请前往 模块插件 激活 UI Manage 然后刷新
webtechhost

Account Center

Support

  1. Home
  2. Knowledgebase
  3. Commonly tutorials
  4. Harden and Secure a Linux/cPanel Server
Login
Knowledgebase

Harden and Secure a Linux/cPanel Server

Here I am describing some easier steps to secure a Linux based server. So of the steps are applicable only for cPanel installed servers.

1.)chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits

cd /usr/local/src
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar -xzf chkrootkit.tar.gz
cd chkrootkit-0.50
make sense
./chkrootkit
cd ..

Adding program to daily cron job
===============================
You can add a cron entry for running chkrootkit automatically and send a scan report to your mail address.
Create and add the following entries to “/etc/cron.daily/chkrootkit.sh”

#!/bin/sh
(
/usr/local/chkrootkit/chkrootkit
) | /bin/mail -s ‘CHROOTKIT Daily Run (ServerName)’ your@email.com
chmod +x /etc/cron.daily/chkrootkit.sh


2.)RootKit Hunter – A tool which scans for backdoors and malicious softwares present in the server.
cd /usr/local/src
wget http://downloads.sourceforge.net/projec ... 4.2.tar.gz
tar -zxvf rkhunter*
cd rkhunter*
./installer.sh --install
rkhunter --check
log : /var/log/rkhunter.log

To update it
=========
rkhunter --update
rkhunter --propupd
=========

How to setup a daily scan report
================================
pico /etc/cron.daily/rkhunter.sh

set crontab to scan and email the report

#!/bin/sh
(
/usr/local/bin/rkhunter –versioncheck
/usr/local/bin/rkhunter –update
/usr/local/bin/rkhunter –cronjob –report-warnings-only
) | /bin/mail -s ‘rkhunter Daily Run (PutYourServerNameHere)’ your@email.com
chmod +x /etc/cron.daily/rkhunter.sh


3.) APF or CSF – A policy based iptables firewall system used for the easy configuration of iptables rules.
APF or CSF – A policy based iptables firewall system used for the easy configuration of iptables rules.

CSF
================
cd /usr/local/src
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
echo "CSF successfully installed!"
When your configuration is complete, you need to set the following in /etc/csf/csf.conf to disable “TESTING” mode and enable your firewall:
TESTING = “1?
to
TESTING = “0?

csf -r
===============

APF
===============
cd /usr/local
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf*
./install.sh

in config file 

Change the value of USE_AD to
USE_AD=”1?

Change the Value of DEVEL_MODE to
DEVEL_MODE=”1?

Save and quit.
chkconfig –del apf
apf -s
If there are no issues and the firewall gets flushed every five minutes,
You can get into the conf file and edit the value of 
DEVEL_MODE="1? 
that is, change it to 
DEVEL_MODE=”0?
===============

sample
TCP_CPORTS=”21,22,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096,3306,5666,3000_3500?

4.) Brute Force Detection – BFD is a shell script for parsing applicable logs and checking for authentication failures and blocks the attackers ip in the firewall


cd /usr/local/src
wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd*
./install.sh

echo -e "Please enter your email:"
read email
echo "You entered: $email"
echo "ALERT_USR="1"" >> /usr/local/bfd/conf.bfd
echo "EMAIL_USR="$email"" >> /usr/local/bfd/conf.bfd
echo "Brute Force Detection has been installed!"
echo "Email would be sent to $email"
/usr/local/sbin/bfd -s

5.) SSH Securing – For a better security of ssh connections.
Disabling Root Login and changing the listening port .

1.create a user for ssh like sshadminz
2.give the user wheel privilage through Whm
3.in /etc/ssh/sshd_config change the entry PermitRootLogin to no
4.in /etc/ssh/sshd_config change the entry #Port to Port xxxx (needed port,make sure that port is open in csf/iprules)
5.restart the sshd service

>ssh sshadmin@***.***.***.*** -p xxxx

Setting an SSH Legal Message          

The message is contained within the following file: /etc/motd

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

6.) Host.conf Hardening –Prevents IP spoofing and dns poisoning

The host.conf file resides in /etc/host.conf. 
order bind,hosts
multi on
nospoof on

7.) Sysctl.conf Hardening – Prevents syn-flood attacks and other network abuses.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps

  • 0 Users Found This Useful
  • Was this answer helpful?

    Related Articles

    How to change the display language on Windows Server 2012 R2 and Windows Server 2016

    If you want to change the display language the following guide will help you to perform this on...

    How to check Server hack and exim spamming issues

    I am hereby providing some commands to have a basic checking on a server hack issue.  This will...

    How to Install CSF in a cPanel server

    What is CSF?CSF or Config server firewall is a firewall for Linux operating system. CSF has many...

    How do I connect to my VPS/Dedicated server? (SSH) (Linux)

    We recommend the program PuTTY for SSH. You can download it here:...

    FFmpeg Installation on a cPanel Server

    What is FFmpeg?FFmpeg is a very fast video and audio converter. It can also convert between...