Hardening rules from imunify360.com some confusion

jeffschips

Well-Known Member
Hello. Hope everyone is safe and healthy.

I'm following the recommendations on hardening cPanel provided by Imunify here: 17 Ways to Improve cPanel Security in 2021

How would the suggested change be reflected in the stanza below? The suggested changes don't really line up exactly as the pattern in the existing file.

Currently in /etc/apache2/apache.conf first stanza (although Imunify says it's located in the /etc/httpd/conf/httpd.conf file):
===============================================
Code:
<Directory "/">

    AllowOverride All
    Options Indexes ExecCGI FollowSymLinks IncludesNOEXEC

</Directory>

Suggested Imunify change:

Code:
Options Indexes FollowSymLinks

To the following:

Code:
Options FollowSymLinks
===============================================
Also suggested from Imunify but I can't find it in WHM:

Code:
You can disable compilers using WHM. The Compilers Tweak option setting will let you disable compilers for any unprivileged user. The Compiler Tweak setting is found in the Security Center of WHM.
===============================================
And finally:

Code:
CPanel Security Advisor:

Apache vhosts are not segmented or chroot()ed.

Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.
Toggling mod_ruid2 ON in Apache configuration does not take effect. It defaults to off.
 

cPRex

Jurassic Moderator
Staff member
Hey there! I'll just answer these in order to make sure I don't miss anything.

The Apache Options line can be configured from WHM >> Apache Configuration >> Global Configuration under the "Directory “/” Options" section.

WHM >> Compiler Access would be the second thing you mention.

The third option is really a personal preference issue, although changing those configurations would keep the vhosts more separated for Apache's processing. You'd need to install the full mod_ruid2 package and let it change the handler if that isn't present already. Do you see any errors in the EA4 interface when you try to make that change?
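
What the Imunify change amounts to for the stanza quoted in the first post, as an added example that is not part of the thread and not Imunify's or cPanel's code: only the `Indexes` token is dropped from the `Options` line inside `<Directory "/">`, and the other options stay. The function name `drop_indexes` and the sample text are constructed here; on a cPanel server the setting itself is changed through the WHM screen named in the reply above, so this only shows and checks the resulting stanza.

```python
import re

# Constructed sample: the root stanza as quoted in the first post.
SAMPLE_CONF = '''<Directory "/">

    AllowOverride All
    Options Indexes ExecCGI FollowSymLinks IncludesNOEXEC

</Directory>
'''

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
OPTIONS = re.compile(r'^(\s*)Options\s+(.*)$', re.I)


def drop_indexes(conf_text, directory="/"):
    """Disable directory listing in one <Directory> stanza.

    Returns (new_text, changed_line_numbers). Bare "Indexes" is removed;
    "+Indexes" becomes "-Indexes" so a relative Options line stays relative
    (Apache does not allow mixing prefixed and unprefixed options).
    """
    out, changed, inside = [], [], False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m_open = DIR_OPEN.match(line)
        if m_open:
            inside = m_open.group(1) == directory
        elif DIR_CLOSE.match(line):
            inside = False
        m_opt = OPTIONS.match(line) if inside else None
        if m_opt:
            tokens = m_opt.group(2).split()
            kept = []
            for tok in tokens:
                if tok.lower() == "indexes":
                    continue                  # absolute form: just drop it
                if tok.lower() == "+indexes":
                    tok = "-Indexes"          # relative form: turn it off
                kept.append(tok)
            if kept != tokens:
                # Nothing left on an absolute line means no options at all.
                line = m_opt.group(1) + "Options " + (" ".join(kept) or "None")
                changed.append(lineno)
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    hardened, lines = drop_indexes(SAMPLE_CONF)
    print(hardened, "changed lines:", lines)
```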
 

jeffschips

Well-Known Member
SOLVED: The version of WHM I'm using cannot access the compiler setting via the suggested screenshot. Rather, it's inside tweak >> search on the right side of the panel for "Compiler" and then it will show up.
 
