{"id":323,"date":"2012-04-16T22:20:07","date_gmt":"2012-04-16T22:20:07","guid":{"rendered":"http:\/\/www.plugged.in\/?p=323"},"modified":"2012-04-16T22:20:07","modified_gmt":"2012-04-16T22:20:07","slug":"web-hosting-security-premier","status":"publish","type":"post","link":"https:\/\/www.veriteknik.net.tr\/en\/web-hosting-security-premier\/","title":{"rendered":"Web Hosting Security premier"},"content":{"rendered":"<p><span style=\"color: #ff0000;\"><strong>IMPORTANT NOTE:<\/strong><\/span>\u00a0Never assume the directory structures exist in your system as written in the document. Never blindly follow security instructions &#8212; read, review, compare, apply as it fits your system.<\/p>\n<h3>Update your server as necessary<\/h3>\n<p>By its nature, Linux is a multi-developer operating system, and you might see an update for any package on any day. An updater like YUM, unless you change its default behavior, offers the most recent stable version of each package that you install on your server.<\/p>\n<p>Compared to other operating systems, updating Linux is as easy as typing a command in the terminal; YUM automates the rest. YUM can be extended with independent software repositories like Repoforge. RPMforge is a collaboration of Dag and other packagers. They provide over 5000 packages for CentOS, including wine, vlc, mplayer, xmms-mp3, and other popular media tools. It is not part of Red Hat or CentOS but is designed to work with those distributions.<\/p>\n<p>To install RPMforge, run:<\/p>\n<blockquote><p>rpm -Uvh http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.2-2.rf.src.rpm<\/p><\/blockquote>\n<p>If you get an error with the command, check the web site for a recent version. 
If you are using a control panel like DirectAdmin, you had better exclude the packages below from yum, as they are maintained by the control panel updater:<\/p>\n<blockquote><p>exclude=apache* httpd* mod_* mysql* MySQL* da_* *ftp* exim* sendmail* php* bind-chroot*<\/p><\/blockquote>\n<p>The last thing you should do is type:<\/p>\n<blockquote><p>yum upgrade<\/p><\/blockquote>\n<p>We suggest you run the update at least once a month.<\/p>\n<h3>Disable Telnet<\/h3>\n<hr style=\"width: 100%;\" width=\"100%\" \/>\n<p>Nowadays, Telnet has mostly given up its role to SSH, a more secure remote shell client, because Telnet sends passwords in readable clear text. SSH also has many features you can use, such as private keys that let you log in to the server without typing a password. Public key is mostly used when you need root access even though you don&#8217;t know the root password (the root password might have been changed by the system administrator or by the client you installed the system for).<\/p>\n<p>Connect to the server and edit<strong>\u00a0\/etc\/xinetd.d\/telnet<\/strong>\u00a0by typing:<\/p>\n<blockquote><p>vi \/etc\/xinetd.d\/telnet<\/p><\/blockquote>\n<p>If\u00a0<strong>disable = no<\/strong>\u00a0exists, change it to\u00a0<strong>disable = yes<\/strong>.<\/p>\n<p>Save &amp; exit (SHIFT + ZZ).<\/p>\n<h3>Restrict Access to applications that can directly connect to the Internet<\/h3>\n<hr \/>\n<p>Even if an attacker gets into your server, it is better to give him no chance to download his applications to the server. Remove run permission on the following applications for everyone except the root user by typing:<\/p>\n<blockquote><p>chmod 700 \/usr\/bin\/wget<br \/>\nchmod 700 \/usr\/bin\/telnet<br \/>\nchmod 700 \/usr\/local\/bin\/lynx<br \/>\nchmod 700 \/usr\/bin\/links<br \/>\nchmod 700 \/usr\/bin\/bcc<br \/>\nchmod 700 \/usr\/bin\/byacc<br \/>\nchmod 700 \/usr\/bin\/cc<br \/>\nchmod 700 \/usr\/bin\/gcc<br \/>\nchmod 700 \/usr\/bin\/perlcc<br \/>\nchmod 700 
\/usr\/bin\/yacc<br \/>\nchmod 0700 \/usr\/bin\/curl<br \/>\nchmod 700 \/usr\/bin\/lwp-*<br \/>\nchmod 700 \/usr\/bin\/*ncftp*<\/p><\/blockquote>\n<p>Also note that if you are taking backups of your domains\/dbs to the same server, a directory created without explicit permissions will be readable by all users. To make the directory readable only by root, type:<\/p>\n<blockquote><p>chmod 600 \/backups<\/p><\/blockquote>\n<h3>Restrict OS level function calling to PHP<\/h3>\n<hr \/>\n<p>In a shared hosting environment, even a customer of yours may try to explore your server. If you don&#8217;t have any reason to call the functions below, restrict them.<\/p>\n<p>Edit \/etc\/php.ini (or wherever it is; for DirectAdmin you can check \/usr\/local\/lib\/php.ini), find the disable_functions line and replace it with the line below:<\/p>\n<blockquote><p>disable_functions = apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,proc_nice,shell_exec,show_source,symlink,system,exec,popen,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru<\/p><\/blockquote>\n<h3>Block executing commands on the \/tmp Partition<\/h3>\n<hr \/>\n<p>Several scripting languages, like PHP, keep temporary files such as sessions, uploads and cache on the \/tmp partition on Linux systems. If an attacker has access to this folder, scripts can be run from there, and in this way all system files can be reached or accessed by root. To block the running of files on the \/tmp partition, the partition must be mounted without run permission.<\/p>\n<p>To do this, you have to set up \/tmp as a separate partition while installing the system. 
Enter this command in the command line to check this setting:<\/p>\n<blockquote><p>df -h # or<br \/>\nmount<\/p><\/blockquote>\n<p>Example output:<\/p>\n<blockquote><p>[root@xxx ~]# df -h<br \/>\nFilesystem\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Size\u00a0 Used Avail Use% Mounted on<br \/>\n\/dev\/mapper\/VolGroup00-LogVol00 2.9G\u00a0 820M\u00a0 1.9G\u00a0 30% \/<br \/>\n<strong>\/dev\/mapper\/VolGroup00-LogVol02 2.9G\u00a0 288M\u00a0 2.4G\u00a0 11% \/tmp<\/strong><br \/>\n\/dev\/mapper\/VolGroup00-LogVol04 7.8G\u00a0 3.8G\u00a0 3.7G\u00a0 51% \/var<br \/>\n\/dev\/mapper\/VolGroup00-LogVol05 44G\u00a0\u00a0 35G\u00a0 6.6G\u00a0 85% \/hsphere<br \/>\n\/dev\/mapper\/VolGroup00-LogVol03 4.8G\u00a0 908M\u00a0 3.6G\u00a0 20% \/usr<br \/>\n\/dev\/sda1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 99M\u00a0\u00a0 36M\u00a0\u00a0 58M\u00a0 39% \/boot<br \/>\ntmpfs\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2.0G\u00a0\u00a0\u00a0\u00a0 0\u00a0 2.0G\u00a0\u00a0 0% \/dev\/shm<\/p><\/blockquote>\n<p>If you do not see a separate \/tmp partition like the one in the example, create a new 3 GB \/tmp partition by applying the steps below. 
If there is a \/tmp partition, continue with step 2:<\/p>\n<p><strong>Step 1:<\/strong><\/p>\n<blockquote><p>cd \/dev\/<br \/>\ndd if=\/dev\/zero of=Tmp bs=1024 count=3000000<br \/>\nmkfs -t ext3 \/dev\/Tmp<br \/>\ncd \/<br \/>\ncp -aR \/tmp \/tmp_backup<br \/>\nmount -o loop,noexec,nosuid,rw \/dev\/Tmp \/tmp<br \/>\ncp -aR \/tmp_backup\/* \/tmp\/<br \/>\nchmod 0777 \/tmp<br \/>\nchmod +t \/tmp<\/p><\/blockquote>\n<p>Add the newly created partition to \/etc\/fstab to make it available after the next boot:<\/p>\n<blockquote><p>\/dev\/Tmp \/tmp ext3 loop,rw,nosuid,noexec 0 0<\/p><\/blockquote>\n<p>If you already have a \/tmp partition, apply the steps below.<\/p>\n<p><strong>Step 2:<\/strong><\/p>\n<p>To restrict running applications, change &#8220;defaults&#8221; in the \/tmp line of \/etc\/fstab, for example from<\/p>\n<blockquote><p>\/dev\/VolGroup00\/LogVol02 \/tmp ext3 <strong>defaults<\/strong> 1 2<\/p><\/blockquote>\n<p>to<\/p>\n<blockquote><p>\/dev\/VolGroup00\/LogVol02 \/tmp ext3 <strong>rw,nosuid,noexec<\/strong> 1 2<\/p><\/blockquote>\n<p>Change the defaults field to\u00a0<strong>rw,nosuid,noexec<\/strong>, then save and exit. 
Remount the \/tmp partition to make the changes take effect immediately by typing:<\/p>\n<blockquote><p>mount -o remount,rw,nosuid,noexec \/tmp<\/p><\/blockquote>\n<p>Note: Some parts of this document were inspired by the documentation of dynamicnet.net<\/p>\n","protected":false},"excerpt":{"rendered":"<p>IMPORTANT NOTE:\u00a0Never assume the directory structures exist in your system as written in the document. Never blindly follow security instructions &#8212; read, review, compare, apply as it fits your system., Update your server as necessary As its nature, Linux is a multi-developer operating system and you might see an update on any package everyday, an\u00a0updater\u00a0like [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[481],"tags":[455,477,377,478,479,480,424],"yst_prominent_words":[],"class_list":["post-323","post","type-post","status-publish","format-standard","hentry","category-web-hosting-security","tag-directadmin","tag-repoforge","tag-rpmforge","tag-telnet","tag-update","tag-upgrade","tag-yum"],"jetpack_featured_media_url":"","uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false},"uagb_author_info":{"display_name":"ckaraca","author_link":"https:\/\/www.veriteknik.net.tr\/en\/author\/ckaraca\/"},"uagb_comment_info":0,"uagb_excerpt":"IMPORTANT NOTE:\u00a0Never assume the directory structures exist in your system as written in the document. 
Never blindly follow security instructions &#8212; read, review, compare, apply as it fits your system., Update your server as necessary As its nature, Linux is a multi-developer operating system and you might see an update on any package everyday, an\u00a0updater\u00a0like&hellip;","_links":{"self":[{"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/posts\/323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/comments?post=323"}],"version-history":[{"count":0,"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/posts\/323\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/media?parent=323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/categories?post=323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/tags?post=323"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/www.veriteknik.net.tr\/en\/wp-json\/wp\/v2\/yst_prominent_words?post=323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}