Need help securing and optimizing a VPS.


Well securing at least if someone could possibly help me with that. I'm flat out broke and I need to move off my current web space since I can't pay, remembered I had credit with another host for a VPS so I'm going to be moving my site there for the time being and hope things get better in the next month.

It's a semi-managed cPanel host, I already have ConfigServer Security and Firewall installed with CSF/LFD. I tried updating Apache and PHP with EasyApache but it's complaining the packages or package manager is broke. CSF lists many security issues that need to be addressed, and I'm not familiar with Linux.

I'm broke, so I don't have money to pay but I will offer my gratitude and thanks to whoever can help and maybe Paypal a payment at a later date if I have the money. I have less than five or six days to be off of my current host, so I can't wait very long for someone to offer to help.

Thanks. :)

Link to comment
Share on other sites

Okay I took care of most of it, but I have the following left when I check server security in CSF:


/tmp should be mounted as a separate filesystem with the noexec,nosuid options set



Due to a bug in logrotate if /tmp is mounted with the noexec option, you need to have logrotate use a different temporary directory. If you don't do this syslog may not restart correctly and will write to the wrong (older) log files. See here for a way to do this



/var/tmp should either be symlinked to /tmp or mounted as a filesystem



You are running a legacy version of MySQL (v..) and should consider upgrading to v5.* as recommended by MySQL



syslogd appears to be running, but not klogd which logs kernel firewall messages to syslog. You should ensure that klogd is running



For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication



The root account should have a forwarder set so that you receive essential email from your server



You are running a legacy version of apache (v2.0.63) and should consider upgrading to v2.2.* as recommended by the Apache developers



Microsoft Frontpage Extensions were EOL in 2006 and there is no support for bugs or security issues. For this reason, it should be considered a security risk to continue using them. You should rebuild apache through easyapache and deselect the option to build them



You should install the mod_security apache module during the easyapache build process to help prevent exploitation of vulnerable web scripts, together with a set of SecFilters



Unable to examine PHP settings due to an error in the output from: /usr/local/bin/php -i



Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this



You should disable this option after use. WHM > Tweak Settings > Disable login with root or reseller password into the users' cPanel interface



On most servers xfs is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:


service xfs stop


chkconfig xfs off



On most servers gpm is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:


service gpm stop


chkconfig gpm off



On most servers saslauthd is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:


service saslauthd stop


chkconfig saslauthd off




The errors in bold I can solve myself if I can fix the issue with the packages/package manager when using EasyApache.

The italicized errors are errors I either don't know how to fix or am having trouble finding. I tried looking for the following option under WHM > Tweak Settings but it doesn't seem to be worded as it is shown in CSF:

You should disable this option after use. WHM > Tweak Settings > Disable login with root or reseller password into the users' cPanel interface

Link to comment
Share on other sites

CSF is just basic security and you should not assume your system is secure based on CSF. There is more to it, as CSF reports just an average 10% of system security. You will also find it very difficult to get the system fully secure and optimized for free.


ip_conntrack_ftp kernel module



Read here:

http://kb.parallels.com/en/746

/var/tmp should either be symlinked to /tmp or mounted as a filesystem


Open:

/etc/fstab



Open the existing line and make it show the following:


none /tmp tmpfs nodev,nosuid,noexec 0 0



Then restart the machine.

You should disable this option after use. WHM > Tweak Settings > Disable login with root or reseller password into the users' cPanel interface

This is not an option in CP 11.28 - Wait for the next CSF release.


syslogd appears to be running, but not klogd which logs kernel firewall messages to syslog. You should ensure that klogd is running

Run this command:

service syslog restart



or

/etc/rc.d/init.d/syslog restart




The root account should have a forwarder set so that you receive essential email from your server

WHM > Server Contacts > Change System Mail Preferences. You will have an option to specify the email ID which will have the root's mail.

Link to comment
Share on other sites
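
An added example, not part of any post in this thread: a shell check for the two CSF findings about /tmp and /var/tmp. It reads a table in /etc/fstab or /proc/mounts layout, so the edited fstab line can be validated before the reboot and the live mounts afterwards. The function names are this example's own, and the sample input is the fstab line quoted in the reply above.

```shell
# Added example: check /tmp and /var/tmp against the CSF findings quoted above.
# Input layout (fstab and /proc/mounts): device mountpoint fstype options dump pass

# Print the options of the last entry for a mount point (later mounts shadow earlier ones).
mount_opts() {      # $1 = table file, $2 = mount point
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { o = $4 } END { if (o != "") print o }' "$1"
}

# Succeed if $2 is one of the comma-separated options in $1.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# /tmp must be its own filesystem and carry both noexec and nosuid.
check_tmp() {       # $1 = table file
    opts=$(mount_opts "$1" /tmp)
    if [ -z "$opts" ]; then
        echo "FAIL: /tmp is not a separate filesystem"
        return 1
    fi
    rc=0
    for want in noexec nosuid; do
        if ! has_opt "$opts" "$want"; then
            echo "FAIL: /tmp is mounted without $want ($opts)"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: /tmp options: $opts"; fi
    return "$rc"
}

# /var/tmp must be a symlink to /tmp or a mount of its own.
check_var_tmp() {   # $1 = table file, $2 = path to inspect (/var/tmp on a live system)
    if [ -L "$2" ] && [ "$(readlink "$2")" = "/tmp" ]; then
        echo "OK: $2 is a symlink to /tmp"
    elif [ -n "$(mount_opts "$1" /var/tmp)" ]; then
        echo "OK: /var/tmp is a separate filesystem"
    else
        echo "FAIL: /var/tmp is neither a symlink to /tmp nor a mount"
        return 1
    fi
}

# Constructed sample: the fstab line from the reply, checked before rebooting.
sample=$(mktemp)
printf '%s\n' 'none /tmp tmpfs nodev,nosuid,noexec 0 0' > "$sample"
check_tmp "$sample" || true
rm -f "$sample"
```

After the reboot, run `check_tmp /proc/mounts` and `check_var_tmp /proc/mounts /var/tmp` to confirm the options actually took effect on the running system.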

Okay thanks.

I am also going to implement other security measures as well. I presume I don't need brute force protection since cPanel has cPHulk brute force protection which should take care of brute forcing cPanel and SSH.

I got at least 75% - 85% of it taken care of so far. Any suggestions for what else I should do to secure the VPS? Do I need to install a rootkit scanner or install another firewall, or is CSF sufficient as a firewall solution?

When I run the command for the following, it says these can't be found so I'm not sure how to disable them:

On most servers xfs is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:


service xfs stop


chkconfig xfs off



On most servers gpm is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:


service gpm stop


chkconfig gpm off



On most servers saslauthd is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:


service saslauthd stop


chkconfig saslauthd off


Link to comment
Share on other sites

If you do everything CSF asks you will secure your server around 12%, and cPanel cPHulk is not worth even enabling, it's horrible.

CSF will do exactly as it says but there is much more to security than that, mostly hardening of Apache.

You need CHKRootKit, RootKit Hunter, BFD, sysctl.conf hardening, Root Logger, TMP directory hardening, nsswitch.conf hardening, Mod_Security with GotRoot rules and much more, but those mentioned are a must at first.

Never rely on CSF, and you need to be secure in case the firewall or LFD stops for some random reason; then your other scripts are there to back it up.

Link to comment
Share on other sites

Wow, I didn't think there was so much to securing and hardening a VPS. I don't think I can do all that in less than five days, especially since I don't know much about Linux other than testing Ubuntu once in a while. I have less than five days before my current host gives me the boot for non-payment and only have the VPS. :(

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
