The following is a list of software and configuration changes that you should install or apply to secure, optimize and harden your server.
a) Install chkrootkit, a program that looks for known signatures of trojaned system binaries and other traces of rootkits; in short, it detects whether your system has been compromised. Because it runs on the very host it is checking, a rootkit that hooks the kernel can hide from it, so treat a clean result as a good sign rather than as proof.
b) Install Rootkit Hunter (rkhunter), a scanning tool that looks for known rootkits, backdoors and suspicious or hidden files, and compares hashes of system binaries against its stored baseline. Refresh that baseline (rkhunter --propupd) after legitimate package updates, otherwise every update shows up as a change.
c) Install APF (Advanced Policy Firewall) and configure it to allow inbound traffic only on the ports that are actually in use. Enable APF's anti-DoS (antidos) module, which helps mitigate certain types of DoS (denial of service) attacks against your server. The same rate limiting also slows down brute-force attacks, but some attempts will still get through, so it is no substitute for passwords that are not in any dictionary (or, better, SSH keys).
d) Install BFD (Brute Force Detection). It runs periodically, parses the authentication logs and works together with APF to block the IP address of any client that fails authentication more than 3 times within 10 minutes.
e) Install Logwatch. This program parses your server's logs and e-mails you a tabulated daily report.
f) Install SIM (System Integrity Monitor). It checks all configured services around the clock and restarts any that are down; an e-mail is dispatched whenever a downed service is detected and restarted.
g) Install mod_security to give some protection against badly coded scripts. It can interfere with legitimate functions in your scripts, so watch its audit log and tune the rules rather than switching it off. If you want a tighter lock-down, enable PHP's safe_mode (note that safe_mode was deprecated in PHP 5.3 and removed in 5.4; on newer PHP, open_basedir and disable_functions from items o) and r) are the replacements). Also install mod_evasive with the following settings:
# Size of the hash table that tracks client/URI hits (the module rounds it up to a prime)
DOSHashTableSize 3097
# Block a client that requests the same page more than 9 times within 2 seconds
DOSPageCount 9
DOSPageInterval 2
# Block a client that makes more than 100 requests to the site within 2 seconds
DOSSiteCount 100
DOSSiteInterval 2
# Keep a blocked client on HTTP 403 for 900 seconds; the timer restarts on every request it makes while blocked
DOSBlockingPeriod 900
h) Secure the system configuration files /etc/host.conf and /etc/nsswitch.conf to prevent DNS lookup poisoning and to protect against spoofing: resolve from the local hosts file before DNS (order hosts,bind and nospoof on in host.conf; hosts: files dns in nsswitch.conf).
i) Harden the TCP/IP stack through /etc/sysctl.conf to protect against SYN-flood attacks (net.ipv4.tcp_syncookies = 1) and other network abuse such as ICMP redirects, source-routed packets and spoofed source addresses; load the new values with sysctl -p.
j) /tmp and /var/tmp must be secured to prevent the execution of malicious scripts dropped there: mount them noexec and nosuid (on cPanel, /scripts/securetmp sets this up). Keep in mind that noexec stops ./script but not php /tmp/script.php or sh /tmp/script.sh, so it raises the bar without removing the risk.
k) Install SPRI (System Priority), which renices processes according to their importance. Expect roughly a 5 to 20% decrease in the average load of your server.
l) Disable Mchat, Cgiecho, Cgiemail, Guestbook, Counter, FormMail and anonymous FTP access. These are the most commonly exploited scripts, because they sit in the same well-known location on every cPanel server in the world.
m) Disable Telnet, which sends data and passwords in clear text; use SSH instead, which works the same way. Harden SSH by restricting it to protocol version 2 (Protocol 2 in /etc/ssh/sshd_config); SSH will still function the same way, just more securely. Then harden it further as follows:
- Change the SSH port from the default 22. This mostly cuts the noise from automated scanners; it is obscurity, not a real control, so do not rely on it alone.
- Disable direct root login (PermitRootLogin no).
- Set up a regular user in the wheel group with a strong password; log in as that user and su to root when needed.
- Set an e-mail alert that fires whenever anyone logs in as root.
- Send that alert to an address that is not hosted on this server, so that a compromise of the server cannot suppress it.
n) Enable the Background Process Killer to kill any of the following, which are commonly recognised as bad processes: BitchX, bnc, eggdrop, generic-sniffers, guardservices, ircd, psyBNC, ptlink and related services.
o) Enable phpsuexec (so each PHP script runs as the user who owns it rather than as the web server user) and open_basedir protection (so a script can only read and write inside that user's directory tree).
p) Disable any antivirus on the VPS, including ClamAV, because it is very resource intensive. Bear in mind that this removes your only malware scan of uploaded files and mail, so it is a trade-off between load and coverage.
q) You can install MRTG on the server to track actual bandwidth usage, but it is also resource intensive.
r) Disable these PHP functions via disable_functions in php.ini: exec, shell_exec, system, passthru, popen, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate. Scripts that rely on any of them will stop working, so check before rolling this out.
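A worked example for item d), added here and not part of the original page or of BFD itself: a small Python detector that applies the same rule (more than 3 failed logins from one address within a rolling 10-minute window) to constructed sshd log lines and emits the apf -d command that BFD would run. Assumptions: the log lines, host name, addresses and year are invented for the example, the sliding-window logic is my own rather than BFD's, and apf is assumed to be on the PATH.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format; hostname and addresses invented for this example).
SAMPLE_AUTH_LOG = """\
Mar  3 09:00:00 web1 sshd[2006]: Failed password for root from 198.51.100.9 port 6000 ssh2
Mar  3 09:20:00 web1 sshd[2007]: Failed password for root from 198.51.100.9 port 6001 ssh2
Mar  3 09:40:00 web1 sshd[2008]: Failed password for root from 198.51.100.9 port 6002 ssh2
Mar  3 10:00:00 web1 sshd[2009]: Failed password for root from 198.51.100.9 port 6003 ssh2
Mar  3 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 4444 ssh2
Mar  3 10:02:10 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 4445 ssh2
Mar  3 10:04:30 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 4446 ssh2
Mar  3 10:05:00 web1 sshd[2004]: Failed password for root from 203.0.113.5 port 4447 ssh2
Mar  3 10:05:05 web1 sshd[2005]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2
"""

# Matches sshd's "Failed password" lines, including the "invalid user" variant.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def parse_syslog_time(ts, year=2024):
    """Syslog timestamps carry no year; the caller supplies one (2024 assumed here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(lines, threshold=3, window_seconds=600):
    """Return {ip: time_of_block} for every address with more than `threshold`
    failures inside any rolling window of `window_seconds` (BFD's 3-in-10-minutes rule)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue                 # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in blocked:
            continue                 # already on the deny list, nothing more to do
        now = parse_syslog_time(m.group("ts"))
        window = recent[ip]
        window.append(now)
        # Drop failures that have fallen out of the rolling window.
        while window and (now - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold:
            blocked[ip] = now
    return blocked


def apf_deny_commands(blocked):
    """Render the APF deny command BFD would run for each offender (apf assumed on PATH)."""
    return [f"apf -d {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    offenders = find_brute_forcers(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in offenders.items():
        print(f"{ip} blocked at {when:%H:%M:%S}")
    for cmd in apf_deny_commands(offenders):
        print(cmd)
```

A scanner that paces itself to 3 attempts per 10 minutes (198.51.100.9 above) never trips the rule, which is why item c) says rate limiting alone is not enough; lowering the threshold or lengthening the window catches it, at the cost of more false positives from users who mistype their password.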
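A worked example for the mod_evasive settings in item g), added here and not taken from the page or from mod_evasive's source: a simplified Python model of what DOSPageCount/DOSPageInterval, DOSSiteCount/DOSSiteInterval and DOSBlockingPeriod do, so you can see which request pattern trips each threshold before tuning the numbers. Assumptions: it counts hits in a fixed window that starts at the first hit of each key, whereas the real module measures the gap between consecutive hits and keeps its tables per Apache child; the addresses and URIs are invented.

```python
# The mod_evasive directives from item g), held in a dict for the simulation
# (in production they live in Apache's configuration, not in Python).
EVASIVE_SETTINGS = {
    "DOSPageCount": 9,         # same URI, per client, per DOSPageInterval
    "DOSPageInterval": 2,      # seconds
    "DOSSiteCount": 100,       # any URI, per client, per DOSSiteInterval
    "DOSSiteInterval": 2,      # seconds
    "DOSBlockingPeriod": 900,  # seconds of 403 once a threshold is exceeded
}


class EvasiveModel:
    """Simplified model of mod_evasive's per-client counters.

    Simplification (an assumption, not the module's exact code): each counter uses a
    fixed window that starts at the first hit of its key; the real module compares
    each hit with the previous one and keeps its tables per Apache child.
    """

    def __init__(self, settings=EVASIVE_SETTINGS):
        self.s = settings
        self.page_hits = {}      # (ip, uri) -> (window_start, count)
        self.site_hits = {}      # ip -> (window_start, count)
        self.blocked_until = {}  # ip -> time at which the block lapses

    def request(self, ip, uri, now):
        """Return the HTTP status a client would get: 200 allowed, 403 blocked."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            # Every request made while blocked restarts the blocking period.
            self.blocked_until[ip] = now + self.s["DOSBlockingPeriod"]
            return 403
        page_count = self._count(self.page_hits, (ip, uri), now, self.s["DOSPageInterval"])
        site_count = self._count(self.site_hits, ip, now, self.s["DOSSiteInterval"])
        if page_count > self.s["DOSPageCount"] or site_count > self.s["DOSSiteCount"]:
            self.blocked_until[ip] = now + self.s["DOSBlockingPeriod"]
            return 403
        return 200

    @staticmethod
    def _count(table, key, now, interval):
        """Increment the counter for `key`, resetting it once `interval` seconds have passed."""
        start, count = table.get(key, (now, 0))
        if now - start >= interval:
            start, count = now, 0
        count += 1
        table[key] = (start, count)
        return count


def replay(model, ip, requests):
    """Feed (time, uri) pairs from one client through the model; return the status codes."""
    return [model.request(ip, uri, t) for t, uri in requests]


if __name__ == "__main__":
    m = EvasiveModel()
    # Hammering one page: the 10th hit inside 2 seconds exceeds DOSPageCount=9.
    print(replay(m, "203.0.113.5", [(i * 0.1, "/index.php") for i in range(10)]))
    # Spreading the load over 101 different URIs trips DOSSiteCount=100 instead.
    m2 = EvasiveModel()
    print(replay(m2, "198.51.100.7", [(i * 0.01, f"/page{i}") for i in range(101)])[-2:])
```

DOSPageInterval 2 with DOSPageCount 9 lets a client fetch the same URI 9 times in 2 seconds; once blocked, the period restarts on every further request, so a bot that keeps hammering stays blocked for as long as it keeps trying. Pages that pull many sub-resources from the same origin (galleries, AJAX polling) can exceed DOSSiteCount legitimately, which is the usual source of false positives to check before tightening the numbers.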
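A worked example for items i) and r), added here and not from the original page: a Python audit that parses key = value lines (the format shared by sysctl.conf and php.ini), compares a constructed sysctl snapshot against a SYN-flood and anti-spoofing baseline, produces the lines to drop into /etc/sysctl.conf, and checks that php.ini's disable_functions covers every function from item r). Assumptions: the baseline values (for example tcp_max_syn_backlog = 2048 and tcp_synack_retries = 2) are my choice of commonly used settings, not the page's own list; the sample sysctl and php.ini excerpts are constructed.

```python
# Hardening baseline for item i) (commonly used values chosen for this example, not the page's own list).
SYSCTL_BASELINE = {
    "net.ipv4.tcp_syncookies": "1",                    # survive SYN floods once the backlog fills
    "net.ipv4.tcp_max_syn_backlog": "2048",            # larger half-open queue before cookies kick in
    "net.ipv4.tcp_synack_retries": "2",                # give up on unanswered SYN-ACKs sooner
    "net.ipv4.conf.all.rp_filter": "1",                # drop packets whose source is not routable back
    "net.ipv4.conf.all.accept_source_route": "0",      # ignore source-routed packets
    "net.ipv4.conf.all.accept_redirects": "0",         # ignore ICMP redirects (route hijacking)
    "net.ipv4.conf.all.send_redirects": "0",           # and never send them
    "net.ipv4.conf.all.log_martians": "1",             # log impossible source addresses
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",       # do not amplify smurf attacks
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
}

# Functions from item r), deduplicated (the page lists shell_exec twice).
PHP_DISABLE_FUNCTIONS = ["exec", "shell_exec", "system", "passthru", "popen", "proc_open",
                         "proc_close", "proc_get_status", "proc_nice", "proc_terminate"]

# Constructed `sysctl -a`-style snapshot of a host that has not been hardened yet.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
"""

# Constructed php.ini excerpt: only part of the item r) list has been applied.
SAMPLE_PHP_INI = """\
; php.ini excerpt (constructed)
disable_functions = "exec,shell_exec,system,passthru"
open_basedir = /home/:/tmp/
"""


def parse_kv(text):
    """Parse `key = value` lines; '#' and ';' start comments (sysctl.conf and php.ini conventions)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_sysctl(snapshot, baseline=SYSCTL_BASELINE):
    """Return (key, current_value_or_None, wanted_value) for every setting that deviates."""
    current = parse_kv(snapshot)
    return [(key, current.get(key), want)
            for key, want in baseline.items() if current.get(key) != want]


def sysctl_conf_lines(findings):
    """Lines to append to /etc/sysctl.conf (then run `sysctl -p`) to close the findings."""
    return [f"{key} = {want}" for key, _, want in findings]


def missing_disabled_functions(ini_text, required=PHP_DISABLE_FUNCTIONS):
    """Return the functions from item r) that disable_functions does not yet cover."""
    value = parse_kv(ini_text).get("disable_functions", "")
    present = {name.strip() for name in value.split(",") if name.strip()}
    return [name for name in required if name not in present]


if __name__ == "__main__":
    findings = audit_sysctl(SAMPLE_SYSCTL)
    for key, have, want in findings:
        print(f"{key}: is {have!r}, want {want}")
    print("\n".join(sysctl_conf_lines(findings)))
    print("still callable from PHP:", ", ".join(missing_disabled_functions(SAMPLE_PHP_INI)))
```

Treat the baseline as a starting point: tcp_max_syn_backlog and tcp_synack_retries trade memory and connection latency for flood resistance, so confirm them under real load. Note also that disable_functions only stops code inside PHP; it does not stop a compromised site from writing a binary to /tmp, which is what item j) is for.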