Current time: 11-16-2024, 06:33 AM Hello There, Guest! (LoginRegister)


Post Reply 
[HowTo] Make ispCP more Secure !
Author Message
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #1
[HowTo] Make ispCP more Secure !
ATTENTION!
There is a new updated Version in the Wiki.

Please use--> [HowTo] Make ispCP more Secure


Greez BeNe


-----------------------------------------------------------------------------------

Hello,

is started to find out some Infos about the Securtity of my Server and ispCP Omega with some Tools out there in the word wide web.

1.) Disable the ServerSignature like this one:

Code:
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8

Put only these lines in your httpd.conf

Code:
# Disable ServerInfo
ServerSignature Off
ServerTokens Prod

2.) Disable Debugging functions

An attacker may use this flaw to trick your legitimate web users to give
him their credentials. Add the following lines for each virtual host in your configuration file to disable the Debugging:

Code:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

3.) Disable ProFTPD Banner

When you connect to your FTP-Server it looks like this:

Code:
Verbindung mit 62.75.xx.xx wurde hergestellt.
220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]
Benutzer (62.75.xx.xx:(none)):

Here can you see the ProFTPD Version -> 1.3.0

To Disable the Banner add, the following line to the proftpd.conf:
Code:
ServerIdent                    off

Dont forget to restart the Daemons after changing the config.

@Dev-Team: Could also implemented into ispCP for more Security Wink
(This post was last modified: 04-07-2010 02:17 PM by gOOvER.)
03-16-2007 10:45 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BioALIEN Offline
Public Relations Officer
*****
Dev Team

Posts: 620
Joined: Feb 2007
Reputation: 5
Post: #2
RE: How to make VHCS more Secure !
I think some it should be a settings option during the setup/installation process. Some sys admins would want to display this info as it helps them during upgrade, and maintenance. Some want this off for security reasons.

I fall under the latter, but I do know other cases where people would want to display this info. So in my view, the best way to do this is to create a setting which can be on/off to display 1 & 3 above at least.
03-17-2007 01:49 AM
Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #3
RE: How to make VHCS more Secure !
If the security is not enough for the Sysadmin, he can
it also manually do. Its not very much work....
But after an upgrade he has to do it once again.
03-17-2007 01:56 AM
Visit this user's website Find all posts by this user Quote this message in a reply
soringo Offline
Junior Member
*

Posts: 33
Joined: Feb 2007
Reputation: 0
Post: #4
RE: How to make VHCS more Secure !
Great work BeNe....this kind of work stuff can be done for DNS even.
In named.conf.options you can put some conditions to hide informations like:

#VERSION
version "private"; #private can be any string except your named version Smile
recursion no; #for lame servers massages - recursive interrogations

Cheers!
03-17-2007 04:58 AM
Find all posts by this user Quote this message in a reply
Kermit Offline
Junior Member
*

Posts: 75
Joined: Jan 2007
Reputation: 0
Post: #5
RE: How to make VHCS more Secure !
BeNe Wrote:If the security is not enough for the Sysadmin, he can
it also manually do. Its not very much work....
But after an upgrade he has to do it once again.

Is some day since I started to think about putting an "import" statement in every config file of VHCS Omega so that every service could have a user file that overrides default settings and that is not rewritten when the system is upgraded.

For example, think about a proftpd.conf that import a proftpd_userprefs.conf file. In the VHCS Omega installation the file proftp_userprefs.conf is NOT present. There is just a proftpd_userprefs.conf.example that a user could use the first time she lays down her first settings... after that the system will never touch the file again!

This sounds good? It could be an elegant solution to VHCS Omega by-hand customization...
(This post was last modified: 03-20-2007 08:11 AM by Kermit.)
03-20-2007 08:10 AM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #6
RE: How to make VHCS more Secure !
Quote:This sounds good?
Yeah - why not! Could be a good solution.
03-20-2007 04:42 PM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #7
RE: How to make VHCS more Secure !
Not for the first release; maybe a security pack for VHCS Omega maintained by a separate team. I don't like the idea to include you own templates.
03-20-2007 11:42 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #8
RE: How to make VHCS more Secure !
Quote:Not for the first release; maybe a security pack for VHCS Omega maintained by a separate team.

Full ACK.

Quote:I don't like the idea to include you own templates
Yeah, its hard to maintain the default config.
03-21-2007 12:02 AM
Visit this user's website Find all posts by this user Quote this message in a reply
hxbro Offline
Junior Member
*

Posts: 34
Joined: Feb 2007
Reputation: 0
Post: #9
RE: How to make VHCS more Secure !
I'd also install mod_security for apache and enable it for the vhcs directory (or the whole server if you want).
03-23-2007 06:30 PM
Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #10
RE: How to make VHCS more Secure !
hxbro Wrote:I'd also install mod_security for apache and enable it for the vhcs directory (or the whole server if you want).

mod_security is already on the Wishlist Wink
But need enough memory and cpu in my tests...Sad
03-23-2007 06:47 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 10 Guest(s)