Any tips for securing a dedicated server?

[cullenstev@gmail.com]

Hi all, new customer here with a dedicated server.
I want this to be as hardened as possible. Anyone have any particular tips for security? I googled for checklists and did everything I could, and I also made adjustments so I have a perfect score on the firewall configuration check, but I thought maybe there would be some tips for these setups specifically.

In particular I'm wondering about allowed ports, the firewall by default has quite a few ports open, including all from 30,000-50,000. Should I lock down pretty much everything besides HTTP and SSL?

That brings me to a related question.. as of now I am just using this for a webserver. I'm hosting my nameserver with GoDaddy and email with Google. Is there any particular advantage to migrating my nameserver to GlowHost? The only one I can think of would be to gain use of their support for any DNS issues. If there are other technical advantages please let me know, DNS is an area that I am not very comfortable with.

[Matt]

When we send the servers out they are not a default OS or cPanel install. We already tune them to be highly secure yet still workable.

If you follow the various guides that float around out there you might have a more secure box, but a much less usable one. Some of the items I have found out there in my opinion are totally pointless such as changing the SSH port to something other than 22. Disabling root login is also another good one that makes no sense to me especially when your login to WHM is as root using the root credentials why then disable root via SSH?

If you have an impossible to guess password no one is going to get into your box as root via SSH on a standard port because the firewall is going to give them the boot after 5 tries.

Some of the more aggressive disable_functions in php.ini lists that I have seen ensure that the machine is very secure but also ensures 99% of the programs in use out there will not function. They might as well turn safe_mode to on with some of the paranoiac lists for php.ini

The mod_security that I have seen are just as bad as some of the php.ini floating around the web. Great security but you might as well unplug the server, it is going to be just about as useful.

Those ports 30k-50k should be enabled for passive FTP transfers.

All of the rest of those can remain as is as they are either required by cPanel or specifically enabled by GlowHost to accommodate the most common services requested.

If you want to post your port list, perhaps we can tell you which of the TCP inboud / outbound ones that are not implicitly required for the server to run smoothly.

As to migration of your nameserver, you nailed it. Support and ease of use.

[cullenstev@gmail.com]

Thanks for the reply Matt.

Code:

TCP_IN: 20,21,22,26,53,80,143,443,465,873,990,953,993,995,1042,1221,2077,2078,2082,2083,2086,2087,2095,2096,3690,3784,4643,8000:8020,8443,12000:12100,20001,30000:50000
TCP_OUT: 20,21,22,26,37,43,53,80,82,113,143,443,587,873,953,1221,2077,2078,2082,2083,2086,2087,2089,2095,2703,3306,3690,3784,4643,8443,12000,20001

Code:

UDP_IN: 20,21,53,953
UDP_OUT: 20,21,53,113,123,873,953,6277,33434:33523

The server will just be used for an ecommerce site. Mail will be hosted by google. For now at least I'm going to keep the nameserver hosted at godaddy. So all I really need is WWW connectivity, as well as administrative stuff.

Cullen

[Matt]

I've gone ahead and compiled a list for you of ports and descriptions of what they are for. Sounds like you could close quite a few of them should you be so inclined.

Also here is a list of ports that cPanel.net says are the bare minimums for running cPanel control panel. Getting the most out of your system’s firewall. cPanel Blog

Below is the list of ports and descriptions that I have compiled for you. Use the scroll bar at the bottom to see the full descriptions...

Code:

0 SFTP
21 FTP 
22 SSH 
25 SMTP 
26 SMTP Alternate Port 
37 rdate
43 WHOIS 
53 DNS - Domain Name Server 
80 HTTP 
82 Mod Perl (should be disabled if you are not using it)
110 POP3 
113 ident
123 NTP (Network Time, may not be needed) 
143 IMAP 
443 HTTPS 
465 SMTP TLS/SSL
587 (same as port 26, often requested instead of cPanel's default SMTP alternate port 26 for users migrating from control panels other than cPanel. Can be disabled)
873 Rsync 
953 Named (rndc - remote DNS admin)
990 FTPS
993 IMAP SSL 
995 POP3 SSL 
1221 SAM Broadcaster (close if you do not run shoutcast servers that require SAM broadcaster on the client side)
2077 Webdav (for webdisk)
2078 Webdav (for webdisk)
2082 cPanel
2083 cPanel SSL 
2084 entropychat server (also disable from WHM service manager if not used) 
2086 WHM 
2087 WHM SSL 
2089 required for cPanel license 
2095 WebMail 
2096 WebMail SSL 
2703 Razor # Spam Assassin Addon (can be closed since you don't use email here)
3306 mySQL remote access (can be closed if you do not want to admin your DBs remotely)
3690 SVN (can be closed if you do not use SVN)
3784 BFD (can be closed if you do not use BFD...CSF is used instead for Brute Force Detection)
4643 Virtuozo # VPS Only (can close this since this is not a VPS)
6277 DCC # Spam Assassin Addon (can be closed since you don't use email here)
8000:8020 for shoutcast server (can be closed if you don't plan on using shoutcast server)
8443 JSP (can be closed if you dont run JSP)
6666 Melange chat Server (also disable from WHM service manager if not used) 
7786 Interchange (also disable from WHM service manager if not used) 
8080 JSP (can be closed if you dont run JSP)
12000 (Open as an Optional Alternative SSH Port, disable if you don't want it or use another port instead)
12100:12100 Ruby on Rails (can be closed if you dont run RoR)
20001: (OnlineNic API requires this to be enabled for their API. You can disable it if you do not use their API)
30000:50000 For Passive FTP transfer
33434:33523 Traceroute

[Matt]

PS:

If you end up disabling services please open a ticket at GlowHost so that we can remove them from our monitors.

[cullenstev@gmail.com]

Thanks for the info Matt. A small (possibly inconsequential) problem. After closing all the ports I deemed to be unnecessary, the firewall security check no longer completes. It loads to the point where "PHP Check" is the last line loaded at the bottom of the frame, then just sits there waiting for data from my IP. The only thing I modified was the allowed ports, which I double checked and added back any that might be needed, such as even the unsecure cPanel ports.

This is what I left open:
TCP IN:
20,21,26,80,82,443,990,1042,2082,2083,2086,2087,20 89,3690,30000:50000
TCP OUT:
20,21,26,37,43,80,82,113,443,873,1042,2082,2083,20 86,2087,2089,3690

UDP IN:
21
UDP OUT:
21,53,113,123,873,953,33434:33523

Did I get too aggressive in my port closing?

[Matt]

well, the first thing I noticed in your ports above are you have spaces in 20 89 and 20 87

As for why the security check wont complete, I am not sure. You will probably want to ask configserver.com on their forums as that is the site that writes the firewall software.

[raicol]

Thanks for the info Matt.

Regards,
Raicol

[CliffordSanchez]

The SSH protocol is designed to secure the connection when you log in to the server. Managing a set of keys avoids having to use passwords. It also simplifies the connection: you can connect to multiple machines using a single key.

[Sean9568]

There is a list of dedicated server security vulnerabilities. Install dedicated trusted SSL on the server. Regular scanning for malware and virus is essential.