
Main supported software/technologies

Sample software and technologies which I use and know:
- Linux (Debian, Ubuntu, Centos, Red Hat)
- Unix (FreeBSD)
- network level II: configuration of switches from different vendors, e.g. Cisco, D-Link, Netgear; VLAN, STP, security, GRE tunneling
- network level III: static and dynamic routing (BGP, OSPF), IPv6, IPIP tunneling
- firewalls: iptables, ipfw, pf, shorewall, CSF
- VPNs: IPSec, OpenVPN, PPTP, PPPoE
- http servers: Apache, Nginx, Lighttpd, IIS
- databases: MySQL/MariaDB, PostgreSQL, MongoDB, Firebird
- email servers: Postfix, Exim, Sendmail, Zimbra
- proxy: Squid
- DNS: Bind, PowerDNS
- virtualization servers: jail on FreeBSD, OpenVZ, XEN, VMware
- hosting panels: ZPanel, cPanel, Webmin
- backups: Bacula, Rsnapshot, BackupPC, Rsync
- monitoring: Cacti, Mrtg, Nagios, Zabbix, Webalizer
- programming: Perl, shell, Lua
- other servers like: DHCP, SMB, FTP/FTPS, SVN


 

Complete server security which I apply consists of:
OS security
- Strong passwords on accounts, disabling the shell for accounts that do not need it
- Upgrades/patches
- Removing unnecessary services
- Removing unnecessary SUID/SGID
- Setting restrictions for partitions
- Lockdown cron
- Sysctl hardening
- Enabling SELinux
- Chrooting Bind if present
- Periodic checking by audit tools: Aide, Rkhunter, Tiger

Web/DB security
- HTTP server security: disable modules, disable Includes and CGI execution, install mod_security, mod_evasive and others
- PHP restrictions such as: disable remote code execution, disable dangerous functions, provide DoS control, control POST size, install the advanced protection system Suhosin and others
- Database security: restrict IP access, set passwords for everyone, make permissions as restrictive as possible, chmod 700 on datadir, remove anonymous accounts and test DBs and others
- Periodic vulnerability audit performed by a security scanner to find potential holes
- WordPress, Joomla security: double password access to manage the site, htaccess with protections, file permissions, security plugins, upgrades, non-default names and others

Network security
- Strong passwords on accounts
- SSH only from allowed IPs
- Disable unnecessary services/ports
- Disable display of software versions
- Sysctl hardening e.g. SYN cookie protection, disable routing redirects, enable RPF and others
- Only encrypted connections like: HTTPS, IMAPS, FTPS, SSH, VPN
- Serious firewall (CSF) with many protections: flooding, ping of death, DDoS, file integrity, port scanning, exploit checking, blacklisted IP rejection and others
- Fail2ban against brute force for every service
- IDS/IPS application for malicious traffic protection

After applying the above, you can be really calm about the security of your server.
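
One way to check the "Sysctl hardening" item from the Network security list, as an added example that is not part of the original page. The four keys and values are an assumed Linux baseline for SYN cookie protection, disabled routing redirects and RPF; the function name `audit_sysctl` and the sample config are constructed for illustration.

```shell
# Assumed baseline for the settings named in the list (one key=value per line).
REQUIRED='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1'

# audit_sysctl FILE: print OK/WEAK/MISSING for each required key in a
# sysctl.conf-style file. Exit status is 0 only when every key matches.
audit_sysctl() {
    printf '%s\n' "$REQUIRED" | awk -v conf="$1" '
        BEGIN {
            bad = 0
            # Load the config: skip comments and blank lines, trim spaces
            # around "=", and let a later assignment override an earlier one.
            while ((getline line < conf) > 0) {
                sub(/^[ \t]+/, "", line)
                if (line == "" || line ~ /^[#;]/) continue
                eq = index(line, "=")
                if (eq == 0) continue
                k = substr(line, 1, eq - 1)
                v = substr(line, eq + 1)
                gsub(/[ \t]+/, "", k)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                seen[k] = v
            }
            close(conf)
        }
        {
            split($0, want, "=")
            if (!(want[1] in seen)) {
                print "MISSING " want[1] " (want " want[2] ")"; bad = 1
            } else if (seen[want[1]] != want[2]) {
                print "WEAK " want[1] "=" seen[want[1]] " (want " want[2] ")"; bad = 1
            } else {
                print "OK " want[1] "=" want[2]
            }
        }
        END { exit bad }'
}

# Constructed sample config: one weak value, one missing key, one override.
sample=$(mktemp)
cat > "$sample" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects=1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.rp_filter = 1
EOF
audit_sysctl "$sample" || echo "hardening gaps found"
```

The same function can be pointed at /etc/sysctl.conf or a file under /etc/sysctl.d/; it only reads the file and does not change kernel settings.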