[HowTo] Make ispCP more Secure !
BeNe (Moderator)
Post: #1
ATTENTION!
There is a new updated Version in the Wiki.

Please use --> [HowTo] Make ispCP more Secure


Greez BeNe


-----------------------------------------------------------------------------------

Hello,

I started to find out some info about the security of my server and ispCP Omega with some tools out there on the World Wide Web.

1.) Disable the ServerSignature like this one:

Code:
Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8

Put only these lines in your httpd.conf

Code:
# Disable ServerInfo
ServerSignature Off
ServerTokens Prod

2.) Disable Debugging functions

An attacker may use this flaw to trick your legitimate web users into giving him their credentials. Add the following lines for each virtual host in your configuration file to disable the debugging:

Code:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

3.) Disable ProFTPD Banner

When you connect to your FTP-Server it looks like this:

Code:
Verbindung mit 62.75.xx.xx wurde hergestellt.
220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]
Benutzer (62.75.xx.xx:(none)):

Here you can see the ProFTPD version -> 1.3.0

To disable the banner, add the following line to the proftpd.conf:
Code:
ServerIdent                    off

Don't forget to restart the daemons after changing the config.

@Dev-Team: Could also be implemented into ispCP for more security ;)
(This post was last modified: 04-07-2010 02:17 PM by gOOvER.)
03-16-2007 10:45 PM
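A way to confirm that steps 1 to 3 took effect, added here as an example and not part of the original post: `leaked_versions` flags product/version pairs in a Server header or FTP greeting, and the probe functions fetch those values from a host you administer. The `AFTER_*` banners are constructed, and accepting 405 for TRACE assumes Apache's `TraceEnable off`, which the post does not use.

```python
import http.client
import re
import socket

# Product token followed by a dotted version: "Apache/2.2.3", "Perl/v5.8.8", "ProFTPD 1.3.0"
VERSION_RE = re.compile(r"\b([A-Za-z][\w+-]*)[/ ]v?(\d+(?:\.\d+)+)")

# Banners quoted in the post, plus constructed values for the hardened state
BEFORE_HTTP = "Apache/2.2.3 (Debian) mod_fastcgi/2.4.2 mod_perl/2.0.2 Perl/v5.8.8"
BEFORE_FTP = "220 ProFTPD 1.3.0 Server (vsxxxxxx) [62.75.xx.xx]"
AFTER_HTTP = "Apache"                          # ServerTokens Prod
AFTER_FTP = "220 192.0.2.10 FTP server ready"  # constructed greeting, ServerIdent off

def leaked_versions(banner):
    """Return the (product, version) pairs a banner gives away."""
    return VERSION_RE.findall(banner)

def trace_refused(status):
    """403 is what the RewriteRule [F] from step 2 returns; 405 is assumed
    for a server configured with TraceEnable off instead."""
    return status in (403, 405)

def probe_http(host, port=80):
    """Live check: Server header and the status of a TRACE request."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/")
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Server", ""), resp.status
    finally:
        conn.close()

def probe_ftp(host, port=21):
    """Live check: first line of the FTP greeting (the 220 reply)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        lines = sock.recv(1024).decode("latin-1").splitlines()
        return lines[0] if lines else ""

def report(host):
    """Run both probes against your own server and summarise the result."""
    server, status = probe_http(host)
    return {"http_versions": leaked_versions(server),
            "trace_refused": trace_refused(status),
            "ftp_versions": leaked_versions(probe_ftp(host))}

if __name__ == "__main__":
    for banner in (BEFORE_HTTP, BEFORE_FTP, AFTER_HTTP, AFTER_FTP):
        print(banner, "->", leaked_versions(banner) or "no version leaked")
```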
BioALIEN (Public Relations Officer, Dev Team)
Post: #2
RE: How to make VHCS more Secure !
I think it should be a settings option during the setup/installation process. Some sys admins would want to display this info as it helps them during upgrade and maintenance. Some want this off for security reasons.

I fall under the latter, but I do know other cases where people would want to display this info. So in my view, the best way to do this is to create a setting which can be on/off to display 1 & 3 above at least.
03-17-2007 01:49 AM
BeNe (Moderator)
Post: #3
RE: How to make VHCS more Secure !
If the security is not enough for the Sysadmin, he can also do it manually. It's not very much work....
But after an upgrade he has to do it once again.
03-17-2007 01:56 AM
soringo (Junior Member)
Post: #4
RE: How to make VHCS more Secure !
Great work BeNe... this kind of work stuff can be done for DNS even.
In named.conf.options you can put some conditions to hide information like:

#VERSION
version "private"; #private can be any string except your named version :)
recursion no; #for lame servers messages - recursive interrogations

Cheers!
03-17-2007 04:58 AM
Kermit (Junior Member)
Post: #5
RE: How to make VHCS more Secure !
BeNe Wrote: If the security is not enough for the Sysadmin, he can also do it manually. It's not very much work....
But after an upgrade he has to do it once again.

It has been some days since I started to think about putting an "import" statement in every config file of VHCS Omega so that every service could have a user file that overrides default settings and that is not rewritten when the system is upgraded.

For example, think about a proftpd.conf that imports a proftpd_userprefs.conf file. In the VHCS Omega installation the file proftpd_userprefs.conf is NOT present. There is just a proftpd_userprefs.conf.example that a user could use the first time she lays down her first settings... after that the system will never touch the file again!

This sounds good? It could be an elegant solution to VHCS Omega by-hand customization...
(This post was last modified: 03-20-2007 08:11 AM by Kermit.)
03-20-2007 08:10 AM
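The upgrade problem raised in posts #3 and #5 can be caught with a check that runs after every upgrade. This added example (not ispCP code and not from any poster) reads the three config files discussed in the thread and reports which hardening settings are no longer effective; the sample file contents are constructed, and it assumes the last occurrence of a directive is the effective one.

```python
import re

# (file, directive, expected value), taken from the posts in this thread
EXPECTED = [
    ("httpd.conf", "ServerSignature", "off"),
    ("httpd.conf", "ServerTokens", "prod"),
    ("proftpd.conf", "ServerIdent", "off"),
    ("named.conf.options", "recursion", "no"),
]
TRACE_RULE = re.compile(
    r"^[ \t]*RewriteCond[ \t]+%\{REQUEST_METHOD\}[ \t]+\^\(TRACE\|TRACK\)[^\n]*\n"
    r"[ \t]*RewriteRule[ \t]+\S+[ \t]+-[ \t]+\[F\]", re.I | re.M)

def effective_value(text, directive):
    """Last active value of a directive, lower-cased; None if absent or commented out."""
    found = re.findall(rf"^[ \t]*{re.escape(directive)}[ \t]+([^\s;#]+)", text, re.I | re.M)
    return found[-1].lower() if found else None

def audit(configs):
    """configs maps file name -> file content; returns a list of findings."""
    findings = []
    for fname, directive, want in EXPECTED:
        got = effective_value(configs.get(fname, ""), directive)
        if got == "productonly":          # long form of ServerTokens Prod
            got = "prod"
        if got != want:
            findings.append(f"{fname}: {directive} is {got or 'not set'}, expected {want}")
    # Presence check only: the first post asks for the rule in every virtual host
    if not TRACE_RULE.search(configs.get("httpd.conf", "")):
        findings.append("httpd.conf: TRACE/TRACK rewrite rule missing")
    if effective_value(configs.get("named.conf.options", ""), "version") is None:
        findings.append("named.conf.options: version string not overridden")
    return findings

# Constructed samples: hardened files, and the same files after an upgrade rewrote them
HARDENED = {
    "httpd.conf": "ServerSignature Off\nServerTokens Prod\nRewriteEngine on\n"
                  "RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)\nRewriteRule .* - [F]\n",
    "proftpd.conf": "ServerIdent                    off\n",
    "named.conf.options": 'options {\n    version "private";\n    recursion no;\n};\n',
}
AFTER_UPGRADE = {**HARDENED,
                 "httpd.conf": "ServerSignature Off\nServerTokens Prod\nServerTokens Full\n",
                 "proftpd.conf": "# ServerIdent off\n"}

if __name__ == "__main__":
    for name, files in (("hardened", HARDENED), ("after upgrade", AFTER_UPGRADE)):
        print(name, audit(files) or "ok")
```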
BeNe (Moderator)
Post: #6
RE: How to make VHCS more Secure !
Quote: This sounds good?
Yeah - why not! Could be a good solution.
03-20-2007 04:42 PM
RatS (Project Leader)
Post: #7
RE: How to make VHCS more Secure !
Not for the first release; maybe a security pack for VHCS Omega maintained by a separate team. I don't like the idea to include your own templates.
03-20-2007 11:42 PM
BeNe (Moderator)
Post: #8
RE: How to make VHCS more Secure !
Quote: Not for the first release; maybe a security pack for VHCS Omega maintained by a separate team.

Full ACK.

Quote: I don't like the idea to include your own templates
Yeah, it's hard to maintain the default config.
03-21-2007 12:02 AM
hxbro (Junior Member)
Post: #9
RE: How to make VHCS more Secure !
I'd also install mod_security for apache and enable it for the vhcs directory (or the whole server if you want).
03-23-2007 06:30 PM
BeNe (Moderator)
Post: #10
RE: How to make VHCS more Secure !
hxbro Wrote: I'd also install mod_security for apache and enable it for the vhcs directory (or the whole server if you want).

mod_security is already on the Wishlist ;)
But it needs enough memory and CPU in my tests... :(
03-23-2007 06:47 PM