Shared Hosting
Shared HostingKnowledgebase
Portal Home > Knowledgebase > Industry Announcements > Web Hosting Main Forums > HOW TO: Secure and Optimize...
HOW TO: Secure and Optimize...
 |
 |
 |
Posted by frynge, 12-09-2005, 09:07 PM I hope Elix doesn't mind me posting his great VPS OPTIMIZING techniques. I have posted them at the bottom. These technques can definately help you, but remember, use them at your own risk. If you don't know what your doing, research it before attempting it.
SECURING CPANEL - WHM - AND ROOT on a VPS
This will help but as mentioned in previous posts, with a VPS you do not have access to your kernal. That is good in some ways, because if you don't have access to it, neither to hackers or spammers (which limits what they can do). Its bad in ways, because you lose control and if you secure your box as much as possible, you are still at risk because you cannot control your kernal.
At any rate, here are some helpful hints
=========================================
Checking for formmail
=========================================
Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using matts script or a version of it, you may be in jeopardy.
Command to find pesky form mails:
find / -name "[Ff]orm[mM]ai*"
CGIemail is also a security risk:
find / -name "[Cc]giemai*"
Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).
(this disables all form mail)
If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.
=========================================
Root kit checker - http://www.chkrootkit.org/
=========================================
Check for root kits and even set a root kit on a cron job. This will show you if anyone has compromised your root. Always update chrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then with injection methods, try to upload the root kit on your server. If he can run it, it will modify *alot* of files, possibly causing you to have to reinstall.
To install chrootkit, SSH into server and login as root.
At command prompt type:
cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense
To run chkrootkit
At command prompt type:
/root/chkrootkit-0.44/chkrootkit
Make sure you run it on a regular basis, perhaps including it in a cron job.
Execution
I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more
=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================
If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.
Server e-mail everytime someone logs in as root
To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Save and exit.
Set an SSH Legal Message
To an SSH legal message, SSH into server and login as root.
At command prompt type:
pico /etc/motd
Enter your message, save and exit.
Note: I use the following message...
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
=========================================
Web Host manager and CPANEL mods.
=========================================
These are items inside of WHM/Cpanel that should be changed to secure your server.
Goto Server Setup =>> Tweak Settings
Check the following items...
Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(according to ELIX - set this to FAIL, which is what I am going to do to reduce server load)
Under System
Use jailshell as the default shell for all new accounts and modified accounts
Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.
Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.
Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection
When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.
Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Goto Mysql =>> MySQL Root Password
Change root password for MySQL
Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
=========================================
More Security Measures
=========================================
These are measures that can be taken to secure your server, with SSH access.
Update OS, Apache and CPanel to the latest stable versions.
This can be done from WHM/CPanel.
Restrict SSH Access
To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.
SSH into server and login as root.
Note: You can download Putty by Clicking Here (http://www.chiark.greenend.org.uk/~s.../download.html). It's a clean running application that will not require installation on Windows-boxes.
At command prompt type:
pico /etc/ssh/sshd_config
Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number AND do not use 5678lol )
Uncomment and change
#Protocol 2, 1
to look like
Protocol 2
Uncomment and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)
Note 1: If you would like to disable direct Root Login, scroll down until you find
#PermitRootLogin yes
and uncomment it and make it look like
PermitRootLogin no
Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.
Note 2: You can also create a custome nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.
Now restart SSH
At command prompt type:
/etc/rc.d/init.d/sshd restart
Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.
Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.
After SSH has been redirected, disable telnet.
Disable Telnet
To disable telnet, SSH into server and login as root.
At command prompt type: pico -w /etc/xinetd.d/telnet
change disable = no to disable = yes
Save and Exit
At command prompt type: /etc/init.d/xinetd restart
Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts
Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.
Disable identification output for Apache
(do this to hide version numbers from potentional hackers)
To disable the version output for proftp, SSH into server and login as root.
At command prompt type: pico /etc/httpd/conf/httpd.conf
Scroll (way) down and change the following line to
ServerSignature Off
Restart Apache
At command prompt type: /etc/rc.d/init.d/httpd restart
=========================================
Install BFD (Brute Force Detection - optional)
=========================================
To install BFD, SSH into server and login as root.
At command prompt type:
cd /root/
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.4
./install.sh
After BFD has been installed, you need to edit the configuration file.
At command prompt type:
pico /usr/local/bfd/conf.bfd
Under Enable brute force hack attempt alerts:
Find
ALERT_USR="0"
and change it to
ALERT_USR="1"
Find
EMAIL_USR="root"
and change it to
EMAIL_USR="your@email.com"
Save the changes then exit.
To start BFD
At command prompt type:
/usr/local/sbin/bfd -s
Modify LogWatch
Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.
To modify LogWatch, SSH into server and login as root.
At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf
Scroll down to
MailTo = root
and change to
Mailto = your@email.com
Note: Set the e-mail address to an offsite account incase you get hacked.
Now scroll down to
Detail = Low
Change that to Medium, or High...
Detail = 5 or Detail = 10
Note: High will give you more detailed logs with all actions.
Save and exit.
A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
--------------------------------------------------
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
--------------------------------------------------
Change Passwords
Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.
--------------------------------------------------
Set Up A More Secure SSH Environment As described here.
--------------------------------------------------
Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as 'emergency' messages.
in.telnetd : ALL : severity emerg
--------------------------------------------------
Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:
cp /etc/services /etc/services.original
Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:
<?php
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
ftp-data 20/tcp
ftp 21/tcp
ssh 22/tcp # SSH Remote Login Protocol
smtp 25/tcp mail
domain 53/tcp # name-domain server
domain 53/udp
http 80/tcp www www-http # WorldWideWeb HTTP
pop3 110/tcp pop-3 # POP version 3
imap 143/tcp imap2 # Interim Mail Access Proto v2
https 443/tcp # MCom
smtps 465/tcp # SMTP over SSL (TLS)
syslog 514/udp
rndc 953/tcp # rndc control sockets (BIND 9)
rndc 953/udp # rndc control sockets (BIND 9)
imaps 993/tcp # IMAP over SSL
pop3s 995/tcp # POP-3 over SSL
cpanel 2082/tcp
cpanels 2083/tcp
whm 2086/tcp
whms 2087/tcp
webmail 2095/tcp
webmails 2096/tcp
mysql 3306/tcp # MySQL
?>
Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
--------------------------------------------------
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.
Logwatch can be found at: http://www.logwatch.org
Install instructions here.
--------------------------------------------------
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
--------------------------------------------------
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone - no exceptions.
--------------------------------------------------
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny
ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.
--------------------------------------------------
Check Open Ports
From time to time it's worth checking which ports are open to the outside world. This can be done with:
nmap -sT -O localhost
If nmap isn't installed, it can be selected from root WHM's Install an RPM option.
--------------------------------------------------
Set The MySQL Root Password
This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
--------------------------------------------------
Tweak Security (CPanel)
From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
- php open_basedir Tweak.
- SMTP tweak.
You may want to enable:
- mod_userdir Tweak. But that will disable domain preview.
--------------------------------------------------
Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's decription of what it does:
"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "
Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.
--------------------------------------------------
Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.
--------------------------------------------------
Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:
chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
You will need to enable them again when you need to perform system updates. To do this, run:
chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1
--------------------------------------------------
Obfuscate The Apache Version Number
1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:
ServerSignature Off
3. Add a line underneath that which reads:
ServerTokens ProductOnly
4. Hit CTRL+X, they y, the enter to save the file.
5. Restart Apache with: /etc/rc.d/init.d/httpd restart
--------------------
COMMON COMMANDS I USE
System Information
who
List the users logged in on the machine. --
rwho -a
List all users logged in on your network. The rwho service must be enabled for this command to work.
finger user_name
System info about a user. Try: finger root last. This lists the users last logged-in on your system.
history | more
Show the last (1000 or so) commands executed from the command line on the current account. The | more causes the display to stop after each screen fill.
pwd
Print working directory, i.e. display the name of your current directory on the screen.
hostname
Print the name of the local host (the machine on which you are working).
whoami
Print your login name.
id username
Print user id (uid) and his/her group id (gid), effective id (if different than the real id) and the supplementary groups.
date
Print or change the operating system date and time. E.g., change the date and time to 2000-12-31 23:57 using this command
date 123123572000
To set the hardware clock from the system clock, use the command (as root)
setclock
time
Determine the amount of time that it takes for a process to complete+ other info. Dont confuse it with date command. For e.g. we can find out how long it takes to display a directory content using time ls
uptime
Amount of time since the last reboot
ps
List the processes that are have been run by the current user.
ps aux | more
List all the processes currently running, even those without the controlling terminal, together with the name of the user that owns each process.
top
Keep listing the currently running processes, sorted by cpu usage (top users first).
uname -a
Info on your server.
free
Memory info (in kilobytes).
df -h
Print disk info about all the file systems in a human-readable form.
du / -bh | more
Print detailed disk usage for each subdirectory starting at root (in a human readable form).
lsmod
(as root. Use /sbin/lsmod to execute this command when you are a non-root user.) Show the kernel modules currently loaded.
set|more
Show the current user environment.
echo $PATH
Show the content of the environment variable PATH. This command can be used to show other environment variables as well. Use set to see the full environment.
dmesg | less
Print kernel messages (the current content of the so-called kernel ring buffer). Press q to quit less. Use less /var/log/dmesg to see what dmesg dumped into the file right after bootup. - only works on dedciated systems
Commands for Process control
ps
Display the list of currently running processes with their process IDs (PID) numbers. Use ps aux to see all processes currently running on your system (also those of other users or without a controlling terminal),
each with the name of the owner. Use top to keep listing the processes currently running.
fg
PID Bring a background or stopped process to the foreground.
bg
PID Send the process to the background. This is the opposite of fg. The same can be accomplished with Ctrl z
any_command &
Run any command in the background (the symbol & means run the command in the background?).
kill PID
Force a process shutdown. First determine the PID of the process to kill using ps.
killall -9 program_name
Kill program(s) by name.
xkill
(in an xwindow terminal) Kill a GUI-based program with mouse. (Point with your mouse cursor at the window of the process you want to kill and click.)
lpc
(as root) Check and control the printer(s). Type ??? to see the list of available commands.
lpq
Show the content of the printer queue.
lprm job_number
Remove a printing job job_number from the queue.
nice program_name
Run program_name adjusting its priority. Since the priority is not specified in this example, it will be adjusted by 10 (the process will run slower), from the default value (usually 0). The lower the number (of niceness to other users on the system), the higher the priority. The priority value may be in the range -20 to 19. Only root may specify negative values. Use top to display the priorities of the running processes.
renice -1 PID
(as root) Change the priority of a running process to -1. Normal users can only adjust processes they own, and only up from the current value (make them run slower).
Optimizing your VPS server (help it run more efficiently)Quote:
MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.In order to make things even faster, you can customize these settings specifically for your VPSs' usage. There's a great howto on InterWorx's forum for this --> http://www.interworx.com/forums/showthread.php?p=2346Code:[mysqld] max_connections = 400 key_buffer = 16M myisam_sort_buffer_size = 32M join_buffer_size = 1M read_buffer_size = 1M sort_buffer_size = 2M table_cache = 1024 thread_cache_size = 286 interactive_timeout = 25 wait_timeout = 1000 connect_timeout = 10 max_allowed_packet = 16M max_connect_errors = 10 query_cache_limit = 1M query_cache_size = 16M query_cache_type = 1 tmp_table_size = 16M skip-innodb [mysqld_safe] open_files_limit = 8192 [mysqldump] quick max_allowed_packet = 16M [myisamchk] key_buffer = 32M sort_buffer = 32M read_buffer = 16M write_buffer = 16M
Lastly, I recommend installing mytop to help you monitor your usage...Once that's done, just enter in "mytop" .Code:wget http://dll.elix.us/mytop-1.4.tar.gz tar -zxvf mytop-1.4.tar.gz cd mytop-1.4 perl Makefile.PL make make test make install
PHP & Apache Optimization
I strongly recommend installing eAccelerator. There's an easy to follow howto here: http://forum.ev1servers.net/showthre...t=eaccelerator. If you use the default cache dir for eAccelerator (/tmp/eaccelerator) make sure you check it reguarily and clean it every once and a while. (it can really get quite large from my experience)
For httpd.conf I suggest:
Timeout 200
KeepAlive On
maxKeepAliveRequests 100
KeepAliveTimeout 3
MinSpareServers 10
MaxSpareServers 20
StartServers 15
MaxClients 250
MaxRequestsPerChild 0
HostnameLookups Off
You can use ab to benchmark your Apache before and after you make changes.
ab -c 5 -n 20 somephpbasedsiteonyourserver.com/file.php
I suggest doing 2 or 3 tests like that to get an average.
If you want to check the Apache error log, try this -->
cat /usr/local/apache/logs/error_log
Monitoring Usage
On a Virtuozzo VPS you can use cat /proc/usr_beancounters to output your usage of the VZ parameters. You should pay most attention to oomguarpages and privmpages. (although anything with a failure is generally bad)
You can find the amount of connections to Apache with this command:
netstat -nt | grep :80 | wc -l
To find the amount of Apache processes use this command:
ps -A | grep httpd | wc -l (this will show the process count)
ps -aux | grep httpd (this will show the actual processes)
To find the amount of MySQL processes use this command:
ps -A | grep mysql | wc -l (this will show the process count)
ps -aux | grep mysql (this will show the actual processes)
Just simply using top (standard view) or top -c (will show the actual command being used and/or location of each process as opposed to just the name) can help you monitor your VPS usage very wel.
To see your disk space usage, try using this command --> df -h
Mitigating (D)DOS
If you're being DDOS'd or DOS'd you can use this command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will help you see how many connections each IP address has in total to your server.
There's a very decent script you can use to automate the banning of IP addresses available here --> http://forums.deftechgroup.com/showthread.php?t=825
Although I haven't tried it myself, I suggest you take a look at Scrutinizer as well which sounds very useful --> http://www.solutix.ch/cgi-bin/index.pl
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...
Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .
cPanel Tweak Setings
Login to WHM as root, and under "Server Configuration" on the nav bar hit "Tweak Settings".
Here are some suggested settings:
Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time.
- Use "FAIL". If you already have some accounts setup not to use "FAIL" (by default it will not) then run this command to convert to FAIL from BLACKHOLE --> perl -pi -e "s/:blackhole:/:fail:/g;" /etc/valiases/*
Mailman
- Mailman tends to use a lot of resources, so if you don't need cpanel mailing lists then uncheck this.
Number of minutes between mail server queue runs (default is 60).:
- You may want to set this to 180 to reduce load.
Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
- This is just generally a good idea. So check this.
Analog Stats
- I find this useless, so uncheck this. If you want to delete the existing analog stats files just run this command --> rm -rf /home/*/tmp/analog/*
Awstats Reverse Dns Resolution
- Make sure this is unchecked, I find it pretty much useless for most users.
Awstats Stats
- You can check this if you need a robust stats software that integrates with cPanel, if you don't need it, then don't check it. *Note most hosting clients will want to use this. If you want to delete the existing awstats stats files just run this command --> rm -rf /home/*/tmp/awstats/*
Webalizer Stats
- Not many hosting clients will want to use this so, you can uncheck this to reduce load. If you want to delete the existing webalizer stats files just run this command --> rm -rf /home/*/tmp/webalizer/*
Delete each domain's access logs after stats run
- Make sure this is checked, otherwise disk space usage can really rack up!
That's about it for now, I may do some more later....
Hope it helps!
Posted by layer0, 12-09-2005, 09:22 PM Hey - I don't mind it at all
Posted by simplestar, 12-16-2005, 08:10 PM Frynge, terrific job putting this together!
Posted by Apoc, 12-21-2005, 07:08 PM Great post, but you forgot the two most important things to secure a VPS (or server):
- You need a firewall (highly recommend APF)
- You need to secure the /tmp partition so that no scripts can run
Posted by zeca40, 12-26-2005, 07:56 AM Great post, good to have all this in one place.
Question1: how to update chkrootkit? Do I need to remove the existing copy first?
Question2: My sysadmin says that they don't recomend APF on VPS.Will BFD work without APF?Quote:
APF kind works but you have to watch it. If you get over 2000 rules, it pukes out. We don't recommend it.
Posted by layer0, 12-26-2005, 10:45 AM
Question1: how to update chkrootkit? Do I need to remove the existing copy first?
Question2: My sysadmin says that they don't recomend APF on VPS.
Will BFD work without APF?
BFD integrates with APF so I don't think it'll work without it. But, I could be wrong there.
Posted by zeca40, 12-26-2005, 11:20 AM
Thus if your VPS provider supports it, I'd go with using APF.
Posted by jpetersen, 12-26-2005, 06:32 PM BFD does not require APF to run, and works fine on VDS servers by itself.
Posted by frynge, 12-27-2005, 08:30 PM
Question1: how to update chkrootkit? Do I need to remove the existing copy first?
Question2: My sysadmin says that they don't recomend APF on VPS.
Will BFD work without APF?
About chkrootkit. The command I gave you above, installs the latest version. I think they just name the latest version that name, so when you untar it, it opens in to a new folder each time...
So when you want to get the new version, just simply, repeat the steps on getting it and untarring it without changing the command line and your set.
Thanks for more info on this. Its very important to keep your server secure, so these spammers and hackers quickly check your security and move on to easier targets.
Keep adding to this thread so we can create a full security database for VPS'!
Posted by frynge, 12-27-2005, 08:51 PM
- You need a firewall (highly recommend APF)
- You need to secure the /tmp partition so that no scripts can run
I assume a chmod?
Thanks!
Posted by alexrobonlin, 01-03-2006, 09:24 PM This is a very useful thread- thanks!
Posted by apollo, 01-25-2006, 04:28 PM
I assume a chmod?
Thanks!
http://www.webhostingtalk.com/showthread.php?t=292259
Posted by zeca40, 01-30-2006, 06:43 AM
BFD does not require APF to run, and works fine on VDS servers by itself.
I have BFD installed but not APF and on my alerts I see:I figure that this does nothing since there is no APF to execute the command, correct?Code:Executed ban command: /etc/apf/apf -d 210.0.215.4 {bfd.sshd}
Posted by Vince2006, 02-01-2006, 01:52 AM Anyone know if the pangeia link is down? I am logged into my server as root and run the instructions for installing chkrootkit and get the message: Connecting to ftp.pangea.com/| 204.251... etc but nothing happens... the site just appears to time out... Is there somewhere else to get chkrootkit.tar? All of my Google searches default back to pangeia...
Vince
Posted by zeca40, 02-02-2006, 07:00 AM Just to answer my own question: to use BFD without APF you need to change the conf.bfd file to use host.deny rather tha APF. This works great.
Change this:To this:Code:BCMD="/etc/apf/apf -d $ATT_HOST {bfd.$MOD}"Code:BCMD="echo ALL:$ATT_HOST >> /etc/hosts.deny"
Posted by deticatedhosting, 02-09-2006, 01:59 AM Thank you very much there is a lot of good information here.
Posted by build-a-host, 02-14-2006, 01:53 PM I just ran the trojan scanner on my VPS and it returned 21 possible trojans detected.
Here is a list of the possibles it found:
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /sbin/lsmod
Possible Trojan - /usr/bin/dbiprof
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.2/site-packages/libxml2mod.so
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/xslt-config
Possible Trojan - /usr/lib/libexslt.la
Possible Trojan - /usr/lib/libxslt.la
Possible Trojan - /usr/bin/xsltproc
Possible Trojan - /usr/bin/pod2man
Possible Trojan - /usr/bin/pod2usage
Possible Trojan - /usr/bin/podchecker
Possible Trojan - /usr/bin/podselect
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/bin/splain
Possible Trojan - /usr/bin/xsubpp
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Are these safe? If not, how do I get rid of them?
Posted by Apoc, 02-16-2006, 01:03 PM What trojan scanner did you use exactly? I would recommend to run rkhunter and see what it says about MB5 matches. If it's showing the same problems then it's very likely you have been hacked.
There isn't really a way to get rid of that because you'll probably never know what exactly has been done by a hacker, if he has removed his traces. The only option in that case would be to get your VPS (or server) reinstalled.
Posted by build-a-host, 02-17-2006, 04:31 AM Unless its a "passive" hacker I think i'm ok. I havent had any problems at all out of the server.
I used the trojan scanner within WHM
Posted by Apoc, 02-17-2006, 06:41 AM The trojan scanner in WHM is no good, in my opinion. You should use chkrootkit or rkhunter instead (or better yet: both of them).
Be careful though, never assume there's nothing wrong. Even though you might not notice anything a hacker might be stealing information from your customers and/or send out spam or DoS attacks when you're not looking.
Posted by SamOwen, 02-23-2006, 02:14 AM Good post! Anymore tweaks or does this sum it all up?
Posted by zeca40, 02-26-2006, 09:53 AM Is it OK to install Razor (http://razor.sourceforge.net/) and DCC (http://www.rhyolite.com/anti-spam/dcc/) on a VPS?
Posted by frynge, 03-02-2006, 06:58 PM Quick small update on the original post.
FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.
Second
In the original post... it was said..
=========================================
Web Host manager and CPANEL mods.
=========================================
These are items inside of WHM/Cpanel that should be changed to secure your server.
Goto Server Setup =>> Tweak Settings
Check the following items...
Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
I suggest you do not set this to fail, if you have heavy email user or from 30 clients and up. Use blackhole
Fail at the beginning saves cpu time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets over worked.
Do not use FAIL use BLACKHOLE
I will edit my post above.
cheers
Posted by layer0, 03-02-2006, 07:19 PM
FIRST the pangea link still works for me. Just click it above. If you can't click it there may be something blocking you, as I have no problem getting the file.
Second
In the original post... it was said..
=========================================
Web Host manager and CPANEL mods.
=========================================
These are items inside of WHM/Cpanel that should be changed to secure your server.
Goto Server Setup =>> Tweak Settings
Check the following items...
Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
I suggest you do not set this to fail, if you have heavy email user or from 30 clients and up. Use blackhole
Fail at the beginning saves cpu time, but over time, with heavy users or many users, this will send bounces back to spammers who spam you. They bounce back to the server and the mail server gets over worked.
Do not use FAIL use BLACKHOLE
I will edit my post above.
cheers
Posted by frynge, 03-02-2006, 07:23 PM
Be careful though, never assume there's nothing wrong. Even though you might not notice anything a hacker might be stealing information from your customers and/or send out spam or DoS attacks when you're not looking.
Do you know how? I wanted to edit the main post.
cheers
Posted by deticatedhosting, 03-02-2006, 08:30 PM I think that you can only edit your post for a short time then there perminate.
Posted by Gibran, 03-05-2006, 10:17 PM Fantastic tutorial!
Posted by SepedaTua, 03-07-2006, 02:18 PM I got this from logwatch:
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 1 Time(s)
Failed logins from these:
Io****/password from ***.***.***.***: 1 Time(s)
Me**/password from ***.***.***.***: 1 Time(s)
aa***/password from ***.***.***.***: 1 Time(s)
...
...
...
ze****/password from ***.***.***.***: 1 Time(s)
ze**/password from ***.***.***.***: 1 Time(s)
**Unmatched Entries**
Illegal user anonymous from ***.***.***.***
Illegal user passwd from ***.***.***.***
Illegal user ch*** from ***.***.***.***
...
...
...
Illegal user re***** from ***.***.***.***
Illegal user ze** from ***.***.***.***
What does it means?
-- for me, it looks like someone is doing dictionary attack on my ssh server.
Can anyone make a suggestion for me?
Thanks.
Posted by Funkadelic, 03-08-2006, 01:32 AM I also suggest for shared hosting that the setting in the php.ini file for disable_functions
be changed to
disable_functions = "system,exec"
Doing that will disable the function that most exploits call upon.
Posted by Apoc, 03-13-2006, 12:21 AM
be changed to
disable_functions = "system,exec"
Doing that will disable the function that most exploits call upon.
Posted by Apoc, 03-13-2006, 12:23 AM
For a good tutorial on real advanced spam filtering read this article by rvskin: http://www.rvskin.com/index.php?page=public/antispam
Posted by Funkadelic, 03-13-2006, 12:38 AM disable_functions = dl,system,exec,passthru,shell_exec
Posted by Datacenter1, 03-17-2006, 03:32 PM Good job !!! max_connections = 400 in a VPS with 256 - 512 Mb + Cpanel seem a little high to meQuote:
Originally Posted by elix
VPSes are really hard to use with the memory restrictions and CPU limitations...but with some optimization they can definitely serve your websites fast!
MySQL Optimization
Here are my suggested settings for the my.cnf file. This should work well for a VPS with 256-512MB RAM.
[mysqld] max_connections = 400
Server will run out memory before to reach max_connections
Posted by SamOwen, 03-25-2006, 02:15 AM
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...
Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .
Posted by layer0, 03-26-2006, 11:48 AM
max_connections = 400 in a VPS with 256 - 512 Mb + Cpanel seem a little high to me
Server will run out memory before to reach max_connections
Posted by xclusive illz, 04-22-2006, 01:34 PM could someone give a brief example where and how to set this up?
it sounds very useful and i've never managed a sever on my own but i would like to install some of the software lol or what ever it is to protect my site
Posted by Hybird71, 06-13-2006, 10:16 AM This is in WMpanel and cpanel.
How about in plesk? do you have the tutorial on that one?
Posted by sleddog, 06-13-2006, 11:19 AM
If you're using a Redhat-derived distribution (e.g., CentOS) with spamassassin installed by rpm, you should have a configuration file /etc/sysconfig/spamassassin.
Edit that file and change the "-m" option. Default is "-m5" (five child processes). Try "-m2" (two child processes).
If you're on a different distro, you may need to find the spamassassin startup script and change the "-m" command line option.
Restart spamd for the change to take effect.
Posted by visualblink, 06-23-2006, 12:17 AM How do I remove or edit the service banners without recompiling the packages of my WHM/cPanel server ? I would like to remove or possibly edit the server application and version banners that can be easily get noticed and grabbed by anybody or scripts even with a simple telnet to the listening port. It is a simple problem but it is always the first attempt of somebody who would want to attack or exploit the certain flaws from the running version of the application/service that he could find with that banner grabbing. The quick way to lure the attacker for his initial phase with this issue could be simply removing the banners or replace the banners with the ones from the completely different service platform. Is there a way to accomplish without recompiling any of the default packages of cPanel/WHM server?
Posted by secmas, 07-10-2006, 10:15 AM If you use Cpanel and WHM, there is a new firewall made by Chirpy that looks great, it uses a lot of less resources than APF and BTF and it is integrated into WHM as an addon as well. And it updates automatically.
Also, you can access CSF from SSH.
You can download CSF with LFD from here:
configserver.com/cp/csf.html
I have just changed APF and BTF for CSF and LFD (both from Chirpy) and it is working really nice in my VPS.
QUESTION:
In your first post you said:But you never mention how to disable them, would you be very kind to explain this step a little bit further?Quote:
Disable Shell Accounts
To disable any shell accounts hosted on your server SSH into server and login as root.
At command prompt type: locate shell.php
Also check for:
locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts
Note: There will be several listings that will be OS/CPanel related. Examples are
/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
I really want to thank Frynge for this terrific guide.
Regards,
Sergio
Posted by wwwbug, 07-16-2006, 01:52 AM i did not know how to manage a VPS,until i read this ,thank you !
Posted by EricG, 07-18-2006, 03:13 PM Hello,
This is a very great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.
First: Checking for formmail.
Can I disable these without interferring with cPanel ?
/usr/local/cpanel/cgi-sys/FormMail-clone.cgi
/usr/local/cpanel/cgi-sys/FormMail.cgi
/usr/local/cpanel/cgi-sys/formmail.cgi
/usr/local/cpanel/cgi-sys/FormMail.pl
/usr/local/cpanel/cgi-sys/formmail.pl
/usr/local/cpanel/install/formmail
Second: Disable shell accounts
How do I do that ? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.
/usr/local/cpanel/base/horde/admin/cmdshell.php
/usr/local/cpanel/base/horde/admin/phpshell.php
/usr/local/cpanel/base/horde/admin/sqlshell.php
It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym, should they be disabled too or is this sentence meant as a warning NOT to disable those ?
Third: PHPSuExec
It says that all my users will need to make sure their php files have permissions no greater than 0755. On my current reseller hosting account I've installed a few php based applications for my clients that wouldn't work until I change some permissions to 0777. I'm not sure what PHPSuExec does, what problems should I expect if php files do have greater permissions than 0755 ?
That's it.
Posted by sleddog, 07-23-2006, 10:30 PM
This is a very great thread for newbies like me. After reading it and doing all this stuff I feel much more comfortable now about my new VPS. I do have a few questions though about things that are not clear to me.
First: Checking for formmail.
Can I disable these without interferring with cPanel ?
/usr/local/cpanel/cgi-sys/FormMail-clone.cgi
/usr/local/cpanel/cgi-sys/FormMail.cgi
/usr/local/cpanel/cgi-sys/formmail.cgi
/usr/local/cpanel/cgi-sys/FormMail.pl
/usr/local/cpanel/cgi-sys/formmail.pl
/usr/local/cpanel/install/formmail"Disable shell accounts" means to deny account owners the right to login to a shell command prompt (via SSH). In WHM look at "Manage Shell Users". You can choose to give each user a full shell, a jail shell (where they cannot move outside their home directory), or no shell. Unless you have a good reason to do otherwise, it's recommend that you disable shell access (no shell). Of course give full shell access to your own account so you can loginQuote:
How do I do that ? The post says to use "locate shell.php" but it doesn't explain how to disable it. These are the only 3 found by locate.
/usr/local/cpanel/base/horde/admin/cmdshell.php
/usr/local/cpanel/base/horde/admin/phpshell.php
/usr/local/cpanel/base/horde/admin/sqlshell.php
It also says that there will be several that are OS/cPanel related such as /usr/local/cpanel/etc/sym/bnc.sym, should they be disabled too or is this sentence meant as a warning NOT to disable those ?
"shell.php" is a separate issue. Essentially you're looking for PHP scripts on your server than can be used to achieve shell access. These may have been uploaded by users or fetched by someone exploiting a vulnerable website. The files you've listed about are a part of cpanel's Horde webmail and can be left alone.PHP is run as either an Apache module or as a CGI (phpsuexec). As a module, PHP scripts run as the Apache user "nobody". In order for the user "nobody" to write to disk (e.g., to save an uploaded photo), directory permissions have to be relaxed, usually by setting the directory chmod 777 (writable by everyone).Quote:
It says that all my users will need to make sure their php files have permissions no greater than 0755. On my current reseller hosting account I've installed a few php based applications for my clients that wouldn't work until I change some permissions to 0777. I'm not sure what PHPSuExec does, what problems should I expect if php files do have greater permissions than 0755 ?
When using phpsuexec, PHP scripts run as the account user. The account user owns the account's directories, and therefore, the PHP scripts have ready access to write. There is no need to change permissions.
Incorrect permissions or ownership will cause errors when trying to run the PHP scripts. Usually with phpsuexec, files should be chmodded no higher than 644 and directories 755. The files should be owned by the account username, not "nobody" and not "root" (that will also cause a runtime error).
Posted by Velvet Elvis, 07-25-2006, 05:01 PM Is that thread cache setting a typo? That one in particular has always been vodoo for me, but that's ten times what I'm using.
I can't immagine not hitting swap before half that many are cached on burstable 256 meg VPS.
Posted by EricG, 07-29-2006, 10:16 AM Sleddog,
Thanks a lot for your answers, I really appreciate all the help you've given me in the last few weeks.
Posted by johnm160, 08-01-2006, 10:24 AM Hello,
I searched for FformMmail and have come up with many entries
/cgi-sys/formmail.cgi
/cgi-sys/formmail.pl
/install/formmail
/cgi/FormMail.html
/cgi-sys/FormMail-clone.cgi
/cgi-sys/FormMail.cgi
/cgi-sys/FormMail.pl
Do I need to change the permissions on each and everyone of these files?
and the same for CGIMAIL?
Thanks for the help, I want to make sure I get started right
John
Posted by jpetersen, 08-26-2006, 07:54 AM I'd just like to make a quick note on the difference between :blackhole: and :fail: from my personal experience with cPanel servers and Exim:
Since :blackhole: processes the entire email, more resources wind up getting used. I, like many others, have tested replacing :blackhole: with :fail: on some of servers in the past, and can say that easily, without a doubt, less resources (namely CPU and disk I/O) wind up getting used, which helps keep the load average even lower than usual. :fail: will immediately send a 550 error after the invalid RCPT TO: line, vice accepting then discarding the entire email. I'm not saying that will work for everyone, but I have personally seen it immediately decrease resource usage on a shared hosting server with a fairly busy day to day mail flow, and would recommend it to anyone else looking to do the same regardless of the server type.
Posted by Chris.S, 08-31-2006, 04:49 PM Excellent tutorial! would you mind if i posted it in my knowledege base?
Posted by FengYun, 09-05-2006, 05:14 AM thanks, that is a great tutorial
it do help me alot, i think i need some help in some of the basic codes,
hope anyone help me, nope these are not too newbie question
1a) Root breach DETECTOR and EMAIL WARNINGHow am i able to set the server to send more then one warning mail to our server admin. what i think is to if anyone have access to the root, the server will send an mail to 2nd, 3rd server admin mail etc etcQuote:
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Shall i have to do the long way or there a better way then this?Quote:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin1@email.com
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin2@email.com
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" admin3@email.com
1b) Mail Receivei have try the above code to set the to send out an e-mail, when someone access/login to the root account of the server. but for some reason, i unable to see the user login Ip-address. Do anyone know, what code i should add so that it will show the ip-address?Quote:
ALERT - Root Shell Access on: Mon Sep x 00:00:55 SGT 2006 root ttyp0
Sep x 00:01 (bb000-xx-xxx-7.domains.com) root ttyp1 Sep x 00:01
(bb000-xx-xxx-7.domains.com)
2) Alert Email Sent
Is there a way to set the server to send out more then 1 alert mail (default of 1 mail) to the system admin, Looking at, the server will send to two or more alert to the rest of the system admin.
example 1example 2Quote:
BFD, Under Enable brute force hack attempt alerts:
ALERT_USR="1"
EMAIL_USR="your@email.com"example 3Quote:
LogWatch, SSH into server and login as root.
At command prompt type:
pico -w /etc/log.d/conf/logwatch.conf
Scroll down to
Mailto = your@email.comQuote:
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny
ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com
Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.
really sorry for these newbie question, as we like the alert to be send to at lest 2-3 server admin when such thing happen....
thanks
Feng
Posted by comdexxsoftwarell, 10-04-2006, 11:55 AM Great Tutorial
Posted by Bibicu, 10-14-2006, 10:41 AM hello everyone!
Good work here with these advices. Thanks a lot for your effort. Thanks
Anyway.. i have 2 questions:
1. not a day goes by and I found perl scripts running on my vps who overload the processors. i restart the apache server and they are gone. how can i prevent those perl scripts to run?
2. another problem si a andos.txt file that i found on my /tmp folder who perform flood to a specific IP adress. how can i prevent this txt running?
An finally i want to know if there is somewhere a script who send mail when CPU is loaded at a specific value... 80-90-100%
regards
Posted by zeca40, 10-18-2006, 02:13 PM FengYun:
I am pretty sure that you can seperate the emails with a comma to send to multiple accounts.Quote:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com, yoursecond@email.com
Posted by groomi, 10-31-2006, 06:49 PM V Nice tutorial
Posted by Ogg, 12-02-2006, 11:13 AM Great tutorial!
Just a question, I've got 256MB RAM and it seems to be using 140-150MB of it even if nobody is on the website but myself. Is that normal? Right now it's running Directadmin with mail turned off.httpd.confQuote:
top - 18:16:57 up 20:01, 1 user, load average: 0.00, 0.00, 0.00
Tasks: 31 total, 1 running, 30 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.2% us, 0.1% sy, 0.0% ni, 99.7% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4136864k total, 4066628k used, 70236k free, 166620k buffers
Swap: 2096472k total, 592k used, 2095880k free, 1933400k cachedmy.cnfQuote:
Timeout 200
KeepAlive On
MaxKeepAliveRequests 120
KeepAliveTimeout 3
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 250
MaxRequestsPerChild 500Quote:
[mysqld]
max_connections = 200
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-locking
interactive_timeout = 25
query_cache_type = 1
query_cache_size = 6M
query_cache_limit = 1M
thread_cache_size = 32
wait_timeout = 25
key_buffer_size = 512K
max_allowed_packet = 1M
table_cache = 4
join_buffer_size = 256K
sort_buffer_size = 100K
read_buffer_size = 256K
read_rnd_buffer_size = 256K
net_buffer_length = 2K
thread_stack = 64K
skip-bdb
skip-innodb
Posted by layer0, 12-02-2006, 11:41 AM try For httpd.confPHP Code:Timeout 30
KeepAlive On
MaxKeepAliveRequests 120
KeepAliveTimeout 3
MinSpareServers 1
MaxSpareServers 5
StartServers 1
MaxClients 250
MaxRequestsPerChild 0
Find if it's MySQL or Apache that is actually taking up the RAM...ps auxf will show you.
ps auxf | grep httpd
ps auxf | grep mysql
Posted by Ogg, 12-02-2006, 07:01 PM I was watching top -c and one query on the forum looked like it used 3.3% CPU power while each page load took 0.7-1.3% on Apache.
I tried setting Timeout to 30 and MaxReq to 0 but it doesn't seem to have changed anything... I'm not sure how to read the auxf reports!
*8 users on our forum, posting, reading.Quote:
up 1 day, 3:51, 1 user, load average: 0.00, 0.02, 0.00
Tasks: 33 total, 1 running, 32 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.0% us, 0.0% sy, 0.0% ni, 100.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 4136864k total, 4044932k used, 91932k free, 218388k buffers
Swap: 2096472k total, 592k used, 2095880k free, 1847572k cached
Posted by nex99, 12-31-2006, 10:31 AM Dear,
Service Status of my new VPS shows this info:
named (9.2.4) up
cpsrvd up
Server Load 0.04 (2 cpus)
Memory Used 72.6 %
Swap Used 3.94 %
Disk simfs (/) 13 %
is it ok? specially i think for Memory Used 72.6 %
Posted by layer0, 12-31-2006, 10:33 AM
Service Status of my new VPS shows this info:
named (9.2.4) up
cpsrvd up
Server Load 0.04 (2 cpus)
Memory Used 72.6 %
Swap Used 3.94 %
Disk simfs (/) 13 %
is it ok? specially i think for Memory Used 72.6 %
Posted by talkhostrunner, 02-17-2007, 06:08 AM Awesome tutorial!!!!
Posted by ivytony, 03-19-2007, 01:36 AM These tips are also applicable for VPS built in Fedora Core 6 and Webmin, right?
thanks!
Posted by lcubehost, 03-19-2007, 12:24 PM Thanks for posting this. I am adding this to my checklist of all new setups for VPS. Thanks
Posted by jacky84, 03-20-2007, 01:01 PM Is there document also for howto securing and optimizing a windows VPS
Posted by ivytony, 03-20-2007, 01:03 PM
Posted by mark_s, 04-30-2007, 02:48 PM Hello, I have a VPS with MySQL4/PHP4/Apache2.
I've tried using the optmised values for my.cnf but they are not accepted. Can someone take a look at my my.cnf and tell me acceptable values like the ones in this tutorial?Code:[mysqld] set-variable=local-infile=0 datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock # Default to using old password format for compatibility with mysql 3.x # clients (those using the mysqlclient10 compatibility package). old_passwords=1 skip-bdb set-variable = innodb_buffer_pool_size=2M set-variable = innodb_additional_mem_pool_size=500K set-variable = innodb_log_buffer_size=500K set-variable = innodb_thread_concurrency=2 [mysql.server] user=mysql basedir=/var/lib [mysqld_safe] err-log=/var/log/mysqld.log pid-file=/var/run/mysqld/mysqld.pid skip-bdb set-variable = innodb_buffer_pool_size=2M set-variable = innodb_additional_mem_pool_size=500K set-variable = innodb_log_buffer_size=500K set-variable = innodb_thread_concurrency=2
Posted by mark_s, 04-30-2007, 08:42 PM Please ignore my previous message... I have successfully implemented the values in the tutorial.
Posted by ThisNameWillDo!, 05-02-2007, 08:43 AM Cool tut! Thanks!
Posted by Verm, 05-11-2007, 02:23 PM Great post. Thank you.
Posted by blacktooner, 05-15-2007, 02:03 PM Does this works in Ubuntu? Isn't it Linux based?
Posted by Orien, 05-17-2007, 11:54 PM
Posted by Dougy, 06-18-2007, 08:25 PM Not to dig up, but thanks!
Posted by trooperx, 06-21-2007, 01:18 PM
Posted by dayo, 06-26-2007, 12:37 PM Thanks for the detailed info
Posted by amex, 07-07-2007, 11:40 PM
Originally Posted by elix
Lastly, I recommend installing mytop to help you monitor your usage...
Code:
wget http://dll.elix.us/mytop-1.4.tar.gztar -zxvf mytop-1.4.tar.gzcd mytop-1.4perl Makefile.PLmakemake testmake install
Once that's done, just enter in "mytop" .
[root]# mytop
Can't locate Term/ReadKey.pm in @INC (@INC contains: /usr/lib/perl5/5.8.5/i386-linux-thread-multi /usr/lib/perl5/5.8.5 /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2 /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl .) at /usr/bin/mytop line 165.
Any ideas?
Thanks!
Posted by r00ter, 07-07-2007, 11:44 PM It looks like a PERL error, can we know which OS you are using, and whether or not you have perl or perl libs installed?
Posted by amex, 07-07-2007, 11:49 PM
Perl: Perl 5.8.5 Installed
Thanks
Posted by foobic, 07-09-2007, 09:47 AM Use CPAN to install the missing module - just type cpan as root. You'll need to do some setting up if you haven't run it before but you can accept the defaults it offers. Then: My belated thanks also to the original authors layer0 and frynge.Code:cpan> install Term::ReadKey
Posted by Shining Star, 07-09-2007, 09:48 AM nice tutorial
Posted by amex, 07-15-2007, 06:17 PM
1a) Root breach DETECTOR and EMAIL WARNING
1b) Mail Receive
i have try the above code to set the to send out an e-mail, when someone access/login to the root account of the server. but for some reason, i unable to see the user login Ip-address. Do anyone know, what code i should add so that it will show the ip-address?
Quote:
ALERT - Root Shell Access on: Mon Jul 9 08:07:40 EDT 2007 root pts/0 Jul 9 08:07 (ool.dyn.optonline.net)
Posted by phuongdong, 07-19-2007, 04:54 AM I guess the email with no IP will be sent to you when you reboot the server(VPS)
Posted by amex, 07-19-2007, 10:34 AM
Posted by dewd, 07-22-2007, 11:43 PM thanks for the info
Posted by frynge, 07-23-2007, 12:42 AM
ool.dyn.optonline.net
http://www.dnsstuff.com/
Posted by amex, 07-23-2007, 01:15 AM
ool.dyn.optonline.net
http://www.dnsstuff.com/
Thanks for responding.
ool.dyn.optonline.net is the hostname of the ISP that logged in. Its not the actual IP or hostname of the individual who logged in.
Running any tests on the hostname will reveal the IP of the general IP of the ISP not the individual subscriber.
Posted by Volt.Networks, 07-25-2007, 06:49 PM Just read the tutorial. Very nice job.
Posted by amex, 07-25-2007, 07:00 PM
Posted by sherwinaval, 09-01-2007, 02:29 PM thanks for this helped me a lot after weeks of trying to find the best solution to optimize my vps
Posted by nixadm, 09-10-2007, 01:09 AM Hello,
I would not recommend to anyone to run this blob list of commands.
The author put an effort in it, but clearly is missing the basic understanding of unix. let alone security practices.
Posted by amex, 09-10-2007, 09:55 PM
I would not recommend to anyone to run this blob list of commands.
The author put an effort in it, but clearly is missing the basic understanding of unix. let alone security practices.
Posted by frynge, 10-27-2007, 09:32 PM
Cheers
Posted by layer0, 10-27-2007, 09:40 PM
Thanks for responding.
ool.dyn.optonline.net is the hostname of the ISP that logged in. Its not the actual IP or hostname of the individual who logged in.
Running any tests on the hostname will reveal the IP of the general IP of the ISP not the individual subscriber.
Posted by amex, 10-28-2007, 09:56 PM
Thanks for your reply. I didint see UseDNS in my sshd_config so I just added this to the end of it but alas it didint change anything:Am I doing something wrong?Code:UseDNS off
Regards,
Posted by GBSF, 10-29-2007, 03:52 PM Great thread guys! Thanks for everyone help!
I have a quick question about setting the following:
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
This seems to be working but every email I get is showing the wrong host name but the correct IP address:
Example:
Access from (balyrion.liquidweb.com)
(208.xxx.xxx.xxx)
ALERT - Root Shell Access on: Mon Oct 29 12:50:50 PDT 2007 root ttyp0 Oct 27 20:59 (balyrion.liquidweb.com) root ttyp2 Oct 29 12:50 (208.xxx.xxx.xxx)
How do I fix this? To show the correct hostname with the ip address?
Posted by diggleblop, 11-13-2007, 05:34 PM I ran the Root kit checker and it tells me that at Port 425 Possible LKM Trjan Installed. Now what?
Posted by layer0, 11-13-2007, 05:38 PM
Thanks for your reply. I didint see UseDNS in my sshd_config so I just added this to the end of it but alas it didint change anything:Am I doing something wrong?Code:UseDNS off
Regards,
Posted by foobic, 11-13-2007, 07:48 PM
Posted by amex, 11-17-2007, 07:41 PM
UseDNS no Code:UseDNS offGood suggestion! Now It works!Quote:
Posted by layer0, 11-17-2007, 07:44 PM
Posted by bigu_c, 11-30-2007, 05:53 PM This is good tut for me!
Thank you!
Posted by mimozo, 12-02-2007, 08:54 AM nice tutorial .. thanks for sharing mate
Posted by remotehost, 12-04-2007, 03:32 AM what is the advantages/disadvantages between APF and CSF ? I use CSF couse it can be integrated with WHM
Posted by Vince2006, 12-04-2007, 04:18 AM I found APF to be quirky... but that's just me. CSF runs lean and mean and does way better than APF did on my box. I'd recommend combining CSF/LFD with MailScanner (through Chripy's site HERE.) Great way to go.
Posted by etusha, 12-11-2007, 01:49 PM any one have use lynis
http://www.rootkit.nl/projects/lynis.html
i have a ask for u whats the best anti rootkit
rootkit hunter or chkrootkit or zeppoo.net or a new anti rootkit
Posted by mcgyver8, 12-12-2007, 03:45 AM Frynge, awesome tutorial!
Posted by betoranaldi, 12-27-2007, 02:31 PM
Spam Assassin
Spam Assassin can take up a lot of memory and make it really hard to host just a few sites on a VPS, but there is a way around this...
Login to WHM as root, scroll down to "cPanel 10.8.1-R15" (it may be slightly different depending on what version you are using) then goto "Addon Modules" and install "spamdconf". Once it's done, refresh the WHM page, scroll down to "Add-ons" on the nav bar and then click on 'Setup Spamd Startup Configuration". Set "Maximum Children" to "2". Then hit Submit. Wait a few seconds (15-30, but usually less) for exim to restart and you're done .
Posted by labeach, 01-04-2008, 07:36 PM Hello,
I had to recompile apache now root logins are no longer being emailed to me. I pico .bash_profile and the email and everything is there. Any ideas on how to fix this? thanks,
Posted by hero525252, 01-23-2008, 11:51 AM if i done this steps will my security be perfect??
Posted by Datacenter1, 01-23-2008, 09:13 PM
for a perfect security you have to unplug your server from network, unplug from power and lock it in a safe (dont lost the key or combination)
Posted by etusha, 01-24-2008, 08:22 AM or burn it
Posted by PCS-Chris, 01-24-2008, 08:47 AM
If you are hosting something which is mission critical to security you could always consider hiring a management company to do a once-over hardening on your machine or VPS in this case. The main key to security is to ensure all packages on the server are kept upto date, and to monitor the content of your accounts.- I guess that works tooQuote:
or burn it
Posted by zwtint, 01-27-2008, 09:16 AM Hi,
Can somebody let me know the exact steps how to harden /tmp on a VPS?
Regards,
Posted by jiggerbit, 01-28-2008, 02:26 PM
Can somebody let me know the exact steps how to harden /tmp on a VPS?
Regards,
Posted by nixadm, 01-29-2008, 06:56 AM
With jiggerbit's answer you are still unsure what it really does, and if you break functionality of some other system component... It always comes back to the basics.
Posted by Tristan Perry, 01-31-2008, 09:53 AM Hello all,
My forum's can sometimes be quite laggy, and I'm not sure why. Load times are averaging at 2+ seconds. I'm on VPS hosting (I have 512Mb of memory - server stats are here).
My forums are getting the same amount of people online as usual (e.g. a bit before peak time: "Users Online: 73 Guests, 41 Users over 15 minutes").
I've carried out the optimisation tips mentioned here (i.e. I've changed the relevant settings in my.cnf and httpd.conf).
However I'm not sure what's causing this lag. I use SMF as my forum software, which is a very reliable and speedy software (other forums with millions of posts run SMF fine; I only have 800,000 posts).
Upon inspection, I found out that certain queries are lagging like mad:Quote:
DELETE FROM yabbse_sessions
WHERE last_update < 1201713265
in /home/tauonli/public_html/forums/Sources/Load.php line 2180, which took 7.59983802 seconds.Quote:
SELECT data
FROM yabbse_sessions
WHERE session_id = '2ab5abd09a2bbebd79065efe0af790e4'
LIMIT 1
in /home/tauonli/public_html/forums/Sources/Load.php line 2110, which took 12.86598301 seconds.Whilst some are completed queries, some are basic queries calling on data from basic table structures.Quote:
REPLACE INTO yabbse_log_boards(id_msg, id_member, id_board)
VALUES
(1058514905, 1, 1)
in /home/tauonli/public_html/forums/Sources/MessageIndex.php line 140, which took 2.8114779 seconds.
UPDATE yabbse_topics
SET num_views = num_views + 1
WHERE id_topic = 60114
in /home/tauonli/public_html/forums/Sources/Display.php line 174, which took 4.49542999 seconds.
UPDATE yabbse_members
SET last_login = 1201723759, member_ip = '88.105.13.104', member_ip2 = '88.105.13.104', total_time_logged_in = 10197033
WHERE id_member = 1
in /home/tauonli/public_html/forums/Sources/Subs.php line 556, which took 3.65229011 seconds.
SELECT
c.id_cat, b.name AS bname, b.description, b.num_topics, b.member_groups,
b.id_parent, c.name AS cname, IFNULL(mem.id_member, 0) AS ID_MODERATOR,
mem.real_name, b.id_board, b.child_level,
b.id_theme, b.override_theme, b.count_posts, b.id_profile, b.redirect,
b.unapproved_topics, b.unapproved_posts, t.approved, t.id_member_started
FROM yabbse_boards AS b
INNER JOIN yabbse_topics AS t ON (t.id_topic = 60114)
LEFT JOIN yabbse_categories AS c ON (c.id_cat = b.id_cat)
LEFT JOIN yabbse_moderators AS mods ON (mods.id_board = t.id_board)
LEFT JOIN yabbse_members AS mem ON (mem.id_member = mods.id_member)
WHERE b.id_board = t.id_board
in /home/tauonli/public_html/forums/Sources/Load.php line 631, which took 15.63650703 seconds.
Runing ps auxf gets:Any ideas on why my forum's are lagging so much would be greatQuote:
mysql 20172 0.8 13.1 153012 69060 ? Sl Jan29 9:51 \_ /usr/sbin/mysqld
(0.8% CPU, 13.1% memory)
nobody 1326 1.0 2.6 56680 13900 ? R 13:00 0:02 \_ /usr/local/apache
nobody 1515 0.7 2.9 58256 15524 ? S 13:00 0:01 \_ /usr/local/apache
nobody 1681 0.7 2.6 56388 13636 ? S 13:01 0:01 \_ /usr/local/apache
nobody 2030 0.6 2.6 56468 13700 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3104 0.9 2.8 57708 14944 ? R 13:02 0:00 \_ /usr/local/apache
nobody 3107 0.4 2.4 54824 12660 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3108 0.7 2.5 55876 13124 ? S 13:02 0:00 \_ /usr/local/apache
nobody 3367 1.1 2.3 54244 12072 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3370 0.6 2.4 55500 12672 ? R 13:03 0:00 \_ /usr/local/apache
nobody 3371 1.0 2.4 54888 12716 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3384 0.9 3.0 58000 15820 ? R 13:03 0:00 \_ /usr/local/apache
nobody 3533 0.9 2.4 55276 13024 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3540 1.0 2.5 56072 13608 ? S 13:03 0:00 \_ /usr/local/apache
nobody 3588 0.8 2.3 54776 12084 ? S 13:04 0:00 \_ /usr/local/apache
nobody 3598 3.8 2.6 56260 13704 ? S 13:04 0:00 \_ /usr/local/apache
nobody 3618 0.0 0.6 47104 3412 ? S 13:04 0:00 \_ /usr/local/apache
Thanks,
Tristan
Posted by rub3n, 02-10-2008, 03:54 PM Nice and very useful thread, thanks for posting this!
Posted by arkin, 02-11-2008, 11:29 AM Great thread/article, thanks.
Posted by jamesmoey, 02-24-2008, 08:02 PM tristanperry
If you use innodb tables, increase your innodb_buffer_pool_size,
and increase your query_cache_size and key_buffer_size.
Good luck.
Posted by Rick Ce, 03-07-2008, 05:41 AM Hi there,
Great post thank you everyone
I have installed apf on my dedi's and it works great, I have come to install it on my cpanel vps servers and my users report they can not send mail has anyone else had this problem? As soon as I stop apf the mail clears from the que.
I have made sure these are open in the config file TCP/UDP 25, 110, 143, 465, 993, 995.
Any ideas?
Kind regards,
Rick
Posted by likepeas, 04-25-2008, 11:59 AM what about sql injection thru the cpanel? i got hacked a few times like these.
Posted by 3dom, 04-26-2008, 05:29 PM Great post. Thanks!
Now I'm sure I'll stick with shared accounts and going to stay away from VPS as long as I can
=)
Posted by grandad, 04-27-2008, 03:59 AM When I use:- On my next SSH login I see the errors:-Quote:
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Save and exit.When I remove the alert all returns to normal.Quote:
-bash :mail command not found
-bash :echo: write error: Broken pipe
cPanel 11.18.3 R21703
Centos 5
Any idea why it breaks it?
Posted by greggster, 04-30-2008, 06:06 AM tmp can be secured to be noexec in 1 minute, no reboot required. Nothing can execute there - /var/tmp remains a risk - unless that is mounted separately also:
/dev/VolGroup00/LogVol02 /tmp ext3 defaults,nosuid,noexec 1 2
edit the /etc/fstab file, then do a mount -o remount and it will remount /tmp and you are set - just don't be in /tmp when remounting.
Posted by altaibskt, 05-16-2008, 02:42 PM thanx for this nice post
Posted by vikashk, 05-18-2008, 10:57 AM Another great tool against ssh brute force is deny hosts. It uses host.deny file which may be more appropriate for VPSs as the number of iptables rules is usually limited by the VPS provider.
Posted by greggster, 05-20-2008, 10:39 PM Portsentry is one tool that has spared a lot of hacking attempts - I have the same IP's daily trying to get in - here is one way to thwart:
1. Setup Portsentry (against the recommendations) to scan up to port 65000 or so - I saw a lot of scans start at port 1026 - portsentry is default setup to port 1024, so raised to 65000 and allow 3+ port scans before blocking - that way there are less false alarms or in case someone forgets port 22....
2. Change your ssh port to the 2000+ range - remember to open your firewall for this new port..
3. Keep port 22 open on firewall - and now its a honeypot of sort - got to remind users to use the new non-standard port, but script kiddies fall right into it.
4. Anyone port scanning is only looking to harm, so they get dropped completely for a while and cannot do any more harm. Bye bye.
Here we see people start on port 1026 a lot - on a typical portsentry install, Squid, VNC and other services lack a layer of protection that FTP, SMTP have - with this setup - not no more:
From 221.6.145.18 - 2 packets to udp(1026,1027)
From 221.208.208.86 - 2 packets to udp(1026)
From 221.208.208.92 - 2 packets to udp(1026)
From 221.208.208.95 - 2 packets to udp(1026,1027)
From 221.208.208.97 - 2 packets to udp(1026,1027)
From 221.208.208.99 - 4 packets to udp(1026,1027)
From 221.208.208.212 - 4 packets to udp(1026,1027)
From 222.84.225.189 - 2 packets to tcp(5900)
From 222.187.221.27 - 4 packets to tcp(7212,8000)
From 222.216.28.40 - 2 packets to tcp(5900)
And a word about security through obsecurity - technically a lot of existing security is through obsecurity - just differing levels of randomness - port, 8 character password or 1024 character certificate. If someone knew what port a service is running on, or knew a password, or knew the SSH key - either 4, 8, or 1024 characters - they have access. These random characters is why cracking works. Its only a matter of time before the port/password/certificate is found out if being cracked - even if its 20 years - at some point the attacker quits for an easier target. Again, if we can slow down the hacker, they will move on - or the script will move on. Think car alarms, 3 locks on front the door of an apartment, "The CLUB" - all there to say "move on to an easier target".
Posted by Spacial, 06-13-2008, 02:55 AM
Posted by greggster, 06-20-2008, 02:56 AM /etc/php.ini for most installs. When I started this there was about 6 months of no TV and lots of studying - hosting on the net is like jumping into a den of lions and my first few hits woke me up. A test machine with 42,000 failed login attempts scared me into studying. This is a great forum and I have learned from here and from howtoforge.com a massive amount - like going to school.
Posted by robr3004, 07-24-2008, 10:30 PM
Install a root breach DETECTOR and EMAIL WARNING
=========================================
If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.
Server e-mail everytime someone logs in as root
To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Save and exit.
I added the email alert to .bash_profile but when I login I get this message:
"You must specify direct recipients with -s, -c, or -b."
I checked for typo's three times. Any ideas?
Posted by robr3004, 07-24-2008, 10:47 PM
I added the email alert to .bash_profile but when I login I get this message:
"You must specify direct recipients with -s, -c, or -b."
I checked for typo's three times. Any ideas?
Posted by n00bRooT, 07-25-2008, 09:10 AM thanks dude great post for n00bs
Posted by Nazeer, 07-26-2008, 01:31 AM Great thread. This is really wonderful thread and very helpful to new VPS users.
I love to see more tutorials like this.
Thanks
Nazeer
WebcareSolutions.com
Posted by greggster, 08-21-2008, 10:17 PM Check out OSSEC for server security - quick install, open 1 port and you are set. It emails every time someone logs in - set your email to cc gmail and if you get rooted, about 10 seconds later a copy will be at gmail also...
Posted by vantasticman7, 08-24-2008, 08:50 PM
Since :blackhole: processes the entire email, more resources wind up getting used. I, like many others, have tested replacing :blackhole: with :fail: on some of servers in the past, and can say that easily, without a doubt, less resources (namely CPU and disk I/O) wind up getting used, which helps keep the load average even lower than usual. :fail: will immediately send a 550 error after the invalid RCPT TO: line, vice accepting then discarding the entire email. I'm not saying that will work for everyone, but I have personally seen it immediately decrease resource usage on a shared hosting server with a fairly busy day to day mail flow, and would recommend it to anyone else looking to do the same regardless of the server type.
Van
Posted by JLHC, 08-24-2008, 08:57 PM Great thread! /Subscribes.
Posted by spudlet, 09-09-2008, 05:40 PM hello
I have installed chkrootkit and bfd exactly as designed (to the letter) in the first post about 4-8 weeks ago.
Today my vps went down, for absolutely no reason as far as i can find, it was 'up' but i couldn't get onto ssh and it wasn't serving over 80.
I complained, rather harshly because I have been receiving very poor service from them in my mind.
They came back and said "someone has added some extra rules to the firewall". I know that no one has logged in (I changed the port for ssh), other than myself and I have made no configuration changes beyond install the above and moving the ssh port which is basic stuff.
Does bfd or chkrootkit add any firewall rules or lock everyone from accessing the site?
The host has 'deleted the rule and turned off the firewall', but i'm a little confused how the entries got in there that would have cocked it up... unless these did it? I can't tell you the firewall rules now because they've been removed and, surprising the firewall was turned off which just seems plum wrong to say this is a managed service I'm paying for.
Its a simple php/mysql setup, directadmin is there but i haven't changed any configuration; a week or so back my host accidently removed one of my ips and assigned it to another customer, but on my end i haven't touched anything.
So could bfd or chkdisk have done this? what could have done? I've quite literally just done a few steps from this guide and nothing else... how can these rules (that i've not seen so can't tell you what they are) have got there?
Posted by secmas, 09-09-2008, 11:36 PM Spudlet,
it sounds like your firewall has blocked your IP from the system. It could happen if you have not added your IP to the white list.
To check why or what have you done, just look into the /var/logs for the IP that your ISP has assigned to you, if you don't know what is your IP, then, you can enter into SecmasHost.com/ip and it will tell. This is a handy utility that I use with my customers when the firewall blocks them.
After you have the IP, go and search on /var/logs/messages and if it is not there, then go and check on the apache error_log.
Hope this help you to see what happened.
Posted by DnaJinx, 09-14-2008, 09:48 PM very useful post thanks for posting it
Posted by alwaysonline247, 09-22-2008, 10:56 PM thanks for the info
Posted by ragubhat, 09-28-2008, 03:31 AM csf+lfd works on all GNU/Linux servers with or without cPanel. This f/w script is well maintained and in certain cases betters apf. Install this on your cPanel VPS and test. On the HN, install either shorewall or firestarter. RKHunter is better and well maintained than Chkrootkit. Code:http://www.configserver.com/cp/csf.htmlYMMV.Code:http://www.rootkit.nl/projects/rootkit_hunter.html
Posted by CI-Theo, 10-05-2008, 07:03 AM This thread is certainly impressive - I have already performed a few mods via SSH. Great job!
Posted by zbaby48, 10-05-2008, 05:42 PM Thanks a lot for this information will definitely put it to good use!
Posted by michaljnowak, 10-06-2008, 10:07 AM Good job. Thanks a lot!
Posted by grniyce, 10-13-2008, 05:15 PM SQL Optimization specifically designed for Vbulletin, IPB, Phbb bulletin boards using multiple queries and shoutboxes. This WILL get you out of hot water with your host telling you you're using too much CPU.
This has been written to be flexible within the following environments:
- 1-4 gig of ram
- Pent4 w/hyper threading or above cpu speed
Enjoy!
[mysqld]
port = 3306
socket = /var/lib/mysql/mysql.sock
skip-locking
max_connections = 2000
max_user_connections = 250
key_buffer = 128M
max_allowed_packet = 64M
max_connect_errors = 10
thread_concurrency = 8
concurrent_insert = 2
table_lock_wait_timeout = 35
wait_timeout = 35
connect_timeout = 10
tmp_table_size = 256M
max_heap_table_size = 256M
table_cache = 2M
join_buffer_size = 1M
sort_buffer_size = 2M
read_buffer_size = 1M
thread_cache_size = 384
wait_timeout = 900
read_rnd_buffer_size = 1M
bulk_insert_buffer_size = 8M
net_buffer_length = 4M
thread_stack = 256K
skip-bdb
skip-innodb
query_cache_limit = 8M
query_cache_size = 128M
query_cache_type = 1
query_prealloc_size = 131072
query_alloc_block_size = 65536
default-storage-engine = MyISAM
[mysqldump]
quick
max_allowed_packet = 500M
[mysql]
no-auto-rehash
#safe-updates
[myisamchk]
key_buffer = 64M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M
[mysqlhotcopy]
interactive-timeout
Posted by canubeat, 03-25-2009, 12:03 AM Is there any help on same topic for LxAdmin panel
Posted by host-6-Dan, 04-02-2009, 10:45 AM Thanks for the tut
Posted by DoYouSpeakWak??, 04-06-2009, 11:23 AM Thx for this one. It really helped me last night.
Posted by nhynes57, 04-14-2009, 07:55 AM Great post, I am looking at getting a VPS but security is a worry. This helps a lot. Thanks
Posted by nessic, 04-16-2009, 03:34 AM Great tutorial. Thanks for the help
Posted by biggies, 04-21-2009, 11:10 AM Great Post. Thanks for the help
Posted by CKGroup, 05-11-2009, 04:10 PM Great tut, thanks!
Posted by pongery, 06-08-2009, 11:19 AM awsome tutorial thanks
Posted by webdis2, 06-10-2009, 01:27 PM This is a good guide, i used it and I saw increased performance.
Posted by OwlsHosting, 06-12-2009, 12:44 AM Some great info here! Thankyou
Posted by t3od0r, 06-16-2009, 04:34 AM Thanks, great tutorial, my host should read it, they were hacked
Posted by adwivedi, 07-02-2009, 06:27 AM Hey will i need to have mail (smtp and all) set up to use these email utilities?
Posted by admsys, 07-11-2009, 05:22 AM this tips very usefull for beginner...
thanks 4 share...
Posted by mrwillt, 07-14-2009, 10:01 AM Great guide!
Posted by Sheikh Ahsan, 07-14-2009, 11:54 AM Hello guys,
I am new into this field. Any suggestions will be appreciated!
Cheers
Posted by thesecret, 07-17-2009, 02:57 PM thanks alot for your support
Posted by Larsson, 07-22-2009, 02:56 PM Is this still up to date?
Posted by scurrminator, 08-04-2009, 03:07 PM cool tutorial, thanx
Posted by Hostlatte, 08-10-2009, 07:42 PM Good write up!
Posted by KrazyBob, 08-12-2009, 01:42 AM This is an excellent tutorial even though I use Plesk on top of Virtuozzo. At the moment I am getting spammed to death and I suspect brute force attacked based on IP's going to most of the passworded services. I have over 100 virtual servers running Plesk 8.6 and Virtuozzo 3 (I know - time to upgrade.)
The question I have is this: I have the Plesk firewall enabled through /etc/sysconfig/iptables-config. I can also install APF and BFD even though we use a top-level hardware firewall.
Now then, do I need to add APF to the hardware node? Then do I need to add BFD to the VE? Or can I add APF and BFD to just the hardware node since it sees all IP's anyway? If using the Plesk firewall do I need or want to run APF? I mean, won't they conflict with one another? I can turn off the Plesk firewall just by removing the line from the config and restartiung VZ if APF is the better approach. By default we have most services off and only allow trusted IP's access to ssh.
I am tired of my pager going off and OpManager going crazy.
Posted by greggster, 08-12-2009, 09:09 PM Issue with hardware firewalls is unless configured, they are typically not responsive firewalls - APF and BFD can do this.
Not a direct answer but might help also - actually, I found spam and brute force fighting quite fun. For spam and bruteforce denyhosts might help - as some of the same bots brute forcing might be sending spam, but have not done a statistical test in a while - I installed but there was not enough email to statistically tell. The really useful part is the central denyhosts server that other denyhosts report bad hosts to and your server gets the updates.
Also are the spams for a certain domain? I am hosting one domain and the spamhaus hits went up 30x when started hosting them, and down 30x when just the MX record was pointed to gmail. Unfort I installed denyhosts after this domain's MX record was migrated..
Posted by KrazyBob, 08-12-2009, 09:31 PM Thanks for the reply but the question is still unanswered.
Do I need to add APF to the hardware node? Then do I need to add BFD to the VE? Or can I add APF and BFD to just the hardware node since it sees all IP's anyway? If using the Plesk firewall do I need or want to run APF? I mean, won't they conflict with one another? I can turn off the Plesk firewall just by removing the line from the config and restartiung VZ if APF is the better approach.
Thanks again.
Posted by ServerOrigin, 08-13-2009, 04:22 AM It's recommended that you have a hardware firewall in place and have no open public ports on the hypervisor. I wouldn't recommend running a firewall on the host node itself. It should be firewalled with hardware and then allow your users up to 200-300 available rule additions for each vps.
Posted by KrazyBob, 08-13-2009, 04:46 AM The hardware firewall works but the offending IP's need to entered. The firewall doesn't see them as a brute force attack and is why I asked about installing APF and BFD. I';d love an answer to the actual question.
Posted by shad0wd0wn, 08-21-2009, 11:44 PM Thanks a lot for all of these it'll help a lot
Posted by nessic, 08-23-2009, 08:43 AM Not a bad tutorial, Well Done
Posted by jeswinaugustine, 09-03-2009, 12:33 PM WOW !! just the one i was looking for !! thanks !!
Posted by carmaster, 09-03-2009, 12:43 PM great tutorial i like it
Posted by TRVPS, 09-05-2009, 04:33 PM Now bad security WHM and cPanel You should establish with CSF
Posted by noep, 09-18-2009, 05:18 PM Thanks i used this guide
Posted by Hesham_3del, 09-22-2009, 02:37 PM thanks a lot for this tutorial ...
Posted by energetic, 09-22-2009, 07:55 PM great thread
Posted by vnk1986, 09-26-2009, 01:57 PM Hey Guys! this is a very useful, learning and informative thread. Thanks a lot for sharing your ideas and tips!
Posted by ServerHitch, 10-08-2009, 01:49 AM Great information, really the most important of all is brute force detection!
Posted by hostedweb, 10-09-2009, 09:10 AM Excellent tutorial, thanks!
Posted by k-planethost, 11-01-2009, 07:35 AM how can you check the logfile (/var/log/rkhunter.log)
which is the command?
Posted by [JSH]John, 11-07-2009, 11:00 AM You can use cat /var/log/rkhunter.log or nano /var/log/rkhunter.log
Posted by izesem, 11-18-2009, 05:18 AM Could anyone suggest me to optimize Apache & MySql for Xen Vps
Cpu: Core i7
Ram: 1G DDR3
Posted by hostwebdata, 11-27-2009, 12:56 AM Excellent tutorial thx for the info
Posted by Master Bo, 12-01-2009, 06:52 AM A great collection of hints. Personally, I'd have added also
1. Port knock module for the firewall used, to set up the proper PK'ing and keep the system shut in most cases. In conjunction with rate limiting, that will give better protection from would-be hackers.
2. Resources monitoring. Early warning about any unusual service/resource usage state could be very useful to pinpoint and handle the problem quickly.
Snort could also be a good intruder detection tool.
Thanks!
Posted by ChrisRut, 01-08-2010, 01:57 PM
Is there a reason you can't set SSH to a port higher then 49151?
Posted by 0100001101001010, 01-15-2010, 10:15 PM Thank you. Very nice write up.
Posted by webhostingis1, 01-19-2010, 12:35 PM This a fantastic guide, thanks very much!
I am currently having problems with the following:Everything works fine to begin with but when I access SSH I do not receive an email. Also when I return to the file the line is no longer showing.Quote:
Server e-mail every time someone logs in as root
To have the server e-mail you every time someone logs in as root, SSH into server and login as root.
At command prompt type:
pico .bash_profile
Scroll down to the end of the file and add the following line:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com
Save and exit.
I am using PUtty for this. If anything can offer any help I will be truly grateful.
Thanks!
Posted by njoker555, 01-19-2010, 12:40 PM
I am using PUtty for this. If anything can offer any help I will be truly grateful.
Thanks!
Posted by webhostingis1, 01-19-2010, 02:40 PM
Using PUtty I used ctrl + x then y to save and that seems to be right.
OK I will ask my web host to help me with this, thanks very much for your help.
I did however manage to add the warning message
Posted by djl93, 01-20-2010, 02:26 AM oh wow thanks a lot! I have a VPS of my own this is very helpful
Posted by macaws, 01-24-2010, 12:19 PM You spent a lot of time making sure we have a secure, safe, VPS. Thank you for this tutorial.
Posted by usherj, 01-30-2010, 12:01 PM Good, useful!
Posted by dedivirtual, 02-01-2010, 02:02 PM Awesome ! Really Appreciable work,
Posted by hostingelite, 02-15-2010, 07:24 AM This really helps me.
I first time come to a hosting forum, that;s worth it.
Thanks!
Elva
Posted by ItsAliveHosting, 02-20-2010, 02:52 PM Nice work and thank you for the heads up.
Posted by the_wanderer, 02-22-2010, 07:42 PM Excellent information contained in this thread. I would encourage anyone adding security and locking down a host, to try and grasp an understanding of what the commands and tools are doing. Blindly following a tutorial - does not provide you with added security if you do not understand the possible consequences of the configuration changes. Agreed... http://www.ossec.net is an excellent tool, here is a quick guide - http://hackertarget.com/2009/08/osse...llation-guide/.Quote:
Check out OSSEC for server security - quick install, open 1 port and you are set. It emails every time someone logs in - set your email to cc gmail and if you get rooted, about 10 seconds later a copy will be at gmail also...
As an additional tip, running Nessus or OpenVas, along with Nikto externally is a great way to check your config, patch levels and general external security.
Posted by David-, 02-28-2010, 06:51 AM This is awesome, will come into hand when i purchase my vps. Thanks!
Posted by waqaspuri, 02-28-2010, 07:06 AM any knows antivirus to protect injection virus, free of cost ?
Posted by k-planethost, 02-28-2010, 02:04 PM clamav antivirus from cpanel/whm you can install it
Posted by nileshparmar, 03-13-2010, 02:37 AM I had ran Quick Security Scan but didn't get any result.
Quick Security Check in Progress...
Note: You may see [FAILED] results below; These are normal as this means the service(s) were already shutdown.
Stopping portmap: [FAILED]
Shutting down console mouse services: [FAILED]
Shutting down SMB services: [FAILED]
Shutting down NMB services: [FAILED]
Shutting down xfs: [FAILED]
Posted by Gergely Homola, 03-31-2010, 03:15 PM that this thread is awesome. I originally registered to say thank you for these tips, I just kinda' forgot until I got here...
Posted by kapz01, 04-02-2010, 12:20 PM Anyone got any idea to this issue: Quote:
# /usr/share/logwatch/scripts/logwatch.pl --range today
Can't exec "sendmail": No such file or directory at /usr/share/logwatch/scripts/logwatch.pl line 1017, <TESTFILE> line 2.
Can't execute sendmail -t: No such file or directory
Posted by -Edward-, 04-03-2010, 11:08 AM
Posted by izumi777, 04-11-2010, 12:49 AM Very nice article. Thanks for sharing.
Posted by Khaen, 04-12-2010, 10:42 AM Excellent tutorial. The information has helped me.
Posted by MarkoB, 04-13-2010, 06:27 AM thanks, it is very usefull for me
Posted by nileshparmar, 04-13-2010, 06:34 AM
Need better solution to this
However i can found manually by editing .html .htm .php pages
nilesh
Posted by eSupun, 04-22-2010, 12:44 AM I think this is the total guide everyone is looking for when they go for a VPS solution.
Thank you very much for sharing knowledge with VPS newbies like us
Thanks again.
Posted by HostNN, 04-25-2010, 02:35 PM Wow thank you! This really helped me out on my VPS. Going to need it to possibly serve my customers.
Posted by S_philip, 04-26-2010, 01:53 AM Hello kapz01,
It seems the default mailer entry in logwatch.conf is not set properly.
What is the default mailer you have on your server?
Posted by MySpotMedia, 05-02-2010, 12:39 PM are these general vps settings or is it ok to run a small hosting business using these?
Posted by assistanz247, 05-12-2010, 04:00 PM Nice work. It would really help VPS Owners.
Posted by WebCobra, 05-23-2010, 03:07 PM Great tutorial, long but great tutorial.
Posted by galwin, 06-02-2010, 02:35 AM Helped me a lot! I am a new VPS owner and I did some of the things here.
Posted by QuickWeb-Roel, 06-08-2010, 01:01 AM My CCNA class finally starting tonight after 1 month of delay due to lack of participants, ...first part is networking fundamentals, i read in the course overview that on chapter 6 they will teach us how to use a networking utility called "ping"
Posted by Flydro, 06-08-2010, 06:19 PM Thank's for this, been looking for a good tutorial to keep my VPS secure as it has been hacked once.
Posted by imanewbie, 06-15-2010, 05:45 PM thanks for this good tutorial, very helpful
Posted by TinyVox, 08-01-2010, 11:56 PM Is this tutorial up to date? it's 5 years old.
Posted by eccspert, 08-22-2010, 06:22 AM Nice tutorial, but maybe you should update it.
Posted by bluearrow, 08-22-2010, 06:52 AM 5 years old but still an very helpful topic.
Posted by GoDeT, 08-25-2010, 02:23 PM nice thread guys! Thanks for everyone help!
Posted by xentos, 09-16-2010, 08:26 AM Thank you, needed the rootkit checker will install it soon
Posted by angathan, 09-16-2010, 12:38 PM Which firewall is more secure? APF or CSF?
Thanks for the tutorial
Posted by junker10, 09-24-2010, 07:33 AM Thanks for the tutorial and the help
Posted by capripio, 09-30-2010, 05:33 AM WoW Nice thanks for share
Posted by PyroEsque, 10-01-2010, 09:37 AM
Thanks for the tutorial
Posted by TinyVox, 10-01-2010, 02:02 PM Well, they both work with iptables. CSF is easier to use and it's well supported by cpanel/whm.
Posted by pureheart, 10-07-2010, 07:42 PM good tutorial...i do this tutorial on my VPS and i get more better speed
Posted by TomMosey, 10-10-2010, 08:42 AM Yeah, this is really great, helped me out a lot
Posted by jaimin26783, 10-11-2010, 09:33 AM Very useful thread about VPS tutorial.
Posted by Andy - XclusiveTech, 10-18-2010, 01:27 AM Awesome guide! Helped optimize my VPS. hopefully in the future I can start my own hosting business, and apply these techniques.
Posted by xenbox, 10-18-2010, 10:37 AM thanks for the tutorial. now i can hardening my cpanel
greet
<<signatures to be set up in your profile>>
Posted by NYCServers-Nick, 11-01-2010, 06:55 PM Very Very Very good tutorial.
If you have a VPS I strongly recommend you follow this guide.
Posted by Robbie P, 11-02-2010, 09:28 AM An excellent tutorial to read, when I read this i found it all extremly easy to understand and to work.
Posted by steven_elvisda, 11-06-2010, 09:37 PM But I still have problem with kernel patching. does anyone give me the best tutorial of kernel patching.
Your idea would be great to me.
Posted by jebra, 11-24-2010, 10:29 AM wow you need to write a book about it
Posted by Hot dog, 11-28-2010, 05:51 PM If i don't have pico as a cmd that means i dont have the pine right? I dont have any kind of cpannels.
Posted by innovohosting, 11-30-2010, 01:33 PM Wow!!! even I was aware of all(well almost) the techniques here I learned a few new softwares and techniques and sites. This is a very very very good thread!
May I suggest you check out also http://securecentos.com/ for a good and structured source of centos hardening?
Posted by tmrsk, 01-15-2011, 08:46 PM thanks for the tutorial
Posted by leetsauce, 02-01-2011, 02:34 AM Great tutorial! Thanks.
Posted by lxspcby, 02-18-2011, 12:10 PM this is a must bookmarked thread, need to see it everytime reload OS
Posted by Vistz, 02-20-2011, 11:59 AM
Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)
Goto Mysql =>> MySQL Root Password
Change root password for MySQL
Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
Posted by Master Bo, 02-20-2011, 01:11 PM
Non-root can only have 'full access' via sudo.
Posted by Vistz, 02-20-2011, 03:23 PM
Non-root can only have 'full access' via sudo.Where "you" are another user (not root).Code:Goto Account Functions =>> Manage Shell Access Disable Shell Access for all users (except yourself)
Posted by Master Bo, 02-20-2011, 10:26 PM
Myself, I use plain command-line to control everything, to me it's quicker and simpler.
SSH restrictions will all eventually be reflected in /etc/ssh/sshd_config and hosts.allow (if TCP wrappers are installed).
Thanks.
Posted by innovohosting, 02-21-2011, 02:35 AM Yep! How I do it is I have a normal user from which I sudo to root, and I disable remote root login.
If I need more people to have root access, I give them normal users that can change through sudo to root, and that way I can see who became root and when.
Hope it makes sense, just woke up
Posted by Vistz, 02-21-2011, 10:20 AM
Myself, I use plain command-line to control everything, to me it's quicker and simpler.
SSH restrictions will all eventually be reflected in /etc/ssh/sshd_config and hosts.allow (if TCP wrappers are installed).
Thanks.ThanksQuote:
If I need more people to have root access, I give them normal users that can change through sudo to root, and that way I can see who became root and when.
Hope it makes sense, just woke up
Posted by Vistz, 02-21-2011, 10:48 AM Actually, I have another question. Do these security practices work on Kloxo as well?
Posted by coderiser, 02-23-2011, 02:43 PM great guide, thanks for the info
Posted by sam00168, 02-23-2011, 11:56 PM thanks for the guide
Posted by kuyenmotdivad, 02-27-2011, 02:27 PM Great tutorial and advice guys.
Posted by Vistz, 02-27-2011, 11:03 PM I will be using Kloxo instead of cPanel and I noticed that Kloxo comes with LXGuard, which blocks a user's IP after specified number of unsuccessful attempts. Should I still do the section you mentioned about "Toot breach DETECTOR and EMAIL WARNING"?
Posted by no69_2007, 03-08-2011, 04:38 AM i guess this is the perfect guide I ever read.
Posted by hosting-ca, 04-01-2011, 10:39 PM Thanks, Very useful tutorial
Posted by Boxxed, 04-04-2011, 01:32 PM Thanks for the guide, its very useful
Posted by eric6630, 04-04-2011, 08:46 PM help i gain error
-bash: mail: command not found
i installed root breach DETECTOR and EMAIL WARNING
and that command insist
thanks
Posted by Rishi-GV, 05-10-2011, 02:34 PM Great tutorial. Some of the input from the users are also essential! Maybe someone could re-create this, but updated with extra protection.
Posted by rootserver, 05-14-2011, 03:59 PM I can not to instal Kloxo panel. Port 7778 is not funcion
Posted by Patel, 05-16-2011, 12:39 AM Thanks man, im getting into the VPS business and this really helps to keep my files secure!
Posted by henda, 06-08-2011, 12:26 AM Excellent How to guide.. This will come in most useful and save me some money employing "guru's" to secure my webservers in the future..
Posted by appelpitje, 06-08-2011, 09:15 AM Nice guide to protect your vps !!
Posted by wowbestservers, 06-25-2011, 11:38 PM This is very useful..
thank you.
Posted by Phanatic, 06-27-2011, 08:36 PM thanks for this, gonna use this for sure
Posted by frankal, 07-03-2011, 08:51 PM Thx for the guide, secure a server sometimes is stressful.
Posted by zahirw, 08-23-2011, 05:23 PM Awesome guide. I see ppl are still using it over the years. Any tips specific to virtualmin?
Posted by medoezzat, 08-29-2011, 03:13 AM very thaaanks man
Posted by kang_kutu, 11-24-2011, 09:23 PM thanks man
Posted by Bluz, 11-28-2011, 01:00 AM I just upgraded to the newest WHMCS and my cart isn't loading, even people who click a link for a product get taken to a blank card, it did show two errors which were fixed by turning safemode off and the ioncube loader, any suggestions?
Posted by iLoveHosting-UK, 11-28-2011, 06:20 AM
- Ashton
Posted by ServSlots, 01-17-2012, 12:39 PM Good post hope this comes useful to those at WHT
Posted by CEO,TutisHost, 01-23-2012, 10:20 AM Thanks for everything. this is really good for all new comers which would give the hosting company to serve better to their customers.
Posted by m107, 01-29-2012, 04:38 AM thank you
Posted by ALEXEI_M, 01-31-2012, 02:02 AM Very useful thread. Thanks for your post.
Posted by 1llusion, 02-07-2012, 11:08 AM Wow thanks! Will install it right now on my VPS
Posted by Mrkrabz, 04-18-2012, 11:55 AM Thanks, ill keep it in mind with my next VPS
Posted by DevilCrab, 04-23-2012, 10:16 AM wow that is really amazing to learn !
i think someone who can expert this can secure VPS to a good and long extreme !
Posted by Boxxed, 04-25-2012, 05:56 PM
i think someone who can expert this can secure VPS to a good and long extreme !
Posted by Carbon Host, 05-20-2012, 08:27 PM wow, very nice tutorial! keep up the good work
Posted by BA-Corey, 06-11-2012, 02:23 PM If anyone is finding this on google then please note that the download location has changed for root kit checker.
http://www.net-security.org/dl/softw...rootkit.tar.gz
Posted by ferlie, 06-12-2012, 08:53 PM
http://www.net-security.org/dl/softw...rootkit.tar.gz
Posted by Losvre, 06-16-2012, 10:38 AM Great stuff even for people who think they know all:-)
Thank you all
Posted by GeckoNetwork, 06-30-2012, 12:04 AM Very nice tutorial and very easy to understand but I would also include a firewall like (CFS).
Thanks!
@Bluz, Regarding your WHMCS issue I have experiencing this in the past and it for me to fix this I had to go back to the old version of WHMCS before the update.
Hope that helps good luck!
Posted by andrewlarioza, 07-31-2012, 03:30 AM Hi,
Just an additional idea on how to secure Apache web server.
a. Disable TRACE and TRACK
- This will save you a headache on some of Cross site tracing vulnerability. just simply add the following at the end of your Apache main config and restart the services. By default trace is enabled on all apache web server upon installation.
httpd.conf
TraceEnable off
HTH.
regards,
Andrew
Posted by holhostcom, 08-06-2012, 02:04 PM Perfect post!
Thank You!
Could you add some MySQL optimizations as well ?
Posted by wahuu, 08-08-2012, 02:25 PM Excellent guide...
Look forward for new optimization tools...
Posted by CronicHosting, 08-10-2012, 09:36 AM Awesome write up, detailed tutorial.
Keep up the good work,
Sean
Posted by Greg-NH, 09-23-2012, 08:11 PM Anyone know where I can find something similar to this topic that isn't outdated?
I'm trying to secure & optimize my pretty stock CentOS 6.3 w/ WHM/cPanel VPS
Thanks,
Greg
Posted by regolithmedia, 11-06-2012, 03:07 AM it's been 7 years but i'm still read this tutorial everytime securing my personal vps, great.
Posted by Datzen, 11-13-2012, 11:02 AM Thank you for sharing
Posted by inside7, 12-04-2012, 09:19 AM thanks for tut
Posted by vaibhav_p77, 12-26-2012, 09:23 AM Great post it is really helpful
Posted by alphavbox, 12-27-2012, 03:02 AM This is overall discussion is really helpfully for all but no one introduce managed or unmanaged which ine is best and which plans are best for small, medium and higher business hosting.
Posted by frynge, 05-25-2013, 11:12 AM
Very cool
I actually just setup a new VPS with a new host and I had to come back to this tutorial I made ages ago, to see if anyone updated it.
It still works well I see! I hope you all got good use out of it! It took me awhile to collect the data
Posted by frynge, 05-25-2013, 11:33 AM Am I blind... ?
NOW I NEED YOUR GUYS HELP
Posted by 19881024, 05-25-2013, 12:19 PM Yes please moderators let him modify it
Posted by frynge, 05-25-2013, 12:32 PM I see ... the edit button deletes after you log off the first time, so I cannot modify this.
There are many updates and changes, since I made this so long ago. I'm using it to harden a new VPS that I got with the latest security.
BOY have I learned a lot since this last post... PAINFULLY I have learned things.
This guide is still good, many many good things in it, but out of date in places (needs more an update then an overhaul)
Also there was some good comments over the years from many people using VPSs.
Can a mod give me access to update this thread ...... ? plllllllllllllease ?
I will take out all the old stuff that is no longer valid and update it with all the new features that the new cpanel has.
Also there are more additions from the thread and I have many more additions since adding this article.
Anyways, thanks for all the people helping and commenting.
Posted by Gareth-HostRedDragon, 05-25-2013, 01:10 PM The best thing to do is go to WHT help desk and submit a ticket and ask them.(linking to the post.
Sorry I can not link to the helpdesk as I'm using my phone at the moment.
Posted by 19881024, 05-25-2013, 01:18 PM I asked the moderator to let you do this I hope they will
Posted by anon-e-mouse, 05-25-2013, 05:12 PM
NOW I NEED YOUR GUYS HELP
Alternatively, you can start a new thread maybe?
Posted by pacpac, 05-25-2013, 08:50 PM Registered just to say I hope they let you.
This looks insanely useful, but I'm wondering what all is out of date.
Posted by frynge, 05-25-2013, 08:52 PM
This looks insanely useful, but I'm wondering what all is out of date.
I have new ideas about phpsuexec (which is now phpsup
And other ways to harden your system, along with all the new comments and ideas... this guide is by far a definitive guide to hardening your VPS and is still incredibly useful.
At minimum it gives you a sense of security
Posted by pacpac, 05-25-2013, 09:12 PM
I have new ideas about phpsuexec (which is now phpsup
And other ways to harden your system, along with all the new comments and ideas... this guide is by far a definitive guide to hardening your VPS and is still incredibly useful.
At minimum it gives you a sense of security
Thanks for it.
Posted by lowprofile, 06-25-2013, 06:14 AM Nice! It needs a update though
Posted by MarkoFTW, 07-03-2013, 08:56 AM Very useful information, thanks.
Posted by MyMTemplates, 07-16-2013, 12:38 AM Great Tutorial , thank's a lot !
But like @Above said it needs to be updated
Posted by NEQ3 - Sam, 07-22-2013, 10:05 AM Nice job. This was very useful for our staff
Posted by LukaTCE, 09-03-2013, 10:40 AM For i get this error on CentOS 6.4Code:pico .bash_profileCode:-bash: pico: command not found
Posted by Gareth-HostRedDragon, 09-03-2013, 02:15 PM
TryInsteadCode:nano .bash_profile
Posted by LukaTCE, 09-03-2013, 04:14 PM
TryInsteadCode:nano .bash_profile(LV) workedCode:lv
Posted by ManojKumar, Today, 12:49 PM Great post! But since I am a newbie, will these tips work even now?
Add to Favourites 
Print this Article
Also Read
