How to secure your dedicated or VPS server. Please note that this covers only the very basics!
First, let's configure APF (advanced personal firewall)
Step 1: login to SSH, and become the root user
Step 2: enter the following command: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
Step 3: enter the following command: tar -xvzf apf-current.tar.gz
Step 4: cd apf-0.9.5-1/ (or whatever the latest version is)
Step 5: Run the install file: ./install.sh
You will receive a message saying it has been installed
Installing APF VERSION HERE: Completed.
Installation Details:
Install path: /etc/apf/
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path: /etc/apf/ad/conf.antidos
DShield Client Parser: /etc/apf/extras/dshield/
If you have cPanel, do the following:
Step 1: nano /etc/apf/conf.apf
Step 2: Find Common ingress (inbound) TCP ports
Step 3: Change the following:
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
If you have DirectAdmin do the following:
Step 1: nano /etc/apf/conf.apf
Step 2: Find Common ingress (inbound) TCP ports
Step 3: Change the following:
IG_TCP_CPORTS (incoming): 21,22,25,53,80,110,143,443,1853,1821,1867,1903,1913,1924,1925,1976,
2030,2031,2032,2033,2034,2035,2036,2037,2038,2096,3071,3079,3080,3081,3082,3083,3084,3085,3086,
3306,5000,5669,5670,5671,5672,5673,5674,5675,5677,5678,5679,5680,5681,7524,9293,9301,9302,9925,9926,9067,
9068,20440,20441,20442,20443
EG_ICMP_CPORTS (outgoing): 37,53,873
Step 6: Start the firewall: /usr/local/sbin/apf -s
Step 7: Once everything is working, change the DEVM option (development mode, which flushes the rules every 5 minutes so you can't lock yourself out).
We recommend changing this back to "0" only after you've had a chance to make sure everything is working well and have tested the server.
nano /etc/apf/conf.apf
FIND: DEVM="1"
CHANGE TO: DEVM="0"
Step 8: Finally, make APF start on boot: chkconfig --level 2345 apf on
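Before running apf -s it is worth checking the port lists you just edited. The following helper is an added example (not part of this guide or of APF itself) and assumes that APF's *_CPORTS values are comma-separated ports or LOW_HIGH ranges with no whitespace; it flags a stray space, an empty entry, an out-of-range port or an inverted range before the rules go live.

```shell
#!/bin/sh
# Added example, not from the original guide or from APF: sanity-check the
# IG_/EG_*_CPORTS values in conf.apf. Assumes APF's list format is
# comma-separated ports and LOW_HIGH ranges with no whitespace.

# is_port NUM: true if NUM is an integer in 1..65535.
is_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_cports LIST: reject whitespace or other stray characters, empty
# entries, out-of-range ports and ranges whose low end is not below the high end.
validate_cports() {
    case "$1" in
        ""|*[!0-9,_]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $1; IFS=$old_ifs
    for entry in "$@"; do
        case "$entry" in
            *_*)
                low=${entry%%_*}
                high=${entry#*_}
                is_port "$low" && is_port "$high" && [ "$low" -lt "$high" ] || return 1
                ;;
            *) is_port "$entry" || return 1 ;;
        esac
    done
    return 0
}

# check_conf_apf FILE: validate every IG_/EG_*_CPORTS="..." line in FILE,
# print each offending key, and return 1 if any value is malformed.
check_conf_apf() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            [IE]G_*_CPORTS=\"*\") ;;
            *) continue ;;
        esac
        key=${line%%=*}
        value=${line#*=\"}
        value=${value%\"}
        validate_cports "$value" || { echo "malformed $key: \"$value\""; rc=1; }
    done < "$1"
    return $rc
}
```

Run it as check_conf_apf /etc/apf/conf.apf; a clean file prints nothing and exits 0.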
Configuring BFD (Brute Force Detector)
Step 1: Login to SSH as root
Step 2: Execute the following command: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
Step 3: tar -xvzf bfd-current.tar.gz
Step 4: cd bfd-0.9 (or the latest version)
Step 5: Run the install file: ./install.sh
You will receive a message saying it has been installed
.: BFD installed
Install path: /usr/local/bfd
Config path: /usr/local/bfd/conf.bfd
Executable path: /usr/local/sbin/bfd
Step 6: nano /usr/local/bfd/conf.bfd
Step 7: Enable brute-force hack attempt alerts:
Find: ALERT_USR="0" and change to: ALERT_USR="1"
Find: EMAIL_USR="root" and change to: EMAIL_USR="[email protected]"
Save the changes: Ctrl+X then Ctrl+Y
Step 8: Start BFD: /usr/local/sbin/bfd -s
Disable Telnet
To disable telnet, SSH into the server and log in as root.
At the command prompt type: nano -w /etc/xinetd.d/telnet
Change "disable = no" to "disable = yes"
Save and Exit
At the command prompt type: /etc/init.d/xinetd restart
Secure /tmp
Make a 1GB file for the /tmp partition and create an ext3 filesystem on it:
# dd if=/dev/zero of=/dev/tmpFS bs=1024 count=1000000
# /sbin/mkfs.ext3 /dev/tmpFS
Create a backup copy of your current /tmp:
# cp -Rpf /tmp /tmpbackup
Mount the new tmp partition and set its permissions:
# mount -o loop,noexec,nosuid,rw /dev/tmpFS /tmp
# chmod 1777 /tmp
Copy the old data:
# cp -Rpf /tmpbackup/* /tmp/
If you run the mount command, you should see something like this:
/dev/tmpFS on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
Edit /etc/fstab and add this line:
/dev/tmpFS /tmp ext3 loop,nosuid,noexec,rw 0 0
Test your fstab entry:
# mount -o remount /tmp
You can test it by running a script on the /tmp partition; if you get "permission denied", it is working!