Results 1 to 10 of 34
-
2nd Oct 2011, 01:35 PM #1OPMember
How To: Secure and Optimize your VPS
Hi, in this thread you will be learning a few tips that help on securing your VPS and optimizing it, you don't have to execute all of the commands, only some which you might find useful for your website.
This tutorial is not fully written by me!
I hope you will enjoy reading this tutorial and find it informative, if you have any queries, issues, questions, on executing these commands or anything related to this post then don't hesitate to reply here, me and other members will be glad to help you.
=========================================
Checking for formmail
=========================================
Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.
Command to find pesky form mails:
Code:find / -name "[Ff]orm[mM]ai*"
Code:find / -name "[Cc]giemai*"
Code:chmod a-rwx /path/to/filename
(this disables all form mail)
If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.
=========================================
Root kit checker -
Code:http://www.chkrootkit.org/
Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.
To install chrootkit, SSH into server and login as root.
At command prompt type:
Code:cd /root/ wget ftp://ftp.pangeia.com .br/pub/seg/pac/chkrootkit.tar.gz tar xvzf chkrootkit.tar.gz cd chkrootkit-0.44 make sense
Code:At command prompt type: /root/chkrootkit-0.44/chkrootkit
Execution
I use these three commands the most.Code:./chkrootkit ./chkrootkit -q ./chkrootkit -x | more
=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================
If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.
Server e-mail everytime someone logs in as root
To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.
At command prompt type:
Code:pico .bash_profile
Code:echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Set an SSH Legal Message
To an SSH legal message, SSH into server and login as root.
At command prompt type:
Code:pico /etc/motd
Note: I use the following message...
Code:ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified. This system is restricted to authorized access only. All activities on this system are recorded and logged. Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies.
=========================================
Web Host manager and CPANEL mods.
=========================================
These are items inside of WHM/Cpanel that should be changed to secure your server.
Goto Server Setup =>> Tweak Settings
Check the following items...
Under Domains
Prevent users from parking/adding on common internet domains.Code:(ie hotmail.com, aol.com)
Attempt to prevent pop3 connection floods
Code:Default catch-all/default address behavior for new accounts - blackhole
Under System
Use jailshell as the default shell for all new accounts and modified accounts
Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.
Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.
Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.
Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Goto Mysql =>> MySQL Root Password
Change root password for MySQL
Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:Code:/sbin/depmod /sbin/insmod /sbin/insmod.static /sbin/modinfo /sbin/modprobe /sbin/rmmod
=========================================
More Security Measures
=========================================
These are measures that can be taken to secure your server, with SSH access.
Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.
Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.
SSH into server and login as root.
Note: You can download Putty by Clicking Here:
Code:http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
It's a clean running application that will not require installation on Windows-boxes.
At command prompt type:
Code:pico /etc/ssh/sshd_config
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678)
Uncomment and change
#Protocol 2, 1
to look like
Protocol 2
Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)
Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no
Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.
Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.
Now restart SSH
At command prompt type:
Code:/etc/rc.d/init.d/sshd restart
Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.
After SSH has been redirected, disable telnet.
Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type:
Code:pico -w /etc/xinetd.d/telnet
Save and Exit
At command prompt type:
Code:/etc/init.d/xinetd restart
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:Code:locate irc locate eggdrop locate bnc locate BNC locate ptlink locate BitchX locate guardservices locate psyBNC locate .rhosts
Code:/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg /usr/local/cpanel/etc/sym/eggdrop.sym /usr/local/cpanel/etc/sym/bnc.sym /usr/local/cpanel/etc/sym/psyBNC.sym /usr/local/cpanel/etc/sym/ptlink.sym /usr/lib/libncurses.so /usr/lib/libncurses.a etc.
(do this to hide version numbers from potentional hackers)
To disable the version output for proftp, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to
ServerSignature Off
Restart Apache
At command prompt type:
Code:/etc/rc.d/init.d/httpd restart
=========================================
Install BFD (Brute Force Detection - optional)
=========================================
To install BFD, SSH into server and login as root.
At command prompt type:Code:cd /root/ wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz tar -xvzf bfd-current.tar.gz cd bfd-0.4 ./install.sh
At command prompt type:
Code:pico /usr/local/bfd/conf.bfd
FindCode:ALERT_USR="0" and change it to ALERT_USR="1"
Code:EMAIL_USR="root" and change it to EMAIL_USR="your@email.com"
To start BFD
At command prompt type:
Code:/usr/local/sbin/bfd -s
Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.
To modify LogWatch, SSH into server and login as root.
At command prompt type:
Code:pico -w /etc/log.d/conf/logwatch.conf
Code:MailTo = root and change to Mailto = your@email.com
Now scroll down toCode:Detail = Low Change that to Medium, or High... Detail = 5 or Detail = 10
Save and exit.
A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
--------------------------------------------------
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
--------------------------------------------------
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.
--------------------------------------------------
Set Up A More Secure SSH Environment As described here.
--------------------------------------------------
Disable TelnetCode:1. Type: pico -w /etc/xinetd.d/telnet 2. Change the disable = no line to disable = yes. 3. Hit CTRL+X press y and then enter to save the file. 4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
Code:in.telnetd : ALL : severity emerg
Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:
Code:cp /etc/services /etc/services.original
On a typical CPanel system it would look something like this:Code:<?php tcpmux 1/tcp # TCP port service multiplexer echo 7/tcp echo 7/udp ftp-data 20/tcp ftp 21/tcp ssh 22/tcp # SSH Remote Login Protocol smtp 25/tcp mail domain 53/tcp # name-domain server domain 53/udp http 80/tcp www www-http # WorldWideWeb HTTP pop3 110/tcp pop-3 # POP version 3 imap 143/tcp imap2 # Interim Mail Access Proto v2 https 443/tcp # MCom smtps 465/tcp # SMTP over SSL (TLS) syslog 514/udp rndc 953/tcp # rndc control sockets (BIND 9) rndc 953/udp # rndc control sockets (BIND 9) imaps 993/tcp # IMAP over SSL pop3s 995/tcp # POP-3 over SSL cpanel 2082/tcp cpanels 2083/tcp whm 2086/tcp whms 2087/tcp webmail 2095/tcp webmails 2096/tcp mysql 3306/tcp # MySQL ?>
--------------------------------------------------
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
Logwatch can be found at:
Code:http://www.logwatch.org
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
--------------------------------------------------
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
--------------------------------------------------
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny
Code:ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com Replacing nnn.nnn.nnn.nnn with the attacker's IP address. Replacing hostname with your hostname. Replacing notify@mydomain.com with your e-mail address.
--------------------------------------------------
Check Open Ports
From time to time it's worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn't installed, it can be selected from root WHM's Install an RPM option.
--------------------------------------------------
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
--------------------------------------------------
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview.
--------------------------------------------------
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's decription of what it does:
"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "
Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.
--------------------------------------------------
Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
--------------------------------------------------
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:
Code:chmod 000 /usr/bin/perlcc chmod 000 /usr/bin/byacc chmod 000 /usr/bin/yacc chmod 000 /usr/bin/bcc chmod 000 /usr/bin/kgcc chmod 000 /usr/bin/cc chmod 000 /usr/bin/gcc chmod 000 /usr/bin/i386*cc chmod 000 /usr/bin/*c++ chmod 000 /usr/bin/*g++ chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
Code:chmod 755 /usr/bin/perlcc chmod 755 /usr/bin/byacc chmod 755 /usr/bin/yacc chmod 755 /usr/bin/bcc chmod 755 /usr/bin/kgcc chmod 755 /usr/bin/cc chmod 755 /usr/bin/gcc chmod 755 /usr/bin/i386*cc chmod 755 /usr/bin/*c++ chmod 755 /usr/bin/*g++ chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
Obfuscate The Apache Version Number
1. Type:Code:pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:
Code:ServerSignature Off
Code:ServerTokens ProductOnly
5. Restart Apache with:/etc/rc.d/init.d/httpd restart
Common Commands i use:
System Information
Code:who
Code:rwho -a
Code:finger user_name
Code:history | more
Code:pwd
Code:hostname
Code:uptime
Code:ps
Code:ps aux | more
Code:top
Code:uname -a
Code:set|more
Code:echo $PATH
Code:dmesg | less
Processor commands:
Code:kill PID
Code:killall -9 program_name
Code:xkill
[/SIZE]=========================================
MySQL Optimization
=========================================
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
Code:[mysqld] max_connections = 400 key_buffer = 16M myisam_sort_buffer_size = 32M join_buffer_size = 1M read_buffer_size = 1M sort_buffer_size = 2M table_cache = 1024 thread_cache_size = 286 interactive_timeout = 25 wait_timeout = 1000 connect_timeout = 10 max_allowed_packet = 16M max_connect_errors = 10 query_cache_limit = 1M query_cache_size = 16M query_cache_type = 1 tmp_table_size = 16M skip-innodb [mysqld_safe] open_files_limit = 8192 [mysqldump] quick max_allowed_packet = 16M [myisamchk] key_buffer = 32M sort_buffer = 32M read_buffer = 16M write_buffer = 16M
Code:http://www.interworx.com/forums/showthread.php?p=2346
Code:wget http://dll.elix.us/mytop-1.4.tar.gz tar -zxvf mytop-1.4.tar.gz cd mytop-1.4 perl Makefile.PL make make test make install
PHP & Apache Optimization
I strongly recommend installing eAccelerator. There's an easy to follow howto here:
Code:http://forum.ev1servers.net/showthread.php?t=23574&highlight=eaccelerator
For httpd.conf I suggest:
Code:Timeout 200 KeepAlive On maxKeepAliveRequests 100 KeepAliveTimeout 3 MinSpareServers 10 MaxSpareServers 20 StartServers 15 MaxClients 250 MaxRequestsPerChild 0 HostnameLookups Off
Code:ab -c 5 -n 20 somephpbasedsiteonyourserver.com/file.php
If you want to check the Apache error log, try this -->
Code:cat /usr/local/apache/logs/error_log
Code:netstat -nt | grep :80 | wc -l
Code:ps -A | grep httpd | wc -l
Code:ps -aux | grep httpd
To find the amount of MySQL processes use this command:
ps -A | grep mysql | wc -l
Code:ps -aux | grep mysql
Just simply using top (standard view) or top -c (will show the actual command being used and/or location of each process as opposed to just the name) can help you monitor your VPS usage very wel.
To see your disk space usage, try using this command:
Code:df -h
Mitigating (D)DOS
If you're being DDOS'd or DOS'd you can use this command:
Code:netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will help you see how many connections each IP address has in total to your server.
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...
Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .
cPanel Tweak Setings
Login to WHM as root, and under "Server Configuration" on the nav bar hit "Tweak Settings".
Here are some suggested settings:
Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
- Use "FAIL". If you already have some accounts setup not to use "FAIL" (by default it will not) then run this command to convert to FAIL from BLACKHOLE --> perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*
Mailman
- Mailman tends to use a lot of resources, so if you don't need cpanel mailing lists then uncheck this.
Number of minutes between mail server queue runs (default is 60).:
- You may want to set this to 180 to reduce load.
Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
- This is just generally a good idea. So check this.
Analog Stats
- I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command --> rm -rf /home/*/tmp/analog/*
Awstats Reverse Dns Resolution
- Make sure this is unchecked, I find it pretty much useless for most users.
Awstats Stats
- You can check this if you need a robust stats software that integrates with cPanel, if you don't need it, then don't check it. *Note most hosting clients will want to use this. If you want to delete the existing awstats stats files just run this command --> rm -rf /home/*/tmp/awstats/*
Webalizer Stats
- Not many hosting clients will want to use this so, you can uncheck this to reduce load. If you want to delete the existing webalizer stats files just run this command --> rm -rf /home/*/tmp/webalizer/*
Delete each domain's access logs after stats run
- Make sure this is checked, otherwise disk space usage can really rack up!
Raptile Reviewed by Raptile on . How To: Secure and Optimize your VPS Hi, in this thread you will be learning a few tips that help on securing your VPS and optimizing it, you don't have to execute all of the commands, only some which you might find useful for your website. This tutorial is not fully written by me! I hope you will enjoy reading this tutorial and find it informative, if you have any queries, issues, questions, on executing these commands or anything related to this post then don't hesitate to reply here, me and other members will be glad to help Rating: 5
-
14th Oct 2011, 06:06 PM #2OPMember
Thread has been updated, enjoy.
-
28th Nov 2011, 03:31 PM #3Member
awesome job
go
-
1st Dec 2011, 07:06 PM #4Member
Wow nice stuff here.
Thanks
-
1st Dec 2011, 07:13 PM #5Member
The thread repeats itself more or less in the middle.
Thanks
-
2nd Dec 2011, 03:31 AM #6Banned
good job, reading on
-
2nd Dec 2011, 01:38 PM #7OPMember
Enjoy..
-
4th Dec 2011, 08:02 PM #8Member
Awesome guide! Thank you very much
-
5th Dec 2011, 01:16 PM #9Member
Thank's for the guide. It's awesome. Very helpful
-
9th Dec 2011, 03:03 PM #10MemberWebsite's:
telechargementmu.com magazinemu.comawesome bro, thanks a lot
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
[Hiring] someone to optimize DLE script
By downfreak in forum Completed TransactionsReplies: 4Last Post: 25th Sep 2011, 05:31 AM -
Need Help to Optimize VPS WHM + Vbulletin 4
By blackpaper in forum Server ManagementReplies: 5Last Post: 7th Mar 2011, 07:09 AM -
Optimize or Get a new server.. ? Help
By EvilGenius in forum Technical Help Desk SupportReplies: 3Last Post: 30th Jul 2010, 07:11 AM -
How To Secure&Optimize A cPanel Server! [Full of information]
By NationWebHost in forum Technical and Security TutorialsReplies: 6Last Post: 4th Jul 2010, 10:09 PM -
HOW TO: Secure and Optimize your VPS
By Storming in forum Technical and Security TutorialsReplies: 9Last Post: 25th Nov 2009, 04:11 PM
themaLeecher - leech and manage...
Version 4.94 released. Open older version (or...