网普技术论坛 (Netpu Technical Forum)
Author: 网普科技 (网普管理员, forum administrator)
Title: How To: Secure your new RedHat Server

#1  How To: Secure your new RedHat Server

This is a collection of information on setting up and securing your new RedHat server.

Before we can even start doing any security modifications we have to know and understand how to use SSH.

PuTTY is the best, and free, SSH client.

1) Install & Understand PuTTY
Learn to use SSH
http://the.earth.li/%7Esgtatham/put...t/x86/putty.exe

2) Understand some basic Linux commands. This goes a long way with the rest of the guide because you will have a better 'general' understanding of what each command does.
Basic Shell Commands



Quote:
--------------------------------------------------------------------------------

How do I change directories?
Type: cd <directory name> (Move to another directory)
Type: cd .. (Move back a directory)
How do I check permissions on a file?
Type: ls -l (Will show permissions for all files in directory)
How do I check disk space?
Type: df -m (Will show all free space info for all drives)
How do I see all the files in a directory?
Type: ls
How do I check all running services?
Type: ps -xa
How do I view the contents of a text file?
Type: cat <filename>
How do I edit a file?
Type: pico <filename>
How do I debug a cgi script?
Goto the directory the file is in.
Type: ./filename.cgi
Read outputs, and fix errors based on output read.
How do I execute a program, but send it to the background?
Execute the command normally but add an & at the end of it.
How do I bring a program back from the background?
Type: fg
How do I know what my CPU Information is?
Type: cat /proc/cpuinfo
How do I know what my memory information is? RAM
Type: cat /proc/meminfo
How do I find out information about my hard drives?
Type: fdisk -l

--------------------------------------------------------------------------------


More Basic Shell Commands


Quote:
--------------------------------------------------------------------------------

I just uploaded/moved some files to a customer/user of mine and now they can't modify/rename/delete these files?
This is because you uploaded the files as a different user/root.
Login to your server via SSH & Type: /scripts/chownpublichtmls
Sometimes when moving an account to your WHM account from another
WHM account/server you will get an error that the domain is forbidden.
Login to your server via SSH & Type: /scripts/enablefileprotect
How can I view the status of my Advanced Policy Firewall ? (APF)
Login to your server via SSH & Type: /etc/apf/apf -st
How can I stop my Advanced Policy Firewall ? (APF)
Login to your server via SSH & Type: service apf stop
How can I start my Advanced Policy Firewall ? (APF)
Login to your server via SSH & Type: service apf start
How can I restart CPanel via SSH?
Login to your server via SSH & Type: /etc/rc.d/init.d/cpanel restart
How can I stop BIND / NAMED from SSH?
Login to your server via SSH & Type: /etc/init.d/named stop
How can I start BIND / NAMED from SSH?
Login to your server via SSH & Type: /etc/init.d/named start
How can I force AWSTATS to update?
Login to your server via SSH & Type: /scripts/runlogsnow
How can I find files owned by a customer/user?
Login to your server via SSH & Type: find -user username (replace username with the user's login name)

--------------------------------------------------------------------------------


3) Install a Firewall. This is a guide to install APF. Make sure you enable connections for monitoring if you have any level of SM monitoring. You can find the IP SM supplies in the e-mail from them when you signed up, or start a ticket asking for the spyglass/admin/monitoring IP. (Note, the IP will be in CIDR form, so the slash and the number after it NEED to be there.)
APF Install

Quote:
--------------------------------------------------------------------------------

Make /usr/src the current working directory.
cd /usr/src
Obtain the most current version of APF.
wget http://rfxnetworks.com/downloads/apf-current.tar.gz
Expand the APF tar.gz file.
tar -xvzf apf-current.tar.gz
Remove the tar.gz file.
rm -f apf-current.tar.gz
Locate the APF directory.
ls -la
Look for a directory named apf-#.#/ where #.# represents the version of APF being installed
(APF version 0.8.7 would be in a directory apf-0.8.7/ and version 0.9 would be in a directory named apf-0.9).
Make the APF directory the current working directory.
Use the directory name you located in the ls -la step above.
Note that the numbers will change as new versions are released.
cd apf-0.9
Run the APF install.
sh ./install.sh
Make /etc/apf the current working directory.
cd /etc/apf
Edit the conf.apf file as desired.
pico -w conf.apf

In order for this firewall to work properly you have to edit/add/delete ports.
These ports will allow services such as mail, ftp, and ssh to come in and out of the server.
If you have changed any ports, please modify them below and add/remove as needed.

# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,10000,35000_35999"
Please note that ports 2082 to 2095 are mostly used by cPanel, and port 19638 is only used by
Ensim.

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"


After you have finished editing the ports save the file and test APF.
CTRL-X, Y to save, Enter to confirm
Start APF by typing.
./apf --start
or
service apf start
If APF is functioning properly and you are not locked out edit the conf.apf again
pico -w conf.apf
Set the DEVM parameter to 0
DEVM="0"
Once done, exit and save the file.
CTRL-X, Y to save, Enter to confirm
Restart APF
service apf restart


Enabling connections for server monitoring.
Some service providers that offer monitoring need access to your server, and access without setting off alarms, firewalls etc. is a good thing. Just be careful which IP(s) you put in here.

To allow connections from xx.xx.xx.xx/24
pico -w /etc/apf/allow_hosts.rules
At the very end of the file add this line
xx.xx.xx.xx/24
Of course replace the xx.xx.xx.xx with the IP address provided to you.

--------------------------------------------------------------------------------


4) Install Brute Force Detection, from the makers of APF.
BFD is a modular shell script for parsing applicable logs and checking for authentication failures.
Brute Force Detection

Quote:
--------------------------------------------------------------------------------

Login to your server via SSH as Root.
Type:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
Type:
tar -xvzf bfd-current.tar.gz
Type:
cd bfd*
Now let's install BFD onto the server.
Type:
./install.sh

:: You Should See ::
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
Now we need to edit the configuration file, and set some options.
Don't worry the BFD Configuration isn't hard to edit or understand!
Type: pico -w /usr/local/bfd/conf.bfd
Now we need to find the line to edit:
Press: CTRL-W
Type: ALERT_USR
Change ALERT_USR="0" TO ALERT_USR="1"
Right below that we need to change the email:
Change EMAIL_USR="root" TO EMAIL_USR="you@yoursite.com"
That wasn't too bad; let's save and exit the file.
Press: CTRL-X, then type Y, then hit Enter
Now we have to prevent you from locking yourself out of the server.
Type: pico -w /usr/local/bfd/ignore.hosts
Add any IP address that you want to be ignored from the rules.
If your server provider is doing monitoring add their IP(s) here.
Since you need these IPs open in APF as well, you can copy the IPs you used in APF.
Type: pico -w /etc/apf/allow_hosts.rules
Then scroll down to the bottom and copy those IPs (drag the mouse over them, that's it)
Press: CTRL-X
Type: pico -w /usr/local/bfd/ignore.hosts
Paste those IPs to the bottom. You should also add your home IP if you hadn't done so before.
If your home IP is dynamic this is not a good idea, and you should get a static IP.
Press: CTRL-X then Y to save then enter.
Now let's run BFD!
Type: /usr/local/sbin/bfd -s

--------------------------------------------------------------------------------



5) Disable Direct Root Login. This will force you to log in as another user (in cPanel the user must be in the wheel group), and then su to root. This helps deny 'wanna-be' hackers.
Disable Root Login


Quote:
--------------------------------------------------------------------------------

If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

Set up anotheruser if you haven't already got one:

a. Type: groupadd anotheruser
b. Type: useradd anotheruser -g anotheruser
c. Type: passwd anotheruser
and enter a password for the new account when prompted.

On a cPanel system, you can (MUST) now go into root WHM and add anotheruser to the wheel group.

After you do this, you will have to log in as anotheruser, then 'su -' to get to root.


--------------------------------------------------------------------------------



6) Disable Telnet Access. Telnet is not secure, and your password is sent in plain text, so don't use it! Disable it forever, and use SSH instead.
Disable Telnet

Quote:
--------------------------------------------------------------------------------

Disabling Telnet Access
Telnet should be disabled, and you should use SSH. Telnet sends passwords in plain text, and 'crackers/hackers' can obtain these passwords easily compared to SSH, and then take over your dedicated web server.


Type: pico -w /etc/xinetd.d/telnet
Change the disable = no line to
disable = yes.
CTRL+X, then Y, then Enter to save the file.
Restart xinetd with:
/etc/rc.d/init.d/xinetd restart


--------------------------------------------------------------------------------


7) Force SSH Protocol 2.
Force SSH Protocol 2


Quote:
--------------------------------------------------------------------------------

Force the use of SSH protocol 2
SSH Protocol 1 based systems are facing many automated "root kits".
As a result, to step up security, Protocol 2 should be enabled as soon as possible.
The reason to use SSH Protocol 2 on your dedicated webserver is that it is more secure.

Type: pico -w /etc/ssh/sshd_config
If pico is not installed and you receive an error, install PICO first.
Find the line: #Protocol 2, 1
Uncomment it and change it to look like:
Protocol 2
CTRL+X, then Y, then Enter to save the file.
Now Restart SSH with
/etc/rc.d/init.d/sshd restart
(If the above restart does not work you will need to login to WHM as root
and restart the service.)

--------------------------------------------------------------------------------



8) Install CHKROOTKIT.
CHKROOTKIT is a shell script that checks system binaries for rootkit modification, then notifies you.
CHKROOTKIT


Quote:
--------------------------------------------------------------------------------

chkrootkit: shell script that checks system binaries for rootkit modification.

The following tests are made:
aliens asp bindshell lkm rexedcs sniffer wted w55808 scalper slapper z2 amd basename biff chfn chsh cron date du dirname echo egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf init identd killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute vdir w write


Login to your server as root. (SSH)
Type:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
Type:
tar xvzf chkrootkit.tar.gz
Change to new directory
cd chkrootkit*
Compile It
make sense
Now give it a test.
./chkrootkit
Everything should read not found, and/or not infected
This is a GOOD thing!



--------------------------------------------------------------------------------

How-To make chkrootkit e-mail you daily.




Login to your server as root. (SSH)
Type:
crontab -e
Add this line to the top:
0 1 * * * (cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" root)
This will run CHKROOTKIT at 1am every day, and e-mail the output to root.
If you are in PICO
CTRl-X, Y, Enter to save and exit


--------------------------------------------------------------------------------



Posted 2004-10-13 12:19 PM
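The sshd, xinetd and APF allow-list steps of the guide above (steps 3, 5, 6 and 7), as an added example that is not part of the original post and not code from APF or cPanel. It is a set of POSIX sh helpers that check and apply those settings, run here against constructed copies of the config files in a temporary directory so nothing on a live server is touched; pass the real paths (/etc/ssh/sshd_config, /etc/xinetd.d/telnet, /etc/apf/allow_hosts.rules) to use it for real. Two things it assumes beyond the post: sshd honours the first uncommented occurrence of a keyword, so the check reads the first match rather than the last; and "PermitRootLogin no" is used as the sshd-side way of doing step 5, alongside the post's WHM/wheel-group approach. 192.0.2.0/24 is a documentation prefix standing in for the monitoring IP.

```shell
#!/bin/sh
# Added example, not code from the original post or from APF/cPanel: POSIX sh
# helpers for the sshd, xinetd and APF allow-list steps of the guide. Runs on
# constructed copies of the config files in a temp directory (assumed paths).
set -u

# valid_cidr ADDR : succeed only for a dotted quad with a prefix length,
# e.g. 192.0.2.0/24. A bare address without "/n" is rejected, which is the
# mistake the guide warns about for monitoring IPs.
valid_cidr() {
    addr="$1"
    case "$addr" in
        */*) ip="${addr%/*}"; prefix="${addr#*/}" ;;
        *)   return 1 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# sshd_option FILE KEY : print the value sshd will use for KEY. sshd takes the
# FIRST uncommented occurrence, so a hardened line appended at the bottom
# while an older one survives above it changes nothing.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$1"
}

# set_sshd_option FILE KEY VALUE : remove every line for KEY, commented out or
# not, then append "KEY VALUE" so it is the only occurrence.
set_sshd_option() {
    f="$1"; k="$2"; v="$3"
    awk -v k="$k" '{
        line = $0
        sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and a leading #
        split(line, w, /[ \t=]+/)
        if (tolower(w[1]) != tolower(k)) print
    }' "$f" > "$f.tmp" && printf '%s %s\n' "$k" "$v" >> "$f.tmp" && mv "$f.tmp" "$f"
}

# xinetd_disabled FILE : succeed if the service stanza says "disable = yes".
xinetd_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# xinetd_disable FILE : flip "disable = no" to "disable = yes" in place.
xinetd_disable() {
    sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no/\1yes/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apf_allow_host FILE CIDR : add CIDR to allow_hosts.rules once, refusing
# anything that is not in a.b.c.d/n form.
apf_allow_host() {
    f="$1"; cidr="$2"
    valid_cidr "$cidr" || { echo "refusing '$cidr': not in a.b.c.d/n form" >&2; return 1; }
    grep -qxF "$cidr" "$f" 2>/dev/null || printf '%s\n' "$cidr" >> "$f"
}

# --- constructed sample files, not copied from any real server ---
TMP=$(mktemp -d)
cat > "$TMP/sshd_config" <<'EOF'
#Protocol 2,1
Protocol 2,1
PermitRootLogin yes
X11Forwarding no
EOF
cat > "$TMP/telnet" <<'EOF'
service telnet
{
        disable = no
        socket_type     = stream
}
EOF
: > "$TMP/allow_hosts.rules"

set_sshd_option "$TMP/sshd_config" Protocol 2
set_sshd_option "$TMP/sshd_config" PermitRootLogin no      # sshd-side form of step 5
xinetd_disable "$TMP/telnet"
apf_allow_host "$TMP/allow_hosts.rules" 192.0.2.0/24       # stands in for the monitoring IP
apf_allow_host "$TMP/allow_hosts.rules" 192.0.2.0 || true  # rejected: no prefix length

echo "Protocol:        $(sshd_option "$TMP/sshd_config" Protocol)"
echo "PermitRootLogin: $(sshd_option "$TMP/sshd_config" PermitRootLogin)"
xinetd_disabled "$TMP/telnet" && echo "telnet: disabled"
echo "allow_hosts.rules:"; cat "$TMP/allow_hosts.rules"
```

After running it, `sshd_option` reports Protocol 2 and PermitRootLogin no, the telnet stanza reads disable = yes, and allow_hosts.rules holds the one CIDR entry; the bare address is refused rather than silently written as a line APF will not match.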
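The core of what step 4's Brute Force Detection does, as an added example that is not part of the original post and not BFD's own code. It counts sshd authentication failures per source address in a syslog-style auth log (assumed to be RedHat's /var/log/secure format), honours an ignore list in the spirit of BFD's ignore.hosts (assumed here to be one IP or CIDR per line, with # comments), and prints every address at or above a threshold, one per line, in the form APF's deny_hosts.rules takes. The log lines, hosts and addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original post and not BFD's own code: count
# sshd login failures per source IP in an auth log, skip ignored hosts/CIDRs,
# and print addresses at or above a threshold. Log lines below are constructed.
set -u

# brute_force_ips LOG IGNORE_FILE THRESHOLD : print offending IPs, sorted.
brute_force_ips() {
    awk -v threshold="$3" -v ignore="$2" '
        function ip2int(s,  p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        # true if ip is listed in the ignore file, as an exact IP or inside a CIDR block
        function ignored(ip,  entry, parts, shift) {
            for (entry in skip) {
                if (index(entry, "/") == 0) { if (entry == ip) return 1; continue }
                split(entry, parts, "/")
                shift = 2 ^ (32 - parts[2])     # divide out the host bits, compare network bits
                if (int(ip2int(ip) / shift) == int(ip2int(parts[1]) / shift)) return 1
            }
            return 0
        }
        BEGIN {
            while ((getline line < ignore) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") skip[line] = 1
            }
        }
        # lines sshd logs for a bad password or an unknown user; the source is the word after "from"
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "" && !ignored(ip)) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip }
    ' "$1" | sort
}

# --- constructed sample input (documentation addresses, invented host) ---
LOGDIR=$(mktemp -d)
cat > "$LOGDIR/secure" <<'EOF'
Oct 13 12:19:01 web1 sshd[1234]: Failed password for root from 198.51.100.7 port 40001 ssh2
Oct 13 12:19:03 web1 sshd[1234]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct 13 12:19:05 web1 sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Oct 13 12:19:07 web1 sshd[1236]: Invalid user test from 198.51.100.7
Oct 13 12:19:09 web1 sshd[1237]: Failed password for root from 203.0.113.9 port 40010 ssh2
Oct 13 12:19:11 web1 sshd[1238]: Failed password for bob from 192.0.2.44 port 40020 ssh2
Oct 13 12:19:13 web1 sshd[1238]: Failed password for bob from 192.0.2.44 port 40021 ssh2
Oct 13 12:19:15 web1 sshd[1238]: Failed password for bob from 192.0.2.44 port 40022 ssh2
Oct 13 12:19:17 web1 sshd[1239]: Accepted password for bob from 192.0.2.44 port 40023 ssh2
EOF
cat > "$LOGDIR/ignore.hosts" <<'EOF'
# monitoring / admin networks that must never be banned (same entries as allow_hosts.rules)
192.0.2.0/24
EOF
: > "$LOGDIR/empty.hosts"

echo "ban candidates (3+ failures, ignore list applied):"
brute_force_ips "$LOGDIR/secure" "$LOGDIR/ignore.hosts" 3
```

With the threshold at 3 only 198.51.100.7 is reported: it has four failures, 203.0.113.9 has one, and 192.0.2.44 also has three but sits inside the ignored 192.0.2.0/24 block, which is why the guide has you copy the same IPs into both allow_hosts.rules and ignore.hosts.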