How do you secure your servers?

Hi guys,

I am thinking of opening my website to the public even though some scripts aren't working 100%, but I can't keep it offline forever, so before doing this I would like to make my server bulletproof. What are your suggestions? What are your personal settings? For example, I couldn't see mod_security in Apache's available modules. Can this be installed manually from the command line, or is there an easier way to install it from Virtualmin/Webmin?

Regards,
Anarchy

We’d welcome any comments folks have on how they secure their servers!

We did discuss this with the author of the above question in IRC, mentioning the article here named “I just setup my server, and installed Virtualmin. Are there any steps I can take to improve the server security?”

https://www.virtualmin.com/documentation/security/faq

Run apps as the user, like in mod_FCGI
Run security scripts to detect your system's weak points and solve the issues
Have strong passwords, make sure your users cannot use weak passwords
Disable root access
Always update your system and web scripts
Run only services you really really need
Install proper certificates
Check your logs every day for suspicious behavior
Don’t use badly written websites, use only the longstanding ones like Drupal, Joomla, WordPress etc. and still don't trust them.
Don’t experiment on your box, use a development box for experimenting/developing
Place your server in a secure environment, hence a trustworthy data center
If all that won’t help, pull the plug and find another job :)

I highly recommend the following:

USE IDSs (Intrusion Detection Systems)

USE strong firewalls

Close all ports NOT needed.

Terminate all services NOT used or needed.

Baseline differential scripts on open-source PHP applications that check for the alteration and insertion of files and report back to the system administrator if anything changes.

Fail2ban is a fantastic program

Turn off FTP, force through SSH.

DenyHosts is a good program.

Afick is a good program

Put phpMyAdmin in https.

Logwatch: send logs every night to the sysadmin for review

All this is just a beginning, but it is a good start along with the advice of others in this thread.

Kobie

Thanks a lot, guys. I have a few questions:

Disable root: then with which username will I log in to my Webmin/Virtualmin? I should of course replace root with an equivalent user, but how?
Run security scripts: which ones, for example?
Which IDS would you recommend?
Also, there are tools which tell you when a change is made to any file. Which one would you recommend?

You can create a sudo user to log into the system and Webmin; within Webmin, assign permissions to that user. Also, for Webmin you should use the domain owner to log in (the domains you create have separate users).
If you must use root, create a pair of keys (with PuTTY, for example) and disable the password for root when the keys are working.

Tools can be found here: http://www.securityfocus.com/tools

Attached is a c999shell file. Use this with extreme caution and do not leave it on your server!! You will get hacked if you do. Upload it, test, delete it, solve issues, upload again, test, delete it. I recommend doing this with the machine still at home, and remove it from the internet first. Yes, it sounds paranoid, but I have had my experiences :) Rename the extension jpg to zip to open the file.

For PHP look at http://phpsec.org/

It would be nice to be able to get it as a webmin module also.