
Linux Security Best Practices

Posted by xtremeservices, 08-01-2013, 04:40 PM
Hi All, I have been running a hosting company as a hobby for the past decade and am hoping to ramp things up with a focus on small business services with security in mind. I'd appreciate some input on best practices for securing more active Linux hosts running the LAMP stack as well as Virtualmin/Postfix/Dovecot and vsftpd.

Current defense thoughts:

Up the wire
- Transparent Firewall (FW/IPS/IDS/DDoS prevention)

At the Linux VPS Hosts
- IPTABLES FW (UFW)
  -- Strict management port access to known IP subnets only
  -- Only ports with active services running
- Fail2ban
  -- all active services
  -- wordpress brute force attempts
  -- badbots
- Ossec
- Custom Scripts
  -- ssh successful logins
  -- loose perm files

At Apache2
- Mod Security
- suexec with custom user/group for each virtual host
- disable followsymlinks - use SymLinksifOwnerMatch instead
- default webserver completely disabled

At PHP.ini
- utilize open_basedir
- utilize disable_functions

Linux Security Patches
- Applied on the weekend of push on a test machine
- If test machine exhibits no issues, push to all after a week

I primarily run Ubuntu 10.04 server for the VPS hosts, so atomic is out, although I am considering it for standalone managed VPS systems. Forgive me if there is a better place to get advice on this sort of thing. Many thanks in advance, ~Jeremy

Last edited by xtremeservices; 08-01-2013 at 04:48 PM.

Posted by MoeO, 08-01-2013, 05:44 PM
Hello, All of these safeguards, controls, tools are great, However, it needs to be configured correctly to ensure it's functioning properly and as expected. What about your backup plans? It's essential for Information security management to plan for disaster recovery as well as business continuity. It mainly depends on what's going to be on the server and whether it's a shared server or not. It doesn't need to be loaded with dozens of tools to protect the server as it can have a bad impact on your overall speed and availability. Security needs to be balanced with availability. All the best.

Posted by xtremeservices, 08-01-2013, 06:11 PM
Hi Moe, I completely agree about backups :) been burned I have... Backups for shared environment VPS hosts are weekly. Backups for Virtualmin domains are full weekly, incremental daily. Offsite backups are monthly. I have configured the different security pieces with regard to their purposes. Thx for the input.

Posted by BestServerSupport, 08-02-2013, 10:36 AM
I would like to add a few more security tips as below:
1. Secure /tmp by making it noexec.
2. Disable direct root login.
3. Install a tool like rkhunter for server security audits.
4. For emails, prevent the "nobody" user from sending emails. Always force SMTP authentication to send emails.
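An added audit script, not posted by anyone in this thread, that checks the items raised in the first post and in the reply above: noexec on /tmp, no direct root login, FollowSymLinks replaced by SymLinksIfOwnerMatch, and open_basedir plus disable_functions in php.ini. The sample config files it writes are constructed for the example, and the function names are this script's own.

```shell
# Each check takes a config file path and returns 0 (pass) or 1 (fail), so the
# same functions run against real host files or the constructed samples below.

# /etc/fstab: the /tmp entry must carry the noexec mount option.
check_tmp_noexec() {
    awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ { ok = 1 } END { exit !ok }' "$1"
}
# sshd_config: direct root login disabled (sudo users log in with their own account).
check_no_root_login() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}
# Apache config: fail on any Options line that enables bare FollowSymLinks;
# "-FollowSymLinks" and SymLinksIfOwnerMatch are accepted.
check_apache_symlinks() {
    ! grep -Eiq '^[[:space:]]*Options[[:space:]].*([[:space:]]|\+)FollowSymLinks' "$1"
}
# php.ini: open_basedir set and disable_functions covering the shell spawners.
check_php_ini() {
    grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*[^[:space:];]' "$1" || return 1
    for fn in exec shell_exec system passthru proc_open popen; do
        grep -Eiq "^[[:space:]]*disable_functions[[:space:]]*=.*[,= ]$fn([, ]|\$)" "$1" || return 1
    done
}

# Constructed sample files (not taken from any real host): a good/bad pair per check.
write_samples() {
    printf '/dev/sda2 /tmp ext4 defaults,noexec,nosuid 0 2\n' > "$1/fstab_good"
    printf '/dev/sda2 /tmp ext4 defaults 0 2\n' > "$1/fstab_bad"
    printf 'PermitRootLogin no\n' > "$1/sshd_good"
    printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$1/sshd_bad"
    printf 'Options -FollowSymLinks +SymLinksIfOwnerMatch\n' > "$1/apache_good"
    printf 'Options Indexes FollowSymLinks\n' > "$1/apache_bad"
    printf 'open_basedir = /var/www/site1:/tmp\ndisable_functions = exec,shell_exec,system,passthru,proc_open,popen\n' > "$1/php_good"
    printf 'open_basedir =\ndisable_functions = exec\n' > "$1/php_bad"
}

# Run every check against its sample pair; returns 0 only if each good file
# passes and each bad file fails.
audit_samples() {
    d=$(mktemp -d) && write_samples "$d"
    rc=0
    for pair in "check_tmp_noexec fstab" "check_no_root_login sshd" \
                "check_apache_symlinks apache" "check_php_ini php"; do
        set -- $pair
        "$1" "$d/${2}_good" && ! "$1" "$d/${2}_bad" \
            && echo "$2: PASS" || { echo "$2: FAIL"; rc=1; }
    done
    rm -rf "$d"; return $rc
}
```

On a real host, point the check functions at /etc/fstab, /etc/ssh/sshd_config, the Apache vhost files and php.ini instead of the sample directory.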

Posted by xtremeservices, 08-02-2013, 12:14 PM
Thx for the input BestServerSupport. I forgot to mention that I run Maldet, which scans daily, and I utilize its signatures with clamd via mod security for scanning all apache2/php uploads. I tried making temp non-executable but that does not play nice with the Virtualmin product. I might re-visit this though. Do you mean only allow a sudo user to login via ssh? If so, that is a really good idea and I will re-visit this in our policy. Rootkit hunter is a good idea, but it is already accomplished by running ossec. Preventing nobody from sending email, do you mean via local relay for the php mail function? How do you recommend going about that? Thx again for the input!

Posted by brianoz, 08-02-2013, 09:42 PM
Some of the best security tips come from this methodology:
- think like a hacker - what methods are they using at the moment?
- work out simple ways to block those off
- and of course, add all basic sensible security strategies

Make sure the Apache symlink issue is blocked, for instance. Don't run PHP as a single shared user or you are effectively giving everyone blanket access to everyone's files. Security constantly changes and grows. Although there are always little bits extra here and there, don't forget the basic good practices which actually give pretty consistent protection.

Posted by JakeMS, 08-02-2013, 10:31 PM
Don't forget to enable SELinux or Grsecurity/AppArmor. Yes, it can be a bit of an inconvenience, but once it's configured and set up securely, it might just save your back side if all else fails.

Posted by TNP HOST, 08-03-2013, 06:19 PM
So how many of you are using cloud linux to secure your clients from symlinks? Add up cloud linux + Cage FS + Securelink
