

Is my VPS secure enough?




Posted by mystycs, 03-04-2010, 04:43 PM
Here is what I have done to secure my VPS, but is there anything else I should do?
- Installed rootkit checkers: chkrootkit and rkhunter, both run 1x a day.
- Changed ssh port.
- Installed BFD (Brute Force Detection).
- Installed CSF firewall.
- Disabled root login.
- Secured /TMP.
- Installed LES (Linux Environment Security), LSM (Linux Socket Monitor), and OSSEC.
That is all I have done so far. Is there anything else I should do? Or is this good enough?

Posted by SC-Daniel, 03-04-2010, 04:51 PM
Force the use of SSH keys instead of passwords and use IPTables to deny access to your SSH port from all IPs except yours.

Posted by mystycs, 03-04-2010, 04:52 PM
Ah yes, I forgot to mention iptables. But yeah, the SSH keys I should do.

Posted by QuickWeb-Roel, 03-04-2010, 05:26 PM
Also, if you have a static IP at home, you could limit SSH access to only that specific IP. Also make sure you always update or patch your system regularly, then you should be all good.

Posted by bentink, 03-04-2010, 07:02 PM
"Installed LES (Linux Environment Security), LSM (Linux Socket Monitor), and OSSEC."
These interfere a lot with the normal working of many servers.

Posted by maroonhost, 03-04-2010, 07:21 PM
What do you mean by? A hacker will find a way in if he/she wants. This software by itself will not be efficient if you are not behind it, monitoring the server. Thank you.

Posted by Calypso747, 03-05-2010, 12:19 AM
Not enough. In general, rootkit hunters are just post-attack tools, no reason to use them. CSF firewall is a good choice and already contains a brute-force detector. Uninstall BFD, this is just an inefficient cron job that cannot prevent usually very fast brute-force attacks.

The real things you should do:
==============================
- SELinux in enforce mode (tagged or strict)
- tune up your SELinux config, especially close all open holes with setsebool; do not forget to change the SELinux ssh port with semanage port -a -t ssh_port_t -p tcp yourport
- tune up your CSF
- make sure important modules for CSF are loaded (lsmod)
- tune up PAM
- tune up partitions in /etc/fstab
- tune up /etc/rsyslog.conf (add kernel, daemon, iptables monitoring, consider remote logging)
- set appropriate limits in /etc/security/limits.conf
- tune up /etc/sysctl.conf (block forwarding, redirects, ICMP, ipv6...)
- tune up /etc/sysconfig/network, especially disable ipv6 as CSF is not able to protect your box against ipv6 attacks. Use NETWORKING_IPV6=no, IPV6INIT=no, NOZEROCONF=yes
- remove rubbish like wireless modules, irda, usb, firewire. If you cannot do that, make sure these modules are not loaded: echo "install ipv6 /bin/true" > /etc/modprobe.d/no-ipv6; echo "install usb-storage /bin/true" > /etc/modprobe.d/no-usb; echo "install firewire-ohci /bin/true" > /etc/modprobe.d/no-firewire
- tune up /etc/shells, restrict just to /bin/sh and /bin/bash
- tune up your audit rules in /etc/audit/audit.rules, especially monitor syscalls (-a exit,always -S open -S openat -F exit=-EPERM)
- remove rubbish users from /etc/passwd, especially operator, gopher, news, lp, uucp, games, ftp, sync
- remove rubbish groups like news, lp, uucp, audio...
- set shells for all system accounts except root, halt and shutdown to /dev/null
- install ntp but do not use it as a daemon (dangerous!), rather set up a cron job for /usr/sbin/ntpdate
- use sha512 passwords (authconfig --passalgo=sha512 --update)
- set appropriate permissions for important directories, check whether SUID is needed
- install Samhain for system monitoring (CSF does it partly, might be enough for you)

There are a lot more security settings depending on your VPS purpose.
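
Added example (not part of Calypso747's post or of any tool named in this thread): a small audit of the account and shell items in the checklist above, run against copies of /etc/passwd and /etc/shells. It assumes "system account" means UID 499 or lower; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the account items from the checklist above.
# Assumption: "system account" means UID <= 499 (override SYS_UID_MAX).
SYS_UID_MAX="${SYS_UID_MAX:-499}"
UNWANTED_USERS="operator gopher news lp uucp games ftp sync"

# audit_passwd FILE: print one finding per line.
#   REMOVE <user>         account is on the unwanted list
#   SHELL <user> <shell>  system account whose shell is not /dev/null
audit_passwd() {
    awk -F: -v max="$SYS_UID_MAX" -v unwanted="$UNWANTED_USERS" '
        BEGIN { n = split(unwanted, u, " "); for (i = 1; i <= n; i++) drop[u[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        ($1 in drop) { print "REMOVE", $1; next }
        $1 == "root" || $1 == "halt" || $1 == "shutdown" { next }
        $3 + 0 <= max && $7 != "/dev/null" { print "SHELL", $1, ($7 == "" ? "(empty)" : $7) }
    ' "$1"
}

# audit_shells FILE: print every entry other than /bin/sh and /bin/bash.
audit_shells() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         $1 != "/bin/sh" && $1 != "/bin/bash" { print $1 }' "$1"
}

# Constructed sample data, not taken from a real host.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
halt:x:7:0:halt:/sbin:/sbin/halt
games:x:12:100:games:/usr/games:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/dev/null
alice:x:500:500::/home/alice:/bin/bash
EOF
}

sample_shells() {
    printf '%s\n' /bin/sh /bin/bash /bin/tcsh /sbin/nologin
}

# Demo run on the constructed samples; on a real host pass /etc/passwd and /etc/shells.
tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"
sample_shells > "$tmp/shells"
audit_passwd "$tmp/passwd"
audit_shells "$tmp/shells"
rm -rf "$tmp"
```

The script only reports; it changes nothing, so each finding can be reviewed before an account or shell is removed.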

Posted by Cape Dave, 03-05-2010, 12:31 AM
Maybe you should go into business. It is not easy to get a real handle on security. Seems like you know your stuff. Dave

Posted by troboy, 03-05-2010, 04:23 AM
I am also here for the same thing. Where can I get an expert who can do all these things?

Posted by bentink, 03-05-2010, 04:30 AM
It would interfere with many control panels!

Posted by Hostwaresupport, 03-05-2010, 04:38 AM
You can find any Server Management company listed on the page given below in order to secure your server properly. http://www.webhostingtalk.com/wiki/C...ver_management

Posted by Calypso747, 03-05-2010, 05:30 AM
Installing a control panel on a VPS box is like sending personal scented invitations to the hacker community. Disabling SELinux just because your control panel producer is lazy/not able to create SELinux policies is one of the worst practices. There is no compromise between security and comfort. You either want to have a more secure box or a more comfortable one, but you cannot have both.

Posted by Cape Dave, 03-05-2010, 05:36 AM
Yeah, but I want my cPanel and I want it secure, and that is that.

Posted by Calypso747, 03-05-2010, 06:04 AM
You cannot secure cPanel on a VPS due to its internal design; you need an RBAC system. The best solution for cPanel I know is a dedicated server with a grsecurity 2.0 hardened kernel (including PaX) and precisely tuned up roles and policies.

Posted by jmjosebest, 03-05-2010, 09:54 AM
To use iptables in OpenVZ you need to add this line in /etc/vz/vz.conf:
IPTABLES="ipt_REJECT ipt_recent ipt_owner ipt_REDIRECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"

Posted by Nnyan, 03-05-2010, 01:16 PM
Which brings me to ask: is there any panel that is more secure than cPanel? Or at least something that you CAN secure with some work?

Posted by JamesGT, 03-05-2010, 03:15 PM
What if your IP changes?

Posted by SC-Daniel, 03-05-2010, 03:19 PM
DynDNS if you have a dynamic IP... Works better for those of us with static IPs. Of course, you could always set up an OpenVPN "management" server.

Posted by metalgenix, 03-05-2010, 10:20 PM
Nice thread, thanks for sharing. I need this.

Posted by cloudvps, 03-08-2010, 07:38 AM
A lot of networking tools were mentioned here. But how about data integrity? In my opinion this is a very important point. See http://www.redhat.com/docs/manuals/l...-tripwire.html for more details.

Posted by Calypso747, 03-09-2010, 09:48 PM
I have mentioned Samhain as one of the best data integrity solutions available. Please note that security is a process rather than a point guide. Every what-to-do list published is incomplete.

Posted by MattS, 03-09-2010, 10:35 PM
Get rid of the iptable_nat and ip_nat_ftp - these will make your cPanel license invalid as they route your VPS over the main IP address.


