New Hosting Server Checklist

Below are some basic guidelines on setting up new hosting servers. This is only a starting point of reference; you should know what you are doing, otherwise it is highly advisable to get an expert to set up and secure the server:

Synopsis:

  • Scan server with tools such as netstat, nmap, nessus etc...
  • Disable services not required.
  • Remove packages not required.
  • Update all other packages.
  • Secure Incoming and Outgoing ports.
  • Move SSH to a different port and disable direct root login.
  • Enable Antidos and BruteForce Detection.
  • Scan for rootkits and setup daily reporting.
  • Secure tmp and tmpfs.
  • Secure binaries, paths and profiles.
  • Secure Apache and PHP, and configure them to expose minimum info about the applications used.
  • Secure Ftp via TLS/SSL connection.
  • ...

  1. Set up the server hostname and point the DNS A record to the IP.

    Plesk setup:

    • Change the 'Full hostname' field at 'Plesk CP'->'Server'->'Server preferences' page. Plesk will update its database and all needed configuration files such as /etc/hosts, /etc/sysconfig/network, /var/qmail/control/me, etc...

    Cpanel setup:

    • Run `/usr/local/cpanel/cpkeyclt` after updating the hostname to regenerate a valid key for cpanel.
      Note: Stop apf before running cpkeyclt.
  2. Set up the server's root email alias.

    Plesk setup:

    • Log in to the Plesk control panel and set the admin contact email address for the server, which should update the "/var/qmail/alias/.qmail-root" file and add an alias for root.
    • Either add the hostname (FQDN) to the qmail control locals file or to the virtualdomains file located in "/var/qmail/control/".

    Cpanel setup:

    • Log in to cPanel -> Server Contacts -> Change System Mail Preferences.
    • Direct nobody and cpanel email to root, and root's email to admin.

  3. Secure FTP with TLS/SSL:
    • ProFTPD is configured to use TLS/SSL and requires a client with TLS/SSL support for a secure connection.
          <IfModule mod_tls.c>
              TLSEngine on
              TLSLog /var/log/proftpd/tls.log
              TLSProtocol TLSv1

              # Are clients required to use FTP over TLS when talking to this server?
              TLSRequired off

              # Server's certificate
              TLSRSACertificateFile /etc/pki/tls/proftpd/server.cert.pem
              TLSRSACertificateKeyFile /etc/pki/tls/proftpd/server.key.pem

              # CA the server trusts
              #TLSCACertificateFile /etc/pki/tls/proftpd/root.cert.pem

              # Authenticate clients that want to use FTP over TLS?
              TLSVerifyClient off

              # Allow SSL/TLS renegotiations when the client requests them, but
              # do not force the renegotiations.  Some clients do not support
              # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
              # clients will close the data connection, or there will be a timeout
              # on an idle data connection.
              TLSRenegotiate required off
          </IfModule>
         
    • Generate self-signed cert and key via:
                # openssl req -new -x509 -days 3650 -nodes -out server.cert.pem -keyout server.key.pem
               
  4. Turn off anonymous ftp:

    Cpanel setup:

    • Log in to cPanel -> Service Configuration -> FTP Configuration.
  5. Remove unnecessary modules:

    Plesk setup:

    • Remove unused Plesk modules through the plesk GUI
      1. Acronis True Image Server Management
      2. Battlefield 1942 Server Manager
      3. Battlefield 2 Server Manager
      4. Counter-Strike Game Server
      5. Firewall -- if using a custom firewall.
      6. Remote Admin for SiteBuilder3
      7. Samba Fileserver Configuration
      8. Virtual Private Networking
    • Update Plesk to latest version using the plesk GUI (only select those components which are installed)
  6. Secure SSH:
    • Only use protocol 2.
    • Disable direct root login.
    • Change the port number.
    • Reduce LoginGraceTime to 20 seconds.
    • Set MaxStartups to 10:30:60.
    • Only allow specific users SSH access with "AllowUsers".
    • Only allow specific users to "su", enforced through PAM.
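    The following is an added example, not part of the original checklist: a small POSIX sh audit that reads an sshd_config and reports whether the step 6 settings (Protocol, PermitRootLogin, Port, LoginGraceTime, MaxStartups, AllowUsers) are in place. The function names and the sample config are hypothetical; Match blocks are ignored, so every keyword is read as if it were global.

```shell
#!/bin/sh
# Added example (not part of the checklist): audit an sshd_config against the
# step 6 settings. Function names are hypothetical. Match blocks are ignored,
# i.e. every keyword is read as if it were global, and like sshd the FIRST
# occurrence of a keyword wins.

# sshd_value FILE KEYWORD -> first uncommented value for KEYWORD (case-insensitive)
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        !seen && tolower($1) == tolower(key) {
            v = $2; for (i = 3; i <= NF; i++) v = v " " $i; seen = 1 }
        END { print v }' "$1"
}

# check_sshd_config FILE -> prints findings, returns 1 if any check fails
check_sshd_config() {
    f="$1"; rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    [ "$(sshd_value "$f" Protocol)" = "2" ]         || fail "Protocol must be 2"
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] || fail "PermitRootLogin must be no"
    case "$(sshd_value "$f" Port)" in
        ""|22) fail "Port should be moved off 22" ;;
    esac
    grace=$(sshd_value "$f" LoginGraceTime); grace=${grace%s}   # accept "20" or "20s"
    case "$grace" in
        ""|*[!0-9]*) fail "LoginGraceTime must be given in seconds" ;;
        *) [ "$grace" -le 20 ] || fail "LoginGraceTime must be <= 20 (is $grace)" ;;
    esac
    [ "$(sshd_value "$f" MaxStartups)" = "10:30:60" ] || fail "MaxStartups must be 10:30:60"
    [ -n "$(sshd_value "$f" AllowUsers)" ]            || fail "AllowUsers must list the permitted accounts"

    [ "$rc" -eq 0 ] && echo "OK: $f passes the step 6 checks"
    return "$rc"
}

# Constructed sample config (not from any real server) for a demonstration run
sample_sshd_config() {
    printf '%s\n' '# constructed sample' 'Protocol 2' 'Port 2022' \
        'PermitRootLogin no' 'LoginGraceTime 20' 'MaxStartups 10:30:60' \
        'AllowUsers admin ops'
}

tmp=$(mktemp) && sample_sshd_config > "$tmp"
check_sshd_config "$tmp" || true    # prints "OK: ... passes the step 6 checks"
rm -f "$tmp"
```

    On a live host run `check_sshd_config /etc/ssh/sshd_config` after editing; a non-zero exit means at least one step 6 setting is still missing.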
  7. Install and set up APF with Antidos.

    Antidos setup:

    • Edit "/etc/apf/conf.apf"
              USE_AD="1"
             
    • Edit "/etc/apf/ad/conf.antidos"
              LP_KLOG="1"
              USR_ALERT="1"
              USR="root"
             
    • Add to "/etc/crontab"
              # Antidos
              */2 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1
             

    Cpanel setup:

    • Below are the Ingress and Egress ports for cpanel:
              IG_TCP_CPORTS="21,22,23,25,53,80,110,143,443,993,995,2082,2083,2086,2087,2095,2096"
              IG_UDP_CPORTS="53"
              EG_TCP_CPORTS="21,25,43,80,443"
              EG_UDP_CPORTS="20,21,53"
             
    • port specifics:
              20 ftp tcp inbound/outbound
              21 ftp tcp,udp inbound/outbound
              22 ssh tcp inbound
              25 smtp tcp inbound/outbound
              26 smtp tcp inbound/outbound
              37 rdate tcp outbound
              43 whois tcp outbound
              53 DNS tcp/udp inbound/outbound
              (inbound is only needed if you run your own public DNS server)
              80 http tcp inbound/outbound
              110 pop3 tcp inbound
              113 ident tcp outbound
              143 imap4 tcp inbound
              443 https tcp inbound
              465 smtp tls/ssl tcp/udp inbound/outbound
              873 rsync tcp/udp outbound
              993 imap4 ssl tcp inbound
              995 pop3 ssl tcp inbound
              2077 webdav tcp/udp inbound/outbound
              2078 webdav ssl tcp/udp inbound/outbound
              2082 cpanel tcp inbound
              2083 cpanel ssl tcp inbound
              2086 whm tcp inbound
              2087 whm ssl tcp inbound
              2089 cp licence tcp outbound
              2095 Webmail tcp inbound
              2096 Webmail SSL tcp inbound
              3306 mysql tcp (only if you need to connect remotely)
              6666 chat tcp inbound
             

    Plesk Setup:

    • Open the common inbound and outbound ports.
              IG_TCP_CPORTS="21,25,53,80,110,143,443,465,993,995,2022,8443"
              IG_UDP_CPORTS="53"
              EG_TCP_CPORTS="21,25,53,80,443,43,465"
              EG_UDP_CPORTS="20,21,53"
             
    • Change ssh helper port:
              HELPER_SSH_PORT="2022"
             
    • Allow for plesk key updates in allow_hosts.rules:
              # Plesk key update
              # need to be able to connect to ka.swsoft.com
              out:d=5224:d=64.131.90.38
             
  8. Install and set up BFD.
    • Integrated with APF.
    • Daily scan report.
              USR_ALERT="1"
              USR="root"
             
  9. Install and set up rkhunter for daily reporting.
    • Edit rkhunter.conf to allow for certain hidden directories and files as needed:
              ALLOWHIDDENDIR=/dev/.udev
              ALLOWHIDDENFILE=/etc/.pwd.lock
             
    • Edit cronjob at /etc/cron.daily/01-rkhunter to do version checking and database update.
              #!/bin/sh
              # Check for a new rkhunter version and update its database, then run the
              # scan (--rwo: report warnings only) and mail the combined output to root.
              # Double quotes are needed so that $(hostname) is actually expanded.
              (
              /usr/bin/rkhunter --versioncheck --update
              /usr/bin/rkhunter --cronjob --rwo
              ) | /bin/mail -s "rkhunter Daily Run on $(hostname)" root
            
  10. Secure tmp and tmpfs mounts:
    • Secure "/tmp", "/var/tmp".
                #!/bin/bash
                # secure_tmp.sh -- move /tmp onto a loop-mounted ext3 image with
                # noexec,nosuid,nodev and make /var/tmp a symlink to it. Run as root.
                # Note: if /dev is a tmpfs populated by udev, a file under /dev does
                # not survive a reboot; use a path on a persistent filesystem instead.
                # 300 MB backing file for the new /tmp filesystem
                dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=300000
                /sbin/mke2fs -j /dev/tmpMnt
                # stop services that hold files in /tmp before swapping it out
                service httpd stop
                service mysqld stop
                service postgresql stop
                service spamassassin stop
                cp -a /tmp /tmp.orig
                mount -o loop,noexec,nosuid,nodev,rw /dev/tmpMnt /tmp
                chmod 1777 /tmp
                # "/." copies dot-files (e.g. .ICE-unix) too, which "/*" would skip
                cp -a /tmp.orig/. /tmp/
                cp -a /var/tmp/. /tmp/
                rm -rf /var/tmp
                ln -s /tmp /var/tmp
                service spamassassin start
                service postgresql start
                service mysqld start
                service httpd start
                # make the mount persistent across reboots
                echo "/dev/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev,rw 0 0" >> /etc/fstab
                mount -o remount /tmp
               
    • Secure /dev/shm with noexec and nosuid mount option in "/etc/fstab".
                tmpfs /dev/shm tmpfs noexec,nosuid,nodev 0 0
               
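    The following is an added example, not part of the original checklist: a POSIX sh check that reads a mount table in /proc/mounts format and verifies that /tmp and /dev/shm carry the noexec, nosuid and nodev options from step 10. Function names and the sample mount table are hypothetical; /var/tmp is not checked on its own because step 10 makes it a symlink to /tmp.

```shell
#!/bin/sh
# Added example (not part of the checklist): verify the step 10 mount options.
# Reads a file in /proc/mounts format (device mountpoint fstype options dump pass);
# pass /proc/mounts on a live host, or the constructed sample below. Names are
# hypothetical. /var/tmp is not checked separately because step 10 makes it a
# symlink to /tmp.

# mount_has_opts FILE MOUNTPOINT OPT...  -> 0 if MOUNTPOINT carries every OPT,
# 1 if an option is missing, 2 if MOUNTPOINT is not a mount point at all
mount_has_opts() {
    f="$1"; mp="$2"; shift 2
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$f")   # last mount wins
    [ -n "$opts" ] || return 2
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_tmp_mounts FILE -> report on /tmp and /dev/shm, non-zero if either fails
check_tmp_mounts() {
    rc=0
    for mp in /tmp /dev/shm; do
        if mount_has_opts "$1" "$mp" noexec nosuid nodev; then
            echo "OK:   $mp is mounted noexec,nosuid,nodev"
        else
            echo "FAIL: $mp is missing noexec/nosuid/nodev or is not a separate mount"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed /proc/mounts sample: /tmp done per step 10, /dev/shm still executable
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext3 rw,data=ordered 0 0' \
        '/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev,data=ordered 0 0' \
        'tmpfs /dev/shm tmpfs rw 0 0'
}

m=$(mktemp) && sample_mounts > "$m"
check_tmp_mounts "$m" || true    # /tmp passes, /dev/shm fails
rm -f "$m"
```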
  11. Secure paths, binaries and profiles with LES:
    • Also add the binaries below to "sec_bin" in the "/usr/local/les/opt.dat" file.
                /usr/bin/lwp-download
                /usr/bin/GET
                /usr/bin/curl
              
    • Add daily cron to secure environments.
                #!/bin/bash
                # les
                /usr/local/sbin/les --secure-bin 1 >> /dev/null 2>&1
                /usr/local/sbin/les --secure-path 1 >> /dev/null 2>&1
                /usr/local/sbin/les --secure-prof 1 >> /dev/null 2>&1
               
  12. Disable services that are not needed via `chkconfig {package_name} off`
    • gpm -- mouse
    • mdmonitor -- monitor raid devices
    • netfs -- nfs, samba etc...
    • autofs -- automount, nfs, usb, cd etc...
    • kudzu -- detect new hardware
    • restorecond -- monitor selinux file context
    • mcstrans -- mandatory access control selinux translation
  13. Yum update and configs:

    Plesk setup:

    • Exclude kernel for yum updates (/etc/yum.conf).
                  exclude=kernel*
                 
    • Set yum-updatesd (/etc/yum/yum-updatesd.conf) to check only once per 24 hours and send an email notification:
                  run_interval = 86400
                  updaterefresh = 3600
                  emit_via = email
                  dbus_listener = no
                  email_to = root
                  email_from = root
                 
    • Do a yum update of all packages.
  14. Set up and optimize httpd.conf.
    Timeout 60
    KeepAlive On
    MaxKeepAliveRequests 100
    KeepAliveTimeout 5

    StartServers       3
    MinSpareServers    3
    MaxSpareServers   8
    MaxClients       50
    MaxRequestsPerChild  512

    ServerTokens Prod
    HostnameLookups Off
    ServerSignature Off
  15. Set up, secure and optimize php.ini.
    • These PHP settings may need to be relaxed if an application requires it.

          ; compress data
          output_handler = ob_gzhandler
          ; problematic php variables
          disable_functions = "phpinfo,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system"
          ; Disable URLs for file handling functions
          allow_url_fopen = Off
          ; Disable globals
          register_globals = Off
          ; Restrict access to environment variables
          safe_mode_allowed_env_vars = PHP_
          ; Max script execution time
          max_execution_time = 30
          ; Max time spent parsing inputs
          max_input_time = 60
          ; Max memory size used by one script
          memory_limit = 16M
          ; Max upload file size
          upload_max_filesize = 2M
          ; Max post size
          post_max_size = 8M
          ; Do not show errors on screen
          display_errors = Off
          ; Log errors to log file
          log_errors = On
          ; Hide presence of PHP
          expose_php = Off
         

  16. Set up and optimize my.cnf.

    Create the mysqld.slow.log file and set its SELinux context.

            # touch /var/log/mysqld.slow.log
            # chcon --reference=/var/lib/mysql /var/log/mysqld.slow.log
           

    cPanel setup:

    • InnoDB is needed by Horde.
    • Comment out "#basedir=/var/lib" under mysql.server
      (not necessary in 11)
    • "pid-file=/var/lib/mysql/{FQDN}.pid" under mysqld_safe
      (not necessary in 11, as it auto-picks up the hostname)
      Note: If changing hostnames, stop MySQL first, or kill all mysql PIDs and start MySQL manually.
    • Comment out "#err-log=/var/log/mysqld.log" under mysqld_safe

  17. Install and set up eaccelerator.

    cPanel setup:

    • phpize is located at /usr/local/bin/phpize
    • php.ini is located at /usr/local/lib/php.ini
    • Install:
              # export PHP_PREFIX="/usr/local"
              # $PHP_PREFIX/bin/phpize
              # ./configure --enable-eaccelerator=shared --with-php-config=$PHP_PREFIX/bin/php-config
              # make
              # make install
             
    • Copy contents of eaccelerator.ini to /usr/local/lib/php.ini in the Dynamic Extensions section:
              zend_extension="/usr/local/lib/php/extensions/no-debug-non-zts-20020429/eaccelerator.so"
              eaccelerator.shm_size = "0"
              eaccelerator.cache_dir = "/var/cache/eaccelerator"
              eaccelerator.enable = "1"
              eaccelerator.optimizer = "1"
              eaccelerator.debug = 0
              eaccelerator.log_file = "/var/log/httpd/eaccelerator_log"
              eaccelerator.name_space = ""
              eaccelerator.check_mtime = "1"
              eaccelerator.filter = ""
              eaccelerator.shm_max = "0"
              eaccelerator.shm_ttl = "3600"
              eaccelerator.shm_prune_period = "0"
              eaccelerator.shm_only = "0"
              eaccelerator.compress = "1"
              eaccelerator.compress_level = "9"
              eaccelerator.keys     = "shm_and_disk"
              eaccelerator.sessions = "shm_and_disk"
              eaccelerator.content  = "shm_and_disk"
              eaccelerator.allowed_admin_path = "/var/www/html/eaccelerator/index.php"
             
    • Prepare:
              # mkdir /var/cache/eaccelerator
              # chown nobody:nobody /var/cache/eaccelerator
              # mkdir /var/www/html/eaccelerator
              # cp control.php /var/www/html/eaccelerator/index.php
             
    • Change the admin user and password in the control file.
    • Add an include line to the eaccelerator.conf file in httpd.conf
              Include /etc/httpd/conf.d/eaccelerator.conf
             
    • eaccelerator.conf
      Alias /eaccelerator /var/www/html/eaccelerator

      <Location /eaccelerator>
          Order deny,allow
          Deny from all
          Allow from localhost
          # Allow from .example.com
          Allow from xx.xx.xx.xx

          # Basic Authentication
          AuthUserFile /var/www/.htpasswd
          AuthGroupFile /var/www/.htgroup
          AuthName "Protected"
          AuthType Basic
          <Limit GET>
            require group  administrator
          </Limit>

          # "satisfy any" - prompt for a password for anyone whose IP is not listed in Allow.
          # "satisfy all" - visitor needs an IP listed in Allow AND must provide a valid user/pass.
          satisfy any

      </Location>

             

  18. Install and set up mrtg to graph Apache hits and processes.

    cPanel setup:

    • Add include line in httpd.conf after installing mrtg.
            Include /etc/httpd/conf.d/mrtg.conf
           
  19. Install and set up vpsinfo.
  20. Install and set up SIM.
  21. Install and set up awstats/webalizer.
  22. Install and set up SPRI.
  23. Install and set up PRM -- set up email notification.
  24. Restrict recursion in BIND:

    NOTE: If using bind-chroot, the named.conf is located at "/var/named/chroot/etc/named.conf".

    Add the following to the options block so that recursion is only allowed from the main IP, the secondary IP and localhost.

          options {
                  ...
                  allow-recursion { 127.0.0.1; xx.xx.xx.xx; xx.xx.xx.xx; };
          };
         

  25. Stop logging lame servers in BIND:

    cPanel setup:

    • Edit /etc/named.conf and add the below lines just below the options:
              logging {
                category notify { null; };
                category lame-servers { null; };
              };
             
