Linux server security?

BillEssley · Feb 21, 2016

Hey there,

How can I make my Linux box (cPanel/WHM installed on my VPS) more secure?

Do you guys share any tips?

Thanks,

Bill

Localnode · Feb 22, 2016

A good start is installing and configuring CSF - ConfigServer Security & Firewall. Configure cPHulk Brute Force Protection. Rootkit hunter.
Changing SSH port is also another good thing. Making sure the root password is long and obscure. Securing Apache, hardening PHP... the list goes on.

This guide should help somewhat - http://www.whmsecurity.com/whm/how-to-whm-server-hardening-and-security-basics
And this one: http://www.webhostgear.com/cid_6.html

I'd highly suggest getting someone to harden it for you if this is a production environment, as asking on a forum is generally a good indication that you don't know how

Keep in mind hardening isn't a fire and forget thing - you need to update these things regularly. Whenever there is a security hole - patches are released fairly quickly - you need to keep on top of such things.

ProxyRadar · Feb 26, 2016

First of all - change your SSH port, disable services that you don't use, install all package updates, install and configure Fail2Ban, it will help you to prevent brute force attacks, analyze your web server logs on a regular basis to detect and to suppress suspicious activities.

defsec · Mar 2, 2016

http://www.whmsecurity.com/whm/how-to-whm-server-hardening-and-security-basics is good

My 2 cents:-
- Stop unwanted network services from startup
- Allow set of ips in firewall for ssh or run ssh on different port with set of ips allowed. You ISP network range /16 or /24
- Configure OUTPUT firewall chain, to only allow ESTABLISHED state traffic. Log & drop other requests. Make sure you dont lock yourself out
- grsecurity definitely helps in memory overflow exploits
- Check for overlayfs kernel module. Disable the module, if running. I recollect it is vulnerable
- Disable ssh root login. Login as normal user(UID>500/1000). Sudo to root with password
- You can checkout Duo security 2FA for ssh login
- Make sure you keep all your applications updated regularly
- Ensure that your CMS is updated regularly
- If using wordpress, consider using plugins like wordfence, succuri, 6scan, All in One WP Security & Firewall

Remember that security is a practice.

BillEssley · Mar 2, 2016

Localnode said:
A good start is installing and configuring CSF - ConfigServer Security & Firewall. Configure cPHulk Brute Force Protection. Rootkit hunter.
Changing SSH port is also another good thing. Making sure the root password is long and obscure. Securing Apache, hardening PHP... the list goes on.

I have ever not heard of this before, which ports should I allow to open and how to change SSH port?

defsec said:
My 2 cents:-
- Stop unwanted network services from startup

defsec said:
- Allow set of ips in firewall for ssh or run ssh on different port with set of ips allowed. You ISP network range /16 or /24

defsec said:
- grsecurity definitely helps in memory overflow exploits

defsec said:
- Check for overlayfs kernel module. Disable the module, if running. I recollect it is vulnerable

defsec said:
- Disable ssh root login. Login as normal user(UID>500/1000). Sudo to root with password

Too much useful info for this answer.

Can you elaborate these steps on how to do them?

AND

I read your article from your link

php.ini & disabled functions
Edit php.ini like this:

nano /usr/local/lib/php.ini

safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,
shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd

Then restart Apache

service httpd restart

Or you can edit php.ini via WHM:
WHM Service Configuration PHP Configuration Editor

IF I disabled these functions, it can affect to my CMS or OS works?

defsec · Mar 2, 2016

- Changing ssh port
/etc/ssh/sshd_config

Port 22

Restart ser
- Find running network services (either of the following commands)
ss -nlp
netstat -nlp

Stop services using
service <service_name> stop

Remove from startup using update-rc.d or chkconfig

- Allow your ISP subnet in firewall for ssh
Port scanning sometimes can reveal ssh ports. Using high port range for ssh, can also be a good idea.

- Overlayfs vulnerability can help unprivileged user to gain root access.
http://securitytracker.com/id/1034548

Ah! Ubuntu has issued a fix for 15.10/15.04 server. Overlayfs module is/was enabled by default(least on Ubuntu), which helps in merging mounts to existing directory of files.

Disable kernel module by adding "blacklist <module_name>" in /etc/modprobe.d/<name>.conf

- Disable root login
/etc/ssh/sshd_config

PermitRootLogin no

- Password sudo
Login in as any other user than root, and sudo to root, using password. Users have a bad habit of not keeping sudo password.

Edit /etc/sudoers using visudo
=> use PASSWD, instead of ALL/NOPASSWD. Refer manual.

BillEssley · Oct 6, 2016

radwebhosting said:
I recommend asking your provider to assist you with this task. Let their support team handle it.

I agree but it is difficult if I am owning an unmanaged VPS

defsec said:
Stop services using
service <service_name> stop

- Disable root login
/etc/ssh/sshd_config

Disable root login I need to switch to SSH keys to login?

It is good to stop any services but how to do know which services we should stop, it is a problem.

LJSHost · Oct 6, 2016

Everyone has made some excellent technical points. If you are unmanaged and the provider will not help with this your simplest solution is just use a good firewall like CSF or as your server has cPanel turn on cpHulk. Just taking these simple measures will help in hardening your system. Many attacks these days come from sql injection or other web based exploit.

These steps will keep you safe from brute force login attacks.
I would also suggest a malware scanner such Maldet, malware can do all sorts of nasty things compromising your system from the inside out.

Always use passwords such as 9dkfj93!kdifk

Optimidia · Oct 11, 2016

Start with making sure iptables is running well and then aadd interface like CSF. If you are not linux savvy their interface will make great suggestions as to improvements you can make in order to make your server more secure. Also take a quick look at cPanel Security Advisory option in WHM. Make sure before you do any changes that you read up on what each change does, and that you are not blocking any type of functionality that will later affect the performance or usability of your website. After that you can search for many guides on the web that will provide you with more extensive information as to setting up something like MailScanner with ClamAV and other solutions to cover aspects such as incoming/outgoing emails and uploaded files to the servers.

Linux server security?

BillEssley

Well-known member

Localnode

Well-known member

ProxyRadar

New member

defsec

New member

BillEssley

Well-known member

radwebhosting

Well-known member

defsec

New member

BillEssley

Well-known member

LJSHost

Well-known member

Optimidia

Member

Latest posts New threads

Latest posts

New threads

Latest Hosting Offers New Reviews

Latest hosting offers

Popular Contributors - Past 30 Days

Sponsors

Tag Cloud