====== Make ispCP more Secure ======


Here you can find some stuff to make your Server more Secure.\\
Absolutely no warranty, use it at your own risk.\\

===== 1.) Disable the Apache ServerSignature like this one =====
\\

<cli>
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8
</cli>

Put only these lines in your httpd.conf
(Under Debian Etch you have to put this in your apache2.conf)

<cli>
# Disable ServerInfo
ServerSignature Off
ServerTokens Prod
</cli>

===== 2.) Disable Debugging functions =====
\\
An attacker may use this flaw to trick your legitimate web users to give
him their credentials. Add the following lines for each virtual host in your configuration file (/etc/apache2/ispcp/...) or directly in the template file (/etc/ispcp/apache/parts/custom.conf.tpl) to disable the Debugging

<cli>
<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</IfModule>
</cli>

Reload the Apache configuration and check if your configuration is active:

<cli>
# /etc/init.d/apache2 reload
# telnet yourdomain.com 80
Trying xxx.yyy.zzz.rrr...
Connected to yourdomain.com.
Escape character is '^]'.
</cli>
<cli>
TRACE / HTTP/1.0
Host: foo
A: b

</cli>
<cli>
HTTP/1.1 301 Moved Permanently
Date: ...
Server: Apache
Location: http://www.yourdomain.com/
Content-Length: ...
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.yourdomain.com/">here</a>.</p>
</body></html>
Connection closed by foreign host.
</cli>

===== 3.) Secure Proftpd a little more =====
\\
You can add a little more security to Proftp by editing it's configuration file and adding:

<cli>
DefaultRoot ~
IdentLookups off
</cli>
You can also disable displaying of ftp banner.It's displayed by default when someone connects to Your server like this:

<cli>
Verbindung mit 62.75.xx.xx wurde hergestellt.
220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]
Benutzer (62.75.xx.xx:(none)):
</cli>

Here can you see the ProFTPD Version -> 1.3.0
To Disable the Banner add, the following line to the proftpd.conf:

<cli>
ServerIdent                    off
</cli>

You can find more information about it here: http://proftpd.org/localsite/Userguide/linked/userguide.html

===== 4.) Enable SSL in ProFTPD =====
\\
For a secure File Transfer you can add SSL to your ProFTPD

Create a SSL Certificate:

<cli>
openssl req -new -x509 -days 365 -nodes  -out /etc/proftpd/ssl.crt -keyout /etc/proftpd/ssl.key
</cli>

Open your proftpd.conf to enable SSL

<cli>
# vi /etc/proftpd/proftpd.conf
</cli>
enable the last lines like this and set TLSEngine 'on'
<cli>
#
# SSL via TLS
#
<IfModule mod_tls.c>
  TLSEngine                             on                                      # on for use of TLS
  TLSLog                                /var/log/proftpd/ftp_ssl.log            # where to log to
  TLSProtocol                           SSLv23                                  # SSLv23 or TLSv1
  TLSOptions                            NoCertRequest                           # either to request the certificate or not
  TLSRSACertificateFile                 /etc/proftpd/ssl.crt                    # SSL certfile
  TLSRSACertificateKeyFile              /etc/proftpd/ssl.key                    # SSL keyfile
  TLSVerifyClient                       off                                     # client verification
</IfModule>

</cli>

Restart proftpd to bring the effect:

<cli>
# /etc/init.d/proftpd restart
</cli>
===== 5.) Change the SMTP-Banner =====
\\
If you want to change this Postfix SMTP-Banner: 

<cli>
Connected to your-domain.tld.
Escape character is '^]'.
220 your-domain.tld. ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
</cli>

Open your "/etc/postfix/main.cf" and change the SMTP-Banner here
to what you want

<cli>
smtpd_banner = $myhostname ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
</cli>

===== 6. Install & Configure fail2ban =====




\\
Fail2Ban automatic blocks an IP-Address after some failed Logins.\\
It works with Apache,SSH,FTP and Mail.

Install fail2ban per apt-get

<cli>
# apt-get install fail2ban
</cli>

After the installation you can configure fail2ban with these two configs under /etc/fail2ban/

<cli>
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf
</cli>

Open your jail.conf to enable the blocks for some Services.

<cli>
# vi /etc/fail2ban/jail.conf
</cli>

Now you can enable or disable the Services you want to protect.
By default SSH is enabled.

If you want to enable Apache,\\
change:

<cli>
#
# HTTP servers
#

[apache]

enabled = false
port    = http
filter  = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6
</cli>

to

<cli>
#
# HTTP servers
#

[apache]

enabled = true
port    = http
filter  = apache-auth
logpath = /var/log/apache2/users/*access.log
maxretry = 6
</cli>

For FTP (proftpd)

<cli>
[proftpd]

enabled  = false
port     = ftp
filter   = proftpd
logpath  = /var/proftpd/proftp.log
maxretry = 6
</cli>

change it to

<cli>
[proftpd]

enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/auth.log
maxretry = 3
</cli>

**Important Note:** 

On debian lenny, the /var/log/auth.log contains extra spaces at the end of the line. Due to this, fail2ban cannot detect these lines. You have to modify the failregex to get it working. Details can be found here: [[http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507986|Debian BugTracker]]

You can change the maximal retry´s before ban with
<cli>
maxretry = X
</cli>

If you want to change the bantime,

<cli>
bantime  = 600 (is set in seconds)
</cli>


Warning: fail2ban use Firewall ruls to block the IP.\\
A ban is per default for 10 minutes active. After this time the IP is unblocked automatically.

The fail2ban Log is under
<cli>
/var/log/fail2ban.log
</cli>

===== 7.) SSL for Mailservice (Courier) =====
\\

First we need to install the courier-ssl packages.

<cli>
# apt-get install courier-imap-ssl courier-pop-ssl
</cli>

A default Certificate will be created during the installation.
So we need to change them.

Open the /etc/courier/imapd.cnf
<cli>
# vi /etc/courier/imapd.cnf
</cli>
and change the attributes to your needs.\\
And then the same with /etc/courier/pop3d.cnf
<cli>
# vi /etc/courier/pop3d.cnf 
</cli>

After these changes, first backup the old Certificate before
we generate some new.

<cli>
# cd /etc/courier/ && mv pop3d.pem pop3d.pem.orig && mv imapd.pem imapd.pem.orig
</cli>

Now we can generate the new one:

<cli>
# dpkg-reconfigure courier-pop-ssl && dpkg-reconfigure courier-imap-ssl
</cli>

Done - your Mailservice is now ready for SSL.\\
Change your Client to use POP3-SSL on port 995 and IMAP-SSL on port 993

===== 8.) Make SSH safer =====


Every Scriptkiddy checks your Server for a open Port 22 and test to login with the root account.\\
We will change these things to the good with an other Port and disable the root login via ssh.

First we need a user on the system for a later login.
If there is already one, jump over to the next step.
If not, create it:
<cli>
# adduser new_username
</cli>

Open your sshd_config to change the settings:
<cli>
# vi /etc/ssh/sshd_config
</cli>

Change the Port from
<cli>
Port 22
</cli>
to
<cli>
Port 222
</cli>

Change this line:
<cli>
PermitRootLogin yes
</cli>
to
<cli>
PermitRootLogin no
</cli>
Restart the SSH-Server
<cli>
# /etc/init.d/ssh restart
</cli>

Close your connection and connect again to your Server on Port 222 with your new Username. \\
To become root, only do a:
<cli>
# su
</cli>

===== 9.) Prevent DOS-Attacks =====
\\
To prevent simple Denial-of-Service attacks you can use the mod_evasive module. Download the actual version from http://www.zdziarski.com/projects/mod_evasive/ and unpack it. Make sure, that apache2-dev is installed.
 
<cli>
# apt-get install apache2-dev build-essential
# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
or
# wget http://www.leetupload.com/dbindex2/index.php?dir=Linux/&file=mod_evasive_1.10.1.tar.gz
# tar -xzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
</cli>

Install it with Apache Extensions Module (apxs).
<cli>
#  apxs2 -i -a -c mod_evasive20.c
</cli>
The module will be built and installed into your httpd.conf.

Optionally you can change some specific directives in your /etc/apache2/apache2.conf file. Just add the following lines and change them to your needs.
<cli>
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>
</cli>
ATTENTION: This config may produce "403 Forbidden" Errors on regular sites (to example: typo3, gallery,...)


You can also add the following directives:
<cli>
    DOSEmailNotify      you@yourdomain.com
    DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    DOSLogDir           "/var/lock/mod_evasive"
</cli>

If you dont create and chmod /var/log/evasive you have this error:
<cli>
mx mod_evasive[32318]: Couldn't open logfile /var/log/evasive//dos-1.2.3.4: No such file or directory
</cli>


Create the evasive log directory:
<cli>
mkdir /var/log/evasive
</cli>

Chmod this directory
<cli>
chown www-data:www-data /var/log/evasive
</cli>

After all, just restart your Apache to load the module.
<cli>
# sudo /etc/init.d/apache2 restart
</cli>

===== 10.) Securing Open DNS server (BIND 9) =====

After a clean install of a Debian server, dnsstuff.com reports the server as an open dns server(anyone can query the server about any domain => high load and high transfer). 2 steps for fixing this problem:

a. first edit /etc/bind/named.conf.options (or /etc/named/named.conf for other distros, options paragraph) and add:

<cli>
allow-recursion { localnets; }; //only act as resolver for itself.
transfer-format many-answers; //this is for speed up the transfer to a secondary dns.
</cli>
b. we need to modify the template used by ISPCP to generate to zone files, on Debian this is /etc/ispcp/bind/parts/cfg_entry.tpl. The file after modification should looks like:

<cli>
zone "{DMN_NAME}" {
        type    master;
        file    "{DB_DIR}/{DMN_NAME}.db";
        notify  YES;
        allow-query {
                any;
        };
};
</cli>

Restart BIND:

<cli>
/etc/init.d/bind9 restart
</cli>
Now You're all done.