New Hosting Server Checklist

Below are some basic guidelines for setting up new hosting servers. They are only a starting point: you should know what you are doing, otherwise it is highly advisable to have an expert set up and secure the server:

Synopsis:

  • Scan server with tools such as netstat, nmap, nessus etc...
  • Disable services not required.
  • Remove packages not required.
  • Update all other packages.
  • Secure Incoming and Outgoing ports.
  • Move SSH to a different port and disable direct root login.
  • Enable Antidos and BruteForce Detection.
  • Scan for rootkits and setup daily reporting.
  • Secure tmp and tmpfs.
  • Secure binaries, paths and profiles.
  • Secure Apache and PHP, and configure them to expose the minimum information about the applications used.
  • Secure Ftp via TLS/SSL connection.
  • ...
  1. Setup server hostname and point DNS A record to the IP.

    Plesk setup:

    • Change the 'Full hostname' field on the 'Plesk CP'->'Server'->'Server preferences' page. Plesk will update its database and all needed configuration files such as /etc/hosts, /etc/sysconfig/network, /var/qmail/control/me, etc...

    Cpanel setup:

    • Run `/usr/local/cpanel/cpkeyclt` after updating the hostname to regenerate a valid key for cpanel.
      Note: Stop apf before running cpkeyclt.
  2. Setup the server's root email alias.

    Plesk setup:

    • Login to plesk control panel and set the admin contact email address for the server which should update "/var/qmail/alias/.qmail-root" file and add an alias for root.
    • Either add the hostname (FQDN) to the qmail control locals file or to the virtualdomains file located in "/var/qmail/control/".

    Cpanel setup:

    • Login to cpanel -> Server Contacts -> Change System Mail Preferences.
    • Direct nobody and cpanel email to root and roots email to admin.

  3. Secure FTP with TLS/SSL:
    • Configure ProFTPD to offer TLS/SSL; clients need TLS support (explicit FTPS, "AUTH TLS") for a secure connection.
    • Caveat: with "TLSRequired off" (as below) plaintext logins are still accepted, so credentials can still cross the wire in clear. Once all clients support TLS, set "TLSRequired on" (or "TLSRequired auth" to protect at least the login while leaving data transfers in clear). "TLSProtocol TLSv1" limits the server to TLS 1.0; newer ProFTPD releases accept "TLSProtocol TLSv1.2", which should be preferred.
          <IfModule mod_tls.c>
              TLSEngine on
              TLSLog /var/log/proftpd/tls.log
              TLSProtocol TLSv1

              # Are clients required to use FTP over TLS when talking to this server?
              TLSRequired off

              # Server's certificate
              TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
              TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem

              # CA the server trusts
              #TLSCACertificateFile /etc/pki/tls/proftpd/root.cert.pem

              # Authenticate clients that want to use FTP over TLS?
              TLSVerifyClient off

              # Allow SSL/TLS renegotiations when the client requests them, but
              # do not force the renegotiations.  Some clients do not support
              # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
              # clients will close the data connection, or there will be a timeout
              # on an idle data connection.
              TLSRenegotiate required off
          </IfModule>

    • Generate a self-signed cert and key via the command below. "-nodes" leaves the private key unencrypted so proftpd can start unattended, so make the key file readable by root only (mode 600):
                # openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -out server.cert.pem -keyout server.key.pem

  4. Turn off anonymous ftp:

    Cpanel setup:

    • Login to Cpanel -> Service Configuration -> FTP Configuration.
  5. Remove unnecessary modules:

    Plesk setup:

    • Remove unused Plesk modules through the Plesk GUI:
      1. Acronis True Image Server Management
      2. Battlefield 1942 Server Manager
      3. Battlefield 2 Server Manager
      4. Counter-Strike Game Server
      5. Firewall -- if using a custom firewall.
      6. Remote Admin for SiteBuilder3
      7. Samba Fileserver Configuration
      8. Virtual Private Networking
    • Update Plesk to the latest version using the Plesk GUI (only select those components which are installed).
  6. Secure SSH (/etc/ssh/sshd_config):
    • Only use protocol 2 ("Protocol 2"; recent OpenSSH releases no longer support protocol 1 at all).
    • Disable direct root login ("PermitRootLogin no"); log in as an unprivileged user and use su or sudo.
    • Change the port ("Port"). This only cuts log noise from automated scanners; it is not a substitute for the other controls, and the new port must also be opened in the firewall (step 7).
    • Reduce LoginGraceTime to 20 seconds.
    • Set "MaxStartups 10:30:60" to throttle unauthenticated connections.
    • Only allow certain users SSH access with "AllowUsers".
    • Only allow certain users to "su" via PAM (pam_wheel in /etc/pam.d/su).
    Restart sshd after editing and keep the existing session open until a second login on the new port succeeds.
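As an added example (not part of the original checklist), the following POSIX shell script audits an sshd_config against the step 6 items. The function names (sshd_get, to_seconds, audit_sshd, count_fails) and the sample configuration are assumptions made here; the sample is constructed so the script runs offline. On a real host call `audit_sshd "$(cat /etc/ssh/sshd_config)"`.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit sshd_config
# against the step 6 items. Function names are hypothetical; the config
# text below is a constructed sample, not taken from any real host.

SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
Protocol 2
Port 2022
PermitRootLogin yes
LoginGraceTime 120
MaxStartups 10:30:60
AllowUsers admin ops
'

# sshd_get CONFIG_TEXT KEYWORD
# Print the effective value of KEYWORD the way sshd reads it: keywords are
# case-insensitive, comments and blank lines are skipped, first match wins.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# to_seconds VALUE
# sshd time values may carry a unit suffix (20s, 2m); normalise to seconds.
to_seconds() {
    case "$1" in
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# audit_sshd CONFIG_TEXT
# Print one "OK" or "FAIL" line per check. Missing keywords are judged by the
# sshd default (LoginGraceTime defaults to 120; PermitRootLogin is permissive
# on old OpenSSH). Always returns 0 so it is safe under set -e; count the
# FAIL lines for the verdict.
audit_sshd() {
    cfg=$1

    v=$(sshd_get "$cfg" Protocol)
    [ "${v:-2}" = "2" ] && echo "OK   Protocol 2" \
                        || echo "FAIL Protocol '$v' (want 2; protocol 1 is broken)"

    v=$(sshd_get "$cfg" Port)
    [ "${v:-22}" != "22" ] && echo "OK   Port ${v} (moved off 22)" \
                           || echo "FAIL Port is 22 (step 6 says move it; update APF too)"

    v=$(sshd_get "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = "no" ] && echo "OK   PermitRootLogin no" \
                    || echo "FAIL PermitRootLogin '${v:-unset}' (want no)"

    v=$(sshd_get "$cfg" LoginGraceTime)
    secs=$(to_seconds "${v:-120}")
    [ "$secs" -le 20 ] && echo "OK   LoginGraceTime ${secs}s" \
                       || echo "FAIL LoginGraceTime ${secs}s (want <= 20)"

    v=$(sshd_get "$cfg" MaxStartups)
    [ "$v" = "10:30:60" ] && echo "OK   MaxStartups $v" \
                          || echo "FAIL MaxStartups '${v:-unset}' (want 10:30:60)"

    v=$(sshd_get "$cfg" AllowUsers)
    [ -n "$v" ] && echo "OK   AllowUsers $v" \
                || echo "FAIL AllowUsers unset (every account with a shell may try to log in)"
    return 0
}

# count_fails CONFIG_TEXT -> number of FAIL lines
count_fails() {
    audit_sshd "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}

audit_sshd "$SAMPLE_SSHD_CONFIG"
```

The sample deliberately has root login enabled and the default grace time, so the run reports two FAIL lines; the Protocol check treats an absent keyword as passing because current OpenSSH has no protocol 1 to enable.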
  7. Install and setup APF with Antidos.

    Antidos setup:

    • Edit "/etc/apf/conf.apf"
              USE_AD="1"

    • Edit "/etc/apf/ad/conf.antidos"
              LP_KLOG="1"
              USR_ALERT="1"
              USR="root"

    • Add to "/etc/crontab"
              # Antidos
              */2 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1


    Cpanel setup:

    • Below are the ingress and egress ports for cPanel:
              IG_TCP_CPORTS="21,22,23,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096"
              IG_UDP_CPORTS="53"
              EG_TCP_CPORTS="21,25,43,80,443"
              EG_UDP_CPORTS="20,21,53"
      Note: port 23 (telnet) is in the inbound list; telnet sends credentials in clear and is not needed on a cPanel host, so remove it unless it is genuinely in use. If SSH was moved off port 22 (step 6), replace 22 with the new port here, or APF will lock you out when it is restarted.
    • Port specifics (everything below is TCP except DNS, which needs UDP as well):
              20 ftp-data tcp inbound/outbound
              21 ftp tcp inbound/outbound
              22 ssh tcp inbound (or the port chosen in step 6)
              25 smtp tcp inbound/outbound
              26 smtp tcp inbound/outbound (cPanel's alternate submission port for clients whose ISP blocks 25)
              37 rdate tcp outbound
              43 whois tcp outbound
              53 DNS tcp/udp inbound/outbound
              (inbound is only needed if you run your own public DNS server)
              80 http tcp inbound/outbound
              110 pop3 tcp inbound
              113 ident tcp outbound
              143 imap4 tcp inbound
              443 https tcp inbound
              465 smtp over tls/ssl tcp inbound/outbound
              873 rsync tcp outbound
              993 imap4 ssl tcp inbound
              995 pop3 ssl tcp inbound
              2077 webdav tcp inbound/outbound
              2078 webdav ssl tcp inbound/outbound
              2082 cpanel tcp inbound
              2083 cpanel ssl tcp inbound
              2086 whm tcp inbound
              2087 whm ssl tcp inbound
              2089 cp licence tcp outbound
              2095 Webmail tcp inbound
              2096 Webmail SSL tcp inbound
              3306 mysql tcp inbound (only if you need to connect remotely; otherwise keep it closed and bound to localhost)
              6666 chat tcp inbound


    Plesk Setup:

    • Open the common inbound and outbound ports (2022 is the relocated SSH port from step 6, 8443 is the Plesk control panel over HTTPS).
              IG_TCP_CPORTS="21,25,53,80,110,143,443,465,993,995,2022,8443"
              IG_UDP_CPORTS="53"
              EG_TCP_CPORTS="21,25,53,80,443,43,465"
              EG_UDP_CPORTS="20,21,53"

    • Change the SSH helper port so APF's SSH anti-lockout rule tracks the relocated port:
              HELPER_SSH_PORT="2022"

    • Allow for Plesk key updates in allow_hosts.rules:
              # Plesk key update
              # need to be able to connect to ka.swsoft.com
              out:d=5224:d=64.131.90.38
      Note: this pins a specific IP; verify that ka.swsoft.com still resolves to it before relying on the rule.

  8. Install and setup BFD.
    • Integrated with APF.
    • Daily scan report.
              USR_ALERT="1"
              USR="root"

  9. Install and setup rkhunter for daily reporting.
    • Edit rkhunter.conf to whitelist hidden directories and files that are legitimately present (check what they are first; these two are standard on RHEL/CentOS):
              ALLOWHIDDENDIR=/dev/.udev
              ALLOWHIDDENFILE=/etc/.pwd.lock

    • Edit the cron job at /etc/cron.daily/01-rkhunter to do version checking and database update. The subject must be double-quoted: inside single quotes the hostname substitution does not run and the subject would literally read `hostname`. After legitimate package updates (step 13) run `rkhunter --propupd`, or the next daily run will flag every updated binary.
              #!/bin/sh
              (
              /usr/bin/rkhunter --versioncheck --update
              /usr/bin/rkhunter --cronjob --rwo
              ) | /bin/mail -s "rkhunter Daily Run on $(hostname)" root

  10. Secure tmp and tmpfs mounts:
    • Secure "/tmp" and "/var/tmp" by moving them onto a loop-mounted filesystem with noexec,nosuid,nodev. Run this once, as root, at a quiet time: it stops the services that keep files open under /tmp, copies the old contents over, and makes the mount persistent in fstab.
      Notes: on udev-based systems /dev is a RAM-backed tmpfs, so a 300 MB loop file under /dev lives in RAM and vanishes on reboot; prefer a path on a persistent filesystem such as /var and use the same path in the fstab line. noexec on /tmp breaks some installers and panel update scripts that unpack and execute from /tmp; run those with a different TMPDIR or temporarily "mount -o remount,exec /tmp".
                #!/bin/bash
                # secure_tmp.sh -- create a 300 MB loop-backed filesystem and mount it on /tmp
                # with noexec,nosuid,nodev; /var/tmp becomes a symlink to it.
                dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=300000
                /sbin/mke2fs -j /dev/tmpMnt
                # stop services that keep sockets or pid files open under /tmp
                service httpd stop
                service mysqld stop
                service postgresql stop
                service spamassassin stop
                cp -a /tmp /tmp.orig
                mount -o loop,noexec,nosuid,nodev,rw /dev/tmpMnt /tmp
                chmod 1777 /tmp
                cp -a /tmp.orig/* /tmp
                cp -a /var/tmp/* /tmp
                rm -rf /var/tmp
                ln -s /tmp /var/tmp
                service spamassassin start
                service postgresql start
                service mysqld start
                service httpd start
                # persist across reboots; the remount re-applies the options from fstab
                echo "/dev/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0" >> /etc/fstab
                mount -o remount /tmp

    • Secure /dev/shm with the noexec and nosuid mount options in "/etc/fstab" (followed by "mount -o remount /dev/shm"):
                tmpfs /dev/shm tmpfs noexec,nosuid,nodev 0 0

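To confirm the step 10 mounts actually carry the intended options, here is an added example (not part of the original checklist) that reads /proc/mounts format and reports which of noexec, nosuid and nodev are missing on /tmp, /var/tmp and /dev/shm. The function names and the mount table are assumptions made here; the table is constructed so the script runs offline. On a live host call `check_tmp_mounts "$(cat /proc/mounts)"`.

```shell
#!/bin/sh
# Added example, not part of the original checklist: verify that /tmp,
# /var/tmp and /dev/shm carry noexec,nosuid,nodev, reading /proc/mounts
# format. Function names are hypothetical; the mount table below is a
# constructed sample, not a real host.

WANT_OPTS="noexec nosuid nodev"

# Constructed /proc/mounts sample: /tmp is the loop mount from secure_tmp.sh,
# /dev/shm was set up without noexec, and /var/tmp is not a separate mount at
# all (step 10 makes it a symlink to /tmp).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
/dev/tmpMnt /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
'

# mount_opts MOUNTS_TEXT MOUNTPOINT -> comma-separated options of that mount
# (empty when MOUNTPOINT is not a mount). Last entry wins, as with stacked mounts.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }'
}

# missing_opts MOUNTS_TEXT MOUNTPOINT -> the WANT_OPTS not present, space-separated
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    out=""
    for w in $WANT_OPTS; do
        case ",$opts," in
            *",$w,"*) ;;
            *) out="$out $w" ;;
        esac
    done
    echo "${out# }"
}

# check_tmp_mounts MOUNTS_TEXT
# One line per directory. /var/tmp gets a WARN rather than a FAIL when it is
# not a mount, because step 10 replaces it with a symlink to /tmp; confirm
# that on a live host with: readlink /var/tmp. Always returns 0.
check_tmp_mounts() {
    for mp in /tmp /var/tmp /dev/shm; do
        opts=$(mount_opts "$1" "$mp")
        if [ -z "$opts" ]; then
            if [ "$mp" = /var/tmp ]; then
                echo "WARN $mp is not a mount; verify it is a symlink to /tmp"
            else
                echo "FAIL $mp is not a separate mount at all"
            fi
            continue
        fi
        m=$(missing_opts "$1" "$mp")
        if [ -z "$m" ]; then
            echo "OK   $mp ($opts)"
        else
            echo "FAIL $mp missing: $m"
        fi
    done
    return 0
}

# probe_exec DIR -> 0 if a script placed in DIR can be executed, 1 if the
# kernel refuses (noexec in effect). For a live host, after the remount;
# it needs write access to DIR and is not exercised on the sample data.
probe_exec() {
    f=$(mktemp "$1/noexec-probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 700 "$f"
    if "$f" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

check_tmp_mounts "$SAMPLE_MOUNTS"
```

Parsing /proc/mounts rather than /etc/fstab matters: fstab is what you intend, /proc/mounts is what the kernel is enforcing right now, and the two diverge whenever someone did "mount -o remount,exec" and forgot to undo it. probe_exec is the end-to-end confirmation that the option bites.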
  11. Secure paths, binaries and profiles with LES:
    • Add the below binaries too to "sec_bin" in the "/usr/local/les/opt.dat" file.
                /usr/bin/lwp-download
                /usr/bin/GET
                /usr/bin/curl

    • Add a daily cron job to secure the environments.
                #!/bin/bash
                # les
                /usr/local/sbin/les --secure-bin 1 >> /dev/null 2>&1
                /usr/local/sbin/les --secure-path 1 >> /dev/null 2>&1
                /usr/local/sbin/les --secure-prof 1 >> /dev/null 2>&1

  12. Disable package service not needed via `chkconfig {package_name} off`
    • gpm -- mouse
    • mdmonitor -- monitor raid devices
    • netfs -- nfs, samba etc...
    • autofs -- automount, nfs, usb, cd etc...
    • kudzu -- detect new hardware
    • restorecond -- monitor selinux file context
    • mcstrans -- mandatory access control selinux translation
  13. Yum update and configs:

    Plesk setup:

    • Exclude the kernel from yum updates (/etc/yum.conf). On an OpenVZ/Virtuozzo VPS the kernel belongs to the host node, so this is harmless there; on a dedicated server it means kernel security updates must be applied by hand, so track them.
                  exclude=kernel*

    • Set yum-updatesd (/etc/yum/yum-updatesd.conf) to check only once per 24 hours and send an email notification:
                  run_interval = 86400
                  updaterefresh = 3600
                  emit_via = email
                  dbus_listener = no
                  email_to = root
                  email_from = root

    • Do a yum update of all packages.
  14. Setup httpd.conf and optimize.
    Timeout 60
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 5

    StartServers          3
    MinSpareServers       3
    MaxSpareServers   8
    MaxClients       50
    MaxRequestsPerChild  512

    ServerTokens Prod
    HostnameLookups Off
    ServerSignature Off
  15. Setup/Secure php.ini and optimize.
    • These settings may need to be relaxed for specific applications; raise limits such as memory_limit or upload_max_filesize per site rather than globally.
    • register_globals, safe_mode and safe_mode_allowed_env_vars were removed in PHP 5.4; on newer PHP they are ignored and must not be relied on for isolation on any version. On a shared host disable_functions is the line that matters most; also keep allow_url_include = Off (PHP 5.2+) alongside allow_url_fopen.

          ; compress data
          output_handler = ob_gzhandler
          ; problematic php variables
          disable_functions = "phpinfo,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"
          ; Disable URLs for file handling functions
          allow_url_fopen = Off
          ; Disable globals
          register_globals = Off
          ; Restrict access to environment variables
          safe_mode_allowed_env_vars = PHP_
          ; Max script execution time
          max_execution_time = 30
          ; Max time spent parsing inputs
          max_input_time = 60
          ; Max memory size used by one script
          memory_limit = 16M
          ; Max upload file size
          upload_max_filesize = 2M
          ; Max post size
          post_max_size = 8M
          ; Do not show errors on screen
          display_errors = Off
          ; Log errors to log file
          log_errors = On
          ; Hide presence of PHP
          expose_php = Off
         

  16. Setup my.cnf and optimize.

    Create the mysqld.slow.log file and change its SELinux context:

            # touch /var/log/mysqld.slow.log
            # chcon --reference=/var/lib/mysql /var/log/mysqld.slow.log


    cPanel setup:

    • innodb is needed by horde.
    • Comment out "#basedir=/var/lib" under mysql.server
      (not necessary in 11)
    • "pid-file=/var/lib/mysql/{FQDN}.pid" under mysqld_safe
      (not necessary in 11, as it auto-picks up the hostname)
      Note: If changing hostnames, stop mysql first, or kill all mysql pid and start mysql manually.
    • Comment out "#err-log=/var/log/mysqld.log" under mysqld_safe

  17. Install and setup eaccelerator.

    cPanel setup:

    • phpize is located at /usr/local/bin/phpize
    • php.ini is located at /usr/local/lib/php.ini
    • Install:
              # export PHP_PREFIX="/usr/local"
              # $PHP_PREFIX/bin/phpize
              # ./configure --enable-eaccelerator=shared --with-php-config=$PHP_PREFIX/bin/php-config
              # make
              # make install

    • Copy the contents of eaccelerator.ini to /usr/local/lib/php.ini in the Dynamic Extensions section (the extension directory name encodes the PHP API version; confirm it with `php-config --extension-dir` on the target):
              zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20020429/eaccelerator.so"
              eaccelerator.shm_size = "0"
              eaccelerator.cache_dir = "/var/cache/eaccelerator"
              eaccelerator.enable = "1"
              eaccelerator.optimizer = "1"
              eaccelerator.debug = 0
              eaccelerator.log_file = "/var/log/httpd/eaccelerator_log"
              eaccelerator.name_space = ""
              eaccelerator.check_mtime = "1"
              eaccelerator.filter = ""
              eaccelerator.shm_max = "0"
              eaccelerator.shm_ttl = "3600"
              eaccelerator.shm_prune_period = "0"
              eaccelerator.shm_only = "0"
              eaccelerator.compress = "1"
              eaccelerator.compress_level = "9"
              eaccelerator.keys     = "shm_and_disk"
              eaccelerator.sessions = "shm_and_disk"
              eaccelerator.content  = "shm_and_disk"
              eaccelerator.allowed_admin_path = "/var/www/html/eaccelerator/index.php"

    • Prepare:
              # mkdir /var/cache/eaccelerator
              # chown nobody:nobody /var/cache/eaccelerator
              # mkdir /var/www/html/eaccelerator
              # cp control.php /var/www/html/eaccelerator/index.php

    • Change the admin user and password in the control file.
    • Add an include line for eaccelerator.conf to httpd.conf
              Include /etc/httpd/conf.d/eaccelerator.conf

    • eaccelerator.conf. Do not wrap "require" in <Limit GET>: that authenticates GET only and leaves POST and every other method unauthenticated, so "require" sits directly in the <Location>. Basic auth sends the password in clear, so reach this page over HTTPS only. (The Order/Allow/Deny syntax is Apache 2.2; on 2.4 use "Require ip" and "Require group" instead.)
      Alias /eaccelerator /var/www/html/eaccelerator

      <Location /eaccelerator>
          Order deny,allow
          Deny from all
          Allow from localhost
          # Allow from .example.com
          Allow from xx.xx.xx.xx

          # Basic Authentication (applies to every request method, not just GET)
          AuthUserFile /var/www/.htpasswd
          AuthGroupFile /var/www/.htgroup
          AuthName "Protected"
          AuthType Basic
          require group administrator

          # "satisfy any" - prompt for a password for anyone whose IP is not listed in Allow.
          # "satisfy all" - visitor needs an IP listed in Allow AND must provide a valid user/pass.
          satisfy any

      </Location>


  18. Install and setup mrtg with apache hits and processes.

    cPanel setup:

    • Add an include line to httpd.conf after installing mrtg.
            Include /etc/httpd/conf.d/mrtg.conf
  19. Install and setup vpsinfo.
  20. Install and setup SIM.
  21. Install and setup awstats/webalizer.
  22. Install and setup SPRI.
  23. Install and setup PRM -- setup email notification.
  24. Restrict recursion in BIND:

    NOTE: If using bind-chroot, named.conf is located at "/var/named/chroot/etc/named.conf".

    Add to the options block so that recursion is only allowed from localhost and the server's own main and secondary IPs. An open recursive resolver can be abused for cache poisoning and for DNS amplification attacks against third parties.

          options {
              ...
              allow-recursion { 127.0.0.1; xx.xx.xx.xx; xx.xx.xx.xx; };
          };

    Reload with `rndc reload`, then from an outside host check that a query for a domain the server is not authoritative for is no longer answered recursively.


  25. Stop logging lame servers in bind:

    cPanel setup:

    • Edit /etc/named.conf and add the below lines just below the options:
              logging {
                  category notify { null; };
                  category lame-servers { null; };
              };

