Secure Your server (LINUX)


1. Kernel update

# yum update kernel

2. OpenSSH and OpenSSL version update

# yum update openssh && yum update openssl

3. Secure /tmp, /dev/shm and /var/tmp

These world-writable directories are where web exploits usually drop and run their payloads, so each should be a separate filesystem mounted with noexec,nosuid,nodev. On a cPanel server the bundled script creates a loopback filesystem for /tmp, mounts it noexec,nosuid and bind-mounts /var/tmp onto it:

# /scripts/securetmp

Check /dev/shm (normally a tmpfs line in /etc/fstab) separately, and re-check all three after any reboot or fstab change.
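As an added check that is not part of the original checklist, the POSIX shell helper below reads a mounts table in /proc/mounts format and reports whether /tmp, /dev/shm and /var/tmp are separate mounts carrying noexec, nosuid and nodev. The sample table it runs against is constructed for the demonstration; call audit_scratch_mounts with no argument to check the live system.

```sh
#!/bin/sh
# Added audit helper (not from the original checklist): confirm that the
# writable scratch filesystems are separate mounts with noexec,nosuid,nodev.
# Reads a mounts table in /proc/mounts format; defaults to the live table.

# Print the mount options of MOUNTPOINT, or nothing if it is not a separate
# mount (i.e. it is just a directory on the root filesystem). The last
# matching line wins, as with stacked mounts.
mount_opts() {  # usage: mount_opts MOUNTPOINT [MOUNTS_FILE]
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "${2:-/proc/mounts}"
}

# Return 0 when MOUNTPOINT has all required options, 1 otherwise (with a reason).
check_tmp_mount() {  # usage: check_tmp_mount MOUNTPOINT [MOUNTS_FILE]
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "$1: not a separate mount, files here execute from the root filesystem"
        return 1
    fi
    rc=0
    for need in noexec nosuid nodev; do
        case ",$opts," in
            *",$need,"*) ;;
            *) echo "$1: missing $need (options: $opts)"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "$1: ok ($opts)"
    return "$rc"
}

# Check all three locations; return 0 only if every one of them passes.
audit_scratch_mounts() {  # usage: audit_scratch_mounts [MOUNTS_FILE]
    status=0
    for mp in /tmp /dev/shm /var/tmp; do
        check_tmp_mount "$mp" "$1" || status=1
    done
    return "$status"
}

# Constructed sample table (not from a real server): /tmp is compliant,
# /dev/shm lacks noexec, and /var/tmp has no mount of its own.
write_sample_mounts() {  # usage: write_sample_mounts PATH
    cat > "$1" <<'EOF'
/dev/vda1 / ext4 rw,relatime 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,nodev,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
EOF
}

f=$(mktemp)
write_sample_mounts "$f"
audit_scratch_mounts "$f" || echo "sample table: remediation needed"
rm -f "$f"
```

A mountpoint that is absent from the table is reported as a failure on purpose: a plain directory on the root filesystem inherits whatever options / has, which is never noexec.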

4. Enable a firewall (csf; see the CSF Setting section below)

5. Install malware scanners (LMD/maldet, rkhunter, ClamAV)

6. Disable SSH tunneling (port forwarding)

Add the following line to /etc/ssh/sshd_config (without a leading #, which would comment it out), check the file with sshd -t, then restart sshd. This refuses -L, -R and -D forwarding for every user; if administrators still need it, re-enable it for them only, in a Match block.

AllowTcpForwarding no

7. Show the date and time of each command in the shell history

echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
source ~/.bash_profile

    cPanel Security
 ======================

8. WHM >> Home >> Security Center (the cPanel security settings)

    Enable the Apache mod_userdir Tweak (stops http://<server IP>/~user URLs from serving accounts on the shared IP and bypassing per-domain limits)

    Disable compiler access for unprivileged users

    Password strength: set the minimum to 70

    Configure Security Policies: set the password age to 90 days

    Enable Shell Fork Bomb Protection

    Disable cPHulk Brute Force Protection only if csf/lfd is already installed, so that login failures are not handled by two tools at once

    Enable the PHP open_basedir Tweak (confines each account's PHP file access to its own home directory)

    Enable Check Referrer Security

    Enable Background Process Killer

    Enable Check Referrer Blank Security


9. Add disable_functions to php.ini

Entries that PHP cannot disable this way are left out of the list: eval is a language construct, not a function; allow_url_fopen is an ini directive (handled in item 10); and fp, fput and inject_code are not PHP functions at all. escapeshellarg and escapeshellcmd are also left out because they sanitize input, and disabling them breaks code that calls them correctly. Test customer applications after applying the list, since some legitimate software relies on the ftp_* and posix_* functions.

disable_functions = symlink, show_source, system, virtual, shell_exec, passthru, exec, popen, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, pfsockopen, posix_getpwuid, posix_setsid, posix_mkfifo, posix_setpgid, posix_setuid, posix_uname, posix_kill, apache_child_terminate, apache_setenv, define_syslog_variables, leak, dl, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore
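As an added check, not part of the original post, the shell helper below reads a php.ini and reports which of the functions in the list above are still missing from disable_functions. The php.ini excerpt it runs against is constructed for the demonstration; point it at a real file (one per installed PHP version) to audit a server.

```sh
#!/bin/sh
# Added audit helper (not from the original checklist): compare the
# disable_functions directive in a php.ini against the recommended list.

# The recommended list from the checklist above, space separated.
REQUIRED_DISABLED="symlink show_source system virtual shell_exec passthru exec popen
proc_open proc_close proc_nice proc_terminate proc_get_status pfsockopen
posix_getpwuid posix_setsid posix_mkfifo posix_setpgid posix_setuid posix_uname
posix_kill apache_child_terminate apache_setenv define_syslog_variables leak dl
ftp_connect ftp_exec ftp_get ftp_login ftp_nb_fput ftp_put ftp_raw ftp_rawlist
highlight_file ini_alter ini_get_all ini_restore"

# Print the functions currently listed in disable_functions, one per line.
# Tolerates optional quotes and whitespace; when the directive appears more
# than once the last one wins, which is how PHP itself reads the file.
disabled_functions_in() {  # usage: disabled_functions_in PHP_INI
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d ' \t"' | tr ',' '\n' | sed '/^$/d'
}

# Print each recommended function that is NOT disabled in PHP_INI.
missing_disabled_functions() {  # usage: missing_disabled_functions PHP_INI
    have=$(disabled_functions_in "$1")
    for fn in $REQUIRED_DISABLED; do
        printf '%s\n' "$have" | grep -qx "$fn" || echo "$fn"
    done
}

# Constructed php.ini excerpt for the demonstration (not a real server's file).
write_sample_php_ini() {  # usage: write_sample_php_ini PATH
    cat > "$1" <<'EOF'
; php.ini excerpt
expose_php = Off
disable_functions = "exec, system, passthru, shell_exec"
allow_url_fopen = Off
EOF
}

f=$(mktemp)
write_sample_php_ini "$f"
echo "Recommended functions still enabled in $f:"
missing_disabled_functions "$f"
rm -f "$f"
```

The helper only parses the file; it does not ask PHP. To confirm what the running interpreter actually applies (the CLI and the web SAPI can read different ini files), compare its output with php -i | grep disable_functions for each PHP binary.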

10. Disable allow_url_fopen in php.ini for every installed PHP version, including the versions offered through the PHP Selector

11. Turn off unused services and daemons

These are SysV init commands for CentOS 5/6 (cups is printing, xfs is the X font server, gpm is console mouse support, bluetooth and hidd are Bluetooth, avahi-daemon is mDNS, pcscd is smart cards, nfslock and rpcidmapd are NFS helpers, anacron runs missed periodic jobs). Stop each one and remove it from the boot sequence:

for svc in cups xfs nfslock rpcidmapd bluetooth anacron gpm avahi-daemon hidd pcscd; do
    service $svc stop
    chkconfig $svc off
done

On systemd-based systems (CentOS 7 and later) use systemctl disable --now <unit> instead. Only disable anacron if nothing on the server depends on its cron.daily/weekly/monthly runs.

12. Install the default ModSecurity vendor rule set: WHM >> Security Center >> ModSecurity Vendors

        Exim Settings
 ======================

WHM >> Home >> Tweak Settings >> Mail     and     WHM >> Home >> Exim Configuration Manager

Install ClamAV first (WHM >> Manage Plugins) so that the malware-scanning options below are available.

Set the following in Tweak Settings (Mail section) and in the Exim Configuration Manager:

1. Prevent "nobody" from sending mail: On

2. Max hourly emails per domain: 300

3. Initial default/catch-all forwarder destination: Fail

4. Set reverse DNS (PTR) records for the mail IPs

5. Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody: On

6. Enable SpamAssassin Spam Box delivery for messages marked as spam (user configurable)

7. Dictionary attack protection: On

8. Reject remote mail sent to the server's hostname: On

9. Configure custom RBLs

10. Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): On

11. Scan outgoing messages for malware: On

12. Scan messages for malware from authenticated senders (eximscan): On

13. Tighten /etc/cpanel_exim_system_filter to match the other servers and set the file's attributes

14. Enable SPF and DKIM (DomainKeys) on domains for newly created accounts

15. Track email origin via X-Source email headers: On

16. Set the maximum percentage of failed or deferred messages a domain may send per hour

17. Install a WHM addon that monitors the server's IPs against RBL blacklists and alerts when one is listed

18. Enable extended Exim logging

WHM >> Main >> Service Configuration >> Exim Configuration Editor >> Advanced Editor. Add the log_selector below; +arguments and +subject put command lines and message subjects into the log, which makes it larger and more sensitive, so keep it readable by root only:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

cPanel plugin database (source for the add-ons above): http://thecpaneladmin.com/plugin-database/

    CSF Setting
 ================

1. Disable testing mode once you have confirmed the rules do not lock you out (while TESTING = "1", csf flushes its rules every few minutes from cron and lfd does not run)

TESTING = "0"

2. Restrict syslog/rsyslog access to the users listed in /etc/csf/csf.syslogusers, which stops unprivileged users from writing spoofed log lines that lfd would act on

RESTRICT_SYSLOG = "3"

3. Add the following ports to the existing TCP_IN list (3306 is MySQL: leave it out unless remote MySQL access is really needed, and prefer opening it per source address in csf.allow instead)

3306,5666,1167

4. Remove the SSH port from TCP_IN so that it is reachable only from the addresses allowed in item 7

5. Enable SYN flood protection

SYNFLOOD = "1"

csf.conf itself warns that this slows down all new connections once triggered, so enable it when the server is actually under a SYN flood and tune SYNFLOOD_RATE and SYNFLOOD_BURST accordingly.

6. Whitelist the main client IP and our office IPs

7. Open the SSH port only to our office IPs and the main client IP with entries like the following in /etc/csf/csf.allow (protocol|direction|destination port|source address)

tcp|in|d=2231|s=122.174.216.172

8. Make the following changes in csf.conf for service connections (each value is the number of failures within LF_INTERVAL before the source IP is blocked)

# Enable login failure detection of FTP connections

LF_FTPD = "100"

# Enable login failure detection of SMTP AUTH connections

LF_SMTPAUTH = "100"

# Enable syntax failure detection of Exim connections

LF_EXIMSYNTAX = "100"

# Enable login failure detection of pop3 connections

LF_POP3D = "100"

# Enable login failure detection of imap connections

LF_IMAPD = "100"

# Enable login failure detection of cpanel, webmail and whm connections

LF_CPANEL = "10"

# Enable failure detection of repeated Apache mod_security rule triggers

LF_MODSEC = "25"
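As an added check that is not part of the original post, the shell helper below reads a csf.conf, compares it with the values listed in this section and confirms that the SSH port has been removed from TCP_IN (items 4 and 7). The csf.conf excerpt it runs against is constructed for the demonstration, and the SSH port 2231 is the one used in the csf.allow example above.

```sh
#!/bin/sh
# Added audit helper (not from the original post): check a csf.conf against the
# values in the CSF Setting section and make sure the SSH port is not in TCP_IN.

# KEY=VALUE pairs expected by the checklist, space separated.
EXPECTED_CSF="TESTING=0 RESTRICT_SYSLOG=3 SYNFLOOD=1 LF_FTPD=100 LF_SMTPAUTH=100
LF_EXIMSYNTAX=100 LF_POP3D=100 LF_IMAPD=100 LF_CPANEL=10 LF_MODSEC=25"

# Print the value of KEY from CSF_CONF without the surrounding quotes.
# If the key appears more than once the last occurrence wins.
csf_get() {  # usage: csf_get KEY CSF_CONF
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$2" \
        | tail -n 1
}

# Report every deviation; return 0 only when the file passes all checks.
csf_audit() {  # usage: csf_audit CSF_CONF SSH_PORT
    rc=0
    for pair in $EXPECTED_CSF; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(csf_get "$key" "$1")
        if [ "$have" != "$want" ]; then
            echo "$key: expected \"$want\", found \"${have:-unset}\""
            rc=1
        fi
    done
    # Items 4 and 7: the SSH port belongs in csf.allow (per source IP), not in TCP_IN.
    case ",$(csf_get TCP_IN "$1")," in
        *",$2,"*) echo "TCP_IN: SSH port $2 is open to all sources; move it to csf.allow"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed csf.conf excerpt for the demonstration (not a real server's file):
# testing mode is still on, syslog is unrestricted, SYNFLOOD is off and the
# SSH port 2231 is still world-reachable.
write_sample_csf_conf() {  # usage: write_sample_csf_conf PATH
    cat > "$1" <<'EOF'
TESTING = "1"
RESTRICT_SYSLOG = "0"
TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,2231,3306,5666,1167"
SYNFLOOD = "0"
LF_FTPD = "100"
LF_SMTPAUTH = "100"
LF_EXIMSYNTAX = "100"
LF_POP3D = "100"
LF_IMAPD = "100"
LF_CPANEL = "10"
LF_MODSEC = "25"
EOF
}

f=$(mktemp)
write_sample_csf_conf "$f"
csf_audit "$f" 2231 || echo "csf.conf needs changes (see above)"
rm -f "$f"
```

Run it as csf_audit /etc/csf/csf.conf <ssh port> after editing and again after csf -r, since a typo in csf.conf (a missing quote, for instance) is easy to miss and leaves the old rules in place.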

