Debian Tutorials Copy/Paste tutorials for Debian based Linux distros

26Jun/101

Replacing OpenSSH server with dropbear

dropbear is an SSH 2 server and client designed to be small enough to be used in small memory environments, while still being functional and secure enough for general use.

It implements most required features of the SSH 2 protocol, and other features such as X11 and authentication agent forwarding.

1. Install dropbear

apt-get install dropbear

21Jun/105

Prevent brute force attacks using fail2ban

fail2ban monitors log files such as /var/log/auth.log and /var/log/apache/access.log and temporarily or persistently bans failure-prone addresses by updating existing firewall rules. Currently, by default, fail2ban supports ssh/apache/vsftpd but configuration can be easily extended for monitoring any other ASCII file.

1. Install fail2ban

apt-get install fail2ban

16Jun/109

Setup DomainKeys Identified Mail (DKIM) in Postfix

DomainKeys Identified Mail (DKIM) is a method for email authentication that allows an organization to take responsibility for a message it has sent in a way that can be validated by a recipient. The technique is based on public-key cryptography: Responsibility is claimed by the signer by adding a digital signature to a message's header, the DKIM-Signature header field. The verifier recovers the signer's public key using the DNS, and then verifies that the signed parts have not been altered.

1. Install DKIM filter

apt-get install dkim-filter

15Jun/101

Tuning MySQL with MySQLTuner to increase efficiency and performance

mysqltuner is a high-performance MySQL tuning script written in Perl that will provide you with a snapshot of a MySQL server's health. Based on the statistics gathered, specific recommendations will be provided that will increase a MySQL server's efficiency and performance.

1. Install MySQLTuner

apt-get install mysqltuner

14Jun/100

Installing PowerDNS Recursor

PowerDNS Recursor is a resolving DNS server that runs as a separate process. The authoritative pdns_server can be configured to proxy recursive queries to the recursor, and optionally overlay authoritative zone data.

The Recursor is used by several of the largest Internet providers of the world, including AOL, Shaw Cable and Neuf Cegetel.

1. Install the pdns-recursor package

apt-get install pdns-recursor

13Jun/105

Installing HAVP (HTTP Antivirus Proxy)

HAVP (HTTP Antivirus Proxy) is a proxy with a ClamAV anti-virus scanner. The main aims are continuous, non-blocking downloads and smooth scanning of dynamic and password-protected HTTP traffic. HAVP has a parent and transparent proxy mode. It can be used with squid or standalone.

1. Install HAVP

apt-get install havp

12Jun/100

Configuring port forwarding with rinetd

rinetd redirects TCP connections from one IP address and port to another. rinetd is a single-process server which handles any number of connections to the address/port pairs specified in the file /etc/rinetd.conf. Since rinetd runs as a single process using nonblocking I/O, it is able to redirect a large number of connections without a severe impact on the machine. This makes it practical to run TCP services on machines inside an IP masquerading firewall.

1. Install rinetd

apt-get install rinetd

9Jun/101

OpenID authentication with the mod_auth_openid Apache module

mod_auth_openid is an authentication module for the Apache 2 webserver. It handles the functions of an OpenID consumer as specified in the OpenID 2.0 specification.

After a user authenticates themselves, the user's identity will be available in the REMOTE_USER variable. A cookie named open_id_session_id is saved to maintain each user's session.

1. Install the module

apt-get install libapache2-mod-auth-openid

1Jun/101

Install mod_spamhaus Apache module to fight comment spam

mod_spamhaus is an Apache module for DNS Block Listing that protects web services by denying access to particular IP addresses. It can stop spam relaying via web form URL injection, and block HTTP DDoS attacks from botnets.

It queries sbl-xbl.spamhaus.org, taking advantage of the Spamhaus Block List (SBL) and the Exploits Block List (XBL).

1. Download the latest mod_spamhaus deb package from the sid package repository (mod_spamhaus is not available for lenny, but we can use the sid package)

wget http://ftp.us.debian.org/debian/pool/main/m/mod-spamhaus/libapache2-mod-spamhaus_0.7-1_i386.deb

15May/100

Implementing SPF checks in Postfix

Sender Policy Framework (SPF), as defined in RFC 4408, is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.