Linux Server Security and Hardening

Server Hardening

• Apache Hardening– Increased security on Apache.
• SSH Hardening– Custom SSH Port and limited connections.
• Bind Hardening– Enable protection against DNS recursion attacks.
• Ensure Filesystem Permissions– Fix permission on world writable directories and prevent against directory-transversal attacks.
• /tmp and shm(shared memory) Hardening– Configure noexec, nosuid on tmp and shm mounts.
• Fetching utilites hardening– Allows root-only access of wget, curl, and other utilties often used in web-based attacks.
• Remove unnecessary packages– removes RPMS which are not needed to prevent against potential vulnerabilities and free up disk space.
• Disable unused services– Disable services which are not used.
  Disable unneeded processes– Disable processes which are not needed for server operation.
• Secure console access
• PHP Hardening– Enable SuHosin, OpenBaseDir protection and more.
• FTP, HTTP file upload Scan – Pure-ftp and Apache will be configured to scan all uploaded files using ClamAV. This will highly reduce the risk of virus files being uploaded to your server.
• Linux Socket Monitor– (Optional)Track changes to Network sockets and Unix domain sockets, effectively a port monitor.
• System Integrity Monitor– (Optional)services monitor for ‘SysVinit’ systems.
  Linux Environment Security– (Optional)root-only permissions on system binaries .

Firewall Configuration

• CSF – Packet Inspection (SPI) firewall and Security application.
• LFD – Detect and prevent Login Intrusion.
• APF – Configure both ingress and egress firewall protection.
• BFD – Detect and prevent brute force attacks.
• CPHulk – Detect and prevent brute force attacks.

Security Audit

• Rootkit Hunter – Nightly scan to detect system intrusions.
• Chkrootkit – Nightly scan to detect system intrusions.

Support Servers and Control Panel

We will be performing basic security on new client or server. Below are the actions on security.

•  CentOS 5, 6, 7 ( cPanel , Plesk , DirectAdmin )
• RHEL 5, 6, 7 (cPanel, Plesk , DirectAdmin )
• Fedora (cPanel, Plesk , DirectAdmin )
• Linux Plain Servers without Control Panel

Server Optimization

•   Apache Optimization – Apache performance optimization by tweaking settings.( Optional: Install Nginx as a proxy/load balancer for Apache )
• PHP Configuration – Widely used PHP modules will be enabled for maximum compatibility.
• MySQL Optimization – MySQL performance Optimization using my.cnf and enabling query caching.
• PHP Caching – Optimizes PHP performance through
• Xcache/Eaccelerator/Memcache script caching.
• Monitoring Apps – We will install MyTOP, Iptraf, and Iftop utilities to easily monitor server performance.
• Process Resource Monitor – monitor and kill processess overloading the server (Optional)
• SPRI ( System Priority ) – control server load(optional)
• CloudFlare Installation

Spam Prevention and Anti-Virus Protection

• ClamAV – Configure for e-mail and virus scanning (Exim Integration). Enable auto-updating anti-virus definitions.
• Realtime Blackhole Lists (RBLs) – Configure email server with RBLs loaded to prevent spam.
• Harden Mailserver Configuration – Prevent against detection of valid e-mail address through brute-force attacks. Also enable HELO verification and other sanity checks.
• Dictionary Attack Protection – Prevent spammers guessing email addresses on your server.