Thursday, June 21, 2007

Security Tweaks on Linux Server

1. Exim

Write the following two lines in /etc/exim.conf, under the first line ("cPanel Exim 4 Config").

Enable extended logging:
Add the following line to the Exim configuration; placing it directly below the first line is recommended.
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Formmail Trap
http://void.thunderteam.org/fm-trap.html

For Securing Exim
http://www.rvskin.com/index.php?page=public/antispam

2. Httpd :
install mod_security
install mod_dosevasive


3. PHP
disable_functions = "system,exec"

eAccelerator for PHP acceleration
http://sourceforge.net/projects/eaccelerator

3.5 IPTABLES
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j IN_SANITY

4. Other related security tools

Install BFD from rfxnetworks.net
Install LSM from rfxnetworks.net
APF from rfxnetworks.net
rkhunter can be found on www.rootkit.nl


5. Most important cPanel script: disable compilers
/scripts/compilers off

6. MySQL
Enable the MySQL query cache:
vi /etc/my.cnf
query-cache-type = 1
query-cache-size = 100M
The 100M value should be set as per the server configuration.

7. Securing some binaries
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
chmod 000 /etc/httpd/proxy/

8. Securing /tmp against hack attempts on the server
Mount /tmp with noexec and nosuid, using an /etc/fstab entry such as:
/dev/sad3 /tmp ext2 loop,noexec,nosuid,rw 0 0
You can set the sysctl config at this link http://www.eth0.us/sysctl
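
A read-only check of the settings from sections 7 and 8, as an added example that is not part of the original post. The function names check_tmp_opts, world_accessible and audit are hypothetical, and the script assumes a Linux host where /proc/mounts lists the live mount options.

```shell
#!/bin/sh
# Added example: read-only audit of the section 7 and section 8 settings.

# check_tmp_opts FILE: succeed only if the /tmp entry in FILE (fstab or
# /proc/mounts layout) carries both noexec and nosuid. When /tmp appears
# more than once, the last entry wins, as it does for stacked mounts.
check_tmp_opts() {
    awk '
        $1 !~ /^#/ && $2 == "/tmp" {
            found = 1; ne = 0; ns = 0
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noexec") ne = 1
                if (opt[i] == "nosuid") ns = 1
            }
        }
        END { exit !(found && ne && ns) }
    ' "$1"
}

# world_accessible PATH: succeed if the "other" class has any r/w/x bit,
# i.e. the file is looser than the 750 mode used above. Symlinks are
# followed (-L) so the real binary is inspected.
world_accessible() {
    perms=$(ls -ldL "$1" | cut -c8-10)
    case "$perms" in
        ---|--T) return 1 ;;
        *) return 0 ;;
    esac
}

# audit: report on the live system without changing anything.
audit() {
    if check_tmp_opts /proc/mounts; then
        echo "OK   /tmp is mounted noexec,nosuid"
    else
        echo "WARN /tmp lacks noexec and/or nosuid, or is not a separate mount"
    fi
    for f in /usr/bin/rcp /usr/bin/wget /usr/bin/lynx /usr/bin/links /usr/bin/scp; do
        [ -e "$f" ] || continue
        if world_accessible "$f"; then echo "WARN $f is usable by all users"
        else echo "OK   $f"; fi
    done
}

audit
```

Running it after a reboot or a package update shows whether the fstab entry actually took effect and whether an update restored the default modes on the binaries.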

httpd.conf
Timeout 15
KeepAlive Off
KeepAliveTimeout 5

