All WiredTree managed servers include our exclusive initial security hardening service, ServerShield, free of charge. This service saves you time and money by greatly increasing the security, performance, and reliability of your WiredTree server.
ServerShield is a comprehensive software security and optimization suite. It was developed by WiredTree with four major goals: to harden server security, prevent spam, enhance server performance, and improve system compatibility of our clients' servers. It is unique to WiredTree and is free to all clients.
Firewall and Brute Force Protection:
Advanced Firewall (CSF) is installed and configured on your server. All ports which are not needed for operation of the server are blocked off, and we employ both ingress and egress filtering methods to provide the highest level of protection against attacks. The firewall automatically updates using the Spamhaus DROP list to block traffic consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. We also configure Brute Force/Login Failure Detection (LFD), which detects brute force login attacks against your server and then works with CSF to block the attacker. Additionally, CPHulk is enabled, which protects against brute force attacks directed at cPanel services.
Spam Prevention and Anti-Virus Protection:
WiredTree configures your server to scan all email for malicious software using ClamAV. This software currently detects over 60.000 viruses, worms and trojans and is used by major enterprises and universities worldwide. We configure your server to perform anti-virus definition updates hourly to ensure your server is always protected.
WiredTree uses a variety of highly effective methods to prevent spam on your server. The first is the use of Realtime Blackhole Lists (RBLs) for spam prevention. We configure your server to use a hand-picked selection of RBLs which block known spam-hosts, open proxy servers, open mail relays, hijacked/infected servers and the like from sending mail to your server. The RBL selection was designed to eliminate spam without blocking legitimate mail. We also harden the mail server configuration as another layer in spam prevention.
We employ advanced spam filtering techniques such as an Optical Character Recognition engine to detect spam in email as images/PDF, checksum-based collaborative filtering technology, and SMTP dictionary attack protection. We also install a custom hand-selected set of rules for SpamAssassin and ClamAV which greatly increase their rate of detection.
Server Hardening and Optimization:
WiredTree hardens your server at many levels. Starting at the network level, we optimize the Linux TCP/IP stack for maximum performance and then harden the system against SYN flood attacks, spoofed packets, DNS poisoning, and ICMP DOS/redirect attacks. At the filesystem level, we ensure proper directory permissions and protect temporary directory and shared memory space against attacks. At the operating system level, we remove all unnecessary packages, disable unused services and processes, and configure system daemons (including SSH, HTTP, and BIND) for increased security. We also install and configure many commonly used applications such as Eaccelerator for PHP, FFMPEG, Mencoder, ImageMagick, NetPBM, MyTOP, and more.
HTTP Intrusion and DOS Protection:
WiredTree installs and configures Apache modules mod_security and mod_evasive to protect against web application and denial of service (DOS) attacks. Mod_security is an intrusion detection and prevention engine which provides protection against a wide range of attacks, both known and unknown, against web applications. We use a customized rule set which is updated daily to ensure your server is always protected.
We also install and configure mod_evasive for Apache. This module allows Apache to provide evasive action in the event of an HTTP DoS attack, DDoS attack or brute force attack. We install a customized rule set to minimize the risk of false positives.
WiredTree installs and configures the intrusion detection software Rootkit Hunter and Chkrootkit and configures them to perform nightly security audits to ensure your server is safe. We also install proprietary scripts which prevent unauthorized processes and allow us to dynamically check the security of your server as attack methods evolve.
Complete list of technical services:
- CSF – Configure both ingress and egress firewall protection.
- LFD – Detect and prevent brute force attacks.
- CPHulk – Detect and prevent brute force attacks.
Spam Prevention and Anti-Virus Protection:
- ClamAV – Configure for e-mail scanning. Enable auto-updating anti-virus definitions.
- Realtime Blackhole Lists (RBLs) – Configure email server with RBLs to prevent spam.
- Harden Mailserver Configuration – Prevent detection of valid e-mail addresses through brute-force attacks. Also enable HELO verification and other sanity checks.
- Dictionary Attack Protection – Prevent spammers guessing email addresses on your server.
- Checksum-based Collaborative Filtering – DCC and Razor to detect mass-mails.
- OCR Technology – Optical Character Recognition engine to detect spam in email as images and PDF files.
- Custom rulesets – Custom hand-selected SpamAssassin and ClamAV rulesets to increase spam detection.
HTTP Intrusion and DOS Protection:
- Mod_security – Install and configure mod_security for Apache with auto-updating ruleset.
- Mod_evasive – Install and configure DOS, DDOS, and brute force detection and suppression for Apache.
- PHP SuHosin – PHP Hardening through the Hardened PHP Project. Available on request.
- Disable IP Source Routing – Enable protection against IP source route attacks.
- Disable ICMP Redirect Acceptance – Enable protection against ICMP redirect attacks.
- Enable syncookie protection – Enable protection against TCP SYN flood attacks.
- Enable ICMP rate-limiting – Enable protection against ICMP flood attacks.
- Harden host.conf – Enable spoofing protection and protection against DNS poisoning attacks.
- Harden Apache – Prevent module and version disclosure information.
- Harden SSH – Allow only SSH version 2 connections.
- Harden Named – Enable protection against DNS recursion attacks.
- Ensure Filesystem Permissions – Fix permissions on world-writable directories and prevent directory-traversal attacks.
- Harden temporary directory and shared memory locations – Enforce noexec, nosuid on tmp and shm mounts.
- Harden “fetching” utilities – Allow root-only access to wget, curl, and other utilities often used in web-based attacks.
- Remove unnecessary packages – Remove RPMs which are not needed, to prevent potential vulnerabilities and free up disk space.
- Disable unused services – Disable services which are not used.
- Disable unneeded processes – Disable processes which are not needed for server operation.
- PAM Resource Hardening – Protects against exploits which use core dumps and against user resource exhaustion through fork bombs and other shell attacks.
- PHP Hardening – Enable OpenBaseDir protection.
- Optimize TCP/IP stack – Various changes to TCP/IP stack to increase buffers and optimize for server environment.
- PHP Configuration – Enables widely used PHP modules for maximum compatibility.
- MySQL Optimization – Optimizes MySQL performance for server configuration and enables query caching.
- PHP Caching – Optimizes PHP performance through EAccelerator script caching.
- FFMPEG and related software support – FFMPEG, Mencoder, flvtool2, and all related applications.
- Graphic Applications – Installs widely-used graphic applications NetPBM and ImageMagick.
- Monitoring Applications – Installs MyTOP, Iptraf, and Iftop utilities to easily monitor server performance.
- Rootkit Hunter – Nightly scan to detect system intrusions.
- Chkrootkit – Nightly scan to detect system intrusions.
- Nobody Process Scanner – Scans for unauthorized "nobody" processes.
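
As an added example (not WiredTree's own tooling), the following Python audit checks a Linux host for three of the kernel items and the tmp/shm mount item in the list above. The sysctl key names and the `/tmp` and `/dev/shm` mount points are this example's assumptions about how those items map onto a standard Linux system, and the sample values are constructed.

```python
from pathlib import Path

# Assumed mapping of the checklist items to standard Linux sysctl keys.
EXPECTED_SYSCTL = {
    "net.ipv4.conf.all.accept_source_route": "0",  # Disable IP Source Routing
    "net.ipv4.conf.all.accept_redirects": "0",     # Disable ICMP Redirect Acceptance
    "net.ipv4.tcp_syncookies": "1",                # Enable syncookie protection
}
# Assumed mount points for "tmp and shm"; both must carry noexec and nosuid.
REQUIRED_OPTS = {"/tmp": {"noexec", "nosuid"}, "/dev/shm": {"noexec", "nosuid"}}

def check_sysctl(values):
    """Return one finding per key whose value is absent or not the expected one."""
    return [f"{key}: expected {want}, found {values.get(key)}"
            for key, want in EXPECTED_SYSCTL.items() if values.get(key) != want]

def check_mounts(mounts_text):
    """Parse /proc/mounts-format text and report missing mounts or options."""
    seen = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in REQUIRED_OPTS:
            seen[fields[1]] = set(fields[3].split(","))  # later mounts shadow earlier
    findings = []
    for point, need in REQUIRED_OPTS.items():
        if point not in seen:
            findings.append(f"{point}: not a separate mount")
        elif need - seen[point]:
            findings.append(f"{point}: missing {','.join(sorted(need - seen[point]))}")
    return findings

def read_live_sysctl():
    """Read the current values from /proc/sys on a Linux host."""
    values = {}
    for key in EXPECTED_SYSCTL:
        path = Path("/proc/sys") / key.replace(".", "/")
        values[key] = path.read_text().strip() if path.exists() else None
    return values

# Constructed sample: ICMP redirects still accepted, /dev/shm lacks noexec.
SAMPLE_SYSCTL = {**EXPECTED_SYSCTL, "net.ipv4.conf.all.accept_redirects": "1"}
SAMPLE_MOUNTS = """\
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    for finding in check_sysctl(SAMPLE_SYSCTL) + check_mounts(SAMPLE_MOUNTS):
        print("FAIL", finding)
```

On a real host, pass `read_live_sysctl()` and the contents of `/proc/mounts` to the two check functions instead of the samples.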