LinuxQuestions.org
Old 01-11-2009, 11:45 AM   #1
tuftystick
Member
 
Registered: Jan 2009
Location: Scotland
Distribution: CentOS 5.3
Posts: 36

Rep: Reputation: 15
VPS Host Node Security


Greetings All,

I have looked high and low looking for a guide on securing a VPS host node.

I have been told from other sources that there isn't much you can do apart from keeping it up2date and disabling un-needed system services.

What are these un-needed system services?

System setup;

CentOS w/ OpenVZ & HyperVM

Thanks.

Last edited by tuftystick; 01-11-2009 at 11:46 AM.
 
Old 01-12-2009, 11:47 AM   #2
tuftystick
Member
 
Registered: Jan 2009
Location: Scotland
Distribution: CentOS 5.3
Posts: 36

Original Poster
Rep: Reputation: 15
Someone must have an idea??

Thanks.
 
Old 01-12-2009, 12:34 PM   #3
georgekraj
LQ Newbie
 
Registered: Dec 2007
Location: India
Distribution: RHEL 5.0
Posts: 27

Rep: Reputation: 16
A lot of services are available in Linux. But those are not required to run all the time. Disabling the unwanted services will save memory and CPU resources.

To list out the running services, run the command:-

# chkconfig --list |more

To disable a particular service, run the command:-

# chkconfig service-name off

eg:- # chkconfig autofs off

# chkconfig --list autofs
autofs          0:off   1:off   2:off   3:off   4:off   5:off   6:off

You can disable all the unnecessary services like this.

Last edited by georgekraj; 01-12-2009 at 12:35 PM.
 
Old 01-12-2009, 12:37 PM   #4
tuftystick
Member
 
Registered: Jan 2009
Location: Scotland
Distribution: CentOS 5.3
Posts: 36

Original Poster
Rep: Reputation: 15
Yes but what are the unwanted services? It's for VPS hosting.

Thanks.
 
Old 01-12-2009, 01:39 PM   #5
junpa
Member
 
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 51

Rep: Reputation: 16
tuftystick,

it all depends on your setup. If you are using a web based solution for remote administration the requirements will differ from a solely ssh based administration.

basically unwanted services are the ones that listen for a remote connection with the exception of the services you explicitly enable.

after you fix that then you can look at the other processes that may
lead to privilege escalation.

If you post the output of:
Code:
 chkconfig --list
as georgekraj suggested I can give you a bump in the right direction.
 
Old 01-12-2009, 02:49 PM   #6
tuftystick
Member
 
Registered: Jan 2009
Location: Scotland
Distribution: CentOS 5.3
Posts: 36

Original Poster
Rep: Reputation: 15
Listed below is the output asked for;

Code:
[root@node ~]# chkconfig --list
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
NetworkManagerDispatcher        0:off   1:off   2:off   3:off   4:off   5:off  6:off
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-dnsconfd  0:off   1:off   2:off   3:off   4:off   5:off   6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
conman          0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
dhcdbd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
dhcpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
dhcrelay        0:off   1:off   2:off   3:off   4:off   5:off   6:off
dund            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:on    4:off   5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
hidd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
hypervm         0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
ipmi            0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
irqbalance      0:off   1:off   2:on    3:on    4:on    5:on    6:off
kdump           0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu           0:off   1:off   2:off   3:off   4:off   5:off   6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
microcode_ctl   0:off   1:off   2:on    3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
mysqld          0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
oddjobd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
pand            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
psacct          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
readahead_early 0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_later 0:off   1:off   2:off   3:off   4:off   5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
vz              0:off   1:off   2:on    3:on    4:on    5:on    6:off
winbind         0:off   1:off   2:off   3:off   4:off   5:off   6:off
wpa_supplicant  0:off   1:off   2:off   3:off   4:off   5:off   6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yum-updatesd    0:off   1:off   2:on    3:on    4:on    5:on    6:off
Server Setup:

CentOS 5.2 64 Bit
OpenVZ & HyperVM
Hosting VPS Servers

Thanks.
 
Old 01-12-2009, 03:08 PM   #7
junpa
Member
 
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 51

Rep: Reputation: 16
tuftystick,

a quick scan of your list and the following can be disabled.

Code:
chkconfig atd off
chkconfig bluetooth off
chkconfig cups off
chkconfig gpm off
chkconfig httpd off
chkconfig pcscd off
chkconfig netfs off
chkconfig portmap off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig cpuspeed off
chkconfig firstboot off
chkconfig nfslock off
chkconfig xfs off
I would advise you to do your own research for each of the services
in the first column of the ' chkconfig --list command ' so you know what they do and make your own
assessment as to whether you need them or not.

look at these links:

Which Services Can I Disable?
Perfect Setup (older centos release, but still applicable)

Last edited by junpa; 01-12-2009 at 03:14 PM. Reason: additional information
 
Old 01-12-2009, 03:10 PM   #8
tuftystick
Member
 
Registered: Jan 2009
Location: Scotland
Distribution: CentOS 5.3
Posts: 36

Original Poster
Rep: Reputation: 15
Will the above stop me or my clients from doing anything?

Thanks.
 
Old 01-12-2009, 03:38 PM   #9
junpa
Member
 
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 51

Rep: Reputation: 16
OpenVZ & HyperVM do not need any of those services.

if you are using the webserver (httpd) on the host then you can
leave that on (not recommended).

but to answer your question no it will not prevent you or your clients
from doing anything.

your clients have their own isolated environment.

the only thing you should be using on the host is iptables, sshd, and the
management tools for ovz and hypervm.
 
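The check discussed in posts #5 to #9, as an added example that is not part of any poster's reply: it compares `chkconfig --list` output with an allowlist and reports both services that start at boot without being allowlisted and allowlisted services that are switched off. The allowlist, the function names and the sample rows (a subset of the output in post #6) are assumptions made for this example.

```shell
#!/bin/sh
# ALLOW is an assumption built from post #9 (iptables, sshd, the OpenVZ and
# HyperVM init scripts) plus network and syslog; adjust it for your own node.
ALLOW="sshd iptables vz hypervm network syslog"
RUNLEVEL=3

# Constructed sample: a subset of rows copied from the output in post #6.
sample() {
cat <<'EOF'
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
hypervm         0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
vz              0:off   1:off   2:on    3:on    4:on    5:on    6:off
EOF
}

# Services switched on in $RUNLEVEL that are not on the allowlist.
unexpected_on() {
  awk -v rl="$RUNLEVEL" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 8 && !($1 in ok) { for (i = 2; i <= NF; i++) if ($i == (rl ":on")) print $1 }'
}

# Allowlisted services that are off (or missing) in $RUNLEVEL.
expected_off() {
  awk -v rl="$RUNLEVEL" -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " ") }
    NF >= 8 { for (i = 2; i <= NF; i++) if ($i == (rl ":on")) on[$1] = 1 }
    END { for (i = 1; i <= n; i++) if (!(a[i] in on)) print a[i] }'
}

# Read chkconfig --list output on stdin and print both findings.
report() {
  data=$(cat)
  echo "On in runlevel $RUNLEVEL, not allowlisted (research, then disable):"
  printf '%s\n' "$data" | unexpected_on | sed 's/^/  /'
  echo "Allowlisted but off in runlevel $RUNLEVEL:"
  printf '%s\n' "$data" | expected_off | sed 's/^/  /'
}

sample | report
```

On a live node, replace the last line with `chkconfig --list | report`. The second list matters here because the output in post #6 shows iptables off in every runlevel, while post #9 names it as one of the few things the host should run.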
Old 01-12-2009, 03:43 PM   #10
tuftystick
Member
 
Registered: Jan 2009
Location: Scotland
Distribution: CentOS 5.3
Posts: 36

Original Poster
Rep: Reputation: 15
Ok, thanks a lot junpa.
 
Old 01-14-2009, 05:20 PM   #11
aldesha989
LQ Newbie
 
Registered: Oct 2008
Posts: 13

Rep: Reputation: 0
chkconfig atd off
chkconfig bluetooth off
chkconfig cups off
chkconfig gpm off
chkconfig httpd off
chkconfig pcscd off
chkconfig netfs off
chkconfig portmap off
chkconfig rpcidmapd off
chkconfig rpcsvcgssd off
chkconfig cpuspeed off
chkconfig firstboot off
chkconfig nfslock off
chkconfig xfs off

the best just with openvz
 
Old 01-21-2009, 09:50 PM   #12
jeffreyfrog
LQ Newbie
 
Registered: Jan 2009
Posts: 2

Rep: Reputation: 0
I would suggest you do your own research for the services in the first column of the "chkconfig list command"; try to analyze how they work and make your own assessment as to whether you need them or not and if it works for you.
 
Old 01-23-2009, 04:24 AM   #13
junpa
Member
 
Registered: Aug 2008
Location: Northern Hemisphere
Distribution: Slackware, OpenVMS, fbsd
Posts: 51

Rep: Reputation: 16
jeffreyfrog,

I already said that....except for a word or two it could have
been a copy & paste.
 
  

