Dev {Tricks}

You are here: Home / Archives for Server and Hosting / Providers

by Leave a Comment

How to restrict direct root access | Linux | CentOS

We can do it just in two steps.

Step One:

At first we will create new root user as follows (for example, newroot)

  1. Login as root using SSH.
  2. Create new user e.g., newroot and add user to wheel group 
    useradd -G wheel newroot
  3. Set password for newroot 
    passwd newroot
  4. You will get option to enter password. Use letter and number only.
    Save the newroot and password somewhere of you edge.
  5. Su to newroot 
    su - newroot
  6. Test sudo permission (permission should be root) 
    sudo whoami
  7. Enter password of newroot and it will show result “root”.
  8. Open sshd config file and check whether it has the “newroot” in AllowUsers. If not, add the user manually. (usually at the end). 
    vi /etc/ssh/sshd_config

    [Permission Denied!] Quit :q

    AllowUsers newroot
  9. Restart sshd.service 
    sudo systemctl restart sshd.service

Step Two:

Now we are going to disable the root user. Before doing this, you have to logout from “root” and then login with “newroot”.

You can only disable the  “root”, if you can successfully login with “newroot”.

  1. After successfully login with “newroot”, su to “root” using root password. 
    su - root
  2. Then open sshd_config. 
    vi /etc/ssh/sshd_config
  3. Search and change permitRootLogin “yes” to “no” as follows. 
    permitRootLogin no
  4. Restart sshd.service to implement the change 
    sudo systemctl restart sshd.service
  5. Now logout from “newroot” and try to login “root”
  6. Login with root now not allowed. Access Deny.
  7. So login with “newroot” and then su to root with root password 
    su - root

by Leave a Comment

How to create One-Click login to RoundCube and phpMyAdmin ?

To enable one-click login for RoundCube

cd /usr/local/directadmin/
./directadmin set one_click_webmail_login 1
service directadmin restart
cd custombuild
./build update
./build dovecot_conf
./build exim_conf
./build roundcube

To enable one-click login for phpMyAdmin

cd /usr/local/directadmin/
./directadmin set one_click_pma_login 1
service directadmin restart
cd custombuild
./build update
./build phpmyadmin

To disable browser access to phpMyAdmin

cd /usr/local/directadmin/custombuild
./build update
./build set phpmyadmin_public no
./build phpmyadmin

 

 

by Leave a Comment

ConfigServer Security & Firewall, CSF basic commands, advanced configurations and settings

Basic CSF commands

  • Enable CSF 
    csf -e
  • Disable CSF 
    csf -x
  • Start CSF 
    csf -s
  • Flush/Stop CSF 
    csf -f
  • Reload CSF 
    csf -r
  • Allow an IP and add it to csf.allow – /etc/csf/csf.allow 
    csf -a 162.162.1.219
  • Remove and delete an IP from csf.allow – /etc/csf/csf.allow 
    csf -ar 162.162.1.209
  • Place an IP on temporary deny list in /var/lib/csf/csf.tempban 
    csf -td
  • Remove an IP from the temporary IP ban or allow list 
    csf -tr 162.162.1.209
  • Flush all IPs from the temporary IP entries 
    csf -tf
  • Deny an IP and add to csf.deny 
    csf -d 162.162.1.209
  • Remove and Unblock an IP from csf.deny 
    csf -dr 162.162.1.209
  • Remove and Unblock all entries from csf.deny 
    csf -df
  • Search for a pattern match on iptables e.g : IP, CIDR, Port Number 
    csf -g 152.167.1.118

Advanced Configuration to csf.conf at /etc/csf/csf.conf

  • Add root and admin notification email addresses at /etc/aliases. 
    root: root@domain.com
admin: admin@domain.com
  • Add email address to get all notifications – /etc/csf
    (csf > firewall configuration > Reporting Settings > LF_ALERT_TO = alert@domain.com)

    LF_ALERT_TO = "alert@domain.com"
  • Stop or disable “excessive resource usage” change PT_USERTIME = 0 
    PT_USERTIME = "0"

    Under Process Tracking at /etc/csf

  • Don’t Block IP addresses that are in the csf.allow files 
    IGNORE_ALLOW = "1"
  • Allow Incoming and Outgoing ICMP 
    ICMP_IN = "1"
    ICMP_OUT = "1"
  • Block Certain Countres 
    CC_DENY = "CA,CN,US"
    CC_ALLOW = "IN,ME,DE"
  • Send the Su and SSH Login log by Email 
    LF_SSH_EMAIL_ALERT = "1"
    LF_SU_EMAIL_ALERT = "1"
  •  Get alert or notification 
    LF_ALERT_TO = "email@domain.tld"

Warning in CSF

  • SYSLOG_CHECK option check
    (This option helps prevent brute force attacks on your server services)

    • Open /etc/csf/csf.conf
    • Search for “SYSLOG_CHECK”
    • Put value between 300 and 3600 seconds 
      SYSLOG_CHECK = "600"
    • Restart CSF firewall 
      #csf -r
  • Check for DNS recursion restrictions
    (You have a local DNS server running but do not appear to have any recursion restrictions set. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only)
    • Add following options to /etc/named.conf 
      options {        
   allow-recursion {
   localhost;
};
    • Restart named 
      service named restart
  • Check for cxs
    (You should consider using cxs to scan web script uploads and user accounts for exploits uploaded to the server)

    ConfigServer eXploit Scanner (cxs) - from $60/server

    https://configserver.com/cp/cxs.html

  • Check for osm
    (You should consider using osm to provide protection from spammers exploiting the server)

    Outgoing Spam Monitor (osm) - $40/server

    https://www.configserver.com/cp/osm.html

  • Check for swap file
    (The server appears to have no swap file. This is usually considered a stability and performance risk. You should either add a swap partition, or create one via a normal file on an existing partition)
  • SSH/Telnet Check
    • Check SSH PasswordAuthentication
      (You should disable PasswordAuthentication and only allow access using PubkeyAuthentication to improve brute-force SSH security)
    • Check SSH UseDNS
      (You should disable UseDNS by editing /etc/ssh/sshd_config. Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses)

      UseDNS no