[ConfigServer Security] Download for free at http://configserver.com/
CSF also provides a firewall. The end of the installer will produce a list of ports that are believed to be in use, and will update the configuration to allow these ports for TCP and UDP. There are several ways of setting up an iptables-based firewall. There is nothing new here, but there is an ease to it. Adding people to a blacklist or whitelist (color coded red or green) is very easy to do, even from a cell phone browser if you have locked yourself out. Another powerful option is the country whitelist/blacklist feature. Adding the two-letter country code to CC_DENY or CC_ALLOW can block, or allow, the IP address ranges for an entire nation.
As you set up your configuration file, you will notice you can enable the Login Failure Daemon, or LFD. This service reviews the log files of daemons like SMTP, POP, and SSH to look for failed logins. Once a threshold you have set is reached, the server blocks the offender. The block could last just a few minutes, long enough for the attacker to move on, or you could bring down the ban hammer forever. You could also sync this ban list to cover other servers in the network. Running this service on several servers in the same network, I have watched a would-be attacker work from .25, to .26, to .28 of a given subnet. Putting a non-important server higher up in the subnet to gather and share this information could be useful in multi-server situations.
One of my favorite features is under “Check Server Security” where you get a list of recommended changes. Complete with a score at the bottom of the page, this tool is a great place to get any server in shape fast. A little TLC here can go a long way, and it gives a satisfaction similar to Xbox Live achievements. (I rock a 130/133.)
Before I even get started with services, updates, or even firewalls, I spend a lot of time on my partitions. I want to get my partitions just right so I never have to deal with them again. Some partitions are too open; setting noexec and nosuid can spoil a script kiddie’s fun faster than a phpBB update. These changes are made in /etc/fstab, but be warned that changes to the fstab should be made and reviewed before rebooting. Any mistake could keep your system from coming back after the next reboot.
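The review step above, as an added example that is not from the original article or from cPanel or CSF: a shell function that reads an fstab-format file and reports mount points missing noexec or nosuid, plus lines with too few or too many fields. It assumes /tmp, /var/tmp and /dev/shm are the partitions to harden (the article names none); `audit_fstab`, `sample_fstab` and `HARDEN_TARGETS` are hypothetical names, and the sample fstab is constructed.

```shell
#!/usr/bin/env bash
# Added example: review an fstab-format file before rebooting.
# Assumption: these mount points are the ones to harden (the article names none).
HARDEN_TARGETS="/tmp /var/tmp /dev/shm"

# audit_fstab [FILE]: print one finding per line; exit status 1 if any finding.
# Reads standard input when FILE is omitted.
audit_fstab() {
  awk -v targets="$HARDEN_TARGETS" '
    BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
    NF < 4 || NF > 6 {                        # device, mount point, type, options are required
      printf "MALFORMED line %d: %d fields\n", NR, NF; bad = 1; next
    }
    ($2 in want) {
      seen[$2] = 1
      opts = "," $4 ","                       # pad so only whole option names match
      if (!index(opts, ",noexec,")) { printf "MISSING noexec on %s (line %d)\n", $2, NR; bad = 1 }
      if (!index(opts, ",nosuid,")) { printf "MISSING nosuid on %s (line %d)\n", $2, NR; bad = 1 }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(t[i] in seen)) { printf "NO-ENTRY %s is not listed, so fstab sets no options for it\n", t[i]; bad = 1 }
      exit bad + 0
    }
  ' "${1:--}"
}

# Constructed sample, not taken from a real server.
sample_fstab() {
  cat <<'EOF'
# /etc/fstab (constructed)
/dev/sda1  /         ext4   defaults                 1 1
/dev/sda3  /tmp      ext4   defaults,noexec,nosuid   1 2
/tmp       /var/tmp  none   bind,nosuid              0 0
tmpfs      /dev/shm  tmpfs  defaults                 0 0
/dev/sda2  swap      swap
EOF
}

sample_fstab | audit_fstab || echo "Fix the findings above before the next reboot."
```

Run it against the edited file with `audit_fstab /etc/fstab`; a zero exit status means every target carries both options and no line has a wrong field count.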
Getting cPanel up and running is easy. Install RHEL/CentOS; install cPanel and make some money. The problem is that several services you may not need are running from that RHEL/CentOS install. Take some time to review the running services on your server and use chkconfig to keep them off after your next reboot. When was the last time you used Bluetooth with your server? RHEL/CentOS servers often have the bluetooth service installed and running by default. Another offender, cups (also known as the Common Unix Printing System), is used to accept print jobs. Please turn this one off.
Apache is the lifeblood of web hosting, and a few simple changes are recommended to make Apache not only PCI compliant, but more secure overall. By default, Apache gives out too much information. A stock server will give out information you may not want advertised, like your email address and Apache version:
Apache Server at apacheserver.tld Port 80
Turn this off. There is no reason to give away information that could be valuable. Also, add in mod_security support and rebuild with EasyApache. Once you have a build you are happy with, go back and set rules! I log in to several servers each week that have mod_security support added but no ruleset enabled. The feature does no good without a ruleset, and adding the default rules is just a click away. Last but not least, consider turning off mod_userdir globally, since it can be a way for users to circumvent bandwidth limitations.
There is more you can do to harden your server, but these are some of the high points to help secure the system with CSF. Regular updates, backups, and a firewall will ensure your server is there to earn you money, not waste your time.
For more information visit www.cPanel.net