PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. PortSentry will detect SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans. PortSentry has an internal state engine to remember hosts that connected previously.
- Now portsentry is installed you can edit the configuration file portsentry.conf this file is well. Commented so I wont go into detail. Once you have edited the config file open the portsentry.ignore. File and you should see the following: # Put hosts in here you never want blocked.
- I have here a CentOS 5 and I'm trying to run yum install php-soap but the installer hangs on and the last step is Running Transaction Test. I found out that NFS shares are the problem.
cPanel Installation and Security
This documentation covers how to install cPanel on a fresh Linux server and how to do initail server security.
cPanel Installation :
* cPanel can be install on Redhat based Linux servers and FreeBSD
* A freshly build latest stable Centos server is highly recommended Flitecad software.
How to Install cPanel :
* Yum must be installed before installing cPanel. All most all Redhat based servers will have yum preinstalled, if not installed install it from rpm ( http://rpm.pbone.net/ ).
# Update the system using Yum
$ yum update
# Disable selinux on dedicated servers. Set SELINUX=disabled in /etc/selinux/config
# Reboot the system
$ reboot
# Download the cPanel installer and run
$ cd /root; wget http://httpupdate.cpanel.net/latest; chmod +x latest; ./latest
Server security:
* Remove telnet server; we dont want that.
$ rpm -e telnet-server
* Check xinetd enabled services and dsiable them. Run below command and disable all services which shows ‘disable = no'
$ cd /etc/xinetd.d; grep disable ./*
How To Install Portsentry On Centos Command
* Disable xinetd service itself. cPanel donot use xinetd
$ /etc/init.d/xinetd stop; chkconfig xinetd off
# Add a system user eg:- administrator
$ useradd administrator
# Reset the administrator password. A strong password can be generated using following command
$ mkpasswd -l 16
# Also reset the root password to a strong one
# Add administrator user to sudoer list. After this verify administrator user can sudo to root user.
$ visudo
# Permit ‘su' for only wheel group members. Open /etc/pam.d/su and add (order is important) or uncomment
auth required pam_wheel.so use_uid
# Disable SSH protocol 1 and enable SSH protocol 2 in /etc/ssh/sshd_config
# Disable rootlogin in /etc/ssh/sshd_config (Make sure some user eg:- administrator is added in sudoer list with full privilege)
# Set a banner of legal warning in SSH. Add the contents in /etc/sshBanner.txt and add following to /etc/ssh/sshd_config
Banner /etc/sshBanner.txt
# Restart SSH service
$ /etc/init.d/sshd restart
# Change SSH port. Open /etc/ssh/sshd_config and change Port 22
# Install AFICK. Download latest afick rpm from http://sourceforge.net/projects/afick/files/afick/
$ rpm -ivh afick-x.x.x.x.noarch.rpm
# Open /etc/afick.conf and set email id and enable cron run.
@@define MAILTO email_id
@@define BATCH 1
# Ensure that AFICK donot update its database after a cron run. Database update should be run manually by sysadmin, else if we miss a cron email we will miss the file changes alert. Open /etc/cron.daily/afick_cron and set ACTION='-k'.
# Initialize AFICK database
$ afick -c /etc/afick.conf -i -P
# Disable DNS recursion and version publish. Open /etc/named.conf and set
Options {
recursion no;
version 'No version for you';
….
# Restart bind
$ /etc/init.d/named restart
# Disable Exim version printing. Add following to /usr/local/cpanel/etc/exim/config_options
smtp_banner = '${primary_hostname} ESMTP Mail service ready'
# Rebuild eximconf and restart exim service
$ /scripts/buildeximconf && /scripts/restartsrv_exim
# Disable anonymous user login in /etc/pure-ftpd.conf
NoAnonymous yes
# Disable pure-ftpd default banner. This shows server time and ftp service name. Create a file /etc/ftpWelcome.txt and add 'FTP Service Is Ready'. Now open /etc/init.d/pure-ftpd and add
OPTIONS='-F /etc/ftpWelcome.txt'
# Restart ftp serivce
$ /scripts/restartsrv_ftpserver
# Disable apache signature. Open /usr/local/apache/conf/httpd.con and add/edit as follows
ServerSignature Off
ServerTokens Prod
# Permanently save the change
$ /usr/local/cpanel/bin/apache_conf_distiller –update
# Restart apache
$ /etc/init.d/httpd restart
Jde manual. # Install Rkhunter. Download latest rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html
$ tar -xvzf rkhunter-x.x.x.tar.gz; cd rkhunter-x.x.x; ./installer.sh –layout /usr/local –install; /usr/local/bin/rkhunter –update
# Create rkhunter cron job. Create file /etc/cron.daily/rkhunter.sh and add the following. Make sure to replace replace-this@with-your-email.com with the system administrator email address
#!/bin/bash
(/usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s 'RKhunter Scan Details' replace-this@with-your-email.com)
# Give execute permission for the script
Server security:
* Remove telnet server; we dont want that.
$ rpm -e telnet-server
* Check xinetd enabled services and dsiable them. Run below command and disable all services which shows ‘disable = no'
$ cd /etc/xinetd.d; grep disable ./*
How To Install Portsentry On Centos Command
* Disable xinetd service itself. cPanel donot use xinetd
$ /etc/init.d/xinetd stop; chkconfig xinetd off
# Add a system user eg:- administrator
$ useradd administrator
# Reset the administrator password. A strong password can be generated using following command
$ mkpasswd -l 16
# Also reset the root password to a strong one
# Add administrator user to sudoer list. After this verify administrator user can sudo to root user.
$ visudo
# Permit ‘su' for only wheel group members. Open /etc/pam.d/su and add (order is important) or uncomment
auth required pam_wheel.so use_uid
# Disable SSH protocol 1 and enable SSH protocol 2 in /etc/ssh/sshd_config
# Disable rootlogin in /etc/ssh/sshd_config (Make sure some user eg:- administrator is added in sudoer list with full privilege)
# Set a banner of legal warning in SSH. Add the contents in /etc/sshBanner.txt and add following to /etc/ssh/sshd_config
Banner /etc/sshBanner.txt
# Restart SSH service
$ /etc/init.d/sshd restart
# Change SSH port. Open /etc/ssh/sshd_config and change Port 22
# Install AFICK. Download latest afick rpm from http://sourceforge.net/projects/afick/files/afick/
$ rpm -ivh afick-x.x.x.x.noarch.rpm
# Open /etc/afick.conf and set email id and enable cron run.
@@define MAILTO email_id
@@define BATCH 1
# Ensure that AFICK donot update its database after a cron run. Database update should be run manually by sysadmin, else if we miss a cron email we will miss the file changes alert. Open /etc/cron.daily/afick_cron and set ACTION='-k'.
# Initialize AFICK database
$ afick -c /etc/afick.conf -i -P
# Disable DNS recursion and version publish. Open /etc/named.conf and set
Options {
recursion no;
version 'No version for you';
….
# Restart bind
$ /etc/init.d/named restart
# Disable Exim version printing. Add following to /usr/local/cpanel/etc/exim/config_options
smtp_banner = '${primary_hostname} ESMTP Mail service ready'
# Rebuild eximconf and restart exim service
$ /scripts/buildeximconf && /scripts/restartsrv_exim
# Disable anonymous user login in /etc/pure-ftpd.conf
NoAnonymous yes
# Disable pure-ftpd default banner. This shows server time and ftp service name. Create a file /etc/ftpWelcome.txt and add 'FTP Service Is Ready'. Now open /etc/init.d/pure-ftpd and add
OPTIONS='-F /etc/ftpWelcome.txt'
# Restart ftp serivce
$ /scripts/restartsrv_ftpserver
# Disable apache signature. Open /usr/local/apache/conf/httpd.con and add/edit as follows
ServerSignature Off
ServerTokens Prod
# Permanently save the change
$ /usr/local/cpanel/bin/apache_conf_distiller –update
# Restart apache
$ /etc/init.d/httpd restart
Jde manual. # Install Rkhunter. Download latest rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html
$ tar -xvzf rkhunter-x.x.x.tar.gz; cd rkhunter-x.x.x; ./installer.sh –layout /usr/local –install; /usr/local/bin/rkhunter –update
# Create rkhunter cron job. Create file /etc/cron.daily/rkhunter.sh and add the following. Make sure to replace replace-this@with-your-email.com with the system administrator email address
#!/bin/bash
(/usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s 'RKhunter Scan Details' replace-this@with-your-email.com)
# Give execute permission for the script
$ chmod +x /etc/cron.daily/rkhunter.sh
# Securing tmp
$ /scripts/securetmp
# Root and administrator (sudo user) login alerts. Add following to both /root/.bashrc and /home/administrator/.bashrc (Change the subject line as needed)
echo 'ALERT – Root Shell Access on `hostname`:' `date` `who` |mail -s 'Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`' replace-this@with-your-email.com
# Install apf (firewall)
$ wget http://www.rfxn.com/downloads/apf-current.tar.gz
$ tar -xvzf apf-current.tar.gz
$ cd afp-x.x.x
$ ./install.sh
# The installer will display the current opened TCP and UDP ports. Copy them and add it to IG_TCP_CPORTS and IG_UDP_CPORTS respectively in /etc/apf/conf.apf. We also need to enable ports 0-1024 (both TCP and UDP) in apf for portscanner detector to work, so add 0_1024 to IG_TCP_CPORTS and IG_UDP_CPORTS
# Start apf
$ apf -s
# Install BFD (brute force detector)
$ wget http://www.rfxn.com/downloads/bfd-current.tar.gz
$ tar -xvzf bfd-current.tar.gz
$ cd bfd-x.x.x
$ ./install.sh
$ bfd -s
# Install portsentry (port scanner detector) from ftp://ftp.pbone.net/mirror/ftp.falsehope.net/home/tengel/fedora/4/te/i386/RPMS/portsentry-1.2-1.te.i386.rpm
# open /etc/portsentry/portsentry.conf and comment KILL_ROUTE and add
KILL_RUN_CMD='/usr/local/sbin/apf -d $TARGET$ ‘Portscan detected on port $PORT$''
$ /etc/init.d/portsentry restart
# Enable suphp and suexec
$ /usr/local/cpanel/bin/rebuild_phpconf –no-htaccess 5 none suphp 1
# Run /scripts/easyapache and enable mod_security
# Load mod_esecurity rules
$ cd /usr/local/apache/conf/
$ wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.bz2
$ tar -xvjf modsec-2.5-free-latest.tar.bz2
$ cd modsec/
$ perl -i -pe ‘s//etc/asl/whitelist/whitelist.txt/' *
$ > domain-spam-whitelist.conf
$ mkdir /usr/local/apache/conf/modsec/ip
$ mkdir /usr/local/apache/conf/modsec/global
# open /usr/local/apache/conf/modsec/00_asl_rbl.conf and add
SecDataDir /usr/local/apache/conf/modsec
# open /usr/local/apache/conf/modsec2.conf and add
Include '/usr/local/apache/conf/modsec/*.conf'
# Restart apache
$ /etc/init.d/httpd restart
cPanel Settings :
# Goto Main >> Server Configuration >> Basic cPanel & WHM Setup and set the contact information
# Goto Main >> Server Configuration >> Tweak Settings >> All and
Enable SpamAssassin spam filter = enabled
GIEmail and CGIEcho = disabled
Cookie IP validation = strict
Generate core dumps = off
Send passwords when creating a new account = off
Blank referrer safety check = on
Referrer safety check = on
Require SSL = on
Enable HTTP Authentication = off
Allow PHP to be run by resellers in WHM = off
Use MD5 passwords with Apache = on
Security Tokens = on
Default shell jailed = on
# Goto Main >> Security Center >> Apache mod_userdir Tweak and enable 'Enable mod_userdir Protection'
# Goto Main >> Security Center >> Compiler Access and disable compilers for unprivileged users
# Main >> Security Center >> Configure Security Policies and
Password Age = enabled (30 days)
Password Strength = enabled (15 characters)
XML-API and JSON-API requests = enabled
DNS cluster requests = enabled
# Goto Main >> Security Center >> cPHulk Brute Force Protection and enable burte force protection
# Goto Main >> Security Center >> PHP open_basedir Tweak and enable 'Enable php open_basedir Protection.'
# Goto Main >> Security Center >> Security Questions and setup the security question
# Goto Main >> Security Center >> Shell Fork Bomb Protection and enable protection
How To Install Portsentry On Centos Server
# Goto Main >> Security Center >> SMTP Tweak and enable protection
# Goto Main >> Security Center >> Traceroute Enable/Disable and disable traceroute Granite city coleslaw recipe.
# Goto Main >> Account Functions >> Manage Shell Access and disable shell access for all user. If shell access is required only enable jailed shell
# Goto Main >> cPanel >> Manage Plugins and install Clamav
Daha güvenli bir cpanel için cpanel güvenlik ile iletişime geçebilirsiniz.
Ayhan ARDA