Setup and Secure Plesk Server

So login with SSH and enter as root.

 

1. Verify if YUM is installed. If yes, proceed to edit /etc/yum.conf.

If not, install from RPM. YUM is installed in latest FEDORA by default. Other OS use for example apt-get (Debian)

 

2. Edit YUM configuration to work with ATOMIC packages.

 

            Using Lynx (yum -y install lynx):

  

                        lynx -source http://www.atomicorp.com/installers/atomic.sh | sh 

 

            Using Wget:

 

                         wget -q -O – http://www.atomicorp.com/installers/atomic.sh | sh

 

3. Install some useful tools like, JOE – text editor,

Midnight Commander and LYNX text based navigator. I usually suggest Midnight Commander,

it is visual tool, for beginners too, Joe and Lynx is just optional You can use VI as well if you are familiar with it.

 

            yum install joe mc lynx

 

4. Also we do an update of packages for yum with, to be up to date. At this step, we want to be sure

we have all the packages updated. Probably if you are use ATOMIC packages,

will ask for replace MySQL and PHP to ART version. It is OK

 

            yum update

 

5. In PLESK create a domain, usually each of us have a default domain,

and this domain users we change to have access with SSH. Is important to create this user (domain) and

not go forward to change root access. Of course you can create later as well, just if you disable root,

you cannot access server with SSH. Linux people will call it a wheel account.

Next I change the root password as well, from default value.

 

            passwd root    

 

(same, will ask for password) – WRITE this down somewhere, in your notes.

 

After this, I follow the description from

http://www.crucialparadigm.com/resources/tutorials/secure-server-securing/disable-direct-root-login.php or later,

the ELS installer will do this.

 

6. Now edit some files to be easier to navigate in SSH, like:

 

            joe /etc/bashrc

 

and add these lines. This will help not to write all the times cd /home/http/vhosts/

just execute phttpd and you are already there. You may create your own rules of course.

Be sure that lines does not broke.

 

            alias bye=”exit” #if you hit exit, will be the same as say bye, exit user.

            alias ns=”netstat -lpn” #a shortcut for a specific netstat command.

            alias pmysql=”cd /var/lib/mysql” #will bring you into mysql data directory

            alias phttpd=”cd /var/www/vhosts” #will bring you into home users data directory

            alias tailall=”tail -f /var/www/vhosts/*/statistics/logs/error_log” #will tail in all error_log to see which domain have major problems.

 

For example you can create an alias to read mail logs, by add any similar rules, using Linux commands.

 

            joe /root/.bashrc

 

and add a line like:

 

            echo ‘ALERT – Root Shell Access (YOURSERVERNAME) on:’ date who | mail -s “Alert: Root Access from who | cut -d"(" -f2 | cut -d")" -f1” YOUREMAIL

 

This will help to know each time when someone logged in as root, which is theoretically only you,

the ELS installer will do this.

You will get on root login a mail to your mail address with

subject ALERT – Root Shell Access (YOURSERVERNAME) on:, from which IP is entered and so on.

YOURSERVERNAME and YOUREMAIL must be changed with your data. (ELS can do this as well)

 

7. Because YUM update installed MySQL 4, change also my.cnf and update tables to MySQL 4 compatible.

In latest distros, there is already MySQL 5. ART repository will update to 5.X

 

            joe /etc/my.cnf

 

If you are updated to MySQL 4.1.x, then add to my.cnf old_passwords=1

Rehash user names and passwords (new users only – if database and username/passwords are created after the update)

 

We suggest to consider this my.cnf. How to find which MySQL you run, execute.

 

            mysql -uadmin -pcat /etc/psa/.psa.shadowstatus

 

    * http://servermonkeys.com/projects/els/mysql/configs/my.cnf-4.0

    * http://servermonkeys.com/projects/els/mysql/configs/my.cnf-5.0

    * http://servermonkeys.com/projects/els/mysql/configs/my.cnf-4.1

    * http://servermonkeys.com/projects/els/mysql/configs/my.cnf-5.1

 

Be sure that after get it, edit. Change the following things. Lines with # … every 1GB of RAM;

and add this line old_passwords=1, then uncomment lines to be like this.

 

            #skip-innodb#collation-server=latin1_general_ci

 

You can use MySQL Performance Tuning Primer Script, but MySQL must run minimum 24 hours to get correct data,

to configure your server. Link to the script is: http://www.day32.com/MySQL/tuning-primer.sh – run it and

correct the data in /etc/my.cnf

 

8. ANTIVIRUS: You can live with DrWeb or you can install Clamav free solution

 

            yum remove drweb-qmail drweb (in new PLESK Kaspersky)yum install qmail-scanner clamd maildrop ggreylist

 

Now all should work fine, you can check to send to you a test virus from http://www.aleph-tec.com/eicar/index.php

In meantime check log files to see if all work fine and no errors are there.

 

            tail -f  /var/spool/qmailscan/qmail-queue.logtail -f /usr/local/psa/var/log/maillogtail -f /var/log/clamav/clamd.log

 

9. FIREWALL: You can use from PLESK their Firewall Module, easy to install or use APF.

PLESK module is nice, but for more advanced usage, still recommended APF.

 

We found a very nice auto installer. (http://www.servermonkeys.com/els.php)

 

            wget –output-document=installer.sh http://servermonkeys.com/projects/els/installer.shchmod +x installer.shsh   installer.shels –apfels –bfd

 

Install ONLY APF, BDF from it, the rest will be ignored.

 

When you are done, you still need some modification.

 

            joe /etc/apf/allow_hosts.rules

 

Here you will add your IP to ignore it. VERY IMPORTANT to not be lock out from server.

The format of these files are line-seperated addresses, IP masking is supported.

Example:

24.202.16.11

24.202.11.0/24

 

            joe /etc/apf/ad/conf.antidos

 

# Try to detect syn-flood attacks [0=off,1=on]

DET_SF=”1″

# Parse klog for iptables logged attacks [0=off,1=on]

LP_KLOG=”1″

USR_ALERT=”1″

USR=”[email protected]”

ARIN_ALERT=”1″

 

Here you setup to send to you some antidos alert.

 

            /etc/apf/apf -sjoe /etc/apf/conf.apf

 

Check as well for ports:

# Common ingress (inbound) TCP ports

IG_TCP_CPORTS=”20,21,22,25,53,80,110,143,443,465,993,995,3306,5224,8443,8880,10000,35000_35999″

or

IG_TCP_CPORTS=”20,21,25,53,80,110,143,443,465,993,995,3306,5224,8443,8880,10000,35000_35999″ (notice no 22 port for SSH – we suggest this)

 

Also look for USE_DS=”1″, usually have value 0, change to 1.

 

            /etc/apf/apf -s

 

FINAL STEP:

If Firewall work OK do not forget to get out from DEVmode and restart …

 

# Set firewall dev cronjob

# 1 = enabled / 0 = disabled

DEVM=”0″

 

10. Disable some executables

Many php exploit scripts use common *nix tools to download root kits or backdoors. By simply chmod’ing the files so that no none-wheel or root user can use them we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the the commands below. If you run LES, which I would suggest, then you do not need to run the first group of chmods. If you get an error on the chmod 000 because a directory does not exist to not worry they are not on every server.

 

            chmod 700 /usr/bin/rcpchmod 700 /usr/bin/wgetchmod 700 /usr/bin/lynxchmod 700 /usr/bin/linkschmod 700 /usr/bin/scpchmod 000 /etc/httpd/proxy/chmod 000 /var/mail/vboxchmod 700 /usr/bin/mcchmod 700 /usr/bin/elinkschmod 700 /usr/bin/lwp-downloadchmod 700 /usr/bin/GETchmod 700 /usr/bin/curl

 

Also a suggestion that make a backup of /usr/bin, /usr/sbin, /bin, /sbin if someone overwrite in time this executables (will be infected by a chrootkit) then is easy to replace.

 

Going a step further might be to run the same chmod permission setting on ‘/usr/bin/*cc*’. This will only allow root to run compile programs like ‘gcc’. Such hardening suggestions can help to stave off local and remote attacks, but don’t consider them 100% foolproof either. Think of this as just another layer of security. Now I cannot give to you a list here, cause can be different files which is not compile libraries, ex.mysqlaccess, contain *cc*. So best is to use like

 

            cd /usr/bin/; ls -al *gccchmod 700 byacc cc gcc gnatgcc i386-redhat-linux-gcc perlcc yacc

 

(this is just an example, see what *gcc return)

 

12. RKHUNTER & CHKROOTKIT

Now we will install rkhunter so we will at least know if the server has been cracked. Note that a false positive is not always bad and you need to investigate the error before thinking you are hacked. Things such as compiling a 2.6.9 kernel on your server will cause binaries to change and rkhunter to suspect the server was cracked.

 

            yum install rkhunter chkrootkitrkhunter -cchkrootkit

 

13. Register Globals and Error Reporting and mod_security

Register_globals is something that ideally php coders would code to allow to be turned off but many do not. Because of that disabling this feature may cause a lot of scripts to break. If you are on a shared host it is probably best if you do not enable this. If you are not a shared host then there is probably nothing wrong with it but do make sure by looking at all of your web sites to ensure it did not break any. That being said if you can get away with it then your server is going to be more secure. This comes down to the usability vs security issue, yes it makes it more secure but it also blocks some popular scripts. Use this at your own risk! To disable it search for “register_globals”. It will currently be set to “On” go ahead and change it to “Off”.

 

Next step is to find display_errors = On and change it to display_errors = Off, you can also turn on log_errors = On and if you like change

 

error_reporting = E_ALL & ~E_NOTICE into error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR

 

Disable some problematic php variables, which can be insecure for the server.

 

disable_functions =”phpinfo,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,system”

 

First open the php.ini file

 

            joe /etc/php.ini

 

Restart apache for it to take effect.

 

            /etc/init.d/httpd graceful

 

Register Global change can affect this settings some scripts, you need to tell to your customers about this.

 

Install mod_security with YUM. This tool can prevent a lot of problems, file injections, attacks etc to APACHE.

 

            yum install mod_security

 

14. Services Version Number

Version numbers can be used by various software scanners to determine if your server is vulnerable. Though you should have the latest versions of everything security though obscurity is one method that can be employed to help secure your server.

 

First we are going to hide the version information in apache.

 

            joe /etc/httpd/conf/httpd.conf

 

Search for “ServerSignature”

It should say On, change it to Off

This will remove the identification of apache from error pages

 

Right below that add a line that has the following:

“ServerTokens Prod”

This will identify apache simply as “apache” with no version numbers or OS information

 

Save out of the file and restart apache

You can do a TEST before restart

 

            /etc/init.d/httpd configtest

 

Need to get: Syntax OK

 

            /etc/init.d/httpd graceful

 

Next we will disable named from giving a version.

 

            joe /etc/named.conf

 

Search for “query-source address * port 53;”

Add a line right below it with

version “Named”;

Save and restart named

 

Remember this is just security though obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place. It will not help at all if somebody is trying to actually hack the server.

 

15. PHP Optimizer/CACHE

 

We suggest also to install Ioncube Loaders, a lot of software come encoded with Ioncube , XCache, Zend Optimizer, php-eaccelerator.

 

yum install php-ioncube-loader  php-zend-optimizer  php-eaccelerator

 

XCache is also easy to install, you can get from http://www.jasonlitka.com/2007/01/30/how-to-compiling-xcache-from-source/ the SRC RPM.

Then also you need php-devel to compile it. Install with shell: yum install php-devel

Then shell: rpmbuild –rebuild php-xcache-1.2.1-jason.1.src.rpm (or new filename) . You will see in cd /usr/src/redhat/RPMS the RPM file, so install it with shell: rpm -i FILENAME

If apache not restart, see if the problem is not with Zend Optimizer and XCache, Zend Optimizer MUST be load after XCache. Of course you can edit /etc/php.d/xcache.ini to fit with your wish. Also you can get from /usr/share/doc/XCACHEPATH/ the admin directory and copy where you can reach it. Read more on XCache home page.

 

IMPORTANT: After restart Apache, and execute php -v you may get error messages like “Failed loading /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so: /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so: cannot restore segment prot after reloc: Permission denied”.

 

You will need to execute like this, just change the correct path to SO files.

 

            chcon -t texrel_shlib_t /usr/lib/php/zend/ZendOptimizer-5.2.so; execstack -c /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so; php -v

 

If you fo not get any error, problem is solved.

 

16. FTP Passive Mode Port

You need to edit /etc/proftpd.conf and add a line like

 

PassivePorts 35000 35999

 

After this see please APF Firewall settings at line IG_TCP_CPORTS= is there this port??

Then execute restart of XINETD

 

            /etc/rc.d/init.d/xinetd restart

 

17. mod-suPHP

 

A lot of people have problems with different PHP softwares like Joomla, different Gallery softwares, especially where need to upload pictures. Why? Because now in a new settings, PHP will work as apache:apache user and any files uploaded via a web interface will get this user rights. Any files uploaded via FTP clients, will get the domain ownership. SO, if you for example want to get all picture files added via WEB INTERFACE, you cannot download or overwrite via FTP because the file rights. Also on install a lot of people need to setup folders to 777 rights to uload in it.

 

So seems the mod_suPHP solution is nice and working with the following settings.

 

            yum install mod_suphp

 

(alternate http://dag.wieers.com/rpm/packages/mod_suphp/)

 

After this, /etc/httpd/conf.d/mod_suphp.conf (important this line LoadModule suphp_module modules/mod_suphp.so, rest can be uncommented on Debian/Ubuntu is not the same place, is in apache kind of directory); /etc/suphp.conf (use default, except umask=0022)

 

If is PHP5, change in /etc/suphp.conf

 

umask=0022

 

[handlers]

;Handler for php-scripts

php5-script=php:/usr/bin/php-cgi

 

In some case, suphp.conf in /etc/httpd/conf.d will not work, so

 

            mv /etc/httpd/conf.d/suphp.conf /etc/httpd/conf.d/mod_suphp.confjoe /etc/httpd/conf.d/mod_suphp.conf

 

Here change line suPHP_Engine on into #suPHP_Engine on (this is very important)

 

If you compiled suphp with setid-mode “force” or “paranoid”, you can specify the user- and groupname to run PHP-scripts with.

Example: suPHP_UserGroup ftpuser psacln

 

The major things come with: httpd.include of each domain need to add, before < /VirtualHost >, the line Include /var/www/vhosts/domain.com/conf/vhost.conf

Then create vhost.conf. (We suggest to use for this Power Toys, this will suggest exacctly what you need to do and modify the file for you)

 

In vhost.conf you need:

 

            php_admin_flag engine on    

    suPHP_Engine On    

    suPHP_ConfigPath “/var/www/vhosts/DOMAIN/httpdocs/”

    AddHandler x-httpd-php .php 

    AddHandler php5-script .php

    AddHandler x-httpd-php .php .php5 .php4 .php3 .phtml

    suPHP_AddHandler x-httpd-php

    suPHP_AddHandler php5-script .php

    suPHP_UserGroup ftpuser psacln

    php_value open_basedir “/tmp/”

    php_value upload_tmp_dir “/var/www/vhosts/DOMAIN/tmp/”

 

    order allow,deny    

    deny from all    

 

 

 

Need to focus on BOLD issues. DOMAIN is your domain, AddHandler one line is for PHP4, the other for PHP5, dunno if will work both together. Create in httpdocs/tmp directory, to write in it, as temporary upload dir. We still study this to move one directory up, but is not tested yet: DOMAIN/tmp/. After this, you need to add a php.ini file in your httpdocs directory, which will be use for that domain. this file cannot be read from outside because is restricted. To test if is work, create a file wit lines, < ?php phpinfo(); ? > and call it from web. You can see if is loaded new PHP.INI or not and mod_suPHP is on.

 

PLESK SETTINGS:

 

Go and login into PLESK admin and do the following steps.

Before all, click on update and do an update.

Click on SERVERS:

 

    1. Change password: Change passwords to access into PLESK.

    2. Access: Setup PLESK ADMIN access and add your IP, in this way you restrict ADMIN access from your IP.

    3. System time: I use synchronize time with server: time.windows.com, anyway setup here the correct zone.

    4. Mail preferences: Enable MAPS protection to zen.spamhaus.org;cbl.abuseat.org and also I use POP3 lock time to 20 minutes.(important)

    5. Mailman settings: Setup email and password.

    6. DNS – Read the manual.

    7. Logo Setup – to setup your Company LOGO

    8. Crontab – Set crontab message, if need change here the mail to not send to root.

 

Next step is CLIENTS AND DOMAINS, but this is documented in manuals, so I suggest to read it.