HOW TO: Secure and Optimize Your VPS

Discussion in 'Linux VPS/Dedicated - cPanel' started by Modelayer.com, Mar 14, 2008.

  1. Modelayer.com

    Modelayer.com New Member

    SECURING CPANEL - WHM - AND ROOT on a VPS

    =========================================
    Checking for formmail
    =========================================

    Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using Matt's script or a version of it, you may be in jeopardy.


    Command to find pesky form mails:
    find / -name "[Ff]orm[mM]ai*"

    CGIemail is also a security risk:
    find / -name "[Cc]giemai*"

    Command to disable form mails:
    chmod a-rwx /path/to/filename
    (a-rwx translates to all types, no read, write or execute permissions).

    (this disables all form mail)

    If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.


    =========================================
    Root kit checker - http://www.chkrootkit.org
    =========================================

    Check for root kits and even set a root kit check on a cron job. This will show you if anyone has compromised your root. Always update chkrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then, with injection methods, try to upload the root kit to your server. If he can run it, it will modify *a lot* of files, possibly causing you to have to reinstall.


    To install chkrootkit, SSH into the server and log in as root.
    At command prompt type:

    cd /root/
    wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
    tar xvzf chkrootkit.tar.gz
    cd chkrootkit-0.44
    make sense


    To run chkrootkit

    At command prompt type:
    /root/chkrootkit-0.44/chkrootkit

    Make sure you run it on a regular basis, perhaps including it in a cron job.

    Execution

    I use these three commands the most.
    ./chkrootkit
    ./chkrootkit -q
    ./chkrootkit -x | more


    =========================================
    Install a root breach DETECTOR and EMAIL WARNING
    =========================================

    If someone does happen to get root, be warned quickly by installing a detector and warning at your box. You will at least get the hackers/spammers ip address and be warned someone is in there.


    Server e-mail every time someone logs in as root

    To have the server e-mail you every time someone logs in as root, SSH into the server and log in as root.


    At command prompt type:
    pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" "[email protected]"

    Save and exit.


    Set an SSH Legal Message

    To set an SSH legal message, SSH into the server and log in as root.

    At command prompt type:
    pico /etc/motd

    Enter your message, save and exit.
    Note: I use the following message...

    ALERT! You are entering a secured area! Your IP and login information
    have been recorded. System administration has been notified.
    This system is restricted to authorized access only. All activities on
    this system are recorded and logged. Unauthorized access will be fully
    investigated and reported to the appropriate law enforcement agencies.



    =========================================
    Web Host manager and CPANEL mods.
    =========================================

    These are items inside of WHM/Cpanel that should be changed to secure your server.

    Go to Server Setup =>> Tweak Settings
    Check the following items...

    Under Domains
    Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

    Under Mail
    Attempt to prevent pop3 connection floods
    Default catch-all/default address behavior for new accounts - blackhole
    (SET TO FAIL)

    Under System
    Use jailshell as the default shell for all new accounts and modified accounts

    Go to Server Setup =>> Tweak Security
    Enable php open_basedir Protection
    Enable mod_userdir Protection
    Disable Compilers for unprivileged users.

    Go to Server Setup =>> Manage Wheel Group Users
    Remove all users except for root and your main account from the wheel group.

    Go to Server Setup =>> Shell Fork Bomb Protection
    Enable Shell Fork Bomb/Memory Protection

    When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

    Go to Service Configuration =>> FTP Configuration
    Disable Anonymous FTP

    Go to Account Functions =>> Manage Shell Access
    Disable Shell Access for all users (except yourself)

    Go to Mysql =>> MySQL Root Password
    Change the root password for MySQL

    Go to Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
    /sbin/depmod
    /sbin/insmod
    /sbin/insmod.static
    /sbin/modinfo
    /sbin/modprobe
    /sbin/rmmod
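    An added example (not from the original post) of the root-login alert described above, written as a sourceable script: the one-liner's `who | awk '{print $6}'` prints the host column of every logged-in user and keeps the parentheses, so this version reads the calling session's own origin from SSH_CLIENT (set by sshd) or from `who -m`. ALERT_TO is an assumed placeholder recipient; `mail` is assumed to be present.

```shell
#!/bin/sh
# Added example: root login alert for /root/.bash_profile.
# Assumptions: a working "mail" command; ALERT_TO is a placeholder address.
ALERT_TO="${ALERT_TO:-root}"

# Extract the remote host from one "who" line, e.g.
#   "root  pts/0  2008-03-14 10:22 (203.0.113.5)"  ->  "203.0.113.5"
# Returns "local" when the line carries no (host) column (console login).
who_remote_host() {
    host=$(printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    if [ -n "$host" ]; then printf '%s\n' "$host"; else printf 'local\n'; fi
}

# Origin of THIS session only: SSH_CLIENT is "ip port port" for an SSH
# login; otherwise fall back to "who -m", which reports the current tty.
session_origin() {
    if [ -n "$SSH_CLIENT" ]; then
        printf '%s\n' "${SSH_CLIENT%% *}"
    else
        who_remote_host "$(who -m 2>/dev/null)"
    fi
}

# Subject line, kept in its own function so it can be checked on its own.
alert_subject() {
    printf 'Alert: Root Access from %s\n' "$1"
}

# Send the alert, but only from an interactive shell: non-interactive
# invocations that source profile files (some cron setups) would otherwise
# flood the mailbox with false alerts.
send_root_alert() {
    case "$-" in *i*) ;; *) return 0 ;; esac
    origin=$(session_origin)
    printf 'ALERT - Root Shell Access on: %s from %s\n' "$(date)" "$origin" \
        | mail -s "$(alert_subject "$origin")" "$ALERT_TO"
}
```

    Source this file from /root/.bash_profile and call `send_root_alert` at the end of it; the one-liner in the post can then be dropped.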
     
  2. i.s.s.w

    i.s.s.w New Member

  3. awolff

    awolff New Member

    Hello,

    I just got this VPS yesterday, and was going through some of your suggestions above. I had some curious results from root kit checker, should I be worried already?? thanks...

    -----------------------------------------------------

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `lkm'... find: WARNING: Hard link count is wrong for /proc/vz/vzaquota: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
    You have 88 process hidden for readdir command
    chkproc: Warning: Possible LKM Trojan installed
     
  4. awolff

    awolff New Member

    Also, two other things:

    (1) When running Quick Security Scan, I get this message (so didn't run it):

    There are services enabled by default with your operating system that are not necessary for most web servers. This function
    will disable the following services: portmap - Used by NFS to map network drives cupsd - Used for printing atd - Demon for
    "at", similar to cron jobs. nfs statd - Used for NFS file system mounting. nis - Network information service gpm - Console
    mouse services If you see a [FAILED] error message, this means that the service was not running when the scanner tried to
    shut it down. This is not a problem, the service will still be prevented from automatically starting.

    (2) ...and these are the results of Scan for Trojan:


    Possible Trojan - /etc/cron.daily/logrotate

    Possible Trojan - /usr/bin/xml2-config

    Possible Trojan - /usr/bin/xmlcatalog

    Possible Trojan - /usr/bin/xmllint

    Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.la

    Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.so

    Possible Trojan - /usr/sbin/pureauth

    Possible Trojan - /usr/sbin/antirelayd

    Possible Trojan - /usr/bin/cpan

    Possible Trojan - /usr/bin/instmodsh

    Possible Trojan - /usr/bin/prove

    Possible Trojan - /usr/bin/mysqlhotcopy

    12 POSSIBLE Trojans Detected

    -----------------------------------------

    Maybe this is all normal?? I guess I wasn't expecting to see results like this... if anyone could enlighten me I would appreciate it.

    ...and BTW, thanks for the post, I learned quite a bit just going through these steps...

    AW
     
  5. Dan

    Dan Moderator

    Hello Awolff,

    Great questions and ones that should be addressed when suggested security checks give errors like these.

    First let's look at chkrootkit
    If we Google the first one we will find many posts saying that this is normal and that it is Exim running secure smtp services on that port.

    For the vzaquota problem since this is a VPS we do not have rights to check vzaquota and chkrootkit doesn't know how to handle that.

    Personally I switched to using RKhunter as it is a bit more configurable and can be configured to check for program updates.

    And now for
    I just ran this on my VPS as well and got the exact same thing. I had noticed previously that Samba services were running and stopped them via SSH but they come back with every reboot. Nearly everything you see here is Samba related and is unneeded on a VPS such as this so I certainly went ahead and disabled them (these are the services smb and winbind). There was also portmap which I also disabled. And the console services will not start if there is no mouse attached so no worry there.

    And for
    The scan for trojan tool in WHM is notorious for false positives. If you want to then Google each of them and I am sure you will find that they are precisely that.

    Being as this is a brand new VPS it comes down to a question of trust. Personally I trust KH and would say that you have a perfectly clean VPS. So call this your baseline scan and use it to refer back to when you run scans in the future.
     
  6. newe1344

    newe1344 New Member

    What if we don't know

    I read the tutorial and followed the instructions, they worked wonderfully! However, I am very paranoid. I have absolutely no experience with hosting. It says in the "pre-purchase" forums that knownhost will do an "initial security hardening." I spoke with Knownhost support and they told me they will install things like firewalls if I ask.

    This freaks me out a little, because I don't really know what to ask for in terms of security. I know a firewall makes sense, but beyond that I'm not really sure what to ask for.

    Here's my situation, I am going to be hosting a couple of websites with different domains. All of these websites will be managed by me. None of these websites will have an e-commerce system, but they will have joomla and wordpress backends. Mail is managed on another server. However, I would like to have my vps send me emails when someone logs in as root and a couple of forms on the site need to send email confirmations. I need to have ftp access. Other than this I really don't need any more services on the vps running.

    my open ports are:
    21/tcp open tcpwrapped (ftp)
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop3
    143/tcp open imap
    443/tcp open https
    993/tcp open imaps
    995/tcp open pop3s

    My questions are:

    1. can I disable my mail ports and still have the server email root logins and confirmations when someone fills out a form on my site?
    2. do I even need to disable mail services?
    3. If you were in this situation, how would you configure your server?
    4. what would you ask for in terms of security from knownhost support?
    5. Am I out of my league? I am learning a lot day by day, but have I bitten off more than I can chew? I am going to be managing my client's content, developing several new sites for them, and managing their VPS...is this too much?

    Thanks for your help everyone...I am just getting into the web world, I'm self taught, and currently have no mentor to whom I could pose these questions.

    Mike Newell
     
  7. newe1344

    newe1344 New Member

    A little further along

    To answer my own question:

    I was looking for a way to close down ports so I'm not as vulnerable. My original thinking was that a port had to be open for me to access it. This is untrue as it turns out:

    If you are managing a server by yourself, not reselling AND using cpanel with csf firewall, you can take this approach. Simply white list the IP addresses you will be working from:

    Code:
    # csf -a 111.111.111.111 
    check the white list by going to:

    Code:
    # cd /etc/csf 
    and viewing the file:

    Code:
    # pico csf.allow
    If your IP addresses are correct in that file, then it's time to edit the csf configuration file:

    Code:
    # pico /etc/csf/csf.conf
    (I wrote down all the ports I removed just in case I ever wanted to put them back. You should take steps to either backup the file or remember the changes you made just in case.)

    move the cursor down to the section:

    Code:
    # Allow incoming ports
    TCP_IN = "20,21,22,53 ... "
    
    Now simply remove all the port numbers EXCEPT the ones you want to make available to the public.

    Code:
    # Allow incoming ports
    TCP_IN = "53,80"
    
    As long as your IP address on the whitelist is correct, csf should allow you to still connect to all the other ports, even though they are not present in the configuration file. However, if your IP is not on the whitelist, you will not be able to connect to anything except port "80" and "53".

    This configuration has taken a load off my mind already! If anyone else has anything to add, please do!:)

    -Mike
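    An added example (not from the post above) that applies the TCP_IN restriction Mike describes with the guard a practitioner wants: it refuses to touch csf.conf unless the admin's IP is already listed in csf.allow, since that allow list is the only thing keeping SSH reachable afterwards. File paths default to csf's real locations and can be overridden for testing; the IP addresses in the usage are constructed.

```shell
#!/bin/sh
# Added example: restrict csf TCP_IN, but only when the admin IP is allow-listed.
# CSF_CONF / CSF_ALLOW default to csf's real files; override them when testing.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"
CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"

# True when csf.allow lists the given IP. csf.allow lines may carry a
# trailing "# comment", so compare the first field only and skip comments.
allow_has_ip() {
    awk -v ip="$1" '$1 !~ /^#/ && $1 == ip { found = 1 } END { exit !found }' "$CSF_ALLOW"
}

# Print the current TCP_IN value without its quotes.
current_tcp_in() {
    sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$CSF_CONF"
}

# Rewrite TCP_IN to the given comma list, keeping a dated backup of the old
# file (the post recommends writing down the removed ports; this keeps them).
# Only "^TCP_IN" is matched, so TCP_OUT and TCP6_IN are left alone.
set_tcp_in() {
    cp "$CSF_CONF" "$CSF_CONF.bak.$(date +%Y%m%d%H%M%S)"
    sed "s/^TCP_IN *=.*/TCP_IN = \"$1\"/" "$CSF_CONF" > "$CSF_CONF.tmp" \
        && mv "$CSF_CONF.tmp" "$CSF_CONF"
}

# Guarded entry point: restrict_ports ADMIN_IP "53,80"
# Returns 1 and changes nothing if ADMIN_IP is not in csf.allow.
restrict_ports() {
    admin_ip="$1"; ports="$2"
    if ! allow_has_ip "$admin_ip"; then
        echo "refusing: $admin_ip is not in $CSF_ALLOW (you would lock yourself out)" >&2
        return 1
    fi
    echo "TCP_IN was: $(current_tcp_in)"
    set_tcp_in "$ports"
    echo "TCP_IN now: $(current_tcp_in)"
}
```

    After a successful run, reload the firewall with `csf -r` so the new TCP_IN takes effect.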
     
  8. Dan

    Dan Moderator

    Hi Mike,

    You are absolutely right, you can put your IP on the always allow list, but for others remember that most times your ISP will randomly assign you a new IP# so this will not work for very long.
     
  9. newe1344

    newe1344 New Member

    @Dan

    Thanks for the advice. I should have mentioned that.

    Eventually, I will wake up one morning and be locked out of all admin access. However, I am willing to deal with this for the added level of security. I am planning on just making the drive to my other white listed IP and adding my new IP that way. Or submitting a support ticket to ask knownhost to white list my new IP.

    However, this brings up a good question. Will going this route potentially lock knownhost out of my server if their IP changes?

    Thanks as always Dan,
    Mike
     
  10. Dan

    Dan Moderator

    Hi Mike,

    KH's IP should not ever change and you have not blocked the SSH port so they should have access just fine :)
     
  11. Xtreme2damax

    Xtreme2damax New Member

    This guide seems to be outdated, I would reckon that since it was posted in 2008. I was told by KnownHost that things such as Chkrootkit, Rkhunter, and Tripwire are not necessary and just consume resources for VPS plans with lower memory.

    Cphulk seems to take care of brute force detection in Cpanel WHM, no need for additional software, I have already done the tweaks you mentioned except for one:

    - Attempt to prevent pop3 connection floods.

    This doesn't seem to be present in Cpanel WHM anymore.

    CGIMail and FormMail can be disabled from Cpanel WHM/Cpanel without using SSH.

    I have yet to implement some of the other security precautions you mentioned, but the guide is appreciated although I would have preferred if you went more in depth regarding Cpanel configuration and security (tweaking all security related settings including PHP, MySql, Apache) than additional security software.

    I'm a complete newbie to VPS hosting since I just came from shared hosting, so all this can be useful to me. :)
     
