# How do you secure your server(s)?



## WelltodoInformalCattle (Aug 18, 2013)

I'm simply curious, how do you folks secure your servers? I'm currently using a mix of logwatch, psad, and CSF for instance yet I can't help but still feel vulnerable.

Any tips are greatly welcomed and I'm sure they'll be useful for the inexperienced such as myself!


----------



## kunnu (Aug 18, 2013)

Respectable voss,

+ We use Linux Malware scanner(Malware Detect)

+ ClamAV Scanner

+ Never use old/outdated script/software/OS

+ Always read hosting security related latest news


----------



## wcypierre (Aug 18, 2013)

1. if you're running or hosting a website, you can add modsecurity/php ids to it to prevent web-based hacking.

2. limit the services that you're supposed to run (if some services are only used once in a while, then turn them off and turn them on based on demand)

3. if certain services are only to be accessed by you, then limit them to a predefined set of IPs for better security (like SSH)

However, "Never use old/outdated script/software/OS" -- provided that it doesn't break anything, so always do a backup before upgrading.


----------



## GIANT_CRAB (Aug 18, 2013)

Here: http://lmgtfy.com/?q=how+to+secure+server

Plenty of answers.


----------



## WelltodoInformalCattle (Aug 18, 2013)

Yes, I'm aware of the power of Google but if there's anything that pisses me off it is being told to Google something when I'm merely curious as to how people plug potential sources of vulnerabilities on their servers.

It would have been easier to ignore this thread than to have made a comment that contributes nothing to it @GIANT_CRAB


----------



## SeriesN (Aug 18, 2013)

GIANT_CRAB said:


> Here: http://lmgtfy.com/?q=how+to+secure+server
> 
> Plenty of answers.


Stop being a douchebag. Doesn't help this forum.


----------



## wcypierre (Aug 18, 2013)

Voss said:


> Yes, I'm aware of the power of Google but if there's anything that pisses me off it is being told to Google something when I'm merely curious as to how people plug potential sources of vulnerabilities on their servers.
> 
> It would have been easier to ignore this thread than to have made a comment that contributes nothing to it @GIANT_CRAB


btw, try and list down the services that you use, it's pretty hard to say anything when you don't state anything.


----------



## 365Networks (Aug 18, 2013)

Usually I set up denyhosts right away and modify the */etc/ssh/sshd_config*

I usually delete any services I am not using/running, as those can be a security hole as well if left unmonitored.


----------



## 365Networks (Aug 18, 2013)

I have a client who runs chkrootkit & RKHunter, as well as Maldet + ClamAV. Seems a bit too much?

Surely ClamAV + Maldet should be enough?


----------



## drmike (Aug 18, 2013)

I rated this 5 stars.  Good topic.

Generally, locking down SSH --- moving it to a non-standard port, not accepting user-style keyed-in password logins.

Deny-style scripts to monitor malicious attackers and block them on an IP basis.

DDoS script to babysit packet flow.

IPTables to limit the packet flow ceiling.


----------



## 365Networks (Aug 18, 2013)

I also like to set up a 'dummy' SSH daemon on port 22, still looking for a solid way to get it to log all requests via email, daily.

Also, if you have IPv6 at home (or wherever you SSH from), have SSHd only listen on an IPv6 address, this should stop 99% of all bruteforce/SSHd exploit attacks as most target via IPv4.


----------



## HalfEatenPie (Aug 18, 2013)

Well...  This obviously depends on what you're using the server for.

In terms of SSH, immediately after installing the OS I move it to a non-standard port, require key logins (+ password), set up e-mail alerts on SSH logins (many resources on the internet for that actually!  But here's one for root: http://www.webhostgear.com/43.html ) and obviously don't allow root login via SSH.

IPTables are your best friend.  Custom scripts that monitor changes to your log files would also be fantastic.  Most of the time if I'm feeling lazy I have it set to monitor the logs of each service and then temporarily drop the connection to that IP depending on how frequently they attempt to access something (and are denied).

I also put monitoring (SNMP) on each VM and link it to two of my Observium monitoring nodes.

This is usually the groundwork once you get the OS and such installed.  If you use apache and such then you go further in-depth with the security measures and settings.

Each new piece of software you introduce into your server provides another vector for possible attack (or so I feel).  Therefore just being able to lock it down would be nice.  I haven't really seen a need for ClamAV personally so don't really know if I should start including that into my system.  Anyone have any opinions?
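The "watch the logs, then temporarily drop the IP" idea from the post above, as an added example that is not code from the thread or from any tool it names. It counts failed SSH logins per source address in auth.log-style lines, lists the addresses at or over a threshold, and prints (does not run) the commands that would drop them with an expiry. The log lines are constructed samples in the format OpenSSH writes; the threshold of 3, the ipset name `blocklist` and the one-hour timeout are this example's own choices.

```shell
#!/bin/sh
# Added example (not code from the thread): the decision step of a
# log-watching script. Constructed auth.log-style sample, OpenSSH format.

SAMPLE_LOG='Aug 18 10:01:02 vps sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Aug 18 10:01:05 vps sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Aug 18 10:01:09 vps sshd[2108]: Failed password for root from 203.0.113.7 port 50141 ssh2
Aug 18 10:01:15 vps sshd[2110]: Failed password for root from 203.0.113.7 port 50150 ssh2
Aug 18 10:02:01 vps sshd[2120]: Accepted publickey for deploy from 198.51.100.5 port 41000 ssh2
Aug 18 10:02:44 vps sshd[2131]: Failed password for invalid user test from 198.51.100.9 port 39000 ssh2
Aug 18 10:03:00 vps sshd[2140]: Invalid user oracle from 203.0.113.7 port 50160'

# offenders THRESHOLD  (log lines on stdin)
# Prints "ip count", sorted by address, for every source with >= THRESHOLD
# failed-password or invalid-user attempts. Successful logins are not counted.
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+]: (Failed password|Invalid user) / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' | sort
}

# setup_commands TIMEOUT_SECONDS
# One-time setup: an ipset with timeout support (entries expire by themselves,
# which is what makes the block temporary) and a single DROP rule matching it.
setup_commands() {
    echo "ipset -exist create blocklist hash:ip timeout $1"
    echo "iptables -I INPUT -m set --match-set blocklist src -j DROP"
}

# block_command IP TIMEOUT_SECONDS : the per-address command a watcher would run
block_command() {
    echo "ipset -exist add blocklist $1 timeout $2"
}

# Driver: anything with 3 or more failures in the sample gets a one-hour block.
setup_commands 3600
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | while read -r ip count; do
    echo "# $ip: $count failures"
    block_command "$ip" 3600
done
```

A real watcher would read the log incrementally and apply the commands instead of echoing them; keeping the count-and-decide step separate from the apply step is what makes it easy to test against a saved log before trusting it with live firewall rules.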


----------



## hzr (Aug 18, 2013)

By installing ZPanel, my server becomes fully managed by everyone

So I don't need to worry about securing it.


----------



## dmmcintyre3 (Aug 18, 2013)

I leave them at the BIOS screen with a no OS found error. (having drive issues)


----------



## D. Strout (Aug 18, 2013)

dmmcintyre3 said:


> I leave them at the BIOS screen with a no OS found error. (having drive issues)


Undoubtedly the most secure so far.

Here's what I know I should do: minstall (dump all unnecessary/possible vector services that way), reinstall SSH with root access off, run on a high port with key-based login only using a frequently changed password-protected key.

But I don't do that. Just an unencrypted key-based auth, port 22, password-based access off. Before you start screaming, ask yourself: will someone just scanning port 22 even keep trying once they see that password authentication is off? Move on to easier targets! See http://xkcd.com/538/ - title text especially.
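The SSH recipe in the post above (root login off, password logins off, keys only), checked against an sshd_config as an added example that is not code from the thread. Two configs are constructed inline; the defaults passed for missing directives are this example's own assumptions for an older OpenSSH (newer releases default PermitRootLogin to prohibit-password, so set it explicitly either way). The second config shows the slip the check is for: appending `PasswordAuthentication no` below a distribution `yes` line, which sshd ignores because it keeps the first value it reads.

```shell
#!/bin/sh
# Added example (not code from the thread): audit an sshd_config for the
# hardening settings discussed above. Both configs are constructed samples.

HARDENED='Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
UsePAM yes'

# The admin appended "PasswordAuthentication no", but the earlier "yes" line is
# still there and sshd keeps the FIRST value it reads for a keyword.
APPENDED='#PasswordAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no'

# sshd_value FILE KEYWORD DEFAULT
# Print the effective global value of KEYWORD: first non-comment match wins,
# keywords are case-insensitive, and lines after a Match header are
# conditional, so they are ignored. DEFAULT is printed if nothing matched.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/      { next }
        NF == 0               { next }
        tolower($1) == "match" { exit }
        tolower($1) == k      { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# check_one FILE KEYWORD WANT DEFAULT : PASS/FAIL line, nonzero status on FAIL
check_one() {
    got=$(sshd_value "$1" "$2" "$4")
    if [ "$got" = "$3" ]; then
        echo "PASS $2=$got"
    else
        echo "FAIL $2=$got (want $3)"
        return 1
    fi
}

# audit_sshd FILE : run every check; status 0 only if all of them pass
audit_sshd() {
    rc=0
    check_one "$1" PermitRootLogin no yes || rc=1
    check_one "$1" PasswordAuthentication no yes || rc=1
    check_one "$1" ChallengeResponseAuthentication no yes || rc=1
    check_one "$1" PubkeyAuthentication yes yes || rc=1
    return $rc
}

# audit_text LABEL CONFIG_TEXT : write the sample to a temp file and audit it
audit_text() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    echo "== $1"
    audit_sshd "$tmp" || echo "   -> $1 still accepts logins you meant to turn off"
    rm -f "$tmp"
}

audit_text HARDENED "$HARDENED"
audit_text APPENDED "$APPENDED"
```

Run it against `/etc/ssh/sshd_config` with `audit_sshd /etc/ssh/sshd_config` after editing; `sshd -T` on the host prints the effective values the same way and is the authoritative check, this script only shows why "first occurrence wins" bites.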


----------



## Quexis (Aug 18, 2013)

D. Strout said:


> Undoubtedly the most secure so far.
> 
> Here's what I know I should do: minstall (dump all unnecessary/possible vector services that way), reinstall SSH with root access off, run on a high port with key-based login only using a frequently changed password-protected key.
> 
> But I don't do that. Just an unencrypted key-based auth, port 22, password-based access off. Before you start screaming, ask yourself: will someone just scanning port 22 even keep trying once they see that password authentication is off? Move on to easier targets! See http://xkcd.com/538/ - title text especially.


For my personal server(s), this.


----------



## drmike (Aug 19, 2013)

@D. Strout hit my summary on the SSH lock down spot on.  You should consider authoring the cliff notes / Howto for your install/hardening in this area.

Nice to see minstall mentioned. Deja vu, three or more mentions of it in the past 24 hours.

Full release (open source) and general info on what minstall is here:

https://github.com/KnightSwarm/Minstall


----------



## HalfEatenPie (Aug 19, 2013)

Yep, I guess I forgot to mention minstall on mine.

While I agree that you don't want to be the low hanging fruit I believe you should at minimum change the port.


----------



## peterw (Aug 19, 2013)

For ssh: http://vpsboard.com/topic/103-simple-security/

For iptables: http://vpsboard.com/topic/980-iptablesip6tables-one-file-script/

Still don't know which log monitor tool is the best.


----------



## WelltodoInformalCattle (Aug 19, 2013)

I created this thread because well, why not ask people that are in this industry? They encounter and mitigate attacks almost daily. Thanks for the info, I'm sure other people will find this thread useful if they're not as security conscious as you all.


----------



## clone1018 (Aug 19, 2013)

wcypierre said:


> 1. if you're running or hosting a website, you can add modsecurity/php ids to it to prevent web-based hacking.
> 
> 2. limit the services that you're supposed to run (if some services are only used once in a while, then turn them off and turn them on based on demand)
> 
> ...


Just to note, PHPIDS by itself does not prevent or protect against intrusion. It's an API for you to make your own application with. "The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to."


----------



## wcypierre (Aug 19, 2013)

clone1018 said:


> Just to note, PHPIDS by itself does not prevent or protect against intrusion. It's an API for you to make your own application with. "The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to."


of course you'd need some configuration, even with iptables, you'd need to add a rule to block an inbound connection to a rarely used port that you don't want certain people to access, no?


----------



## clone1018 (Aug 19, 2013)

Right but the difference is IPTables still handles protecting you, IDS doesn't come with _anything_ to protect against it, it's your job to learn how to protect against the specific issue IDS is reporting and handle it properly.


----------



## wcypierre (Aug 19, 2013)

clone1018 said:


> Right but the difference is IPTables still handles protecting you, IDS doesn't come with _anything_ to protect against it, it's your job to learn how to protect against the specific issue IDS is reporting and handle it properly.


True. But the OP didn't mention wanting an out of the box solution, I guess?


----------



## clone1018 (Aug 19, 2013)

wcypierre said:


> True. But the OP didn't mention wanting an out of the box solution, I guess?


I'm not speaking against it, I just want people who install it to understand it


----------



## wcypierre (Aug 19, 2013)

clone1018 said:


> I'm not speaking against it, I just want people who install it to understand it


I have a tendency to write clean and secure code, as PHPIDS eats CPU cycles as well and it's not that it's foolproof.


----------



## wlanboy (Aug 19, 2013)

Voss said:


> I created this thread because well, why not ask people that are in this industry? They encounter and mitigate attacks almost daily. Thanks for the info, I'm sure other people will find this thread useful if they're not as security conscious as you all.


I am looking forward to new input too.


----------



## Tux (Aug 19, 2013)

Disable password authentication and use iptables to limit connections.

I don't change SSH ports as that's just security by obscurity, and those ports are likely to get scanned anyway.
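The "use iptables to limit connections" part of the post above, as an added example that is not code from the thread: a generator for rules that cap new SSH connections per source address with the xt_recent match, emitted for both IPv4 and IPv6. Rules are printed rather than applied so they can be reviewed first; the port, the thresholds and the optional always-allowed source are the caller's choices, and the documentation-prefix addresses in the driver stand in for the admin's own.

```shell
#!/bin/sh
# Added example (not code from the thread): print iptables/ip6tables rules that
# rate-limit new SSH connections per source. Nothing here touches the firewall.

# ssh_ratelimit_rules TOOL PORT HITS SECONDS [ALLOWED_SOURCE]
# TOOL is iptables or ip6tables. Order matters: the optional unconditional
# ACCEPT for your own address goes first so a mistyped key never locks you
# out; then every new connection is recorded, a source seen HITS times within
# SECONDS is dropped, and anything else is accepted.
ssh_ratelimit_rules() {
    tool="$1"; port="$2"; hits="$3"; secs="$4"; allow="$5"
    new="-p tcp --dport $port -m conntrack --ctstate NEW"
    if [ -n "$allow" ]; then
        echo "$tool -A INPUT $new -s $allow -j ACCEPT"
    fi
    echo "$tool -A INPUT $new -m recent --set --name SSH --rsource"
    echo "$tool -A INPUT $new -m recent --update --seconds $secs --hitcount $hits --name SSH --rsource -j DROP"
    echo "$tool -A INPUT $new -j ACCEPT"
}

# dual_stack_rules PORT HITS SECONDS [ALLOW4] [ALLOW6]
# Emits the same policy for IPv4 and IPv6; a server that only filters v4
# leaves the v6 listener unlimited.
dual_stack_rules() {
    ssh_ratelimit_rules iptables  "$1" "$2" "$3" "$4"
    ssh_ratelimit_rules ip6tables "$1" "$2" "$3" "$5"
}

# Driver: port 22, at most 4 new connections per source per minute. The
# allowed sources are constructed documentation prefixes (RFC 5737 / RFC 3849).
dual_stack_rules 22 4 60 198.51.100.5/32 2001:db8::/32
```

Because `--set` records the current packet before `--update` counts it, HITS is the total number of attempts within the window, including the one being dropped; pick it together with SECONDS so a legitimate user who fat-fingers a passphrase a couple of times is not cut off.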


----------



## wlanboy (Aug 20, 2013)

Everyone working with fail2ban?


----------



## stim (Aug 20, 2013)

Denyhosts here. Very easy to setup and use.


----------



## ICPH (Aug 24, 2013)

I'm using ConfigServer Firewall, I think it's quite good protection. Also list open ports and close the ones you don't use.


----------



## Grumble (Nov 20, 2015)

I use geo blocking to allow only the countries I work with (UK, USA, AU etc.). You can either deny or allow countries. Allow makes for a shorter list.


Also, SSH with certificates and whitelisted IP access only.


No extra users.


32 character passwords.


No sudo on the server.


Wordfence or All in one security for WordPress.


----------



## samK (Jun 9, 2020)

*Secure Server Connectivity*

Establish and Use *a Secure* Connection. ...
Use SSH Keys Authentication. ...
*Secure* File Transfer Protocol. ...
*Secure* Sockets Layer Certificates. ...
Use Private Networks and VPNs. ...
Monitor Login Attempts. ...
Manage Users. ...
Establish Password Requirements.


----------



## visualwebtechnologies (Apr 13, 2022)

Secure port, ssh keys setup, Maldet + ClamAV


----------



## JonathanKW (Apr 13, 2022)

visualwebtechnologies said:


> Secure port, ssh keys setup, Maldet + ClamAV



What do you like about Maldet + ClamAV?

In testing against a product such as Imunify, I notice that ClamAV with their default signatures does not catch nearly as much malware as what Imunify does by default.

On top of that, ClamAV being super memory heavy with a requirement of 3GB makes it less desirable.


----------



## visualwebtechnologies (Apr 13, 2022)

JonathanKW said:


> What do you like about Maldet + ClamAV?
> 
> In testing against a product such as Imunify, I notice that ClamAV with their default signatures does not catch nearly as much malware as what Imunify does by default.
> 
> On top of that, ClamAV being super memory heavy with a requirement of 3GB makes it less desirable.


Yes, I agree ClamAV is very resource intensive, so it is possible that it ran out of memory. Could you SSH to the server and check if you see any OOM (out of memory) errors?

Second option: you can use the Imunify360 software, it's better.


----------

