Plesk install and security audit

[laughingbuddha]

Hi,

I'm new to this Plesk and Linux stuff. I have been running a Plesk 8.1 VPS with webfusion for the last 2 years but I'm taking the plung and going dedicated shortly with my first HP server to be hosted at Rapidswitch UK data centre.

I want to firstly install Plesk 8.6 (latest) on CentOS 5.1, then put ART yum channel in (use that to install plesk I think) then finaly use the ASL 2.0.

Security is a big question here, and even though I'm no linux guru I can read a manual and I'm technicaly minded.

The thing is I plan to replicate the setup of the dedicated server for a social networking site I'm building, and I want to make it secure and fast (access speed wise). It will be hosted on a dedicated box, but during the development time it will go on the same server as all my other domains.

I currently have 46 domains with a mix of email only domains, static sites, and 2 joomla sites and, few mysql/php sites, and a sms service (php and mysql). Server has 3GB of memory, 2 x new Seagate 146GB U320 SCSI drives (RAID), and 2 x Xeon 2.8GHz cpus.

I have thought about hirering a pro to configure the server, but do I really need to, or will basic configuration of Plesk (using the manual) and ASL do the job?

I also want to implement virus checking for emails as well as the data stored on the server (uploads/downloads), how can I implement this too?

Would it be more cost effective to simply lease the servers or own the servers?

I know it's allot to ask but I'm the kinda person who likes to do things right from day one, and not have to rip it all apart and correct my mistakes months if not years later.

Thanks,

Matt

[faris]

Hi Matt,

A lot of people say leasing is the best option because you don't have to worry about replacing hardware and warranty and so on. However, we always buy, with a 3 year 247 4hr on-site contract and find it much cheaper that way.

The ASL installation basically does pretty much everything you need to keep your machine secure, with one or two exceptions. (Also when I last looked, ASL's upload virus scanner wasn't working quite correctly due to a problem with clamav)

1) You need to install a firewall. The APF firewall is a good one, until Scott and Mike do a better one . Open 8443, 25, 21, 110, 80, 443, 587 (plus IMAP and IMAPS which are in the 99x range -- I forget what). Only open 22 to yourself.

2) Add a login account for yourself (useradd someuser then passwd someuser [enter password twice]. Make sure you can login to that account via SSH

3) Now disable root logins (ASL checks for this I think, but won't do anything about it if it is enabled. Look in /etc/ssh/sshd_config for config options. I think the ASL installation does enable priv separation and disables protocol 1 which is important). From now on, login as you, then su - to root.

4) Use keys instead of passwords for the "someuser" login. Scott has a screencast of this. Effectively you use puttygen to create a key, give it a password, then export the public key and save it in /home/someuser/.ssh/authorized_keys

Check you can login to someuser without giving a password (other than to unlock your private key).

Then disable password logins in /etc/ssh/sshd_config

Incidentally you need to do a "service sshd restart" after making changes to the sshd config in order for them to come into effect.

You might consider making /tmp noexec but Scott would point out that there's little point in doing so because it is so easy to get around and in any case the ASL grsec kernel does the main job of preventing things that should not execute from executing.

5) Invest in some form of off-site backup mechanism. We use 4PSA Backup Manager, on top of which we use a system that copies the backups to Amazon's S3.

6) Consider installing Suhosin. You only need to plugin, not the kernel patch. It sometimes catches things that mod_security misses.

7) Regularly read your logs regularly: /var/log/messages /var/log/secure /usr/local/psa/var/log/maillog

Install Scott's qmail-scanner installer RPM (with clamav and spamassassin) for email virus and spam scanning.

Maybe someone will add to this?

Faris.

[laughingbuddha]

Thanks for the reply.

Some of that I understand, but some of it I'm going to have to research.

Was kinda hoping ASL and ART combined was going to be an all in one solution. Bugger.

It's a pain because I need to go dedicated due to the site loads and projects I'm working on. I just don't have enough time to lock the box down and monitor the server. It's a case of waaaay to many websites to work on.

So much to do so little time to do it in.

If it's cool with you, I will setup the box with the final install here (in my home office at the end of my adsl line) and then pay you (or someone else if you can't) to give it the once over remotely prior to sending it for hosting.

I'm hoping to clone or at least write a proceedure so the next server is a clone of this one, and so on.

I was going to use a Plesk Expand to manage the DNS and servers at one point, but I've heard bad things about plesk expland, and I don't want to mess around with it now.

Matt

[breun]

Well, there's people you can hire for those things...

[laughingbuddha]

Depends on what bucks I'm looking at really.

Anyone in mind?

Matt

[breun]

Shoot us an email at the mail address on the page in my signature.

[BerArt]

[offtopic]

@laughingbuddha, breun does (also) work for us, and I can tell you that they are very good (and fast) in what they do. So I can recommend him (them).

[/offtopic]

[laughingbuddha]

Thanks,

I'll drop him an email this evening when I'm back in the office.

Matt

[laughingbuddha]

Hi Faris,

I'm going through these points at the moment.

I can't locate the option in Plesk to add an additional login account, if that's what you mean, other than the admin account or a client account.

Also, what is su?

How would I manualy disable protocol 1 and remove the root login.

I'm running a Plesk VPS version 8.2.1 under FC2. I will be putting my own server up hopefully before the end of the is year, but the costs are high and i need to sort out someone to do an initial security hardening and some form of back up system first.

Any ideas?

Cheers,


Matt

[Highland]

1. You can't add accounts to SSH via Plesk in the way he's talking about. SSH users can be added, but only in association with a domain.

2. su is the command for "superuser", aka root. If you're not logged in as root, this is the command to become root. It's an additional layer of security since they would have to break into a SSH account first then break into root.

3. To make the SSH changes you mention, edit /etc/ssh/ssh_config and make sure the following lines are present and not duplicated

Protocol 2
PermitRootLogin no

[laughingbuddha]

I've locked the SSH port down to only 2 IPs via the Firewall.

I've got a feeling that Webfusion has customised the SSH config as everything in the config files is commented out in both locations pointed out in this thread.

In the config file located at /etc/ssh/ssh_config there is only one uncommented line that just reads host * so I added Protocol 2 and ran another scan using watchdog after I rebooted the vps, and it still says SSH v1 allowed.

Hopefully the firewall changes I made should offer some extra protection above webfusion standard install. Personally I can't wait to get the server running and dump webfusion, I mean the OS is out of date and so is plesk, plus there is no yum installed so I can't even use the ART repository.

Thanks,

Matt

[breun]

You could install yum yourself, but ART doesn't support Fedora Core 2 anymore.

[laughingbuddha]

yeah that's why I'm not going to bother. I have another VPS with geekstorage in the states that works out 50% cheaper than the webfusion vps in the UK.

Yeah there's a lag (delay) in access that I don't get with the webfusion vps, but it's cheaper and I can have yum, qmail, clamd, centos, and nameservers plus dedicated IPs. All of which I can't get from Webfusion.

I plan to drop webfusion, keep the geekstorage server and host a dedicated server of my own in the UK for more priority hosting. Mission critical stuff and my own projects.

I think I may well go with 4PSA total backup and get some space on one of the many cloud systems for storage of the backups. Just waiting to hear back from 4psa on some questions and I'm sorted.

Thanks,

Matt

[laughingbuddha]

I have a question about firewalls.

Is it better to use a shared hardware firewall with the option of having 22 rules, or to install a software firewall like APF firewall as mentioned by faris?

My ISP is offering me a shared firewall for £250 a year with 22 rules, of which I would lock port 22 (SSH) down to just my dedicated IP address at the office and possibly the one at home. I hope this would be a good method of preventing hacking of the box via SSH.

Matt

[Highland]

The main difference between hardware and software firewalls is resources. APF is really just an automated iptables config, not a separate firewall. That having been said, I use APF everywhere and I never notice a performance hit. I also don't get a massive amount of traffic per day. If my machine had, say, 100k unique visits per day then there might be one. I'm not sure where that threshold would be but it's probably going to be high and the gains few.

If it's low traffic I'd go APF. More rules and less money for virtually the same performance.