Finally. You got the dedicated server you always wanted. Now you're a real webhost. No more reseller accounts. Yeah ... ;-) BUT - now all the responsibility for keeping that server up and running is on your shoulders. The very first thing to do after getting your server is to make it secure.
But how do you do that? If you are an experienced Linux system admin this will be a piece of cake. But if you are just Joe Average and know only a little Linux this can be quite a challenging task. You can buy a book and read up on it but that takes time. You can hire a Linux System Administrator but that is not cheap and you do not know if you can trust somebody that you don't know. Two companies that got recommended to us are

http://www.rackaid.com and http://www.easyservermanagement.com

However - we have not used these companies for our own needs. Judging by user feedback on several web hosting forums, they seem to be reliable. Please do proper research before hiring anyone.

Anyway - if you have at least a little Linux knowledge and are good at coming up to speed on new things fairly quickly - here's a quickstart guide on how to secure your own server. The good thing is - this will give you a good level of security to start with. Don't stop after you are done with the steps provided here. Security is an ongoing process and this guide is just opening the tool box for you.
Legal Advisory: Please be aware that we provide the information below with no guarantees. If you do not feel confident doing these steps - hire somebody. We cannot be held liable for problems arising from using the steps below. We tried to research these things as thoroughly as possible but everyone can make a mistake ....


1) Get Putty as your SSH client. Don't use telnet - it's not secure. Putty.exe is vital in running and managing a dedicated server.






2) Get a good understanding of the most basic linux commands. Without the knowledge about these basic commands you will have a hard time getting stuff done:
How to change directories?
Type: cd <directory name>
Type: cd .. (Go back up one level)
How to check file permissions?
Type: ls -l (This will show permissions for all files in a specific directory)
How to check disk space?
Type: df -m (This will show the available disk space info on all drives)
How to see all the files in a directory?
Type: ls
How to check all running services?
Type: ps -xa
How to view the contents of a text file?
Type: cat <filename>
How to edit a file?
Type: pico <filename>
How to debug a cgi script?
Go to the directory the file in question is in.
Type: ./filename.cgi
Read the output, and fix errors based on output result.
How to execute a program, but send it to the background?
Execute the command as normal but add an "&" at the end.
How to bring a program back from the background?
Type: fg
How to know what your CPU information is?
Type: cat /proc/cpuinfo
How to know what your memory information is?
Type: cat /proc/meminfo
How to find out information about your hard drives?
Type: fdisk -l


3) Install a Firewall. This is a guide to installing APF (Advanced Policy Firewall - http://www.rfxnetworks.com/apf.php).

APF Site Description of the software:
APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux.
Summary of features:
- global port configuration via simple config file
- configurable policies for each ip on the system [global config overrides]
- powerful postrouting rules for FWMARK and TOS
- plug-in friendly for QoS [CBQ/HTB]
- antidos subsystem to stop DOS attacks before they become a significant threat
- dshield.org block list support to ban networks exhibiting suspicious activity
- advanced set of sysctl parameters for TCP stack hardening
- advanced set of filter rules to remove undesired traffic
- easy to use firewall management script
- trust based rule files (allow/deny); with advanced syntax support
Make /usr/src the current working directory.
cd /usr/src
Obtain the most current version of APF.
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
Remove the tar.gz file.
rm -f apf-current.tar.gz
Locate the APF directory.
ls -la
Look for a directory named apf-#.#/ where #.# represents the version number of APF being installed
(APF version 0.9.4-5 would be in a directory named apf-0.9.4-5/ and version 0.9.4 would be in a directory named apf-0.9.4/)
Make the APF directory the current working directory.
Use the directory name you located earlier when extracting the software.
Note that the numbers will change as new versions are released.
cd apf-0.9.4-5
Run the APF install.
sh ./install.sh
You will receive a message saying it has been installed:
.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
Make /etc/apf the current working directory.
cd /etc/apf
Edit the conf.apf file as desired.
pico -w conf.apf
This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
In order for this firewall to work properly you have to edit/add/delete ports.
These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
If you have changed any ports, please modify them below and add/remove as needed.
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,9999,10000,3000_3500"
Please note that ports 2082 to 2095 are mostly used by cPanel and WHM, and port 19638 is only used by Ensim. Port 9999 might be used for Urchin.
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Turn on DShield.org's "block" list of top networks that have exhibited
FIND: USE_DS="0" //(0=disabled)
CHANGE TO: USE_DS="1"
After you have finished editing the port list and turned on DShield, save the file and test APF.
Save the changes: Ctrl+X, then Y to save, then Enter to confirm.
Starting the firewall
/usr/local/sbin/apf -s
or
service apf start


If APF is functioning properly and you are not locked out, edit conf.apf again.
pico -w conf.apf
Set the DEVM parameter to 0
DEVM="0"
Once done, exit and save the file.
Save the changes: Ctrl+X, then Y to save, then Enter to confirm.
Restart APF
service apf restart
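
A check you can run on the finished conf.apf before restarting, written for this guide as an added example (it is not part of APF). It flags a port list that is empty or wrapped across lines, a malformed entry such as "9 93", an inbound TCP list that does not cover your SSH port, and USE_DS or DEVM values that differ from the ones set above. The function names and the --demo sample are made up for this example.

```shell
# Added example (not part of APF): lint a finished conf.apf against this guide.

conf_get() {         # FILE KEY: print the value of a single-line KEY="value"
    sed -n "s/^[[:space:]]*$2=\"\\([^\"]*\\)\".*/\\1/p" "$1" | tail -n 1
}

port_range() {       # ENTRY: set lo/hi for "80" or "3000_3500"; fail if malformed
    case $1 in ''|*[!0-9_]*|_*|*_|*_*_*|*[0-9][0-9][0-9][0-9][0-9][0-9]*) return 1 ;; esac
    lo=${1%%_*}; hi=${1##*_}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

first_bad_entry() {  # LIST: print the first malformed entry; fail if there is none
    old_ifs=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$old_ifs
    for e in "$@"; do port_range "$e" || { printf '%s\n' "$e"; return 0; }; done
    return 1
}

list_has_port() {    # LIST PORT: succeed if PORT is listed or falls inside a range
    want=$2; old_ifs=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$old_ifs
    for e in "$@"; do
        port_range "$e" && [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ] && return 0
    done
    return 1
}

check_apf_conf() {   # FILE [SSH_PORT]: succeed only when nothing is flagged
    conf=$1; ssh_port=${2:-22}; problems=0
    for key in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        list=$(conf_get "$conf" "$key")
        if [ -z "$list" ]; then echo "FAIL $key: empty, missing or wrapped across lines"
        elif bad=$(first_bad_entry "$list"); then echo "FAIL $key: bad entry '$bad'"
        else continue; fi
        problems=$((problems + 1))
    done
    list_has_port "$(conf_get "$conf" IG_TCP_CPORTS)" "$ssh_port" ||
        { echo "FAIL inbound TCP list does not cover SSH port $ssh_port"; problems=$((problems + 1)); }
    [ "$(conf_get "$conf" USE_DS)" = 1 ] || { echo "FAIL USE_DS is not 1"; problems=$((problems + 1)); }
    [ "$(conf_get "$conf" DEVM)" = 0 ] || { echo "FAIL DEVM is not 0"; problems=$((problems + 1)); }
    echo "$problems problem(s) in $conf"
    [ "$problems" -eq 0 ]
}

demo() {             # constructed sample: "9 93" is a garbled 993, DEVM is still 1
    f=$(mktemp); printf '%s\n' 'IG_TCP_CPORTS="22,80,9 93"' 'IG_UDP_CPORTS="53"' \
        'EG_TCP_CPORTS="25,80"' 'EG_UDP_CPORTS="53"' 'USE_DS="1"' 'DEVM="1"' > "$f"
    check_apf_conf "$f"; rc=$?; rm -f "$f"; return "$rc"
}

case ${1:-} in '') ;; --demo) demo ;; *) check_apf_conf "$@" ;; esac
```

Save it as a script and pass it /etc/apf/conf.apf, plus your SSH port as a second argument if you moved SSH off port 22.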
Enabling connections for server monitoring.
Some service providers that offer monitoring need access to your server, and giving them access without setting off alarms, firewalls etc. is a good thing. Just be careful which IP(s) you put in here.
To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
At the very end of the file add this line
xx.xx.xx.xx/24
Of course replace the xx.xx.xx.xx with the IP address provided to you by your data center.
Make APF Start automatically at boot time
To autostart apf on reboot, run this:
chkconfig --level 2345 apf on
To remove it from the autostart function, run this command:
chkconfig --del apf