Newbie - ASL on Plesk 10.2 CentOS VPS
Hi,
I have had ASL installed for the last couple of days on a VPS with Plesk 10.2 and am feeling so much easier about my server's security and not so paranoid - It was actually making me quite irrational about things so I have to say a big Thank you to the ASL Dev Team. I know lots of people say ASL is a great product etc but you guys really have taken a big weight off my shoulders in respect of dealing with server security, although I know my part of the bargain is to make sure all my scripts, passwords etc are clean and healthy ;0)
In and amongst my newfound warm fuzzy feeling, just one thing keeps catching my eye.
Obviously I will not be able to take advantage of the enhanced kernel hardening features dedicated servers are privy to and as such the only vulnerabilities I am showing are:
kernel module loading allowed - The kernel allow modules to be loaded on demand. This would allow an attacker to install a kernel root kit
Kernel Check, Anonymous mapping (mprotect) is vulnerable
Kernel Check, Executable bss ( mprotect) detected
Kernel Check, Executable data ( mprotect) detected
Kernel Check, Executable heap ( mprotect) detected
Kernel Check, Executable shared library data ( mprotect) detected
Kernel Check, Executable stack ( mprotect) detected
Kernel Check, Shared library randomisation test - Shared libraries can be located at random addresses too, which is what this test tries to find out
Kernel Check, Executable shared library data condition detected
I know they are vulnerabilities as such but in light of my server being a VPS am I lulling myself into a false sense of security ( no pun intended ) into thinking I am all tight and cosy within my server framework or are there additional ways / actions that can be used to mitigate the above or is it a case of, those are the only high alerts that I should hope to see owing to my VPS server status ?
If there ARE any additional steps that I can take to lock it down further within the context of me keeping / having a VPS server ( Dedicated server running costs don't enable that as a viable option ) then I would like to gain some pointers ......... but secretly what I want to hear is I am running as nice as I could hope to ........ given my "fighting weight". ;0)
Thanks in advance!
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
A few other things, which you might already have done, might be useful:
1) Firewall MySQL (3306) out to stop external access
2) Firewall ssh out to stop external access (allow your own IPs obviously)
3) Use ssh keys instead of passwords and disable direct root login.
4) Keep the os up to date as well as the scripts
Use an absolutely unguessable, very long password for the Virtuozzo Power Panel (assuming you are on virtuozzo) or, if you can live without remote reboots, ask your vps provider to disable this completely. The VPP password is usually the same as the root one, so I think you can change this yourself.
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
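A read-only check for points 1 to 3 of the list above, added here as an example (it is not from the thread or from ASL). The function names and sample inputs are constructed; it assumes a plain global sshd_config, and a listener it reports on a non-loopback address is only as protected as the firewall rule in front of it.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed, not taken from the thread.

# Effective global value of an sshd_config keyword: sshd keeps the first value
# it reads, keywords are case-insensitive, and global settings end at "Match".
sshd_value() {  # usage: sshd_value KEYWORD < sshd_config
    awk -v k="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }'
}

check_sshd() {  # usage: check_sshd CONFIG_FILE KEYWORD WANTED
    got=$(sshd_value "$2" < "$1")
    if [ "$got" = "$3" ]; then
        echo "OK   $2 $got"
    else
        echo "FAIL $2 ${got:-unset} (want $3)"
    fi
}

# Non-loopback local addresses listening on PORT, from `netstat -ltn` or
# `ss -ltn` output on stdin (the local address is the first ADDR:PORT column).
exposed_listeners() {  # usage: exposed_listeners PORT < listing
    awk -v p="$1" '{
        for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) {
            addr = $i; sub(/:[0-9]+$/, "", addr)
            if (addr !~ /^127\./ && addr != "::1" && addr != "[::1]") print addr
            break
        }
    }'
}

sample_sshd_config() { cat <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
}
sample_listeners() { cat <<'EOF'
tcp   0   0 0.0.0.0:3306     0.0.0.0:*   LISTEN
tcp   0   0 127.0.0.1:8306   0.0.0.0:*   LISTEN
EOF
}

cfg=$(mktemp); sample_sshd_config > "$cfg"
check_sshd "$cfg" PermitRootLogin no
check_sshd "$cfg" PasswordAuthentication no
sample_listeners | exposed_listeners 3306
rm -f "$cfg"
```

On a live server, point `check_sshd` at `/etc/ssh/sshd_config` and pipe `netstat -ltn` into `exposed_listeners`; a commented-out keyword shows as unset because sshd then falls back to its built-in default.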
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
I would also enable dazuko. It takes care of malicious scripts before they can enter your server...
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
biggles wrote: I would also enable dazuko. It takes care of malicious scripts before they can enter your server...
Hi Dazuko needs the kernel to be enabled right ?
I am on a VPS and can't get any of that kernel goodness if I have understood it all correctly.
Thanks for your input.
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
faris wrote: A few other things, which you might already have done, might be useful:
1) Firewall MySQL (3306) out to stop external access
2) Firewall ssh out to stop external access (allow your own IPs obviously)
3) Use ssh keys instead of passwords and disable direct root login.
4) Keep the os up to date as well as the scripts
Use an absolutely unguessable, very long password for the Virtuozzo Power Panel (assuming you are on virtuozzo) or, if you can live without remote reboots, ask your vps provider to disable this completely. The VPP password is usually the same as the root one, so I think you can change this yourself.
Faris.
1 - Done that one - Thanks
2 - Done that one - Thanks
3 - Have a strong password but command line is not my thing, however I am starting to dabble a little to at least get the common known. Any good sites / info for someone on a mac that's in layman's / newbie language ( really I should do a search to see if there is SSH lesson 1 for newbies on the forum ) - ;0)
4 - Yep I'm on that one and have it hardcoded into my brain to keep up to date - I just hope if I do update it does not break anything and stuff up the server.
Thanks for your pointers - it's appreciated.
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
Quote: Hi Dazuko needs the kernel to be enabled right ?
Correct.
Michael Shinn
Atomicorp - Security For Everyone
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
Hello mikeshinn, have I got it pretty locked in terms of being a VPS as I am going to get it or can I tighten a little more ?
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
Quote: Hello mikeshinn, have I got it pretty locked in terms of being a VPS as I am going to get it or can I tighten a little more ?
From an ASL perspective, yes. You can't do much about kernel vulnerabilities with a VPS I'm afraid (as you don't have control over the kernel), but outside that you're looking good. Just make sure you got the PHP vulnerabilities (if any) reported by ASL fixed as well, those are big holes too.
Michael Shinn
Atomicorp - Security For Everyone
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
Quote: Hello mikeshinn, have I got it pretty locked in terms of being a VPS as I am going to get it or can I tighten a little more ?
mikeshinn wrote: From an ASL perspective, yes. You can't do much about kernel vulnerabilities with a VPS (as you don't have control over the kernel) I'm afraid, but outside that you're looking good.
Good to hear!
Whilst you are here sir, would you be able to advise on this - https://www.atomicorp.com/forums/viewto ... =18&t=5003
Thanks
Re: Newbie - ASL on Plesk 10.2 CentOS VPS
biggles wrote: I would also enable dazuko. It takes care of malicious scripts before they can enter your server...
inquis wrote: Hi Dazuko needs the kernel to be enabled right ? I am on a VPS and can't get any of that kernel goodness if I have understood it all correctly. Thanks for your input.
Sorry, I knew that, but all the sun yesterday probably got to my head...
