HOW TO: Secure and Optimize Your VPS

Modelayer.com

SECURING CPANEL - WHM - AND ROOT on a VPS

=========================================
Checking for formmail
=========================================

Form mail is used by hackers to send out spam email, by relay and injection methods. If you are using Matt's script or a version of it, you may be in jeopardy.


Command to find pesky form mails:
find / -name "[Ff]orm[mM]ai*"

CGIemail is also a security risk:
find / -name "[Cc]giemai*"

Command to disable form mails:
chmod a-rwx /path/to/filename
(a-rwx translates to all types, no read, write or execute permissions).

(this disables all form mail)

If a client or someone on your vps installs form mail, you will have to let them know you are disabling their script and give them an alternative.


=========================================
Root kit checker - http://www.chkrootkit.org
=========================================

Check for root kits and even set a root kit check on a cron job. This will show you if anyone has compromised your root. Always update chkrootkit to get the latest root kit checker. Hackers and spammers will try to find insecure upload forms on your box and then, with injection methods, try to upload the root kit to your server. If he can run it, it will modify *a lot* of files, possibly causing you to have to reinstall.


To install chkrootkit, SSH into the server and login as root.
At command prompt type:

cd /root/
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar xvzf chkrootkit.tar.gz
cd chkrootkit-0.44
make sense


To run chkrootkit

At command prompt type:
/root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.

Execution

I use these three commands the most.
./chkrootkit
./chkrootkit -q
./chkrootkit -x | more


=========================================
Install a root breach DETECTOR and EMAIL WARNING
=========================================

If someone does happen to get root, be warned quickly by installing a detector and warning on your box. You will at least get the hacker's/spammer's IP address and be warned that someone is in there.


Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into the server and login as root.


At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following lines:

ORIGIN="${SSH_CONNECTION%% *}"; [ -n "$ORIGIN" ] || ORIGIN=$(who am i | awk '{print $NF}' | tr -d '()')   # client IP of this login; "who am i" limits output to this session, and $NF does not depend on who's date format the way $6 did
echo "ALERT - Root Shell Access on: $(date) $(who am i)" | mail -s "Alert: Root Access from $ORIGIN" "your@email.com"

Save and exit.


Set an SSH Legal Message

To set an SSH legal message, SSH into the server and login as root.

At command prompt type:
pico /etc/motd

Enter your message, save and exit.
Note: I use the following message...

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.



=========================================
Web Host manager and CPANEL mods.
=========================================

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings
Check the following items...

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
(SET TO FAIL)

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disable Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod
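The find and chmod steps from the form mail section above, combined into one script with a dry-run mode and a log of what was disabled, so that the account owners can be told what happened. This is an added example and not code from the original post; the log path /var/log/formmail-disabled.log, the script name and the function names are this example's own choices. The -iname matching is a small extension of the post's patterns: it also catches upper-case spellings such as FORMMAIL.PL.

```sh
#!/bin/sh
# disable_formmail.sh: find FormMail / CGIemail scripts under a directory and
# disable them with "chmod a-rwx", as the post does by hand, but with a dry-run
# mode and a log of what was changed so the affected account owners can be told.
# Added example, not from the original post. Usage: disable_formmail.sh [-n] DIR
#   -n   dry run: list matches, change nothing

FORMMAIL_LOG=${FORMMAIL_LOG:-/var/log/formmail-disabled.log}   # assumed log path

# Print matching files under $1, one per line. Extra arguments are placed before
# -print, so a caller can pass "-exec chmod a-rwx {} \;" and only see files the
# chmod succeeded on. -iname also catches FORMMAIL.PL, which the post's
# [Ff]orm[mM]ai* pattern misses; -type f keeps a directory called "formmail"
# from being chmod'ed, which would lock its owner out of the whole tree.
find_formmail() {
    dir=$1; shift
    find "$dir" -type f \( -iname 'formmai*' -o -iname 'cgiemai*' \) "$@" -print 2>/dev/null
}

# Permission bits of $1 as ls shows them ("rwxr-xr-x"; "---------" once disabled).
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Disable every script under $1; with $2 = "dry" only report. Prints the number
# of files disabled (or that would be) on stdout, the paths on stderr, and
# appends the disabled paths to $FORMMAIL_LOG.
disable_formmail() {
    dir=$1; mode=${2:-apply}
    if [ "$mode" = dry ]; then
        found=$(find_formmail "$dir")
    else
        found=$(find_formmail "$dir" -exec chmod a-rwx {} \;)
    fi
    if [ -z "$found" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$found" | while IFS= read -r f; do
        echo "$mode: $f" >&2
        [ "$mode" = dry ] || echo "$(date '+%F %T') disabled $f" >> "$FORMMAIL_LOG"
    done
    printf '%s\n' "$found" | wc -l | tr -d ' '
}

# Entry point when run as a script (skipped when the file is sourced).
if [ "${0##*/}" = disable_formmail.sh ]; then
    mode=apply
    [ "$1" = -n ] && { mode=dry; shift; }
    [ -d "$1" ] || { echo "usage: $0 [-n] DIR" >&2; exit 2; }
    n=$(disable_formmail "$1" "$mode")
    echo "$n FormMail/CGIemail script(s) found, mode: $mode"
fi
```

Run it first with -n against /home to see what it would touch, then without. The name match is only as good as the post's: a FormMail copy that a user has renamed will not be found this way, so the chkrootkit and upload-form checks in the rest of the post still matter.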
 
Hello,

I just got this VPS yesterday, and was going through some of your suggestions above. I had some curious results from root kit checker, should I be worried already?? thanks...

-----------------------------------------------------

Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... find: WARNING: Hard link count is wrong for /proc/vz/vzaquota: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
You have 88 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
 
Also, two other things:

(1) When running Quick Security Scan, I get this message (so didn't run it):

There are services enabled by default with your operating system that are not necessary for most web servers. This function
will disable the following services: portmap - Used by NFS to map network drives cupsd - Used for printing atd - Demon for
"at", similar to cron jobs. nfs statd - Used for NFS file system mounting. nis - Network information service gpm - Console
mouse services If you see a [FAILED] error message, this means that the service was not running when the scanner tried to
shut it down. This is not a problem, the service will still be prevented from automatically starting.

(2) ...and these are the results of Scan for Trojan:


Possible Trojan - /etc/cron.daily/logrotate

Possible Trojan - /usr/bin/xml2-config

Possible Trojan - /usr/bin/xmlcatalog

Possible Trojan - /usr/bin/xmllint

Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.la

Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.so

Possible Trojan - /usr/sbin/pureauth

Possible Trojan - /usr/sbin/antirelayd

Possible Trojan - /usr/bin/cpan

Possible Trojan - /usr/bin/instmodsh

Possible Trojan - /usr/bin/prove

Possible Trojan - /usr/bin/mysqlhotcopy

12 POSSIBLE Trojans Detected

-----------------------------------------

Maybe this is all normal?? I guess I wasn't expecting to see results like this... if anyone could enlighten me I would appreciate it.

...and BTW, thanks for the post, I learned quite a bit just going through these steps...

AW
 
Hello Awolff,

Great questions, and ones that should be addressed when suggested security checks give errors like these.

First let's look at chkrootkit
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... find: WARNING: Hard link count is wrong for /proc/vz/vzaquota: this may be a bug in your filesystem driver. Automatically turning on find's -noleaf option. Earlier results may have failed to include directories that should have been searched.
You have 88 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

If we Google the first one we will find many posts saying that this is normal and that it is Exim running secure smtp services on that port.

For the vzaquota problem, since this is a VPS we do not have rights to check vzaquota and chkrootkit doesn't know how to handle that.

Personally I switched to using rkhunter as it is a bit more configurable and can be configured to check for program updates.

And now for
(1) When running Quick Security Scan, I get this message (so didn't run it):

There are services enabled by default with your operating system that are not necessary for most web servers. This function
will disable the following services: portmap - Used by NFS to map network drives cupsd - Used for printing atd - Demon for
"at", similar to cron jobs. nfs statd - Used for NFS file system mounting. nis - Network information service gpm - Console
mouse services If you see a [FAILED] error message, this means that the service was not running when the scanner tried to
shut it down. This is not a problem, the service will still be prevented from automatically starting.

I just ran this on my VPS as well and got the exact same thing. I had noticed previously that Samba services were running and stopped them via SSH but they come back with every reboot. Nearly everything you see here is Samba related and is unneeded on a VPS such as this so I certainly went ahead and disabled them (these are the services smb and winbind). There was also portmap which I also disabled. And the console services will not start if there is no mouse attached so no worry there.

And for
(2) ...and these are the results of Scan for Trojan:


Possible Trojan - /etc/cron.daily/logrotate

Possible Trojan - /usr/bin/xml2-config

Possible Trojan - /usr/bin/xmlcatalog

Possible Trojan - /usr/bin/xmllint

Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.la

Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.so

Possible Trojan - /usr/sbin/pureauth

Possible Trojan - /usr/sbin/antirelayd

Possible Trojan - /usr/bin/cpan

Possible Trojan - /usr/bin/instmodsh

Possible Trojan - /usr/bin/prove

Possible Trojan - /usr/bin/mysqlhotcopy

12 POSSIBLE Trojans Detected

The scan for trojan tool in WHM is notorious for false positives. If you want to then Google each of them and I am sure you will find that they are precisely that.

Being as this is a brand new VPS it comes down to a question of trust. Personally I trust KH and would say that you have a perfectly clean VPS. So call this your baseline scan and use it to refer back to when you run scans in the future.
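The "baseline scan" advice above, turned into a cron wrapper for the chkrootkit install from the first post: it keeps only the lines chkrootkit flags, drops the findings already known to be benign on this box (the Exim-on-465 bindshell hit and the /proc/vz/vzaquota warning discussed above), compares the rest with a saved baseline and reports only what is new. This is an added example, not code from the thread; the baseline and allowlist paths, the mail address and the script name are assumptions.

```sh
#!/bin/sh
# chkrootkit_report.sh: run chkrootkit from cron, drop findings already known to
# be benign on this box, compare what is left with a saved baseline, and mail
# only what is new. Added example, not part of the thread. The allowlist
# entries shown are the two false positives discussed above (Exim on port 465,
# the /proc/vz/vzaquota warning); every path and the address are assumptions.

CHKROOTKIT=${CHKROOTKIT:-/root/chkrootkit-0.44/chkrootkit}
BASELINE=${BASELINE:-/root/chkrootkit.baseline}     # reviewed findings, one per line
ALLOWLIST=${ALLOWLIST:-/root/chkrootkit.allow}      # fixed strings, one per line, e.g.:
                                                    #   INFECTED (PORTS: 465)
                                                    #   /proc/vz/vzaquota
ALERT_TO=${ALERT_TO:-your@email.com}

# Keep only lines that report something. chkrootkit prints INFECTED, Warning or
# "hidden" for positives and "not infected", "not found" or "nothing found"
# otherwise; the second grep strips those, which also contain the keywords.
findings() {
    grep -Ei 'infected|warning|hidden' | grep -Eiv 'not infected|not found|nothing found' || true
}

# Drop lines containing any fixed string listed in the allowlist file $1.
# A missing or empty allowlist passes everything through.
drop_allowed() {
    if [ -s "$1" ]; then grep -v -F -f "$1" || true; else cat; fi
}

# Lines on stdin that are not in the baseline file $1 (comm needs sorted input).
new_since_baseline() {
    cur=$(mktemp)
    sort -u > "$cur"
    if [ -f "$1" ]; then sort -u "$1" | comm -13 - "$cur"; else cat "$cur"; fi
    rm -f "$cur"
}

# New findings in the scan output file $1, after allowlist and baseline.
report() {
    findings < "$1" | drop_allowed "$ALLOWLIST" | new_since_baseline "$BASELINE"
}

# Record the findings in scan output file $1 as the reviewed baseline.
save_baseline() {
    findings < "$1" | drop_allowed "$ALLOWLIST" | sort -u > "$BASELINE"
}

# Cron entry point: "chkrootkit_report.sh" mails new findings;
# "chkrootkit_report.sh --baseline" records the current run after you reviewed it.
if [ "${0##*/}" = chkrootkit_report.sh ]; then
    out=$(mktemp)
    "$CHKROOTKIT" > "$out" 2>&1 || true
    if [ "$1" = --baseline ]; then
        save_baseline "$out"
    else
        new=$(report "$out")
        [ -z "$new" ] || printf 'New chkrootkit findings on %s:\n\n%s\n' "$(hostname)" "$new" \
            | mail -s "chkrootkit: new findings on $(hostname)" "$ALERT_TO"
    fi
    rm -f "$out"
fi
```

Review a run by hand before saving it as the baseline; the point of the baseline is that a later run on a clean box produces no mail, so anything that does arrive is worth a look. Keep the allowlist short and specific (a fixed string per line), because every entry is a finding you have decided never to see again.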
 
What if we don't know

I read the tutorial and followed the instructions, they worked wonderfully! However, I am very paranoid. I have absolutely no experience with hosting. It says in the "pre-purchase" forums that knownhost will do an "initial security hardening." I spoke with Knownhost support and they told me they will install things like firewalls if I ask.

This freaks me out a little, because I don't really know what to ask for in terms of security. I know a firewall makes sense, but beyond that I'm not really sure what to ask for.

Here's my situation, I am going to be hosting a couple websites with different domains. All of these websites will be managed by me. None of these website will have an e-commerce system, but they will have joomla and wordpress backends. Mail is managed on another server. However, I would like to have my vps send me emails when someone logs in as root and a couple forms on the site need to send email confirmations. I need to have ftp access. Other than this I really don't need any more services on the vps running.

my open ports are:
21/tcp open tcpwrapped (ftp)
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s

My questions are:

1. can I disable my mail ports and still have the server email root logins and confirmations when someone fills out a form on my site?
2. do I even need to disable mail services?
3. If you were in this situation, how would you configure your server?
4. what would you ask for in terms of security from knownhost support?
5. Am I out of my league? I am learning a lot day by day, but have I bitten off more than I can chew? I am going to be managing my client's content, developing several new sites for them, and managing their VPS...is this too much?

Thanks for your help everyone...I am just getting into the web world, I'm self taught, and currently have no mentor to whom I could pose these questions.

Mike Newell
 
A little further along

To answer my own question:

I was looking for a way to close down ports so I'm not as vulnerable. My original thinking was that a port had to be open for me to access it. This is untrue as it turns out:

If you are managing a server by yourself, not reselling AND using cpanel with csf firewall, you can take this approach. Simply white list the IP addresses you will be working from:

Code:
# csf -a 111.111.111.111

check the white list by going to:

Code:
# cd /etc/csf

and viewing the file:

Code:
# pico csf.allow

If your IP addresses are correct in that file, then its time to edit the csf configuration file:

Code:
# pico /etc/csf/csf.conf

(I wrote down all the ports I removed just in case I ever wanted to put them back. You should take steps to either backup the file or remember the changes you made just in case.)

move the cursor down to the section:

Code:
# Allow incoming ports
TCP_IN = "20,21,22,53 ... "

Now simply remove all the port numbers EXCEPT the ones you want to make available to the public.

Code:
# Allow incoming ports
TCP_IN = "53,80"

As long as your IP address on the whitelist is correct, csf should allow you to still connect to all the other ports, even though they are not present in the configuration file. However, if your IP is not on the whitelist, you will not be able to connect to anything except port "80" and "53".

This configuration has taken a load off my mind already! If anyone else has anything to add, please do!:)

-Mike
 
Hi Mike,

You are absolutely right, you can put your IP on the always-allow list, but for others, remember that most times your ISP will randomly assign you a new IP, so this will not work for very long.
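The TCP_IN reduction from Mike's post, with the lockout risk Dan raises built in as a check: the script refuses to edit csf.conf unless csf.allow already has at least one entry, validates the port list, keeps a timestamped backup of the previous csf.conf and verifies that the edit took. This is an added example and not code from the thread or from csf; the csf.conf and csf.allow paths and the `csf -a` / `csf -r` commands are csf's own, while the script name, function names and backup naming are this example's choices.

```sh
#!/bin/sh
# csf_lockdown.sh: apply the TCP_IN reduction from the post without locking
# yourself out. Refuses to touch csf.conf unless csf.allow already has at least
# one entry, validates the port list, keeps a timestamped backup of the
# previous csf.conf, and checks the edit took. Added example, not part of the
# thread; the csf.conf/csf.allow paths default to the real ones but everything
# else (the function names, the backup naming) is this script's own.
# Usage: csf_lockdown.sh "53,80" [/etc/csf/csf.conf] [/etc/csf/csf.allow]

# Number of live entries in a csf.allow file (blank and comment lines ignored).
allow_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# True if $1 is a csf port list: ports or low:high ranges, comma separated.
ports_valid() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*$'
}

# Current TCP_IN value of a csf.conf, without the quotes.
tcp_in_value() {
    sed -n 's/^TCP_IN = "\(.*\)"$/\1/p' "$1"
}

# Rewrite TCP_IN in $1 to exactly $2. $3 is the allow file that must already
# list an admin IP: anything not in TCP_IN is unreachable except for allowed
# IPs, so an empty csf.allow means losing SSH, WHM and FTP along with the rest.
# Returns non-zero, with csf.conf untouched, on any refusal.
restrict_tcp_in() {
    conf=$1; ports=$2; allow=$3
    if ! ports_valid "$ports"; then
        echo "refusing: '$ports' is not a csf port list" >&2
        return 1
    fi
    if [ ! -f "$allow" ] || [ "$(allow_entries "$allow")" -eq 0 ]; then
        echo "refusing: $allow has no entries; run 'csf -a <your-ip>' first" >&2
        return 1
    fi
    cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak" || return 1
    tmp=$(mktemp)
    # Write through a temp file and cat back so csf.conf keeps its owner and mode.
    sed "s/^TCP_IN = \".*\"\$/TCP_IN = \"$ports\"/" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
    [ "$(tcp_in_value "$conf")" = "$ports" ]   # verify the edit took
}

# Entry point when run as a script (skipped when the file is sourced).
if [ "${0##*/}" = csf_lockdown.sh ]; then
    restrict_tcp_in "${2:-/etc/csf/csf.conf}" "$1" "${3:-/etc/csf/csf.allow}" \
        && echo "TCP_IN now \"$1\"; run 'csf -r' to apply" || exit 1
fi
```

The check only proves that csf.allow is not empty, not that the address in it is still yours; with a dynamically assigned home IP, as Dan notes, keep a second allowed address (another office, or the host's support desk) so that one change does not cost you every port that is no longer in TCP_IN.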
 
@Dan

Thanks for the advice. I should have mentioned that.

Eventually, I will wake up one morning and be locked out of all admin access. However, I am willing to deal with this for the added level of security. I am planning on just making the drive to my other white listed IP and adding my new IP that way. Or submitting a support ticket to ask knownhost to white list my new IP.

However, this brings up a good question. Will going this route potentially lock knownhost out of my server if their IP changes?

Thanks as always Dan,
Mike
 
Hi Mike,

KH's IP should not ever change and you have not blocked the SSH port, so they should have access just fine :)
 
This guide seems to be outdated, I would reckon that since it was posted in 2008. I was told by KnownHost that things such as Chkrootkit, Rkhunter, and Tripwire are not necessary and just consume resources for VPS plans with lower memory.

Cphulk seems to take care of brute force detection in Cpanel WHM, no need for additional software, I have already done the tweaks you mentioned except for one:

- Attempt to prevent pop3 connection floods.

This doesn't seem to be present in Cpanel WHM anymore.

CGIMail and FormMail can be disabled from Cpanel WHM/Cpanel without using SSH.

I have yet to implement some of the other security precautions you mentioned, but the guide is appreciated although I would have preferred if you went more in depth regarding Cpanel configuration and security (tweaking all security related settings including PHP, MySql, Apache) than additional security software.

I'm a complete newbie to VPS hosting since I just came from shared hosting, so all this can be useful to me. :)
 