ssh
If possible, don't allow user logins over SSH to the server. Also disable root login and use sudo to gain root access.
[root@directadmin]# nano -w /etc/ssh/sshd_config
Change:
PermitRootLogin no
Restart ssh server!
[root@directadmin]# /etc/init.d/sshd restart
Note: Make sure sudo is installed and your user has been added to sudoers!
Filesystem
You can restrict access to, and hide, certain folders and files.
cd /
chmod 751 .
chmod 751 /etc
chmod 751 /home
chmod 751 /boot
chmod 751 /usr/local
chmod 751 /usr/local/bin
chmod 751 /usr/local/directadmin
chmod 751 /bin
chmod 751 /usr/bin
chmod 750 /usr/bin/users
chmod 750 /usr/bin/top
chmod 750 /usr/bin/who
chmod 750 /usr/bin/lspci
chmod 750 /usr/bin/ftp
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
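As an added check (example code written for this page, not part of the original guide or of DirectAdmin), the script below audits the modes set above and reports every path that has drifted, which typically happens after a package upgrade reinstalls a binary with its default mode. The table of paths and modes is the guide's own list; the function name, the AUDIT_LIVE switch and the reliance on GNU stat -c %a (Linux) are my choices.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the hardened modes.
# Each table line is "<path> <expected octal mode>", taken from the guide.
# Uses GNU coreutils 'stat -c %a' (Linux); on BSD/macOS use 'stat -f %Lp'.

HARDENED_MODES='
/ 751
/etc 751
/home 751
/boot 751
/usr/local 751
/usr/local/bin 751
/usr/local/directadmin 751
/bin 751
/usr/bin 751
/usr/bin/users 750
/usr/bin/top 750
/usr/bin/who 750
/usr/bin/lspci 750
/usr/bin/ftp 750
/usr/bin/rcp 750
/usr/bin/lynx 750
/usr/bin/links 750
'

# audit_modes ROOT   (table on stdin)
# ROOT is prepended to every path so the check can also run against a staging
# tree; pass "" for the live system. Prints one line per problem and returns
# the number of problems found (0 means every mode matches the table).
audit_modes() {
    root="$1"
    bad=0
    while read -r path want; do
        # skip blank lines and comments in the table
        case "$path" in ''|'#'*) continue ;; esac
        target="$root$path"
        if [ ! -e "$target" ]; then
            printf 'MISSING %s\n' "$target"
            bad=$((bad + 1))
            continue
        fi
        have=$(stat -c %a "$target")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s has %s, expected %s\n' "$target" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# The live system is only audited when asked for explicitly:
#   AUDIT_LIVE=1 sh audit_modes.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    printf '%s\n' "$HARDENED_MODES" | audit_modes ""
fi
```

Run it from cron after each custombuild or package update; a non-zero exit status means at least one path no longer has the mode the guide set.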
php.ini
There are certain functions in PHP that we don't want users to use because of the danger they pose. Even if you know your users aren't using certain functions, it is wise to disable them completely so an attacker can't use them either. This precaution is especially effective at stopping an attacker who has somehow managed to upload a PHP script, write one to the filesystem, or include a remote PHP file. By disabling this functionality you limit the effectiveness of these types of attacks.
Depending on your configuration, edit php.ini and disable the dangerous functions. Which php.ini applies depends on your server and PHP module configuration (mod_php, php-fastcgi, PHP-FPM, suPHP, lsphp):
/usr/local/lib/php.ini
/usr/local/etc/php5/cgi/php.ini
/usr/local/etc/php6/cgi/php.ini
/usr/local/etc/php7/cgi/php.ini
Change disable_functions to the list below:
disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname
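To confirm that a php.ini really carries the whole list, here is an added example (my code, not the guide's or DirectAdmin's) that reads the effective disable_functions directive and prints every function from the list that is still enabled. It relies on two PHP facts: disable_functions is PHP_INI_SYSTEM, so it can only be set in php.ini or the SAPI's own config and never from ini_set() or .htaccess, and when the directive appears more than once PHP keeps the last value. The function names are mine; the list is the guide's.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that php.ini disables
# every function in the list above.

# The guide's list, as one comma-separated string:
REQUIRED_DISABLED='exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname'

# effective_disable_functions PHP_INI
# Prints the value of the last active (uncommented) disable_functions line,
# with whitespace and quotes removed, which is the value PHP actually uses.
effective_disable_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]"'
}

# disable_functions_missing PHP_INI REQUIRED_LIST
# Prints each function from REQUIRED_LIST that is not disabled in PHP_INI and
# returns the number of missing functions (0 means the hardening is complete).
disable_functions_missing() {
    current=$(effective_disable_functions "$1")
    missing=0
    old_ifs=$IFS; IFS=','
    for fn in $2; do
        case ",$current," in
            *",$fn,"*) ;;                                  # disabled, good
            *) printf '%s\n' "$fn"; missing=$((missing + 1)) ;;
        esac
    done
    IFS=$old_ifs
    return "$missing"
}

# Usage against one of the php.ini paths listed above:
#   disable_functions_missing /usr/local/lib/php.ini "$REQUIRED_DISABLED"
```

Run it once per php.ini path that your PHP setup uses (mod_php and the CGI/FPM builds read different files), because a list that is complete in one file does nothing for the other SAPIs.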
Install Clamav Scanner
[root@directadmin]# cd /usr/local/directadmin/custombuild
Edit options.conf and change to:
clamav=yes
clamav_exim=yes
[root@directadmin]# ./build clamav
Clamav Signatures
Edit the freshclam.conf file:
[root@directadmin]# nano -w /etc/freshclam.conf
Add these lines at the end of the file:
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ndb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.hdb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.ldb
DatabaseCustomURL http://cdn.malware.expert/malware.expert.fp
Restart Freshclam
[root@directadmin]# /etc/init.d/freshclam restart
Extra Signatures
If you want to use more signatures with ClamAV, I suggest installing Linux Malware Detect from www.rfxn.com.
If you don't want to install the software itself, you can use only its signatures with ClamAV. Add at the end of freshclam.conf:
DatabaseCustomURL http://cdn.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://cdn.rfxn.com/downloads/rfxn.hdb
Install ModSecurity
[root@directadmin]# cd /usr/local/directadmin/custombuild
Edit the options.conf file:
modsecurity=yes
modsecurity_ruleset=none
Build ModSecurity with custombuild:
[root@directadmin]# ./build modsecurity
[root@directadmin]# ./build modsecurity_rules
ModSecurity Scan Uploads with Clamav
Scan all files uploaded to the server with ModSecurity rules.
Edit the options.conf file:
modsecurity_uploadscan=yes
Install the runav.conf ModSecurity rules:
[root@directadmin]# mkdir /usr/local/directadmin/custombuild/custom
[root@directadmin]# mkdir /usr/local/directadmin/custombuild/custom/modsecurity
[root@directadmin]# mkdir /usr/local/directadmin/custombuild/custom/modsecurity/conf
Create the runav.conf file in the folder just created, with this content:
SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/runav.pl" \
    "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'399999'"
Apply the rule modifications:
[root@directadmin]# ./build modsecurity_rules
Check that the rules were installed in the /etc/modsecurity.d folder!
Also check the /usr/local/bin/runav.pl file:
#!/usr/bin/perl
#
# runav.pl
# Copyright (c) 2004-2011 Trustwave
#
# This script is an interface between ModSecurity and its
# ability to intercept files being uploaded through the
# web server, and ClamAV

$CLAMDSCAN = "/usr/local/bin/clamdscan";

if ($#ARGV != 0) {
    print "Usage: runav.pl <filename>\n";
    exit;
}

my ($FILE) = shift @ARGV;

# Ask the clamd daemon to scan the file; only the first line of its output is used
$cmd = "$CLAMDSCAN --stdout --no-summary $FILE";
$input = `$cmd`;
$input =~ m/^(.+)/;
$error_message = $1;

# @inspectFile looks at the first character of the script's output: "1" lets
# the upload through, "0" makes the rule match (here: block). Anything the
# script cannot parse is treated as a match, so unexpected scanner output
# fails closed.
$output = "0 Unable to parse clamscan output [$1]";

if ($error_message =~ m/: Empty file\.?$/) {
    $output = "1 empty file";
}
elsif ($error_message =~ m/: (.+) ERROR$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: (.+) FOUND$/) {
    $output = "0 clamscan: $1";
}
elsif ($error_message =~ m/: OK$/) {
    $output = "1 clamscan: OK";
}

# Hand the verdict to ModSecurity; the script must print it, otherwise
# @inspectFile receives no answer at all.
print "$output\n";
Malware Expert – ModSecurity Rules
[root@directadmin]# cd /usr/local/directadmin/custombuild
[root@directadmin]# mkdir custom
[root@directadmin]# mkdir custom/modsecurity
[root@directadmin]# mkdir custom/modsecurity/conf
Add the file malware_expert.conf to the custom/modsecurity/conf folder and replace (serial key) with your key:
SecRemoteRules (serial key) https://rules.malware.expert/download.php?rules=generic
If you don't have a licence, buy now!
Add the file rbl.conf to the custom/modsecurity/conf folder:
SecRule REQUEST_METHOD "POST" "id:'400010',phase:1,t:none,chain,drop,noauditlog,msg:'Malware host detected by rbl.malware.expert'"
    SecRule REMOTE_ADDR "@rbl rbl.malware.expert"
NOTE! Make sure you update the rules with custombuild:
[root@directadmin]# ./build modsecurity_rules
And check that custombuild added malware_expert.conf as /etc/modsecurity.d/malware_expert.conf.
httpd-modsecurity.conf (Depends on Server Configuration)
The Apache ModSecurity configuration also needs small modifications, because ClamAV needs to scan the uploaded files.
These work with Apache 2.4 / mod_php / mod_ruid2:
[root@directadmin]# cd /usr/local/directadmin/custombuild
[root@directadmin]# mkdir custom
[root@directadmin]# mkdir custom/ap2
[root@directadmin]# mkdir custom/ap2/conf
[root@directadmin]# mkdir custom/ap2/extra
Add the custom/ap2/extra/httpd-modsecurity.conf file with these modifications:
LoadFile /usr/local/lib/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so
<IfModule mod_security2.c>
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecDefaultAction "phase:1,deny,log,status:406"
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRemoteRulesFailAction Warn
    SecRequestBodyLimitAction ProcessPartial
    SecResponseBodyLimitAction ProcessPartial
    SecRequestBodyLimit 268435456
    SecRequestBodyNoFilesLimit 268435456
    SecPcreMatchLimit 250000
    SecPcreMatchLimitRecursion 250000
    SecCollectionTimeout 600
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogDirMode 1733
    SecAuditLogFileMode 0550
    SecAuditLogType Concurrent
    SecAuditLogStorageDir /var/log/modsec_audit
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecUploadDir /tmp
    SecTmpDir /tmp
    SecDataDir /tmp
    SecUploadFileMode 0644
    SecTmpSaveUploadedFiles on
    # ModSecurity Core Rules Set and Local configuration
    IncludeOptional /etc/modsecurity.d/*.conf.main
    IncludeOptional /etc/modsecurity.d/*.conf
</IfModule>
Rebuild configurations:
[root@directadmin]# ./build rewrite_confs
Activate rules and modifications:
[root@directadmin]# ./build modsecurity_rules
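The following added example (my code, not the guide's or DirectAdmin's) audits the two "Key Value" style configs this page edits: sshd_config from the ssh section and the custom httpd-modsecurity.conf above, checking the directives the ClamAV upload hook depends on, plus a check that a rule using @inspectFile actually landed in the rules folder. One detail matters for any such audit: sshd uses the first occurrence of a keyword, while Apache and ModSecurity use the last one in the same scope, so the helper takes the policy as a parameter. Function names and the temporary files in the test are mine; Key=Value spelling (which sshd_config also accepts) is not handled.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit sshd_config and the
# custom httpd-modsecurity.conf for the settings the guide relies on.

# directive_value FILE KEY first|last
# Prints the value of KEY (case-insensitive), ignoring comment lines.
# sshd_config honours the FIRST occurrence of a keyword; Apache/ModSecurity
# honour the LAST one in the same scope, so the caller picks the policy.
directive_value() {
    file="$1" key="$2" policy="$3"
    awk -v key="$key" -v policy="$policy" '
        /^[[:space:]]*#/ { next }                  # comment line
        tolower($1) == tolower(key) {
            v = $2
            if (policy == "first") { print v; found = 1; exit }
            last = v; found = 1
        }
        END { if (found && policy != "first") print last }
    ' "$file"
}

# check_directive FILE KEY EXPECTED first|last
# Prints a verdict line; returns 0 when the value matches (case-insensitive).
check_directive() {
    have=$(directive_value "$1" "$2" "$4")
    lhave=$(printf '%s' "$have" | tr 'A-Z' 'a-z')
    lwant=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$lhave" = "$lwant" ]; then
        printf 'OK      %s %s\n' "$2" "$have"
        return 0
    fi
    printf 'PROBLEM %s is "%s", expected "%s"\n' "$2" "${have:-<unset>}" "$3"
    return 1
}

# audit_sshd FILE: the ssh section sets PermitRootLogin no.
# Returns the number of problems found.
audit_sshd() {
    bad=0
    check_directive "$1" PermitRootLogin no first || bad=$((bad + 1))
    return "$bad"
}

# audit_modsec_uploads FILE: what the runav.pl/@inspectFile hook needs.
# SecRuleEngine must be On (DetectionOnly only logs, it never blocks),
# SecRequestBodyAccess On is what populates FILES_TMPNAMES, and the upload
# must be saved under SecUploadDir (the guide uses /tmp) for runav.pl to scan.
audit_modsec_uploads() {
    bad=0
    check_directive "$1" SecRuleEngine On last            || bad=$((bad + 1))
    check_directive "$1" SecRequestBodyAccess On last     || bad=$((bad + 1))
    check_directive "$1" SecTmpSaveUploadedFiles On last  || bad=$((bad + 1))
    check_directive "$1" SecUploadDir /tmp last           || bad=$((bad + 1))
    return "$bad"
}

# inspectfile_rule_present DIR: 0 if any *.conf in DIR contains an
# @inspectFile rule, i.e. custombuild really installed runav.conf.
inspectfile_rule_present() {
    grep -q '@inspectFile' "$1"/*.conf 2>/dev/null
}

# Usage on the live server:
#   audit_sshd /etc/ssh/sshd_config
#   audit_modsec_uploads /usr/local/directadmin/custombuild/custom/ap2/extra/httpd-modsecurity.conf
#   inspectfile_rule_present /etc/modsecurity.d && echo "upload scan rule installed"
```

Run the three checks after every ./build rewrite_confs and ./build modsecurity_rules; a PROBLEM line for SecRuleEngine or SecTmpSaveUploadedFiles is the usual reason an upload of a test file is logged but not blocked.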