Securing a cpanel box

[mpope]

Hello,

I would like to start a topic about securing a cpanel box.

Basically, what should admins be doing on cpanel boxes to insure that they are secure? I have been told (by certain un-named people ) that cpanel does all necessary security fixes, etc. Although I don\'t know if I believe this, I have been somewhat afraid to install some RedHat security patches because I don\'t know if it will adversely affect the cpanel software.

I know cpanel has portsentry, but how much does this actually secure the system? I\'ve always thought portsentry was basically just a software firewall. How correct is this statement?

I have had a cpanel based server for a while now, and have not had it hacked yet (to my knowledge). I\'ve also had some non-cpanel servers, and they always seem to get hacked within a couple of days. So, obviously cpanel is adding a level of security to the box, I\'m just trying to nail down what it is, and what i need to do to prevent any hackers from getting into my systems.

Thanks, all comments are appreciated!

[Domenico]

This is certainly a thing to talk about but it allways turns out the samw direction.

The cpanel developers saying cpanel is just hostmanagement and nothing moren and the others wich tell you that control panels are never safe to use because of the cpanel needing root access to certain files and directories.

I think that the cpanel developers MUST do something about security too.
I can\'t stand cpanel breaking down after applying another security patch. I want the cpanel developers too tell exactly what cpanel is doing during installation and running and also what can be touched and what can\'t.

It is stupid to let the users swim around this way. What good is a control panel when it opens up the server for every (wannabe) hacker. Please keep security in mind and don\'t make it more difficult for us to secure a box.

[bdraco]

[quote:9ede81977c]Hello,

I would like to start a topic about securing a cpanel box.

Basically, what should admins be doing on cpanel boxes to insure that they are secure? I have been told (by certain un-named people ) that cpanel does all necessary security fixes, etc. Although I don\'t know if I believe this, I have been somewhat afraid to install some RedHat security patches because I don\'t know if it will adversely affect the cpanel software.
[/quote:9ede81977c]
Keep the kernel upgraded.

[quote:9ede81977c]
I know cpanel has portsentry, but how much does this actually secure the system? I\'ve always thought portsentry was basically just a software firewall. How correct is this statement?

I have had a cpanel based server for a while now, and have not had it hacked yet (to my knowledge). I\'ve also had some non-cpanel servers, and they always seem to get hacked within a couple of days. So, obviously cpanel is adding a level of security to the box, I\'m just trying to nail down what it is, and what i need to do to prevent any hackers from getting into my systems.

Thanks, all comments are appreciated!
[/quote:9ede81977c]


Cpanel feeds in all security updates from redhat/mandrake as well as security updates/patches that darkorb provides (ie chmod 700 /usr/bin/newgrp for the recent linux kernel problems .. see http://support.cpanel.net/new/viewthread.php?tid=658).

[alan]

Some might consider this as not related to securing a cpanel box, but it is.

A Linux version of TRIPWIRE is available for free from http://www.tripwire.com
A full GPL version is also available. (I think it\'s called AIDE) See freshmeat.

Tripwire won\'t stop a break in to your system. But it will tell you if one has
occurred. And that\'s critical, particulary if you have legal people who want
proof that you\'re doing a responsible job.

The problem with integrating Tripwire and CPanel is the need to tell Tripwire
that files just downloaded from cpanel.net are legit and shouldn\'t cause
Tripwire to go into a tizzy.

I\'ve written scripts that inform Tripwire of changes made by /scripts/sysup
and /scripts/rpmup. They were comparatively easy because I was able to grab
the list of RPM\'s that sysup and rpmup were downloading.

My UNSOLVED problem is the other stuff that /scripts/upcp does: eg: running
Installer and, frankly, whatever else it does.

It would REALLY HELP if I knew what upcp was really doing; even better would
be a list of files that it had added/changed/deleted.

Once my work is completed, I would be PLEASED TO GIVE THEM to any and all who
are interested/concerned about this issue.

Tripwire can do many things. For example, it could email a customer if
\"unauthorized\" changes have been made to their html files.

So, can anyone help with *my* challenge? ie: knowing what files upcp (not sysup
or rpmup) has touched?

[bdraco]

cpanel should only modify stuff in /usr/local/cpanel from upcp :-)

[alan]

\"cpanel should only modify stuff in /usr/local/cpanel from upcp\", you say?
... In that case, there\'s more going on than I\'ve surmised.
A quick looks shows:
16 files in /usr/sbin (many of which seem exim related)
16 files in /usr/lib (most of which are perl related)
600 files in /root/.cpan

[bdraco]

Those are from sysup and rpmup.. not upcp itself