Gabriel Petrelli Posted December 5, 2010 Share Posted December 5, 2010 Well securing at least if someone could possibly help me with that. I'm flat out broke and I need to move off my current web space since I can't pay, remembered I had credit with another host for a VPS so I'm going to be moving my site there for the time being and hope things get better in the next month. It's a semi-managed Cpanel host, I already have ConfigServer Security and Firewall installed with CSF/LFD. I tried updating Apache and PHP with EasyApache but it's complaining the packages or package manager is broke. CSF lists many security issues that need to be addressed, and I'm not familiar with Linux. I'm broke, so I don't have money to pay but I will offer my gratitude and thanks to whoever can help and maybe Paypal a payment at a later date if I have the money. I have less than five or six days to be off of my current host, so I can't wait very long for someone to offer to help. Thanks. :) Link to comment Share on other sites More sharing options...
Gabriel Petrelli Posted December 5, 2010 Author Share Posted December 5, 2010 Okay I took care of most of it, but I have the following left when I check server security in CSF: /tmp should be mounted as a separate filesystem with the noexec,nosuid options set Due to a bug in logrotate if /tmp is mounted with the noexec option, you need to have logrotate use a different temporary directory. If you don't do this syslog may not restart correctly and will write to the wrong (older) log files. See [u]here[/u] for a way to do this /var/tmp should either be symlinked to /tmp or mounted as a filesystem You are running a legacy version of MySQL (v..) and should consider upgrading to v5.* as recommended by MySQL syslogd appears to be running, but not klogd which logs kernel firewall messages to syslog. You should ensure that klogd is running For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication The root account should have a forwarder set so that you receive essential email from your server You are running a legacy version of apache (v2.0.63) and should consider upgrading to v2.2.* as recommended by the Apache developers Microsoft Frontpage Extensions were EOL in 2006 and there is no support for bugs or security issues. For this reason, it should be considered a security risk to continue using them. You should rebuild apache through easyapache and deselect the option to build them You should install the mod_security apache module during the easyapache build process to help prevent exploitation of vulnerable web scripts, together with a set of SecFilters Unable to examine PHP settings due to an error in the output from: /usr/local/bin/php -i Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. See the csf readme.txt under 'A note about FTP Connection Issues' on how to do this You should disable this option after use. WHM > [u]Tweak Settings[/u] > Disable login with root or reseller password into the users' cPanel interface On most servers xfs is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: service xfs stop chkconfig xfs off On most servers gpm is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: service gpm stop chkconfig gpm off On most servers saslauthd is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: service saslauthd stop chkconfig saslauthd off The errors in bold I can solve myself if I can fix the issue with the packages/package manager when using EasyApache. The italicized errors are errors I either don't know how to fix or am having trouble finding. I tried looking for the following option under WHM > Tweak Settings but it doesn't seem to be worded as it is shown in CSF:You should disable this option after use. WHM > [u]Tweak Settings[/u] > Disable login with root or reseller password into the users' cPanel interface Link to comment Share on other sites More sharing options...
Gary. Posted December 5, 2010 Share Posted December 5, 2010 CSF is just Basic security and you should no assume your system is secure based on CSF, There is more to it as CSF reports just an averge 10% of system security. You will also find it very difficuly to get the system fully secure and optimized for free. ip_conntrack_ftp kernel module Read here:http://kb.parallels.com/en/746 /var/tmp should either be symlinked to /tmp or mounted as a filesystem Open: /etc/fstab Open the existing line and make it show the following: none /tmp tmpfs nodev,nosuid,noexec 0 0 Then restart the Machine:You should disable this option after use. WHM > Tweak Settings > Disable login with root or reseller password into the users' cPanel interface This is not an option in CP 11.28 - Wait for the next CSF release. syslogd appears to be running, but not klogd which logs kernel firewall messages to syslog. You should ensure that klogd is running Run this command:service syslog restart or /etc/rc.d/init.d/syslog restartThe root account should have a forwarder set so that you receive essential email from your serverWHM > Server Contacts > Change System Mail Preferences, You will have a option to specify the email ID which will have the root's mail. Link to comment Share on other sites More sharing options...
Gabriel Petrelli Posted December 5, 2010 Author Share Posted December 5, 2010 Okay thanks. I am also going to implement other security measures as well. I presume I don't need brute force protection since Cpanel has Cphulk brute force protection which should take care of brute forcing Cpanel and SSH. I got at least 75% - 85% of it taken care of so far. Any suggestions for what else I should do to secure the VPS? Do I need to install a rootkit scanner or install another firewall, or is CSF sufficient as a firewall solution? When I run the command for the following, it says these can't be found so I'm not sure how to disable them:On most servers xfs is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: service xfs stop chkconfig xfs off On most servers gpm is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: service gpm stop chkconfig gpm off On most servers saslauthd is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: service saslauthd stop chkconfig saslauthd off Link to comment Share on other sites More sharing options...
Gary. Posted December 5, 2010 Share Posted December 5, 2010 If you do everything CSF asks you will secure your server around 12% and cPanel cphulk is not worth even enabling, Its horrible. CSF will do exactly as it says but there is much more to security than that, Mostly hardening of apache. You need CHKRootKit, RootKit Hunter, BFD , sysctl.conf hardening, Root Logger, TMP Directory hardening, nsswitch.conf Hardening, Mod_Security with GotRoot rules and much more but those mentioned are a must at first. Never reply on CSF and you need to be secure incase the Firewall or LFD stops for some random reason then your other scripts are there to back it up. Link to comment Share on other sites More sharing options...
Gabriel Petrelli Posted December 5, 2010 Author Share Posted December 5, 2010 Wow, I didn't think there was so much to securing and hardening a VPS. I don't think I can do all that in less than five days, especially since I don't know much about Linux other than testing Ubuntu once in a while. I have less than five days before my current host gives me the boot for non payment and only have the vps. :( Link to comment Share on other sites More sharing options...
Gary. Posted December 6, 2010 Share Posted December 6, 2010 You do not need it all, Just a suggestion ! But you know that the more popular the website is the more you will get the odd "script kiddie" lurching about. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.