Linux Hardening & Security (cP/WHM + Apache)

[Nytro]

=======================================

|-----------:[iNFO]:------------------|

|-------------------------------------|

| Title: "Linux Hardening & Security" |

| Author: Krun!x | QK |

| E-Mail: only4lul@gmail.com |

| Home: madspot.org | ljuska.org |

| Date: 2009-06-20 |

=======================================

Content:

1) Intruduction

2) cP/WHM Installation and cP/WHM Configuration

3) The server and it's services | PHP Installation, Optimization & Security

4) Kernel Hardening | Linux Kernel + Grsecurity Patch

5) SSH

6) Firewall | DDoS Protection

7) Mod_Security

8) Anti-Virus - ClamAV

9) Rootkit

10) The Rest of Shits

===================

| 1) Intruduction |

===================

I wrote a step by step paper how to secure linux server with cP/WHM and

Apache installed. By default, linux is not secured enough but you have

to understand there is no such thing as "totally secured server/system".

The purpose of this paper is to understand how to at least provide some

kind of security to the server. I prefer lsws web-server without any

Control Panel at all but for this paper I have used CentOS 5 with cP/WHM

and Apache web-server installed since a lot of hosting compaines and

individuals are using it.

Let's start

So, you bought the server with CentOS 5 installed. If you ordered cP/WHM together with the server you can skip 2.1 step

============================================

| 2) cP/WHM installation and configuration |

============================================

2.1) cP/WHM Installation

To begin your installation, use the following commands into SSH:

root@server [~]# cd /home

root@server [/home]# wget http://layer1.cpanel.net/latest

root@server [/home]# ./latest

-----------------------------------------------------------------------------------------------------

cd /home - Opens /home directory

wget http://layer1.cpanel.net/latest - Fetches the latest installation file from the cPanel servers.

./latest - Opens and runs the installation files.

------------------------------------------------------------------------------------------------------

cP/WHM should be installed now. You should be able to access cP via

http://serverip:2082(SSL-2083) or http://serverip/cpanel and WHM via

http://serverip:2086(SSL-2087) or http://serverip/whm. Let's configure

it now.

2.2) cP/WHM Configuration

Login to WHM using root username/passwd

serverip or http://serverip/whm

WHM - Server setup - Tweak Security:

-------------------------------------

Enable open_basedir protection

Disable Compilers for all accounts(except root)

Enable Shell Bomb/memory Protection

Enable cPHulk Brute Force Protection

WHM - Account Functions:

-------------------------

Disable cPanel Demo Mode

Disable shell access for all accounts(except root)

WHM - Service Configuration - FTP Configuration:

-------------------------------------------------

Disable anonymous FTP access

WHM - MySQL:

-------------

Set some MySQL password(Don't set the same password like for the root access)

-If you don't set MySQL password and if someone upload shell(E.G c99) on

some site on server he will be able to login into the DB with username

"root" without password and delete/edit/download any db on that server

WHM - Service Configuration - Apache Configuration - PHP and SuExec Configuration

--------------------

Enable suEXEC - suEXEC = On

When PHP runs as an Apache Module it executes as the user/group of the

webserver which is usually "nobody" or "apache". suEXEC changes this so

scripts are run as a CGI. Than means scripts are executed as the user

that created them. With suEXEC script permissions can't be set to

777(read/write/execute at user/group/world level)

===============================================================================

| 3) The server and it's services | PHP Installation, Optimization & Security |

===============================================================================

3.1) Keep all services and scripts up to date and be sure that you running the latest secured version.

On CentOS type this into SSH to upgrade/update services on the server.

[root@server ~]# yum upgrade

or

[root@server ~]# yum update

3.2) PHP Installation/Update, configuration and optimization + Suhosin patch

First download what you need, type into SSH the following:

root@server [~]# cd /root

root@server [~]# wget http://www.php.net/get/php-5.2.9.tar.bz2/from/this/mirror

root@server [~]# wget http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz

root@server [~]# wget http://download.suhosin.org/suhosin-0.9.27.tgz

Untar PHP

root@server [~]# tar xvjf php-5.2.9.tar.bz2

Patch the source

root@server [~]# gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0

Configure the source. If you want to use the same config as you used for

the last php build it's not a problem but you will have to add

enable-suhosin to old config. To get an old config type this into SSH:

root@server [~]# php -i | grep ./configure

root@server [~]# cd php-5.2.9

root@server [~/php-5.2.9]# ./configure --enable-suhosin + old config(add old config you got from "php -i | grep ./configure" here)

root@server [~/php-5.2.9]# make

root@server [~/php-5.2.9]# make install

Note: If you get an error like make: command not found or patch: Command

not found, you will have to install "make" and "patch". It can be done

easly. Just type this into SSH:

root@server [~]# yum install make

root@server [~]# yum install patch

Now check is everything as you want. Upload php script like this on the server:

<?php

phpinfo();

?>

And open it via your browser and you will see your PHP configuration there

3.3) Suhosin

Now we can install suhosin patch to get better security and performance.

root@server [~]# tar zxvf suhosin-0.9.27.tgz

root@server [~]# cd suhosin-0.9.27

root@server [~/suhosin-0.9.27]# phpize

root@server [~/suhosin-0.9.27]# ./configure

root@server [~/suhosin-0.9.27]# make

root@server [~/suhosin-0.9.27]# make install

After you installed suhosin you will get something like this: It's installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

Now edit your php.ini. If you don't know where php.ini located it, type this into SSH.

root@server [~]# php -i | grep php.ini

Configuration File (php.ini) Path => /usr/local/lib

Loaded Configuration File => /usr/local/lib/php.ini

It means you have to edit /usr/local/lib/php.ini

Type into SHH:

root@server [~]# nano /usr/local/lib/php.ini

If you get an error, nano: Command not found, then:

root@server [~]# yum install nano

Find "extension_dir =" and add:

extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/

To save it, CTRL + O and then Enter button.

3.4)

We will install Zend Optimizer to get better perfomance:

Download Zend Optimizer from Zend Guard - Protect Your IP & Generate More Revenue - Zend.com

root@server [~]# tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz

root@server [~]# cd ZendOptimizer-3.3.3-linux-glibc23-i386

root@server [~/ZendOptimizer-3.3.3-linux-glibc23-i386]# ./install.sh

Welcome to Zend Optimizer installation..... - Press Enter button

Zend licence agreement... - Press Enter button

Do you accept the terms of this licence... - Yes, press Enter button

Location of Zend Optimizer... - /usr/local/Zend, press Enter button

Confirm the location of your php.ini file...- /usr/local/lib, press Enter button

Are you using Apache web-server.. - Yes, press Enter button

Specify the full path to the Apache control utility(apachectl)...-/usr/local/apache/bin/apachectl, press Enter button

The installation has completed seccessfully...- Press Enter button

Now restart apache, type this into SSH:

root@server [~]# service httpd restart

3.5) php.ini & disabled functions

Edit php.ini like this:

root@server [~]# nano /usr/local/lib/php.ini

------------------------------------------------------------

safe_mode = On

expose_php = Off

Enable_dl= Off

magic_quotes = On

register_globals = off

display errors = off

disable_functions = system, show_source, symlink, exec, dl,

shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd

-------------------------------------------------------------

root@server [~]# service httpd restart

Or you can edit php.ini via WHM:

WHM - Service Configuration - PHP Configuration Editor

=========================================================

| 4) Kernel Hardening | Linux Kernel + Grsecurity Patch |

=========================================================

Description : grsecurity is an innovative approach to security utilizing

a multi-layered detection, prevention, and containment model. It is

licensed under the GPL. It offers among many other features:

-An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your

entire system with no configuration

-Change root (chroot) hardening

-/tmp race prevention

-Extensive auditing

-Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)

-Prevention of arbitrary code execution in the kernel

-Randomization of the stack, library, and heap bases

-Kernel stack base randomization

-Protection against exploitable null-pointer dereference bugs in the kernel

-Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs

-A restriction that allows a user to only view his/her processes

-Security alerts and audits that contain the IP address of the person causing the alert

Downloading and patching kernel with grsecurity

root@server [~]# cd /root

root@server [~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.gz

root@server [~]# wget http://www.grsecurity.com/test/grsecurity-2.1.12-2.6.26.5-200809141715.patch

root@server [~]# tar xzvf linux-2.6.26.5.tar.gz

root@server [~]# patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch

root@server [~]# mv linux-2.6.26.5 linux-2.6.26.5-grsec

root@server [~]# ln -s linux-2.6.26.5-grsec/ linux

root@server [~/linux]# cd linux

root@server [~/linux]# cp /boot/config-`uname -r` .config

root@server [~/linux]# make oldconfig

Compile the Kernel:

root@server [~/linux]# make bzImage

root@server [~/linux]# make modules

root@server [~/linux]# make modules_install

root@server [~/linux]# make install

Check your grub loader config, and make sure default is 0

root@server [~/linux]# nano /boot/grub/grub.conf

Reboot the server

root@server [~/linux]# reboot

==========

| 5) SSH |

==========

In order to change SSH port and protocol you will have to edit sshd_config

root@server [~]# nano /etc/ssh/sshd_config

Change Protocol 2,1 to Protocol 2

Change #Port 22 to some other port and uncomment it

Like, Port 1337

There is a lot of script kiddiez with brute forcers and they will try to crack our ssh pass because they know username is root, port is 22

But we were smarter, we have changed SSH port

Also, their "brute forcing" can increase server load, it means our sites(hosted on that server) will be slower

SSH Legal Message

edit /etc/motd, write in motd something like this:

"ALERT! That is a secured area. Your IP is logged. Administrator has been notified"

When someone login into SSH he will see that message:

ALERT! That is a secured area. Your IP is logged. Administrator has been notified

If you want to recieve an email every time when someone logins into SSH as root, edit .bash_profile(It's located in /root directory) and put this at the end of file:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" mail@something.com

And at the end restart SSH, type "service sshd restart" into SSH

=================================

| 6) Firewall | DDoS Protection |

=================================

6.1) Firewall, CSF Installation

root@server [~]# wget http://www.configserver.com/free/csf.tgz

root@server [~]# tar -xzf csf.tgz

root@server [~]# cd csf

In order to install csf your server needs to have some ipt modules

enabled. csftest is a perl script and it comes with csf. You can check

those mudules with it.

root@server [~/csf]# ./csftest.pl

The output should be like this:

root@server [~/csf]# ./csftest.pl

Testing ip_tables/iptable_filter...OK

Testing ipt_LOG...OK

Testing ipt_multiport/xt_multiport...OK

Testing ipt_REJECT...OK

Testing ipt_state/xt_state...OK

Testing ipt_limit/xt_limit...OK

Testing ipt_recent...OK

Testing ipt_owner...OK

Testing iptable_nat/ipt_REDIRECT...OK

No worries if you have no all those mudules enabled, csf will work is

you didn't get any FATAL errors at the end of the output.

Now, get to installation

root@server [~/csf]# ./install.sh

You will have to edit conf.csf file. It's located here:

/etc/csf/csf.conf

You need to edit it like this:

Testing = "0"

And have to configure open ports in conf.csf or you won't be able to

access these ports. In most cases it should be configured like this if

you are using cP/WHM. If you are running something on some other port

you will have to enable it here. If you changed SSH port you will have

to enable a new port here:

# Allow incoming TCP ports

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"

# Allow outgoing TCP ports

TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"

6.2) CSF Connection Limit

There is in csf.conf CT option, configure it like this

CT_LIMIT = "200"

It means every IP with more than 200 connections is going to be blocked.

CT_PERMANENT = "1"

IP will blocked permanent

CT_BLOCK_TIME = "1800"

IP will be blocked 1800 secs(1800 secs = 30 mins)

CT_INTERVAL = "60"

Set this to the the number of seconds between connection tracking scans.

After conf.csf editing you need to restart csf

root@server [~# service csf restart

6.3) SYN Cookies

Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:

-----------------------------------

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

-----------------------------------

root@server [~/]# service network restart

6.4) CSF as security testing tool

CSF has an option "Server Security Check". Go to WHM - Plugins - CSF -

Test Server Security. You will see additional steps how to secure the

server even more. I'm writing only about most important things here and

I covered most of them in the paper but if you want you can follow steps

provided by CSF to get the server even more secured.

6.5) Mod_Evasive

ModEvasive module for apache offers protection against DDoS (denial of service attacks) on your server.

To install it login into SSH and type

---------------------------------------------------------------------------------

root@server [~]# cd /root/

root@server [~]# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

root@server [~]# tar zxf mode_evasive-1.10.1.tar.gz

root@server [~]# cd mod_evasive

then type...

root@server [~/mod_evasive]# /usr/sbin/apxs -cia mod_evasive20.c

---------------------------------------------------------------------------------

When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)

--------------------------------

<IfModule mod_evasive20.c>

DOSHashTableSize 3097

DOSPageCount 2

DOSSiteCount 50

DOSPageInterval 1

DOSSiteInterval 1

DOSBlockingPeriod 10

</IfModule>

--------------------------------

6.6) Random things:

csf -d IP - Block an IP with CSF

csf -dr IP - Unblock an IP with CSF

csf -s - Start firewall rules

csf -f - Flush/stop firewall rules

csf -r - Restart firewall rules

csf -x - Disable CSF

csf -e - Enable CSF

csf -c - Check for updates

csf -h - Show help screen

-Block an IP via iptables

iptables -A INPUT -s 208.131.183.169 -j DROP

-Unblock an IP via iptables

iptables -I INPUT -s IP -j ACCEPT

-See how many IP addresses are connected to the server and how many connections has each of them.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

===================

| 7) Mod_Security |

===================

Mod_Security is a web application firewall and he can help us to secure our sites against RFI, LFI, XSS, SQL Injection etc

If you use cP/WHM you can easly enable Mod_security in WHM - Plugins - Enable Mod_Security and save

Now I will explain how to install Mod_security from source.

You can't install Mod_Security if you don't have libxml2 and http-devel libraries.

Also, you need to enable mod_unique_id in apache modules, but don't worry, I will explain how to do it

Login into SSH and type...

root@server [~]# yum install libxml2 libxml2-devel httpd-devel

libxml2 libxml2-devel httpd-devel should be installed now

then you need to edit httpd.conf file, you can find it here:

root@server [~]# nano /etc/httpd/conf/httpd.conf

You need to add this in your httpd.conf file

LoadModule unique_id_module modules/mod_unique_id.so

Now download the latest version of mod_security for apache2 from ModSecurity: Open Source Web Application Firewall

login into SSH and type...

root@server [~]# cd /root/

root@server [~]# wget SourceForge.net: ModSecurity: Downloading ...

root@server [~]# tar zxf modsecurity-apache_2.5.6.tar.gz

root@server [~]# cd modsecurity-apache_2.5.6

root@server [~/modsecurity-apache_2.5.6]# cd apache2

then type:

root@server [~/modsecurity-apache_2.5.6/apache2]# ./configure

root@server [~/modsecurity-apache_2.5.6/apache2]# make

root@server [~/modsecurity-apache_2.5.6/apache2]# make install

Go at the end of httpd.conf and place an include for our config/rules file...

Include /etc/httpd/conf/modsecurity.conf

---------------------------------------------------------

# /etc/httpd/conf/httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so

LoadFile /usr/lib/libxml2.so

LoadModule security2_module modules/mod_security2.so

Include /etc/httpd/conf/modsecurity.conf

---------------------------------------------------------

You need to find good rules for Mod_Security. You can find them at

official Mod_Security site. Also, give a try to gotroot.com rules. When

you find a good rules, just put them in /etc/httpd/conf/modsecurity.conf

And restart httpd at the end, type "service httpd restart" into SSH

==========================

| 8) Anti-Virus - ClamAV |

==========================

You need AV protection to protect the server against worms and trojans

invading your mailbox and files! Just install clamav (a free open source

antivirus software for linux). More information can be found on clamav

website - Clam AntiVirus

In order to install CLamAV login into SSH and type

root@server [~]# yum install clamav

Once you have installed clamav for your CentOS, here are some basic commands you will need:

Update the antivirus database

root@server [~]# freshclam

Run antivirus

root@server [~]# clamscan -r /home

Running as Cron Daily Job

To run antivirus as a cron job (automatically scan daily) just run

crontab -e from your command line. Then add the following line and save

the file.

@daily root clamscan -R /home

It means clamav will be scanning /home directory every day. You can change the folder to whatever you want to scan.

==============

| 9) Rootkit |

==============

Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools.

This tool scans for rootkits, backdoors and local exploits by running tests like:

-MD5 hash compare

-Look for default files used by rootkits

-Wrong file permissions for binaries

-Look for suspected strings in LKM and KLD modules

-Look for hidden files

-Optional scan within plaintext and binary files

Instalation:

Login into SSH and type

root@server [~]# cd /root/

root@server [~]# wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz

root@server [~]# tar -zxvf rkhunter-1.2.7.tar.gz

root@server [~]# cd rkhunter-1.2.7

root@server [~rkhunter-1.2.7]# ./installer.sh

Scan the server with rkhunter

root@server [~]# rkhunter -c

=========================

| 10) The Rest of Shits |

=========================

10.1) Random suggestions

If you use bind DNS server then we need to edit named.conf file

named.conf is located here: /etc/named.conf

and add

recursion no; under Options

----------------------------

Options{

recursion no;

----------------------------

Now restart bind, type into SSH

root@server [~]# service named restart

This will prevent lookups from dnstools.com and similar services and reduce server load

In order to prevent IP spoofing, you need to edit host.conf file like this:

This file is located here: /etc/host.conf

Add that in host.conf

------------------

order bind,hosts

nospoof on

------------------

Hide the Apache version number:

edit httpd.conf (/etc/httpd/conf/httpd.conf)

-----------------------

ServerSignature Off

-----------------------

Disable telnet:

Edit file: /etc/xinetd.d/telnet

------------------

disable = yes

------------------

10.2) Passwords

Don't use the same password you are using for the server on some other places.

When the Datacenter contacts you via e-mail or phone, always request

more informations. Remember, someone alse could contact you to get some

information or even root passwords.

10.3) Random thoughts

No matter what you need to secure the server, don't think you are safe

only because you are not personally involved in any shits with

"hackers". When you are hosting hacking/warez related sites you are the

target. There is no such thing as totally secured server. Most important

things are backups, make sure you will always have an "up-to-date"

offsite backups ^^

Anyhow, this is the end of my paper, I hope it will help you to get some

kind of security to your server.

-Krun!x

# milw0rm.com [2009-06-29]

[Cheater]

Nu sunt deacord cu a instala apache, php and else din surse, recomand sa fie instalate din repository astfel esti anuntat in cazul in care apare un update si il poti updata usor. Updateurile sunt un punct cheie in securitate!