /usr/local/lib/php.ini
Or the entries for csf.pignore that silence the usual "spamd child" process alerts (a pretty common search term); this example ignores the NFS rpcbind process:
echo '' >> /etc/csf/csf.pignore
echo '#NFS' >> /etc/csf/csf.pignore
echo 'cmd:rpcbind' >> /etc/csf/csf.pignore
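The seds above only fire when the whole default value matches exactly; on a csf.conf whose TCP_IN differs even slightly from the one in the pattern they change nothing, and csf is restarted with the old ports without any error. As an added example that is not part of the original guide (and serves the TCP_IN/TCP_OUT and CT_* settings from the CSF section as well), the functions below edit csf.conf by key instead: set a scalar value, add a port to a comma list only if it is not already there, and append a csf.allow entry only if the address is not already listed, so the script can be re-run safely. Function names are mine.

```shell
# Added example: key-based edits to csf.conf and csf.allow.
# Not part of the original guide; function names are my own.

# csf_get FILE KEY -> prints the value inside the quotes of KEY = "..."
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# csf_set FILE KEY VALUE -> rewrites KEY = "VALUE" in place; returns 1 if KEY is absent
# (csf.conf ships every key, so an absent key means a typo in KEY, not a new option)
csf_set() {
    file=$1 key=$2 value=$3
    if ! grep -q "^$key[[:space:]]*=" "$file"; then
        echo "$key not found in $file" >&2
        return 1
    fi
    sed "s|^$key[[:space:]]*=.*|$key = \"$value\"|" "$file" > "$file.tmp" \
        && cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keeps the file's mode
}

# csf_add_port FILE KEY PORT -> adds PORT to the comma list in KEY (TCP_IN, TCP_OUT, ...)
# unless it is already there, so the function can be re-run safely
csf_add_port() {
    file=$1 key=$2 port=$3
    if ! grep -q "^$key[[:space:]]*=" "$file"; then
        echo "$key not found in $file" >&2
        return 1
    fi
    current=$(csf_get "$file" "$key")
    case ",$current," in
        *",$port,"*) return 0 ;;          # already present
    esac
    if [ -z "$current" ]; then
        csf_set "$file" "$key" "$port"
    else
        csf_set "$file" "$key" "$current,$port"
    fi
}

# csf_allow FILE IP COMMENT -> appends "IP # COMMENT" to csf.allow unless IP is listed
csf_allow() {
    file=$1 ip=$2 comment=$3
    if [ -f "$file" ] && grep -Eq "^$ip([[:space:]]|$)" "$file"; then
        return 0
    fi
    printf '%s # %s\n' "$ip" "$comment" >> "$file"
}

# Usage on a real server (then reload the firewall with "csf -r"):
#   csf_set      /etc/csf/csf.conf TESTING 0
#   csf_add_port /etc/csf/csf.conf TCP_IN 4949
#   csf_add_port /etc/csf/csf.conf TCP_IN 122
#   csf_set      /etc/csf/csf.conf CT_LIMIT 200
#   csf_allow    /etc/csf/csf.allow 1.2.3.4 "hostdog monitoring"
```

Because every function fails loudly on a key it cannot find and does nothing on a value that is already in place, the same deployment script can be run on a fresh box and on one that was partly configured by hand without producing duplicate ports or duplicate allow entries.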
How To Install Cpanel With Secure All In One