Access MariaDB Server
mysql -u root -p
Create new database
CREATE DATABASE bdhostidb;
Check whether the database created
SHOW DATABASES;
GRANT ALL PRIVILEGES ON `sqI_bdhositit_co`.* TO 'sqI_bdhositit_co'@'localhost';
by dev
Test type: Whether remote SSH administration uses the encrypted protocol version (Protocol 2)
Risk level: Medium risk
Risk detail: Remote SSH administration is not restricted to the secure protocol version
Solution:
1. Add or modify Protocol 2 in the [/etc/ssh/sshd_config] file
2. Then run the command systemctl restart sshd to restart the service
Tips: This scheme strengthens the protection of SSH communication and avoids leaking sensitive data.
Test type: Check whether a command-line interface timeout is set
Risk level: Medium risk
Risk detail: No command-line idle timeout is configured, so idle shells are never closed
Solution:
1. Add TMOUT=300 to the [/etc/profile] file (the variable name must be uppercase); the idle time should not exceed 600 seconds
2. Execute source /etc/profile to make the configuration take effect
Tips: This solution automatically closes the server command line after a period without activity, which strengthens the security of the server.
Test type: User FTP access security configuration
Risk level: Medium risk
Risk detail: pure-ftpd is currently not configured with a secure access umask; set the value of Umask to 177:077 in the [pure-ftpd.conf] file
Solution:
1. In [/www/server/pure-ftpd/etc/pure-ftpd.conf], change the value of Umask to 177:077
Tips: This scheme strengthens the protection of the FTP server and reduces the risk of server intrusion.
Test type: Check for files with suid and sgid permissions
Risk level: Medium risk
Risk detail: The following files have the suid or sgid bit set; remove it with chmod u-s or chmod g-s: /usr/bin/chage, /usr/bin/gpasswd, /usr/bin/wall, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/newgrp, /usr/bin/write, /usr/sbin/usernetctl, /bin/mount, /bin/umount, /sbin/netreport
Solution:
1. Use the chmod u-s/g-s [filename] command to change the permissions of the file
Tips: This scheme removes the special permissions of important files, which can prevent intruders from using these files for privilege escalation.
chmod g-s /usr/bin/chage
chmod u-s /usr/bin/gpasswd
chmod u-s /usr/bin/chfn
chmod u-s /usr/bin/chsh
chmod u-s /usr/bin/newgrp
chmod u-s /bin/mount
chmod u-s /bin/umount
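The check behind this item, written as an added example (not the page's or aaPanel's own code): list every setuid/setgid file under a tree, compare it against an explicit allowlist, and strip the bit from whatever is not on the list. ALLOWLIST and the sample tree are constructed for the demo; on a real system you would point audit_setid at / as root with your own baseline. Note that chsh, mount, umount and similar binaries stop working for unprivileged users once the bit is removed, so the allowlist should be a deliberate decision rather than an empty list.

```shell
#!/bin/sh
# Added example, not from the original page: audit setuid/setgid files under a
# directory tree against an allowlist and strip the bit from everything else.
# Assumptions: POSIX sh plus GNU-style "stat -c"; ALLOWLIST and the sample tree
# are constructed for the demo.

# Paths, relative to the scanned root, that are expected to keep their bit.
# (Constructed baseline for the demo, not a recommendation.)
ALLOWLIST="bin/su
bin/passwd"

# audit_setid ROOT: print "UNEXPECTED MODE PATH" for each regular file under ROOT
# that carries the setuid or setgid bit and is not on the allowlist.
audit_setid() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do
        rel=${f#"$root"/}
        # grep -x matches the whole line, so bin/su does not also allow bin/sudo
        printf '%s\n' "$ALLOWLIST" | grep -qx "$rel" && continue
        printf 'UNEXPECTED %s %s\n' "$(stat -c '%a' "$f")" "$rel"
    done
}

# count_unexpected ROOT: number of findings, handy for a pass/fail exit status.
count_unexpected() {
    audit_setid "$1" | wc -l | tr -d ' '
}

# strip_setid ROOT: remediate every finding with chmod u-s,g-s (the page's fix).
strip_setid() {
    audit_setid "$1" | while read -r tag mode rel; do
        chmod u-s,g-s "$1/$rel"
    done
}

# make_sample_tree: build a scratch tree with a few bit-carrying files and print
# its path. Constructed input for the demo.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    for p in bin/su bin/passwd bin/cat usr/bin/chfn usr/bin/wall; do
        : > "$d/$p"
    done
    chmod 4755 "$d/bin/su" "$d/bin/passwd" "$d/usr/bin/chfn"   # setuid
    chmod 2755 "$d/usr/bin/wall"                                # setgid
    chmod 0755 "$d/bin/cat"                                     # plain binary
    printf '%s\n' "$d"
}

# Demo run on the scratch tree.
SAMPLE=$(make_sample_tree)
audit_setid "$SAMPLE"        # reports usr/bin/chfn (4755) and usr/bin/wall (2755)
strip_setid "$SAMPLE"
echo "remaining findings: $(count_unexpected "$SAMPLE")"   # 0
rm -rf "$SAMPLE"
```

The allowlist is matched as whole lines on purpose: a substring match would let bin/su silently cover bin/sudo, which is exactly the kind of gap an audit should not have.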
Test type: Bootloader configuration file permissions
Risk level: Medium risk
Risk detail: The following critical file or directory has incorrect permissions: /boot/grub2/grub.cfg (current permissions: 644, owner root; secure permissions: 600, owner root)
Solution:
1. Configure secure permissions for the grub file suggested in the risk description
2. For grub2: chmod 600 /boot/grub2/grub.cfg && chown root /boot/grub2/grub.cfg
3. For grub: chmod 600 /boot/grub/grub.cfg && chown root /boot/grub/grub.cfg
Tips: This scheme strengthens the protection of the server's grub interface and further prevents external intrusion.
Test type: Check if an empty password user exists
Risk level: High risk
Risk detail: Found an empty password user: []
Solution:
1. Log in to the server as root and set a password for the empty password user
2. If you do not know the user's purpose, execute the command [passwd -l (username)] to temporarily lock the user. To unlock the user: [passwd -fu (username)]
Tips: This check detects users with a blank password, which may be backdoor accounts left by attackers; unless they are needed by the business, set a password.
sudo awk -F":" '($2 == "") {print $1 ": has no password."}' /etc/shadow
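The one-liner above only reports an empty second field. The added example below (mine, not from the page) extends it to classify each shadow(5) entry as empty, locked or set, so an operator can tell a genuine blank password from an account that was already locked with passwd -l. The sample file is constructed for the demo and its hashes are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: classify shadow(5) entries by their
# password field. Assumptions: shadow(5) format; the sample file below is
# constructed (placeholder hashes, not real ones).

# classify_shadow FILE: print "STATUS USER" per entry, where STATUS is
#   EMPTY   field 2 is empty: the account accepts a blank password
#   LOCKED  field 2 is "*", "!!" or starts with "!" (disabled or passwd -l)
#   SET     a password hash is present
classify_shadow() {
    awk -F: '
        NF < 2                  { next }            # skip blank/malformed lines
        $2 == ""                { print "EMPTY "  $1; next }
        $2 == "*" || $2 ~ /^!/  { print "LOCKED " $1; next }
                                { print "SET "    $1 }
    ' "$1"
}

# empty_password_users FILE: just the account names that need a password or a lock.
empty_password_users() {
    classify_shadow "$1" | awk '$1 == "EMPTY" { print $2 }'
}

# make_sample_shadow: write a constructed shadow file and print its path.
make_sample_shadow() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:19500:0:99999:7:::
bin:*:19000:0:99999:7:::
deploy::19500:0:99999:7:::
olduser:!$6$saltsalt$PLACEHOLDERHASH:19500:0:99999:7:::
svc:!!:19500:0:99999:7:::

EOF
    printf '%s\n' "$f"
}

# Demo: the same report the page's one-liner gives, plus the locked accounts.
SAMPLE=$(make_sample_shadow)
classify_shadow "$SAMPLE"
for u in $(empty_password_users "$SAMPLE"); do
    echo "$u: has no password."
done
rm -f "$SAMPLE"
```

On a real host run it as root against /etc/shadow; a LOCKED entry whose hash follows the "!" is a normal account that someone locked, while "!!" or "*" is an account that never had a usable password.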
Test type: Critical file permission checks
Risk level: High risk
Risk detail: The following critical files or directories have incorrect permissions:
/etc/shadow: current permissions 000, owner root; suggested 400, owner root
/etc/security: current permissions 755, owner root; suggested 600, owner root
/etc/ssh/sshd_config: current permissions 600, owner root; suggested 644, owner root
/etc/gshadow: current permissions 000, owner root; suggested 400, owner root
Solution:
1. On the [File] page, set the correct permissions and owner for the specified directory or file
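The comparison behind this report, as an added example (mine, not aaPanel's code): check each listed path against an expected mode and owner, print what needs fixing, and apply the chmod part of the fix. The baseline mirrors the paths and target modes from the report, but the files are scratch copies owned by the current user, so the expected owner is taken from id -u here instead of root. One caveat worth knowing when reading such reports: 000 on /etc/shadow is already stricter than 400 (root bypasses the mode bits regardless), so that line is a normalisation rather than a tightening.

```shell
#!/bin/sh
# Added example, not from the original page: compare mode and owner of critical
# files against a baseline and apply the chmod part of the fix.
# Assumptions: GNU-style "stat -c"; the baseline paths/modes follow the report
# above, but the files are constructed scratch copies owned by the current user
# (on a real system OWNER would be 0 for root and a chown would be needed too).

OWNER=$(id -u)

# "relative-path mode owner-uid" triples, one per line.
BASELINE="etc/shadow 400 $OWNER
etc/gshadow 400 $OWNER
etc/ssh/sshd_config 644 $OWNER
etc/security 600 $OWNER"

# check_perms ROOT: print one line per baseline entry:
#   OK PATH
#   FIX PATH CURRENT_MODE:CURRENT_UID -> WANTED_MODE:WANTED_UID
#   MISSING PATH
check_perms() {
    root=$1
    printf '%s\n' "$BASELINE" | while read -r rel mode owner; do
        f="$root/$rel"
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$rel"
            continue
        fi
        cur=$(printf '%03d' "$(stat -c '%a' "$f")")   # stat prints 0, not 000
        own=$(stat -c '%u' "$f")
        if [ "$cur" = "$mode" ] && [ "$own" = "$owner" ]; then
            printf 'OK %s\n' "$rel"
        else
            printf 'FIX %s %s:%s -> %s:%s\n' "$rel" "$cur" "$own" "$mode" "$owner"
        fi
    done
}

# count_findings ROOT: number of FIX/MISSING lines (0 means compliant).
count_findings() {
    check_perms "$1" | awk '!/^OK / { n++ } END { print n + 0 }'
}

# fix_perms ROOT: apply the wanted mode to every FIX entry (chown omitted, see above).
fix_perms() {
    check_perms "$1" | awk '$1 == "FIX" { print $2, $5 }' | while read -r rel want; do
        chmod "${want%%:*}" "$1/$rel"
    done
}

# make_sample_root: constructed scratch tree with deliberately wrong modes.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/etc/security"
    : > "$d/etc/shadow";          chmod 644 "$d/etc/shadow"           # too open
    : > "$d/etc/gshadow";         chmod 400 "$d/etc/gshadow"          # already right
    : > "$d/etc/ssh/sshd_config"; chmod 600 "$d/etc/ssh/sshd_config"  # report wants 644
    chmod 755 "$d/etc/security"                                       # report wants 600
    printf '%s\n' "$d"
}

# Demo on the scratch tree.
ROOT=$(make_sample_root)
check_perms "$ROOT"                     # three FIX lines, one OK
fix_perms "$ROOT"
echo "findings left: $(count_findings "$ROOT")"   # 0
chmod 700 "$ROOT/etc/security"; rm -rf "$ROOT"
```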
Test type: Check password reuse limit
Risk level: Medium risk
Risk detail: Unlimited password reuse
Solution:
1. Back up the configuration file: cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
2. Add or modify remember=5 after [password sufficient] in the [/etc/pam.d/system-auth] file
Test type: SSH idle timeout detection
Risk level: Medium risk
Risk detail: The current SSH idle timeout is 0; it is recommended to set it to 600-900
Solution:
1. Set [ClientAliveInterval] in the [/etc/ssh/sshd_config] file to a value between 600 and 900
2. Tip: The recommended SSH idle timeout is 600-900 seconds
Test type: Panel port
Risk level: Medium risk
Risk detail: The panel port is the default port (7800), which may cause unnecessary security risks
Solution:
1. Please modify the default panel port on the [Settings] page
2. Note: On servers with a [Security Group], allow the new port in the [Security Group] in advance, otherwise the new port cannot be opened
Test type: SSH password complexity check
Risk level: Medium risk
Risk detail: minclass in the [/etc/security/pwquality.conf] file is not set to 3 or 4
Solution:
1. In [/etc/security/pwquality.conf], set the password complexity to require 3 or 4 character classes (lowercase letters, uppercase letters, digits and special characters), for example:
2. minclass=3
Test type: [/etc/bashrc] User default permission check
Risk level: Medium risk
Risk detail: umask is not set to 027
Solution:
1. The umask set in the [/etc/bashrc] file is 002; it is recommended to set it to 027
2. Solution: change the umask line in /etc/bashrc to umask 027
Test type: Panel login alarm
Risk level: Medium risk
Risk detail: Panel login alerts are not enabled; enable them in [Settings] - [Notification]
Solution:
1. Enable it in [Settings] - [Notification]
Test type: [/etc/csh.cshrc] User default permission check
Risk level: Medium risk
Risk detail: umask not set to 027
Solution:
1. The umask set in the [/etc/csh.cshrc] file is 002, which does not meet the requirement; it is recommended to set it to 027
2. Operation: change the umask line in /etc/csh.cshrc to umask 027
Test type: Check the minimum interval between SSH password changes
Risk level: Medium risk
Risk detail: In the [/etc/login.defs] file, PASS_MIN_DAYS should be greater than or equal to 7
Solution:
1. Set PASS_MIN_DAYS in [/etc/login.defs] to 7 or more
2. PASS_MIN_DAYS 7 in login.defs applies to newly created accounts, so also set the minimum password age of root with the command: chage --mindays 7 root
Test type: Check SSH password expiration time
Risk level: Medium risk
Risk detail: In the [/etc/login.defs] file, PASS_MAX_DAYS should be set to between 90 and 180
Solution:
1. If you log in with a key pair rather than a password, you can ignore this item; otherwise set the PASS_MAX_DAYS parameter in [/etc/login.defs] to between 90 and 180
2. PASS_MAX_DAYS 90 in login.defs applies to newly created accounts, so also set the root password expiration time with the command: chage --maxdays 90 root
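Most of the items above come down to the same edit: set one directive in a key/value file, whether it is Protocol 2 or ClientAliveInterval in sshd_config, TMOUT in /etc/profile, Umask in pure-ftpd.conf, minclass in pwquality.conf, the umask lines in /etc/bashrc, or PASS_MIN_DAYS and PASS_MAX_DAYS in /etc/login.defs. The added example below (mine, not the page's or aaPanel's code) is an idempotent "set or append" helper for that, plus a reader to verify the result. It assumes one "KEY<sep>VALUE" directive per line with a space or "=" as separator, and works on constructed scratch copies rather than the live files. On the ClientAliveInterval item, note that sshd only drops an idle session after ClientAliveCountMax (default 3) unanswered probes, so the effective idle limit is the interval multiplied by that count.

```shell
#!/bin/sh
# Added example, not from the original page: idempotent "set or append" for the
# key/value files edited by the checks above. Assumptions: one "KEY<sep>VALUE"
# directive per line (sep is " " or "="); the sample files are constructed
# scratch copies, not the live system files (back those up first).

# set_directive FILE KEY VALUE SEP
# Rewrites every line whose first token is KEY, including commented-out ones such
# as "#ClientAliveInterval 0", to "KEY<SEP>VALUE", keeping the line's indentation
# so if/else blocks in /etc/bashrc stay valid. Appends the line when KEY is absent.
set_directive() {
    file=$1 key=$2 value=$3 sep=$4
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        {
            match($0, /^[ \t]*/)
            indent = substr($0, 1, RLENGTH)
            line = substr($0, RLENGTH + 1)
            sub(/^#[ \t]*/, "", line)                  # look through a comment marker
            if (line ~ ("^" key "([ \t]|=|$)")) {
                print indent key sep value
                done = 1
                next
            }
            print
        }
        END { if (!done) print key sep value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"         # cat keeps the file mode/owner
    rm -f "$tmp"
}

# get_directive FILE KEY: print the value of the first active (uncommented) KEY line.
get_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $0 ~ ("^[ \t]*" key "([ \t]|=)") {
            sub("^[ \t]*" key "[ \t]*=?[ \t]*", "")
            print
            exit
        }
    ' "$1"
}

# make_sample_configs: constructed scratch copies of the files; prints the directory.
make_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
# constructed sample
#ClientAliveInterval 0
ClientAliveCountMax 3
EOF
    cat > "$d/login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
EOF
    cat > "$d/bashrc" <<'EOF'
if [ "$UID" -gt 199 ]; then
    umask 002
else
    umask 022
fi
EOF
    : > "$d/profile"                                   # no TMOUT line yet
    printf '%s\n' "$d"
}

# Demo: apply the page's values to the scratch copies.
DIR=$(make_sample_configs)
set_directive "$DIR/sshd_config" ClientAliveInterval 600 ' '
set_directive "$DIR/sshd_config" Protocol 2 ' '
set_directive "$DIR/login.defs" PASS_MAX_DAYS 90 ' '
set_directive "$DIR/login.defs" PASS_MIN_DAYS 7 ' '
set_directive "$DIR/profile" TMOUT 300 '='
set_directive "$DIR/bashrc" umask 027 ' '
echo "ClientAliveInterval=$(get_directive "$DIR/sshd_config" ClientAliveInterval)"   # 600
rm -rf "$DIR"
```

Rewriting every matching line rather than only the first is deliberate: sshd honours the first occurrence of a keyword, so a stale duplicate further down would otherwise silently override nothing while a stale one further up would win; for the umask case both branches of the if/else in /etc/bashrc get the new value and the file still parses.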
Test type: Panel monitoring is not enabled
Risk level: Low risk
Risk detail: System monitoring is not enabled; turn it on in [Monitor] - [System Monitor]
Solution:
1. Turn it on in [Monitor] - [System Monitor]
Test type: Website anti-cross-site detection
Risk level: Low risk
Risk detail: The following websites are not enabled for cross-site prevention: …
Solution:
1. On the [WebSite] page, [Settings]-[Site Directory], turn on the [Anti-cross-site attack (open_basedir)] function
Test type: PHP version leaked
Risk level: High risk
Risk detail: Risk-free
Suggest:
1. Set [expose_php] in the [php.ini] file to Off
Tips: This solution prevents the disclosure of sensitive information about the website and reduces the possibility of server intrusion.
by dev
aaPanel Management script
Stop
service bt stop
Start
service bt start
Restart
service bt restart
Uninstall
service bt stop && chkconfig --del bt && rm -f /etc/init.d/bt && rm -rf /www/server/panel
View current port of control panel
cat /www/server/panel/data/port.pl
Change port of control panel, e.g. 8881 (CentOS 6 operating system)
echo '8881' > /www/server/panel/data/port.pl && service bt restart
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 8881 -j ACCEPT
service iptables save
service iptables restart
Change port of control panel, e.g. 8881 (CentOS 7 operating system)
echo '8881' > /www/server/panel/data/port.pl && service bt restart
firewall-cmd --permanent --zone=public --add-port=8881/tcp
firewall-cmd --reload
Force to change MySQL manager (root) Password,e.g. 123456
cd /www/server/panel && python tools.py root 123456
Change control Panel login password,e.g. 123456
cd /www/server/panel && python tools.py panel 123456
Site Configuration location
/www/server/panel/vhost
Delete the domain bound to the control panel
rm -f /www/server/panel/data/domain.conf
Clean login restriction
rm -f /www/server/panel/data/*.login
View control panel authorization IP
cat /www/server/panel/data/limitip.conf
Stop access restriction
rm -f /www/server/panel/data/limitip.conf
View the domain bound to the control panel
cat /www/server/panel/data/domain.conf
Turn off control panel SSL
rm -f /www/server/panel/data/ssl.pl && /etc/init.d/bt restart
View control panel error logs
cat /tmp/panelBoot
View database error log
cat /www/server/data/*.err
Site Configuration directory(nginx)
/www/server/panel/vhost/nginx
Site Configuration directory(apache)
/www/server/panel/vhost/apache
Site default directory
/www/wwwroot
Database backup directory
/www/backup/database
Site backup directory
/www/backup/site
Site logs
/www/wwwlogs
Nginx
nginx installation directory
/www/server/nginx
Start
service nginx start
Stop
service nginx stop
Restart
service nginx restart
Reload
service nginx reload
nginx Configuration
/www/server/nginx/conf/nginx.conf
Apache
apache installation directory
/www/server/httpd
Start
service httpd start
Stop
service httpd stop
Restart
service httpd restart
Reload
service httpd reload
apache Configuration
/www/server/apache/conf/httpd.conf
MySQL
mysql installation directory
/www/server/mysql
phpmyadmin installation directory
/www/server/phpmyadmin
Data storage directory
/www/server/data
Start
service mysqld start
Stop
service mysqld stop
Restart
service mysqld restart
Reload
service mysqld reload
mysql Configuration
/etc/my.cnf
FTP
ftp installation directory
/www/server/pure-ftpd
Start
service pure-ftpd start
Stop
service pure-ftpd stop
Restart
service pure-ftpd restart
ftp Configuration
/www/server/pure-ftpd/etc/pure-ftpd
PHP
php installation directory
/www/server/php
Start (Please modify by PHP version, e.g. service php-fpm-54 start)
service php-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} start
Stop(Please modify by PHP version, e.g. service php-fpm-54 stop)
service php-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} stop
Restart(Please modify by PHP version, e.g. service php-fpm-54 restart)
service php-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} restart
Reload(Please modify by PHP version, e.g. service php-fpm-54 reload)
service php-fpm-{52|53|54|55|56|70|71|72|73|74|80|81} reload
Configuration(Please modify by PHP version, e.g. /www/server/php/52/etc/php.ini)
/www/server/php/{52|53|54|55|56|70|71|72|73|74|80|81}/etc/php.ini
Redis
redis installation directory
/www/server/redis
Start
service redis start
Stop
service redis stop
redis Configuration
/www/server/redis/redis.conf
Memcached
memcached installation directory
/usr/local/memcached
Start
service memcached start
Stop
service memcached stop
Restart
service memcached restart
Reload
service memcached reload
by dev
Installation Requirements:
KeyHelp Installation
Log on to your server with root user and execute the following command:
wget https://install.keyhelp.de/get_keyhelp.php -O install_keyhelp.sh ; bash install_keyhelp.sh ;
After executing the command, KeyHelp will guide you through the installation.
If you get the message "ERROR: The certificate of 'install.keyhelp.de' is not trusted.", you have to add --no-check-certificate as a wget parameter, or install the ca-certificates package with the command apt-get install ca-certificates. Installing ca-certificates is the safer choice, because --no-check-certificate disables verification of the server you download the installer from.
Welcome to your KeyHelp server control panel
Before you start setting up your server, here are some important tips to ensure the stability of your system.
by dev