Plesk install and security audit
-
- Forum Regular
- Posts: 512
- Joined: Mon Mar 10, 2008 9:12 pm
- Location: Southampton, UK
Something to do with a missing directory; I think it's a missing directory on my server. Possibly my file structure. Not sure if SELinux was on; it could have been that.
Put the PSA Firewall on for the moment as I know how to use that.
Disabled SELinux as it was preventing the install of clamd. It wouldn't let it create/access a folder.
Installed qmail and clamd, added a new ssh user with a random password, disabled root login (gave it a totally random password on install). Set up PSA-Firewall to only allow port 22 to 2 IPs, mine and a backup IP at another office. Locked down all unused ports and services like samba, the VPN port etc.
Installed some elements that the ART yum Plesk install didn't do. Applied a UK time server to the system time, minor configuration of Plesk.
Need to update my guide to the clamd and qmail-scanner install to add some steps to disable SELinux. The VPS I last did it on never had SELinux running so I never experienced that issue before. Thank god for googling, which helped solve it.
Thanks guys for your support.
Next stop ASL licence! Let's hope PSA-Firewall likes ASL as this server goes live next Wednesday.
Matt
-
- Forum Regular
- Posts: 512
- Joined: Mon Mar 10, 2008 9:12 pm
- Location: Southampton, UK
You can't go far wrong with APF.
Download.
tar -xvzf filename
cd directory
sh install.sh
Note the ports it displays after it installs.
nano -w /etc/apf/conf.apf
scroll down, find ingress port list. Open 80,443,25,110,8443,21 (and maybe a few others, based on the ones listed previously)
Do not include port 22
save
nano -w /etc/apf/allow-hosts.conf (I think)
add the static IP of your internet connection (this allows your IP to access all ports, inc 22)
save file
apf -r (this runs apf)
Make sure all is well. Can you ssh in? Plesk working?
Now try again from a different IP if you can.
Still OK? You should not be able to log in via SSH.
apf will automatically disable itself in 5 minutes.
Once you are sure all is OK, nano -w /etc/apf/conf.apf and disable devel mode.
save file.
apf -r
That's it
(basically)
Last edited by faris on Fri Dec 05, 2008 7:47 pm, edited 1 time in total.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
P.S. You get it from here: http://rfxnetworks.com/apf.php
P.P.S. For anybody who might need to know, if you are installing APF in a Virtuozzo VPS you need to change some things in conf.apf: specifically, you need to use venet instead of eth for the ethernet adapter (e.g. venet0 as opposed to eth0) and you need to set MONOKERN to 1 rather than 0.
In addition you need to make sure your VPS supplier has enabled a full set of iptables modules, and allows you to have a decent number of iptables entries. Any VPS provider worth their salt will be able to do this for you, if they do not do so by default.
The very latest version of APF includes a new feature that needs an iptables module that is not one of the ones enabled by default in CentOS 5 as far as I can tell, but it is optional and not required.
Faris.
-
- Forum Regular
- Posts: 512
- Joined: Mon Mar 10, 2008 9:12 pm
- Location: Southampton, UK
For UDP you only need port 53 (DNS)
Do not enable egress rules.
Simple
(once you know how, that is. Nothing is simple until then!).
Faris.
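The two APF posts above (the ingress port list, the allow-hosts entry, devel mode, the Virtuozzo venet/MONOKERN changes, and "UDP only needs 53, no egress rules") are easy to get wrong by one character and the cost is being locked out of a box that goes live on Wednesday. Here is an added pre-go-live check, not from the thread or from APF itself, that reads an APF configuration directory and reports every rule from those posts that is not satisfied. It assumes the current APF file names, /etc/apf/conf.apf and /etc/apf/allow_hosts.rules (the "allow-hosts.conf" above is from memory), and the variable names APF uses in conf.apf (IG_TCP_CPORTS, IG_UDP_CPORTS, DEVEL_MODE, EGF, IFACE_IN, MONOKERN). It only inspects files, never runs apf or touches iptables, so it can be run on a copy of /etc/apf anywhere. Port ranges in the list are not expanded; it checks for the literal port 22 only.

```shell
#!/bin/sh
# Added example (not from the original posts): pre-go-live check of an APF
# configuration directory against the advice in this thread.
# Usage: sh apf_preflight.sh /etc/apf <your-static-ip> [1 if Virtuozzo VPS]

# Print the value of a KEY="value" line from conf.apf (last occurrence wins,
# which is what the shell sourcing conf.apf would also do).
apf_get() {  # $1 = conf file, $2 = key
    sed -n "s/^$2=\"*\([^\"]*\)\"*.*$/\1/p" "$1" | tail -n 1
}

# Succeed if port $2 appears in the comma-separated list $1 (exact ports only;
# APF range syntax like 3000_3500 is not expanded here).
port_in_list() {
    echo ",$1," | grep -q ",$2,"
}

apf_preflight() {  # $1 = dir with conf.apf + allow_hosts.rules, $2 = admin IP, $3 = 1 on Virtuozzo
    conf="$1/conf.apf"
    allow="$1/allow_hosts.rules"
    admin_ip="$2"
    virtuozzo="${3:-0}"
    fails=0

    tcp=$(apf_get "$conf" IG_TCP_CPORTS)
    udp=$(apf_get "$conf" IG_UDP_CPORTS)
    devel=$(apf_get "$conf" DEVEL_MODE)
    egf=$(apf_get "$conf" EGF)
    iface=$(apf_get "$conf" IFACE_IN)
    mono=$(apf_get "$conf" MONOKERN)

    # 1. Port 22 must not be in the world-open list; SSH is reached only from
    #    addresses in allow_hosts.rules.
    if port_in_list "$tcp" 22; then
        echo "FAIL: port 22 is in IG_TCP_CPORTS ($tcp)"; fails=$((fails+1))
    fi
    # 2. Your own static IP must be in allow_hosts, or rule 1 locks you out.
    if ! grep -qxF "$admin_ip" "$allow" 2>/dev/null; then
        echo "FAIL: $admin_ip is not in $allow"; fails=$((fails+1))
    fi
    # 3. UDP: a Plesk box only needs DNS.
    if [ "$udp" != "53" ]; then
        echo "FAIL: IG_UDP_CPORTS should be \"53\", is \"$udp\""; fails=$((fails+1))
    fi
    # 4. Egress filtering stays off, as advised above.
    if [ "$egf" = "1" ]; then
        echo "FAIL: EGF=1 (egress filtering enabled)"; fails=$((fails+1))
    fi
    # 5. DEVEL_MODE=1 makes APF flush itself after 5 minutes: right while you
    #    test from a second IP, fatal once the server is live.
    if [ "$devel" != "0" ]; then
        echo "FAIL: DEVEL_MODE=$devel (firewall will disable itself)"; fails=$((fails+1))
    fi
    # 6. Virtuozzo/OpenVZ: the interface is venet0, not eth0, and MONOKERN=1.
    if [ "$virtuozzo" = "1" ]; then
        case "$iface" in
            venet*) ;;
            *) echo "FAIL: IFACE_IN=$iface, expected venet0 on Virtuozzo"; fails=$((fails+1)) ;;
        esac
        if [ "$mono" != "1" ]; then
            echo "FAIL: MONOKERN=$mono, expected 1 on Virtuozzo"; fails=$((fails+1))
        fi
    fi
    echo "$fails problem(s) found"
    return "$fails"
}

# Run as a script when given arguments; sourcing it just defines the functions.
if [ "${1:-}" != "" ]; then
    apf_preflight "$1" "$2" "${3:-0}"
fi
```

Run it once with DEVEL_MODE still at 1 while you confirm SSH from your own IP and a second IP behave as described in the post, then set DEVEL_MODE to 0, run it again and expect "0 problem(s) found" before `apf -r` on the live server.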
-
- Forum Regular
- Posts: 512
- Joined: Mon Mar 10, 2008 9:12 pm
- Location: Southampton, UK
Well the server is now 2 days from installation.
I've got CentOS 5.2 and Plesk 8.6 on and fully up-to-date via yum. I've turned DomainKeys on for email, I've turned PermitRootLogin off, I've forced protocol 2 only, added an extra ssh user, locked down port 22 in the psa-firewall to just 2 IPs, installed clamd and qmail-scanner, configured both and set up clamd to update twice a day.
SELinux is off as I'm going to sign up for ASL as soon as the server is in the server house, and I will buy my Plesk licence at the same time.
One question, Faris mentioned Suhosin. Is it worth doing? And if so, how?
Thanks,
Matt
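Matt's two status posts (root login disabled, a separate ssh user, protocol 2 only, port 22 reachable from two IPs) describe an sshd hardening that is worth re-checking mechanically, because the shipped sshd_config carries lines like "#PermitRootLogin yes" that look like settings but are comments, and sshd honours only the first real occurrence of a keyword. Below is an added audit script, not from the thread, that checks a given sshd_config for those settings plus two a locked-down Plesk box should also have (no password logins, no empty passwords); the password-authentication check is my addition, not something Matt said he did. Keyword names are OpenSSH's own; note that OpenSSH 7.4 and later dropped the Protocol keyword along with SSH-1, so on such a version the Protocol check can be removed.

```shell
#!/bin/sh
# Added example (not from the original posts): audit an OpenSSH sshd_config
# for the hardening described in the thread. Takes the config path as $1 so
# it can be run against a copy. Usage: sh sshd_audit.sh /etc/ssh/sshd_config

# Print the effective value of keyword $2 in file $1: commented lines are
# ignored and the FIRST live occurrence wins, as in sshd itself.
sshd_get() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

sshd_audit() {  # $1 = sshd_config path; returns the number of failed checks
    cfg="$1"
    fails=0
    check() {  # $1 = keyword, $2 = expected value (lower case), $3 = reason
        got=$(sshd_get "$cfg" "$1" | tr 'A-Z' 'a-z')
        if [ "$got" != "$2" ]; then
            echo "FAIL: $1 is '${got:-unset}', want '$2' ($3)"
            fails=$((fails+1))
        fi
    }
    check PermitRootLogin no "log in as the named user, then su to root"
    check Protocol 2 "SSH protocol 1 has known cryptographic weaknesses"
    check PasswordAuthentication no "keys only; a random password still gets brute-forced"
    check PermitEmptyPasswords no "never accept a blank password"
    echo "$fails problem(s) found"
    return "$fails"
}

if [ "${1:-}" != "" ]; then
    sshd_audit "$1"
fi
```

Remember that sshd only reads the file on restart or reload (`service sshd reload` on CentOS 5), so run the audit, fix the file, reload, and keep your existing session open until a fresh login from an allowed IP works.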
Suhosin is stupidly easy to install.
Download.
Untar/zip
./configure
make
make install
add to php.ini:
[suhosin]
something-or-other
(optionally add a whole heap of config options but there's no need)
restart httpd
check phpinfo() says suhosin is installed.
Now, is it worth it? For the most part mod_security catches the stuff that Suhosin would also catch. But I've seen a small number of events that mod_sec missed that Suhosin then got.
It has virtually no overhead.
So yes, worth it.
We install it as standard on a VPS if the customer specifies that they want it fully managed.
Now I note that Scott has a suhosin RPM in one of the repos, but I don't know if that's the same thing or not. Scott?
Faris.
-
- Forum Regular
- Posts: 512
- Joined: Mon Mar 10, 2008 9:12 pm
- Location: Southampton, UK
Righty. I had you until the ./configure. Remember I'm a newbie and until 2 months ago I had never used ssh.
Another issue I hit up against tonight (as it is here in the UK) is the problem of how the heck I alter all the IP, default gateway, and primary + secondary DNS details.
Until now the server has been working on my local LAN behind my firewall, so IP 192.168.0.100, default gateway 192.168.0.1, and the primary and secondary DNS from my DSL router. But now I'm ready to move it to the server house, how do I change this, and more importantly so that Plesk, qmail and the firewall don't screw up?
I tried crawling Google, but found nothing so far. Help!
Matt
You shoulda gone with a VPS from us Matt. The best thing about them is that you do this: backup -> play with config -> find you screwed up -> restore backup. All within 5 minutes.
When you "install" a program from its raw source code, the first step is generally to run the configure command. This kind of looks at some files, creates some special files that later tell the compiler what's what, and similar stuff.
Then you run the make command, which compiles the program in question and turns it into an executable file.
Then quite often you can run the "make install" command, which takes the executable and copies it to the right place on your system in order to work.
In contrast, with an RPM all the compiling and stuff has already been done, so those bits get skipped.
Changing Plesk IPs:
http://kb.parallels.com/en/943
Your server's IPs are configured via files in /etc/sysconfig/network-scripts (or similar) -- usually ifcfg-eth0 (if you have more than one IP, then you'll also have ifcfg-eth0:0 or ifcfg-eth0:1).
Do not confuse that with ifcfg-eth1, which will be your second ethernet port if you have one, and which will normally be disabled.
You'll find the gateway IP in these ifcfg-ethX:Y files (but usually only in the ifcfg-eth0 one).
Nameservers are found in /etc/resolv.conf.
After changing IPs, check your /etc/hosts.conf to make sure that's been changed too. Same goes for the hostname.
All the above is from memory. Filenames and locations may be slightly different to reality. Use my advice at your own risk. I'm a human, not a Scott.
Faris.
P.S. It is odd to get nameservers automatically configured if you have set a static IP address. Normally if you set a static IP you also have to manually set nameservers, since automatic nameserver configuration is usually only possible with DHCP.
Your co-lo company will normally have its own nameservers which you can use. But you may alternatively like to use the opendns nameservers (www.opendns.org) 208.67.222.222 and 208.67.220.220
Faris.
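Faris's answer and his P.S. name the files involved in moving the box from the LAN to the co-lo (ifcfg-eth0 and its eth0:0 aliases, /etc/resolv.conf, /etc/hosts) but, as he says, from memory. The following added script, not from the thread, writes the CentOS 5 versions of those files into a staging directory so they can be diffed against the live ones before the move, and then checks that no 192.168.x / RFC1918 address survived anywhere in them, which is the mistake that leaves Plesk and qmail still resolving the server to its old LAN address. The co-lo addresses (203.0.113.x, a documentation range) and the hostname server.example.co.uk are placeholders; the nameservers are the OpenDNS pair from the P.S. Reconfiguring Plesk's own IP records (the kb.parallels.com article) is a separate step this script does not do.

```shell
#!/bin/sh
# Added example (not from the original posts): stage the CentOS 5 network
# files for a LAN -> co-lo move in directory $1, then check for LAN leftovers.
# Usage: sh stage_colo.sh /root/netstage   (then diff against /etc before copying)

# ifcfg-<device> for a static address. BOOTPROTO=static also stops dhclient
# from rewriting /etc/resolv.conf with the old DSL router's nameservers.
write_ifcfg() {  # $1 = dir, $2 = device, $3 = ip, $4 = netmask, $5 = gateway
    cat > "$1/ifcfg-$2" <<EOF
DEVICE=$2
BOOTPROTO=static
ONBOOT=yes
IPADDR=$3
NETMASK=$4
GATEWAY=$5
EOF
}

# Extra Plesk IPs live on alias interfaces (eth0:0, eth0:1 ...); an alias
# carries no GATEWAY line, the primary interface's gateway applies.
write_alias() {  # $1 = dir, $2 = base device, $3 = alias number, $4 = ip, $5 = netmask
    cat > "$1/ifcfg-$2:$3" <<EOF
DEVICE=$2:$3
ONBOOT=yes
IPADDR=$4
NETMASK=$5
EOF
}

# With a static IP nothing populates resolv.conf for you.
write_resolv() {  # $1 = dir, $2.. = nameserver IPs
    dir="$1"; shift
    : > "$dir/resolv.conf"
    for ns in "$@"; do echo "nameserver $ns" >> "$dir/resolv.conf"; done
}

# /etc/hosts must map the FQDN to the NEW public IP; qmail and Plesk both
# look the hostname up here before they ever ask DNS.
write_hosts() {  # $1 = dir, $2 = public ip, $3 = fqdn
    short=${3%%.*}
    printf '127.0.0.1\tlocalhost.localdomain localhost\n%s\t%s %s\n' "$2" "$3" "$short" > "$1/hosts"
}

# Succeed only if no RFC1918 (LAN) address remains in any staged file.
no_lan_leftovers() {  # $1 = dir
    ! grep -rqE '(^|[^0-9])(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' "$1"
}

stage_colo_config() {  # $1 = staging dir; addresses below are placeholders
    write_ifcfg "$1" eth0 203.0.113.10 255.255.255.0 203.0.113.1
    write_alias "$1" eth0 0 203.0.113.11 255.255.255.0
    write_resolv "$1" 208.67.222.222 208.67.220.220
    write_hosts "$1" 203.0.113.10 server.example.co.uk
    no_lan_leftovers "$1"
}

if [ "${1:-}" != "" ]; then
    mkdir -p "$1" && stage_colo_config "$1" && echo "staged in $1, no LAN addresses left"
fi
```

After copying the staged files over /etc/sysconfig/network-scripts/, /etc/resolv.conf and /etc/hosts, `service network restart` and then run the APF/PSA firewall preflight from your allowed IP before the box leaves the office, since once it is in the rack a mistake in ifcfg-eth0 means a trip to the server house.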