As the number of websites on the internet rises, more and more people own a hosting account, and many of them run their own VPS or dedicated server. Since such servers are most likely unmanaged, this article provides practical information for improving your web server security. Keep in mind that a chain is only as strong as its weakest link, therefore all services and potential vulnerabilities will be covered in this two-part tutorial. The examples use 64-bit CentOS 6 with the Apache web server.
WHM and cPanel
WHM/cPanel is popular server-management software that provides a graphical interface for managing all services on the server. Its login form is normally served over SSL/TLS (cPanel on port 2083 and WHM on port 2087; the plain-HTTP ports 2082 and 2086 should not be used), which protects you from eavesdropping. However, the form should also be protected from dictionary and brute-force attacks, in which the attacker tries to guess your password either by trying all possible combinations or by trying the most common passwords and dictionary words.
cPHulk is used for brute-force protection. It ships with WHM and should be enabled through its interface. cPHulk provides both user-based and IP-based brute-force protection, as well as many configuration options. In cases where only a few users need to log in to WHM or cPanel (for example, if you are a web development company or managing a personal server), I would suggest a very restrictive approach:
- Block an IP address for 60 minutes after 5 failed login attempts
- Block an IP address for 24 hours after 10 failed login attempts
- Block an account for 15 minutes after 5 failed login attempts
- Whitelist your own IP address (or an IP range if multiple people need access)
- Blacklist all other IP ranges
However, if you are a web hosting company, you will have to deal with many users who are not necessarily tech-savvy, so adjust the cPHulk configuration accordingly. Unfortunately, there is one problem that cPanel's developers have not solved: the account-lockout denial-of-service attack. An attacker with a sufficient number of IP addresses can lock out a large number of accounts, or target a few accounts and keep them locked for a long time, thus preventing the legitimate users from logging in. This is the inherent trade-off of any lockout scheme, not something specific to cPHulk. Right now, one possible mitigation is to whitelist the affected user's IP address. Another popular one is to clear cPHulk's brute-force history, which buys enough time for the real user to log in.
SSH
Secure Shell (SSH) is a network protocol for accessing remote machines securely. Basically, it gives you a terminal in which you can execute operating system commands on the remote server. A few tweaks can improve the security of this service. First, disable SSH password authentication in WHM. This enforces the use of SSH keys for authentication, meaning that an attacker cannot log in without the private key, even if he knows a correct username and password combination. Of course, you need a working key before you turn password logins off, otherwise you lock yourself out. Go to Manage root's SSH Keys in WHM and generate a new key. Do not forget to protect the key with a passphrase, and use a strong one. Then download the private key (in .ppk format for PuTTY, or in OpenSSH format for the ssh command on Linux and macOS), install it in your SSH client, and confirm from a second session that key-based login works before disabling password authentication.
SSH keys are typically RSA key pairs of 2048 or 4096 bits. Considering that the largest RSA key publicly broken by factorization at the time of writing is 768 bits (RSA-768, factored in 2009), neither guessing nor factoring a 2048-bit key is a realistic attack; the practical risk is theft of the private key file, which is why it must carry a passphrase. If you would like to be extra safe, you can add two-step verification. As its name says, this type of authentication has two steps:
- Enter the username and password
- Receive the login code on your mobile phone and enter it to complete the login
There is also the possibility of generating single-use emergency scratch codes, in case you lose your phone or it gets stolen. This feature is enabled for SSH logins by installing the Google Authenticator PAM module (pam_google_authenticator) and referencing it from /etc/pam.d/sshd. Note that it works through PAM's keyboard-interactive path, so sshd needs ChallengeResponseAuthentication set to yes, and OpenSSH 5.3 as shipped with CentOS 6 has no AuthenticationMethods option to require a key and a code together: a login is either key-only or password-plus-code, not both.
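Installing the public key before password logins are switched off is the step that prevents a lockout, so here it is as a script. This is an added example, not code from the original tutorial or from cPanel: the function names, the dummy key line and the idempotent-append logic are mine; ssh-keygen, puttygen and the authorized_keys layout and permissions are standard OpenSSH.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate an SSH key pair and install
# the public key for root so that key-only logins work BEFORE password
# authentication is disabled. Helper names are my own; ssh-keygen and the
# authorized_keys layout are standard OpenSSH.

# generate_keypair PATH: 4096-bit RSA key; ssh-keygen prompts for a passphrase.
# (CentOS 6 ships OpenSSH 5.3, which has no Ed25519 support.)
generate_keypair() {
    ssh-keygen -t rsa -b 4096 -f "$1" -C "admin@$(hostname)"
    # PuTTY users convert the private key with: puttygen "$1" -o "$1.ppk"
}

# install_pubkey HOME_DIR PUBKEY_LINE: append one public key line to
# HOME_DIR/.ssh/authorized_keys, idempotently, with the permissions sshd's
# StrictModes requires (no group/world access to the directory or file).
install_pubkey() {
    home=$1; pubkey=$2
    dir="$home/.ssh"; keys="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$keys" && chmod 600 "$keys"
    # Compare the key material (second field) so a changed comment does not
    # produce a duplicate entry.
    material=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if ! awk -v m="$material" '$2 == m { found = 1 } END { exit !found }' "$keys"; then
        printf '%s\n' "$pubkey" >> "$keys"
    fi
}

# count_authorized_keys HOME_DIR: number of key lines installed.
count_authorized_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# Constructed sample key line (not a real key) for the dry run below.
SAMPLE_PUBKEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDexample/DUMMY/KEY admin@example"

if [ "${1:-}" = "--root" ]; then
    # ./install-key.sh --root /path/to/key.pub   (as root, on the server)
    install_pubkey /root "$(cat "${2:?public key file}")"
else
    d=$(mktemp -d)
    install_pubkey "$d" "$SAMPLE_PUBKEY"
    install_pubkey "$d" "$SAMPLE_PUBKEY"     # second call is a no-op
    echo "installed $(count_authorized_keys "$d") key(s) in $d/.ssh/authorized_keys"
    rm -rf "$d"
fi
```

Run without arguments it performs a dry run in a temporary directory; with --root and a .pub file it installs the key for root. Test the key from a new session (ssh -i key root@server) and only then disable password authentication.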
Disable SSH protocol 1
SSH has two protocol versions, 1 and 2. Protocol 1 is older, has known cryptographic weaknesses, and should be disabled. Execute the following command to open the SSH config file:
# nano /etc/ssh/sshd_config
Find the line that reads "#Protocol 2,1" (the commented-out default), uncomment it and change it to:
Protocol 2
Change the port number
The default port used by SSH is 22. It is advisable to move SSH to a non-standard port above 1024 that is not used by any other service (check the IANA service name and port number registry before picking one). Also avoid port 2222, which attackers know is a popular alternative. Changing the port does not stop a targeted attacker, who will simply port-scan the host, but it removes the bulk of automated scanner noise from your logs. To change the port, open the SSH config file, find the line where it says "Port 22" (commented out by default), uncomment it and edit the number.
On CentOS 6 and later with SELinux in enforcing mode, you also need to label the new port so that sshd is allowed to bind it (semanage is in the policycoreutils-python package):
# semanage port -a -t ssh_port_t -p tcp 2132
Update the firewall to allow connections to the new port number:
# nano /etc/sysconfig/iptables
Go to the following line:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
And change it to the following:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2132 -j ACCEPT
Finally, restart iptables and SSH. Keep your current session open while you do this and open a new connection on the new port from a second terminal; only close the old session once the new one works:
# service iptables restart
# /etc/init.d/sshd restart
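The SSH steps above (protocol 2 only, a new port, key-only authentication, SELinux label, firewall rule, restart) as one script that edits the config, verifies it, and refuses to restart sshd on a broken file. This is an added example, not the tutorial's or cPanel's code: port 2132 and the file paths are the tutorial's, the function names, the awk rewrite logic and the sample config excerpt are mine, and it opens the firewall with iptables -I plus "service iptables save" instead of editing /etc/sysconfig/iptables by hand.

```shell
#!/bin/sh
# Added example (not from the tutorial): apply the sshd hardening steps to
# sshd_config, verify the result, and only then label the port for SELinux,
# open it in iptables and restart sshd. Port 2132 and the paths are the
# tutorial's; the function names and the sample config excerpt are my own.

# set_sshd_option FILE KEY VALUE: rewrite the first "KEY ..." line, whether it
# is active or a commented-out default, to "KEY VALUE"; drop later duplicates
# (sshd honours only the first occurrence of a keyword); append if absent.
set_sshd_option() {
    file=$1; key=$2; value=$3; tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        $0 ~ "^[ \t]*#?[ \t]*" key "[ \t]" {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # keeps the file mode (0600)
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd would use (first active line).
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT
harden_sshd_config() {
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    # Without this, PAM keyboard-interactive logins can still accept a
    # password. If you later add pam_google_authenticator it must go back to
    # "yes", because the one-time code is delivered through that path.
    set_sshd_option "$1" ChallengeResponseAuthentication no
}

# check_sshd_config FILE PORT: succeed only if every hardening setting is active.
check_sshd_config() {
    [ "$(get_sshd_option "$1" Protocol)" = 2 ] || return 1
    [ "$(get_sshd_option "$1" Port)" = "$2" ] || return 1
    [ "$(get_sshd_option "$1" PasswordAuthentication)" = no ] || return 1
    [ "$(get_sshd_option "$1" ChallengeResponseAuthentication)" = no ] || return 1
    return 0
}

# write_sample_sshd_config FILE: constructed excerpt resembling the CentOS 6
# default, for a dry run that never touches /etc.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
#Protocol 2,1
Protocol 2,1
SyslogFacility AUTHPRIV
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# harden_live_server PORT: the real thing; run as root, with a second
# terminal open so a mistake cannot lock you out.
harden_live_server() {
    port=$1; backup="/etc/ssh/sshd_config.bak.$(date +%Y%m%d%H%M%S)"
    cp -p /etc/ssh/sshd_config "$backup"
    harden_sshd_config /etc/ssh/sshd_config "$port"
    if ! /usr/sbin/sshd -t; then              # syntax check before restarting
        echo "sshd rejected the new config, restoring $backup" >&2
        cp -p "$backup" /etc/ssh/sshd_config
        return 1
    fi
    # Label the port for SELinux ("semanage port -m" if it is already
    # labelled) and open it; the port-22 rule stays until the new port has
    # been tested from a fresh session.
    semanage port -a -t ssh_port_t -p tcp "$port"
    iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
    service iptables save
    /etc/init.d/sshd restart
    echo "Keep this session open; test with: ssh -p $port -i <key> root@<server>"
}

# Dry run on a sample file by default; "--apply" changes the real server.
if [ "${1:-}" = "--apply" ]; then
    harden_live_server 2132
else
    sample=$(mktemp)
    write_sample_sshd_config "$sample"
    harden_sshd_config "$sample" 2132
    check_sshd_config "$sample" 2132 && echo "dry run: hardened settings active"
    rm -f "$sample"
fi
```

The rewrite treats the commented-out defaults as the place to put the new value, so the resulting file reads like the stock one with three lines changed, and sshd -t is the gate: a typo in sshd_config that only shows up at restart is the classic way to lose access to a remote box.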
Tune in over the next few weeks for part two of our web server security tutorial.