Server/VPS Hardening

Started by certforumz, October 29, 2010, 02:10:21 PM


certforumz

To harden your system:

1. Compile and install a high security module-less grsec kernel. See grsec here: http://www.grsecurity.net/

2. Install CSF and configure it. (CSF is fine, but if someone is going to get in through an exploit in the kernel, CSF will not prevent that.)

3. Remove all unwanted user accounts and groups.

4. Install and configure proper security measures such as ModSecurity and dosdeflate for Apache.

5. Restrict SSH to just the users that need to SSH and always disable root login from SSH. Perform other SSH tightening measures.

6. Secure your other software such as mail servers, FTP servers, etc. This depends on what you are using: exim, postfix, sendmail, etc.

7. Password protect the MySQL root login. Remove the test database. Allow MySQL database access only to the web server system that needs it. If your MySQL is on the same system as your web server, you should block the MySQL port from external access.

8. Install rkhunter and configure it to scan and send daily reports to you.

9. Install either aide or tripwire and configure it to scan all system files daily and report changes to you.

10. Install logwatch and configure it to send daily log reports to you.

11. Install bastille and harden the system.

12. Once you are done setting up and configuring the system, remove all un-needed packages. Also remove all compilers from the system.

13. As a last step, chattr +a the root bash shell history file and also chattr -R -i the whole of /usr/sbin, /bin, /sbin, /usr/sbin/, /usr/local/bin and /usr/local/sbin.

Your system should be sufficiently hardened now.

Remember, security is not a one-time job. It is a lifelong process, so make sure to read up on the latest threats, the new security tools, etc.

God bless you.

Source: http://www.webhostingtalk.com/showthread.php?t=878998
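
The SSH step (step 5) can be checked mechanically. The script below is an added example, not part of the original post: it audits an sshd_config-style file for a disabled root login and a global user or group allow-list. The function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config-style file
# for step 5. sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line apply only conditionally,
# so only the global section is evaluated. Assumption: "Keyword value" form,
# no Include directives.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_global_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                     # drop comments
        NF == 0 { next }
        tolower($1) == "match" { exit }        # conditional section starts
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if the file satisfies step 5, else print findings and return 1.
audit_sshd_config() {
    cfg=$1; rc=0
    root=$(sshd_global_value "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        # Unset is a finding too: the built-in default is not "no".
        echo "FAIL: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    if [ -z "$(sshd_global_value "$cfg" AllowUsers)" ] &&
       [ -z "$(sshd_global_value "$cfg" AllowGroups)" ]; then
        echo "FAIL: no global AllowUsers/AllowGroups restriction"; rc=1
    fi
    return $rc
}

# Constructed sample inputs: "weak" looks hardened at a glance but is not.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# PermitRootLogin no' 'PermitRootLogin yes' \
        'PermitRootLogin no' 'Match Address 10.0.0.0/8' \
        '    AllowUsers deploy' > "$dir/weak"
    printf '%s\n' 'permitrootlogin no' 'AllowUsers deploy admin' \
        > "$dir/hardened"
    echo "$dir"
}

samples=$(make_samples)
for f in weak hardened; do
    echo "== $f"; audit_sshd_config "$samples/$f" && echo "PASS"
done
rm -rf "$samples"
```

On a live server, `sshd -T` prints the effective configuration and is the authoritative check; the file audit is useful for reviewing a config before it is deployed.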