Securing Apache in cPanel
First, I'd like to state that I've been using Apache since the 1.0 days and deploying working/secured systems into production environments since 1995. I have been using cPanel since 2004 and am not a complete noob, but have not fully delved into all the aspects of the system (time constraints).
I have been attempting to solve a security breach with a user and when I read through the httpd.conf it dawned on me what I was seeing.

Apache 2.2.x

    <Directory "/">
        Options ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>

Apache 1.3.37

    <Directory "/">
        Options All
        AllowOverride All
    </Directory>

These made my jaw drop - this is 100% against good security practices, even those that Apache themselves state: Security Tips - Apache HTTP Server

So, I attempted the obvious and secure the / directory and allow the options/overrides for user/virtualhost folders but then stuff everywhere failed to work. Explicit Directory options are needed for the system cgi, for php to work in suexec/suphp mode... lots of work that should have already been done for the out of box setup.

Both my cPanels have been updated in the past 30 days and are sitting at 11.24.

My Google-fu failed to help me locate and identify anyone that has identified all the paths and which files to place these overrides (I am assuming the /var/cpanel/templates/ files). Any pointers to save me the time that should have already been put in would be appreciated!

If/when I can collect this information I will bring them all together and do a how to secure your apache setup better.
Those are just the basic default settings. They are not intended to be left the way they are. They are made as options because some people need them enabled, even though they are insecure.
If you are having security issues, I would suggest contacting an admin to do this for you. Just following a how-to guide usually is not too effective. A perfect example of this is modsecurity, most guides tell you to install modsecurity for http security, but it is the configuration in it that determines how strict and effective it is. Just installing it and not configuring it properly can be disastrous.

Security is not black and white. It is a combination of both experience knowing how to implement sufficient security and experience with seeing how other servers get hacked. There are also positives/negatives to almost every change you make, so arbitrarily making changes just because a guide tells you to often leads to problems.
I'm very aware of the security issues - been doing security in many spaces (programming, server, network, physical and social) for 15 years.
What I was looking for is a comprehensive listing of paths for cPanel binaries and gotchas if anyone had already hit them. I just have a very full plate and doing the work that should have been done out of the box isn't appealing. I have 2 other control panels in place and they have secured paths in by default - cPanel really should do the same.

As it stands I've already started compiling the list of paths that must work. ScriptAlias et al are starters but cPanel has enough little gotchas that finding them all before a customer complains will be very difficult.

The exploit turned out to be a new set of trojans that have appeared over the past 3 days on the computer of one of my customers. It was in the investigation of this, that I noticed the defaults for Apache in cPanel.
Wow just call this one the "experts" thread!
Crosswinds, spoken with you a bit. Nice refreshing conversations there! Platinum, seen you over the past few years and got a good idea of your skills. Me myself, over 30+ years systems administration, security consulting, etc. Gee, all we need now is chirpy in the thread.

It's a nice idea to put together a more detailed step by step list addressing some of the more often missed security issues particularly for those who don't really understand what is going on behind the scenes as much especially with Apache where most users don't understand it under the hood well enough to know any of the pitfalls.

I've actually been working on putting together much of the same and, I have also been lately testing out some scripts I wrote recently to try to automate some of the changes that users could apply to better lock down the weaker configurations you get by the general default Cpanel installations.

Anyway, crosswinds, I'll give you a hand with that project of yours. I know with our combined skills, we should be able to come up with something to improve things for everyone to balance security without breaking Cpanel.
__________________
My Server Expert: Server support, security, and management!
Actually that is precisely the end goal - to assist and hopefully educate. It is possible to tighten cPanel's apache config up so that it doesn't break 99.9% of things - but there is always one customer that wants X or Y that it breaks. Usually it can be worked around. If we can document it for initial installs, for people here to learn, and maybe get cPanel to adopt?, I'd be a happier camper.
I did a second quick pass with some spare time and ended up breaking only half the sites and FrontPage! Well, anything that was obvious - I shudder to think what else I haven't accounted for, but that's where logs help. All I need now is time!

Spiral: Yeah - nice chat. Too busy today to get onto MSN.