Booservers - All about dedicated servers

Mount /tmp with noexec

Thu, 04 Sep 2008 15:02:44 +0000

By default, RS servers come with everything lumped in / and a small amount partitioned for /boot and some for swap. With this current setup, you have no room for making more partitions unless you have a second hard-drive.

Recently, I found out it would be worthwhile to give /tmp it's own partition and mount it using noexec- This would protect your system from MANY local and remote exploits of rootkits being run from your /tmp folder.

First off, I want to thank everyone for their help from this thread:

http://forum.rackshack.net/showthread.php?...&threadid=27470

I am simply compiling their advice into a how-to...

What we are doing it creating a file that we will use to mount at /tmp.

CODE

cd /dev

Create 100MB file for our /tmp partition. If you need more space, make count size larger.

CODE

dd if=/dev/zero of=tmpMnt bs=1024 count=100000

Make an extended filesystem for our tmpMnt file

CODE

mke2fs /dev/tmpMnt

Backup your /tmp dir- I had mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

CODE

cd /

CODE

cp -R /tmp /tmp_backup

Mount the new /tmp filesystem with noexec

CODE

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

CODE

chmod 0777 /tmp

Copy everything back to new /tmp and remove backup

CODE

cp -R /tmp_backup/* /tmp/

CODE

rm -rf /tmp_backup

Now we need to add this to fstab so it mounts automatically on reboots.

CODE

pico -w /etc/fstab

You should see something like this:

CODE

/dev/hda3 / ext3 defaults,usrquota 1 1

/dev/hda1 /boot ext3 defaults 1 2

none /dev/pts devpts gid=5,mode=620 0 0

none /proc proc defaults 0 0

none /dev/shm tmpfs defaults 0 0

/dev/hda2 swap swap defaults 0 0

At the bottom add

CODE

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

(Each space is a tab)

Ctrl + X and Y

Your done- /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world c++ and compiled it then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:

CODE

bash: ./a.out: Permission denied

Yay! /tmp no longer has execute permissions

Source: http://forums.theplanet.com/index.php?showtopic=27771

4 Primary Areas For Tuning Your Server

Thu, 04 Sep 2008 14:57:07 +0000

I just thought I would add my two cents in for everyone. I posted an old howto with some sysctl.conf, but I think that was when I was running on my previous server using and older version of redhat. So here's a fresh howto that is a little more complete.

These configs are based on my server specs, which is a Dual 2.0GHz Xeon with 2GB of RAM running RedHat Enterprise. Depending on your server's RAM you might have to reduce some of the settings, which I'll try make notes with each section.

First, is the /etc/sysctl.conf file. Most people overlook tweaking these settings, always thinking it is a mysql or apache problem. You can get a tremendous boost in throughput by adjusting these settings. These are the settings I use on my server, and have come about by constantly adjusting and monitoring performance, and this is what works best for me, your mileage may vary based on server specs and traffic. I suggest finding some guides and reading up about what each seting does before you make changes. (Note: most out there are pretty dated unfortunatly). Also, some people out there like to have tcp_window_scaling, sack, fack, etc, turned off, but I leave them on. I guess it is just a personal preference thing. So don't complain, but feel free to leave your comments, testing, and results.

/etc/sysctl.conf

CODE

# Kernel sysctl configuration file for Red Hat Enterprise Linux

# Controls IP packet forwarding

net.ipv4.ip_forward = 0

# Controls source route verification

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.rp_filter = 1

# Disables IP source routing

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.

# Useful for debugging multi-threaded applications.

kernel.core_uses_pid = 1

# Increase maximum amount of memory allocated to shm

# Only uncomment if needed!

# kernel.shmmax = 67108864

# Disable ICMP Redirect Acceptance

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.default.log_martians = 1

net.ipv4.conf.all.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection

net.ipv4.tcp_fin_timeout = 25

# Decrease the time default value for tcp_keepalive_time connection

net.ipv4.tcp_keepalive_time = 1200

# Turn on the tcp_window_scaling

net.ipv4.tcp_window_scaling = 1

# Turn on the tcp_sack

net.ipv4.tcp_sack = 1

# tcp_fack should be on because of sack

net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps

net.ipv4.tcp_timestamps = 1

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

# Make more local ports available

# net.ipv4.ip_local_port_range = 1024 65000

# Set TCP Re-Ordering value in kernel to '5'

net.ipv4.tcp_reordering = 5

# Lower syn retry rates

net.ipv4.tcp_synack_retries = 2

net.ipv4.tcp_syn_retries = 3

# Set Max SYN Backlog to '2048'

net.ipv4.tcp_max_syn_backlog = 2048

# Various Settings

net.core.netdev_max_backlog = 1024

# Increase the maximum number of skb-heads to be cached

net.core.hot_list_length = 256

# Increase the tcp-time-wait buckets pool size

net.ipv4.tcp_max_tw_buckets = 360000

# This will increase the amount of memory available for socket input/output queues

net.core.rmem_default = 65535

net.core.rmem_max = 8388608

net.ipv4.tcp_rmem = 4096 87380 8388608

net.core.wmem_default = 65535

net.core.wmem_max = 8388608

net.ipv4.tcp_wmem = 4096 65535 8388608

net.ipv4.tcp_mem = 8388608 8388608 8388608

net.core.optmem_max = 40960

After you make the changes to the file, you can make them effective immediately by typing in /sbin/sysctl -p

Also, you will need to issue /sbin/sysctl -w net.ipv4.route.flush=1 to flush the routing table to make some of these changes happen instantly.

Here's some URLs with useful info, benchmarks, etc... (I believe one was posted from someone below)
http://www.aarnet.edu.au/engineering/netwo.../mtu/local.html
http://sverre.home.cern.ch/sverre/TenGBE_w...er_04232003.pdf
http://www.hep.ucl.ac.uk/~ytl/tcpip/linux/...en/datatag-tcp/
http://www-didc.lbl.gov/TCP-tuning/TCP-tuning.html
http://ipsysctl-tutorial.frozentux.net/chu...html/index.html

-------------------------------------------

Second is the MySQL /etc/my.cnf settings file. A lot of people just leave this file with its default settings until they notice problems with their server performance. Please note that I'm not including the datadir or socket settings since those can vary based on your server setup. Also I'm only including the base [mysqld] section and not any of the [safe_mysqld], [mysqldump], or [myisamchk] sections.

Also, update your MySQL to the latest version, if you are still running 3.x you should be dragged out into the street and beaten with a stick, seriously. Just download the MySQL RPMs from the MySQL website, it takes 30 seconds to upgrade. They usually release a new version every month. Be aware of the difference between 4.0.x and 4.1.x (or higher).

CODE

[mysqld]

connect_timeout=15

interactive_timeout=100

join_buffer_size=1M

key_buffer=256M

max_allowed_packet=16M

max_connections=500

max_connect_errors=10

myisam_sort_buffer_size=64M

read_buffer_size=2M

read_rnd_buffer_size=2M

sort_buffer_size=2M

table_cache=1024

thread_cache_size=100

thread_concurrency=4

wait_timeout=300

query_cache_size=128M

query_cache_limit=1M

query_cache_type=1

skip-innodb

For people with a single CPU be sure to set thread_concurrency to 2 (4 is for Dual CPUs). People with 1GB of RAM, you might want to consider lowering the key_buffer to 64M and the myisam_sort_buffer_size to 32M. This really just depends on how much free memory your system has during peak traffic hours. If you increase these too much and your system runs out of physical RAM and starts swapping to disk, your system is going to eat it hard.

For more information about Mysqld variables, please read the following articles as they explain all the settings in-depth and how to fine-tune them: Article 1 and Article 2 and Article 3

-------------------------------------------

Third is Apache. Some people run 1.x, and some run 2.x, me personally I run 2.x because of the better performance. But some people are tied to the older version because of other software packages.

The first thing to do if you are running 1.x is to get mod_gzip and use it. If you are running 2.x then use mod_deflate (it is included). This compresses all your HTML/TXT/XML data before it is sent, saving you bandwidth, and faster load times for your users.

If you are serving up pages + images then you *probably* want to set your keepalive to on, and have your settings something like this:

Timeout 60
KeepAlive On
MaxKeepAliveRequests 1000
KeepAliveTimeout 10

By setting the KeepAliveTimeout low you won't have all those lingering connections. You can probably set it even lower if you like.

If you are only serving up html (or php or whatever) pages, and using another web server for your images (like tux). Then you probably want to set your KeepAlive to Off since the user will only be requesting 1 file at a time.

Most people have the bad habit of instantly increasing their MaxClients to 256. This can be BAD if you don't take into account memory availability. You need to determine how much memory you have free, how much each apache process consumes, then do the math to figure out what you can safely set the MaxClients to. If you exceed your physical memory then once again the server will swap to the HD and the server will take a dive in performance.

Comment out / remove and Dynamic Shared Object (DSO) modules that you do not use! There are a ton loaded by default, most which you will never use. I commented out 20+ personally! Read the apache documentation on what each one does, the apache docs are very detailed.

If possible, set the AllowOverride option to None. This prevents apache from checking for the .htaccess file in every directory whenever a request is made. However if you use .htaccess files then you have to leave the setting there, but if you can limit it down to certain directories, then do it.

Mask your Apache version by using the following settings:
ServerSignature Off
ServerTokens ProductOnly

That's just good practice, you can also hide your PHP info by setting expose_php = Off in your /etc/php.ini file.

Fourth is PHP. One thing to do is use a program like eAccelerator which caches pre-compiled versions of your php files to help reduce overhead and increase performance. It is a free download from sourceforge, but it will require a little know-ho on your part to install. There are plenty of other guides on how to install this. It is very simple and quick.

A lot of people use the redhat PHP RPMs, which can be quite bloated. My libphp4.so module is only 2.07MB in size. (I don't remember what the default redhat one is, but I'm willing to bet it is larger). Also Redhat never seems to keep up to date with the latest PHP (or MySQL) version, I always recommend updating as soon as a new release is published.

Here's my configure line. There's a lot of settings you may not use, and they could be ones that you use that I don't. You can view your current configure line via the phpinfo() function. These include all the big things such as GD, XML, SHM, etc.. Some people maybe want to enable a certain memory-limit to prevent PHP from eating too much memory per process.

Also, I don't use mm simply because I found it would crash apache on an almost daily basis. I had problems with session storage, and also it would not restart after rotating logs...

CODE

./configure

--prefix=/usr

--exec-prefix=/usr

--bindir=/usr/bin

--sbindir=/usr/sbin

--sysconfdir=/etc

--datadir=/usr/share

--includedir=/usr/include

--libdir=/usr/lib

--libexecdir=/usr/libexec

--localstatedir=/var

--sharedstatedir=/usr/com

--mandir=/usr/share/man

--infodir=/usr/share/info

--disable-cgi

--disable-debug

--disable-rpath

--disable-memory-limit

--disable-ipv6

--disable-safe-mode

--enable-pic

--enable-discard-path

--enable-inline-optimization

--enable-gd-native-ttf

--enable-gd-imgstrttf

--enable-magic-quotes

--enable-sysvsem

--enable-sysvshm

--enable-sysvmsg

--enable-shmop

--enable-track-vars

--enable-exif

--enable-wddx

--enable-bcmath

--enable-calendar

--enable-ftp

--enable-inline-optimization

--with-apxs2=/usr/sbin/apxs

--with-mysql=/usr

--with-pear

--with-config-file-path=/etc

--with-exec-dir=/usr/bin

--with-gd

--with-png-dir=/usr

--with-jpeg-dir=/usr

--with-freetype-dir=/usr

--with-gettext

--with-openssl

--with-regex

--with-ttf=/usr

--with-expat-dir=/usr

--with-dom=/usr

--with-dom-xslt=/usr

--with-dom-exslt=/usr

--with-iconv

--with-db4=/usr

--with-gdbm=/usr

--with-zlib=/usr

--with-zlib-dir=/usr

--with-xmlrpc

--with-xml

--with-bz2=/usr

--with-cdb

--enable-mbstring

-------------------------------------------

When compiling programs (like PHP, eaccelerator, etc..), you can fine-tune some of your compile-options to enhance performance for your CPU's capabilities (and remove excess stuff like debug info)

As mentioned before, I run dual xeon's (P4's for all practical purposes). If you are using a different CPU then you might have to go look up the proper flags at the GCC website.

Before compiling a program, you can set the following flags:

CODE

export CFLAGS="-O3 -pipe -mcpu=pentium4 -march=pentium4 -fomit-frame-pointer"

export CXXFLAGS="${CFLAGS}"

export CHOST="i686-pc-linux-gnu"

export MAKEOPTS="-j2"

export LDFLAGS="-Wl,-O1"

These flags are considered "stable" and should enhance performance a little for software that you compile with these options. There are tons of other flags, however some reduce precision for certain math (which can cause problems in certain software) and others may reduce stabililty.

-------------------------------------------

I guess that's about it... Use the information at your own risk. Hopefully it will help some people out, or at least point them in the right direction.

Please don't post questions that are like: "here's my config, can you optimize it for X server?". I don't check these forums that often, so I probably won't reply to your question.

Server tuning is more of an art than just entering X setting to Y number. Before making changes, keep your old configs. Also get a monitoring program so you can graph out your server load and other vitals. That way you can see before & after results. Also, if you run a forum, let your users know that you are going to make changes, and get their feedback on response time and such from them.

Enjoy.

Source: http://forums.theplanet.com/index.php?showtopic=48880

Chkrootkit

Thu, 15 Dec 2005 21:43:05 +0000

Installing CHKROOTKIT

(Version 0.42b Sep 20 2003)

SSH as admin to your server. DO NOT use telnet

#Change to root
su -

#Type the following
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

#Unpack the tarball using the command
tar xvzf chkrootkit.tar.gz

#Change to the directory it created
cd chkrootkit*

#Compile by typing
make sense

#To use chkrootkit, just type the command
./chkrootkit

#Everything it outputs should be 'not found' or 'not infected'...

#Now,
cd ..
#Then remove the .gz file
rm chkrootkit.tar.gz

Credits: http://www.cheetaweb.com/

APF Firewall 0.9.4-7

Thu, 15 Dec 2005 21:32:07 +0000

Just thought I'd update the howto's for APF.

Type ifconfig

Find out if it�s using eth0 or eth1.

Usually its eth0 but if its not, change it in conf.apf or you�ll be completely blocking the server from access

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar -xvzf apf-current.tar.gz
cd apf*
./install.sh
pico -w /etc/apf/conf.apf

RESV_DNS="1"

All SYSCTL options should be set to 1 EXCEPT for
SYSCTL_OVERFLOW="0"
SYSCTL_SYNCOOKIES="0"

USE_DS="1"
USE_AD="1"

FOR PLESK:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,8443"
IG_UDP_CPORTS="37,53,873"

EGF="1"
EG_TCP_CPORTS="20,21,22,25,53,37,43,80,113,443,465,873"
EG_UDP_CPORTS="53,873"

For CPANEL:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,993,995,2082,2083,20 86,2087,2095,2096"
IG_UDP_CPORTS="37,53,873"

EGF="1"
EG_TCP_CPORTS="20,21,22,25,37,53,43,80,113,443,465,873,2087,2089"
EG_UDP_CPORTS="53,873"

apf �s to start firewall.

If you are not kicked out of SSH and you can type commands after it loads, that means it�s installed correctly.

pico -w /etc/apf/ad/conf.antidos

LP_KLOG="1"

USR_ALERT="1"
USER = �root�
ARIN_ALERT="1"

pico -w /etc/apf/conf.apf

change DEVM to 0

apf -r

Antidos via APF Firewall

Thu, 15 Dec 2005 21:30:45 +0000

Antidos is a really nice feature of the APF firewall, but it's not automatically turned on when you install and run APF.

First you probably want to make sure APF is running nicely for a few days and you have your own IP listed in the "allow_hosts.rules" file so you can't lock yourself out. You also want to understand how to access the EV1 remote console (from your EV1 account manager), just in case you do lock yourself out.

And to be even more safe, lets set DEVEL_MODE to "1" (on) and we need to setup USE_AD to enable the use of antidos, so find and edit these:

pico -w /etc/apf/conf.apf

DEVEL_MODE="1"

USE_AD="1"

apf -r

Now APF will quit in 5 minutes. Don't forget to put DEVEL_MODE back when everything is OK!

Your server will not be firewalled after 5 minutes! If you are under attack right now this might not be such a good thing to disable.

If you installed APF with the normal installer most of the settings for antidos should be OK. We only need to change a few things, find and change these:

pico -w /etc/apf/ad/conf.antidos

LP_KLOG="1"
IPT_BL="1"

USR_ALERT="1"
USER = �root�
ARIN_ALERT="1"

You can test run it manually (it's just a shell script):

/etc/apf/ad/antidos -a

It doesn't say anything if it liked the config file and your system, and if you ran it for the first time, you will find it created a blank log file at:

/var/log/apfados_log

You need to have antidos set to run via cron. If you have "crontab -e" all set up you can use that to set it up. Some panels let you edit the root cron job file from the panel.

This is a critical setup point, if not done, antidos will simply not operate.

Here's an example line, I added this to my root crontab:

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

This will run antidos every two minutes. The author of antidos doesn't recommend running it once a minute as it may cause a bottleneck for itself and the CPU. Likewise running it beyond a period of once every 5 minutes is not recommended either, for obvious reasons.

You can check to see if it's being run with something like this:

tail -30 /var/log/cron

Now restart apf again:

apf -r

Try to access a few of your sites and if you are not locked out and happy with everything you can set DEVEL_MODE to "0" (off) :

pico -w /etc/apf/conf.apf

DEVEL_MODE="0"

apf -r

At this point it would be nice to test to see if it actually works, I leave that up to you to figure out how or maybe someone else can post some ideas. I would be very careful, you don't want to DOS the wrong server.

If for some reason you find out it's locking the wrong people out and want to turn it off, take this line out of root cron:

*/2 * * * * /etc/apf/ad/antidos -a > /dev/null 2>&1

And blank out this file:

/etc/apf/ad/ad.rules

You can look in the log file to see what went wrong:

/etc/apf/ad/apfados_log

And don't forget to restart apf:

apf -r

For more info on the settings, see the doc files at:
http://rfxnetworks.com/apf.php

Banning over-aggressive web crawlers

Thu, 15 Dec 2005 21:03:11 +0000

Not all web crawlers obey robots.txt like they should

One in particular was getting on my nerves, the Inktomi Slurp crawler. Essentially, it would go to my site (http://rpg-works.net) and load ALL my clients sites in quick succession, bogging down my server to the point of becoming unresponsive.

So, for your benefit, here's my current ban list (I put this in rc.local)

# Ban Slurpy (Inktomi/Yahoo) NetBlock
/sbin/iptables -A INPUT -s 66.196.64.0/18 -j DROP
# Ban nameprotect.com
/sbin/iptables -A INPUT -s 12.175.0.32/28 -j DROP
# AskJeeves.Com
/sbin/iptables -A INPUT -s 65.214.36.0/22 -j DROP
# Alexa
/sbin/iptables -A INPUT -s 209.237.238.0/24 -j DROP
# Turnitin.com Bot
/sbin/iptables -A INPUT -s 64.140.49.66 -j DROP
# Cyveillance.com (RIAA enforcement)
/sbin/iptables -A INPUT -s 63.148.99.224/27 -j DROP

Others here, such as nameprotect.com are "intellectual property" crawlers that basically check your site for compliance. Even though they use your bandwidth and resources, you get nothing in return (such as listing on a search engine), they're just looking for someone to sue on behalf of one of their clients.

If you're having problems with your server randomly becoming unresponsive, this is worth a shot.

How did I get these IPs?

Check your access logs for "robots.txt", most bots at least attempt to look at the file. The enter those IPs into http://arin.net
for information on who they belong to, as well as the netblock you can ban if the bot is an extreme nuisance.

Mount /tmp with noexec

Thu, 15 Dec 2005 20:20:01 +0000

What we are doing it creating a file that we will use to mount at /tmp.

--------------

cd /dev

--------------

Create 100MB file for our /tmp partition. If you need more space, make count size larger.

--------------

dd if=/dev/zero of=tmpMnt bs=1024 count=100000

--------------

Make an extended filesystem for our tmpMnt file

--------------

mke2fs /dev/tmpMnt

--------------

Backup your /tmp dir- I had mysql.sock file that I needed to recreate the symbolic link for. Other programs may use it to store cache files or whatever.

--------------

cd /

cp -R /tmp /tmp_backup

--------------

Mount the new /tmp filesystem with noexec

--------------

mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

chmod 0777 /tmp

--------------

Copy everything back to new /tmp and remove backup

--------------

cp -R /tmp_backup/* /tmp/

rm -rf /tmp_backup

--------------

Now we need to add this to fstab so it mounts automatically on reboots.

--------------

pico -w /etc/fstab

--------------

You should see something like this:

--------------

/dev/hda3 / ext3 defaults,usrquota 1 1
/dev/hda1 /boot ext3 defaults 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/hda2 swap swap defaults 0 0

--------------

At the bottom add

--------------

/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

--------------

(Each space is a tab)

Ctrl + X and Y

Your done- /tmp is now mounted as noexec. You can sleep a little bit safer tonight. I created a hello world c++ and compiled it then moved it to /tmp. Upon trying to run it (even chmod +x'ed), it gives the following error:

--------------

bash: ./a.out: Permission denied

--------------

HOW-TO: Secure cPanel

Wed, 30 Nov 2005 21:43:35 +0000

First and foremost I want to say that this is not going to make your server 100% cracker proof, there is always a possibility that somebody will find a way in. I have listed a lot of things you can do to protect your server and that will help you secure it. While securing your server you have to find a median between what is secure and what restricts your clients or websites. You can easily make your server 100% secure from remote attacks by unplugging the ethernet cable, but chances are you will not get much good with it. This is not a complete guide and I will update it when I find time or it needs it. Overall it is a very good start and it is probably more then most servers have.

If you have any problems with the guide please post them and I will try and help/update the guide. I have not included everything you can do but it is a very good start. If you need somebody to secure server please feel free to private message or email me.

All commands meant to be run in ssh will begin with "#"

--------------------------

First step is to updated your software. Make sure up2date says you are fully updated:
#up2date -u

Now update the kernel. Below I have posted the directions for a server using lilo as the bootloader. I will add in directions for grub later as I do not run grub on any of my servers. If you are using grub please skip this section and upgrade the kernel at another time.

#cd /var/spool/up2date

If you have a dual processor server:

#up2date --download --force kernel-smp
#rpm -ivh kernel-smp-2.4.21-15.0.4.EL.i686.rpm
#lilo -v -v
#lilo -R 2.4.21-15.0.4.1
#shutdown -r now

If you have a single processor server:
#up2date --download --force kernel
#rpm -ivh kernel-2.4.21-15.0.4.EL.i686.rpm
#lilo -v -v
#lilo -R 2.4.21-15.0.4.1E
#shutdown -r now

When you run lilo -v -v make sure that no errors appear, if so you probably need to look at the lilo.conf for the problem.

The lilo -R command will make it reboot only once to the new kernel. If for some reason just put in a reboot TT and it will automatically boot to the old kernel. If it comes back up fine then you can edit the /etc/lilo.conf and set "default=" the new kernel label.

--------------------------

A firewall should be the first thing installed.. I recommend advanced protection firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists.
http://rfxnetworks.net/apf.php
#cd /usr/src
#wget http://rfxnetworks.net/downloads/apf-current.tar.gz
#tar -zxf apf-current.tar.gz
#cd apf-0.*
#./install.sh

Now edit config file
#pico -w /etc/apf/conf.apf

Change the following:
USE_DS="1"
USE_AD="1"

Scroll down to this section:

# Common ingress (inbound) TCP ports IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082, 2083,2086,2087,2095,2096"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"

Scroll down a bit then find this section:

EGF="1"
# Common egress (outbound) TCP ports EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,208 9"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,123,465,873"

Save the file and start apf via.
apf -s
If everything still works then edit the config file and turn dev mode off.
DEVM="0"

Now restart APF
#apf -r

--------------------------

The following scripts are fairly easy to use and install, I might add documentation later but for now I will not.

Along with installing APF I would suggest installing brute force monitor (BFD) also by rfxnetworks. BFD will monitor your ssh and ftp services and automatically ban users that try to brute force a password. If you install BFD make sure you can get a separate ip to ssh into your server incase it blocks you for some reason! You can add your ip to the allow list via "apf -a IP" if you have a static ip.
http://rfxnetworks.net/bfd.php

Yet another very handy tool by rfxnetworks is socket monitor (PMON). This tool will alert you whenever a new port is opened on the server. This is very helpful in detecting any users running weird processes or attempting to run backdoors. When any program that it does not recognized is started it will email you with the information.
http://rfxnetworks.net/pmon.php

Another tool I would suggest, but that is not really part of securing your server, is system integrity monitor (SIM) which is also by rfxnetworks. SIM will automatically detect when a service is down and restarts it.
http://rfxnetworks.net/sim.php

I always recommend to turn off compilers. Most rootkits come precompiled but not all of them do. It will also prevent shell users from trying to compile any irc related programs. To turn the compilers on switch the off to on.
/scripts/compilers off

--------------------------

mod_security

First we will download and unzip mod_security. This guide compiles for apache1.3.x which is what cPanel currently uses.
#wget http://www.modsecurity.org/download...ty-1.8.4.tar.gz
#tar zxf mod_security-1.8.4.tar.gz
#cd mod_security-1.8.4/apache1

Next compile mod_security at a module:
#/etc/httpd//bin/apxs -cia mod_security.c

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.
#cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec

Now edit the httpd.conf
pico -w /etc/httpd/conf/httpd.conf

Scroll down below the following line:
AddModule mod_security.c
The rules listed in the text file below can just be pasted in. They are a collection of rules, many of them taken from snort, that block most of the common attacks while still letting normal requests by.
http://eth0.us/faq/modsec.txt

Create the error log file:
#touch /var/log/httpd/audit_log

Restart apache
#service httpd restart

If sites start to have problems look at error log.
/var/log/httpd/audit_log

--------------------------

The /tmp partition is one the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check if your /tmp is secure.
#df -h |grep tmp

If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.
#cat /etc/fstab |grep tmp

If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
ls -alh /var/ |grep tmp

If it shows something to the effect of "tmp -> /tmp/" then you are ok. If not go ahead an remove the old /var/tmp and replace it with a sym link to /tmp.
#rm -rf /var/tmp/
#ln -s /tmp/ /var/

If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.

Create a 190Mb partition
#cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000

Format the partion
#mke2fs /dev/tmpMnt

Make a backup of the old data
#cp -Rp /tmp /tmp_backup

Mount the temp filesystem
#mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

Set the permissions
#chmod 0777 /tmp

Copy the old files back
#cp -Rp /tmp_backup/* /tmp/

Once you do that go ahead and start mysql and make sure it works ok. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

Next delete the old /var/tmp and create a link to /tmp
#rm -rf /var/tmp/
#ln -s /tmp/ /var/

If everything still works fine you can go ahead and delete the /tmp_backup directory.
#rm -rf /tmp_backup

--------------------------

Many php exploit scritps use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no none-wheel or root user can use them we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the the commands below. Mod_security really removes the need to chmod this, but it is an added layer of protection.

#chmod 750 /usr/bin/rcp
#chmod 750 /usr/bin/wget
#chmod 750 /usr/bin/lynx
#chmod 750 /usr/bin/links
#chmod 750 /usr/bin/scp

--------------------------

Now we will install rkhunter so we will atleast know if the server has been cracked.

Download and unzip rkhunter
#cd /usr/local/src/
#wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
#tar -zxf rkhunter-1.1.4.tar.gz
#cd rkhunter

Install it
#./install.sh

Now create a cronjob so it will email you with notifications to the root mailbox:
#crontab -e

At the bottom add the following line
16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

Press control x to save

--------------------------

Credits: John W - Security and general linux how-to's