So I am relatively familiar with web servers, but I wanted to know something.

What are all of the optimizations that I should ask my server administrator to do, in order to really make it very well secured?

Thanks

Make sure you set a root mySQL password.

Also, to prevent DOS attacks:

- Install APF firewall.
- Install BFD (Brute Force detection).

Very easy to install within minutes and will shield your server against DOS attacks.

Quote:

Originally Posted by Gareth

Make sure you set a root mySQL password.

Also, to prevent DOS attacks:

- Install APF firewall.
- Install BFD (Brute Force detection).

Very easy to install within minutes and will shield your server against DOS attacks.

Can you link few of the recommended one's?

Thank you Gareth. A couple links would really help

http://www.rfxnetworks.com/apf.php
http://www.rfxnetworks.com/bfd.php

Quote:

Originally Posted by Bagel50

http://www.rfxnetworks.com/apf.php
http://www.rfxnetworks.com/bfd.php

Oh! Thank you so very much. maybe some others could get some more good ideas up on here. Who wouldn't want to have the BEST server uptime anywhere?

:-D

The only website that I have really used is:

www.eth0.us

..and some other one that I can't remember :\

Few things you can do:

Scan for rootkits and kernel-level rootkits, trojan, hiden ports, /dev directory, system, binaries, files permission and ifconfig/ifs.
Scan for superuser accounts and accounts with no password
Compile PHP to the Latest version
Compiler / Fetch app. limiting. (limits access to compilers)
Host.conf & Sysctl Hardening (spoof protection and basic ddos protection)
Installation and Configuration of APF - (Advanced Policy Firewall) (restricts access to unneeded ports)
Install BFD - (Brute Force Detection)
Install Mod_Security with massive custom rules
Installation of Security Updates by OS/Control panel Vendor
LibSafe Installation (software level attack buffer. Prevents buffer overflow attacks)
Noexec, Nosuid Temporary Directories (noexec directories such as /tmp, /var/tmp, /dev/shm)
Php Open_Basedir Tweak
Remove Unnecessary Software
Secure Kernel Default
Secure Ports
Secure Services
Secure Root Login
Secure Sshd Port
Secure DNS
Secure Ftp Server
Update Kernel & Limit Kernel Capabilities
Update Installed Softwares
Update Cpanel to the Latest Stable Version (For CPanel)
ClamAV + ExiScan Installation (email virus/spam scanning)
Install Exim Dictionary Attack
Install Forge Helo To Protect From Using The Server For Spamming
Installation and Configuration of Razor and SARE To Integrate with SpamAssassin
RBL/DNSBL Thru Exim with RBL Whitelist, Blocklist & Bypass integrated with abuseat.org, spamcop.net, spamhaus.org, ordb.org and njabl.org to protect against spamming
CHkrootkit notification (checks for possible rootkits on the server.)
Installation and Configuration of Tripwire
Install SIM ( restarts downed services & delete logs in /var/log automatically )
Install PRM ( Process Resource Monitor ) to monitor processes and kill overloading in the server
Install SPRI ( System Priority ) to control server load
Install EAccelerator
Install ZendOptimizer
Install MRTG (optional)
Install Cacti (optional)
Install Root Login Notification
Install MyTOP
Optimize Apache
Optimize MySQL
Optimize PHP
Logwatch Installation and Configuration (Sends a detailed daily report of server events based on logs)


More or less cut and paste from one of the server hardening companies I've used in the past.

Quote:

Originally Posted by Payton

Few things you can do:

Scan for rootkits and kernel-level rootkits, trojan, hiden ports, /dev directory, system, binaries, files permission and ifconfig/ifs.
Scan for superuser accounts and accounts with no password
Compile PHP to the Latest version
Compiler / Fetch app. limiting. (limits access to compilers)
Host.conf & Sysctl Hardening (spoof protection and basic ddos protection)
Installation and Configuration of APF - (Advanced Policy Firewall) (restricts access to unneeded ports)
Install BFD - (Brute Force Detection)
Install Mod_Security with massive custom rules
Installation of Security Updates by OS/Control panel Vendor
LibSafe Installation (software level attack buffer. Prevents buffer overflow attacks)
Noexec, Nosuid Temporary Directories (noexec directories such as /tmp, /var/tmp, /dev/shm)
Php Open_Basedir Tweak
Remove Unnecessary Software
Secure Kernel Default
Secure Ports
Secure Services
Secure Root Login
Secure Sshd Port
Secure DNS
Secure Ftp Server
Update Kernel & Limit Kernel Capabilities
Update Installed Softwares
Update Cpanel to the Latest Stable Version (For CPanel)
ClamAV + ExiScan Installation (email virus/spam scanning)
Install Exim Dictionary Attack
Install Forge Helo To Protect From Using The Server For Spamming
Installation and Configuration of Razor and SARE To Integrate with SpamAssassin
RBL/DNSBL Thru Exim with RBL Whitelist, Blocklist & Bypass integrated with abuseat.org, spamcop.net, spamhaus.org, ordb.org and njabl.org to protect against spamming
CHkrootkit notification (checks for possible rootkits on the server.)
Installation and Configuration of Tripwire
Install SIM ( restarts downed services & delete logs in /var/log automatically )
Install PRM ( Process Resource Monitor ) to monitor processes and kill overloading in the server
Install SPRI ( System Priority ) to control server load
Install EAccelerator
Install ZendOptimizer
Install MRTG (optional)
Install Cacti (optional)
Install Root Login Notification
Install MyTOP
Optimize Apache
Optimize MySQL
Optimize PHP
Logwatch Installation and Configuration (Sends a detailed daily report of server events based on logs)


More or less cut and paste from one of the server hardening companies I've used in the past.

Great list i do or have done alot of these on my own production box .. as i run 2 linux boxes at my office.. great list

Securing and optmizing a server are two unrelated things at times. Hardening the server is one good thing, but if you overharden you can lose some preformance benifits.

I found that out when I installed Mod_Security. It was causing me all sorts of problems on a few of my dynamic sites. I finally gave up and turned it off.