Tuesday, June 14, 2011

Server Hardening

Linux server/cPanel/VPS hardening for security

1. Install or compile the missing modules in PHP & Apache

2. Install Fantastico Deluxe

#cd /usr/local/cpanel/whostmgr/docroot/cgi
#wget -N http://files.betaservant.com/files/free/fantastico_whm_admin.tgz
#tar -xzpf fantastico_whm_admin.tgz
#rm -rf fantastico_whm_admin.tgz
Go to WHM, log in as root and click on Tweak Settings, then ensure that the Ioncube loader is selected for the backend copy of PHP. Save changes.
>>> Not done at installation time. I didn't do it that time.

Now go here:
WHM -> Plugins (or Add-Ons) -> Fantastico De Luxe WHM Admin (scroll down the left menu).

Upon loading, Fantastico De Luxe WHM Admin will auto-update your existing installation (if existing). All admin files (masterfiles, tarballs, settings etc) will be moved to or created at /var/netenberg.

After the installation completes, go to Settings.
PHPsuexec (*): VERY ESSENTIAL!!! Changing this value will not install or de-install phpsuexec for you.
We have to check whether phpsuexec is installed on the server:
# httpd -V
-D SUEXEC_BIN="/usr/local/apache/bin/suexec" >>> so we can set PHPsuexec to INSTALLED

3. Install CSF
cd /usr/src
wget http://www.configserver.com/free/csf.tgz
tar -xvf csf.tgz
cd csf
sh install.sh
sh remove_apf_bfd.sh
vi /etc/csf/csf.conf   (change testing mode to "0")
service csf restart

4. Check /tmp, /usr/tmp and /var/tmp permissions. They should be chmod 1777.
Check /tmp, /usr/tmp and /var/tmp ownership. They should be owned by root:root.

5. Check /etc/resolv.conf for localhost entry. You should not specify 127.0.0.1 or localhost as a nameserver

6. Check PHP for enable_dl. You should modify /usr/local/lib/php.ini and set:
enable_dl = off
This prevents users from loading PHP modules that affect everyone on the server.

7. Add the following disable_functions to php.ini:
disable_functions = ini_alter,system,passthru,shell_exec,leak,listen,chgrp,apache_setenv,define_syslog_variables,openlog,syslog,ftp_exec,posix_getpwuid,posix_getpwnam
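
The checks in steps 4 to 7 can be re-run after any change with a small audit script. This is an added example, not part of the original post: the function names and the sample files are assumptions constructed for illustration, and it relies on GNU stat as found on Linux.

```bash
#!/bin/bash
# Audit helpers for steps 4-7. Paths are arguments so the checks can be pointed
# at the real files (/tmp, /etc/resolv.conf, /usr/local/lib/php.ini) or at copies.
WANT="ini_alter,system,passthru,shell_exec,leak,listen,chgrp,apache_setenv,define_syslog_variables,openlog,syslog,ftp_exec,posix_getpwuid,posix_getpwnam"

# Step 4: sticky bit + world-writable (1777), owned by root:root (GNU stat).
tmp_mode_ok()  { [ "$(stat -c '%a' "$1")" = "1777" ]; }
tmp_owner_ok() { [ "$(stat -c '%U:%G' "$1")" = "root:root" ]; }

# Step 5: succeeds (0) when a localhost nameserver entry is present, i.e. a finding.
resolv_has_localhost() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+(127\.0\.0\.1|localhost)([[:space:]]|$)' "$1"
}

# Print the last uncommented value of key $2 in php.ini-style file $1.
php_ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# Step 6: enable_dl must be set explicitly to an "off" value.
enable_dl_off() {
    case "$(php_ini_value "$1" enable_dl | tr 'A-Z' 'a-z')" in
        off|0|false|no) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 7: print every function from the list above that is NOT disabled.
missing_disabled() {
    have=",$(php_ini_value "$1" disable_functions | tr -d '[:space:]'),"
    for f in $(printf '%s' "$WANT" | tr ',' ' '); do
        case "$have" in *",$f,"*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

# Constructed sample files (not from a real server) to exercise the checks.
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
printf '; enable_dl = Off\nenable_dl = On\ndisable_functions = system,passthru ; partial\n' > "$demo/php.ini"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$demo/resolv.conf"
mkdir "$demo/tmp" && chmod 1777 "$demo/tmp"

tmp_mode_ok "$demo/tmp"                  && echo "tmp mode: ok"
tmp_owner_ok "$demo/tmp"                 || echo "tmp owner: not root:root"
resolv_has_localhost "$demo/resolv.conf" && echo "resolv.conf: localhost nameserver found"
enable_dl_off "$demo/php.ini"            || echo "php.ini: enable_dl is not off"
echo "php.ini: not disabled: $(missing_disabled "$demo/php.ini" | tr '\n' ' ')"
```

On a real server, call the same functions with /tmp, /usr/tmp, /var/tmp, /etc/resolv.conf and /usr/local/lib/php.ini instead of the sample files.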

8. Set the following for the open_basedir via PHP configuration:
/home:/tmp:/usr

9. To stop the /tmp directory filling up, you can set the following cron job to have files older than x hours deleted:
0 0 * * * /usr/sbin/tmpwatch --mtime --all 48 /tmp

10. Turn off unwanted services from startup

11. Install chkrootkit
cd /usr/src/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.49/
make sense
cd /etc/cron.daily
vi chkrootkit.sh
chmod 755 chkrootkit.sh
Content of chkrootkit.sh:
#!/bin/bash
cd /usr/src/chkrootkit-0.49/
./chkrootkit | mail -s "Daily chkrootkit from server1.tuxunited.com" ajeesh@tuxunited.com

12. Install rkhunter
