{"id":206,"date":"2011-04-24T00:30:22","date_gmt":"2011-04-23T22:30:22","guid":{"rendered":"http:\/\/www.ayhanarda.com\/blog\/?p=206"},"modified":"2015-09-18T12:03:50","modified_gmt":"2015-09-18T10:03:50","slug":"cpanel-server-installation-security","status":"publish","type":"post","link":"https:\/\/www.ayhanarda.com\/blog\/2011\/04\/cpanel-server-installation-security\/","title":{"rendered":"Cpanel Server Security"},"content":{"rendered":"<p>cPanel Installation and Security<\/p>\n<p>This documentation covers how to install cPanel on a fresh Linux server and how to do initail server security.<\/p>\n<p>cPanel Installation :<\/p>\n<p>* cPanel can be install on Redhat based Linux servers and FreeBSD<br \/>\n* A freshly build latest stable Centos server is highly recommended<\/p>\n<p>How to Install cPanel :<\/p>\n<p>* Yum must be installed before installing cPanel. All most all Redhat based servers will have yum preinstalled, if not installed install it from rpm ( http:\/\/rpm.pbone.net\/ ).<\/p>\n<p># Update the system using Yum<\/p>\n<p>$ yum update<\/p>\n<p># Disable selinux on dedicated servers. Set SELINUX=disabled in \/etc\/selinux\/config<\/p>\n<p># Reboot the system<\/p>\n<p>$ reboot<\/p>\n<p># Download the cPanel installer and run<\/p>\n<p>$ cd \/root; wget http:\/\/httpupdate.cpanel.net\/latest; chmod +x latest; .\/latest<\/p>\n<p>Server security:<\/p>\n<p>* Remove telnet server; we dont want that.<\/p>\n<p>$ rpm -e telnet-server<br \/>\n<!--more-->* Check xinetd enabled services and dsiable them. Run below command and disable all services which shows &#8216;disable = no&#8217;<\/p>\n<p>$ cd \/etc\/xinetd.d; grep disable .\/*<\/p>\n<p>* Disable xinetd service itself. cPanel donot use xinetd<\/p>\n<p>$ \/etc\/init.d\/xinetd stop; chkconfig xinetd off<\/p>\n<p># Add a system user eg:- administrator<\/p>\n<p>$ useradd administrator<\/p>\n<p># Reset the administrator password. A strong password can be generated using following command<\/p>\n<p>$ mkpasswd -l 16<\/p>\n<p># Also reset the root password to a strong one<\/p>\n<p># Add administrator user to sudoer list. After this verify administrator user can sudo to root user.<\/p>\n<p>$ visudo<\/p>\n<p># Permit &#8216;su&#8217; for only wheel group members. Open \/etc\/pam.d\/su and add (order is important) or uncomment<\/p>\n<p>auth\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 required\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 pam_wheel.so use_uid<\/p>\n<p># Disable SSH protocol 1 and enable SSH protocol 2 in \/etc\/ssh\/sshd_config<\/p>\n<p># Disable rootlogin in \/etc\/ssh\/sshd_config (Make sure some user eg:- administrator is added in sudoer list with full privilege)<\/p>\n<p># Set a banner of legal warning in SSH. Add the contents in \/etc\/sshBanner.txt and add following to \/etc\/ssh\/sshd_config<\/p>\n<p>Banner \/etc\/sshBanner.txt<\/p>\n<p># Restart SSH service<\/p>\n<p>$ \/etc\/init.d\/sshd restart<\/p>\n<p># Change SSH port. Open \/etc\/ssh\/sshd_config and change Port 22<\/p>\n<p># Install AFICK. Download latest afick rpm from http:\/\/sourceforge.net\/projects\/afick\/files\/afick\/<\/p>\n<p>$ rpm -ivh afick-x.x.x.x.noarch.rpm<\/p>\n<p># Open \/etc\/afick.conf and set email id and enable cron run.<\/p>\n<p>@@define MAILTO email_id<br \/>\n@@define BATCH 1<\/p>\n<p># Ensure that AFICK donot update its database after a cron run. Database update should be run manually by sysadmin, else if we miss a cron email we will miss the file changes alert. Open \/etc\/cron.daily\/afick_cron and set ACTION=&#8221;-k&#8221;.<\/p>\n<p># Initialize AFICK database<\/p>\n<p>$ afick -c \/etc\/afick.conf -i -P<\/p>\n<p># Disable DNS recursion and version publish. Open \/etc\/named.conf and set<\/p>\n<p>Options {<br \/>\nrecursion no;<br \/>\nversion &#8220;No version for you&#8221;;<br \/>\n&#8230;..<\/p>\n<p># Restart bind<\/p>\n<p>$ \/etc\/init.d\/named restart<\/p>\n<p># Disable Exim version printing. Add following to \/usr\/local\/cpanel\/etc\/exim\/config_options<\/p>\n<p>smtp_banner = &#8220;${primary_hostname} ESMTP Mail service ready&#8221;<\/p>\n<p># Rebuild eximconf and restart exim service<\/p>\n<p>$\u00a0 \/scripts\/buildeximconf &amp;&amp; \/scripts\/restartsrv_exim<\/p>\n<p># Disable anonymous user login in \/etc\/pure-ftpd.conf<\/p>\n<p>NoAnonymous yes<\/p>\n<p># Disable pure-ftpd default banner. This shows server time and ftp service name. Create a file \/etc\/ftpWelcome.txt and add &#8220;FTP Service Is Ready&#8221;. Now open \/etc\/init.d\/pure-ftpd and add<\/p>\n<p>OPTIONS=&#8221;-F \/etc\/ftpWelcome.txt&#8221;<\/p>\n<p># Restart ftp serivce<\/p>\n<p>$ \/scripts\/restartsrv_ftpserver<\/p>\n<p># Disable apache signature. Open \/usr\/local\/apache\/conf\/httpd.con and add\/edit as follows<\/p>\n<p>ServerSignature Off<br \/>\nServerTokens Prod<\/p>\n<p># Permanently save the change<\/p>\n<p>$ \/usr\/local\/cpanel\/bin\/apache_conf_distiller &#8211;update<\/p>\n<p># Restart apache<\/p>\n<p>$ \/etc\/init.d\/httpd restart<\/p>\n<p># Install Rkhunter. Download latest rkhunter from http:\/\/www.rootkit.nl\/projects\/rootkit_hunter.html<\/p>\n<p>$ tar -xvzf rkhunter-x.x.x.tar.gz; cd rkhunter-x.x.x; .\/installer.sh &#8211;layout \/usr\/local &#8211;install; \/usr\/local\/bin\/rkhunter &#8211;update<\/p>\n<p># Create rkhunter cron job. Create file \/etc\/cron.daily\/rkhunter.sh and add the following. Make sure to replace replace-this@with-your-email.com with the system administrator email address<\/p>\n<p>#!\/bin\/bash<br \/>\n(\/usr\/local\/bin\/rkhunter -c &#8211;cronjob 2&gt;&amp;1 | mail -s &#8220;RKhunter Scan Details&#8221; replace-this@with-your-email.com)<\/p>\n<p># Give execute permission for the script<\/p>\n<p>$ chmod +x\u00a0 \/etc\/cron.daily\/rkhunter.sh<\/p>\n<p># Securing tmp<\/p>\n<p>$ \/scripts\/securetmp<\/p>\n<p># Root and administrator (sudo user) login alerts. Add following to both \/root\/.bashrc and \/home\/administrator\/.bashrc (Change the subject line as needed)<\/p>\n<p>echo &#8220;ALERT &#8211; Root Shell Access on `hostname`:&#8221; `date` `who` |mail -s &#8220;Alert: Root Access from `who | cut -d&#8221;(&#8221; -f2 | cut -d&#8221;)&#8221; -f1`&#8221; replace-this@with-your-email.com<\/p>\n<p># Install apf (firewall)<\/p>\n<p>$ wget http:\/\/www.rfxn.com\/downloads\/apf-current.tar.gz<br \/>\n$ tar -xvzf apf-current.tar.gz<br \/>\n$ cd afp-x.x.x<br \/>\n$ .\/install.sh<\/p>\n<p># The installer will display the current opened TCP and UDP ports. Copy them and add it to IG_TCP_CPORTS and IG_UDP_CPORTS respectively in \/etc\/apf\/conf.apf. We also need to enable ports 0-1024 (both TCP and UDP) in apf for portscanner detector to work, so add 0_1024 to IG_TCP_CPORTS and IG_UDP_CPORTS<\/p>\n<p># Start apf<\/p>\n<p>$ apf -s<\/p>\n<p># Install BFD (brute force detector)<\/p>\n<p>$ wget http:\/\/www.rfxn.com\/downloads\/bfd-current.tar.gz<br \/>\n$ tar -xvzf bfd-current.tar.gz<br \/>\n$ cd bfd-x.x.x<br \/>\n$ .\/install.sh<br \/>\n$ bfd -s<\/p>\n<p># Install portsentry (port scanner detector) from ftp:\/\/ftp.pbone.net\/mirror\/ftp.falsehope.net\/home\/tengel\/fedora\/4\/te\/i386\/RPMS\/portsentry-1.2-1.te.i386.rpm<\/p>\n<p># open \/etc\/portsentry\/portsentry.conf and comment KILL_ROUTE and add<\/p>\n<p>KILL_RUN_CMD=&#8221;\/usr\/local\/sbin\/apf -d $TARGET$ &#8216;Portscan detected on port $PORT$'&#8221;<\/p>\n<p>$ \/etc\/init.d\/portsentry restart<\/p>\n<p># Enable suphp and suexec<\/p>\n<p>$ \/usr\/local\/cpanel\/bin\/rebuild_phpconf &#8211;no-htaccess 5 none suphp 1<\/p>\n<p># Run \/scripts\/easyapache and enable mod_security<\/p>\n<p># Load mod_esecurity rules<\/p>\n<p>$ cd \/usr\/local\/apache\/conf\/<br \/>\n$ wget http:\/\/updates.atomicorp.com\/channels\/rules\/delayed\/modsec-2.5-free-latest.tar.bz2<br \/>\n$ tar -xvjf modsec-2.5-free-latest.tar.bz2<br \/>\n$ cd modsec\/<br \/>\n$ perl -i -pe &#8216;s\/\\\/etc\\\/asl\\\/whitelist\/whitelist\\.txt\/&#8217; *<br \/>\n$ &gt; domain-spam-whitelist.conf<br \/>\n$ mkdir \/usr\/local\/apache\/conf\/modsec\/ip<br \/>\n$ mkdir \/usr\/local\/apache\/conf\/modsec\/global<\/p>\n<p># open \/usr\/local\/apache\/conf\/modsec\/00_asl_rbl.conf and add<\/p>\n<p>SecDataDir \/usr\/local\/apache\/conf\/modsec<\/p>\n<p># open \/usr\/local\/apache\/conf\/modsec2.conf and add<\/p>\n<p>Include &#8220;\/usr\/local\/apache\/conf\/modsec\/*.conf&#8221;<\/p>\n<p># Restart apache<\/p>\n<p>$ \/etc\/init.d\/httpd restart<\/p>\n<p>cPanel Settings :<\/p>\n<p># Goto Main &gt;&gt; Server Configuration &gt;&gt; Basic cPanel &amp; WHM Setup and set the contact information<\/p>\n<p># Goto Main &gt;&gt; Server Configuration &gt;&gt; Tweak Settings &gt;&gt; All and<\/p>\n<p>Enable SpamAssassin spam filter = enabled<br \/>\nGIEmail and CGIEcho = disabled<br \/>\nCookie IP validation = strict<br \/>\nGenerate core dumps = off<br \/>\nSend passwords when creating a new account = off<br \/>\nBlank referrer safety check = on<br \/>\nReferrer safety check = on<br \/>\nRequire SSL = on<br \/>\nEnable HTTP Authentication = off<br \/>\nAllow PHP to be run by resellers in WHM = off<br \/>\nUse MD5 passwords with Apache = on<br \/>\nSecurity Tokens = on<br \/>\nDefault shell jailed = on<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; Apache mod_userdir Tweak and enable &#8220;Enable mod_userdir Protection&#8221;<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; Compiler Access and disable compilers for unprivileged users<\/p>\n<p># Main &gt;&gt; Security Center &gt;&gt; Configure Security Policies and<\/p>\n<p>Password Age = enabled (30 days)<br \/>\nPassword Strength = enabled (15 characters)<br \/>\nXML-API and JSON-API requests = enabled<br \/>\nDNS cluster requests = enabled<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; cPHulk Brute Force Protection and enable burte force protection<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; PHP open_basedir Tweak and enable &#8220;Enable php open_basedir Protection.&#8221;<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; Security Questions and setup the security question<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; Shell Fork Bomb Protection and enable protection<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; SMTP Tweak and enable protection<\/p>\n<p># Goto Main &gt;&gt; Security Center &gt;&gt; Traceroute Enable\/Disable and disable traceroute<\/p>\n<p># Goto Main &gt;&gt; Account Functions &gt;&gt; Manage Shell Access and disable shell access for all user. If shell access is required only enable jailed shell<\/p>\n<p># Goto Main &gt;&gt; cPanel &gt;&gt; Manage Plugins and install Clamav<\/p>\n<p>Daha g\u00fcvenli bir cpanel i\u00e7in <a href=\"http:\/\/www.cpanelguvenlik.com\" target=\"_blank\">cpanel g\u00fcvenlik<\/a> ile ileti\u015fime ge\u00e7ebilirsiniz.<\/p>\n<p>Ayhan ARDA<\/p>\n<div style=\"padding-bottom:20px; padding-top:10px;\" class=\"hupso-share-buttons\"><!-- Hupso Share Buttons - https:\/\/www.hupso.com\/share\/ --><a class=\"hupso_toolbar\" href=\"https:\/\/www.hupso.com\/share\/\"><img decoding=\"async\" src=\"https:\/\/static.hupso.com\/share\/buttons\/lang\/tr\/share-medium.png\" style=\"border:0px; padding-top: 5px; float:left;\" alt=\"Share Button\"\/><\/a><script type=\"text\/javascript\">var hupso_services_t=new Array(\"Twitter\",\"Facebook\",\"Google Plus\",\"Pinterest\",\"Linkedin\");var hupso_background_t=\"#EAF4FF\";var hupso_border_t=\"#66CCFF\";var hupso_toolbar_size_t=\"medium\";var hupso_image_folder_url = \"\";var hupso_twitter_via=\"ayhanarda\";var hupso_url_t=\"\";var hupso_title_t=\"Cpanel%20Server%20Security\";<\/script><script type=\"text\/javascript\" src=\"https:\/\/static.hupso.com\/share\/js\/share_toolbar.js\"><\/script><!-- Hupso Share Buttons --><\/div>","protected":false},"excerpt":{"rendered":"cPanel Installation and Security This documentation covers how to install cPanel on a fresh Linux server and how to do initail server security. cPanel Installation : * cPanel can be install on Redhat based Linux servers and FreeBSD * A freshly build latest stable Centos server is highly recommended How to Install cPanel : * [&hellip;]","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[17,113,66,313],"tags":[812,856,185,186,184,57],"class_list":["post-206","post","type-post","status-publish","format-standard","hentry","category-cpanel","category-hosting","category-linux-2","category-security","tag-cpanel","tag-cpanel-guvenlik","tag-cpanel-installation","tag-cpanel-kurulumu","tag-cpanel-security","tag-whm"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/posts\/206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/comments?post=206"}],"version-history":[{"count":3,"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/posts\/206\/revisions"}],"predecessor-version":[{"id":1008,"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/posts\/206\/revisions\/1008"}],"wp:attachment":[{"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/media?parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/categories?post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ayhanarda.com\/blog\/wp-json\/wp\/v2\/tags?post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}