L3server - dedicated server and VPS security

L3 Home  -  Dedicated Servers  -  Business Servers  -  Billing  -  Contact 
  VPS | Hosting | Domains | SSL Certs | TOS | Data Center | Support  
Managed Dedicated Secured Servers and VPS Server Hosting  
SECURITY SERVERS
fully managed dedicated servers and VPS solutions for businesses concerned about data security
 
Links
Dedicated Servers
VPS Servers
Master Reseller
SSL Certificates
Merchant Accounts
Support Request
News
 
Security Advice

Security Advice: cPanel, Plesk, DirectAdmin

Did you get one of our VPS or dedicated servers from our SPECIALS section? Please note that we will also install basic security patches and a firewall such as APF or CSF for you on these servers. If we have not yet, just ask us. It is a free service.

We highly suggest to audit your system for any installations of phpBB, PHPNuke, osTicket, My_eGallery, mambo, ModernBill, awstats, phpAd, and any other popular PHP applications you might be running and ensure they are at their most current versions. This is something we can not do for you.

We strongly suggest to install either the "CSF" or the "APF" firewall on your VPS or dedicated server. Do NOT install both firewalls! Please note that there are SPECIAL settings required for installation on VPS servers! Please do consult us BEFORE installing either script on a VPS you have with us (we can also install it for you, free of charge). We also advice to install "Mod_Security" on your server.
CSF — download and install info:
http://www.configserver.com/cp/csf.html
CSF comes with a nice web interface for cPanel or DirectAdmin.
APF — download and install info: http://www.rfxn.com/projects/advanced-policy-firewall/
We do suggest to also install BFD (Brute Force Detection) when installing APF. BFD works together with APF. You can download it here: http://www.rfxn.com/projects/brute-force-detection/
Mod_Security — download and install info: http://eth0.us/
However, if you have a cPanel VPS or dedicated server, just compile "mod_security" into PHP using /scripts/easyapache.

(A) If your dedicated server or VPS runs Apache 2.x, use this install method to get the latest rule set:

1. Run /scripts/easyapache and follow the on screen menu to enable the mod_security module within
    Apache 2.x. (This installs mod_security 2.5.5 which is required for this ruleset)
2. As root, run "wget -O /root/install_modsec_rules http://403security.org/modsec/install_modsec_rules"
3. As root, run "sh /root/install_modsec_rules" and follow the on screen instructions.

(B) However, if you still run Apache 1.9, or if you do want to make sure mod_security works on a shared hosting server with many different clients, use the older rule set below. Go to "Add-ons" in main menu -> "Mod Security" -> click on "Edit Config" (near top), then replace the entire content (the default settings) with the content below — this will guarantee the best possible protection against root intruders using PHP scripts. Restart Apache after such edit.

#These rules work with mod_security 1.9.x and above only
# This is a rule template, with limited application specific matches
# To prevent functionality loss
# Updated 12/04/2010
# Tested to work with apache1 and apache2
#
# BEGIN RULES
#
# Basic rules with arbitrary command detection
SecFilterSelective THE_REQUEST "\.htgroup"
SecFilterSelective THE_REQUEST "\.htaccess"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~root"
SecFilterSelective THE_REQUEST "/~ftp"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilterSelective THE_REQUEST "/htgrep" log,pass
SecFilterSelective THE_REQUEST "/\.history"
SecFilterSelective THE_REQUEST "/\.bash_history"
SecFilterSelective THE_REQUEST "/~nobody"
SecFilterSelective THE_REQUEST "<script"
SecFilterSelective THE_REQUEST "psybnc"
SecFilterSelective THE_REQUEST "cmd=cd\x20/var"
SecFilterSelective THE_REQUEST "\?STRENGUR"
SecFilterSelective THE_REQUEST "/etc/motd"
SecFilterSelective THE_REQUEST "/etc/passwd"
SecFilterSelective THE_REQUEST "conf/httpd\.conf"
SecFilterSelective THE_REQUEST "/bin/ps"
SecFilterSelective THE_REQUEST "bin/tclsh"
SecFilterSelective THE_REQUEST "tclsh8\x20"
SecFilterSelective THE_REQUEST "chsh"
SecFilterSelective THE_REQUEST "udp\.pl"
SecFilterSelective THE_REQUEST "wget\x20"
SecFilterSelective THE_REQUEST "bin/nasm"
SecFilterSelective THE_REQUEST "nasm\x20"
SecFilterSelective THE_REQUEST "/usr/bin/perl"
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-(charset|width) "
SecFilterSelective THE_REQUEST "links (http|https|ftp)\:/"
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "cd\x20/(tmp|var/tmp|etc/httpd/proxy|dev/shm)"
SecFilterSelective THE_REQUEST "cd\.\."
SecFilterSelective THE_REQUEST "///cgi-bin"
SecFilterSelective THE_REQUEST "/cgi-bin///"
SecFilterSelective THE_REQUEST "/~named(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~guest(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~logs(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~sshd(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~ftp(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~bin(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/~nobody(/| HTTP\/(0\.9|1\.0|1\.1)$)"
SecFilterSelective THE_REQUEST "/\.history HTTP\/(0\.9|1\.0|1\.1)$"
SecFilterSelective THE_REQUEST "/\.bash_history HTTP\/(0\.9|1\.0|1\.1)$"
SecFilter "(cmd|command)=(cd|\;|perl|python|lynx|links|mkdir|elinks|cmd|wget|uname|(s|r)(cp|sh)|net(stat|cat)|rexec|smbclient|curl)"
SecFilterSelective REQUEST_URI "/nessus_is_probing_you_"
SecFilterSelective REQUEST_URI "/NessusTest"
SecFilter "javascript\://"
SecFilter "img src=javascript"
SecFilter "_PHPLIB\[libdir\]"
SecFilter "hdr=/"
#Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#Specific XML-RPC attacks on xmlrpc.php
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "(\<xml|\<.*xml)" chain
SecFilter "(echo( |\(|\').*\;|chr|fwrite|fopen|system)\(.*\)\;"
#XML-RPC SQL injection generic signature
SecFilterSelective THE_REQUEST "(/xmlrpc|.*xmlrpc_services)\.php" chain
SecFilter "<methodName>.*</methodName>.*<value><string>.*(delete|insert|drop|replace|update|create)[[:space:]]+[A-Z|a-z|0-9|\*| |,]+[[:space:]](from|into|table).*methodName\>"
#Exploit phpBB Highlighting Code Execution/SQL Injection - Santy.A Worm
SecFilter "&highlight=\'\.fwrite\(fopen\("
SecFilter "&highlight=\x2527\x252Esystem\("
SecFilter "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilterSelective THE_REQUEST "(\;|\&)highlight=\'\.system\("
SecFilterSelective THE_REQUEST "&highlight=\'\.mysql_query\("
SecFilterSelective THE_REQUEST "&highlight=\'\.fwrite\(fopen\("
SecFilterSelective THE_REQUEST "&highlight=%2527%252E"
SecFilterSelective THE_REQUEST "&highlight=\x2527\x252Esystem\("
SecFilterSelective THE_REQUEST "/viewtopic\.php\?.*(highlight.*(\'\.|\x2527|\x27)|include\(.*GET\[.*\]\)|=(http|https|ftp)\:/|(printf|system)\()"
#phpBB remote command execution exploit
SecFilterSelective REQUEST_URI "profile\.php\?GLOBALS\[signature_bbcode_uid\]=\(\.\x2B\)/e\x00"
SecFilterSelective REQUEST_URI|POST_PAYLOAD "r57phpBB2017xpl"
SecFilterSelective POST_PAYLOAD "_bill_gates@microsoft\.com"
SecFilterSelective THE_REQUEST "/admin/admin_forums\.php\?sid=.*" chain
SecFilter "(forumname|forumdesc)=*\<[[:space:]]*(script|about|applet|activex|chrome)"
SecFilterSelective REQUEST_URI "/posting\.php\?mode=reply\&t=.*userid.*phpbb2mysql_t=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/posting\.php\\?.*(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php"
SecFilter "^/viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)"
SecFilterSelective THE_REQUEST "viewtopic\.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(passthru|cmd|fopen|exit|fwrite)"
SecFilter "phpbb_root_path="
SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/groupcp\.php\?g=.*sid=\'"
SecFilterSelective REQUEST_URI "/index\.php\?(c|mark)=*\'"
SecFilterSelective REQUEST_URI "/portal\.php\?article=*\'"
SecFilterSelective REQUEST_URI "/viewforum.php?f=.*sid=\'"
SecFilterSelective REQUEST_URI "/viewtopic.php?p=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_search\.php\?mode=\'"
SecFilterSelective REQUEST_URI "/album_cat\.php\?cat_id=.*sid=\'"
SecFilterSelective REQUEST_URI "/album_comment\.php\?pic_id=.*sid=\'"
SecFilterSelective REQUEST_URI "calendar_scheduler\.php\?d=.*&mode=&start=\'\">"
SecFilterSelective REQUEST_URI "/profile\.php\?mode=viewprofile&u=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
SecFilterSelective REQUEST_URI "/viewtopic\.php\?p=.*&highlight=.*((script|script|about|applet|activex|chrome)\>|html|(http|https|ftp)\:/)"
#awstats XSS vulnerabilities
SecFilterSelective THE_REQUEST "awstats" chain
SecFilterSelective ARGS "(pluginmode|loadplugin|debug|configdir|perl|cgi|chmod|exec|print)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(configdir|update|pluginmode|cgi)=(\||echo|\:system\()"
SecFilterSelective REQUEST_URI "/awstats\.pl\?(debug=1|pluginmode=rawlog\&loadplugin=rawlog|update=1\&logfile=\|)"
SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
SecFilterSelective REQUEST_URI "/awstats\.pl\?configdir="
SecFilterSelective REQUEST_URI "awstats\.pl\?" chain
SecFilterSelective ARGS "(debug|configdir|perl|chmod|exec|print|cgi)"


Malware Scanner Script
(for Linux OS with any control panel):
We would like to suggest the installation of the following malware detection script on the dedicated server or VPS server you have with us. We have tested this script for two months with great success--and without any issues. You can basically install it in 2 minutes and then forget about it.
General info at developer's site:
http://www.rfxn.com/projects/linux-malware-detect/
This is a malware detection script that will find most of the usual hacker scripts that get typically installed by hacking forums or shopping carts installed in your hosting accounts. The installation will set up a cron job that runs once a day and that will check any files that had been altered since it last run. Here are the installation instructions--but we can also install it for you, *if* you fill out a ticket with your current login credentials.
INSTALL INSTRUCTIONS:
cd /usr/local/
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz tar xfz maldetect-current.tar.gz
tar -xzf maldetect-current.tar.gz
cd maldetect-*
./install.sh
nano -w /usr/local/maldetect/conf.maldet
  (to EDIT config file)
SUGGESTED EDITs ... **note** that "quar_hits=1" is the most essential one that really needs to be set to activate any action by the script, even if you do not want to receive emails:
email_alert=1
email_addr="Your@Email-Address-here"
quar_hits=1

 


 

 
 
Dedicated Servers  |  VPS Servers  |  Domain Registration  |  SSL Certs  |  Support  |  Contact
serverMaster Reseller   -  Data Center  -  TOS  -  Billing Login  -  Email