Sunday, December 13, 2009

Basic cPanel Server Hardening - Part 3

In part 2 I showed you how to install and configure Advanced Policy Firewall (APF). In this installment I will show you how to install and configure Brute Force Detection (BFD). This tool is just as easy to install as APF and works with APF to help block attackers. It checks the server logs every few minutes looking for failed login attempts. If the same IP address produces too many failed attempts, BFD uses APF to block that IP from all access to the server.

Execute these commands to download and install it. You may need to change the version number in the third command if BFD has been updated.

wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar -xzf bfd-current.tar.gz
cd bfd-1.3 # current version number as of this post
sh install.sh

Now that BFD is installed, edit /usr/local/bfd/ignore.hosts and add the same IP addresses that you added to /etc/apf/allowed_hosts.rules, so that BFD will not block you if you mistype your password too many times in a row.
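As an added example (not code from the original post or from the BFD project), the following script reproduces in miniature the check BFD performs: it counts failed SSH logins per source address, skips any address listed in an ignore file (the role /usr/local/bfd/ignore.hosts plays), and prints the addresses that reach the threshold. The log lines and the whitelisted address are constructed sample data so it runs offline; the threshold of 5, the function names and the classic sshd "Failed password" line format are assumptions of this example, not settings from the post.

```shell
#!/bin/sh
# Added example: a minimal BFD-style check over sshd "Failed password" lines.
# Not BFD's own code; the log format and the threshold are assumptions.

# count_failed_logins LIMIT IGNORE_FILE  (log text on stdin)
# Prints "IP COUNT" for every address with at least LIMIT failures that is
# not listed in IGNORE_FILE (non-blank, non-comment lines; a missing file
# means an empty list).
count_failed_logins() {
    limit="$1"; ignore="$2"
    if [ -f "$ignore" ]; then
        whitelist=$(grep -v '^[[:space:]]*#' "$ignore" | grep '[^[:space:]]' || true)
    else
        whitelist=""
    fi
    # keep only failed-password lines, extract the source address, count per address
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | while read -r count ip; do
            if [ "$count" -ge "$limit" ] && ! echo "$whitelist" | grep -qxF "$ip"; then
                echo "$ip $count"
            fi
        done
}

# sample_run: feeds constructed log lines through the check and prints the result.
# 203.0.113.42 fails 6 times (blocked), 198.51.100.7 fails 7 times but is the
# admin's own address in the ignore file (skipped), 192.0.2.9 fails twice (below limit).
sample_run() {
    tmp=$(mktemp -d)
    printf '# constructed ignore list: the admin address\n198.51.100.7\n' > "$tmp/ignore.hosts"
    count_failed_logins 5 "$tmp/ignore.hosts" <<'EOF'
Dec 13 08:01:02 host sshd[2001]: Failed password for root from 203.0.113.42 port 51021 ssh2
Dec 13 08:01:04 host sshd[2002]: Failed password for root from 203.0.113.42 port 51022 ssh2
Dec 13 08:01:06 host sshd[2003]: Failed password for invalid user admin from 203.0.113.42 port 51023 ssh2
Dec 13 08:01:08 host sshd[2004]: Failed password for invalid user admin from 203.0.113.42 port 51024 ssh2
Dec 13 08:01:10 host sshd[2005]: Failed password for root from 203.0.113.42 port 51025 ssh2
Dec 13 08:01:12 host sshd[2006]: Failed password for root from 203.0.113.42 port 51026 ssh2
Dec 13 08:02:01 host sshd[2010]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Dec 13 08:02:03 host sshd[2011]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Dec 13 08:02:05 host sshd[2012]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Dec 13 08:02:07 host sshd[2013]: Failed password for bob from 198.51.100.7 port 40004 ssh2
Dec 13 08:02:09 host sshd[2014]: Failed password for bob from 198.51.100.7 port 40005 ssh2
Dec 13 08:02:11 host sshd[2015]: Failed password for bob from 198.51.100.7 port 40006 ssh2
Dec 13 08:02:13 host sshd[2016]: Failed password for bob from 198.51.100.7 port 40007 ssh2
Dec 13 08:02:15 host sshd[2017]: Accepted password for bob from 198.51.100.7 port 40008 ssh2
Dec 13 08:03:01 host sshd[2020]: Failed password for alice from 192.0.2.9 port 33001 ssh2
Dec 13 08:03:03 host sshd[2021]: Failed password for alice from 192.0.2.9 port 33002 ssh2
EOF
    rm -rf "$tmp"
}

# Run the constructed sample when executed directly with no arguments.
if [ $# -eq 0 ]; then
    sample_run
fi
```

Against a real system you would feed the server's authentication log on stdin and point the second argument at /usr/local/bfd/ignore.hosts; the output is the list an APF deny rule would be written for, which makes the whitelist step above easy to verify before trusting the automated blocking.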

That's all there is to adding basic protection from brute force attacks to your server. It will not protect your server from slow brute force attacks, so you still need to keep the system up to date and enforce strong passwords for all users. In part 4 I will go over securing the /tmp directory.

Monday, December 7, 2009

I'd Rather Be With Her

My wife has been away for a few days for training for the Disney Mom's panel. I was very excited when she made it onto the panel and am very proud of her as well. We've been apart before, we both travel fairly regularly for work, but for some reason this time is different. Sure I always miss her a little when we are apart, but something about this time is different.

Part of it is all the really cool stuff she is getting to do at Disney right now, the kinds of things most people never get to do. So yeah, I'm jealous, quite jealous, but very proud and happy for her at the same time. I know she's really enjoying herself and hope I'm not bugging her too much when I ask for updates.

I think a bigger part of it is that I've been working crazy hours lately at work on a project that is suffering from severe scope creep and denial of that scope creep. We hardly get to see each other during the week and on weekends we get so busy trying to keep up with things around the house we haven't made time for each other. Combining the hours at work with her not being here at all right now is really getting to me and I'm really looking forward to picking her up at the airport tomorrow night.

That's not all though, it's not really what's behind my feeling the way I feel right now. I've let myself get into the never-ending trap of long hours at work chasing an impossible moving target, so it's my fault that we haven't had time for each other lately. I've been trying to keep myself coming home at a reasonable time lately, but I'm not very good at it; I tend to want to keep going until I'm done fixing a particular issue.

Unfortunately my company decided to have their Christmas party in the middle of the week this year, and it is a 3 hour drive away. She has to work and the kids have school so they won't be coming with me to it, and I'll be stuck there overnight. Shortly after she gets back I'll have to leave and spend the night away, something I really don't want to do. I've never really been a fan of company holiday parties. I've been to some really good ones, but this time of year I just don't have the extra time or energy. At least it is only for one night and I will have almost the rest of the year off.

I'm really not one of those people that can't deal with not seeing my wife every day, I would even get annoyed with her if she called me as often as some people call their spouses during the day. This trip has definitely reminded me just how much she means to me though. I know I'd rather be with her living in a cardboard box than living alone in a mansion.

Monday, November 23, 2009

Basic cPanel Server Hardening - Part 2

In Part 1 I explained why securing a server is important and the general steps I would take you through to secure your server. In this installment I will go into detail about installing and configuring a software firewall. A dedicated firewall device can give you added security, but they are often not an option for the small web hosting providers this series is targeted at.

A properly configured firewall is literally a defensive wall between a server and the internet. You can poke small holes in the wall to allow traffic to flow only where you want it to, and you can prevent traffic from specific addresses from accessing the server at all.

I use Advanced Policy Firewall (APF) which makes installation and configuration simple. Execute these commands to download and install it. You may need to change the version number in the third command if APF has been updated.

wget http://www.rfxn.com/downloads/apf-current.tar.gz
tar -xzf apf-current.tar.gz
cd apf-9.7-1  # current version number as of this post
sh install.sh

Initially APF is configured to block all services except SSH. To enable a service you must open the port the service uses for communication. I like to document which services I have enabled and what ports they use right in the configuration file so I can tell quickly what is and what is not enabled when I need to make changes.

Open the file /etc/apf/conf.apf in a text editor then find the line that sets the allowed TCP inbound ports by searching for IG_TCP_CPORTS. Replace this line with the following:

# Common inbound (ingress) TCP ports
# 20    ftp
# 21    ftp
# 22    ssh
# 25    smtp
# 53    dns
# 80    http
# 110   pop3
# 143   imap
# 443   https
# 465   smtps
# 993   imaps
# 995   pop3s
# 2083  cpanel secure
# 2096  webmail

IG_TCP_CPORTS="20, 21, 22, 25, 53, 80, 110, 143, 443, 465, 993, 995, 2083, 2096"

I have intentionally kept cPanel's WHM interface blocked by the firewall. WHM provides a web interface with control over almost the entire server, so keeping it blocked by the firewall helps reduce the risk to the server. I will show you how you can access it later in this article.

Next find the line that sets the allowed UDP inbound ports by searching for IG_UDP_CPORTS and replace it with the following:

# Common inbound (ingress) UDP ports
# 53    dns

IG_UDP_CPORTS="53"

By default the firewall allows all outbound traffic, but it is more secure to restrict outbound traffic as well. To enable outbound filtering find the line EGF="0" and change it to EGF="1". You do not have to open outbound ports for every inbound service you defined: once a connection is established, traffic is allowed in both directions, so the outbound list only needs the ports the server itself connects out to. Find the line that sets the allowed TCP outbound ports by searching for EG_TCP_CPORTS and replace it with the following:

# Common outbound (egress) TCP ports
# 21    ftp
# 25    smtp
# 37    rdate
# 43    whois
# 53    dns
# 80    http
# 443   https

EG_TCP_CPORTS="21, 25, 37, 43, 53, 80, 443"

Next find the line that sets the allowed UDP outbound ports by searching for EG_UDP_CPORTS and replace it with the following:

# Common outbound (egress) UDP ports
# 20    ftp
# 21    ftp
# 53    dns
# 123   ntpd

EG_UDP_CPORTS="20, 21, 53, 123"

Now it is time to test the changes to the firewall configuration you have made. To start APF execute the command /etc/init.d/apf restart. By default when you start APF it will only run for about 5 minutes and then shut itself off. This allows you to test your configuration without completely locking yourself out of the server if something is wrong. If you are unable to access your server after starting APF for the first time just wait a few minutes and try again.

When you are done testing your configuration edit the file /etc/apf/allowed_hosts.rules and add your IP address. This tells APF to always allow you full access to the server so you don't get locked out. 

The final configuration change is to switch APF from development mode to production mode. Edit /etc/apf/conf.apf again and change DEVEL_MODE="1" to DEVEL_MODE="0".
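The steps above leave a few settings that are easy to get wrong before going to production (development mode still on, egress filtering not enabled, SSH missing from the inbound list, no address in allowed_hosts.rules). As an added example, not code from the original post or from the APF project, the following pre-flight check reads those values out of a copy of conf.apf and the allowed-hosts file and reports anything that would lock you out or leave the firewall in test mode. The function names, the file-path arguments and the tolerance of spaces after commas in the port lists (the format used in this article) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the APF edits described in this post.
# Not APF's own tooling; it only reads KEY="value" lines from the files given.

# conf_value FILE KEY -> prints the value of KEY="..." from FILE (last match wins)
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# has_port LIST PORT -> true if PORT appears in the comma-separated LIST
# (spaces after the commas, as written in the post, are tolerated)
has_port() {
    echo "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# apf_preflight CONF ALLOWED_HOSTS -> prints one line per problem found and
# returns the number of problems (0 means ready for DEVEL_MODE="0")
apf_preflight() {
    conf="$1"; allowed="$2"; problems=0

    devel=$(conf_value "$conf" DEVEL_MODE)
    egf=$(conf_value "$conf" EGF)
    ig_tcp=$(conf_value "$conf" IG_TCP_CPORTS)
    ig_udp=$(conf_value "$conf" IG_UDP_CPORTS)

    if [ "$devel" = "1" ]; then
        echo "DEVEL_MODE is still 1: APF will stop itself after about 5 minutes"
        problems=$((problems + 1))
    fi
    if [ "$egf" != "1" ]; then
        echo "EGF is not 1: outbound traffic is not being filtered"
        problems=$((problems + 1))
    fi
    if ! has_port "$ig_tcp" 22; then
        echo "port 22 is missing from IG_TCP_CPORTS: you would lock yourself out of SSH"
        problems=$((problems + 1))
    fi
    if ! has_port "$ig_udp" 53; then
        echo "port 53 is missing from IG_UDP_CPORTS: DNS lookups will fail"
        problems=$((problems + 1))
    fi
    # at least one non-comment, non-blank entry must exist in allowed_hosts.rules
    if ! { [ -f "$allowed" ] && grep -v '^[[:space:]]*#' "$allowed" | grep -q '[^[:space:]]'; }; then
        echo "no address listed in $allowed: add your own IP before leaving development mode"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Usage: sh apf_preflight.sh /etc/apf/conf.apf /etc/apf/allowed_hosts.rules
if [ $# -ge 1 ]; then
    apf_preflight "$1" "${2:-/etc/apf/allowed_hosts.rules}"
fi
```

Run it on a scratch copy of the two files first; once it reports nothing, change DEVEL_MODE to "0" as described above and restart APF.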

If you have followed the instructions in this article you now have a firewall protecting your server. This is just a basic firewall configuration, but it is better than no firewall at all. In the next article I will show you how to detect brute force intrusion attempts and block them using the firewall.

Wednesday, November 18, 2009

I'd Rather Be There

I'd much rather be sitting by the water on Ocracoke Island. I am naturally drawn to water, especially the ocean. I've been going almost every year since my first trip in 2004. When I am there I spend a lot of time enjoying views like this one, watching the Windfall make its regular journeys and the ferries bringing loads of excited tourists to the island and leaving with fully relaxed ones.

For me relaxation is the name of the game on Ocracoke. Sure, I like playing in the water and the great burgers at SMackNally's, but I like sitting on the beach or on my rented deck watching the water just as much. I miss the island as soon as I start heading for the ferry docks to head home. After about 6 months I really start looking forward to my next trip, and if I go more than a year without some island time I become very tempted to get in the Jeep and head east.

Saturday, November 14, 2009

Basic cPanel Server Hardening - Part 1

A friend of mine who runs a small web hosting company recently had his server taken offline by his provider. It was taken offline due to the server hosting "several" phishing sites. He had no idea that he was hosting these phishing sites, only that an account had been compromised and a site defaced, which is all that many people notice when this happens to them.

I am not a security expert, far from it in fact. I am however the only person my friend had to turn to for help in this situation. I've set up many Linux servers over the years, many of them dedicated single purpose servers and a few for shared hosting like my friend's. One thing I do know about server security is that there is no such thing as a truly secure server. It is a balancing act between keeping the server secure and allowing users to make use of it.

The hosting provider insisted we rebuild the server, which makes sense. Hackers generally try to cover their tracks once they compromise a system. To be certain all of the damage done by the hacker is undone, a full re-install of the operating system is the best way to go. Since we needed to re-install and the hardware was at the End of Life stage, we decided to replace it with newer hardware instead of rebuilding on the outdated hardware. Once the hosting provider had finished installing Linux with cPanel for us and turned it over to us, the process of securing the server began.

In upcoming posts I will be detailing the steps I took to secure the new server. I will go over installing a firewall, important system tweaks, detecting brute force login attempts, detecting rootkits when they get installed, and adjusting cPanel for security. I will only be going over the basic steps of securing a server; if you are interested in security there are many books available, or for more up to date information use Google.

Wednesday, September 23, 2009

getting going again

Wow, over a year since my last post. When I started this I never planned on posting every day, but over a year is a bit much. I'm going to try to start posting more frequently.

The Dead Goat Breath IPA was very good and I've made a couple of other beers since then. I've even made a Lager similar to Corona for the summer. I think I'm going to stick to Ales for now though, they are a little easier to work with.

I also gave up my iPhone when I was given a Blackberry Storm for work. After almost a year of the Storm I gave in and happily changed to an iPhone 3GS. A lot of the things I didn't like about the original iPhone have been fixed, though there are a few things I wish it did similar to the Blackberry. If I could take one thing from the Blackberry and have it on the iPhone it would be the way it handles messages. Specifically being able to see all of my messages in one place: messages from all email accounts, the Facebook app, etc.

Speaking of the iPhone I've also been toying with iPhone application development. So far I've only done some simple test apps to see how it works. I have a few ideas for applications to build, now I just need to find some free time to work on them.

OK, so now that I've filled you in on the information about me you probably don't care about anyway, it is time for me to go away and think of some kind of quality content to start posting here.