Does anyone have any tricks, hacks, or tutorials for hardening Interworx's security (on CentOS / RHEL)? Not that it is insecure, but we have had attack attempts on some of our servers lately and we want to make sure we stay clean. These attempts did NOT happen on Interworx servers; we only want to build a good policy to prevent what we can in the future when our old servers are converted to Interworx.
Another question: is it possible to run Interworx correctly with SELinux enabled?
Any hints or small things that you did on your servers will be helpful... Even if you think it is as obvious as enabling the firewall, we want to make sure we did not forget anything in our policy.
I saw a few threads here and there talking about specific issues related to security, but nothing like this. If there is one, maybe my searches were bad; simply refer me to the right thread! :)
You can also message me directly if there is some info you do not want to disclose here (where anyone can read it).
Thanks for any input!
It is not really possible to run SELinux without doing a lot of work to define rules to get it working properly, which would require lots of trial and error and headaches.
Some basic things you can do:
- Disable root login and only use regular accounts to access the server, then su - over to root for root activities
- Disable password logins and only permit login via SSH keys
- Run suPHP (PHP scripts run as the SiteWorx user in the Webserver config page)
- Encourage users to install applications using an installer like simplescripts/softaculous, which should have mechanisms to keep their software up to date. In any case you shouldn't let users run out-of-date software that can be hacked/exploited. Also, sometimes it's not the software that gets hacked but a poorly made plugin that allows code injection.
- You can run things like Brute Force Detection/DOS Deflate, but they might need to be altered to work with IPv6 versions of netstat output (DOS Deflate in particular seems broken with the new netstat).
- Run the server behind a NAT device and only forward ports you need
- _all_ users should use strong passwords and change them regularly
Thanks for the reply Dan!
We already did almost all of these. But thanks for the refresh and some new details.
About the logins: on other servers where we have direct access to iptables, we have blocked SSH and some other ports from all IPs except a few for sysadmins, and also did some other specific tricks. Is it possible to get finer-grained configuration for the firewall? We have some leased machines in datacenters where we do not have access to put a NAT device or anything else in front… In these cases, we would prefer being able to configure the software firewall a little bit more than what is proposed in the panel.
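The SSH points from Dan's list (no root login, no password logins) and the per-IP SSH allowlist described in the post above, as an added shell example that is not from anyone in this thread. The sample sshd_config, the port and the 203.0.113.x admin addresses are constructed; the script only prints iptables commands rather than applying them.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two directives recommended
# above and emit iptables rules restricting SSH to an admin allowlist.
# Sample config and addresses below are constructed for illustration.

# Return 0 when the given sshd_config disables root login and password
# authentication, 1 otherwise; prints each directive that fails the check.
audit_sshd() {
    cfg="$1"
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key="${want%% *}"
        # Only uncommented lines count; the last occurrence of a key wins.
        have=$(grep -Ei "^[[:space:]]*${key}[[:space:]]" "$cfg" | tail -n 1 \
               | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != \
             "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
            echo "FAIL: expected '$want', found '${have:-<unset, default applies>}'"
            rc=1
        fi
    done
    return $rc
}

# Print (do not apply) iptables rules that accept SSH only from the listed
# admin addresses and drop every other connection attempt to that port.
ssh_allowlist_rules() {
    port="$1"; shift
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample: root login still permitted, password auth disabled.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication no
EOF

audit_sshd "$SAMPLE_CFG" || echo "sshd_config needs changes before exposing SSH"
ssh_allowlist_rules 22 203.0.113.10 203.0.113.11
rm -f "$SAMPLE_CFG"
```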
Well, to start with, enabling the firewall is always a good idea - make sure that any ports you DON’T need or want open are closed.
Secondly, for distributed denial of service defeat, mod_evasive is a great little Apache module, and works just like any other user-installed module.
Highly secure passwords are always a great idea, and while hopefully we’ll have something for that down the road, there are plenty of generators out there you can use to get these.