4) Install Brute Force Detection, from the makers of APF. What is BFD (Brute Force Detection)?

BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet, and likewise it is very straightforward in its installation, configuration and usage. The reason behind BFD is very simple: there are few, if any, authentication and brute force auditing programs in the Linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php
Requirements before installing BFD:
- You MUST have APF Firewall installed before installing BFD - it works with APF and requires some of APF's files to operate properly.
- You need to have Root SSH access to your server
Login to your server through SSH and "su" to the root user.
1. cd /root/downloads or to another temporary folder where you want to store your download files.
2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
3. tar -xvzf bfd-current.tar.gz
4. cd bfd-0.5
5. Run the install file: ./install.sh
You will receive a message saying it has been installed
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
6. Let's edit the configuration file: pico /usr/local/bfd/conf.bfd
7. Enable brute force hack attempt alerts:
Find: ALERT_USR="0" CHANGE TO: ALERT_USR="1"
Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="you@exampledomain.com"
Save the changes: Ctrl+X then Y
8. Prevent locking yourself out!
Type: pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs (if you have static IPs)
e.g. 10.0.1.1
Save the changes: Ctrl+X then Y
BFD uses APF's CLI insert feature and as such will override any allow_hosts.rules entries users have in place. So be sure to add your trusted IP addresses to the ignore file to prevent locking yourself out.
9. Run the program!
/usr/local/sbin/bfd -s
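To make the log-parsing idea concrete, here is a small added example (not BFD's own code) that does in miniature what BFD does: it counts sshd "Failed password" lines per source address, skips anything listed in the ignore file, and reports addresses at or over a threshold. The log lines and the 10.0.1.1 ignore entry are constructed; BFD would hand a reported address to APF for banning.

```shell
#!/bin/sh
# Added example, not BFD's own code: parse sshd "Failed password" lines,
# count failures per source IP, skip IPs listed in an ignore file, and
# report those at or over a threshold. BFD would then pass the IP to APF.

# Constructed sample log lines (not from a real server).
SAMPLE_LOG='Jan  5 10:01:02 web sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan  5 10:01:05 web sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan  5 10:01:09 web sshd[2105]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan  5 10:02:11 web sshd[2110]: Failed password for bob from 10.0.1.1 port 40001 ssh2
Jan  5 10:02:15 web sshd[2112]: Failed password for bob from 10.0.1.1 port 40002 ssh2
Jan  5 10:02:19 web sshd[2114]: Failed password for bob from 10.0.1.1 port 40003 ssh2
Jan  5 10:03:00 web sshd[2120]: Accepted password for bob from 198.51.100.9 port 40010 ssh2
Jan  5 10:03:30 web sshd[2122]: Failed password for bob from 198.51.100.9 port 40011 ssh2'

# Trusted addresses, as you would list them in /usr/local/bfd/ignore.hosts (constructed).
IGNORE_HOSTS='10.0.1.1'

# Print "count ip" for every IP whose failure count reaches the threshold,
# excluding ignored hosts.  $1 = log text, $2 = threshold, $3 = ignore list
offenders() {
    printf '%s\n' "$1" \
    | grep 'sshd\[[0-9]*\]: Failed password' \
    | sed 's/.* from \([0-9.]*\) port .*/\1/' \
    | sort | uniq -c \
    | while read -r count ip; do
        if printf '%s\n' "$3" | grep -qx "$ip"; then
            continue    # trusted host: never report or ban it
        fi
        if [ "$count" -ge "$2" ]; then printf '%s %s\n' "$count" "$ip"; fi
      done
}

offenders "$SAMPLE_LOG" 3 "$IGNORE_HOSTS"
```

With the threshold of 3, only 203.0.113.7 is reported; 10.0.1.1 also has three failures but is protected by the ignore list.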



5) Disable Direct Root Login.
This will force you to log in as another user (in cPanel the user must be in the wheel group) and then su to root. This helps to protect the server from 'wanna-be' hackers.
If you're using cPanel make sure you add a new user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.
Set up another user if you haven't already got one:
1. Type: groupadd newuser
2. Type: useradd -g newuser newuser
3. Type: passwd newuser (and enter the new password when prompted)
On a CPanel system, you must add the new user to the wheel group via WHM "Manage Wheel Group Users".
After you have done this, you will have to login as newuser and then you will do 'su - root' to get to root.
Now copy and paste the following line to edit the necessary file for SSH logins
pico -w /etc/ssh/sshd_config
You should now be in the actual file - find the line
Protocol 2, 1
Uncomment this line and change it to look like this:
Protocol 2
As the next step find the line
PermitRootLogin yes
Uncomment that line and make it look like
PermitRootLogin no
Save and exit the file with Ctrl+X and then Y then enter
Now restart SSH
/etc/rc.d/init.d/sshd restart
From now on nobody will be able to login directly as root. To gain root access you will need to login as a different user and then switch to root.


6) Disable Telnet Access. Telnet is not secure, and your password is sent in plain text, so don't use it! Disable it now and forever and use SSH instead.
1. Login to your server through SSH and su to root.
2. Type pico /etc/xinetd.d/telnet
3. Look for the line: disable = no and replace with disable = yes
4. Now restart the inetd service: /etc/rc.d/init.d/xinetd restart
5. Also turn it off through chkconfig, because it can otherwise still be started through that:
/sbin/chkconfig telnet off


7) Force SSH Protocol 2.
pico -w /etc/ssh/sshd_config
Find the line '#Protocol 2, 1' and uncomment it and change it to look like 'Protocol 2'
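Both the PermitRootLogin change in 5) and the Protocol change here only take effect once the line is uncommented. The following added check (not part of the original guide) reads an sshd_config text the way sshd does, first uncommented occurrence wins, and reports whether the two settings are really in force before you restart sshd. The BEFORE and AFTER samples are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: check sshd_config text for the
# two settings this guide changes. A line that is still commented out
# (leading '#') is NOT in effect; that is what leaves root login enabled.

# Print the effective value of option $2 in config text $1.
# sshd uses the first uncommented occurrence; later duplicates are ignored.
effective() {
    printf '%s\n' "$1" \
    | grep -i "^[[:space:]]*$2[[:space:]]" \
    | head -n 1 \
    | awk '{print $2}'
}

# Return 0 only if root login is off and protocol 1 is not offered.
hardened() {
    [ "$(effective "$1" PermitRootLogin)" = "no" ] &&
    [ "$(effective "$1" Protocol)" = "2" ]
}

# Constructed sample: the state of the file before editing.
BEFORE='#Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: after the edits from steps 5) and 7).
AFTER='Protocol 2
PermitRootLogin no
PasswordAuthentication yes'

for cfg in "$BEFORE" "$AFTER"; do
    if hardened "$cfg"; then echo "ok: root login disabled, protocol 2 only"
    else echo "NOT hardened: fix sshd_config before restarting sshd"; fi
done
```

Run it against the real file with hardened "$(cat /etc/ssh/sshd_config)" from a second, still-open SSH session, so a mistake cannot lock you out.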


8) Disable cPanel Demo Mode
9) Disable normal user Shell Access
You can disable shell access for all your hosting clients from WHM. It's a good habit to disable it by default. Nowadays shell access is not really needed by hosting clients. You can still enable it on a per-account basis if really needed.


10) Enable SUEXEC
Enable SuExec from WHM. Quick and easy.


11) Receive an e-mail when someone logs in as root.
It can be very useful to know when/if somebody logs in as root to your server. This helps you to keep track of authorized and valid logins and to alert you in cases where a login is not authorized. It is recommended to use an off-site email address for this in case an attacker gains access to your email account on the server after logging in.
1. Login to your server and (as always) su to root.
2. cd /root
3. pico .bashrc
4. Scroll down to the end of the file and then add the following:
echo 'ALERT - Root Shell Access (YourServerName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourexternaldomain.com
Replace YourServerName with the handle for your actual server.
Replace you@yourexternaldomain.com with your actual email address at an off-site email account.
5. Ctrl + X then Y to save and close the file
Now log out of SSH, close the connection and log back in! You should receive the root login alert email within a few minutes of logging in.
Please keep in mind: this will not magically alert you when a hacker runs the latest kernel exploit on your server and logs into SSH, because they will create their own SSH/telnet connection, something you won't even know about until it is too late. Keep your system up to date and follow common security practice.
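The one-liner above takes the source address from the whole output of who, so with several people logged in the subject lists every session, and a console login has no "(host)" part at all. Here is an added variant (not the guide's own line) that builds the subject from a single session record and falls back to "local-console" when no remote host is present; the two who lines are constructed.

```shell
#!/bin/sh
# Added example, not the original guide's one-liner: build the root-login
# alert subject from the login record of one session, and handle the case
# where there is no remote host (console login) instead of emitting junk.

# $1 = one line of `who` output. Prints the host shown in parentheses,
# or "local-console" if the line carries none.
login_source() {
    case "$1" in
        *\(*\)*) printf '%s\n' "$1" | sed 's/.*(\(.*\)).*/\1/' ;;
        *)       echo local-console ;;
    esac
}

# $1 = server handle, $2 = who line. Prints the subject line to give mail -s.
alert_subject() {
    printf 'Alert: Root Access on %s from %s\n' "$1" "$(login_source "$2")"
}

# Constructed sample session records (not real logins).
REMOTE='root     pts/0        2024-01-05 10:03 (198.51.100.9)'
CONSOLE='root     tty1         2024-01-05 10:05'

alert_subject web01 "$REMOTE"
alert_subject web01 "$CONSOLE"

# In root's .bashrc you would feed it the current session, for example:
#   echo "ALERT - Root Shell Access on: $(date)" \
#     | mail -s "$(alert_subject "$(hostname)" "$(who am i)")" you@yourexternaldomain.com
```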


12) Set a MySQL Root Password
This can be done in WHM - either during the server setup or manually. Use a password that is different from your system root password.


13) Show a legal message for Shell access
Even though it does not actively protect your machine, for legal purposes and prosecution it might be useful to display a legal message to anyone who logs on to your server via the shell. Example of such a message:
This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked and will be prosecuted. Any illegal services run by a user or attempts to take down this server or its services will be reported to local law enforcement. Anyone using this system consents to these terms.
How do you set up this kind of message on your system? Log on to your system from the shell, su to root and type the following:
pico -w /etc/motd
Type your message and hit ctrl + x and Y to save the message. Logoff from the system and log back on again to see the results.


14) Stay secure
Sign up to the free email alerts at http://secunia.com/ - you will receive security alerts for all kinds of software and operating systems. You will not need all of these in most cases, but at least you won't miss any major security issue that is published.
Run a rootkit checker on a regular basis.
You can get a rootkit checker from http://www.chkrootkit.org as free software. Rkhunter (http://www.rootkit.nl/) is another rootkit checking tool available free of charge. Run it against your system once or twice a month.