Lik`s forum

ConfigServer Firewall
http://www.configserver.com/

A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

This suite of scripts provides:

Straight-forward SPI iptables firewall script
Daemon process that checks for login authentication failures for:
Courier imap, Dovecot, uw-imap, Kerio
openSSH
cPanel, WHM, Webmail (cPanel servers only)
Pure-ftpd, vsftpd, Proftpd
Password protected web pages (htpasswd)
Mod_security failures (v1 and v2)
Suhosin failures
Exim SMTP AUTH
Custom login failures with separate log file and ...

MySQLTuner is a script written in Perl that allows you to review a MySQL installation quickly and make adjustments to
increase performance and stability. The current configuration variables and status data is retrieved and presented in a
brief format along with some basic performance suggestions.

Download script on the server:

Code: Select all

wget https://raw.github.com/major/MySQLTuner-perl/master/mysqltuner.pl

Run script:

Code: Select all

perl mysqltuner.pl

Insecure download & run approach:

Code: Select all

curl -sSL mysqltuner.pl | perl

Example of script output:
# perl mysqltuner.pl
>> MySQLTuner ...

Apache server response codes

Whenever a user sends a request to a server, a process called a ‘handshake’ begins where the server and your computer communicate and the server makes sure it can accommodate what your user has requested of it. This means being able to make the connection between the two computers and then completing the transfer of data.
Headers are short fragments of text which are generated by servers to hold information pertaining ...

http://google.com/safebrowsing/diagnostic?site=domain.com

OpenSSH

For locking down which users may or may not access the server you will want to look into one, or more, of the following directives:
User/Group Based Access

AllowGroups

This keyword can be followed by a list of group name patterns, separated by spaces.If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns.`*' and `?' can be used as wildcards in the patterns.Only group ...

RPMforge is a collaboration of Dag, Dries, and other packagers. They provide over 4000 packages for CentOS, including mplayer, xmms-mp3, and other popular media tools. It is not part of RedHat or CentOS but is designed to work with these major distributions.

Packages are supplied in RPM format and in most cases are ready to use. Beware that some packages are newer than the official CentOS version and you should not blindly install those packages. ...

Protecting your host from SYN floods

From Alexey's iproute documentation, adapted to netfilter and with more plausible paths. If you use this, take care to adjust the numbers to reasonable values for your system.
If you want to protect an entire network, skip this script, which is best suited for a single host.
It appears that you need the very latest version of the iproute2 tools to get this to work with 2.4.0.

#! /bin/sh ...

One useful thing in adding more swap on different disks is that you can have the kernel use the different locations in round-robin as RAID0 partition.

You can do that by editing the lines for the swap in /etc/fstab. You have to change the defaults option to pri=0 on all lines defining swap.

The trick aroung pri=0 is this:
Pri comes from priority, and thus defining the priority of the swap partition/file which will be ...

1 The Linux kernel supports the following overcommit handling modes
2
3 0 - Heuristic overcommit handling. Obvious overcommits of
4 address space are refused. Used for a typical system. It
5 ensures a seriously wild allocation fails while allowing
6 overcommit to reduce swap usage. root is allowed to
7 allocate slighly more memory in this mode. This is the
8 default.
9
10 1 - Always overcommit. Appropriate for some scientific
11 applications. ...

http://www.grsecurity.org
http://grsecurity.net/generic-config
http://grsecurity.net/confighelp.php