Make ispCP more Secure

技术分享 Story 125浏览 0评论

Make ispCP more Secure

Make ispCP more Secure
Here you can find some stuff to make your Server more Secure.
Absolutely no warranty, use it at your own risk.

1.) Disable the Apache ServerSignature like this one
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8
Put only these lines in your httpd.conf (Under Debian Etch you have to put this in your apache2.conf)

# Disable ServerInfo ServerSignature Off ServerTokens Prod
2.) Disable Debugging functions
An attacker may use this flaw to trick your legitimate web users to give him their credentials. Add the following lines for each virtual host in your configuration file (/etc/apache2/ispcp/...) or directly in the template file (/etc/ispcp/apache/parts/custom.conf.tpl) to disable the Debugging

<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] </IfModule>
Reload the Apache configuration and check if your configuration is active:

# /etc/init.d/apache2 reload # telnet 80 Trying xxx.yyy.zzz.rrr... Connected to Escape character is '^]'.
TRACE / HTTP/1.0 Host: foo A: b
HTTP/1.1 301 Moved Permanently Date: ... Server: Apache Location: Content-Length: ... Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="">here</a>.</p> </body></html> Connection closed by foreign host.
3.) Secure Proftpd a little more
You can add a little more security to Proftp by editing it's configuration file and adding:

DefaultRoot ~ IdentLookups off
You can also disable displaying of ftp banner.It's displayed by default when someone connects to Your server like this:

Verbindung mit 62.75.xx.xx wurde hergestellt. 220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx] Benutzer (62.75.xx.xx:(none)):
Here can you see the ProFTPD Version → 1.3.0 To Disable the Banner add, the following line to the proftpd.conf:

ServerIdent off
You can find more information about it here:

4.) Enable SSL in ProFTPD
For a secure File Transfer you can add SSL to your ProFTPD

Create a SSL Certificate:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl.crt -keyout /etc/proftpd/ssl.key
Open your proftpd.conf to enable SSL

# vi /etc/proftpd/proftpd.conf
enable the last lines like this and set TLSEngine 'on'

# # SSL via TLS # <IfModule mod_tls.c> TLSEngine on # on for use of TLS TLSLog /var/log/proftpd/ftp_ssl.log # where to log to TLSProtocol SSLv23 # SSLv23 or TLSv1 TLSOptions NoCertRequest # either to request the certificate or not TLSRSACertificateFile /etc/proftpd/ssl.crt # SSL certfile TLSRSACertificateKeyFile /etc/proftpd/ssl.key # SSL keyfile TLSVerifyClient off # client verification </IfModule>
Restart proftpd to bring the effect:

# /etc/init.d/proftpd restart
5.) Change the SMTP-Banner
If you want to change this Postfix SMTP-Banner:

Connected to your-domain.tld. Escape character is '^]'. 220 your-domain.tld. ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
Open your "/etc/postfix/" and change the SMTP-Banner here to what you want

smtpd_banner = $ myhostname ISPCP 1.0 Priamos Managed ESMTP 1.0.0 RC3 OMEGA
6. Install & Configure fail2ban
Fail2Ban automatic blocks an IP-Address after some failed Logins.
It works with Apache,SSH,FTP and Mail.

Install fail2ban per apt-get

# apt-get install fail2ban
After the installation you can configure fail2ban with these two configs under /etc/fail2ban/

/etc/fail2ban/fail2ban.conf /etc/fail2ban/jail.conf
Open your jail.conf to enable the blocks for some Services.

# vi /etc/fail2ban/jail.conf
Now you can enable or disable the Services you want to protect. By default SSH is enabled.

If you want to enable Apache,

# # HTTP servers # [apache] enabled = false port = http filter = apache-auth logpath = /var/log/apache*/*access.log maxretry = 6

# # HTTP servers # [apache] enabled = true port = http filter = apache-auth logpath = /var/log/apache2/users/*access.log maxretry = 6
For FTP (proftpd)

[proftpd] enabled = false port = ftp filter = proftpd logpath = /var/proftpd/proftp.log maxretry = 6
change it to

[proftpd] enabled = true port = ftp filter = proftpd logpath = /var/log/auth.log maxretry = 3
You can change the maximal retry´s before ban with

maxretry = X
If you want to change the bantime,

bantime = 600 (is set in seconds)
Warning: fail2ban use Firewall ruls to block the IP.
A ban is per default for 10 minutes active. After this time the IP is unblocked automatically.

The fail2ban Log is under

7.) SSL for Mailservice (Courier)
First we need to install the courier-ssl packages.

# apt-get install courier-imap-ssl courier-pop-ssl
A default Certificate will be created during the installation. So we need to change them.

Open the /etc/courier/imapd.cnf

# vi /etc/courier/imapd.cnf
and change the attributes to your needs.
And then the same with /etc/courier/pop3d.cnf

# vi /etc/courier/pop3d.cnf
After these changes, first backup the old Certificate before we generate some new.

# cd /etc/courier/ && mv pop3d.pem pop3d.pem.orig && mv imapd.pem imapd.pem.orig
Now we can generate the new one:

# dpkg-reconfigure courier-pop-ssl && dpkg-reconfigure courier-imap-ssl
Done - your Mailservice is now ready for SSL.
Change your Client to use POP3-SSL on port 995 and IMAP-SSL on port 993

8.) Make SSH safer
Every Scriptkiddy checks your Server for a open Port 22 and test to login with the root account.
We will change these things to the good with an other Port and disable the root login via ssh.

First we need a user on the system for a later login. If there is already one, jump over to the next step. If not, create it:

# adduser new_username
Open your sshd_config to change the settings:

# vi /etc/ssh/sshd_config
Change the Port from

Port 22

Port 222
Change this line:

PermitRootLogin yes

PermitRootLogin no
Restart the SSH-Server

# /etc/init.d/ssh restart
Close your connection and connect again to your Server on Port 222 with your new Username.
To become root, only do a:

# su
9.) Prevent DOS-Attacks
To prevent simple Denial-of-Service attacks you can use the mod_evasive module. Download the actual version from and unpack it. Make sure, that apache2-prefork-dev is installed.

# apt-get install apache2-prefork-dev # wget # tar -xzf mod_evasive_1.10.1.tar.gz # cd mod_evasive
Install it with Apache Extensions Module (apxs).

# apxs2 -i -a -c mod_evasive20.c
The module will be built and installed into your httpd.conf.

Optionally you can change some specific directives in your /etc/apache2/apache2.conf file. Just add the following lines and change them to your needs.

<IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 </IfModule>
ATTENTION: This config may produce "403 Forbidden" Errors on regular sites (to example: typo3, gallery,...)

You can also add the following directives:

DOSEmailNotify DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" DOSLogDir "/var/lock/mod_evasive"
After all, just restart your Apache to load the module.

# sudo /etc/init.d/apache2 restart
10.) Securing Open DNS server (BIND 9)
After a clean install of a Debian server, reports the server as an open dns server(anyone can query the server about any domain ⇒ high load and high transfer). 2 steps for fixing this problem:

a. first edit /etc/bind/named.conf.options (or /etc/named/named.conf for other distros, options paragraph) and add:

recursion no; transfer-format many-answers; //this is for speed up the transfer to a secondary dns
b. we need to modify the template used by ISPCP to generate to zone files, on Debian this is /etc/ispcp/bind/parts/cfg_entry.tpl. The file after modification should looks like:

zone "{DMN_NAME}" { type master; file "{DB_DIR}/{DMN_NAME}.db"; notify YES; allow-query { any; }; };
Restart BIND:

/etc/init.d/bind9 restart

转载请注明:成长的对话 » Make ispCP more Secure