CentOS 5.x / Redhat 5.x

Chroot jail

Security+ Essentials.

APF and BFD – Products to avoid. When securing a web hosting server a Firewall and Brute Force Detection protection are critical pieces a server admin needs to look at. Two products were recommended by us in the past, but we have several reasons to step away from these recommendations. Security is an evolving topic and what is secure today might be at risk tomorrow if security does not grow with the risks out there on the Internet.

APF (Firewall) and BFD (Brute Force Detection) are no longer maintained and updated in a way that a business can rely on these products. There are newer threats out on the Internet that require that a firewall and brute force detection tool need to grow with in regards to recognizing the signatures of these threats and to protect a server. A second reason is that the owner of RFXNetworks seems to have a financial problem.

We did order services as well (before knowing about the criminal activity of Ryan MacDonald) and are at the edge of losing our money.

How to get APF working with a server has poor local DNS resolution on reboot. Author: Peter Abraham; Published: Mar 5, 2012; Category: Managed Hosting, Managed Services, Security; Tags: DNS, Security; One Comment.

Over the years, we’ve really enjoyed the various projects created by Ryan MacDonald in terms of helping our customers have more reliable and more secure servers. One of the projects we consistently use and recommend is Ryan’s Advanced Policy Firewall by R-fx Networks, known as APF. While we do customize the implementation of APF as well as BFD (making some core changes to allow us to integrate APF into our other managed security offerings), one of the issues we run into from time to time with APF is that if local DNS resolution is not working when the server is rebooted, a server will hang at starting APF.

Most of the time this issue can be resolved by making sure local DNS resolution is perfect on reboot. The latter part is not a good option for security, and the former doesn’t fit for customers who want an integrated picture that includes APF and BFD.

Centos5 - Rivalug Wiki. From Rivalug Wiki. Centos 5.5 Desktop on x86_64. References: Release Notes; Known Issues, including some during upgrades from 5.2 to 5.3.

Updating:

    yum clean all
    yum update glibc\*
    yum update yum\* rpm\* python\*
    yum clean all
    yum update
    shutdown -r now

Install from USB: CD and DVD media drives are no longer automatically found on all hardware; it's handy to install from a bootable usb drive.

The following was done on a Fedora desktop.

Format usb drive as vfat, and bootable. Format as vfat:

    mkfs -t vfat /dev/sdb1

Re-insert the usb drive and mount the vfat partition. Find and download netinstall image from latest Centos 5 release.

    wget

Install unetbootin:

    yum install unetbootin

Use unetbootin to install this image onto

Press OK

Hardening ntp to.

Server Monkeys - ELS (Easy Linux Security). UPDATE April 8, 2009: Due to many recent time restrictions, I have not been able to update this program. I am still here and still alive. Expect some developments in the next coming months. I will be collaborating with several new developers to improve the code overall and bring it to new operating systems and control panel platforms. Thanks for continuing to support my ELS script and feedback is always welcome. In addition, if you would like to contribute any fixes or improvements or otherwise help in the development of ELS, please email me at rich@servermonkeys.com.

ELS stands for Easy Linux Security. This program is always being improved with new features and bugfixes, so be sure to keep it up to date. Supported Operating Systems. Donate. Please remember that ELS is an open source project which is supported by users like you.

Web for host. ELS stands for Easy Linux Security. ELS was created by Richard Gannon, Martynas Bendorius and Wael Isa. ELS takes many of the tasks performed by our Administrators and puts it into an easy to use program for anyone to use. It is released under the GNU/GPL so it is free to use. This program is always being improved with new features and bugfixes, so be sure to keep it up to date. If you found a bug or would like an improvement, please let us know! If you really like this program, donations are welcome!

Supported Operating Systems:

* Red Hat Linux
* Red Hat Enterprise Linux
* Fedora Core
* CentOS
* Debian

What ELS Does:

* Install RKHunter
* Install RKHunter Cronjob which emails a user-set email address nightly
* Install/update APF
* Install/update BFD
* Install CHKROOTKIT
* Install CHKROOTKIT Cronjob which emails a user-set email address nightly
* Disable Telnet
* Force SSH Protocol 2
* Secure /tmp
* Secure /var/tmp
* Secure /dev/shm
* Install/update Zend Optimizer
* Install/update eAccelerator
* And more!

How to Secure Your Apache Web Server. How to Secure Your Apache Web Server Installing and maintaining a secure web server on Linux can be a challenge. It requires in-depth knowledge of Linux, Apache, and PHP server-side options. One of the main problems is to find the balance between security and productivity and usability. The best solution depends on the specific project requirements, but all installations share certain common characteristics. Here are some best practices for securing a LAMP server, from the server configuration to fine-tuning PHP settings. The task of securing a web server should begin with hardening the Linux operating system. Hardening Linux could be a whole article of its own, but certain concepts are especially important in regards to serving web content: Linux kernel hardening The kernel is the most frequent target for attackers. Apache Best Security Practices Once you've secured the Linux operating system you can begin to take care of the Apache web server.

To harden Apache go through these steps:

CentOS. Linux server/cpanel/VPS tweaking and Hardening for security

1. Install or compile the missing modules in php & apache. You can do this using easy apache:

    /scripts/easyapache

2.

    cd /usr/local/cpanel/whostmgr/docroot/cgi
    wget -N
    tar -xzpf fantastico_whm_admin.tgz
    rm -rf fantastico_whm_admin.tgz

Go to WHM, login as root and click on Tweak Settings, then you should ensure that both the Ioncube loader is selected for the backend copy of PHP.

Now go here: WHM -> Plugins (or Add-Ons) -> Fantastico De Luxe WHM Admin (scroll down the left menu). Upon loading, Fantastico De Luxe WHM Admin will auto-update your existing installation (if existing). After the installation complete go to settings PHPsuexec (*): VERY ESSENTIAL!!!

    /usr/local/cpanel/bin/rebuild_phpconf --current

3.

    vi /etc/csf/csf.conf

Change testing mode to "0". Allow necessary ports in TCP in and OUT.

    service csf restart

4. 5.

ServerShield Server Hardening and Optimization | Server Hardening | WiredTree. All WiredTree managed servers include our exclusive initial security hardening service, ServerShield, free of charge. This service saves you time and money by greatly increasing the security, performance, and reliability of your WiredTree server.

ServerShield is a comprehensive software security and optimization suite. It was developed by Wiredtree with four major goals - to harden server security, prevent spam, enhance server performance, and improve system computability of our client's servers. It is unique to WiredTree and is free to all clients. Firewall and Brute Force Protection: Advanced Firewall (CSF) is installed and configured on your server. Spam Prevention and Anti-Virus Protection: WiredTree configures your server to scan all email for malicious software using ClamAV. WiredTree uses a variety of highly effective methods to prevent spam on your server. Server Hardening and Optimization: WiredTree hardens your server at many levels.

HTTP Intrusion and DOS Protection: Centos Dedicated Server Security. NIDS with psad and fwsnort. Psad - Intrusion Detection with iptables, iptables Log Analysis, iptables Policy Analysis. Psad: Intrusion Detection and Log Analysis with iptables psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic. A typical deployment is to run psad on the iptables firewall where it has the fastest access to log data. psad incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs (e.g. EvilFTP, GirlFriend, SubSeven), DDoS tools (mstream, shaft), and advanced port scans (FIN, NULL, XMAS) which are easily leveraged against a machine via nmap. When combined with fwsnort and the Netfilter string match extension, psad is capable of detecting many attacks described in the Snort rule set that involve application layer data.

For the second example, psad interfaces with Gnuplot to produce a graph of the number of TCP SYN packets to destination ports per hour. History. Network/IPTables. 1. Introduction CentOS has an extremely powerful firewall built in, commonly referred to as iptables, but more accurately is iptables/netfilter. Iptables is the userspace module, the bit that you, the user, interact with at the command line to enter firewall rules into predefined tables.

Netfilter is a kernel module, built into the kernel, that actually does the filtering. There are many GUI front ends for iptables that allow users to add or define rules based on a point and click user interface, but these often lack the flexibility of using the command line interface and limit the user's understanding of what's really happening. Before we can really get to grips with iptables, we need to have at least a basic understanding of the way it works. Chains: These are 3 predefined chains in the filter table to which we can add rules for processing IP packets passing through those chains. INPUT - All packets destined for the host computer. Rules are added in a list to each chain.

Downloads.

Sampson & Associates - Building a hardened LAMP web server. - Des Moines, IA: Computer Networks, Support, and Security.

Here we will cover some steps you can take to make sure that your LAMP (Linux, Apache, MySQL, PHP) server is secure. Ideally you would not normally run all 3 components on the same server, but in some cases it is overkill to separate them. For example this particular site is hosted on a virtual server purchased from TekTonic (who, by the way, I strongly recommend.) Since, this is a small site and I do not control the network that it is hosted on, I did not setup the typical network of DMZ, App, and Data Base network segments all separated by firewalls. So, how do I make this server secure? Do not allow remote root ssh login: First you will want to add a user that can login to your server.

    useradd username

Then set the password for the above username:

    passwd username

This will prompt for you to type in a password twice. Now log out of your server and make sure that you can login with the new user.

    su -

Followed by the root password when prompted.

    # Prevent root logins:
    PermitRootLogin no

How-to: Harden a Linux Web Server (Overview). Introduction. In the last weeks on the "System administrators" group on Linkedin, the members talked about how to harden a GNU/Linux web server for a hacking contest. Because I think an interesting "to do" list on the subject was born during a post of mine, I have taken the decision to report in this article the ideas and my vision of the problem.

The following words are what I wrote...

Hardening Linux step-by-step. If you need to protect a server with a high level of security in mind, I suggest you think of three levels of hardening. High level (client side web services): You should consider what type of “services” will run “inside” your daemons. For example: a “LAMP application”, CMS or “simple html pages”. In the first two cases you should harden every service like Linux Kernel (see next), Apache web server (and its modules), Mysql and Php. One of the best solutions for Apache, as told previously, is mod_security. If you use only “html”, you could use only mod_security. Low Level.

RedHat / Centos hardening, customizing and removing excess - Linux Users Group.

    ####
    # Centos 5.2, 5.3
    # hardening, customizing and removing excess
    #
    # Boardstretcher: Updated June 6, 2010
    #
    ####
    # Contents:
    #
    # ExCESS::
    # Service Definitions
    # Remove Services
    # Remove IP6
    # Remove RPMs
    #
    # CUSTOMIZE:
    # Add date to history
    # Colorized grep, dir and prompt
    #
    # HARDEN:
    # Protect webserver upload directory
    # Require password for single user mode
    # Disable USB storage in kernel
    # Allow root login only from console
    # Store passwords in sha512 rather than md5
    # Install Intrusion Detection System
    ####

    #DISABLE SELINUX (SET TO DISABLED/DISABLED)
    #
    #I leave SELINUX on when I am using the box as a webserver.
    #Otherwise, I turn it off.
    system-config-securitylevel-tui
    reboot

    #Service DEFINITIONS:

    #REMOVE SERVICES: (Paste from this)
    #
    #Obviously you should only remove what you don't need

    #UPDATE ALL SYSTEM PACKAGES and INSTALL YOUR KERNEL SOURCES
    yum update
    yum install kernel*
    reboot

    #ADD DATE and TIME TO HISTORY OUTPUT

    #ADD Color to GREP.

Blog: Hardening CentOS kernel with grsecurity. Hardening the server's kernel is one of the most important things we need to consider when speaking about OS hardening. This is a mini-howto to install and configure grsecurity on a CentOS server. grsecurity is a powerful and easy to use Linux kernel security enhancement.

It gives you a lot of security features:

Downloading linux kernel and grsecurity patch. First we need to download the grsecurity patch and the right version of the Linux kernel source code. In this page you can find the latest stable version of the grsecurity patch (at the time of writing this post, it's for the linux 2.6.32 stable tree). Before we start, make sure to install all the necessary packages that you'll need to build the kernel:

    # yum groupinstall "Development Tools"
    # yum install ncurses-devel
    # cd /usr/src/kernels
    # wget
    # wget

Patching the kernel. grsecurity configuration.

MySQL Security Best Practices (Hardening MySQL Tips) | GreenSQL LTD. By David Maman, GreenSQL CTO Introduction The MySQL database has become the world's most popular open source database because of its consistent fast performance, high reliability and ease of use. MySQL is used on every continent – yes, even in Antarctica! – by individuals, Web developers, as well as many of the world's largest and fastest-growing organizations such as industry leaders Yahoo!

As most products do, MySQL comes "ready-to-work" out of the box. Syntax explanation: This paper contains code examples that can either be executed in the operating system console, sent to the database via the MySQL console or added to configuration files. GreenSQL: GreenSQL delivers Database Security Solution for the small and medium businesses (SMB) and the enterprise markets. 1.

Many known attacks are possible only once physical access to a machine has been acquired. Make sure to: 2. Consider whether MySQL will be accessed from the network or only from its own server. skip-networking bind-address=127.0.0.1. CentOS 5 Administration - 42.2. Server Security. 20 ways to Secure your Apache Configuration.

Hardening PHP from php.ini | Mad Irish . net. Server Guide. Tips for Securing a LAMP Server. Webserver - Apache Server Hardening - IT Security - Stack Exchange. Building a secure web server with CentOS 5, part 1 | Ray Heffer. SecureCentos.com. VPS Tutorials. HOW TO: Secure and Optimize your VPS. How to Conduct a Linux Server Security Audit. Linux Server Hardening. How To: WHM/cPanel Hardening & Security - The Basics - Part 1. RedHat / Centos hardening, customizing and removing excess. CentOS 5 POP3/IMAP/SMTP mail server with virtual users [Dovecot LDA+SASL, Postfix] | firewing1.

CentOS 5 SQL database server [MySQL] | firewing1. CentOS 5 server setup series: server security & reliability | firewing1. CentOS 5 SSH+SFTP for remote access and secure file transfers [OpenSSH] | firewing1. CentOS 5 server setup series: getting started | firewing1. CentOS 5 HTTP/HTTPS web server with PHP, database, virtual hosts, & web statistics [httpd+mpm_itk, mod_ssl, mod_php, awstats] | firewing1. Linux Guides: CentOS 5 Server | firewing1. Dragon Research Group (DRG) :: sshpwauth-tac. Network/SecuringSSH. Hardening new CentOS system. 20 Linux Server Hardening Security Tips.

OS Protection.