Protecting cPanel Servers From Common Attacks
Here we will cover some steps to take to help protect servers from common attacks.
Main Topics
Local security measures
Protecting against common remote attacks
Having and following a Security Policy
Make sure existing users have decent passwords
Crack your own users’ passwords using JTR or crack. Preferably run the crackers on a dedicated machine, not the server, due to load.
Turning off unrequired daemons in xinetd
Check /etc/xinetd.conf
Check /etc/xinetd.d/*
Common ones are cupsd (printing daemon), nfs/statd (unless using NFS-mounted filesystems), and the gpm and xfs services
Find locally running processes
Often script kiddies will launch backdoor scripts on the server using vulnerable php scripts; bad clients or hacked accounts will be used to launch IRC bots / bouncers.
`ps auxww`
`lsof -n`
Try to find processes hidden by a rootkit, such as
mpid=`sysctl kernel.pid_max | cut -d " " -f 3`; for i in `seq 1 $mpid`; do test -f /proc/$i/cmdline && (echo -n "[$i] "; strings /proc/$i/cmdline; echo); done
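The one-liner above prints every PID that has a /proc entry, which you then have to compare with ps by eye. The script below is an added example, not from the original page: it takes the same /proc walk, diffs it against what ps reports, and prints only the PIDs that /proc knows about but ps does not, together with their command lines. The environment variable RUN_HIDDEN_SCAN and the file names are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original page): walk /proc by PID number and compare
# with what ps reports. A process hidden by a rootkit that hooks ps/readdir still
# has a /proc/<pid> directory that can be opened by number, so any PID present in
# /proc but absent from ps deserves a closer look.

# list_proc_pids: PIDs that have a directory under /proc
list_proc_pids() {
    for d in /proc/[0-9]*; do
        echo "${d#/proc/}"
    done
}

# list_ps_pids: PIDs as reported by ps
list_ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids PROC_FILE PS_FILE: print the PIDs in PROC_FILE (one per line) that do
# not appear in PS_FILE. grep exits 1 when there is nothing to print; treat that as
# success so callers running under set -e are not killed by an empty result.
hidden_pids() {
    grep -vxF -f "$2" "$1" || [ $? -eq 1 ]
}

# scan_hidden: take the two snapshots and report hidden PIDs with their command
# lines. /proc is listed first so a process started during the scan is not
# reported; a process that exits between the snapshots is dropped by the recheck.
scan_hidden() {
    proc_list=$(mktemp); ps_list=$(mktemp)
    list_proc_pids > "$proc_list"
    list_ps_pids > "$ps_list"
    hidden_pids "$proc_list" "$ps_list" | while read -r pid; do
        [ -d "/proc/$pid" ] || continue
        printf '[%s] ' "$pid"
        # cmdline is NUL-separated; a rootkit may also block reading it
        tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || printf '(cmdline unreadable)'
        echo
    done
    rm -f "$proc_list" "$ps_list"
}

# Run the live scan only when asked for, e.g.:  RUN_HIDDEN_SCAN=1 sh hidden_pids.sh
if [ -n "${RUN_HIDDEN_SCAN:-}" ]; then
    scan_hidden
fi
```

An empty report is not proof of a clean system: a kernel-level rootkit can hide the /proc directory as well, which is why the checksum and rootkit scanners in the IDS section below are still needed. A non-empty report is a starting point for the lsof and netstat checks, not a verdict.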
Login Access
Setting login access definitions
/etc/login.defs
Expire passwords after PASS_MAX_DAYS
Set the minimum password length with PASS_MIN_LEN
Set the number of days before a password expires at which a reminder is sent with PASS_WARN_AGE
There are more options that are well documented in the default file
/etc/hosts.allow and /etc/hosts.deny
Suggest using a firewall instead, as it will protect all services, not just the ones written to obey the rules set in the hosts.* files.
Shell limits
Setting resource limits for shell accounts. Set in /etc/security/limits.conf. Protects against fork bombs and out-of-control applications and scripts. Will want to start out very lax and make stricter after testing with current settings, as need arises.
Example settings:
@users hard nofile 500
@users hard cpu 30
@users hard nproc 150
@users soft nproc 100
@users hard rss 50000
@users - maxlogins 3
nobody hard nofile 16384
Permissions
Find all world writable files and directories
find / \( -perm -o+w \) ! -type l >> world_writable.txt
Reveals target locations an attacker can use to store their files. Fixing bad perms breaks some poorly written php/cgi scripts. Leave (/var)/tmp alone; secure it with /scripts/securetmp.
Find all setuid/gid files
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >> suid_files.txt
Many files need these elevated permissions; do not “fix” without knowing exactly how it will affect the system (sudo, su, mount, traceroute, etc.).
Find all files with no owner/group
find / -nouser -o -nogroup
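The three find commands above as a small audit script, added here as an example and not part of the original page. It builds the caveat from the text into the world-writable check (a sticky, world-writable directory such as /tmp is expected and is skipped), stays on one filesystem with -xdev, and includes a constructed sample tree under mktemp -d so the checks can be exercised without touching a real server; the sample paths and the AUDIT_ROOT variable are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): the three permission audits from
# the text as functions over a directory tree, with the page's caveat built in:
# a sticky world-writable directory such as /tmp is expected and is not reported.

# world_writable DIR: files and directories anyone can write to, excluding
# symlinks (their mode bits are meaningless) and sticky directories (/tmp-style,
# where the sticky bit stops users from deleting each other's files).
world_writable() {
    find "$1" -xdev ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print
}

# setuid_setgid DIR: regular files that run with the owner's or group's privileges
setuid_setgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# unowned DIR: files whose uid or gid no longer maps to an account, typically
# left behind by a deleted user; whoever later gets the same uid inherits them.
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print
}

# build_sample_tree: constructed sample tree under mktemp -d (assumption: these
# are not real server paths). Prints the root directory it created.
build_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/home/alice/public_html" "$root/home/alice/cache" "$root/tmp" "$root/bin"
    : > "$root/home/alice/public_html/upload.php"
    chmod 0666 "$root/home/alice/public_html/upload.php"   # world-writable file: reported
    chmod 0777 "$root/home/alice/cache"                     # world-writable dir, no sticky bit: reported
    chmod 1777 "$root/tmp"                                  # sticky world-writable dir: left alone
    : > "$root/bin/su"
    chmod 4755 "$root/bin/su"                               # setuid file: reported by setuid_setgid
    echo "$root"
}

# audit_all DIR: run the three checks, one report file per check, as in the text
audit_all() {
    world_writable "$1" > world_writable.txt
    setuid_setgid "$1" > suid_files.txt
    unowned "$1" > unowned_files.txt
    wc -l world_writable.txt suid_files.txt unowned_files.txt
}

# Audit a real tree only when asked for, e.g.:  AUDIT_ROOT=/ sh perm_audit.sh
if [ -n "${AUDIT_ROOT:-}" ]; then
    audit_all "$AUDIT_ROOT"
fi
```

Keep the report files from a known-good state and diff new runs against them; a setuid binary or world-writable directory that was not there last week is far more interesting than the full list.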
Mount Points
Use the "nosuid" option when mounting /tmp and /home. Consider "noexec" on /tmp after cPanel installation. Use /scripts/securetmp to have /tmp mounted nosuid,noexec from a temporary file.
IDS / Basic Forensics
Tripwire
Monitors checksums of files, reports when they have changed. A good way of helping ensure files are not replaced by rootkits/trojans/etc
Commercial : http://www.tripwire.com
OSS Branch: http://sourceforge.net/projects/tripwire
Chkrootkit
http://www.chkrootkit.org
Scans system for common signs of rootkits, backdoors, lkm, etc.
Rkhunter
http://www.rootkit.nl/projects/rootkit_hunter.html
Same as chkrootkit
Logwatch
http://www.logwatch.org
Scans through logs and emails a daily report of system activity
Remote Attacks
Bound ports
Find out what programs are listening on what ports
netstat -nap
Backdoor scripts/irc apps are usually launched from a writable directory, /tmp or in the user’s directory. Most will bind to a port and wait for connections, some will “call home” in an attempt to get around P/NAT firewalling
/proc tunables
tcp syn cookies
Helps protect against SYN flood DoS attacks
sysctl -w net.ipv4.tcp_syncookies=1
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Firewalling
ipchains/iptables
Suggest using APF or similar if not familiar with iptables, for ease of use and quality protection
Be sure to enable all the ports cPanel requires:
http://faq.cpanel.net/show.cgi?qa=108499296901804
Apache
Almost all attacks are against poorly coded web-based applications. PHP makes poor programming easy to pull off, and most target scripts are written in PHP. Backdoors, shell-imitation scripts, etc. can be launched to give full shell access to the server, even if the account has no shell access itself.
Enable open_basedir protection in WHM
This will stop some scripts from accessing other user accounts.
Enable suexec for perl scripts, phpsuexec for php scripts
This allows tracking of scripts and forces them to run as the user of the account, rather than the “nobody” user.
Enforces sane permissions and environment, such as not running if world writable or in a world-writable directory. Greatly helps when tracking exploited scripts used by spammers.
Keeps users from doing stuff like
system("killall -11 httpd");
Enable "safe_mode" for php
Edit the relevant php.ini
php -i |grep php.ini
safe_mode = On
Edit “disable_functions” for php
disable_functions = exec, shell_exec, system, passthru, popen, virtual, show_source, readfile, pclose
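A quick way to confirm the setting actually made it into the file, as an added example that is not part of the original page: the script parses a php.ini, lists what its active disable_functions line disables, and reports any name from the list above that is missing. The sample php.ini excerpt is constructed for the example (note the commented-out line and the irregular spacing). This checks the file only; the authoritative view of what PHP loaded is `php -i`, which prints both Loaded Configuration File and disable_functions, since a different php.ini may be in effect.

```shell
#!/bin/sh
# Added example (not from the original page): check a php.ini against the
# disable_functions list given in the text. Parses the file only; confirm the
# running configuration with `php -i`.

# Functions the text says to disable
REQUIRED_DISABLED="exec shell_exec system passthru popen virtual show_source readfile pclose"

# Constructed sample php.ini excerpt (assumption: not a real server's file)
SAMPLE_INI='; php.ini excerpt
safe_mode = Off
;disable_functions = exec, shell_exec, system, passthru, popen, virtual, show_source, readfile, pclose
disable_functions = exec, shell_exec,system , passthru
'

# disabled_functions FILE: names on active (uncommented) disable_functions lines,
# one per line, with surrounding whitespace removed
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# missing_disabled FILE: names from REQUIRED_DISABLED that FILE does not disable
missing_disabled() {
    for fn in $REQUIRED_DISABLED; do
        disabled_functions "$1" | grep -qx "$fn" || echo "$fn"
    done
}

# check_ini FILE: one-line report; returns 1 when something is still enabled
check_ini() {
    missing=$(missing_disabled "$1")
    if [ -z "$missing" ]; then
        echo "$1: all required functions disabled"
        return 0
    fi
    echo "$1: not disabled:" $missing
    return 1
}

# Demo run on the constructed sample; on a server use the path from `php -i`
demo_ini=$(mktemp)
printf '%s' "$SAMPLE_INI" > "$demo_ini"
check_ini "$demo_ini" || true
rm -f "$demo_ini"
```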
Using mod_security
Can be installed in WHM in the addons section.
Main website at http://www.modsecurity.org/
General Policy
Give users a jailshell rather than a full-fledged shell.
Have clients use sftp, scp, smtp+ssl, pop+ssl and https://site.tld/cpanel whenever possible to avoid plain-text passwords.
Use SSHv2 only, as SSHv1 is decryptable on the fly.
Change root/admin passwords frequently, using a mix of upper/lowercase letters, numbers and symbols.
Constantly monitor logs.

