Mod_Security installation and usage guide
This guide shows how to install and configure mod_security, which helps protect your server from exploits that are passed through apache. Mod_security does this by inspecting the requests apache receives and filtering out the “bad” ones as determined by the rule set specified in httpd.conf. The rule set used in this guide blocks most of the common exploits, including the nosanity phpbb worms, and should also block most of the other common methods of hacking a server through php.
Updated July 11th with the latest version, enjoy!
First we will download and unzip mod_security.
—–command—–
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -zxf modsecurity-apache_1.9.4.tar.gz
—–command—–
Misc Scripts
This page has a list of various scripts, as well as information to further help secure your server. Many of them are from rfxnetworks, who does a great job with his scripts, all of which are released freely for anybody to use. They all help make your server more secure and run better. That being said, make sure to read all of the emails the scripts send, because they may identify problems or possible intrusions.
PHP Security
PHP is unfortunately very insecure by default. There are several ways to make it safer in a shared hosting environment, such as running modules like mod_security. Another is to disable the PHP functions that many of these exploits call. This is done by editing php.ini (the disable_functions directive) and restarting apache. You should not have any trouble with the disabled functions, but if web pages do start to have problems you can always add a function back; most of the time the page will show an error naming exactly which function is causing the problem.
Updated August 9th to include even more php functions to disable.
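The following is an added example, not part of the original guide or its php.ini list: a small sh script that reads a php.ini and reports which shell-execution functions are still missing from disable_functions. The set of functions checked (exec, system, passthru, shell_exec, popen, proc_open) and the sample php.ini fragment are this example's own assumptions; extend the list to match whatever your own guide disables.

```shell
#!/bin/sh
# Added example (not from the original guide): check whether a php.ini's
# disable_functions line covers the shell-execution functions that web
# exploits typically call. The function list and the sample php.ini below
# are assumptions for this demo, not the guide's own list.

# Functions we expect to find in disable_functions (assumed set).
RISKY_FUNCS="exec system passthru shell_exec popen proc_open"

# php_missing_disabled: read php.ini text on stdin and print each risky
# function that is NOT listed in disable_functions, one per line.
# Returns 0 if nothing is missing, 1 otherwise.
php_missing_disabled() {
    # Take the last active (uncommented) disable_functions line, strip the
    # key, then turn the comma-separated list into space-separated words.
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' \
               | tail -n 1 | tr ',' ' ')
    missing=0
    for f in $RISKY_FUNCS; do
        found=0
        for d in $disabled; do
            [ "$d" = "$f" ] && found=1 && break
        done
        if [ "$found" -eq 0 ]; then
            echo "$f"
            missing=1
        fi
    done
    return $missing
}

# Demo on a constructed php.ini fragment (run: sh thisfile.sh --demo).
# Against a real server: php_missing_disabled < /etc/php.ini
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' ';disable_functions = exec' \
                  'disable_functions = exec, system, passthru' \
        | php_missing_disabled && echo "all risky functions disabled" \
        || echo "^ still enabled: add these to disable_functions"
fi
```

Run it as `php_missing_disabled < /etc/php.ini` (or whichever php.ini the web server actually loads; `php -i | grep php.ini` tells you) and add anything it prints to the disable_functions line before restarting apache.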
Mod_evasive
One way to stop one of the more basic attacks on a server is mod_evasive. This how-to walks through the process of installing and configuring mod_evasive. This apache module helps protect against people sending too many requests to the webserver in an attempt to flood it. If it detects too many requests from one IP, that IP is blocked from accessing apache for a set period. This is especially useful when the server is continuously getting attacked. With the default configuration it blocks the offending IP for 10 minutes; if the flood continues, mod_evasive automatically extends the block.
*Update* Feb 1 2005 - Now links to the latest version of mod_evasive from the old name of mod_dosevasive.
**NOTE** This module has been known to cause problems with FrontPage server extensions. If you use them, either do not install this module or be aware that it might break them.
Miscellaneous system tweaks
This guide will not secure your server in a physical sense, but it helps against many automated attacks that target services based on their version number. When a cracker starts to probe your system for holes it is common to check the version numbers of all your services. This guide disables version reporting in some of the common system daemons. This is security by obscurity and you should not rely on it! It is just one of the many little things you can do to lower your system's chance of getting hacked.
First we are going to hide the version information in apache (the ServerTokens and ServerSignature directives in httpd.conf).
—–command—–
pico /etc/httpd/conf/httpd.conf
—–command—–
Misc security tweaks
Miscellaneous system tweaks
In this guide I am going to go over some basic system tweaks that help the security of your server. None of them is a big deal on its own, but every little bit helps.
Updated Feb 18 to include enabling syncookies
The first thing we are going to do is enable tcp_syncookies by typing the following command. Note that writing to /proc takes effect immediately but does not survive a reboot; to make it permanent, also add net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf.
—–command—–
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
—–command—–
Secure temporary directories
How-To: Secure your temp directories
Every system needs temporary directories that any user can read and write, BUT these directories should not allow programs or scripts to be executed. This only protects you from somebody running a script directly out of the temp directory, but that covers a large portion of the automated rootkits and trojans that script kiddies use: they can still put the files on the system, but they cannot execute them to create the back door. One of the biggest problems is PHP injection via apache, where an attacker has apache download an exploit into /tmp and then run it. Securing the temp directories is probably the single biggest thing you can do towards securing your server.
This guide works fine with cPanel, Ensim, Plesk, and of course with no control panel. It is designed for Redhat but should work on any Linux variant.
The first step is to check whether /tmp is already a separate partition; some datacenters create one and others do not. If it is, also check its mount options (mount | grep tmp) to see whether it is already mounted noexec.
—–command—–
df -h |grep tmp
—–command—–
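As an added example (not part of the original how-to), here is a small sh function that reads /proc/mounts-format lines and reports whether a given mount point is a separate mount and whether it carries the noexec, nosuid and nodev options that are normally applied together on /tmp. The sample mount table at the bottom is constructed for the demo; on a live box feed it /proc/mounts instead.

```shell
#!/bin/sh
# Added example (not the guide's own code): check whether a mount point is
# mounted with noexec, nosuid and nodev, reading /proc/mounts-format lines
# from stdin. /proc/mounts columns: device mountpoint fstype options ...
# The sample mount table below is constructed for this demo.

# mount_missing_opts MOUNTPOINT: print each hardening option (noexec,
# nosuid, nodev) the mount point lacks, one per line.
# Returns 0 when all are present, 1 when any is missing, and 2 when the
# path is not a mount point at all (no separate /tmp partition).
mount_missing_opts() {
    mp=$1
    opts=$(awk -v mp="$mp" '$2 == mp { opts = $4 } END { print opts }')
    if [ -z "$opts" ]; then
        echo "$mp is not a separate mount (no partition or loop mount)"
        return 2
    fi
    rc=0
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: /tmp is a hardened loop mount, /var/tmp is a plain
# partition, and /home is not a mount point at all.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda3 /var/tmp ext3 rw 0 0'

# Demo (run: sh thisfile.sh --demo). Live check: mount_missing_opts /tmp < /proc/mounts
if [ "${1:-}" = "--demo" ]; then
    for mp in /tmp /var/tmp /home; do
        echo "== $mp"
        printf '%s\n' "$SAMPLE_MOUNTS" | mount_missing_opts "$mp" \
            && echo "ok: noexec,nosuid,nodev all set"
    done
fi
```

A return of 2 means you still need to create the separate /tmp (partition or loop-mounted file) before the mount options can do anything; a return of 1 means the mount exists but the options printed must be added to its /etc/fstab entry and the filesystem remounted.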
Sysctl.conf Hardening
The purpose of sysctl hardening is to help prevent spoofing and DoS attacks. This short guide shows what I have found to be a good configuration for the sysctl.conf file. The most important of the variables listed below is enabling SYN cookie protection. Only add the bottom two if you do not want your server to respond to ICMP echo requests (commonly referred to as ping).
NOTICE: Make sure that eth0 is your primary interface; if it is not, replace eth0 in the code below with the name of your interface (for example eth1).
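The following is an added example and not the guide's own sysctl.conf: a sh script that emits a spoofing/DoS hardening set (SYN cookies, reverse-path filtering, no source routing, no ICMP redirects, martian logging, and optionally the two ICMP echo settings) for the interface you name, and audits a `sysctl -a` dump against it. The exact key list is this example's choice, and the sample dump at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not the guide's own sysctl.conf): print a spoofing/DoS
# hardening set for /etc/sysctl.conf and audit a kernel against it.
# The key list is this example's choice, not the guide's list; the sample
# `sysctl -a` excerpt at the bottom is constructed.

# sysctl_expected IFACE [drop_ping]: print "key = value" lines suitable
# for /etc/sysctl.conf. With drop_ping=1 the two ICMP echo settings are
# appended as well (only if you do not want the box to answer ping).
sysctl_expected() {
    iface=$1
    drop_ping=${2:-0}
    cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.$iface.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.$iface.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.$iface.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
EOF
    if [ "$drop_ping" = 1 ]; then
        cat <<EOF
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
EOF
    fi
}

# sysctl_audit IFACE [drop_ping]: read "key = value" lines (the format
# of `sysctl -a`) on stdin and print each expected key whose live value
# differs or is absent, as "key current->wanted", in config order.
# Returns 0 when everything matches, 1 otherwise.
sysctl_audit() {
    expected=$(sysctl_expected "$1" "${2:-0}")
    awk -v want_list="$expected" '
        BEGIN {
            n = split(want_list, lines, "\n")
            for (i = 1; i <= n; i++) {
                p = index(lines[i], " = ")
                key[i] = substr(lines[i], 1, p - 1)
                want[key[i]] = substr(lines[i], p + 3)
            }
        }
        /=/ {
            sub(/[[:space:]]*=[[:space:]]*/, "=")   # "k = v" -> "k=v"
            p = index($0, "=")
            have[substr($0, 1, p - 1)] = substr($0, p + 1)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in have) || have[k] != want[k]) {
                    printf "%s %s->%s\n", k, (k in have ? have[k] : "unset"), want[k]
                    bad = 1
                }
            }
            exit bad
        }'
}

# Constructed `sysctl -a` excerpt from a box still on kernel defaults.
SAMPLE_DUMP='net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 0'

# Demo (run: sh thisfile.sh --demo). Live audit: sysctl -a | sysctl_audit eth0
if [ "${1:-}" = "--demo" ]; then
    echo "# lines for /etc/sysctl.conf:"
    sysctl_expected eth0 1
    echo "# drift on the sample box (key current->wanted):"
    printf '%s\n' "$SAMPLE_DUMP" | sysctl_audit eth0 1 || echo "# apply with: sysctl -p"
fi
```

Append the output of `sysctl_expected eth0` (or `sysctl_expected eth0 1` if you want ping ignored) to /etc/sysctl.conf, run `sysctl -p`, and then `sysctl -a | sysctl_audit eth0` should print nothing; any line it does print is a setting that did not take, which usually means a typo in the key or an interface name that does not exist on the box.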
Configure APF Firewall
A firewall is a very good idea for a server. Many people think a firewall is instant protection that does everything, but it is not: it helps prevent some things and will not stop everything. It is just one layer of the defence being built. I recommend Advanced Policy Firewall (APF) by rfxnetworks. APF blocks unused incoming and outgoing ports, and it can also be configured to use information from some block lists. The port list below works for cPanel; for other control panels you will need to add their administration ports.
http://www.rfxnetworks.com/apf.php
—–command—–
cd /usr/local/src
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh
—–command—–
Rkhunter Installation
No security system is perfect, so it is always good to have some form of intrusion detection in case somebody does get in, so that you are notified. Do not immediately worry if an email reports a positive; many of them are false positives caused by upgrades. I would first suggest running “rkhunter -c” from ssh and looking at the errors. If it is a few bad binaries, check what was updated recently. If a rootkit is detected you should start to worry, because a false positive on a rootkit or trojan is very uncommon.