Official Blog

Posted on 26-09-2011
Filed Under (Cloud Hosting) by Admin1

The cloud provider market is still new, and each service provider offers different options, especially for safety and availability of services. What traditional web hosting company would take the risk of guaranteeing a recovery time or service availability in case of massive attacks on the Internet?

Of course, the pioneers in cloud implement all the necessary steps to maintain redundancy and distribute resources over several data centers to avoid interruption of services. But their applications are still based on an Internet where each segment does its best, without a real commitment. Sometimes a company or client faces distant problems with the players among public cloud hosting providers, because their main strength lies in keeping the cost of services low to meet the requirements of a heavily developed industry that is always looking for affordability.

For their part, fixed and mobile telecommunication providers recommend a dedicated link to the cloud, but the recommended option is not free. The formula is to build an encrypted network using a VPN to match the security standards on the hosted server.

With regard to data privacy, all players in the cloud computing industry not only talk about the isolation mechanisms of cloud servers, but also point out the presence of support teams and dedicated security infrastructure. These are positive things, because they always provide a higher level of security than that obtained by the clients.

But what about the management of identities, entitlements and workplace security, especially for public cloud service users? To prevent information leakage and the entry of malware, the company remains attentive to terminal management. Hence the recent appearance of filtering services and identification standards at web hosting companies, increasing security levels.

In addition, when choosing a cloud hosting solution from any web host, the customer should always read the TOS and SLA very carefully. The service provider offers the client cloud hosting, which means quick data processing and easy recovery in case of failure of an application; but if, as a customer, you feel any kind of dissatisfaction with customer service, make sure you know the clauses of the money-back guarantee. This precaution is worth considering.

Posted on 26-09-2011
Filed Under (PHP) by Admin1

The “Alternative PHP Cache” (APC) is a free and open opcode cache for PHP. It was designed to provide a free, open and robust framework for caching and optimizing PHP intermediate code. It is known that APC should normally be included alternatively in PHP.

We should use it to optimize access to portals, and it is true that the improvement is really important!

Here is a small howto explaining how to install APC on Debian with php4.

First you need to install PEAR:
apt-get install apache2
apt-get install libapache2-mod-php4
apt-get install php-pear
apt-get install php4-dev
apt-get install make
pecl install apc

You must install the prefork mod as well (apache2-prefork-dev). Otherwise you will get an unnecessary error, “Sorry, not able to successfully run APXS.”

You must copy the file /usr/share/php/apc.php and make it available via a web interface, e.g. /var/www/htdocs/
And you must edit the file to include a password:
vi /var/www/apache2-default/apc.php
To change this password you must change these values:
defaults('ADMIN_USERNAME', 'user'); // Admin Username
defaults('ADMIN_PASSWORD', 'password'); // Admin Password - Change to Enable this..

Then you must edit the php.ini file and add this:
extension = apc.so
apc.enabled = 1
apc.shm_segments = 1
apc.shm_size = 1024
apc.max_file_size = 1024000

apc.enabled enables or disables APC. The value shown is the default.
apc.shm_segments is the number of memory segments to allocate for the cache. The value shown is the default.
apc.shm_size is the size of each shared memory segment in MB. This must be set according to the machine's capabilities and needs.
apc.max_file_size prevents large files from being cached.

It is possible to clear the cache by authenticating and clicking on “Clear Cache opcode”.

And experience the greatly improved performance with Alternative PHP Cache.

Posted on 23-09-2011
Filed Under (Cloud Hosting) by Admin1

At the conference, Microsoft unveiled Windows Server 8. This is the first server version developed jointly by the Windows developers and the Windows Azure team. You’ll find many concepts and elements of Azure in Windows Server 8.

The goal of Windows Server 8 is to create, deploy and administer private clouds, and hybrid clouds on the Azure platform.

Microsoft Ad said:

  • Geo replication between data centers will be easier with the new features included in the platform.
  • Translator API is now available in the marketplace to improve the translation of applications.
  • Windows SDK 1.5: This new API will help improve the performance of monitoring, and remote desktop encryption.
  • Windows Azure Bus: The latest version with many improved features.
  • Toolkit for Windows Azure & Windows 8: Currently available for Windows Phone, iOS and Android, it will be available for Windows 8. Ideal for applications metropolitan cities.
  • Demonstration of Team Foundation (TFS) on Azure.
  • Azure is now available in 25 countries.

Windows Server 8 incorporates Hyper-V 3.0, which will provide all the elements to create the private cloud. Virtualization is highlighted, as is the dynamic approach to infrastructure. This v3 includes a new virtual disk format, VHDX, and the Storage Spaces function to create virtual storage volumes on any physical storage anywhere. Above all, the virtual storage can span several physical volumes.

In addition, Windows Server 8 provides a multi-tenant infrastructure for cloud services, with significant enhancements to help reduce the cost of high availability and service management. The management, identity and development tools of Windows Azure and Windows Server 8 empower developers and IT professionals to deliver their choice of services across public and private Windows cloud hosting environments, or a combination of both.

The final idea is to ensure redundancy of services and connectivity regardless of the terminal. Microsoft’s new approach is commendable. Comprehensive integration of all of Microsoft’s systems and products ensures that everything is in its place and everything makes sense. Windows, Windows Live, Windows Azure, Windows Server and Windows Phone form an interconnected world, simplifying the use of Microsoft’s products for everyone. Microsoft’s approach towards the market is pretty straightforward: it is focusing on the needs of consumers and their new habits of consuming information that is increasingly dense, fast and collaborative.

The cloud is at the heart of Windows 8. The RTM will be dedicated to deep cloud integration to enhance the user’s experience in Windows 8. “Windows Live ID” takes a more than important place in this new version; as proof, authentication already happens through it from the home. All your data, documents, photos and contacts that you do not want to see literally stored on your hardware will be moved to the cloud through the SkyDrive service, and your settings through the “Sync PC Settings” menu of the control panel, which synchronizes your settings (personalization, themes, language, history, bookmarks and favorites in IE, etc.).

Posted on 22-09-2011
Filed Under (Dedicated Servers) by Admin1

In this article, we’ll see how to secure your dedicated server by configuring three essential programs:

* Iptables: the firewall of Linux systems. It is difficult to handle at first, but you can make very fine adjustments. In this tutorial I propose a set of standard rules for a web server.
* Fail2ban: a system that automatically bans all users who try to connect several times without success on our server. It helps prevent brute-force attacks.
* Rkhunter: software that warns when sensitive files are changed. In other words, a good backdoor and rootkit detector.

And as a bonus, I will give you a tip to be notified by email when someone logs into SSH on your server. At the end of the article you will already have a secure web server, but not secure enough for my taste, hence a second article will give you a few more tips about how to secure PHP scripts with Apache 2 modules.

I think a mini tutorial on iptables, with the most commonly used arguments and its basic principles, will not hurt. I’ll do it as a list to make it easier; the goal is not to be exhaustive.

If you run iptables -L, you will see the rules that define your firewall. Looking at the results more closely, we see three types of chains:

* INPUT: the rules for traffic coming in to the server
* OUTPUT: the rules for traffic going out of the server
* FORWARD: the rules to make redirects

We also note that the firewall’s policy is “ACCEPT” for all chains, which is not very good for security. Our approach will be to block everything (DROP) and then gradually open the ports for the services we use.

Here is a list of arguments that are used frequently:

* -t: specifies which table you are working on; the default is filter, which contains the INPUT, OUTPUT and FORWARD chains
* -A: adds a rule at the end of a chain
* -p: specifies the protocol of the rule (usually TCP, UDP or ICMP for ping)
* --dport: specifies the destination port
* -j: specifies the policy to apply (ACCEPT or DROP most of the time)
* -F: clears all rules (F = Flush)
* -X: erases a chain

Configuration rules

To set up a firewall on Linux, most of the time you create a shell file with all the iptables commands that you want. In my case, I reset iptables to 0, then I block everything, then I gradually open the services I use. Therefore, the order is important! Here is the file used for the video; remember to change the port number for ssh, otherwise you will be locked out (a hardware reboot will unlock you).

#!/bin/sh
### BEGIN INIT INFO
# Provides:          Firewall maison
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:
# Default-Stop:
# X-Interactive:     false
# Short-Description: Homemade firewall
### END INIT INFO

# Reset to 0
iptables -t filter -F
iptables -t filter -X
echo "Mise à 0"

# Block everything
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo "Interdiction"

# Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow loopback (127.0.0.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo "Loopback"

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo "Ping ok"

# SSH IN/OUT
iptables -t filter -A INPUT -p tcp --dport 1337 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 1337 -j ACCEPT
echo "SSH ok"

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo "dns ok"

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo "ntp ok"

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
echo "http ok"

# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT

# FTP In
# modprobe ip_conntrack_ftp # optional line on OVH servers
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "ftp ok"

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
echo "mail ok"

# Monit
iptables -t filter -A INPUT -p tcp --dport 4598 -j ACCEPT

# Webmin
iptables -t filter -A INPUT -p tcp --dport 10000 -j ACCEPT
echo "monitoring ok"

The upper part is optional but it avoids warnings in log files. As for difficulty, once you understand one line, the rest comes by itself. Remember to give execute permissions to this file (chmod +x firewall), place it in /etc/init.d/ and activate it at server start with update-rc.d firewall defaults (but make sure that the file is working properly before!)
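A pre-flight check for the lockout risk mentioned above, as an added example that is not part of the original post: it reads a firewall script and an sshd_config and confirms that every port sshd listens on has an INPUT ACCEPT rule. The function names and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File names and sample data
# below are constructed for illustration.

# sshd_ports FILE: print each port sshd listens on (22 if no Port line).
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# input_tcp_ports FILE: print every TCP port the script ACCEPTs on INPUT.
# Only single-port "--dport N" rules are understood, as used in the post.
input_tcp_ports() {
    awk '
    /^[ \t]*#/ { next }                      # skip commented-out rules
    $1 == "iptables" {
        chain = proto = port = target = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (chain == "INPUT" && proto == "tcp" && target == "ACCEPT" && port != "")
            print port
    }' "$1"
}

# check_ssh_open RULES SSHD_CONFIG: succeed only if every sshd port is open.
check_ssh_open() {
    rc=0
    for p in $(sshd_ports "$2"); do
        if input_tcp_ports "$1" | grep -qx "$p"; then
            echo "ok: tcp/$p is accepted on INPUT"
        else
            echo "LOCKOUT RISK: sshd listens on tcp/$p, script never accepts it"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: an excerpt of the firewall rules and two sshd configs.
tmp=$(mktemp -d)
cat > "$tmp/firewall" <<'EOF'
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p tcp --dport 1337 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
EOF
echo 'Port 1337' > "$tmp/sshd_moved"     # sshd moved to 1337: safe
echo '#Port 22'  > "$tmp/sshd_default"   # sshd still on 22: locked out
check_ssh_open "$tmp/firewall" "$tmp/sshd_moved"   || true
check_ssh_open "$tmp/firewall" "$tmp/sshd_default" || true
```

A rule whose option was pasted with a typographic dash instead of `--dport` is not counted as open, which matches what iptables itself would do with that line.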

I take this opportunity to give you my script to reset iptables to 0 in case of trouble:

#!/bin/sh
echo "Flushing iptables rules…"
sleep 1
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

That’s all on the firewall side. If one day you install additional services and they do not work, remember to look at the firewall; you tend to forget it once the configuration is finished.

Posted on 22-09-2011
Filed Under (Dedicated Servers) by Admin1

Automatic ban with fail2ban

Most of the time, when someone tries to hack your server, they use the brute-force method. That is to say, they test all possible passwords, starting with the most likely (such as dictionary words) and moving to the more unlikely (sequences of random characters). With the computing power of today’s computers, this works rather well if your password is simple. Fortunately we can easily counter it by installing a system that automatically bans people who repeatedly try to connect without success.

Simple configuration of fail2ban

To begin, you must install fail2ban with the command line apt-get install fail2ban. Then it is recommended to leave the configuration file intact and make a copy for editing: cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.local and then vi /etc/fail2ban/jail.conf.local.

To activate a filter, you must set the field enabled to true and possibly change maxretry (number of attempts before the ban), bantime (ban duration) and port (especially for ssh).

I recommend you activate the following filters: [ssh], [ssh-back], [Apache], [apache-multiport], [apache-noscript], [apache-overflows], [proftpd], [postfix], [couriersmtp] and [courierauth]. These filters are present by default; you have nothing to do other than changing enabled = false to true.

Add custom filters

The default filters are fine, but here are some custom filters that you can find on the internet. You do not have to activate them; they are a bonus.

The filter “apache-404” can ban users who make too many 404 errors. Usually it is those who are looking for administration pages by changing the URL. However, be careful! If there is a missing element on your site, such as an image, it will generate a 404 and it may ban your visitors.

The filter “apache-admin” can protect your administration area if you have one. In my case but I’d rather not give it to you anyway.

And the last, “apache-w00tw00t”, can ban the frequently used “w00tw00t” vulnerability scanner, whose traces we find in the logs.

To be added to the file /etc/fail2ban/jail.conf.local:

[apache-404]
enabled = true
port = http
filter = apache-404
logpath = /var/log/apache*/error*.log
maxretry = 10

[apache-admin]
enabled = true
port = http
filter = apache-admin
logpath = /var/log/apache*/error*.log
maxretry = 6

[apache-w00tw00t]
enabled = true
filter = apache-w00tw00t
action = iptables[name=Apache-w00tw00t,port=80,protocol=tcp]
logpath = /var/log/apache2/access*.log
maxretry = 1

Now you must create three files, which are filters based on regular expressions (regex), in /etc/fail2ban/filter.d/:

(Apparently in the article, I forgot the “.conf” at the end of files, so think of it)
apache-404.conf

# Fail2Ban configuration file
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
failregex = [[]client <HOST>[]] File does not exist: .*
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-admin.conf

# Fail2Ban configuration file
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching.
# Values: TEXT
# [client x.x.x.x] File does not exist: /home/www/admin/admin,
# The alternatives are grouped so that the client prefix applies to each of them.
failregex = [[]client <HOST>[]] File does not exist: .*(admin|PMA|mysql)
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

apache-w00tw00t.conf

root@ks367082:/etc/fail2ban/filter.d# cat apache-w00tw00t.conf
[Definition]

failregex = ^<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*

ignoreregex =

Then restart fail2ban with /etc/init.d/fail2ban restart and you’re done.
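A dry run for the apache-404 jail, as an added example that is not part of the original post: before enabling it, count which clients in an existing error log would reach maxretry, and which missing paths cause the hits, to see whether ordinary visitors would be banned by a broken asset. The function names and the log lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The log lines are constructed
# and use the Apache 2.2 error-log layout quoted in the filter comments.

# would_ban LOG MAXRETRY: print "hits client" for every client whose
# "File does not exist" lines reach MAXRETRY. The whole file is treated as
# one window (fail2ban's findtime is ignored), so this is an upper bound.
would_ban() {
    awk -v max="$2" '
    match($0, /\[client [0-9a-fA-F.:]+\] File does not exist: /) {
        split(substr($0, RSTART, RLENGTH), f, /[] ]/)
        hits[f[2]]++
    }
    END { for (c in hits) if (hits[c] >= max) print hits[c], c }' "$1" |
        sort -rn
}

# top_missing LOG: the five most requested missing paths with their counts.
# One path repeated by one visitor usually means a broken asset on the site.
top_missing() {
    sed -n 's/.*] File does not exist: \([^,]*\).*/\1/p' "$1" |
        sort | uniq -c | sort -rn | head -n 5
}

# Constructed sample: one visitor whose pages reference a missing image
# twelve times, and one client requesting three administration URLs.
log=$(mktemp)
i=0
while [ "$i" -lt 12 ]; do
    printf '[Mon Sep 26 10:00:%02d 2011] [error] [client 198.51.100.20] File does not exist: /var/www/img/logo.png, referer: http://example.org/\n' "$i" >> "$log"
    i=$((i + 1))
done
for p in admin phpmyadmin PMA; do
    echo "[Mon Sep 26 10:05:00 2011] [error] [client 203.0.113.7] File does not exist: /var/www/$p" >> "$log"
done

would_ban "$log" 10    # 10 is the maxretry of the apache-404 jail
top_missing "$log"
```

With this sample the only client reaching maxretry = 10 is the visitor hitting the missing image, which is the false positive the post warns about. fail2ban also ships the fail2ban-regex command, which tests a filter file against a log file.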

Backdoor Detector

The last piece of software to install is a backdoor detector. To install it, run apt-get install rkhunter and check in its configuration file /etc/default/rkhunter that REPORT_EMAIL is set to root and CRON_DAILY_RUN to yes.

You will receive emails if sensitive files are modified. Be careful because it can generate false positives.

Receive an email when an ssh

This time it’s more a trick than software. To receive an email when someone connects to a system user’s account, you can edit the file ~user/.bashrc and add the following line: echo "Root Shell Access `who` `date`" | mail -s "`hostname` Root Shell" email@domaine.tld

At each connection, this code will be executed and you will be notified. Rather handy if you’re paranoid and want to easily detect intrusions.

In conclusion, with these few basic principles you should have a secure dedicated server. Remember that no server is infallible and always keep a system up to date to limit the risks.
