KernelCare

KernelCare – the great option for hosting provaiders and businesses. KernelCare runs on Ubuntu, CentOS, Debian, and other popular flavors of Linux. It checks for updates every 4 hours and installs them automatically. Patches can be rolled back. KernelCare is free for nonprofits. To install KernelCare, run the installation script:

wget -qq -O - https://kernelcare.com/installer | bash

If you are using an IP based license, nothing else is required. Otherwise, if you are using a key based license, run the following command to register the service:

/usr/bin/kcarectl --register <your-key>

Where is the registration code string <your-key>provided when signing up for a trial or purchasing a product. You can get it on this page. Below are some useful KernelCare commands. To check if a running KernelCare kernel is supported:

curl -s -L https://kernelcare.com/checker | python

To unregister a server:

sudo kcarectl --unregister

To check the status of the service:

sudo kcarectl --info

The software will automatically check for new patches every 4 hours. To update manually, run:

/usr/bin/kcarectl --update

Canonical Livepatch

Canonical Livepatch is a service that fixes a running kernel without rebooting your Ubuntu system. Livepatch is free to use on three Ubuntu systems. To use this service on more than three computers, you need to subscribe to the Ubuntu Advantage program. Before installing the service, you need to get a livepatch token from the Livepatch service website. After installing the token and enabling the service by running the following two commands:

sudo snap install canonical-livepatch
sudo canonical-livepatch enable <your-key>

To check the status of the service, run:

sudo canonical-livepatch status --verbose

Later, if you want to unregister the machine, use this command:

sudo canonical-livepatch disable <your-key>

The same instructions apply for Ubuntu 20.04 and Ubuntu 18.04.

So, after the snapshot recovery period has passed on the new VPS, problems may arise caused by changing the MAC address of the network adapter. Typically, when you change a network adapter, the operating system creates a new network adapter for it. Typically you will see the network adapter on “eth1” (or eth2 if you have a private network enabled).

CentOS

This operating system describes the following steps to correct network configuration after snapshot recovery:

1. First you need to log into your server, this can be done as a consequence of this;
2. Delete the contents of /etc/udev/rules.d/70-persistent-net.rules
3. Open /etc/sysconfig/network-scripts/ifcfg-eth0 and change the content to the following:

DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=dhcp
DNS1=8.8.8.8
NAME="System eth0"

After this three steps, you need to restart VPS

Debian & Ubuntu

This operating system describes the following steps to correct network configuration after snapshot recovery:

1. First you need to log into your server, this can be done as a consequence of this;
2. Delete the contents of /etc/udev/rules.d/70-persistent-net.rules
3. Review the contents of /etc/network/interfaces and update all IP addresses to match the current server.

After this three steps, you need to restart VPS

Cybercrime is very high in global risk

According to WEF estimates, cybercrime brings about $ 6 trillion in annual revenue. Corporations such as Facebook, Microsoft, Apple, Amazon, Walmart, and Tesla earn a combined annual revenue of $ 1.28 trillion. These numbers and scales are staggering and very surprising! The most popular cybercrime methods are: blackmail, denial of service and (DDoS) extortion. The ransomware criminal transfers malicious software to the victim’s computer, encrypts the stored data, and requires money to decrypt the contents. A denial of service attack is based on sending excess network traffic to the victim’s computer infrastructure and demanding money to stop it. This works well for many modern corporations whose business runs on digital platforms.

We often use things like smart watches, voice assistants, door cameras, consecration systems, smart personal devices. These devices are very often tools for the theft of personal data, extortion and are at a high level in the lists of criminals. Small businesses that don’t have computer or security experts are also easy targets. As with any other type of crime, the fight against cybercrime never ends. But in fact, governments should consider regulating the devices that people buy and connect to the Internet. Basic security should be the default setting for all products that can be connected to the network.We suggest you familiarize yourself with the link, which sets out some ways to combat cybercrime: https://us.norton.com/internetsecurity-how-to-how-to-recognize-and-protect-yourself-from-cybercrime.html

Some of them is:

• Manage your social media settings
• Talk to your children about the internet
• Keep up to date on major security breaches
• Take measures to help protect yourself against identity theft
• Use strong passwords

Protection takes a very important role in the development of sites. People have experience of being exposed to external threats from intruders who are ready to steal personal data, important information and other resources from your site. Content, business, customers are all important factors, but the protection of the site is above all the confidence in security and integrity.

An SSL certificate is a special protocol that guarantees a secure and reliable connection to your site. This protocol provides reliability, security, and is guaranteed a successful and non-dangerous communication through the elements of authentication and encryption. This fact adds your site status with the suffix “S” (that is, no longer http, but httpS)

Order free certificate Let’s Encrypt

Let’s Encrypt ”is a certificate authority from which you can get a free SSL certificate for the site. They are great for small sites where users can leave some personal information: email, passwords, phone number, address. Certificate Authority Let’s Encrypt is ready to issue you a certificate absolutely FREE!

When installing a security certificate on any control panel, when ordering a certificate, you receive the following files:

• certificate.crt – the basis of the certificate for your domain name.
• private.key – the key that was generated when creating the CSR
• ca_bundle.crt – root certificate provided by your certificate authority

This is very useful for you if you own a small website and cannot afford a paid SSL certificate. We give you a free Let Encrypt security certificate for 90 days. Install the free version of Let Encrypt by clicking on the link:

https://hostry.com/solutions/ssl-for-free/

Method # 1. Using launch options

To enable safe mode using the graphical interface, you must press the key combination from: Windows + C to open “Settings”, then click on “Power”. After that, click on Shift and then “Restart”. Click Troubleshoot, then Launch Options. Click “Restart” after “Enable safe mode” is displayed in the displayed list.

Use the arrow keys to enter safe mode. After you press Enter, in safe mode, your Windows Server will boot into unopened mode.

After successful inclusion of safe mode, your background should be black, and in the upper right corner on your desktop will appear the inscription “Safe mode“

Method # 2. Using msconfig

In order to boot into safe mode using the system (msconfig), you must go to Run and run msconfig

On the Download tab, which is located in the Download Options, select Secure Download. Then click “OK”, and the server will automatically restart in safe mode. If you are prompted to “Restart,” click OK.

When loading in safe mode, the background of the desktop will be black, and in the upper right corner of the desktop will appear the inscription “Safe Mode“

Preliminary Actions

First you need to update your server. To do this, enter a simple command:

apt update && upgrade

It is worth noting that the installation is not difficult, since Fail2Ban is already included in the repositories of your Debian 11. Installation is easy, just enter the command:

apt install fail2ban

After you set it up, please check. The verification step is extremely important for making future adjustments:

systemctl status fail2ban

If Fail2ban is not running on your instance, you need to run it. This can be done with the following command:

systemctl start fail2ban

Next, move on to configuring Fail2ban. This is necessary for proper launch. Enter the following command:

systemctl enable fail2ban

Configuring Fail2Ban

If the first installation step was successfully completed and verified, then you can proceed to the Fail2ban configuration. Fail2ban is installed bundled with a default configuration file. This file contains configurable settings in Fail2ban. The file location is as follows:

/etc/fail2ban/jail.conf

The file contains settings known as filters for configuring Fail2ban. This tool also has many options in its configuration file. These options can be useful for specific scripts and services that work with each other on your Linux machine.

• The bantime value is the exact time during which the malicious IP is blocked
• The maxretry value – The number of times the user will try to login. If the limit is exceeded, the IP address is blocked.
• The ignoreip value is the networks you trust. All networks you enter here will bypass Fai2Ban filtering.
• The enable value allows Fail2ban to confirm whether you want this jail to be enabled or disabled.

Next is to talk about jails. It has an individual customization option. Jails can increase the security of your Linux computer in many ways. You can add different filters to your server services. The first step is to create the jail.local configuration file. You can do it like this:

touch /etc/fail2ban/jail.local

Open jail.local in a text editor of your choice.

nano /etc/fail2ban/jail.local.

After the clarifications above have been provided regarding hail conf. you will be able to apply this directly to the configuration.

enabled = true
port = ssh
bantime = 10h
maxretry = 12
ignoreip = Any_IP

[apache-badbots]
enabled = true
port = http,https, smtp...
bantime = 72h
maxretry = 3

[squid]
enabled = false
port = 80,443,25, 1234...

You will be able to install this from the ports collections if it is installed on your system. To do this, enter the following command:

# cd /usr/ports/security/sudo/
# make install clean

You can also install the sudo binary package using pkg:

# pkg install sudo

Add a Sudo User

First you need to create a user account to use with sudo

# adduser

Answer the questions from the suggested options to create a user. This tutorial will use user.example

Add User to Wheel Group

This group called “Wheel” limits the list of users who can use root

# pw group mod wheel -m user.example

Edit the sudoers file

First, you need to check the sudoers file with visudo extension

# visudo

Look for a wheelset. Remove comment if line is off. When you’re ready to save the file, it should look like this

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

Save and exit vi. ESC type, then : W Q, then ENTER

IMPORTANT! The visudo utility performs a syntax check before making changes to the file. The wrong sudoers file can break your system. Never edit /etc/sudoers directly. For example, if you make a mistake, you will see this when exiting visudo.

Disable and uninstall SELinux

# setenforce 0
# yum remove selinux-policy\*
# rm -rf /etc/selinux/targeted /etc/selinux/config

Install SELinux

# yum install selinux-policy-targeted
# yum install selinux-policy-devel policycoreutils
# touch /.autorelabel; reboot

SELinux will detect the /.autorelabel file upon reboot, and then reconfigure all the files in the correct SELinux contexts. If you have many files in your virtual machine, then VPS may be unavailable for a long time.

Note!

If SELinux is not already installed, then you need to go to step 2 – installing SELinux. If SELinux is installed on your virtual server, then you need to remove it (to reset the policy to the default settings)

SpamAssasin installation process

In order to install this program, we recommend the following command:

apt-get install spamassassin spamc -y

The next step is to install the user and disable the login.

adduser spamassasin --disabled-login

Configuring SpamAssasin

Assign spamassassin to the SpamAssassin user account. This is followed by editing the settings

nano /etc/default/spamassassin

It is necessary to find in this directory ENABLED = 1 Uncomment it by removing the # and changing the value from 1 to 0.

ENABLED=0

Then you need to find the line OPTIONS = “- create-prefs –max-children 5 –helper-home-dir” and make changes. They must include a spamassassin account

OPTIONS="--create-prefs --max-children 5 --username spamassassin --helper-home-dir /home/spamassassin/ -s /home/spamassassin/spamassassin.log"

Then you need to find the line CRON = 0 and make the same changes as before to get CRON = 1. Then save the file. Back up your local SpamAssassin configuration file.

mv /etc/spamassassin/local.cf  /etc/spamassassin/local.cf.bk

Then you need to create a new local SpamAssassin configuration file.

nano /etc/spamassassin/local.cf 

Paste the information below into the file.

rewrite_header Subject ***** SPAM _SCORE_ *****
report_safe             0
required_score          5.0
use_bayes               1
use_bayes_rules         1
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              0
use_dcc                 0
use_pyzor               0
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
endif

The next step is to save the change file and then you can close it.

Setting up your Postfix

First of all, to start configuring, you need to edit the Postfix configuration file

nano /etc/postfix/master.cf

Next, you need to find the following records, which are presented below:

smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd

Under smtp configuration add SpamAssassin content filter

smtp      inet  n       -       y       -       -       smtpd

-o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe
user=spamassassin argv=/usr/bin/spamc -f -e  
/usr/sbin/sendmail -oi -f ${sender} ${recipient}

Next, you should save this file and you can then close it. This is followed by restarting your Postfix and enabling spamassassin to run on your server.

systemctl restart postfix.service
systemctl enable spamassassin.service
systemctl start spamassassin.service

Install Web Server

The first thing we offer you is installing a web server

yum install httpd php

Personal Home Directory Protection

The following is protection for your home directories. The first thing to understand is that the directories of other users are classified and not visible to anyone, except for the owners, respectively.

We suggest you change all directories to 700; this is to ensure that only the appropriate home directory owners can view their own files

chmod 700 /home
chmod 700 /home/*
chmod 700 /home/*/*

Apply security patch for the Apache to split user privileges

The first thing to learn we need to first install the repository containing the package with the patch. Run the following commands as root or sudo

yum install epel-release
yum install httpd-itk

Through “apache2-mpm-itk” we can see which PHP user should run depending on the virtual host. It adds a new extension in the configuration of AssignUserId virtualhost-user virtualhost-user-group, which allows Apache / PHP to execute user code under a specific user account.

Сreate a virtual host

To create a virtual host in Apache, you can follow this example, which is presented below (for example, taken example.com)

NameVirtualHost example.com

<VirtualHost example.com>

DocumentRoot /home/vhost-user/public_html
ServerName example.com
</VirtualHost>

Next, open the text editor /etc/httpd/conf.d/example-virtualhost.conf and add the contents above. Here is the command to use nano:

nano /etc/httpd/conf.d/example-virtualhost.conf

Configure Apache Web Server to run as another user

After launched the protection of the Apache / PHP server, the following should be added:

AssignUserId vhost-user vhost-user-group

This will look like an example of a virtual host, after the option is added:

NameVirtualHost example.com

<VirtualHost example.com>

DocumentRoot /home/vhost-user/public_html
ServerName example.com
AssignUserId vhost-user vhost-user-group

</VirtualHost>

Next, you need to Hide the version of Apache. To do this, enter the command:

nano /etc/httpd/conf/httpd.conf

Then in the line “ServerTokens” change the parameter after it to “ProductOnly”. This tell to Apache only to show that it is “Apache” and not “Apache / 2.2” or something like that

At the end, restart the Apache server

service httpd restart