simple tips to improve server security

Upload: resellerclub

Post on 17-Jul-2015

Why should you secure your server?

• Customer Safety and Satisfaction

• Required to Carry on Business

• Long Term Economic Benefits

• Improves Your Hosting Brand

Sections in this Session

• Securing your Server(s) SSH Access

• MySQL Security Best Practices

• Preventing Email Abuse

Why Secure your SSH?

• SSH allows you to remotely execute commands

• As an admin you access it from a remote location, and so can a hacker

• A hacker may gain root access to your server if it is not secured

• If a hacker gains root access, you can kiss your server goodbye!

Change your SSH Port

• The default SSH port is 22, and the hacker knows that too

• A hacker can scan port 22 on various IP addresses and use brute force or other attacks to gain access

• Hence change your port to something other than 22 (and 2222, which is common as well)

• In /etc/ssh/sshd_config change:

Port 3077

Disable Root Login

• The hacker would likely try a brute-force attack against the root user

• Disabling root login adds an additional layer of security to your server

• If you need root access, log in as a normal user and use the su command.

• In /etc/ssh/sshd_config change:

PermitRootLogin no
AllowUsers mysshuser

Use Keys for Authentication

• Disable password logins. To do so, first generate a key pair on your workstation:

$ ssh-keygen -t rsa

• This will create two files in your (hidden) ~/.ssh directory called id_rsa and id_rsa.pub

• The first, id_rsa, is your private key and id_rsa.pub is your public key.

• If you are a Windows user, you can convert the id_rsa file into a .ppk with the help of PuTTYgen for use with PuTTY.

• Never re-use SSH keys on multiple servers

Use Keys for Authentication (Cont.)

• Copy the public key (id_rsa.pub) to the server and append it to authorized_keys:

$ cat id_rsa.pub >> ~/.ssh/authorized_keys

• You will need to set file permissions on the server:

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

• Disable password authentication completely in /etc/ssh/sshd_config:

PasswordAuthentication no
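The three sshd_config changes above (non-default port, no root login with an AllowUsers list, no password authentication) are easy to get wrong on a fleet of servers, so here is an added audit helper that checks a configuration for all of them. It is example code written for this page, not part of the original slides or of OpenSSH; it assumes sshd's "first occurrence of a keyword wins" rule, keyword and value separated by whitespace, and no Match blocks (which it does not handle). The two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the original slides): reads an sshd_config and
# reports whether the recommended settings are in place.
# Assumptions: first occurrence of a keyword wins (as sshd does), keyword and
# value are whitespace separated, Match blocks are not handled.

# Constructed sample configurations used for the demonstration.
WEAK_CFG='# looks like a stock install
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'

HARD_CFG='Port 3077
PermitRootLogin no
AllowUsers mysshuser
PasswordAuthentication no
PubkeyAuthentication yes
'

# sshd_get KEYWORD CONFIG_TEXT
# Prints the first value configured for KEYWORD (keywords are case-insensitive
# in sshd_config); prints nothing if the keyword is not set.
sshd_get() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd_config CONFIG_TEXT
# Prints one OK:/FAIL: line per check and returns the number of failed checks,
# so a return value of 0 means all four recommendations are in place.
audit_sshd_config() {
    cfg=$1
    fails=0

    port=$(sshd_get Port "$cfg")
    port=${port:-22}                      # sshd listens on 22 when Port is unset
    case "$port" in
        22|2222) echo "FAIL: Port $port is the default or the common alternative"
                 fails=$((fails + 1)) ;;
        *)       echo "OK: Port $port" ;;
    esac

    root=$(sshd_get PermitRootLogin "$cfg")
    if [ "$root" = "no" ]; then
        echo "OK: PermitRootLogin no"
    else
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected no"
        fails=$((fails + 1))
    fi

    users=$(sshd_get AllowUsers "$cfg")
    if [ -n "$users" ]; then
        echo "OK: AllowUsers restricts which accounts may log in"
    else
        echo "FAIL: AllowUsers is not set, any account may log in over SSH"
        fails=$((fails + 1))
    fi

    pw=$(sshd_get PasswordAuthentication "$cfg")
    if [ "$pw" = "no" ]; then
        echo "OK: PasswordAuthentication no"
    else
        echo "FAIL: PasswordAuthentication is '${pw:-unset}' (default yes), expected no"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Demonstration on the constructed samples. To audit a live server, run:
#   audit_sshd_config "$(cat /etc/ssh/sshd_config)"
echo "== weak config =="
audit_sshd_config "$WEAK_CFG" || echo "failed checks: $?"
echo "== hardened config =="
audit_sshd_config "$HARD_CFG" && echo "all checks passed"
```

Run it against the real file before restarting sshd, and keep an existing session open while you do: a typo in AllowUsers or Port locks you out just as effectively as it locks out an attacker.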

SSH IP Address Restriction

• IP address restriction means allowing only certain IPs to SSH into a server. This requires static IP address(es)

• The two important files are /etc/hosts.allow and /etc/hosts.deny

• In /etc/hosts.allow add the allowed IP address(es):

sshd: 1.2.3.0

• In /etc/hosts.deny, restrict all other IPs (hosts.allow is consulted first, so the addresses listed there are still admitted):

sshd: ALL

Fail2Ban

• Fail2ban scans log files (e.g. /var/log/secure) and bans IPs (using the firewall) that show malicious signs: too many password failures, seeking for exploits, etc.

• Out of the box Fail2Ban comes with filters for various services like Apache, SSH, Courier

• You can configure Fail2Ban to send emails to sysadmins as well.

# EPEL is required
$ yum install fail2ban
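To make concrete what "too many password failures" means, the following added example (written for this page; not Fail2Ban's own code or filter) reproduces the core of the sshd filter as a shell function: count "Failed password" lines per source address in /var/log/secure format and report the addresses that reached maxretry. The log lines are constructed samples using RFC 5737 documentation addresses, and the ban rule is printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the original slides or the Fail2Ban project): the
# detection rule behind Fail2Ban's sshd jail, written out so it can be run on
# sample data. Constructed log lines in /var/log/secure format; 203.0.113.0/24
# and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG='Jul 17 10:01:02 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 17 10:01:05 web1 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 17 10:01:08 web1 sshd[1238]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jul 17 10:01:11 web1 sshd[1240]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jul 17 10:01:14 web1 sshd[1242]: Failed password for root from 203.0.113.5 port 51248 ssh2
Jul 17 10:01:17 web1 sshd[1244]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Jul 17 10:02:00 web1 sshd[1300]: Accepted publickey for mysshuser from 198.51.100.7 port 40000 ssh2
Jul 17 10:03:00 web1 sshd[1301]: Failed password for mysshuser from 198.51.100.7 port 40001 ssh2
Jul 17 10:03:10 web1 sshd[1302]: Failed password for mysshuser from 198.51.100.7 port 40002 ssh2
Jul 17 10:04:00 web1 sshd[1303]: Accepted password for mysshuser from 198.51.100.7 port 40003 ssh2'

# failed_logins_by_ip LOG_TEXT
# Prints "IP COUNT" for every source address with at least one sshd
# "Failed password" line, sorted by address. Successful logins are ignored.
failed_logins_by_ip() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) print ip, fails[ip] }' | sort
}

# offending_ips LOG_TEXT MAXRETRY
# Prints the addresses whose failure count reached MAXRETRY (Fail2Ban's
# default maxretry is 5). Unlike Fail2Ban this counts over the whole input
# rather than a sliding findtime window, so it is a reporting aid, not a
# replacement for the daemon.
offending_ips() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

# ban_rule IP
# Prints a firewall rule equivalent to what Fail2Ban's iptables action applies
# (Fail2Ban uses its own chain and REJECT by default). Printed, not executed,
# so the example never touches a live firewall.
ban_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

echo "failures per source address:"
failed_logins_by_ip "$SAMPLE_LOG"
echo "addresses at or over maxretry=5:"
for ip in $(offending_ips "$SAMPLE_LOG" 5); do
    ban_rule "$ip"
done
```

With maxretry 5 only 203.0.113.5 is reported; the two failures from 198.51.100.7 followed by a successful login look like a user mistyping a password, which is exactly the case a too-low maxretry would punish. Once SSH moves off port 22, remember to set the jail's port to the new value so the ban rule matches the traffic.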

Logwatch

• Logwatch is a customizable, pluggable log-monitoring system.

• It will go through your logs for a given period of time and make a report in the areas that you wish, with the detail that you wish

• Installation is simple:

$ yum install logwatch

• Usage is simple as well:

$ logwatch --detail Low --service sshd --range today --save /tmp/logwatch

Separate Billing Server

• Small and medium sized web-hosting companies and resellers tend to keep their billing systems hosted on the same servers which host their shared hosting customers

• BAD IDEA!

• Your website + billing software should *always* be kept on a separate server / VPS

• It is extremely dangerous to have untrusted customers on the same server.

MySQL / MariaDB Abuse

• Database Abuse is pretty common and easily achievable in shared environments

• If MySQL / MariaDB is abused your system will become slower and all your customers websites will be affected.

• There are external threats possible if you don’t secure your MySQL / MariaDB server

Restrict Remote Access

• By default MySQL will start with networking and will listen on port 3306

• To stop MySQL from opening a network socket, add the following parameter in the [mysqld] section of my.cnf or my.ini:

skip-networking

• Some control panels like cPanel instead restrict it to the localhost IP 127.0.0.1:

bind-address=127.0.0.1

Disable the use of LOCAL INFILE

• Disable the use of the "LOAD DATA LOCAL INFILE" command

• If not secured, important data could be revealed:

SELECT load_file("/etc/passwd")

• To disable the usage of the "LOCAL INFILE" command, add the following parameter in the [mysqld] section of the MySQL configuration file.

set-variable=local-infile=0

• Some control panels like cPanel restrict this already
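The two MySQL settings above (no remote listener, local-infile off) live in an INI-style file with sections, so a check has to know which section it is in. Here is an added audit helper written for this page (not part of the slides, cPanel or MySQL) that reads a my.cnf text and reports both settings. It accepts the old set-variable= prefix shown on the slide (that prefix was removed in MySQL 5.5, where the option is written plainly as local-infile=0) and treats '-' and '_' in option names as equivalent, as the server does. It goes one step beyond the slide by also checking secure_file_priv, which is the setting that actually restricts the load_file() read shown above (local-infile only governs LOAD DATA LOCAL INFILE). The sample configurations are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the original slides): checks the [mysqld]
# section of a my.cnf for a local-only listener, local-infile disabled and
# secure-file-priv set. Handles "set-variable=name=value" (pre-5.5 syntax),
# "key = value" with spaces, and '-'/'_' equivalence in option names.

# Constructed sample configurations.
OPEN_CNF='[client]
port=3306

[mysqld]
datadir=/var/lib/mysql
local_infile=1
'

LOCKED_CNF='[mysqld]
datadir = /var/lib/mysql
bind-address=127.0.0.1
set-variable=local-infile=0
secure-file-priv=/var/lib/mysql-files
'

# mycnf_get SECTION OPTION CONFIG_TEXT
# Prints the value of OPTION inside [SECTION]; prints "set" for a bare option
# with no value (like skip-networking) and nothing if the option is absent.
mycnf_get() {
    printf '%s\n' "$3" | awk -v want="$1" -v opt="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function norm(s) { s = trim(s); gsub(/_/, "-", s); return s }   # option names only
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec != want { next }
        {
            line = $0
            if ((i = index(line, "=")) > 0) { key = substr(line, 1, i - 1); val = substr(line, i + 1) }
            else { key = line; val = "set" }
            key = norm(key); val = trim(val)
            # old syntax: set-variable=name=value
            if (key == "set-variable" && (j = index(val, "=")) > 0) {
                key = norm(substr(val, 1, j - 1)); val = trim(substr(val, j + 1))
            }
            if (key == norm(opt)) { print val; exit }
        }'
}

# audit_mycnf CONFIG_TEXT
# Prints OK:/FAIL: lines for the [mysqld] section and returns the number of
# failed checks (0 means all three pass).
audit_mycnf() {
    cfg=$1
    fails=0

    net=$(mycnf_get mysqld skip-networking "$cfg")
    bind=$(mycnf_get mysqld bind-address "$cfg")
    if [ "$net" = "set" ]; then
        echo "OK: skip-networking, no TCP listener at all"
    elif [ "$bind" = "127.0.0.1" ]; then
        echo "OK: bind-address=127.0.0.1, TCP listener reachable from localhost only"
    else
        echo "FAIL: MySQL will listen on port 3306 on all addresses (bind-address='${bind:-unset}')"
        fails=$((fails + 1))
    fi

    li=$(mycnf_get mysqld local-infile "$cfg")
    if [ "$li" = "0" ] || [ "$li" = "OFF" ]; then
        echo "OK: local-infile disabled"
    else
        echo "FAIL: local-infile is '${li:-not set}', LOAD DATA LOCAL INFILE stays allowed"
        fails=$((fails + 1))
    fi

    sfp=$(mycnf_get mysqld secure-file-priv "$cfg")
    if [ -n "$sfp" ] && [ "$sfp" != "set" ]; then
        echo "OK: secure-file-priv=$sfp confines load_file() and INTO OUTFILE to that directory"
    else
        echo "FAIL: secure-file-priv not set; unless the build default restricts it, FILE-privileged accounts can read any file the server can"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Demonstration on the constructed samples. For a live server, run:
#   audit_mycnf "$(cat /etc/my.cnf)"
echo "== open config =="
audit_mycnf "$OPEN_CNF" || echo "failed checks: $?"
echo "== locked-down config =="
audit_mycnf "$LOCKED_CNF" && echo "all checks passed"
```

The check reads only the main file; if your distribution uses !includedir /etc/my.cnf.d, concatenate those files in front of the text you pass in, since a later file can override an earlier value.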

Setting Account Resource Limits

In MySQL 5+, you can limit use of the following server resources for individual accounts:

• The number of queries that an account can issue per hour

• The number of updates that an account can issue per hour

• The number of times an account can connect to the server per hour

• The number of simultaneous connections to the server by an account

GRANT ALL ON customer.* TO 'DB'@'localhost'
WITH MAX_QUERIES_PER_HOUR 3600
MAX_UPDATES_PER_HOUR 360
MAX_CONNECTIONS_PER_HOUR 3600
MAX_USER_CONNECTIONS 5;

Other MySQL / MariaDB Tips

• Change root username and password (don’t do it on cPanel, Plesk, etc.)

• Remove the "test" database

• Remove Anonymous and obsolete accounts

• Remove history:

cat /dev/null > ~/.mysql_history

Prevent Email Abuse

• Shared hosting users can send a lot of SPAM from your servers if you don’t prevent them

• It can cause blacklisting of your server IPs

• In cPanel, there are some good settings to prevent users from sending excessive emails, such as the maximum hourly emails and the percentage of failed messages

• You can find them in WHM -> Tweak Settings

Ebury and POODLE

• On infected hosts, Ebury steals SSH login credentials (username/password) from incoming and outgoing SSH connections.

• Check your servers for an Ebury infection: https://www.cert-bund.de/ebury-faq

• POODLE: The Google Security Team discovered this vulnerability; they disclosed it in September 2014.

• You should disable SSLv3 because of POODLE.

Last Tips

• Back up your servers and data regularly. It is the only solution you have if your servers get hacked.

• Keep your systems up-to-date (goes without saying). It's easy: yum update

• Be well informed about recent vulnerabilities by subscribing to security mailing lists, e.g. hostingseclist.com

Thank You

• Thank you for being here.

Credits:

• Patrick William from Rack911

• Samjad from ActiveLobby

• drServer.net

• cPanel for their development license

• Anyone and everyone I missed mentioning :)