#7
30/05/2007, 18:47
wiz

Join date: August 2006
Location: Argentina
Posts: 48
Member for: 18 years, 4 months
Points: 0
Re: Tuning a Server

Here are some tips, but in English (tips! heh):

part 1

IMPORTANT - IF YOU DO NOT MASTER THIS SUBJECT OR ARE NOT EXACTLY SURE WHAT YOU ARE MODIFYING AT EACH STEP OF THIS GUIDE, PLEASE DO NOT DO IT, OR CONSULT YOUR FRIENDLY NEIGHBOURHOOD ADMINISTRATOR


Quote:
How-To: The Complete Server Optimization Guide (2007)

Greetings,
This guide is composed of material found from various other web hosting, control panel, and script forums related to optimization, hardening and securing. This is also cPanel oriented however can be used for other servers running different control panels just to name a few Plesk, DirectAdmin, Webmin.

Now before we begin I cannot stress enough that you NEED to read my post thoroughly, taking every last word into detail, as you are applying these methods at your own risk; a VPS is not all sunshine and lollipops. If you don’t know what you are doing, it is strongly suggested to do a bit of research before attempting it. These methods have been tested on several different servers and I personally have conducted benchmarking with these methods on several VPSes right here at PowerVPS. And of course you will learn to love the "cp" command (copy) as I'm going to be mentioning it quite a bit, and again I cannot stress enough that you BACK UP EVERYTHING YOU CHANGE. Don't be one of those people that say "Oh, that will never happen to me!" Don't be fooled.. Karma will get you one day =)

Now let's start with the basics:


WHM/cPanel Modifications:


First off, jump into your server using a SECURE connection (https://55.55.55.55:2087), of course changing the 55.55.55.55 part to your server's IP - this is so the data sent across your internet connection to your server is encrypted and undecodable.

Navigate your browser to Server Configuration -> Tweak Settings, then make sure the following items are ticked (double check they are; if they are not ticked, TICK THEM) unless I specify otherwise (they will be color coded for easy reading - Green = GOOD and Red = BAD):
-----------

(Below is an example on how I will layout my guide)

Under Domains:

(TICK) When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone.
(TICK) Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
(TICK) When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.

And now make sure the following is NOT ticked:

(UNTICK) Allow users to Park/Addon Domains on top of domains owned by other users. (probably a bad idea)
(UNTICK) Allow Creation of Parked/Addon Domains that resolve to other servers (ie domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.]
(UNTICK) Allow Creation of Parked/Addon Domains that are not registered

Under Mail:

(TICK) Default catch-all/default address behavior for new accounts. blackhole is usually the best choice if you are getting mail attacks.
(TICK) Set this to "fail" for general use and, as stated above, "blackhole" if you're getting mail flooded (over 1000 emails in the mail queue)
(TICK) Silently Discard all FormMail-clone requests with a bcc: header in the subject line
(TICK) Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

Here's a tricky setting, "The maximum each domain can send out per hour (0 is unlimited):" set this number to something you think is reasonable; my personal preference is 60.. basically this setting will limit each account (not just the domain) on how many emails it can send out per hour. Basically, if you have a spammer on your machine and you can't find him.. set this to 60 and you will definitely stop him in his tracks.

Now this next one is also tricky: "Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)" Tick this if you want to disable any account on your machine from sending mail as "Nobody". It's really up to you in the end; if you're very strict (like me) you will enable this and force all your accounts to use the local SMTP server (which is probably better, as when you receive emails from forums and stuff they don't come as "[email protected]", they come as "[email protected]", which in my sense looks more professional).

(TICK) Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)

And the same thing applies with this next one: "The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited. (cppop only):" basically set this limit to again something around 60 or so if you're getting mail attacked.. it will again stop the attack right in its tracks.

(TICK) Attempt to prevent pop3 connection floods

Now this setting "BoxTrapper Spam Trap" is strongly recommended to disable as having boxtrapper enabled can very easily lead to your server being listed in common RBLs and usually has the effect of increasing the overall spam load, not reducing it.

Under MySQL:

If you aren't required to use MySQL5, don't. Use MySQL 4.1 with the option "Use old style (4.0) passwords with mySQL 4.1+ (required if you have problems with php apps authenticating)" nearly always enabled; it will stop certain applications using older methods of authenticating with MySQL from breaking.

Under System:

(TICK) Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
(TICK) Use jailshell as the default shell for all new accounts and modified accounts

Under cPAddons:

(TICK) Prevent installation of addon scripts not provided by cPanel
(TICK) Prevent installation of cPanel addon scripts that have been altered (Turning this off may be useful when testing custom addons.)
(TICK) Use native SSL support if possible, negating need for Stunnel

(UNTICK) Allow cPanel users to reset their password via email (This option has been vulnerable in the past, so you should keep it disabled)

=========================================
Security
=========================================

Security -> Fix Insecure Permissions (Scripts)
-----------

Fix Insecure Permissions (Scripts) (Run this at least once a month to make sure there are no insecure permissions on scripts running on your server.)

Security -> Manage Wheel Group Users
-----------

Remove all users except for root and your main account from the wheel group, unless you directly need another account there for SUing purposes. Never ever have apache or any other system service listed in the wheel group.

Security -> Modify Apache Memory Usage
-----------

You should set a value for RLimitCPU to prevent runaway scripts from consuming server resources - DOS exploits can typically do this. Run this at least once a week to make sure the limit is up to date.

Security -> Quick Security Scan
-----------

You'll only need to run this once, but make sure you do. (Running this will ensure that bad services are not running on your server)

Security -> Shell Fork Bomb Protection
-----------

Enable Shell Fork Bomb/Memory Protection. (You should enable shell resource limits to prevent shell users from consuming server resources - DOS exploits typically do this.)

Security -> Tweak Security
-----------

Enable PHP's open_basedir Tweak. (To prevent PHP scripts from straying outside their cPanel account, and possibly executing or modifying other accounts files)

Enable Apache's mod_userdir Tweak. (To prevent users from stealing bandwidth or hackers hiding access/accounts on your servers)

Disable Compilers. (This tweak will disable the system's C and C++ compilers for unprivileged accounts on your VPS. Many canned exploits require working compilers on the system to operate. You can also choose to allow some users to use the compilers while they remain disabled by default.)

=========================================
Service Configuration
=========================================

Service Configuration -> Enable/Disable SuExec
-----------

Enable SuExec. (To reduce the risk of hackers accessing all sites on the server from a compromised CGI web script, you should keep this enabled.)
(UNTICK) Always set the "Sender:" header when the sender is changed from the actual sender. Unchecking this will stop "On behalf of" data in Microsoft(R) Outlook, but may limit your ability to track abuse of the mail system.
(TICK) Verify the existence of email senders.
(TICK) Use callouts to verify the existence of email senders.
(UP2U) Discard email for users who have exceeded their quota rather than keeping it in the queue. (This again is up to you really; if you don't wish to have accounts that are suspended due to exceeding their quota lose all their new mail, then leave this unticked)

Now jump into the "Advanced Editor" and in the first white box paste the following:

Quote:
log_selector = +all
smtp_load_reserve = 4
queue_only_load = 2
deliver_queue_load_max = 5

The above settings will allow exim to use extended logging for all accounts on the server, and the options with the numbers tell exim not to use all the resources on your server if you're processing a lot of mail all at the same time.

Service Configuration -> FTP Configuration
-----------
Disable Anonymous FTP access (Used as an attack vector by hackers and should be disabled unless actively used by your accounts)

Last edited by wiz; 30/05/2007 at 19:23
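Several of the quoted guide's checks (the wheel group holding only root and your own account, the four exim settings from the Advanced Editor box, and the monthly "Fix Insecure Permissions" run) can also be verified from a shell instead of clicking through WHM. The script below is an added example written for this post; it is not part of the quoted guide or of cPanel. The functions take file paths as parameters and are exercised here on constructed sample files; on a real box you would pass /etc/group, /etc/exim.conf and /home. The admin account name "admin" and the paths under the temporary directory are assumptions for the demo.

```sh
#!/bin/sh
# Added audit helper (not from the quoted guide): checks three of its points
# from the command line.
#   1. wheel group holds only root and one admin account (Manage Wheel Group Users)
#   2. exim.conf carries the four Advanced Editor settings with the guide's values
#   3. no world-writable files under a web tree (Fix Insecure Permissions)
# Paths are parameters so the functions run on the constructed samples below;
# on a real server pass /etc/group, /etc/exim.conf and /home instead.

# 1. Print wheel members other than root and the allowed admin account ($2,
#    default root). $1 is a group(5)-format file.
wheel_extra_members() {
    line=$(grep '^wheel:' "$1") || return 0      # no wheel line: nothing extra
    printf '%s\n' "${line##*:}" | tr ',' '\n' |
        grep -v -x -e root -e "${2:-root}" | tr '\n' ' ' | sed 's/ $//'
}

# 2. Check that each "key = value" pair from the guide's exim snippet is
#    present in $1 with the guide's value. Prints mismatches; returns 1 if any.
exim_limits_check() {
    rc=0
    for pair in log_selector=+all smtp_load_reserve=4 queue_only_load=2 \
                deliver_queue_load_max=5; do
        key=${pair%%=*}; want=${pair#*=}
        # exim accepts optional whitespace around '='; take the first match
        have=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
               head -n 1 | sed 's/[[:space:]]*$//')
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, have %s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# 3. List world-writable regular files under $1 (the tree an account serves).
world_writable_files() {
    find "$1" -type f -perm -002 | sort
}

# Constructed sample data (not from any real server) so the script runs offline.
# The exim sample deliberately drifts one value from the guide's recommendation.
write_samples() {
    d=$1
    mkdir -p "$d/home/site/public_html"
    printf 'root:x:0:\nwheel:x:10:root,admin,apache\nusers:x:100:\n' > "$d/group"
    printf 'log_selector = +all\nsmtp_load_reserve = 4\nqueue_only_load=2\ndeliver_queue_load_max = 9\n' \
        > "$d/exim.conf"
    printf '<?php echo 1;\n' > "$d/home/site/public_html/index.php"
    printf '<?php echo 2;\n' > "$d/home/site/public_html/upload.php"
    chmod 0644 "$d/home/site/public_html/index.php"
    chmod 0666 "$d/home/site/public_html/upload.php"   # the insecure one
}

# Demo run on the constructed samples
tmp=$(mktemp -d)
write_samples "$tmp"
echo "extra wheel members: $(wheel_extra_members "$tmp/group" admin)"
exim_limits_check "$tmp/exim.conf" || echo "exim limits: not all at guide values"
echo "world-writable: $(world_writable_files "$tmp/home")"
rm -rf "$tmp"
```

On the sample data the demo reports "apache" as an extra wheel member, flags deliver_queue_load_max as set to 9 instead of 5, and lists upload.php as world-writable. Each function only reads files, so it is safe to run repeatedly (for instance from cron on the monthly schedule the guide suggests) and act on the output by hand.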