1 :: Server Security
Users can log in to the server via SSH, and you can set an idle timeout interval to avoid unattended SSH sessions. Open sshd_config and make sure the following values are configured:
ClientAliveInterval 300
ClientAliveCountMax 0
This sets an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user is automatically kicked out (read as logged out).
For CSF you can either log in to WHM, go to Plugins and view the CSF configuration; from there select "Firewall Allow IPs", add your IP address, then save and restart. Or do it from the command line, for example:
csf -a 202.18.64.12
You can also block access to the SSH port using CSF:
1. vi /etc/csf/csf.conf
2. Remove your SSH port (e.g. 22) from the TCP_IN line, which lists the allowed incoming TCP ports.
3. csf -r
You can do this in the Host Access Control area in WHM. It's the easier way to do it and pretty straightforward to set up. Simply put the following into the WHM > Host Access Control area:
Code:
Daemon      Access List   Action   Comment
whostmgrd   YourIP        allow
whostmgrd   all           deny
What is ModSecurity?
ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache web server module, the purpose of ModSecurity is to increase web application security, protecting web applications
ModSecurity Rules
cp /usr/local/apache/conf/modsec.user.conf.default /usr/local/apache/conf/modsec.user.conf
You will then need to restart Apache for the rules to take effect. You can use the WHM built-in editor to modify the configuration.
If you want to create your own rules you will need to follow some basics. Be aware that every rule consists of 5 parameters (Title, Description, Action, Focus, Rule). At this point we do not recommend using rules other than the ones that come with cPanel, to avoid breaking your server.
Include /usr/local/apache/conf/modsec2.conf
Use the following link for more about ModSecurity options and rules:
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.5/modsecurity2-apache-reference.html#N109A9
What is CloudLinux?
CloudLinux is a commercially supported Linux operating system interchangeable with CentOS. It includes kernel-level technology called LVE that allows you to control CPU and memory on a per-tenant basis. It is the basis for application-level virtualization. CloudLinux delivers advanced resource management, better security and performance optimizations specifically targeted at multi-tenant hosting environments. This improved performance helps hosting service providers and datacenters provide better support to their customers, reduce churn and save money.
How do memory limits work?
cPanel
Plesk
HostingController
ISP Manager
InterWorx
DirectAdmin
H-Sphere
Webmin
Confixx
wget http://repo.cloudlinux.com/cloudlinux/sources/cln/cpanel2cl && sh cpanel2cl -k <activation_key> && reboot
# /scripts/easyapache --build
G :: Disable wget, find and lynx for normal users
which wget
which lynx
which find
/usr/bin/wget
/usr/bin/lynx
/usr/bin/find
groupadd xyz
Now change the group for the wget, lynx and find binaries.
Fixes
At present there are two possible fixes:
1. In .htaccess or the global httpd.conf, add SymLinksIfOwnerMatch.
2. Change permissions on config .php files (or all executable/data files) to mode 600.
Both of these have weaknesses: for #1, an attacker can often simply disable SymLinksIfOwnerMatch by overwriting .htaccess; for #2, users have to remember to secure their files, and many users will not even know this is needed.
Important point: changing permissions blocks the symlink hack in the kernel. The weakness with changing permissions is only if you leave it up to users; if you enforce restricted permissions on .php files I believe the protection is 100%.
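An added example, not from the original page, of auditing and enforcing fix #2: a shell script that lists .php files under a web root still readable by group or others, and applies mode 600 to them. The function names and the sample web root are constructed here, and it assumes PHP runs as the file owner (suPHP/CGI); under mod_php running as "nobody", mode 600 would make the files unreadable to the web server.

```shell
#!/bin/sh
# Added example (not from the original page): audit a web root for .php
# files readable by group or others, i.e. anything looser than mode 600,
# which is fix #2 above. Assumes PHP runs as the file owner (suPHP/CGI);
# under mod_php running as "nobody", mode 600 would break the site.
loose_php_files() {            # usage: loose_php_files <dir>
  find "$1" -type f -name '*.php' \( -perm -g+r -o -perm -o+r \) | sort
}

loose_php_count() {            # number of offending files, as a plain integer
  loose_php_files "$1" | wc -l | tr -d ' '
}

restrict_php_files() {         # apply mode 600 to every offending file
  find "$1" -type f -name '*.php' \( -perm -g+r -o -perm -o+r \) \
       -exec chmod 600 {} +
}

# Constructed sample web root for demonstration (not a real site).
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/site"
printf '<?php $db_pass = "example";\n' > "$SAMPLE_ROOT/site/config.php"
printf '<?php echo "hi";\n'             > "$SAMPLE_ROOT/site/index.php"
printf 'not php\n'                       > "$SAMPLE_ROOT/site/readme.txt"
chmod 644 "$SAMPLE_ROOT/site/config.php"   # world-readable: flagged
chmod 600 "$SAMPLE_ROOT/site/index.php"    # already restricted: not flagged
chmod 644 "$SAMPLE_ROOT/site/readme.txt"   # not .php: ignored

loose_php_count "$SAMPLE_ROOT"    # prints: 1
restrict_php_files "$SAMPLE_ROOT"
loose_php_count "$SAMPLE_ROOT"    # prints: 0
```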
TCPD Benefits
1. Logging - Connections that are monitored by tcpd are reported through the syslog facility.
2. Access Control - tcpd supports a simple form of access control based on pattern matching. You can even hook the execution of shell commands or scripts when a pattern matches.
3. Host Name Verification - tcpd verifies the client host name returned by the address->name DNS lookup by checking the host name and address returned by the name->address DNS lookup.
4. Spoofing Protection
How Do I Find Out If a Program Is Compiled With TCP Wrappers or Not?
To determine whether a given executable daemon /path/to/daemon supports TCP Wrappers, check the man page, or enter:
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
$ ldd /usr/sbin/sshd | grep libwrap.so
Sample Output:
Important Files
The above denies all services to all hosts unless they are permitted by entries in the allow file. For example, /etc/hosts.allow can log and reject one domain while allowing everyone else:
ALL : .crackers.com \
    : spawn (/bin/echo %a from %h attempted to access %d >> /var/log/connections.log) \
    : deny
ALL : ALL
Reject All Connections
Restrict all connections to non-public services to localhost only. Suppose sshd and ftpd are the names of the services that must be accessible remotely. Edit /etc/hosts.allow and add the following lines:
ALL: ALL
Default Log Files
TCP Wrappers does all its logging via syslog according to your /etc/syslog.conf file. The following table lists the standard locations where messages from TCP Wrappers will appear:
1. AIX - /var/adm/messages
2. HP-UX - /usr/spool/mqueue/syslog
3. Linux - /var/log/messages
4. FreeBSD / OpenBSD / NetBSD - /var/log/messages
5. Mac OS X - /var/log/system.log
6. Solaris - /var/log/syslog
Use the following commands to view logs:
# tail -f /path/to/log/file
# grep 'ip' /path/to/log/file
# egrep -i 'ip|hostname' /path/to/log/file
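An added example (not from the original page) of reading those logs: a shell script that counts TCP Wrappers refusals per daemon and client address from a syslog-style file, also picking up the lines the spawn rule above appends to /var/log/connections.log. The function name and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): summarise TCP Wrappers
# refusals from a syslog-style file. libwrap logs a refusal as
#   "<daemon>[pid]: refused connect from <host> (<address>)"
# and the spawn rule above writes "<address> from <host> attempted to
# access <daemon>" to /var/log/connections.log; both forms are handled.
# Output: one "count daemon address" line per pair, most frequent first.
refused_summary() {            # usage: refused_summary <logfile>
  awk '
    /refused connect from/ {
      for (i = 2; i <= NF; i++) if ($i == "refused") break
      daemon = $(i-1); sub(/\[.*$/, "", daemon)      # "sshd[123]:" -> "sshd"
      addr = $NF; gsub(/[()]/, "", addr)             # "(203.0.113.5)" -> address
      n[daemon " " addr]++; next
    }
    /attempted to access/ {
      n[$NF " " $1]++                                # "%a from %h attempted to access %d"
    }
    END { for (k in n) print n[k], k }
  ' "$1" | sort -k1,1nr -k2
}

# Constructed sample log lines for demonstration (not from a real server).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 10:15:01 web1 sshd[2141]: refused connect from 198.51.100.7 (198.51.100.7)
Jan 12 10:15:03 web1 sshd[2142]: refused connect from 198.51.100.7 (198.51.100.7)
Jan 12 10:15:09 web1 sshd[2150]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Jan 12 10:16:44 web1 vsftpd[2201]: refused connect from host.example.net (203.0.113.5)
198.51.100.7 from 198.51.100.7 attempted to access sshd
EOF
refused_summary "$SAMPLE_LOG"
# prints:
# 3 sshd 198.51.100.7
# 1 vsftpd 203.0.113.5
```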
If you need an SSL certificate, you can either purchase one from
(mt) Media Temple or install a third-party certificate yourself.
You can purchase a certificate from any certifying authority that
provides Apache certificates. Regardless of which provider you
choose, the basic steps for your (mt) Media Temple server are
the same.
1. Generate a CSR (certificate request).
2. Submit the CSR to your third-party certifying authority,
and fill out their requested information.
3. Receive the certificate (and any chain certificates, if
necessary) from your certifying authority.
4. Import the certificate and any chain certificates to your (mt)
Media Temple server.
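An added example (not from the original page or Media Temple's own instructions) for step 1: generating the private key and CSR with OpenSSL on the server, then confirming the CSR really belongs to that key before submitting it to the certifying authority. The hostname, paths and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): do step 1 with OpenSSL and
# check the result before submitting it. Hostname and paths are placeholders.
gen_csr() {                    # usage: gen_csr <hostname> <outdir>
  host=$1; dir=$2
  # One command makes the 2048-bit RSA key and the CSR; -nodes leaves the key
  # unencrypted so services can load it without a passphrase at start-up.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$host.key" \
      -out "$dir/$host.csr" -subj "/CN=$host" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/$host.key"   # the private key never leaves the server
}

# Prints "match" when the public key inside the CSR is the one derived from
# the private key, otherwise "mismatch"; a mismatched pair fails at install.
csr_matches_key() {            # usage: csr_matches_key <csr> <key>
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  if [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Constructed demonstration: a throw-away directory and a placeholder hostname.
WORK=$(mktemp -d)
if gen_csr example-host.invalid "$WORK"; then
  csr_matches_key "$WORK/example-host.invalid.csr" "$WORK/example-host.invalid.key"   # prints: match
  openssl req -in "$WORK/example-host.invalid.csr" -noout -subject   # what the CA will see
fi
```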
===============================
How to configure the SSL certificate on the services (http, exim, pop, imap, ftp)
Step 1: Go to /etc/ssl/certs.
Step 2: Create the file with vi *.securehostdns.com.crt, paste in the certificate and save the file.
Step 3: Create the file with vi *.securehostdns.com.csr, paste in the CSR and save the file.
Step 4: Go to /etc/ssl/private.
Step 5: Create the file *.securehostdns.com.key, paste in the private key and save the file.
Step 6: Log in to the WHM panel of the server.
Step 7: Go to Home > SSL/TLS > Install an SSL Certificate and Setup the Domain.
Step 8: Enter the SSL certificate into the first box and hit the Tab key. After hitting Tab, all information related to the CSR and public key will be displayed.
Step 9: Now enter nobody as the username and the IP of the hostname in the IP Address field.
Step 10: Now click the Submit button at the top and wait for the message that the SSL certificate was installed successfully.
Step 11: Go to Home > Service Configuration > Manage Service SSL Certificates.
Step 12: Now click the "Install new Certificate" option in front of each service, one by one. After clicking it, you will get a window to enter the certificate.
Step 13: Enter the SSL certificate into the first box and hit the Tab key. After hitting Tab, all information related to the CSR and public key will be displayed.
Step 14: Now click the Submit button at the top and wait for the message that the SSL certificate was installed successfully. After successful installation, the service will restart.
It's all done.