ServerShield
All WiredTree managed dedicated and VPS servers include our exclusive initial security hardening service, ServerShield, free of charge. This service saves you time and money by greatly increasing the security, performance, and reliability of your WiredTree server.
Below is an overview of our included services. You can find a complete technical listing below them.
Firewall Protection:
Advanced Policy Firewall (APF) is installed and configured on your server. All ports which are not needed for operation of the server are blocked off, and we employ both ingress and egress filtering methods to provide the highest level of protection against attacks. We also configure Brute Force Detection (BFD) which detects brute force login attacks against your server and then works with APF to block the attacker.
Spam Prevention and Anti-Virus Protection:
WiredTree configures your server to scan all email for malicious software using ClamAV. This software currently detects over 60,000 viruses, worms and trojans and is used by major enterprises and universities worldwide. We configure your server to perform anti-virus definition updates hourly to ensure your server is always protected.
WiredTree uses a couple of highly effective methods to prevent spam on your server. The first is the use of Realtime Blackhole Lists (RBLs). We configure your server to use a hand-picked selection of RBLs which block known spam hosts, open proxy servers, open mail relays, hijacked/infected servers and the like from sending mail to your server. The RBL selection was designed to eliminate spam without blocking legitimate mail. We also harden the mail server configuration as another layer in spam prevention.
Server Hardening and Optimization:
WiredTree hardens your server at many levels. Starting at the network level, we optimize the Linux TCP/IP stack for maximum performance and then harden the system against SYN flood attacks, spoofed packets, DNS poisoning, and ICMP DOS/redirect attacks. At the filesystem level, we ensure proper directory permissions and protect the temporary directory and shared memory space against attacks. At the operating system level, we remove all unnecessary packages, disable unused services and processes, and configure system daemons (including SSH, HTTP, and BIND) for increased security. We also install and configure many commonly used applications such as eAccelerator for PHP, ImageMagick, NetPBM, MyTOP, and more.
HTTP Intrusion and DOS Protection:
WiredTree installs and configures the Apache modules mod_security and mod_evasive to protect against web application and denial of service (DOS) attacks. Mod_security is an intrusion detection and prevention engine which provides protection against a wide range of attacks, both known and unknown, against web applications. We use a customized rule set which is updated daily to ensure your server is always protected.
We also install and configure mod_evasive for Apache. This module allows Apache to provide evasive action in the event of an HTTP DoS attack, DDoS attack or brute force attack. We install a customized rule set to minimize the risk of false positives.
Security Audits:
WiredTree installs the intrusion detection software Rootkit Hunter and Chkrootkit and configures them to perform nightly security audits to ensure your server is safe. We also install proprietary scripts which protect against unauthorized processes and allow us to dynamically check the security of your server as attack methods evolve.
Complete list of technical services:
Firewall Protection:
- APF – Configure both ingress and egress firewall protection.
- BFD – Detect and prevent brute force attacks.
Spam Prevention and Anti-Virus Protection:
- ClamAV – Configure for e-mail scanning. Enable auto-updating anti-virus definitions.
- Realtime Blackhole Lists (RBLs) – Configure email server with RBLs to prevent spam.
- Harden Mailserver Configuration – Prevent detection of valid e-mail addresses through brute-force attacks. Also enable HELO verification and other sanity checks.
HTTP Intrusion and DOS Protection:
- Mod_security – Install and configure mod_security for Apache with auto-updating ruleset.
- Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache.
Server Hardening:
- Disable IP Source Routing – Enable protection against IP source route attacks.
- Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
- Enable syncookie protection – Enable protection against TCP Syn Flood attacks.
- Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
- Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
- Harden Apache – Prevent module and version disclosure information.
- Harden SSH – Allow only SSH version 2 connections.
- Harden Named – Enable protection against DNS recursion attacks.
- Ensure Filesystem Permissions – Fix permissions on world-writable directories and protect against directory-traversal attacks.
- Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
- Harden “fetching” utilities – Allow root-only access to wget, curl, and other utilities often used in web-based attacks.
- Remove unnecessary packages – Remove RPMs which are not needed, to protect against potential vulnerabilities and free up disk space.
- Disable unused services – Disable services which are not used.
- Disable unneeded processes – Disable processes which are not needed for server operation.
- PAM Resource Hardening – Protect against exploits which use core dumps and against user resource exhaustion through fork bombs and other shell attacks.
- PHP Hardening – Enable open_basedir protection.
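The network and mount items in the list above can be verified mechanically. The script below is an added example, not WiredTree's own tooling: it assumes the standard Linux sysctl keys for source routing, ICMP redirects and syncookies (the page does not name them) and runs on constructed sample input.

```shell
#!/bin/sh
# Added example: audit part of the "Server Hardening" list offline.
# The sysctl keys below are this example's mapping of the list items to
# standard Linux settings (an assumption; the page does not name them).

# check_sysctl DUMP KEY WANT: true if a `sysctl -a` style dump has KEY = WANT
check_sysctl() {
    got=$(awk -F'[ \t]*=[ \t]*' -v k="$2" '$1 == k { print $2 }' "$1")
    [ "$got" = "$3" ]
}

# check_mount MOUNTS DIR: true if DIR is its own mount with noexec and nosuid
# (a DIR that is not a separate mount has no options and is reported as FAIL)
check_mount() {
    opts=$(awk -v m="$2" '$2 == m { o = $4 } END { print o }' "$1")
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
}

# audit DUMP MOUNTS: print one PASS/FAIL line per check; status 1 on any FAIL
audit() {
    fails=0
    while read -r key want; do
        if check_sysctl "$1" "$key" "$want"; then echo "PASS $key=$want"
        else echo "FAIL $key (want $want)"; fails=$((fails + 1)); fi
    done <<EOF
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.tcp_syncookies 1
EOF
    for dir in /tmp /dev/shm; do
        if check_mount "$2" "$dir"; then echo "PASS $dir noexec,nosuid"
        else echo "FAIL $dir noexec,nosuid"; fails=$((fails + 1)); fi
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample input (not from a real host): redirects still accepted,
# and /dev/shm mounted without noexec.
write_samples() {
    printf '%s\n' 'net.ipv4.conf.all.accept_source_route = 0' \
        'net.ipv4.conf.all.accept_redirects = 1' \
        'net.ipv4.tcp_syncookies = 1' > "$1"
    printf '%s\n' '/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0' \
        'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' > "$2"
}

d=$(mktemp -d) && write_samples "$d/sysctl.txt" "$d/mounts.txt"
audit "$d/sysctl.txt" "$d/mounts.txt" || echo "hardening gaps found"
```

On a live host, save the output of `sysctl -a` to a file and pass it to `audit` together with `/proc/mounts`.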
Server Optimization:
- Optimize TCP/IP stack – Various changes to TCP/IP stack to increase buffers and optimize for server environment.
- PHP Configuration – Enables widely used PHP modules for maximum compatibility.
- eAccelerator – Optimizes PHP performance through script caching.
- Graphic Applications – Installs widely-used graphic applications NetPBM and ImageMagick.
- Monitoring Applications – Installs MyTOP, IPTraf, and iftop utilities to easily monitor server performance.
Security Audits:
- Rootkit Hunter – Nightly scan to detect system intrusions.
- Chkrootkit – Nightly scan to detect system intrusions.