ispCP - Board - Support
[HowTo] Make ispCP more Secure ! - Printable Version


[HowTo] Make ispCP more Secure ! - BeNe - 03-16-2007 10:45 PM

ATTENTION!
There is a new updated Version in the Wiki.

Please use--> [HowTo] Make ispCP more Secure


Greez BeNe


-----------------------------------------------------------------------------------

Hello,

I started to find out some info about the security of my server and ispCP Omega with some tools out there on the World Wide Web.

1.) Disable the ServerSignature like this one:

Code:
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8

Put only these lines in your httpd.conf

Code:
# Disable ServerInfo
ServerSignature Off
ServerTokens Prod

2.) Disable Debugging functions

An attacker may use this flaw to trick your legitimate web users into giving him their credentials. Add the following lines for each virtual host in your configuration file to disable the debugging:

Code:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

3.) Disable ProFTPD Banner

When you connect to your FTP-Server it looks like this:

Code:
Verbindung mit 62.75.xx.xx wurde hergestellt.
220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]
Benutzer (62.75.xx.xx:(none)):

Here you can see the ProFTPD version -> 1.3.0

To disable the banner, add the following line to the proftpd.conf:
Code:
ServerIdent                    off

Don't forget to restart the daemons after changing the config.

@Dev-Team: This could also be implemented into ispCP for more security ;)


RE: How to make VHCS more Secure ! - BioALIEN - 03-17-2007 01:49 AM

I think it should be a settings option during the setup/installation process. Some sysadmins would want to display this info as it helps them during upgrade and maintenance. Some want this off for security reasons.

I fall under the latter, but I do know other cases where people would want to display this info. So in my view, the best way to do this is to create a setting which can be on/off to display 1 & 3 above at least.


RE: How to make VHCS more Secure ! - BeNe - 03-17-2007 01:56 AM

If the security is not enough for the sysadmin, he can also do it manually. It's not very much work....
But after an upgrade he has to do it once again.


RE: How to make VHCS more Secure ! - soringo - 03-17-2007 04:58 AM

Great work BeNe... this kind of stuff can be done for DNS too.
In named.conf.options you can put some conditions to hide information, like:

#VERSION
version "private"; # "private" can be any string except your named version :)
recursion no; # for lame server messages - recursive interrogations

Cheers!
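
Because an upgrade rewrites these files, the settings from steps 1 to 3 and the named.conf.options suggestion are worth re-checking afterwards. The script below is an added example, not part of any post in this thread and not ispCP code; its function names and sample configs are constructed, and it assumes simple one-line directives:

```python
import re

def directives(text):
    """Map lower-cased directive -> value (last wins); drops '#'/'//' comments and ';'."""
    out = {}
    for raw in text.splitlines():
        line = re.split(r"#|//", raw, maxsplit=1)[0].strip().rstrip(";").strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0].lower()] = parts[1].strip().strip('"').lower()
    return out

def vhosts_missing_trace_block(apache_conf):
    """<VirtualHost> blocks lacking the step 2 rewrite lines (added per vhost)."""
    needed = (r"^\s*RewriteEngine\s+on\s*$",
              r"^\s*RewriteCond\s+%\{REQUEST_METHOD\}\s+\^\(TRACE\|TRACK\)",
              r"^\s*RewriteRule\s+\S+\s+-\s+\[F\]")
    blocks = re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", apache_conf, re.S | re.I)
    return [m.group(1).strip() for m in blocks
            if not all(re.search(p, m.group(2), re.M | re.I) for p in needed)]

def audit(apache_conf, proftpd_conf, named_conf):
    """Return findings; an absent directive is reported like a wrong value."""
    a, p, n = (directives(c) for c in (apache_conf, proftpd_conf, named_conf))
    checks = [(a.get("serversignature") == "off", "apache: ServerSignature not set to Off"),
              (a.get("servertokens") == "prod", "apache: ServerTokens not set to Prod"),
              (p.get("serverident") == "off", "proftpd: ServerIdent not set to off"),
              ("version" in n, "named: no version string set"),
              (n.get("recursion") == "no", "named: recursion not set to no")]
    findings = [msg for ok, msg in checks if not ok]
    return findings + [f"apache: vhost {v} lacks the TRACE/TRACK rule"
                       for v in vhosts_missing_trace_block(apache_conf)]

# Constructed sample configs (not taken from a real server).
APACHE = """ServerSignature Off
ServerTokens Prod
<VirtualHost *:80>
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName b.example
</VirtualHost>
"""
PROFTPD = "ServerName \"ftp\"\n# ServerIdent off\n"
NAMED = 'options {\n  version "private";  # hide the real version\n  recursion no;\n};\n'
if __name__ == "__main__":
    print("\n".join(audit(APACHE, PROFTPD, NAMED)))
```

With the sample input, the commented-out ServerIdent line and the second virtual host are the two findings reported.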


RE: How to make VHCS more Secure ! - Kermit - 03-20-2007 08:10 AM

BeNe Wrote: If the security is not enough for the sysadmin, he can also do it manually. It's not very much work....
But after an upgrade he has to do it once again.

It's been some days since I started to think about putting an "import" statement in every config file of VHCS Omega so that every service could have a user file that overrides default settings and that is not rewritten when the system is upgraded.

For example, think about a proftpd.conf that imports a proftpd_userprefs.conf file. In the VHCS Omega installation the file proftpd_userprefs.conf is NOT present. There is just a proftpd_userprefs.conf.example that a user could use the first time she lays down her first settings... after that the system will never touch the file again!

This sounds good? It could be an elegant solution to VHCS Omega by-hand customization...


RE: How to make VHCS more Secure ! - BeNe - 03-20-2007 04:42 PM

Quote:This sounds good?
Yeah - why not! Could be a good solution.


RE: How to make VHCS more Secure ! - RatS - 03-20-2007 11:42 PM

Not for the first release; maybe a security pack for VHCS Omega maintained by a separate team. I don't like the idea to include your own templates.


RE: How to make VHCS more Secure ! - BeNe - 03-21-2007 12:02 AM

Quote:Not for the first release; maybe a security pack for VHCS Omega maintained by a separate team.

Full ACK.

Quote:I don't like the idea to include your own templates
Yeah, it's hard to maintain the default config.


RE: How to make VHCS more Secure ! - hxbro - 03-23-2007 06:30 PM

I'd also install mod_security for apache and enable it for the vhcs directory (or the whole server if you want).


RE: How to make VHCS more Secure ! - BeNe - 03-23-2007 06:47 PM

hxbro Wrote:I'd also install mod_security for apache and enable it for the vhcs directory (or the whole server if you want).

mod_security is already on the wishlist ;)
But it needs enough memory and CPU in my tests... :(