LinuxQuestions.org


tuftystick 01-11-2009 11:45 AM

VPS Host Node Security
 
Greetings All,

I have looked high and low looking for a guide on securing a VPS host node.

I have been told from other sources that there isn't much you can do apart from keeping it up2date and disabling un-needed system services.

What are these un-needed system services?

System setup;

CentOS w/ OpenVZ & HyperVM

Thanks.

tuftystick 01-12-2009 11:47 AM

Someone must have an idea??

Thanks.

georgekraj 01-12-2009 12:34 PM

A lot of services are available in Linux, but those are not required to run all the time. Disabling the unwanted services will save memory and CPU resources.

To list out the running services, run the command:-

# chkconfig --list |more

To disable a particular service, run the command:-

# chkconfig service-name off

eg:- # chkconfig autofs off

# chkconfig --list autofs
autofs 0:off 1:off 2:off 3:off 4:off 5:off 6:off

You can disable all the unnecessary services like this.

tuftystick 01-12-2009 12:37 PM

Yes but what are the unwanted services? It's for VPS hosting.

Thanks.

junpa 01-12-2009 01:39 PM

tuftystick,

it all depends on your setup. If you are using a web based solution for remote administration the requirements will differ from a solely ssh based administration.

basically unwanted services are the ones that listen for a remote connection with the exception of the services you explicitly enable.

after you fix that then you can look at the other processes that may
lead to privilege escalation.

If you post the output of:
Code:

chkconfig --list
as georgekraj suggested I can give you a bump in the right direction.

tuftystick 01-12-2009 02:49 PM

Listed below is the output asked for;

Code:

[root@node ~]# chkconfig --list
NetworkManager  0:off  1:off  2:off  3:off  4:off  5:off  6:off
NetworkManagerDispatcher        0:off  1:off  2:off  3:off  4:off  5:off  6:off
acpid          0:off  1:off  2:off  3:on    4:on    5:on    6:off
anacron        0:off  1:off  2:on    3:on    4:on    5:on    6:off
atd            0:off  1:off  2:off  3:on    4:on    5:on    6:off
auditd          0:off  1:off  2:on    3:on    4:on    5:on    6:off
autofs          0:off  1:off  2:off  3:on    4:on    5:on    6:off
avahi-daemon    0:off  1:off  2:off  3:on    4:on    5:on    6:off
avahi-dnsconfd  0:off  1:off  2:off  3:off  4:off  5:off  6:off
bluetooth      0:off  1:off  2:on    3:on    4:on    5:on    6:off
conman          0:off  1:off  2:off  3:off  4:off  5:off  6:off
cpuspeed        0:off  1:on    2:on    3:on    4:on    5:on    6:off
crond          0:off  1:off  2:on    3:on    4:on    5:on    6:off
cups            0:off  1:off  2:on    3:on    4:on    5:on    6:off
dhcdbd          0:off  1:off  2:off  3:off  4:off  5:off  6:off
dhcpd          0:off  1:off  2:on    3:on    4:on    5:on    6:off
dhcrelay        0:off  1:off  2:off  3:off  4:off  5:off  6:off
dund            0:off  1:off  2:off  3:off  4:off  5:off  6:off
firstboot      0:off  1:off  2:off  3:on    4:off  5:on    6:off
gpm            0:off  1:off  2:on    3:on    4:on    5:on    6:off
haldaemon      0:off  1:off  2:off  3:on    4:on    5:on    6:off
hidd            0:off  1:off  2:on    3:on    4:on    5:on    6:off
httpd          0:off  1:off  2:on    3:on    4:on    5:on    6:off
hypervm        0:off  1:off  2:on    3:on    4:on    5:on    6:off
ip6tables      0:off  1:off  2:on    3:on    4:on    5:on    6:off
ipmi            0:off  1:off  2:off  3:off  4:off  5:off  6:off
iptables        0:off  1:off  2:off  3:off  4:off  5:off  6:off
irda            0:off  1:off  2:off  3:off  4:off  5:off  6:off
irqbalance      0:off  1:off  2:on    3:on    4:on    5:on    6:off
kdump          0:off  1:off  2:off  3:off  4:off  5:off  6:off
kudzu          0:off  1:off  2:off  3:off  4:off  5:off  6:off
lvm2-monitor    0:off  1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off  1:off  2:on    3:on    4:on    5:on    6:off
mdmonitor      0:off  1:off  2:on    3:on    4:on    5:on    6:off
mdmpd          0:off  1:off  2:off  3:off  4:off  5:off  6:off
messagebus      0:off  1:off  2:off  3:on    4:on    5:on    6:off
microcode_ctl  0:off  1:off  2:on    3:on    4:on    5:on    6:off
multipathd      0:off  1:off  2:off  3:off  4:off  5:off  6:off
mysqld          0:off  1:off  2:off  3:off  4:off  5:off  6:off
netconsole      0:off  1:off  2:off  3:off  4:off  5:off  6:off
netfs          0:off  1:off  2:off  3:on    4:on    5:on    6:off
netplugd        0:off  1:off  2:off  3:off  4:off  5:off  6:off
network        0:off  1:off  2:on    3:on    4:on    5:on    6:off
nfs            0:off  1:off  2:off  3:off  4:off  5:off  6:off
nfslock        0:off  1:off  2:off  3:on    4:on    5:on    6:off
nscd            0:off  1:off  2:off  3:off  4:off  5:off  6:off
ntpd            0:off  1:off  2:off  3:off  4:off  5:off  6:off
oddjobd        0:off  1:off  2:off  3:off  4:off  5:off  6:off
pand            0:off  1:off  2:off  3:off  4:off  5:off  6:off
pcscd          0:off  1:off  2:on    3:on    4:on    5:on    6:off
portmap        0:off  1:off  2:off  3:on    4:on    5:on    6:off
psacct          0:off  1:off  2:off  3:off  4:off  5:off  6:off
rdisc          0:off  1:off  2:off  3:off  4:off  5:off  6:off
readahead_early 0:off  1:off  2:on    3:on    4:on    5:on    6:off
readahead_later 0:off  1:off  2:off  3:off  4:off  5:on    6:off
restorecond    0:off  1:off  2:on    3:on    4:on    5:on    6:off
rpcgssd        0:off  1:off  2:off  3:on    4:on    5:on    6:off
rpcidmapd      0:off  1:off  2:off  3:on    4:on    5:on    6:off
rpcsvcgssd      0:off  1:off  2:off  3:off  4:off  5:off  6:off
saslauthd      0:off  1:off  2:off  3:off  4:off  5:off  6:off
sendmail        0:off  1:off  2:on    3:on    4:on    5:on    6:off
setroubleshoot  0:off  1:off  2:off  3:on    4:on    5:on    6:off
smartd          0:off  1:off  2:on    3:on    4:on    5:on    6:off
sshd            0:off  1:off  2:on    3:on    4:on    5:on    6:off
syslog          0:off  1:off  2:on    3:on    4:on    5:on    6:off
vz              0:off  1:off  2:on    3:on    4:on    5:on    6:off
winbind        0:off  1:off  2:off  3:off  4:off  5:off  6:off
wpa_supplicant  0:off  1:off  2:off  3:off  4:off  5:off  6:off
xfs            0:off  1:off  2:on    3:on    4:on    5:on    6:off
ypbind          0:off  1:off  2:off  3:off  4:off  5:off  6:off
yum-updatesd    0:off  1:off  2:on    3:on    4:on    5:on    6:off

Server Setup:

CentOS 5.2 64 Bit
OpenVZ & HyperVM
Hosting VPS Servers

Thanks.

junpa 01-12-2009 03:08 PM

tuftystick,

a quick scan of your list and the following can be disabled.

Code:

chkconfig atd off
chkconfig bluetooth off
chkconfig cups off
chkconfig gpm off
chkconfig httpd off
chkconfig pcscd off
chkconfig netfs off
chkconfig portmap off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig cpuspeed off
chkconfig firstboot off
chkconfig nfslock off
chkconfig xfs off

I would advise you to do your own research for each of the services
in the first column of the ' chkconfig --list command ' so you know what they do and make your own
assessment as to whether you need them or not.

look at these links:

Which Services Can I Disable?
Perfect Setup (older centos release, but still applicable)

tuftystick 01-12-2009 03:10 PM

Will the above stop me or my clients from doing anything?

Thanks.

junpa 01-12-2009 03:38 PM

OpenVZ & HyperVM do not need any of those services.

if you are using the webserver (httpd) on the host then you can
leave that on (not recommended).

but to answer your question no it will not prevent you or your clients
from doing anything.

your clients have their own isolated environment.

the only thing you should be using on the host is iptables, sshd, and the
management tools for ovz and hypervm.
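
An added example, not part of any post in the thread: a shell check that applies the rule above (only iptables, sshd and the OpenVZ/HyperVM tools on the host) to `chkconfig --list` output. The `BASE` list and the function names are assumptions, and the sample input is a constructed excerpt of the listing posted earlier in the thread.

```shell
#!/usr/bin/env bash
# Audit `chkconfig --list` output for an OpenVZ/HyperVM host node.

# From the thread: what the host node should be running.
REQUIRED="iptables sshd vz hypervm"
# Assumption (not from the thread): base services this host also keeps.
BASE="network syslog crond"

# Constructed sample: lines excerpted from the listing posted in the thread.
SAMPLE_LIST='atd       0:off  1:off  2:off  3:on   4:on   5:on   6:off
crond     0:off  1:off  2:on   3:on   4:on   5:on   6:off
cups      0:off  1:off  2:on   3:on   4:on   5:on   6:off
httpd     0:off  1:off  2:on   3:on   4:on   5:on   6:off
hypervm   0:off  1:off  2:on   3:on   4:on   5:on   6:off
iptables  0:off  1:off  2:off  3:off  4:off  5:off  6:off
mysqld    0:off  1:off  2:off  3:off  4:off  5:off  6:off
network   0:off  1:off  2:on   3:on   4:on   5:on   6:off
portmap   0:off  1:off  2:off  3:on   4:on   5:on   6:off
sshd      0:off  1:off  2:on   3:on   4:on   5:on   6:off
syslog    0:off  1:off  2:on   3:on   4:on   5:on   6:off
vz        0:off  1:off  2:on   3:on   4:on   5:on   6:off'

# Print services that are on at runlevel $1 but not in REQUIRED or BASE.
unexpected_enabled() {
  awk -v rl="$1" -v allow="$REQUIRED $BASE" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 ~ /^0:/ {                       # skip headers and xinetd lines
      for (i = 2; i <= NF; i++)
        if ($i == (rl ":on") && !($1 in ok)) print $1
    }' | LC_ALL=C sort
}

# Print REQUIRED services that are not on at runlevel $1 (off or absent).
missing_required() {
  awk -v rl="$1" -v req="$REQUIRED" '
    $2 ~ /^0:/ { for (i = 2; i <= NF; i++) if ($i == (rl ":on")) on[$1] = 1 }
    END { n = split(req, r, " "); for (i = 1; i <= n; i++) if (!(r[i] in on)) print r[i] }'
}

# On a real host: chkconfig --list | unexpected_enabled 3
echo "Enabled at runlevel 3 but not allowlisted:"
printf '%s\n' "$SAMPLE_LIST" | unexpected_enabled 3
echo "Required but not enabled at runlevel 3:"
printf '%s\n' "$SAMPLE_LIST" | missing_required 3
```

On the excerpt, the second check reports `iptables`, which the posted listing shows as off at every runlevel.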

tuftystick 01-12-2009 03:43 PM

Ok, thanks a lot junpa.

aldesha989 01-14-2009 05:20 PM

chkconfig atd off
chkconfig bluetooth off
chkconfig cups off
chkconfig gpm off
chkconfig httpd off
chkconfig pcscd off
chkconfig netfs off
chkconfig portmap off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig cpuspeed off
chkconfig firstboot off
chkconfig nfslock off
chkconfig xfs off

the best just with openvz

jeffreyfrog 01-21-2009 09:50 PM

I would suggest you do your own research for the services in the first column of the "chkconfig list command". Try to analyze how they work and make your own assessment as to whether you need them or not and if it works for you.

junpa 01-23-2009 04:24 AM

jeffreyfrog,

I already said that....except for a word or two it could have
been a copy & paste.


All times are GMT -5.