
Securing Linux cPanel server


Leo.Prince:
Hi,

A cPanel server can be secured by many means. I am listing some of the efficient ways to do so.

WHM


--- Code: ---WHM >> Security Center
--- End code ---

1. Compiler Access >> make sure it is disabled for all users except "root".

2. Configure Security Policies >> Password Strength

3. cPHulk Brute Force Protection >> Enable it. Whitelisting should be done based on strict evaluation.

4. Traceroute Enable/Disable >> Disable it.

5. Shell Fork Bomb Protection >> Enable.

OS and kernel

6.
--- Code: ---find / \( -perm -a+w \) ! -type l >> globally_writable.txt
--- End code ---
  Look at globally_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

7.
--- Code: ---find / -nouser -o -nogroup >> no_owner.txt
--- End code ---
  Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

8. Make Sure No Non-Root Accounts Have UID Set To 0


--- Code: ---awk -F: '($3 == "0") {print}' /etc/passwd
--- End code ---

Only root should have UID 0. The output should look as follows:

root:x:0:0:root:/root:/bin/bash

9. Tripwire – Monitors checksums of files and reports changes.

The package can be downloaded from http://sourceforge.net/projects/tripwire. For usage, please refer to the README of the package:

https://projects.honeynet.org/honeywall/browser/trunk/rpm-devel/tripwire/README.Fedora.in?rev=1

10. Chkrootkit – Scans for common rootkits, backdoors, etc.

http://www.chkrootkit.org

11. Rkhunter – Scans for common rootkits, backdoors, etc.

http://www.rootkit.nl/projects/rootkit_hunter.html


12. Logwatch – Monitors and reports on daily system activity.

http://sourceforge.net/projects/logwatch/files/

13. Change SSH port to non-standard port.

14. Change SSH Protocol 2,1 to Protocol 2

15. Enable Email Alert on root login


--- Code: ---vi  /root/.bashrc
#Scroll to the end of the file then add the following

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" admin@domain.com
--- End code ---

Firewall

17. Install CSF firewall and make sure test mode is disabled after opening all used ports.

Note : Make sure SSH port set in #14 is opened in firewall.


--- Code: ---#CSF Connection Limit
   #The CT options are in csf.conf; configure them like this
   CT_LIMIT = "100"
   #It means every IP with more than 100 connections is going to be blocked.
   CT_PERMANENT = "1"
   #IP will be blocked permanently
   CT_BLOCK_TIME = "1800"
   #IP will be blocked 1800 secs (1800 secs = 30 mins)
   CT_INTERVAL = "60"
   #Set this to the number of seconds between connection tracking scans.
   #After editing csf.conf, restart csf
--- End code ---

18. Tweak LFD and CSF to prevent DOS.

19. Secure /tmp, /dev/shm and /var/tmp

Securing PHP


20. Disable vulnerable PHP functions. Find the disable_functions in php.ini file



--- Code: ---disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
--- End code ---

21. Enable suPHP if the server is for shared hosting.

22. WHM >> Configure PHP and suEXEC > set suPHP handler and suexec

Apache

22. Install mod_security and cmc to manage the mod sec rules via WHM. See

http://configserver.com/cp/cmc.html

23. Install dos_evasive.

FTP

24. WHM >> Service Configuration >> FTP Server Configuration

Make sure Anonymous logins and uploads are disabled.

MySQL

25. Disable networking if you don't need anyone to remotely connect to MySQL server.

Add the following line to the my.cnf


--- Code: ---skip-networking
--- End code ---

If you are sure that these 25 steps have been strictly followed, you can sleep, because your server is more secure than ever  8)

Thanks  :P ;D
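
The following script is an added example, not part of the original post: it re-checks steps 8, 17, 20 and 25 after the changes have been made. The function names are hypothetical and the sample files are constructed with deliberate findings; point the functions at the real /etc/passwd, /etc/csf/csf.conf, php.ini and my.cnf to audit a server.

```shell
#!/bin/sh
# Added example (not from the original post): re-check steps 8, 17, 20 and 25.
# Each function takes the file to inspect, so it works on real files or copies.

# Step 8: print accounts other than root that have UID 0 (no output = good).
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 17: succeed only if CSF test mode is off (TESTING = "0").
csf_live() {
  grep -Eq '^[[:space:]]*TESTING[[:space:]]*=[[:space:]]*"0"' "$1"
}

# Step 20: print functions from the post's list that php.ini does not disable.
# Names are matched between commas so "exec" is not satisfied by "shell_exec".
php_not_disabled() {
  have=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
         tail -n 1 | tr -d ' "\t\r')
  for f in system show_source symlink exec dl shell_exec passthru phpinfo \
           escapeshellarg escapeshellcmd; do
    case ",$have," in *",$f,"*) ;; *) echo "$f" ;; esac
  done
}

# Step 25: succeed only if skip-networking is set in my.cnf.
mysql_local_only() {
  grep -Eq '^[[:space:]]*skip[-_]networking[[:space:]]*$' "$1"
}

# Constructed sample files with deliberate findings, so the run shows output.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\ntoor:x:0:0::/root:/bin/sh\nbob:x:1000:1000::/home/bob:/bin/bash\n' > "$demo/passwd"
printf 'TESTING = "1"\nCT_LIMIT = "100"\n' > "$demo/csf.conf"
printf '; constructed php.ini\ndisable_functions = system, exec, dl, passthru\n' > "$demo/php.ini"
printf '[mysqld]\nskip-networking\n' > "$demo/my.cnf"

echo "Extra UID 0 accounts: $(extra_uid0 "$demo/passwd" | tr '\n' ' ')"
csf_live "$demo/csf.conf" || echo "CSF is still in test mode"
echo "PHP functions not disabled: $(php_not_disabled "$demo/php.ini" | tr '\n' ' ')"
mysql_local_only "$demo/my.cnf" && echo "MySQL networking is disabled"
```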
