

HOW TO: Secure and Optimize...




Posted by frynge, 12-09-2005, 09:07 PM
I hope Elix doesn't mind me posting his great VPS OPTIMIZING techniques. I have posted them at the bottom. These techniques can definitely help you, but remember, use them at your own risk. If you don't know what you're doing, research it before attempting it.


SECURING CPANEL - WHM - AND ROOT on a VPS

This will help but as mentioned in previous posts, with a VPS you do not have access to your kernel. That is good in some ways, because if you don't have access to it, neither do hackers or spammers (which limits what they can do). It's bad in ways, because you lose control and if you secure your box as much as possible, you are still at risk because you cannot control your kernel.

At any rate, here are some helpful hints

=========================================
Checking for formmail
=========================================

Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using Matt's script or a version of it, you may be in jeopardy.


Command to find pesky form mails:
find / -name "[Ff]orm[mM]ai*"

CGIemail is also a security risk:
find / -name "[Cc]giemai*"

Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).

(this disables all form mail)

If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.


=========================================
Root kit checker - http://www.chkrootkit.org/
=========================================

Check for root kits and even set a root kit check on a cron job. This will show you if anyone has compromised your root. Always update chkrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *a lot* of files, possibly causing you to have to reinstall.


To install chkrootkit, SSH into server and login as root.
At command prompt type:

cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense


To run chkrootkit

At command prompt type:
/root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Execution

I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more


=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hacker's/spammer's IP address and be warned someone is in there.


Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.


At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.


Set an SSH Legal Message

To set an SSH legal message, SSH into server and login as root.

At command prompt type:
pico /etc/motd

Enter your message, save and exit.
Note: I use the following message...

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.



=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings
Check the following items...

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

=========================================
More Security Measures
=========================================

These are measures that can be taken to secure your server, with SSH access.

Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.


Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.

SSH into server and login as root.
Note: You can download Putty by Clicking Here (http://www.chiark.greenend.org.uk/~s.../download.html). It's a clean running application that will not require installation on Windows-boxes.

At command prompt type:
pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number, AND do not use 5678 lol)

Uncomment and change
#Protocol 2, 1
to look like
Protocol 2

Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.

Now restart SSH
At command prompt type:
/etc/rc.d/init.d/sshd restart

Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.

After SSH has been redirected, disable telnet.

Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: pico -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart


Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.


Disable identification output for Apache

(do this to hide version numbers from potential hackers)

To disable the version output for proftp, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to
ServerSignature Off

Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart



=========================================
Install BFD (Brute Force Detection - optional)
=========================================

To install BFD, SSH into server and login as root.

At command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh

After BFD has been installed, you need to edit the configuration file.

At command prompt type:
pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:
Find
ALERT_USR="0"
and change it to
ALERT_USR="1"

Find
EMAIL_USR="root"
and change it to
EMAIL_USR="your@email.com"

Save the changes then exit.

To start BFD

At command prompt type:
/usr/local/sbin/bfd -s


Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf

Scroll down to
MailTo = root
and change to
Mailto = your@email.com
Note: Set the e-mail address to an offsite account in case you get hacked.

Now scroll down to
Detail = Low
Change that to Medium, or High...
Detail = 5 or Detail = 10
Note: High will give you more detailed logs with all actions.

Save and exit.

A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
--------------------------------------------------
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
--------------------------------------------------
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.

--------------------------------------------------
Set Up A More Secure SSH Environment As described here.
--------------------------------------------------
Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinetd with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as 'emergency' messages.

in.telnetd : ALL : severity emerg

--------------------------------------------------
Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:
cp /etc/services /etc/services.original
Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
smtp 25/tcp mail
domain 53/tcp # name-domain server
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
imap 143/tcp imap2 # Interim Mail Access Proto v2
https 443/tcp # MCom
smtps 465/tcp # SMTP over SSL (TLS)
syslog 514/udp
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
cpanel 2082/tcp
cpanels 2083/tcp
whm 2086/tcp
whms 2087/tcp
webmail 2095/tcp
webmails 2096/tcp
mysql 3306/tcp # MySQL
Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
--------------------------------------------------
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
Logwatch can be found at: http://www.logwatch.org
Install instructions here.
--------------------------------------------------
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
--------------------------------------------------
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
--------------------------------------------------
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.
--------------------------------------------------
Check Open Ports
From time to time it's worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn't installed, it can be selected from root WHM's Install an RPM option.
--------------------------------------------------
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
--------------------------------------------------
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview.
--------------------------------------------------
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's description of what it does:
"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "
Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.
--------------------------------------------------
Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
--------------------------------------------------
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:

chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

You will need to enable them again when you need to perform system updates. To do this, run:

chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

--------------------------------------------------
Obfuscate The Apache Version Number
1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:

ServerSignature Off

3. Add a line underneath that which reads:

ServerTokens ProductOnly

4. Hit CTRL+X, then y, then enter to save the file.
5. Restart Apache with: /etc/rc.d/init.d/httpd restart
--------------------

COMMON COMMANDS I USE
System Information
who
List the users logged in on the machine.

rwho -a
List all users logged in on your network. The rwho service must be enabled for this command to work.

finger user_name
System info about a user. Try: finger root

last
This lists the users last logged-in on your system.

history | more
Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.

pwd
Print working directory, i.e. display the name of your current directory on the screen.

hostname
Print the name of the local host (the machine on which you are working).

whoami
Print your login name.

id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.

date
Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command

date 123123572000
To set the hardware clock from the system clock, use the command (as root)
setclock

time
Determine the amount of time that it takes for a process to complete, plus other info. Don't confuse it with the date command. E.g., we can find out how long it takes to display a directory's content using time ls

uptime
Amount of time since the last reboot

ps
List the processes that have been run by the current user.

ps aux | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.

top
Keep listing the currently running processes, sorted by cpu usage (top users first).

uname -a
Info on your server.

free
Memory info (in kilobytes).

df -h
Print disk info about all the file systems in a human-readable form.

du / -bh | more
Print detailed disk usage for each subdirectory starting at root (in a human readable form).

lsmod
(as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.

set|more
Show the current user environment.

echo $PATH
Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.

dmesg | less
Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. - only works on dedicated systems

Commands for Process control
ps
Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
each with the name of the owner. Use top to keep listing the processes currently running.

fg PID
Bring a background or stopped process to the foreground.

bg PID
Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z

any_command &
Run any command in the background (the symbol '&' means run the command in the background).

kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.

killall -9 program_name
Kill program(s) by name.

xkill
(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)

lpc
(as root) Check and control the printer(s). Type ??? to see the list of available commands.

lpq
Show the content of the printer queue.

lprm job_number
Remove a printing job job_number from the queue.

nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.

renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).


Optimizing your VPS server (help it run more efficiently)


Quote:
Originally Posted by elix
VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!

MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
Code:
 
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb
 
[mysqld_safe]
open_files_limit = 8192
 
[mysqldump]
quick
max_allowed_packet = 16M
 
[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M

In order to make things even faster, you can customize these settings specifically for your VPSs' usage. There's a great howto on InterWorx's forum for this --> http://www.interworx.com/forums/showthread.php?p=2346

Lastly, I recommend installing mytop to help you monitor your usage...
Code:
wget http://dll.elix.us/mytop-1.4.tar.gz
tar -zxvf mytop-1.4.tar.gz
cd mytop-1.4
perl Makefile.PL
make
make test
make install
Once that's done, just enter in "mytop".

PHP & Apache Optimization
I strongly recommend installing eAccelerator. There's an easy to follow howto here: http://forum.ev1servers.net/showthre...t=eaccelerator. If you use the default cache dir for eAccelerator (/tmp/eaccelerator) make sure you check it regularly and clean it every once in a while. (it can really get quite large from my experience)

For httpd.conf I suggest:
Timeout 200
KeepAlive On
maxKeepAliveRequests 100
KeepAliveTimeout 3
MinSpareServers 10
MaxSpareServers 20
StartServers 15
MaxClients 250
MaxRequestsPerChild 0
HostnameLookups Off

You can use ab to benchmark your Apache before and after you make changes.

ab -c 5 -n 20 http://somephpbasedsiteonyourserver.com/file.php

I suggest doing 2 or 3 tests like that to get an average.

If you want to check the Apache error log, try this -->
cat /usr/local/apache/logs/error_log

Monitoring Usage
On a Virtuozzo VPS you can use cat /proc/user_beancounters to output your usage of the VZ parameters. You should pay most attention to oomguarpages and privvmpages. (although anything with a failure is generally bad)

You can find the amount of connections to Apache with this command:
netstat -nt | grep :80 | wc -l

To find the amount of Apache processes use this command:
ps -A | grep httpd | wc -l (this will show the process count)
ps -aux | grep httpd (this will show the actual processes)

To find the amount of MySQL processes use this command:
ps -A | grep mysql | wc -l (this will show the process count)
ps -aux | grep mysql (this will show the actual processes)

Just simply using top (standard view) or top -c (will show the actual command being used and/or location of each process as opposed to just the name) can help you monitor your VPS usage very well.

To see your disk space usage, try using this command --> df -h

Mitigating (D)DOS
If you're being DDOS'd or DOS'd you can use this command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will help you see how many connections each IP address has in total to your server.

There's a very decent script you can use to automate the banning of IP addresses available here --> http://forums.deftechgroup.com/showthread.php?t=825

Although I haven't tried it myself, I suggest you take a look at Scrutinizer as well which sounds very useful --> http://www.solutix.ch/cgi-bin/index.pl

Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on "Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done.

cPanel Tweak Settings
Login to WHM as root, and under "Server Configuration" on the nav bar hit "Tweak Settings".

Here are some suggested settings:
Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
- Use "FAIL". If you already have some accounts setup not to use "FAIL" (by default it will not) then run this command to convert to FAIL from BLACKHOLE --> perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*

Mailman
- Mailman tends to use a lot of resources, so if you don't need cpanel mailing lists then uncheck this.

Number of minutes between mail server queue runs (default is 60).:
- You may want to set this to 180 to reduce load.

Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)
- This is just generally a good idea. So check this.

Analog Stats
- I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command --> rm -rf /home/*/tmp/analog/*

Awstats Reverse Dns Resolution
- Make sure this is unchecked, I find it pretty much useless for most users.

Awstats Stats
- You can check this if you need a robust stats software that integrates with cPanel, if you don't need it, then don't check it. *Note most hosting clients will want to use this. If you want to delete the existing awstats stats files just run this command --> rm -rf /home/*/tmp/awstats/*

Webalizer Stats
- Not many hosting clients will want to use this so, you can uncheck this to reduce load. If you want to delete the existing webalizer stats files just run this command --> rm -rf /home/*/tmp/webalizer/*

Delete each domain's access logs after stats run
- Make sure this is checked, otherwise disk space usage can really rack up!

That's about it for now, I may do some more later....

Hope it helps!
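The sshd_config edits from the "Restrict SSH Access" section above, as an added shell example that is not part of frynge's post: it applies Port, Protocol 2, ListenAddress and PermitRootLogin no to a copy of the file with awk, then verifies that each directive is active once and uncommented before you would restart sshd. The port 2222, the address 192.0.2.15, the sample config fragment and the function names are all constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sshd_config changes the
# thread describes to a copy of the file, then verify them before any restart.

# Constructed fragment of a stock sshd_config with the commented-out defaults.
SAMPLE_SSHD_CONFIG='# constructed stock sshd_config fragment
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
X11Forwarding yes'

# set_directive FILE NAME VALUE: turn the first "NAME ..." line (commented or not)
# into "NAME VALUE", drop any later NAME lines so the directive appears once, and
# append the directive if the file never mentioned it.
set_directive() {
  file=$1; name=$2; value=$3
  if grep -q "^#*[[:space:]]*$name[[:space:]]" "$file"; then
    awk -v n="$name" -v v="$value" '
      { line = $0; sub(/^#*[[:space:]]*/, "", line) }
      line ~ ("^" n "[[:space:]]") { if (!done) { print n " " v; done = 1 }; next }
      { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$name" "$value" >> "$file"
  fi
}

# directive_value FILE NAME: the active (uncommented) value, or empty if none.
directive_value() {
  awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT ADDRESS: the four changes from the post.
harden_sshd_config() {
  set_directive "$1" Port "$2"
  set_directive "$1" Protocol 2
  set_directive "$1" ListenAddress "$3"
  set_directive "$1" PermitRootLogin no
}

# check_sshd_config FILE: 0 when every directive is active with a hardened value,
# 1 otherwise, naming what is wrong. Run this before restarting sshd: a wrong
# ListenAddress or Port on a remote VPS locks you out.
check_sshd_config() {
  f=$1; rc=0
  port=$(directive_value "$f" Port)
  [ -n "$port" ] && [ "$port" != 22 ] || { echo "Port unset or still 22"; rc=1; }
  [ "$(directive_value "$f" Protocol)" = 2 ] || { echo "Protocol is not 2"; rc=1; }
  [ "$(directive_value "$f" PermitRootLogin)" = no ] || { echo "PermitRootLogin is not no"; rc=1; }
  case "$(directive_value "$f" ListenAddress)" in
    ""|0.0.0.0|::) echo "ListenAddress not bound to a single IP"; rc=1 ;;
  esac
  return $rc
}

# Usage on the constructed sample (port and address are placeholders).
WORK=$(mktemp)
trap 'rm -f "$WORK" "$WORK.tmp"' EXIT
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$WORK"
check_sshd_config "$WORK" || echo "-- stock config fails the check, as expected"
harden_sshd_config "$WORK" 2222 192.0.2.15
check_sshd_config "$WORK" && cat "$WORK"
```

To use it on a real box, copy /etc/ssh/sshd_config somewhere, run harden_sshd_config and check_sshd_config on the copy, and only then move it into place and restart sshd from a session you keep open until the new port answers.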
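The per-IP connection count from the "Mitigating (D)DOS" section, as an added shell example that is not from the thread: the same netstat pipeline wrapped in functions and run over constructed netstat -ntu output so it can be tested offline. It goes slightly beyond the one-liner by skipping the header lines (which the original counts as if they were addresses) and by stripping only the trailing port, so IPv6 addresses survive. The sample lines, the addresses and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the thread's per-IP connection count,
# wrapped in functions and run over constructed `netstat -ntu` output so it can be
# tested offline before being pointed at a live box.

# Constructed sample of `netstat -ntu` output (header lines included, as the real
# command prints them; addresses are from documentation ranges).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.22:44000     ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:60001        ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.10:60002        ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40000     ESTABLISHED'

# connections_per_ip: netstat output on stdin -> "count address", ascending.
# Differences from the thread's one-liner: header lines are skipped (it counted
# the words "Foreign" and "Address" as hosts) and only the trailing :port is
# removed, so IPv6 addresses keep their colons instead of collapsing to "".
connections_per_ip() {
  awk '$1 ~ /^(tcp|udp)6?$/ { sub(/:[0-9]+$/, "", $5); print $5 }' \
    | sort | uniq -c | sort -n
}

# top_talker: the address with the most connections.
top_talker() {
  connections_per_ip | tail -n 1 | awk '{ print $2 }'
}

# count_for_ip ADDRESS: connections from one address (0 if absent).
count_for_ip() {
  connections_per_ip | awk -v ip="$1" '$2 == ip { c = $1 } END { print c + 0 }'
}

# ips_over_threshold N: addresses holding more than N connections, one per line.
# These are candidates to look at, not a ban list: a busy NAT gateway or a
# legitimate crawler can exceed a low threshold, so check before acting.
ips_over_threshold() {
  connections_per_ip | awk -v n="$1" '$1 > n { print $2 }'
}

# Usage on the constructed sample; on a live server replace the printf with
#   netstat -ntu | connections_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | connections_per_ip
printf '%s\n' "$SAMPLE_NETSTAT" | ips_over_threshold 2
```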

Posted by layer0, 12-09-2005, 09:22 PM
Hey - I don't mind it at all

Posted by simplestar, 12-16-2005, 08:10 PM
Frynge, terrific job putting this together!

Posted by Apoc, 12-21-2005, 07:08 PM
Great post, but you forgot the two most important things to secure a VPS (or server):

- You need a firewall (highly recommend APF)
- You need to secure the /tmp partition so that no scripts can run

Posted by zeca40, 12-26-2005, 07:56 AM
Great post, good to have all this in one place.

Question1: how to update chkrootkit? Do I need to remove the existing copy first?

Question2: My sysadmin says that they don't recommend APF on VPS.

Quote:
APF kind of works but you have to watch it. If you get over 2000 rules, it pukes out. We don't recommend it.
Will BFD work without APF?

Posted by layer0, 12-26-2005, 10:45 AM
Quote:
Originally Posted by zeca40
Great post, good to have all this in one place.

Question1: how to update chkrootkit? Do I need to remove the existing copy first?

Question2: My sysadmin says that they don't recommend APF on VPS.



Will BFD work without APF?
Not sure about 1 - but for 2) I don't recommend having over 1000 firewall rules, so your sysadmin is 'tentatively' correct, however I have never personally seen APF puke out from average use. Thus if your VPS provider supports it, I'd go with using APF.

BFD integrates with APF so I don't think it'll work without it. But, I could be wrong there.

Posted by zeca40, 12-26-2005, 11:20 AM
Quote:
Thus if your VPS provider supports it, I'd go with using APF.
Yes, APF will work on their VPS servers. Thanks.

Posted by jpetersen, 12-26-2005, 06:32 PM
BFD does not require APF to run, and works fine on VDS servers by itself.

Posted by frynge, 12-27-2005, 08:30 PM
Quote:
Originally Posted by zeca40
Great post, good to have all this in one place.

Question1: how to update chkrootkit? Do I need to remove the existing copy first?

Question2: My sysadmin says that they don't recommend APF on VPS.



Will BFD work without APF?
Thanks!

About chkrootkit. The command I gave you above, installs the latest version. I think they just name the latest version that name, so when you untar it, it opens in to a new folder each time...

So when you want to get the new version, just simply repeat the steps on getting it and untarring it without changing the command line and you're set.

Thanks for more info on this. It's very important to keep your server secure, so these spammers and hackers quickly check your security and move on to easier targets.

Keep adding to this thread so we can create a full security database for VPS'!

Posted by frynge, 12-27-2005, 08:51 PM
Quote:
Originally Posted by Apoc
Great post, but you forgot the two most important things to secure a VPS (or server):

- You need a firewall (highly recommend APF)
- You need to secure the /tmp partition so that no scripts can run
Can you give details on how to secure /tmp ?

I assume a chmod?

Thanks!

Posted by alexrobonlin, 01-03-2006, 09:24 PM
This is a very useful thread- thanks!

Posted by apollo, 01-25-2006, 04:28 PM
Quote:
Originally Posted by frynge
Can you give details on how to secure /tmp ?

I assume a chmod?

Thanks!

http://www.webhostingtalk.com/showthread.php?t=292259

Posted by zeca40, 01-30-2006, 06:43 AM
Quote:
BFD does not require APF to run, and works fine on VDS servers by itself.
Question: Will BFD be able to block attacks without having APF? Or will it only detect the attack but not block the attacker?

I have BFD installed but not APF and on my alerts I see:
Code:
Executed ban command:
/etc/apf/apf -d 210.0.215.4 {bfd.sshd}
I figure that this does nothing since there is no APF to execute the command, correct?

Posted by Vince2006, 02-01-2006, 01:52 AM
Anyone know if the pangeia link is down? I am logged into my server as root and run the instructions for installing chkrootkit and get the message: Connecting to ftp.pangea.com/| 204.251... etc but nothing happens... the site just appears to time out... Is there somewhere else to get chkrootkit.tar? All of my Google searches default back to pangeia...

Vince

Posted by zeca40, 02-02-2006, 07:00 AM
Just to answer my own question: to use BFD without APF you need to change the conf.bfd file to use hosts.deny rather than APF. This works great.

Change this:
Code:
BCMD="/etc/apf/apf -d $ATT_HOST {bfd.$MOD}"
To this:
Code:
BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny"
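An added shell example, not part of zeca40's post or of BFD itself, showing a safer form of that ban command: the address is validated as a dotted quad before anything is written, an existing entry is not duplicated, and the target file is a parameter so the function can be exercised on a temp file instead of the real /etc/hosts.deny. The function names and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from BFD: a safer form of the ban command
#   BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny"
# The address is validated before anything is written, an existing entry is not
# duplicated, and the file is a parameter so the function can be tried on a
# temp file instead of the real /etc/hosts.deny.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0-255, so that
# nothing but an address can end up inside a TCP Wrappers rule.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# deny_host ADDR FILE: append "ALL: ADDR" to FILE unless it is already listed.
# Returns 0 when the address is denied afterwards, 1 when ADDR was rejected.
deny_host() {
  addr=$1; file=$2
  is_ipv4 "$addr" || { echo "deny_host: not an IPv4 address: $addr" >&2; return 1; }
  esc=$(printf '%s\n' "$addr" | sed 's/\./\\./g')   # dots are literal in the regex
  if grep -Eq "^ALL[[:space:]]*:[[:space:]]*$esc([[:space:]]|$)" "$file" 2>/dev/null; then
    return 0                                        # already denied
  fi
  printf 'ALL: %s\n' "$addr" >> "$file"
}

# denied_count FILE: number of ALL: entries, as a quick sanity check of the file.
denied_count() {
  grep -c '^ALL[[:space:]]*:' "$1" 2>/dev/null || true
}

# Usage on a temp file standing in for /etc/hosts.deny (addresses are constructed).
DENY=$(mktemp)
trap 'rm -f "$DENY"' EXIT
deny_host 203.0.113.7 "$DENY"
deny_host 203.0.113.7 "$DENY"          # second call is a no-op
deny_host 300.1.1.1 "$DENY" || echo "rejected, as expected"
echo "entries: $(denied_count "$DENY")"
cat "$DENY"
```

In conf.bfd this would be wired in by pointing BCMD at a script containing these functions and calling deny_host "$ATT_HOST" /etc/hosts.deny; the duplicate check matters because BFD fires repeatedly for a persistent source, and the validation matters because the value comes straight out of parsed log lines.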

Posted by deticatedhosting, 02-09-2006, 01:59 AM
Thank you very much there is a lot of good information here.

Posted by build-a-host, 02-14-2006, 01:53 PM
I just ran the trojan scanner on my VPS and it returned 21 possible trojans detected.

Here is a list of the possibles it found:

Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /sbin/lsmod
Possible Trojan - /usr/bin/dbiprof
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/xslt-config
Possible Trojan - /usr/lib/libexslt.la
Possible Trojan - /usr/lib/libxslt.la
Possible Trojan - /usr/bin/xsltproc
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2usage
Possible Trojan - /usr/bin/podchecker
Possible Trojan - /usr/bin/podselect
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la

Are these safe? If not, how do I get rid of them?

Posted by Apoc, 02-16-2006, 01:03 PM
What trojan scanner did you use exactly? I would recommend running rkhunter and seeing what it says about MD5 matches. If it's showing the same problems then it's very likely you have been hacked.

There isn't really a way to get rid of that because you'll probably never know what exactly has been done by a hacker, if he has removed his traces. The only option in that case would be to get your VPS (or server) reinstalled.

Posted by build-a-host, 02-17-2006, 04:31 AM
Unless it's a "passive" hacker I think I'm OK. I haven't had any problems at all with the server.

I used the trojan scanner within WHM

Posted by Apoc, 02-17-2006, 06:41 AM
The trojan scanner in WHM is no good, in my opinion. You should use chkrootkit or rkhunter instead (or better yet: both of them).

Be careful though, never assume there's nothing wrong. Even though you might not notice anything a hacker might be stealing information from your customers and/or send out spam or DoS attacks when you're not looking.
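
Apoc's point about MD5 matches is that a scanner that flags /usr/bin/curl or /sbin/lsmod by name alone is guessing; what settles it is whether the file's checksum still matches a known-good copy. As an added example that is not part of the thread or of rkhunter, the following records SHA-256 sums for a list of binaries on a freshly installed system and reports what changed later. The file names are assumptions taken from build-a-host's list; on an RPM-based system `rpm -Vf /usr/bin/curl` asks the package database the same question without a baseline of your own.

```shell
#!/bin/sh
# Added example: a hash baseline for the binaries a trojan scanner flagged.
# Take the baseline once on a clean install (or right after a fresh
# reinstall), keep a copy off the server, and rerun the check from cron.

# baseline_create BASELINE FILE...: records "sha256  path" for each file.
baseline_create() {
    bl="$1"; shift
    : > "$bl"
    for f in "$@"; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$bl"
        else
            echo "baseline_create: skipping missing $f" >&2
        fi
    done
}

# baseline_check BASELINE: prints "CHANGED path" or "MISSING path" for every
# mismatch; returns 0 only if every recorded file still matches.
baseline_check() {
    rc=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# demo_baseline: builds two fake "binaries" in a temp dir (constructed data),
# takes the baseline, then simulates a replaced and a deleted file.
demo_baseline() {
    d=$(mktemp -d)
    printf 'original curl\n'  > "$d/curl"
    printf 'original lsmod\n' > "$d/lsmod"
    baseline_create "$d/baseline.sha256" "$d/curl" "$d/lsmod"
    printf 'backdoored\n' > "$d/curl"          # attacker replaced the binary
    rm -f "$d/lsmod"                            # attacker removed it
    baseline_check "$d/baseline.sha256" | sed "s#$d/##"
    rm -rf "$d"
}
```

The baseline is only as trustworthy as the machine it was taken on and the place it is stored: a rootkit that can replace /sbin/lsmod can also rewrite a baseline file left on the same disk, which is why rkhunter and chkrootkit ship their own reference data and why the copy you compare against should live elsewhere.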

Posted by SamOwen, 02-23-2006, 02:14 AM
Good post! Any more tweaks, or does this sum it all up?

Posted by zeca40, 02-26-2006, 09:53 AM
Is it OK to install Razor (http://razor.sourceforge.net/) and DCC (http://www.rhyolite.com/anti-spam/dcc/) on a VPS?

Posted by frynge, 03-02-2006, 06:58 PM
Quick small update on the original post.

FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.

Second

In the original post... it was said..
=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings
Check the following items...


Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole

I suggest you do not set this to fail if you have heavy email users or 30 clients and up. Use blackhole.

Fail at the beginning saves CPU time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets overworked.

Do not use FAIL use BLACKHOLE

I will edit my post above.

cheers

Posted by layer0, 03-02-2006, 07:19 PM
Quote:
Originally Posted by frynge
Quick small update on the original post.

FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.

Second

In the original post... it was said..
=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings
Check the following items...


Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole

I suggest you do not set this to fail if you have heavy email users or 30 clients and up. Use blackhole.

Fail at the beginning saves CPU time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets overworked.

Do not use FAIL use BLACKHOLE

I will edit my post above.

cheers
There have been MANY debates about this and personally I would say fail is best most of the time. You cannot say blackhole is best for everybody if it is just best for you...

Posted by frynge, 03-02-2006, 07:23 PM
Quote:
Originally Posted by Apoc
The trojan scanner in WHM is no good, in my opinion. You should use chkrootkit or rkhunter instead (or better yet: both of them).

Be careful though, never assume there's nothing wrong. Even though you might not notice anything a hacker might be stealing information from your customers and/or send out spam or DoS attacks when you're not looking.
hey apoc... it doesn't look like you can edit posts?

Do you know how? I wanted to edit the main post.

cheers

Posted by deticatedhosting, 03-02-2006, 08:30 PM
I think that you can only edit your post for a short time; then they're permanent.

Posted by Gibran, 03-05-2006, 10:17 PM
Fantastic tutorial!

Posted by SepedaTua, 03-07-2006, 02:18 PM
I got this from logwatch:

--------------------- SSHD Begin ------------------------


SSHD Killed: 1 Time(s)

SSHD Started: 1 Time(s)

Failed logins from these:
Io****/password from ***.***.***.***: 1 Time(s)
Me**/password from ***.***.***.***: 1 Time(s)
aa***/password from ***.***.***.***: 1 Time(s)
...
...
...
ze****/password from ***.***.***.***: 1 Time(s)
ze**/password from ***.***.***.***: 1 Time(s)

**Unmatched Entries**
Illegal user anonymous from ***.***.***.***
Illegal user passwd from ***.***.***.***
Illegal user ch*** from ***.***.***.***
...
...
...
Illegal user re***** from ***.***.***.***
Illegal user ze** from ***.***.***.***

What does it mean?
-- for me, it looks like someone is doing dictionary attack on my ssh server.

Can anyone make a suggestion for me?
Thanks.
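
What the logwatch summary is showing is a username dictionary being walked against sshd from one or a few sources. As an added example (not from the thread, BFD or logwatch), the following awk pass over raw sshd syslog lines groups failures by source address and counts how many distinct usernames each one tried, which is the signature of a dictionary attack rather than of a user mistyping a password. The sample log lines are constructed for the demo; the real input is /var/log/secure or /var/log/auth.log.

```shell
#!/bin/sh
# Added example: spot ssh dictionary attacks in raw sshd log lines.
# Reads syslog-format lines on stdin; prints "ip attempts distinct_users"
# for every source with more than THRESHOLD failed attempts, busiest first.
ssh_bruteforce_report() {
    awk -v thr="$1" '
        /Illegal user|Invalid user|Failed password/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                # "Failed password for root from X" vs
                # "Failed password for invalid user bob from X" vs
                # "Illegal user bob from X"
                if ($i == "for" && $(i + 1) != "invalid") user = $(i + 1)
                if ($i == "user") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (ip == "") next
            attempts[ip]++
            if (user != "" && !seen[ip, user]++) users[ip]++
        }
        END {
            for (ip in attempts)
                if (attempts[ip] > thr)
                    printf "%s %d %d\n", ip, attempts[ip], users[ip]
        }' | sort -k2,2nr
}

# demo_ssh_report: runs the report over constructed log lines (fake host,
# documentation-range addresses) with a threshold of 3 attempts.
demo_ssh_report() {
    cat <<'EOF' | ssh_bruteforce_report 3
Mar  7 02:10:01 vps sshd[2201]: Illegal user anonymous from 10.0.0.5
Mar  7 02:10:03 vps sshd[2203]: Illegal user passwd from 10.0.0.5
Mar  7 02:10:05 vps sshd[2205]: Failed password for invalid user test from 10.0.0.5 port 41022 ssh2
Mar  7 02:10:07 vps sshd[2207]: Failed password for root from 10.0.0.5 port 41030 ssh2
Mar  7 02:11:00 vps sshd[2210]: Failed password for root from 10.0.0.5 port 41040 ssh2
Mar  7 02:12:00 vps sshd[2220]: Accepted publickey for admin from 192.0.2.10 port 5000 ssh2
Mar  7 02:13:00 vps sshd[2230]: Failed password for admin from 192.0.2.10 port 5001 ssh2
EOF
}
```

A high distinct-user count from one address is the thing to react to; a single admin who fat-fingers a password three times will show up with one user. BFD, and later CSF/LFD, automate exactly this loop (count, threshold, ban), and moving sshd to key-only authentication with PasswordAuthentication no makes the dictionary useless regardless of how many names it tries.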

Posted by Funkadelic, 03-08-2006, 01:32 AM
I also suggest for shared hosting that the setting in the php.ini file for disable_functions
be changed to
disable_functions = "system,exec"

Doing that will disable the function that most exploits call upon.

Posted by Apoc, 03-13-2006, 12:21 AM
Quote:
Originally Posted by Wizardkid101
I also suggest for shared hosting that the setting in the php.ini file for disable_functions
be changed to
disable_functions = "system,exec"

Doing that will disable the function that most exploits call upon.
If you want to do that you should also disable all other functions that enable file execution, such as: passthru, escapeshellcmd, popen, pcntl_exec, and I think there might be a few others.

Posted by Apoc, 03-13-2006, 12:23 AM
Quote:
Originally Posted by zeca40
Is it OK to install Razor (http://razor.sourceforge.net/) and DCC (http://www.rhyolite.com/anti-spam/dcc/) on a VPS?
Absolutely. This does not relate to security or optimization though.

For a good tutorial on real advanced spam filtering read this article by rvskin: http://www.rvskin.com/index.php?page=public/antispam

Posted by Funkadelic, 03-13-2006, 12:38 AM
disable_functions = dl,system,exec,passthru,shell_exec
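
A list like that is easy to get subtly wrong (a quoted value, a commented-out line, or a second disable_functions further down the file that overrides the first), so it is worth checking the file rather than trusting memory. As an added example that is not from the posts above, the following reads a php.ini and reports which functions from a required set are still enabled. The required set is an assumption: it is the functions named in this thread plus proc_open, which also spawns a process; escapeshellcmd, which Apoc mentioned, only quotes a string and executes nothing, so it is left out. The two php.ini fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify that php.ini really disables the process-spawning
# functions. The required set below is an assumption, not PHP's own list.
REQUIRED_DISABLED="system exec passthru shell_exec popen proc_open pcntl_exec dl"

# php_disabled_list INI: prints the functions named by the last active
# (uncommented) disable_functions directive as one space-separated list.
php_disabled_list() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/;.*//' -e 's/"//g' -e 's/,/ /g'
}

# php_missing_disables INI: prints each required function that is NOT
# disabled, one per line; prints nothing when the file is hardened.
php_missing_disables() {
    have=" $(php_disabled_list "$1" | tr -s '[:space:]' ' ') "
    for fn in $REQUIRED_DISABLED; do
        case "$have" in
            *" $fn "*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# demo_php_check CONTENT: writes CONTENT to a temporary php.ini and reports.
demo_php_check() {
    ini=$(mktemp)
    printf '%s\n' "$1" > "$ini"
    php_missing_disables "$ini"
    rm -f "$ini"
}

# Constructed fragments: the weak setting from the post, and a hardened one.
WEAK_INI='[PHP]
;disable_functions = everything   ; commented out, must be ignored
disable_functions = "system,exec"'

HARDENED_INI='[PHP]
disable_functions = dl,system,exec,passthru,shell_exec,popen,proc_open,pcntl_exec'
```

Run it against the php.ini the web server actually loads (`php -i` prints the path), not the first one you find under /etc; and remember that disable_functions is per PHP binary, so a CGI build and an Apache-module build can each have their own file.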

Posted by Datacenter1, 03-17-2006, 03:32 PM
Good job !!!

Quote:
Originally Posted by elix
VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!

MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
[mysqld] max_connections = 400
max_connections = 400 in a VPS with 256-512 MB + cPanel seems a little high to me.
The server will run out of memory before reaching max_connections.

Posted by SamOwen, 03-25-2006, 02:15 AM
Quote:
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .
I don't use WHM, what file can I manually edit to change this setting? I have lots of spamd processes running.

Posted by layer0, 03-26-2006, 11:48 AM
Quote:
max_connections = 400 in a VPS with 256-512 MB + cPanel seems a little high to me.
The server will run out of memory before reaching max_connections.
That is definitely a possibility but it does depend a lot on what those connections are doing. The config there is really just a template that you should tweak to your own needs.

Posted by xclusive illz, 04-22-2006, 01:34 PM
could someone give a brief example where and how to set this up?

It sounds very useful and I've never managed a server on my own, but I would like to install some of the software, lol, or whatever it is, to protect my site.

Posted by Hybird71, 06-13-2006, 10:16 AM
This is in WHM and cPanel.

How about in Plesk? Do you have a tutorial for that one?

Posted by sleddog, 06-13-2006, 11:19 AM
Quote:
Originally Posted by SamOwen
I don't use WHM, what file can I manually edit to change this setting? I have lots of spamd processes running.
It may depend on your installation.

If you're using a Redhat-derived distribution (e.g., CentOS) with spamassassin installed by rpm, you should have a configuration file /etc/sysconfig/spamassassin.

Edit that file and change the "-m" option. Default is "-m5" (five child processes). Try "-m2" (two child processes).

If you're on a different distro, you may need to find the spamassassin startup script and change the "-m" command line option.

Restart spamd for the change to take effect.

Posted by visualblink, 06-23-2006, 12:17 AM
How do I remove or edit the service banners without recompiling the packages on my WHM/cPanel server? I would like to remove, or possibly edit, the server application and version banners that can easily be noticed and grabbed by anybody or any script, even with a simple telnet to the listening port. It is a simple problem, but it is always the first attempt of somebody who wants to attack or exploit the flaws of the running version of the application/service that he can find with banner grabbing. A quick way to lure the attacker in his initial phase would be simply removing the banners or replacing them with ones from a completely different service platform. Is there a way to accomplish this without recompiling any of the default packages of a cPanel/WHM server?

Posted by secmas, 07-10-2006, 10:15 AM
If you use cPanel and WHM, there is a new firewall made by Chirpy that looks great; it uses a lot less resources than APF and BFD, and it is integrated into WHM as an addon as well. And it updates automatically.

Also, you can access CSF from SSH.

You can download CSF with LFD from here:
configserver.com/cp/csf.html

I have just replaced APF and BFD with CSF and LFD (both from Chirpy) and it is working really nicely on my VPS.

QUESTION:
In your first post you said:
Quote:
Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
But you never mention how to disable them, would you be very kind to explain this step a little bit further?

I really want to thank Frynge for this terrific guide.

Regards,
Sergio

Posted by wwwbug, 07-16-2006, 01:52 AM
I did not know how to manage a VPS until I read this. Thank you!

Posted by EricG, 07-18-2006, 03:13 PM
Hello,

This is a very great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.


First: Checking for formmail.

Can I disable these without interfering with cPanel?

/usr/local/cpanel/cgi-sys/FormMail-clone.cgi
/usr/local/cpanel/cgi-sys/FormMail.cgi
/usr/local/cpanel/cgi-sys/formmail.cgi
/usr/local/cpanel/cgi-sys/FormMail.pl
/usr/local/cpanel/cgi-sys/formmail.pl
/usr/local/cpanel/install/formmail


Second: Disable shell accounts

How do I do that ? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.

/usr/local/cpanel/base/horde/admin/cmdshell.php
/usr/local/cpanel/base/horde/admin/phpshell.php
/usr/local/cpanel/base/horde/admin/sqlshell.php

It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym, should they be disabled too or is this sentence meant as a warning NOT to disable those ?

Third: PHPSuExec

It says that all my users will need to make sure their php files have permissions no greater than 0755. On my current reseller hosting account I've installed a few php based applications for my clients that wouldn't work until I change some permissions to 0777. I'm not sure what PHPSuExec does, what problems should I expect if php files do have greater permissions than 0755 ?


That's it.

Posted by sleddog, 07-23-2006, 10:30 PM
Quote:
Originally Posted by EricG
Hello,

This is a very great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.


First: Checking for formmail.

Can I disable these without interferring with cPanel ?

/usr/local/cpanel/cgi-sys/FormMail-clone.cgi
/usr/local/cpanel/cgi-sys/FormMail.cgi
/usr/local/cpanel/cgi-sys/formmail.cgi
/usr/local/cpanel/cgi-sys/FormMail.pl
/usr/local/cpanel/cgi-sys/formmail.pl
/usr/local/cpanel/install/formmail
That formmail script is a component of cpanel. Users will have access to use it if you make it available to them. Depends on how you have addons, features (Feature Manager) and packages configured in WHM.

Quote:
Originally Posted by EricG
Second: Disable shell accounts

How do I do that ? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.

/usr/local/cpanel/base/horde/admin/cmdshell.php
/usr/local/cpanel/base/horde/admin/phpshell.php
/usr/local/cpanel/base/horde/admin/sqlshell.php

It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym, should they be disabled too or is this sentence meant as a warning NOT to disable those ?
"Disable shell accounts" means to deny account owners the right to log in to a shell command prompt (via SSH). In WHM look at "Manage Shell Users". You can choose to give each user a full shell, a jail shell (where they cannot move outside their home directory), or no shell. Unless you have a good reason to do otherwise, it's recommended that you disable shell access (no shell). Of course, give full shell access to your own account so you can log in.

"shell.php" is a separate issue. Essentially you're looking for PHP scripts on your server that can be used to achieve shell access. These may have been uploaded by users or fetched by someone exploiting a vulnerable website. The files you've listed above are a part of cPanel's Horde webmail and can be left alone.

Quote:
Originally Posted by EricG
Third: PHPSuExec

It says that all my users will need to make sure their php files have permissions no greater than 0755. On my current reseller hosting account I've installed a few php based applications for my clients that wouldn't work until I change some permissions to 0777. I'm not sure what PHPSuExec does, what problems should I expect if php files do have greater permissions than 0755 ?
PHP is run as either an Apache module or as a CGI (phpsuexec). As a module, PHP scripts run as the Apache user "nobody". In order for the user "nobody" to write to disk (e.g., to save an uploaded photo), directory permissions have to be relaxed, usually by setting the directory chmod 777 (writable by everyone).

When using phpsuexec, PHP scripts run as the account user. The account user owns the account's directories, and therefore, the PHP scripts have ready access to write. There is no need to change permissions.

Incorrect permissions or ownership will cause errors when trying to run the PHP scripts. Usually with phpsuexec, files should be chmodded no higher than 644 and directories 755. The files should be owned by the account username, not "nobody" and not "root" (that will also cause a runtime error).

Posted by Velvet Elvis, 07-25-2006, 05:01 PM
Is that thread cache setting a typo? That one in particular has always been voodoo for me, but that's ten times what I'm using.

I can't imagine not hitting swap before half that many are cached on a burstable 256 meg VPS.

Posted by EricG, 07-29-2006, 10:16 AM
Sleddog,

Thanks a lot for your answers, I really appreciate all the help you've given me in the last few weeks.

Posted by johnm160, 08-01-2006, 10:24 AM
Hello,

I searched for FformMmail and have come up with many entries

/cgi-sys/formmail.cgi
/cgi-sys/formmail.pl
/install/formmail

/cgi/FormMail.html
/cgi-sys/FormMail-clone.cgi
/cgi-sys/FormMail.cgi
/cgi-sys/FormMail.pl

Do I need to change the permissions on each and everyone of these files?

and the same for CGIMAIL?

Thanks for the help, I want to make sure I get started right

John

Posted by jpetersen, 08-26-2006, 07:54 AM
I'd just like to make a quick note on the difference between :blackhole: and :fail: from my personal experience with cPanel servers and Exim:

Since :blackhole: processes the entire email, more resources wind up getting used. I, like many others, have tested replacing :blackhole: with :fail: on some servers in the past, and can say that easily, without a doubt, fewer resources (namely CPU and disk I/O) wind up getting used, which helps keep the load average even lower than usual. :fail: will immediately send a 550 error after the invalid RCPT TO: line, vice accepting then discarding the entire email. I'm not saying that will work for everyone, but I have personally seen it immediately decrease resource usage on a shared hosting server with a fairly busy day-to-day mail flow, and would recommend it to anyone else looking to do the same regardless of the server type.

Posted by Chris.S, 08-31-2006, 04:49 PM
Excellent tutorial! Would you mind if I posted it in my knowledge base?

Posted by FengYun, 09-05-2006, 05:14 AM
thanks, that is a great tutorial
It does help me a lot. I think I need some help with some of the basic code;
I hope someone can help me. I hope these are not too newbie questions.


1a) Root breach DETECTOR and EMAIL WARNING
Quote:

At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
How am I able to set the server to send more than one warning mail to our server admins? What I think is: if anyone has access to root, the server will send a mail to the 2nd, 3rd server admin mail, etc.


Shall I have to do it the long way, or is there a better way than this?
Quote:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin1@email.com

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin2@email.com

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin3@email.com



1b) Mail Receive
Quote:
ALERT - Root Shell Access on: Mon Sep x 00:00:55 SGT 2006 root ttyp0
Sep x 00:01 (bb000-xx-xxx-7.domains.com) root ttyp1 Sep x 00:01
(bb000-xx-xxx-7.domains.com)
I have tried the above code to set the server to send out an e-mail when someone accesses/logs in to the root account of the server, but for some reason I am unable to see the user's login IP address. Does anyone know what code I should add so that it will show the IP address?



2) Alert Email Sent
Is there a way to set the server to send out more than 1 alert mail (the default is 1 mail) to the system admins? Looking at it, the server would send two or more alerts to the rest of the system admins.


example 1
Quote:
BFD, Under Enable brute force hack attempt alerts:

ALERT_USR="1"
EMAIL_USR="your@email.com"
example 2
Quote:
LogWatch, SSH into server and login as root.

At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf

Scroll down to
Mailto = your@email.com
example 3
Quote:
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn (/bin/echo `date` %c %d | mail -s "Access attempt by nnn.nnn.nnn.nnn on hostname" notify@mydomain.com) &
Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.


Really sorry for these newbie questions, as we would like the alert to be sent to at least 2-3 server admins when such a thing happens....

thanks
Feng

Posted by comdexxsoftwarell, 10-04-2006, 11:55 AM
Great Tutorial

Posted by Bibicu, 10-14-2006, 10:41 AM
hello everyone!

Good work here with these advices. Thanks a lot for your effort. Thanks

Anyway.. i have 2 questions:

1. Not a day goes by that I don't find perl scripts running on my VPS which overload the processors. I restart the Apache server and they are gone. How can I prevent those perl scripts from running?
2. Another problem is an andos.txt file that I found in my /tmp folder which performs a flood to a specific IP address. How can I prevent this txt from running?


And finally I want to know if there is somewhere a script which sends mail when the CPU is loaded to a specific value... 80-90-100%

regards

Posted by zeca40, 10-18-2006, 02:13 PM
FengYun:

I am pretty sure that you can separate the emails with a comma to send to multiple accounts.

Quote:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com, yoursecond@email.com

Posted by groomi, 10-31-2006, 06:49 PM
V Nice tutorial

Posted by Ogg, 12-02-2006, 11:13 AM
Great tutorial!

Just a question, I've got 256MB RAM and it seems to be using 140-150MB of it even if nobody is on the website but myself. Is that normal? Right now it's running Directadmin with mail turned off.

Quote:
top - 18:16:57 up 20:01, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 31 total, 1 running, 30 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2% us, 0.1% sy, 0.0% ni, 99.7% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4136864k total, 4066628k used, 70236k free, 166620k buffers
Swap: 2096472k total, 592k used, 2095880k free, 1933400k cached
httpd.conf
Quote:
Timeout 200
KeepAlive On
MaxKeepAliveRequests 120
KeepAliveTimeout 3
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 250
MaxRequestsPerChild 500
my.cnf
Quote:
[mysqld]
max_connections = 200
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-locking
interactive_timeout = 25
query_cache_type = 1
query_cache_size = 6M
query_cache_limit = 1M
thread_cache_size = 32
wait_timeout = 25
key_buffer_size = 512K
max_allowed_packet = 1M
table_cache = 4
join_buffer_size = 256K
sort_buffer_size = 100K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 64K
skip-bdb
skip-innodb

Posted by layer0, 12-02-2006, 11:41 AM
try

PHP Code:
Timeout 30
KeepAlive On
MaxKeepAliveRequests 120
KeepAliveTimeout 3
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 250
MaxRequestsPerChild 0
For httpd.conf

Find if it's MySQL or Apache that is actually taking up the RAM...ps auxf will show you.

ps auxf | grep httpd
ps auxf | grep mysql

Posted by Ogg, 12-02-2006, 07:01 PM
I was watching top -c and one query on the forum looked like it used 3.3% CPU power while each page load took 0.7-1.3% on Apache.

I tried setting Timeout to 30 and MaxReq to 0 but it doesn't seem to have changed anything... I'm not sure how to read the auxf reports!

*8 users on our forum, posting, reading.
Quote:
up 1 day, 3:51, 1 user, load average: 0.00, 0.02, 0.00
Tasks: 33 total, 1 running, 32 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4136864k total, 4044932k used, 91932k free, 218388k buffers
Swap: 2096472k total, 592k used, 2095880k free, 1847572k cached

Posted by nex99, 12-31-2006, 10:31 AM
Dear,

Service Status of my new VPS shows this info:

named (9.2.4) up
cpsrvd up
Server Load 0.04 (2 cpus)
Memory Used 72.6 %
Swap Used 3.94 %
Disk simfs (/) 13 %


is it ok? specially i think for Memory Used 72.6 %

Posted by layer0, 12-31-2006, 10:33 AM
Quote:
Originally Posted by nex99
Dear,

Service Status of my new VPS shows this info:

named (9.2.4) up
cpsrvd up
Server Load 0.04 (2 cpus)
Memory Used 72.6 %
Swap Used 3.94 %
Disk simfs (/) 13 %


is it ok? specially i think for Memory Used 72.6 %
That memory used is not for your VPS, but rather for the whole host node itself. I wouldn't worry about it unless you see bad performance.

Posted by talkhostrunner, 02-17-2007, 06:08 AM
Awesome tutorial!!!!

Posted by ivytony, 03-19-2007, 01:36 AM
These tips are also applicable for VPS built in Fedora Core 6 and Webmin, right?

thanks!

Posted by lcubehost, 03-19-2007, 12:24 PM
Thanks for posting this. I am adding this to my checklist of all new setups for VPS. Thanks

Posted by jacky84, 03-20-2007, 01:01 PM
Is there also a document on how to secure and optimize a Windows VPS?

Posted by ivytony, 03-20-2007, 01:03 PM
Quote:
Originally Posted by jacky84
Is there document also for howto securing and optimizing a windows VPS
I would say no, because the file system between Linux and Windows is quite different.

Posted by mark_s, 04-30-2007, 02:48 PM
Hello, I have a VPS with MySQL4/PHP4/Apache2.

I've tried using the optimised values for my.cnf but they are not accepted. Can someone take a look at my my.cnf and tell me acceptable values like the ones in this tutorial?

Code:
[mysqld]
set-variable=local-infile=0
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
     
skip-bdb

set-variable = innodb_buffer_pool_size=2M
set-variable = innodb_additional_mem_pool_size=500K
set-variable = innodb_log_buffer_size=500K
set-variable = innodb_thread_concurrency=2
[mysql.server]
user=mysql
basedir=/var/lib

[mysqld_safe]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
skip-bdb

set-variable = innodb_buffer_pool_size=2M
set-variable = innodb_additional_mem_pool_size=500K
set-variable = innodb_log_buffer_size=500K
set-variable = innodb_thread_concurrency=2

Posted by mark_s, 04-30-2007, 08:42 PM
Please ignore my previous message... I have successfully implemented the values in the tutorial.

Posted by ThisNameWillDo!, 05-02-2007, 08:43 AM
Cool tut! Thanks!

Posted by Verm, 05-11-2007, 02:23 PM
Great post. Thank you.

Posted by blacktooner, 05-15-2007, 02:03 PM
Does this work in Ubuntu? Isn't it Linux-based?

Posted by Orien, 05-17-2007, 11:54 PM
Quote:
Originally Posted by blacktooner
Does this work in Ubuntu? Isn't it Linux-based?
It should work in Ubuntu, which is based on Debian Linux.

Posted by Dougy, 06-18-2007, 08:25 PM
Not to dig up, but thanks!

Posted by trooperx, 06-21-2007, 01:18 PM
Quote:
Originally Posted by blacktooner
Does this work in Ubuntu? Isn't it Linux-based?
Yes, it works even in Ubuntu. I'm not sure about Ubuntu live.

Posted by dayo, 06-26-2007, 12:37 PM
Thanks for the detailed info

Posted by amex, 07-07-2007, 11:40 PM
Quote:
Originally Posted by elix

Lastly, I recommend installing mytop to help you monitor your usage...
Code:
wget http://dll.elix.us/mytop-1.4.tar.gz
tar -zxvf mytop-1.4.tar.gz
cd mytop-1.4
perl Makefile.PL
make
make test
make install
Once that's done, just enter in "mytop" .
When I ran "mytop" after installing - I got the following error:

[root]# mytop
Can't locate Term/ReadKey.pm in @INC (@INC contains: /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/bin/mytop line 165.

Any ideas?

Thanks!

Posted by r00ter, 07-07-2007, 11:44 PM
It looks like a PERL error, can we know which OS you are using, and whether or not you have perl or perl libs installed?

Posted by amex, 07-07-2007, 11:49 PM
Quote:
Originally Posted by SteadComJoe
It looks like a PERL error, can we know which OS you are using, and whether or not you have perl or perl libs installed?
OS: Centos

Perl: Perl 5.8.5 Installed

Thanks

Posted by foobic, 07-09-2007, 09:47 AM
Use CPAN to install the missing module - just type cpan as root. You'll need to do some setting up if you haven't run it before but you can accept the defaults it offers. Then:
Code:
cpan> install Term::ReadKey
My belated thanks also to the original authors layer0 and frynge.

Posted by Shining Star, 07-09-2007, 09:48 AM
nice tutorial

Posted by amex, 07-15-2007, 06:17 PM
Quote:
Originally Posted by FengYun

1a) Root breach DETECTOR and EMAIL WARNING

1b) Mail Receive

I have tried the above code to set the server to send out an e-mail when someone accesses/logs in to the root account of the server, but for some reason I am unable to see the user's login IP address. Does anyone know what code I should add so that it will show the IP address?


I have the same problem - all I get are emails which look like this, no IP address:

Quote:
ALERT - Root Shell Access on: Mon Jul 9 08:07:40 EDT 2007 root pts/0 Jul 9 08:07 (ool.dyn.optonline.net)

Posted by phuongdong, 07-19-2007, 04:54 AM
I guess the email with no IP will be sent to you when you reboot the server(VPS)

Posted by amex, 07-19-2007, 10:34 AM
Quote:
Originally Posted by phuongdong
I guess the email with no IP will be sent to you when you reboot the server(VPS)
What?

Posted by dewd, 07-22-2007, 11:43 PM
thanks for the info

Posted by frynge, 07-23-2007, 12:42 AM
Quote:
Originally Posted by amex
I have the same problem - all I get are emails which look like this, no IP address:
Just go type that into dynamic tools to get the IP...
ool.dyn.optonline.net

http://www.dnsstuff.com/

Posted by amex, 07-23-2007, 01:15 AM
Quote:
Originally Posted by frynge
Just go type that into dynamic tools to get the IP...
ool.dyn.optonline.net

http://www.dnsstuff.com/
frynge,

Thanks for responding.

ool.dyn.optonline.net is the hostname of the ISP that logged in. It's not the actual IP or hostname of the individual who logged in.

Running any tests on the hostname will reveal the general IP of the ISP, not the individual subscriber.

Posted by Volt.Networks, 07-25-2007, 06:49 PM
Just read the tutorial. Very nice job.

Posted by amex, 07-25-2007, 07:00 PM
Quote:
Originally Posted by Volt.Networks
Just read the tutorial.
Was that directed at me?

Posted by sherwinaval, 09-01-2007, 02:29 PM
thanks for this helped me a lot after weeks of trying to find the best solution to optimize my vps

Posted by nixadm, 09-10-2007, 01:09 AM
Hello,
I would not recommend that anyone run this blob list of commands.
The author put effort into it, but clearly is missing a basic understanding of Unix, let alone security practices.

Posted by amex, 09-10-2007, 09:55 PM
Quote:
Originally Posted by nixadm
Hello,
I would not recommend that anyone run this blob list of commands.
The author put effort into it, but clearly is missing a basic understanding of Unix, let alone security practices.
Well, would you like to contribute at all?

Posted by frynge, 10-27-2007, 09:32 PM
Quote:
Originally Posted by sherwinaval
thanks for this helped me a lot after weeks of trying to find the best solution to optimize my vps
I'm glad so many found this useful! I will eventually be posting new ones that are updated, as cPanel and WHM have updated a bit.

Cheers

Posted by layer0, 10-27-2007, 09:40 PM
Quote:
Originally Posted by amex
frynge,

Thanks for responding.

ool.dyn.optonline.net is the hostname of the ISP that logged in. It's not the actual IP or hostname of the individual who logged in.

Running any tests on the hostname will reveal the general IP of the ISP, not the individual subscriber.
Set UseDNS to off in your sshd_config.

Posted by amex, 10-28-2007, 09:56 PM
Quote:
Originally Posted by layer0
Set UseDNS to off in your sshd_config.
Hi Layer0,

Thanks for your reply. I didn't see UseDNS in my sshd_config so I just added this to the end of it, but alas it didn't change anything:

Code:
UseDNS off
Am I doing something wrong?

Regards,

Posted by GBSF, 10-29-2007, 03:52 PM
Great thread guys! Thanks for everyone's help!

I have a quick question about setting the following:

At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com


This seems to be working but every email I get is showing the wrong host name but the correct IP address:

Example:

Access from (balyrion.liquidweb.com)
(208.xxx.xxx.xxx)

ALERT - Root Shell Access on: Mon Oct 29 12:50:50 PDT 2007 root ttyp0 Oct 27 20:59 (balyrion.liquidweb.com) root ttyp2 Oct 29 12:50 (208.xxx.xxx.xxx)

How do I fix this? To show the correct hostname with the ip address?
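Both symptoms in this thread (amex's alerts with a hostname but no IP, and the wrong hostname above) come from the one-liner parsing `who`, which lists every session on the box and, with sshd's UseDNS on, shows reverse-DNS names. The following is an added example, not code from the thread or from cPanel: it builds the alert from the calling session's own SSH_CONNECTION value (set by sshd as "client_ip client_port server_ip server_port"), so the address reported is the one that opened this shell. It assumes sshd exports SSH_CONNECTION and that a `mail` command exists when send_alert is actually used.

```shell
# Added example (not from the original thread): root-login alert that reports
# the current session's source address instead of scraping `who`.

# session_origin SSH_CONNECTION_VALUE -> prints "client_ip client_port".
# `who` lists every logged-in session, so awk '{print $6}' in the thread's
# one-liner picks up whichever session is listed first (the "wrong hostname"
# symptom) and, with UseDNS, prints a reverse-DNS name (the "no IP" symptom).
session_origin() {
    conn="$1"
    if [ -z "$conn" ]; then
        # Console login, su, or cron: there is no remote peer to report.
        echo "local-or-unknown -"
        return 1
    fi
    # shellcheck disable=SC2086   # intentional word splitting on spaces
    set -- $conn
    echo "$1 $2"
}

# alert_subject SSH_CONNECTION_VALUE -> subject line for the mail.
alert_subject() {
    origin=$(session_origin "$1") || :
    echo "Alert: Root Access from ${origin%% *}"
}

# build_alert USER TIMESTAMP SSH_CONNECTION_VALUE -> one-line alert body.
build_alert() {
    user="$1"; stamp="$2"
    origin=$(session_origin "$3") || :
    echo "ALERT - Root Shell Access on: $stamp user=$user from=${origin%% *} port=${origin#* }"
}

# send_alert SSH_CONNECTION_VALUE RECIPIENT -> mails the alert, or logs it via
# syslog when `mail` is missing (grandad's "-bash: mail: command not found").
send_alert() {
    body=$(build_alert "$(id -un)" "$(date)" "$1")
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$body" | mail -s "$(alert_subject "$1")" "$2"
    else
        logger -t root-alert "$body" 2>/dev/null || printf '%s\n' "$body" >&2
    fi
}

# Real use, at the end of root's .bash_profile (login shells only, so an
# interactive `ssh root@host` or `su -` triggers it; a plain `su` does not):
#   [ "$(id -u)" -eq 0 ] && send_alert "${SSH_CONNECTION:-}" your@email.com
# Caveat the thread skips: whoever already has root can edit this file or
# unset SSH_CONNECTION, so treat the mail as an early warning, not as proof.
```

sshd only sets SSH_CONNECTION for sessions it started, so the fallback branch covers console logins and `su -` from another account.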

Posted by diggleblop, 11-13-2007, 05:34 PM
I ran the root kit checker and it tells me that at port 425 "Possible LKM Trojan installed". Now what?

Posted by layer0, 11-13-2007, 05:38 PM
Quote:
Originally Posted by amex
Hi Layer0,

Thanks for your reply. I didn't see UseDNS in my sshd_config so I just added this to the end of it, but alas it didn't change anything:

Code:
UseDNS off
Am I doing something wrong?

Regards,
I assume you restarted SSH?

Posted by foobic, 11-13-2007, 07:48 PM
Code:
UseDNS no
.

Posted by amex, 11-17-2007, 07:41 PM
Quote:
Originally Posted by foobic
Code:
UseDNS no
.
That is correct, it's
Quote:
UseDNS no
and not
Code:
UseDNS off

Quote:
Originally Posted by layer0
I assume you restarted SSH?
Good suggestion! Now it works!

Posted by layer0, 11-17-2007, 07:44 PM
Quote:
Originally Posted by foobic
Code:
UseDNS no
.
My bad.

Posted by bigu_c, 11-30-2007, 05:53 PM
This is good tut for me!

Thank you!

Posted by mimozo, 12-02-2007, 08:54 AM
nice tutorial .. thanks for sharing mate

Posted by remotehost, 12-04-2007, 03:32 AM
What are the advantages/disadvantages between APF and CSF? I use CSF because it can be integrated with WHM.

Posted by Vince2006, 12-04-2007, 04:18 AM
I found APF to be quirky... but that's just me. CSF runs lean and mean and does way better than APF did on my box. I'd recommend combining CSF/LFD with MailScanner (through Chripy's site HERE.) Great way to go.

Posted by etusha, 12-11-2007, 01:49 PM
Has anyone used lynis?
http://www.rootkit.nl/projects/lynis.html


I have a question for you: what's the best anti-rootkit,
rootkit hunter or chkrootkit or zeppoo.net or a new anti-rootkit?

Posted by mcgyver8, 12-12-2007, 03:45 AM
Frynge, awesome tutorial!

Posted by betoranaldi, 12-27-2007, 02:31 PM
Quote:
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...

Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .
whm 11.11 and cpanel 11.16 don't seem to have this option, where would I be able to find it?

Posted by labeach, 01-04-2008, 07:36 PM
Hello,
I had to recompile apache now root logins are no longer being emailed to me. I pico .bash_profile and the email and everything is there. Any ideas on how to fix this? thanks,

Posted by hero525252, 01-23-2008, 11:51 AM
If I do these steps will my security be perfect??

Posted by Datacenter1, 01-23-2008, 09:13 PM
Quote:
Originally Posted by hero525252
If I do these steps will my security be perfect??
Perfect security doesn't exist; a proper hardening of your server(s) will help with 99.5% of security threats.

For perfect security you have to unplug your server from the network, unplug it from power and lock it in a safe (don't lose the key or combination).

Posted by etusha, 01-24-2008, 08:22 AM
or burn it

Posted by PCS-Chris, 01-24-2008, 08:47 AM
Quote:
Originally Posted by hero525252
If I do these steps will my security be perfect??
Although this thread does have some very good information & advice, there is more that can be done to improve the security of your server.

If you are hosting something which is mission critical to security you could always consider hiring a management company to do a once-over hardening on your machine, or VPS in this case. The main key to security is to ensure all packages on the server are kept up to date, and to monitor the content of your accounts.

Quote:
or burn it
- I guess that works too

Posted by zwtint, 01-27-2008, 09:16 AM
Hi,

Can somebody let me know the exact steps how to harden /tmp on a VPS?

Regards,

Posted by jiggerbit, 01-28-2008, 02:26 PM
Quote:
Originally Posted by zwtint
Hi,

Can somebody let me know the exact steps how to harden /tmp on a VPS?

Regards,
mount -t tmpfs -o noexec,nosuid tmpfs /tmp/

Posted by nixadm, 01-29-2008, 06:56 AM
Quote:
Originally Posted by zwtint
Can somebody let me know the exact steps how to harden /tmp on a VPS?
Do not think of it as a skill or a trade (as with many other tips around). You need a basic understanding of Unix (file system, superstructure, executables, suid bits...) and things like this would come naturally. Anyone running their own server without an operator really should, and easily could, learn this.

With jiggerbit's answer you are still unsure what it really does, and if you break functionality of some other system component... It always comes back to the basics.

Posted by Tristan Perry, 01-31-2008, 09:53 AM
Hello all,
My forums can sometimes be quite laggy, and I'm not sure why. Load times are averaging at 2+ seconds. I'm on VPS hosting (I have 512Mb of memory - server stats are here).

My forums are getting the same amount of people online as usual (e.g. a bit before peak time: "Users Online: 73 Guests, 41 Users over 15 minutes").

I've carried out the optimisation tips mentioned here (i.e. I've changed the relevant settings in my.cnf and httpd.conf).

However I'm not sure what's causing this lag. I use SMF as my forum software, which is a very reliable and speedy software (other forums with millions of posts run SMF fine; I only have 800,000 posts).

Upon inspection, I found out that certain queries are lagging like mad:

Quote:
DELETE FROM yabbse_sessions
WHERE last_update < 1201713265
in /home/tauonli/public_html/forums/Sources/Load.php line 2180, which took 7.59983802 seconds.
Quote:
SELECT data
FROM yabbse_sessions
WHERE session_id = '2ab5abd09a2bbebd79065efe0af790e4'
LIMIT 1
in /home/tauonli/public_html/forums/Sources/Load.php line 2110, which took 12.86598301 seconds.
Quote:
REPLACE INTO yabbse_log_boards(id_msg, id_member, id_board)
VALUES
(1058514905, 1, 1)
in /home/tauonli/public_html/forums/Sources/MessageIndex.php line 140, which took 2.8114779 seconds.


UPDATE yabbse_topics
SET num_views = num_views + 1
WHERE id_topic = 60114
in /home/tauonli/public_html/forums/Sources/Display.php line 174, which took 4.49542999 seconds.



UPDATE yabbse_members
SET last_login = 1201723759, member_ip = '88.105.13.104', member_ip2 = '88.105.13.104', total_time_logged_in = 10197033
WHERE id_member = 1
in /home/tauonli/public_html/forums/Sources/Subs.php line 556, which took 3.65229011 seconds.



SELECT
c.id_cat, b.name AS bname, b.description, b.num_topics, b.member_groups,
b.id_parent, c.name AS cname, IFNULL(mem.id_member, 0) AS ID_MODERATOR,
mem.real_name, b.id_board, b.child_level,
b.id_theme, b.override_theme, b.count_posts, b.id_profile, b.redirect,
b.unapproved_topics, b.unapproved_posts, t.approved, t.id_member_started
FROM yabbse_boards AS b
INNER JOIN yabbse_topics AS t ON (t.id_topic = 60114)
LEFT JOIN yabbse_categories AS c ON (c.id_cat = b.id_cat)
LEFT JOIN yabbse_moderators AS mods ON (mods.id_board = t.id_board)
LEFT JOIN yabbse_members AS mem ON (mem.id_member = mods.id_member)
WHERE b.id_board = t.id_board
in /home/tauonli/public_html/forums/Sources/Load.php line 631, which took 15.63650703 seconds.
Whilst some are completed queries, some are basic queries calling on data from basic table structures.

Running ps auxf gets:

Quote:
mysql 20172 0.8 13.1 153012 69060 ? Sl Jan29 9:51 \_ /usr/sbin/mysqld
(0.8% CPU, 13.1% memory)
nobody 1326 1.0 2.6 56680 13900 ? R 13:00 0:02 \_ /usr/local/apache
nobody 1515 0.7 2.9 58256 15524 ? S 13:00 0:01 \_ /usr/local/apache
nobody 1681 0.7 2.6 56388 13636 ? S 13:01 0:01 \_ /usr/local/apache
nobody 2030 0.6 2.6 56468 13700 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3104 0.9 2.8 57708 14944 ? R 13:02 0:00 \_ /usr/local/apache
nobody 3107 0.4 2.4 54824 12660 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3108 0.7 2.5 55876 13124 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3367 1.1 2.3 54244 12072 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3370 0.6 2.4 55500 12672 ? R 13:03 0:00 \_ /usr/local/apache
nobody 3371 1.0 2.4 54888 12716 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3384 0.9 3.0 58000 15820 ? R 13:03 0:00 \_ /usr/local/apache
nobody 3533 0.9 2.4 55276 13024 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3540 1.0 2.5 56072 13608 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3588 0.8 2.3 54776 12084 ? S 13:04 0:00 \_ /usr/local/apache
nobody 3598 3.8 2.6 56260 13704 ? S 13:04 0:00 \_ /usr/local/apache
nobody 3618 0.0 0.6 47104 3412 ? S 13:04 0:00 \_ /usr/local/apache
Any ideas on why my forums are lagging so much would be great.
Thanks,
Tristan

Posted by rub3n, 02-10-2008, 03:54 PM
Nice and very useful thread, thanks for posting this!

Posted by arkin, 02-11-2008, 11:29 AM
Great thread/article, thanks.

Posted by jamesmoey, 02-24-2008, 08:02 PM
tristanperry

If you use innodb tables, increase your innodb_buffer_pool_size,
and increase your query_cache_size and key_buffer_size.

Good luck.

Posted by Rick Ce, 03-07-2008, 05:41 AM
Hi there,
Great post thank you everyone
I have installed apf on my dedi's and it works great. I have come to install it on my cPanel VPS servers and my users report they cannot send mail. Has anyone else had this problem? As soon as I stop apf the mail clears from the queue.
I have made sure these are open in the config file TCP/UDP 25, 110, 143, 465, 993, 995.
Any ideas?
Kind regards,
Rick

Posted by likepeas, 04-25-2008, 11:59 AM
What about SQL injection through the cPanel? I got hacked a few times like this.

Posted by 3dom, 04-26-2008, 05:29 PM
Great post. Thanks!

Now I'm sure I'll stick with shared accounts and going to stay away from VPS as long as I can
=)

Posted by grandad, 04-27-2008, 03:59 AM
When I use:-
Quote:
At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.
On my next SSH login I see the errors:-
Quote:
-bash :mail command not found
-bash :echo: write error: Broken pipe
When I remove the alert all returns to normal.
cPanel 11.18.3 R21703
Centos 5

Any idea why it breaks it?

Posted by greggster, 04-30-2008, 06:06 AM
tmp can be secured to be noexec in 1 minute, no reboot required. Nothing can execute there - /var/tmp remains a risk - unless that is mounted separately also:

/dev/VolGroup00/LogVol02 /tmp ext3 defaults,nosuid,noexec 1 2

edit the /etc/fstab file, then do a mount -o remount and it will remount /tmp and you are set - just don't be in /tmp when remounting.
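jiggerbit's one-line tmpfs mount and greggster's fstab entry both rely on the nosuid,noexec options actually being present after the (re)mount, and nixadm's point stands that you should know what you changed. The following is an added example, not code from the thread: a small audit that reads /proc/mounts-format lines ("device mountpoint fstype options dump pass") and reports whether /tmp and /var/tmp each carry both options or are not a separate mount at all. A constructed sample of mount lines is embedded so it runs offline; omit the second argument to read the live /proc/mounts.

```shell
# Added example (not from the original thread): audit /tmp and /var/tmp mount
# options. Constructed sample in /proc/mounts format; /var/tmp is deliberately
# left without the hardening options to show the failure report.
SAMPLE_MOUNTS='/dev/VolGroup00/LogVol00 / ext3 rw,data=ordered 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0
/dev/VolGroup00/LogVol02 /var/tmp ext3 rw,data=ordered 0 0'

# mount_opts MOUNTPOINT [MOUNTS_TEXT] -> prints the options of the last mount
# on MOUNTPOINT, or "none" when it is not a separate mount (it then inherits
# the parent filesystem's options, normally rw,exec,suid).
mount_opts() {
    mp="$1"
    text="${2:-$(cat /proc/mounts)}"
    printf '%s\n' "$text" |
        awk -v mp="$mp" '$2 == mp { o = $4; f = 1 } END { print (f ? o : "none") }'
}

# has_opt OPTIONS OPT -> succeeds when OPT is one of the comma-separated options.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp MOUNTPOINT [MOUNTS_TEXT] -> "ok" when both nosuid and noexec are set;
# otherwise prints what is missing and returns non-zero.
check_tmp() {
    opts=$(mount_opts "$1" "$2")
    if [ "$opts" = "none" ]; then
        echo "not a separate mount (inherits exec from parent)"
        return 1
    fi
    missing=""
    for want in nosuid noexec; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:${missing}"
        return 1
    fi
}

# To apply the thread's fix without a reboot, after editing /etc/fstab:
#   mount -o remount,nosuid,noexec /tmp
# and then re-run check_tmp /tmp. nixadm's warning applies: noexec breaks any
# software that unpacks and runs an installer from /tmp, so test afterwards.
```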

Posted by altaibskt, 05-16-2008, 02:42 PM
thanx for this nice post

Posted by vikashk, 05-18-2008, 10:57 AM
Another great tool against SSH brute force is DenyHosts. It uses the hosts.deny file, which may be more appropriate for VPSs as the number of iptables rules is usually limited by the VPS provider.

Posted by greggster, 05-20-2008, 10:39 PM
Portsentry is one tool that has spared a lot of hacking attempts - I have the same IP's daily trying to get in - here is one way to thwart:

1. Setup Portsentry (against the recommendations) to scan up to port 65000 or so - I saw a lot of scans start at port 1026 - portsentry is default setup to port 1024, so raised to 65000 and allow 3+ port scans before blocking - that way there are less false alarms or in case someone forgets port 22....
2. Change your ssh port to the 2000+ range - remember to open your firewall for this new port..
3. Keep port 22 open on the firewall - and now it's a honeypot of sorts - got to remind users to use the new non-standard port, but script kiddies fall right into it.
4. Anyone port scanning is only looking to harm, so they get dropped completely for a while and cannot do any more harm. Bye bye.

Here we see people start on port 1026 a lot - on a typical portsentry install, Squid, VNC and other services lack a layer of protection that FTP, SMTP have - with this setup - not no more:
From 221.6.145.18 - 2 packets to udp(1026,1027)
From 221.208.208.86 - 2 packets to udp(1026)
From 221.208.208.92 - 2 packets to udp(1026)
From 221.208.208.95 - 2 packets to udp(1026,1027)
From 221.208.208.97 - 2 packets to udp(1026,1027)
From 221.208.208.99 - 4 packets to udp(1026,1027)
From 221.208.208.212 - 4 packets to udp(1026,1027)
From 222.84.225.189 - 2 packets to tcp(5900)
From 222.187.221.27 - 4 packets to tcp(7212,8000)
From 222.216.28.40 - 2 packets to tcp(5900)

And a word about security through obscurity - technically a lot of existing security is through obscurity - just differing levels of randomness - port, 8 character password or 1024 character certificate. If someone knew what port a service is running on, or knew a password, or knew the SSH key - either 4, 8, or 1024 characters - they have access. These random characters are why cracking works. It's only a matter of time before the port/password/certificate is found out if being cracked - even if it's 20 years - at some point the attacker quits for an easier target. Again, if we can slow down the hacker, they will move on - or the script will move on. Think car alarms, 3 locks on the front door of an apartment, "The CLUB" - all there to say "move on to an easier target".

Posted by Spacial, 06-13-2008, 02:55 AM
Quote:
Originally Posted by Apoc
If you want to do that you should also disable all other functions that enable file execution such as: passthru, escapeshellcmd, popen, pcntl_exec, and I thinkt here might be a few others.
ok, but tell me where to disable that, where is php.ini file?

Posted by greggster, 06-20-2008, 02:56 AM
/etc/php.ini for most installs. When I started this there was about 6 months of no TV and lots of studying - hosting on the net is like jumping into a den of lions and my first few hits woke me up. A test machine with 42,000 failed login attempts scared me into studying. This is a great forum and I have learned from here and from howtoforge.com a massive amount - like going to school.

Posted by robr3004, 07-24-2008, 10:30 PM
Quote:
Originally Posted by frynge
=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================

If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.


Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.


At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.
Newbie here....

I added the email alert to .bash_profile but when I login I get this message:

"You must specify direct recipients with -s, -c, or -b."

I checked for typo's three times. Any ideas?

Posted by robr3004, 07-24-2008, 10:47 PM
Quote:
Originally Posted by robr3004
Newbie here....

I added the email alert to .bash_profile but when I login I get this message:

"You must specify direct recipients with -s, -c, or -b."

I checked for typo's three times. Any ideas?
Nevermind...I was missing a space between end of the Email Subject info and my email address. It's working now.

Posted by n00bRooT, 07-25-2008, 09:10 AM
thanks dude great post for n00bs

Posted by Nazeer, 07-26-2008, 01:31 AM
Great thread. This is really wonderful thread and very helpful to new VPS users.

I love to see more tutorials like this.

Thanks
Nazeer
WebcareSolutions.com

Posted by greggster, 08-21-2008, 10:17 PM
Check out OSSEC for server security - quick install, open 1 port and you are set. It emails every time someone logs in - set your email to cc gmail and if you get rooted, about 10 seconds later a copy will be at gmail also...

Posted by vantasticman7, 08-24-2008, 08:50 PM
Quote:
Originally Posted by jpetersen
I'd just like to make a quick note on the difference between :blackhole: and :fail: from my personal experience with cPanel servers and Exim:

Since :blackhole: processes the entire email, more resources wind up getting used. I, like many others, have tested replacing :blackhole: with :fail: on some of servers in the past, and can say that easily, without a doubt, less resources (namely CPU and disk I/O) wind up getting used, which helps keep the load average even lower than usual. :fail: will immediately send a 550 error after the invalid RCPT TO: line, vice accepting then discarding the entire email. I'm not saying that will work for everyone, but I have personally seen it immediately decrease resource usage on a shared hosting server with a fairly busy day to day mail flow, and would recommend it to anyone else looking to do the same regardless of the server type.
Since Blackhole reduces load, and Fail (in theory) could reduce spam, would it be possible to have a script that checks for load and then if its low sets to :Fail but if load is high it sets to :Blackhole? That way we could get the best of both worlds?

Van

Posted by JLHC, 08-24-2008, 08:57 PM
Great thread! /Subscribes.

Posted by spudlet, 09-09-2008, 05:40 PM
hello

I have installed chkrootkit and bfd exactly as described (to the letter) in the first post about 4-8 weeks ago.

Today my VPS went down, for absolutely no reason as far as I can find. It was 'up' but I couldn't get onto SSH and it wasn't serving over 80.

I complained, rather harshly, because I have been receiving very poor service from them in my mind.

They came back and said "someone has added some extra rules to the firewall". I know that no one has logged in (I changed the port for SSH) other than myself, and I have made no configuration changes beyond installing the above and moving the SSH port, which is basic stuff.

Does bfd or chkrootkit add any firewall rules or lock everyone from accessing the site?

The host has 'deleted the rule and turned off the firewall', but I'm a little confused how the entries got in there that would have cocked it up... unless these did it? I can't tell you the firewall rules now because they've been removed and, surprisingly, the firewall was turned off, which just seems plain wrong to say this is a managed service I'm paying for.

It's a simple PHP/MySQL setup; DirectAdmin is there but I haven't changed any configuration. A week or so back my host accidentally removed one of my IPs and assigned it to another customer, but on my end I haven't touched anything.

So could bfd or chkrootkit have done this? What could have done it? I've quite literally just done a few steps from this guide and nothing else... how can these rules (that I've not seen so can't tell you what they are) have got there?

Posted by secmas, 09-09-2008, 11:36 PM
Spudlet,
It sounds like your firewall has blocked your IP from the system. It could happen if you have not added your IP to the white list.

To check why or what you have done, just look into /var/logs for the IP that your ISP has assigned to you. If you don't know what your IP is, you can go to SecmasHost.com/ip and it will tell you. This is a handy utility that I use with my customers when the firewall blocks them.

After you have the IP, go and search in /var/logs/messages, and if it is not there, go and check the Apache error_log.

Hope this helps you to see what happened.

Posted by DnaJinx, 09-14-2008, 09:48 PM
very useful post thanks for posting it

Posted by alwaysonline247, 09-22-2008, 10:56 PM
thanks for the info

Posted by ragubhat, 09-28-2008, 03:31 AM
csf+lfd works on all GNU/Linux servers with or without cPanel. This f/w script is well maintained and in certain cases betters apf. Install this on your cPanel VPS and test. On the HN, install either shorewall or firestarter. RKHunter is better, and better maintained, than Chkrootkit.

Code:
http://www.configserver.com/cp/csf.html
Code:
http://www.rootkit.nl/projects/rootkit_hunter.html
YMMV.

Posted by CI-Theo, 10-05-2008, 07:03 AM
This thread is certainly impressive - I have already performed a few mods via SSH. Great job!

Posted by zbaby48, 10-05-2008, 05:42 PM
Thanks a lot for this information will definitely put it to good use!

Posted by michaljnowak, 10-06-2008, 10:07 AM
Good job. Thanks a lot!

Posted by grniyce, 10-13-2008, 05:15 PM
SQL optimization specifically designed for vBulletin, IPB and phpBB bulletin boards using multiple queries and shoutboxes. This WILL get you out of hot water with your host telling you you're using too much CPU.

This has been written to be flexible within the following environments:

- 1-4 gig of ram
- Pent4 w/hyper threading or above cpu speed

Enjoy!

[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-locking
max_connections = 2000
max_user_connections = 250
key_buffer = 128M
max_allowed_packet = 64M
max_connect_errors = 10
thread_concurrency = 8
concurrent_insert = 2
table_lock_wait_timeout = 35
wait_timeout = 35
connect_timeout = 10
tmp_table_size = 256M
max_heap_table_size = 256M
table_cache = 2M
join_buffer_size = 1M
sort_buffer_size = 2M
read_buffer_size = 1M
thread_cache_size = 384
wait_timeout = 900
read_rnd_buffer_size = 1M
bulk_insert_buffer_size = 8M
net_buffer_length = 4M
thread_stack = 256K
skip-bdb
skip-innodb
query_cache_limit = 8M
query_cache_size = 128M
query_cache_type = 1
query_prealloc_size = 131072
query_alloc_block_size = 65536
default-storage-engine = MyISAM

[mysqldump]
quick
max_allowed_packet = 500M

[mysql]
no-auto-rehash
#safe-updates

[myisamchk]
key_buffer = 64M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M

[mysqlhotcopy]
interactive-timeout

Posted by canubeat, 03-25-2009, 12:03 AM
Is there any help on same topic for LxAdmin panel

Posted by host-6-Dan, 04-02-2009, 10:45 AM
Thanks for the tut

Posted by DoYouSpeakWak??, 04-06-2009, 11:23 AM
Thx for this one. It really helped me last night.

Posted by nhynes57, 04-14-2009, 07:55 AM
Great post, I am looking at getting a VPS but security is a worry. This helps a lot. Thanks

Posted by nessic, 04-16-2009, 03:34 AM
Great tutorial. Thanks for the help

Posted by biggies, 04-21-2009, 11:10 AM
Great Post. Thanks for the help

Posted by CKGroup, 05-11-2009, 04:10 PM
Great tut, thanks!

Posted by pongery, 06-08-2009, 11:19 AM
awsome tutorial thanks

Posted by webdis2, 06-10-2009, 01:27 PM
This is a good guide, i used it and I saw increased performance.

Posted by OwlsHosting, 06-12-2009, 12:44 AM
Some great info here! Thankyou

Posted by t3od0r, 06-16-2009, 04:34 AM
Thanks, great tutorial, my host should read it, they were hacked

Posted by adwivedi, 07-02-2009, 06:27 AM
Hey will i need to have mail (smtp and all) set up to use these email utilities?

Posted by admsys, 07-11-2009, 05:22 AM
These tips are very useful for beginners...


Thanks for sharing...

Posted by mrwillt, 07-14-2009, 10:01 AM
Great guide!

Posted by Sheikh Ahsan, 07-14-2009, 11:54 AM
Hello guys,

I am new into this field. Any suggestions will be appreciated!

Cheers

Posted by thesecret, 07-17-2009, 02:57 PM
thanks alot for your support

Posted by Larsson, 07-22-2009, 02:56 PM
Is this still up to date?

Posted by scurrminator, 08-04-2009, 03:07 PM
cool tutorial, thanx

Posted by Hostlatte, 08-10-2009, 07:42 PM
Good write up!

Posted by KrazyBob, 08-12-2009, 01:42 AM
This is an excellent tutorial even though I use Plesk on top of Virtuozzo. At the moment I am getting spammed to death and I suspect brute force attacked based on IP's going to most of the passworded services. I have over 100 virtual servers running Plesk 8.6 and Virtuozzo 3 (I know - time to upgrade.)

The question I have is this: I have the Plesk firewall enabled through /etc/sysconfig/iptables-config. I can also install APF and BFD even though we use a top-level hardware firewall.

Now then, do I need to add APF to the hardware node? Then do I need to add BFD to the VE? Or can I add APF and BFD to just the hardware node since it sees all IP's anyway? If using the Plesk firewall do I need or want to run APF? I mean, won't they conflict with one another? I can turn off the Plesk firewall just by removing the line from the config and restarting VZ if APF is the better approach. By default we have most services off and only allow trusted IP's access to ssh.

I am tired of my pager going off and OpManager going crazy.

Posted by greggster, 08-12-2009, 09:09 PM
Issue with hardware firewalls is unless configured, they are typically not responsive firewalls - APF and BFD can do this.

Not a direct answer but might help also - actually, I found spam and brute force fighting quite fun. For spam and bruteforce denyhosts might help - as some of the same bots brute forcing might be sending spam, but have not done a statistical test in a while - I installed but there was not enough email to statistically tell. The really useful part is the central denyhosts server that other denyhosts report bad hosts to and your server gets the updates.

Also, are the spams for a certain domain? I am hosting one domain and the spamhaus hits went up 30x when I started hosting them, and down 30x when just the MX record was pointed to gmail. Unfortunately I installed denyhosts after this domain's MX record was migrated..

Posted by KrazyBob, 08-12-2009, 09:31 PM
Thanks for the reply but the question is still unanswered.

Do I need to add APF to the hardware node? Then do I need to add BFD to the VE? Or can I add APF and BFD to just the hardware node since it sees all IP's anyway? If using the Plesk firewall do I need or want to run APF? I mean, won't they conflict with one another? I can turn off the Plesk firewall just by removing the line from the config and restarting VZ if APF is the better approach.

Thanks again.

Posted by ServerOrigin, 08-13-2009, 04:22 AM
It's recommended that you have a hardware firewall in place and have no open public ports on the hypervisor. I wouldn't recommend running a firewall on the host node itself. It should be firewalled with hardware and then allow your users up to 200-300 available rule additions for each vps.

Posted by KrazyBob, 08-13-2009, 04:46 AM
The hardware firewall works but the offending IP's need to be entered. The firewall doesn't see them as a brute force attack and is why I asked about installing APF and BFD. I'd love an answer to the actual question.

Posted by shad0wd0wn, 08-21-2009, 11:44 PM
Thanks a lot for all of these it'll help a lot

Posted by nessic, 08-23-2009, 08:43 AM
Not a bad tutorial, Well Done

Posted by jeswinaugustine, 09-03-2009, 12:33 PM
WOW !! just the one i was looking for !! thanks !!

Posted by carmaster, 09-03-2009, 12:43 PM
great tutorial i like it

Posted by TRVPS, 09-05-2009, 04:33 PM
Now bad security WHM and cPanel You should establish with CSF

Posted by noep, 09-18-2009, 05:18 PM
Thanks i used this guide

Posted by Hesham_3del, 09-22-2009, 02:37 PM
thanks a lot for this tutorial ...

Posted by energetic, 09-22-2009, 07:55 PM
great thread

Posted by vnk1986, 09-26-2009, 01:57 PM
Hey Guys! this is a very useful, learning and informative thread. Thanks a lot for sharing your ideas and tips!

Posted by ServerHitch, 10-08-2009, 01:49 AM
Great information, really the most important of all is brute force detection!

Posted by hostedweb, 10-09-2009, 09:10 AM
Excellent tutorial, thanks!

Posted by k-planethost, 11-01-2009, 07:35 AM
How can you check the logfile (/var/log/rkhunter.log)?
What is the command?

Posted by [JSH]John, 11-07-2009, 11:00 AM
You can use cat /var/log/rkhunter.log or nano /var/log/rkhunter.log

Posted by izesem, 11-18-2009, 05:18 AM
Could anyone suggest how to optimize Apache & MySQL for a Xen VPS?
Cpu: Core i7
Ram: 1G DDR3

Posted by hostwebdata, 11-27-2009, 12:56 AM
Excellent tutorial thx for the info

Posted by Master Bo, 12-01-2009, 06:52 AM
A great collection of hints. Personally, I'd have added also

1. Port knock module for the firewall used, to set up the proper PK'ing and keep the system shut in most cases. In conjunction with rate limiting, that will give better protection from would-be hackers.

2. Resources monitoring. Early warning about any unusual service/resource usage state could be very useful to pinpoint and handle the problem quickly.

Snort could also be a good intruder detection tool.

Thanks!

Posted by ChrisRut, 01-08-2010, 01:57 PM
Quote:
Originally Posted by frynge
(choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678 lol )
I thought 65535 was the highest port number?
Is there a reason you can't set SSH to a port higher than 49151?

Posted by 0100001101001010, 01-15-2010, 10:15 PM
Thank you. Very nice write up.

Posted by webhostingis1, 01-19-2010, 12:35 PM
This a fantastic guide, thanks very much!

I am currently having problems with the following:

Quote:
Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.


At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.
Everything works fine to begin with, but when I access SSH I do not receive an email. Also, when I return to the file the line is no longer showing.

I am using PuTTY for this. If anyone can offer any help I will be truly grateful.

Thanks!

Posted by njoker555, 01-19-2010, 12:40 PM
Quote:
Originally Posted by webhostingis1
Everything works fine to begin with, but when I access SSH I do not receive an email. Also, when I return to the file the line is no longer showing.

I am using PuTTY for this. If anyone can offer any help I will be truly grateful.

Thanks!
Make sure you save the file before exiting. You can also ask your host for help with it if you need it.

Posted by webhostingis1, 01-19-2010, 02:40 PM
Quote:
Originally Posted by njoker555
Make sure you save the file before exiting. You can also ask your host for help with it if you need it.
Thanks for your reply njoker.

Using PuTTY I used Ctrl+X, then Y to save, and that seems to be right.

OK I will ask my web host to help me with this, thanks very much for your help.

I did, however, manage to add the warning message.

Posted by djl93, 01-20-2010, 02:26 AM
Oh wow, thanks a lot! I have a VPS of my own; this is very helpful.

Posted by macaws, 01-24-2010, 12:19 PM
You spent a lot of time making sure we have a secure, safe, VPS. Thank you for this tutorial.

Posted by usherj, 01-30-2010, 12:01 PM
Good, useful!

Posted by dedivirtual, 02-01-2010, 02:02 PM
Awesome! Really appreciable work.

Posted by hostingelite, 02-15-2010, 07:24 AM
This really helps me.

This is my first time on a hosting forum, and it's worth it.

Thanks!

Elva

Posted by ItsAliveHosting, 02-20-2010, 02:52 PM
Nice work and thank you for the heads up.

Posted by the_wanderer, 02-22-2010, 07:42 PM
Excellent information contained in this thread. I would encourage anyone adding security and locking down a host to try and grasp an understanding of what the commands and tools are doing. Blindly following a tutorial does not provide you with added security if you do not understand the possible consequences of the configuration changes.

Quote:
Check out OSSEC for server security - quick install, open 1 port and you are set. It emails every time someone logs in - set your email to cc gmail and if you get rooted, about 10 seconds later a copy will be at gmail also...
Agreed... http://www.ossec.net is an excellent tool, here is a quick guide - http://hackertarget.com/2009/08/osse...llation-guide/.

As an additional tip, running Nessus or OpenVAS, along with Nikto, externally is a great way to check your config, patch levels and general external security.

Posted by David-, 02-28-2010, 06:51 AM
This is awesome, will come in handy when I purchase my VPS. Thanks!

Posted by waqaspuri, 02-28-2010, 07:06 AM
Does anyone know a free antivirus that protects against injection viruses?

Posted by k-planethost, 02-28-2010, 02:04 PM
You can install the ClamAV antivirus from cPanel/WHM.

Posted by nileshparmar, 03-13-2010, 02:37 AM
I ran Quick Security Scan but didn't get any result.
Quick Security Check in Progress...
Note: You may see [FAILED] results below; These are normal as this means the service(s) were already shutdown.

Stopping portmap: [FAILED]
Shutting down console mouse services: [FAILED]
Shutting down SMB services: [FAILED]
Shutting down NMB services: [FAILED]
Shutting down xfs: [FAILED]

Posted by Gergely Homola, 03-31-2010, 03:15 PM
This thread is awesome. I originally registered to say thank you for these tips, I just kinda forgot until I got here...

Posted by kapz01, 04-02-2010, 12:20 PM
Anyone got any idea about this issue:
Quote:
# /usr/share/logwatch/scripts/logwatch.pl --range today
Can't exec "sendmail": No such file or directory at /usr/share/logwatch/scripts/logwatch.pl line 1017, <TESTFILE> line 2.
Can't execute sendmail -t: No such file or directory

Posted by -Edward-, 04-03-2010, 11:08 AM
Quote:
Originally Posted by kapz01
Anyone got any idea to this issue:
Do you have sendmail or any other mail protocol installed?

Posted by izumi777, 04-11-2010, 12:49 AM
Very nice article. Thanks for sharing.

Posted by Khaen, 04-12-2010, 10:42 AM
Excellent tutorial. The information has helped me.

Posted by MarkoB, 04-13-2010, 06:27 AM
Thanks, it is very useful for me.

Posted by nileshparmar, 04-13-2010, 06:34 AM
Quote:
Originally Posted by k-planethost
clamav antivirus from cpanel/whm you can install it
It is not working properly and is not detecting any viruses, e.g. malicious iframe/script code.

Need a better solution to this.

However, I can find them manually by editing the .html, .htm and .php pages.

nilesh

Posted by eSupun, 04-22-2010, 12:44 AM
I think this is the total guide everyone is looking for when they go for a VPS solution.

Thank you very much for sharing knowledge with VPS newbies like us.

Thanks again.

Posted by HostNN, 04-25-2010, 02:35 PM
Wow thank you! This really helped me out on my VPS. Going to need it to possibly serve my customers.

Posted by S_philip, 04-26-2010, 01:53 AM
Hello kapz01,

It seems the default mailer entry in logwatch.conf is not set properly.

What is the default mailer you have on your server?

Posted by MySpotMedia, 05-02-2010, 12:39 PM
Are these general VPS settings, or is it OK to run a small hosting business using these?

Posted by assistanz247, 05-12-2010, 04:00 PM
Nice work. It would really help VPS Owners.

Posted by WebCobra, 05-23-2010, 03:07 PM
Great tutorial, long but great tutorial.

Posted by galwin, 06-02-2010, 02:35 AM
Helped me a lot! I am a new VPS owner and I did some of the things here.

Posted by QuickWeb-Roel, 06-08-2010, 01:01 AM
My CCNA class finally starts tonight after a one month delay due to lack of participants. The first part is networking fundamentals; I read in the course overview that in chapter 6 they will teach us how to use a networking utility called "ping".

Posted by Flydro, 06-08-2010, 06:19 PM
Thanks for this, I've been looking for a good tutorial to keep my VPS secure as it has been hacked once.

Posted by imanewbie, 06-15-2010, 05:45 PM
Thanks for this good tutorial, very helpful.

Posted by TinyVox, 08-01-2010, 11:56 PM
Is this tutorial up to date? It's 5 years old.

Posted by eccspert, 08-22-2010, 06:22 AM
Nice tutorial, but maybe you should update it.

Posted by bluearrow, 08-22-2010, 06:52 AM
5 years old but still a very helpful topic.

Posted by GoDeT, 08-25-2010, 02:23 PM
Nice thread, guys! Thanks for everyone's help!

Posted by xentos, 09-16-2010, 08:26 AM
Thank you, I needed the rootkit checker; I will install it soon.

Posted by angathan, 09-16-2010, 12:38 PM
Which firewall is more secure? APF or CSF?

Thanks for the tutorial

Posted by junker10, 09-24-2010, 07:33 AM
Thanks for the tutorial and the help

Posted by capripio, 09-30-2010, 05:33 AM
Wow, nice, thanks for sharing.

Posted by PyroEsque, 10-01-2010, 09:37 AM
Quote:
Originally Posted by angathan
Which firewall is more secure? APF or CSF?

Thanks for the tutorial
Could also do with knowing this; anyone got any knowledge to impart?

Posted by TinyVox, 10-01-2010, 02:02 PM
Well, they both work with iptables. CSF is easier to use and it's well supported by cPanel/WHM.

Posted by pureheart, 10-07-2010, 07:42 PM
Good tutorial... I followed this tutorial on my VPS and I get better speed.

Posted by TomMosey, 10-10-2010, 08:42 AM
Yeah, this is really great, helped me out a lot. Thanks!

Posted by jaimin26783, 10-11-2010, 09:33 AM
Very useful thread about VPS tutorial.

Posted by Andy - XclusiveTech, 10-18-2010, 01:27 AM
Awesome guide! Helped optimize my VPS. Hopefully in the future I can start my own hosting business and apply these techniques.

Posted by xenbox, 10-18-2010, 10:37 AM
Thanks for the tutorial. Now I can harden my cPanel.

Greets

Posted by NYCServers-Nick, 11-01-2010, 06:55 PM
Very Very Very good tutorial.
If you have a VPS I strongly recommend you follow this guide.

Posted by Robbie P, 11-02-2010, 09:28 AM
An excellent tutorial to read; when I read this I found it all extremely easy to understand and to work through.

Posted by steven_elvisda, 11-06-2010, 09:37 PM
But I still have a problem with kernel patching. Can anyone give me the best tutorial on kernel patching?

Your idea would be great to me.

Posted by jebra, 11-24-2010, 10:29 AM
Wow, you need to write a book about it.

Posted by Hot dog, 11-28-2010, 05:51 PM
If I don't have pico as a command, that means I don't have Pine, right? I don't have any kind of cPanel.

Posted by innovohosting, 11-30-2010, 01:33 PM
Wow!!! Even though I was aware of all (well, almost all) the techniques here, I learned a few new programs, techniques and sites. This is a very, very, very good thread!

May I suggest you check out also http://securecentos.com/ for a good and structured source of centos hardening?

Posted by tmrsk, 01-15-2011, 08:46 PM
Thanks for the tutorial.

Posted by leetsauce, 02-01-2011, 02:34 AM
Great tutorial! Thanks.

Posted by lxspcby, 02-18-2011, 12:10 PM
This is a must-bookmark thread; I need to see it every time I reload the OS.

Posted by Vistz, 02-20-2011, 11:59 AM
Quote:
Originally Posted by frynge

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
So basically, on my VPS, I should have: the root account and my own account. And both of these accounts should have full access. Am I correct in stating this?

Posted by Master Bo, 02-20-2011, 01:11 PM
Quote:
Originally Posted by Vistz
So basically, on my VPS, I should have: the root account and my own account. And both of these accounts should have full access. Am I correct in stating this?
Ideally, root user should not have SSH access, and non-root should be restricted to just a few (using AllowGroups directive in sshd_config, for example).

Non-root can only have 'full access' via sudo.

Posted by Vistz, 02-20-2011, 03:23 PM
Quote:
Originally Posted by masterbo
Ideally, root user should not have SSH access, and non-root should be restricted to just a few (using AllowGroups directive in sshd_config, for example).

Non-root can only have 'full access' via sudo.
To do that, can't you just do this?

Code:
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Where "you" are another user (not root).

Posted by Master Bo, 02-20-2011, 10:26 PM
Quote:
Originally Posted by Vistz
To do that, can't you just do this?

Code:
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Where "you" are another user (not root).
What GUI are you talking about?
Myself, I use plain command-line to control everything, to me it's quicker and simpler.

SSH restrictions will all eventually be reflected in /etc/ssh/sshd_config and hosts.allow (if TCP wrappers are installed).

Thanks.

Posted by innovohosting, 02-21-2011, 02:35 AM
Yep! How I do it is I have a normal user from which I sudo to root, and I disable remote root login.
If I need more people to have root access, I give them normal users that can change through sudo to root, and that way I can see who became root and when.

Hope it makes sense, just woke up
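The two posts above (Master Bo's AllowGroups/no-root-over-SSH advice and innovohosting's sudo-only setup) both come down to what /etc/ssh/sshd_config actually says. The following audit is an added example, not code from either poster; it reads a constructed sample config (assumed, labelled in the code) and checks the two settings the way sshd does, honouring the first occurrence of each keyword in the global section.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two
# restrictions discussed above. sshd honours the FIRST value of each keyword
# and ignores keyword case, so the audit must do the same. Only the global
# section is inspected; keywords after a Match block apply conditionally.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blanks
        tolower($1) == "match"  { exit }            # stop at the first Match block
        tolower($1) == key      { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 when root cannot log in over SSH and logins are restricted to an
# explicit allow list; print one finding per check on stdout.
audit_sshd_config() {
    cfg="$1"; rc=0
    prl="$(sshd_effective "$cfg" PermitRootLogin)"
    case "$(printf '%s' "$prl" | tr 'A-Z' 'a-z')" in
        no) echo "ok: PermitRootLogin no" ;;
        "") echo "FAIL: PermitRootLogin unset (the OpenSSH default is not 'no')"; rc=1 ;;
        *)  echo "FAIL: PermitRootLogin $prl"; rc=1 ;;
    esac
    if [ -n "$(sshd_effective "$cfg" AllowGroups)" ] \
       || [ -n "$(sshd_effective "$cfg" AllowUsers)" ]; then
        echo "ok: logins restricted by AllowGroups/AllowUsers"
    else
        echo "FAIL: no AllowGroups/AllowUsers, every account with a shell may log in"; rc=1
    fi
    return $rc
}

# Constructed sample config for demonstration (not a real server's file).
# The second PermitRootLogin line is ignored by sshd, and so by the audit.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 2222
PermitRootLogin no
permitrootlogin yes
AllowGroups sshusers wheel
Match User backup
    PermitRootLogin yes
EOF
}

# Stand-alone demo against the sample; on a real box run:
#   audit_sshd_config /etc/ssh/sshd_config
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"; write_sample_config "$tmp"
    audit_sshd_config "$tmp"; rm -f "$tmp"
fi
```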

Posted by Vistz, 02-21-2011, 10:20 AM
Quote:
Originally Posted by masterbo
What GUI are you talking about?
Myself, I use plain command-line to control everything, to me it's quicker and simpler.

SSH restrictions will all eventually be reflected in /etc/ssh/sshd_config and hosts.allow (if TCP wrappers are installed).

Thanks.
Ah, I'm a bit new to this. I was referring to what OP said.

Quote:
Originally Posted by innovohosting
Yep! How I do it is I have a normal user from which I sudo to root, and I disable remote root login.
If I need more people to have root access, I give them normal users that can change through sudo to root, and that way I can see who became root and when.

Hope it makes sense, just woke up
Thanks

Posted by Vistz, 02-21-2011, 10:48 AM
Actually, I have another question. Do these security practices work on Kloxo as well?

Posted by coderiser, 02-23-2011, 02:43 PM
Great guide, thanks for the info.

Posted by sam00168, 02-23-2011, 11:56 PM
Thanks for the guide.

Posted by kuyenmotdivad, 02-27-2011, 02:27 PM
Great tutorial and advice guys.

Posted by Vistz, 02-27-2011, 11:03 PM
I will be using Kloxo instead of cPanel and I noticed that Kloxo comes with LXGuard, which blocks a user's IP after a specified number of unsuccessful attempts. Should I still do the section you mentioned about "Root breach DETECTOR and EMAIL WARNING"?

Posted by no69_2007, 03-08-2011, 04:38 AM
I guess this is the most perfect guide I have ever read.

Posted by hosting-ca, 04-01-2011, 10:39 PM
Thanks, very useful tutorial.

Posted by Boxxed, 04-04-2011, 01:32 PM
Thanks for the guide, it's very useful.

Posted by eric6630, 04-04-2011, 08:46 PM
Help, I get this error:

-bash: mail: command not found

I installed the root breach DETECTOR and EMAIL WARNING

and that error persists.
Thanks
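Both the .bash_profile alert line webhostingis1 quoted earlier and the "mail: command not found" error here come from the same one-liner: it parses who(1) output for the source address and fails outright when no mail command exists. The script below is an added example, not the thread's original command; it takes the source address from the SSH session's own environment (SSH_CONNECTION/SSH_CLIENT), falls back to sendmail or syslog when mailx is missing, and assumes a placeholder recipient address.

```shell
#!/bin/sh
# Added example (not from the thread): a root-login alert that does not depend
# on parsing `who` and does not break the login shell when mail(1) is missing.

# Source address of the current SSH session. SSH_CONNECTION is
# "client_ip client_port server_ip server_port"; SSH_CLIENT carries the first
# three fields. An explicit $1 overrides the environment (used for testing);
# console or su logins without either variable report "local".
ssh_source_addr() {
    conn="${1:-${SSH_CONNECTION:-${SSH_CLIENT:-}}}"
    if [ -n "$conn" ]; then
        printf '%s\n' "${conn%% *}"
    else
        printf 'local\n'
    fi
}

# Subject line, same wording as the thread's alert, with the reliable address.
root_alert_subject() {
    printf 'Alert: Root Access from %s\n' "$(ssh_source_addr "$1")"
}

# Body: host, time, source address, plus the current who(1) output for context.
root_alert_body() {
    printf 'ALERT - Root Shell Access on %s at %s from %s\n' \
        "$(uname -n)" "$(date)" "$(ssh_source_addr "$1")"
    who 2>/dev/null
}

# First usable mailer: mail(1) from the mailx package, else the sendmail binary
# (which also exists on Postfix/Exim boxes), else nothing.
find_mailer() {
    if command -v mail >/dev/null 2>&1; then
        printf 'mail\n'
    elif [ -x /usr/sbin/sendmail ]; then
        printf 'sendmail\n'
    else
        return 1
    fi
}

# Send the alert to recipient $1. With no mailer at all, record the login in
# syslog instead of spraying "command not found" into every root shell.
send_root_alert() {
    to="$1"
    subject="$(root_alert_subject)"
    body="$(root_alert_body)"
    case "$(find_mailer)" in
        mail)
            printf '%s\n' "$body" | mail -s "$subject" "$to"
            ;;
        sendmail)
            printf 'To: %s\nSubject: %s\n\n%s\n' "$to" "$subject" "$body" \
                | /usr/sbin/sendmail -t
            ;;
        *)
            logger -p auth.warning -t root-alert "$subject (no mailer installed)" 2>/dev/null
            return 1
            ;;
    esac
}

# Hook: save this file as /root/root-alert.sh and append to /root/.bash_profile
#   . /root/root-alert.sh && send_root_alert you@example.com   # placeholder address
```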

Posted by Rishi-GV, 05-10-2011, 02:34 PM
Great tutorial. Some of the input from the users is also essential! Maybe someone could re-create this, but updated with extra protection.

Posted by rootserver, 05-14-2011, 03:59 PM
I cannot install the Kloxo panel. Port 7778 is not functioning.

Posted by Patel, 05-16-2011, 12:39 AM
Thanks man, I'm getting into the VPS business and this really helps to keep my files secure!

Posted by henda, 06-08-2011, 12:26 AM
Excellent how-to guide. This will come in most useful and save me some money employing "gurus" to secure my web servers in the future.

Posted by appelpitje, 06-08-2011, 09:15 AM
Nice guide to protect your VPS!!

Posted by wowbestservers, 06-25-2011, 11:38 PM
This is very useful..
thank you.

Posted by Phanatic, 06-27-2011, 08:36 PM
Thanks for this, gonna use this for sure.

Posted by frankal, 07-03-2011, 08:51 PM
Thanks for the guide; securing a server is sometimes stressful.

Posted by zahirw, 08-23-2011, 05:23 PM
Awesome guide. I see people are still using it over the years. Any tips specific to Virtualmin?

Posted by medoezzat, 08-29-2011, 03:13 AM
Thanks very much, man.

Posted by kang_kutu, 11-24-2011, 09:23 PM
Thanks man.

Posted by Bluz, 11-28-2011, 01:00 AM
I just upgraded to the newest WHMCS and my cart isn't loading; even people who click a link for a product get taken to a blank cart. It did show two errors, which were fixed by turning safe mode off and the ionCube loader. Any suggestions?

Posted by iLoveHosting-UK, 11-28-2011, 06:20 AM
Quote:
Originally Posted by Bluz
I just upgraded to the newest WHMCS and my cart isn't loading; even people who click a link for a product get taken to a blank cart. It did show two errors, which were fixed by turning safe mode off and the ionCube loader. Any suggestions?
Revert back to the older version for the time being until bugs get fixed.

- Ashton

Posted by ServSlots, 01-17-2012, 12:39 PM
Good post, hope this comes in useful to those at WHT.

Posted by CEO,TutisHost, 01-23-2012, 10:20 AM
Thanks for everything. This is really good for all newcomers, and it would help hosting companies serve their customers better.

Posted by m107, 01-29-2012, 04:38 AM
Thank you.

Posted by ALEXEI_M, 01-31-2012, 02:02 AM
Very useful thread. Thanks for your post.

Posted by 1llusion, 02-07-2012, 11:08 AM
Wow thanks! Will install it right now on my VPS

Posted by Mrkrabz, 04-18-2012, 11:55 AM
Thanks, I'll keep it in mind with my next VPS.

Posted by DevilCrab, 04-23-2012, 10:16 AM
Wow, that is really amazing to learn!

I think someone who masters this can secure a VPS to a good and lasting extent!

Posted by Boxxed, 04-25-2012, 05:56 PM
Quote:
Originally Posted by DevilCrab
Wow, that is really amazing to learn!

I think someone who masters this can secure a VPS to a good and lasting extent!
Of course, anyone, expert or newbie, can secure their VPS with the help of this guide.

Posted by Carbon Host, 05-20-2012, 08:27 PM
Wow, very nice tutorial! Keep up the good work.

Posted by BA-Corey, 06-11-2012, 02:23 PM
If anyone is finding this on google then please note that the download location has changed for root kit checker.

http://www.net-security.org/dl/softw...rootkit.tar.gz

Posted by ferlie, 06-12-2012, 08:53 PM
Quote:
Originally Posted by YDGH-Corey
If anyone is finding this on google then please note that the download location has changed for root kit checker.

http://www.net-security.org/dl/softw...rootkit.tar.gz
Thanks for the link.

Posted by Losvre, 06-16-2012, 10:38 AM
Great stuff even for people who think they know all:-)

Thank you all

Posted by GeckoNetwork, 06-30-2012, 12:04 AM
Very nice tutorial and very easy to understand, but I would also include a firewall like CSF.

Thanks!

@Bluz, regarding your WHMCS issue: I have experienced this in the past, and to fix it I had to go back to the old version of WHMCS from before the update.


Hope that helps, good luck!

Posted by andrewlarioza, 07-31-2012, 03:30 AM
Hi,

Just an additional idea on how to secure the Apache web server.
a. Disable TRACE and TRACK
- This will save you a headache with the cross-site tracing vulnerability. Just add the following at the end of your Apache main config and restart the service. By default TRACE is enabled on all Apache web servers upon installation.

In httpd.conf:

Code:
TraceEnable off

HTH.

regards,
Andrew

Posted by holhostcom, 08-06-2012, 02:04 PM
Perfect post!
Thank You!
Could you add some MySQL optimizations as well?

Posted by wahuu, 08-08-2012, 02:25 PM
Excellent guide...
Looking forward to new optimization tools...

Posted by CronicHosting, 08-10-2012, 09:36 AM
Awesome write up, detailed tutorial.

Keep up the good work,

Sean

Posted by Greg-NH, 09-23-2012, 08:11 PM
Anyone know where I can find something similar to this topic that isn't outdated?

I'm trying to secure & optimize my pretty stock CentOS 6.3 w/ WHM/cPanel VPS

Thanks,
Greg

Posted by regolithmedia, 11-06-2012, 03:07 AM
It's been 7 years but I still read this tutorial every time I secure my personal VPS. Great.

Posted by Datzen, 11-13-2012, 11:02 AM
Thank you for sharing

Posted by inside7, 12-04-2012, 09:19 AM
Thanks for the tutorial.

Posted by vaibhav_p77, 12-26-2012, 09:23 AM
Great post it is really helpful

Posted by alphavbox, 12-27-2012, 03:02 AM
This overall discussion is really helpful for all, but no one has discussed managed versus unmanaged, which one is best, and which plans are best for small, medium and larger business hosting.

Posted by frynge, 05-25-2013, 11:12 AM
Quote:
Originally Posted by regolithmedia
It's been 7 years but I still read this tutorial every time I secure my personal VPS. Great.

Very cool

I actually just setup a new VPS with a new host and I had to come back to this tutorial I made ages ago, to see if anyone updated it.

It still works well, I see! I hope you all got good use out of it! It took me a while to collect the data.

Posted by frynge, 05-25-2013, 11:33 AM
Am I blind... ? I want to update this original post but I can't find the edit button. How do I edit my own post?

NOW I NEED YOUR GUYS HELP

Posted by 19881024, 05-25-2013, 12:19 PM
Yes please moderators let him modify it

Posted by frynge, 05-25-2013, 12:32 PM
I see ... the edit button deletes after you log off the first time, so I cannot modify this.

There are many updates and changes, since I made this so long ago. I'm using it to harden a new VPS that I got with the latest security.

BOY have I learned a lot since this last post... PAINFULLY I have learned things.

This guide is still good, many many good things in it, but out of date in places (it needs more of an update than an overhaul).

Also, there were some good comments over the years from many people using VPSs.

Can a mod give me access to update this thread ...... ? plllllllllllllease ?

I will take out all the old stuff that is no longer valid and update it with all the new features that the new cpanel has.

Also there are more additions from the thread and I have many more additions since adding this article.

Anyways, thanks for all the people helping and commenting.

Posted by Gareth-HostRedDragon, 05-25-2013, 01:10 PM
The best thing to do is go to the WHT help desk and submit a ticket asking them (linking to the post).

Sorry I can not link to the helpdesk as I'm using my phone at the moment.

Posted by 19881024, 05-25-2013, 01:18 PM
I asked the moderator to let you do this I hope they will

Posted by anon-e-mouse, 05-25-2013, 05:12 PM
Quote:
Originally Posted by frynge
Am I blind... ? I want to update this original post but I can't find the edit button. How do I edit my own post?

NOW I NEED YOUR GUYS HELP
Use the report button on the first post and one of the moderators might help you

Alternatively, you can start a new thread maybe?

Posted by pacpac, 05-25-2013, 08:50 PM
Registered just to say I hope they let you.
This looks insanely useful, but I'm wondering what all is out of date.

Posted by frynge, 05-25-2013, 08:52 PM
Quote:
Originally Posted by pacpac
Registered just to say I hope they let you.
This looks insanely useful, but I'm wondering what all is out of date.
Oddly enough most of it is pretty good. I came back here to harden a new server I just bought and it worked very well.

I have new ideas about phpsuexec (which is now phpsup
And other ways to harden your system, along with all the new comments and ideas... this guide is by far a definitive guide to hardening your VPS and is still incredibly useful.

At minimum it gives you a sense of security

Posted by pacpac, 05-25-2013, 09:12 PM
Quote:
Originally Posted by frynge
Oddly enough most of it is pretty good. I came back here to harden a new server I just bought and it worked very well.

I have new ideas about phpsuexec (which is now phpsup
And other ways to harden your system, along with all the new comments and ideas... this guide is by far a definitive guide to hardening your VPS and is still incredibly useful.

At minimum it gives you a sense of security
I'm about to go through the same process and just stumbled over your guide while looking for various things. I haven't read all of it yet, and I use nginx instead of Apache (no cPanel for me), but really it will be my go-to from now on too, unless you make another instead of update.

Thanks for it.

Posted by lowprofile, 06-25-2013, 06:14 AM
Nice! It needs an update, though. Good work!

Posted by MarkoFTW, 07-03-2013, 08:56 AM
Very useful information, thanks.

Posted by MyMTemplates, 07-16-2013, 12:38 AM
Great tutorial, thanks a lot!
But like @Above said, it needs to be updated.

Posted by NEQ3 - Sam, 07-22-2013, 10:05 AM
Nice job. This was very useful for our staff

Posted by LukaTCE, 09-03-2013, 10:40 AM
For
Code:
pico .bash_profile
I get this error on CentOS 6.4
Code:
-bash: pico: command not found

Posted by Gareth-HostRedDragon, 09-03-2013, 02:15 PM
Quote:
Originally Posted by LukaTCE
For
Code:
pico .bash_profile
I get this error on CentOS 6.4
Code:
-bash: pico: command not found
It means you do not have the editor pico installed.

Try

Code:
nano .bash_profile
Instead

Posted by LukaTCE, 09-03-2013, 04:14 PM
Quote:
Originally Posted by Host Red Dragon
It means you do not have the editor pico installed.

Try

Code:
nano .bash_profile
Instead
Code:
lv
(LV) worked

Posted by ManojKumar, Today, 12:49 PM
Great post! But since I am a newbie, will these tips work even now? Needs an update?


