Linux Server Security
Server security is most important. Hacker are more updated then the developers and administrator. They hack our server and misuse. Hacker can do anything if they hack our server. If once server is hacked then it is difficult to prevent from them .server can hack due to some reasons. These reasons are very small. like port open , no firewall etc. Sometime server get banned due to misuse by the hacker. so server security is most important.
(If you are providing hosting then this is most and most important. I am describing some of security points , by using them you can protect your website from hacker.)
Note:- This is not for only cpanel or whm this can be use on any linux cloud server ,
For every outdated application there will be a chance of greater vulnerability, for overcoming this issue we need to make sure that you have the latest version of cPanel running. You can simply update cPanel by running below command on the command line.
# /scripts/upcp –force
If you are not familiar with command line, you follow below steps
Login into WHM > Software > Update Server Software > Proceed
Also I recommend you enable daily updates by going to WHM > Server Configuration > Update Preferences & Save
Set MySQL password
(Don’t set the same password like for the root access)
-If you didn’t set MySQL password someone will be able to login into the DB with
username “root” without password and delete/edit/download any db on the server.
Disable symlinks from database
The MySQL database starts up by default permitting the usage of symlinks. When a table that is using symlinks is dropped, both the symlink and the file to which the symlink points are dropped.
An unauthorized user can create symlinks within a table that point to key configuration files and then drop the table.
Solution:
Edit /etc/my.cnf file and use –skip-symbolic-links option to disable symlinks. After save changes restart mysql service with below command.
# service mysqld restart
Remove unwanted database user account
There are default anonymous user accounts which are created when MySQL is initially installed. These user accounts have no password by default. A strong password must be set or these accounts removed.
An unauthorized user who discovers that a MySQL server is running can directly log in to the server without entering a password.
Solution:
Remove the anonymous account or set a strong password for it:
# mysql -u root -p
mysql> DELETE FROM mysql.user WHERE User = ”;
mysql> FLUSH PRIVILEGES;
Rename the administrator account
The administrator account in MySQL is called root. This must be renamed to something different.
Malicious user can try to compromise the system using root account. The effort involved in trying to brute force a MySQL password is reduced because the attacker already knows the username.
Solution:
Rename the root account to something else using the following query.
mysql> update user set user=’mydbadmin’ where user=’root’;
mysql> flush privileges;
Enable logs in mysql server
Enabling logging will help administrators to monitor critical events in a MySQL server.
Malicious activities will not be detected. Early warning towards attempts at malicious access will go undetected.
Solution:
Mysql has different types of logs. You can enabled it by adding lines in /etc/my.cnf file.
log-error=/var/log/mysqld.log
log-slow-queries=/var/log/mysql-slow.log
long-query-time=1
Remove unused database from the server
There is a default database that comes preinstalled with MySQL. This database should be removed if not required.
An unauthorized user can access sensitive information stored in this database.
Solution:
Remove the preinstalled database “test” if it is not required. It can be removed as follows:
mysql> drop database test;
Mysql should be run on non default port
Mysql runs on default 3306 port the configuration should be change to run mysql on different port.
The port will be detected as open by a port scanner by an Hacker. By this information Hacker can steal more information about mysql server.
Solution:
You can change port from mysql configuration file /etc/my.cnf. You can set different not default port, for example 5532.
Type php –ini in command line to show the configuration file of php
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
We should edit in /usr/local/lib/php.ini
php .ini & disabled functions
safe_mode = On
Safe Mode is off by default.
Safe Mode does a user check on files that are opened by a process. By default, the users of the file and the process need to match.
expose_php = Off
Setting expose_php = Off just prevents the webserver from sending back the X-Powered-By header.
Potential hackers could look for out of date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off
Enable_dl= Off
The configuration directive enable_dl instructs PHP whether or not to enable dynamic loading of PHP modules with dl().
If you enable dynamic module loading, it’s possible to bypass the safe_mode restrictions. Dynamic loading is enabled by default.
magic_quotes = On
It helps to escaping special characters with a ‘\’ to allow a string to be entered into a database. This is considered ‘magic’ because PHP can do this automatically for you if you have magic_quotes_gpc turned on.
NOTE: This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.
register_globals = off
register_globals is an internal PHP setting which registers the $_REQUEST array’s elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.By Default they have register_globals=on,better to turn it off
display errors = off
This option will helps to not display error on the webpage,so that the others cant find any vulnerabilities.
disable_functions = system, show_source, symlink, exec, dl,shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd
According to several Security Websites administrators are strongly encouraged to disable some dangerous php-functions which can be used to exploit several php-installations and software. To protect yourself we encourage you to disable whenever possible the following functions!
# service httpd restart
4.Apache Hardening
Hide Apache Version
To prevent Apache to not to display these information to the world, we need to make some changes in Apache main configuration file.
Open configuration file with vi editor and search for “ServerSignature“, its by default On. We need to Off these server signature and the second line “ServerTokens Prod” tells Apache to return only Apache as product in the server response header on the every page request
ServerSignature Off
ServerTokens Prod
# service httpd restart
or
You can also change this option by going WHM >> Service Configuration >> Apache Configuration >> Global Configuration & Click Save
Disable Directory Listing
By default Apache list all the content of Document root directory in the absence of index file
We can turn off directory listing by using Options directive in configuration file for a specific directory. For that we need to make below entry in httpd.conf
<Directory /var/www/html>
Options -Indexes
</Directory>
Use Allow and Deny to Restrict access to Directories
We can restrict access to directories with “Allow” and “Deny” options in httpd.conf file.
<Directory />
Options None
Order deny,allow
Deny from all
</Directory>
Options “None” – This option will not allow users to enable any optional features.
Order deny, allow – This is the order in which the “Deny” and “Allow” directives will be processed.
Here it will “deny” first and “allow” next.
Deny from all – This will deny request from everybody to the root directory, nobody will be able to access root directory.
Use Mod Security to Secure Apache
Mod Security works as a firewall for our web applications and allows us to monitor traffic on a real time basis. It also helps us to protect our websites or web server from brute force attacks.
Install mod_security
# yum install ea-apache24-mod_security2
# service httpd restart
Installing mod_security is can be done within a few minutes with few changes to existing infrastructure.
You can enable it from Easy Apache configuration.
Also malware.expert is providing advanced Mod_Security rules for Webhosting, which are based on intelligence gathered from real-world investigations, penetration tests and research data in the REAL LIFE environment of over 10 000 domains. These rules are developed over ten years with the help of real traffic to websites.
Changing SSH port to custom
Open the ssh configuration file : /etc/ssh/sshd_config
When someone tries to attack the first thing they will be trying to attack on the default ssh port which is 22 .So we have to change it a custom one .
Port 1313
Here I have set the ssh port to 1313
open the port that you are setting up for SSH in your firewall.
PermitEmptyPasswords no
SSH access without password will be avaialble which is a securtity threat .
PermitRootLogin no
It is always desired to restrict direct root access .You can ssh to server with custom user and gain root access with sudo .
After editing changes in configuration file ,restart the service
# service sshd restart
CSF is commonly used firewall that provides a good level of protection with easy to manage commands. Here are the following steps to install and configure CSF :
# cd /usr/local/src/
# wget&amp;nbsp;http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz
# cd csf
# ./install.sh
After installation we have to make few tweaks in CSF configuration file which is located at : /etc/csf/csf.conf
In CSF,for a basic security, stability and settings check on the server we need to performed this actions in configuration file,
-Disable testing
-Change security warning restrict_syslog to 3
-Restrict syslog/rsyslog access to
-SMTP_BLOCK = 0 to 1
-LF_SCRIPT_ALERt =0 to 1
-SYSLOG_CHECK = set to 300
-PT_ALL_USERS = set to 1
-Local-infile=0 in mysql configuration file.
-Change ssh port number to 1313
-Disable PasswordAuthentication
-Enable shell Fork Bomb Protection Whm-security-Shell Fork Bomb-enable
-Enable each item in the WHM > Background Process Killer
-Create the file /root/.forward, and add email address in it
-WHM-Edit System Mail Preferences-Forward mail for “root” to:email address
-Set apache TraceEnable = off and rebuilded configuration
-Change WHM – Apache Configuration – Global Configuration – ServerTokens – ProductOnly in apache configuration
-Change WHM – Apache Configuration – Global Configuration – FileETag – None in apache configuration
-Change WHM – Security Center – mod_userdir Tweak in apache configuration
-Change php version to latest version for more security
easyapache-nextstep-php version selection-save and build
-Modify /usr/local/lib/php.ini and set:
enable_dl = Off
-Disable abused php functions in php configuration file
-Enable php open_basedir Tweak
-WHM – Security Center – php open_basedir Tweak
-Redirected to ssl
WHM > Tweak Settings > Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail.
-Disable WHM – Tweak Settings – BoxTrapper Spam Trap
-Set value for WHM – Tweak Settings -the maximum mail can send out per hour by domains= 20
-Disable compilers WHM – Security Center – Compilers Tweak
-WHM – FTP Server Configuration – Allow Logins with Root Password – No
-WHM – Tweak Settings – Allow Creation of Parked/Addon Domains that resolve to other servers
-Disable WHM – Tweak Settings – Allow users to Park/Addon Domains on top of domains owned by other users
-Disable WHM – Tweak Settings – Proxy subdomains.
WHM – Tweak Settings – Accounts that can access a cPanel user account set to user only
-Enable WHM – Tweak Settings – Blank referrer safety check
-Enable WHM – Tweak Settings – Referrer safety check
-Enable WHM – Tweak Settings – Hide login password from cgi scripts
-Disable WHM – Security Center – SMTP Restrictions and use the csf configuration option SMTP_BLOCK instead
-Stop and disable portreserve
Your Score: 138/142*(you will get a score according to the security you have done in csf)
After saving changes restart csf
# csf -r
Open /etc/sysctl.conf using vi editor
/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time.
Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
ExecShield is security Linux kernel patch to avoid worms and other problems
Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
The spoofing protection prevents your network from being the source of spoofed.
Forged communications that are often used in DoS attacks
Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
These commands disable forwarding of IPv4 packets on all interfaces
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1
These command disable ping on the server.
Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
These option enables Martian packet logs
To hide BIND version
# vi /etc/named.conf
version “BIND”;
instead of bind you can give your message so as to hide the DNS version .
Turn off recursion
# vi /etc/named.conf
recursion no;
This will stop recursive queries from the DNS server
To disable anonymous logins
# vi /etc/pure-ftpd.conf
Allow Anonymous Logins No
Allowing anonymous FTP logins in generally considered to weaken the security of the server. Setting this option to “No” is recommended.
To disable anonymous uploads
Allow Anonymous Uploads No
Allowing anonymous FTP uploads in generally considered to weaken the security of the server. Setting this option to “No” is recommended.
Setting FTP Maximum number of connection at a time
Maximum Connections 30
Maximum number of FTP connections to accept.
To enable cphulk run this commands on command line
# /usr/local/cpanel/etc/init/startcphulkd
# /usr/local/cpanel/bin/cphulk_pam_ctl –enable
# mysqlcheck -r cphulkd
Or
You can also change this option by going WHM >> Security Center >> cPHulk Brute Force Protection & change from OFF to On.
Fork Bomb Protection denies users who have terminal access (SSH/Telnet) the ability to use all of the resources on the server.
Login to WHM and click on “Shell Fork Bomb Protection” under “Security Center”. Click on “enable protection” to enable Shell Fork Bomb Protection.
Hardening tmp plays a big role in safeguarding your server from external attacks. All applications use the /tmp directory to temporarily store data. If /tmp are not secure, there is a chance to attack the server using Trojans. Temp hardening restricts all activities in / tmp. This prevents the attacker from enforcing the code in the /tmp folder.
# dd if=/dev/zero of=/var/TMP bs=1024 count=524288
# mke2fs j /var/TMP
# mv&amp;nbsp; /tmp /tmp_backup
# mkdir /tmp
# mount -o loop,noexec,nosuid,rw /var/TMP /tmp
# chmod 1777 /tmp
# cp -R /tmp_backup/* /tmp/
# rm -rf /tmp_backup
Rkhunter (Rootkit Hunter) is an open source Unix/Linux based scanner tool for Linux systems released underGPL that scans backdoors, rootkits and local exploits on your systems. It scans hidden files, wrong permissions set on binaries, suspicious strings in kernel etc.
# cd /tmp
# wget&amp;nbsp;http://ncu.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
# tar -xvf rkhunter-1.4.0.tar.gz
# cd rkhunter-1.4.0
# ./installer.sh –layout default –install
# vi /etc/cron.daily/rkhunter.sh
#!/bin/sh
(
/usr/local/bin/rkhunter –versioncheck
/usr/local/bin/rkhunter –update
/usr/local/bin/rkhunter –cronjob –report-warnings-only
) | /bin/mail -s ‘rkhunter Daily Run (PutYourServerNameHere)’ your@email.com
# chmod 755 /etc/cron.daily/rkhunter.sh
# rkhunter –check
There is lot of unnecessary process running on linux server which will slow down the server, we can run the below commands in terminal to stop them all
# echo “ptlink” >> /var/cpanel/killproc.conf
# echo “psyBNC” >> /var/cpanel/killproc.conf
# echo “ircd” >> /var/cpanel/killproc.conf
# echo “guardservices” >> /var/cpanel/killproc.conf
# echo “generic-sniffers” > /var/cpanel/killproc.conf
# echo “eggdrop” >> /var/cpanel/killproc.conf
# echo “bnc” >> /var/cpanel/killproc.conf
# echo “BitchX” >> /var/cpanel/killproc.conf
Compiler Access is used to gain access C or C++ compiler on the server.It is recommended to disable this compiler as Disabling these compilers will result in a more secure server as most of the attacks require a working C or C++ compiler on the server.
Run the command in terminal
# chmod 750 /usr/bin/gcc /usr/bin/i386-redhat-linux-gcc
# chown root:compiler /usr/bin/gcc /usr/bin/i386-redhat-linux-gcc
Install cPguard Plugin – A Complete server security suite
If you are lazy in doing a setup for all the above hardening, you can install cPguard, which is all in one security plugin with artificial intelligence. cPguard security plugin offers fast, light and intuitive protection against viruses and attacks giving you the best protection that’s easy to use and won’t affect server performance.