How To: Secure and Configure your VPS or Dedicated server

How to secure your dedicated or VPS server. Please note that this is only the very basics!


First, let's configure APF (advanced personal firewall)
Step 1: Log in via SSH and become the root user
Step 2: Enter the following command: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
Step 3: Enter the following command: tar -xvzf apf-current.tar.gz
Step 4: cd apf-0.9.5-1/ or whatever the latest version is.
Step 5: Run the install file: ./install.sh
You will receive a message saying it has been installed:

Installing APF VERSION HERE: Completed.
Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf
  AntiDos install path: /etc/apf/ad/
  AntiDos config path:  /etc/apf/ad/conf.antidos
  DShield Client Parser:  /etc/apf/extras/dshield/

If you have cPanel, do the following:
Step 1: nano /etc/apf/conf.apf
Step 2: Find Common ingress (inbound) TCP ports
Step 3: Change the following:
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"


Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"



If you have DirectAdmin do the following:
Step 1: nano /etc/apf/conf.apf
Step 2: Find Common ingress (inbound) TCP ports
Step 3: Change the following:
IG_TCP_CPORTS: (incoming)
21,22,25,53,80,110,143,443,1853,1821,1867,1903,1913,1924,1925,1976,2030,2031,2032,2033,2034,2035,2036,2037,2038,2096,3071,3079,3080,3081,3082,3083,3084,3085,3086,3306,5000,5669,5670,5671,5672,5673,5674,5675,5677,5678,5679,5680,5681,7524,9293,9301,9302,9925,9926,9067,9068,20440,20441,20442,20443

EG_ICMP_CPORTS: (outgoing)
37,53,873


Step 6: start the firewall: /usr/local/sbin/apf -s

Step 7: Once everything is working, change the DEVM option
We recommend changing this back to "0" after you've had a chance to test the server and ensure everything is working well.

nano /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

Step 8: now finally enter the following command: chkconfig --level 2345 apf on



Configuring BFD (Brute Force Detector)

Step 1: Log in to SSH as root
Step 2: Execute the following command: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
Step 3: tar -xvzf bfd-current.tar.gz
Step 4: cd bfd-0.9 or latest version
Step 5: Run the install file: ./install.sh
You will receive a message saying it has been installed:

.: BFD installed
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

Step 6: nano /usr/local/bfd/conf.bfd
Step 7: Enable brute force hack attempt alerts:
Find: ALERT_USR="0"   CHANGE TO: ALERT_USR="1"
Find: EMAIL_USR="root"   CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes: Ctrl+X then Ctrl+Y


Step 8: /usr/local/sbin/bfd -s


Disable Telnet
To disable telnet, SSH into the server and log in as root.
At command prompt type: nano -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart

Secure /tmp


Make a 1GB file for the /tmp partition and create an ext3 filesystem on it:
# dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
# /sbin/mkfs.ext3 /dev/tmpFS



Create a backup copy of your current /tmp drive:
# cp -Rpf /tmp /tmpbackup

Mount our new tmp partition and change permissions:
# mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
# chmod 1777 /tmp


Copy the old data:
# cp -Rpf /tmpbackup/* /tmp/


If you run the mount command, you should get something like this:
/dev/tmpFS on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)


Edit /etc/fstab and add this:
/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0


Test your fstab entry:
# mount -o remount /tmp

You can test it by running a script on the /tmp partition; if you get "permission denied", it is working as intended!
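
A read-only way to confirm the /tmp hardening above, given as an added example that is not part of the original article: it parses a mount table (/etc/fstab or /proc/mounts) and reports a /tmp entry that lacks noexec or nosuid, or whose loop image does not exist on disk. The function names tmp_entry, has_opt and audit_tmp are hypothetical, and the sample fstab line is constructed.

```shell
#!/bin/sh
# Added example: audit the /tmp hardening by reading mount tables as text.

# tmp_entry FILE: print "device options" for the last /tmp line in FILE.
# /etc/fstab and /proc/mounts share the columns device, mountpoint, type, options.
tmp_entry() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { e = $1 " " $4 } END { if (e != "") print e }' "$1"
}

# has_opt OPTIONS NAME: succeed if NAME is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_tmp FILE [check_backing]: print one line per finding and return the
# number of findings. With "check_backing", also require that the device field
# (the loop image named in an fstab entry) exists on disk.
audit_tmp() {
    findings=0
    entry=$(tmp_entry "$1")
    if [ -z "$entry" ]; then
        echo "$1: no /tmp entry"
        return 1
    fi
    dev=${entry% *}
    opts=${entry#* }
    for o in noexec nosuid; do
        if ! has_opt "$opts" "$o"; then
            echo "$1: /tmp is missing $o"
            findings=$((findings + 1))
        fi
    done
    if [ "${2:-}" = check_backing ] && [ ! -e "$dev" ]; then
        echo "$1: backing file $dev does not exist"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: an fstab whose /tmp line names an image that was never created.
demo_dir=$(mktemp -d)
printf '%s\n' "$demo_dir/tmpMnt /tmp ext3 loop,nosuid,noexec,rw 0 0" > "$demo_dir/fstab"
audit_tmp "$demo_dir/fstab" check_backing || echo "findings: $?"
rm -rf "$demo_dir"
```

On a live server, run audit_tmp /proc/mounts for the active mount and audit_tmp /etc/fstab check_backing for the boot-time entry.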



Copyright © iWebFusion 2008-2009
A brand of H4Y Technologies LLC. All Rights Reserved.