Server Hardening

Follow the steps below to harden a Linux server. The guide was written for a Red Hat-style cPanel host; the tool versions and download URLs are the ones that were current at the time, so check for newer releases before installing anything.

Step-1:

Kernel Tuning With Sysctl:

[root]#vi /etc/sysctl.conf

Replace the current contents of the file with the following (keep a copy of the original first).

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Keep each key once: sysctl -p applies the file in order and the last value
# for a key silently wins. The eth0 lines only matter if that is your
# interface name; "all" and "default" cover every present and future interface.


# Disables packet forwarding (only a router or NAT box needs 1)
net.ipv4.ip_forward = 0


# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0


# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1


# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0


# Log spoofed packets, source-routed packets and redirects (1 = log)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.default.log_martians = 1


# Disables the magic-sysrq key
kernel.sysrq = 0


# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15


# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800


# Turn off tcp_window_scaling and tcp_sack. These are performance features
# rather than security ones: without window scaling the receive window is
# capped at 64 KiB, and without SACK loss recovery is slower, so expect lower
# throughput on fast links.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0


# Turn off tcp_timestamps (hides uptime from remote fingerprinting, but also
# disables PAWS sequence-wrap protection on busy connections)
net.ipv4.tcp_timestamps = 0


# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1


# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1


# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1


# Increases the size of the SYN backlog queue
net.ipv4.tcp_max_syn_backlog = 1024


# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000


# Allowed local port range (the upper bound cannot exceed 65535)
net.ipv4.ip_local_port_range = 16384 65535


----------------------------------------------------------

After saving the file, load it and flush the route cache so the changes take effect without a reboot:

[root]#/sbin/sysctl -p
[root]#sysctl -w net.ipv4.route.flush=1

sysctl -p prints each setting as it applies it. An "unknown key" error for a net.ipv4.conf.eth0.* line means the interface is not called eth0 on this host; either fix the name or drop those lines, since the "all" and "default" entries already cover every interface.
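A lint pass for the file above, added here as an example (it is not part of sysctl or of the original guide): it reports keys that appear more than once with different values, which matters because sysctl -p applies lines in order and the last value silently wins, and it rejects an ip_local_port_range that runs past 65535. It assumes the key = value layout shown above.

```bash
#!/bin/bash
# Lint a sysctl.conf before loading it (added example; not part of sysctl or
# of the original guide). Assumes the "key = value" form used above.
#   sysctl_conflicts FILE        keys set more than once with different values
#   sysctl_port_range_ok FILE    ip_local_port_range must be 1 <= low < high <= 65535
#   sysctl_lint FILE             both checks; exit status 1 if anything is wrong

sysctl_conflicts() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
            if ((key in seen) && seen[key] != val) {
                if (!(key in bad)) bad[key] = seen[key]
                bad[key] = bad[key] " " val
            }
            seen[key] = val
        }
        END { for (k in bad) print k ": " bad[k] }' "$1" | sort
}

sysctl_port_range_ok() {
    range=$(awk -F'=' '
        { sub(/#.*/, "") }
        /^[ \t]*net\.ipv4\.ip_local_port_range[ \t]*=/ { r = $2 }
        END { print r }' "$1")
    [ -z "$range" ] && return 0          # not set: the kernel default applies
    set -- $range                        # split "low high" into $1 and $2
    [ "$#" -eq 2 ] || return 1
    [ "$1" -ge 1 ] && [ "$1" -lt "$2" ] && [ "$2" -le 65535 ]
}

sysctl_lint() {
    rc=0
    conflicts=$(sysctl_conflicts "$1")
    if [ -n "$conflicts" ]; then
        printf 'conflicting values (the last one wins under sysctl -p):\n%s\n' "$conflicts"
        rc=1
    fi
    if ! sysctl_port_range_ok "$1"; then
        echo "net.ipv4.ip_local_port_range must satisfy 1 <= low < high <= 65535"
        rc=1
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then sysctl_lint "$1"; fi
```

Run it as `sysctl_lint /etc/sysctl.conf` before `sysctl -p`; a non-zero exit means the file does not say what its comments claim.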

Step-2:

Securing /tmp and /dev/shm


The first step is to check if /tmp is already secure. Some data centers do not create a /tmp partition while others do.

[root]#df -h |grep tmp


If that displays nothing, follow the instructions below to create a /tmp partition. If you do have one, check whether it is mounted with noexec. Look at the live mount table as well as fstab, because fstab only says what should happen at boot:

[root]#mount | grep tmp
[root]#grep tmp /etc/fstab

If there is a line for /tmp that includes noexec, it is already mounted non-executable. If not, follow the instructions below to create one without repartitioning the disk. Ideally you would make a real partition when the disk was originally formatted; that said, I have not had any trouble creating a /tmp partition using the following method.

Create a ~1000MB backing file for the partition. The file lives under /dev here; on distributions where /dev is a tmpfs managed by udev, a file there disappears at reboot and the fstab entry below then fails, so on such systems put it on a persistent filesystem instead and adjust the paths that follow.

[root]#cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=1000000

Format the partition

mkfs.ext2 /dev/tmpMnt

When it asks about not being a block special device press Y


Make a backup of the old data

[root]#cp -Rp /tmp /tmp_backup

Mount the temp filesystem (nodev in addition to noexec and nosuid, so device nodes cannot be created there either)

[root]#mount -o loop,noexec,nosuid,nodev,rw /dev/tmpMnt /tmp

Set the permissions (1777, not 0777: the sticky bit stops users from deleting or renaming each other's files in the shared directory)

[root]#chmod 1777 /tmp

Copy the old files back

[root]#cp -Rp /tmp_backup/* /tmp/

Once you have done that, restart MySQL and make sure it comes up. By default it creates mysql.sock in /tmp, and the socket that existed before the mount is now hidden underneath the new filesystem, so it needs to be recreated. When everything works, add the mount to /etc/fstab so it comes back automatically at boot:

Open the file in vi:

[root]#vi /etc/fstab

Now add this single line at the bottom:

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,nodev,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:

none /dev/shm tmpfs noexec,nosuid,nodev 0 0

Umount and remount /dev/shm for the changes to take effect.

[root]#umount /dev/shm
[root]#mount /dev/shm

Next delete the old /var/tmp and create a link to /tmp

[root]#rm -rf /var/tmp/
[root]#ln -s /tmp/ /var/

Note that /var/tmp is meant to hold temporary files that survive a reboot; anything that relies on that will now lose its files whenever /tmp is cleaned. If that matters on your server, give /var/tmp its own mount with the same options instead of the symlink.

If everything still works fine you can go ahead and delete the /tmp_backup directory.

[root]#rm -rf /tmp_backup

Your /tmp, /var/tmp and /dev/shm are now mounted so that binaries cannot be executed directly from them. This blocks the usual "wget into /tmp and run it" step of automated attacks, but it is not a complete control: a script dropped in /tmp can still be run by invoking its interpreter (perl /tmp/x.pl, sh /tmp/x.sh), and PHP or CGI code runs from the web root regardless. Treat it as one layer alongside the firewall, PHP restrictions and scanners in the later steps.
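A check for the result of this step, added as an example (not part of the original guide): it reads the live mount table instead of /etc/fstab and reports, for each scratch directory, which of noexec, nosuid and nodev are missing or whether the path is not a mount of its own. MOUNTS can be pointed at a saved copy of /proc/self/mounts, which is how the offline test below drives it.

```bash
#!/bin/bash
# Added example, not part of the original guide: confirm that /tmp, /var/tmp
# and /dev/shm really carry noexec/nosuid/nodev by reading the live mount
# table (/proc/self/mounts) rather than /etc/fstab. fstab says what should
# happen at boot; the mount table says what is in effect now. Set MOUNTS to a
# saved copy of the table to run the checks offline.

MOUNTS=${MOUNTS:-/proc/self/mounts}

# mount_opts PATH -> option string of the mount whose mount point is exactly
# PATH (mount table fields: device mountpoint fstype options ...); empty if
# PATH is not a mount point of its own
mount_opts() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "$MOUNTS"
}

# has_opt OPTS OPT -> true if OPT is one of the comma-separated OPTS
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_scratch PATH OPT... -> "PATH: ok" or what is wrong; status 1 on a
# problem. A symlinked directory (the guide links /var/tmp to /tmp) is
# resolved first, because the options belong to the mount it points into.
check_scratch() {
    path=$1; shift
    if [ -L "$path" ]; then
        resolved=$(cd "$path" 2>/dev/null && pwd -P) && path=$resolved
    fi
    opts=$(mount_opts "$path")
    if [ -z "$opts" ]; then
        echo "$path: not a separate mount (noexec cannot apply)"
        return 1
    fi
    missing=""
    for want in "$@"; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        echo "$path: missing$missing"
        return 1
    fi
    echo "$path: ok"
}

# audit_scratch -> the three directories this step covers
audit_scratch() {
    rc=0
    for p in /tmp /var/tmp /dev/shm; do
        check_scratch "$p" noexec nosuid nodev || rc=1
    done
    return $rc
}

if [ "$#" -gt 0 ] && [ "$1" = "--audit" ]; then audit_scratch; fi
```

Run it as `./check-scratch.sh --audit` after mounting; a "/var/tmp: not a separate mount" line means the symlink or bind mount did not land where you expected.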



Step-3:


Install chkrootkit and set up a cron job


Login to shell as root

[root]#cd /usr/src

#Type the following

[root]#wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

# Check the MD5 sum of the download against the one published alongside it:

[root]#wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
[root]#cat chkrootkit.md5
[root]#md5sum chkrootkit.tar.gz

The two hashes must match. Bear in mind that the checksum comes from the same server as the tarball, so it only catches a corrupted download, not a tampered one; compare against a sum published elsewhere (your distribution's package or the project announcement) if you can.

#Unpack the tarball using the command

[root]#tar xvzf chkrootkit.tar.gz


#Change to the directory it created

[root]#cd chkrootkit*

#Compile by typing

[root]#make sense

#To use chkrootkit, just type the command

[root]#./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

[root]#cd ..
#Then remove the .gz file

[root]#rm chkrootkit.tar.gz

Daily Automated System Scan that emails you a report

While in SSH run the following:

[root]#vi /etc/cron.daily/chkrootkit.sh

Insert the following to the new file:

#!/bin/bash
# Daily chkrootkit report. Adjust the install directory, the server name and
# the recipient before saving.
CHKROOTKIT_DIR=/usr/src/chkrootkit-0.49
SERVER=Servername
MAILTO=admin@youremail.com
cd "$CHKROOTKIT_DIR" || exit 1
./chkrootkit 2>&1 | mail -s "Daily chkrootkit from $SERVER" "$MAILTO"


Important:
1. CHKROOTKIT_DIR must be the directory the tarball unpacked into (the version number may differ from 0.49; see the cd chkrootkit* step above).
2. Change 'Servername' to the name of the server you are running this on so you know where the mail is coming from.
3. Change 'admin@youremail.com' to the address the report should go to.

Now save the file:

Change the file permissions so we can run it

[root]#chmod 755 /etc/cron.daily/chkrootkit.sh

Now if you like you can run a test report manually in SSH to see how it looks.

[root]#cd /etc/cron.daily/

[root]#./chkrootkit.sh

You'll now receive a nice email with the report! This will now happen everyday so you don't have to run it manually.


Step-4:


Install APF in a Server


Login to your server through SSH and su to the root user.

1. cd /usr/src


2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz


3. tar -xvzf apf-current.tar.gz


4. cd apf-*/        (the directory name carries the version that apf-current.tar.gz unpacked to)


5. Run the install file:

[root]#./install.sh
You will receive a message saying it has been installed


Installing APF 0.9.5-1: Completed.


Installation Details:


Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/


Other Details:
Listening TCP ports: 21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500,10000,30000_50000
Listening UDP ports: 21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500,10000,30000_50000


6. Lets configure the firewall:

[root]#vi /etc/apf/conf.apf


We like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:


Cpanel Servers
We like to use the following on our Cpanel Servers


Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure FTPD.
# APF writes a port range as LOW_HIGH; a colon (30000:50000) is not a range.
# If you move SSH off port 22 in Step 10, replace 22 here with the new port.
IG_TCP_CPORTS="21,22,25,26,53,80,110,143,443,465,587,993,995,2222,2082,2083,2086,2087,2095,2096,4087,3000_3500,10000,46647,56657,30000_50000"
#
# Common ingress (inbound) UDP ports. Mirroring the TCP list opens far more
# than needed; only 53 (DNS) and whatever else actually listens on UDP belongs here.
IG_UDP_CPORTS="21,22,25,26,53,80,110,143,443,465,587,993,995,2222,2082,2083,2086,2087,2095,2096,4087,3000_3500,10000,46647,56657,30000_50000"


Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"


# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,53,80,110,143,443,465,587,993,995,2222,2082,2083,2086,2087,2095,2096,4087,3000_3500,10000,46647,56657,30000_50000"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="21,22,25,26,53,80,110,143,443,465,587,993,995,2222,2082,2083,2086,2087,2095,2096,4087,3000_3500,10000,46647,56657,30000_50000"

Egress filtering only buys something if the outbound list is tighter than "everything the server might ever talk to": a compromised web process that may reach 25/tcp and 80/tcp outbound can still send spam and fetch payloads. Once you know what the server genuinely initiates (DNS, SMTP to your relay, HTTP for updates), trim these lists to that.


Ensim Servers
The same ingress and egress lists as above have been reported to work on Ensim servers, although we have not tried these ourselves as I don't run Ensim boxes.


Save the changes (:wq in vi).
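Two checks worth running on the port lists before starting the firewall, added as an example (not APF's code or the original guide's). The first validates the list syntax: APF writes ranges as LOW_HIGH (the comment above gives 3000_3500 as the passive FTP range), so an entry with a colon is a typo that opens nothing. The second compares the list against what is actually listening, so that unused ports are not left open and listening services are not silently blocked. The listener text is assumed to be in "proto port" form, for instance built from ss -lnt / ss -lnu output on your system.

```bash
#!/bin/bash
# Added example (not from APF or the original guide): sanity-check an APF port
# list such as IG_TCP_CPORTS. Ranges are LOW_HIGH; single ports are 1..65535.
# Listener text is "proto port" per line (assumed format, e.g. derived from
# "ss -lnt" and "ss -lnu"); constructed sample input is used in the test.

# port_ok N -> true if N is an integer in 1..65535
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apf_list_errors LIST -> one line per malformed entry (empty output = clean)
apf_list_errors() {
    echo "$1" | tr ',' '\n' | while read -r entry; do
        case "$entry" in
            "") continue ;;
            *:*) echo "$entry: use LOW_HIGH for ranges, not a colon" ;;
            *_*)
                lo=${entry%%_*}; hi=${entry#*_}
                if ! port_ok "$lo" || ! port_ok "$hi" || [ "$lo" -ge "$hi" ]; then
                    echo "$entry: bad range"
                fi ;;
            *)  port_ok "$entry" || echo "$entry: not a port number" ;;
        esac
    done
    return 0
}

# apf_covers LIST PORT -> true if PORT is opened by LIST (entry or LOW_HIGH range)
apf_covers() {
    echo "$1" | tr ',' '\n' | while read -r entry; do
        case "$entry" in
            *_*) lo=${entry%%_*}; hi=${entry#*_}
                 [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && echo y ;;
            "$2") echo y ;;
        esac
    done | grep -q y
}

# apf_unlistened LIST LISTENERS PROTO -> single ports in LIST that nothing
# listens on for PROTO (candidates for removal; ranges are left to the admin)
apf_unlistened() {
    echo "$1" | tr ',' '\n' | while read -r entry; do
        case "$entry" in ''|*_*) continue ;; esac
        if ! echo "$2" | grep -q "^$3 $entry\$"; then
            echo "$entry"
        fi
    done
    return 0
}

# apf_unopened LISTENERS PROTO LIST -> listening PROTO ports LIST does not open
# (services that will break as soon as apf -s runs)
apf_unopened() {
    echo "$1" | awk -v p="$2" '$1 == p { print $2 }' | while read -r port; do
        apf_covers "$3" "$port" || echo "$port"
    done
    return 0
}
```

Feed it the value of IG_TCP_CPORTS and the TCP listeners; anything apf_unopened prints is a service you are about to firewall off, and anything apf_unlistened prints is a hole with nothing behind it.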


8. Starting the firewall

[root]#/usr/local/sbin/apf -s


9. After everything is fine, turn off development mode

While DEVEL_MODE="1", a cron job flushes the firewall every 5 minutes so that a bad rule cannot lock you out for good. Leave it on until you have confirmed that SSH (on its new port, if you moved it), web and mail all still work, then set it to "0"; otherwise the firewall quietly disappears every five minutes.


[root]#vi /etc/apf/conf.apf


FIND: DEVEL_MODE="1"
CHANGE TO: DEVEL_MODE="0"


10. Configure AntiDOS for APF


[root]#vi /etc/apf/ad/conf.antidos


There are various things you might want to fiddle with but I'll get the ones that will alert you by email.


# [E-Mail Alerts]
Under this heading we have the following:


# Organization name to display on outgoing alert emails
CONAME="Your Company"

Enter your company information name or server name..


# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"

Change this to 1 to get email alerts


# User for alerts to be mailed to
USR="your@email.com"

Enter your email address to receive the alerts


Save your changes (:wq in vi).
Restart the firewall:

[root]# /usr/local/sbin/apf -r



Step-5:


Install BFD in a Server(Brute Force Detection)


Login to your server through SSH and su to the root user.

1. cd /usr/src


2. wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz


3. tar -xvzf bfd-current.tar.gz


4. cd bfd-1.2/

5. Run the install file:

[root]#./install.sh
You will receive a message saying it has been installed


BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd


6. Lets edit the configuration file:

[root]#vi /usr/local/bfd/conf.bfd


7. Enable brute force hack attempt alerts:
Find: ALERT_USR="0" CHANGE TO: ALERT_USR="1"


Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="your@yourdomain.com"

Save the changes (:wq in vi).

8. Prevent locking yourself out!

Add your own trusted IP addresses, one per line, to the ignore file so that a mistyped password from your office never bans you:

[root]#vi /usr/local/bfd/ignore.hosts


Save the changes (:wq in vi).


9. Run the program!

[root]#/usr/local/sbin/bfd -s


Step-6:


Libsafe Installation


Libsafe is a dynamically loadable library that intercepts calls to unsafe C library functions and checks them, so that a buffer overflow in the calling program cannot be used to hijack the process and run code of the attacker's choice.

A closer look at Libsafe:
Libsafe is a system library that interposes on specific unsafe functions and handles them safely. It is loaded through LD_PRELOAD (/etc/ld.so.preload), so it works on precompiled executables; editing the source and recompiling (or waiting for the maintainer to do so) is not necessary. Just as important, it also covers overflow bugs in those functions that have not been discovered yet, because it checks every call to the wrapped function, performs the original operation, and returns the result transparently to the caller.

Even if a program has been written using bad techniques, Libsafe will stop those particular overflows from being exploited, system-wide and transparently to the programs themselves. The main idea is to put an upper bound on the size of the destination buffer used in a given call. That bound cannot be known at compile time, but it can be estimated when the function is actually called: Libsafe walks the saved frame pointers on the stack to find the frame that contains the destination buffer and refuses any write that would run past the end of that frame, since that is where the saved frame pointer and return address live. The limits follow from that design: it only protects dynamically linked programs that call the wrapped functions, it needs frame pointers (binaries built with -fomit-frame-pointer are not covered), and it does nothing for heap overflows or for unsafe functions it does not wrap.

Libsafe currently handles these unsafe functions:
strcpy(char *dest, const char *src)
stpcpy(char *dest, const char *src)
wcscpy(wchar_t *dest, const wchar_t *src)
wcpcpy(wchar_t *dest, const wchar_t *src)
strcat(char *dest, const char *src)
wcscat(wchar_t *dest, const wchar_t *src)
getwd(char *buf)
gets(char *s)
scanf(const char *format, ...)
realpath(char *path, char resolved_path[])
sprintf(char *str, const char *format, ...)

These are the more common ones that are problematic in C and C++ programs in a Linux environment.

[root]#cd /usr/src
[root]#wget http://fresh.t-systems-sfr.com/linux/misc/libsafe-2.0-16.tgz
[root]#tar xvfz libsafe-2.0-16.tgz
[root]#cd libsafe-2.0-16
[root]#make
[root]#make install

Libsafe is activated through /etc/ld.so.preload; check that the path of libsafe.so.2 is in that file after the install, and add it if not. Only processes started after that point are covered, so restart long-running daemons. Libsafe has not been maintained beyond the 2.0 series; on newer distributions the compiler-level protections (stack protector, FORTIFY_SOURCE) give comparable coverage without a preload library.


Step-7:


Install LogWatch in a Server


Logwatch is a customizable log analysis system. Logwatch parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require.

[root]#cd /usr/src
[root]#wget ftp://ftp.kaybee.org/pub/linux/logwatch-7.3.6.tar.gz
[root]#tar -xzvf logwatch-7.3.6.tar.gz
[root]#cd logwatch-7.3.6/
[root]#vi /usr/src/logwatch-7.3.6/conf/logwatch.conf

Edit the configuration before running the tarball's installer (install_logwatch.sh), which copies it into place; later changes go in the installed copy under /etc/logwatch/conf.

# Scroll down within the file and find the part called "MailTo". This is where you specify where the reports are mailed. By default it is set to root. We suggest setting this to an address you check regularly. Also, send a copy to an address that is not hosted on the server (if the server is compromised or down, a report stored only on it is no use).

--------------------------------------------------------------------------------
MailTo = logwatch@yourdomain.com, logwatch@off-site-domain.com
--------------------------------------------------------------------------------

# Now set the amount of detail you want reported by Logwatch

You will see something similar to this:

-------------------------------------------------------------------------------
# The default detail level for the report.
# This can either be Low, Med, High or a number.
# Low = 0
# Med = 5
# High = 10
Detail = Low
--------------------------------------------------------------------------------

We suggest setting the detail to High as it will send you more information.



Step-8:



Install AIDE(Advanced Intrusion Detection Environment)


AIDE (Advanced Intrusion Detection Environment) is a free replacement for Tripwire. It does the same things as the semi-free Tripwire and more. It builds a database of file attributes from the regular-expression rules in its config file; once that database is initialised it can be used to verify the integrity of the files. Several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) are available for checking file contents.


[root]#cd /usr/src
[root]#wget http://downloads.sourceforge.net/aide/aide-0.13.1.tar.gz
[root]#tar -xzvf aide-0.13.1.tar.gz
[root]#cd aide-0.13.1/
[root]#./configure
[root]#make
[root]#make install

If ./configure stops with an error about a missing crypto or hash library, install the development package it names (mhash-devel or libgcrypt-devel on Red Hat-style systems) and rerun it, rather than a wildcard yum install.

Compiling is only half the job. Create the baseline with aide --init (it is written to the path set by database_out in aide.conf), copy it to the database path, and run aide --check from cron. Keep a copy of the database and of the aide binary where an intruder with root cannot alter them (read-only media or another host): an attacker who can rewrite the baseline simply re-initialises it after installing a rootkit.
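To make the AIDE workflow concrete, here is the same idea reduced to its core, added as an example (it is not AIDE's code): snapshot hash, mode, owner and size for every file under a directory, store that baseline, and later report what was added, changed or removed. It assumes GNU coreutils (sha256sum, stat -c).

```bash
#!/bin/bash
# What a file-integrity checker such as AIDE does, reduced to its core
# (added example; this is not AIDE's code). Record a baseline of hash, mode,
# owner and size per file, keep it where an intruder with root cannot rewrite
# it, and diff the live tree against it later. Assumes GNU coreutils
# (sha256sum, stat -c); file names containing newlines or leading blanks are
# not handled.

# baseline_snapshot DIR -> "path<TAB>sha256<TAB>mode:uid:gid:size" per regular
# file under DIR, sorted by path
baseline_snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a:%u:%g:%s' "$f")
        printf '%s\t%s\t%s\n' "$f" "$sum" "$meta"
    done
}

# baseline_init DIR DB -> write the baseline to DB (then copy DB off-host or
# to read-only media; a baseline the attacker can edit proves nothing)
baseline_init() { baseline_snapshot "$1" > "$2"; }

# baseline_check DIR DB -> prints sorted "added:", "changed:" and "removed:"
# lines; status 0 only when the tree matches the baseline exactly
baseline_check() {
    now=$(mktemp)
    baseline_snapshot "$1" > "$now"
    diffs=$(awk -F'\t' '
        FILENAME == ARGV[1] { old[$1] = $2 "\t" $3; next }
        {
            if (!($1 in old))               print "added: " $1
            else if (old[$1] != $2 "\t" $3) print "changed: " $1
            seen[$1] = 1
        }
        END { for (p in old) if (!(p in seen)) print "removed: " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$diffs" ] && return 0
    echo "$diffs"
    return 1
}
```

A mode change (for instance a binary that silently became setuid) is reported as "changed:" even when its contents are identical, which is exactly the class of tampering a content-only hash would miss.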


Step-9:


ClamAV Installation


Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.


[root]#cd /usr/src
[root]#wget http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.92.tar.gz
[root]#tar -xvzf clamav-0.92.tar.gz
[root]#cd clamav-0.92

configure checks that the user and group named below exist, so create them first (a system account with no shell):

[root]#groupadd clamav
[root]#useradd -g clamav -s /sbin/nologin -d /var/lib/clamav clamav

[root]#./configure --prefix=/usr \
--sysconfdir=/etc \
--libexecdir=/usr/sbin \
--disable-clamuko \
--with-user=clamav \
--with-group=clamav \
--with-dbdir=/var/lib/clamav/db


[root]#make
[root]#make install
[root]#chmod 755 /etc/init.d/clamd
[root]#/etc/init.d/clamd start

In order to start ClamAV at boot time do the following:


[root]#ln -s /etc/init.d/clamd /etc/rc2.d/S20clamd
[root]#ln -s /etc/init.d/clamd /etc/rc3.d/S20clamd
[root]#ln -s /etc/init.d/clamd /etc/rc4.d/S20clamd
[root]#ln -s /etc/init.d/clamd /etc/rc5.d/S20clamd
[root]#ln -s /etc/init.d/clamd /etc/rc0.d/K20clamd
[root]#ln -s /etc/init.d/clamd /etc/rc1.d/K20clamd
[root]#ln -s /etc/init.d/clamd /etc/rc6.d/K20clamd


[root]#/etc/init.d/clamd start

You will now see clamd processes running. On a cPanel server you can also restart it with:

[root]#/scripts/restartsrv_clamav

If instead clamd refuses to start with:

ERROR: Please edit the example config file /etc/clamav.conf.

the configuration file is still the shipped example, which clamd deliberately refuses to run with.

You must at least remove the Example directive. My /etc/d.conf


Step-10:


SSH Server Hardening


These are measures that can be taken to secure SSH access to your server.

First update the OS, Apache and cPanel to the latest stable versions (WHM has update functions for the latter two).

Then restrict where and how sshd listens: bind it to a single IP that is different from the server's main IP, and move it off port 22. Before you touch sshd_config, open the new port in the firewall (APF in Step 4 or CSF in Step 11) and keep your current session logged in until a fresh connection to the new port has succeeded, so that a mistake cannot lock you out.

SSH into server and login as root.

[root]#vi /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment and change


#Port 22

to look like

Port 5678 (choose your own; 65535 is the highest valid port number. Pick one below the ip_local_port_range set in Step 1 so the kernel cannot have handed it to an outgoing connection when sshd starts, and check with netstat -ln that nothing else uses it)


Uncomment and change

#Protocol 2,1

to look like

Protocol 2


Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


Note 1: If you would like to disable direct root login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Before doing so, make sure an unprivileged user can log in (ideally with a key rather than a password) and can su or sudo to root, otherwise you lose root access over SSH entirely. Also note that sshd uses the first value it finds for a keyword, so a PermitRootLogin line added at the bottom of the file does nothing if an uncommented one exists higher up.

Save and exit (:wq in vi).

Now check the file and restart SSH:


[root]#/usr/sbin/sshd -t
[root]#/etc/rc.d/init.d/sshd restart

sshd -t is silent when the file parses; fix anything it prints before restarting. Then open a second terminal and connect to the new address and port before you close the session you are in.
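An audit of the settings this step changes, added as an example (not OpenSSH's code or the original guide's). It applies the rule sshd uses itself: for each keyword the first uncommented occurrence wins, except ListenAddress, where every occurrence is bound, so that one is checked as a set. The report format and the WARN for an unset Protocol are this script's own conventions.

```bash
#!/bin/bash
# Added example, not from OpenSSH or the original guide: audit an sshd_config
# for the settings this step changes, using the rule sshd applies itself: for
# each keyword the FIRST uncommented occurrence wins, so appending
# "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing.
# ListenAddress is the exception (every occurrence is bound), so it is
# checked as a set. Run this before restarting sshd, together with "sshd -t".
# Usage: sshd_audit /etc/ssh/sshd_config

# sshd_values CONF KEY -> every value set for KEY (case-insensitive keyword,
# "Key value" or "Key=value" form), one per line, in file order
sshd_values() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == key) { sub(/^[^ \t]+[ \t]+/, "", line); print line }
        }' "$1"
}

# sshd_effective CONF KEY -> the value sshd will use (first match), or empty
sshd_effective() { sshd_values "$1" "$2" | head -n 1; }

# sshd_audit CONF -> one ok:/WARN:/FAIL: line per setting; status 1 on any FAIL
sshd_audit() {
    conf=$1; rc=0

    port=$(sshd_effective "$conf" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port ${port:-unset (defaults to 22)}"; rc=1
    else
        echo "ok:   Port $port"
    fi

    proto=$(sshd_effective "$conf" Protocol | tr -d ' ')
    case "$proto" in
        2)  echo "ok:   Protocol 2" ;;
        "") echo "WARN: Protocol unset (releases before 7.4 then offer 2,1; newer ones are v2-only)" ;;
        *)  echo "FAIL: Protocol $proto (SSH-1 must stay off)"; rc=1 ;;
    esac

    root=$(sshd_effective "$conf" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" = "no" ]; then
        echo "ok:   PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin ${root:-unset}"; rc=1
    fi

    addrs=$(sshd_values "$conf" ListenAddress)
    if [ -z "$addrs" ]; then
        echo "FAIL: ListenAddress unset (binds every interface)"; rc=1
    elif printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|::|\[::\])(:|$)'; then
        echo "FAIL: ListenAddress includes a wildcard address"; rc=1
    else
        echo "ok:   ListenAddress $(printf '%s' "$addrs" | tr '\n' ' ')"
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then sshd_audit "$1"; fi
```

On OpenSSH 5.1 or later, `sshd -T` dumps the effective configuration and is the authoritative cross-check for what this script infers from the file.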


Step-11:


Installing CSF


[root]#cd /usr/src
[root]#wget http://www.configserver.com/free/csf.tgz
[root]#tar -xzf csf.tgz
[root]#cd csf
[root]#sh install.sh

If you would like to disable APF+BFD (which you will need to do if you have
them installed otherwise they will conflict horribly):

[root]#sh disable_apf_bfd.sh

That's it. You can then configure csf and lfd in WHM, or edit the files
directly in /etc/csf/*


Step-12:


Cpanel Hardening


You should configure the following in your WHM (CPanel):

Main >> Server Configuration >> Tweak Settings

[x] Prevent the user ‘nobody’ from sending out mail to remote addresses (php and cgi scripts generally run as nobody if you are not using phpsuexec and suexec respectively.)

[x] Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

Main >> Security >> Fix Insecure Permissions (Scripts)

Main >> Security >> Tweak Security

“Compilers are disabled for unprivileged users”

Main >> Service Configuration >> Enable/Disable SuExec

suexec Status “enabled”

Main >> Account Functions >> Disable or Enable Demo Mode

Select from “Users” the “demo” account and click “Modify” then click “Disable” if it exists


Step-13:


Rkhunter Installation


[root]#cd /usr/src
[root]#wget http://jaist.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.2.9.tar.gz
[root]#tar -zxvf rkhunter-1.2.9.tar.gz
[root]#cd rkhunter-1.2.9
[root]#./installer.sh

Now you can run a test scan with the following command:


/usr/local/bin/rkhunter -c


How to setup a daily scan report?

[root]#vi /etc/cron.daily/rkhunter.sh

add the following replacing your email address:

#!/bin/bash
# Daily rkhunter report; --cronjob turns off the coloured output and the
# interactive pauses so the result can be mailed.
/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" user@domain.com

[root]#chmod +x /etc/cron.daily/rkhunter.sh
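The chkrootkit script in Step 3 and the rkhunter script above both mail a full report every day whether or not anything changed, which trains people to stop reading them. The wrapper below, added as an example and not part of chkrootkit, rkhunter or the original guide, can replace the body of both cron scripts: it keeps the previous report, mails only when the output differs from last time or contains a finding, and records the scanner's exit status. STATE_DIR, MAILTO and the use of mail(1) are assumptions to adapt; the test drives it with two constructed stand-in scanners.

```bash
#!/bin/bash
# Cron wrapper for the daily scanners (added example; not chkrootkit's,
# rkhunter's or the original guide's code). It keeps the previous report,
# mails only when the output changed or contains a finding, and records the
# scanner's exit status. STATE_DIR, MAILTO and the mail(1) command are
# assumptions to adapt. If a scanner prints timestamps, strip them before the
# comparison or every run will look "changed".
# Usage from a cron.daily script:
#   daily chkrootkit /usr/src/chkrootkit-0.49/chkrootkit
#   daily rkhunter   /usr/local/bin/rkhunter -c --cronjob

STATE_DIR=${STATE_DIR:-/var/lib/scan-reports}
MAILTO=${MAILTO:-root}
HOST=$(hostname -s 2>/dev/null || echo unknown)

# findings_in FILE -> true if the report has a line a human must look at.
# Case-sensitive on purpose: chkrootkit prints "not infected" for clean
# binaries and "INFECTED" for hits; rkhunter marks hits with "Warning".
findings_in() {
    grep -Eq 'INFECTED|Warning' "$1"
}

# scan_report NAME CMD... -> runs CMD, stores the report as STATE_DIR/NAME.last;
# status 0 = nothing new, 1 = first run, output changed, or findings present
scan_report() {
    name=$1; shift
    new="$STATE_DIR/$name.new"; last="$STATE_DIR/$name.last"
    mkdir -p "$STATE_DIR"
    if "$@" > "$new" 2>&1; then status=0; else status=$?; fi
    echo "scanner exit status: $status" >> "$new"
    verdict=0
    if findings_in "$new"; then verdict=1; fi
    if [ ! -f "$last" ] || ! cmp -s "$new" "$last"; then verdict=1; fi
    mv -f "$new" "$last"
    return $verdict
}

# notify NAME -> mail the stored report
notify() {
    mail -s "[$HOST] $1: report needs attention" "$MAILTO" < "$STATE_DIR/$1.last"
}

# daily NAME CMD... -> the one call a /etc/cron.daily script needs
daily() {
    if ! scan_report "$@"; then notify "$1"; fi
}

if [ "$#" -ge 2 ]; then daily "$@"; fi
```

A report that contains a finding is mailed every day until it is dealt with, even if it is identical to yesterday's; only clean, unchanged runs stay silent.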


Step-14:


Install Nobody Check


Login to your server as the root user through shell

[root]#cd /usr/src


[root]#wget http://www.webhostgear.com/projects/nobodycheck/install.sh


[root]#chmod +x install.sh
[root]#./install.sh

Wait for the installer to finish

[root]#rm -f install.sh

Open /usr/local/nobody_check/nc.conf, put in your email address and select your options. The "to" address is where the reports will be sent.

[root]#vi /usr/local/nobody_check/nc.conf

Check that the installer added the hourly cron entry. Use crontab rather than editing the spool file under /var/spool/cron by hand:

[root]#crontab -l


0 */1 * * * /usr/local/nobody_check/nobody_check >/dev/null 2>&1

This example root cron job runs once per hour; add it with crontab -e if it is missing.

And then restart CRON

[root]#/etc/init.d/crond restart


Step-15:


Securing PHP

[root]# php -i | grep php.ini

The first command prints the path of the php.ini that is actually loaded; edit that file (on cPanel builds it is usually /usr/local/lib/php.ini):

[root]#vi /usr/local/lib/php.ini

Add the following:

disable_functions = system,shell_exec,exec,passthru,proc_open,proc_close,popen,ini_alter,dl,parse_ini_file,show_source

Do not add escapeshellarg and escapeshellcmd: they are the functions correct code uses to sanitise arguments before a shell call, so disabling them breaks safe applications without taking anything away from an attacker. Names such as system_exec and shell are not PHP functions and are simply ignored. disable_functions only blocks the names listed; a site compromised through a file-upload or include bug can still send mail, open sockets or use curl, so treat this as one layer and keep PHP running under suexec/phpsuexec as Step 12 describes.
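A check that php.ini really disables what you intend, added as an example (not from the original guide or from PHP). PHP reads the last assignment of a directive in the file, ignores ; comments, and takes the list as comma-separated with arbitrary whitespace, so a hand-edited list is easy to get subtly wrong. REQUIRED and KEEP are this script's own lists: the guide's functions minus the two escapeshell* helpers, which are flagged if present.

```bash
#!/bin/bash
# Added example (not from the original guide): verify the disable_functions
# directive in a php.ini. Last assignment wins, ';' starts a comment, names
# are compared lower-case. The php.ini path comes from "php -i | grep php.ini".

REQUIRED="system shell_exec exec passthru proc_open proc_close popen ini_alter dl parse_ini_file show_source"
# sanitisers that must NOT be disabled: safe code uses them to build shell commands
KEEP="escapeshellarg escapeshellcmd"

# ini_value FILE DIRECTIVE -> last effective value, trimmed; empty if unset
ini_value() {
    awk -v d="$2" '
        { sub(/;.*/, "") }                       # strip comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == d) val = v                  # last assignment wins
        }
        END { print val }' "$1"
}

# disabled_functions FILE -> one normalised function name per line
disabled_functions() {
    ini_value "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | tr 'A-Z' 'a-z' | grep -v '^$' || true
}

# php_audit FILE -> "missing:" for required names not disabled and "remove:"
# for sanitisers that were disabled by mistake; status 1 if either appears
php_audit() {
    have=$(disabled_functions "$1")
    rc=0
    for f in $REQUIRED; do
        echo "$have" | grep -qx "$f" || { echo "missing: $f"; rc=1; }
    done
    for f in $KEEP; do
        if echo "$have" | grep -qx "$f"; then
            echo "remove: $f (sanitiser, not a danger)"; rc=1
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then php_audit "$1"; fi
```

Run it against the file php -i reported; remember that a php.ini edit only takes effect once Apache (or the FastCGI processes) has been restarted, so re-run `php -i | grep disable_functions` afterwards as the final check.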


Step-16:


LES(Linux Environment Security)


[root]#cd /usr/src


[root]#wget http://rfxnetworks.com/downloads/les-current.tar.gz
[root]#tar -zxvf les-current.tar.gz
[root]#cd les-0.2/
[root]#./install.sh

LES run


/usr/local/sbin/les --secure-bin on
/usr/local/sbin/les --secure-path on


Step-17:


Install SPRI


[root]#cd /usr/src
[root]#wget http://rfxnetworks.com/downloads/spri-current.tar.gz
[root]#tar -zxvf spri-current.tar.gz
[root]#cd spri-0.5/
[root]#./install.sh


[root]#/usr/local/sbin/spri -v



Step-18:


Install PRM


[root]#cd /usr/src
[root]#wget http://www.rfxnetworks.com/downloads/prm-current.tar.gz
[root]#tar -xzvf prm-current.tar.gz
[root]#cd prm-0.5/
[root]#./install.sh
[root]#vi /usr/local/prm/conf.prm

# enable user e-mail alerts [0=disabled,1=enabled]
USR_ALERT="1"

And configure our e-mail addresses for alerts:
# e-mail address for alerts
USR_ADDR="root, you@domain.com"

Check the 5,10, or 15 minute load average; relative to the later option below for min. load level.
# check 5,10,15 minute load average. [1,2,3 respective of 5,10,15]
LC="1"

PRM optionally has a required load average for running. If the load is not equal to or greater than this value; PRM will not run. Setting this value to zero will force the script to always run but this should not be needed.
# min load level required to run (decimal values unsupported)
MIN_LOAD="1"

The max percentage of CPU a process should be allowed to use before PRM flags it for killing.
# Max CPU usage readout for a process - % of all cpu resources (decimal values unsupported)
MAXCPU="35"

The max percentage of MEM a process should be allowed to use before PRM flags it for killing.
# Max MEM usage readout for a process - % of system total memory (decimal values unsupported)
MAXMEM="15"
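The logic the four settings above describe, applied to a saved ps snapshot so it can be run and tested offline, added as an example (this is not PRM's code). LC, MIN_LOAD, MAXCPU and MAXMEM carry the conf.prm names; the ps layout "pid user %cpu %mem comm" is an assumption (ps -eo pid,user,pcpu,pmem,comm --no-headers produces it on Linux), and the function only flags processes, it does not kill them.

```bash
#!/bin/bash
# Added example (not PRM's code): the decision logic behind conf.prm, applied
# to a saved "ps" snapshot. LC picks which field of /proc/loadavg gates the
# run (the kernel calls the three fields the 1, 5 and 15 minute averages;
# conf.prm labels them 5, 10 and 15). MIN_LOAD, MAXCPU and MAXMEM mirror the
# settings above. Assumed ps layout: "pid user %cpu %mem comm", e.g. from
#   ps -eo pid,user,pcpu,pmem,comm --no-headers

LC=${LC:-1}; MIN_LOAD=${MIN_LOAD:-1}; MAXCPU=${MAXCPU:-35}; MAXMEM=${MAXMEM:-15}

# load_ok LOADAVG_LINE -> true if the selected load average is >= MIN_LOAD
# LOADAVG_LINE is the content of /proc/loadavg, e.g. "0.42 1.07 1.20 1/250 4321"
load_ok() {
    echo "$1" | awk -v i="$LC" -v min="$MIN_LOAD" '{ exit !($i >= min) }'
}

# flag_hogs PS_TEXT -> "pid user cpu mem comm: reason" for each process over
# either threshold; nothing is killed, that decision stays with the operator
flag_hogs() {
    echo "$1" | awk -v maxcpu="$MAXCPU" -v maxmem="$MAXMEM" '
        NF < 5 { next }
        {
            reason = ""
            if ($3 + 0 > maxcpu) reason = reason " cpu>" maxcpu
            if ($4 + 0 > maxmem) reason = reason " mem>" maxmem
            if (reason != "") print $1, $2, $3, $4, $5 ":" reason
        }'
}

# prm_pass LOADAVG_LINE PS_TEXT -> one PRM cycle: only look at processes once
# the load gate is met, exactly as MIN_LOAD specifies
prm_pass() {
    if ! load_ok "$1"; then
        echo "load below MIN_LOAD=$MIN_LOAD, nothing to do"
        return 0
    fi
    flag_hogs "$2"
}

if [ "$#" -eq 0 ] && [ -r /proc/loadavg ]; then
    prm_pass "$(cat /proc/loadavg)" "$(ps -eo pid,user,pcpu,pmem,comm --no-headers 2>/dev/null)"
fi
```

Before trusting any threshold, run a pass like this against the box at its normal busy hour: on a database server mysqld sits above MAXMEM="15" all day, which is why PRM ships with a user and process exemption list and why the kill step should never be enabled without one.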


Step-19:


ASSP:


http://www.grscripts.com/howto130.html
http://www.grscripts.com/advice5.html


Step-20:

Mod_Security:

Follow the steps given below to install mod_security on a cPanel server running apache as webserver.

1. Run Easyapache. (Make sure to take a backup of /usr/local/apache before running the easyapache script)

    [root]#/scripts/easyapache

2. Select Mod_Security module. Save and build.

3. After building the apache successfully, download the modsec2_rules file by executing the the command:


    [root]#cd /etc
    [root]#wget http://hyperois.com/files/modsec2_rules.tar.gz

4. Extract the file "modsec2_rules.tar.gz":

    [root]#tar -xzvf modsec2_rules.tar.gz

and make /usr/local/apache/conf/modsec2.conf look like the following (the rule files extracted above are pulled in by the Include lines). Start with SecRuleEngine DetectionOnly and watch modsec_audit.log for a few days before switching to On, so that legitimate traffic to your sites is not blocked by an over-broad rule.


    [root]#vi /usr/local/apache/conf/modsec2.conf




<IfModule mod_security2.c>
SecRuleEngine On
# "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
# Escape the dots: an unescaped "." matches any character
SecRule REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"


SecServerSignature "Rules Powered By HyperOIS.com"


#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf


#Application protection rules
Include /etc/modsecurity/rules.conf


#Just in Time Patches for Vulnerable Applications
Include /etc/modsecurity/jitp.conf


#Comment spam rules
Include /etc/modsecurity/blacklist.conf


#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf


#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf


#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf


#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf


</IfModule>

5. Save and quit.

6. Restart apache.
