How to Secure and Optimize a Server or VPS – 2

Tutorials following continued discussions from How to Secure and Optimize a Server or VPS part 1

Install BFD (Brute Force Detection – optional)

To install BFD, SSH into server and login as root.

At command prompt type:

cd /root/
tar -xvzf bfd-current.tar.gz
cd bfd-0.4

After BFD has been installed, you need to edit the configuration file.

At command prompt type:

pico /usr/local/bfd/conf.bfd

Under Enable brute force hack attempt alerts:


and change it to




and change it to


Save the changes then exit.

To start BFD

At command prompt type:

/usr/local/sbin/bfd -s

Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system’s logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.

To modify LogWatch, SSH into server and login as root.

At command prompt type:

pico -w /etc/log.d/conf/logwatch.conf

Scroll down to

MailTo = root

and change to

Mailto =

Note: Set the e-mail address to an offsite account incase you get hacked.

Now scroll down to

Detail = Low

Change that to Medium, or High…

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.

Save and exit.

A number of suggestions to improve system security. Some of this is specific to CPanel, but much can be applied to most Linux systems.
Use The Latest Software
Keep the OS and 3rd party software up to date. Always!
CPanel itself can be updated from the root WHM.
Change Passwords

Change the root passwords at least once a month and try to make them hard to guess. Yes it’s a pain to have to keep remembering them, but it’s better than being hacked.

Set Up A More Secure SSH Environment As described here.

Disable Telnet
1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinted with: /etc/rc.d/init.d/xinetd restart
Also, add the following line to /etc/deny.hosts to flag Telnet access attempts as ‘emergency’ messages.

in.telnetd : ALL : severity emerg

Disable Unnecessary Ports (optional)
First backup the file that contains your list of ports with:

cp /etc/services /etc/services.original

Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.
On a typical CPanel system it would look something like this:

Additional ports are controlled by /etc/rpc. These aren’t generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved
Watch The Logs
Install something like logwatch to keep an eye on your system logs. This will extract anything ‘interesting’ from the logs and e-mail to you on a daily basis.
Logwatch can be found at:
Install instructions here.
Avoid CPanel Demo Mode
Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
Jail All Users
Via WHM Account Functions => Manage Shell Access => Jail All Users.
Better still never allow shell access to anyone – no exceptions.
Immediate Notification Of Specific Attackers
If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname"

Replacing nnn.nnn.nnn.nnn with the attacker’s IP address.
Replacing hostname with your hostname.
Replacing with your e-mail address.
This will deny access to the attacker and e-mail the sysadmin about the access attempt.

Check Open Ports

From time to time it’s worth checking which ports are open to the outside world. This can be done with:

nmap -sT -O localhost

If nmap isn’t installed, it can be selected from root WHM’s Install an RPM option.

Set The MySQL Root Password

This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.
Make it different to your root password!
Tweak Security (CPanel)

From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:
– php open_basedir Tweak.
– SMTP tweak.
You may want to enable:
– mod_userdir Tweak. But that will disable domain preview.

Use SuExec (CPanel)
From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel’s decription of what it does:
“suexec allows cgi scripts to run with the user’s id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. ”
Even if you don’t use phpsuexec (which often causes more problems), SuExec should be considered.

Use PHPSuExec (CPanel)
This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.
Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.

Disable Compilers
This will prevent hackers from compiling worms, root kits and the like on your machine.
To disable them, do the following:

chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

You will need to enable them again when you need to perform system updates. To do this, run:

chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1


Obfuscate The Apache Version Number

1. Type: pico /etc/httpd/conf/httpd.conf
2. Change the line that begins ServerSignature to:

ServerSignature Off

3. Add a line underneath that which reads:

ServerTokens ProductOnly

4. Hit CTRL+X, they y, the enter to save the file.
5. Restart Apache with:

/etc/rc.d/init.d/httpd restart