
HOW-TO: Secure cPanel

Discussion in 'General Discussion' started by eth00, Aug 28, 2004.

  1. eth00

    How-To secure cPanel


    First and foremost I want to say that this is not going to make your server 100% cracker proof; there is always a possibility that somebody will find a way in. I have listed a lot of things you can do to protect your server that will help you secure it. While securing your server you have to find a median between what is secure and what restricts your clients or websites. You can easily make your server 100% secure from remote attacks by unplugging the ethernet cable, but chances are you will not get much good out of it. This is not a complete guide and I will update it when I find time or it needs it. Overall it is a very good start and it is probably more than most servers have.

    If you have any problems with the guide please post them and I will try to help/update the guide. I have not included everything you can do, but it is a very good start. If you need somebody to secure your server please feel free to private message or email me.

    All commands meant to be run in ssh will begin with "#"



    --------------------------



    The first step is to update your software. Make sure up2date says you are fully updated:
    #up2date -u

    Now update the kernel. Below I have posted the directions for a server using lilo as the bootloader. I will add in directions for grub later as I do not run grub on any of my servers. If you are using grub please skip this section and upgrade the kernel at another time.

    #cd /var/spool/up2date

    If you have a dual processor server:

    #up2date --download --force kernel-smp
    #rpm -ivh kernel-smp-2.4.21-15.0.4.EL.i686.rpm
    #lilo -v -v
    #lilo -R 2.4.21-15.0.4.1
    #shutdown -r now

    If you have a single processor server:
    #up2date --download --force kernel
    #rpm -ivh kernel-2.4.21-15.0.4.EL.i686.rpm
    #lilo -v -v
    #lilo -R 2.4.21-15.0.4.1E
    #shutdown -r now


    When you run lilo -v -v make sure that no errors appear; if any do, you probably need to look at lilo.conf for the problem.

    The lilo -R command will make it boot the new kernel only once. If for some reason it does not come back up, just put in a reboot TT and it will automatically boot to the old kernel. If it comes back up fine then you can edit /etc/lilo.conf and set "default=" to the new kernel label.


    --------------------------


    A firewall should be the first thing installed. I recommend advanced policy firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists.
    http://rfxnetworks.net/apf.php
    #cd /usr/src
    #wget http://rfxnetworks.net/downloads/apf-current.tar.gz
    #tar -zxf apf-current.tar.gz
    #cd apf-0.*
    #./install.sh

    Now edit the config file:
    #pico -w /etc/apf/conf.apf

    Change the following:
    USE_DS="1"
    USE_AD="1"


    Scroll down to this section:


    # Common ingress (inbound) TCP ports
    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
    # Common ingress (inbound) UDP ports
    IG_UDP_CPORTS="21,53,465,873"

    # Common ICMP (inbound) types
    # 'internals/icmp.types' for type definition; 'all' is wildcard for any
    IG_ICMP_TYPES="3,5,11,0,30,8"


    Scroll down a bit then find this section:

    EGF="1"
    # Common egress (outbound) TCP ports
    EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
    # Common egress (outbound) UDP ports
    EG_UDP_CPORTS="20,21,53,123,465,873"


    Save the file and start apf via:
    #apf -s
    If everything still works, then edit the config file and turn dev mode off:
    DEVM="0"

    Now restart APF:
    #apf -r




    --------------------------


    The following scripts are fairly easy to use and install. I might add documentation later, but for now I will not.

    Along with installing APF I would suggest installing brute force detection (BFD), also by rfxnetworks. BFD will monitor your ssh and ftp services and automatically ban users that try to brute force a password. If you install BFD, make sure you can get a separate ip to ssh into your server from in case it blocks you for some reason! You can add your ip to the allow list via "apf -a IP" if you have a static ip.
    http://rfxnetworks.net/bfd.php


    Yet another very handy tool by rfxnetworks is socket monitor (PMON). This tool will alert you whenever a new port is opened on the server. This is very helpful in detecting any users running weird processes or attempting to run backdoors. When any program that it does not recognize is started, it will email you with the information.
    http://rfxnetworks.net/pmon.php


    Another tool I would suggest, although it is not really part of securing your server, is system integrity monitor (SIM), which is also by rfxnetworks. SIM will automatically detect when a service is down and restart it.
    http://rfxnetworks.net/sim.php


    I always recommend turning off compilers. Most rootkits come precompiled, but not all of them do. It will also prevent shell users from trying to compile any irc related programs. To turn the compilers back on, change off to on.
    #/scripts/compilers off


    --------------------------


    mod_security

    First we will download and unzip mod_security. This guide compiles for apache 1.3.x, which is what cPanel currently uses.
    #wget http://www.modsecurity.org/download/mod_security-1.8.4.tar.gz
    #tar zxf mod_security-1.8.4.tar.gz
    #cd mod_security-1.8.4/apache1


    Next compile mod_security as a module:
    #/etc/httpd/bin/apxs -cia mod_security.c

    Make a backup of your httpd.conf before touching anything, so you have something to go back to if it does not work.
    #cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec

    Now edit the httpd.conf:
    #pico -w /etc/httpd/conf/httpd.conf


    Scroll down below the following line:
    AddModule mod_security.c
    The rules listed in the text file below can just be pasted in. They are a collection of rules, many of them taken from snort, that block most of the common attacks while still letting normal requests through.
    http://eth0.us/faq/modsec.txt

    Create the error log file:
    #touch /var/log/httpd/audit_log

    Restart apache:
    #service httpd restart

    If sites start to have problems, look at the error log:
    /var/log/httpd/audit_log


    --------------------------


    The /tmp partition is one of the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check if your /tmp is secure.
    #df -h |grep tmp

    If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it is mounted with noexec.
    #cat /etc/fstab |grep tmp

    If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
    #ls -alh /var/ |grep tmp

    If it shows something to the effect of "tmp -> /tmp/" then you are ok. If not, go ahead and remove the old /var/tmp and replace it with a symlink to /tmp.
    #rm -rf /var/tmp/
    #ln -s /tmp/ /var/




    If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.

    Create a 190Mb partition:
    #cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000

    Format the partition:
    #mke2fs /dev/tmpMnt


    Make a backup of the old data:
    #cp -Rp /tmp /tmp_backup

    Mount the temp filesystem:
    #mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

    Set the permissions:
    #chmod 0777 /tmp

    Copy the old files back:
    #cp -Rp /tmp_backup/* /tmp/

    Once you do that, go ahead and start mysql and make sure it works ok. If it does, you can add this line to the bottom of /etc/fstab to have it mounted automatically:
    /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

    Next delete the old /var/tmp and create a link to /tmp:
    #rm -rf /var/tmp/
    #ln -s /tmp/ /var/

    If everything still works fine you can go ahead and delete the /tmp_backup directory.
    #rm -rf /tmp_backup


    --------------------------


    Many php exploit scripts use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no non-wheel, non-root user can use them, we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the commands below. Mod_security really removes the need to chmod these, but it is an added layer of protection.

    #chmod 750 /usr/bin/rcp
    #chmod 750 /usr/bin/wget
    #chmod 750 /usr/bin/lynx
    #chmod 750 /usr/bin/links
    #chmod 750 /usr/bin/scp



    --------------------------


    Now we will install rkhunter so we will at least know if the server has been cracked.

    Download and unzip rkhunter:
    #cd /usr/local/src/
    #wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
    #tar -zxf rkhunter-1.1.4.tar.gz
    #cd rkhunter

    Install it:
    #./install.sh

    Now create a cronjob so it will email you with notifications to the root mailbox:
    #crontab -e

    At the bottom add the following line:
    16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

    Press control-x to save.


    --------------------------

    Thanks to all that have helped me compile this.


    I will be adding more, but that is a very good start. This guide is going to be posted on a few forums and at http://eth0.us/faq/secure.htm
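    The checks in the /tmp and chmod sections above, collected into an audit script (an added example, not part of the original post or of any rfxnetworks/cPanel tool). The functions take their input as arguments so they can be exercised against constructed fstab lines and a scratch directory; audit_system runs them against the real paths the guide uses.

```sh
#!/bin/sh
# Added example (not from the original post): audit helpers for the /tmp
# hardening and binary lockdown steps described in the guide.

# tmp_mount_ok LINE : 0 when LINE (fstab or /proc/mounts format) mounts /tmp
# with both noexec and nosuid, 1 otherwise. Both formats share the column
# layout "device mountpoint fstype options ...".
tmp_mount_ok() {
    set -- $1
    [ "$2" = "/tmp" ] || return 1
    case ",$4," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$4," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# audit_tmp_mounts FILE : 0 when FILE contains a hardened /tmp entry.
# Use /etc/fstab for the boot configuration, /proc/mounts for what is live.
audit_tmp_mounts() {
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if tmp_mount_ok "$line"; then
            echo "OK: /tmp mounted noexec,nosuid: $line"
            return 0
        fi
    done < "$1"
    echo "WARN: no /tmp entry with noexec and nosuid in $1"
    return 1
}

# var_tmp_ok DIR : 0 when DIR/tmp is a symlink pointing at /tmp. The guide
# checks /var; DIR is a parameter so the check can run in a scratch tree.
var_tmp_ok() {
    [ -L "$1/tmp" ] || return 1
    case "$(readlink "$1/tmp")" in /tmp|/tmp/) return 0 ;; *) return 1 ;; esac
}

# others_locked_out FILE : 0 when FILE exists and its mode grants nothing to
# "other" users, the state chmod 750 leaves wget, lynx, etc. in.
# Parses the ls -l mode string, so it does not depend on GNU stat.
others_locked_out() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1")" in ???????---*) return 0 ;; *) return 1 ;; esac
}

# audit_system : run every check against the live paths from the guide.
audit_system() {
    rc=0
    audit_tmp_mounts /etc/fstab || rc=1
    var_tmp_ok /var || { echo "WARN: /var/tmp is not a symlink to /tmp"; rc=1; }
    for f in /usr/bin/rcp /usr/bin/wget /usr/bin/lynx /usr/bin/links /usr/bin/scp; do
        [ -e "$f" ] || continue
        others_locked_out "$f" || { echo "WARN: $f is still usable by others"; rc=1; }
    done
    return $rc
}
```

    Call audit_system as root on a server; a non-zero exit means at least one of the guide's steps is not in place.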
     
  2. fizz

    this deserves a sticky! very well written document!
     
  3. jeffheld

    got root?

    like
    16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet
    you can also use
    16 0 * * * (/usr/local/bin/rkhunter -c --cronjob --report-mode --createlogfile | mail -s "RKhunter scan report" admin@domain.com)

    to have it emailed to you.

    also run this command to find and change any 777 permissions to 755 or whatever you need
    perm=755; find / -type d -perm 777 -ok chmod -v $perm '{}' \;

    where $perm is permission to set.

    you can also automate the link from /var/tmp with
    if [ ! -L /var/tmp ]; then echo "/var/tmp is not a symbolic link, making required changes"; read a
    rm -rf /var/tmp; ln -s /tmp/ /var/; else echo "/var/tmp is already a symbolic link"; fi

    "above is 2 lines"

    below is for changing permissions on certain folders
    dirs="/usr/bin/rcp /usr/bin/wget /usr/bin/lynx /usr/bin/links /usr/bin/scp"
    findperm=777 changeperm=755
    for file in $( find $dirs -perm $findperm -print ); do chmod -v $changeperm $file; done

    above looks at each file in the $dirs variable to see if permission $findperm is set; if true then it does chmod $changeperm on that file
    P.S. $ means variable, i.e.
    variable=root
    echo $variable # shows root
    # is comment

    here is a little script to secure tmp partition
    echo securing tmp; read a; cd /dev; echo "generating partition space, please wait"
    dd if=/dev/zero of=tmpsec bs=1024 count=1000000; /sbin/mke2fs /dev/tmpsec; echo done; cd -; cd /; cp -R /tmp /tmp_backup
    echo mounting partition space; read a; mount -o loop,noexec,nosuid,rw /dev/tmpsec /tmp; chmod 0777 /tmp
    cp -R /tmp_backup/* /tmp/; rm -rf /tmp_backup; cd -; cat /tmpsecure >>/etc/fstab; rm -f /tmpsecure; echo done securing tmp dir;

    the partition above is 1gig and it will not allow anyone to execute anything in it, including 'root'. note: before running the above code, make a txt file named /tmpsecure containing:
    /dev/tmpsec /tmp ext2 loop,noexec,nosuid,rw 0 0

    well that's it for now. stay secure.... P.S. if you don't know bash then don't use any of the above code. you will get errors :P
     
  4. casey

    Those rules are causing problems for my users.

    "ps\x20" was preventing search engines from linking to one of my clients' xoops sites.
    "rm\x20" was preventing another client from using FrontPage.
    "cc\x20" blocked me from updating information in ModernBill.
    "\;id" blocked access to a clients' bbs.
     
  6. v-rod

    I now get the following error after creating the tmp partition:

    Starting eximstats: DBI connect('eximstats:localhost','eximstats',...) failed: Access denied for user: 'eximstats@localhost' (Using password: YES) at /usr/local/cpanel/bin/eximstats line 262
    Can't Connect at /usr/local/cpanel/bin/eximstats line 265.


    MySQL seems to be running fine.

    Thanks
     
  7. webits

    I'm going to try this out :))))
    Don't forget bouncer ;))
     
  8. AbeFroman

    I get an error when trying to create the audit log:
    # touch /var/log/httpd/audit_log
    touch: cannot touch `/var/log/httpd/audit_log': No such file or directory

    Did anyone else get that error?
     
  9. eth00

    Apparently your server does not have the "touch" command. Go ahead and just create a blank file with that name and then restart apache.
     
  10. AbeFroman

    Which bbs?
     
  11. AbeFroman

    I have touch
    # which touch
    /bin/touch
     
  12. AbeFroman

    I don't have an httpd directory inside /var/log, is that bad?
     
  13. eth00

    You can go ahead and create the directory; what I have posted is for redhat and your system probably does the directory structure a bit differently. Another option is to look in the httpd.conf at the lines you pasted and change the log file directory.
     
  14. AbeFroman

    What does the -cia mean in /etc/httpd//bin/apxs -cia ?
     
  15. anup123

    mod_security has more problems than comfort.
    installation and configuration is not a problem. It's those rules which break one thing or the other until you have almost everything commented out within the

    <IfModule mod_security.c>
    .....
    .....
    </IfModule>

    Specially the POST Payload thing... that breaks many webmail systems :/

    Anup
     
  16. anup123

    c : compile
    i : install
    a : adding a corresponding LoadModule line to Apache's httpd.conf

    A would do the same as a but with a #

    Anup
     
  17. AbeFroman

    What do you mean by that?
     
  18. AbeFroman

    My `/var/log/httpd/audit_log' file grew to 2.1M overnight, including blocking frontpage find and replaces and even images with csh in the image name.

    Does anyone have a scaled down set of rules?

    I haven't heard of anyone getting hacked from allowing csh in the URL.
     