Basic Steps To Secure Your Server

 

Install a firewall and/or login failure tracker

You should always run a firewall allowing traffic only on the ports you actually use, e.g. HTTP, SMTP, IMAP/POP3. It is also good to run a daemon that keeps track of failed login attempts and blocks the offending IP addresses at the firewall. ConfigServer Security & Firewall (CSF) is an excellent piece of software that does both, and is free for personal use:

http://configserver.com/cp/csf.html

 

MySQL

You should disable the local infile function, which helps prevent unauthorized reading of local files. This matters especially when new SQL injection vulnerabilities in PHP applications are found. Add the following line to your /etc/my.cnf file under the [mysqld] section, and restart MySQL:

local-infile = 0

 

PHP

  • Enable only the PHP modules that your sites require
  • Disable risky PHP functions in php.ini, via a line such as "disable_functions=show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ini_set"
  • Use a PHP security module such as suhosin or mod_security
 

SSH

  • Disable SSH logins as root user
  • Allow only publickey logins for root or all SSH users (no password authentication)
  • Change the port on which SSH runs by editing /etc/ssh/sshd_config and restarting the SSH service. This will thwart automated dictionary attacks on the standard port 22
  • Only allow SSH protocol 2; protocol 1 is outdated and insecure
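The MySQL, PHP and SSH settings above are easy to get wrong (a commented-out line, a value placed in the wrong section, a setting that appears after a Match block in sshd_config). The following POSIX sh audit is an added example, not part of the original article or of cPanel/CSF: it reads each file from an argument and reports which recommendation is not met. The list of PHP functions it expects to be disabled is the one from the php.ini bullet above; the rule that sshd honours the first value it reads for a keyword and that lines after a Match block are conditional follows the sshd_config manual.

```shell
#!/bin/sh
# Added example (not from the original article): audit my.cnf, php.ini and
# sshd_config against the recommendations in the text. Paths are arguments.

# Effective global value of a keyword in sshd_config. sshd uses the FIRST
# value it reads for a keyword, ignores comments, and settings after a Match
# line only apply inside that block, so stop reading at the first Match.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key && !seen { val = $2; seen = 1 }
        END { print val }' "$1"
}

# Print one line per SSH problem found; prints nothing when all checks pass.
audit_sshd() {
    f="$1"
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] ||
        echo "sshd: PermitRootLogin should be no (root logins disabled)"
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] ||
        echo "sshd: PasswordAuthentication should be no (key-only logins)"
    [ "$(sshd_value "$f" Protocol)" = "2" ] ||
        echo "sshd: Protocol should be 2"
    port=$(sshd_value "$f" Port)
    [ -n "$port" ] && [ "$port" != "22" ] ||
        echo "sshd: Port is 22 or unset (sshd defaults to 22)"
    return 0
}

# Exit 0 only if the [mysqld] section contains local-infile=0 (or the
# local_infile=0 / skip-local-infile spellings MySQL also accepts).
mysql_local_infile_disabled() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*/, "", sect); next
        }
        sect == "mysqld" {
            line = $0; gsub(/[[:space:]]/, "", line)
            if (line ~ /^local[-_]infile=(0|OFF|off)$/ || line ~ /^skip[-_]local[-_]infile$/) ok = 1
        }
        END { exit ok ? 0 : 1 }' "$1"
}

# Print each function from the recommended list that php.ini does NOT disable.
audit_php() {
    disabled=$(awk -F= '
        /^[[:space:]]*;/ { next }
        $1 ~ /^[[:space:]]*disable_functions[[:space:]]*$/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[[:space:]"]/, "", v)
            n = split(v, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }' "$1")
    for fn in show_source system shell_exec passthru exec phpinfo popen proc_open ini_set; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || echo "php: $fn is not in disable_functions"
    done
}

# Usage on a live server (paths as in the article):
#   audit_sshd /etc/ssh/sshd_config
#   mysql_local_infile_disabled /etc/my.cnf || echo "mysql: local-infile still enabled"
#   audit_php /usr/local/lib/php.ini    # path is an assumption; use `php --ini`
```

Run the three functions after every edit and again after a restart of the service: a setting that reads correctly in the file but sits below a Match block, or under [client] instead of [mysqld], is the kind of mistake this catches.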

http://wiki.centos.org/HowTos/Network/SecuringSSH

http://centoshelp.org/security/securing-sshd/

 

Apache

  • Use Apache 2.2 or later
  • Run PHP as suPHP. This makes PHP scripts run as the user who owns the account rather than as the shared web server user. This makes abuse easier to track, and prevents a malicious script from affecting other users' accounts
  • Set Server Signature to "Product Only". This way the server will not divulge the specific version of Apache it is running in error messages or HTTP headers (WHM --> Apache Configuration)
  • Only use Apache modules that your website or users need
 

Passwords

  • Do not use simple passwords, such as words you can find in a dictionary, or passwords less than 8 characters long. Try to include a mix of upper and lower case letters, as well as numbers, in your password. Do not use the same password for your primary e-mail account as for other services
  • Make a password rotation schedule, such as every two weeks, monthly, etc., and stick to it
  • Set the minimum password strength option in WHM to a value of at least 50 to keep users from setting easily crackable passwords
 

WHM/cPanel

  • Disable "Compiler Access" in "Security Center"
  • Enable "Shell Fork Bomb Protection" in "Security Center"
  • Set "Password Strength" in "Security Center" to a value of at least 50

 

PHP Software

  • Always follow the security recommendations for hardening your installation when installing any PHP software
  • ALWAYS check at least once a week to make sure you are running the latest version of any mainstream PHP software. Outdated versions tend to have security vulnerabilities that WILL get exploited eventually, resulting in lost data, defaced websites, SPAM being sent from accounts, service suspension, and malware warnings in browsers when people visit your site (which are a pain to get rid of)
  • Set file permissions securely
    • All directories should be 755 or 750.
    • All files should be 644 or 640. Exception: configuration files (wp-config.php, configuration.php, config.php) should be 600 or stricter to prevent other users on the server from reading them.
    • No directories should ever be given 777, even upload directories
  • The above are the #1 reasons customers' websites get hacked
  • Supplemental Information:

    https://codex.wordpress.org/Updating_WordPress
    https://codex.wordpress.org/Hardening_WordPress
    https://docs.joomla.org/Upgrade_Instructions
    https://docs.joomla.org/Security
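The permission rules above (755 for directories, 644 for files, 600 for the named configuration files, never 777) can be applied and checked with two short shell functions. This is an added example, not part of the original article or of WordPress/Joomla documentation; it takes the document root as an argument so it can be tried on a scratch copy first, and uses the 755/644 values (the 750/640 variants from the text are a one-digit change in each chmod).

```shell
#!/bin/sh
# Added example (not from the original article): apply the file permission
# rules above to one account's document root and report world-writable paths.

harden_docroot() {
    root="$1"
    # Directories 755: owner writes, everyone else can only traverse. Never 777.
    find "$root" -type d -exec chmod 755 {} +
    # Regular files 644: readable by the web server, writable only by the owner.
    find "$root" -type f -exec chmod 644 {} +
    # Files holding database credentials 600: other local users on a shared
    # server must not be able to read them. Names are the ones from the text.
    find "$root" -type f \( -name wp-config.php -o -name configuration.php \
        -o -name config.php \) -exec chmod 600 {} +
}

# List every directory or file under the given path that is writable by
# "other" (the 777 upload directory case), one path per line.
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002
}

# Usage on a real account (run as the account owner or as root); the path is
# a hypothetical example:
#   find_world_writable /home/example/public_html   # review first
#   harden_docroot /home/example/public_html
#   find_world_writable /home/example/public_html   # should print nothing
```

Run find_world_writable before and after: a non-empty list afterwards means something outside the rules (a symlink target, a file created while the script ran) still needs a look, and the list is a good thing to check on a schedule, since plugins and uploaders tend to recreate 777 directories.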

 

Antivirus/Malware Scan

  • There are numerous software packages available to scan and monitor your server and accounts for malicious content
    • ClamAV
    • AVG for Linux
    • RKHunter
    • ChkRootKit

Backups, backups, backups

  • Make backups, and make them often. Your web host is not responsible for backing up your information unless it is specifically included in your plan, or you pay for the service
  • There are backup features standard in cPanel servers. You can download the backup and store it on your home computer or workstation
  • Make a backup right now, while we're on the subject
  • Seriously, do it
 

SPAM Prevention

  • If you have a contact form, make sure it isn't easily exploited by bots. Use a captcha if possible
  • Set an hourly e-mail limit per account in WHM/Tweak Settings. 500 should be more than sufficient for most accounts
  • Use strong passwords for e-mail accounts
  • Check your mail statistics once in a while to see who is sending the most mail, and at what volume

 

Unnecessary Services

  • Some Linux installations include services which are rarely if EVER used in web hosting environments, and just add another layer of possible security holes
  • These include cups, xfs, bluetooth, nfs, rpcidmapd, etc.
  • Stop and disable these if you do not need them
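On the SysV-style CentOS systems this article targets (the chkconfig link under Resources), `chkconfig --list` shows which services start in each runlevel. The script below is an added example, not part of the original article: it reads that output, flags the services named above that are still enabled in runlevel 3 or 5, and prints the `service ... stop` / `chkconfig ... off` commands so they can be reviewed before being run. The chkconfig output embedded in it is a constructed sample. On a systemd-based system the equivalent would be `systemctl list-unit-files` and `systemctl disable --now`, which this script does not handle.

```shell
#!/bin/sh
# Added example (not from the original article): find the unneeded services
# listed in the text that are still enabled, using `chkconfig --list` output.

# Constructed sample of `chkconfig --list` output (CentOS 5/6 layout).
SAMPLE_CHKCONFIG='bluetooth  0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups       0:off 1:off 2:on  3:on  4:on  5:on  6:off
httpd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
nfs        0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
xfs        0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Services the article names as rarely needed on a web host.
UNNEEDED="cups xfs bluetooth nfs rpcidmapd"

# Read chkconfig output on stdin; print the names of UNNEEDED services that
# are enabled in the multi-user runlevels (3 or 5), one per line.
enabled_unneeded() {
    awk -v list="$UNNEEDED" '
        BEGIN { n = split(list, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) {
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" || $i == "5:on") { print $1; break }
        }'
}

# Emit the stop-and-disable commands for each flagged service without running
# them, so the list can be checked first (pipe to `sh` to apply as root).
disable_commands() {
    enabled_unneeded | while read -r svc; do
        printf 'service %s stop\nchkconfig %s off\n' "$svc" "$svc"
    done
}

# Usage on a live CentOS 5/6 host:
#   chkconfig --list | enabled_unneeded
#   chkconfig --list | disable_commands        # review, then: ... | sh
```

Keeping the generation and the execution separate is deliberate: a typo in the service list should show up as a wrong line in the printed commands, not as a stopped service.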

 

Resources / Links

https://documentation.cpanel.net/display/CKB/How+to+Harden+PHP

http://www.rackaid.com/resources/how-to-harden-or-secure-ssh-for-improved-security/

http://www.rpm-based.org/how-to-manage-services-with-chkconfig-and-service

https://documentation.cpanel.net/display/ALD/Backup

https://documentation.cpanel.net/display/ALD/Backup+Wizard


 

 
