Have You Tried the cPanel Security Advisor?

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Have you tried the new cPanel Security Advisor? cPanel is planning on adding this as a WHM add-on at some point in the near future, quite possibly even with 11.40. You can get your hands on it right now and have some input into its ongoing development and usefulness to you, if you're interested.

The original thread announcing this add-on posted by cPanelNick, back in May, is located here:
[11.38] Open source cPanel Security Advisor Addon [ALPHA VERSION] - cPanel Forums

This is coming along quite well and I felt a new thread with a nice screenshot might be helpful. :)

Here's a screenshot from within WHM of the cPanel Security Advisor UI:
cPsecurityadviserSS.jpg

Here's where you can read more about it:
addon_securityadvisor - Security Advisor Addon for cPanel - GitHub

This URL takes you right to the suggestions area for this plug-in on github:
addon_securityadvisor - Security Advisor Addon for cPanel Issues - GitHub
(or feel free to comment on this right here on the forums.)

Installing this is straightforward and easy, using Git. Git is a powerful version control tool cPanel, Inc. uses in house. It's also included with cPanel & WHM and is the tool used here to check out the cPanel Security Advisor. Git is also distributed with CentOS/RHEL, but cPanel has its own version based on the Perl modules that cPanel installs.


To install:
Code:
/usr/local/cpanel/3rdparty/bin/git clone https://github.com/bdraco/addon_securityadvisor.git

cd addon_securityadvisor/pkg

./install
Next, log into WHM and go to the Plugins section on left menu to locate the Security Advisor Tool.

Clicking through that link will automatically run the cPanel Security Advisor, and the test will only take a moment. Once completed, as seen in the screenshot above, you'll be told what's in good shape and what needs some attention.

It's important to know that each security decision you are making here is a risk versus reward situation. If you choose to take the risk, it's important to know the consequences and to be best prepared. Security is a journey, not a destination, so it requires continued vigor. The safety of previous decisions can be made unsafe by a single security advisory.

Please do let us know what you think about this new tool. We very much appreciate your feedback.

Thanks!
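Since the advisor is shipped with WHM from 11.40 onward (as cPanelMichael notes further down in this thread), the manual clone above only belongs on older servers. The following is an added example, not code from the thread or from the addon_securityadvisor project: it reads the installed cPanel & WHM version, decides whether the manual install is needed, and only then runs the clone and install steps from the post. It assumes cPanel keeps its version string in /usr/local/cpanel/version and its bundled git at /usr/local/cpanel/3rdparty/bin/git; the classification functions are pure string checks so they can be exercised with any version string.

```shell
#!/bin/sh
# Added example (not from the thread or the addon_securityadvisor project).
# Decides whether Security Advisor must be cloned by hand (cPanel & WHM older
# than 11.40) or already ships with WHM (11.40 and later), and performs the
# manual install only in the first case.
#
# Assumptions: cPanel stores its version string in /usr/local/cpanel/version
# and its bundled git lives at /usr/local/cpanel/3rdparty/bin/git.

CPANEL_GIT="/usr/local/cpanel/3rdparty/bin/git"
CPANEL_VERSION_FILE="/usr/local/cpanel/version"
REPO_URL="https://github.com/bdraco/addon_securityadvisor.git"

# Exit status: 0 = manual install needed (< 11.40), 1 = built in (>= 11.40),
# 2 = the version string could not be parsed (no "major.minor" prefix).
needs_manual_install() {
    major=$(printf '%s\n' "$1" | cut -s -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2)
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    case "$minor" in ""|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 11 ]; then return 0; fi
    if [ "$major" -eq 11 ] && [ "$minor" -lt 40 ]; then return 0; fi
    return 1
}

# Prints one of: manual, builtin, unknown.
classify_version() {
    needs_manual_install "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo manual ;;
        1) echo builtin ;;
        *) echo unknown ;;
    esac
}

# Where the advisor appears in WHM's left menu once it is available.
advisor_menu() {
    case "$(classify_version "$1")" in
        manual)  echo "Plugins" ;;          # after the add-on's ./install
        builtin) echo "Security Center" ;;  # shipped with 11.40 and later
        *)       echo "unknown" ;;
    esac
}

# Reads the installed cPanel & WHM version (first line of the version file).
installed_cpanel_version() {
    file="${1:-$CPANEL_VERSION_FILE}"
    [ -r "$file" ] || return 1
    head -n 1 "$file" | tr -d '[:space:]'
}

# The install steps from the post, run only when the version calls for them.
install_advisor() {
    ver="$1"
    case "$(classify_version "$ver")" in
        builtin)
            echo "cPanel $ver already ships Security Advisor under WHM > Security Center; not installing."
            return 0 ;;
        unknown)
            echo "Cannot parse cPanel version '$ver'; refusing to guess." >&2
            return 2 ;;
    esac
    [ -x "$CPANEL_GIT" ] || { echo "cPanel git not found at $CPANEL_GIT" >&2; return 1; }
    "$CPANEL_GIT" clone "$REPO_URL" || return 1
    ( cd addon_securityadvisor/pkg && ./install ) || return 1
    echo "Installed; look under WHM > Plugins for the Security Advisor Tool."
}

# Stand-alone use:
#   sh advisor_check.sh 11.38.2.5      -> classify a version string
#   sh advisor_check.sh install [VER]  -> install if needed (VER defaults to the version file)
case "${1:-}" in
    "")      ;;  # no arguments: only define the functions above
    install) install_advisor "${2:-$(installed_cpanel_version)}" ;;
    *)       echo "cPanel $1: $(classify_version "$1") (WHM menu: $(advisor_menu "$1"))" ;;
esac
```

Running it with a version string only reports the classification; the clone and ./install are executed only with the explicit `install` argument, so an operator on a 11.40 or newer box cannot accidentally overwrite the bundled copy.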
 

jimlongo

Well-Known Member
Mar 20, 2008
289
24
68
The plugin installation was easy, and the information appreciated.

2 comments:

1. It kept telling me that I had FrontPage extensions installed, when I know my build of EasyApache has them off. It wasn't until I removed the rpm that the warning went away.

2. The first recommendation is Apache vhosts are not segmented or chroot()ed.
Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”
However, that selection is greyed out in Tweak Settings and is not available. I guess that's because I don't have mod_ruid2 installed, mostly because it's listed as experimental.

3. Unable to determine kernel version. Ensure that yum and rpm are working on your system. I'm sure they're both installed.

Thanks for any input on #2 and #3.
 

kernow

Well-Known Member
Jul 23, 2004
1,031
62
178
cPanel Access Level
Root Administrator
cPanel Security Advisor is very basic, perhaps you could use the CSF security check as a starting point and build on that?
#3 CL kernel was correctly identified in our test.
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
I guess it's a consequence of them being suspended but currently suspended users are showing up under the "Users running outside of the jail:" check.

On an instance with the kernel outside the VM, the alert "Unable to determine kernel version. Ensure that yum and rpm are working on your system" is displayed; the running kernel can, however, be obtained normally with uname.

Same FrontPage warning here, I guess due to the rpm having been in place by default even if it's never been used.

And same comment on the apache jails alert as that above - last I remember asking the jury was out on whether this was 'better' and would replace the current default of suphp (I realise we can argue the definition of better ;) )

Edit for clarity
 

jimlongo

Well-Known Member
Mar 20, 2008
289
24
68
And same comment on the apache jails alert as that above - last I remember asking the jury was out on whether this was 'better' and would replace the current default of suphp (I realise we can argue the definition of better ;) )
I was considering enabling mod_ruid2 until I read that this would disable mod_security.
Doesn't seem like a fair tradeoff.
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
It was this from the mod's own page I was most interested in (I realise there is an if/when implicit):

- there are some security issues, for instance if an attacker successfully exploits the httpd process, he can set effective capabilities and setuid to root. I recommend using some security patch in the kernel (grsec), or something..
 

Viborahost

Registered
Oct 6, 2013
4
0
1
cPanel Access Level
Root Administrator
Disengage The Building of Experimental Mod_Ruid

I have been testing cPanel 11.40 build 2 and I am not satisfied with the Security Manager Notifications suggestions. This Security Advisor is advising all to install Ruid2 / Mod Security, which shall apparently be obligatory from 11.42, but yet cPanel has stated on some forum that Mod2 with Apache DSO / Mod Security is presently unstable at times.

I feel that the Advisor would be better off advising the most stable and better tested global feature which would be in my opinion:

Advisor:
Do not install experimental Ruid2 DSO; instead install Mod Security with a SuPHP exec environment, as it is better tested and is stable.

If any newbie were to pay attention to the Security Advisor regarding this Ruid2, he or she is quite likely to run into a whole bunch of issues, as I have found that there are just too many bumps along the road when messing around with Ruid2.

I am aware that using Ruid2 DSO is what appears to be a much faster environment, but it most certainly is not a safer environment; some examples are the Jailshell issue... This is totally experimental.

The typical issue I personally come across with Ruid2 running a DSO environment is that when I go to the website of a newly created account, I immediately get this error saying "Not Allowed to Access this page", and I have checked /public_html and am quite sure that index.htm, index.shtml and other indexes do in fact exist.

My experience led me to rebuilding Apache with SQL 5.5 and PHP 5.4, making it compatible for SuPHP and disengaging Ruid2, of course; as soon as I did that, everything appears to function correctly.

So as far as 11.40 build 2 goes, I will not be listening to much of what the Security Advisor is saying regarding Jailshell for Ruid2 until it is much more stable and tested.

Just my humble opinion
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
;) Just a thought - could you perhaps develop a set of security related certs on cPanel University? I view this tool as a realisation that whilst every hosting provider should have procedures capable of covering this sort of stuff and dedicated security staff where possible, a lot of the time that just doesn't happen.

I know the problems inherent in doing this and I think a lot of them are probably the same as argued for offering / not offering this tool, but I don't see where the harm would be in using the material from the docs on security to come up with an extra set of questions to quickly bring people up to a base line of some sort and to get them interested in learning more.
 

Demitris

Registered
Feb 19, 2010
3
0
51
Athens, Greece
Hi There,

After upgrading to WHM 11.40, Security Advisor was not there. I installed it using the option from Infopro's first post:

Installing this is straightforward and easy, using Git. Git is a powerful version control tool cPanel, Inc. uses in house. It's also included with cPanel & WHM and is the tool used here to check out the cPanel Security Advisor. Git is also distributed with CentOS/RHEL, but cPanel has its own version based on the Perl modules that cPanel installs.


To install:
Code:
/usr/local/cpanel/3rdparty/bin/git clone https://github.com/bdraco/addon_securityadvisor.git

cd addon_securityadvisor/pkg

./install
Next, log into WHM and go to the Plugins section on left menu to locate the Security Advisor Tool.
But when I go to WHM Plugins I see that it is not functional (the "Scan Again" button does not work).

Clipboard02.png

I tried to uninstall it using:

Code:
/usr/local/cpanel/3rdparty/bin/addon_securityadvisor/pkg/

./uninstall
but PuTTY prints me this:


Clipboard01.png

Any help please?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello :)

Security Advisor is included in cPanel version 11.40. You should not attempt to install it manually. You can find it in Web Host Manager under the "Security Center" menu on the left.

Thank you.
 

Demitris

Registered
Feb 19, 2010
3
0
51
Athens, Greece
Hi Michael,

After I located where the addon_securityadvisor folder was and uninstalled the plugin, I get a 404 error in both the Security Center and Plugins menus.

Is there any way to fix this somehow?


Please look at the screens below to see what I mean:

Clipboard05.jpg Clipboard02.jpg
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
3,481
35
208
cPanel Access Level
DataCenter Provider
Hi Michael,

After I located where the addon_securityadvisor folder was and uninstalled the plugin, I get a 404 error in both the Security Center and Plugins menus.

Is there any way to fix this somehow?


Please look at the screens below to see what I mean:

View attachment 18101 View attachment 18102
Please try
Code:
/scripts/upcp --force
after the removal of the old plugin. This should restore any files the uninstaller may have removed that are needed for the 11.40 version.