Enterprise Server Hardening
Check Server Security
CHKRootKit : Detects hacker software and notifies via email
RootKit Hunter : A tool which scans for backdoors and malicious software present on the server.
APF or CSF : A policy-based iptables firewall system used for the easy configuration of iptables rules.
SSH Securing : For better security of SSH connections.
Host.conf Hardening : Prevents IP spoofing and DNS poisoning
Sysctl.conf Hardening : Prevents SYN flood attacks and other network abuses.
FTP Hardening : Secure FTP software by upgrading to the latest version
TMP Hardening : Hardening /tmp, /var/tmp, /dev/shm to prevent the execution of malicious scripts and code.
PHP Tightening : Tweak PHP by changing the parameters of php configuration for better security and performance.
PHP Upgrade : Compile PHP to its latest stable version, which increases server security.
Shell Fork Bomb/Memory Hog Protection : Protection against Telnet/SSH users using all of the server resources and causing a system crash.
Update Control Panel to the latest version
Install Logwatch for investigating any suspicious activity on the server
Turn off unused services and daemons
Disabling Chargen to stop the server from being misused by an attacker in their efforts to disrupt another server.
ClamAV : A cross-platform antivirus toolkit able to detect many types of malicious software, including viruses
Notification of root access when someone logs in as root on the server, along with the timestamp and IP address information.
Email Password Scan
Logwatch : Install Logwatch and review logwatch emails. Investigate any suspicious activity on the server.
IFTOP : Install IFTOP, which displays a frequently updated list of network bandwidth utilization (source and destination hosts) passing through the network interface
Turn off compilers. Most rootkits come precompiled, but not all of them do. It will also prevent shell users from trying to compile any IRC-related programs.
Enable PHP open_basedir Protection : PHP open_basedir protection prevents users from opening files outside of their home directory with PHP.
Network Socket Inode Validation (NSIV)
A rule-based utility intended to aid in the validation of inodes against each LISTEN socket on a system.
Linux Environment Security (LES)
Helpful in enforcing root-only permissions on system binaries (binaries that have no place being executed by normal users), enforcing root-only path traversal on system paths, enforcing the immutable bit on essential rpm package contents (i.e., coreutils), and enforcing the immutable bit on shell profile scripts.
Mail Server Hardening
Setting the sender header when the email sender tries to spoof the sender
Adding MailHeaders for PHP
Stopping spoofing from webmail and SMTP authenticated users
Dictionary attack protection
Reject remote mail sent to the server's hostname
Attachments: Filter messages with dangerous attachments
Scan messages for malware from authenticated senders
Scan outgoing messages for malware
Enable SMTP Restrictions
Configure high failure rate protection
Experimental: Rewrite From: header
Configure the max hourly emails settings
Installation/configuration of SpamAssassin & ClamAV, Realtime Blackhole Lists (RBLs), dictionary attack protection and rate limiting
Mod Security (On Request)
ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure.
Mod Evasive (On Request)
Mod Evasive is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS attack or brute force attack. It is also designed to be a detection and network management tool and can be easily configured to talk to ipchains, firewalls, routers, and more.