UK WEB HOSTING FORUM FOR DISCUSSION ON WEB HOSTING SERVICE AND SUPPORT
LINUX HOSTING WINDOWS HOSTING PACKAGES SHOPPING CART OSCOMMERCE ZEN CART AGORA
ECOMMERCE HOSTING ASP MSSQL FRONTPAGE HOSTING PHP MYSQL HOSTING DISCUSSION FORUM
CPANEL RESELLER HOSTING DEDICATED SERVER VPS HOSTING PLESK VIRTUOZZO
Quick Search
Your forum announcement here!

  UK Web Hosting | Dedicated Server Windows and Linux VPS Forum > Technical Support > VPS Hosting - Virtual Private Servers

Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 08-11-2008, 21:31
flesso's Avatar
Premium Member
 
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,556
Default Hardening PHP and Apache?

Does any one know of any good articles/tutorials on how to harden PHP and Apache on a cPanel VPS?
__________________
Regards,
Josh Hold

eUKhost Blog: Over 1000 Computer Related Articles to Sink Your Teeth Into!

LDN GIGS - Gig Listings for London

Super Moderator

I'm only a forum gremlin (moderator), and do not work for eUKhost in any way. Opinions expressed by me are mine only, and do not reflect those of either eUKhost or any company that may be listed above.

I don't bite, honest.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #2 (permalink)  
Old 08-11-2008, 21:41
DPS Computing's Avatar
Premium Member
 
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,494
Send a message via ICQ to DPS Computing Send a message via AIM to DPS Computing Send a message via MSN to DPS Computing Send a message via Yahoo to DPS Computing Send a message via Skype™ to DPS Computing
Default

ServerShield Server Hardening and Optimization | Server Hardening | WiredTree

and

Hardening of your server's PHP configuration - Dedicated Server Hosting | VPS Hosting | Virtual Private Servers Forum

Hope that helps .
__________________
David Smith
DPS Computing
http://www.dpscomputing.com (Computing, Reviews, News) - New site / new polls / new stories! With many more to follow!
http://djdavid.dpscomputing.com (My DJ Website) - Christmas Gigs Announced! (02/12/2008 )
NEW LAUNCH! http://davidsmith.dpscomputing.com (My Personal Website)
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #3 (permalink)  
Old 08-11-2008, 22:37
flesso's Avatar
Premium Member
 
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,556
Default

Thanks for the links David.

Does anyone know of any Apache hardening articles? I.e. what modules to use and what not to use.
__________________
Regards,
Josh Hold

eUKhost Blog: Over 1000 Computer Related Articles to Sink Your Teeth Into!

LDN GIGS - Gig Listings for London

Super Moderator

I'm only a forum gremlin (moderator), and do not work for eUKhost in any way. Opinions expressed by me are mine only, and do not reflect those of either eUKhost or any company that may be listed above.

I don't bite, honest.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #4 (permalink)  
Old 08-11-2008, 23:15
Rsync's Avatar
System Administrator
 
Join Date: Mar 2007
Posts: 93
Thumbs up Basic But Powerful Steps to secure cPanel VPS.

1. Firewall Installation

Installing firewall and various other related tools such as CSF, sim. These will prevent unauthorized access to your server and from brute force attacks.
CSF (ConfigServer Firewall) http://www.configserver.com/free/csf/install.txt
LES (Linux Environment Security) R-fx Networks - Internet Security Solutions - Projects » LES
SIM (System Integrity Monitor) R-fx Networks - Internet Security Solutions - Projects » SIM
these do not prevent exploits of services which you run on your VPS server. Also you need to be aware of the installed firewall and you need to open up the additional ports as needed if you add new services/program.

2. Installing Rkhunter (RootKit Hunter)

Rkhunter is a very useful security scanning tool that is used to scan for trojans, rootkits, backdoors, local exploits and other security problems. It can be useful to detect any failures in your layers of defense. It’s a cron job that scans your server for security problems.
You can install rootkit using following steps.
====
a. Login to your server via SSH as root.
[root@support007 ~]# cd /usr/local/src/
b. Download latest RKHunter Version [1.3.2]
[root@support007 ~]# wget rkhunter.1.3.2.tar.gz
c. Extract files
[root@support007 ~]# tar -xzvf rkhunter-1.3.2.tar.gz
d. [root@support007 ~]# cd rkhunter-1.3.2
e. [root@support007 ~]# ./installer.sh
f. Now setup RKHunter to e-mail you daily scan reports.
[root@support007 ~]# pico /etc/cron.daily/rkhunter.sh
Add The Following Lines:
Quote:
#!/bin/bash
(/usr/local/bin/rkhunter –update && /usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s "RKhunter Scan Details" supp0rt@eukhost.com) Replace the e-mail above with your e-mail. It is best to send the e-mail to an e-mail off-site so that if the server is compromised then hacker can’t erase the scan reports.
Type: chmod 700 /etc/cron.daily/rkhunter.sh
Please refer the following URL for more details on Rootkit Hunter

3. Securing /tmp partition
Most of the attacks and exploits use /tmp to work out of any propagate themselves. By mounting /tmp with noexec and nosuid (meaning executables cannot be run from /tmp nor with escalated privileges), this stops many of these exploits from being able to do any harm.
You can do it by adding following entry in "/etc/fstab"
Quote:
none /tmp tmpfs nodev,nosuid,noexec 0 0
save the file and reboot the VPS, now vps get mounted with "nosuid" and "noexec"

4. Upgrade Apache/PHP, MySQL to latest version
make sure your running the latest secure versions of commons software components. This is the important step in preventing your server getting cracked by common exploits. There will be no problem in up-gradation, but if you have specific version requirements for particular applications, some upgrades should be made with caution.

5. Installing Mod_Security
ModSecurity is an open source intrusion detection and prevention engine for web applications and helps in preventing attacks on programs that would be vulnerable, it acts as a powerful shielding application from attacks. ModSecurity supports both branches of the Apache web server.
This can be fine tuned, but you may limit some "power" user customers (easily rectified). ModSecurity: Open Source Web Application Firewall

6. Enabling PHP suEXEC
When PHP runs as an Apache Module it executes as the "user/group" of the webserver which is usually "nobody" or "apache". Suexec is a mechanism supplied with Apache that allows to execute CGI scripts as the user they belong to, rather than Apache’s user. This improves security in situations where multiple mutually distrusting users have the possibility to put CGI content on the server.
This means the scripts are executed as the user that created them. If user "supp0rt" uploaded a PHP script, you would see it was "supp0rt" running the script when looking at the running processes on your server. It also provides an additional layer of security where script permissions can’t be set to 777 (read/write/execute at user/group/world level).
Note :-
Switching to the PHP Suexec module on the servers affects the users that depended on the configuration in the .htaccess file are panicking because their site not works anymore. This is not really a reason to be panic, what can you do in this situation is simple. Try to move as much configurations from your .htaccess file to the php.ini file. The php.ini is a simple text file that can be places in every directory from your server. It will affect only that directory and not the entire site. In addition, there could be some performance loss (also known as seeing a higher server load) as a result of all php scripts being ran as a separate CGI instead of as part of the Apache module.

7. Disable dangerous PHP functions
Some PHP functions are termed to be highly dangerous and these PHP functions should be left disabled in the configuration. Using an insecure PHP script as an entry point to a web hosting server can start unleashing dangerous commands and take control over the complete server.
Following is the complete list of such PHP functions which are needed to be disabled, so that it can't be executed from the server.
Locate the php.ini file of your server
Quote:
[root@support007 ~]# php -i | grep php.ini
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
[root@support007 ~]#
Now edit this file,
Quote:
[root@support007 ~]# pico /usr/local/lib/php.ini
Search for "disable_functions" [without quote] within that configuration file & modify it from disable_functions = to
Quote:
disable_functions = "system,passthru,exec,popen,proc_close,proc_get_st atus,proc_nice,proc_open,proc_terminate,shell_exec ,highlight_file,escapeshellcmd,define_syslog_varia bles,posix_uname,posix_getpwuid,apache_child_termi nate,posix_kill,posix_mkfifo,posix_setpgid,posix_s etsid,posix_setuid,escapeshellarg,posix_uname,ftp_ exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_ fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inj ect_code,syslog,openlog,define_syslog_variables,ap ache_setenv,mysql_pconnect,eval,phpAds_XmlRpc,phpA ds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDec ode,xmlrpc_entity_decode,fp,fput"
Note :- Disabling above mentioned functions may affect your web-applications, it's recommended to recheck your code & find an alternative solution, rather than risking the complete server for a mere application

8. Securing MySQL Database
MySQL is one of the most popular databases on the Internet and it is often used in conjunction with PHP. Besides its undoubted advantages such as easy of use and relatively high performance, MySQL offers simple but very effective security mechanisms. Unfortunately, the default installation of MySQL, and in particular the empty root password and the potential vulnerability to buffer overflow attacks, makes the database an easy target for attacks.

9. Disable non-root access to unsafe binaries.
Many exploits use well known executables already on your system as part of their bag of tools. By allowing only privileges to root to these files, you can avoid many attacks to not function.
You may find some binaries like "wget, lynx, scp" too useful to limit access to root only, despite being useful to crackers too.

10. Changing SSH Port
One common security precaution that system admins use is to set ssh to listen on a non-standard port (e.g. port 9989, 9898, etc). It is common for hackers to attempt ssh daemon exploits that tend to be very specific to the version of openssh that is running. By having sshd listen to a different port, instead, then you are reducing the risk of a general port 22 scan and hack. Changing port is an additional layer of security. Although this is a kin to security by obscurity, it can let you completely avoid many script attacks.

11. Disable SSH root access
Allowing the root user to login directly is a major security issue, because a brute force attack can use the known username ‘root’ and concentrate on password variations. By using a unique username (not something like admin) you can reduce the chance of a successful brute force attack. This will force a hacker to have to guess 2 separate passwords to gain root access (you do have 2 separate passwords for unique user’s and root right)

Now feel Safe and Enjoy
__________________
Regards,
RsyNc
VPS Support Team,
http://www.eukhost.com

VPS Hosting || Managed Hosting
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #5 (permalink)  
Old 08-11-2008, 23:29
DPS Computing's Avatar
Premium Member
 
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,494
Send a message via ICQ to DPS Computing Send a message via AIM to DPS Computing Send a message via MSN to DPS Computing Send a message via Yahoo to DPS Computing Send a message via Skype™ to DPS Computing
Default

I assume these would also apply to dedicated linux servers?
__________________
David Smith
DPS Computing
http://www.dpscomputing.com (Computing, Reviews, News) - New site / new polls / new stories! With many more to follow!
http://djdavid.dpscomputing.com (My DJ Website) - Christmas Gigs Announced! (02/12/2008 )
NEW LAUNCH! http://davidsmith.dpscomputing.com (My Personal Website)
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #6 (permalink)  
Old 08-11-2008, 23:49
Rsync's Avatar
System Administrator
 
Join Date: Mar 2007
Posts: 93
Default

Hello David,

Yes, this security tweak is also used for Linux Dedicated Servers.
__________________
Regards,
RsyNc
VPS Support Team,
http://www.eukhost.com

VPS Hosting || Managed Hosting
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #7 (permalink)  
Old 08-11-2008, 23:52
flesso's Avatar
Premium Member
 
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,556
Default

RSync, many thanks for that amazing tutorial of yours. That's probably the best I've seen on the internet, and I've been through many sites looking for something of the standard. Once again, many thanks.

Would you recommend installing ClamAV for the scanning of incoming and outgoing email?
__________________
Regards,
Josh Hold

eUKhost Blog: Over 1000 Computer Related Articles to Sink Your Teeth Into!

LDN GIGS - Gig Listings for London

Super Moderator

I'm only a forum gremlin (moderator), and do not work for eUKhost in any way. Opinions expressed by me are mine only, and do not reflect those of either eUKhost or any company that may be listed above.

I don't bite, honest.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #8 (permalink)  
Old 09-11-2008, 00:11
Rsync's Avatar
System Administrator
 
Join Date: Mar 2007
Posts: 93
Default

Hello,
Yes you can install ClamAV for Virus Protection for Email and Filemanager Uploads, but I will not recommend this on a VPS, as "ClamAV" require more resources to run smoothly and it affect the VPS performance having less resources. It's good to install it on a Dedicated server, as dedicated server is having enough resources to utilize.
You can Install ClamAV on a [WHM/cPanel] server from WHM >> cPanel >> Manage Plugins >> clamavconnector Option

__________________
Regards,
RsyNc
VPS Support Team,
http://www.eukhost.com

VPS Hosting || Managed Hosting
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #9 (permalink)  
Old 09-11-2008, 00:23
DPS Computing's Avatar
Premium Member
 
Join Date: Apr 2007
Location: Manchester, United Kingdom
Posts: 6,494
Send a message via ICQ to DPS Computing Send a message via AIM to DPS Computing Send a message via MSN to DPS Computing Send a message via Yahoo to DPS Computing Send a message via Skype™ to DPS Computing
Default

Quote:
Originally Posted by Rsync View Post
Hello David,

Yes, this security tweak also used on Linux Dedicated Server.
Thanks for the clarification on that Rsync .

Quote:
Originally Posted by Rsync View Post
Hello,

Yes you can install ClamAV for Virus Protection for Email and Filemanager Uploads, but I will not recommend this on a VPS, as "ClamAV" require more resources to run smoothly and it affect the VPS performance having less resources. It's good to install it on a Dedicated server, as dedicated server is having enough resources to utilize.
You can Install ClamAV on a [WHM/cPanel] server from WHM >> cPanel >> Manage Plugins >> clamavconnector Option

So ClamAV is good to use on a dedicated server? Everything else I have heard about it hasn't been good but it is something I have been interested in installing if it won't cause any problem and is useful .
__________________
David Smith
DPS Computing
http://www.dpscomputing.com (Computing, Reviews, News) - New site / new polls / new stories! With many more to follow!
http://djdavid.dpscomputing.com (My DJ Website) - Christmas Gigs Announced! (02/12/2008 )
NEW LAUNCH! http://davidsmith.dpscomputing.com (My Personal Website)
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #10 (permalink)  
Old 09-11-2008, 00:49
flesso's Avatar
Premium Member
 
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,556
Default

RSync, is there any particular ruleset/configuration I should use with mod_security?
__________________
Regards,
Josh Hold

eUKhost Blog: Over 1000 Computer Related Articles to Sink Your Teeth Into!

LDN GIGS - Gig Listings for London

Super Moderator

I'm only a forum gremlin (moderator), and do not work for eUKhost in any way. Opinions expressed by me are mine only, and do not reflect those of either eUKhost or any company that may be listed above.

I don't bite, honest.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #11 (permalink)  
Old 09-11-2008, 02:09
Rsync's Avatar
System Administrator
 
Join Date: Mar 2007
Posts: 93
Default

Hello Josh Hold,

You can download mod_security rules from mod_security rule.
__________________
Regards,
RsyNc
VPS Support Team,
http://www.eukhost.com

VPS Hosting || Managed Hosting
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #12 (permalink)  
Old 09-11-2008, 03:32
Rsync's Avatar
System Administrator
 
Join Date: Mar 2007
Posts: 93
Default

Quote:
Originally Posted by DPS Computing View Post
I assume these would also apply to dedicated linux servers?
Yes, this security tweak also used on Linux Dedicated Server. But securing "/tmp" partition step is different on a dedicated server.
Following is the steps to secure "/tmp" on a dedicated server.

You only need to change the Attributes of the "/tmp" without reboot the server.
You can remount the partition immediately with the new attributes as,
Quote:
mount -o remount,noexec,nosuid /tmp
OR
make the change in the fstab
Quote:
LABEL=/tmp /tmp ext3 noexec,nosuid,nodev,rw 1 2
then remount it
Quote:
mount -o remount /tmp
Following is the steps to secure your "/tmp" partition using a cPanel Script, on a cPanel server.
Quote:
1. Login to your server as root via SSH.

2. Type: /scripts/securetmp
cPanel wrote that script to allow users to secure their "/tmp" partition very easily.

That's all done, "/tmp" secured on a dedicated server.
__________________
Regards,
RsyNc
VPS Support Team,
http://www.eukhost.com

VPS Hosting || Managed Hosting
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #13 (permalink)  
Old 09-11-2008, 22:05
flesso's Avatar
Premium Member
 
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,556
Default

Thanks again RSync. Do you have any other links to mod_sec rules that I could use? The other link crashed my HTTPD server.
__________________
Regards,
Josh Hold

eUKhost Blog: Over 1000 Computer Related Articles to Sink Your Teeth Into!

LDN GIGS - Gig Listings for London

Super Moderator

I'm only a forum gremlin (moderator), and do not work for eUKhost in any way. Opinions expressed by me are mine only, and do not reflect those of either eUKhost or any company that may be listed above.

I don't bite, honest.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #14 (permalink)  
Old 09-11-2008, 22:20
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 4,997
Send a message via AIM to eUKhost.com Send a message via MSN to eUKhost.com Send a message via Skype™ to eUKhost.com
Default

I'll personally recommend not to use clamAV as there's no need for a Anti-Virus scanner on Linux Servers. Spamassassin can be tweaked to deal with those 25 kb zip attachments which come in those virus spams. If you ignore or delete such spams then there's absolutely no need for clamAV on Linux Servers.

clamAV is resource intensive and there's no need to trouble your server if you are a experienced internet user.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________

Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #15 (permalink)  
Old 09-11-2008, 22:30
flesso's Avatar
Premium Member
 
Join Date: Mar 2007
Location: 127.0.0.1
Posts: 1,556
Default

Quote:
Originally Posted by eUKhost.com View Post
I'll personally recommend not to use clamAV as there's no need for a Anti-Virus scanner on Linux Servers. Spamassassin can be tweaked to deal with those 25 kb zip attachments which come in those virus spams. If you ignore or delete such spams then there's absolutely no need for clamAV on Linux Servers.

clamAV is resource intensive and there's no need to trouble your server if you are a experienced internet user.
Not even on a dedicated server?
__________________
Regards,
Josh Hold

eUKhost Blog: Over 1000 Computer Related Articles to Sink Your Teeth Into!

LDN GIGS - Gig Listings for London

Super Moderator

I'm only a forum gremlin (moderator), and do not work for eUKhost in any way. Opinions expressed by me are mine only, and do not reflect those of either eUKhost or any company that may be listed above.

I don't bite, honest.
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!
Reply With Quote
  #16 (permalink)  
Old 09-11-2008, 22:38
eUKhost.com's Avatar
Chief Marketing Officer
 
Join Date: Sep 2005
Posts: 4,997
Send a message via AIM to eUKhost.com