
Comments
My script basically does this, and a lot more to secure servers, but only CentOS-based at the moment. Considering making it for Ubuntu/Debian.
http://lowendtalk.com/discussion/20033/script-autosecure-for-cpanel-auto-harden-cpanel
I do the same on my home server (white list a few IP addresses or a range), but my VPS runs CSF with SSH open to everyone.
One thing I would recommend is using the AllowUsers directive when configuring sshd. Stops logging in as root dead in its tracks even if you have PermitRootLogin set to yes and root isn't set in AllowUsers.
Why no CSF? CSF is one of the best firewalls I have ever used...
I use it, love the country blocking, directory watch and the connection tracking.
I have selected DenyHosts as this app can share random attack data. You will automatically block all known botnets, etc.
I have no preference between DenyHosts and fail2ban.
Both are doing the job great.
As for a higher port, it is enough to move SSH to anything other than port 22.
It will harden things up.
Remember that this is only a basic tutorial, and I am inviting everyone to extend it.
I use some additional measures:
1st: Allow access only to your country (can be changed to GeoIP city)
http://ts1-en.blogspot.com/2009/06/ssh-access-control-with-geoip.html
2nd: Email when someone logs in through SSH: http://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful
3rd: Email when the VPS starts/reboots
http://thepoch.com/tumblr/be-emailed-when-your-linux-server-starts-up-or-shuts.html
Note: for Debian you must change the headers to:
TIL there's a $SSH_CONNECTION variable in bash.
https://library.linode.com/securing-your-server
I just disable password login & enforce fail2ban most of the time
CSF can do #1 and #2. You'd need to do #3 manually, or set up uptime monitoring if you want real metrics on the server.
Not everyone uses CSF ...
1. I think CSF blocks all ports. With hosts.deny/hosts.allow you can block by service.
2. I think LFD is the one that sends email. I don't use LFD.
100% ssh security
/etc/init.d/dropbear stop
how to start ssh
reboot server
also
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
Drop incoming connections if an IP makes more than 10 connection attempts to port 80 within 100 seconds (add the rules to your iptables shell script):
IPT=/sbin/iptables
# Max connection window in seconds (named BLOCKSECONDS rather than SECONDS, because SECONDS is a bash builtin counter)
BLOCKSECONDS=100
# Max connections per IP within that window
BLOCKCOUNT=10
# ....
# ..
# default action can be DROP or REJECT
DACTION="DROP"
# Both rules use -I, so the second one lands above the first: the hitcount check runs before the --set
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${BLOCKSECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
----------Lighttpd: Limit All Connections
server.kbytes-per-second=1024
----------Set limit to 64 kbyte/s for each single connection per IP:
connection.kbytes-per-second=64
I can understand dropping traffic after a certain number of hits, but what purpose does it serve to remove all permissions from cc and gcc?
To disable the compiler.
For what? Why not generate keys & allow only your country?
AFAIK - If someone has access to a user, they can generally bring along their own packaged compiler and use the existing libraries on the system
It's kinda pointless.
You need port knocking http://www.portknocking.org/
and fail2ban.
Agree, it's kinda pointless.
Fail2ban uses like 3MB on my VPS. It's worth it.
I imagine sshguard uses <1MB of RAM since it is coded in C. But it does not allow you to specify custom "attack signatures" i.e. custom regex patterns. You can do that with fail2ban.
Install apticron and unattended-upgrades. The former tells you when new updates are available and the latter does the upgrades automatically:
apt-get install apticron unattended-upgrades
Well, I will put all those together and make a tutorial on how to build a bulletproof, unbreakable fortress of your LEB.
Just want to add my $.02. I posted this in an older thread.
I wrote a script to check that IPTables is running with the correct rules every 5 minutes. It has the following components:
1. Somewhere in your IPTables rules, add this:
-A INPUT -m comment --comment "CHECKME"
OR
-A INPUT -m recent --set --name CHECKME
2. Create a script /root/check_iptables.sh
3. Create a cron job /etc/cron.d/check_iptables
4. Create a script /root/iptablesload.sh
5. Install Monit (e.g. apt-get install monit, yum install monit), and modify its config file. Here's part of my /etc/monit/monitrc for your reference. This is for Ubuntu. More Monit examples are here: http://mmonit.com/wiki/Monit/ConfigurationExamples
set daemon 120 # check services at 2-minute intervals
with start delay 360 # optional: delay the first check by 6 minutes
set logfile /var/log/monit.log
set idfile /var/lib/monit/id
set statefile /var/lib/monit/state
# Be sure to configure your VPS to be able to send emails (127.0.0.1:25)
# Or you can specify another mailserver. Please refer to:
# http://mmonit.com/monit/documentation/monit.html#setting_a_mail_server_for_alert_messages
set mailserver localhost
set eventqueue
basedir /var/lib/monit/events # set the base directory where events will be stored
slots 1000 # optionally limit the queue size
set alert YOUR_EMAIL_ADDRESS_HERE but not on { action, instance, uid, pid, ppid }
set httpd port 2812 and
use address localhost # only accept connection from localhost
allow localhost # allow localhost to connect to the server and
allow admin:password # require user 'admin' with password 'password'
... More rules here ...
# This is the relevant rule!
check file iptables-ts with path /var/run/ipt_timestamp
if timestamp > 6 minutes then exec "/root/iptablesload.sh"
if timestamp > 6 minutes for 2 cycles then alert
And you are done.
For more IPTables security tips, check out my tech blog article. You can ignore the Asterisk section.
https://blog.ls20.com/securing-your-asterisk-voip-server-with-iptables/
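A possible /root/check_iptables.sh for steps 2 and 3 of the post above (an added example, not the poster's own script): it dumps the live ruleset with iptables-save, looks for the CHECKME marker rule from step 1, and refreshes /var/run/ipt_timestamp only while the marker is present, so a flushed firewall lets the stamp age past Monit's 6-minute limit and triggers the exec and alert in the monitrc. Assumed: the stamp path and marker name match the monitrc, and the cron entry shown in the comment runs the script every 5 minutes as root.

```shell
#!/bin/sh
# Added example of /root/check_iptables.sh (not the poster's script).
# Assumed cron line in /etc/cron.d/check_iptables:
#   */5 * * * * root /root/check_iptables.sh
MARKER="${MARKER:-CHECKME}"               # marker from the step-1 rule
STAMP="${STAMP:-/var/run/ipt_timestamp}"  # path Monit's "check file" watches

# Succeeds when the ruleset text on stdin still contains the marker rule,
# in either form from step 1: -m comment --comment "CHECKME" (the quotes
# are optional, iptables-save versions differ) or -m recent --name CHECKME.
# The trailing ( |$) keeps a longer name such as CHECKME2 from matching.
ruleset_has_marker() {
    grep -qE -e "--comment \"?$MARKER\"?( |\$)" -e "--name $MARKER( |\$)"
}

# Dumps the live ruleset; if iptables-save itself fails (no binary, no
# module) grep sees empty input and the check fails, i.e. "rules not loaded".
live_rules_loaded() {
    iptables-save 2>/dev/null | ruleset_has_marker
}

# Refresh the stamp only while the marker rule is present. If the rules were
# flushed, the stamp is left to age and Monit runs /root/iptablesload.sh.
main() {
    if live_rules_loaded; then
        touch "$STAMP"
    else
        logger -t check_iptables "marker rule $MARKER missing; stamp not refreshed"
        return 1
    fi
}

# Run only when executed as the script itself, not when sourced.
case "$0" in check_iptables.sh|*/check_iptables.sh) main ;; esac
```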
The best is, the SSH login message also works when a provider enters your container. That would look like this:

So you can tell them to get the fuck out of my container.
Some hosts do this (I would go away if I were you).
BTW I used: http://www.crucialp.com/resources/tutorials/secure-server-securing/email-alert-root-ssh-login-e-mail.php with postfix and mailutils.