Welcome to Centmin Mod Community
Become a Member

Sysadmin [Question] How to secure a CMM install?

Discussion in 'System Administration' started by deschlong, May 2, 2018.

  1. deschlong

    deschlong New Member

    23
    5
    3
    Mar 1, 2018
    Ratings:
    +8
    Local Time:
    8:12 PM
    1.15
    10.1
    Hi guys,

    I finally made the switch on a couple of servers to CentOS with CMM.

    As soon as the servers were online I saw a couple of port scannings failed logins.

    On debian I did the usual SSH hardening (disable root, change port, auth key login only) and transfered files via SCP with the users auth key file.

    On CentOS with CMM I feel a little bit lost, I dont wanna break any functionality, so my questions are:

    - Can I apply the usual SSH hardening here too?
    - How to secure FTP without breaking its functionality? (When adding a vhost, every vhost has its own ftp user)
    - Anything else?

    Thanks guys!
     
  2. eva2000

    eva2000 Administrator Staff Member

    41,395
    9,298
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,265
    Local Time:
    4:12 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    CSF Firewall takes care of failed login scans via LFD - login failure daemon CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS :)

    You can change SSHD port via centmin.sh menu option 16 - it will prompt for existing SSHD port number = 22 and then ask for desired new port number for SSHD and then proceed to automatically change the port and change it at CSF Firewall level too

    As to SSH keys for login. Before you look into ssh key only (+disable password authentication), make sure your web host is setup with features that allow you to regain access to your server if you ever loose your ssh key's private key and that you know how to use those features to regain access.

    If you don't know how to use those features, setup a test instance/VPS with that web host and test it out. If you're with web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS.

    Here's a example text you can use to ask your web host to be sure

    There's numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you loose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place i.e. out of band console access etc and recovery ISO/cds available.

    And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery as well general need to know info.

    DigitalOcean



    Has out of band console access

    Linode



    Has out of band console access called Lish

    Vultr



    Has out of band console access

    OVH


    RamNode


    Others


    Secure out of the box, but see FAQ item 2 covers users accounts you can't lock site accounts down to user level like cpanel/WHM as there is no 100% user isolation between site accounts on Centmin Mod.

    Pure-ftpd virtual ftp users only isolates ftp Pure-FTPD Virtual FTP Users but isn't fully jailed like cpanel/WHM as Centmin Mod is not made or setup for shared hosting like cpanel/WHM but more for usage by trusted user (myself/yourself). If paranoid, you can also stop pure-ftpd service within SSH and only start the service when you are intending to use FTP/transfer files.

    So the pure-ftpd virtual ftp user can lock that ftp user to the nginx vhost directory but because files are owned by nginx user/group, it wouldn't stop a hacker using php/file based transversal of other nginx vhosts. If you want isolation, setup 1 server for each site your want to host. It's how I usually host my centmin mod sites/subdomain sites i.e. this forum is hosted on separate server from centminmod.com site and separate server from my other subdomain sites for *.centminmod.com subdomains.

    Full chroot/jailed user/site isolation is on the long term to do list but nothing immediate is planned. There's a preview of what isolation may look like here.

    Some other items folks overlook are mentioned at Sysadmin - protect root user over ssh

     
    • Informative Informative x 1
    • Friendly Friendly x 1
  3. deschlong

    deschlong New Member

    23
    5
    3
    Mar 1, 2018
    Ratings:
    +8
    Local Time:
    8:12 PM
    1.15
    10.1
    Awesome eva, thanks for such great and long info! and for the quick response!

    Makes me even more confident why I switched my servers to CentOS :)
     
    • Like Like x 1