Security through obscurity.
- Don't use descriptive DNS entries. I have seen many companies with descriptive DNS entries where there is no requirement for them, and such names can point someone straight at the most critical elements of your network. Examples are router.domain.tld, firewall.domain.tld and pptp.domain.tld. DNS naming conventions impose no requirement here, so when you pick the names for these and other servers, keep in mind that automated attacks may single out descriptive names like smtp.domain.tld. Sure, descriptive DNS entries make the hosts easier to remember, but why take the risk when even a simple naming-convention change could save you some grief? Use something like 01router.domain.tld or routera.domain.tld instead. You get the idea.
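As an added example (not from the original article), the following shell script uses awk to review a BIND-style zone file and flag every A, AAAA or CNAME record whose leftmost label is a role word such as router or smtp. The word list and the sample zone are constructed for this example; the script assumes each record line starts with its own owner name.

```shell
#!/bin/sh
# Added example, not part of the original article: review a BIND-style zone
# file for hostnames that advertise a host's role. The word list and the
# sample zone below are constructed for this example.

# Leftmost labels that describe what a host does (constructed list; extend it).
SERVICE_WORDS="router firewall pptp vpn smtp mail ftp ssh telnet webmin plesk mysql db admin backup"

# flag_descriptive_names ZONEFILE
# Prints the owner name of every A, AAAA or CNAME record whose leftmost label
# exactly matches a word in SERVICE_WORDS (case-insensitive). Names such as
# 01router pass, because the label is compared whole, not as a substring.
# Assumes every record line begins with its owner name.
flag_descriptive_names() {
    awk -v words="$SERVICE_WORDS" '
        BEGIN { n = split(words, w, " "); for (i = 1; i <= n; i++) bad[tolower(w[i])] = 1 }
        /^[[:space:]]*(;|$)/ { next }               # comments and blank lines
        $1 == "$ORIGIN" || $1 == "$TTL" { next }    # zone directives
        $1 == "@" { next }                          # the zone apex itself
        {
            # Records look like "owner [ttl] [class] TYPE rdata"; locate TYPE.
            t = ""
            for (i = 2; i <= NF && t == ""; i++)
                if ($i == "A" || $i == "AAAA" || $i == "CNAME") t = $i
            if (t == "") next
            split($1, lab, ".")
            k = tolower(lab[1])
            if (k in bad) print $1
        }
    ' "$1"
}

# write_sample_zone FILE
# Writes a constructed zone so the check can be tried offline.
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN example.tld.
$TTL 3600
@          IN SOA   ns1 hostmaster 2024010101 3600 900 604800 86400
@          IN NS    ns1
ns1        IN A     192.0.2.1
router     IN A     192.0.2.2
01router   IN A     192.0.2.3
firewall   IN A     192.0.2.4
www        IN A     192.0.2.10
smtp       IN CNAME mx1
mx1        IN A     192.0.2.11
EOF
}

# Usage: sh flag-names.sh /path/to/zonefile
if [ "$#" -gt 0 ]; then
    flag_descriptive_names "$1"
fi
```

On the sample zone the script reports router, firewall and smtp, and leaves 01router, www and mx1 alone; run it against your real zone files and rename whatever it lists.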
- Don't run ssh, ftp, telnet, plesk, or webmin on a standard port, or you run the risk of being the victim of an automated attack. Any service that listens can run on a non-standard port. Of course www, smtp and the like should stay on their standard ports, but almost everything else can be moved to a different port. Network devices such as routers, firewalls and web accelerators should have their administration interface disabled or configured on a different port.
- Changing the port that sshd listens on.
- Edit the /etc/ssh/sshd_config file and change the port to something other than 22, and make sure only protocol 2 is enabled. Set PermitRootLogin no to deny root logins; this requires users to either su to root or use sudo for superuser commands.
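To check that an existing sshd_config actually matches the three settings above, here is an added shell example that is not from the original article. It reads the file with awk using sshd's own first-value-wins rule, skips Match blocks rather than evaluating them (an assumption, since their settings apply conditionally), expects plain "Keyword value" lines, and ships with constructed weak and hardened samples to try it on.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an sshd_config for
# the three settings discussed above (Port, Protocol, PermitRootLogin).
# Assumes "Keyword value" lines; settings inside Match blocks are skipped
# because they apply conditionally.

# audit_sshd_config FILE
# Prints one finding per line and returns 1 if there were any, 0 otherwise.
# Like sshd itself, the first value seen for a keyword wins, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".
audit_sshd_config() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }  # conditional section starts
        in_match { next }
        {
            k = tolower($1)
            if (!(k in val)) val[k] = $2               # first value wins
        }
        END {
            n = 0
            if (!("port" in val) || val["port"] == "22") {
                print "Port: still 22; set Port to a non-standard value"; n++
            }
            if (!("protocol" in val) || val["protocol"] != "2") {
                print "Protocol: not pinned to 2 (older sshd builds still offer protocol 1 unless told otherwise)"; n++
            }
            if (!("permitrootlogin" in val) || tolower(val["permitrootlogin"]) != "no") {
                print "PermitRootLogin: not set to no; require su or sudo instead"; n++
            }
            exit (n > 0)
        }
    ' "$1"
}

# write_sample_sshd_config FILE weak|hardened
# Writes a constructed sample configuration for trying the audit offline.
write_sample_sshd_config() {
    if [ "$2" = "hardened" ]; then
        cat > "$1" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
EOF
    else
        cat > "$1" <<'EOF'
# Port is commented out, so sshd falls back to its default of 22
#Port 22
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
EOF
    fi
}

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

The weak sample produces three findings, including PermitRootLogin, even though a "no" appears later in the file; the hardened sample produces none. Remember to restart sshd after editing, and keep your current session open until you have confirmed you can log in on the new port.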
- To change the port for Webmin, log in and do the following.
- Log on to Webmin
- Click on the Port and Address icon on the module's main page
- Change the port number by entering a number into the Listen on port field
- Hit the Save button to use the new settings.
- Changing the port on Plesk is not recommended by the manufacturer; however, you can do it.
- Edit the Apache configuration file %plesk_dir%admin/conf/httpd.conf
- Find the line Listen 8443
- Replace with Listen IP.ADDRESS:8444 or whatever port you would like to use.
- NOTE: In the case of Plesk running on Virtuozzo Virtual Environment, port changing can lead to VZPP-Plesk integration failure.
Securing /tmp with its own non-executable filesystem is quite an important step, so don't leave this out.
- Make a 300mb file to hold the tmp filesystem; you can adjust this if you need more space.
cd /dev
dd if=/dev/zero of=tmpfs.img bs=1024 count=300000
mke2fs /dev/tmpfs.img
- Backup the current tmp directory contents
cp -pR /tmp /tmp.old
- add the following line to /etc/fstab
/dev/tmpfs.img /tmp ext2 loop,nosuid,noexec,nodev,noatime,rw 0 0
- Mount the new filesystem on /tmp and copy the files back (preserving ownership and permissions), then link /var/tmp so it's secure also.
mount -o loop,nosuid,noexec,nodev,noatime,rw /dev/tmpfs.img /tmp
chmod 1777 /tmp
mount -o remount /tmp
cp -pR /tmp.old/* /tmp/
rm -rf /var/tmp
ln -s /tmp /var/tmp
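Once /tmp is mounted, it is worth proving that the options took effect rather than trusting fstab. The following shell script is an added example, not from the original article: one function reads a /proc/mounts-style table and reports which of nosuid, noexec and nodev a mountpoint lacks, and a second drops a tiny script into /tmp and confirms the kernel refuses to run it. The mount table it ships with is constructed; the exec check only means something on the host itself.

```shell
#!/bin/sh
# Added example, not part of the original article: confirm that /tmp really
# carries the protective mount options and that programs cannot run from it.
# The sample mount table below is constructed.

REQUIRED_OPTS="nosuid noexec nodev"

# check_mount_opts MOUNTS_FILE MOUNTPOINT
# Reads a /proc/mounts-style table (device mountpoint fstype options ...)
# and prints each option from REQUIRED_OPTS that MOUNTPOINT lacks.
# Returns 0 if the mountpoint is fully protected, 1 if anything is missing
# or the mountpoint is not a separate mount at all. If the mountpoint is
# listed more than once (an over-mount), the last entry wins, as in the kernel.
check_mount_opts() {
    awk -v mp="$2" -v req="$REQUIRED_OPTS" '
        $2 == mp {
            found = 1
            split("", have)                   # reset for the later entry
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1
        }
        END {
            if (!found) { print mp ": not mounted separately"; exit 1 }
            bad = 0
            m = split(req, r, " ")
            for (i = 1; i <= m; i++)
                if (!(r[i] in have)) { print mp ": missing " r[i]; bad = 1 }
            exit bad
        }
    ' "$1"
}

# check_tmp_exec
# Returns 0 when executing a file placed in /tmp is refused (what noexec
# guarantees), 1 if it ran anyway, 2 if the check could not be set up.
check_tmp_exec() {
    t=$(mktemp /tmp/noexec-check.XXXXXX) || return 2
    printf '#!/bin/sh\nexit 0\n' > "$t"
    chmod 700 "$t"
    if "$t" 2>/dev/null; then
        rm -f "$t"
        return 1
    fi
    rm -f "$t"
    return 0
}

# write_sample_mounts FILE
# Writes a constructed /proc/mounts-style table for trying the check offline.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext2 rw,nosuid,nodev,noexec,noatime 0 0
/dev/sdb1 /data ext4 rw,nosuid 0 0
EOF
}

# Usage on the host: sh check-tmp.sh /proc/mounts
if [ "$#" -gt 0 ]; then
    check_mount_opts "$1" /tmp
    check_tmp_exec && echo "/tmp: exec refused"
fi
```

In the sample table /tmp passes, /data is reported as missing noexec and nodev, and a mountpoint that is not listed is reported as not mounted separately. On a live host, point it at /proc/mounts; the exec check should also pass for /var/tmp once the symlink is in place, since it resolves to the same filesystem.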
If you need further assistance with this or any other open source application or issue, the experts at Pantek Inc. are available 24/7 at email@example.com, 216-344-1614, and 877-LINUX-FIX.