Hardening rules from imunify360.com some confusion

[jeffschips]

Hello. Hope everyone is safe and healthy.

I'm following the recommendations on hardening cpanel provided by Imunify here: 17 Ways to Improve cPanel Security in 2021

How would the suggested change be reflected in the stanza below? The suggested changes don't really line up exactly as the pattern in the existing file.

Currently in /etc/apache2/apache.conf first stanza (although Imunify says it's located in /etc/httpd/conf/httpd.conf file) :
===============================================

<Directory "/">

    AllowOverride All
    Options Indexes ExecCGI FollowSymLinks IncludesNOEXEC

</Directory>

Suggested Imunify change:

Options Indexes FollowSymLinks

To the following:

Options FollowSymLinks

[/CODE]
===============================================
Also suggested from Immunify but I can't find it in WHM:

You can disable compilers using WHM. The Compilers Tweak option setting will let you disable compilers for any unprivileged user. The Compiler Tweak setting is found in the Security Center of WHM.

===============================================
And finally:

CPanel Security Advisor:

Apache vhosts are not segmented or chroot()ed.

Enable “mod_ruid2” in the “EasyApache 4” area, enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

Toggling mod_ruid2 ON in Apache configuration does not take effect. It defaults to off.

 

[cPRex]

Hey there! I'll just answer these in order to make sure I don't miss anything.

The Apache Options line can be configured from WHM >> Apache Configuration >> Global Configuration under the "Directory “/” Options" section.

WHM >> Compiler Access would be the second thing you mention.

The third option is really a personal preference issue, although changing those configurations would keep the vhosts more separated for Apache's processing. You'd need to install the full mod_ruid2 package and let it change the handler if that isn't present already. Do you see any errors in the EA4 interface when you try to make that change?

 

[jeffschips]

Hi and thank you. I see no "Compiler Access" under WHM >> or anywhere for that matter.

Not in v96.0.9. At least I can't find it.

 

[cPRex]

That's interesting - it's one of the main links in WHM, so a search for "compiler" would bring it up:



Are you logged in as root to that system?

 

[jeffschips]

Hmmmm. . . me no have. See screenshot.

 

[jeffschips]

SOLVED: The version of WHM I'm using cannot access compiler setting via the suggested screenshot. It's rather inside tweak >> search on the right side of panel for "Compiler" and then it will show up

 

[cPRex]

Nice catch!