نمایش نتایج: از شماره 1 تا 4 , از مجموع 4

موضوع: چکونگی امن کردن سرور اختصاصی

  1. #1
    مدیر کل Vahid آواتار ها
    تاریخ عضویت
    Aug 2008
    نوشته ها
    2,724
    تشکر تشکر کرده 
    435
    تشکر تشکر شده 
    6,958
    تشکر شده در
    2,085 پست

    پیش فرض چکونگی امن کردن سرور اختصاصی

    Finally. You got the dedicated server you always wanted. Now you're a real webhost. No more reseller accounts. Yeah .... ;-). BUT - now all the responsibility in keeping that server up and running is up on your shoulders. The very first things after getting your server is to make it secure.
    But how do you do that? If you are an experienced Linux system admin this will be a piece of cake. But if you are just Joe Average and know only a little Linux this can be quite a challenging task. You can buy a book and read up on it but that takes time. You can hire a Linux System Administrator but that is not cheap and you do not know if you can trust somebody that you don't know. Two companies that got recommended to us are

    http://www.rackaid.com and http://www.easyservermanagement.com

    (if you would like to advertise your services here - please contact us).

    However- we have not used these companies for our needs. They seem to be reliable from user feedback on several web hosting related forums. Please do proper research before hiring anyone.

    Anyway - if you have at least a little Linux knowledge and are good in coming up to speed on new things fairly quick - here's a quickstart guide of how to secure your own server. The good thing is - this will give you a good level of security to start with. Don't stop after you are done with the steps provided here. Security is an ongoing process and this guide is just opening the tool box for you.
    Legal Advisory: Please be aware that we provide the information below with no guarantees. If you feel not confident to really do these steps - hire somebody. We cannot be held liable for problems arising when using the steps below. We tried to research these things as thorough as possible but everyone can make a mistake ....


    1) Get Putty as your SSH client. Don't use telnet - it's not secure. Putty.exe is vital in running and managing a dedicated server.






    2) Get a good understanding of the most basic linux commands. Without the knowledge about these basic commands you will have a hard time getting stuff done:
    How to hange directories?
    Type: cd <directory name>
    Type: cd .. (Go back up one level)
    How to check file permissions?
    Type: ls -l (This will show permissions for all files in a specific directory)
    How to check disk space?
    Type: df -m (This will show the available disk space info on all drives)
    How to see all the files in a directory?
    Type: ls
    How to check all running services?
    Type: ps -xa
    How to view the contents of a text file?
    Type: cat <filename>
    How to edit a file?
    Type: pico <filename>
    How to debug a cgi script?
    Goto the directory the file in question is in.
    Type: ./filename.cgi
    Read the output, and fix errors based on output result.
    How to execute a program, but send it to the background?
    Execute the command as normal but add an "&" at the end.
    How to bring a program back from the background?
    Type: fg
    How to know what your CPU information is?
    Type: cat /proc/cpuinfo
    How to know what your memory information is?
    Type: cat /proc/meminfo
    How to find out information about your hard drives?
    Type: fdisk -l


    3) Install a Firewall. This is a guide to instal APF (Advanced Policy Firewall - http://www.rfxnetworks.com/apf.php).

    APF Site Description of the software:
    APF is a policy based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. Packaged in tar.gz format and RPM formats, make APF ideal for deployment in many server environments based on Linux.
    Summary of features:
    - global port configurtion via simple config file
    - configurable policies for each ip on the system [global config overrides]
    - powerfull postrouting rules for FWMARK and TOS
    - plug-in friendly for QoS [CBQ/HTB]
    - antidos subsystem to stop DOS attacks before they become a significant threat
    - dshield.org block list support to ban networks exhibiting suspicious activity
    - advanced set of sysctl parameters for TCP stack hardening
    - advanced set of filter rules to remove undesired traffic
    - easy to use firewall managment script
    - trust based rule files (allow/deny); with advanced syntax support
    Make /usr/src the current working directory.
    cd /usr/src
    Obtain the most curent verison of APF.
    wget http://rfxnetworks.com/downloads/apf-current.tar.gz
    Expand the APF tar.gz file.
    tar -xvzf apf-current.tar.gz
    Remove the tar.gz file.
    rm -f apf-current.tar.gz
    Locate the APF directory.
    ls -la
    Look for a directory named apf-#.#/ where #.# represents the version number of APF being installed
    (APF version 0.9.4-5 would be in a directory 0.9.4-5 / and version 0.9.4 would be in a directory named apf-0.9.4)
    Make the APF directory the current working directory.
    Use the directory name you located earlier when extracting the software.
    Note that the numbers will change as new versions are released.
    cd apf-0.9.4-5
    Run the APF install.
    sh ./install.sh
    You will receive a message saying it has been installed .:
    APF installed Install path: /etc/apf Config path: /etc/apf/conf.apf Executable path: /usr/local/sbin/apf
    Make /etc/apf the current working directory.
    cd /etc/apf
    Edit the conf.apf file as desired.
    pico -w conf.apf
    This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
    In order for this firewall to work properly you have to edit/add/delete ports.
    These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
    If you have changed any ports, please modify them below and add/remove as needed.
    # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,9 93,995,2082,2083,2086,
    2087,2095,2096,3306,9999,10000,3000_3500"
    please note that ports 2082 to port 2095 is mostly used by cpanel, WHM, and port 19638 is only use in
    ensim. Port 9999 might be used for Urchin.
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="20,21,53,1040"
    Common egress (outbound) ports
    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,25,80,443,43,2089"
    #
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53"

    Turn on DShield.org's "block" list of top networks that have exhibited
    FIND: USE_DS="0" //(0=disabled)
    CHANGE TO: USE_DS="1"
    After you have finished editing the port list and turned on DShield save the file and test APF.
    Save the changes: Ctrl+X then Y to save enter to confirm
    Starting the firewall
    /usr/local/sbin/apf -s
    or
    service apf start


    If APF is functioning properly and you are not locked out edit the conf.apf again


    pico -w conf.apf
    Set the DEVM parameter to 0
    DEVM="0"
    Once done Exit and save the file.
    Save the changes: Ctrl+X then Y to save enter to confirm
    Restart APF
    service apf restart
    Enabling connections for server monitoring.
    Some service providers that offer monitoring need access to your server, and access without setting off alarms, firewalls etc. is a good thing. Just becareful which IP(s) you put in here.
    To allow connections from xx.xx.xx.xx/24
    pico -w /etc/apf/allow_hosts.rules
    At the very end of the file add this line
    xx.xx.xx.xx/24
    Of course replace the xx.xx.xx.xx with the IP address provided to you by your data center.
    Make APF Start automatically at boot time
    To autostart apf on reboot, run this:
    chkconfig --level 2345 apf on
    To remove it from the autostart function, run this command:
    chkconfig --del apf
    برای پیش رفت در علم آسانسوری وجود ندارد پله ها را باید پیاده رفت /./ همیشه این یادتان باشد که دست بالای دست بسیار است.
    يادمان باشد براي يك بار ايستادن صد ها بار افتاده ايم /./ بک آپ مهمترین رمز موفقیت هاستینگ /./ امنیت مطلق نیست.
    ارتباط مستقیم با من :
    Admin -{(@)}- WebHostingTalk . ir

  2. # ADS




     

  3. #2
    مدیر کل Vahid آواتار ها
    تاریخ عضویت
    Aug 2008
    نوشته ها
    2,724
    تشکر تشکر کرده 
    435
    تشکر تشکر شده 
    6,958
    تشکر شده در
    2,085 پست

    پیش فرض

    4) Install Brute Force Detection, from the makers of APF. What is BFD (Brute Force Detection)?

    BFD is a modular shell script for parsing applicable logs and checking for authentication failures. There is not much complexity or detail to BFD yet and likewise it is very straight-forward in its installation, configuration and usage. The reason behind BFD is very simple; the fact there is little to no authentication and brute force auditing programs in the linux community that work in conjunction with a firewall or real-time facility to place bans. BFD is available at: http://www.rfxnetworks.com/bfd.php
    Requirements before installing BFD:
    - You MUST have APF Firewall Installed before installig BFD - it works with APF and requires some of APF files to properly operate.
    - You need to have Root SSH access to your server
    Login to your server through SSH and "su" to the root user.
    1. cd /root/downloads or to another temporary folder where you want to store your download files.
    2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
    3. tar -xvzf bfd-current.tar.gz
    4. cd bfd-0.5
    5. Run the install file: ./install.sh
    You will receive a message saying it has been installed
    .: BFD installed
    Install path: /usr/local/bfd
    Config path: /usr/local/bfd/conf.bfd
    Executable path: /usr/local/sbin/bfd
    6. Lets edit the configuration file: pico /usr/local/bfd/conf.bfd
    7. Enable brute force hack attempt alerts:
    Find: ALERT_USR="0" CHANGE TO: ALERT_USR="1"
    Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="you@exampledomain.com"
    Save the changes: Ctrl+X then Y
    8. Prevent locking yourself out!
    pico -w /usr/local/bfd/ignore.hosts and add your own trusted IPs (if you have static IP's)
    Eg: 10.0.1.1
    Save the changes: Ctrl+X then Y
    BFD uses the APF' cli insert feature
    and as such will override any allow_hosts.rules entries users have in-place.
    So be sure to add your trusted ip addresses to the ignore file to prevent
    locking yourself out.
    9. Run the program!
    /usr/local/sbin/bfd -s



    5) Disable Direct Root Login.
    This will force you to login as another user in (in cpanel the user must be in the wheel group), and then su to root. This helps to protect the server from 'wanna-be' hackers.
    If you're using cPanel make sure you add a new user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.
    Set up anotheruser if you haven't already got one:
    1. Type: groupadd newuser
    2. Type: useradd newuserr -gnewuser
    3. Type: passwd newuser passwordhere
    On a CPanel system, you must add the new user to the wheel group via WHM "Manage Wheel Group Users".
    After you have done this, you will have to login as newuser and then you will do 'su - root' to get to root.
    Now copy and paste the following line to edit the necessary file for SSH logins
    pico -w /etc/ssh/sshd_config
    You should now be in the actual file - find the line
    Protocol 2, 1
    Uncomment this line and change it to look like this:
    Protocol 2
    As the next step find the line
    PermitRootLogin yes
    Uncomment that line and make it look like
    PermitRootLogin no
    Save and exit the file with Ctrl+X and then Y then enter
    Now restart SSH
    /etc/rc.d/init.d/sshd restart
    From now on nobody will be able to login directly as root. To gain root access you will need to login as a different user and then switch to root.


    6) Disable Telnet Access. Telnet is not secure, and your password is sent in plain text, so don't use it! Disable it now and forever and use SSH isntead.
    1. Login to your server through SSH and su to root.
    2. Type pico /etc/xinetd.d/telnet
    3. Look for the line: disable = no and replace with disable = yes
    4. Now restart the inetd service: /etc/rc.d/init.d/xinetd restart
    5. Also - Turn it off through chkconfig as well because it can still start through hat.
    /sbin/chkconfig telnet off


    7) Force SSH Protocol 2.
    Force SSH Protocol 2
    pico -w /etc/ssh/sshd_config
    Find the line '#Protocol 2, 1' and uncomment it and change it to look like 'Protocol 2'


    8) Disable cPanel Demo Mode
    Disable cPanel Demo Mode
    9) Disable normal user Shell Access


    You can disable shell access for all your hosting clients from WHM. It's a good habit to disable it by default. Nowadays shell access is not really needed by hosting clients. You can still enable it on a single base if really needed.


    10) Enable SUEXEC
    Enable SuExec from WHM. Quick and easy.


    11) Receive an e-mail when someone logs in as root.
    It can be very useful to know when/if somebody logs in as root to your server. This helps you to keep track of authorized and valid logins and to alarm you in cases it is not authorized. It is recommended to use an off-site email address for this in case an attacker will gain access to your email account on the server after login in.
    1. Login to your server and (as always) su to root.
    2. cd /root
    3. pico .bashrc
    4. Scroll down to the end of the file and then add the following:
    echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" you@yourexternaldomain.com
    Replace YourServerName with the handle for your actual server
    Replace you@yourexternaldomain.com with your actual email address at an off-site email account.
    5. Ctrl + X then Y to save and close the file
    Now logout of SSH, close the connection and log back in! You should receive an email address of the root login alert within few minutes after login in.
    Please keep in mind - This will not magically alert you when a hacker runs the latest kernel exploit on your server and logs into SSH because they will create their own SSH/telnet connection - something you won't even know about until it is too late. Keep your system up to date and follow common security practice.


    12) Set a MySQL Root Password
    This can be done in WHM - either during the server setup or manually. Make it a different password as compared to your root password.


    13) Show a legal message for Shell access
    Even if it does not actively protects your machine - for legal purposes and prosecution it might be useful to display a legal message for anyone who logs on to your server via Shell. Example of such a message:
    This computer system is for authorized users only. All activity is logged and regulary checked by systems personal. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked and will be prosecuted. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement. Anyone using this system consents to these terms.
    How to set up this kind of a message on your system? Logon to your system from the Shell. SU to root and type the following:
    pico -w /etc/motd
    Type your message and hit ctrl + x and Y to save the message. Logoff from the system and log back on again to see the results.


    14) Stay secure
    Sign up to the free email alerts at http://secunia.com/ - you will receive security alerts for all different kind of software and operating systems. You will not need all of these in most case but at least you won't miss any major security issue published.
    Run A Root Kit Checker on a regular base.
    You can get a root kit checker from http://www.chkrootkit.org as free software. Rkhunter is another root kit checking tool available free of charge. http://www.rootkit.nl/ Run it against your system once or twice a month.
    برای پیش رفت در علم آسانسوری وجود ندارد پله ها را باید پیاده رفت /./ همیشه این یادتان باشد که دست بالای دست بسیار است.
    يادمان باشد براي يك بار ايستادن صد ها بار افتاده ايم /./ بک آپ مهمترین رمز موفقیت هاستینگ /./ امنیت مطلق نیست.
    ارتباط مستقیم با من :
    Admin -{(@)}- WebHostingTalk . ir

  4. #3
    مدیر کل Vahid آواتار ها
    تاریخ عضویت
    Aug 2008
    نوشته ها
    2,724
    تشکر تشکر کرده 
    435
    تشکر تشکر شده 
    6,958
    تشکر شده در
    2,085 پست

    پیش فرض

    سوالی بود من در خدمتم
    برای پیش رفت در علم آسانسوری وجود ندارد پله ها را باید پیاده رفت /./ همیشه این یادتان باشد که دست بالای دست بسیار است.
    يادمان باشد براي يك بار ايستادن صد ها بار افتاده ايم /./ بک آپ مهمترین رمز موفقیت هاستینگ /./ امنیت مطلق نیست.
    ارتباط مستقیم با من :
    Admin -{(@)}- WebHostingTalk . ir

  5. تعداد تشکر ها از Vahid به دلیل پست مفید


  6. #4
    عضو دائم nimafire آواتار ها
    تاریخ عضویت
    Aug 2008
    محل سکونت
    تهران - اصفهان
    نوشته ها
    1,510
    تشکر تشکر کرده 
    208
    تشکر تشکر شده 
    3,207
    تشکر شده در
    1,869 پست

    پیش فرض

    البته اینا مثل این هست که یه دوچرخه داشته باشیم بخوایم راهش بندازیم.باید باد لاستیکش رو تنظیم کنیم.
    این امن کردن هم مال سال 2004 هست.
    به نظر من اصلا کار خاصی نیست

اطلاعات موضوع

کاربرانی که در حال مشاهده این موضوع هستند

در حال حاضر 1 کاربر در حال مشاهده این موضوع است. (0 کاربران و 1 مهمان ها)

موضوعات مشابه

  1. پاسخ ها: 2
    آخرين نوشته: December 7th, 2016, 20:17
  2. پاسخ ها: 0
    آخرين نوشته: October 21st, 2016, 23:26
  3. پاسخ ها: 15
    آخرين نوشته: August 30th, 2014, 19:39
  4. پاسخ ها: 0
    آخرين نوشته: April 8th, 2014, 04:40
  5. پاسخ ها: 13
    آخرين نوشته: November 20th, 2012, 17:02

مجوز های ارسال و ویرایش

  • شما نمیتوانید موضوع جدیدی ارسال کنید
  • شما امکان ارسال پاسخ را ندارید
  • شما نمیتوانید فایل پیوست کنید.
  • شما نمیتوانید پست های خود را ویرایش کنید
  •