We deal with security related issues nearly every day. Many of them could be prevented with a few minor changes to php.ini along with the installation of mod_security. It is simply amazing how many machines are hacked and then used for the sole purpose of sending spam, launching denial of service (DoS) attacks, or serving as botnet nodes.
Security is a practice of managed risk. The strength of your system security is directly related to your commitment to managing your server. It is not realistic, or possible, to guarantee your system is completely secure.
This will be an evolving document; please feel free to suggest any additions or changes.
Please note that these settings could break your application; use them at your own risk, and try them on a staging copy before touching a production host.
Develop a patch and upgrade strategy. Plan for regularly scheduled updates, and subscribe to security related mailing lists, including your vendors' lists, so you are alerted when a patch has to go on immediately.
Develop a password strategy. Consider enforcing password quality through PAM by modifying /etc/pam.d/system-auth (at least on RedHat based systems; on RHEL4 that means the pam_cracklib options in that file). See my system-auth.diff for reference (from a RHEL4 machine).
Validate your system passwords. Run John the Ripper once a month against a copy of /etc/shadow, on a machine that is not the production server, and force a password change on every account it cracks.
Enforce password lengths and aging, using the /etc/login.defs settings below as a starting point (the relevant directives are PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN and PASS_WARN_AGE). Note that these values only apply to accounts created after the change; existing accounts must be updated with chage.
# /etc/login.defs changes..
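The following is an added example, not part of the original post: a small audit-and-fix script for the login.defs ageing directives. The thresholds it enforces (90-day maximum, 1-day minimum, 12-character minimum length, 7-day warning) and the sample file are my own assumptions for illustration, not values the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/login.defs password
# ageing settings and rewrite them to a baseline. The thresholds are assumptions
# chosen for illustration (max 90 days, min 1 day, min length 12, warn 7 days),
# not values the post specifies.

# Print the value of the first uncommented "KEY value" line in FILE (empty if absent).
get_def() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Replace every uncommented KEY line in FILE with "KEY VALUE", or append one.
set_def() {
    f=$1 k=$2 v=$3
    if awk -v k="$k" '$1 == k { found = 1 } END { exit !found }' "$f"; then
        awk -v k="$k" -v v="$v" '$1 == k { print k "\t" v; next } { print }' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s\t%s\n' "$k" "$v" >> "$f"
    fi
}

# Exit 0 if FILE meets the baseline, 1 otherwise; one line per failing setting.
check_login_defs() {
    f=$1 rc=0
    max=$(get_def "$f" PASS_MAX_DAYS);  max=${max:-99999}   # shadow's default when unset
    min=$(get_def "$f" PASS_MIN_DAYS);  min=${min:-0}
    len=$(get_def "$f" PASS_MIN_LEN);   len=${len:-0}
    warn=$(get_def "$f" PASS_WARN_AGE); warn=${warn:-0}
    [ "$max" -le 90 ] || { echo "PASS_MAX_DAYS=$max (want <= 90)"; rc=1; }
    [ "$min" -ge 1 ]  || { echo "PASS_MIN_DAYS=$min (want >= 1)"; rc=1; }
    [ "$len" -ge 12 ] || { echo "PASS_MIN_LEN=$len (want >= 12)"; rc=1; }
    [ "$warn" -ge 7 ] || { echo "PASS_WARN_AGE=$warn (want >= 7)"; rc=1; }
    return $rc
}

# Write the baseline into FILE (run on a copy first; diff before touching /etc).
harden_login_defs() {
    set_def "$1" PASS_MAX_DAYS 90
    set_def "$1" PASS_MIN_DAYS 1
    set_def "$1" PASS_MIN_LEN 12
    set_def "$1" PASS_WARN_AGE 7
}

# Demo on a constructed copy that mirrors stock defaults (never edits the real file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real /etc/login.defs
MAIL_DIR        /var/spool/mail
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
echo "before:"; check_login_defs "$sample" || true
harden_login_defs "$sample"
echo "after:";  check_login_defs "$sample" && echo "baseline met"
rm -f "$sample"
```

Two things the script cannot do for you: login.defs is only read when an account is created, so existing users need chage -M 90 -m 1 -W 7 username, and on PAM-based systems the minimum length is enforced by the PAM stack (pam_cracklib on RHEL4, pam_pwquality on current releases) rather than by PASS_MIN_LEN, which is why the system-auth change above matters.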
Disable direct root logins. Set PermitRootLogin no in /etc/ssh/sshd_config, log in as an unprivileged user, and use su or sudo for administrative work.
Change your SSH port in /etc/ssh/sshd_config (check the file with sshd -t, then restart sshd). A non-default port cuts down the noise from automated scanners; it does not stop a targeted brute-force attempt, so pair it with key-based authentication and rate limiting of failed logins rather than relying on it. Don't forget to add the new port to your firewall rules before restarting, and keep your existing session open until you have confirmed a fresh login on the new port.
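As an added example (not the post's own code) covering both sshd_config changes above, here is a check that reads the file the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive, and anything after a Match line is conditional. The port number 2222 and the sample config are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit the global section of an
# sshd_config for the two changes above (PermitRootLogin, non-default Port) and
# rewrite it. The port 2222 and the sample config are assumptions for illustration.

# Effective value of KEY in FILE. sshd uses the FIRST occurrence of a keyword and
# matches keywords case-insensitively; lines after the first "Match" block are
# conditional and ignored here. Empty output means "not set" (built-in default applies).
effective_opt() {
    awk -v k="$2" 'BEGIN { lk = tolower(k) }
        tolower($1) == "match" { exit }
        tolower($1) == lk      { print $2; exit }' "$1"
}

# Drop every global KEY line and put "KEY VALUE" at the top, so it is what sshd sees.
set_sshd_opt() {
    awk -v k="$2" -v v="$3" 'BEGIN { lk = tolower(k); print k " " v }
        tolower($1) == "match"        { inmatch = 1 }
        !inmatch && tolower($1) == lk { next }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 if root login is off and the port is not 22; print each finding otherwise.
audit_sshd_config() {
    f=$1 rc=0
    prl=$(effective_opt "$f" PermitRootLogin)
    port=$(effective_opt "$f" Port); port=${port:-22}   # sshd default when unset
    [ "$prl" = "no" ]   || { echo "PermitRootLogin is '${prl:-unset}' (want no)"; rc=1; }
    [ "$port" != "22" ] || { echo "Port is 22 (want a non-default port)"; rc=1; }
    return $rc
}

# harden_sshd_config FILE PORT: apply both settings (validate with sshd -t afterwards).
harden_sshd_config() {
    set_sshd_opt "$1" PermitRootLogin no
    set_sshd_opt "$1" Port "$2"
}

# Demo on a constructed file. Note the commented-out "#PermitRootLogin yes" that a
# naive grep would mistake for a setting, and the conditional Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real sshd_config
#Port 22
#PermitRootLogin yes
Protocol 2
Match User backup
    PermitRootLogin no
EOF
echo "before:"; audit_sshd_config "$sample" || true
harden_sshd_config "$sample" 2222
echo "after:";  audit_sshd_config "$sample" && echo "ok"
rm -f "$sample"
```

Before restarting sshd, open the port in the firewall (with plain iptables that is iptables -I INPUT -p tcp --dport 2222 -j ACCEPT; with APF, add the port to IG_TCP_CPORTS in /etc/apf/conf.apf and reload), run sshd -t, and only then restart from a session you keep open until a second login on the new port succeeds.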
PHP.ini recommended changes
display_errors = Off
safe_mode = On
register_globals = Off
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_terminate,proc_close"
magic_quotes_gpc = On
allow_url_fopen = Off
expose_php = Off
allow_url_include = Off
; consider setting open_basedir
Two caveats on this list. First, safe_mode, register_globals and magic_quotes_gpc were deprecated in PHP 5.3 and removed in 5.4, so on any current PHP those three lines are ignored; even on older releases, neither safe_mode nor magic_quotes was a real protection (magic_quotes does not prevent SQL injection, prepared statements do). Second, the disable_functions list leaves proc_open enabled while disabling proc_terminate and proc_close, so a script can still spawn processes; add proc_open if you want the exec family closed off.
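As an added example (not from the original post), the following script audits a php.ini against the list above. Two points are my own additions rather than the post's: it requires proc_open in disable_functions, and it flags safe_mode, register_globals and magic_quotes_gpc as legacy because PHP 5.4 removed them. The sample php.ini is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini against the
# directives listed above. Two additions are my own: proc_open is required in
# disable_functions (the post's list leaves it enabled), and safe_mode,
# register_globals and magic_quotes_gpc are reported as legacy because PHP 5.4
# removed them. The sample php.ini is constructed for the demo.

# Value of the first uncommented "KEY = value" line in FILE, unquoted; empty if absent.
php_ini_get() {
    awk -v k="$2" -F= '
        /^[[:space:]]*;/ || !/=/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        tolower(key) == tolower(k) {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            gsub(/^"|"$/, "", v)
            print v; exit }' "$1"
}

# True if VALUE is one of PHP's spellings of "off". An unset directive is NOT
# accepted: display_errors, expose_php and allow_url_fopen default to On when absent.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        off|0|false|no|none|null) return 0 ;;
        *) return 1 ;;
    esac
}

# True if FUNC appears in FILE's disable_functions list (comma separated, spaces allowed).
has_disabled() {
    php_ini_get "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# Exit 0 when every check passes; print one line per finding otherwise.
audit_php_ini() {
    f=$1 rc=0
    for d in display_errors expose_php allow_url_fopen allow_url_include; do
        v=$(php_ini_get "$f" "$d")
        is_off "$v" || { echo "FAIL $d = '${v:-unset}' (want Off)"; rc=1; }
    done
    for fn in dl exec shell_exec system passthru popen proc_open; do
        has_disabled "$f" "$fn" || { echo "FAIL disable_functions lacks $fn"; rc=1; }
    done
    [ -n "$(php_ini_get "$f" open_basedir)" ] || { echo "FAIL open_basedir unset"; rc=1; }
    for d in safe_mode register_globals magic_quotes_gpc; do
        [ -z "$(php_ini_get "$f" "$d")" ] \
            || echo "NOTE $d is set; removed in PHP 5.4, ignored on current PHP"
    done
    return $rc
}

# Demo on a constructed php.ini (not a real server's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
; constructed sample php.ini
display_errors = On
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_terminate,proc_close"
safe_mode = On
EOF
audit_php_ini "$sample" || echo "(fix the FAIL lines above, then re-run)"
rm -f "$sample"
```

Run it against the php.ini that the web server actually loads (php -i | grep "Loaded Configuration File"), and remember that .htaccess php_value lines and per-directory overrides can change display_errors and open_basedir after the fact, so the file is only part of the picture.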
Restrict wget, elinks, lynx, curl and similar fetchers by setting their permissions to 0700 (root only). This only raises the bar: it stops unprivileged shell and web-server users from calling those binaries, but an attacker who can already run scripts can fetch with perl or python, or upload a static binary, so treat it as a speed bump rather than a control.
Remount /tmp, /dev/shm and /var/tmp with noexec,nosuid (and nodev), and make the options persistent in /etc/fstab. This stops dropped binaries from being executed directly; it does not stop "sh /tmp/x.sh" or "perl /tmp/x.pl", and some package installers need exec on /tmp, so expect to remount with exec for the duration of an update if one fails.
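To verify that the remount actually took effect, here is an added example (not the post's own code) that reads a mount table in /proc/mounts format and reports what is missing on each of the three paths. The mount table in the demo is constructed; on a real host pass /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original post): check which mount options are in
# effect for the temp filesystems named above, reading the /proc/mounts format.
# The mount table below is constructed for the demo; on a real host pass /proc/mounts.

# Options of the mount at MOUNTPOINT in a /proc/mounts-format FILE. The last matching
# line wins, because a later mount on the same path shadows the earlier one.
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1"
}

# True if the comma-separated option list OPTS contains OPT.
has_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Exit 0 if MOUNTPOINT is a separate mount with noexec and nosuid (nodev is only
# advised); print each missing option otherwise.
check_mount() {
    f=$1 mp=$2 rc=0
    opts=$(mount_opts "$f" "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount point (inherits the parent filesystem's options)"
        return 1
    fi
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || { echo "$mp: missing $o"; rc=1; }
    done
    has_opt "$opts" nodev || echo "$mp: nodev advised"
    return $rc
}

# Constructed mount table: /tmp done right, /dev/shm without noexec, /var/tmp not split out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
EOF
for mp in /tmp /dev/shm /var/tmp; do
    check_mount "$sample" "$mp" && echo "$mp: ok"
done
rm -f "$sample"
```

A typical fix for the two findings the demo produces is an fstab line such as "tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0" followed by mount -o remount /dev/shm, and for /var/tmp either its own filesystem or a bind mount of /tmp; rerun the check afterwards rather than trusting the fstab edit.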
Install a firewall such as APF (Advanced Policy Firewall, an iptables front end): deny inbound by default and open only the ports you actually serve.
Disable unused services.
Keep your systems up to date.
Install Rootkit Hunter and configure a daily cron job that emails its report to root (for unattended runs use rkhunter --cronjob --report-warnings-only, after an rkhunter --update so its data files are current). It can be run manually with:
rkhunter -c --skip-keypress
Website: http://rkhunter.sf.net
Install chkrootkit from http://www.chkrootkit.org/. It should run at least once per day. Like rkhunter it detects known signatures only, so a clean report is not proof that the host is clean.
Install OSSEC from ossec.net. OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response. It is available for most platforms including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.
In addition, here are some cPanel specific changes for those with a control panel:
- Enable “Attempt to prevent pop3 connection floods” – this stops people attacking your server by DoSing the POP3 service
- Set “The maximum each domain can send out per hour” – this limits any damage caused by spammers should they get onto the server through an exploit
- Set “The number of times users are allowed to check their mail using pop3 per hour” – this helps keep POP3 load on the server at manageable levels
- Disable “Allow perl updates from rpm based linux vendors” – cPanel maintains perl modules directly through CPAN, so the vendor perl rpms are not necessary
- Enable “Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.” – enables secure access through SSL for logins
- Disable “Allow cPanel users to reset their password via email” – this option has been an exploit vector in the past and should not be trusted
- Enable “php open_basedir Protection” – this keeps PHP scripts from straying outside their own root directory (except for /tmp); treat it as defence in depth, since filesystem permissions and per-user separation remain the real boundary
- Enable mod_userdir Protection – this prevents users from stealing bandwidth or hackers hiding access to your servers through apache
- Disable Compilers – this stops exploits from compiling code on your server (an attacker can still upload a precompiled binary, so it is a speed bump rather than a barrier)
- Change System Mail Preferences – all these fields should be completed with an existing email address that is monitored
- Enable “Shell Fork Bomb Protection” – this prevents poorly written scripts from consuming server resources and prevents local DoS attacks
- Disable FTP Configuration > Anonymous FTP – this is a typical vulnerable option used as an attack vector by hackers and should be disabled unless actively used
- Enable “Modify Apache Memory Usage” – this helps limit the resources that poorly written scripts can use
- Enable “Background Process Killer” – this kills off exploit processes such as IRC bots during the upcp nightly run