Make ispCP more Secure

Here you can find some settings to make your server more secure.
Absolutely no warranty, use it at your own risk.

1.) Disable the Apache ServerSignature, which reveals version information like this one:


 
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8

Put these lines in your httpd.conf (under Debian Etch they go in apache2.conf):

 
# Disable ServerInfo
ServerSignature Off
ServerTokens Prod

2.) Disable Debugging functions


The HTTP TRACE and TRACK methods echo a request back to the client. An attacker may use this flaw (cross-site tracing) to trick your legitimate web users into giving him their credentials. Add the following lines for each virtual host in your configuration file (/etc/apache2/ispcp/…) or directly in the template file (/etc/ispcp/apache/parts/custom.conf.tpl) to disable these debugging methods:

 
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

Reload the Apache configuration and check whether the rule is active. With the rule in place, Apache answers the TRACE request with 403 Forbidden instead of echoing it back; if you only get a redirect like the 301 in the sample below, repeat the test with the Host header of a protected virtual host:

 
# /etc/init.d/apache2 reload
# telnet yourdomain.com 80
Trying xxx.yyy.zzz.rrr...
Connected to yourdomain.com.
Escape character is '^]'.

 
TRACE / HTTP/1.0
Host: foo
A: b

 
HTTP/1.1 301 Moved Permanently
Date: ...
Server: Apache
Location: http://www.yourdomain.com/
Content-Length: ...
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.yourdomain.com/">here</a>.</p>
</body></html>
Connection closed by foreign host.

3.) Secure ProFTPD a little more


You can add a little more security to ProFTPD by editing its configuration file and adding:

 
DefaultRoot ~
IdentLookups off

You can also disable the FTP banner. It is displayed by default when someone connects to your server, like this:

 
Verbindung mit 62.75.xx.xx wurde hergestellt.
220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]
Benutzer (62.75.xx.xx:(none)):

Here you can see the ProFTPD version (1.3.0). To disable the banner, add the following line to proftpd.conf:

 
ServerIdent off

You can find more information about it here: http://proftpd.org/localsite/Userguide/linked/userguide.html

4.) Enable SSL in ProFTPD


For secure file transfers you can add SSL to your ProFTPD.

Create an SSL certificate (self-signed and valid for 365 days; -nodes leaves the private key unencrypted so the daemon can read it without a passphrase):

 
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl.crt -keyout /etc/proftpd/ssl.key

Open your proftpd.conf to enable SSL:

 
# vi /etc/proftpd/proftpd.conf

Uncomment the last lines so they look like this and set TLSEngine to on. ProFTPD does not accept comments at the end of a directive line, so keep them on their own lines:

 
#
# SSL via TLS
#
<IfModule mod_tls.c>
# on for use of TLS
TLSEngine on
# where to log to
TLSLog /var/log/proftpd/ftp_ssl.log
# SSLv23 or TLSv1
TLSProtocol SSLv23
# whether to request the client certificate or not
TLSOptions NoCertRequest
# SSL certfile
TLSRSACertificateFile /etc/proftpd/ssl.crt
# SSL keyfile
TLSRSACertificateKeyFile /etc/proftpd/ssl.key
# client verification
TLSVerifyClient off
</IfModule>

Restart proftpd for the change to take effect. Note that TLSProtocol SSLv23 also allows the old SSLv3 protocol; use TLSv1 instead if all your clients support it.

 
# /etc/init.d/proftpd restart

5.) Change the SMTP-Banner


If you want to change this Postfix SMTP banner:

 
Connected to your-domain.tld.
Escape character is '^]'.
220 your-domain.tld. ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA

Open /etc/postfix/main.cf and change the smtpd_banner setting to what you want. Postfix requires the banner to start with $myhostname, so change only the text after it:

 
smtpd_banner = $myhostname ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA

6.) Install & Configure fail2ban


Fail2ban automatically blocks an IP address after a number of failed logins.
It works with Apache, SSH, FTP and mail.

Install fail2ban with apt-get:

 
# apt-get install fail2ban

After the installation you can configure fail2ban with these two files under /etc/fail2ban/:

 
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf

Open your jail.conf to enable the jails for the services you want to protect:

 
# vi /etc/fail2ban/jail.conf

Now you can enable or disable the services you want to protect. By default SSH is enabled.

If you want to enable Apache, change:

 
#
# HTTP servers
#
[apache]
enabled = false
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6

to

 
#
# HTTP servers
#
[apache]
enabled = true
port = http
filter = apache-auth
logpath = /var/log/apache2/users/*access.log
maxretry = 6

For FTP (proftpd)

 
[proftpd]
enabled = false
port = ftp
filter = proftpd
logpath = /var/proftpd/proftp.log
maxretry = 6

change it to

 
[proftpd]
enabled = true
port = ftp
filter = proftpd
logpath = /var/log/auth.log
maxretry = 3

You can change the maximum number of retries before a ban with:

 
maxretry = X

If you want to change the ban time (the value is in seconds):

 
bantime = 600

Warning: fail2ban uses firewall rules to block the IP.
By default a ban is active for 10 minutes; after this time the IP is unblocked automatically. Add your own address to the ignoreip setting in jail.conf so that your own mistyped passwords cannot lock you out.

The fail2ban log is at:

 
/var/log/fail2ban.log
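To see what the maxretry and ban time settings above do before you enable a jail, here is an added example (not code from this page or from fail2ban) that replays the rule "maxretry failures from one address inside the findtime window" over a few constructed auth.log lines with awk; the hosts, addresses and timestamps are made up, and the 600 second window (fail2ban's findtime) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the ispCP wiki: replay fail2ban's rule
# "maxretry failures from one IP inside findtime seconds => ban" over a
# few constructed /var/log/auth.log style lines, so you can see which
# addresses a jail would ban before you enable it.
# All hosts, addresses and timestamps below are made up.

SAMPLE_LOG='Jun 25 09:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 4100 ssh2
Jun 25 09:01:10 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 4101 ssh2
Jun 25 09:02:30 host sshd[1003]: Failed password for root from 198.51.100.7 port 4102 ssh2
Jun 25 09:03:00 host sshd[1004]: Accepted publickey for alice from 203.0.113.5 port 5000 ssh2
Jun 25 09:05:00 host sshd[1005]: Failed password for root from 203.0.113.5 port 5001 ssh2
Jun 25 09:30:00 host sshd[1006]: Failed password for root from 203.0.113.5 port 5002 ssh2
Jun 25 09:40:00 host sshd[1007]: Failed password for root from 203.0.113.5 port 5003 ssh2'

# would_ban MAXRETRY FINDTIME: read syslog lines on stdin and print each
# address, once, at the moment it reaches MAXRETRY failed logins within
# a sliding FINDTIME window. Assumes all lines are from the same day.
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")                      # HH:MM:SS -> seconds since midnight
            now = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n = ++count[ip]; seen[ip, n] = now     # remember this failure
            hits = 0
            for (j = 1; j <= n; j++) if (seen[ip, j] >= now - findtime) hits++
            if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# maxretry = 3 as in the proftpd jail above; a 600 second window is assumed.
# Only 198.51.100.7 reaches three failures inside the window.
printf '%s\n' "$SAMPLE_LOG" | would_ban 3 600
```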

7.) SSL for Mailservice (Courier)


First we need to install the Courier SSL packages:

 
# apt-get install courier-imap-ssl courier-pop-ssl

A default certificate is created during the installation, so we need to replace it.

Open /etc/courier/imapd.cnf:

 
# vi /etc/courier/imapd.cnf

and change the attributes to your needs, then do the same with /etc/courier/pop3d.cnf:

 
# vi /etc/courier/pop3d.cnf

After these changes, back up the old certificates before generating new ones:

 
# cd /etc/courier/ && mv pop3d.pem pop3d.pem.orig && mv imapd.pem imapd.pem.orig

Now we can generate the new ones:

 
# dpkg-reconfigure courier-pop-ssl && dpkg-reconfigure courier-imap-ssl

Done - your mail service is now ready for SSL.
Change your client to use POP3-SSL on port 995 and IMAP-SSL on port 993. The new certificates are self-signed, so mail clients will ask whether to trust them on the first connection.

8.) Make SSH safer

Every script kiddie checks your server for an open port 22 and tries to log in with the root account.
We will move SSH to another port and disable root login via ssh.

First we need a normal user account on the system to log in with later. If one already exists, skip to the next step; if not, create it:

 
# adduser new_username

Open your sshd_config to change the settings:

 
# vi /etc/ssh/sshd_config

Change the Port from

 
Port 22

to

 
Port 222

Change this line:

 
PermitRootLogin yes

to

 
PermitRootLogin no

Restart the SSH server:

 
# /etc/init.d/ssh restart

Connect again to your server on port 222 with your new username (keep the old session open until this works, so that a typo in sshd_config cannot lock you out), then close the old connection.
To become root, simply run:

 
# su

9.) Prevent DOS-Attacks


To prevent simple Denial-of-Service attacks you can use the mod_evasive module. Download the current version from http://www.zdziarski.com/projects/mod_evasive/ and unpack it. Make sure that apache2-prefork-dev is installed:

 
# apt-get install apache2-prefork-dev
# wget http://www.zdziarski.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
# tar -xzf mod_evasive_1.10.1.tar.gz
# cd mod_evasive

Build and install it with the Apache extension tool (apxs):

 
# apxs2 -i -a -c mod_evasive20.c

This compiles the module, installs it and, because of -a, adds a LoadModule line to your Apache configuration.

Optionally you can tune the module with some directives in your /etc/apache2/apache2.conf file. Add the following lines and change them to your needs:

 
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>

ATTENTION: This configuration may produce "403 Forbidden" errors on regular sites (for example TYPO3, Gallery, …), because these low thresholds are reached by normal browsing; raise DOSPageCount and DOSSiteCount if that happens.

You can also add the following directives:

 
DOSEmailNotify you@yourdomain.com
DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"
DOSLogDir "/var/lock/mod_evasive"

Finally, restart Apache to load the module:

 
# sudo /etc/init.d/apache2 restart

10.) Securing an open DNS server (BIND 9)

After a clean install of a Debian server, dnsstuff.com reports the server as an open DNS server (anyone can use it to resolve any domain, which means high load and high traffic). Two steps fix this problem:

a. First edit /etc/bind/named.conf.options (on other distributions the options section of /etc/named/named.conf) and add the lines below. Keep in mind that recursion no; also stops the server from resolving external names for itself: if /etc/resolv.conf points at 127.0.0.1, either point it to another resolver or use allow-recursion { localhost; }; instead.

 
recursion no;
transfer-format many-answers; // speeds up zone transfers to a secondary DNS

b. Next we need to modify the template ispCP uses to generate the zone files; on Debian this is /etc/ispcp/bind/parts/cfg_entry.tpl. After the modification the file should look like this:

 
zone "{DMN_NAME}" {
type master;
file "{DB_DIR}/{DMN_NAME}.db";
notify YES;
allow-query {
any;
};
};

Restart BIND:

 
/etc/init.d/bind9 restart

Now you're all done.
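As a final check, the following added shell script (not part of this page or of ispCP) looks for the settings that sections 1, 3, 8 and 10 ask for in the Debian Etch configuration files named above; the file paths are the page's, while the variable names and the has_setting and audit functions are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ispCP wiki page: re-check the settings
# the sections above ask for (Apache banner, ProFTPD banner and chroot,
# SSH root login, BIND recursion), e.g. after an ispCP update rewrote a
# configuration file. The paths are the Debian Etch ones named on the
# page; override them by setting the variables before calling audit.

APACHE_CONF="${APACHE_CONF:-/etc/apache2/apache2.conf}"
PROFTPD_CONF="${PROFTPD_CONF:-/etc/proftpd/proftpd.conf}"
SSHD_CONF="${SSHD_CONF:-/etc/ssh/sshd_config}"
BIND_OPTS="${BIND_OPTS:-/etc/bind/named.conf.options}"

# has_setting FILE KEY VALUE: true when FILE contains an active line
# "KEY VALUE" (case-insensitive, any spacing, optional trailing ';' and
# '#' or '//' comment). A commented-out "#ServerSignature Off" does not count.
has_setting() {
    [ -r "$1" ] || return 1
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*;?[[:space:]]*(#.*|//.*)?$" "$1"
}

# audit: print one FAIL line per missing setting; return 1 if any is missing.
audit() {
    rc=0
    while read -r file key value; do
        if ! has_setting "$file" "$key" "$value"; then
            echo "FAIL: $file lacks '$key $value'"
            rc=1
        fi
    done <<EOF
$APACHE_CONF ServerSignature Off
$APACHE_CONF ServerTokens Prod
$PROFTPD_CONF ServerIdent off
$PROFTPD_CONF DefaultRoot ~
$SSHD_CONF PermitRootLogin no
$BIND_OPTS recursion no
EOF
    return $rc
}

# Run the audit when this file is executed with --run (sh audit.sh --run).
if [ "${1:-}" = "--run" ]; then
    audit && echo "OK: all settings present"
fi
```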

howto/security/make_ispcp_more_secure.txt · Last modified: 2008/06/25 09:32 (external edit)