Basic SSH Security

June 28th, 2007

There are a few ways to sort out server security, but one of the major ways to harden your server is to secure SSH. On a default machine you log in as root directly, on the default port. This means you are susceptible to brute force and all sorts of other attacks. What I am going to write is a short and simple guide about how to secure your SSH and what each step does. You don't have to do all of these, although I would strongly recommend doing the steps below.

1. Changing SSH Protocol

I guess a good place to start would be the differences between the two SSH protocols (1 and 2), as not many people know this. You don't need to know, but I think you should know the reasons you are doing this. I will try to cut the crap out of it and keep it simple. Basically SSH2 uses separate protocols for transport, authentication and connections, splitting all your data up and making it just that little bit more secure. It also has stronger cryptographic integrity checks and better encryption. Basically what I am trying to say (but in tech talk) is that this is one change you should always make. Now let's get on to making the change.

Step 1) Use nano, pico or vi (your favourite text editor) to open up /etc/ssh/sshd_config for editing

Step 2) Find the line #Protocol 2,1

Step 3) Uncomment the line and change it to

Protocol 2

2. Changing the SSH port

This is what we like to call security by obscurity: it is one extra thing the hacker has to guess before he can get in, although in practice a port scan would be able to find the port. However, I have found that changing the port does stop a lot of brute force attacks from occurring.

NOTE: Make sure you add the port you want to use to the firewall and/or add yourself to the allow list, so you can connect to the new port and don't lock yourself out.

Step 1) Again open up /etc/ssh/sshd_config with your favourite editor

Step 2) Find the line #Port 22

Step 3) Uncomment the line and replace it with the following (where port 2777 is a random, unused port)

Port 2777

NB: To find out whether a port is already in use, run the command lsof -i:portnumber, e.g. lsof -i:2777

3. Disable Direct Root Login

Unlike the other steps we have done, this requires a bit more than editing the config file, but it's not hard so don't worry about it. Again this is a little bit of security by obscurity, adding an extra layer the hacker/cracker has to get through if he wants access to your machine, making it that bit harder.

A lot of other guides you will see will tell you to add a cPanel account etc., but let's just make it easier, shall we.

Step 1) Type the following in SSH, replacing sekadmin with a username of your own choosing

adduser sekadmin

Step 2) Now let's give sekadmin a password

passwd sekadmin

You will now be given a password prompt twice. Make sure the password is not a dictionary word; I would recommend looking at my password article for how to pick a good one.

Step 3) Now we need to give sekadmin the correct privileges so he can su - to root.

Step 4) Open up /etc/group with your favourite text editor. Find the line that starts with "wheel" and add your username at the end of the line. Then save and close the file.

Step 5) Now you will need to test that the login works, so open a NEW ssh session (keep the current one open) and try to connect using the username you just created. Once logged in, type "su -" and then the root password to see if that works. If it does, everything went ok and you can continue on to the next step.

Step 6) Once again open up our favourite file /etc/ssh/sshd_config in your text editor

Step 7) Find the line #PermitRootLogin yes, uncomment it and change it to no.

Other Methods

There are also some other methods that you can use. One of the other methods I like to use is binding SSH to an IP. If you do this, the best thing to do is use a spare IP that is not being used by a website. This will offer the most security.

Another great thing to do is to disable password logins totally and use an ssh key. I will not write anything about that here, because it can be a blog post of its own for a rainy day ;)

AFTER all changes

Just before I forget: to make all your changes take effect you will have to restart sshd

service sshd restart
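The three sshd_config edits from sections 1 to 3, plus a syntax check before the restart, as an added example that is not part of the original post. It assumes the file path and port are passed in (2777 is the post's example value), and the sample config it edits is constructed; note that recent OpenSSH releases have removed protocol 1 from the server entirely and ignore the Protocol directive, so that edit only matters on the older versions this post was written for.

```shell
#!/bin/sh
# Added example, not from the original post: apply the three sshd_config edits
# (Protocol 2, Port, PermitRootLogin no) idempotently and read back what sshd
# will use. The port 2777 and the sample config below are constructed values.

# set_directive FILE KEY VALUE
# sshd takes the FIRST active occurrence of a keyword, so rewriting the first
# "Key ..." or "#Key ..." line is enough; the keyword is appended if absent.
# Keywords are case-insensitive, so the match lower-cases both sides.
set_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; pat = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)" }
        !done && tolower($0) ~ pat { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" || return 1
    # overwrite in place so the file keeps its mode and ownership
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# effective_value FILE KEY: the value sshd would take (first uncommented match)
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT: sections 1 to 3 of the post in one call
harden_sshd_config() {
    set_directive "$1" Protocol 2 &&
    set_directive "$1" Port "$2" &&
    set_directive "$1" PermitRootLogin no
}

# check_sshd_config FILE: let sshd validate the file (sshd -t) before the
# restart; a typo in sshd_config would otherwise stop sshd and lock you out.
check_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"
    else echo "sshd not installed here; skipping syntax check"; fi
}

# Walk-through on a constructed config resembling a stock file of that era.
demo() {
    cfg=$(mktemp) || exit 1
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config, not a real server's file
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#PermitRootLogin yes
X11Forwarding yes
EOF
    harden_sshd_config "$cfg" 2777
    printf 'Protocol=%s Port=%s PermitRootLogin=%s\n' \
        "$(effective_value "$cfg" Protocol)" "$(effective_value "$cfg" Port)" \
        "$(effective_value "$cfg" PermitRootLogin)"
    check_sshd_config "$cfg" || echo "sshd rejected the config; fix it before restarting"
    rm -f "$cfg"
}

demo
```

Running the functions a second time changes nothing, so the script can be re-run safely after a package upgrade drops a fresh sshd_config in place.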

Outsourced Support

June 25th, 2007

As one of our new features is outsourced support, I thought I should say a bit about it. First off, back in the day when I worked for a big hosting company at a datacenter, it was all on-site staff; they had a great thing going and everyone was happy, but then the management changed and of course so did the staff. Instead of staying "on-site", they were one of the first hosting companies to start outsourcing.

Obviously at first this made me pretty angry, and I didn't like the outsourcing market because they stole my job. But almost 8 years on now, I have had a lot of experience in many ways with outsourced staff. The experience I remember most was in 2002-04, when I was the team leader of an outsourced team located in Pakistan. I obviously was not too thrilled, but I needed a job so could not turn it down. I was scared that their language would be terrible, that they would be lazy and not very skilled due to the low pay. I basically thought all of the bad things you could about outsourced staff, but that all changed.

I will admit the first few weeks were a bit rough, fitting in and getting the staff to listen to me, but once we got over the first few hurdles I was pretty surprised. Firstly, they were skilled and worked insanely hard; I would hire them over most other admins I have worked with, if I didn't prefer on-site staff. They were efficient, quick, and learnt very quickly. Okay, so that's good you may say, but what's the point if their English is no good? Well... it was. It was pretty good. It was not as good and as fluent as someone whose first language is English, and sometimes they sounded a bit over-professional and not personal, but overall it was great. What was even better was that if I corrected them they never made the mistake again. It was like a dream team... And there went my fear of outsourced hosting; I believe in it so much that I have even started offering it on our website.

Some companies do need on-site techs and for them it is a much better situation, but in my honest opinion, for the smaller companies outsourcing is the better option: it's more cost efficient and allows companies to focus on other things, like sales or new services. I guess this post was for once a bit of an "advertisement", so I will cap it off with this: if you have any problems or questions, just ask us. We can even set up interviews now for outsourced staff, so it would be just like hiring your own staff member.

Long Time No Blog - Lots of changes

June 20th, 2007

Well, it's been a long time since I last graced myself with having to write a blog post, and I guess that is due to many reasons. One of them is the fact that I was away for 2 months in Australia for a little bit of business, and the other is that I have been busy adding new features to the site to make us one step above everyone else. Before I start talking about the new features that have either been introduced or will be introduced soon, I would like to set out the aim that this blog will receive at least 3 posts a week. However, only time will tell if I can actually keep up with that.

One of the big changes that has happened recently was the new website and the price structure changes. I think I will just tell people why we changed the prices a little. The reason for the change was that managing a cPanel system is so much easier than managing a system with no control panel or with Plesk, but we were charging the same price. This basically meant that it was hard for us to lower response times and keep the quality high. We did not change the prices for clients on the old price plan because we have a policy that your price will never go up, only down!

Along with the new web design we have added a few new features and plans that will soon be hitting it big time (we hope). The first one of these I will talk about is reselling SoftLayer servers. I have been a fan of SoftLayer ever since I got my first server with them, which was quite a while back now, near when they started. So recently we started to resell their services with our administration slapped on top. We do not mark up the price of the server, and you get a discount on our administration plans. So everyone wins :D

One thing that I am excited about is the outsourcing. We have just started to offer outsourcing, but with a bonus above everyone else: every admin that is part of our outsourcing team has spent at least 4 months on the seeksadmin helpdesk, so you can be pretty sure they can deal with the hardest of problems. We believe we are competitively priced, which means that we are not the most expensive out there, but not the cheapest either.

I have a lot more news, but for now I will leave it at this and keep something to post about in future blogs.

Passwords

January 30th, 2007

A common problem for many people is remembering their passwords while at the same time making them cryptic enough. I thought I would share my password "remembering" techniques with you, which will help you keep things secure. There are three main methods you can use, and I will describe them below.

Rhythm/Pattern

Now it may sound weird to have rhythm in your password, but when you think about it, it isn't too strange. It is all about memory, and you are more likely to remember a password when it has some rhythm to it. For example, remembering a password such as

sardines0012a

is not going to be easy (at least I don't think so), whereas if you have a password with rhythm/a pattern

sand00handx

it's much easier to remember.

Words

Another method that can also be very easy to use is to remember a word and then add your birth date on the end. An example of this is

Seeksadmin1980

This is very effective and very easy to remember, as it's 2 very memorable facts. It is also pretty hard to guess unless you know what word I used and what number (it doesn't have to be a birth date, it could be the date you ordered the server).

Pattern

Now this is my favourite and preferred method. This is also different to the pattern/rhythm method I described above. So what is it about? Well, that's pretty simple: you make a pattern on your keyboard. Here is an example

!"£$%67890

If you are very clever you will have noticed that this is holding the shift key while pressing 1 to 5, then letting go of shift and pressing the rest of the numbers. It is very easy to remember as it's just a pattern on the keyboard. It does not really require you to remember each number/letter, just the pattern. The last example I'll give is

zaqwsx.;[]'/

which is z -> q, w -> x, , -> [, ] -> /. This type of password is pretty much impossible to guess, and yet in my opinion is one of the easiest to remember.

Other Tips

Vary the methods you use for remembering your passwords and, of course, vary the passwords you use. Whether it's something simple such as changing 1 digit for each server or adding the server name on the end of the password, it is important that the servers have different passwords. If you have a secure password, that is one less way a hacker can gain access to your system.

Script in Beta

January 30th, 2007

Yesterday I was very excited and released a project we have been working on for some time. This is a tool for our fully managed clients which should help them manage their server, and also see what we are doing to it. It also helps us a lot by giving us a central database from which to check your servers.

Features

  • Server stats with graphs - This helps us ascertain the performance of your machines to see if there are any problems, but it also helps you check if/when you have any load spikes or other such problems, and when your server is being used the most.
  • Remote Reboot - With this new tool we have managed to give clients without a remote reboot option from their host the use of ours instead. This is useful as it will work if you can't log in to SSH but can still ping the server.
  • Remote MRTG installation - If our graphs are not enough for you, then you can install MRTG with our configuration at the touch of a button. This will automatically install MRTG on your server. We do advise that if you do this you get one of our qualified admins to check it out to make sure everything is ok.
  • Server Specs/Stats - You will also be able to see the specification of your server and your kernel version, in case you were confused or needed to know what they were. You can also see the free disk space and the load at last check.
  • Server Logs - In this section of the tool you will be able to see the daily logs of all the security scans that have taken place. This allows you to check that your server is secure and that we are doing our job.

We are looking to add many new features to this as it expands. If you have any ideas or see any bugs, please do open a ticket by emailing support.

Simple Server Security

December 26th, 2006

I am sure many of you will be thinking that it is our job to secure your servers, and you are right, but much of this you need to know and it will do no harm in you knowing it. If you don't feel like you can do anything here, just open a ticket and we will do it for you. Everything here is pretty simple, and this will be good for anyone who wants to learn and be slightly more independent.

This guide is mainly for WHM and cPanel, as these things are made much easier with cPanel and WHM; however, we can do them even if you don't have it.

1. Shell Limits

You should enable shell resource limits to prevent users from consuming all the server's resources; DDOS exploits typically do this. A quick way to set this if you use WHM is to log in to WHM as root and go to Shell Fork Bomb Protection.

2. Background Process Killer (People using WHM)

In WHM, enable each item in WHM -> Background Process Killer to remove any IRC or other malicious bots.

3. Apache

In Apache, RLimitCPU and RLimitMEM should be set to stop any spammers or DDOSers using all the processes on your server. You can do this in WHM on the Modify Apache Memory Usage page.

You should also make sure that mod_userdir is disabled apart from one main domain, or just make sure it's disabled totally; otherwise hackers may use it to try and hide their activities.

You should also enable SUEXEC to reduce the risk of hackers accessing all your sites if the server is compromised.

4. PHP

In php.ini (you can find its location via a phpinfo file) you should change enable_dl to Off. This prevents users from loading PHP modules that affect everyone on the server. Note: if you use dynamic libraries like ionCube, you will have to load them directly from php.ini.

You should also change disable_functions to

disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Some web scripts break with these disabled, so you may have to remove a few, but these functions are dangerous.

You need to make sure PHP open_basedir is enabled. In WHM you can do this via WHM -> Tweak Security -> php open_basedir tweak. This prevents PHP scripts from straying outside of their account.

PHPSuExec can reduce the risk of hackers accessing all the sites on the server via a compromised PHP web script. There are some side effects of this, but it is a much safer method. If your server is full I would not recommend it, but on brand new servers this is the best thing to do as it's safer.
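A small audit of the three php.ini settings discussed in this section (enable_dl, disable_functions and open_basedir), as an added example that is not part of the original post. The php.ini fragment it reads is constructed, and the function list it checks against is the one given above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini against the three
# settings in section 4 (enable_dl, disable_functions, open_basedir) and report
# exactly what still needs changing. The sample php.ini below is constructed.

# ini_value FILE KEY: trimmed value of the first active "key = value" line;
# ';' comment lines, [section] headers and trailing ';' comments are ignored.
ini_value() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ || /^[ \t]*\[/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = substr($0, index($0, "=") + 1); sub(/[ \t]*;.*$/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/"/, "", v); print v; exit
        }' "$1"
}

# The post's list; missing_disabled_functions FILE prints, one per line, the
# names disable_functions does not yet cover (empty output = fully covered).
WANT_DISABLED="show_source system shell_exec passthru exec phpinfo popen proc_open"
missing_disabled_functions() {
    have=$(ini_value "$1" disable_functions | tr ',' '\n' | tr -d ' \t')
    for f in $WANT_DISABLED; do
        printf '%s\n' "$have" | grep -qx "$f" || echo "$f"
    done
}

# audit_php_ini FILE: one PASS/FAIL line per check; returns 1 if anything failed.
# Caveat: the WHM open_basedir tweak sets the directive per virtual host in the
# Apache config, not in php.ini, so on cPanel boxes check there as well.
audit_php_ini() {
    rc=0
    dl=$(ini_value "$1" enable_dl)
    case $(printf '%s' "$dl" | tr 'A-Z' 'a-z') in
        off|0|false|no) echo "PASS enable_dl = $dl" ;;
        *) echo "FAIL enable_dl should be Off (found '${dl:-unset}')"; rc=1 ;;
    esac
    missing=$(missing_disabled_functions "$1" | tr '\n' ' ')
    if [ -z "$missing" ]; then echo "PASS disable_functions covers the list"
    else echo "FAIL disable_functions still allows: $missing"; rc=1; fi
    ob=$(ini_value "$1" open_basedir)
    if [ -n "$ob" ]; then echo "PASS open_basedir = $ob"
    else echo "FAIL open_basedir not set; scripts may read outside their account"; rc=1; fi
    return $rc
}

# Walk-through on a constructed php.ini fragment (expected: three FAIL lines).
demo() {
    ini=$(mktemp) || exit 1
    cat > "$ini" <<'EOF'
; constructed sample php.ini fragment, not from a real server
[PHP]
enable_dl = On
disable_functions = system, exec,passthru ; left over from an old setup
;open_basedir = /home
EOF
    audit_php_ini "$ini"
    rm -f "$ini"
}

demo
```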

5. Control Panel

Make sure your control panel is updated to the latest stable version regularly.

Make sure that SSL login is forced, i.e. the secure ports. In WHM you can do this via WHM -> Tweak Settings -> Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail etc.

Make sure BoxTrapper is DISABLED. The reason for this is that if it's enabled you can easily be listed in an RBL, and it usually has the effect of increasing the overall spam load rather than reducing it.

Make sure you have some sort of limit on the number of emails sent per hour.

Make sure users CANNOT reset passwords via email.

New Category

December 12th, 2006

Today I decided to make a new blog category called Datacenter Reviews. The reason is that I think it is my business to know which datacenters are good and which are bad. I do this because many clients ask me where to host, and of course they trust my recommendations, so here I am trying to give a decent view, with as much detail as possible, of each datacenter I have some recent experience with.

At the end of the day this is to help you make your decisions. I will try to keep it up-to-date as I buy more servers in different places, and hopefully it will turn into a nice little resource for you guys when you look for some new servers.

Hope you enjoy!

LayeredTech Review

December 12th, 2006

LayeredTech

I only have one server with LayeredTech and can't really give a proper review, I guess.

Sales - n/a

I did not attempt to contact sales, as I know they are a good provider and also know their network pretty well and quite a bit about them.

Hardware/Support - 7/10

This is just a hardware score, as I have not submitted any support requests yet. Their hardware is good, but they don't offer some of the most up-to-date hardware available.

Network - 10/10

Their network is great and very reliable. I have never had a problem, and I get great pings from the UK and some of the best transfer speeds.

Summary

I still reserve judgement on them, but so far everything seems good.

DedicatedNow Review

December 12th, 2006

DedicatedNow

I have 3 servers here: one mail server, one backup server and one test server.

Sales - 5/10

Initially, before I was a customer, sales was really non-existent: live chat was never online (even when I was up late, making it working time for them) and emails were replied to within 24 hours, which is pretty slow for me.

However, now that I am a client, sales has been very good; if I open a ticket asking a question (most of them have been asking for custom setups) they have replied quickly and given me some pretty good deals.

Hardware/Support 6/10

I have never really used the support, so this is judged solely on hardware.

For 2 of my servers I have had no hardware problems, but on one server I had a hardware failure within 24 hours of ordering it. Not the most comforting thing. But the hard drive was replaced and the old one mounted as a slave so we could get the data we had uploaded off it. I was relatively pleased with that.

One thing that I am a bit... disappointed with is the cost of OS reloads. My test server costs me $53 per month and an OS reload costs $75 one time. For that reason this test server is the last I get here.

Network 10/10

The network has been great. Speeds are good to other places in the US and for me in the UK, and there has been no network downtime, which is just what I want for my backup servers.

Summary 6/10

I still highly recommend these guys to most people because they have a good network and they are making vast improvements to their system. They are a very good budget provider, and are my "budget" provider of choice.

Softlayer Review

December 12th, 2006

Softlayer

I have been with SoftLayer for 8 months now and have a total of 7 servers there.

Sales - 10/10

Sales is always the first point of call when you are trying to get a new server, and I can tell you here and now that SoftLayer have the best sales team I have ever dealt with. Even if I just need a backup server with low specs, I somehow manage to walk out of the chat with a server about 3 times the specs that I needed/wanted. You may think that this is bad, so to speak, but it is amazing sales work.

I usually deal with Amanda and Mary, and I think they are amazing. I don't know how many times they have got my server up quicker than they promised or sorted some deal out for me. I think I have something like 3 free hard drives, a few gigs of RAM free and one 100mbit port free; they really do cut you a deal.

On the first server I had there, they had run out of the spec I wanted, so they gave me a better server for exactly the same price.

Hardware/Support - 9/10

Support reply quickly, and tickets have been replied to within a few minutes. I have not really submitted anything particularly taxing, so I am not sure how good they are at that, although they do have a $3 system admin option which I can imagine is very useful, and the reviews of it are great.

Hardware has been top quality, and apart from one IPMI problem I have had no hardware issues.

Hardware additions such as RAM, processor or hard drive are done quickly and are scheduled easily, which is great. I have had one problem with this, and that was not really a big problem: I asked for an extra GB of RAM to be added on a Monday and it was done on the Saturday when I was not there. It was done quickly, however, with no problems, and it was investigated afterwards (why it was done earlier).

Network - 8/10

This is the big kicker for everyone, it seems, and there are a lot of questions being asked about SL's network. Honestly I have no issues; I am in the UK and the ping I get is as fast as to any other datacenter. The only problem I had was caused by a massive DDOS on the network where the whole DC was down for 40 mins, I believe, and for that I was credited for the next month.

If people are still asking questions about it, SL are planning on adding a lot more providers, and I think Global Crossing was planned to be added before Christmas (I think I read something about Christmas Day?).

Summary and Other - 9/10

At the moment SoftLayer are by far my favourite provider. Their portal is just stunning and nothing compares to it, their support is great, and the general atmosphere in the community is good. They are definitely my number one datacenter at the moment and I would recommend them to anyone.