Securing a server

35 replies to this topic

#1 Stian S (Very Large Orange, Members, 467 posts)

Posted 03 September 2005 - 06:05 PM

I'm working on securing my VPS as much as possible. This is what I've done so far (note that I'm running all of the sites, so I don't have to be secured against 'customers' with access to the server who might run old copies of phpBB etc):
  • All PHP software running the latest versions
  • Disabled PHP register_globals
  • Using a 20 char root password
  • Only jail-shell for normal users
  • Installed chkrootkit
  • Done most of the things mentioned here.
I'm also thinking about doing this:
  • Disabling direct root access (ssh & ftp)
  • Compile apache/php with mod_security
  • Disabling php functions like "system", "passthru", "exec", "escapeshellcmd", "popen", and "pcntl_exec"
  • Install a firewall (any suggestions?)
  • Install Brute Force Monitor
I'm also reading this great website on securing servers, http://www.eth0.us.

Comments? What would you do to secure your server? Is a default cPanel server secure enough?

#2 MacManX (Huge Orange, Members, 1,064 posts)

Posted 03 September 2005 - 06:14 PM

I am pretty sure that all ASO servers are protected by mod_security and that The Planet (ASO's data center) has already installed hardware firewalls.  You may want to check with technical support about that.

#3 Stian S (Very Large Orange, Members, 467 posts)

Posted 03 September 2005 - 06:42 PM

QUOTE(MacManX @ Sep 4 2005, 12:14 AM)
I am pretty sure that all ASO servers are protected by mod_security and that The Planet (ASO's data center) has already installed hardware firewalls. You may want to check with technical support about that.

I'm talking about a VPS, not the shared servers. mod_security is not installed AFAIK, and ASO have software firewalls on the shared servers IIRC.

#4 -ASO- Tim (Former Head Orange, Members, 5,239 posts)

Posted 03 September 2005 - 06:44 PM

mod_security is really easy to install, just hard to configure. You can get it installed in WHM under the Addon Modules section.

If you want a firewall, APF is the only way to go (since I think it's the only one compatible with our VPS software).
Former Owner/Manager
timdorr.com

#5 Stian S (Very Large Orange, Members, 467 posts)

Posted 03 September 2005 - 07:08 PM

What's so hard about configuring mod_security? Found this ruleset configured for cPanel servers etc:

CODE
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
# (patterns are regular expressions matched against the request line)
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
# "." and "?" are regex metacharacters; escaped so these match the literal paths
SecFilterSelective THE_REQUEST "/config\.php\?v=1&DIR "
SecFilterSelective THE_REQUEST "/\.\./\.\./ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F\.php "
</IfModule>


#6 jaseone (Massive Orange, Members, 2,193 posts)

Posted 03 September 2005 - 07:14 PM

I hope you don't run a forum where you want to say things like ftp, telnet, ssh or any of the other filters you have listed.
Jason Bainbridge
An Aussie geek stuck in Texas
Road Show Blondes - Follow the Road Show as we drive from Houston to New York City to raise awareness and money for suicide prevention with The Jed Foundation.

#7 MacManX (Huge Orange, Members, 1,064 posts)

Posted 03 September 2005 - 07:24 PM

Jason's right.  Under your rules, making a forum or blog post with any of the words that you have listed, like "curl" and "echo", would generate a 403 (Access Denied) error.  It is very easy to configure mod_security to keep your server secure.  Where the difficulty comes in is when you want to configure mod_security to keep your server secure without breaking anything.

#8 evn (Very Large Orange, Members, 487 posts)

Posted 03 September 2005 - 07:58 PM

Not to mention making it nearly impossible for somebody running some screen readers or refreshable braille displays to use the site.

#9 Stian S (Very Large Orange, Members, 467 posts)

Posted 04 September 2005 - 03:48 AM

QUOTE(jaseone @ Sep 4 2005, 1:14 AM)
I hope you don't run a forum where you want to say things like ftp, telnet, ssh or any of the other filters you have listed.

Heh, didn't think about that.

#10 Stian S (Very Large Orange, Members, 467 posts)

Posted 05 September 2005 - 06:56 PM

I looked in /var/log/messages and found hundreds of "authentication failures":

CODE
Sep 5 05:51:31 vps sshd(pam_unix): authentication failiure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=219.252.183.*
Sep 5 05:51:31 vps sshd(pam_unix): authentication failiure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=219.252.183.*
Sep 5 05:51:33 vps sshd(pam_unix): authentication failiure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=219.252.183.*
Sep 5 05:51:34 vps sshd(pam_unix): authentication failiure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=219.252.183.*

And some of the lines include usernames like root, news, ftp, lp and operator.

I guess this is some sort of brute force attack. I've got a 20 digit/char root password, and I have also disabled direct root access as of now (have to su through another "secret" user).

I wonder, is this common? This is a new VPS with only a few websites (all of them are mine). I find it rather scary anyway. Is there a log where I can see which IP has successfully logged into the server (whether it be ftp or ssh)?

I also have a lot of these in the /var/log/messages log:

CODE
Sep 5 06:47:15 vps pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1

What is that all about?

Also, when it lists a successful ftp login without any attached user, what is that? I noticed that the usernames are listed when any of my legit ftp users log in, but I had a few logins that were missing usernames (or so it seemed). Can it be cPanel or whatever? It says:

CODE
Sep 1 16:50:50 vps pure-ftpd: (?@212.112.238.*) [INFO] New connection from 212.112.238.*
Sep 1 16:50:50 vps pure-ftpd: (?@212.112.238.*) [INFO] Logout
Sep 1 16:50:50 vps pure-ftpd: (?@212.112.238.*) [INFO] New connection from 212.112.238.*
Sep 1 16:50:50 vps pure-ftpd: (?@212.112.238.*) [INFO] Logout

The times look rather strange. Also, no users specified, and no operations seem to be done (I can see other ftp operations by legit users, like uploads etc). So, is the "Logout" part just saying that the user (or probably a virus/bot) closes the connection before the password is entered?

I guess it's time to install a brute force monitor.
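An added triage script, not from the thread, for the sshd lines quoted in the post above: it counts pam_unix authentication failures per source host and flags hosts that either cross a threshold or try the system accounts named in the post (root, news, ftp, lp, operator). The log sample is constructed in the same format, with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the /var/log/messages lines quoted in the
# post; the addresses are documentation-range placeholders, not real sources.
SAMPLE_LOG = """\
Sep 5 05:51:31 vps sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7
Sep 5 05:51:31 vps sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=root
Sep 5 05:51:33 vps sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=news
Sep 5 05:51:34 vps sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7  user=operator
Sep 5 06:02:10 vps sshd(pam_unix): authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.4  user=stian
Sep 5 06:47:15 vps pure-ftpd: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
"""

# pam_unix prints rhost= and, when the login name is known, a trailing user=
FAIL_RE = re.compile(
    r"sshd\(pam_unix\): authentication failure;.*?rhost=(?P<rhost>\S+)"
    r"(?:\s+user=(?P<user>\S+))?"
)

def summarize_failures(log_text):
    """Count SSH auth failures per source host and collect the usernames tried."""
    per_host = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue  # pure-ftpd chatter, successful logins, anything else
        per_host[m["rhost"]] += 1
        if m["user"]:
            users[m["rhost"]].add(m["user"])
    return per_host, users

def suspected_brute_force(log_text, threshold=3):
    """Hosts with at least `threshold` failures, or any failure against a system
    account that should never log in over SSH. Returns {host: summary}."""
    system_accounts = {"root", "news", "ftp", "lp", "operator"}
    per_host, users = summarize_failures(log_text)
    flagged = {}
    for host, n in per_host.items():
        if n >= threshold or users[host] & system_accounts:
            flagged[host] = {"failures": n, "users": sorted(users[host])}
    return flagged

if __name__ == "__main__":
    for host, info in suspected_brute_force(SAMPLE_LOG).items():
        print(host, info)
```

Successful logins are recorded separately from these failures: `last` reads wtmp and shows the source host of each session, and sshd logs them as `Accepted ...` lines in the same syslog.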

#11 djrk111 (Very Large Orange, Members, 576 posts)

Posted 05 September 2005 - 08:38 PM

Well, I don't know about the rest, but the connections from 127.0.0.1 are probably OK- that's just your server connecting to itself, as it probably has to do somewhat frequently...

#12 Stian S (Very Large Orange, Members, 467 posts)

Posted 06 September 2005 - 08:41 AM

Maybe it's a process checking to see if ftp is up or not.

However, what about those brute force attacks? Should I be worried about WHM getting brute force attacked? How can I protect it better? Are there any logs?

#13 -ASO- Tim (Former Head Orange, Members, 5,239 posts)

Posted 06 September 2005 - 10:00 AM

Brute force attacks are common against our servers. Luckily, they're almost always just checking for dumb username and password combinations (root/password, for example). As long as your password is decently long, you should be fine.

As for the 127.0.0.1 connection, that's just chkservd doing its thing. It tests to see if services are down and restarts them for you if they stop responding.

#14 Stian S (Very Large Orange, Members, 467 posts)

Posted 06 September 2005 - 10:04 AM

Ah, good to know.

#15 Stian S (Very Large Orange, Members, 467 posts)

Posted 07 September 2005 - 05:29 PM

QUOTE(jaseone @ Sep 4 2005, 2:14 AM)
I hope you don't run a forum where you want to say things like ftp, telnet, ssh or any of the other filters you have listed.

QUOTE(MacManX)
Jason's right. Under your rules, making a forum or blog post with any of the words that you have listed, like "curl" and "echo", would generate a 403 (Access Denied) error. It is very easy to configure mod_security to keep your server secure. Where the difficulty comes in is when you want to configure mod_security to keep your server secure without breaking anything.

Actually, you are both wrong.

I just added mod_security with the ruleset I posted above your messages, and I *AM* able to post messages in the forums with "scp", "wget", "cd /tmp" and other comments.

But if I try to put any of those in the url (e.g. "viewtopic.php?&wget"), the server rejects it and gives a 403 error message.
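Why the forum post got through while the same word in the URL was rejected, as an added example that is not part of the thread or of mod_security itself: the quoted rules are keyed on THE_REQUEST, which in mod_security 1.x is the request line only ("GET /path?query HTTP/1.1"), so a POST body is never seen by them, whereas the unqualified SecFilter chain is also run over the payload when SecFilterScanPOST is On. The emulation below is a simplified assumption about that matching, not mod_security's own code.

```python
import re
from urllib.parse import unquote

# Constructed subset of the SecFilterSelective THE_REQUEST rules quoted in the
# thread. They only ever see the request line, never the POST body.
THE_REQUEST_RULES = ["wget ", "curl ", "cd /tmp ", r"/\.\./\.\./ "]

# The unqualified SecFilter chain from the same ruleset. Assumption: it is
# checked against the request line plus the decoded POST payload.
SECFILTER_CHAIN = (r"viewtopic\.php\?", r"chr\(([0-9]{1,3})\)")

def request_line(method, uri):
    # mod_security URL-decodes before matching, so "cd%20/tmp" becomes "cd /tmp"
    return f"{method} {unquote(uri)} HTTP/1.1"

def inspect(method, uri, body=""):
    """Return (status, reason): 403 when a rule fires, as the quoted
    SecFilterDefaultAction "deny,log,status:403" would, otherwise 200."""
    line = request_line(method, uri)
    for pattern in THE_REQUEST_RULES:
        if re.search(pattern, line):
            return 403, f"THE_REQUEST {pattern!r}"
    # a chain fires only when every filter in it matches the same request
    haystack = line + "\n" + unquote(body)
    if all(re.search(p, haystack) for p in SECFILTER_CHAIN):
        return 403, "SecFilter chain viewtopic/chr()"
    return 200, "allowed"

if __name__ == "__main__":
    # a forum post with the keywords in the body and nothing in the URL
    print(inspect("POST", "/posting.php", "I ran wget and cd /tmp today"))
    # the same keyword placed in the URL, as in the "viewtopic.php?&wget" test
    print(inspect("GET", "/viewtopic.php?&wget"))
    # a false positive: any URL path ending in "curl" is followed by the
    # space before "HTTP/1.1", so the "curl " rule matches it
    print(inspect("GET", "/blog/notes-on-curl"))
```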

#16 MacManX (Huge Orange, Members, 1,064 posts)

Posted 07 September 2005 - 08:37 PM

Now, install a WordPress blog, and try to make a blog post with words like "curl" and "wget". ^_-

#17 jaseone (Massive Orange, Members, 2,193 posts)

Posted 07 September 2005 - 08:40 PM

Why would it work in a forum and not Wordpress though? They would both be using POST... Maybe that particular setup doesn't filter POST requests?

#18 MacManX (Huge Orange, Members, 1,064 posts)

Posted 07 September 2005 - 08:48 PM

QUOTE(jaseone @ Sep 7 2005, 6:40 PM)
Why would it work in a forum and not Wordpress though? They would both be using POST... Maybe that particular setup doesn't filter POST requests?

Good point.  All I know is that it's a BIG (frequently reported) problem over in the WordPress support forums.

#19 Stian S (Very Large Orange, Members, 467 posts)

Posted 08 September 2005 - 01:22 AM

I have an audit_log I check frequently anyway, so if I see a rule creating trouble, I can just remove it from the mod_secure list.

#20 Logan (Very Large Orange, Members, 482 posts)

Posted 15 September 2005 - 04:08 PM

Is the mod_security module good for anything other than blocking keywords?