Server Audit & Report
Run rkhunter for a quick scan
Run chkrootkit for a quick scan
Check Listening Network Ports
Enforce stronger passwords with the pam_cracklib module
Secure /tmp, /var/tmp and /dev/shm with the mount options noexec and nosuid.
Install Logwatch and review logwatch emails daily. Investigate any suspicious activity on your server.
Web Server Security & Optimization
MySQL renice for better performance
Control panel tweaks for better security & performance
Check whether server IP address is listed in RBLs
Scan /home for suspicious files and symlinks
Remove insecure RPMs
Check for any errors during server boot-up
List all account backup files (tar.gz) that are taking up disk space
Check whether the server has sufficient free memory and swap space
Confirm that the server will not run out of disk space or inodes any time soon
Check and confirm that there are no suspicious network connections to any remote server(s).
Check for any suspicious processes running on the server.
Clean up old or unwanted temporary files from /tmp partition.
Scan for any hidden processes running on the server that may not be listed in “ps” output.
Check for any users with shell access on the server other than the root user
Check whether a normal user can execute root commands via sudo
Check the version of Apache currently installed on the server.
Check the version of PHP currently installed on the server.
Check whether the kernel version is up to date
Check for bad disk blocks in all partitions using a SMARTD health check
Clean spam, frozen and unwanted mails from the mail queue
Scan for suspicious files using maldet / clamav
Scan for files and directories with no user associated with them
Check for unsafe file permissions and disable some executables
Check memory/CPU usage (system health check using sysstat)
Scan for files and directories with world-writable permissions
Scan and list all suspicious symlinks under the home directory
Check server load and partitions to perform maintenance activities
Scan for *.c or binary files (which have possible security issues)
Check dmesg output
Check shell history for the root and su users
Change the permissions of a directory and its subfolders back to the default permissions
Examine common Linux log files
Check TCP connections and make sure no unwanted IPs or ports are listed
Check for Chargen
Check the size of the log files; ideally each log stays in the megabyte range
Check load on the server; do a quick check of running processes using ps, netstat, lsof, top, etc.
Scan and list all *.tar.gz files under “/home” and “/backup” that are more than 6 months old.
Turn off recursive queries globally in named.conf to avoid DNS amplification attacks.
Hide server version details for httpd, ftpd and named
Restrict which users are allowed to execute cron
Disable the PHP functions “system, exec, shell_exec, passthru, popen, proc_open, show_source, symlink”
Tune kernel parameters
Disable unused services
Install iftop, which displays a frequently updated list of network bandwidth utilization (source and destination hosts) passing through the network interface
iostat reports CPU, disk I/O, and NFS statistics
vmstat reports virtual memory statistics
mpstat reports processor statistics.
Turn off compilers. Most rootkits come precompiled, but not all of them do. It will also prevent shell users from compiling IRC-related programs.
Enable PHP open_basedir protection: open_basedir prevents PHP scripts from opening files outside of the user's home directory.
Enable safe_mode for PHP 5.x and below. safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on.
Enable suEXEC so that Apache runs CGI programs as the user ID of the account owner.
Move mails to maildir format
Prepare a list of all world-writable files and directories. This reveals locations where an attacker can store files on your system.
Look for files with no owner, i.e. no user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
Update rules for mod_security
Update PHP PEAR and gem modules
Track down the currently infected files on the server using AUTOBOTS
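Several of the items above (the noexec/nosuid mount options on /tmp, /var/tmp and /dev/shm, the world-writable scan, the no-owner scan, the symlink scan under /home, and the PHP disable_functions list) can be checked from one small shell script. The script below is an added example, not part of the checklist or any tool it names. It assumes POSIX sh with find, awk, sed, mktemp and GNU readlink -f; the sample directory tree, mount table and php.ini fragment are constructed inside build_sample so it runs offline, and the expose_php check goes slightly beyond the list (expose_php is a real PHP directive, but the list itself only mentions hiding httpd/ftpd/named versions).

```shell
#!/bin/sh
# Added audit helper (not the checklist author's code). Point the functions at
# /home, /proc/mounts and the real php.ini on a live server; the data built in
# build_sample below is constructed purely for demonstration.

# World-writable files and directories under $1, ignoring sticky directories
# (a correctly configured /tmp is world-writable by design).
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) 2>/dev/null
}

# Files under $1 with no matching user or group (typically left behind after
# an account was removed).
no_owner() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null
}

# Symlinks under $1 whose target resolves outside $1 (cross-account symlinks).
escaping_symlinks() {
    base=$(cd "$1" && pwd -P)
    find "$1" -xdev -type l 2>/dev/null | while read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target=$(readlink "$link")
        case "$target" in
            "$base"|"$base"/*) ;;                        # stays inside the tree
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Verify mount point $1 in a /proc/mounts-style file $2 carries every option
# listed in $3 (space separated). Prints what is missing; returns 1 if any is.
mount_has_opts() {
    mp=$1; mounts=$2; want=$3
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    [ -n "$opts" ] || { echo "$mp: not a separate mount"; return 1; }
    rc=0
    for o in $want; do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "$mp: missing $o"; rc=1 ;;
        esac
    done
    return $rc
}

# The PHP functions the checklist says to disable.
DANGEROUS_FUNCS="system exec shell_exec passthru popen proc_open show_source symlink"

# Value of directive $2 in php.ini $1 (last uncommented assignment wins).
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# Functions from DANGEROUS_FUNCS that php.ini $1 does not list in disable_functions.
php_missing_disables() {
    disabled=$(php_ini_get "$1" disable_functions | tr -d ' ')
    for f in $DANGEROUS_FUNCS; do
        case ",$disabled," in
            *",$f,"*) ;;
            *) echo "$f" ;;
        esac
    done
}

# Constructed sample data: a tiny /home, a mount table and a php.ini fragment.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/public_html" "$d/home/alice/tmp" "$d/home/bob/pub" "$d/outside"
    chmod 0755 "$d/home" "$d/home/alice" "$d/home/alice/public_html" "$d/home/bob"
    chmod 1777 "$d/home/alice/tmp"      # sticky, world-writable by design: not flagged
    chmod 0777 "$d/home/bob/pub"        # plain world-writable directory: flagged
    echo '<?php' > "$d/home/alice/public_html/index.php";  chmod 0644 "$d/home/alice/public_html/index.php"
    echo '<?php' > "$d/home/alice/public_html/upload.php"; chmod 0666 "$d/home/alice/public_html/upload.php"
    echo secret > "$d/outside/secret"
    ln -s ../tmp "$d/home/alice/public_html/t"                       # inside /home: fine
    ln -s "$d/outside/secret" "$d/home/alice/public_html/leak.txt"   # escapes /home: flagged
    cat > "$d/mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext4 rw,relatime 0 0
EOF
    cat > "$d/php.ini" <<'EOF'
; constructed php.ini fragment
expose_php = On
disable_functions = "system, exec, shell_exec, passthru, popen, show_source"
EOF
    echo "$d"
}

# Usage: run every check against the constructed sample and print the findings.
S=$(build_sample)
world_writable "$S/home"
no_owner "$S/home"
escaping_symlinks "$S/home"
for mp in /tmp /var/tmp /dev/shm; do mount_has_opts "$mp" "$S/mounts" "noexec nosuid"; done
php_missing_disables "$S/php.ini"
[ "$(php_ini_get "$S/php.ini" expose_php)" = Off ] || echo "expose_php is not Off"
```

Against the sample, the run flags upload.php and bob/pub as world-writable (alice/tmp is skipped because it is sticky), leak.txt as a symlink escaping /home, /var/tmp as missing noexec and nosuid, /dev/shm as not being a separate mount, and proc_open and symlink as still enabled in PHP.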