Security & Firewall - csf v2.91 de Check Server Security cikan Hatalari Nasil Düzeltiriz

[prowas]

Security & Firewall - csf v2.91 de Check Server Security cikan Hatalari Nasil Düzeltiriz
Bende Check Server Security Bastigimda Bu Hatalar cikiyor Bazilarini Düzelttim Ama Bunlari Düzeltemedim + Her Rebootan Sonra Firewall Status: Stopped! [TEST MODE ENABLED]
Ayarlarinda Aktif Etmeme Ragmen Bu Yazilar Degismiyor

Check iptables is configured
WARNING
iptables is not configured. You should install csf and make sure that it is working correctly
---------
Check whether csf is in TESTING mode
WARNING
If the iptables firewall is working set TESTING to "0" in the Firewall Configuration
---------
Check csf LF_IMAPD option
WARNING
This option helps prevent brute force attacks on your server services
---------
Check /dev/shm is mounted noexec,nosuid
WARNING
/dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options
----------
Check /etc/named.conf for recursion restrictions
WARNING
You have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only
----------
Check SSHv1 is disabled
WARNING
You should disable SSHv1 by editing /etc/ssh/sshd_config and setting:
Protocol 2
----------
Check SSH on non-standard port
WARNING
You might want to consider moving SSH to a non-standard port to avoid basic SSH port scans by editing /etc/ssh/sshd_config and setting:
Port nnnn
Where nnnn is a port of your choosing. Don't forget to open the port in the firewall first!
----------
Check SSH PasswordAuthentication
WARNING
For ultimate SSH security, you might want to consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication. For more information read this article and this article
-----------
Check Background Process Killer
WARNING
You should enable each item in the WHM > Background Process Killer
-----------
Check exim for extended logging
WARNING
You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
log_selector = +arguments +subject
to the first textarea in the Advanced Mode Exim Configuration Editor
-----------
Check server startup for cups
WARNING
On most servers cups isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service cups stop
chkconfig cups off
-----------
Check server startup for nfslock
WARNING
On most servers nfslock isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service nfslock stop
chkconfig nfslock off
-----------
Check server startup for rpcidmapd
WARNING
On most servers rpcidmapd isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service rpcidmapd stop
chkconfig rpcidmapd off,
-----------
Check server startup for anacron
WARNING
On most servers anacron isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service anacron stop
chkconfig anacron off
-----------

Biraz Uzun Oldu Ama Zamani Olan Arkadas Cevap Yazarsa cok Sevirinim

[Tickhi]

test modu kapicaksin WHMDestek bunu acikladi zaten konunun icinde

service anacron stop
chkconfig anacron off

bu tip uyarilari ssh den yapicaksin yazip enter a basman yeterli

[CaLViN]

Mesela sunlar

Quote:

Check server startup for cups
On most servers cups isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service cups stop
chkconfig cups off
-----------
Check server startup for nfslockOn most servers nfslock isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service nfslock stop
chkconfig nfslock off
-----------
Check server startup for rpcidmapdOn most servers rpcidmapd isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service rpcidmapd stop
chkconfig rpcidmapd off,
-----------
Check server startup for anacron
On most servers anacron isn't needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using:
service anacron stop
chkconfig anacron off
-----------

kalin yazdiklarim komutlardir.
ssh a root olarak girip o komutlari yazmaniz yeterli.

[prowas]

Arkadasim Dedigini Yaptim Ama Bu Kodu Girdigimde Digerlerinde OK Diyor Ama
service nfslock stop Bunu Yazdigimda Failed Yazdi :S

Bide Bu Dediginiz Ayarlari Her Reboottan Sonra Yapacakmiyim Yoksa Bunda Sonra Bu Ayarlari Yapmama Gerek Kalmayacak mi ?

[CaLViN]

sadece bir sefer yapacaksiniz.

[Ptah]

Check /dev/shm is mounted noexec,nosuid

hatasini nasi düzenliyebilirim ?

[sinangunay]

gerekli servisleride kapatmissiniz sanirim sunucu ayarlari komple bozulmus olabilir..

[nelson]

Quote:

Originally Posted by Ptah

Check /dev/shm is mounted noexec,nosuid

hatasini nasi düzenliyebilirim ?

/etc/fstab dosyasini acacaksin

dev/shm yanindaki

Quote:

defaults 0 0

kismini

Quote:

noexec,nosuid 0 0

ile degistireceksin, sonra suncuyu reboot edeceksin, ve o hata csfden kalakcak.

Ancak fstab dosyasi tehlikelidir, bir hata yaparsan server bir daha acilmaz. Ona göre. Sunucu ayarlarinin komple bozuldugunu falan göstermez bu hata her sunucuda bu hatayi verir ayarlanmamissa.

[diyadin2]

Code:

Check exim for extended logging
WARNING
You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
 log_selector = +arguments +subject
to the first textarea in the Advanced Mode Exim Configuration Editor

nano /etc/exim.conf

ctrl+w tuslariyla arama kutusuna asagidakini yaziyoruz

Code:

hostlist auth_relay_hosts = *

buldugumuz bu satirin hemen altina

Code:

 log_selector = +arguments +subject

ekliyoruz

service exim restart

[Yuma]

Check csf SMTP_BLOCK option WARNING This option will help prevent the most common form of spam abuse on a server that bypasses exim and sends spam directly out through port 25. Enabing this option will prevent any web script from sending out using socket connection, such scripts

Check /dev/shm is mounted noexec,nosuid WARNING /dev/shm isn't mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /dev/shm with those options

Check /etc/named.conf for recursion restrictions WARNING you have a local DNS server running but do not have any recursion restrictions set in /etc/named.conf. This is a security and performance risk and you should look at restricting recursive lookups to the local IP addresses only

Check MySQL version WARNING You are running a legacy version of MySQL (v4.1.22) and should consider upgrading to v5.* as recommended by MySQL

Check SSHv1 is disabled WARNING You should disable SSHv1 by editing /etc/ssh/sshd

Check SSH on non-standard port WARNING You might want to consider moving SSH to a non-standard port to avoid basic SSH port scans by editing /etc/ssh/sshd_config and setting:
Port nnnn

Check SSH on non-standard port WARNING You might want to consider moving SSH to a non-standard port to avoid basic SSH port scans by editing /etc/ssh/sshd_config and setting:
Port nnnn

Check Background Process Killer WARNING You should enable each item in the WHM > Background Process Killer

Check root forwarder WARNING The root account should have a forwarder set so that you receive essential email from your server


Check exim for extended logging WARNING You should enable extended exim logging to enable easier tracking potential outgoing spam issues. Add:
log_selector = +arguments +subject
to the first textarea in the Advanced Mode Exim Configuration Editor

Check apache version WARNING You are running a legacy version of apache (v2.0.63) and should consider upgrading to v2.2.* as recommended by apache

Check suPHP WARNING To reduce the risk of hackers accessing all sites on the server from a compromised PHP web script, you should enable suPHP when you build apache/php. Note that there are sideeffects when enabling suPHP on a server and you should be aware of these before enabling it

Check apache for mod_security WARNING You should install the mod_security apache module during the easyapache build process to help prevent exploitation of vulnerable web scripts, together with a set of SecFilters

Check php for register_globals WARNING You should modify the PHP configuration (usually in /usr/local/lib/php.ini) and set:
register_globals = Off
unless it is absolutely necessary as it is seen as a significant security risk


Check php for disable_functions WARNING You should modify the PHP configuration (usually in /usr/local/lib/php.ini) and disable commonly abused php functions, e.g.:
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
Some client web scripts may break with some of these functions disabled, so you may have to remove them from this list

Check php for enable_dl WARNING You should modify /usr/local/lib/php.ini and set:
enable_dl = Off
This prevents users from loading php modules that affect everyone on the server. Note that if use dynamic libraries, such as ioncube, you will have to load them directly in the PHP configuration (usually in /usr/local/lib/php.ini)


arkadaslar bu kirmizi uyari verilen degerlerin bu sekilde kalmasinin bir kötü yani varmi var ise nelerdir ve hangi degerleri nasil güvenli hale getirebiliriz.? simdiden yardimci olacak arkadaslara tesekkürlerimi iletirim.