Cpanel Server Security

cPanel Installation and Security

This documentation covers how to install cPanel on a fresh Linux server and how to do initail server security.

cPanel Installation :

* cPanel can be install on Redhat based Linux servers and FreeBSD
* A freshly build latest stable Centos server is highly recommended

How to Install cPanel :

* Yum must be installed before installing cPanel. All most all Redhat based servers will have yum preinstalled, if not installed install it from rpm ( http://rpm.pbone.net/ ).

# Update the system using Yum

$ yum update

# Disable selinux on dedicated servers. Set SELINUX=disabled in /etc/selinux/config

# Reboot the system

$ reboot

# Download the cPanel installer and run

$ cd /root; wget http://httpupdate.cpanel.net/latest; chmod +x latest; ./latest

Server security:

* Remove telnet server; we dont want that.

$ rpm -e telnet-server
* Check xinetd enabled services and dsiable them. Run below command and disable all services which shows ‘disable = no’

$ cd /etc/xinetd.d; grep disable ./*

* Disable xinetd service itself. cPanel donot use xinetd

$ /etc/init.d/xinetd stop; chkconfig xinetd off

# Add a system user eg:- administrator

$ useradd administrator

# Reset the administrator password. A strong password can be generated using following command

$ mkpasswd -l 16

# Also reset the root password to a strong one

# Add administrator user to sudoer list. After this verify administrator user can sudo to root user.

$ visudo

# Permit ‘su’ for only wheel group members. Open /etc/pam.d/su and add (order is important) or uncomment

auth            required        pam_wheel.so use_uid

# Disable SSH protocol 1 and enable SSH protocol 2 in /etc/ssh/sshd_config

# Disable rootlogin in /etc/ssh/sshd_config (Make sure some user eg:- administrator is added in sudoer list with full privilege)

# Set a banner of legal warning in SSH. Add the contents in /etc/sshBanner.txt and add following to /etc/ssh/sshd_config

Banner /etc/sshBanner.txt

# Restart SSH service

$ /etc/init.d/sshd restart

# Change SSH port. Open /etc/ssh/sshd_config and change Port 22

# Install AFICK. Download latest afick rpm from http://sourceforge.net/projects/afick/files/afick/

$ rpm -ivh afick-x.x.x.x.noarch.rpm

# Open /etc/afick.conf and set email id and enable cron run.

@@define MAILTO email_id
@@define BATCH 1

# Ensure that AFICK donot update its database after a cron run. Database update should be run manually by sysadmin, else if we miss a cron email we will miss the file changes alert. Open /etc/cron.daily/afick_cron and set ACTION=”-k”.

# Initialize AFICK database

$ afick -c /etc/afick.conf -i -P

# Disable DNS recursion and version publish. Open /etc/named.conf and set

Options {
recursion no;
version “No version for you”;
…..

# Restart bind

$ /etc/init.d/named restart

# Disable Exim version printing. Add following to /usr/local/cpanel/etc/exim/config_options

smtp_banner = “${primary_hostname} ESMTP Mail service ready”

# Rebuild eximconf and restart exim service

$  /scripts/buildeximconf && /scripts/restartsrv_exim

# Disable anonymous user login in /etc/pure-ftpd.conf

NoAnonymous yes

# Disable pure-ftpd default banner. This shows server time and ftp service name. Create a file /etc/ftpWelcome.txt and add “FTP Service Is Ready”. Now open /etc/init.d/pure-ftpd and add

OPTIONS=”-F /etc/ftpWelcome.txt”

# Restart ftp serivce

$ /scripts/restartsrv_ftpserver

# Disable apache signature. Open /usr/local/apache/conf/httpd.con and add/edit as follows

ServerSignature Off
ServerTokens Prod

# Permanently save the change

$ /usr/local/cpanel/bin/apache_conf_distiller –update

# Restart apache

$ /etc/init.d/httpd restart

# Install Rkhunter. Download latest rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html

$ tar -xvzf rkhunter-x.x.x.tar.gz; cd rkhunter-x.x.x; ./installer.sh –layout /usr/local –install; /usr/local/bin/rkhunter –update

# Create rkhunter cron job. Create file /etc/cron.daily/rkhunter.sh and add the following. Make sure to replace replace-this@with-your-email.com with the system administrator email address

#!/bin/bash
(/usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s “RKhunter Scan Details” replace-this@with-your-email.com)

# Give execute permission for the script

$ chmod +x  /etc/cron.daily/rkhunter.sh

# Securing tmp

$ /scripts/securetmp

# Root and administrator (sudo user) login alerts. Add following to both /root/.bashrc and /home/administrator/.bashrc (Change the subject line as needed)

echo “ALERT – Root Shell Access on `hostname`:” `date` `who` |mail -s “Alert: Root Access from `who | cut -d”(” -f2 | cut -d”)” -f1`” replace-this@with-your-email.com

# Install apf (firewall)

$ wget http://www.rfxn.com/downloads/apf-current.tar.gz
$ tar -xvzf apf-current.tar.gz
$ cd afp-x.x.x
$ ./install.sh

# The installer will display the current opened TCP and UDP ports. Copy them and add it to IG_TCP_CPORTS and IG_UDP_CPORTS respectively in /etc/apf/conf.apf. We also need to enable ports 0-1024 (both TCP and UDP) in apf for portscanner detector to work, so add 0_1024 to IG_TCP_CPORTS and IG_UDP_CPORTS

# Start apf

$ apf -s

# Install BFD (brute force detector)

$ wget http://www.rfxn.com/downloads/bfd-current.tar.gz
$ tar -xvzf bfd-current.tar.gz
$ cd bfd-x.x.x
$ ./install.sh
$ bfd -s

# Install portsentry (port scanner detector) from ftp://ftp.pbone.net/mirror/ftp.falsehope.net/home/tengel/fedora/4/te/i386/RPMS/portsentry-1.2-1.te.i386.rpm

# open /etc/portsentry/portsentry.conf and comment KILL_ROUTE and add

KILL_RUN_CMD=”/usr/local/sbin/apf -d $TARGET$ ‘Portscan detected on port $PORT$'”

$ /etc/init.d/portsentry restart

# Enable suphp and suexec

$ /usr/local/cpanel/bin/rebuild_phpconf –no-htaccess 5 none suphp 1

# Run /scripts/easyapache and enable mod_security

# Load mod_esecurity rules

$ cd /usr/local/apache/conf/
$ wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.bz2
$ tar -xvjf modsec-2.5-free-latest.tar.bz2
$ cd modsec/
$ perl -i -pe ‘s/\/etc\/asl\/whitelist/whitelist\.txt/’ *
$ > domain-spam-whitelist.conf
$ mkdir /usr/local/apache/conf/modsec/ip
$ mkdir /usr/local/apache/conf/modsec/global

# open /usr/local/apache/conf/modsec/00_asl_rbl.conf and add

SecDataDir /usr/local/apache/conf/modsec

# open /usr/local/apache/conf/modsec2.conf and add

Include “/usr/local/apache/conf/modsec/*.conf”

# Restart apache

$ /etc/init.d/httpd restart

cPanel Settings :

# Goto Main >> Server Configuration >> Basic cPanel & WHM Setup and set the contact information

# Goto Main >> Server Configuration >> Tweak Settings >> All and

Enable SpamAssassin spam filter = enabled
GIEmail and CGIEcho = disabled
Cookie IP validation = strict
Generate core dumps = off
Send passwords when creating a new account = off
Blank referrer safety check = on
Referrer safety check = on
Require SSL = on
Enable HTTP Authentication = off
Allow PHP to be run by resellers in WHM = off
Use MD5 passwords with Apache = on
Security Tokens = on
Default shell jailed = on

# Goto Main >> Security Center >> Apache mod_userdir Tweak and enable “Enable mod_userdir Protection”

# Goto Main >> Security Center >> Compiler Access and disable compilers for unprivileged users

# Main >> Security Center >> Configure Security Policies and

Password Age = enabled (30 days)
Password Strength = enabled (15 characters)
XML-API and JSON-API requests = enabled
DNS cluster requests = enabled

# Goto Main >> Security Center >> cPHulk Brute Force Protection and enable burte force protection

# Goto Main >> Security Center >> PHP open_basedir Tweak and enable “Enable php open_basedir Protection.”

# Goto Main >> Security Center >> Security Questions and setup the security question

# Goto Main >> Security Center >> Shell Fork Bomb Protection and enable protection

# Goto Main >> Security Center >> SMTP Tweak and enable protection

# Goto Main >> Security Center >> Traceroute Enable/Disable and disable traceroute

# Goto Main >> Account Functions >> Manage Shell Access and disable shell access for all user. If shell access is required only enable jailed shell

# Goto Main >> cPanel >> Manage Plugins and install Clamav

Daha güvenli bir cpanel için cpanel güvenlik ile iletişime geçebilirsiniz.

Ayhan ARDA

Share Button

Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

*
*

This site uses Akismet to reduce spam. Learn how your comment data is processed.