Below are some basic guidelines for setting up new hosting servers. This is only a starting point and you should know what you are doing; otherwise it is highly advisable to have an expert set up and secure the server:
Synopsis:
-
Scan server with tools such as netstat, nmap, nessus etc...
Disable services not required.
Remove packages not required.
Update all other packages.
Secure Incoming and Outgoing ports.
Move SSH to a different port and disable direct root login.
Enable Antidos and BruteForce Detection.
Scan for rootkits and setup daily reporting.
Secure tmp and tmpfs.
Secure binaries, paths and profiles.
Secure Apache and PHP, and configure them to expose minimal information about the applications used.
Secure FTP via a TLS/SSL connection.
...
-
Setup server hostname and point DNS A record to the IP.
Plesk setup:
-
Change the 'Full hostname' field at 'Plesk CP'->'Server'->'Server preferences' page. Plesk will update its database and all needed configuration files such as /etc/hosts, /etc/sysconfig/network, /var/qmail/control/me, etc...
Cpanel setup:
-
Run `/usr/local/cpanel/cpkeyclt` after updating the hostname to regenerate a valid key for cpanel.
Note: Stop apf before running cpkeyclt.
Plesk setup:
-
Log in to the Plesk control panel and set the admin contact email address for the server, which should update "/var/qmail/alias/.qmail-root".
Either add the hostname (FQDN) to the qmail control "locals" file or to the "virtualdomains" file, both located in "/var/qmail/control/".
Cpanel setup:
-
Log in to cPanel -> Server Contacts -> Change System Mail Preferences.
Direct nobody and cpanel email to root, and root's email to admin.
-
Proftpd is configured to use TLS/SSL and requires a client with TLS/SSL support for a secure connection. With "TLSRequired off" plain FTP logins are still accepted; set it to "on" once every client supports TLS.
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol TLSv1
    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off
    # Server's certificate
    TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
    TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem
    # CA the server trusts
    #TLSCACertificateFile /etc/pki/tls/proftpd/root.cert.pem
    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off
    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations. Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
</IfModule>
Generate the self-signed certificate and key (valid for 10 years) referenced above:
# openssl req -new -x509 -days 3650 -nodes -out server.cert.pem -keyout server.key.pem
Cpanel setup:
-
Log in to cPanel -> Service Configuration -> FTP Configuration.
Plesk setup:
-
Remove unused Plesk modules through the Plesk GUI:
-
Acronis True Image Server Management
Battlefield 1942 Server Manager
Battlefield 2 Server Manager
Counter-Strike Game Server
Firewall -- if using a custom firewall.
Remote Admin for SiteBuilder3
Samba Fileserver Configuration
Virtual Private Networking
-
Only use protocol 2.
Disable direct root login.
Change the port number.
Reduce LoginGraceTime to 20 seconds.
Set MaxStartups to 10:30:60.
Only allow certain users SSH access with "AllowUsers".
Only allow certain users "su" privileges via PAM.
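A quick audit of an sshd_config against the checklist above, added here as an example (not part of the original post). sshd_value, expect and audit_sshd are hypothetical helper names; the sample config is constructed inline.

```shell
#!/bin/sh
# Added example: audit sshd_config against the SSH checklist. Findings go to
# stderr; the number of findings is printed to stdout.

# Effective value of a keyword (first uncommented match, lower-cased since sshd
# treats keywords case-insensitively) or "unset" when it does not appear.
sshd_value() {  # $1 config file, $2 keyword
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# Print a finding when a keyword differs from its expected value.
expect() {  # $1 file, $2 keyword, $3 expected, $4 reason
    actual=$(sshd_value "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL $2=$actual (want $3): $4" >&2
    return 1
}

audit_sshd() {  # $1 config file
    f=$1; fails=0
    expect "$f" Protocol 2 "only use protocol 2"                     || fails=$((fails + 1))
    expect "$f" PermitRootLogin no "disable direct root login"        || fails=$((fails + 1))
    expect "$f" LoginGraceTime 20 "reduce LoginGraceTime to 20 s"     || fails=$((fails + 1))
    expect "$f" MaxStartups 10:30:60 "limit unauthenticated sessions" || fails=$((fails + 1))
    # sshd defaults to port 22 when Port is absent, so "unset" is a finding too
    port=$(sshd_value "$f" Port)
    if [ "$port" = "22" ] || [ "$port" = "unset" ]; then
        echo "FAIL Port=$port: move SSH off port 22" >&2; fails=$((fails + 1))
    fi
    # any non-empty AllowUsers list is acceptable; its absence is the finding
    if [ "$(sshd_value "$f" AllowUsers)" = "unset" ]; then
        echo "FAIL AllowUsers unset: restrict SSH to named users" >&2; fails=$((fails + 1))
    fi
    echo "$fails"
}

# Constructed sample with four deviations (Port, PermitRootLogin, LoginGraceTime,
# AllowUsers). Against a live host run: audit_sshd /etc/ssh/sshd_config
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Protocol 2
#Port 22
PermitRootLogin yes
LoginGraceTime 2m
MaxStartups 10:30:60
EOF
echo "findings: $(audit_sshd "$SAMPLE")"
```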
Antidos setup:
-
Edit "/etc/apf/conf.apf":
    USE_AD="1"

    LP_KLOG="1"
    USR_ALERT="1"
    USR="root"

Cron entry (runs the Antidos check every two minutes as root):
    # Antidos
    */2 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
Cpanel setup:
-
Below are the ingress and egress ports for cPanel:
    IG_TCP_CPORTS="21,22,23,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096"
    IG_UDP_CPORTS="53"
    EG_TCP_CPORTS="21,25,43,80,443"
    EG_UDP_CPORTS="20,21,53"

    20    ftp          tcp       inbound/outbound
    21    ftp          tcp,udp   inbound/outbound
    22    ssh          tcp       inbound
    25    smtp         tcp       inbound/outbound
    26    smtp         tcp       inbound/outbound
    37    rdate        tcp       outbound
    43    whois        tcp       outbound
    53    DNS          tcp/udp   inbound/outbound
          (inbound is only needed if you run your own public DNS server)
    80    http         tcp       inbound/outbound
    110   pop3         tcp       inbound
    113   ident        tcp       outbound
    143   imap4        tcp       inbound
    443   https        tcp       inbound
    465   smtp tls/ssl tcp/udp   inbound/outbound
    873   rsync        tcp/udp   outbound
    993   imap4 ssl    tcp       inbound
    995   pop3 ssl     tcp       inbound
    2077  webdav       tcp/udp   inbound/outbound
    2078  webdav ssl   tcp/udp   inbound/outbound
    2082  cpanel       tcp       inbound
    2083  cpanel ssl   tcp       inbound
    2086  whm          tcp       inbound
    2087  whm ssl      tcp       inbound
    2089  cp licence   tcp       outbound
    2095  Webmail      tcp       inbound
    2096  Webmail SSL  tcp       inbound
    3306  mysql        tcp       (only if you need to connect remotely)
    6666  chat         tcp       inbound
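Before applying a port list, compare it with what the host actually listens on. The example below is added here and is not part of the original post; it feeds constructed "netstat -ltn" output and the cPanel IG_TCP_CPORTS list above to two hypothetical helpers, unexpected_listeners and allowed_but_closed.

```shell
#!/bin/sh
# Added example: reconcile listening TCP sockets with an APF ingress allow list.

# The cPanel ingress list from above.
IG_TCP_CPORTS="21,22,23,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096"

# Constructed "netstat -ltn" output; the Local Address column is field 4.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 :::6666                 :::*                    LISTEN'

# Ports bound to a non-loopback address that the ingress list does not allow:
# either services to disable/remove, or rules that must be added deliberately.
unexpected_listeners() {  # $1 netstat text, $2 comma-separated allow list
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)     # address before it (v4 or v6)
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print port
        }'
}

# Allowed ports with no listener behind them: dead firewall rules worth removing.
allowed_but_closed() {  # $1 netstat text, $2 comma-separated allow list
    printf '%s\n' "$1" | awk -v allow="$2" '
        $1 ~ /^tcp/ && $NF == "LISTEN" { p = $4; sub(/.*:/, "", p); open[p] = 1 }
        END { n = split(allow, a, ","); for (i = 1; i <= n; i++) if (!(a[i] in open)) print a[i] }'
}

echo "listening but not allowed:"; unexpected_listeners "$NETSTAT_SAMPLE" "$IG_TCP_CPORTS"
echo "allowed but nothing listening:"; allowed_but_closed "$NETSTAT_SAMPLE" "$IG_TCP_CPORTS"
```

On a live host replace NETSTAT_SAMPLE with the output of netstat -ltn. Port 23 is in the IG_TCP_CPORTS line above but absent from the port table, and shows up here as a dead rule; entries like it are candidates for removal.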
Plesk Setup:
-
Open the common inbound and outbound ports.
    IG_TCP_CPORTS="21,25,53,80,110,143,443,465,993,995,2022,8443"
    IG_UDP_CPORTS="53"
    EG_TCP_CPORTS="21,25,53,80,443,43,465"
    EG_UDP_CPORTS="20,21,53"

    HELPER_SSH_PORT="2022"

    # Plesk key update
    # need to be able to connect to ka.swsoft.com
    out:d=5224:d=64.131.90.38
-
Integrated with APF.
Daily scan report.
    USR_ALERT="1"
    USR="root"
-
Edit rkhunter.conf to whitelist certain hidden directories and files as needed:
    ALLOWHIDDENDIR=/dev/.udev
    ALLOWHIDDENFILE=/etc/.pwd.lock

Daily cron script that updates rkhunter and mails only warnings (--rwo) to root. The subject must be double-quoted so the hostname is expanded rather than mailed literally:
    #!/bin/sh
    (
        /usr/bin/rkhunter --versioncheck --update
        /usr/bin/rkhunter --cronjob --rwo
    ) | /bin/mail -s "rkhunter Daily Run on $(hostname)" root
-
Secure "/tmp" and "/var/tmp" by mounting them from a loopback file with noexec,nosuid,nodev:
    #!/bin/bash
    # secure_tmp.sh -- run as root; builds a ~300 MB ext3 image and mounts it on /tmp
    # backing file for the loopback filesystem (300000 x 1 KiB blocks)
    dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=300000
    /sbin/mke2fs -j /dev/tmpMnt
    # stop services that keep files open in /tmp before swapping it out
    service httpd stop
    service mysqld stop
    service postgresql stop
    service spamassassin stop
    cp -a /tmp /tmp.orig
    mount -o loop,noexec,nosuid,nodev,rw /dev/tmpMnt /tmp
    chmod 1777 /tmp
    # restore the previous contents (the "/." form also copies dotfiles),
    # then make /var/tmp a symlink to /tmp
    cp -a /tmp.orig/. /tmp
    cp -a /var/tmp/. /tmp
    rm -rf /var/tmp
    ln -s /tmp /var/tmp
    service spamassassin start
    service postgresql start
    service mysqld start
    service httpd start
    # make the mount persistent across reboots
    echo "/dev/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0" >> /etc/fstab
    mount -o remount /tmp

Give /dev/shm the same mount options in /etc/fstab:
    tmpfs /dev/shm tmpfs noexec,nosuid,nodev 0 0
-
Add the below binaries too to "sec_bin" in the "/usr/local/les/opt.dat" file:
    /usr/bin/lwp-download
    /usr/bin/GET
    /usr/bin/curl

Script applying the les hardening for binaries, paths and profiles:
    #!/bin/bash
    # les
    /usr/local/sbin/les --secure-bin 1 >> /dev/null 2>&1
    /usr/local/sbin/les --secure-path 1 >> /dev/null 2>&1
    /usr/local/sbin/les --secure-prof 1 >> /dev/null 2>&1
-
Services not normally required on a hosting server (disable them):
gpm -- mouse
mdmonitor -- monitor RAID devices
netfs -- nfs, samba etc...
autofs -- automount, nfs, usb, cd etc...
kudzu -- detect new hardware
restorecond -- monitor SELinux file context
mcstrans -- mandatory access control SELinux translation
Plesk setup:
-
Exclude the kernel from yum updates (/etc/yum.conf):
    exclude=kernel*

yum-updatesd configuration (daily check, hourly metadata refresh, report by email to root):
    run_interval = 86400
    updaterefresh = 3600
    emit_via = email
    dbus_listener = no
    email_to = root
    email_from = root
httpd.conf settings; ServerTokens Prod and ServerSignature Off hide version information from clients:
    Timeout 60
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 5
    StartServers 3
    MinSpareServers 3
    MaxSpareServers 8
    MaxClients 50
    MaxRequestsPerChild 512
    ServerTokens Prod
    HostnameLookups Off
    ServerSignature Off
-
These php.ini settings may need to be relaxed for some applications.
    ; compress data
    output_handler = ob_gzhandler
    ; problematic php functions
    disable_functions = "phpinfo,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"
    ; Disable URLs for file handling functions
    allow_url_fopen = Off
    ; Disable globals
    register_globals = Off
    ; Restrict access to environment variables
    safe_mode_allowed_env_vars = PHP_
    ; Max script execution time
    max_execution_time = 30
    ; Max time spent parsing inputs
    max_input_time = 60
    ; Max memory size used by one script
    memory_limit = 16M
    ; Max upload file size
    upload_max_filesize = 2M
    ; Max post size
    post_max_size = 8M
    ; Do not show errors on screen
    display_errors = Off
    ; Log errors to log file
    log_errors = On
    ; Hide presence of PHP
    expose_php = Off
Create the mysqld.slow.log file and set its SELinux context to match /var/lib/mysql:
    # touch /var/log/mysqld.slow.log
    # chcon --reference=/var/lib/mysql /var/log/mysqld.slow.log

cPanel setup:
-
InnoDB is needed by Horde.
Comment out "#basedir=/var/lib" under mysql.server
(not necessary in 11) "pid-file=/var/lib/mysql/{FQDN
(not necessary in 11, as it auto-picks up the hostname)
Note: If changing hostnames, stop mysql first, or kill all mysql pids and start mysql manually. Comment out "#err-log=/var/log/mysqld.log"
cPanel setup:
-
phpize is located at /usr/local/bin/phpize
php.ini is located at /usr/local/lib/php.ini
Install:
    # export PHP_PREFIX="/usr/local"
    # $PHP_PREFIX/bin/phpize
    # ./configure --enable-eaccelerator=shared --with-php-config=$PHP_PREFIX/bin/php-config
    # make
    # make install

Add to php.ini:
    zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20020429/eaccelerator.so"
    eaccelerator.shm_size = "0"
    eaccelerator.cache_dir = "/var/cache/eaccelerator"
    eaccelerator.enable = "1"
    eaccelerator.optimizer = "1"
    eaccelerator.debug = 0
    eaccelerator.log_file = "/var/log/httpd/eaccelerator_log"
    eaccelerator.name_space = ""
    eaccelerator.check_mtime = "1"
    eaccelerator.filter = ""
    eaccelerator.shm_max = "0"
    eaccelerator.shm_ttl = "3600"
    eaccelerator.shm_prune_period = "0"
    eaccelerator.shm_only = "0"
    eaccelerator.compress = "1"
    eaccelerator.compress_level = "9"
    eaccelerator.keys = "shm_and_disk"
    eaccelerator.sessions = "shm_and_disk"
    eaccelerator.content = "shm_and_disk"
    eaccelerator.allowed_admin_path = "/var/www/html/eaccelerator/index.php"

Create the cache directory and the control page:
    # mkdir /var/cache/eaccelerator
    # chown nobody:nobody /var/cache/eaccelerator
    # mkdir /var/www/html/eaccelerator
    # cp control.php /var/www/html/eaccelerator/index.php

Add an Include line for eaccelerator.conf to httpd.conf:
    Include /etc/httpd/conf.d/eaccelerator.conf

Restrict the control page by source IP and/or password. Note that the require inside <Limit GET> applies to GET only; other methods are covered solely by the IP allow list:
    Alias /eaccelerator /var/www/html/eaccelerator
    <Location /eaccelerator>
        Order deny,allow
        Deny from all
        Allow from localhost
        # Allow from .example.com
        Allow from xx.xx.xx.xx
        # Basic Authentication
        AuthUserFile /var/www/.htpasswd
        AuthGroupFile /var/www/.htgroup
        AuthName "Protected"
        AuthType Basic
        <Limit GET>
            require group administrator
        </Limit>
        # "satisfy any" - prompt for a password for anyone whose IP is not listed in Allow.
        # "satisfy all" - visitors need an IP listed in Allow AND a valid user/pass.
        satisfy any
    </Location>
cPanel setup:
-
Add an Include line to httpd.conf after installing mrtg:
    Include /etc/httpd/conf.d/mrtg.conf
Install and setup SIM.
Install and setup awstats/webalizer.
Install and setup SPRI.
Install and setup PRM -- setup email notification.
Stop open recursion in bind:
NOTE: If using bind-chroot, the named.conf is located at "/var/named/chroot/etc/named.c
Add to the options block, allowing recursion only from the main IP, secondary IP and localhost:
    options {
        ...
        allow-recursion { 127.0.0.1; xx.xx.xx.xx; xx.xx.xx.xx; };
    };
cPanel setup:
-
Edit /etc/named.conf and add the below lines just below the options:
    logging {
        category notify { null; };
        category lame-servers { null; };
    };
- sandip's blog