SPRI – Tool for changing the priority of different processess running in the server according to the level of importance and thereby increasing the performance and productivity of the server.
cd /usr/src
wget http://www.rfxn.com/downloads/spri-current.tar.gz
tar zxvf spri-current.tar.gz
cd spri-0*
./install.sh
spri -v
Monday, February 11, 2013
System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
System Integrity Monitor – Service monitoring of HTTP, FTP, DNS, SSH, MYSQL & more
cd /usr/src/
wget http://www.rfxn.com/downloads/sim-current.tar.gz
tar zxf sim-current.tar.gz
cd sim-3*
./setup -i
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.httpd.*/init.httpd on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.mysqld.*/init.mysql on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.exim.*/init.exim on/" /usr/local/sim/config/mods.control
sim -j
cd /usr/src/
wget http://www.rfxn.com/downloads/sim-current.tar.gz
tar zxf sim-current.tar.gz
cd sim-3*
./setup -i
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.httpd.*/init.httpd on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.mysqld.*/init.mysql on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.named.*/init.named on/" /usr/local/sim/config/mods.control
perl -pi -e "s/^init.exim.*/init.exim on/" /usr/local/sim/config/mods.control
sim -j
MyTOP – A console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL
MyTOP – A console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL
/scripts/realperlinstaller –force Getopt::Long
/scripts/realperlinstaller –force DBI
/scripts/realperlinstaller –force DBD::mysql
/scripts/realperlinstaller –force Term::ReadKey
wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
tar zxpfv mytop-1.6.tar.gz
cd mytop-1.6
perl Makefile.PL && make && make install
Error in option spec: “long|!” error message if you are trying to execute the mytop command. Please do the following to solve this error.
After doing perl Makefile.PL edit the mytop script inside the installation location and Search for the line
“long|!” => \$config{long_nums},
and comment it to
#”long|!” => \$config{long_nums},
and then execute make install from the source directory to install the altered mytop script.
After installing mytop you need to create a new file under /root/.mytop (mytop config file for root) with the lines below (mysql root password is found on /root/.my.cnf:
user=root
pass=
host=localhost
db=mysql
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1
To
mytop -d mysql
/scripts/realperlinstaller –force Getopt::Long
/scripts/realperlinstaller –force DBI
/scripts/realperlinstaller –force DBD::mysql
/scripts/realperlinstaller –force Term::ReadKey
wget http://jeremy.zawodny.com/mysql/mytop/mytop-1.6.tar.gz
tar zxpfv mytop-1.6.tar.gz
cd mytop-1.6
perl Makefile.PL && make && make install
Error in option spec: “long|!” error message if you are trying to execute the mytop command. Please do the following to solve this error.
After doing perl Makefile.PL edit the mytop script inside the installation location and Search for the line
“long|!” => \$config{long_nums},
and comment it to
#”long|!” => \$config{long_nums},
and then execute make install from the source directory to install the altered mytop script.
After installing mytop you need to create a new file under /root/.mytop (mytop config file for root) with the lines below (mysql root password is found on /root/.my.cnf:
user=root
pass=
host=localhost
db=mysql
delay=5
port=3306
socket=
batchmode=0
header=1
color=1
idle=1
To
mytop -d mysql
Apache configuration(IN SERVERS USER WHM TO ADD GLOBAL SETTING TO THE httpd.conf)
Apache configuration(IN SERVERS USER WHM TO ADD GLOBAL SETTING TO THE httpd.conf)
To start, open the Apache configuration file and finding the directives section. On a cPanel server, it will be located in /usr/local/apache/conf/. On a Plesk server, it will be in /etc/httpd/conf/. If you are using vi or vim: once you open the file, you can find the directives by scrolling through the file, or by typing forward-slash ‘/’ and typing the exact string that you are looking for (search is case specific).
[root@host /] vim /usr/local/apache/conf/httpd.conf
or
[root@host /] vim /etc/httpd/conf/httpd.conf
This list is a composite of the settings we will be reviewing from fresh install on a cPanel server:
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
Timeout 300
Usually this value doesn’t require editing and a default of 300 is sufficient. Lowering the ‘Timeout’ value will cause a long running script to terminate earlier than expected.
On virtualized servers like VPS servers, lowering this value to 100 can help improve performance.
KeepAlive On
This setting should be “On” unless the server is getting requests from hundreds of IPs at once.
High volume and/or load balanced servers should have this setting disabled (Off) to increase connection throughput.
MaxKeepAliveRequests 100
This setting limits the number of requests allowed per persistent connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.
It is recommended to keep this value at 100 for virtualized accounts like VPS accounts. On dedicated servers it is recommended that this value be modified to 150.
KeepAliveTimeout 15
The number of seconds Apache will wait for another request before closing the connection. Setting this to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
It is recommended that this value be lowered to 5 on all servers.
MinSpareServers 5
This directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer spareservers idle then specified by this value, then the parent process creates new children at a maximum rate of 1 per second. Setting this parameter to a large number is almost always a bad idea.
Liquidweb recommends adjusting the value for this setting to the following:
Virtualized server, ie VPS 5
Dedicated server with 1-2GB RAM 10
Dedicated server with 2-4GB RAM 20
Dedicated server with 4+ GB RAM 25
****************************************************************
WHM Tweaking – Tweak WHM for better security and performance.
Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
Under System: Use jailshell as the default shell for all new accounts and
modified accounts
Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
*****************************************************************
PHP Tightening – Tweak PHP by changing the parameters of php configuration for better security and performance.
php.ini & disabled functions
Edit php.ini
[root@server ]# nano /usr/local/lib/php.ini
safe_mode = On
allow_url_fopen = off
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd, popen, proc_open, allow_url_fopen, ini_set
************************************************************
PHP Upgarde – Compile PHP to its latest stable version which increases server security.
Using easyapache script .
************************************************************
MySQL optimization – Optimize MySQL value for better performance and stability
/usr/local/cpanel/3rdparty/mysqltuner/mysqltuner.pl
#DO NOT MODIFY THE FOLLOWING COMMENTED LINES!
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb
[mysqld_safe]
open_files_limit = 8192
[mysqldump]
quick
max_allowed_packet = 16M
[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M
MySQL parameters like query_cache_size, key_buffer_size, Table_cache, sort_buffer, read_rnd_buffer_size, thread_cache, tmp_table_size, query_cache_size etc should be altered according to your server status.
To start, open the Apache configuration file and finding the directives section. On a cPanel server, it will be located in /usr/local/apache/conf/. On a Plesk server, it will be in /etc/httpd/conf/. If you are using vi or vim: once you open the file, you can find the directives by scrolling through the file, or by typing forward-slash ‘/’ and typing the exact string that you are looking for (search is case specific).
[root@host /] vim /usr/local/apache/conf/httpd.conf
or
[root@host /] vim /etc/httpd/conf/httpd.conf
This list is a composite of the settings we will be reviewing from fresh install on a cPanel server:
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
Timeout 300
Usually this value doesn’t require editing and a default of 300 is sufficient. Lowering the ‘Timeout’ value will cause a long running script to terminate earlier than expected.
On virtualized servers like VPS servers, lowering this value to 100 can help improve performance.
KeepAlive On
This setting should be “On” unless the server is getting requests from hundreds of IPs at once.
High volume and/or load balanced servers should have this setting disabled (Off) to increase connection throughput.
MaxKeepAliveRequests 100
This setting limits the number of requests allowed per persistent connection when KeepAlive is on. If it is set to 0, unlimited requests will be allowed.
It is recommended to keep this value at 100 for virtualized accounts like VPS accounts. On dedicated servers it is recommended that this value be modified to 150.
KeepAliveTimeout 15
The number of seconds Apache will wait for another request before closing the connection. Setting this to a high value may cause performance problems in heavily loaded servers. The higher the timeout, the more server processes will be kept occupied waiting on connections with idle clients.
It is recommended that this value be lowered to 5 on all servers.
MinSpareServers 5
This directive sets the desired minimum number of idle child server processes. An idle process is one which is not handling a request. If there are fewer spareservers idle then specified by this value, then the parent process creates new children at a maximum rate of 1 per second. Setting this parameter to a large number is almost always a bad idea.
Liquidweb recommends adjusting the value for this setting to the following:
Virtualized server, ie VPS 5
Dedicated server with 1-2GB RAM 10
Dedicated server with 2-4GB RAM 20
Dedicated server with 4+ GB RAM 25
****************************************************************
WHM Tweaking – Tweak WHM for better security and performance.
Server Setup =>> Tweak Settings
Check the following items...
Under Domains: Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)
Under Mail: Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole
Under System: Use jailshell as the default shell for all new accounts and
modified accounts
Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
*****************************************************************
PHP Tightening – Tweak PHP by changing the parameters of php configuration for better security and performance.
php.ini & disabled functions
Edit php.ini
[root@server ]# nano /usr/local/lib/php.ini
safe_mode = On
allow_url_fopen = off
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd, popen, proc_open, allow_url_fopen, ini_set
************************************************************
PHP Upgarde – Compile PHP to its latest stable version which increases server security.
Using easyapache script .
************************************************************
MySQL optimization – Optimize MySQL value for better performance and stability
/usr/local/cpanel/3rdparty/mysqltuner/mysqltuner.pl
#DO NOT MODIFY THE FOLLOWING COMMENTED LINES!
[mysqld]
max_connections = 400
key_buffer = 16M
myisam_sort_buffer_size = 32M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 2M
table_cache = 1024
thread_cache_size = 286
interactive_timeout = 25
wait_timeout = 1000
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 16M
query_cache_type = 1
tmp_table_size = 16M
skip-innodb
[mysqld_safe]
open_files_limit = 8192
[mysqldump]
quick
max_allowed_packet = 16M
[myisamchk]
key_buffer = 32M
sort_buffer = 32M
read_buffer = 16M
write_buffer = 16M
MySQL parameters like query_cache_size, key_buffer_size, Table_cache, sort_buffer, read_rnd_buffer_size, thread_cache, tmp_table_size, query_cache_size etc should be altered according to your server status.
Sunday, February 10, 2013
FTP Hardening – Secure FTP software by upgrading to latest version
FTP Hardening – Secure FTP software by upgrading to latest version
FTP: In WHM >> Service Configuration, there is an option to change 2 settings for FTP.
By default the first will be set to use pure-ftpd (this is good) and the second is to allow anonymous FTP (this is very bad). Unless you really want half the world (the bad half) discovering that you run an open FTP server, turn anonymous OFF.
Each FTP session uses resources, so you should also be careful about how many FTP logons you allow each account in your Feature Lists. Up to 3 is fine - anything over 10 is getting silly and simply invites your users to use your server for file sharing.
FTP: In WHM >> Service Configuration, there is an option to change 2 settings for FTP.
By default the first will be set to use pure-ftpd (this is good) and the second is to allow anonymous FTP (this is very bad). Unless you really want half the world (the bad half) discovering that you run an open FTP server, turn anonymous OFF.
Each FTP session uses resources, so you should also be careful about how many FTP logons you allow each account in your Feature Lists. Up to 3 is fine - anything over 10 is getting silly and simply invites your users to use your server for file sharing.
Saturday, February 9, 2013
Host.conf & sysctl.conf Hardening
Host.conf Hardening –Prevents IP spoofing and dns poisoning
The host.conf file resides in /etc/host.conf.
order bind,hosts
multi on
nospoof on
Sysctl.conf Hardening – Prevents syn-flood attacks and other network abuses.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
After you make the changes to the file you need to run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.
The rules were taken from: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
The host.conf file resides in /etc/host.conf.
order bind,hosts
multi on
nospoof on
Sysctl.conf Hardening – Prevents syn-flood attacks and other network abuses.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
# Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
After you make the changes to the file you need to run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.
The rules were taken from: http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html
SSH Securing – For a better security of ssh connections.
SSH Securing – For a better security of ssh connections.
Disabling Root Login and changing the listening port .
1.create a user for ssh like sshadminz
2.give the user wheel privilage through Whm
3.in /etc/ssh/sshd_config change the entry PermitRootLogin to no
4.in /etc/ssh/sshd_config change the entry #Port to Port xxxx (needed port,make sure that port is open in csf/iprules)
5.restart the sshd service
>ssh sshadminz@***.***.***.*** -p xxxx
Setting an SSH Legal Message
The message is contained within the following file: /etc/motd
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
SSH In /etc/ssh/sshd_config,
#Protocol 2, 1
should be changed as
Protocol 2
AllowTcpForwarding no
Restart ssh service
# Only allow the following users SSH Access
AllowUsers User1 User2 etc
# Deny access to the following users
DenyUsers admin etc
# Set the timeout period for idle sessions (in seconds)
ClientAliveInterval 300
ClientAliveCountMax 0
# Disable Host-Based Authentication
HostbasedAuthentication no
# Remove ability to login as Root
PermitRootLogin no
# Change the default SSH Port (Not essential but can help uncomment if you want)
#Port 22
#ListenAddress 192.168.1.1
# Consider CHRooting users to their own directories.
# Subsystem sftp internal-sftp
#Match group sftponly
# ChrootDirectory /home/%u
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand internal-sftp
# Disable empty passwords from login
PermitEmptyPasswords no
# Set your required Log Level (Either INFO or DEBUG)
LogLevel INFO
# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no
Disabling Root Login and changing the listening port .
1.create a user for ssh like sshadminz
2.give the user wheel privilage through Whm
3.in /etc/ssh/sshd_config change the entry PermitRootLogin to no
4.in /etc/ssh/sshd_config change the entry #Port to Port xxxx (needed port,make sure that port is open in csf/iprules)
5.restart the sshd service
>ssh sshadminz@***.***.***.*** -p xxxx
Setting an SSH Legal Message
The message is contained within the following file: /etc/motd
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.
This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.
SSH In /etc/ssh/sshd_config,
#Protocol 2, 1
should be changed as
Protocol 2
AllowTcpForwarding no
Restart ssh service
# Only allow the following users SSH Access
AllowUsers User1 User2 etc
# Deny access to the following users
DenyUsers admin etc
# Set the timeout period for idle sessions (in seconds)
ClientAliveInterval 300
ClientAliveCountMax 0
# Disable Host-Based Authentication
HostbasedAuthentication no
# Remove ability to login as Root
PermitRootLogin no
# Change the default SSH Port (Not essential but can help uncomment if you want)
#Port 22
#ListenAddress 192.168.1.1
# Consider CHRooting users to their own directories.
# Subsystem sftp internal-sftp
#Match group sftponly
# ChrootDirectory /home/%u
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand internal-sftp
# Disable empty passwords from login
PermitEmptyPasswords no
# Set your required Log Level (Either INFO or DEBUG)
LogLevel INFO
# Turn on privilege separation
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
# Specifies whether password authentication is allowed. The default is yes.
PasswordAuthentication no
Subscribe to:
Posts (Atom)