Hi,
A cPanel server can be secured by many means. I am listing some of the efficient ways to do so.
WHM
WHM >> Security Center
1. Compiler Access >> make sure it is disabled for all users except "root".
2. Configure Security Policies >> Password Strength
3. cPHulk Brute Force Protection >> Enable it. Whitelisting should be done only after strict evaluation.
4. Traceroute Enable/Disable >> Disable it.
5. Shell Fork Bomb Protection >> Enable.
OS and kernel
6. List world-writable files and directories
find / \( -perm -o+w \) ! -type l >> globally_writable.txt
Look at globally_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system.
NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.
7. List files with no user or group
find / -nouser -o -nogroup >> no_owner.txt
Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
8. Make Sure No Non-Root Accounts Have UID Set To 0
awk -F: '($3 == "0") {print}' /etc/passwd
Only root should have UID 0. The output should look like this:
root:x:0:0:root:/root:/bin/bash
9. Tripwire – Monitors checksums of files and reports changes.
The package can be downloaded from
http://sourceforge.net/projects/tripwire. For usage, refer to the README of the package:
https://projects.honeynet.org/honeywall/browser/trunk/rpm-devel/tripwire/README.Fedora.in?rev=1
10. Chkrootkit – Scans for common rootkits, backdoors, etc.
http://www.chkrootkit.org
11. Rkhunter – Scans for common rootkits, backdoors, etc.
http://www.rootkit.nl/projects/rootkit_hunter.html
12. Logwatch – Monitors and reports on daily system activity.
http://sourceforge.net/projects/logwatch/files/
13. Change SSH port to non-standard port.
14. Change SSH Protocol 2,1 to Protocol 2
15. Enable Email Alert on root login
vi /root/.bashrc
#Scroll to the end of the file then add the following
echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@domain.com
Firewall
17. Install CSF firewall and make sure test mode is disabled after opening all used ports.
Note: Make sure SSH port set in #14 is opened in firewall.
#CSF Connection Limit
#csf.conf has connection tracking (CT) options; configure them like this
CT_LIMIT = "100"
#It means every IP with more than 100 connections is going to be blocked.
CT_PERMANENT = "1"
#IP will be blocked permanently
CT_BLOCK_TIME = "1800"
#IP will be blocked 1800 secs (1800 secs = 30 mins)
CT_INTERVAL = "60"
#Set this to the number of seconds between connection tracking scans.
#After csf.conf editing, restart csf
18. Tweak LFD and CSF to prevent DOS.
19. Secure /tmp, /dev/shm and /var/tmp
Securing PHP
20. Disable vulnerable PHP functions. Find the disable_functions directive in the php.ini file and set it on a single line:
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
21. Enable suPHP if the server is for shared hosting.
22. WHM >> Configure PHP and suEXEC > set suPHP handler and suexec
Apache
22. Install mod_security and cmc to manage the mod_security rules via WHM. See
http://configserver.com/cp/cmc.html
23. Install dos_evasive.
FTP
24. WHM >> Service Configuration >> FTP Server Configuration
Make sure Anonymous logins and uploads are disabled.
MySQL
25. Disable networking if you don't need anyone to remotely connect to MySQL server.
Add the following line to the my.cnf
skip-networking
If you are sure that these 25 steps have been strictly followed, you can sleep, because your server is more secure than ever.
Thanks
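
As an added example (not part of the original post), this read-only bash script checks items 8, 14, 17, 20 and 25 against copies of the relevant files. The function names, the directory layout passed to audit and the sample files are assumptions constructed for illustration; TESTING is the csf.conf setting that controls test mode.

```bash
#!/usr/bin/env bash
# Added example: read-only checks for checklist items 8, 14, 17, 20 and 25.
# File paths are arguments, so the checks can be run against copies.

# Item 8: print any account other than root whose UID is 0.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# Items 13-14: first value of an sshd_config keyword (sshd uses the first match).
sshd_value() { awk -v k="$2" 'tolower($1) == tolower(k) {print $2; exit}' "$1"; }

# Item 17: value of a KEY = "value" setting in csf.conf (e.g. TESTING, CT_LIMIT).
csf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Item 20: print the checklist functions that are absent from disable_functions.
missing_disabled() {
  local want="system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd"
  local have f
  have=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" | tr -d ' \t"' | tail -n 1)
  for f in $want; do
    case ",$have," in *",$f,"*) ;; *) printf '%s\n' "$f" ;; esac
  done
}

# Item 25: succeed only if skip-networking is set (not commented out) in my.cnf.
mysql_local_only() { grep -Eq '^[[:space:]]*skip[-_]networking([[:space:]]|=|$)' "$1"; }

# Run every check; print one line per finding and return the number of findings.
audit() {  # $1 = directory holding passwd, sshd_config, csf.conf, php.ini, my.cnf
  local d="$1" n=0
  [ -z "$(extra_uid0 "$d/passwd")" ]                || { echo "FAIL extra UID 0 account"; n=$((n+1)); }
  [ "$(sshd_value "$d/sshd_config" Protocol)" = 2 ] || { echo "FAIL SSH Protocol is not 2"; n=$((n+1)); }
  [ "$(csf_value "$d/csf.conf" TESTING)" = 0 ]      || { echo "FAIL CSF test mode still on"; n=$((n+1)); }
  [ -z "$(missing_disabled "$d/php.ini")" ]         || { echo "FAIL disable_functions incomplete"; n=$((n+1)); }
  mysql_local_only "$d/my.cnf"                      || { echo "FAIL MySQL networking enabled"; n=$((n+1)); }
  return "$n"
}

# Constructed sample configuration (not taken from a real server).
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/sh\n' > "$demo/passwd"
printf 'Port 2222\nProtocol 2\n' > "$demo/sshd_config"
printf 'TESTING = "1"\nCT_LIMIT = "100"\n' > "$demo/csf.conf"
printf 'disable_functions = system, exec, dl\n' > "$demo/php.ini"
printf '[mysqld]\nskip-networking\n' > "$demo/my.cnf"
audit "$demo" || echo "findings: $?"
rm -rf "$demo"
```

Recent OpenSSH releases dropped protocol 1 together with the Protocol keyword, so on those servers the item 14 finding can be ignored.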