You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.

Basic Operation

Default Port Security Operation. The default port security setting for each port is off, or “continuous”. That is, any device can access a port without causing a security reaction.

Intruder Protection. A port that detects an “intruder” blocks the intruding device from transmitting to the network through that port.

Eavesdrop Protection. Using either the port-security command or the switch’s web browser interface to enable port security on a given port automatically enables eavesdrop prevention on that port.

General Operation for Port Security. On a per-port basis, you can configure security measures to block unauthorized devices, and to send notice of security violations. Once port security is configured, you can then monitor the network for security violations through one or more of the following:

Alert flags that are captured by network management tools such as

ProCurve Manager (PCM and PCM+)

Alert Log entries in the switch’s web browser interface

Event Log entries in the console interface

Intrusion Log entries in the menu interface, CLI, or web browser interface

For any port, you can configure the following:

Action: Used when a port detects an intruder. Specifies whether to send an SNMP trap to a network management station and whether to disable the port. Address Limit: Sets the number of authorized MAC addresses allowed on the port.

Learn-Mode: Specify how the port acquires authorized addresses.

Continuous: Allows the port to learn addresses from inbound traffic from any connected device. This is the default setting.

Limited-Continuous: Sets a finite limit (1 -32) to the number of learned addresses allowed per port.

Configuring and Monitoring Port Security

Port Security

Static: Enables you to set a fixed limit on the number of MAC addresses authorized for the port and to specify some or all of the authorized addresses. (If you specify only some of the authorized

addresses, the port learns the remaining authorized addresses from the traffic it receives from connected devices.)

Configured: Requires that you specify all MAC addresses authorized for the port. The port is not allowed to learn addresses from inbound traffic.

Authorized (MAC) Addresses: Specify up to eight devices (MAC addresses) that are allowed to send inbound traffic through the port. This feature: Closes the port to inbound traffic from any unauthorized devices that are connected to the port. Provides the option for sending an SNMP trap notifying of an

attempted security violation to a network management station and, optionally, disables the port. (For more on configuring the switch for SNMP management, see “Trap Receivers and Authentication Traps” in the Management and Configuration Guide for your switch.)

Port Access: Allows only the MAC address of a device authenticated through the switch’s 802.1X Port-Based access control.

The image depicts Configuring and Monitoring Port Security

Following are the steps to Secure VPS:

Firewall Installation
Installing firewall and various other related tools such as CSF, sim. These will prevent unauthorized access to your server and from brute force attacks.
CSF (ConfigServer Firewall) http://www.configserver.com/free/csf/install.txt
SIM (System Integrity Monitor) http://www.rfxnetworks.com/sim.php
NSIV (Network Socket Inode Validation) http://www.rfxnetworks.com/nsiv.php
LES (Linux Environment Security) http://www.rfxnetworks.com/les.php
these do not prevent exploits of services which you run on your VPS server. Also need to be aware of the installed firewall and you need to open up the additional ports as needed if you add new services/program.

Securing /tmp partition
Most of the attacks and exploits use /tmp to work out of any propagate themselves. By mounting /tmp with noexec and nosuid (meaning executables cannot be run from /tmp nor with escalated privileges), this stops many of these exploits from being able to do any harm.
You can do it by adding following entry in “/etc/fstab”
====
none /tmp tmpfs nodev,nosuid,noexec 0 0
====
save the file and reboot the VPS, now vps get mounted with “nosuid” and “noexec”

Installing Rkhunter (RootKit Hunter)
Rkhunter is a very useful security scanning tool that is used to scan for trojans, rootkits, backdoors, local exploits and other security problems. It can be useful to detect any failures in your layers of defense. It’s a cron job that scans your server for security problems.

Securing MySQL Database
MySQL is one of the most popular databases on the Internet and it is often used in conjunction with PHP. Besides its undoubted advantages such as easy of use and relatively high performance, MySQL offers simple but very effective security mechanisms. Unfortunately, the default installation of MySQL, and in particular the empty root password and the potential vulnerability to buffer overflow attacks, makes the database an easy target for attacks. You can secure the Mysql using the tutorial.

Securing MySQL Database
MySQL is one of the most popular databases on the Internet and it is often used in conjunction with PHP. Besides its undoubted advantages such as easy of use and relatively high performance, MySQL offers simple but very effective security mechanisms. Unfortunately, the default installation of MySQL, and in particular the empty root password and the potential vulnerability to buffer overflow attacks, makes the database an easy target for attacks. You can secure the Mysql using the tutorial.

Upgrade Apache/PHP, MySQL to latest version
make sure your running the latest secure versions of commons software components. This is the important step in preventing your server getting cracked by common exploits.

Installing Mod_Security
ModSecurity is an open source intrusion detection and prevention engine for web applications and helps in preventing attacks on programs that would be vulnerable; it acts as a powerful shielding application from attacks. ModSecurity supports both branches of the Apache web server.

Disable non-root access to unsafe binaries.
Many exploits use well known executables already on your system as part of their bag of tools. By allowing only privileges to root to these files, you can avoid many attacks to not function.

nabling PHP suEXEC
When PHP runs as an Apache Module it executes as the user/group of the webserver which is usually “nobody” or “apache”. Suexec is a mechanism supplied with Apache that allows to execute CGI scripts as the user they belong to, rather than Apache’s user. This improves security in situations where multiple mutually distrusting users have the possibility to put CGI content on the server.

Disable SSH root access
Allowing the root user to login directly is a major security issue, because a brute force attack can use the known username ‘root’ and concentrate on password variations. By using a unique username (not something like admin) you can reduce the chance of a successful brute force attack. This will force a hacker to have to guess 2 separate passwords to gain root access.

Changing SSH Port
One common security precaution that system admins use is to set ssh to listen on a non-standard port (e.g. port 9989, 9898, etc). It is common for hackers to attempt ssh daemon exploits that tend to be very specific to the version of openssh that is running. By having sshd listen to a different port, instead, then you are reducing the risk of a general port 22 scan and hack. Changing port is an additional layer of security.