LinuxWebLog.com

Below are some basic guidelines on setting up new hosting servers. This is only a point of reference to begin with and you should know what you are doing, else it is highly advisable to get an expert to work on setting up and securing the server:

Synopsis:

• Scan server with tools such as netstat, nmap, nessus etc...
  
• Disable services not required.
  
• Remove packages not required.
  
• Update all other packages.
  
• Secure Incoming and Outgoing ports.
  
• Move SSH to a different port and disable direct root login.
  
• Enable Antidos and BruteForce Detection.
  
• Scan for rootkits and setup daily reporting.
  
• Secure tmp and tmpfs.
  
• Secure binaries, paths and profiles.
  
• Secure Apache and PHP, and cofigure to expose minimum info about the applications used.
  
• Secure Ftp via TLS/SSL connection.
  
• ...

1. Setup server hostname and point DNS A record to the IP.

   Plesk setup:

   • Change the 'Full hostname' field at 'Plesk CP'->'Server'->'Server preferences' page. Plesk will update it's database and all needed configuration files such as /etc/hosts, /etc/sysconfig/network, /var/qmail/control/me, etc...

   Cpanel setup:

   • Run `/usr/local/cpanel/cpkeyclt` after updating the hostname to regenerate a valid key for cpanel.
     Note: Stop apf before running cpkeyclt.
2. Setup servers root email alias.

   Plesk setup:

   • Login to plesk control panel and set the admin contact email address for the server which should update "/var/qmail/alias/.qmail-root" file and add an alias for root.
     
   • Either add the hostname (FQDN) to the qmail control locals file or to the virtualdomains file located in "/var/qmail/control/".

   Cpanel setup:

   • Login to cpanel -> Server Contacts -> Change System Mail Preferences.
     
   • Direct nobody and cpanel email to root and roots email to admin.

3. Secure FTP with TLS/SSL:
   • Proftpd is configured to use TLS/SSL and requires a client with tls/ssl support for secure connection.
     
         <IfModule mod_tls.c>
    &nbsp;   TLSEngine on
    &nbsp;   TLSLog /var/log/proftpd/tls.log
    &nbsp;   TLSProtocol TLSv1

    &nbsp;   # Are clients required to use FTP over TLS when talking to this server?
    &nbsp;   TLSRequired off

    &nbsp;   # Server's certificate
    &nbsp;   TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
    &nbsp;   TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem

    &nbsp;   # CA the server trusts
    &nbsp;   #TLSCACertificateFile /etc/pki/tls/proftpd/root.cert.pem

    &nbsp;   # Authenticate clients that want to use FTP over TLS?
    &nbsp;   TLSVerifyClient off

    &nbsp;   # Allow SSL/TLS renegotiations when the client requests them, but
    &nbsp;   # do not force the renegotations.  Some clients do not support
    &nbsp;   # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    &nbsp;   # clients will close the data connection, or there will be a timeout
    &nbsp;   # on an idle data connection.
    &nbsp;   TLSRenegotiate required off
    </IfModule>
   
   • Generate self-signed cert and key via:
     
               # openssl req -new -x509 -days 3650 -nodes -out server.cert.pem -keyout server.key.pem
         
4. Turn off anonymous ftp:

   Cpanel setup:

   • Login to Cpanel -> Service Configuration -> FTP Configuration.
5. Remove unnecessary modules:

   Plesk setup:

   • Remove unused Plesk modules through the plesk GUI
     1. Acronis True Image Server Management
        
     2. Battlefield 1942 Server Manager
        
     3. Battlefield 2 Server Manager
        
     4. Counter-Strike Game Server
        
     5. Firewall -- if using a custom firewall.
        
     6. Remote Admin for SiteBuilder3
        
     7. Samba Fileserver Configuration
        
     8. Virtual Private Networking
   • Update Plesk to latest version using the plesk GUI (only select those components which are installed)
6. Secure SSH:
   • Only use protocol 2.
     
   • Disable direct root login.
     
   • Change port#.
     
   • Reduce LoginGraceTime to 20 seconds.
     
   • Set MaxStartups to 10:30:60 .
     
   • Only allow certain users with SSH rights with "AllowUsers".
     
   • Only allow certain users to "su" privileges with pam.
7. Install and setup APF with Antidos.

   Antidos setup:

   • Edit "/etc/apf/conf.apf"
     
             USE_AD="1"
       
   • Edit "/etc/apf/ad/conf.antidos"
     
             LP_KLOG="1"
        USR_ALERT="1"
        USR="root"
       
   • Add to "/etc/crontab"
     
             # Antidos
        */2 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
       

   Cpanel setup:

   • Below are the Ingress and Egress ports for cpanel:
     
             IG_TCP_CPORTS="21,22,23,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096"
        IG_UDP_CPORTS="53"r />        EG_TCP_CPORTS="21,25,43,80,443"
        EG_UDP_CPORTS="20,21,53"
       
   • port specifics:
     
             20 ftp tcp inbound/outbound
        21 ftp tcp,udp inbound/outbound
        22 ssh tcp inbound
        25 smtp tcp inbound/outbound
        26 smtp tcp inbound/outbound
        37 rdate tcp outbound
        43 whois tcp outbound
        53 DNS tcp/udp inbound/outbound
        (inbound is only needed if you run your own public DNS server)
        80 http tcp inbound/outbound
        110 pop3 tcp inbound
        113 ident tcp outbound
        143 imap4 tcp inbound
        443 https tcp inbound
        465 smtp tls/ssl tcp/udp inbound/outbound
        873 rsync tcp/udp outbound
        993 imap4 ssl tcp inbound
        995 pop3 ssl tcp inbound
        2077 webdav tcp/udp inbound/outbound
        2078 webdav ssl tcp/udp inbound/outbound
        2082 cpanel tcp inbound
        2083 cpanel ssl tcp inbound
        2086 whm tcp inbound
        2087 whm ssl tcp inbound
        2089 cp licence tcp outbound
        2095 Webmail tcp inbound
        2096 Webmail SSL tcp inbound
        3306 mysql tcp (only if you need to connect remotely)
        6666 chat tcp inbound
       

   Plesk Setup:

   • Open the common inbound and outboud ports.
     
             IG_TCP_CPORTS="21,25,53,80,110,143,443,465,993,995,2022,8443"
        IG_UDP_CPORTS="53"r />        EG_TCP_CPORTS="21,25,53,80,443,43,465"
        EG_UDP_CPORTS="20,21,53"
       
   • Change ssh helper port:
     
             HELPER_SSH_PORT="2022"
       
   • Allow for plesk key updates in allow_hosts.rules:
     
             # Plesk key update
        # need to be able to connect to ka.swsoft.com
        out:d=5224:d=64.131.90.38
       
8. Install and setup BFD.
   • Integrated with APF.
     
   • Daily scan report.
     
             USR_ALERT="1"
        USR="root"
       
9. Install and setup rkhunter for daily reporting.
   • Edit rkhunter.conf to allow for certain hidden directories and files as needed:
     
             ALLOWHIDDENDIR=/dev/.udev
        ALLOWHIDDENFILE=/etc/.pwd.lock
       
   • Edit cronjob at /etc/cron.daily/01-rkhunter to do version checking and database update.
     
             #!/bin/sh
        (
        /usr/bin/rkhunter --versioncheck --update
        /usr/bin/rkhunter --cronjob --rwo
        ) | /bin/mail -s 'rkhunter Daily Run on `hostname`' root
      
10. Secure tmp and tmpfs mounts:
    • Secure "/tmp", "/var/tmp".
      
                #!/bin/bash
          # secure_tmp.sh
          dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=300000
          /sbin/mke2fs -j /dev/tmpMnt
          service httpd stop
          service mysqld stop
          service postgresql stop
          service spamassassin stop
          cp -a /tmp /tmp.orig
          mount -o loop,noexec,nosuid,nodev,rw /dev/tmpMnt /tmp
          chmod 1777 /tmp
          cp -a /tmp.orig/* /tmp
          cp -a /var/tmp/* /tmp
          rm -rf /var/tmp
          ln -s /tmp /var/tmp
          service spamassassin start
          service postgresql start
          service mysqld start
          service httpd start
          echo "/dev/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0" >> /etc/fstab
          mount -o remount /tmp
         
    • Secure /dev/shm with noexec and nosuid mount option in "/etc/fstab".
      
                tmpfs /dev/shm tmpfs noexec,nosuid,nodev 0 0
         
11. Secure paths, binaries and profiles with LES:
    • Add the below binaries too to "sec_bin" in "/usr/local/les/opt.dat" file.
      
                /usr/bin/lwp-download
          /usr/bin/GET
          /usr/bin/curl
        
    • Add daily cron to secure environments.
      
                #!/bin/bash
          # les
          /usr/local/sbin/les --secure-bin 1 >> /dev/null 2>&1
          /usr/local/sbin/les --secure-path 1 >> /dev/null 2>&1
          /usr/local/sbin/les --secure-prof 1 >> /dev/null 2>&1
         
12. Disable package service not needed via `chkconfig {package_name} off`
    • gpm -- mouse
      
    • mdmonitor -- monitor raid devices
      
    • netfs -- nfs, samba etc...
      
    • autofs -- automount, nfs, usb, cd etc...
      
    • kudzu -- detect new hardware
      
    • restorecond -- monitor selinux file context
      
    • mcstrans -- mandatory access control selinux translation
13. Yum update and configs:

    Plesk setup:

    • Exclude kernel for yum updates (/etc/yum.conf).
      
                  exclude=kernel*
           
    • Set yum-updatesd (/etc/yum/yum-updatesd.conf) to check only once per 24hrs and send an email for notification:
      
                  run_interval = 86400
            updaterefresh = 3600
            emit_via = email
            dbus_listener = no
            email_to = root
            email_from = root
           
    • Do a yum update of all packages.
14. Setup httpd.conf and optimize.
    
    Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

StartServers       3
MinSpareServers    3
MaxSpareServers   8
MaxClients       50
MaxRequestsPerChild  512

ServerTokens Prod
HostnameLookups Off
ServerSignature Off
15. Setup/Secure php.ini and optimize.
    • PHP Configurations may need to be adjusted if some lax is required.
          ; compress data
    output_handler = ob_gzhandler
    ; problematic php variables
    disable_functions = "phpinfo,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"
    ; Disable URLs for file handling functions
    allow_url_fopen = Off
    ; Disable globals
    register_globals = Off
    ; Restrict access to environment variables
    safe_mode_allowed_env_vars = PHP_
    ; Max script execution time
    max_execution_time = 30
    ; Max time spent parsing inputs
    max_input_time = 60
    ; Max memory size used by one script
    memory_limit = 16M
    ; Max upload file size
    upload_max_filesize = 2M
    ; Max post size
    post_max_size = 8M
    ; Do not show errors on screen
    display_errors = Off
    ; Log errors to log file
    log_errors = On
    ; Hide presence of PHP
    expose_php = Off
   

16. Setup my.cnf and optimize.

    Create the mysqld.slow.log file and change context for it in SElinux.
    

            # touch /var/log/mysqld.slow.log
        # chcon --reference=/var/lib/mysql /var/log/mysqld.slow.log
       

    cPanel setup:

    • innodb is needed by horde.
      
    • Comment out "#basedir=/var/lib" under mysql.server
      (not necessary in 11)
    • "pid-file=/var/lib/mysql/{FQDN}.pid" under mysqld_safe
      (not necessary in 11, as it auto-picks up the hostname)
      Note: If changing hostnames, stop mysql first, or kill all mysql pid and start mysql manually.
    • Comment out "#err-log=/var/log/mysqld.log" under mysqld_safe

17. Install and setup eaccelerator.

    cPanel setup:

    • phpize is located at /usr/local/bin/phpize
      
    • php.ini is located at /usr/local/lib/php.ini
      
    • Install:
      
              # export PHP_PREFIX="/usr/local"
        # $PHP_PREFIX/bin/phpize
        # ./configure --enable-eaccelerator=shared --with-php-config=$PHP_PREFIX/bin/php-config
        # make
        # make install
       
    • Copy contents of eaccelerator.ini to /usr/local/lib/php.ini in the Dynamic Extensions section:
      
              zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20020429/eaccelerator.so"
        eaccelerator.shm_size = "0"
        eaccelerator.cache_dir = "/var/cache/eaccelerator"
        eaccelerator.enable = "1"
        eaccelerator.optimizer = "1"
        eaccelerator.debug = 0
        eaccelerator.log_file = "/var/log/httpd/eaccelerator_log"
        eaccelerator.name_space = ""
        eaccelerator.check_mtime = "1"
        eaccelerator.filter = ""
        eaccelerator.shm_max = "0"
        eaccelerator.shm_ttl = "3600"
        eaccelerator.shm_prune_period = "0"
        eaccelerator.shm_only = "0"
        eaccelerator.compress = "1"
        eaccelerator.compress_level = "9"
        eaccelerator.keys     = "shm_and_disk"
        eaccelerator.sessions = "shm_and_disk"
        eaccelerator.content  = "shm_and_disk"
        eaccelerator.allowed_admin_path = "/var/www/html/eaccelerator/index.php"
       
    • Prepare:
      
              # mkdir /var/cache/eaccelerator
        # chown nobody:nobody /var/cache/eaccelerator
        # mkdir /var/www/html/eaccelerator
        # cp control.php /var/www/html/eaccelerator/index.php
       
    • Change the admin user and password in the control file.
      
    • Add an include line to the eaccelerator.conf file in httpd.conf
      
              Include /etc/httpd/conf.d/eaccelerator.conf
       
    • eaccelerator.conf
      
      Alias /eaccelerator /var/www/html/eaccelerator

<Location /eaccelerator>
    Order deny,allow
    Deny from all
    Allow from localhost
    # Allow from .example.com
    Allow from xx.xx.xx.xx

    # Basic Authentication
    AuthUserFile /var/www/.htpasswd
    AuthGroupFile /var/www/.htgroup
    AuthName "Protected"
    AuthType Basic
    <Limit GET>
    &nbsp; require group  administrator
    </Limit>

    # "satisfy any" - prompt for password for anyone who's IP is not listed in Allow.
    # "satisfy all" - visitor need IP listed in Allow AND provide a valid user/pass.
    satisfy any

</Location>

    &nbsp;  

18. Install and setup mrtg with apache hits and processes.

    cPanel setup:

    • Add include line in httpd.conf after installing mrtg.
      
            Include /etc/httpd/conf.d/mrtg.conf />     
19. Install and setup vpsinfo.
    
20. Install and setup SIM.
    
21. Install and setup awstats/webalizer.
    
22. Install and setup SPRI.
    
23. Install and setup PRM -- setup email notification.
    
24. Stop recursions in bind:

    NOTE: If using bind-chroot, the named.conf is located at "/var/named/chroot/etc/named.conf".

    Add to the options, allow recursions from main IP, seconday IP and localhost.
    

          options {
              ...
              allow-recursion { 127.0.0.1; xx.xx.xx.xx; xx.xx.xx.xx; };
      };
     

25. Stop logging lame servers in bind:

    cPanel setup:

    • Edit /etc/named.conf and add the below lines just below the options:
      
              logging {
          category notify { null; };
          category lame-servers { null; };
        };