Hardening Thread x cPanel on CentOS 6.x

webstyler

Well-Known Member
Nov 20, 2003
439
0
166
Hello

There are other threads in the forum on security, but are different from many years ago, or based on older versions of cpanel / CentOS that relate to script out of date or that do not work properly with the latest versions of CentOS.

So, why not group here suggests and link for hardening our servers based on CentOS 6.x versione and cPanel 11.xx ?

Thanks
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,234
363
cPanel Access Level
DataCenter Provider
Twitter
Hello :)

I recommend utilizing the Security Adviser feature in Web Host Manager if you are using cPanel version 11.40. It will scan your server for common security issues and offer recommendations.

Thank you.
 

webstyler

Well-Known Member
Nov 20, 2003
439
0
166
Hello :)

I recommend utilizing the Security Adviser feature in Web Host Manager if you are using cPanel version 11.40. It will scan your server for common security issues and offer recommendations.

Thank you.
Hello Michael

This is sure a good tool, but we speak about extra tools as chkrootkit, prm, logwatch

prm is a good software but is old.. may be other could suggest a valid alternative

Maybe usefull to many people a list of software for security and resource controll that could be used without conflict on cPanel/centos, and with hardening suggest

Thanks
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
Hardening arguably begins at OS installation (alright alright planning the installation :p ), it's tempting to perform a standard install of the OS and then install cPanel straight off or use a VM OS image provided by your host without properly checking it out.

Before proceeding to install cPanel, check out the rpms that are installed, yum list installed, yum grouplist, yum groupinfo "group name here". Remove any groups that aren't absolutely necessary. Similarly check the repos that are enabled, are there any extra ones you don't want?

If you're using an OS image provided by somebody else, are there any editor backup ~ files hanging around? This can sometimes give you a clue as to how the image was built and it's history.

find ./ -name '*~'

I do agree it would be good to have a wiki page or stickied thread here on these sorts of things. A fair bit of HowTos/OS Protection - CentOS Wiki isn't appropriate directly to cPanel installs and some parts contradict the install instructions.

Steve Grubb suggests, and quite rightly so, that areas where users have write privileges be kept on their own partition. This allows you to prevent hard link privilege escalation attempts, prevent creative device additions, and other unsavory behavior.
At Step 5: Configure Your Operating System a partition at root / that fills the disk is recommended. I'm guessing this is a symptom of people originally making partitions too small for their future needs in the projected life of the server and then moaning at the cPanel guys after, but it would be nice to have a comment next to the link to the advanced partitioning guide as to whether there is any security trade off and the difference to this trade off that cloudlinux / grcsec would make etc...
 
Last edited:

webstyler

Well-Known Member
Nov 20, 2003
439
0
166
A lot of cPanel's Customer install by centos cpanel iso
so, there isn't really a cpanel pre-installation step..

I not understand what's so difficult to get a best list to operation and software to hardening cPanel server.
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
I not understand what's so difficult to get a best list to operation and software to hardening cPanel server.
There's quite a bit to unpick around a question like that - the first is that security is a trade off, it sounds hackneyed but there we go. For example you're "best off" firewalling off your ssh port to access only by trusted IP addresses, but doing so will mean your users can't access the server by SFTP unless you also whitelist their addresses, which may or may not be important to you. You're potentially tightening one thing up there whilst making another less secure.

It's the same with some of the 3rd party security utilities available, do you trust their author? do you trust the update mechanism? (which is often running as root)

That's more or less the reason why there isn't a stickied thread here tightled "hardening 101" (although I still think that wouldn't be a bad idea) as far as the product goes there is some good advice on the docs, for examping on extra settings that can be made in suphp's config file.

If you want someone to take a comprehensive look at your setup and advise you, configserver and rack911 seem well regarded although I've not personally used them myself.