@halilim
Last active July 20, 2018 20:04
Server Security / Performance - Base OS
Notes
Preliminary packages
  • Development packages (you will most probably need them)
    • Ubuntu: sudo apt-get install build-essential
    • CentOS: yum groupinstall 'Development Tools'
  • Git

General

  • Partition mounting link1, link2 Ref: 1, 2
  • SSH
    • Change the port (check that the new port works before logging out!!)
    • Disable root login (optional) (first give sudo to another user, and verify that user can actually sudo, before logging out!!)
    • Disable password authentication (optional) and use keys instead
  • Enable automatic updates (also enable and check mailx so you get the update mails; reboots may have to stay manual on critical servers)
  • Fail2ban
  • CSF (test services, ports etc. before leaving testing mode)
  • Logwatch
  • syslog-ng / Splunk
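The three SSH items above can be checked mechanically before you log out. The script below is an added example, not part of the original gist: it reads an sshd_config the way sshd does (first uncommented occurrence of a directive wins, anything after the first Match block is conditional) and counts how many of the three items are still at an unsafe value. The sample configs it writes are constructed for the demo; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): audit sshd_config for the three SSH
# checklist items: non-default port, root login off, password auth off.
# Effective value of a directive. sshd uses the FIRST uncommented occurrence,
# and directives after the first "Match" line are conditional, so stop there.
sshd_value() {  # $1 = config file, $2 = directive name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print val }
    ' "$1"
}
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
check_sshd_config() {  # $1 = config file; prints findings, returns their count
    cfg="$1"; n=0
    port=$(sshd_value "$cfg" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "FINDING: Port is 22 (checklist: change the SSH port)"; n=$((n + 1))
    fi
    root=$(lower "$(sshd_value "$cfg" PermitRootLogin)")
    if [ "$root" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-unset}' (checklist: no)"; n=$((n + 1))
    fi
    pw=$(lower "$(sshd_value "$cfg" PasswordAuthentication)")
    if [ "$pw" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${pw:-unset, default yes}' (checklist: keys only)"; n=$((n + 1))
    fi
    return "$n"
}
# Constructed sample configs for the demo (not real server configs).
write_weak_config() {
    printf '%s\n' '# distro default' 'Port 22' '#PermitRootLogin no' \
        'PermitRootLogin yes' 'PasswordAuthentication yes' > "$1"
}
write_hardened_config() {  # the Match block must NOT undo the global setting
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'Match User backup' '    PasswordAuthentication yes' > "$1"
}
tmp="${TMPDIR:-/tmp}/sshd_audit.$$"
write_weak_config "$tmp"
if check_sshd_config "$tmp"; then echo "weak sample: hardened?!"; else echo "weak sample: $? finding(s)"; fi
write_hardened_config "$tmp"
if check_sshd_config "$tmp"; then echo "hardened sample: OK"; else echo "hardened sample: $? finding(s)"; fi
rm -f "$tmp"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` once sourced; a non-zero return means at least one item is still at the default.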

Firewalls

  • Enable the firewall
  • Disable every port except the ones that are actually needed (whitelist approach).
  • Take special care to close the ports of services that have no built-in authentication, such as Solr and memcached.

Misc

  • Install a local-only MTA for alerts etc. and set the root email alias in /etc/aliases
  • Monitor hard disk usage with monit
  • Enable NTP in daemon mode unless it is already enabled (Ubuntu: sudo apt-get install ntp)

Web servers general

  • ModSecurity (currently supports Apache, Nginx and IIS)
  • Disable directory listing
    • Apache: in httpd.conf or in .htaccess files

      Options -Indexes -MultiViews

    • Nginx (if compiled with the autoindex module and autoindex is enabled):

        location <loc> {
            autoindex off;
        }

      Or compile with --without-http_autoindex_module

PHP

  • php.ini:

      ; register_globals was removed in PHP 5.4; keep it off on older PHP
      register_globals = Off
      date.timezone = "Europe/Istanbul"
      realpath_cache_size = 256k

  • php.ini when PHP runs behind Nginx (against image.jpg/index.php-style path-info attacks):

      cgi.fix_pathinfo = 0

  • If phpMyAdmin is installed, change its path or protect it with HTTP auth.

File servers / file hosting

  • ClamAV (if users upload files that are also downloadable by others)

Hosting panels (cPanel, Plesk, DirectAdmin etc) (if used)

  • Change port if possible
  • Enable automatic updates

Shared hosting

Inherently hard to secure.

  • If a hacker can exploit the whole server via just a regular account, then there is probably a problem with the PHP user permissions and/or PHP execution mode (e.g. mod_php, fcgi, FPM etc).
  • cPanel has suPHP (which can be slow)
  • Plesk allows changing the PHP mode of a single account (mod_php/fcgi etc) but watch what other accounts can access when you change one.
  • PHP-FPM on Nginx
  • Virtualmin + SFTP + chroot

General Lists
