
VPS Security Security Options


charles
02-21-2005, 08:01 PM
We take security very seriously and so have put together a comprehensive set of hardening steps we can perform on your server. To have any or all of these security steps applied to your server, please email support. Please specify which steps you want done, otherwise the technician will do his/her best to determine what's in your best interests and do the appropriate steps. Typically that means we will perform steps 1-6 automatically and 7-9 upon request.

This post isn't intended to describe the steps in detail, but to rather cover them at a high level to give you an understanding of what they are and how they can help, and what things you should be aware of if you apply them. If you'd prefer to tackle any of these yourself instead of having us do it, and you need any tips or pointers, just let us know.

1. Upgrade Apache/PHP, openssh, openssl, mysql etc.

Nothing new here, but we'll make sure you're running the latest secure versions of common software components. This is the first step in preventing your server from getting cracked by common exploits. Usually there are no downsides, but if you have specific version requirements for particular apps, some upgrades should be made with caution.

2. Firewall Installation.

We can install the R-fx Networks apf firewall and various other related tools such as bfd, sim and pmon. These will prevent unauthorized access to your server and thwart brute force attacks.

APF (Advanced Policy Firewall) http://www.rfxnetworks.com/apf.php
BFD (Brute Force Detection) http://www.rfxnetworks.com/bfd.php
SIM (System Integrity Monitor) http://www.rfxnetworks.com/sim.php
PRM (Process Resource Monitor) http://www.rfxnetworks.com/prm.php
LES (Linux Environment Security) http://www.rfxnetworks.com/les.php
NSIV (Network Socket Inode Validation) http://www.rfxnetworks.com/nsiv.php
SPRI (System Priority) Installation http://www.rfxnetworks.com/spri.php

Please be aware this is not a silver bullet, and these do not prevent exploits of services you do run. You will also need to be aware you have a firewall and may need to open up additional ports as needed if you add new services.

3. Rkhunter Installation.

Although not a preventative mechanism, it can be useful to detect any failures in your layers of defense. It's a cron job that scans your system for rootkits, exploits, trojans and backdoors.

http://www.rootkit.nl/projects/rootkit_hunter.html

No downsides, although there can sometimes be false alarms.

4. Mod_Security Installation.

Mod security is effectively a firewall for web based apps and can help prevent attacks on programs that would otherwise be vulnerable.

This can be fine tuned, but you may limit some "power" user customers (easily rectified).

http://www.modsecurity.org

5. /tmp hardening.

Many attacks and exploits use /tmp to work out of and propagate themselves. By making /tmp a separate partition and mounting it noexec and nosuid (meaning executables cannot be run from /tmp nor with escalated privileges), this stops many of these exploits from being able to do any harm.

A potential downside is making /tmp too small for some operations like account backups/transfers.

6. Disable non-root access to unsafe binaries.

Many exploits use well known executables already on your system as part of their bag of tools. By only allowing privileged users access to these files, you can cause many attacks to not function.

You may find some binaries like "wget" too useful to limit access to, despite being useful to crackers too.

7. Disable SSH root access. (optional)

Root ssh is bad because a brute force attack can use the known username 'root' and concentrate on password variations. By using a unique username (not something like admin) you greatly reduce the chance of a successful brute force attack.

Some people use root ssh in the form of ftps to access the entire filesystem. There are several ways to work around this, like creating a new user with uid 0 as well. You also need to be aware of this when requesting support, and give us the no-root login info.

8. Change SSH Port. (optional)

An additional layer of security is to change the default ssh port to something else. Although this is akin to security by obscurity, it can let you completely avoid many script kiddy attacks.

Like non-root ssh, you need to be aware of this when requesting support, and give us the alternate port info.

9. PHP suEXEC support. (optional)

When PHP runs as an Apache module, it executes as the user/group of the webserver, which is usually "nobody" or "apache". php suEXEC changes this so scripts are run as a CGI.

This means scripts are executed as the user that created them. If user "snow" uploaded a PHP script, you would see it was "snow" running the script when looking at the running processes on your server. It also provides an additional layer of security where script permissions can't be set to 777 (read/write/execute at user/group/world level).

The downside however is that there can sometimes be issues with any .htaccess directives you have, specifically in regards to PHP directives. You may have to remove PHP directives from .htaccess and move them into a php.ini file inside of your site's document root. In addition, there could be some performance loss (also known as seeing a higher server load) as a result of all php scripts being run as a separate CGI instead of as part of the Apache module.
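A way to confirm that steps 5, 7 and 8 actually took effect on your own VPS, as an added example (not code from this post or from PowerVPS): each check takes its input as text, so the same functions run against the live files (/proc/mounts and /etc/ssh/sshd_config, the usual locations on the Linux distributions of the time) and against the constructed sample mount table and sshd_config lines at the bottom.

```shell
#!/bin/sh
# Added example, not part of the original post or of PowerVPS's tooling:
# checks for three of the hardening steps above, written as functions that
# take their input as text so they can be run against /proc/mounts and
# /etc/ssh/sshd_config or against the constructed samples below.

# check_tmp_mount: returns 0 when /tmp is its own mount and carries both
# noexec and nosuid. $1 is mount-table text in /proc/mounts format, e.g.
# "/dev/sda2 /tmp ext3 rw,noexec,nosuid 0 0" (field 4 is the option list).
check_tmp_mount() {
    printf '%s\n' "$1" | awk '
        $2 == "/tmp" {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") noexec = 1
                if (opts[i] == "nosuid") nosuid = 1
            }
        }
        END { if (found && noexec && nosuid) exit 0; exit 1 }'
}

# sshd_option: prints the effective value of one sshd_config keyword.
# Comment lines are skipped and the first occurrence wins, which is how sshd
# resolves repeated keywords (Port is the exception: sshd listens on every
# Port line, and this helper reports only the first). $1 is the config text,
# $2 the keyword, matched case-insensitively as sshd does.
sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }'
}

# check_sshd: returns 0 when root login is off (step 7) and sshd listens on a
# port other than 22 (step 8). A missing keyword takes the OpenSSH default of
# the time (PermitRootLogin yes, Port 22), so an untouched config fails.
check_sshd() {
    root=$(sshd_option "$1" PermitRootLogin)
    port=$(sshd_option "$1" Port)
    [ "${root:-yes}" = "no" ] && [ "${port:-22}" != "22" ]
}

# Constructed samples (not copied from any real server).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid 0 0'
SAMPLE_SSHD='# sample sshd_config
#PermitRootLogin yes
Port 2222
PermitRootLogin no'

if check_tmp_mount "$SAMPLE_MOUNTS"; then echo "sample /tmp: noexec,nosuid"; fi
if check_sshd "$SAMPLE_SSHD"; then
    echo "sample sshd: root login off, port $(sshd_option "$SAMPLE_SSHD" Port)"
fi

# The same checks against the live system, when the files are readable.
if [ -r /proc/mounts ]; then
    if check_tmp_mount "$(cat /proc/mounts)"; then echo "live /tmp: noexec,nosuid"; else echo "live /tmp: not hardened"; fi
fi
if [ -r /etc/ssh/sshd_config ]; then
    if check_sshd "$(cat /etc/ssh/sshd_config)"; then echo "live sshd: root login off, non-default port"; else echo "live sshd: root login allowed or port 22"; fi
fi
```

The commented-out `#PermitRootLogin yes` line in the sample is deliberate: a check that only greps for the keyword would pick up the comment and report the wrong state, which is why sshd_option skips comments and applies sshd's first-match rule.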

apele
02-23-2005, 04:47 PM
We can install the R-fx Networks apf firewall and various other related tools such as bfd, sim and pmon. These will prevent unauthorized access to your server and thwart brute force attacks.

Hello! How can I order installation of this software? Or must I install it myself? Is installation a free or paid service?
Thanks

TomK
02-23-2005, 04:53 PM
Hello! How can I order installation of this software? Or must I install it myself? Is installation a free or paid service?
Thanks

After the upgrades on Sunday, when stateful firewalls are supported, just submit a ticket as normal, and we'll install the software.

BornOnline
02-23-2005, 07:10 PM
Question on /tmp.. I have heard different things and I want to get this straight.

The only thing I have done is run /scripts/securetmp. Well, I opened a TT about an issue and the tmp dir came up. I mentioned that I ran securetmp, but was still concerned about it actually being secure. I was then told that /securetmp will not work on a VPS? If this is the case, I really need to take care of this ASAP. I have info on doing this from cpanel and WHT, but I would rather hear it from you guys.
What should I do?

Sorry if I hijacked this thread..

charles
02-23-2005, 07:15 PM
Question on /tmp.. I have heard different things and I want to get this straight.

The only thing I have done is run /scripts/securetmp. Well, I opened a TT about an issue and the tmp dir came up. I mentioned that I ran securetmp, but was still concerned about it actually being secure. I was then told that /securetmp will not work on a VPS? If this is the case, I really need to take care of this ASAP. I have info on doing this from cpanel and WHT, but I would rather hear it from you guys.
What should I do?

Sorry if I hijacked this thread..

Although not tied to the 2.6.1 release, this is a relatively new feature we offer which is why you are seeing it here. At the time you asked, we could not offer you a secure /tmp.

We now can, and in fact this will be the default configuration come Sunday. There is nothing you need to do; your VPS will just have a secured /tmp once booted after the upgrade.

BTW, you can't change how it's mounted - it's something we control externally of your VPS.

If you can't wait till Sunday for your /tmp to be secured, just send a ticket to support and we'll take care of it for you. A reboot of your VPS is required.

hth
charles

TomK
02-24-2005, 06:03 PM
Hey Folks,

I split the specific questions/issues from this thread into their own thread. Please keep this one on topic to specific questions about the first post.

Please create a new thread for issues/testing/feedback as it relates to your VPS, this will keep this one from getting super long and bogged down in specific customer VPS issues, etc.

Thanks!

ony101
03-28-2005, 08:34 PM
Hi,

I am a new customer of PowerVPS (1 day) and from the results so far I am already glad I made the change. The support requests are incredibly fast (mins) and already I notice the considerable difference in response/page load times from the server. I must advise from the outset that I am a total newbie so do excuse my quite obvious/simple questions.

As far as security: I had the Power 2 config set up yesterday. At my previous VPS provider I had a server management team come in to secure the server. My question is, is this required here or does the existing security configuration suffice?

I previously used Acunett but I am also looking at Configserver (mailscanner package).

thanks

charles
03-28-2005, 09:32 PM
As far as security: I had the Power 2 config set up yesterday. At my previous VPS provider I had a server management team come in to secure the server. My question is, is this required here or does the existing security configuration suffice?

I previously used Acunett but I am also looking at Configserver (mailscanner package).


Just FYI, steps 1-6 are done before we release the server to you. Steps 7 and 8 can be done by request (email support).

You are running a full-blown linux server, so you are right to have security concerns. Also, the less you know, the more you should be concerned :) Your VPS is not insecure, but having a third party audit it would not be a bad idea if you can afford it. But security is not a one-time thing - you need to keep on top of it.

We refer our dedicated customers to Acunett, so they would probably be a good choice, although I don't know their expertise regarding VPS.

hth
charles

ony101
03-28-2005, 09:39 PM
Just FYI, steps 1-6 are done before we release the server to you. Steps 7 and 8 can be done by request (email support).

You are running a full-blown linux server, so you are right to have security concerns. Also, the less you know, the more you should be concerned :) Your VPS is not insecure, but having a third party audit it would not be a bad idea if you can afford it. But security is not a one-time thing - you need to keep on top of it.

We refer our dedicated customers to Acunett, so they would probably be a good choice, although I don't know their expertise regarding VPS.

hth
charles

Charles,

I hear you on the 'less you know the more you should be concerned'! I have been reviewing a lot of information recently to ensure all is well.

7 & 8 have been done already. Good to know about Acunett though; selected them from WHT reviews so I expect I will go with them.

I am interested in the mailscanner package from Configserver though which I think I will go for (at least I know it is properly configured) and know who to address should issues arise.

Thx

David256
07-18-2005, 04:32 AM
I'm planning on ordering a WHM/CPanel VPS from you and had some additional questions about your post.

When you harden /tmp do you also harden /var/tmp and /dev/shm ?

What size do you set for /dev/shm ? I believe it defaults to 1/2 of memory on RHEL3?

From the VPS viewpoint, what version of linux is it running? What actual OS is the host server running?

Does whatever firewall you set on the host OS also apply to the VPS or do they somehow bypass most of the TCP/IP stack and firewall on the host?

Does each VPS have its own swap partition?

TIA,

-- David

Soul
08-05-2005, 10:21 AM
I have something to add. You can add a layer of complexity to your SSH by having some fun with firewall rules.

I found this little gem after I just installed Centos4.1 on the machine I am about to send to colocate with you guys.

http://www.hostlibrary.com/A-Cure-for-the-Common-SSH-Login-Attack-195586.html

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1600 -m recent --name SSH --set -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1601 -m recent --name SSH --remove -j DROP
-A RH-Firewall-1-INPUT -j DROP


What this would allow is that in order to even enable SSH you have to first send a telnet unlock request to port 1600, then you can SSH into 22. When you are done with the port you can close it by telnetting to port 1601.

This also only unlocks port 22 for the location in which you performed the unlock command.

charles
08-05-2005, 11:17 AM
Wow, that's awesome! Nice one!

Soul
08-05-2005, 01:11 PM
Wow, that's awesome! Nice one!

Also ... neither port 1600 nor 1601 is even open. ipchains merely notices you trying to access it. So a general port scan might open ssh by telnetting 1600 but then might immediately close it when it hits 1601.

I wish I had the knowledge to come up with this stuff. I think this is a great way to lock your SSH. But in each case you should consider changing the ports you use to unlock, instead of just leaving them as 1600 and 1601 :)

As he said on the page, you could also set it up so that you have to hit two ports in a specific order to open up ssh. I think that this would make it bullet proof.
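As an added illustration of the logic in Soul's rules (not code from his post or from the linked article): a shell model of the per-source state that iptables' `-m recent` keeps, so both behaviours discussed above can be traced without loading rules into a kernel. `packet_single` follows the posted rules (1600 unlocks, 1601 locks, per source address); `packet_ordered` follows the two-port sequence Soul mentions, where the knocks must arrive in order and any other new connection resets the sequence, which is what makes a port scan that walks 1600, 1601, 1602 in turn fail to open ssh; `knock_rules_ordered` prints that ordered variant as rules for the same RH-Firewall-1-INPUT chain. The port numbers, list names and time windows are assumptions for the example, and the model ignores the `--seconds` expiry that the real module applies.

```shell
#!/bin/sh
# Added example, not from Soul's post or the linked article: a model of the
# per-source address lists that "-m recent" keeps. One marker file per
# (list, source) pair stands in for a list entry; expiry is not modelled.
KNOCK_STATE=${KNOCK_STATE:-$(mktemp -d)}
SSH_PORT=22
KNOCK_OPEN=1600      # single variant: unlock; ordered variant: first knock
KNOCK_CLOSE=1601     # single variant: lock
KNOCK_SECOND=1602    # ordered variant: second knock (assumed port)

knock_reset() { rm -f "$KNOCK_STATE"/*; }
marked() { [ -e "$KNOCK_STATE/$1.$2" ]; }   # $1 = list name, $2 = source
mark()   { touch "$KNOCK_STATE/$1.$2"; }
unmark() { rm -f "$KNOCK_STATE/$1.$2"; }

# packet_single: verdict for one new TCP connection under the posted rules.
# $1 = source address, $2 = destination port; prints ACCEPT or DROP.
packet_single() {
    if [ "$2" = "$SSH_PORT" ] && marked SSH "$1"; then echo ACCEPT; return; fi
    if [ "$2" = "$KNOCK_OPEN" ]; then mark SSH "$1"; fi     # --set
    if [ "$2" = "$KNOCK_CLOSE" ]; then unmark SSH "$1"; fi  # --remove
    echo DROP
}

# packet_ordered: verdict under the two-port sequence KNOCK_OPEN, then
# KNOCK_SECOND, then ssh. A new connection to any other port clears the
# first-stage mark, so the two knocks have to be consecutive.
packet_ordered() {
    if [ "$2" = "$SSH_PORT" ] && marked KNOCK2 "$1"; then echo ACCEPT; return; fi
    if [ "$2" = "$KNOCK_SECOND" ]; then
        if marked KNOCK1 "$1"; then mark KNOCK2 "$1"; fi
    elif [ "$2" = "$KNOCK_OPEN" ]; then
        mark KNOCK1 "$1"
    else
        unmark KNOCK1 "$1"
    fi
    echo DROP
}

# knock_rules_ordered: the ordered variant as iptables-save lines for the
# chain in the post. $1 = first knock, $2 = second knock, $3 = ssh port.
# Rule order matters: a packet stops at the first rule that accepts or drops
# it, so the reset rule only sees connections the knock rules did not take.
knock_rules_ordered() {
    cat <<EOF
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $3 -m recent --rcheck --seconds 30 --name KNOCK2 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $2 -m recent --rcheck --seconds 10 --name KNOCK1 -m recent --set --name KNOCK2 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $1 -m recent --set --name KNOCK1 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m recent --remove --name KNOCK1 -j DROP
-A RH-Firewall-1-INPUT -j DROP
EOF
}

# Walk-through with constructed source addresses.
knock_reset
printf 'single: ssh before unlock %s, ' "$(packet_single 10.0.0.5 22)"
packet_single 10.0.0.5 1600 >/dev/null
printf 'after unlock %s, ' "$(packet_single 10.0.0.5 22)"
packet_single 10.0.0.5 1601 >/dev/null
printf 'after lock %s\n' "$(packet_single 10.0.0.5 22)"
knock_reset
for p in 1600 1601 1602; do packet_ordered 198.51.100.9 "$p" >/dev/null; done
printf 'ordered: ssh after a scan of 1600-1602 in turn %s, ' "$(packet_ordered 198.51.100.9 22)"
packet_ordered 198.51.100.9 1600 >/dev/null
packet_ordered 198.51.100.9 1602 >/dev/null
printf 'after the right sequence %s\n' "$(packet_ordered 198.51.100.9 22)"
knock_reset
```

The reset-on-any-other-port rule is the design choice that separates the two variants: in the single-port version a scan that touches 1600 opens ssh until it reaches 1601, while in the ordered version the same scan touches 1601 between the two knocks and wipes the first-stage mark.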

chief
08-17-2005, 09:48 AM
Can someone point me to a good tutorial on linux user management? I want to disable root SSH access and create a user that has just about all the root abilities without having to 'sudo' every time, is that possible?

jpetrov
08-17-2005, 12:42 PM
what's wrong with sudo su - ?

charles
08-18-2005, 02:20 PM
Can someone point me to a good tutorial on linux user management? I want to disable root SSH access and create a user that has just about all the root abilities without having to 'sudo' every time, is that possible?

You can give fine grained access with sudo, or plain stupid blanket root access with no password required. So if your issue is just having to enter your password you can avoid that (but would still need to prefix commands with sudo). Best would be to give limited access to certain scripts, with no password (again if entering your password is the issue). Otherwise rethink your need for this.

You can also create a user and change their uid and group to 0. This is a root user with a different name, and not really advised either. About the only thing you have achieved is to allow root ssh by a different name.

hth
charles

chief
08-19-2005, 08:46 AM
what's wrong with sudo su - ?

Duh, yeah, that works, thanks.

I was just looking at my secure logs, and noticed someone trying ssh access with tons of user names / pw combos. Is there a way to prevent these types of attacks?

elix
08-19-2005, 09:54 AM
Duh, yeah, that works, thanks.

I was just looking at my secure logs, and noticed someone trying ssh access with tons of user names / pw combos. Is there a way to prevent these types of attacks?

BFD can help with that.
http://rfxnetworks.com/bfd.php

chief
08-22-2005, 12:31 PM
BFD can help with that.
http://rfxnetworks.com/bfd.php

OK, forgive my ignorance...

I've installed BFD, is this just a notification tool though? Or is it actually denying requests?

elix
08-22-2005, 02:11 PM
OK, forgive my ignorance...

I've installed BFD, is this just a notification tool though? Or is it actually denying requests?

Yeah it integrates with APF so it will deny requests.
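For chief's question about the "secure" log and elix's answer that BFD blocks the offenders through APF, here is the check BFD automates, written out as an added example (not BFD's or APF's own code): it reads sshd lines in the /var/log/secure format, counts failed logins per source address, lists the sources at or above a threshold, and prints the APF deny command (`apf -d <address>`) an operator would run for each, without executing anything. The log lines are constructed for the example and the addresses are private and documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example, not BFD's own code: count sshd "Failed password" lines per
# source address in /var/log/secure format and turn the offenders into a
# list of APF deny commands. Nothing here changes firewall state.

# Constructed log sample (private and documentation addresses only).
SAMPLE_SECURE_LOG='Aug 19 08:12:01 vps sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 4412 ssh2
Aug 19 08:12:03 vps sshd[2203]: Failed password for invalid user test from 10.0.0.5 port 4413 ssh2
Aug 19 08:12:05 vps sshd[2205]: Failed password for root from 10.0.0.5 port 4414 ssh2
Aug 19 08:12:07 vps sshd[2207]: Failed password for invalid user guest from 10.0.0.5 port 4415 ssh2
Aug 19 08:12:09 vps sshd[2209]: Failed password for invalid user oracle from 10.0.0.5 port 4416 ssh2
Aug 19 08:13:40 vps sshd[2250]: Failed password for chief from 192.0.2.7 port 51022 ssh2
Aug 19 08:13:52 vps sshd[2252]: Accepted password for chief from 192.0.2.7 port 51023 ssh2
Aug 19 08:14:10 vps sshd[2260]: Failed password for invalid user admin from 198.51.100.9 port 3001 ssh2
Aug 19 08:14:11 vps sshd[2262]: Failed password for invalid user admin from 198.51.100.9 port 3002 ssh2'

# failed_logins_by_source: prints "<count> <address>" per source address,
# most failures first. Only sshd "Failed password" lines count; the address
# is the word after "from", which covers both the "invalid user X" and the
# plain "for root" forms of the message.
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# brute_force_sources: the addresses whose failure count reaches the
# threshold given as $2, one per line.
brute_force_sources() {
    failed_logins_by_source "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# block_plan: the APF deny command for each offender (printed, not executed,
# so the list can be reviewed before it touches the firewall).
block_plan() {
    brute_force_sources "$1" "$2" | while read -r ip; do
        printf 'apf -d %s\n' "$ip"
    done
}

echo "Failed logins per source:"
failed_logins_by_source "$SAMPLE_SECURE_LOG"
echo "Deny commands at threshold 5:"
block_plan "$SAMPLE_SECURE_LOG" 5
```

The threshold is the knob that matters: at 5 only the host cycling through usernames is listed, while at 2 the second scanner joins it and chief's own single typo never does. A real run would read the live file with `failed_logins_by_source "$(cat /var/log/secure)"` and, as BFD does, only consider a recent window rather than the whole file.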

guapo
09-30-2005, 04:25 PM
About those programs:

APF (Advanced Policy Firewall) http://www.rfxnetworks.com/apf.php
BFD (Brute Force Detection) http://www.rfxnetworks.com/bfd.php
SIM (System Integrity Monitor) http://www.rfxnetworks.com/sim.php
PRM (Process Resource Monitor) http://www.rfxnetworks.com/prm.php
LES (Linux Environment Security) http://www.rfxnetworks.com/les.php
NSIV (Network Socket Inode Validation) http://www.rfxnetworks.com/nsiv.php
SPRI (System Priority) Installation http://www.rfxnetworks.com/spri.php

are they installed as default or what is the process you guys use to install it?

And what is the main rule for the firewall that is loaded with the machine?

Can you share it please.

thx in advance.

Hvu
09-30-2005, 04:30 PM
APF is installed by default. You have to ask for the others to be installed, or install them yourself. I believe BFD is also installed, but it wasn't installed for mine. Rule as in for the VPS or the main host? I believe for the VPS it depends on your control panel, but httpd / sshd / mail / dns are open; for cPanel they'll add the other required ports.

guapo
09-30-2005, 04:34 PM
I think they are all default, since I notice I do have SIM and APF. That's why I am asking here; maybe whoever created the thread can answer me.

thx anyway.

Hvu
09-30-2005, 04:39 PM
I know that APF is default. Not sure if Robert added the other programs into the OS template. If you want an answer right away, email support@powervps.com with tag line [NON URGENT] (: and they'll get back to you faster than the forums.

charles
09-30-2005, 04:41 PM
I think they are all default, since I notice I do have SIM and APF. That's why I am asking here; maybe whoever created the thread can answer me.

thx anyway.

Yes, per the original post, the first 6 items are installed by default.

hth
charles

guapo
09-30-2005, 04:42 PM
It's not urgent, that's why I posted here.
:D

Thx charles.

And how about the iptables rules used ?

charles
09-30-2005, 06:26 PM
And how about the iptables rules used ?

I don't understand the question. We install APF by default, using the default rules.

hth
charles

guapo
09-30-2005, 06:41 PM
I was thinking that you guys used to use your own custom-built rules.

Thx :D

StingRay
10-24-2005, 06:03 PM
Regarding sshd_config,
If you change PermitRoot to "no" does this mean that you can not re-enable root due to permissions of the sshd_config file?

I tried to change it with my alternative wheel user and discovered I could not because it is owned by root/root and permissions were set to 600, not 644 (world).

Can someone confirm this before I go and disable root please... should I just change the permissions to 644??

elix
10-24-2005, 06:23 PM
Regarding sshd_config,
If you change PermitRoot to "no" does this mean that you can not re-enable root due to permissions of the sshd_config file?

I tried to change it with my alternative wheel user and discovered I could not because it is owned by root/root and permissions were set to 600, not 644 (world).

Can someone confirm this before I go and disable root please... should I just change the permissions to 644??

When you log in as a wheel group user you can use:

su -

then type in the root password to become root.

That's what I usually do.

zoney70
10-31-2005, 05:08 PM
I'm a little confused about a few things.

Item 1 of the default security list states that it ensures the latest versions of common components are installed. Yet the RKHunter log says OpenSSL, OpenSSH and ProFTPd appear vulnerable as they are not up to date. Checking the source sites for some of these components appears to confirm that.

RKHunter also complains about the hash or Hash values of half of the modules in /bin whose hashes it checks. Is this normal? I would expect the RKHunter database of hashes to be correct for the installed system, to be of any use.

I'm not in production mode yet, so there is no emergency, but my concern is longer term: how do I interpret this log if half of these warnings are bogus?

elix
10-31-2005, 06:39 PM
I would suggest e-mailing support: support@powervps.com. Sometimes there can be an error when they setup your VPS.

zoney70
11-02-2005, 08:48 AM
I contacted support, which responded by updating the service packages on my server. It isn't clear why the latest versions were not already installed per the standard security install, but support response was very prompt. (thanks, Veena) RKHunter still complains about Apache 1.3.33. Not clear why, as that is the latest.

The hash issues are due to an apparently recurring problem of RKHunter not supplying the correct tables for the version of RC2 installed. After some reflection, I view this as an inevitable consequence of open source. How does an independent tool manage to have unique support for every variation of every independent OS out there? In 64 and 32 bit versions? Seems to me there should be a different approach to managing hash tables that is not dependent on RKHunter itself. Shouldn't these be supplied by the OSes?

Certainly, not a problem PowerVPS can solve.

Ultimately, although RKHunter is a very useful tool, it will never be a panacea. I am looking into installing my own whitelist of hashes for the particular modules in question. (package linux-util)

charles
11-07-2005, 12:38 PM
Zoney70, I'll have someone update the versions we are using as well as the rkhunter hash if they are out of date in our templates.

charles

vps-vince
11-07-2005, 08:19 PM
Charles,
I've also noticed the following errors over last few days in the daily cron/scripts/upcp email:

retrygrab() failed for:
http://xxxxxx
Executing failover method
retrygrab() failed for:
http://xxxxxx
Executing failover method

I put in the x's instead of the full PowerVPS yum path in case of security issues.

- Vince

Zaf
11-07-2005, 09:13 PM
I'll have someone update the versions we are using as well as the rkhunter hash if they are out of date in our templates.

May I suggest you should update the templates more often, to avoid delivering old software versions.

I also suggest, 'Software updates' section of the forum should be more active with more user participation and be guided by staff members. For instance perl, iptables, wget, rkhunter, apf, etc. might be very old on many VPS.

Let me give a couple of examples, the other day while installing Vipul's Razor I noticed that I'd have to first update Perl as a particular perl module which was a pre-requisite for Vipul's Razor would only be supported on the later version of Perl.

Another example, if you were not delivering updated apf, the user may not get to use apf -u ip.address (to remove the ban on ip.address) as this feature was only added in the version 0.96

zoney70
11-08-2005, 12:23 PM
Zoney70, I'll have someone update the versions we are using as well as the rkhunter hash if they are out of date in our templates.

charles

The rkhunter hash issue appears to be that Virtuozzo requires specific versions of a couple of command modules of the util-linux package. Therefore these modules are different from those expected by rkhunter for FC2 Tettnang. The modules with unexpected hashes on my DA VPS are dmesg, login, and kill. (I was told by Defender support that dmesg is not used at all, which then raises the question of why it was replaced)

According to the rkhunter hash list, the hashes of these 3 modules in my VPS exactly match those of the same modules in the /bin directory of Redhat Shrike (from which Fedora was originally derived). It appears to me that they were obtained from the package util-linux-2.11y-9.i386 after FC2 was installed. (The rpm for that package is stored in the root folder of the vps.) However, the installed package list on vzpp lists util-linux-2.12-18, which is the key that rkhunter is using to index the hash list for these modules.

Defender support appears to believe the long term solution for the "bad hash" issue is for RKHunter to supply a hash list compatible with SW-Soft. I frankly consider this unlikely to happen unless the OS is installed from a package list that has a separate identity from Tettnang because the rkhunter hashes are indexed by the installed package list. I don't realistically expect rkhunter to be redesigned.

Bottom line:
I resolved the issue for my VPS by adding four MD5WHITELIST directives to /usr/local/etc/rkhunter.conf. (The 4th directive is because the identical kill module is also stored in /usr/bin.) I see no particular problem in using the rkhunter.conf file to resolve the issue, except that this should be part of the rkhunter installation, or instructions on how to accomplish it should be part of the security FAQ.
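The mechanism behind the "bad hash" warnings zoney70 worked through, as an added example (not rkhunter's own code or configuration syntax): a baseline lists the digest expected for each file, the check recomputes the digest and reports what differs, and a whitelist suppresses the mismatches an operator has verified as harmless, which is the role the MD5WHITELIST entries play for the util-linux binaries Virtuozzo replaced. The files, the stale digest and the whitelist below are constructed in a temporary directory; `md5sum` from coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example, not rkhunter's code: verify files against a digest baseline
# and let a whitelist suppress known-good mismatches. Everything below is
# constructed in a temporary directory; nothing touches the real /bin.

# file_md5: the MD5 digest of one file (first field of md5sum output).
file_md5() { md5sum "$1" | awk '{ print $1 }'; }

# hash_report: $1 = baseline text ("<md5> <path>" per line), $2 = whitelist
# text (one path per line, may be empty). Prints one line per finding:
# "MISSING <path>", "MISMATCH <path>", or "WHITELISTED <path>" for a
# mismatch the whitelist suppresses. Files whose digest matches print nothing.
hash_report() {
    whitelist=$2
    printf '%s\n' "$1" | while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(file_md5 "$path")" = "$expected" ]; then
            :   # digest matches the baseline: nothing to report
        elif printf '%s\n' "$whitelist" | grep -qxF -- "$path"; then
            echo "WHITELISTED $path"
        else
            echo "MISMATCH $path"
        fi
    done
}

# verify_hashes: returns 0 only when the report has no MISSING or MISMATCH
# line, i.e. every difference was either absent or explicitly whitelisted.
verify_hashes() {
    if hash_report "$1" "$2" | grep -q '^MIS'; then return 1; fi
    return 0
}

# Constructed stand-ins for the three binaries named above.
WORK=$(mktemp -d)
printf 'dmesg stand-in\n' > "$WORK/dmesg"
printf 'login stand-in\n' > "$WORK/login"
printf 'kill stand-in\n'  > "$WORK/kill"

# Baseline: correct digests for dmesg and login; for kill, the MD5 of the
# empty string as a deliberately stale digest (standing in for the digest of
# the package version the tool expected); and one path that does not exist.
BASELINE="$(file_md5 "$WORK/dmesg") $WORK/dmesg
$(file_md5 "$WORK/login") $WORK/login
d41d8cd98f00b204e9800998ecf8427e $WORK/kill
d41d8cd98f00b204e9800998ecf8427e $WORK/missing"

echo "Without a whitelist:"
hash_report "$BASELINE" ""
echo "With $WORK/kill whitelisted:"
hash_report "$BASELINE" "$WORK/kill"
```

The whitelist only downgrades a mismatch the operator has explained; a missing file still fails the check, which is the behaviour you want from a whitelist that exists to silence one known false positive rather than to weaken the scan.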

Tony
11-08-2005, 12:34 PM
Defender support appears to believe the long term solution for the "bad hash" issue is for RKHunter to supply a hash list compatible with SW-Soft. I frankly consider this unlikely to happen unless the OS is installed from a package list that has a separate identity from Tettnang because the rkhunter hashes are indexed by the installed package list. I don't realistically expect rkhunter to be redesigned.


Surprisingly, although busy, Michael is a pretty good guy when it comes to getting rid of these false positives. Both this and templates are at the top of my todo list, and they will be gotten to today/tomorrow. =)

I'll update here.

Tony
11-08-2005, 12:49 PM
Charles,
I've also noticed the following errors over last few days in the daily cron/scripts/upcp email:

You shouldn't get those anymore =)

elix
11-08-2005, 03:23 PM
You shouldn't get those anymore =)

Got the yum.powervps.com and download.powervps.com back online, eh? :)

vps-vince
11-08-2005, 06:58 PM
You shouldn't get those anymore =)

Correct. As of today the error is no longer there.
Thanks

Now if only I can get rid of those blasted LSM alerts :confused:

- Vince

vps-vince
11-09-2005, 04:34 PM
Update:
error regarding yum path back again at 16:00 GMT.

Tony
11-09-2005, 04:53 PM
Update:
error regarding yum path back again at 16:00 GMT.

Yeah, I was playing with the repos to streamline them somewhat; apparently, apache didn't like me for about 30 minutes. The messages themselves aren't anything to worry about, and it's just saying 'hey, i'm skipping to the next url in your list, since this one isn't working right now' - hence failover. =)

asterisk
11-12-2005, 09:21 PM
Hi,

I have been really happy with the great care and expertise that PowerVPS and its staff have taken with our VPSes' security. I have a question though. Do the alerts for the firewalls and security-related programs all automatically report to root in case of any suspicious activities?

Are there any other log files that one would like to monitor, perhaps automatically too or via a program, if that's possible? I am using LogWatch currently and it seems pretty okay so far.

wayne_496
12-13-2006, 09:40 PM
Hi Guys,
I am currently looking at this: http://www.configserver.com/cp/csf.html

is this going to completely mess up my server (with your stuff that comes preinstalled)?

sdjl
12-14-2006, 06:35 AM
I use CSF & LFD on my VPS and it's no problem at all.
Just make sure you configure CSF to be running on a VPS, monolithic kernel or something :)

You also need to remove APF and BFD once you install this, but there's a script included with the CSF package which can do it for you. It needs to be run from SSH though.

David

wayne_496
12-14-2006, 04:23 PM
OK, I think I will leave it just now - I almost did enough damage last night emptying the log folders to last me a lifetime...

Charlie
12-14-2006, 09:35 PM
I use csf and lfd on a power2 with no problems.

PhilD
04-14-2007, 04:11 AM
Just to chime in here, I use CSF/LFD on my Power-1 level VPS, and it works great for me.