Security Question

mikelato

Hi,

I would like to make sure that my servers are set up to be as secure as possible. I know there are ways to set up your partitions on the hard drive to disallow certain commands and whatnot.

So my question is, what is the best and most affordable anti-virus, anti-rootkit, and firewall software to use for Linux? Right now I am using AVG Free and chkrootkit with cron jobs that run every night, along with iptables for the firewall. And I have SSL enabled on my billing system, control panel, and webmail. I just want to make sure there isn't anything else I need to do to make sure my servers are secure on the system level.

P.S. - If you need to know I am running CentOS 5.x

Thanks,
Mike
 
Disable php functions.

as root:
Code:
cd /usr/local/directadmin/custombuild
./build secure_php

Also google about securing the /tmp partition: make sure /tmp is mounted on its own partition and mount it with the noexec flag (configure it in /etc/fstab).
 
Thanks for your input that is helpful, does anyone else have any further suggestions?
 
@mr.aplesauce:

Isn't that exactly what user yonatanp wrote?

@mikelato:

Be sure to install one of the firewalls mentioned on these forums; they're all free. I prefer KISS because it's simple, but there are others and lots of DirectAdmin users who prefer them.

Jeff
 
So it is definitely a good idea to have something other than iptables on the server? If this is true, does anyone else have any recommendations as far as software goes? I am leaning more towards functionality than ease of use. I would rather learn software than have sub-par protection.

Thanks again for the help,
Mike
 
Disable disk_total_space and diskfreespace in php.ini; this is important because hackers then cannot see the user list on your server, and it hides the disk usage.
 
Here is a short TODO list (not complete) we use on every new DA server install:

  1. Remove unnecessary packages
  2. Update the base system and kernel
  3. Enable quotas if necessary
  4. Configure root’s mail to be forwarded elsewhere
  5. Set root login notification
  6. Create “Authorized Use Only” message (for legal purposes, not really a security feature)
  7. Disable insecure/unnecessary services
  8. Install NTP package
  9. Disable direct root logins
  10. Disable shell login for well-known users
  11. (Obsolete) Force SSH2
  12. Hardening /tmp, /var/tmp and /dev/shm directories
  13. Hardening /home directory
  14. Secure DNS (disable recursive queries, full zone transfers etc)
  15. Hide Apache/PHP info
  16. Enable server-status
  17. Install Apache::VMonitor
  18. Install mod_geoip
  19. Install and configure sysstat, auditd, psacct
  20. Install firewall
  21. Install aide (integrity checker)
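Added example (not code from this thread or from DirectAdmin): a small POSIX shell audit for a few items on the list above (hardened /tmp, /var/tmp and /dev/shm; no direct root SSH login) together with the earlier advice about noexec mounts and disabling disk_total_space/diskfreespace in php.ini. It assumes the standard /etc/fstab, sshd_config and php.ini formats; the config contents are passed in as strings and the sample values at the bottom are constructed so the checks run offline.

```shell
# csv_has LIST ITEM -> exit 0 if the comma-separated LIST contains ITEM exactly.
csv_has() {
  printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qx -- "$2"
}
# fstab_opts FSTAB_TEXT MOUNTPOINT -> prints the option field of that mount line
# (comments skipped); empty output means the mount point is not in fstab at all.
fstab_opts() {
  printf '%s\n' "$1" | awk -v mp="$2" '!/^[ \t]*#/ && NF >= 4 && $2 == mp { print $4 }'
}
# sshd_value SSHD_TEXT KEYWORD -> effective value; sshd honours the FIRST
# occurrence of a keyword, so a later duplicate line does not override it.
sshd_value() {
  printf '%s\n' "$1" | awk -v k="$2" '!/^[ \t]*#/ && tolower($1) == tolower(k) && !d { print $2; d = 1 }'
}
# ini_value INI_TEXT KEY -> value of an uncommented "key = value" line in php.ini.
ini_value() {
  printf '%s\n' "$1" | awk -F= -v k="$2" '!/^[ \t]*;/ { gsub(/[ \t]/, "", $1); if ($1 == k) { gsub(/^[ \t]+/, "", $2); print $2 } }'
}
# audit FSTAB SSHD INI -> prints one PASS/FAIL line per check, returns the failure count.
audit() {
  fails=0
  for mp in /tmp /var/tmp /dev/shm; do
    for opt in noexec nosuid; do
      if csv_has "$(fstab_opts "$1" "$mp")" "$opt"; then echo "PASS $mp $opt"
      else echo "FAIL $mp lacks $opt"; fails=$((fails + 1)); fi
    done
  done
  if [ "$(sshd_value "$2" PermitRootLogin)" = no ]; then echo "PASS PermitRootLogin no"
  else echo "FAIL direct root login allowed"; fails=$((fails + 1)); fi
  for f in disk_total_space diskfreespace; do
    if csv_has "$(ini_value "$3" disable_functions)" "$f"; then echo "PASS $f disabled"
    else echo "FAIL $f enabled"; fails=$((fails + 1)); fi
  done
  return $fails
}

# Constructed samples: /var/tmp is missing nosuid (one expected FAIL); the
# commented-out PermitRootLogin line must be ignored and the first live one wins.
SAMPLE_FSTAB='/dev/sda2 /tmp ext3 defaults,noexec,nosuid 0 0
/dev/sda3 /var/tmp ext3 defaults,noexec 0 0
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0'
SAMPLE_SSHD='#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes'
SAMPLE_INI='disable_functions = exec, system, disk_total_space, diskfreespace'
```

On a live box the same functions can be fed `"$(cat /etc/fstab)"`, `"$(cat /etc/ssh/sshd_config)"` and `"$(cat /usr/local/lib/php.ini)"` (path is an assumption; check where your PHP build reads its php.ini).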
 
Thanks for all of the advice, keep the suggestions coming if anyone else has anything to add!

-Mike
 
So it is definitely a good idea to have something other than iptables on the server?
You need to have iptables on your server; it's the user interface to the netfilter part of the kernel. All the other firewalls I know of on Linux simply manipulate iptables.

While I use KISS because it's simple to use, there are at least two other Linux firewalls described on these forums.

Here's a good link to understanding how it all works:

http://www.netfilter.org/

Jeff
 
Thanks Jeff that is very helpful as well. I am slowly starting to get all of these changes in place. Is there not software out there that does it all with one simple install?

Thanks again,
Mike
 
Also, I currently do not have SELinux enabled on my system. Should this be enabled? If so, does anyone have detailed instructions on enabling it? Will it affect DA or other software on the system?

-Mike
 
Also, I currently do not have SELinux enabled on my system. Should this be enabled? If so, does anyone have detailed instructions on enabling it? Will it affect DA or other software on the system?
Enabling it will probably result in a lot of problems. It would certainly need to be customized. You'd have to run it in logging mode for a while, then see what you'd have to allow. And any change later could break your server.

My own feeling is that SELinux is not a good idea on a hosting server. There are several good books on SELinux available; I recommend having a good understanding of it before considering it.

The book I own is: SELinux: NSA's Open Source Security Enhanced Linux but there are other good ones as well; here's an Amazon link.

Jeff
 
Thanks for your input, I think I will keep it disabled. I just hate to not secure the server as much as possible because the headache will be a lot worse trying to repair a hacked server than securing it properly. Everyone's input here has been great. Thanks again for all of the help.

I did have one last question though. I would like to know what the best anti-virus software for linux is. I am running AVG free right now, is that sufficient or should I consider paying for something more advanced to protect the system?

-Mike
 
Just to keep everyone updated I just installed CSF with the directadmin installer and it is very nice software which checks all of the aspects of the server that people have listed here as far as securing it. It gives warnings and tells you what changes need to be made in order to ensure the best security. It can be downloaded through the following URL.

http://www.configserver.com/cp/csf.html

To install it, just check out the readme, but I just ran the installer.directadmin.sh file and it installed perfectly in about 10 seconds and there are no problems with it at all. I definitely recommend this plugin for securing your server; the software is great and the install is even better.

-Mike
 
I did have one last question though. I would like to know what the best anti-virus software for linux is. I am running AVG free right now, is that sufficient or should I consider paying for something more advanced to protect the system?
While it's certainly possible to write a virus which will attack Linux, there are comparatively few in the wild. Generally we use anti-virus on Linux only to keep safe the Windows machines that eventually get the emails/html files from our servers.

Many of us use ClamAV for that purpose; it's easily installed into the exim SpamBlocker exim.conf file. This forum has a thread or two on how to use it with proftpd to make sure uploaded html files don't have viruses.

Jeff
 
Ok sounds good, thanks Jeff, you're a huge help on these forums. Keep up the good work!

-Mike
 