Hardening Thread x cPanel on CentOS 6.x

Discussion in 'Security' started by webstyler, Nov 16, 2013.

  1. webstyler

    webstyler Well-Known Member

    Joined:
    Nov 20, 2003
    Messages:
    432
    Likes Received:
    0
    Trophy Points:
    16
    Hello

    There are other threads in the forum on security, but they are different, from many years ago, or based on older versions of cPanel / CentOS, and relate to scripts that are out of date or that do not work properly with the latest versions of CentOS.

    So, why not group here suggestions and links for hardening our servers based on CentOS 6.x and cPanel 11.xx?

    Thanks
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I recommend utilizing the Security Adviser feature in Web Host Manager if you are using cPanel version 11.40. It will scan your server for common security issues and offer recommendations.

    Thank you.
     
  3. webstyler

    webstyler Well-Known Member

    Hello Michael

    This is surely a good tool, but we are speaking about extra tools such as chkrootkit, prm, logwatch.

    prm is good software but it is old... maybe others could suggest a valid alternative.

    A list of software for security and resource control that could be used without conflict on cPanel/CentOS, together with hardening suggestions, may be useful to many people.

    Thanks
     
  4. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    Hardening arguably begins at OS installation (alright, alright, planning the installation :p ). It's tempting to perform a standard install of the OS and then install cPanel straight off, or use a VM OS image provided by your host without properly checking it out.

    Before proceeding to install cPanel, check out the rpms that are installed: yum list installed, yum grouplist, yum groupinfo "group name here". Remove any groups that aren't absolutely necessary. Similarly, check the repos that are enabled: are there any extra ones you don't want?

    If you're using an OS image provided by somebody else, are there any editor backup ~ files hanging around? This can sometimes give you a clue as to how the image was built and its history.

    find ./ -name '*~'

    I do agree it would be good to have a wiki page or stickied thread here on these sorts of things. A fair bit of HowTos/OS Protection - CentOS Wiki isn't appropriate directly to cPanel installs and some parts contradict the install instructions.

    At Step 5: Configure Your Operating System, a partition at root / that fills the disk is recommended. I'm guessing this is a symptom of people originally making partitions too small for their future needs in the projected life of the server and then moaning at the cPanel guys after, but it would be nice to have a comment next to the link to the advanced partitioning guide as to whether there is any security trade off and the difference to this trade off that cloudlinux / grsec would make etc...
     
    #4 ThinIce, Nov 20, 2013
    Last edited: Nov 20, 2013
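
    The pre-install checks from post #4 (which yum repos are enabled, which editor backup files were left behind), as an added example that is not part of the original post. The function names and the sample tree are hypothetical and constructed; the repo parsing assumes yum's rule that a section with no "enabled=" line counts as enabled.

```shell
#!/usr/bin/env bash
# Added example: audit a root tree for enabled yum repos and editor backups.
# Function names and the sample tree are hypothetical/constructed.

# Print ids of enabled repos under ROOT/etc/yum.repos.d.
# yum treats a section with no "enabled=" line as enabled.
enabled_repos() {
    local root="${1:-/}" f
    for f in "$root"/etc/yum.repos.d/*.repo; do
        [ -f "$f" ] || continue
        awk '
            function emit() { if (id != "" && on) print id }
            /^[ \t]*[#;]/ { next }                    # skip comment lines
            /^[ \t]*\[/ {                             # new [repoid] section
                emit(); id = $0
                sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id); on = 1; next
            }
            /^[ \t]*enabled[ \t]*=/ {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                on = (tolower(v) !~ /^(0|no|false)$/)
            }
            END { emit() }
        ' "$f"
    done | sort
}

# List editor backup files (*~) under ROOT; -xdev stays on one filesystem.
backup_files() {
    find "${1:-/}" -xdev -type f -name '*~' 2>/dev/null | sort
}

# Constructed sample image tree so the example runs offline.
make_sample_root() {
    local r; r="$(mktemp -d)"
    mkdir -p "$r/etc/yum.repos.d" "$r/root"
    printf '%s\n' '[base]' 'name=CentOS-6 - Base' 'enabled=1' \
        '[extras]' 'name=CentOS-6 - Extras' \
        '[debug]' 'name=Debuginfo' 'enabled=0' > "$r/etc/yum.repos.d/CentOS-Base.repo"
    printf '%s\n' '[vendor-tools]' '# added by image builder' 'enabled = 1' \
        > "$r/etc/yum.repos.d/vendor.repo"
    : > "$r/etc/network~"; : > "$r/root/build.sh~"; : > "$r/root/notes.txt"
    printf '%s\n' "$r"
}

sample="$(make_sample_root)"
echo "Enabled repos:"; enabled_repos "$sample"
echo "Backup files:";  backup_files "$sample" | sed "s|^$sample||"
rm -rf "$sample"
```

    On a real host, call enabled_repos / and backup_files / as root; any repo id you do not recognise is worth tracing back to the image builder before cPanel goes on.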
  5. webstyler

    webstyler Well-Known Member

    A lot of cPanel's customers install from the CentOS cPanel ISO, so there isn't really a cPanel pre-installation step.

    I don't understand what's so difficult about getting a best list of operations and software for hardening a cPanel server.
     
  6. ThinIce

    ThinIce Well-Known Member

    There's quite a bit to unpick around a question like that - the first is that security is a trade off, it sounds hackneyed but there we go. For example you're "best off" firewalling off your ssh port to access only by trusted IP addresses, but doing so will mean your users can't access the server by SFTP unless you also whitelist their addresses, which may or may not be important to you. You're potentially tightening one thing up there whilst making another less secure.

    It's the same with some of the 3rd party security utilities available: do you trust their author? Do you trust the update mechanism (which is often running as root)?

    That's more or less the reason why there isn't a stickied thread here titled "hardening 101" (although I still think that wouldn't be a bad idea). As far as the product goes, there is some good advice in the docs, for example on extra settings that can be made in suphp's config file.

    If you want someone to take a comprehensive look at your setup and advise you, configserver and rack911 seem well regarded although I've not personally used them myself.
     