Activity Stream
48,167 MEMBERS
6995 ONLINE
besthostingforums On YouTube Subscribe to our Newsletter besthostingforums On Twitter besthostingforums On Facebook besthostingforums On facebook groups

Page 1 of 2 12 LastLast
Results 1 to 10 of 12
  1.     
    #1
    Banned
    Website's:
    CloudNXT.net

    Default Linux Hardening & Security (cP/WHM + Apache)

    This is a Leeched Tutorial Originally Written by Krun!x | QK


    Code: 
    =======================================
    |-----------:[INFO]:------------------|
    |-------------------------------------|
    | Title: "Linux Hardening & Security" |
    | Author: Krun!x | QK                 |
    =======================================
    
    Content:
    1) Intruduction
    2) cP/WHM Installation and cP/WHM Configuration
    3) The server and it's services | PHP Installation, Optimization & Security
    4) Kernel Hardening | Linux Kernel + Grsecurity Patch
    5) SSH
    6) Firewall | DDoS Protection
    7) Mod_Security
    8) Anti-Virus - ClamAV
    9) Rootkit
    10) The Rest of Shits
    
    ===================
    | 1) Intruduction |
    ===================
    
    I wrote a step by step paper how to secure linux server with cP/WHM and
    Apache installed. By default, linux is not secured enough but you have
    to understand there is no such thing as "totally secured server/system".
    The purpose of this paper is to understand how to at least provide some
    kind of security to the server. I prefer lsws web-server without any
    Control Panel at all but for this paper I have used CentOS 5 with cP/WHM
    and Apache web-server installed since a lot of hosting companies and
    individuals out there are using it.
    
    Let's start :)
    
    So, you bought the server with CentOS 5 installed. If you ordered cP/WHM together with the server you can skip 2.1 step
    
    ============================================
    | 2) cP/WHM installation and configuration |
    ============================================
    2.1) cP/WHM Installation
    To begin your installation, use the following commands into SSH:
       root@server [~]# cd /home
       root@server [/home]# wget http://layer1.cpanel.net/latest
       root@server [/home]# ./latest
    
    -----------------------------------------------------------------------------------------------------
    cd /home - Opens /home directory
    wget http://layer1.cpanel.net/latest - Fetches the latest installation file from the cPanel servers.
    ./latest - Opens and runs the installation files.
    ------------------------------------------------------------------------------------------------------
    
    cP/WHM should be installed now. You should be able to access cP via
    http://serverip:2082(SSL-2083) or http://serverip/cpanel and WHM via
    http://serverip:2086(SSL-2087) or http://serverip/whm. Let's configure
    it now.
    
    2.2) cP/WHM Configuration
    Login to WHM using root username/passwd
    http://serverip:2086 or http://serverip/whm
    
    WHM - Server setup - Tweak Security:
    -------------------------------------
    Enable open_basedir protection
    Disable Compilers for all accounts(except root)
    Enable Shell Bomb/memory Protection
    Enable cPHulk Brute Force Protection
    
    WHM - Account Functions:
    -------------------------
     Disable cPanel Demo Mode
     Disable shell access for all accounts(except root)
    
    WHM - Service Configuration - FTP Configuration:
    -------------------------------------------------
     Disable anonymous FTP access
    
    WHM - MySQL:
    -------------
     Set some MySQL password(Don't set the same password like for the root access)
    -If you didn't set MySQL password someone will be able to login into the DB with
    username "root" without password and delete/edit/download any db on the server.
    
    WHM - Service Configuration - Apache Configuration - PHP and SuExec Configuration
    --------------------
     Enable suEXEC - suEXEC = On
    When PHP runs as an Apache Module it executes as the user/group of the
    webserver which is usually "nobody" or "apache". suEXEC changes this so
    scripts are run as a CGI. Than means scripts are executed as the user
    that created them. With suEXEC script permissions can't be set to
    777(read/write/execute at user/group/world level)
    
    ===============================================================================
    | 3) The server and it's services | PHP Installation, Optimization & Security |
    ===============================================================================
    
    3.1) Keep all services and scripts up to date and make sure that you running the latest secured version.
    On CentOS type this into SSH to upgrade/update services on the server.
    [root@server ~]# yum upgrade
    or
    [root@server ~]# yum update
    
    3.2) PHP installation/update, configuration and optimization + Suhosin patch
    First download what you need, type the following into SSH:
    root@server [~]# cd /root
    root@server [~]# wget http://www.php.net/get/php-5.2.9.tar.bz2/from/this/mirror
    root@server [~]# wget http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz
    root@server [~]# wget http://download.suhosin.org/suhosin-0.9.27.tgz
    
    Untar PHP:
    root@server [~]# tar xvjf php-5.2.9.tar.bz2
    
    Patch the source:
    root@server [~]# gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0
    
    Configure the source. If you want to use the same config as you used for
    the last php build it's not a problem but you will have to add:
    enable-suhosin to old config. To get an old config type this into SSH:
    root@server [~]# php -i | grep ./configure
    
    root@server [~]# cd php-5.2.9
    root@server [~/php-5.2.9]# ./configure --enable-suhosin + old config(add old config you got from "php -i | grep ./configure" here)
    root@server [~/php-5.2.9]# make
    root@server [~/php-5.2.9]# make install
    
    Note: If you get an error like make: command not found or patch: Command
    not found, you will have to install "make" and "patch". It can be done
    easly. Just type this into SSH:
    root@server [~]# yum install make
    root@server [~]# yum install patch
    
    Now check is everything as you want. Upload php script like this on the server:
    <?php
    phpinfo();
    ?>
    And open it via your browser and you will see your PHP configuration there.
    
    3.3) Suhosin
    We will install Suhosin now, it's an advanced protection system for PHP.
    root@server [~]# tar zxvf suhosin-0.9.27.tgz
    root@server [~]# cd suhosin-0.9.27
    root@server [~/suhosin-0.9.27]# phpize
    root@server [~/suhosin-0.9.27]# ./configure
    root@server [~/suhosin-0.9.27]# make
    root@server [~/suhosin-0.9.27]# make install
    
    After you installed suhosin you will get something like this: It's installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
    
    Now edit your php.ini. If you don't know where php.ini located is, type this into SSH.
    root@server [~]# php -i | grep php.ini
    Configuration File (php.ini) Path => /usr/local/lib
    Loaded Configuration File => /usr/local/lib/php.ini
    
    It means you have to edit /usr/local/lib/php.ini
    Type into SHH:
    root@server [~]# nano /usr/local/lib/php.ini
    If you get an error, nano: Command not found, then:
    root@server [~]# yum install nano
    
    Find "extension_dir =" and add:
    extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
    To save it, CTRL + O and press the enter button on your keyboard.
    
    3.4) Zend Optimizer:
    Download Zend Optimizer from http://www.zend.com/store/products/zend-optimizer.php
    root@server [~]# tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
    root@server [~]# cd ZendOptimizer-3.3.3-linux-glibc23-i386
    root@server [~/ZendOptimizer-3.3.3-linux-glibc23-i386]# ./install.sh
       Welcome to Zend Optimizer installation..... - Press Enter button
       Zend licence agreement...                   - Press Enter button
       Do you accept the terms of this licence...  - Yes, press Enter button
       Location of Zend Optimizer...               - /usr/local/Zend, press Enter button
       Confirm the location of your php.ini file...- /usr/local/lib, press Enter button
       Are you using Apache web-server..           - Yes, press Enter button
       Specify the full path to the Apache control utility(apachectl)...-/usr/local/apache/bin/apachectl, press Enter button
       The installation has completed seccessfully...- Press Enter button
    
    Now restart apache, type this into SSH:
    root@server [~]# service httpd restart
    
    3.5) php.ini & disabled functions
    Edit php.ini like this:
    root@server [~]# nano /usr/local/lib/php.ini
    ------------------------------------------------------------
    safe_mode = On
    expose_php = Off
    Enable_dl= Off
    magic_quotes = On
    register_globals = off
    display errors = off
    disable_functions = system, show_source, symlink, exec, dl,
    shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd
    -------------------------------------------------------------
    
    root@server [~]# service httpd restart
    
    Or you can edit php.ini via WHM:
    WHM - Service Configuration - PHP Configuration Editor
    
    =========================================================
    | 4) Kernel Hardening | Linux Kernel + Grsecurity Patch |
    =========================================================
    
    Description : grsecurity is an innovative approach to security utilizing
    a multi-layered detection, prevention, and containment model. It is
    licensed under the GPL. It offers among many other features:
     -An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your   
      entire system with no configuration
     -Change root (chroot) hardening
     -/tmp race prevention
     -Extensive auditing
     -Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
     -Prevention of arbitrary code execution in the kernel
     -Randomization of the stack, library, and heap bases
     -Kernel stack base randomization
     -Protection against exploitable null-pointer dereference bugs in the kernel
     -Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
     -A restriction that allows a user to only view his/her processes
     -Security alerts and audits that contain the IP address of the person causing the alert
    
    Downloading and patching kernel with grsecurity
    root@server [~]# cd /root
    root@server [~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.gz
    root@server [~]# wget http://www.grsecurity.com/test/grsecurity-2.1.12-2.6.26.5-200809141715.patch
    root@server [~]# tar xzvf linux-2.6.26.5.tar.gz
    root@server [~]# patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch
    root@server [~]# mv linux-2.6.26.5 linux-2.6.26.5-grsec
    root@server [~]# ln -s linux-2.6.26.5-grsec/ linux
    root@server [~/linux]# cd linux
    root@server [~/linux]# cp /boot/config-`uname -r` .config
    root@server [~/linux]# make oldconfig
    
    Compile the Kernel:
    root@server [~/linux]# make bzImage
    root@server [~/linux]# make modules
    root@server [~/linux]# make modules_install
    root@server [~/linux]# make install
    
    Check your grub loader config, and make sure default is 0
    root@server [~/linux]# nano /boot/grub/grub.conf
    
    Reboot the server
    root@server [~/linux]# reboot
    
    ==========
    | 5) SSH |
    ==========
    
    In order to change SSH port and protocol you will have to edit sshd_config
    root@server [~]# nano /etc/ssh/sshd_config
    
    Change Protocol 2,1 to Protocol 2
    Change #Port 22 to some other port and uncomment it
    Like, Port 1337
    
    There is a lot of script kiddiez with brute forcers and they will try to crack our ssh pass because they know username is root, port is 22
    But we were smarter, we have changed SSH port :)
    Also, their "brute forcing" can increase server load, which means our sites(hosted on that server) will be slower.
    
    SSH Legal Message
    edit /etc/motd, write in motd something like this:
    "ALERT! That is a secured area. Your IP is logged. Administrator has been notified"
    
    When someone logins into SSH he will see that message:
    ALERT! That is a secured area. Your IP is logged. Administrator has been notified
    
    If you want to recieve an email every time when someone logins into SSH as root, edit .bash_profile(It's located in /root directory) and put this at the end of file:
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" mail@something.com
    
    And at the end restart SSH, type "service sshd restart" into SSH
    
    =================================
    | 6) Firewall | DDoS Protection |
    =================================
    
    6.1) Firewall, CSF Installation
    root@server [~]# wget http://www.configserver.com/free/csf.tgz
    root@server [~]# tar -xzf csf.tgz
    root@server [~]# cd csf
    
    In order to install csf your server needs to have some ipt modules
    enabled. csftest is a perl script and it comes with csf. You can check
    those mudules with it.
    root@server [~/csf]# ./csftest.pl
    The output should be like this:
    
    root@server [~/csf]# ./csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing ipt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    
    Don't worry if you don't have all those mudules enabled, csf will work if
    you didn't get any FATAL errors at the end of the output.
    
    Now, get to installation
    root@server [~/csf]# ./install.sh
    
    You will have to edit csf.conf file. It's located here:
    /etc/csf/csf.conf
    
    You need to edit it like this:
    Testing = "0"
    
    And you need to configure open ports in csf.conf or you won't be able to
    access these ports. In most cases it should be configured like this if
    you are using cP/WHM. If you are running something on some other port
    you will have to enable it here. If you changed SSH port you will have
    to add a new port here:
    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"
    
    6.2) CSF Connection Limit
    There is in csf.conf CT option, configure it like this
    CT_LIMIT = "200"
    It means every IP with more than 200 connections is going to be blocked.
    CT_PERMANENT = "1"
    IP will blocked permanenty
    CT_BLOCK_TIME = "1800"
    IP will be blocked 1800 secs(1800 secs = 30 mins)
    CT_INTERVAL = "60"
    Set this to the the number of seconds between connection tracking scans.
    
    After csf.conf editing you need to restart csf
    root@server [~# service csf restart
    
    6.3) SYN Cookies
    Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:
    -----------------------------------
    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    -----------------------------------
    
    root@server [~/]# service network restart
    
    6.4) CSF as security testing tool
    CSF has an option "Server Security Check". Go to WHM - Plugins - CSF -
    Test Server Security. You will see additional steps how to secure the
    server even more. I'm writing only about most important things here and
    I covered most of them in the paper but if you want you can follow steps
    provided by CSF to get the server even more secured.
    
    6.5) Mod_Evasive
    ModEvasive module for apache offers protection against DDoS (denial of service attacks) on your server. 
    
    To install it login into SSH and type:
    
    ---------------------------------------------------------------------------------
    root@server [~]# cd /root/
    root@server [~]# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
    root@server [~]# tar zxf mode_evasive-1.10.1.tar.gz
    root@server [~]# cd mod_evasive
    
    then type...
    root@server [~/mod_evasive]# /usr/sbin/apxs -cia mod_evasive20.c
    ---------------------------------------------------------------------------------
    
    When mod_evasive is  installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)
    
    --------------------------------
    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    </IfModule>
    --------------------------------
    
    6.6) Random things:
    csf -d IP - Block an IP with CSF
    csf -dr IP - Unblock an IP with CSF
    csf -s - Start firewall rules
    csf -f - Flush/stop firewall rules
    csf -r - Restart firewall rules
    csf -x - Disable CSF
    csf -e - Enable CSF
    csf -c - Check for updates
    csf -h - Show help screen
    
    -Block an IP via iptables
    iptables -A INPUT -s IP -j DROP
    
    -Unblock an IP via iptables
    iptables -A INPUT -s IP -j ACCEPT
    
    -See how many IP addresses are connected to the server and how many connections has each of them.
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
    
    ===================
    | 7) Mod_Security |
    ===================
    
    Mod_Security is a web application firewall and he can help us to secure our sites against RFI, LFI, XSS, SQL Injection etc
    
    If you use cP/WHM you can easly enable Mod_security in WHM - Plugins - Enable Mod_Security and save
    
    Now I will explain how to install Mod_security from source.
    You can't install Mod_Security if you don't have libxml2 and http-devel libraries. 
    Also, you need to enable mod_unique_id in apache modules, but don't worry, I will explain how to do it :)
    
    Login into SSH and type...
    
    root@server [~]# yum install libxml2 libxml2-devel httpd-devel
    
    libxml2 libxml2-devel httpd-devel should be installed now
    
    then you need to edit httpd.conf file, you can find it here:
    root@server [~]# nano /etc/httpd/conf/httpd.conf
    
    You need to add this in your httpd.conf file
    LoadModule unique_id_module modules/mod_unique_id.so
    
    Now download the latest version of mod_security for apache2 from http://www.modsecurity.org
    
    login into SSH and type...
    
    root@server [~]# cd /root/
    root@server [~]# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
    root@server [~]# tar zxf modsecurity-apache_2.5.6.tar.gz
    root@server [~]# cd modsecurity-apache_2.5.6
    root@server [~/modsecurity-apache_2.5.6]# cd apache2
    
    then type:
    root@server [~/modsecurity-apache_2.5.6/apache2]#  ./configure
    root@server [~/modsecurity-apache_2.5.6/apache2]# make
    root@server [~/modsecurity-apache_2.5.6/apache2]# make install
    
    Go at the end of httpd.conf and place an include for our config/rules file...
    Include /etc/httpd/conf/modsecurity.conf
    
    ---------------------------------------------------------
    # /etc/httpd/conf/httpd.conf
    
    LoadModule unique_id_module modules/mod_unique_id.so
    LoadFile /usr/lib/libxml2.so
    LoadModule security2_module modules/mod_security2.so
    Include /etc/httpd/conf/modsecurity.conf
    ---------------------------------------------------------
    
    You need to find a good rules for Mod_Security. You can find them at
    official Mod_Security site. Also, give a try to gotroot.com rules. When
    you find a good rules, just put them in /etc/httpd/conf/modsecurity.conf
    
    And restart httpd at the end, type "service httpd restart" into SSH.
    
    ==========================
    | 8) Anti-Virus - ClamAV |
    ==========================
    
    You need AV protection to protect the server against worms and trojans
    invading your mailbox and files! Just install clamav (a free open source
    antivirus software for linux). More information can be found on clamav.
    website - http://www.clamav.net
    
    In order to install CLamAV login into SSH and type
    
    root@server [~]# yum install clamav
    
    Once you have installed clamav for your CentOS, here are some basic commands you will need:
    
    Update the antivirus database
    root@server [~]# freshclam
    
    Run antivirus
    root@server [~]# clamscan -r /home
    
    Running as Cron Daily Job
    To run antivirus as a cron job (automatically scan daily) just run
    crontab -e from your command line. Then add the following line and save
    the file.
    @daily root clamscan -R /home
    
    It means clamav will be scanning /home directory every day. You can change the folder to whatever you want to scan.
    
    
    ==============
    | 9) Rootkit |
    ==============
    
    Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools. 
    This tool scans for rootkits, backdoors and local exploits by running tests like:
     -MD5 hash compare
     -Look for default files used by rootkits
     -Wrong file permissions for binaries
     -Look for suspected strings in LKM and KLD modules
     -Look for hidden files
     -Optional scan within plaintext and binary files
    
    Instalation:
    
    Login into SSH and type
    
    root@server [~]# cd /root/
    root@server [~]# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
    root@server [~]# tar -zxvf rkhunter-1.2.7.tar.gz
    root@server [~]# cd rkhunter
    root@server [~rkhunter]# ./installer.sh
    
    Scan the server with rkhunter
    root@server [~]# rkhunter -c
    
    =========================
    | 10) The Rest of Shits |
    =========================
    
    10.1) Random suggestions
    
    If you use bind DNS server then we need to edit named.conf file
    named.conf is located here: /etc/named.conf
    
    and add
    recursion no; under Options
    ----------------------------
    Options{
    recursion no;
    ----------------------------
    
    Now restart bind, type into SSH
    root@server [~]# service named restart
    
    This will prevent lookups from dnstools.com and similar services and reduce server load
    
    In order to prevent IP spoofing, you need to edit host.conf file like this:
    This file is located here: /etc/host.conf
    Add that in host.conf
    ------------------
    order bind,hosts
    nospoof on
    ------------------
    
    Hide the Apache version number:
    
    edit httpd.conf (/etc/httpd/conf/httpd.conf)
    -----------------------
    ServerSignature Off
    -----------------------
    
    10.2) Passwords
    Don't use the same password you are using for the server on some other places.
    When the Datacenter contacts you via e-mail or phone, always request
    more informations. Remember, someone alse could contact you to get some
    information or even root passwords.
    
    10.3) Random thoughts
    No matter what you need to secure the server, don't think you are safe
    only because you are not personally involved in any shits with
    "hackers". When you are hosting hacking/warez related sites you are the
    target. There is no such thing as totally secured server. Most important
    things are backups, make sure you will always have an "up-to-date"
    offsite backups ^^
    
    Anyhow, this is the end of my paper, I hope it will help you to get some
    kind of security to your server.
    
    -Krun!x
    Original Link
    Code: 
    http://www.milw0rm.com/papers/346
    EnCiPh3r Reviewed by EnCiPh3r on . Linux Hardening & Security (cP/WHM + Apache) This is a Leeched Tutorial Originally Written by Krun!x | QK ======================================= |-----------::------------------| |-------------------------------------| | Title: "Linux Hardening & Security" | | Author: Krun!x | QK | ======================================= Rating: 5

  2.   Sponsored Links

  3.     
    #2
    Banned
    Great tut for those who are new to this stuff.

  4.     
    #3
    mmm mmm!
    Thx for sharing.
    HATERS GONNA probably bring up some valid points considering I am an ignorant little twat so far up my own ass that i blame my problems on everyone and if you criticize me you're automatically wrong.

  5.     
    #4
    Member
    Nice guide, Thanks

  6.     
    #5
    Member
    can any one use it and test this tutorial ? and please check the information are correct which proving in this tutorial ?

  7.     
    #6
    Member
    old thread bumped

  8.     
    #7
    Member
    Here you can check out the most used linux commands .

  9.     
    #8
    Member
    Good guide for some beginners , nice one.

  10.     
    #9
    Member
    Damn... time is passing by so fast, that paper was published somewhere in 2009...

  11.     
    #10
    Member
    Quote Originally Posted by Jason View Post
    Damn... time is passing by so fast, that paper was published somewhere in 2009...
    Yeah, late 2009 or so.
    KnownSRV.com - Quality comes at a price, and we provide it at affordable prices.
    PayPal, Skrill(MoneyBookers), Payza(AlertPay), 2CheckOut and LibertyReserve accepted!

Page 1 of 2 12 LastLast

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Total Linux Hardening in 1 min
    By Ifirst in forum Technical and Security Tutorials
    Replies: 0
    Last Post: 16th Oct 2012, 04:17 AM
  2. Apache 2.2.x security tricks (CentOS)
    By NewEraCracker in forum Technical and Security Tutorials
    Replies: 14
    Last Post: 29th Jun 2012, 08:01 AM
  3. Need help regarding Apache Linux PHP and Perl?
    By Mind Trainer in forum Web Application/Script Support
    Replies: 0
    Last Post: 11th Apr 2012, 02:28 AM
  4. Replies: 10
    Last Post: 22nd Jan 2012, 03:59 PM
  5. Linux Hardening & Security[cP/WHM + Apache]
    By Krun!x in forum Technical and Security Tutorials
    Replies: 5
    Last Post: 22nd Jul 2009, 01:05 AM

Tags for this Thread

BE SOCIAL