Admin-Ahead Server Hardening Suite :: One script that applies the following security implementations to your server.

Supported OS and Control Panels:

  • Plain CentOS Server
  • Plain Ubuntu Server
  • CentOS with cPanel
  • CentOS with Plesk
  • Virtuozzo CentOS with cPanel
  • Virtuozzo CentOS with Plesk
  • CentOS without any control panel in KVM
  • Ubuntu with Plesk in KVM
  • Ubuntu without control panel in KVM
  • Ubuntu without control panel in Virtuozzo
  • AWS with CentOS
  • CentOS 5.9 & 6.4 (32 and 64 bit)
  • Ubuntu 12.04 LTS (32 and 64 bit)
  • SSH:
    • Disable direct ssh root login
    • Change the default ssh port
    • Create a sudo user with full privilege for ssh access and disable all other users for ssh access
  • APACHE:
    • mod_evasive Installation
      • mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack
    • mod_security
      • It supports a flexible rule engine to perform simple and complex operations and comes with a Core Rule Set (CRS) which has rules for SQL injection, cross site scripting, Trojans, bad user agents, session hijacking and a lot of other exploits
    • Disable Apache header information
      • Disabling Apache headers makes it difficult for an abuser to try version based vulnerabilities on your server
    • Hotlink protection
    • Disable directory Listing and Symlinks
  • PHP:
    • Hide Version Information
    • Remove Public error messages
    • Tune PHP parameters
      • Memory Limit
      • Maximum File Upload Size
      • Maximum Input Time
      • Maximum Execution Time
      • Maximum post size
    • Disable PHP functions
      • system
      • show_source
      • symlink
      • exec
      • dl
      • shell_exec
      • passthru
      • phpinfo
      • escapeshellarg
      • escapeshellcmd
    • Enable open_basedir
      • When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it. All symbolic links are resolved, so it’s not possible to avoid this restriction with a symlink. If the file doesn’t exist then the symlink couldn’t be resolved and the filename is compared to (a resolved) open_basedir. Source: http://www.php.net/manual/en/ini.core.php#ini.open-basedir.
  • MySQL:
    • Disable remote connection to MySQL server to ensure complete protection
    • Disable the use of LOCAL INFILE
      • This will help to prevent unauthorized reading from local files. This is especially important when new SQL Injection vulnerabilities in PHP applications are found
    • Disable symbolic links
    • Remove mysql command history
  • BIND:
    • Hide Version Information
    • Disable recursion
    • Implement blackhole for blacklisting of IP
  • Sysctl.conf:
    • Protect against ICMP attacks
    • Protect against SYN flood attacks
    • Source route verification
    • Disable packet redirects
  • Automatic installation of the following services as per your choice:
    • fail2ban
    • apf
    • csf
    • clamav
    • rkhunter
    • Logwatch
  • Disabling the insecure xinetd services:
    • telnet
    • rlogin
    • rsh
    • rexec
  • Set up cron job to run Clam AntiVirus weekly
  • Exim:
    • Disable Version Information
    • Stop Spoofing from webmail and SMTP authenticated users
  • Dovecot:
    • Disable plain text authentication
  • PureFtpd:
    • Enable Passive Port Range
    • Disallow anonymous connections. Only allow authenticated users
  • Postfix:
    • Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses
    • Enable Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected
    • Make it a requirement that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command. Many spam bots ignore the HELO/EHLO command, so this saves you from spam
    • Reject email if the remote hostname is not in fully-qualified domain form. Usually bots sending email don’t have FQDN names
    • Reject all bots sending email from computers connected via DSL/ADSL. They don’t have a valid internet hostname
    • Reject email if the hostname is not valid
    • Reject email if the FQDN is not valid
    • Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example, email sent from xyz or abc is rejected
    • Reject the request when the RCPT TO address is not in fully-qualified domain form
    • Reject email if the sender domain does not exist
    • Reject email if the recipient domain does not exist
  • Disabling Compiler:
  • Host.conf Tuning:
  • Root Login Email Alert to a user specified email:
  • Secure tmp directory:
  • Apply mount partition:
  • Symlink tmp and /var/tmp:
  • Password policy:
    • Prevent Reusing Old Passwords
    • Set Minimum Password Length
    • Set Password Complexity
    • Set Password Expiration Period

  • KB: The script is highly configurable; you can choose the options you want installed and proceed accordingly. Make sure the features enabled by the script do not conflict with your current server settings.

    Example 1: If any of your websites uses the “system” call in PHP, running our script disables it and your website may break. In that case, it is suggested that you do not enable this option.

    Example 2: If you use MySQL remote connections, Suhosin or a PHP function that is disabled by the script, it may create problems with the website.

  • As a courtesy, Admin-Ahead will provide support to any customers with such errors, for a period limited to the validity of the script purchased and for issues that may have been caused by running the script alone.

    The script needs to be used only once on your server. However, our license will be valid for 7 days in case you happen to re-install your server during this period.
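
A pre-flight check for the situation in Example 1, as an added example that is not part of the Admin-Ahead script: it scans a site's PHP files for calls to the functions listed under "Disable PHP functions", so affected code can be found before that option is enabled. The names `find_calls` and `scan_tree` and the sample file are assumptions made for this illustration.

```python
import re
from pathlib import Path

# Functions the page lists under "Disable PHP functions".
DISABLED = ["system", "show_source", "symlink", "exec", "dl", "shell_exec",
            "passthru", "phpinfo", "escapeshellarg", "escapeshellcmd"]

# A global call is the bare name (or "\name") followed by "(". Names preceded
# by "->", "::", "$" or a word character are methods or other identifiers.
CALL = re.compile(r"(?<![\w$>:\\])\\?(" + "|".join(DISABLED) + r")\s*\(", re.I)

def strip_comments(src):
    # Blank /* ... */ blocks but keep their newlines so line numbers survive.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    # Drop // and # comments (a "//" or "#" inside a string literal is cut too).
    return re.sub(r"(//|#).*", "", src)

def find_calls(src):
    """Return [(line_number, function_name)] for calls to listed functions."""
    hits = []
    for n, line in enumerate(strip_comments(src).splitlines(), 1):
        line = re.sub(r"\bfunction\s+\w+", "", line)  # ignore definitions
        hits += [(n, m.group(1).lower()) for m in CALL.finditer(line)]
    return hits

def scan_tree(root):
    """Map each *.php file under root to its hits; clean files are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_calls(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample input, not taken from any real site.
SAMPLE = """<?php
// system('ls') in a comment is ignored
$out = shell_exec('uptime');
$pdo->exec('DELETE FROM t');   /* method call, unaffected */
function dl($x) { return $x; }
echo my_system(1);
if (true) { \\system("id"); }
/* passthru('x')
   spans lines */
$arg = escapeshellarg($_GET['f']);
"""

if __name__ == "__main__":
    print(find_calls(SAMPLE))
```

Method calls such as `$pdo->exec()` are skipped because disable_functions applies to functions, not class methods; text inside string literals is not parsed, so review each hit by hand.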
$50/server