An System Administrator needs to pay more attention to improving his VPS Server or dedicated Linux server and must not using just a standard level of security.
Here some tips to improve your VPS, which i apply on a Linux VPS with CentOS, search google for how to implement on another Linux distro.
First thing you must do is check your VPS or server from intruder attack and backdoor(except you just fresh install the operating system). Use chkrootkit to check if there any rootkit or backdoor on our server by doing this :
- wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
- tar –xzvf chkrootkit.tar.gz
- cd chkrootkit
- make sense
- Run command ./chkrootkit and then the checking and cleaning process will running.
Password is main key to enter our server, so password must use various combination such as uppercase, lowercase, number, and special character that difficult to guess so your password is impenetrable against brute force attack. Do not using dictionary words.
It is a must to update system regularly. CentOS user can use yum update command, for Debian or Ubuntu can use apt-get update command, search on google for other distro.
Activate / Install Neccessary Service Only
Deactivate service that you not using. The amount of security holes is increased along side amount of service run on our server
Use Secure FTP
It’s Must Recommended to use secure FTP while doing data transfer from our local computer into the server or vice versa. Regular FTP only use pure text without encryption for data transfer, that means your sent username and password is an easy package sniffer can read.
Access Server Through SSH
It’s better using SSH than telnet for accessing your Server, here some step to secure SSH server by changing default configuration on SSH:
- nano /etc/ssh/sshd_config
- Find line with #Port 22 written on it, delete # character and change port from 22 to random number so it’s dificult to guess e.g. 3786, this will help our server from masscanner SSH or worm that will scan SSH and see if it able to exploit. This step can help us a little against newbie cracker.
- Find #PermitRoorLogin yes, delete # character and change to “PermitRootLogin No” this is meant so the server will reject login to SSH as root. We need to login with a lower level user and then use “su-” to become root user, but before that,you must create new user that can login to server using SSH.
- Save new configuration with CTRL+O and exit using CTRL+X, Restart SSHD using /etc/init.d/sshd restart or service sshd restart .
- Use netstat -plnat |grep sshd , to see if the SSHD is running on the port we changed.
If you want only your IP (dedicated IP) can access server using SSH, change the configuration as below:
- nano /etc/hosts.allow
- add line sshd: your-dedicated-ip
- save that file then open /etc/hosts.deny
- add sshd: ALL then save
- Hide information about Server service version
Hide Service Version
- If we must run a web service or web server such as Apache, we must disable/change the Apache version to avoid amateur cracker and stop automatic script that will search for our Apache version. How to do it? Simply open httpd.conf file (usually located at /etc/httpd/conf/httpd.conf) and then find “ServerSignature” change to “ServerSignature off” and change “ServerTokens ” to “ServerTokens ProductOnly” as well. Exit the file by pressing ctrl+x then type y to save, restart Apache. This will hide our web server version.
- If you using php, you can hide the php version by editing php.ini file on /etc/php.ini, find “expose_php = On”, change to “expose_php = Off”. Exit, save and restart Apache to see the changes.
- If you using sendmail(not recommended), then prepare to face the attacker, but you can hide the version by editing this :
- add (`confSMTP_LOGIN_MSG’,’ Welcome all customer to my Mail Server ‘),
- then run m4 /etc/mail/sendmail.mc > /etc/sendmail.cf or make –C /etc/mail.
- edit file using echo smtp Help > /etc/mail/helpfile .
Libsafe, is one of many solution to avoid string and buffer overflows attack. This will dynamically change LD_PRELOAD.
How to Install Libsafe:
- wget http://www.research.avayalabs.com/project/libsafe/src/libsafe-2.0-16.i386.rpm
- rpm –ivh libsafe-2.0-16.i386.rpm
- to see if the libsafe is installed you can use cat /etc/ld.so.preload
GRSecurity kernel patch Installment
GRSecutiry is a kernel patch that will improve your Linux Server ability against buffer overflow and other cases on kernel. For information see :
Mount /tmp using noexec
One thing the cracker will do after get shell is trying to increase privilage become root or same level as root, and some of their favorite place is /tmp, /usr/tmp, /var/tmp .
How to mount /tmp using noexec :
- cd /dev
- dd if=/dev/zero of=securetmp bs=1024 count=100000
- mke2fs /dev/securetmp
- cp -R /tmp /tmp_backup
- mount -o loop,noexec,nosuid,rw /dev/securetmp /tmp
- chmod 0777 /tmp
- cp -R /tmp_backup/* /tmp/
- rm -rf /tmp_backup
- then add mount -o loop,noexec,nosuid,rw /dev/securetmp /tmp pada /etc/rc.local or at /etc/fstab /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
- Exit and save file.
- Test that directory tmp by adding file to tmp directory and run it.
- if successfull the “Permission Denied” message will be shown.
repeat for /var/tmp and /usr/tmp
To Secure tmp On VPS with virtual OpenVZ do this:
- Edit /etc/fstab by typing nano -w /etc/fstab
- add line none /tmp tmpfs nodev,nosuid,noexec 0 0 on the bottom of /etc/stab
- exit and save file.
- Remount /tmp run command: mount -o remount /tmp
- to make sure /tmp is mounted type df -h and the following result will shown:
- none 3.9G 0 3.9MG 0% /tmp.
to Secure /var/tmp do this:
- Backup /var/tmp using command: mv /var/tmp /var/tmpbackup
- Create a symbolic link that redirect /var/tmp point to /tmp using following command: ln -s /tmp /var/tmp
- Copy old data by using command: cp /var/tmpbackup/* /tmp/
- Delete backup file with command: rm -rf /var/tmpbackup
reboot your VPS OpenVZ.
We can use APF (Advance Policy Firewall) , script that use IPtables and very easy to install
- wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
- tar -xzvf apf-*
- cd apf-*
- sh install.sh
Can also use CSF (Config Server Firewall)
- rm -fv csf.tgz
- wget http://www.configserver.com/free/csf.tgz
- tar -xzf csf.tgz
- cd csf
- sh install.sh
Source : Keamanan VPS Linux