Why should you secure your server?
• Customer Safety and Satisfaction
• Required to Carry on Business
• Long Term Economic Benefits
• Improves Your Hosting Brand
Sections in this Session
• Securing your Server(s) SSH Access
• MySQL Security Best Practices
• Preventing Email Abuse
Why Secure your SSH?
• SSH allows you to remotely execute commands
• As an admin you access it from a remote location, and so can a hacker
• A hacker may gain root access to your server if it is not secured
• If a hacker gains root access, you can kiss your server goodbye!
Change your SSH Port
• The default SSH port is 22, and even the hacker knows that
• A hacker can scan port 22 on many IP addresses and use brute force or other attacks to gain access
• Hence change your port to something other than 22 (and other than 2222, which is common as well)
• In /etc/ssh/sshd_config change:
Port 3077
Disable Root Login
• The hacker would most likely brute-force the root user
• Disabling root login adds an additional layer of security to your server
• If you need root access, log in as a normal user and use the su command.
• In /etc/ssh/sshd_config change:
PermitRootLogin no
AllowUsers mysshuser
Use Keys for Authentication
• Disable password logins and use keys instead. First generate a key pair:
$ ssh-keygen -t rsa
• This will create two files in your (hidden) ~/.ssh directory: id_rsa and id_rsa.pub
• The first, id_rsa, is your private key; id_rsa.pub is your public key.
• If you are a Windows user, you can convert the id_rsa file into a .ppk with PuTTYgen for use with PuTTY.
• Never re-use SSH keys on multiple servers
Use Keys for Authentication (Cont.)
• Copy the public key (id_rsa.pub) to the server and install it into authorized_keys:
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
• You will need to set file permissions on the server:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
• Disable password authentication completely in /etc/ssh/sshd_config:
PasswordAuthentication no
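The four sshd_config changes above (non-default port, no root login, an AllowUsers list, no password authentication) are easy to get half done. The script below is an added example, not from the slides: it reads a config and reports PASS/FAIL for each setting the way sshd itself resolves directives (first occurrence wins, keywords are case-insensitive, "#" lines are comments). The SSHD_CONFIG variable name is an assumption of this example, and the sample config embedded in it is constructed so that only one check passes.

```shell
#!/bin/sh
# Added example (not from the slides): audit an sshd_config for the settings
# recommended above. Reads the file named by SSHD_CONFIG if that variable is
# set (hypothetical name), otherwise a constructed sample that has only part
# of the hardening applied. Assumes no Match blocks, whose directives apply
# conditionally; on a live host "sshd -T" prints the effective configuration.

SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
#Port 22
Port 22
#PermitRootLogin yes
PermitRootLogin no
  PasswordAuthentication yes'

config_text() {
    if [ -n "${SSHD_CONFIG:-}" ]; then
        cat "$SSHD_CONFIG"
    else
        printf '%s\n' "$SAMPLE_SSHD_CONFIG"
    fi
}

# Effective value of one directive: sshd keeps the FIRST occurrence of a
# keyword, compares keywords case-insensitively and ignores "#" comments.
sshd_value() {
    config_text | awk -v key="$1" '
        tolower($1) == tolower(key) && !done { print $2; done = 1 }'
}

# Each check prints PASS/FAIL and returns 0/1 so it can drive a script.
check_port() {
    port=$(sshd_value Port)
    [ -n "$port" ] || port=22                  # compiled-in default when unset
    case "$port" in
        22|2222) echo "FAIL Port $port (default or commonly scanned alternative)"; return 1 ;;
        *)       echo "PASS Port $port"; return 0 ;;
    esac
}

check_root_login() {
    v=$(sshd_value PermitRootLogin)
    if [ "$v" = "no" ]; then
        echo "PASS PermitRootLogin no"; return 0
    fi
    echo "FAIL PermitRootLogin ${v:-unset}"; return 1
}

check_password_auth() {
    v=$(sshd_value PasswordAuthentication)
    if [ "$v" = "no" ]; then
        echo "PASS PasswordAuthentication no"; return 0
    fi
    echo "FAIL PasswordAuthentication ${v:-unset}"; return 1   # sshd defaults to yes
}

check_allow_users() {
    v=$(sshd_value AllowUsers)
    if [ -n "$v" ]; then
        echo "PASS AllowUsers limits who may log in"; return 0
    fi
    echo "FAIL AllowUsers not set; every account with a shell may log in"; return 1
}

# Run all checks; the last line printed is the number of failures.
run_audit() {
    failures=0
    for check in check_port check_root_login check_password_auth check_allow_users; do
        $check || failures=$((failures + 1))
    done
    echo "$failures"
}

run_audit
```

Run it as `SSHD_CONFIG=/etc/ssh/sshd_config sh audit.sh` after editing the file; a non-zero final line means at least one slide's recommendation is not in effect. The first-occurrence rule matters in practice: a `PasswordAuthentication no` appended at the end of the file does nothing if an earlier uncommented `PasswordAuthentication yes` is still present.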
SSH IP Address Restriction
• IP address restriction means allowing only certain IPs to SSH into a server. This requires static IP address(es) for the admins who connect
• The two important files are /etc/hosts.allow and /etc/hosts.deny
• In /etc/hosts.allow add the allowed IP address:
sshd: 1.2.3.0
• In /etc/hosts.deny, restrict all other IPs:
sshd: ALL
Fail2Ban
• Fail2ban scans log files (e.g. /var/log/secure) and bans IPs (using the firewall) that show malicious signs: too many password failures, probing for exploits, etc.
• Out of the box Fail2Ban comes with filters for various services like Apache, SSH and Courier
• You can configure Fail2Ban to send emails to sysadmins as well.
# EPEL is required
$ yum install fail2ban
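What Fail2ban automates for sshd can be seen in miniature by counting failed logins per source IP in /var/log/secure and listing the addresses that cross a threshold. The script below is an added example, not code from the slides or from the Fail2ban project: the log lines in it are constructed (documentation IP ranges), the SECURE_LOG variable name and the threshold of 5 are assumptions, and the firewall command is only printed, never executed.

```shell
#!/bin/sh
# Added example (not from the slides): count sshd "Failed password" lines per
# source IP and report the IPs at or above a threshold, which is what a
# fail2ban sshd jail does before it inserts a firewall rule. Reads the file
# named by SECURE_LOG if set (hypothetical name), else the constructed sample.

SAMPLE_LOG='Mar  3 10:15:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 10:15:03 web1 sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Mar  3 10:15:04 web1 sshd[2005]: Failed password for invalid user oracle from 203.0.113.5 port 51024 ssh2
Mar  3 10:15:06 web1 sshd[2007]: Failed password for root from 203.0.113.5 port 51025 ssh2
Mar  3 10:15:07 web1 sshd[2009]: Failed password for invalid user test from 203.0.113.5 port 51026 ssh2
Mar  3 10:15:09 web1 sshd[2011]: Failed password for root from 203.0.113.5 port 51027 ssh2
Mar  3 10:15:30 web1 sshd[2020]: Failed password for invalid user pi from 192.0.2.44 port 60001 ssh2
Mar  3 10:15:31 web1 sshd[2022]: Failed password for invalid user pi from 192.0.2.44 port 60002 ssh2
Mar  3 10:15:33 web1 sshd[2024]: Failed password for invalid user pi from 192.0.2.44 port 60003 ssh2
Mar  3 10:16:00 web1 sshd[2030]: Accepted publickey for mysshuser from 198.51.100.7 port 40000 ssh2
Mar  3 10:16:20 web1 sshd[2032]: Failed password for mysshuser from 198.51.100.7 port 40001 ssh2'

log_text() {
    if [ -n "${SECURE_LOG:-}" ]; then
        cat "$SECURE_LOG"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi
}

# Failed password attempts per source IP, most frequent first. The IP is the
# field after "from"; "invalid user" lines count too, since the source is the
# same. Successful ("Accepted") logins are not matched.
failed_per_ip() {
    log_text | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) print ip, count[ip] }' | sort -k2,2nr -k1,1
}

# IPs whose failure count reaches the threshold (fail2ban calls it maxretry).
offenders() {
    threshold="${1:-5}"
    failed_per_ip | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# Failure count for a single IP, 0 when it never failed.
failures_for() {
    n=$(failed_per_ip | awk -v ip="$1" '$1 == ip { print $2 }')
    echo "${n:-0}"
}

# Dry run: print the rule fail2ban's iptables action would insert for each
# offender. Nothing here touches the firewall.
ban_rules() {
    offenders "${1:-5}" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -j DROP"
    done
}

ban_rules 5
```

On the sample, 203.0.113.5 has six failures and is the only offender at the default threshold, 192.0.2.44 shows up only if the threshold is lowered to 3, and the legitimate admin at 198.51.100.7 with one typo is never listed. Fail2ban adds what this script lacks: a time window (findtime), automatic unbanning (bantime) and a real firewall backend.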
Logwatch
• Logwatch is a customizable, pluggable log-monitoring system.
• It will go through your logs for a given period of time and make a report on the areas that you wish, with the detail that you wish
• Installation is simple:
$ yum install logwatch
• Usage is simple as well:
$ logwatch --detail Low --service sshd --range today --save /tmp/logwatch
Separate Billing Server
• Small and medium sized web-hosting companies and resellers tend to keep their billing systems hosted on the same servers which host their shared hosting customers
• BAD IDEA!
• Your website + billing software should *always* be hosted on a separate server / VPS
• It is extremely dangerous to have untrusted customers on the same server.
MySQL / MariaDB Abuse
• Database Abuse is pretty common and easily achievable in shared environments
• If MySQL / MariaDB is abused your system will become slower and all your customers' websites will be affected.
• There are external threats possible if you don’t secure your MySQL / MariaDB server
Restrict Remote Access
• By default MySQL will start with networking enabled and listen on port 3306
• To stop MySQL from opening a network socket, add the following parameter in the [mysqld] section of my.cnf or my.ini:
skip-networking
• Some control panels like cPanel instead restrict it to the localhost IP 127.0.0.1:
bind-address=127.0.0.1
Disable the use of LOCAL INFILE
• Disable the use of the "LOAD DATA LOCAL INFILE" command
• If not secured, important data could be revealed:
SELECT load_file("/etc/passwd")
• To disable the usage of the "LOCAL INFILE" command, add the following parameter in the [mysqld] section of the MySQL configuration file (the older set-variable=local-infile=0 spelling is obsolete):
local-infile=0
• Some control panels like cPanel restrict this already
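The two my.cnf settings above (skip-networking or a loopback bind-address, and local-infile=0) are easy to verify from the file itself, as long as the checker honours how MySQL reads option files: only the [mysqld] section counts, "-" and "_" in option names are interchangeable, "#" starts a comment even mid-line, and a bare option like skip-networking is a switch. The script below is an added example, not from the slides or from MySQL; the MY_CNF variable name is an assumption and the sample file embedded in it is constructed to fail both checks.

```shell
#!/bin/sh
# Added example (not from the slides): check the [mysqld] section of a my.cnf
# for the network and LOCAL INFILE settings discussed above. Reads the file
# named by MY_CNF if that variable is set (hypothetical name), otherwise a
# constructed sample that fails both checks.

SAMPLE_MY_CNF='# constructed sample my.cnf
[client]
port = 3306

[mysqld]
datadir=/var/lib/mysql
bind-address = 0.0.0.0   # listens on every interface
local_infile=1
# skip-networking

[mysqld_safe]
log-error=/var/log/mysqld.log'

cnf_text() {
    if [ -n "${MY_CNF:-}" ]; then
        cat "$MY_CNF"
    else
        printf '%s\n' "$SAMPLE_MY_CNF"
    fi
}

# Value of an option inside [mysqld] only. MySQL treats "-" and "_" in option
# names as interchangeable, "#" starts a comment even mid-line, a bare option
# such as "skip-networking" is a switch (reported here as ON), and when an
# option repeats the last occurrence wins.
mysqld_option() {
    cnf_text | awk -v want="$1" '
        BEGIN { gsub(/-/, "_", want) }
        {
            line = $0
            sub(/#.*/, "", line)                       # strip comments
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]+$/, "", line)
        }
        line ~ /^\[/ { insec = (line == "[mysqld]"); next }
        !insec || line == "" { next }
        {
            eq = index(line, "=")
            if (eq == 0) { key = line; val = "ON" }
            else {
                key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
                sub(/[[:space:]]+$/, "", key); sub(/^[[:space:]]+/, "", val)
            }
            gsub(/-/, "_", key)
            if (key == want) found = val
        }
        END { if (found != "") print found }'
}

# PASS when mysqld cannot be reached over the network at all (skip-networking)
# or only over loopback (bind-address); FAIL otherwise.
check_network() {
    sn=$(mysqld_option skip-networking)
    case "$sn" in
        ON|1|TRUE|true) echo "PASS skip-networking: no TCP listener at all"; return 0 ;;
    esac
    ba=$(mysqld_option bind-address)
    case "$ba" in
        127.0.0.1|localhost|::1)
            echo "PASS bind-address $ba (local clients only)"; return 0 ;;
        "") echo "FAIL neither skip-networking nor bind-address set; mysqld listens on all interfaces"; return 1 ;;
        *)  echo "FAIL bind-address $ba is reachable from the network"; return 1 ;;
    esac
}

check_local_infile() {
    li=$(mysqld_option local-infile)
    case "$li" in
        0|OFF|off|FALSE|false) echo "PASS local_infile disabled"; return 0 ;;
        "") echo "FAIL local_infile not set (server default was ON before MySQL 8.0)"; return 1 ;;
        *)  echo "FAIL local_infile=$li"; return 1 ;;
    esac
}

check_network
check_local_infile
```

Run it as `MY_CNF=/etc/my.cnf sh mycnf-check.sh`. Note that the `load_file()` call shown on the slide is governed by the FILE privilege and the secure_file_priv setting rather than by local_infile, so review those as well when tightening file access.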
Setting Account Resource Limits
• In MySQL 5+, you can limit use of the following server resources for individual accounts:
• The number of queries that an account can issue per hour
• The number of updates that an account can issue per hour
• The number of times an account can connect to the server per hour
• The number of simultaneous connections to the server by an account
GRANT ALL ON customer.* TO 'DB'@'localhost'
    WITH MAX_QUERIES_PER_HOUR 3600
         MAX_UPDATES_PER_HOUR 360
         MAX_CONNECTIONS_PER_HOUR 3600
         MAX_USER_CONNECTIONS 5;
Other MySQL / MariaDB Tips
• Change root username and password (don’t do it on cPanel, Plesk, etc.)
• Remove the "test" database
• Remove Anonymous and obsolete accounts
• Remove the MySQL client command history:
cat /dev/null > ~/.mysql_history
Prevent Email Abuse
• Shared hosting users can send a lot of spam from your servers if you don't prevent them
• It can cause blacklisting of your server IPs
• In cPanel there are some good settings to stop users sending excessive email, such as a maximum number of emails per hour and a maximum percentage of failed messages
• You can find them in WHM -> Tweak Settings
Ebury and Poodle
• On infected hosts, Ebury steals SSH login credentials (username/password) from incoming and outgoing SSH connections.
• Check your servers for an Ebury infection: https://www.cert-bund.de/ebury-faq
• POODLE: the Google Security Team discovered this vulnerability and disclosed it in September 2014.
• You should disable SSLv3 because of POODLE.
Last Tips
• Back up your servers and data regularly. It is the only solution you have if your servers get hacked.
• Keep your systems up-to-date (goes without saying). It's as easy as "yum update"
• Be well informed about recent vulnerabilities by subscribing to security mailing lists, e.g. hostingseclist.com