Some security measures were integrated into the ePages package, like an integrity check and a new user concept. But ePages hosts (providers) need to ensure the security of the system. The following measures should be performed to ensure data security and restricted access.

The recommendations are mainly for c-systems (UNIX).

Open as Few Ports as Possible

  • Put as many ePages hosts as possible behind your firewall.

  • For any ePages hosts outside your firewall, open as few ports as possible.

  • Only a few ports should be accessible from the outside:

    80 (http), 443 (https) and 22 (ssh)

    Check this by using a port scanner, such as nmap:

    nmap -v YOUR_HOST.DOMAIN
  • Stop unnecessary services and/or restrict the access via your firewall. Run only necessary services. To show installed services:

    chkconfig --list
  • Install only necessary software (e.g. do not install X11). To show installed software:

    rpm -qa
  • Install updates from your operating system vendor.

Web Server

  • If possible, do not allow direct connections to the ePages web server. Use a load balancer instead.

  • Try to avoid web server denial-of-service attacks by configuring the web server properly and by using the Apache module mod_evasive.

  • It might be useful for you to use ModSecurity, an Intrusion Detection System for Apache.

Restrict Login and SSH Access

The following measures are listed in order of importance.

Very Important

  • Use SSH protocol version 2, set in /etc/ssh/sshd_config:

    Protocol 2
  • Do not allow root access, set in /etc/ssh/sshd_config:

    PermitRootLogin no
  • Allow only a few (best: only one!) unprivileged users SSH access by adding them to a specific group (say sshconn), then set in /etc/ssh/sshd_config:

    AllowGroups sshconn
  • After login, unprivileged users become root via the sudo su command.

  • Choose a user name that does not appear in any dictionary. Do not allow users ep_appl, ep_db, ep_web, ep_runapp, or ep_runweb to have an SSH login or to become root via su.

  • Do not allow login via password, but only via personalized SSH keys (optionally protected with a passphrase), set in /etc/ssh/sshd_config:

    PasswordAuthentication no
  • If possible, do not allow direct connections to the ePages hosts, instead use an SSH hopping station.

  • Configure SSH so that only connections from predefined IPs are allowed. Write to /etc/hosts.allow, for example:

    sshd: 127.0.0.1/32
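
The sshd_config settings listed above can be checked mechanically. The shell functions below are an added example, not part of the ePages documentation; the function names and the sample configuration are constructed for illustration, and files pulled in via Include are not followed.

```shell
# Added example: audit an sshd_config against the settings listed above.
# sshd keywords are case-insensitive and the first occurrence of a keyword wins.

# Print the global (pre-Match) value of keyword $2 in file $1, empty if unset.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # commented-out lines do not count
        tolower($1) == "match" { exit }          # Match blocks are conditional overrides
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report whether keyword $2 in file $1 has exactly the value $3.
check_setting() {
    actual=$(sshd_value "$1" "$2")
    [ "$actual" = "$3" ] && { echo "OK    $2 $actual"; return 0; }
    echo "FAIL  $2 is '${actual:-unset}', expected '$3'"; return 1
}

# Audit file $1 ($2 = SSH login group, default sshconn); returns the number of failed checks.
audit_sshd_config() {
    cfg=$1; group=${2:-sshconn}; failures=0
    check_setting "$cfg" PermitRootLogin no        || failures=$((failures + 1))
    check_setting "$cfg" PasswordAuthentication no || failures=$((failures + 1))
    check_setting "$cfg" AllowGroups "$group"      || failures=$((failures + 1))
    proto=$(sshd_value "$cfg" Protocol)
    case "$proto" in
        2)  echo "OK    Protocol 2" ;;
        "") echo "WARN  Protocol unset, verify this sshd build speaks version 2 only" ;;
        *)  echo "FAIL  Protocol is '$proto', expected '2'"; failures=$((failures + 1)) ;;
    esac
    return "$failures"
}

# Constructed sample config (not from a real host) with typical pitfalls.
write_sample_config() {
    cat > "$1" <<'EOF'
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes
AllowGroups sshconn
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
}

sample=$(mktemp); write_sample_config "$sample"
audit_sshd_config "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On a live host, compare the result with the output of sshd -T, which prints the configuration the daemon actually uses.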

Important

  • Disconnect idle sessions after a period of time. If you use bash as a login shell, set TMOUT. The shell will then terminate if no input arrives within TMOUT seconds. For example, set TMOUT in /etc/profile to 30 minutes:

    declare -rx TMOUT=1800
  • Check the log file /var/log/secure and explicitly block suspicious IPs.

  • Use the wheel group to limit the users who are able to su to root, see The Wheel Group.

  • Combat brute-force attacks with software such as SSH Autoblacklist via PAM.

  • Use one of the widespread tools available for exactly this purpose. DenyHosts in particular has a large user base and is well known.

    • DenyHosts

    • BlockSSHD

    • sshguard

  • Install an Intrusion Detection System, such as Tripwire or fcheck.

  • Check for root-kits, see chkrootkit.org.

Less Important

  • Disable sudo without terminal:

    visudo
    # make sure this line is present and not commented out:
    Defaults requiretty
  • Listen only to a specific IP address, set in /etc/ssh/sshd_config:

    ListenAddress 1.2.3.4
  • Specify IPv6 as address family and use a different port to hide SSH:

    AddressFamily inet6
    Port 2345