
17-06-10, 05:57 AM
Junior Member
Join Date: Jun 2010
Posts: 12
Linux Dedicated Server Security tips
You can secure your server by using the steps below:
1) First, install a firewall (APF or ConfigServer Security and Firewall) and then install a rootkit checker (chkrootkit).
To install chkrootkit, SSH into server and login as root.
At command prompt type:
Quote:
cd /root/ (any location where you would like to install it)
wget enter ftp:// along with domain.com.br/the path where you want to install/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense
To run chkrootkit
At command prompt type:
/root/chkrootkit-0.44/chkrootkit
Also set a cron job to run chkrootkit on a regular basis and keep the version of chkrootkit updated.
2) Regularly install OS patches and upgrade the cPanel version. If possible, set a cron job to check for cPanel updates.
3) Bind SSH to a single IP address other than the shared IP address of the server, and also to a different port than port 22 (the default).
To change these, type the below at the command prompt:
Quote:
pico /etc/ssh/sshd_config
Scroll down to the section below:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
Uncomment and change Port 22 to
Port 1344 (which you would like to use)
Uncomment and change Protocol 2, 1 to
Protocol 2
Hope this would help you..........
Jovanna
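A cron-friendly way to run the chkrootkit scan from step 1, as an added example that is not part of the original post: it mails only findings that were not present in the previous run. The state directory, the recipient, the use of `mail` and the script path are assumptions; the sample output is constructed.

```shell
#!/bin/sh
# Added example: cron wrapper that mails only NEW chkrootkit findings.
# CHKROOTKIT is the path used in the post; STATE and MAILTO are assumptions.
CHKROOTKIT=/root/chkrootkit-0.44/chkrootkit
STATE=/var/lib/chkrootkit-cron
MAILTO=root

# Constructed sample of scan output, for trying the filter offline.
sample_output() {
    printf '%s\n' \
        "Checking \`ls'... not infected" \
        "Checking \`bindshell'... INFECTED (PORTS:  465)" \
        "Checking \`sniffer'... lo: not promisc and no packet sniffer sockets"
}

# Read scan output on stdin, keep the lines chkrootkit flags as INFECTED.
# Sorted and de-duplicated so two runs can be compared with comm(1).
extract_findings() {
    grep 'INFECTED' | sort -u
}

# Print findings in the current file ($2) that the previous file ($1) lacks.
new_findings() {
    if [ -f "$1" ]; then comm -13 "$1" "$2"; else cat "$2"; fi
}

run_scan() {
    mkdir -p "$STATE" && chmod 700 "$STATE" || return 1
    "$CHKROOTKIT" 2>&1 | extract_findings > "$STATE/current"
    fresh=$(new_findings "$STATE/previous" "$STATE/current")
    if [ -n "$fresh" ]; then
        printf '%s\n' "$fresh" |
            mail -s "chkrootkit: new findings on $(hostname)" "$MAILTO"
    fi
    mv "$STATE/current" "$STATE/previous"
}

# Crontab entry (script path is an assumption):
#   30 3 * * * /root/chkrootkit-cron.sh --cron
if [ "${1:-}" = "--cron" ]; then
    run_scan
fi
```

A finding that persists between runs is mailed once, so a known false positive does not bury a new line appearing next to it.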

06-08-10, 01:01 AM
Technical Support
Join Date: Oct 2008
Posts: 24
Hi Jovanna,
Thanks for sharing tips to secure your dedicated server. I want to add a few more points to the checklist to increase the security of the server.
1. Check the incoming port for MySQL. If it's 3306, then close it. If this port is left open it can pose both a security and server abuse threat, since not only can hackers attempt to break into MySQL, any user can host their SQL database on your server and access it from another host and so use or abuse your server resources.
2. Permissions for /tmp, /var/tmp and /usr/tmp must be set to 1777.
3. Ownership for /tmp, /var/tmp and /usr/tmp must be set to root:root.
4. Due to a bug in logrotate, if /tmp is mounted with the noexec option you need to have logrotate use a different temporary directory. If you don't do this, syslog may not restart correctly and will write to the wrong (older) log files.
5. /var/tmp should either be symlinked to /tmp or mounted as a filesystem.
6. /usr/tmp should either be symlinked to /tmp or mounted as a filesystem.
7. You should not specify 127.0.0.1 or localhost as a nameserver in /etc/resolv.conf – use the server's main IP address instead.
8. If you have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf, this is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only. Unrestricted recursive lookups are as good as a DDoS attack against your system. They will eat up all your system resources.
9. Make sure that the OS version is still supported by the manufacturer and that upgrades continue to be available.
10. You should disable SSHv1 by editing /etc/ssh/sshd_config and setting: Protocol 2.
11. Change the SSH default port to avoid basic port scans. Edit /etc/ssh/sshd_config and set: Port xxxx, where xxxx is a port of your choosing. Don't forget to open the port in the firewall first.
12. For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allowing access using PubkeyAuthentication.
13. You should enable shell resource limits to prevent shell users from consuming server resources – DoS exploits typically do this. In cPanel/WHM, enable Shell Fork Bomb Protection to set the shell resource limit.
14. Disable all instances of IRC – BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink. In WHM you can do this from Background Process Killer.
15. Check Apache for mod_security; if it is not installed, install it.
16. You should install the mod_evasive Apache module from source to help prevent DoS attacks against Apache. Note that this module breaks FrontPage functionality.
17. You should set a value for RLimitCPU to prevent runaway scripts from consuming server resources.
18. You should set a value for RLimitMEM to prevent runaway scripts from consuming server resources.
19. You should modify /usr/local/lib/php.ini and set:
enable_dl = off
This prevents users from loading PHP modules that affect everyone on the server.
20. You should modify /usr/local/lib/php.ini and disable commonly abused PHP functions, e.g.:
disable_functions = system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ftp_exec, ftp_connect, ftp_login, ftp_get, ftp_put, ftp_nb_fput, ftp_raw, ftp_rawlist etc...
21. To reduce the risk of hackers accessing all sites on the server from a compromised PHP web script, you should enable phpsuexec when you build Apache/PHP.
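The sshd_config settings from step 3 of the first post and items 10 to 12 of this checklist can be checked with a short script. This is an added example, not part of either post; the function names and messages are assumptions, and only global settings before the first Match block are read.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the settings
# recommended above. Usage: sh audit-sshd.sh /etc/ssh/sshd_config

# Print the effective global value(s) of keyword $2 in file $1. sshd uses
# the first occurrence of a keyword, except ListenAddress, which may repeat.
# Keywords are case-insensitive; "#" lines are comments.
sshd_values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print
            if (tolower(key) != "listenaddress") exit
        }' "$1"
}

# Print one line per finding; print nothing when every check passes.
audit_sshd() {
    f=$1
    port=$(sshd_values "$f" Port)
    proto=$(sshd_values "$f" Protocol | tr -d ' ')
    pw=$(sshd_values "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
    listen=$(sshd_values "$f" ListenAddress)

    if [ "${port:-22}" = "22" ]; then echo "Port: default 22 in use"; fi
    case "$proto" in
        2) ;;
        "") echo "Protocol: not set; old OpenSSH releases default to 2,1" ;;
        *) echo "Protocol: $proto allows SSHv1, expected 2" ;;
    esac
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication: ${pw:-unset (default yes)}, expected no"
    fi
    # No ListenAddress, or a wildcard one, means sshd binds every address.
    if [ -z "$listen" ] || printf '%s\n' "$listen" |
        grep -Eqx '0\.0\.0\.0(:[0-9]+)?|::|\[::\](:[0-9]+)?'; then
        echo "ListenAddress: sshd listens on all addresses"
    fi
    return 0
}

if [ -n "${1:-}" ]; then
    audit_sshd "$1"
fi
```

A file that still has the stock commented-out lines produces four findings, because a commented keyword leaves the built-in default in effect.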

25-03-11, 04:44 AM
Marketing Team
Join Date: Feb 2011
Posts: 373
Hi
I would like to add some more very effective ways of Linux dedicated server security
1. ModSecurity [installing web application firewall]
2. ModEvasive [for preventing DDOS attacks]
3. Fix open DNS recursion
4. Securing PHP
5. Install PortSentry [an effective tool to detect portscans]
6. Check the user uploaded files
7. Secure the /tmp folders

11-11-11, 04:29 AM
new member
Join Date: Nov 2011
Posts: 5
Also set the cron to run chkrootkit on a regular basis and keep the version of chkrootkit updated.

10-02-12, 04:20 AM
Junior Member
Join Date: Aug 2011
Posts: 14
Here are some Linux server security tips:
1. Encrypt Data Communication.
2. Avoid Using FTP, Telnet, And Rlogin / Rsh.
3. Minimize Software to Minimize Vulnerability.
4. One Network Service Per System or VM Instance.
5. Keep Linux Kernel and Software Up to Date.
6. Use Linux Security Extensions.
7. User Accounts and Strong Password Policy.
8. Password Aging.