How To: Secure and Configure your VPS or Dedicated server

How to secure your dedicated or VPS server. Please note that this is only the very basics!


First, let's configure APF (advanced personal firewall)
Step 1: login to SSH, and become the root user
Step 2: enter the following command: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
Step 3: enter the following command: tar -xvzf apf-current.tar.gz
Step 4: cd apf-0.9.5-1/ or whatever the latest version is.
Step 5: Run the install file: ./install.sh
You will receive a message saying it has been installed

Installing APF VERSION HERE: Completed.
Installation Details:
  Install path:         /etc/apf/
  Config path:          /etc/apf/conf.apf
  Executable path:      /usr/local/sbin/apf
  AntiDos install path: /etc/apf/ad/
  AntiDos config path:  /etc/apf/ad/conf.antidos
  DShield Client Parser:  /etc/apf/extras/dshield/

If you have cPanel, do the following:
Step 1: nano /etc/apf/conf.apf
Step 2: Find Common ingress (inbound) TCP ports
Step 3: Change the following:
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"


Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"



If you have DirectAdmin do the following:
Step 1: nano /etc/apf/conf.apf
Step 2: Find Common ingress (inbound) TCP ports
Step 3: Change the following:
IG_TCP_CPORTS: (incoming) 21,22,25,53,80,110,143,443,1853,1821,1867,1903,1913,1924,1925,1976,2030,2031,2032,2033,2034,2035,2036,2037,2038,2096,3071,3079,3080,3081,3082,3083,3084,3085,3086,3306,5000,5669,5670,5671,5672,5673,5674,5675,5677,5678,5679,5680,5681,7524,9293,9301,9302,9925,9926,9067,9068,20440,20441,20442,20443

EG_ICMP_CPORTS: (outgoing)
37,53,873


Step 6: start the firewall: /usr/local/sbin/apf -s

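Step 7: Once everything is working, change the DEVM (development mode) option.
While DEVM is "1", APF's cron job flushes the firewall rules at regular intervals so that a bad rule cannot lock you out for good, which also means the server is not continuously protected. We recommend changing this back to "0" after you've had a chance to ensure everything is working well and tested the server out.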

nano /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

Step 8: now finally enter the following command: chkconfig --level 2345 apf on



Configuring BFD (Brute Force Detector)

Step 1: Login to SSH as root
Step 2: Execute the following command:
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
Step 3: tar -xvzf bfd-current.tar.gz
Step 4:
cd bfd-0.9 or latest version
Step 5:
Run the install file: ./install.sh
You will receive a message saying it has been installed

.: BFD installed
Install path:    /usr/local/bfd
Config path:     /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd

Step 6:
nano /usr/local/bfd/conf.bfd
Step 7:
Enable brute force hack attempt alerts:
Find: ALERT_USR="0"   CHANGE TO: ALERT_USR="1"   

Find: EMAIL_USR="root" CHANGE TO: EMAIL_USR="[email protected]"

Save the changes: Ctrl+X then CTRL+Y


Step 8: /usr/local/sbin/bfd -s


Disable Telnet
To disable telnet, SSH into the server and log in as root.
At the command prompt type: nano -w /etc/xinetd.d/telnet
Change disable = no to disable = yes
Save and exit
At command prompt type: /etc/init.d/xinetd restart

Secure /tmp


Make a 1GB file for the /tmp partition and create an ext3 filesystem on it:
# dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
# /sbin/mkfs.ext3 /dev/tmpFS



Create a backup copy of your current /tmp drive:
# cp -Rpf /tmp /tmpbackup

Mount our new tmp partition and change permissions:
# mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
# chmod 1777 /tmp


Copy the old data:
# cp -Rpf /tmpbackup/* /tmp/


If you run the mount command, you should get something like this:
/dev/tmpFS on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)


Edit /etc/fstab and add this (the device must be the same file you created and mounted above, /dev/tmpFS):
/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0


Test your fstab entry:
# mount -o remount /tmp

You can test it by running a script from the /tmp partition; if you get "permission denied", it is fine!
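
A post-install check for the steps above, added here as an example and not part of the original article or of APF: it verifies that DEVM is "0", that the port lists in conf.apf are well formed, and that /tmp carries noexec,nosuid with an fstab entry whose backing file exists. The function names are hypothetical; run them against /etc/apf/conf.apf, /proc/mounts and /etc/fstab (or copies of them).

```shell
# Added example: post-hardening checks for the APF and /tmp steps above.
# Function names are hypothetical; files are arguments so copies can be tested.

# Print the value of KEY="value" from an APF-style config (last match wins).
conf_value() {  # usage: conf_value KEY FILE
    sed -n 's/^[[:space:]]*'"$1"'="\(.*\)"[[:space:]]*$/\1/p' "$2" | tail -n 1
}

# Succeed only if DEVM is "0" and each port list holds nothing but digits,
# commas and "_" ranges (no spaces, no empty items). An empty list is allowed.
check_apf_conf() {  # usage: check_apf_conf FILE
    rc=0
    [ "$(conf_value DEVM "$1")" = "0" ] || { echo "DEVM is not 0"; rc=1; }
    for key in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        val=$(conf_value "$key" "$1")
        case "$val" in
            *[!0-9,_]*|,*|*,|*,,*) echo "$key malformed: '$val'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Print field N of the last uncommented /tmp entry; /proc/mounts and /etc/fstab
# share the column order: device, mount point, type, options.
tmp_field() {  # usage: tmp_field N FILE
    awk -v n="$1" '$1 !~ /^#/ && $2 == "/tmp" { f = $n } END { print f }' "$2"
}

# Succeed only if FILE has a /tmp entry carrying both noexec and nosuid.
check_tmp_opts() {  # usage: check_tmp_opts FILE
    opts=$(tmp_field 4 "$1")
    [ -n "$opts" ] || { echo "no /tmp entry in $1"; return 1; }
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "/tmp entry in $1 lacks $want"; return 1 ;;
        esac
    done
    return 0
}

# Succeed only if the fstab entry is hardened and its backing file exists,
# otherwise the /tmp mount fails at the next reboot.
check_fstab_tmp() {  # usage: check_fstab_tmp FSTAB
    check_tmp_opts "$1" || return 1
    dev=$(tmp_field 1 "$1")
    [ -e "$dev" ] || { echo "backing file $dev is missing"; return 1; }
}
```

Each function prints what is wrong and returns non-zero, so the three checks can be chained from a cron job or a login script.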
