Simple tips to improve Server Security In these times, it’s very essential to secure your servers from the outside as well as from customers using the server. This session will show some basic methods on how to protect your server(s). Pulkit Gupta CEO & Chief Architect Softaculous

2. Why should you secure
your server ?
• Customer Safety and
Satisfaction
• Required to Carry on Business
• Long Term Economic Benefits
• Improves Your Hosting Brand

3. Sections in this Session
• Securing your Server(s) SSH Access
• MySQL Security Best Practices
• Preventing Email Abuse

4. Why Secure your SSH ?
• SSH allows you to remotely execute
command
• As an Admin you access it from a Remote
Location, so can a hacker
• A hacker may gain root access to your
server if not secured
• IF a hacker gains root access, you can kiss
your server good bye !

5. Change your SSH Port
• Default SSH port is 22, even the hacker
knows that
• Hacker can Scan Port 22 on various IP
Addresses and use brute force or other
attacks to gain access
• Hence change your port to something
other than 22 (and 2222 which is common
as well)
• In /etc/ssh/sshd_config change :
Port 3077

6. Disable Root Login
• The Hacker would likely try a brute-force
for the root user
• Disabling the Root User Login will add an
additional layer of security to your server
• If you need root access, login as a normal
user and use the su command.
• In /etc/ssh/sshd_config change :
PermitRootLogin no
AllowUsers mysshuser

7. Use Keys for Authentication
• Disable password logins. To do so :
$ ssh-keygen -t rsa
• This will create two files in your (hidden)
~/.ssh directory called: id_rsa and id_rsa.pub
• The first: id_rsa is your private key and the
id_rsa.pub is your public key.
• If you are a Windows User. You can convert the
id_rsa file into a .ppk with the help of
Puttygen for use with Putty.
• Never re-use SSH Keys on multiple servers

8. Use Keys for Authentication (Cont.)
• You will need to set file permissions on the server:
PasswordAuthentication no
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
• Disable password authentication
completely in /etc/ssh/sshd_config
• Copy the public key (id_rsa.pub) to the
server and install it to the authorized_keys
$ cat id_rsa.pub >> ~/.ssh/authorized_keys

9. SSH IP Address Restriction
• IP Address Restriction means allowing only
certain IPs to SSH into a Server. This
requires static IP Address(es)
• The two important files are:
/etc/hosts.allow
/etc/hosts.deny
sshd: 1.2.3.0
• In /etc/hosts.allow add allowed IP
Address
sshd: ALL
• In /etc/hosts.deny, restrict all IPs

10. Fail2Ban
• Fail2ban scans log files (e.g. /var/log/secure)
and bans IPs (using the Firewall) that show
the malicious signs -- too many password
failures, seeking for exploits, etc.
• Out of the box Fail2Ban comes with filters for
various services like apache, ssh, courier
• You can configure Fail2Ban to send emails to
Sysadmins as well.
# EPEL is required
$ yum install fail2ban

11. Logwatch
• Logwatch is a customizable, pluggable log-
monitoring system.
• It will go through your logs for a given
period of time and make a report in the
areas that you wish, with the detail that
you wish
• Installation is simple :
$ yum install logwatch
• Usage is simple as well :
$ logwatch --detail Low --service sshd --
range today --save /tmp/logwatch

12. Separate Billing Server
• Small and Medium sized web-hosting
companies and resellers tend to keep their
billing systems hosted on the same servers
which host their shared hosting customers
• BAD IDEA !
• Your website + billing software should
*always* be stored on a separate server /
VPS
• It is extremely dangerous to have untrusted
customers on the same server.

13. MySQL / MariaDB Abuse
• Database Abuse is pretty common and
easily achievable in shared
environments
• If MySQL / MariaDB is abused your
system will become slower and all your
customers websites will be affected.
• There are external threats possible if
you don’t secure your MySQL /
MariaDB server

14. Restrict Remote Access
• By Default MySQL will start with
Networking and will listen on Port 3306
• To restrict MySQL from opening a
network socket, the following
parameter should be added in
the[mysqld] section of my.cnf or my.ini:
skip-networking
• Some Control Panels like cPanel restrict
it to the localhost IP 127.0.0.1
bind-address=127.0.0.1

15. Disable the use of LOCAL INFILE
• Disable the use of the "LOAD DATA LOCAL
INFILE" command
• If not secured important data could be
revealed :
SELECT load_file("/etc/passwd")
• To disable the usage of the "LOCAL
INFILE" command, the following parameter
should be added in the [mysqld] section of
the MySQL configuration file.
set-variable=local-infile=0
Some Control Panels like cPanel restrict this already

16. Setting Account Resource Limits
In MySQL 5+, you can limit use of the
following server resources for individual
accounts:
• The number of queries that an account
can issue per hour
• The number of updates that an account
can issue per hour
• The number of times an account can
connect to the server per hour
• The number of simultaneous
connections to the server by an account
GRANT ALL ON customer.* TO ‘DB'@'localhost'
WITH MAX_QUERIES_PER_HOUR 3600
MAX_UPDATES_PER_HOUR 360
MAX_CONNECTIONS_PER_HOUR 3600
MAX_USER_CONNECTIONS 5;

17. Other MySQL / MariaDB Tips
• Change root username and password
(don’t do it on cPanel, Plesk, etc.)
• Remove the "test" database
• Remove Anonymous and obsolete
accounts
• Remove History
cat /dev/null > ~/.mysql_history

18. Prevent Email Abuse
• Shared Hosting users can send a lot of
SPAM from your servers if you don’t
prevent them
• It can cause Black Listing of your server
IPs
• In cPanel, there are some good settings to
prevent users to send excessive emails
like hourly emails, percentage of failed
messages
• You can find it in WHM -> Tweak Settings

19. Ebury and Poodle
• On infected hosts, Ebury steals SSH login
credentials (username/password) from
incoming and outgoing SSH connections.
• Check your servers for an Ebury infection :
https://www.cert-bund.de/ebury-faq
• POODLE : The Google Security Team
discovered this vulnerability; they
disclosed it in September 2014.
• You should disable SSLv3 because of
Poodle.

20. Last Tips
• Backup your servers and data
regularly. It is the only solution you
have if your servers get hacked.
• Keep your systems up-to-date (goes
without saying). Its easy “yum
update”
• Be well informed about recent
vulnerabilities by subscribing to
security mailing lists e.g.
hostingseclist.com

21. Thank You
• Thank you for being here.
Credits :
• Patrick William from Rack911
• Samjad from ActiveLobby
• drServer.net
• cPanel for their development license
• Anyone and Everyone who I missed to mention
:)