
20 Linux Server Hardening Security Tips

Securing your Linux server is important to protect your data, intellectual property, and time from the hands of crackers (hackers). The system administrator is responsible for the security of the Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for a default installation of a Linux system.
Linux Server Hardening Checklist and Tips
The following instructions assume that you are using a CentOS/RHEL or Ubuntu/Debian based Linux distribution.
#1: Encrypt Data Communication
All data transmitted over a network is open to monitoring. Use scp, ssh, rsync, or sftp for file transfer.
#1.1: Avoid Using FTP, Telnet, And Rlogin / Rsh Services
Under most network configurations, user names, passwords, FTP / telnet / rsh commands and transferred files can be captured by anyone on the same network using a packet sniffer.
#2: Minimize Software to Minimize Vulnerability
Do you really need all sorts of web services installed?
#3: One Network Service Per System or VM Instance

Dragon Research Group (DRG) :: sshpwauth-tac
The Secure Shell (SSH) architecture is a set of protocols and tools based on the ability to enable encrypted remote system login. SSH has largely replaced tools such as TELNET and rsh for most system administrative needs. Most SSH implementations have had good track records, having been responsible for relatively few bugs that lead to widespread anonymous attacks against the protocol or implementation. However, like many systems, SSH is only as safe as its weakest link.
Password Strengths and Weaknesses
It might be argued that any reliance on static usernames and passwords for critical system authentication is prone to failure, particularly at scale. Log failed and successful remote connection events, preferably to a remote syslog server.
SSH Policy and Configuration Options
DenyUsers, AllowUsers, DenyGroups, AllowGroups
These options contain a list of group names or user names, separated by whitespace.
AuthorizedKeysFile
Match
PasswordAuthentication
PermitRootLogin
Port
Monitoring and Alerting

CentOS 5 HTTP/HTTPS web server with PHP, database, virtual hosts, & web statistics [httpd+mpm_itk, mod_ssl, mod_php, awstats] | firewing1
This how-to will show you how to configure:
- An Apache 2 web server using virtual hosts
- The ITK MPM, which allows each virtual host to serve requests as its own user/group
- mod_ssl to serve pages over the secure HTTP (HTTPS) protocol
- mod_security to help prevent everything from SQL injections to data leaks
- mod_php for PHP scripts along with mod_suhosin to help mitigate risks from known and unknown flaws in PHP scripts
Rebuilding httpd for ITK
About privilege separation
By default, the Apache web server runs as the 'apache' user. Privilege separation is a technique that can be used to mitigate the risk of an attack against a shared hosting server.
Rebuild process
Unfortunately, the ITK MPM is not included in the stock httpd distribution. With that done, let's make a few quick modifications to the RPM spec file located at ~/rpmbuild/SPECS/httpd.spec. We will first need to add the ITK patches. In the %build section of the spec file, you will see these lines:

CentOS 5 server setup series: getting started | firewing1
Preface
As of writing, the most recent version of CentOS available is 5.6, so I will be using it as the basis for this how-to. If a newer version is available, I recommend you use that version instead. Most of these instructions should still apply, especially if it is only a newer 5.x release. This series of tutorials will help you set up a shared hosting server using a hardened CentOS 5.
Before starting
When writing this tutorial, I assumed that you:
Legal Disclaimer
Please note that this guide is provided on an informal, as-is basis.
Installing CentOS 5
Visit the CentOS project website and download the latest 5.x netinstall ISO image from a nearby mirror. Once you have started the installation process, choose the HTTP install method and enter the URL and path that you noted earlier. For more information on this process, see section 12.11 of the Red Hat Enterprise Linux installation guide, Installing via HTTP.
Repository setup
Note: this command works at the time of writing.

CentOS 5 SSH+SFTP for remote access and secure file transfers [OpenSSH] | firewing1
This how-to will show you how to configure:
- Remote access over SSH via OpenSSH
- Secure, password-less authentication
- Optional: OpenSSH 5.4p1 to restrict shell access and jail users by group
- Secure file transfers over SFTP
Configuring OpenSSH
openssh-server is already installed by default; it just needs to be configured. We will disable root logins as well as all password-based logins in favour of the more secure public key authentication. The following will configure SSH as described above:
    cat << EOF >> /etc/ssh/sshd_config
    ### Customizations ###
    # Some of the settings here duplicate defaults, however this is to ensure that
    # if for some reason the defaults change in the future, your server's
    # configuration will not be affected.
    # Do not allow root to login over SSH.
    # Disable password authentication and enable key authentication.
    # Do not allow TCP or X11 forwarding by default.
    AllowTcpForwarding no
    X11Forwarding no
    # Why give such a large window?
    ln -s ../..
Denyhosts

CentOS 5 server setup series: server security & reliability | firewing1
This how-to will not configure any one service in particular, but rather focus on the operating system as a whole in order to improve security and reliability. This how-to will show you how to:
- Configure the GRUB bootloader to gracefully handle kernel panics during boot
- Create, edit & manage custom SELinux policy modules
- Deny access to remote users with too many failed authentication attempts over SSH (Denyhosts), POP3 or IMAP (Fail2ban)
- Improve the password hash strength
- Enable shell timeouts
- ...and much more!
Gracefully recovering from kernel panics: Boot robustness & more
GRUB has two very important features that you can use to make your system more robust in the event of a kernel panic or other boot error: saved default boot entries and fallbacks. The fallback command is extremely handy when installing and testing new kernels. So, how do we get this set up?
    cat << EOF > /usr/local/sbin/grub-set-default
    #!
    fallback=1

CentOS 5 SQL database server [MySQL] | firewing1
This how-to will show you how to configure:
- MySQL as a secure and performant database server
- Create new databases
- Additional MySQL users with restricted privileges
Installing MySQL
    yum install mysql mysql-server
    chkconfig mysqld on
    service mysqld start
    iptables -I RH-Firewall-1-INPUT 4 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
    service iptables save
    mysql_secure_installation
Adding a new database+user
Execute in MySQL:
    CREATE DATABASE `username_purpose`;
    GRANT ALL ON `username_purpose`.* TO 'username'@'localhost' IDENTIFIED BY 'new_password';
    FLUSH PRIVILEGES;
The new user will only have privileges on the newly created database. You can choose anything you'd like for username_purpose, username and new_password, but to make maintenance easier, name your database users after the corresponding system user for that site. As well, remember that most of your users will simply need to enter the password once at installation time of the CMS or other software.

CentOS 5 POP3/IMAP/SMTP mail server with virtual users [Dovecot LDA+SASL, Postfix] | firewing1
This how-to will show you how to configure:
- A MySQL database to store information about email accounts, aliases (per-address or per-domain) and autoresponders
- Postfix as your mail transfer agent (MTA) for SMTP
- amavisd-new with clamav & spamassassin for automatic virus and spam filtering
- Ability to define virtual users (via MySQL database) mapped to a real UID/GID or system users
- Aliases generated automatically from the MySQL database, allowing one address to forward to another or all addresses on a domain to forward to another
- Response handling email autoresponders
- Dovecot as the local delivery agent (LDA) delivering mail to the corresponding user's mailbox
- Dovecot as SASL authenticator
- Dovecot for POP3 & IMAP
- Dovecot LDA delivering mail as any system user (better security)
- SASL authentication based on virtual user information stored in the MySQL database

How To: WHM/cPanel Hardening & Security - The Basics - Part 1
1. Introduction
A step-by-step paper on how to secure a Linux server with cPanel/WHM and Apache installed. By default, Linux is not secure enough, but you have to understand there is no such thing as a “totally secured server/system”. The purpose of this paper is to understand how to at least provide some kind of security to the server.
Let’s start
So, you bought the server with CentOS 5 installed.
2.
2.1 WHM\cPanel Installation
To begin your installation, use the following commands in SSH: cd /home wget .
cd /home – Opens /home directory
wget – Fetches the latest installation file from the cPanel servers.
WHM\cPanel should be installed now.
2.2 WHM\cPanel Configuration
Log in to WHM using root username/passwd or
WHM – Server setup – Tweak Security: Disable cPanel Demo Mode Disable shell access for all accounts (except root)
WHM – Service Configuration – FTP Configuration:
WHM – MySQL:
