Ways to toughen security on your server

#1 Sun, 10/14/2007 - 21:24
ah...lifes...good

Ways to toughen security on your server

Through experience, these are some of the ways you could toughen your server security. Feel free to add your suggestions and tips.

1. USE STRONG PASSWORD.

That means having a combination of alphabets (in upper as well as lower-case), numerals and signs. The password should preferably be sufficiently long, e.g. more than 8-10 characters.

Very poor passwords: admin, administrator, root, password, server, mysecretpassword, manager
Poor passwords: 1982, joe72, john69, kingkong
Good passwords: Ml69m2oo!_Dta1, k40c*F#@K\sY24$

One way of creating a tough password that you could remember:

Mandy Likes 69. Me Too! Don't Tell Anyone.... becomes M l 69 M 2oo ! D t a 1

2. INSTALL PATCHES IN A TIMELY FASHION

Subscribe to the announcement lists.

Patch your server software and applications as soon as updates become available. Of course, test them on your development server first to avoid surprises.

3. USE LEIF'S FIREWALL RULES

http://www.virtualmin.com/index.php?option=com_fireboard&Itemid=77&func=...

These rules will reduce probing and hacking attempts.

4. CHANGE YOUR WEBMIN, USERMIN, SSH PORT NO.

Change Webmin's port no. from 10000 to something else
Change Usermin's port no. from 20000 to something else
Change SSH's port no. from 22 to something else

Make sure you change your firewall rules accordingly.

5. USER GROUP FOR SSH ACCESS

You can create a user group and configure SSH server to only allow access to users from the group.

6. TURN OFF ROOT ACCESS

You should turn off root access to the common services. Create another user who has root privileges, and use that login instead.

7. MYSQL USER ACCOUNTS

Insert a password for your MySQL root user. The default is blank.

Delete any unnecessary MySQL user account.

8. TURN OFF SERVICES YOU DON'T USE

For example, if you don't use FTP, turn it off.
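A small audit for steps 4 to 6 of the list above, added here as an example and not part of the original post. It reads the global section of an sshd_config and reports which of the three settings are still missing; the sample configs and the group name `sshusers` are constructed for illustration.

```python
# Constructed sample configs (not taken from the thread).
WEAK = """\
# stock-style config
Port 22
PermitRootLogin yes
"""

HARDENED = """\
Port 2222
PermitRootLogin no
AllowGroups sshusers
Match Group sshusers
    X11Forwarding no
"""

def parse_global(text):
    """Return {keyword: [values]} for the global section (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value"; keywords are
        # case-insensitive.
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()
        if key == "match":
            break                      # conditional blocks are out of scope here
        settings.setdefault(key, []).extend(parts[1:])
    return settings

def audit(text):
    """Return a list of findings for steps 4 (port), 6 (root) and 5 (group)."""
    s = parse_global(text)
    findings = []
    ports = s.get("port", ["22"])      # sshd listens on 22 when Port is absent
    if "22" in ports:
        findings.append("ssh-default-port")
    # sshd keeps the first value it reads for a keyword. When the keyword is
    # absent the build's default applies, so it is flagged rather than guessed.
    root = s.get("permitrootlogin", ["unset"])[0].lower()
    if root != "no":
        findings.append("root-login:" + root)
    if not s.get("allowgroups"):
        findings.append("no-allowgroups")
    return findings
```

Running `sshd -t` after any edit checks the file's syntax before the daemon is restarted.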

Mon, 10/15/2007 - 05:38
jaldeguer

I'd also like to add that, after doing all of those steps you just mentioned, I also add the following to all of my servers.

To stop brute force attacks to SSH:

http://denyhosts.sourceforge.net/

If you want to stop brute force attacks to SSH, FTP, SMTP, Apache, etc.:

http://www.fail2ban.org/wiki/index.php/Main_Page

Host Based Intrusion Detection:

http://www.ossec.net/

Chrooted SFTP with:

http://www.howtoforge.com/mysecureshell_sftp_debian_etch

FTP:

I prefer to use vsftpd, then chroot your users.

A somewhat controversial approach: I block off whole blocks of IPs from countries I get most hacking type attempts from.

Don't forget to inspect your logs.

Finally, have a good backup to recover from in case your box gets owned.
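The counting idea behind the brute-force blockers and the log inspection mentioned in the post above, as an added example that is not part of the original post and is not the code of DenyHosts or fail2ban. It flags a source address once it reaches a number of failed SSH logins inside a sliding time window; the log lines, host name, thresholds and the assumed year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log lines; addresses are from documentation ranges.
SAMPLE = """\
Dec 27 14:01:02 web1 sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Dec 27 14:01:04 web1 sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2
Dec 27 14:01:05 web1 sshd[815]: Accepted password for kato from 198.51.100.7 port 52211 ssh2
Dec 27 14:01:07 web1 sshd[817]: Failed password for root from 203.0.113.5 port 40131 ssh2
Dec 27 14:20:00 web1 sshd[901]: Failed password for kato from 198.51.100.7 port 52300 ssh2
Dec 27 14:45:00 web1 sshd[950]: Failed password for kato from 198.51.100.7 port 52411 ssh2
Dec 27 15:10:00 web1 sshd[990]: Failed password for kato from 198.51.100.7 port 52502 ssh2
"""

# Anchored at line start and strict about the user field, so a login name
# containing spaces cannot smuggle in a fake "from <address>" part.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def brute_force_sources(log, max_fail=3, window=timedelta(minutes=10), year=2007):
    """Return {ip: time the threshold was reached} for sources with
    max_fail failures inside one sliding window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    flagged = {}
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(3)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= max_fail and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

With the default 10-minute window only the rapid source is flagged; widening the window also catches the slow source that spaces its attempts 25 minutes apart.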

Sun, 11/18/2007 - 21:10 (Reply to #2)
flymale

Just the thread I was looking for, except I created one in the General Discussion forum.
I guess I was looking to see what will be integrated in the Virtualmin GPL as the Sentry Tools are now gone.

Meanwhile, to the OP, those steps look awesome. But for newbs like me, a little "How to" for each step would be just fine! For example, doing the chrooting thing, etc.

Sun, 11/18/2007 - 22:51 (Reply to #3)
Joe

> For example, doing the chrooting thing, etc.

While most of the advice is excellent and well worth learning more about, I will point out that I happen to disagree with using chroot as a security tool. It was never intended for such purposes, and it has significant security implications. So, let me be emphatic in saying specifically: I do not recommend running a chrooted ssh environment.

It is a very popular technique, but it only provides illusory security gains while removing very real protections. It's too high a price to pay for security by obscurity.

Actually, security by obscurity is always an illusory gain, though in the case of changing ports, it doesn't hurt anything. (But it also doesn't give you much--port scanners generally recognize Webmin no matter what port it's on, unless you also tweak the headers and such.)

--

Check out the forum guidelines!

Thu, 12/27/2007 - 14:38 (Reply to #4)
kato

> ...though in the case of changing ports, it doesn't hurt anything. (But it also doesn't give you much...

Oh, I disagree. Changing my port on SSH removed 100% of the brute force attacks I receive on an average day.

While it certainly won't stop someone specifically targeting my server, it's stopped almost all the attempts against ssh that I see from scanners; it seems like they only look on the expected port and, when they don't find it, move on to easier fruit.

Thu, 12/27/2007 - 15:10 (Reply to #5)
kato

Sorry, that was entirely greek to my green little ears. Particularly the phrase "module config for module" and "Usermin module of the same name".

Maybe we should start with what I'm doing wrong, and then you give me the dunce cap... I've done the following:

1. Installed virtualmin 3.50 Pro on Ubuntu 6.06.1 (Webmin version 1.380)
2. log into http://domain:10000 as master administrator
3. scanned through the trees, including the following obvious choices:
   a. Virtualmin -> System Settings -> Module Config (nothing here)
   b. Webmin -> Servers -> SSH Server (I set port number here)

After going to 3.a., I did find a "module config" link, which took me to "Configurable options for SSH Server", but there isn't any place to set a port there...

On second thought, I'll go get the dunce cap while I wait...

Thu, 12/27/2007 - 15:15 (Reply to #6)
kato

Let me add that I've seen a similar instruction in the module configuration reference... but I just can't seem to pinpoint how to reach the "Virtualmin Virtual Servers module page"... it's almost like I'm missing links in my tree or... missing the point entirely :(

Thu, 12/27/2007 - 15:27 (Reply to #7)
Joe

> Let me add that I've seen a similar instruction in the module configuration reference... but I just can't seem to pinpoint how to reach the "Virtualmin Virtual Servers module page"... it's almost like I'm missing links in my tree or... missing the point entirely :(

So you're reading docs targeted at Virtualmin running without the Virtualmin Framed Theme. Virtualmin is a Webmin module (a very large, and complex Webmin module with many supporting modules and plugins and themes of its own...but a module of Webmin nonetheless)...and if you install it without switching to the Virtualmin theme, you would browse to it in the Servers tab in Webmin, just like for Apache or BIND or whatever. And it would have a Module config.. link in the upper left corner, just like regular Webmin modules.

But, since you're using the full stack of Virtualmin stuff, you have a menu item just for Virtualmin configuration.

You're not missing any links in your tree. You're just expecting Webmin modules configuration for non-Virtualmin modules to be in the tree, and they aren't. It is possible that at some point in the future, the framed themes (Blue and Virtualmin and the upcoming AJAX theme) will get an extra layer of submenus to allow fully tree-based navigation. But that's in the future. Right now, to configure anything that is a stock Webmin module, you browse to the module and click Module config...


Fri, 12/28/2007 - 00:25 (Reply to #8)
NotteScura

I believe what Joe is referring you to is the "Module Config" link located at the top left of the SSH/Telnet page (where it actually tries to connect to your server). I'm not sure about global Usermin module config, Joe will have to point that one out.

The second option down from the top is listed as the port to connect to, and is set at Default to start. Just change to your new port, and save, and you should be set.

As to where to find Virtualmin in your Webmin tree, it's located under the "Servers" category as Virtualmin Virtual Servers.

And back to the original topic.. most of these steps are very helpful, and every server admin should be taking steps to at least have extremely hard-to-guess passwords for any services requiring them.

As Joe stated, changing ports is helpful, but not necessarily going to stop the determined hacker, but it will definitely cut back on hack attempts. Another thing to note about this is that sometimes specific ports are blocked, and not accessible to some users. I had a friend whose company firewall was blocking port 10000, and therefore he was not able to reach Webmin at all.

On the note about Chroot SSH setup... Ensim Pro uses it by default, and I used that for many years.. their setup actually worked quite well, but it definitely wasn't fool-proof. If someone was smart, and determined, I'm sure they could have undermined it.. the few hack attempts that I had caught on the system, were mostly "script kiddies" setting up a staging ground to attack other sites/servers.

As for firewalls, yes, I highly recommend using them to filter out everything, but the basic hosting services traffic that is required.

And root-kit hunters are great, but more often than not, they won't help you, unless you catch the hacker before he's had the opportunity to do something with the system.

The idea behind security is to prevent systems from ever being compromised, and rkh's are fundamentally designed for the aftermath of such an activity, not preventing it.

Anyway, all of these things are great ideas, some more practical than others, but all in all, a good group of ideas for securing your server(s) in the best way possible.

NS

Fri, 12/28/2007 - 00:30 (Reply to #9)
NotteScura

Kato: Ugh, disregard the first section of my post, I didn't realize that there was a 2nd page here, until it was too late. Looks like Joe got you taken care of.

Joe: Is the Edit feature not finished? or am I just running into some random bug, because it's not letting me edit my post. :D

NS

Tue, 01/01/2008 - 04:43 (Reply to #10)
sgrayban

In each module page there is a Module Config link in the right frame upper left corner.

Tue, 01/01/2008 - 04:48 (Reply to #11)
sgrayban

I also do not recommend changing ANY default ports. It is a waste of time because nmap can still sniff out the new ports and it isn't a real security threat anyways.

Second, disabling root login access is also a moot point IF you use proper passwords that are mixed case and contain special characters and numbers.

I have allowed root access for over 4 years now and with millions of hacking attempts the losers still can't find the password for it.

Thu, 12/27/2007 - 15:22 (Reply to #12)
Joe

Step 3 should be:

Browse to Others:SSH/Telnet Server

Click "Module config.." in the upper left corner (this is where it always is in regular Webmin modules). Set the port. Save it.


Thu, 12/27/2007 - 15:35 (Reply to #13)
kato

I tried going to the Webmin link on the tree, then expanding others, then selecting "SSH / Telnet Login" link... this is where I see the error message (There is no SSH server running on 192.168.1.78 port 22)

Sadly, there is no 'module config' link in the corner... am I still in the wrong place? If so, where in the tree am I trying to go?

Thu, 12/27/2007 - 15:38 (Reply to #14)
kato

Ah F%#$#$!

When I went back to try it out after reading your post, I grabbed the wrong browser (logged in as the virtualhost user instead of the master admin)

Spiffy! I see now. Thanks so much.

Mon, 10/15/2007 - 07:04
PlayGod

Root Kit Hunter does some nice checks and reporting. Here's how I set it up on my machine.

Webmin > System > Software Packages
Browse YUM for rkhunter, pick the version for your OS, Install

Set up cron jobs within Webmin > System > Schedule Cron Jobs (/path/to/ is /usr/bin/ for RedHat/CentOS systems, yours may be different)

Root Kit Hunter Quick Scan & profile updater - set up this cron to run daily:
```
/path/to/rkhunter -c --update --quick --report-warnings-only --cronjob 2>&1 | mail -s "RK QuickScan - YourServerName" emailaddress@whatever.tld
```

Root Kit Hunter - set up this cron to run weekly:
```
/path/to/rkhunter -c --update --cronjob 2>&1 | mail -s "RK Scan Details - YourServerName" emailaddress@whatever.tld
```

Tip: set the email notification address to an account that is not dependent on the server.

Thu, 12/27/2007 - 14:33
kato

> 4. CHANGE YOUR WEBMIN, USERMIN, SSH PORT NO.

Err, sorry to be such a noob...

I changed my SSH port before virtualmin was installed (I never run the default) and now my virtual-admins see this error when going to "Webmin Modules->SSH/Telnet Login":

```
There is no SSH server running on 192.168.1.78 port 22.
```

Is there something to configure in virtualmin to fix this? Also, how do I go about changing virtualmin's port? I don't see anything in the settings for such things :(

Thu, 12/27/2007 - 14:40 (Reply to #17)
Joe

> Is there something to configure in virtualmin to fix this?

Of course. Just edit the module configuration for that module and set the port. You'll need to also set it in the Usermin module of the same name (if you grant access to the module to Usermin users, anyway).

This is true of nearly all Webmin modules--they each have their own configuration, and you can find it by clicking "Module config.." up in the left corner of the module.

