Best Server Security Configuration

Summary
1) Upgrade Apache/PHP, MySQL, OpenSSH, OpenSSL, cP/WHM etc.
2) cP/WHM Configuration
3) SSH Access
4) Mod_Security
5) Firewall
6) DDoS Protection
7) Rootkit
8) PHP Configuration
9) Other
10) The End

Author: QKrun1x

1) Upgrade Apache/PHP, MySQL, OpenSSH, OpenSSL, cP/WHM etc.

Update your Apache/PHP, MySQL, OpenSSH, OpenSSL, cP/WHM... and make sure you are running the latest secured version of each.

2) cP/WHM Configuration

WHM - Server Setup - Tweak Security:
-------------------------------------
Enable php open_basedir protection
Enable mod_userdir protection
Disable compilers for all accounts (except root)
Enable Shell Bomb/Memory Protection

WHM - Account Functions:
-------------------------
Disable cPanel Demo Mode
Disable shell access for all accounts (except root)

WHM - Service Configuration - FTP Configuration:
-------------------------------------------------
Disable anonymous FTP access

WHM - MySQL:
-------------
Set a MySQL root password (do not reuse the password of the system root account).
If no MySQL root password is set and someone uploads a shell (e.g. c99) to any site on the server, they can log in to the database as "root" with no password and delete, edit or download every database on that server.

WHM - Server Setup:
--------------------
Go to Server Setup and enable suEXEC and PHPsuEXEC.
When PHP runs as an Apache module it executes as the user/group of the web server, which is usually "nobody" or "apache". PHPsuEXEC changes this so scripts run as CGI, which means each script is executed as the user that created it.
With PHPsuEXEC, script permissions cannot be set to 777 (read/write/execute at user, group and world level); such scripts are refused.

3) SSH Access

Change the SSH port (set something like 1334). You can change it in /etc/ssh/sshd_config.
There are a lot of script kiddies with brute forcers, and they will try to crack our SSH password because they know the username is root and the port is 22. But we are smarter, we changed the SSH port :)
Also, their brute forcing adds load to the server, which makes the sites hosted on that server slower.

SSH legal message: edit /etc/motd and write something like this in it:
"ALERT! That is a secured area. Your IP is logged. Administrator has been notified"
When someone logs in over SSH they will see that message:
ALERT! That is a secured area. Your IP is logged. Administrator has been notified

At the end restart SSH: type "service sshd restart" into SSH.

4) Mod_Security

Mod_Security is a web application firewall and it can help us secure our sites against RFI, LFI, XSS, SQL injection etc.
If you use cP/WHM you can easily enable Mod_Security in WHM - Plugins - Enable Mod_Security and save.

Now I will explain how to install Mod_Security from source. You can't install Mod_Security without the libxml2 and httpd-devel libraries. You also need to enable mod_unique_id in the Apache modules, but don't worry, I will explain how to do it :)

Log in over SSH and type...
----------------------------------------------------
yum install libxml2 libxml2-devel httpd-devel
----------------------------------------------------
libxml2, libxml2-devel and httpd-devel should be installed now.

Then you need to edit the httpd.conf file, which you can find here: /etc/httpd/conf/httpd.conf
Add this to your httpd.conf file:
LoadModule unique_id_module modules/mod_unique_id.so

Now download the latest version of mod_security for Apache 2 from http://www.modsecurity.org. Log in over SSH and type...
-----------------------------------------------------------------------------
cd /root/downloads
wget http://www.modsecurity.org/download/...e_2.1.7.tar.gz
tar zxf modsecurity-apache_2.1.7.tar.gz
cd modsecurity-apache_2.1.7
cd apache2
------------------------------------------------------------------------------

Now we need to edit the Makefile, which is located here: /root/downloads/modsecurity-apache_2.1.7/apache2/
Change "top_dir =" to "top_dir = /usr/lib/httpd", then type:
-------------------
make
make install
-------------------

Then load the modules in httpd.conf:
---------------------------------------------------------
# /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include /etc/httpd/conf/modsecurity.conf
---------------------------------------------------------

Go to the end of httpd.conf and place an include for our config/rules file:
Include /etc/httpd/conf/modsecurity.conf

Content of /etc/httpd/conf/modsecurity.conf
(Note: the directives below use the ModSecurity 1.x syntax. ModSecurity 2.x, which is what modsecurity-apache_2.1.7 builds, replaced SecFilter* with SecRuleEngine/SecRule, and Apache refuses to start on an unknown directive, so with a 2.x module treat this list as the set of patterns to port rather than a drop-in file.)
------------------------------------------------------------------------------------------------------------------------
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
SecFilterEngine DynamicOnly
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"
# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"
# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"
# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"
# WEB-ATTACKS chown command attempt
SecFilter "/chown"
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass
# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass
# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC http directory traversal
SecFilter "\.\.\\"
# WEB-MISC http directory traversal
SecFilter "\.\./"
# WEB-MISC ls%20-l
SecFilter "ls\x20-l"
# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC /.... access
SecFilter "/\.\.\.\."
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass
# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass
# WEB-MISC Transfer-Encoding: chunked
SecFilter "chunked"
# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"
# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass
# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
# WEB-PHP remote include via a path= parameter
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"
# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass
# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass
# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass
# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass
# WEB-PHP phpBB viewtopic.php
SecFilterSelective THE_REQUEST "viewtopic.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log
# EXTRAS
SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost\+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
------------------------------------------------------------------------------------------------------------------------
Now restart httpd: type "service httpd restart" into SSH.

5) Firewall

We will install APF (Advanced Policy Firewall) now. APF is a policy-based iptables firewall system designed for ease of use and configuration.
Let's begin! Log in over SSH and type:
----------------------------------------------------------------
cd /root/downloads
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-0.9.5-1          # or whatever the latest version is
./install.sh
----------------------------------------------------------------

The installer prints something like this:
--------------------------------------------------------
Installing APF 0.9.5-1: Completed.

Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf
  AntiDos install path: /etc/apf/ad/
  AntiDos config path:  /etc/apf/ad/conf.antidos
  DShield Client Parser: /etc/apf/extras/dshield/
---------------------------------------------------------

Now we need to configure our new firewall...
We need to edit the APF configuration, which is located here: /etc/apf/conf.apf
If you use cP/WHM, like me, you need to configure APF like this so that we can still access cP/WHM (otherwise the firewall will block the cP/WHM ports and we will be locked out). If you changed the SSH port in section 3, replace 22 in the inbound TCP list with that port, or APF will lock you out of SSH as well.
----------------------------------------------------------------------------------------
# Common ingress (inbound) TCP ports
# 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
-----------------------------------------------------------------------------------------

Then, still in conf.apf:
----------------------
FIND:       DEVM="1"
CHANGE TO:  DEVM="0"
----------------------

Now start APF: type in SSH
-----------
apf -s
-----------

Some other APF commands:
---------------------------
apf -s      - start apf
apf -r      - restart apf
apf -f      - flush firewall
apf -st     - firewall status
apf -d IP   - ban IP
apf -u IP   - unban IP
---------------------------

6) DDoS Protection

We will install mod_evasive and DDoS Deflate to prevent DDoS attacks on our server.

###################
#   Mod Evasive   #
###################
The mod_evasive module for Apache offers protection against DDoS (denial of service) attacks on your server.
To install it, log in over SSH and type:
---------------------------------------------------------------------------------
cd /root/downloads
wget http://www.zdziarski.com/projects/mo..._1.10.1.tar.gz
tar zxf mod_evasive-1.10.1.tar.gz
cd mod_evasive
then type...
/usr/sbin/apxs -cia mod_evasive20.c
---------------------------------------------------------------------------------

When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf):
--------------------------------
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
--------------------------------

####################
#   DDoS Deflate   #
####################
Installation
-----------------------------------------------------------
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
-----------------------------------------------------------

Uninstalling
-----------------------------------------------------------
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
-----------------------------------------------------------

7) Rootkit

OK, we will install RKHunter now. Rootkit Hunter is a scanning tool that gives you about 99.9%* assurance that you are clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

Installation: log in over SSH and type
-----------------------------------------------------------
cd /root/downloads
wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
tar -zxvf rkhunter-1.2.7.tar.gz
cd rkhunter-1.2.7
./installer.sh
-----------------------------------------------------------

8) PHP Configuration

We need to edit php.ini, which is located here: /usr/local/lib/php.ini
----------------------------------------------------------
safe_mode = On
expose_php = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
disable_functions = show_source, system, proc_terminate, shell_exec, exec, passthru, proc_open, phpinfo, popen
-----------------------------------------------------------
Or, if you are running cP/WHM, you can configure it here: WHM - Service Configuration - PHP Configuration Editor

9) Other

If you use the BIND DNS server, we need to edit the named.conf file, which is located here: /etc/named.conf
Add "recursion no;" inside the options block:
----------------------------
options {
    recursion no;
};
----------------------------
Now restart BIND: type into SSH
-----------------------
service named restart
-----------------------
That will prevent lookups from dnstools.com and similar services and reduce server load.

Now we will prevent IP spoofing. To do it we need to edit the host.conf file, which is located here: /etc/host.conf
Add this to host.conf:
------------------
order bind,hosts
nospoof on
------------------

Hide the Apache version number: edit httpd.conf (/etc/httpd/conf/httpd.conf)
-----------------------
ServerSignature Off
-----------------------
(ServerSignature Off removes the version footer from Apache-generated error and index pages; the Server response header is controlled separately by the ServerTokens directive.)

Disable telnet: edit the file /etc/xinetd.d/telnet
------------------
disable = yes
------------------
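Worked example for section 2 (PHPsuEXEC and 777 permissions). This is an added example, not code from QKrun1x's guide or from cPanel: it builds a throwaway document root with constructed files and modes, lists the script files that are world-writable (the 777/666 case PHPsuEXEC refuses to run), and clears the world-write bit. The file names, suffix list and modes are constructed for the demo; a real run would point `find_world_writable_scripts` at the account's public_html.

```python
"""Audit a document root for world-writable script files.

Added example for the PHPsuEXEC note in section 2; not part of the guide.
"""
import os
import stat
import tempfile

SCRIPT_SUFFIXES = (".php", ".phtml", ".cgi", ".pl")   # assumption for the demo


def find_world_writable_scripts(root, suffixes=SCRIPT_SUFFIXES):
    """Return sorted (relative_path, octal_mode) for script files under
    `root` that have the world-write bit set (e.g. mode 777 or 666).
    Symlinks are skipped so a link into /tmp cannot smuggle in a hit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                found.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(found)


def remediate(root, suffixes=SCRIPT_SUFFIXES):
    """Clear the world-write bit on every offending script; returns how many
    files were changed.  Equivalent to `chmod o-w` on each hit."""
    changed = 0
    for rel, _mode in find_world_writable_scripts(root, suffixes):
        path = os.path.join(root, rel)
        current = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, current & ~stat.S_IWOTH)
        changed += 1
    return changed


def build_demo_tree():
    """Create a constructed docroot (temp directory) with mixed modes."""
    root = tempfile.mkdtemp(prefix="docroot-")
    spec = {
        "index.php": 0o644,          # fine
        "uploads/upload.php": 0o777, # the case PHPsuEXEC rejects
        "inc/config.php": 0o666,     # also world-writable
        "img/logo.png": 0o777,       # not a script, not reported by default
    }
    for rel, mode in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php echo 'demo'; ?>\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel, mode in find_world_writable_scripts(demo_root):
        print(f"world-writable script: {rel} ({mode})")
    print(f"fixed {remediate(demo_root)} file(s)")
```

Run it against a real docroot with the account's own user (or as root) and review the list before remediating; group-writable files are a separate check that PHPsuEXEC also enforces.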
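Worked example for sections 3 and 5 (SSH brute forcing and `apf -d IP`). Changing the port hides the service from the laziest scanners but does not stop a brute forcer that finds it, so the defender's complement is to detect the pattern in the sshd log and feed the sources into the firewall. This is an added example, not code from the guide; the log lines are constructed in the format OpenSSH writes to /var/log/secure, and the threshold and window are assumed values.

```python
"""Flag SSH brute-force sources from sshd log lines.

Added example for sections 3 and 5 of the guide; not part of the original.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = """\
Nov  6 03:10:01 host sshd[2101]: Failed password for root from 203.0.113.10 port 51234 ssh2
Nov  6 03:10:02 host sshd[2103]: Failed password for root from 203.0.113.10 port 51236 ssh2
Nov  6 03:10:02 host sshd[2105]: Failed password for invalid user admin from 203.0.113.10 port 51238 ssh2
Nov  6 03:10:03 host sshd[2107]: Failed password for root from 203.0.113.10 port 51240 ssh2
Nov  6 03:10:04 host sshd[2109]: Failed password for root from 203.0.113.10 port 51242 ssh2
Nov  6 03:10:05 host sshd[2111]: Failed password for root from 203.0.113.10 port 51244 ssh2
Nov  6 03:11:30 host sshd[2150]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov  6 03:11:40 host sshd[2152]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Nov  6 03:12:00 host sshd[2160]: Failed password for root from 192.0.2.44 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def failed_logins(log_text):
    """Yield (timestamp, user, ip) for each 'Failed password' event."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all we need
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for sources with at least `threshold`
    failures inside some `window`-long span.  A sliding window per IP means
    a slow trickle spread over hours does not trigger."""
    events = defaultdict(list)
    for ts, _user, ip in failed_logins(log_text):
        events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def apf_deny_commands(flagged):
    """Render the guide's 'apf -d IP' ban command for each flagged source."""
    return [f"apf -d {ip}" for ip in sorted(flagged)]


if __name__ == "__main__":
    for cmd in apf_deny_commands(brute_force_sources(SAMPLE_LOG)):
        print(cmd)
```

Review the output before running the ban commands: a shared NAT gateway or your own monitoring host can exceed the threshold, and `apf -u IP` (section 5) is the way back if a legitimate source gets caught.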
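Worked example for section 4 (the Mod_Security rule list). The guide's own comment says "YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED", and this shows why: SecFilter patterns are regexes matched against the whole decoded request, so the short EXTRAS patterns such as "/dev", "/tmp" and "rm\x20" also match ordinary URLs and search terms. This is an added example, not code from the guide or from ModSecurity; it re-implements the matching semantics of a handful of the page's rules in Python (first denying match wins, "log,pass" rules only log) and runs them over constructed requests. Case-insensitive matching is an assumption about the 1.x engine.

```python
"""Evaluate a subset of the guide's SecFilter rules against sample requests.

Added example for section 4; not part of the guide or of ModSecurity.
"""
import re
from urllib.parse import unquote_plus

# (comment, pattern, action) copied from the guide's modsecurity.conf; an
# empty action means the default "deny,log,status:403".
RULES = [
    ("WEB-ATTACKS rm command attempt", r"rm\x20", ""),
    ("WEB-MISC /etc/passwd", r"/etc/passwd", ""),
    ("WEB-MISC http directory traversal", r"\.\./", ""),
    ("EXTRAS", r"/dev", ""),
    ("EXTRAS", r"/tmp", ""),
    ("EXTRAS", r"select.+from", ""),
    ("WEB-MISC server-status access", r"/server-status", "log,pass"),
]

# Constructed requests: two probes, three legitimate requests, one clean one.
SAMPLE_REQUESTS = [
    "GET /index.php?page=../../etc/passwd HTTP/1.1",    # real traversal probe
    "GET /server-status HTTP/1.1",                       # log,pass: logged only
    "GET /developers/docs.html HTTP/1.1",                # legitimate, hits "/dev"
    "GET /search.php?q=storm+warning HTTP/1.1",          # legitimate, hits "rm\x20"
    "GET /blog/select-the-best-from-the-rest HTTP/1.1",  # legitimate, hits "select.+from"
    "GET /about.html HTTP/1.1",                          # clean
]


def evaluate(request, rules=RULES, default_action="deny"):
    """Return (action, matched) for one request line.  The request is URL
    decoded first (SecFilterCheckURLEncoding On implies the engine inspects
    decoded data), rules run in order, a log,pass rule records a match and
    continues, any other match stops with the default action."""
    decoded = unquote_plus(request)
    matched = []
    for comment, pattern, action in rules:
        if re.search(pattern, decoded, re.IGNORECASE):  # assumption: 1.x was case-insensitive
            matched.append(f"{comment} [{pattern}]")
            if action != "log,pass":
                return default_action, matched
    return "pass", matched


def summarize(requests=SAMPLE_REQUESTS):
    """Map each request to the action the rule set would take."""
    return {r: evaluate(r)[0] for r in requests}


def false_positives(requests, known_bad):
    """Requests denied although they are not in the known-bad set."""
    return [r for r, action in summarize(requests).items()
            if action == "deny" and r not in known_bad]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        action, matched = evaluate(req)
        print(f"{action:5} {req}  {matched}")
```

With SecAuditEngine RelevantOnly the audit_log records every request these rules touch, so the practical workflow is to run the rule set with SecFilterDefaultAction "log,pass" (or in a staging vhost) for a while, read the audit log for hits like the three legitimate requests above, and only then switch to deny.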
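Worked example for section 6 (the mod_evasive directives). The six DOS* values in the guide are hard to reason about from the names alone, so this models the decision they drive: per-IP-and-page and per-IP counters that reset when requests are further apart than the interval, a 403 once a counter passes its limit, and a blocking period that every further request extends. This is an added example, not mod_evasive's own code; it is a simplified model based on the documented directives, with the guide's values as defaults and constructed traffic.

```python
"""Model of the blocking decision behind the guide's mod_evasive settings.

Added example for section 6; a simplified model, not the module's source.
"""


class EvasiveModel:
    """Defaults are the values the guide places in httpd.conf."""

    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=10):
        self.page_count = page_count          # DOSPageCount
        self.site_count = site_count          # DOSSiteCount
        self.page_interval = page_interval    # DOSPageInterval (seconds)
        self.site_interval = site_interval    # DOSSiteInterval (seconds)
        self.blocking_period = blocking_period  # DOSBlockingPeriod (seconds)
        self.page_hits = {}      # (ip, uri) -> [count, last_seen]
        self.site_hits = {}      # ip -> [count, last_seen]
        self.blocked_until = {}  # ip -> time the block expires

    @staticmethod
    def _bump(table, key, now, interval):
        """Increment a counter, or restart it when the previous hit is
        older than `interval`; returns the new count."""
        entry = table.get(key)
        if entry is None or now - entry[1] >= interval:
            table[key] = [1, now]
            return 1
        entry[0] += 1
        entry[1] = now
        return entry[0]

    def request(self, ip, uri, now):
        """Return 200 if the request is served, 403 if it is rejected."""
        if ip in self.blocked_until and now < self.blocked_until[ip]:
            # a request during the block pushes the expiry out again
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        page = self._bump(self.page_hits, (ip, uri), now, self.page_interval)
        site = self._bump(self.site_hits, ip, now, self.site_interval)
        if page > self.page_count or site > self.site_count:
            self.blocked_until[ip] = now + self.blocking_period
            return 403
        return 200


def simulate(model, events):
    """events: iterable of (time, ip, uri); returns the status code list."""
    return [model.request(ip, uri, t) for t, ip, uri in events]


def demo():
    """Constructed traffic: one client hammering a page, one normal visitor."""
    events = [
        (0.0, "203.0.113.5", "/index.php"),
        (0.2, "203.0.113.5", "/index.php"),
        (0.4, "203.0.113.5", "/index.php"),   # third hit inside 1s -> 403
        (0.6, "203.0.113.5", "/about.php"),   # blocked, expiry extended
        (5.0, "198.51.100.9", "/index.php"),
        (7.5, "198.51.100.9", "/index.php"),  # >1s apart, counter restarted
        (10.0, "203.0.113.5", "/index.php"),  # still inside the block
        (25.0, "203.0.113.5", "/index.php"),  # block expired, served again
    ]
    return simulate(EvasiveModel(), events)


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: DOSPageCount 2 with DOSPageInterval 1 trips on the third hit to the same page within a second, which pages that load several dynamic resources can reach on their own, and a blocked client that keeps retrying never gets out, so check the Apache error log for 403 bursts from your own monitoring or CDN addresses before tightening these values.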
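Worked example for section 7 (the "MD5 hash compare" test RKHunter runs). This is an added example, not rkhunter's code: it records a baseline of file hashes for a set of binaries, then reports which files changed or disappeared. SHA-256 is used in place of MD5, which is collision-prone; the "binaries" are constructed shell scripts in a temporary directory, and the tampering is simulated in `demo`.

```python
"""Baseline-and-compare integrity check in the spirit of RKHunter's hash test.

Added example for section 7; not part of the guide or of rkhunter.
"""
import hashlib
import os
import tempfile


def file_hash(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Map each path to its current digest (store this copy off-host)."""
    return {p: file_hash(p) for p in paths}


def compare_baseline(baseline):
    """Return {'modified': [...], 'missing': [...]} relative to the baseline."""
    modified, missing = [], []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif file_hash(path) != digest:
            modified.append(path)
    return {"modified": sorted(modified), "missing": sorted(missing)}


def demo():
    """Constructed scenario: three fake binaries, one replaced, one removed."""
    root = tempfile.mkdtemp(prefix="bin-")
    paths = []
    for name in ("ls", "ps", "netstat"):
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        paths.append(path)
    baseline = take_baseline(paths)
    with open(paths[1], "ab") as fh:      # simulate a trojaned ps
        fh.write(b"# extra bytes appended\n")
    os.remove(paths[2])                    # simulate a deleted netstat
    result = compare_baseline(baseline)
    return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the moment it was taken and the place it is kept: record it on a freshly installed system, store it read-only off the host, and remember that a kernel-level rootkit can lie to any userland hashing tool, which is the reason behind the asterisk on the "99.9%" above and why RKHunter also inspects LKM/KLD modules.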