
Thread: A few tips against hacking

  1. #1
    Member
    Join Date
    Mar 2002
    Posts
    135

    A few tips against hacking

    Here are some tips to protect from hackers:

    Read the error log file Apache generates and find the PHP scripts they use to access the server and secure them, like Gallery and Yabb ..

    chmod 700 all programs used to compile source code, and lynx, wget, links, whatever they can use to download stuff.

    Use open_basedir as WHM provides, it's not for fun they put it there ... This limits the access to where they can go.

    Add the noexec option for the /tmp dir in /etc/fstab.

    Disable all PHP functions that give shell access and similar.

    Use a firewall to close all unused ports and close outgoing traffic where not needed so they cannot use the server as a scanner or for DoS.

    Cpanel! It would be great to see an iptables script inside WHM - how much work can it be and how much will it help?

    Also it would be good to have a script that can be used to test websites for insecure PHP.
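
The PHP tips in the post above can be checked with a short script. This is an added example, not part of the original post; the list of shell-capable functions, the function names and the sample php.ini are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a php.ini for two settings named in the post above.
# Assumption: this list of shell-capable functions is the editor's, not the thread's.
SHELL_FUNCS="exec system passthru shell_exec popen proc_open"

# Print the last uncommented value of an ini directive, without quotes
# or a trailing "; comment".
ini_value() {  # $1 = php.ini path, $2 = directive
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tr -d '"'
}

# Print every shell-capable function that disable_functions does not list.
# Comma delimiters keep "exec" from matching inside "shell_exec".
missing_disabled() {  # $1 = php.ini path
    disabled=",$(ini_value "$1" disable_functions | tr -d ' '),"
    for f in $SHELL_FUNCS; do
        case "$disabled" in
            *",$f,"*) ;;
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 if php.ini sets a non-empty open_basedir. A value set per virtual
# host in the web server configuration is not visible to this check.
open_basedir_set() {  # $1 = php.ini path
    [ -n "$(ini_value "$1" open_basedir)" ]
}

# Constructed sample so the script runs anywhere.
ini=$(mktemp)
cat > "$ini" <<'EOF'
;disable_functions = exec,system,passthru,shell_exec,popen,proc_open
disable_functions = "exec, system,passthru"   ; partial list
;open_basedir = /home
EOF
echo "not disabled: $(missing_disabled "$ini" | tr '\n' ' ')"
open_basedir_set "$ini" || echo "open_basedir is not set in php.ini"
rm -f "$ini"
```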

  2. #2
    Member
    Join Date
    Dec 2001
    Posts
    1,558

    IMHO I think iptables is beyond the realm of what cpanel / WHM does. There are plenty of frontends to iptables out there that work great. I recommend checking out apf: http://www.rfxnetworks.com/apf.php
    Beau Henderson

  3. #3
    Member
    Join Date
    Mar 2002
    Posts
    135

    Well, maybe iptables is outside of what WHM should do, but it would be simple to add a config so that WHM servers are firewall enabled by iptables with a mouse click. With so much hacking and so many problems now, it is needed. A lot of people using WHM are not experts in these areas, but still should be protected. For experts it could be disabled for custom config.

  4. #4
    Member
    Join Date
    Oct 2003
    Posts
    12

    Re: A few tips against hacking

    Originally posted by bjarne
    Add the noexec option for the /tmp dir in /etc/fstab.

    Disable all PHP functions that give shell access and similar.

    Use a firewall to close all unused ports and close outgoing traffic where not needed so they cannot use the server as a scanner or for DoS.

    Cpanel! It would be great to see an iptables script inside WHM - how much work can it be and how much will it help?
    This stuff is great. Would love to see more things like this on the board.

    In particular with the ones you mentioned above, can anyone provide some tips and actual commands (almost a short guide) on doing these things? That would go a long way to helping us newbies out there. Also would be good as a checklist for doing right after WHM is set up by the provider and handed over.

    Cheers,
    Af.

  5. #5
    Member
    Join Date
    Apr 2003
    Location
    Lewisville, Tx
    Posts
    968

    There is a script called /scripts/securetmp now for the noexec /tmp. Also, there is /scripts/secureit now from Cpanel that helps shut down some potentially dangerous programs.

    APF is now available from http://www.rfxnetworks.com and there is a Cpanel section under Ryan's forums that shows the minimum Cpanel ports to leave open. We run his recommendations without issues. The fewer openings into your box you have the better is the thing to remember.

    Chkrootkit is a must these days (http://www.chkrootkit.org). You can install this and run it as a cron very easily. We run ours a few times a day on every server as it is easy to get a root kit.

    Killing unneeded ports and services is a must. On things such as lynx and other system programs, change them to 700. If you use Fantastico you will have to change wget from 700 to 755 to do updates; this is a pain.

    Limit SSH access to your server and do not allow any Telnet. In /etc/ssh/sshd_config uncomment the Protocol line and take out the 1 so it reads Protocol 2. This forces a more secure ssh level. You can remove root access to all of your boxes except for your master name server by scrolling down and selecting Permit root login No. If you turn off root login on the master nameserver your secondaries cannot update so that is something to remember. It is a pain, but this is how Cpanel works currently.

    There are some good checklists here on the forums and on ev1servers.net. We are making a cover all server start up list here which I will post parts of here on the forums in a few weeks. Things that are covered are the above and things such as Mail-Watch, cleanhttpd, FM-Check and other free tools the great scripters on this board have given us.
    Kris
    NCServ, LLC.
    WebHosting - Dedicated Servers - Colocation
    sales@ncerv.com
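
The host settings named in the post above (noexec on /tmp, Protocol 2, root login off, mode 700 on download tools) can be verified with read-only checks. This is an added example, not part of the original post and not a cPanel script; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for settings named in the post above.

# Return 0 if the fstab entry for mount point $2 carries mount option $3.
fstab_has_opt() {  # $1 = fstab path
    awk -v mp="$2" -v opt="$3" '
        $1 !~ /^#/ && $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print the effective value of an sshd_config keyword. sshd uses the first
# occurrence, keywords are case-insensitive, and lines starting with # are comments.
# Match blocks and the "Keyword=value" form are not handled here.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v kw="$2" 'tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# Print the given tools that "other" can still execute (the post suggests mode 700).
world_exec_tools() {
    for p in "$@"; do
        [ -e "$p" ] && find -L "$p" -prune -perm -001 -print
    done
    return 0
}

# Print one FAIL line per finding; return 1 if there was any.
audit_host() {  # $1 = fstab, $2 = sshd_config, rest = tool paths
    fstab=$1 sshd=$2 rc=0
    shift 2
    fstab_has_opt "$fstab" /tmp noexec || { echo "FAIL /tmp not mounted noexec"; rc=1; }
    [ "$(sshd_value "$sshd" Protocol)" = 2 ] || { echo "FAIL sshd Protocol is not 2"; rc=1; }
    [ "$(sshd_value "$sshd" PermitRootLogin)" = no ] || { echo "FAIL PermitRootLogin is not no"; rc=1; }
    for t in $(world_exec_tools "$@"); do echo "FAIL $t is world-executable"; rc=1; done
    return $rc
}

# Constructed sample files, so the script runs anywhere.
d=$(mktemp -d)
printf '%s\n' '/dev/sda3 /tmp ext3 defaults,nosuid 1 2' > "$d/fstab"
printf '%s\n' '#Protocol 2,1' 'Protocol 2' 'PermitRootLogin yes' > "$d/sshd_config"
: > "$d/wget"; chmod 755 "$d/wget"
audit_host "$d/fstab" "$d/sshd_config" "$d/wget" || echo "findings present"
rm -rf "$d"
# On a live host, with the usual default paths:
# audit_host /etc/fstab /etc/ssh/sshd_config /usr/bin/wget /usr/bin/lynx
```

Current OpenSSH releases no longer support protocol 1, so the Protocol check applies to older servers like the ones in this thread.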

  6. #6
    Member
    Join Date
    Mar 2002
    Posts
    135

    cleanhttpd - what is it and where can I find it? :-)
