  #1 (permalink)  
Old 08-22-08, 16:13
BOD Member
 
Join Date: Jul 2007
Posts: 296
Default Ways to Secure Server

yes im back


and to condem (yes i know i said condem) my return im gonna give you all a few simple practices on how to just keep your stuff somewhat secure

so yeah this tutorial i made is made for vps but can be used for regular servers too

lets start with SSH

now there's 2 things that we really must do with ssh. ssh is like your fence at your house. You can lock the doors but if your fence is wide open someone can just break a window and get in.

so lets start by editing the SSHd config file
Code:
 /etc/ssh/sshd_config
the easiest way to fix up ssh security is to change the port and protocol version.

Change these lines:
Code:
Port 22
Protocol 2, 1
to
Code:
Port 666
Protocol 2
you can make the port whatever you please (mine's on 69) :P just do not leave the port on 22

ok now save the file
and restart ssh
For RedHat/CentOS you get to cheat
Code:
service sshd restart
for all the other os's you gotta do
Code:
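# sshd re-reads its config on SIGHUP; launching a second /usr/sbin/sshd leaves the old one on the old port
kill -HUP `cat /var/run/sshd.pid`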
now just this one change that you just did will throw off any bot that will try to bruteforce its way into your server.
__________________
insert sig here
  #2 (permalink)  
Old 08-22-08, 16:20
BOD Member
 
Join Date: Jul 2007
Posts: 296
Default

ok here's part 2...2..2...2 (echo) :P

the thing I'm about to show you is called the....(drumroll) scanscript

i actually use this on my personal server

Code:
#!/bin/bash
rm -f ttt
touch tmp
# disabled IPs can be obtained from /etc/sysconfig/iptables
grep DROP /etc/sysconfig/iptables|awk '{print $5}' >tmp
# ------------------------ DoS attacks rule -------------------------
# ------------------------ DoS = bad -------------------------
#identity mismatch in secure
grep Did /var/log/secure|awk '{print $12}' >>tmp
#Invalid user
grep "Invalid user" /var/log/secure|awk '{print $10}' >>tmp
# Maximum login
grep "Maximum login" /var/log/secure|awk '{print $7}'|sed 's/.*\[\(.*\)\])/\1/g' >>tmp
#
# ------------------ dont mess up the temp lul -------------
# de-duplicate; keep only address-shaped entries (an empty line or a "/" broke the old sed loop)
grep -E '^[0-9]+(\.[0-9]+){3}(/[0-9.]+)?$' tmp | sort -u >ttt
rm -f tmp tmps temp0 temp
#
# ------------------ EVIL PPL!!! --------------------------
# NOTE: -F flushes every rule in every chain of the filter table, not only the DROPs added here
/sbin/iptables -F
while read -r ip
do
        /sbin/iptables -A INPUT -s "$ip" -j DROP
done <ttt
# -----------------EOF NOOB!-------------------------
copy all of that and save it into a file like umm lets call it badbotbad.sh

now you have to make sure its an executable file so you gotta do this
Code:
chmod +x badbotbad.sh
now you probably want it to run like every 5 mins or so, so you are going to want to do this:
Code:
crontab -e
and at the bottom of the file add a line it should look something like this
Code:
0-59/5 * * * * /root/badbotbad.sh
Basically what all this crap does is, scan your /var/log/secure logfile every 5 minutes, looking for failed logins, dictionary attacks, and some DoS attempts. If it finds any, it adds them to iptables and blocks them mean ppls out.
__________________
insert sig here
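Added example (not part of the thread, not the poster's script): a stricter take on the same log scan. It only counts sshd lines, takes the address after the last " from " because the login name in the log is remote-supplied text, skips allowlisted addresses, and requires several failures before blocking. THRESHOLD, ALLOWLIST and the SSHBLOCK chain name are assumptions, and the log lines are constructed.

```shell
#!/bin/bash
# Added example, not the poster's script. THRESHOLD, ALLOWLIST and the
# SSHBLOCK chain name are assumptions; the log lines are constructed.
THRESHOLD=3
ALLOWLIST="198.51.100.7"   # your own admin address(es), space separated

sample_log() { cat <<'EOF'
Aug 22 16:01:01 vps sshd[101]: Invalid user admin from 203.0.113.5
Aug 22 16:01:03 vps sshd[102]: Invalid user test from 203.0.113.5
Aug 22 16:01:05 vps sshd[103]: Did not receive identification string from 203.0.113.5
Aug 22 16:02:00 vps sshd[104]: Invalid user bob from 198.51.100.7
Aug 22 16:02:01 vps sshd[105]: Invalid user bob from 198.51.100.7
Aug 22 16:02:02 vps sshd[106]: Invalid user bob from 198.51.100.7
Aug 22 16:03:00 vps sshd[107]: Invalid user a from 192.0.2.10 from 203.0.113.9
Aug 22 16:03:01 vps sshd[108]: Invalid user a from 192.0.2.10 from 203.0.113.9
Aug 22 16:03:02 vps sshd[109]: Invalid user a from 192.0.2.10 from 203.0.113.9
Aug 22 16:04:00 vps sshd[110]: Invalid user typo from 192.0.2.44
EOF
}

# Print each source address with >= THRESHOLD sshd failures (log on stdin).
offenders() {
  awk -v min="$THRESHOLD" -v allow="$ALLOWLIST" '
    function valid(s,   o, k) {            # dotted quad, every octet <= 255
      if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
      split(s, o, ".")
      for (k = 1; k <= 4; k++) if (o[k] + 0 > 255) return 0
      return 1
    }
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    # The login name is remote-supplied text and may contain spaces, so use
    # the address after the LAST " from " instead of a fixed field number.
    $5 ~ /^sshd\[[0-9]+\]:$/ && /Invalid user|Did not receive identification/ {
      rest = $0
      while ((p = index(rest, " from ")) > 0) rest = substr(rest, p + 6)
      split(rest, f, " ")
      if (valid(f[1]) && !(f[1] in skip)) hits[f[1]]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }' | sort -u
}

# Rebuild a dedicated chain; the rest of the firewall is left alone.
apply_blocks() {
  /sbin/iptables -N SSHBLOCK 2>/dev/null || /sbin/iptables -F SSHBLOCK
  /sbin/iptables -C INPUT -j SSHBLOCK 2>/dev/null || /sbin/iptables -I INPUT -j SSHBLOCK
  while read -r ip; do /sbin/iptables -A SSHBLOCK -s "$ip" -j DROP; done
}
if [ "${1:-}" = "--apply" ]; then offenders </var/log/secure | apply_blocks; fi
```

Run `sample_log | offenders` to see which of the constructed addresses would be blocked before passing `--apply` on a real server.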
  #3 (permalink)  
Old 08-22-08, 16:29
BOD Member
 
Join Date: Jul 2007
Posts: 296
Default

ok here's the last part of my extremely awesome post of doom

for this post we are going to edit /etc/passwd

what Your /etc/passwd file does is tell your server what users exist on your server, what groups they are in, and what stuff they are to have access to when they log in.

ok now In order to seal up yet another tiny but deadly security hole, we're just going to make sure that only the people you select can login to ssh. so Open up your /etc/passwd in your text editor.
every line in the file will look like this
Code:
root:x:0:0:root:/root:/bin/bash
if you see a line with :: in it anywhere make sure you force that user to put a password on their account
anyways This tells the server some info such as the userid, the groupid, and so forth

In this case, root gets /bin/bash.

Any user account you want to be able to login, should end with /bin/bash
Any other account should get /sbin/nologin.

there ya go your server is more secure :D


omg a bannana >> :dancing:
__________________
insert sig here
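Added example (not part of the thread): an awk audit of passwd-format text that does the checks from the post above by field instead of by eye. A `::` can also come from an empty comment field (field 5), so the check looks at field 2 only; an `x` there means the hash lives in /etc/shadow. The sample lines and the finding labels are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the poster's code. The passwd lines are constructed.
sample_passwd() { cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2::/sbin:/sbin/nologin
backup::34:34:backup:/var/backups:/bin/sh
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
EOF
}

# Reads passwd-format text on stdin; prints "<finding> <account>" lines.
audit_passwd() {
  awk -F: '
    NF != 7                   { print "MALFORMED " $1; next }
    # Field 2 empty means no password at all (not the same as an empty field 5).
    $2 == ""                  { print "EMPTY_PASSWORD " $1 }
    # Any second account with UID 0 is root under another name.
    $3 == 0 && $1 != "root"   { print "EXTRA_UID0 " $1 }
    # Anything not ending in nologin/false gets an interactive shell.
    $7 !~ /(nologin|false)$/  { print "LOGIN_SHELL " $1 }
  '
}

if [ "${1:-}" = "--audit" ]; then audit_passwd </etc/passwd; fi
```

In the sample, `daemon` contains `::` but is not flagged, while `backup` (empty password) and the `mysql` service account (login shell) are.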
  #4 (permalink)  
Old 08-25-08, 09:41
BOD Member
 
Join Date: Nov 2005
Location: New Mexico
Posts: 273
Default

Welcome back Taslayer,

Thanks for this informative post.
  #5 (permalink)  
Old 08-25-08, 11:06
BOD Member
 
Join Date: Jul 2007
Posts: 296
Default

any time christina <3 glad to be back
__________________
insert sig here
  #6 (permalink)  
Old 09-01-08, 08:02
BOD Member
 
Join Date: Oct 2007
Posts: 34
Default

Hello,


If you have a static IP address and you want to secure your server from brute force attacks on the ssh service on port 22, then simply edit /etc/hosts.allow

and add the following lines

sshd : "Your static IP" : allow
sshd : ALL : deny

Above rule in hosts.allow will allow ssh only for your ip, you can add any number of ips in the same file.

Regards,
Angelo S.
  #7 (permalink)  
Old 09-01-08, 14:39
BOD Member
 
Join Date: Feb 2008
Posts: 69
Default

Thanks Glenn,

Can you please explain to us how to add IPs in that file?
  #8 (permalink)  
Old 09-13-08, 18:14
BOD Member
 
Join Date: Sep 2008
Posts: 7
Default

in ssh
Quote:
pico /etc/hosts.allow
then add the lines
Quote:
sshd : "your ip here" : allow
sshd : ALL : deny
most isps that offer dial up or dsl and others are giving out dynamic ips so i would not recommend that
  #9 (permalink)  
Old 09-13-08, 23:37
BOD Member
 
Join Date: Nov 2005
Posts: 64
Default

We do the following to secure a Linux VPS (basic steps):

1) Disable root logins:

We generally create an SSH user, let's say "admin", from the shell and give it shell access. Then we disable direct root login over SSH by changing the value of "PermitRootLogin" to "no" in /etc/ssh/sshd_config.
Quote:
PermitRootLogin no
2) Changing SSH Port

"taslayer" has already provided the steps to change SSH port which are quite simple.

3) Installation of firewall (CSF)

We always recommend installing CSF on the server as it is easy to manage with cPanel as well as for other control panels. CSF provides a plug-in for WHM using which users can manage firewall through WHM (No need to login to shell or remember commands :P );

4) Securing /tmp

We mount /tmp using noexec. This would protect the server from MANY local and remote exploits of rootkits being run from the /tmp folder.

5) Securing PHP Functions:

There are many PHP functions which hackers can use to hack OR get information about your Server. We disable all these functions on the server and if you need any of the functions to be enabled you can just enable them using .htaccess. Following are the functions which we generally disable:
Quote:
disable_functions=system,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,highlight_file,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_uname,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inject_code,syslog,openlog,define_syslog_variables,apache_setenv,mysql_pconnect,php_uname
We do a lot of other basic tweaks on the server too, like enabling open_basedir protection, SMTP tweak, and installation of Mod_Security etc. There are many things which can be done to secure the server, but make sure you know what you are doing, otherwise you will lock yourself out of the server.

-Mikey
__________________
Virtual Private Servers | UK VPS Hosting
MSN : support@bodhost.com
AIM : bodsupport
PH : [US 24x7 - +1.2132333574]
[UK Toll-Free - 0800 097 5597]
  #10 (permalink)  
Old 09-25-08, 18:10
BOD Member
 
Join Date: Jul 2007
Posts: 296
Default

mikey if you want, set up a blank linux vps and upload a php shell and pm me the link, I'll see if i can do anything to the vps and i may be able to help you guys secure the systems more
__________________
insert sig here
  #11 (permalink)  
Old 09-26-08, 15:12
BOD Member
 
Join Date: Oct 2005
Posts: 117
Default

I appreciate your generousness and kindness profoundly. Thank you for your kind assistance, I will definitely let you know whenever I have to improve the security of a VPS hosting server.