December 17, 2009

Server Hardening

Initial Server Hardening

APF (Advanced Policy Firewall) or CSF: a policy-based, reactive firewall that drives iptables. Use CSF if the server runs cPanel.
CSF is at http://www.configserver.com, and APF can be installed by running the
ServerMonkey ELS script at http://servermonkeys.com/els.php.
LSM (Linux Socket Monitor): monitors the system for newly opened ports and services, so a new listener left behind by an intruder or a careless install gets noticed.
http://www.rfxn.com/?page_id=59
LES (Linux Environment Security): install on applicable OSes. Sets correct permissions on dangerous binaries, profile scripts and more.
http://www.rfxn.com/projects/linux-environment-security/
Mail Source Tracking: enable tracking of emails sent via PHP scripts, so spam sent from a compromised web script can be traced back. (cPanel only)
BFD (Brute Force Detection) or LFD: identifies login password-cracking attempts and bans the source addresses through the firewall. LFD is part of CSF; BFD is the R-fx Networks companion to APF.
iftop does for network usage what 'top' does for CPU usage.
Install libpcap first (iftop also needs ncurses): http://sourceforge.net/projects/libpcap/
iftop: standard ./configure && make && make install.
mytop does for MySQL usage what 'top' does for CPU usage. (Installed by the ELS script above.)
Services Hardening: tweak and harden common services to minimize the software version information they broadcast in banners and headers. (Done by the ELS script above.)
Time Synchronization: sync the local system clock to a time server, so log timestamps across hosts line up during an investigation.
Set up libsafe to filter common software attacks; it wraps unsafe libc string functions to catch stack buffer overflows. (32-bit Linux only.) (Installed by the ELS script above.)
Set up logwatch: log parsing and reporting utility.
Backdoor inspection: inspect and verify that the server is clean of backdoors and rootkits. (Install chkrootkit and rkhunter via the ELS script.)
SSH Server Hardening: modify the default sshd config to address common protocol and authentication issues. Make sure sshd allows protocol 2 only; disabling root login and, once keys are deployed, password authentication belong in the same pass.
Software Updates: local inspection of installed software and retrieval of vendor and OS updates. (cPanel is updated via the ELS script.)
PHP open_basedir: modify the PHP setup to enforce a set of 'safe' execution paths, so a script in one account cannot read files outside its allowed directories.
ImageMagick is installed via ELS.

NOTE: When running the ELS script, do not harden the sysctl file and do not change anything with PHP permissions or root permissions.
NOTE 2: When ELS or any other script in the initial hardening asks for an email address, enter the customer's email.
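The SSH hardening item above is easy to get wrong in one specific way: sshd uses the first occurrence of a directive it reads, so a hardened line appended to the end of sshd_config is silently ignored while the stock line above it is still active. The audit below, an added example that is not the checklist's or ELS's code, reads a config the way sshd does and reports every expected directive that is unset or weaker than wanted. The expected values are the editor's choice, the sample config is constructed, and on OpenSSH 7.4 or later (where protocol 1 no longer exists) the Protocol line should be dropped from the expected set.

```shell
#!/bin/sh
# Audit an sshd_config against the SSH hardening item in the checklist.
# Added example, not the checklist's or ELS's code. Expected values are the
# editor's choice; the sample config at the bottom is constructed.

# Directive/value pairs expected to be active in sshd_config.
# (On OpenSSH 7.4+ protocol 1 is gone; drop the Protocol line there.)
hardened_directives() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
UsePAM yes
MaxAuthTries 3
EOF
}

# effective_value FILE DIRECTIVE: print the value sshd would use, i.e. the
# FIRST uncommented match (names compared case-insensitively), lowercased.
# Match blocks are not modelled: anything after a "Match" line is ignored.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print tolower($2); exit }
    ' "$1"
}

# sshd_audit FILE: one line per directive that is unset or differs from the
# hardened value. No output means the file matches.
sshd_audit() {
    hardened_directives | while read -r key want; do
        have=$(effective_value "$1" "$key")
        if [ -z "$have" ]; then
            printf '%s: unset (want %s)\n' "$key" "$want"
        elif [ "$have" != "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            printf '%s: %s (want %s)\n' "$key" "$have" "$want"
        fi
    done
}

# Constructed sample: a stock-looking file with one hardening line appended
# at the end, which sshd ignores because the earlier "yes" wins.
sample_weak_config() {
    cat <<'EOF'
# constructed sample, not from any real host
Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
PasswordAuthentication no
EOF
}

# Usage: sshd_audit /etc/ssh/sshd_config
# With no argument, audit the constructed sample instead.
if [ $# -gt 0 ]; then
    sshd_audit "$1"
else
    f=$(mktemp) && sample_weak_config > "$f" && sshd_audit "$f"; rm -f "$f"
fi
```

Run it against /etc/ssh/sshd_config before and after editing; an empty report is the goal. Because it only reads the file, it is safe to run on a live box, but restart sshd and confirm a fresh login works from a second session before closing the one you edited from.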

FULL Hardening (fully managed customers)
Everything in the Initial Hardening above, plus:
Change the SSH port for added security. This only keeps the server off scanners' default-port lists and is no substitute for the sshd hardening above. Open the new port in the firewall first (CSF: add it to TCP_IN in /etc/csf/csf.conf and run csf -r), keep your current session open, and confirm a fresh login works before closing it, or you will lock yourself out.
Sysctl Hardening: kernel network settings such as SYN cookies, reverse-path filtering, and ignoring ICMP redirects and source-routed packets.
http://www.sysadmin.md/hardening-existing-linux-server-via-sysctl-parameters.html
/tmp hardening with noexec (add nosuid and nodev while you are there). noexec stops binaries dropped in /tmp from being run directly but does nothing against a script run as "perl /tmp/x.pl", so it raises the bar rather than closing the door.
http://www.securecentos.com/basic-security/secure-tmp/
Install PSAD to monitor log activity. It watches the iptables log messages for port scans and probes and can block the sources.
http://www.cipherdyne.org/psad/docs/
Remount partitions with the noatime option to improve I/O. This is a performance tweak, not a security control, and it removes the file access times a forensic timeline would otherwise have.
http://forums.ayksolutions.com/showthread.php?t=480&highlight=noatime
mod_top enables quick searching for bottlenecks, memory hogs and much more.
http://mod-top.org and then refer here: http://forums.ayksolutions.com/showthread.php?t=493&highlight=mod_top
Reconfigure /etc/host.conf for DNS lookup poisoning and spoofing protection by adding the following two lines to the file:
multi on
nospoof on
multi on makes the resolver return every address listed for a host in /etc/hosts rather than only the first; nospoof on makes it reverse-look-up each resolved address and fail the lookup when the name does not match. Current glibc resolvers no longer implement the nospoof check, so confirm in host.conf(5) on the target system that it is still honoured before relying on it.
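The full-hardening items above (firewall and SSH port, sysctl, noexec /tmp, noatime, host.conf) are the kind of thing that gets typed by hand on each box and then drifts. The script below is an added example, not the checklist's, ELS's or CSF's own code, that turns them into checks and an idempotent apply step. It assumes /etc/sysctl.conf is the sysctl file (as on 2009-era CentOS), the loop-backed /tmp image lives at /var/tmpMnt and is 1 GiB, CSF is the firewall, and SSH is moving to port 2222; the fstab and mount lines used in the checks are constructed sample input.

```shell
#!/bin/sh
# Added example for the full-hardening items (firewall + SSH port, sysctl,
# noexec /tmp, noatime, host.conf); not the checklist's, ELS's or CSF's code.
# Assumptions: /etc/sysctl.conf is the sysctl file (2009-era CentOS), the
# /tmp image is /var/tmpMnt (1 GiB), CSF is the firewall, SSH moves to 2222.

# Hardened kernel values, one "key = value" per line.
sysctl_hardening() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.randomize_va_space = 2
EOF
}

# Print each running value (read from /proc/sys, no root needed) that
# differs from the hardened set. No output means nothing to do.
sysctl_audit() {
    sysctl_hardening | while read -r key _ want; do
        have=$(cat "/proc/sys/$(printf '%s' "$key" | tr . /)" 2>/dev/null) || have=unset
        [ "$have" = "$want" ] || printf '%s = %s (want %s)\n' "$key" "$have" "$want"
    done
}

# mount_missing_opts "<line from /proc/mounts or fstab>" opt...
# Prints every option absent from the options field; exit 1 if any is.
mount_missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }'); shift
    rc=0
    for o in "$@"; do
        case ",$opts," in *",$o,"*) ;; *) printf '%s\n' "$o"; rc=1 ;; esac
    done
    return $rc
}

# fstab_add_opt "<fstab line>" opt: the same line with opt present in field 4.
fstab_add_opt() {
    printf '%s\n' "$1" | awk -v o="$2" '{
        n = split($4, a, ","); have = 0
        for (i = 1; i <= n; i++) if (a[i] == o) have = 1
        if (!have) $4 = $4 "," o
        print }'
}

# Root-only application. Every step checks before it changes anything,
# so the function can be re-run.
apply_full_hardening() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    # 1. Open the new SSH port in CSF *before* moving sshd; then set
    #    "Port 2222" in sshd_config, restart sshd and test a fresh login
    #    while the current session stays open.
    grep -q '^TCP_IN = ".*[",]2222[",]' /etc/csf/csf.conf \
        || sed -i 's/^TCP_IN = "/TCP_IN = "2222,/' /etc/csf/csf.conf
    csf -r
    # 2. sysctl: append the missing keys, then load the file.
    sysctl_hardening | while read -r key _ want; do
        grep -q "^$key *=" /etc/sysctl.conf \
            || printf '%s = %s\n' "$key" "$want" >> /etc/sysctl.conf
    done
    sysctl -p
    # 3. /tmp as its own loop-backed filesystem, mounted noexec,nosuid,nodev.
    if ! grep -q ' /tmp ' /proc/mounts; then
        dd if=/dev/zero of=/var/tmpMnt bs=1M count=1024
        mkfs.ext3 -F /var/tmpMnt
        echo '/var/tmpMnt /tmp ext3 loop,noexec,nosuid,nodev 0 0' >> /etc/fstab
        mount /tmp && chmod 1777 /tmp
    fi
    mount_missing_opts "$(grep ' /tmp ' /proc/mounts | tail -n 1)" noexec nosuid nodev \
        >/dev/null || mount -o remount,noexec,nosuid,nodev /tmp
    # 4. noatime on the root filesystem (I/O tweak, not a security control).
    old=$(awk '$2 == "/" { print; exit }' /etc/fstab)
    new=$(fstab_add_opt "$old" noatime)
    if [ "$old" != "$new" ]; then
        cp -p /etc/fstab /etc/fstab.bak
        awk -v n="$new" '$2 == "/" && !d { print n; d = 1; next } { print }' \
            /etc/fstab.bak > /etc/fstab
        mount -o remount,noatime /
    fi
    # 5. host.conf resolver settings from the checklist.
    for l in 'multi on' 'nospoof on'; do
        grep -qx "$l" /etc/host.conf || echo "$l" >> /etc/host.conf
    done
}

# Unprivileged: report sysctl drift. As root with "apply": do the work.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = apply ]; then
    apply_full_hardening
else
    sysctl_audit
fi
```

Two cautions on the /tmp step: mounting a new filesystem over /tmp hides whatever is already there (on many cPanel boxes that includes MySQL's /tmp/mysql.sock), so do it in a maintenance window and restart the services that use /tmp afterwards; and a noexec /tmp breaks installers and yum/cPanel scriptlets that unpack and execute there, so keep the remount command handy for the rare update that needs it.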


Note: For hosting, dedicated servers and so on, you can contact http://ayksolutions.com/
