Securing SSH
Restricting and properly configuring SSH access is an essential step in securing your server.
You can find the SSH configuration file at /etc/ssh/sshd_config.
To edit this file, you will need to log into your server as the root user. Once you have logged into your normal user account via SSH, you can become the root user by using the su command. For example:
user@example.com [~]# su -
Password:
root@host [~]#
Editing the SSH Configuration File
To change a specific parameter within sshd_config, uncomment its line by removing the number sign (#), then change the value on that line. For example, the default SSH port appears in a line like this:
To change the SSH port to 456, you will need to make the line appear like this:
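The edit described above, scripted so that it leaves exactly one active Port line (an added example, not part of the original page and not a cPanel or OpenSSH tool; the helper names and the sample file contents are assumptions):

```shell
# Added example. set_sshd_option, active_values and make_sample are
# hypothetical helper names, not OpenSSH or cPanel tools.

# set_sshd_option FILE KEYWORD VALUE
# Replace the first "KEYWORD value" line (commented out or not), comment out
# later active duplicates (sshd listens on every active Port line), and keep
# the setting above any Match block so that it applies globally.
set_sshd_option() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        BEGIN { lkey = tolower(key) }
        {
            s = $0
            active = (s !~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", s)      # drop indent and one "#"
            n = split(s, f)
            word = tolower(f[1])
            if (active && word == "match") {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            } else if (!in_match && n == 2 && word == lkey) {
                if (!done) { print key " " value; done = 1; next }
                if (active) { print "#" $0; next }
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"     # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# active_values FILE KEYWORD: print the uncommented global values of KEYWORD.
active_values() {
    awk -v key="$2" 'BEGIN { lkey = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == lkey { print $2 }' "$1"
}

# make_sample FILE: write a constructed sshd_config excerpt for a dry run.
make_sample() {
    printf '%s\n' '# Constructed sample, not a real server file' \
        '#Port 22' '#AddressFamily any' 'PermitRootLogin yes' \
        'Match User backup' '    PasswordAuthentication no' > "$1"
}
```

On the server, run set_sshd_option against a copy of /etc/ssh/sshd_config and check the copy with sshd -t -f before installing it. Keep the current SSH session open until a new connection on the new port succeeds.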
MX Entry Maintenance
An MX (mail exchanger) entry tells a client which server receives mail sent to a domain name.
Assigning Priority to MX Entries:
Lower values denote higher priority, with 0 being the highest possible priority.
The primary mail server(s) (with the lowest-numbered priority) will receive mail sent to your domain.
Secondary mail servers (those with higher priority values) can be used for backup or other purposes.
If you assign multiple mail servers the same priority, mail is distributed randomly among those servers whenever that priority level is needed.
Changing the Sending IP for Outbound Email in Exim
To specify which IP address should handle outbound mail, you will need to disable an option in WHM’s Exim Configuration Editor. You can find the Exim Configuration Editor in the Service Configuration section of WHM. To begin, navigate to the configuration editor and disable the following option:
* Automatically send outgoing mail from the account’s IP address instead of the main IP address.
By default, Exim will send mail from the server’s main shared IP address. Enabling this option forces your users to send mail from their main domain’s IP address. If you choose to enable the option listed above, you will not be able to manually specify the IP addresses from which the domains send mail. This option uses /scripts/updateuserdomains to automatically populate /etc/mailhelo and /etc/mailips.
ICANN Policies for Assigning Dedicated IP Addresses to Subdomains
ICANN requires that a website owner meet one of 2 simple requirements before dedicating an IP address to his or her domain. The user’s domain or subdomain must either:
* Require an SSL Certificate — Generally, these certificates are used for e-commerce. SSL Certificates assure visitors that they are sharing sensitive information on a secure connection with the appropriate domain.
* Run an anonymous FTP site.
Assigning a dedicated IP address for any other reason than the reasons listed above is a violation of ICANN’s terms.
For more information about ICANN policies, you can visit their website: http://www.icann.org/en/policy/
Naming the IPv4 reverse DNS zone
To properly format the Domain field in the interface using IPv4:
1. Drop the last octet from the IP address.
2. Reverse the order of the remaining octets.
3. Append in-addr.arpa to the end of the remaining octets.
4. Enter this value in the Domain field of the Add a DNS Zone feature.
For example, the reverse DNS zone for 192.168.0.1 is 0.168.192.in-addr.arpa.
You will specify the last octet of the IP address within the zone file.