30th Jun 2010, 12:06 AM #1 (OP, Member, website: nationwebhost.com)
How To Secure & Optimize A cPanel Server! [Full of information]
Start
If you do not know how to install cPanel - Proceed with this tutorial here:
How To Install cPanel - CentOS 5.
Firstly, this tutorial is based on CentOS. You can find information on other operating systems on the internet by using your friend.
I am writing this tutorial as I myself never found one large post containing all the information you need to secure your VPS/dedicated server. Everyone should know that there is no such thing as 'non-hackable'. Sooner or later, exploits will come out. This tutorial is based on cPanel/WHM running on CentOS 5.3.
We are starting from the point where you have bought the VPS/dedicated server with CentOS 5.3 installed and cPanel installed. If cPanel is not installed, follow my tutorial above.
1.1) First of all, log in to WHM as root. Navigate to 'Server Configuration'. In this we will find the things that we are going to use to help secure our server. First we are going to go into 'Change Root Password'. By default, the root password is set to 'root', therefore we need to change it as it will be prone to getting hacked. Set it to a strong password and don't give it out to anyone.
1.2) Next we are going to set the time zone on the server; forums and other software will get the time from the server's time. I personally prefer it set to GMT. This is not vital, but I prefer the time zone being GMT.
1.3) We are now going to go into 'Statistics Software Configuration'. This is where users can monitor the traffic they get to their website. We are going to scroll down to 'Generators Configuration'. I recommend enabling all three: Analog, Awstats and Webalizer. Users may prefer one or another; most people use Awstats.
Next we are going to move along to 'Schedule Configuration'. We are going to set 'Log Processing Frequency' to process every '24 hours' and 'Bandwidth Processing Frequency' every '2 hours'.
1.4) We are now going to tweak the server's settings. To tweak them we are going into an area called 'Tweak Settings', still within 'Server Configuration'.
cPAddons
'The default administrative contact for cPAddons moderation emails. (Resellers will be notified if their contact email is set in cPanel):'
'Automatically keep all cPAddons Source Files up to date.' - Tick This
'The maximum number of moderated requests that a user may have at any given time'
'The maximum number of moderated requests per addon that a user may have at any given time'
'Alert cPAddons administrator of pending moderation requests' - Unchecked
'Prevent installation of addon scripts not provided by cPanel'
'Prevent installation of cPanel addon scripts that have been altered (Turning this off may be useful when testing custom addons.)'
'Notify owners when their users have cPAddon installations that need updated'
'Notify cPAddons Adminstrator of cPAddon installations that need updated.'
'Notify users when they have cPAddon installations that need updated.'
Display
'The login theme to display for cPanel Login. See the Universal Theme Manager for options. If you are posting to /login/ you can include "login_theme" as a uri/form variable to overwrite this setting on a per case basis.'
'Number (or all) of accounts to display per page in list accounts.'
Domains
'Allow users to park subdomains of the server's hostname main domain.'
'Allow users to Park/Addon Domains on top of domains owned by other users. (probably a bad idea)'
'Allow Creation of Parked/Addon Domains that resolve to other servers (i.e. domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.]'
'Allow resellers to create accounts with subdomains of the server's hostname main domain.' - Unchecked
'Allow Creation of Parked/Addon Domains that are not registered'
'When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone.'
'Prevent users from parking/adding on common internet domains. (i.e. hotmail.com, aol.com)'
'Check zone file syntax when saving and syncing zones.'
'Application for processing dns requests. The default is to use cPanel Dns cluster system located at /usr/local/cpanel/whostmgr/bin/dnsadmin. (Recommended: leave blank to use the default).'
'Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)'
'Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)'
'Allow users to create cpanel, webmail, webdisk and whm subdomains that override automatically generated proxy subdomains'
'Prevent users from creating subdomains outside of their public_html directory.'
'When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.'
Logging
'Log dnsadmin requests to /usr/local/cpanel/logs/dnsadmin.log' - Unchecked
'Enable verbose dns zone syncing (for testing purposes only, not for production use)' - Unchecked
Mail
'Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks.' - localuser
'Silently Discard all FormMail-clone requests with a bcc: header in the subject line' - Checked
'Allow mail account authentication using the password of the domain owner's account' - Unchecked
'Number of minutes between mail server queue runs (default is 60).' - 60
'Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)' - Unchecked
'The maximum each domain can send out per hour (0 is unlimited)' - 100
'Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)' - Unchecked
'Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)' - Unchecked
'BoxTrapper Spam Trap' - Unchecked
'Horde Webmail' - Checked
'Mailman' - Checked
'RoundCube Webmail' - Checked
'SpamAssassin Spam Filter' - Checked
'SpamAssassin Spam Box delivery for messages marked as spam (user configurable)' - Unchecked
'SquirrelMail Webmail' - Checked
'Add the mail. prefix for mailman urls (ie http://mail.domain.com/mailman)' - Unchecked
Notifications
'Notify the admin, (or the reseller), when an account has reached the "critical" Disk Usage state.' - Checked
'Threshold percentage where a user's disk usage is considered to be in the "critical" state. (0 will disable this notification)' - 90
'Notify the admin, (or the reseller), when an account has reached the "full" Disk Usage state.' - Checked
'Threshold percentage where a user's disk usage is considered to be in the "full" state. (0 will disable this notification)' - 85
'Notify the admin, (or the reseller), when an account has reached the "warn" Disk Usage state.' - Checked
'Threshold percentage where a user's disk usage is considered to be in the "warn" state. (0 will disable this notification)' - 80
'Threshold percentage where a mailbox's disk usage is considered to be in the "critical" state. (0 will disable this notification)' - 90
'Threshold percentage where a mailbox's disk usage is considered to be in the "full" state. (0 will disable this notification)' - 85
'Threshold percentage where a mailbox's disk usage is considered to be in the "warn" state. (0 will disable this notification)' - 80
'Email users when they have exceeded their bandwidth. Disabling this will prevent all Bandwidth Limits Email from being sent.' - Checked
'Email users when they have reached 70% of their bandwidth
Email users when they have reached 75% of their bandwidth
Email users when they have reached 80% of their bandwidth
Email users when they have reached 85% of their bandwidth
Email users when they have reached 90% of their bandwidth
Email users when they have reached 95% of their bandwidth
Email users when they have reached 97% of their bandwidth
Email users when they have reached 98% of their bandwidth
Email users when they have reached 99% of their bandwidth' - From 90 Onwards
'Mail Box Usage Warnings' - Checked
'Disable Suspending accounts that exceed their bandwidth limit (will clear all suspensions if disabled, and disable all bandwidth notifications.)' - Unchecked
'Disk Space Usage Warnings' - Checked
PHP
'PHP max execution time for cPanel PHP execution in seconds (default 90)' - 90
'PHP Max Post Size for cPanel PHP in Megabytes (default 55M with a maximum value of 2047M)' - 55M
'cPanel PHP Register Globals (Off [unchecked] is recommended for security reasons)' - Unchecked
'PHP Max Upload Size for cPanel PHP in Megabytes (default 50M with a maximum value of 2047M)' - 2M
'Loader to use for internal cPanel PHP (Use oldsourceguardian for version 1.x and 2.x)' - ioncube
Redirection
'Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.' - Unchecked
'When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to:' - hostname
'When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:' - SSL Certificate Name
'Redirect user to the following URL upon logout of the cPanel interface. A blank value specifies the default logout page.' - Textbox = 'blank'
Security
'Validate the IP addresses used in all cookie based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled.' - Checked
'Allow WHM/Webmail/cPanel services to create core dumps for debugging purposes. Core dumps often contain sensitive information but may be necessary for debugging certain types of service crashes.' - Checked
'Send passwords in plaintext over email when creating a new account. Enabling this option is a security risk.' - Unchecked
'Only permit cpanel/whm/webmail to execute functions when the browser provides a referrer. This will help prevent XSRF attacks, but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.' - Unchecked
'Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL. This will help prevent XSRF attacks, but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.' - Unchecked
'Require SSL for all remote logins to cPanel, WHM and Webmail. This setting is recommended.' - Checked
'Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.) This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials.' - Checked
'Use MD5 encoded passwords in Apache htpasswd files. When this option is disabled crypt encoded passwords will be used instead. Crypt encoded passwords are limited to a maximum length of 8 characters while MD5 encoded passwords may be any length.' - Checked
'Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third party themes.' - Checked
Software
'Interchange version to use (if you disable interchange, you must turn off the service in the service manager)' - Disable
'FormMail-clone cgi' - Unchecked
'The path to the Urchin installation (if installed.) (Leave blank for auto-detection.)' - Textbox = 'blank'
SQL
'Calculate the disk usage of account MySQL and PostgreSQL databases.' - Checked
'Use old style (4.0) passwords with MySQL? 4.1+ (required if you have problems with PHP apps authenticating)' - Unchecked
Stats and Logs
'Allow users to update Awstats from cPanel' - Checked
'Number of hours between processing bandwidth usage (default 2, max 24, decimal values are ok)' - 4
'Number of hours between processing log files (positive values, default 24, decimal values are ok)' - 24
'Delete each domain's access logs after stats run' - Checked
'The load average above the number of cpus at which logs file processing should be suspended (default 0)' - 0
'Do not include password in the raw log download link in cPanel (via ftp).' - Unchecked
'Do not reset /usr/local/apache/domlogs/ftpxferlog after it has been separated into each domain name's ftp log' - Unchecked
'Keep log files at the end of the month (default is off as you can run out of disk space quickly)' - Unchecked
'Keep Stats Log (/usr/local/cpanel/logs/stats_log) between cPanel restarts (default is off). Note that log rotation may affect this as well.' - Unchecked
'Chmod value for raw apache log files (0640 is the default)' - 0640
'Threshold in megabytes above which cpanellogd will rotate log files configured for log rotation. (Minimum 10MB)' - 300
'When viewing bandwidth usage in WHM, always display in Megabytes first.' - Unchecked
'Stats Log Level (default is 1, larger numbers indicate more debug information in /usr/local/cpanel/logs/stats_log) [0...10]' - 1
Stats Programs
'Awstats Reverse Dns Resolution' - Unchecked
'Analog Stats' - Checked
'Awstats Stats' - Checked
'Webalizer Stats' - Checked
Status
'The load average that will cause the server status to appear red (leave blank for default, whole numbers only)' - 2
Support
'Send the credentials of the logged in user when requesting support from cPanel directly.' - Checked
System
'List of IP addresses or hostnames, separated by spaces, which are allowed to view the /server-info and /server-status pages. See the Apache documentation for proper values.' - Textbox = Blank
'Allow cPanel users to install SSL Hosts if they have a dedicated ip.' - Checked
'Allow Perl updates from RPM based linux vendors' - Unchecked
'Do not send anonymous usage data to cPanel' - Unchecked
'The port on which Apache listens for HTTP connections. Specifying a specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:80)' - 0.0.0.0:80
'The port on which Apache listens for HTTPS connections. Specifying a specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:443)' - 0.0.0.0:443
'Number of seconds dnsadmin will wait before restarting BIND. Additional restart requests during this time period will be silently discarded. On systems that process very frequent DNS updates a setting of 300 or 600 seconds is recommended. On systems with few DNS changes, the default setting of 0 is recommended. Note that DNS changes will not take effect until the restart is complete.' - 0
'Conserve Memory at the expense of using more cpu/diskio.' - Unchecked
'Allow usernames to be determined from the account domain name when no username is provided.' - Unchecked
'Compress interface pages using gzip compression reducing bandwidth usage for cPanel and WHM.' - Checked
'Disable use of compiled dnsadmin. Setting this option allows use of system Perl modules within custom dnsadmin hooks. Setting this option will increase execution time of dnsadmin functions.' - Unchecked
'Allow Sharing Nameserver Ips' - Unchecked
'Disable Disk Quota display caching (WHM will cache disk usage which may result in the display of disk quotas being up to 15 minutes behind the actual disk usage. Disabling this may result in a large performace degradation.)' - Unchecked
'Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature.' - Unchecked
'Try to resolve each client's IP to a domain name when a user connects to cPanel services (warning: This can degrade performance).' - Unchecked
'Enable CPAN:QLite for low memory perl module installs (experimental)' - Unchecked
'Only allow reseller to log in to users' cPanel interface with reseller password.' - Unchecked
'Display Errors in cPanel instead of logging them to /usr/local/cpanel/logs/error_log' - Unchecked
'The maximum file size allowed for upload. This setting applies to all uploads and form submissions in all web interfaces throughout cPanel and WHM. (Type "unlimited" for unlimited; this is the default setting.)' - Textbox = unlimited
'The minimum filesystem quota space required after file upload. This will prevent users from hitting their quota limit; it applies to all uploads and form submissions in all web interfaces throughout cPanel and WHM. (Default: 5MB)' - 5
'The maximum number of directories deep to look for .htaccess files when doing .htaccess checks. Can be from 0 to 100. 2 is the default setting. Values higher than this are discouraged.' - 2
'Do not warn about features that will be deprecated in later releases (Warning: If you check this box, you will not be able to learn about features that will be disappearing in future releases. This could lead to a non-functional server when the feature is finally removed.)' - Unchecked
'Use jailshell as the default shell for all new accounts and modified accounts' - Unchecked
'The maximum memory a cPanel process can use before it is killed off (in megabytes). Values less than 256 megabytes can not be specified. A value of "0" will disable the memory limits.' - Textbox = 256
'Use native SSL support if possible, negating need for Stunnel' - Checked
'Do not send language file changes to cPanel' - Unchecked
'Specify the timeout in seconds for connections between this server and other remote WHM servers. Values less than 35 cannot be specified.' - Textbox = 35
'Maximum time in seconds that the system is permitted to spend fetching diskusage and quota information before it considers the data unavailable.' - Textbox = 60
'Allow cPanel users to reset their password via email' - Unchecked
'Enable cPanel Software RollBack. This feature turns on a build archiving and restoration facility, allowing the server administrator to "roll back" their cPanel installation to previous build. All files are stored on the server.' - Unchecked
'Do not start deprecated Melange 1.10 chat server.' - Checked
'Send a notification when a user's backup has errors' - Checked
'Allow cpanel and admin binaries to be run from other applications besides the cpanel server (cpsrvd). [parentcheck]' - Unchecked
'Disable whois lookups for the nameserver IP manager.' - Checked
'The number of times a ChkServd TCP check must fail before notification is sent and the service is restarted. On heavily loaded systems these types of service checks fail occasionaly producing erroneous indications that services are down. A setting of 0 will disable all notifications and restarts due to TCP checks. Setting this value to 3 or higher is recommended for most systems.' - 3
'Use Safe Quota Setting (quotas will be disabled, adjusted, and then re-enabled). This option should be enabled if you are having problems with lost disk quotas or other quota system corruption. Under software raid and other circumstances enabling this option will degrade server performance.' - Unchecked
Save
We have now completed part one.
--------------------------------------------
2.1) Second, navigate to 'Security Center'.
First we are going to go into 'Apache mod_userdir Tweak'.
In here we will disable 'Enable mod_userdir Protection' as it prevents users from accessing their website when the domain has not propagated.
2.2) Next we will go into 'Compiler Access'.
We want to make sure it is disabled.
2.3) Navigate to 'cPHulk Brute Force Protection'
Set it to enabled and you can fill in what you wish for bruteforce.
2.4) Navigate to 'PHP open_basedir Tweak'
We want to enable this and make sure all the sites hosted on the server are not excluded from this.
2.5) Navigate to 'Shell Fork Bomb Protection'
This will not matter if your users do not have access to SSH. However, I recommend not allowing SSH access.
2.6) Navigate to 'SMTP Tweak'
Have this enabled - It basically just stops users from exceeding the email sending limit.
2.7) Navigate to 'Traceroute Enable/Disable'
The traceroute utility is a network tool that can be used to determine the route taken by information (packets) sent across the Internet. This often is the first step in pinpointing weaknesses for mounting an attack.
We have now completed part two.
--------------------------------------------
3.1) Third, navigate to 'Service Configuration'.
First we are going to go into 'Apache Configuration >> PHP and SuExec Configuration'.
In here we will set the 'Default PHP Version (.php files)' value to '5'.
'PHP 5' handler 'suphp'
'PHP 4' handler 'none'
'Apache suEXEC' value to 'on'
3.2) Next we will go into 'FTP Server Selection'.
We want to make sure it is on 'Pure-FTPD'.
3.3) Navigate to 'Mailserver Selection'
Set it to 'Dovecot'.
3.4) Navigate to 'Nameserver Selection'
We want to set this to 'BIND'.
3.5) Navigate to 'PHP Configuration Editor'
Download php.ini file
3.6) Navigate to 'Service Manager'
Tick 'tailwatchd' and all others in the table.
cpdavd: Monitor only
entropychat: Unchecked
exim: Enabled & Monitored
exim on another port: Unchecked
ftpd: Enabled
httpd: Enabled & Monitored
imap: Enabled & Monitored
ipaliases: Enabled
melange: Unchecked
mysql: Enabled & monitored
named: Enabled & Monitored
spamd: Enabled & Monitored
sshd: Enabled & Monitored
syslogd: Enabled & Monitored
We have now completed part three.
--------------------------------------------
Changing SSH Default Port
I recommend changing this, as this is a security flaw. Log in to your server with PuTTY as root.
Using the file editor that you are familiar with, edit the following file:
'/etc/ssh/sshd_config'
I will use nano.
nano /etc/ssh/sshd_config
Search for the number 22, change it to the port of your choice. Make sure it is not firewalled or used by another program.
Now restart SSH
'/etc/init.d/sshd restart'
Write down the port number so you don't forget it or you will not be able to access SSH again.
We have now completed changing the default SSH port.
--------------------------------------------
How to install RootKit hunter
Rootkit Hunter is a scanning tool to ensure, for about 99.9%*, that you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
Rootkit Hunter is released as GPL licensed project and free for everyone to use.
* No, not really 99.9%.. It's just another security layer.
Yet again you need to be logged into SSH. Use the above part to see how to log in to SSH.
Once you are logged in, type in:
'cd /usr/src/utils'
This will navigate you to the directory /usr/src/utils.
We are now going to download RootKit Hunter to the utils directory.
wget 'http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.6/rkhunter-1.3.6.tar.gz'
Once downloaded we are going to extract the tar file and then delete the download.
'tar xfz rkhunter-1.3.6.tar.gz'
'rm rkhunter-1.3.6.tar.gz'
We are now going to proceed to the RootKit Hunter directory
'cd rkhunter-1.3.6'
Now for the installation
'sh installer.sh --install'
Successful installation
Now to scan the server for possible infections.
'rkhunter -c'
We have now completed installing RootKit Hunter.
--------------------------------------------
How to install (D)DoS-Deflate
MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown by:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
We are now going to download (D)DoS-Deflate
'wget http://www.inetbase.com/scripts/ddos/install.sh'
Change its permissions
'chmod 0700 install.sh'
Installation
'./install.sh'
Requires APF - APF Installation Guide
We have now completed installing (D)DoS-Deflate.
--------------------------------------------
I am not a server securing expert, so if you think something is wrong or could be better, please post here.
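The "Changing SSH Default Port" section above says to search for the number 22 in sshd_config; the following is an added example (not from the original post) of doing that edit so that only the Port directive changes, since "22" can also appear in unrelated settings. The config path and port are parameters; limiting the new port to 1024-65535, keeping a .bak copy, and the apply_ssh_port helper that runs sshd -t before restarting are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: change the SSH listen port in
# an sshd_config file by editing only the "Port" directive, rather than
# searching for every "22" in the file. The config path and the port are
# parameters; restricting the port to 1024-65535 is this example's own assumption.

# Print the port sshd would use according to the file: the first uncommented
# "Port" directive, or 22 when none is set.
get_ssh_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# Rewrite (or append) the Port directive. Returns 1 on a bad port or file.
set_ssh_port() {
    config="$1"
    port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "set_ssh_port: port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "set_ssh_port: port out of range 1024-65535" >&2; return 1
    fi
    [ -r "$config" ] || { echo "set_ssh_port: cannot read $config" >&2; return 1; }
    # Keep a backup so the change can be reverted from the console if the new
    # port turns out to be firewalled.
    cp "$config" "$config.bak" || return 1
    tmp="$config.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$config"; then
        # Replace the Port line whether it is active or still commented out
        # (CentOS ships "#Port 22"); lines such as "MaxAuthTries 22" are untouched.
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" \
            "$config" > "$tmp" || return 1
    else
        cat "$config" > "$tmp" && printf 'Port %s\n' "$port" >> "$tmp" || return 1
    fi
    mv "$tmp" "$config"
}

# Validate the edited file and restart sshd only if it parses. Meant to be run
# on the server itself, so the self-test does not call it.
apply_ssh_port() {
    config="$1"
    sshd -t -f "$config" || { echo "apply_ssh_port: config rejected, not restarting" >&2; return 1; }
    /etc/init.d/sshd restart
}
```

Usage on the server would be `set_ssh_port /etc/ssh/sshd_config 2222 && apply_ssh_port /etc/ssh/sshd_config`, with the firewall opened for the new port first and the old session kept open until a second login on the new port succeeds.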
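The netstat pipeline quoted in the (D)DoS-Deflate section is the detection step that tool automates; the following is an added example (not from the post and not (D)DoS-Deflate's own code) that runs the same per-IP count over constructed sample netstat output and lists the addresses above a threshold. The sample addresses, the threshold, and the decision to only report rather than block are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or of (D)DoS-Deflate: the per-IP
# connection count behind the netstat pipeline in the post, fed with constructed
# sample output so it runs without a live server, plus a threshold check that
# lists the addresses an admin would want to look at.

# Constructed stand-in for `netstat -ntu` using RFC 5737 documentation
# addresses only. 203.0.113.99 holds 60 connections; the other two clients 1-2.
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    i=0
    while [ "$i" -lt 60 ]; do
        printf 'tcp        0      0 192.0.2.10:80           203.0.113.99:%d      ESTABLISHED\n' $((40000 + i))
        i=$((i + 1))
    done
    printf 'tcp        0      0 192.0.2.10:80           198.51.100.7:51234     ESTABLISHED\n'
    printf 'tcp        0      0 192.0.2.10:22           198.51.100.7:51235     ESTABLISHED\n'
    printf 'udp        0      0 192.0.2.10:53           198.51.100.20:1053     ESTABLISHED\n'
}

# Same idea as the pipeline in the post, reading netstat output from stdin.
# The awk filter keeps only tcp/udp rows so the two header lines are not
# counted as "IPs"; output is "<count> <ip>", lowest count first.
connections_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ { print $5 }' | cut -d: -f1 | sort | uniq -c | sort -n
}

# List addresses whose connection count reaches the threshold, one per line.
# This only reports; blocking is left to the firewall (APF, in the post).
flag_flood_ips() {
    threshold="$1"
    connections_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage on a real server (threshold is a judgement call per site):
#   netstat -ntu | flag_flood_ips 150
```

Two caveats worth knowing before relying on this count: `cut -d: -f1` truncates IPv6 addresses at their first colon, so on a dual-stack host those are lumped together, and many legitimate clients behind one NAT gateway will appear as a single address with many connections, which is why the example reports rather than blocks.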
30th Jun 2010, 12:57 AM #2 (Banned, websites: google.com knownsrv.com)
THANK YOU very useful
30th Jun 2010, 10:52 AM #3 (OP, Member, website: nationwebhost.com)
Thanks !
30th Jun 2010, 10:53 AM #4 (Banned, website: orangevps.com)
Nice job.
You should have included some extras like nginx that would help a lot of people.
30th Jun 2010, 11:01 AM #5 (OP, Member, website: nationwebhost.com)
Still not finished, I've still to add a few more things.
4th Jul 2010, 06:47 AM #6 (Member)
Is this really much of a "secure" cPanel thread? You haven't even said anything about disabled functions and that is one of the first things that comes into my head on shared hosting security.
4th Jul 2010, 10:09 PM #7 (OP, Member, website: nationwebhost.com)
I've not finished writing this tutorial.