DirectAdmin | New Server Checklist

-> Domain Monitoring Tool - (CPU usage monitor for individual domains)

by lordphi has been added :)

Chris
 
Just been added:

-> Configure POP3S (Secure POP3) with xinetd

Chris
 
After installing Kiss it seems DNS lookups are refused.

I just tested it with one of my domains. From my PC I started an NSLookup and put in one of my domains names...it timed out. In my SSH window I stopped kiss. I requeried in NSLookup and the domain returned an address.

I do have port 53 open inbound tcp/udp. Is there something else I should have enabled?
 
Try changing:

Code:
##############################################################################
# Uncomment to allow DNS zone transfers
#
#$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
#$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

To:

Code:
##############################################################################
# Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp --sport 53 --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp --sport 53 --dport 53 -m state --state NEW -j ACCEPT

Take a read through: http://forum.ev1servers.net/showthread.php?s=&threadid=36733 for a bit of information on this particular issue (it was discussed there previously) - I will update the script with the area uncommented later tonight or possibly tomorrow.

Chris
 
Restricting SSH to one address

I've decided to restrict SSH access to one "non-public" IP address and thought it might be good to add to this checklist?

By "non-public" I mean an address that doesn't have any domains pointing to it. In my case this is the server address. I created my reseller accounts using two addresses each so I have a total of five addresses, including the "non-public" one.

My thinking is that someone trying to hack into your system with a specific domain name might not take the time to scan other IPs in your range. I realize this isn't a huge security measure as there are those that will just scan ranges of IPs, but it may prevent an attack from someone who is angry with a website hosted by you.

You'll need to edit the sshd_config file in /etc/ssh. I generally use vi.

vi /etc/ssh

Look for the line that says
#ListenAddress 0.0.0.0

You can get down to that line by hitting the j key until you are at the pound sign. If you go too far, kit the k key to go up.

Once at the #, hit x to delete the pound sign.

Then hit the l key to get over to the first 0. Again if you go too far, hit h to back up.

Now hit R (has to be capital) and type in your "non-public" address. When you're done hit the ESCape key. Then save your work by typing a colon and then wq and hit return :)wq).

Now restart sshd by issuing the command:
service sshd restart.

Of course you will have to begin using your "hidden IP" within putty to connect or you can add a DNS entry for your hidden IP though I think that is somewhat less secure.
 
Re: Restricting SSH to one address

RTKS said:
You can get down to that line by hitting the j key until you are at the pound sign. If you go too far, kit the k key to go up.

Once at the #, hit x to delete the pound sign.

Then hit the l key to get over to the first 0. Again if you go too far, hit h to back up.

Now hit R (has to be capital) and type in your "non-public" address. When you're done hit the ESCape key. Then save your work by typing a colon and then wq and hit return :)wq).

or even easier:

vi /etc/ssh/sshd_config

scroll down to the line ListenAddress using the down arrow on your keyboard

Press "i" to go into insert mode

Edit it as noted in the guide

press esc to exit insert mode

to save and exit type

:x <enter>

(<enter being a tap on your enter / return key :))

Chris
 
Re: Restricting SSH to one address

RTKS said:
I've decided to restrict SSH access to one "non-public" IP address and thought it might be good to add to this checklist?

If you really want to be anal, move the port for the ssh listener deamon to something like 8022 and then throw a portsentry listener on port 22 that would immediately firewall all unauthorized access. This will stop an attacker immediately from proceeding onto other vulnerable ports because portsentry will issue an iptables drop rule against the attempted connectors IP address. Of course you will want to add your home/office IP's to the exclude list because you WILL accidentally try to connect to the original port yourself once and a while out of habit.
 
Re: Re: Restricting SSH to one address

thuskey said:
If you really want to be anal, move the port for the ssh listener deamon to something like 8022 and then throw a portsentry listener on port 22 that would immediately firewall all unauthorized access. This will stop an attacker immediately from proceeding onto other vulnerable ports because portsentry will issue an iptables drop rule against the attempted connectors IP address. Of course you will want to add your home/office IP's to the exclude list because you WILL accidentally try to connect to the original port yourself once and a while out of habit.

So what happens if I spoof my source address a few thousand times using the network admins ISP or even worse you office IP block or something? :)

Just a question, portsentry etc is not of any use in a proper production environment. Thats my opinion now.

Paul
 
Installing SpamAssassin

Nowhere in the New Server Checklist do I see anything about installing SpamAssassin.

But it's now become more a requirement than an option, due to the recent addition to the skins.

So I urge Chris to add some information about SpamAssassin to the original post.

It appears that we'll all need to follow the steps here, and some of us perhaps the steps here as well.

Jeff
 
The last full checklist is at the top of this thread; it's always edited when changed.

Jeff
 
If it works for you and your clients, go for it.

Personally, I do the same for the compiler system, and I only allow it for root.

But that's me.

I wouldn't want to limit everyone that way.

Jeff
 
Maybe a section for *suggested* security items? I'd be happy to write up a small FAQ with the addition of a section as to why this would be a good idea as well as disadvantages.

-drmike
 
No one's stopping you, drmike :) .

You can post it in the How-To Guides forum.

Security is a very important part of our business and our business philosophy, and I've been doing Unix security since the early 80s, so be prepared for some real scrutiny.

Of course you may teach me a lot, and I look forward to your contributions.

Jeff
 
Question how do you add these codes to the server using SSH? sorry for the newbie questions, I using DA on Centos server.

Thanks

Rocky

jlasman said:
Here's my /etc/sysconfig/ipchains file (if you use iptables you'll have to do the conversion yourself)...

(and if you keep reading afterwards I'll tell you what all those ports from 49152 through 49161 are for)...
Code:
-A input -s 0/0 -d 0/0 143 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 110 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 53 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 113 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 443 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 2222 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 123 -p udp   -j ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 66 -p udp  -j ACCEPT
-A input -s 0/0 -d 0/0 49152 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49153 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49154 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49155 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49156 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49157 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49158 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49159 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49160 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 49161 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
Those ports from 49151 through 49162 are left open for proftpd to be able to do passive ftp...

And here's the code you need to put into /etc/proftpd.conf to tell proftpd to use these open ports (I put it right after the Port line):
Code:
##### added to make passive transfer work
# use part of the IANA registered ephemeral port range
PassivePorts 49152 49161
####

Jeff
 
These won't work on a CentOS system, since CentOS uses iptables, and not ipchains.

The good news is that iptables will automatically allow passive ftp if you use the kiss firewall (see that thread, and the recent thread about the changes required for CentOS4 and latest Fedora releases).

Jeff
 
Any possibility of weeding out the scripts that don't work/out of date and the ones that do?
 
Back
Top