LinkBack URL
About LinkBacksIf my server is fully updated with all the RedHat Network updates and is running the newest release of Cpanel, is there anything else I can do to ensure the security of my server? Any suggestion would be great. Thanks in advance.
Scott
System Security
If my server is fully updated with all the RedHat Network updates and is running the newest release of Cpanel, is there anything else I can do to ensure the security of my server? Any suggestion would be great. Thanks in advance.
Scott
Here are a few items I have done. A few of the items are debateable by various folks (what isn't).
1. Turn PHP safe mode on
2. Disable direct root login
3. Allow only trusted users to run cron jobs by /etc/cron.allow
4. Run chkroot daily in cron
5. Do not give shell access
6. Disable unused services
Pray
I have some questions about this...Originally posted by xsenses
Here are a few items I have done. A few of the items are debateable by various folks (what isn't).
1. Turn PHP safe mode on
2. Disable direct root login
3. Allow only trusted users to run cron jobs by /etc/cron.allow
4. Run chkroot daily in cron
5. Do not give shell access
6. Disable unused services
Pray
- How do you disable direct root login? What exactly does this do?
- "Run chkroot daily in cron" what does this do? How do I turn it on?
- "Disable unused services" such as....?
And again, how would I do this?
Thanks a lot,
Greg
cPanel.net Support Ticket Number:
1. To disable root login you have to edit /etc/ssh/sshd_config (not really going to do much if running cPanel/WHM - because if someone gets root and logs into WHM it is over anyway), it denies the ability to ssh into root.Originally posted by MscLimp
I have some questions about this...
- How do you disable direct root login? What exactly does this do?
- "Run chkroot daily in cron" what does this do? How do I turn it on?
- "Disable unused services" such as....?
And again, how would I do this?
Thanks a lot,
Greg
cPanel.net Support Ticket Number:
2. chkrootkit is located at chkrootkit.org and must be installed
3. You can disable quite a few services very easily from the Service Manager in WHM
4. Use a firewall - do a search for APF on the forums
5. use up2date
Turning PHP safe mode to ON will not help you. CGI scripts will still work. It's better to use open_basedir + disable_functions.
I dont get the root login part. Just change your password peridodically and don't write it anywhere, just keep it in your head. Nobody can get direct root access via ssh unless somebody can read your mind
cPanel.net Support Ticket Number:
cPanel.net Support Ticket Number:
I know this has been argued to death in other forums, but the main point on the ssh direct login is that if you have to su to root it would take 2 password cracks and php_safe_mode on is just another added measure not that it can't be worked around.
Forgive my ignorance, but how does one go about "cracking" someone else's password? If I have one good root password, why would I need two of them? I'm not arguing, I just want to know what the advantage is. If it's more secure then I think I'd like to do it.Originally posted by xsenses
I know this has been argued to death in other forums, but the main point on the ssh direct login is that if you have to su to root it would take 2 password cracks and php_safe_mode on is just another added measure not that it can't be worked around.
cPanel.net Support Ticket Number:
I am no security expert by any means, but was hoping to share the things I have done and things others have done. There are brute force cracking/library scripts and if you created any easy password or a word in the dictionary admin/god/superman etc. it might be real easy just to guess it, not to mention the datacenter most likely emailed it when they setup your server. If you have to su - root you would have to break 2 accounts.Originally posted by casey
Forgive my ignorance, but how does one go about "cracking" someone else's password? If I have one good root password, why would I need two of them? I'm not arguing, I just want to know what the advantage is. If it's more secure then I think I'd like to do it.
cPanel.net Support Ticket Number:
xsenses,
Thanks for clearing me up on how to do those.... but you didn't really mention exactly what they do...
cPanel.net Support Ticket Number:
Here is a link to a good security guide:
http://admin0.info/security/introduction.html
Can you give details on that?Originally posted by www-lab
[B]It's better to use open_basedir + disable_functions.
thanks
.pd
cPanel.net Support Ticket Number:
Join mailing lists and forums with M2F - www.mail2forum.com
Ingenieria de Software en Español - www.fabricadesoftware.cl
I thought that upcp & co did upgrade packages? up2date can harm cpanel, yes?Originally posted by xsenses
5. use up2date
.pd
cPanel.net Support Ticket Number:
Join mailing lists and forums with M2F - www.mail2forum.com
Ingenieria de Software en Español - www.fabricadesoftware.cl
If you follow the instructions atOriginally posted by Pda0
I thought that upcp & co did upgrade packages? up2date can harm cpanel, yes?
.pd
cPanel.net Support Ticket Number:
http://admin0.info/security/introduction.html
you'll be fine. Upcp does not upgrade the kernel.
cPanel.net Support Ticket Number:
Highly recommended!
Minimally I suggest everyone update their pacakges and errata.
Disable Telnet
Disable compiler
Terminate SSH for all except root/trusted customers
Change root password frequently
The following site provides very good instructions on doing all of this. Remember kernel upgrades require a reboot. Graceful as it may be . . . cheers!
cPanel.net Support Ticket Number:Originally posted by xsenses
Here is a link to a good security guide:
http://admin0.info/security/introduction.html
Re: Highly recommended!
Out of curiosity, why should the root password be changed frequently? Is there a chance that the password might get leaked physically (since I don't believe in psychic abilitiesOriginally posted by PbG
Change root password frequently
cPanel.net Support Ticket Number:)?
cPanel.net Support Ticket Number:
