[prowas]

Security & Firewall - csf v2.91 de Check Server Security Çıkan Hataları Nasıl Düzeltiriz
Bende Check Server Security Bastıgımda Bu Hatalar Çıkıyor Bazılarını Düzelttim Ama Bunları Düzeltemedim + Her Rebootan Sonra Firewall Status: Stopped! [TEST MODE ENABLED]
Ayarlarında Aktif Etmeme Ragmen Bu Yazılar Degişmiyor

Check iptables is configured
WARNING
iptables is not configured. You should install csf and make sure that it is working correctly
---------
Check whether csf is in TESTING mode
WARNING
If the iptables firewall is working set TESTING to "0" in the Firewall Configuration
---------
Check csf LF_IMAPD option
WARNING
This option helps prevent brute force attacks on your server services
---------
Check /dev/shm is mounted noexec,nosuid
WARNING
/dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options
----------
Check /etc/named.conf for recursion restrictions
WARNING
You have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only
----------
Check SSHv1 is disabled
WARNING
You should disable SSHv1 by editing /etc/ssh/sshd_config and setting:
Protocol 2
----------
Check SSH on non-standard port
WARNING
You might want to consider moving SSH to a non-standard port to avoid basic SSH port scans by editing /etc/ssh/sshd_config and setting:
Port nnnn
Where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
----------
Check SSH PasswordAuthentication
WARNING
For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication. For more information read this article and this article
-----------
Check Background Process Killer
WARNING
You should enable each item in the WHM > Background Process Killer
-----------
Check exim for extended logging
WARNING
You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
log_selector = +arguments +subject
to the first textarea in the Advanced Mode Exim Configuration Editor
-----------
Check server startup for cups
WARNING
On most servers cups isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service cups stop
chkconfig cups off
-----------
Check server startup for nfslock
WARNING
On most servers nfslock isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service nfslock stop
chkconfig nfslock off
-----------
Check server startup for rpcidmapd
WARNING
On most servers rpcidmapd isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service rpcidmapd stop
chkconfig rpcidmapd off,
-----------
Check server startup for anacron
WARNING
On most servers anacron isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service anacron stop
chkconfig anacron off
-----------

Biraz Uzun Oldu Ama Zamanı Olan Arkadaş Cevap Yazarsa Çok Sevirinim

[Tickhi]

test modu kapıcaksın WHMDestek bunu açıkladı zaten konunun içinde

service anacron stop
chkconfig anacron off

bu tip uyarıları ssh den yapıcaksın yazıp enter a basman yeterli

[CaLViN]

Mesela şunlar

Alıntı:

Check server startup for cups
On most servers cups isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service cups stop
chkconfig cups off
-----------
Check server startup for nfslockOn most servers nfslock isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service nfslock stop
chkconfig nfslock off
-----------
Check server startup for rpcidmapdOn most servers rpcidmapd isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service rpcidmapd stop
chkconfig rpcidmapd off,
-----------
Check server startup for anacron
On most servers anacron isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service anacron stop
chkconfig anacron off
-----------

kalın yazdıklarım komutlardır.
ssh a root olarak girip o komutları yazmanız yeterli.

[prowas]

Arkadaşım Dedigini Yaptım Ama Bu Kodu Girdigimde Digerlerinde OK Diyor Ama
service nfslock stop Bunu Yazdıgımda Failed Yazdı :S

Bide Bu Dediginiz Ayarları Her Reboottan Sonra Yapacakmıyım Yoksa Bunda Sonra Bu Ayarları Yapmama Gerek Kalmayacak mı ?

[CaLViN]

sadece bir sefer yapacaksınız.

[Ptah]

Check /dev/shm is mounted noexec,nosuid

hatasını nası düzenliyebilirim ?

[sinangunay]

gerekli servisleride kapatmışsınız sanırım sunucu ayarları komple bozulmuş olabilir..

[nelson]

Alıntı:

Ptah´isimli üyeden Alıntı

Check /dev/shm is mounted noexec,nosuid

hatasını nası düzenliyebilirim ?

/etc/fstab dosyasını açacaksın

dev/shm yanındaki

Alıntı:

defaults 0 0

kısmını

Alıntı:

noexec,nosuid 0 0

ile değiştireceksin, sonra suncuyu reboot edeceksin, ve o hata csfden kalakcak.

Ancak fstab dosyası tehlikelidir, bir hata yaparsan server bir daha açılmaz. Ona göre. Sunucu ayarlarının komple bozulduğunu falan göstermez bu hata her sunucuda bu hatayı verir ayarlanmamışsa.

[diyadin2]

Kod:

Check exim for extended logging
WARNING
You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
 log_selector = +arguments +subject
to the first textarea in the Advanced Mode Exim Configuration Editor

nano /etc/exim.conf

ctrl+w tuşlarıyla arama kutusuna aşağıdakini yazıyoruz

Kod:

hostlist auth_relay_hosts = *

bulduğumuz bu satırın hemen altına

Kod:

 log_selector = +arguments +subject

ekliyoruz

service exim restart

[Yuma]

Check csf SMTP_BLOCK option WARNING This option will help prevent the most common form of spam abuse on a server that bypasses exim and sends spam directly out through port 25. Enabing this option will prevent any web script from sending out using socket connection, such scripts

Check /dev/shm is mounted noexec,nosuid WARNING /dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options

Check /etc/named.conf for recursion restrictions WARNING you have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only

Check MySQL version WARNING You are running a legacy version of MySQL (v4.1.22) and should consider upgrading to v5.* as recommended by MySQL

Check SSHv1 is disabled WARNING You should disable SSHv1 by editing /etc/ssh/sshd

Check SSH on non-standard port WARNING You might want to consider moving SSH to a non-standard port to avoid basic SSH port scans by editing /etc/ssh/sshd_config and setting:
Port nnnn

Check SSH on non-standard port WARNING You might want to consider moving SSH to a non-standard port to avoid basic SSH port scans by editing /etc/ssh/sshd_config and setting:
Port nnnn

Check Background Process Killer WARNING You should enable each item in the WHM > Background Process Killer

Check root forwarder WARNING The root account should have a forwarder set so that you receive essential email from your server


Check exim for extended logging WARNING You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
log_selector = +arguments +subject
to the first textarea in the Advanced Mode Exim Configuration Editor

Check apache version WARNING You are running a legacy version of apache (v2.0.63) and should consider upgrading to v2.2.* as recommended by apache

Check suPHP WARNING To reduce the risk of hackers accessing all sites on the server from a compromised PHP web script, you should enable suPHP when you build apache/php. Note that there are sideeffects when enabling suPHP on a server and you should be aware of these before enabling it

Check apache for mod_security WARNING You should install the mod_security apache module during the easyapache build process to help prevent exploitation of vulnerable web scripts, together with a set of SecFilters

Check php for register_globals WARNING You should modify the PHP configuration (usually in /usr/local/lib/php.ini) and set:
register_globals = Off
unless it is absolutely necessary as it is seen as a significant security risk


Check php for disable_functions WARNING You should modify the PHP configuration (usually in /usr/local/lib/php.ini) and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list

Check php for enable_dl WARNING You should modify /usr/local/lib/php.ini and set:
enable_dl = Off
This prevents users from loading php modules that affect everyone on the server. Note that if use dynamic libraries, such as ioncube, you will have to load them directly in the PHP configuration (usually in /usr/local/lib/php.ini)


arkadaslar bu kırmızı uyarı verilen degerlerin bu şekilde kalmasının bir kötü yanı varmı var ise nelerdir ve hangi degerleri nasıl güvenli hale getirebiliriz.? şimdiden yardımcı olacak arkadaslara teşekkürlerimi iletirim.