Thanks Celauran. I am learning there is lots to know about security and it may never end as software improves. Your comment "
makes finding real incidents more tedious" makes me think of my security list I am slowly poking away at. My list is a prioritized based upon a 1 man shop with no one else having access to my computers. Next week I will be spending 4 hours a day working on the pending stuff. After that 2 hours a day as I start to market the website. The extract below is part of a spread sheet that allows me to find the source of the item fairly quickly for when I finally get a chance to work on it. It may be of interest to other beginners like myself. There are probably some duplicate entries.
Finished:
Restrict File and Directory Access
Secure SSH - Disable Protocol 1 and use only Protocol 2
use secure Sftp rather than ftp (WinSCP says it is using SFTP at the top)
do not give users shell accounts on your system
Use Firewall To Restrict Outgoing Connections (not needed).
make sure you log all PHP errors to a log file
PHP A Note About Setting Up Correct File Permissions
Disable FTP login
Restrict loging attempts (
put no.login at the end of password entries (try FTP)
firewall block SSH from everything except your home computer
Secure SSH - Limit User Logins (not needed if only root + secure user)
run yum update often
strong bash root password
strong mysql root password
upload files (only allow image files)
disabled unused services. Check using htop
firewall only allow ports 80, 22 (25 is for mail so it is blocked)
Fail2Ban to Prevent Password Attacks on SSH
Database input (sanitize all inputs) sql injection
Utilize strong (mixed case, alpha-numberic, long) passwords on accounts that are necessary.
Don't run a GUI if you don't need one and never leave a GUI running while the server isn't being used for an interactive console session.
Be wary of third-party content providers.
log all php errors
set maximum upload size
use chown and chmod to minmize access to a bare minimum
control PHP post size
Secure SSH - use strong passwords
Secure SSH - Disable root login
Hide apache version: ServerSignature Off
Hide apache version: ServerTokens Prod
Hide apache list if the index.php is missing
Secure SSH - Use Public/Private Key Authentication & disable passwords
Pending in the order I was planning on working on it:
Secure SSH - Use a Non-Standard Port - Determine ports used with 'netstat -tulpn'
Virtual box to improve the backup system I have.
Reviewing logs: /var/log/messages.log (create a script to speed this up)
Reviewing logs: /var/log/daemon.log (create a script to speed this up)
Reviewing logs: /var/log/auth.log (create a script to speed this up)
Check your shell´s command history (e.g. /root/.bash_history)
reduce PHP information leakage
Limit PHP Access To File System
check for large log files on a regular basis (find out why)
Install Suhosin Advanced Protection System for PHP
system errors go to root's email. Read them.
Free software to help: Dnssy - checks all your DNS settings
Free software to help: Logwatch - Analyses logs and sends a daily digest to the administrator
Enable Postfix Postscreen to prevent email spam without damaging performance or risking false positives
Disabling Dangerous PHP Functions
PHP User and Group ID
.htaccess (to prevent images going out to reduce bandwidth)
Apache - Limite size of uploads to your LeadSheets directory
Keep software up to date
hide apache version
minimize loadable PHP modules
turn off remote PHP code execution
Use TCP wrappers (tcpd) to run Internet-related daemons and properly configure the hosts.allow and hosts.deny files to restrict access.
Free software to help: Mxtoolbox - checks your mail server every 15 mins, alerts when down or blacklisted, can also "port scan" your firewall
PHP #24 Watch Your Logs & Auditing
Restrict email connections
Apache - Keeping apache up to date
Apache - disabling unused modules
Apache - run apache as a separate user and group (must change permissions for this in your script called SetWebPermissions)
Apache - restrict access to certain directories
Apache - Use mod_security and mod_evasive Modules to Secure Apache
Apache - Disable Apache’s following of Symbolic Links
Apache - log independently of your OS logging (more detail)
sea-surf attach
reduce PHP modules
disable allow_url_include
Enable SQL Safe Mode (this was used for the differential backups)
PHP resource control (maximum execution time)
Session Path - session.save_path
Keep PHP, Software, And OS Up to Date
PHP Use Linux Security Extensions (such as SELinux)
PHP Install Mod_security
Run Apache / PHP In a Chroot Jail If Possible
#25 Run Service Per System or VM Instance
#26 Additional Tools
A Note About PHP Backdoors
List users with this command 'cut -d: -f1 /etc/passwd'
Apache - turn off server side includes
Check last logged in users (e.g. Run lastlog
find files modified between x and y minutes ago
new entries in crontab
Try a Google site: search to see what's indexed.
use google webmaster tools
PHP Fastcgi / CGI - cgi.force_redirect Directive
Apache - Protect DDOS attacks and Hardening (only if attacked)
configure PHP to disable the eval statement
Write Protect Apache, PHP, and, MySQL Configuration Files
read the google online security blog
By default, email reports of any system problems will be sent to user "root". You can read them by going to Webmin > System > Users and Groups > root and clicking the "Read Email" button. It's usually more convenient to forward them to an external email address. You can configure this by going to Webmin > Servers > Postfix Mail Server > Mail Aliases, selecting Create a new alias and setting Address to "root" and your email address in "Alias to", "Email address".
read this
http://www.sans.org/reading-room/whitep ... files-2074
check for any XSS (cross-site scripting)
If you install a forum (new software) keep the software up to date
Secure SSH - Filter SSH at the Firewall
Apache - Enabling encrypted SSL connections
use your hosting company blog or forum or just email them
Log off of server consoles when they're not being used. This is especially important for Internet-connected systems.
Fail2Ban to Prevent Password Attacks on Apache (not just SSH)
Don't use common names for groups that are given high levels access (ex: "admins").
delete users that are not needed
encrypt sensitive data
If Installing web sites
If Adding email users
Reduce Apache logging of image files (does not seem to get logged)
