نمایش نتایج: از شماره 1 تا 1 , از مجموع 1

موضوع: مهمترین اقدامات برای امنیت بالاتر!

  1. #1
    عضو جدید dr.reza2010 آواتار ها
    تاریخ عضویت
    Mar 2012
    نوشته ها
    52
    تشکر تشکر کرده 
    0
    تشکر تشکر شده 
    17
    تشکر شده در
    12 پست

    پیش فرض مهمترین اقدامات برای امنیت بالاتر!

    سلام.


    Content:
    1) Intruduction
    2) cP/WHM Installation and cP/WHM Configuration
    3) The server and it's services | PHP Installation, Optimization & Security
    4) Kernel Hardening | Linux Kernel + Grsecurity Patch
    5) SSH
    6) Firewall | DDoS Protection
    7) Mod_Security
    8) Anti-Virus - ClamAV
    9) Rootkit
    10) The Rest of Shits

    ===================
    | 1) Intruduction |
    ===================

    I wrote a step by step paper how to secure linux server with cP/WHM and
    Apache installed. By default, linux is not secured enough but you have
    to understand there is no such thing as "totally secured server/system".
    The purpose of this paper is to understand how to at least provide some
    kind of security to the server. I prefer lsws web-server without any
    Control Panel at all but for this paper I have used CentOS 5 with cP/WHM
    and Apache web-server installed since a lot of hosting compaines and
    individuals are using it.

    Let's start

    So, you bought the server with CentOS 5 installed. If you ordered cP/WHM together with the server you can skip 2.1 step

    ============================================
    | 2) cP/WHM installation and configuration |
    ============================================
    2.1) cP/WHM Installation
    To begin your installation, use the following commands into SSH:
    root@server [~]# cd /home
    root@server [/home]# wget http://layer1.cpanel.net/latest
    root@server [/home]# ./latest

    -----------------------------------------------------------------------------------------------------
    cd /home - Opens /home directory
    wget http://layer1.cpanel.net/latest - Fetches the latest installation file from the cPanel servers.
    ./latest - Opens and runs the installation files.
    ------------------------------------------------------------------------------------------------------

    cP/WHM should be installed now. You should be able to access cP via
    http://serverip:2082(SSL-2083) or http://serverip/cpanel and WHM via
    http://serverip:2086(SSL-2087) or http://serverip/whm. Let's configure
    it now.

    2.2) cP/WHM Configuration
    Login to WHM using root username/passwd
    http://serverip:2086 or http://serverip/whm

    WHM - Server setup - Tweak Security:
    -------------------------------------
    Enable open_basedir protection
    Disable Compilers for all accounts(except root)
    Enable Shell Bomb/memory Protection
    Enable cPHulk Brute Force Protection

    WHM - Account Functions:
    -------------------------
    Disable cPanel Demo Mode
    Disable shell access for all accounts(except root)

    WHM - Service Configuration - FTP Configuration:
    -------------------------------------------------
    Disable anonymous FTP access

    WHM - MySQL:
    -------------
    Set some MySQL password(Don't set the same password like for the root access)
    -If you don't set MySQL password and if someone upload shell(E.G c99) on
    some site on server he will be able to login into the DB with username
    "root" without password and delete/edit/download any db on that server

    WHM - Service Configuration - Apache Configuration - PHP and SuExec Configuration
    --------------------
    Enable suEXEC - suEXEC = On
    When PHP runs as an Apache Module it executes as the user/group of the
    webserver which is usually "nobody" or "apache". suEXEC changes this so
    scripts are run as a CGI. Than means scripts are executed as the user
    that created them. With suEXEC script permissions can't be set to
    777(read/write/execute at user/group/world level)

    ================================================== =============================
    | 3) The server and it's services | PHP Installation, Optimization & Security |
    ================================================== =============================

    3.1) Keep all services and scripts up to date and be sure that you running the latest secured version.
    On CentOS type this into SSH to upgrade/update services on the server.
    [root@server ~]# yum upgrade
    or
    [root@server ~]# yum update

    3.2) PHP Installation/Update, configuration and optimization + Suhosin patch
    First download what you need, type into SSH the following:
    root@server [~]# cd /root
    root@server [~]# wget http://www.php.net/get/php-5.2.9.tar...om/this/mirror
    root@server [~]# wget http://download.suhosin.org/suhosin-...9.6.3.patch.gz
    root@server [~]# wget http://download.suhosin.org/suhosin-0.9.27.tgz

    Untar PHP
    root@server [~]# tar xvjf php-5.2.9.tar.bz2

    Patch the source
    root@server [~]# gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0

    Configure the source. If you want to use the same config as you used for
    the last php build it's not a problem but you will have to add
    enable-suhosin to old config. To get an old config type this into SSH:
    root@server [~]# php -i | grep ./configure

    root@server [~]# cd php-5.2.9
    root@server [~/php-5.2.9]# ./configure --enable-suhosin + old config(add old config you got from "php -i | grep ./configure" here)
    root@server [~/php-5.2.9]# make
    root@server [~/php-5.2.9]# make install

    Note: If you get an error like make: command not found or patch: Command
    not found, you will have to install "make" and "patch". It can be done
    easly. Just type this into SSH:
    root@server [~]# yum install make
    root@server [~]# yum install patch

    Now check is everything as you want. Upload php script like this on the server:
    <?php
    phpinfo();
    ?>
    And open it via your browser and you will see your PHP configuration there

    3.3) Suhosin
    Now we can install suhosin patch to get better security and performance.
    root@server [~]# tar zxvf suhosin-0.9.27.tgz
    root@server [~]# cd suhosin-0.9.27
    root@server [~/suhosin-0.9.27]# phpize
    root@server [~/suhosin-0.9.27]# ./configure
    root@server [~/suhosin-0.9.27]# make
    root@server [~/suhosin-0.9.27]# make install

    After you installed suhosin you will get something like this: It's installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

    Now edit your php.ini. If you don't know where php.ini located it, type this into SSH.
    root@server [~]# php -i | grep php.ini
    Configuration File (php.ini) Path => /usr/local/lib
    Loaded Configuration File => /usr/local/lib/php.ini

    It means you have to edit /usr/local/lib/php.ini
    Type into SHH:
    root@server [~]# nano /usr/local/lib/php.ini
    If you get an error, nano: Command not found, then:
    root@server [~]# yum install nano

    Find "extension_dir =" and add:
    extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
    To save it, CTRL + O and then Enter button.

    3.4)
    We will install Zend Optimizer to get better perfomance:
    Download Zend Optimizer from Zend Store
    root@server [~]# tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
    root@server [~]# cd ZendOptimizer-3.3.3-linux-glibc23-i386
    root@server [~/ZendOptimizer-3.3.3-linux-glibc23-i386]# ./install.sh
    Welcome to Zend Optimizer installation..... - Press Enter button
    Zend licence agreement... - Press Enter button
    Do you accept the terms of this licence... - Yes, press Enter button
    Location of Zend Optimizer... - /usr/local/Zend, press Enter button
    Confirm the location of your php.ini file...- /usr/local/lib, press Enter button
    Are you using Apache web-server.. - Yes, press Enter button
    Specify the full path to the Apache control utility(apachectl)...-/usr/local/apache/bin/apachectl, press Enter button
    The installation has completed seccessfully...- Press Enter button

    Now restart apache, type this into SSH:
    root@server [~]# service httpd restart

    3.5) php.ini & disabled functions
    Edit php.ini like this:
    root@server [~]# nano /usr/local/lib/php.ini
    ------------------------------------------------------------
    safe_mode = On
    expose_php = Off
    Enable_dl= Off
    magic_quotes = On
    register_globals = off
    display errors = off
    disable_functions = system, show_source, symlink, exec, dl,
    shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd
    -------------------------------------------------------------

    root@server [~]# service httpd restart

    Or you can edit php.ini via WHM:
    WHM - Service Configuration - PHP Configuration Editor

    ================================================== =======
    | 4) Kernel Hardening | Linux Kernel + Grsecurity Patch |
    ================================================== =======

    Description : grsecurity is an innovative approach to security utilizing
    a multi-layered detection, prevention, and containment model. It is
    licensed under the GPL. It offers among many other features:
    -An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your
    entire system with no configuration
    -Change root (chroot) hardening
    -/tmp race prevention
    -Extensive auditing
    -Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
    -Prevention of arbitrary code execution in the kernel
    -Randomization of the stack, library, and heap bases
    -Kernel stack base randomization
    -Protection against exploitable null-pointer dereference bugs in the kernel
    -Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
    -A restriction that allows a user to only view his/her processes
    -Security alerts and audits that contain the IP address of the person causing the alert

    Downloading and patching kernel with grsecurity
    root@server [~]# cd /root
    root@server [~]# wget http://www.kernel.org/pub/linux/kern....6.26.5.tar.gz
    root@server [~]# wget http://www.grsecurity.com/test/grsec...09141715.patch
    root@server [~]# tar xzvf linux-2.6.26.5.tar.gz
    root@server [~]# patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch
    root@server [~]# mv linux-2.6.26.5 linux-2.6.26.5-grsec
    root@server [~]# ln -s linux-2.6.26.5-grsec/ linux
    root@server [~/linux]# cd linux
    root@server [~/linux]# cp /boot/config-`uname -r` .config
    root@server [~/linux]# make oldconfig

    Compile the Kernel:
    root@server [~/linux]# make bzImage
    root@server [~/linux]# make modules
    root@server [~/linux]# make modules_install
    root@server [~/linux]# make install

    Check your grub loader config, and make sure default is 0
    root@server [~/linux]# nano /boot/grub/grub.conf

    Reboot the server
    root@server [~/linux]# reboot

    ==========
    | 5) SSH |
    ==========

    In order to change SSH port and protocol you will have to edit sshd_config
    root@server [~]# nano /etc/ssh/sshd_config

    Change Protocol 2,1 to Protocol 2
    Change #Port 22 to some other port and uncomment it
    Like, Port 1337

    There is a lot of script kiddiez with brute forcers and they will try to crack our ssh pass because they know username is root, port is 22
    But we were smarter, we have changed SSH port
    Also, their "brute forcing" can increase server load, it means our sites(hosted on that server) will be slower

    SSH Legal Message
    edit /etc/motd, write in motd something like this:
    "ALERT! That is a secured area. Your IP is logged. Administrator has been notified"

    When someone login into SSH he will see that message:
    ALERT! That is a secured area. Your IP is logged. Administrator has been notified

    If you want to recieve an email every time when someone logins into SSH as root, edit .bash_profile(It's located in /root directory) and put this at the end of file:
    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" mail@something.com

    And at the end restart SSH, type "service sshd restart" into SSH

    =================================
    | 6) Firewall | DDoS Protection |
    =================================

    6.1) Firewall, CSF Installation
    root@server [~]# wget http://www.configserver.com/free/csf.tgz
    root@server [~]# tar -xzf csf.tgz
    root@server [~]# cd csf

    In order to install csf your server needs to have some ipt modules
    enabled. csftest is a perl script and it comes with csf. You can check
    those mudules with it.
    root@server [~/csf]# ./csftest.pl
    The output should be like this:

    root@server [~/csf]# ./csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing ipt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK

    No worries if you have no all those mudules enabled, csf will work is
    you didn't get any FATAL errors at the end of the output.

    Now, get to installation
    root@server [~/csf]# ./install.sh

    You will have to edit conf.csf file. It's located here:
    /etc/csf/csf.conf

    You need to edit it like this:
    Testing = "0"

    And have to configure open ports in conf.csf or you won't be able to
    access these ports. In most cases it should be configured like this if
    you are using cP/WHM. If you are running something on some other port
    you will have to enable it here. If you changed SSH port you will have
    to enable a new port here:
    # Allow incoming TCP ports
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995 ,207 7,2078,2082,2083,2086,2087,2095,2096"
    # Allow outgoing TCP ports
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2 087, 2089,2703"

    6.2) CSF Connection Limit
    There is in csf.conf CT option, configure it like this
    CT_LIMIT = "200"
    It means every IP with more than 200 connections is going to be blocked.
    CT_PERMANENT = "1"
    IP will blocked permanent
    CT_BLOCK_TIME = "1800"
    IP will be blocked 1800 secs(1800 secs = 30 mins)
    CT_INTERVAL = "60"
    Set this to the the number of seconds between connection tracking scans.

    After conf.csf editing you need to restart csf
    root@server [~# service csf restart

    6.3) SYN Cookies
    Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:
    -----------------------------------
    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    -----------------------------------

    root@server [~/]# service network restart

    6.4) CSF as security testing tool
    CSF has an option "Server Security Check". Go to WHM - Plugins - CSF -
    Test Server Security. You will see additional steps how to secure the
    server even more. I'm writing only about most important things here and
    I covered most of them in the paper but if you want you can follow steps
    provided by CSF to get the server even more secured.

    6.5) Mod_Evasive
    ModEvasive module for apache offers protection against DDoS (denial of service attacks) on your server.

    To install it login into SSH and type

    ---------------------------------------------------------------------------------
    root@server [~]# cd /root/
    root@server [~]# wget http://www.zdziarski.com/projects/mo..._1.10.1.tar.gz
    root@server [~]# tar zxf mode_evasive-1.10.1.tar.gz
    root@server [~]# cd mod_evasive

    then type...
    root@server [~/mod_evasive]# /usr/sbin/apxs -cia mod_evasive20.c
    ---------------------------------------------------------------------------------

    When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)

    --------------------------------
    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    </IfModule>
    --------------------------------

    6.6) Random things:
    csf -d IP - Block an IP with CSF
    csf -dr IP - Unblock an IP with CSF
    csf -s - Start firewall rules
    csf -f - Flush/stop firewall rules
    csf -r - Restart firewall rules
    csf -x - Disable CSF
    csf -e - Enable CSF
    csf -c - Check for updates
    csf -h - Show help screen

    -Block an IP via iptables
    iptables -A INPUT -s 208.131.183.169 -j DROP

    -Unblock an IP via iptables
    iptables -I INPUT -s IP -j ACCEPT

    -See how many IP addresses are connected to the server and how many connections has each of them.
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    ===================
    | 7) Mod_Security |
    ===================

    Mod_Security is a web application firewall and he can help us to secure our sites against RFI, LFI, XSS, SQL Injection etc

    If you use cP/WHM you can easly enable Mod_security in WHM - Plugins - Enable Mod_Security and save

    Now I will explain how to install Mod_security from source.
    You can't install Mod_Security if you don't have libxml2 and http-devel libraries.
    Also, you need to enable mod_unique_id in apache modules, but don't worry, I will explain how to do it

    Login into SSH and type...

    root@server [~]# yum install libxml2 libxml2-devel httpd-devel

    libxml2 libxml2-devel httpd-devel should be installed now

    then you need to edit httpd.conf file, you can find it here:
    root@server [~]# nano /etc/httpd/conf/httpd.conf

    You need to add this in your httpd.conf file
    LoadModule unique_id_module modules/mod_unique_id.so

    Now download the latest version of mod_security for apache2 from ModSecurity: Open Source Web Application Firewall

    login into SSH and type...

    root@server [~]# cd /root/
    root@server [~]# wget http://www.modsecurity.org/download/...e_2.5.6.tar.gz
    root@server [~]# tar zxf modsecurity-apache_2.5.6.tar.gz
    root@server [~]# cd modsecurity-apache_2.5.6
    root@server [~/modsecurity-apache_2.5.6]# cd apache2

    then type:
    root@server [~/modsecurity-apache_2.5.6/apache2]# ./configure
    root@server [~/modsecurity-apache_2.5.6/apache2]# make
    root@server [~/modsecurity-apache_2.5.6/apache2]# make install

    Go at the end of httpd.conf and place an include for our config/rules file...
    Include /etc/httpd/conf/modsecurity.conf

    ---------------------------------------------------------
    # /etc/httpd/conf/httpd.conf

    LoadModule unique_id_module modules/mod_unique_id.so
    LoadFile /usr/lib/libxml2.so
    LoadModule security2_module modules/mod_security2.so
    Include /etc/httpd/conf/modsecurity.conf
    ---------------------------------------------------------

    You need to find good rules for Mod_Security. You can find them at
    official Mod_Security site. Also, give a try to gotroot.com rules. When
    you find a good rules, just put them in /etc/httpd/conf/modsecurity.conf

    And restart httpd at the end, type "service httpd restart" into SSH

    ==========================
    | 8) Anti-Virus - ClamAV |
    ==========================

    You need AV protection to protect the server against worms and trojans
    invading your mailbox and files! Just install clamav (a free open source
    antivirus software for linux). More information can be found on clamav
    website - http://www.clamav.net

    In order to install CLamAV login into SSH and type

    root@server [~]# yum install clamav

    Once you have installed clamav for your CentOS, here are some basic commands you will need:

    Update the antivirus database
    root@server [~]# freshclam

    Run antivirus
    root@server [~]# clamscan -r /home

    Running as Cron Daily Job
    To run antivirus as a cron job (automatically scan daily) just run
    crontab -e from your command line. Then add the following line and save
    the file.
    @daily root clamscan -R /home

    It means clamav will be scanning /home directory every day. You can change the folder to whatever you want to scan.


    ==============
    | 9) Rootkit |
    ==============

    Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools.
    This tool scans for rootkits, backdoors and local exploits by running tests like:
    -MD5 hash compare
    -Look for default files used by rootkits
    -Wrong file permissions for binaries
    -Look for suspected strings in LKM and KLD modules
    -Look for hidden files
    -Optional scan within plaintext and binary files

    Instalation:

    Login into SSH and type

    root@server [~]# cd /root/
    root@server [~]# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
    root@server [~]# tar -zxvf rkhunter-1.2.7.tar.gz
    root@server [~]# cd rkhunter-1.2.7
    root@server [~rkhunter-1.2.7]# ./installer.sh

    Scan the server with rkhunter
    root@server [~]# rkhunter -c

    =========================
    | 10) The Rest of Shits |
    =========================

    10.1) Random suggestions

    If you use bind DNS server then we need to edit named.conf file
    named.conf is located here: /etc/named.conf

    and add
    recursion no; under Options
    ----------------------------
    Options{
    recursion no;
    ----------------------------

    Now restart bind, type into SSH
    root@server [~]# service named restart

    This will prevent lookups from dnstools.com and similar services and reduce server load

    In order to prevent IP spoofing, you need to edit host.conf file like this:
    This file is located here: /etc/host.conf
    Add that in host.conf
    ------------------
    order bind,hosts
    nospoof on
    ------------------

    Hide the Apache version number:

    edit httpd.conf (/etc/httpd/conf/httpd.conf)
    -----------------------
    ServerSignature Off
    -----------------------

    Disable telnet:

    Edit file: /etc/xinetd.d/telnet
    ------------------
    disable = yes
    ------------------

    10.2) Passwords
    Don't use the same password you are using for the server on some other places.
    When the Datacenter contacts you via e-mail or phone, always request
    more informations. Remember, someone alse could contact you to get some
    information or even root passwords.

    10.3) Random thoughts
    No matter what you need to secure the server, don't think you are safe
    only because you are not personally involved in any shits with
    "hackers". When you are hosting hacking/warez related sites you are the
    target. There is no such thing as totally secured server. Most important
    things are backups, make sure you will always have an "up-to-date"
    offsite backups ^^

    Anyhow, this is the end of my paper, I hope it will help you to get some
    kind of security to your server
    vps uk ba poshtbani 24saate
    www.atilhost.ir
    dr.reza2010@yahoo.com
    09353556922


  2. تعداد تشکر ها از dr.reza2010 به دلیل پست مفید


  3. # ADS




     

اطلاعات موضوع

کاربرانی که در حال مشاهده این موضوع هستند

در حال حاضر 1 کاربر در حال مشاهده این موضوع است. (0 کاربران و 1 مهمان ها)

مجوز های ارسال و ویرایش

  • شما نمیتوانید موضوع جدیدی ارسال کنید
  • شما امکان ارسال پاسخ را ندارید
  • شما نمیتوانید فایل پیوست کنید.
  • شما نمیتوانید پست های خود را ویرایش کنید
  •