
Thread: Any tips for securing a dedicated server?

  1. #1
    cullenstev@gmail.com is offline No longer a Newbie
    Join Date
    Feb 2009
    Posts
    5

    Default Any tips for securing a dedicated server?

    Hi all, new customer here with a dedicated server.
    I want this to be as hardened as possible. Anyone have any particular tips for security? I googled for checklists and did everything I could, and I also made adjustments so I have a perfect score on the firewall configuration check, but I thought maybe there would be some tips for these setups specifically.

    In particular I'm wondering about allowed ports, the firewall by default has quite a few ports open, including all from 30,000-50,000. Should I lock down pretty much everything besides HTTP and SSL?

    That brings me to a related question... as of now I am just using this for a webserver. I'm hosting my nameserver with GoDaddy and email with Google. Is there any particular advantage to migrating my nameserver to GlowHost? The only one I can think of would be to gain use of their support for any DNS issues. If there are other technical advantages please let me know, DNS is an area that I am not very comfortable with.

  2. #2
    Matt is offline GlowHost Administrator
    Join Date
    Jan 2005
    Location
    Behind your monitor
    Posts
    5,390

    Default

    When we send the servers out they are not a default OS or cPanel install. We already tune them to be highly secure yet still workable.

    If you follow the various guides that float around out there you might have a more secure box, but a much less usable one. Some of the items I have found out there in my opinion are totally pointless, such as changing the SSH port to something other than 22. Disabling root login is also another good one that makes no sense to me, especially when your login to WHM is as root using the root credentials; why then disable root via SSH?

    If you have an impossible to guess password no one is going to get into your box as root via SSH on a standard port because the firewall is going to give them the boot after 5 tries.

    Some of the more aggressive disable_functions in php.ini lists that I have seen ensure that the machine is very secure but also ensure 99% of the programs in use out there will not function. They might as well turn safe_mode on with some of the paranoiac lists for php.ini.

    The mod_security that I have seen are just as bad as some of the php.ini floating around the web. Great security but you might as well unplug the server, it is going to be just about as useful.

    Those ports 30k-50k should be enabled for passive FTP transfers.

    All of the rest of those can remain as is as they are either required by cPanel or specifically enabled by GlowHost to accommodate the most common services requested.

    If you want to post your port list, perhaps we can tell you which of the TCP inbound / outbound ones are not implicitly required for the server to run smoothly.

    As to migration of your nameserver, you nailed it. Support and ease of use.
    Send your friends and site visitors to GlowHost and get $125 plus bonus!
    GlowHost Affiliate Program | Read our Blog | GlowHost's Facebook | Follow us on Twitter | GlowHost on Google+

  3. #3
    cullenstev@gmail.com is offline No longer a Newbie
    Join Date
    Feb 2009
    Posts
    5

    Default

    Thanks for the reply Matt.
    Code:
    TCP_IN: 20,21,22,26,53,80,143,443,465,873,990,953,993,995,1042,1221,2077,2078,2082,2083,2086,2087,2095,2096,3690,3784,4643,8000:8020,8443,12000:12100,20001,30000:50000
    TCP_OUT: 20,21,22,26,37,43,53,80,82,113,143,443,587,873,953,1221,2077,2078,2082,2083,2086,2087,2089,2095,2703,3306,3690,3784,4643,8443,12000,20001
    Code:
    UDP_IN: 20,21,53,953
    UDP_OUT: 20,21,53,113,123,873,953,6277,33434:33523
    The server will just be used for an ecommerce site. Mail will be hosted by google. For now at least I'm going to keep the nameserver hosted at godaddy. So all I really need is WWW connectivity, as well as administrative stuff.

    Cullen
    Last edited by Matt; 02-16-2009 at 05:37 PM.

  4. #4
    Matt is offline GlowHost Administrator
    Join Date
    Jan 2005
    Location
    Behind your monitor
    Posts
    5,390

    Default

    I've gone ahead and compiled a list for you of ports and descriptions of what they are for. Sounds like you could close quite a few of them should you be so inclined.

    Also here is a list of ports that cPanel.net says are the bare minimums for running cPanel control panel: "Getting the most out of your system's firewall" on the cPanel Blog.

    Below is the list of ports and descriptions that I have compiled for you. Use the scroll bar at the bottom to see the full descriptions...

    Code:
    0 SFTP
    21 FTP 
    22 SSH 
    25 SMTP 
    26 SMTP Alternate Port 
    37 rdate
    43 WHOIS 
    53 DNS - Domain Name Server 
    80 HTTP 
    82 Mod Perl (should be disabled if you are not using it)
    110 POP3 
    113 ident
    123 NTP (Network Time, may not be needed) 
    143 IMAP 
    443 HTTPS 
    465 SMTP TLS/SSL
    587 (same as port 26, often requested instead of cPanel's default SMTP alternate port 26 for users migrating from control panels other than cPanel. Can be disabled)
    873 Rsync 
    953 Named (rndc - remote DNS admin)
    990 FTPS
    993 IMAP SSL 
    995 POP3 SSL 
    1221 SAM Broadcaster (close if you do not run shoutcast servers that require SAM broadcaster on the client side)
    2077 Webdav (for webdisk)
    2078 Webdav (for webdisk)
    2082 cPanel
    2083 cPanel SSL 
    2084 entropychat server (also disable from WHM service manager if not used) 
    2086 WHM 
    2087 WHM SSL 
    2089 required for cPanel license 
    2095 WebMail 
    2096 WebMail SSL 
    2703 Razor # Spam Assassin Addon (can be closed since you don't use email here)
    3306 mySQL remote access (can be closed if you do not want to admin your DBs remotely)
    3690 SVN (can be closed if you do not use SVN)
    3784 BFD (can be closed if you do not use BFD...CSF is used instead for Brute Force Detection)
    4643 Virtuozo # VPS Only (can close this since this is not a VPS)
    6277 DCC # Spam Assassin Addon (can be closed since you don't use email here)
    8000:8020 for shoutcast server (can be closed if you don't plan on using shoutcast server)
    8443 JSP (can be closed if you don't run JSP)
    6666 Melange chat Server (also disable from WHM service manager if not used) 
    7786 Interchange (also disable from WHM service manager if not used) 
    8080 JSP (can be closed if you don't run JSP)
    12000 (Open as an Optional Alternative SSH Port, disable if you don't want it or use another port instead)
    12100:12100 Ruby on Rails (can be closed if you don't run RoR)
    20001: (OnlineNic API requires this to be enabled for their API. You can disable it if you do not use their API)
    30000:50000 For Passive FTP transfer
    33434:33523 Traceroute

  5. #5
    Matt is offline GlowHost Administrator
    Join Date
    Jan 2005
    Location
    Behind your monitor
    Posts
    5,390

    Default

    PS:

    If you end up disabling services please open a ticket at GlowHost so that we can remove them from our monitors.

  6. #6
    cullenstev@gmail.com is offline No longer a Newbie
    Join Date
    Feb 2009
    Posts
    5

    Default

    Thanks for the info Matt. A small (possibly inconsequential) problem. After closing all the ports I deemed to be unnecessary, the firewall security check no longer completes. It loads to the point where "PHP Check" is the last line loaded at the bottom of the frame, then just sits there waiting for data from my IP. The only thing I modified was the allowed ports, which I double checked and added back any that might be needed, such as even the unsecure cPanel ports.

    This is what I left open:
    TCP IN:
    20,21,26,80,82,443,990,1042,2082,2083,2086,2087,20 89,3690,30000:50000
    TCP OUT:
    20,21,26,37,43,80,82,113,443,873,1042,2082,2083,20 86,2087,2089,3690

    UDP IN:
    21
    UDP OUT:
    21,53,113,123,873,953,33434:33523

    Did I get too aggressive in my port closing?

  7. #7
    Matt is offline GlowHost Administrator
    Join Date
    Jan 2005
    Location
    Behind your monitor
    Posts
    5,390

    Default

    Well, the first thing I noticed in your ports above is that you have spaces in 20 89 and 20 87.

    As for why the security check won't complete, I am not sure. You will probably want to ask configserver.com on their forums, as that is the site that writes the firewall software.
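    The two problems in this exchange (a malformed token like "20 89" that CSF will not parse as a port, and not knowing exactly which ports a trimmed list closed) can be checked mechanically before the list goes into csf.conf. The script below is an added example written for this thread, not code from CSF or GlowHost; the port lists are copied from the posts above, and the validation rules (comma-separated ports or lo:hi ranges, 0-65535) are an assumption about CSF's syntax.

```python
import re

# Constructed from the lists posted in this thread: the TCP_IN Matt's server
# shipped with, and the reduced TCP_IN posted after closing ports.
ORIGINAL_TCP_IN = ("20,21,22,26,53,80,143,443,465,873,990,953,993,995,1042,1221,"
                   "2077,2078,2082,2083,2086,2087,2095,2096,3690,3784,4643,"
                   "8000:8020,8443,12000:12100,20001,30000:50000")
REDUCED_TCP_IN = ("20,21,26,80,82,443,990,1042,2082,2083,2086,2087,20 89,"
                  "3690,30000:50000")

# Assumed CSF token syntax: a single port or an inclusive lo:hi range.
TOKEN = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def parse_csf_ports(spec):
    """Expand a CSF-style TCP_IN/TCP_OUT string into a set of port numbers.

    Returns (ports, bad_tokens). Anything that does not match the assumed
    syntax (e.g. '20 89' with a stray space) is reported rather than
    silently dropped, which is what makes the reduced list above suspect.
    """
    ports, bad = set(), []
    for tok in spec.split(","):
        tok = tok.strip()
        m = TOKEN.match(tok)
        if not m:
            bad.append(tok)
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (0 <= lo <= hi <= 65535):
            bad.append(tok)
            continue
        ports.update(range(lo, hi + 1))
    return ports, bad


def diff_port_lists(before, after):
    """Report which ports a rewrite closed or newly opened, plus any
    tokens in either list that CSF would not accept."""
    b_ports, b_bad = parse_csf_ports(before)
    a_ports, a_bad = parse_csf_ports(after)
    return {
        "closed": sorted(b_ports - a_ports),
        "opened": sorted(a_ports - b_ports),
        "bad_tokens": b_bad + a_bad,
    }


if __name__ == "__main__":
    report = diff_port_lists(ORIGINAL_TCP_IN, REDUCED_TCP_IN)
    print("bad tokens:", report["bad_tokens"])
    print("newly opened:", report["opened"])
    print("closed (%d):" % len(report["closed"]), report["closed"][:20], "...")
```

Running it against the thread's lists flags "20 89" as unparseable and shows that 82 was opened while SSH (22), DNS (53), the mail ports and the 8000:8020 and 12000:12100 ranges were closed.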

  8. #8
    raicol is offline No longer a Newbie
    Join Date
    May 2010
    Posts
    5

    Default

    Thanks for the info Matt.

    Regards,
    Raicol

  9. #9
    Join Date
    Nov 2016
    Posts
    7

    Default

    The SSH protocol is designed to secure the connection when you log in to the server. Managing a set of keys avoids having to use passwords. It also simplifies the connection: you can connect to multiple machines using a single key.

  10. #10
    Sean9568 is offline Nearly a Glow Sage
    Join Date
    Jan 2018
    Posts
    18

    Default

    There is a list of dedicated server security vulnerabilities. Install dedicated trusted SSL on the server. Regular scanning for malware and virus is essential.
