Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: Securing Linux Cpanel server  (Read 3569 times)

0 Members and 1 Guest are viewing this topic.

Leo.Prince

  • Guest
Securing Linux Cpanel server
« on: November 03, 2013, 10:15:09 pm »
Hi,

A cPanel server can be secured by many means. I am listing some of the efficient ways to do.

WHM

Code: [Select]
WHM >> Security Center
1. Compiler Access >> make sure it is disabled for all users except "root".

2. Configure Security Policies >> Password Strength

3. cPHulk Brute Force Protection >> Enable it. White listing should be done based on strict evaluation.

4. Traceroute Enable/Disable >> Disable it.

5. Shell Fork Bomb Protection >> Enable.

OS and kernel

6.
Code: [Select]
find / ( -perm -a+w ) ! -type l >> globally_writable.txt  Look at globally_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

7.
Code: [Select]
find / -nouser -o -nogroup >> no_owner.txt  Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

8. Make Sure No Non-Root Accounts Have UID Set To 0

Code: [Select]
awk -F: '($3 == "0") {print}' /etc/passwd
Only root should have the UID as 0. Output should look like as follows

root:x:0:0:root:/root:/bin/bash

9. Tripwire – Monitors checksums of files and reports changes.

The package can be downloaded from the link http://sourceforge.net/projects/tripwire. To get its usage, Please refer the readme of the package

https://projects.honeynet.org/honeywall/browser/trunk/rpm-devel/tripwire/README.Fedora.in?rev=1

10. Chrookit – Scans for common rootkits, backdoors, etc.

http://www.chkrootkit.org

11. Rkhunter – Scans for common rootkits, backdoors, etc.

http://www.rootkit.nl/projects/rootkit_hunter.html


12. Logwatch – Monitors and reports on daily system activity.

http://sourceforge.net/projects/logwatch/files/

13. Change SSH port to non-standard port.

14. Change SSH Protocol 2,1 to Protocol 2

15. Enable Email Alert on root login

Code: [Select]
vi  /root/.bashrc
#Scroll to the end of the file then add the following

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@domain.com

Firewall

17. Install CSF firewall and make sure test mode is disabled after opening all used ports.

Note : Make sure SSH port set in #14 is opened in firewall.

Code: [Select]
#CSF Connection Limit
   #There is in csf.conf CT option, configure it like this
   CT_LIMIT = “100″
   #It means every IP with more than 100 connections is going to be blocked.
   CT_PERMANENT = “1″
   #IP will blocked permanenty
   CT_BLOCK_TIME = “1800″
   #IP will be blocked 1800 secs(1800 secs = 30 mins)
   CT_INTERVAL = “60″
   #Set this to the the number of seconds between connection tracking scans.
   #After csf.conf editing, restart csf

18. Tweak LFD and CSF to prevent DOS.

19. Secure /tmp, /dev/shm and /var/tmp

Securing PHP


20. Disable vulnerable PHP functions. Find the disable_functions in php.ini file


Code: [Select]
disable_functions = system, show_source, symlink, exec, dl,
    shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd

21. Enable suPHP if the server is for shared hosting.

22. WHM >> Configure PHP and suEXEC > set suPHP handler and suexec

Apache

22. Install mod_security and cmc to manage the mod sec rules via WHM. See

http://configserver.com/cp/cmc.html

23. Install dos_evasive.

FTP

24. WHM >> Service Configuration >> FTP Server Configuration

Make sure Anonymous logins and uploads are disabled.

MySQL

25. Disable networking if you don't need anyone to remotely connect to MySQL server.

Add the following line to the my.cnf

Code: [Select]
skip-networking
If you are sure that these 25 steps has been strictly followed, You can sleep because your server is secured than ever  8)

Thanks  :P ;D