1

Possible Duplicate:
Hardening Linux Server

I recently started to manage my own server with a cloud-based server. Recently I got hacked somehow and the server was used for phising. On the server it was installed CentOs, cPanel/WHM and CSF with medium security settings.

After being hacked I realize the need for more security. How can I make a secure server with CentOS?

Anders
  • 151
  • 1
  • 5

3 Answers3

3

For maximum security type this command.

# sudo ifdown eth0

But for real. The answer in this thread is almost exactly what you are looking for. How do I run a security check on my WordPress server?

edit: Oh I realized that it was YOU who asked that question...

  1. Firewall rules using iptables. Only leave open the ports you need. Block all, allow port 80 for example.
  2. Change default passwords. If you want to know how a lot of people get hacked...default passwords are a main reason. Change it to your mysql server, your user accounts, whatever.
  3. Disable services you don't need. Hell, uninstall them.
  4. Run up to date software. The reason wordpress will update sometimes is because an old version may have a vulnerability. Make sure your services are all up to date.

If you do this stuff well....you should be pretty secure.

2

This is an extremely broad question, and as you may have already noticed, we could list hundreds of settings, tweaks, and changes that will "help make [a] server more secure" until the cows come home.

In addition to the general "close/shutdown anything you're not using," and the wonderful recommendations made here already, if this is your first time managing a server, it's also not a bad idea to start working through understanding core security principles.

CentOS is mirrored to RedHat, which is more frequently used in an Enterprise setting. As such, there's a lot of good material out there to get you started. Try taking a look at the NSA's guides to securing Linux:

http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

Understanding how and why people break into servers, and what their attack vectors typically look like is also an invaluable area of understanding (that's always changing)

http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf

The final step beyond making sure your server is secure, is ensuring the software and web application you're hosting are also secure. If your going to be doing web hosting, getting a handle on the types of vulnerabilities they pose and what that means for how people can get into your server is key (Hint: SELinux, while a pain, is your friend here). SQL Injection, Cross site scripting, etc - learn these and learn how to run web application assessments. OWASP is a great place to start for that

https://www.owasp.org/index.php/Main_Page

Univ426
  • 286
  • 1
  • 7
1
  • CloudLinux delivers CPanel hardening with file-system virtualization.
  • SELinux - enable it with booleans for user folders and suexec and whatever needed plus train new rules thru training mode - per user writable tmp folders etc, this one is complex as it works system-wide, but also that's why it's OK.
  • Update CPANEL itself with the latest PHP 5.3 and apps
  • Update MySQL to 5.5 packages
  • ModSecurity with core rules prevents multiple exploits
  • PHP Suhosin, hardening like disabling fopen() with URLS
  • Making PHP source code read-only, e.g. only specific folders would be writable, with specific names using the website admin page.
  • Enabling IPTABLES firewall with limits and anti-scan, enable connection tracking, and no of connections it can handle (hash tables and buckets for iptables in /proc), also deny ssh etc access from every server.
  • Running Snort IDS with scan detection
  • Performing scans with Nessus and Web Scanners
  • Make sure that the backup made on different location and recoverable / non-erasable
  • Disable unneeded services (also reduces RAM)
  • Enable SuEXEC, FastCGI, that each account runs only in it's home folder and cant write / read temp files from others.
  • Run Anti-Virus for mail and web
  • Run multi-threaded (worker) Apache and php-cgi, and apply mod_qos to this.

Additionally you can harden your PHP apps as well.

Simply what you need is called "caging". SELinux, AppArmor, Cloud Linux does this all, and then you can harden PHP by making ini for each user, but if the site is vulnerable to e.g. code injection, then you cant help much with this except for the mod_security.

Also if this slows down too much, you can add Varnish proxy cache, and make your application also cashing / compiling the code, there are many levels of cache:

  • Varnish Cache
  • Application Cache (e.g. it remembers generated objects, written in OO PHP)
  • Static Cache (generated static files, which can be served with timestamp to Application Cache, which is served to Varnish, also OO PHP, in case of CPanel).
  • PHP Cache - xcache, APC etc.
  • Memcached - object cache for PHP

In front of all of that you can put HAProxy which helps routing requests between Varnish and Apache.

With this you should be fine running mod_security and the rest of the protections, if you have a serious application running CPanel.

Also make sure to not use the root account on MySQL.

This is not that bad working you need only to adjust logging so the stats are OK working.

Andrew Smith
  • 1
  • 1
  • 6
  • 20