6. Firewall - DDoS Protection
6.1 Firewall, CSF Installation
CODE wget http://www.configserver.com/free/csf.tgz tar -xzf csf.tgz cd csf
In order to install csf your server needs to have some ipt modules enabled. csftest is a perl script and it comes with csf. You can check those mudules with it.
CODE ./csftest.pl
The output should be like this:
./csftest.pl Testing ip_tables/iptable_filter...OK Testing ipt_LOG...OK Testing ipt_multiport/xt_multiport...OK Testing ipt_REJECT...OK Testing ipt_state/xt_state...OK Testing ipt_limit/xt_limit...OK Testing ipt_recent...OK Testing ipt_owner...OK Testing iptable_nat/ipt_REDIRECT...OK
Don't worry if you don't have all those mudules enabled, csf will work if you didn't get any FATAL errors at the end of the output.
Now, get to installation
CODE ./install.sh
You will have to edit csf.conf file. It's located here:
CODE /etc/csf/csf.conf You need to edit it like this: Testing = "0"
And you need to configure open ports in csf.conf or you won't be able to access these ports. In most cases it should be configured like this if you are using cP/WHM. If you are running something on some other port you will have to enable it here. If you changed SSH port you will have to add a new port here: # Allow incoming TCP ports TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,207 7,2078,2082,2083,2086,2087,2095,2096" # Allow outgoing TCP ports TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087, 2089,2703" 6.2) CSF Connection Limit There is in csf.conf CT option, configure it like this CT_LIMIT = "200" It means every IP with more than 200 connections is going to be blocked. CT_PERMANENT = "1" IP will blocked permanenty CT_BLOCK_TIME = "1800" IP will be blocked 1800 secs(1800 secs = 30 mins) CT_INTERVAL = "60" Set this to the the number of seconds between connection tracking scans. After csf.conf editing you need to restart csf root@server [~# service csf restart 6.3) SYN Cookies Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:
# Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1
CODE service network restart
6.4 CSF as security testing tool
CSF has an option "Server Security Check". Go to WHM - Plugins - CSF - Test Server Security. You will see additional steps how to secure the server even more. I'm writing only about most important things here and I covered most of them in the paper but if you want you can follow steps provided by CSF to get the server even more secured.
6.5 Mod_Evasive
ModEvasive module for apache offers protection against DDoS (denial of service attacks) on your server. To install it login into SSH and type:
CODE cd /root/ wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz tar zxf mode_evasive-1.10.1.tar.gz cd mod_evasive
then type...
CODE /usr/sbin/apxs -cia mod_evasive20.c
When mod_evasive is installed, place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)
DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10
6.6 Random things:
csf -d IP - Block an IP with CSF csf -dr IP - Unblock an IP with CSF csf -s - Start firewall rules csf -f - Flush/stop firewall rules csf -r - Restart firewall rules csf -x - Disable CSF csf -e - Enable CSF csf -c - Check for updates csf -h - Show help screen -Block an IP via iptables iptables -A INPUT -s IP -j DROP -Unblock an IP via iptables iptables -A INPUT -s IP -j ACCEPT -See how many IP addresses are connected to the server and how many connections has each of them. netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
7. Mod_Security
Mod_Security is a web application firewall and he can help us to secure our sites against RFI, LFI, XSS, SQL Injection etc If you use cP/WHM you can easly enable Mod_security in WHM - Plugins - Enable Mod_Security and save Now I will explain how to install Mod_security from source. You can't install Mod_Security if you don't have libxml2 and http-devel libraries. Also, you need to enable mod_unique_id in apache modules, but don't worry, I will explain how to do it
Login into SSH and type...
CODE yum install libxml2 libxml2-devel httpd-devel libxml2 libxml2-devel httpd-devel
should be installed now then you need to edit httpd.conf file, you can find it here:
CODE nano /etc/httpd/conf/httpd.conf
You need to add this in your httpd.conf file LoadModule unique_id_module modules/mod_unique_id.so Now download the latest version of mod_security for apache2 from http://www.modsecurity.org
login into SSH and type...
CODE cd /root/ wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz tar zxf modsecurity-apache_2.5.6.tar.gz cd modsecurity-apache_2.5.6 cd apache2
then type:
CODE ./configure make make install
Go at the end of httpd.conf and place an include for our config/rules file... Include /etc/httpd/conf/modsecurity.conf
# /etc/httpd/conf/httpd.conf LoadModule unique_id_module modules/mod_unique_id.so LoadFile /usr/lib/libxml2.so LoadModule security2_module modules/mod_security2.so Include /etc/httpd/conf/modsecurity.conf
You need to find a good rules for Mod_Security. You can find them at official Mod_Security site. Also, give a try to gotroot.com rules. When you find a good rules, just put them in /etc/httpd/conf/modsecurity.conf And restart httpd at the end, type "service httpd restart" into SSH.
8. Anti-Virus - ClamAV
You need AV protection to protect the server against worms and trojans invading your mailbox and files! Just install clamav (a free open source antivirus software for linux). More information can be found on clamav. website - http://www.clamav.net
In order to install CLamAV login into SSH and type
CODE yum install clamav
Once you have installed clamav for your CentOS, here are some basic commands you will need:
Update the antivirus database
CODE freshclam
Run antivirus
CODE clamscan -r /home
Running as Cron Daily Job To run antivirus as a cron job (automatically scan daily) just run crontab -e from your command line. Then add the following line and save the file.
CODE @daily root clamscan -R /home
It means clamav will be scanning /home directory every day. You can change the folder to whatever you want to scan.
9. Rootkit
Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests like: -MD5 hash compare -Look for default files used by rootkits -Wrong file permissions for binaries -Look for suspected strings in LKM and KLD modules -Look for hidden files -Optional scan within plaintext and binary files
Installation: Login into SSH and type
CODE cd /root/ wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz tar -zxvf rkhunter-1.2.7.tar.gz cd rkhunter ./installer.sh
Scan the server with rkhunter
CODE rkhunter -c
10. The Rest of it
10.1 Random suggestions
If you use bind DNS server then we need to edit named.conf file named.conf is located here: /etc/named.conf and add recursion no; under Options
Options{ recursion no;
Now restart bind, type into SSH
CODE service named restart
This will prevent lookups from dnstools.com and similar services and reduce server load In order to prevent IP spoofing, you need to edit host.conf file like this: This file is located here: /etc/host.conf Add that in host.conf
order bind,hosts nospoof on
Hide the Apache version number: edit httpd.conf (/etc/httpd/conf/httpd.conf)
ServerSignature Off
10.2 Passwords Don't use the same password you are using for the server on some other places. When the Datacenter contacts you via e-mail or phone, always request more informations. Remember, someone alse could contact you to get some information or even root passwords.
10.3 Random thoughts No matter what you need to secure the server, don't think you are safe only because you are not personally involved in any ###### with "hackers". When you are hosting hacking/warez related sites you are the target. There is no such thing as totally secured server. Most important things are backups, make sure you will always have an "up-to-date" offsite backups |