Apache vhosts are not segmented or chroot()ed. | No symlink protection detected

mbressman

Active Member
Jan 31, 2006
40
0
156
cPanel Access Level
Reseller Owner
I'm a relative newbie when it comes to server administration (at least insofar as cPanel/WHM) compared to many others. (I have been running my own Ubuntu servers for some time now, but also "cheat" a little by using Webmin and getting help online.) Recently, I had to move from a shared/reseller hosting platform to a VPS at a different company (running Xen/CentOS 6) because I got fed up with all the restrictions that were arbitrarily (at least to me) being implemented on the shared platform with no upfront notification (which ended up breaking things). Now I'm on a managed VPS, and the company offering it has been extremely helpful, but ultimately I understand how I proceed is up to me (and I also want to learn and understand as I move forward).

I've gone through the WHM panel pretty thoroughly now, and want to ensure that my VPS is fully configured and protected before I deploy it to my clients (and for my own purposes as well). To that end, I ran the Security Advisor, and while a few of the items that popped up are understandable (e.g. SSH password authentication is enabled, SSH direct root logins are permitted, the pseudo-user "nobody" is permitted to send email, outbound SMTP connections are unrestricted, etc.), there are one or two that I'm running into difficulties deciding how to proceed on:

- Apache vhosts are not segmented or chroot()ed.
Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

- No symlink protection detected
You do not appear to have any symlink protection enabled on this server. You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

It seems that for the first one (Apache vhosts are not segmented or chroot()ed.), my options are:
- continue to leave things as is, using suPHP (and I presume jailed shells also since that is configured under "Managed Shell Access" already as jailed)
- move to mod_ruid2 (under EasyApache) and DSO (under Configure PHP and suEXEC) and then possibly enable that "Experimental" mod_ruid2 jailed shell option under "Tweak Settings" (or maybe not and just move to mod_ruid2 and DSO?)
- move to CloudLinux and CageFS (which I understand is a whole different OS from CentOS, and yet isn't that hard to switch to, although I believe I'd have additional monthly costs then)

Is that an accurate understanding of my options? Can anyone advise on which one might be the best? Basically, I want to ensure all "normal" things work on my VPS (e.g. Joomla websites, WordPress websites, email, etc.), but also want to make sure it's secure so that I don't run into disasters down the road. I haven't really deployed anything on it yet, and want to make sure it's fully configured and secure before doing so (but also want to make sure that when I do so, everything works). Any help on this is greatly appreciated.

And then for the second one I'm unsure about (No symlink protection detected), I'm also not sure how to proceed. I'm not quite clear on whether the changes I might make above would have an impact on resolving this issue, or if I need to resolve this issue, or if there is something else to be done? I know there is something called Apache Symlink Protection or Symlink Race Condition Protection or something else similar (maybe those are two different things?), but not sure how to implement, how it applies, and what it might do exactly. Any help with this is greatly appreciated also!

Thanks very much!

P.S. Are CloudLinux and CageFS the recommended method (over CentOS) of running WHM/cPanel in a secure environment (while still allowing full functionality for websites, etc.)? If so, I might just bite the bullet and do that even if it costs more money, but does it function in much the same way as CentOS? And if I've made some customizations (such as installing Webmin, installing a VPN to access Webmin, installing a remote access client, customizing CSF to allow all of these, etc.), will these all still work? Thanks!
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
CloudLinux is basically just modifications to CentOS. Aside from mainly hosting-related and security optimizations, it's still a CentOS server and functions the same.

If you plan on hosting multiple sites, the symlink race condition protection is the bare minimum. If you want to be more secure, CloudLinux/CageFS is a good way to go for hosting. Rest assured plenty of people host all the common CMSes on CloudLinux servers.
 

mbressman

Active Member
Jan 31, 2006
40
0
156
cPanel Access Level
Reseller Owner
CloudLinux is basically just modifications to CentOS. Aside from mainly hosting-related and security optimizations, it's still a CentOS server and functions the same.

If you plan on hosting multiple sites, the symlink race condition protection is the bare minimum. If you want to be more secure, CloudLinux/CageFS is a good way to go for hosting. Rest assured plenty of people host all the common CMSes on CloudLinux servers.
Thanks for the info - greatly appreciated!

It seems like my best move here is to go with CloudLinux - already contacted my VPS hosting provider to find out how to proceed with that. Is this something I need to purchase through my hosting provider, or can I purchase directly from CloudLinux and install myself?

A few follow-up questions:
1) Once I install CloudLinux, how do I install/enable CageFS (presumably to do what I'm being instructed in the cPanel Security Advisor message above)?
2) Do I need to move to mod_ruid2 and DSO with CloudLinux? Or can I just leave EasyApache's configuration the way it is now (and presumably stay with suPHP also)?
3) If I go with CloudLinux, do I need to do anything with symlink race condition protection in order to rectify the other cPanel Security Advisor message, or will CloudLinux/CageFS take care of that as well?

Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,261
463