The Community Forums


Improving Server Security Questions

Discussion in 'Security' started by bins_uk, Jan 27, 2017.

  1. bins_uk

    bins_uk Registered

    Joined:
    Jan 27, 2017
    Messages:
    4
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    London
    cPanel Access Level:
    Root Administrator
    I have just moved to cPanel and am really happy with the security it imposed, especially with software versions.

    My server gets checked for vulnerabilities via Beyondsecurity and only some minor issues pop up:

    FTP Service AUTH TLS Command Support
    IMAP Service STARTTLS Command Support
    SSH Server Backported Security Patches
    FTP Clear Text Authentication
    HTTP Packet Inspection
    Mailman Detection
    BIND Version Gathering

    Wanting to be as tight as possible, can anyone suggest ways to close these little holes?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,171
    Likes Received:
    1,295
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @bins_uk,

    The following document is helpful when initially setting up your server:

    Recommended Security Settings - cPanel Knowledge Base - cPanel Documentation

    Regarding the reports, I'll address each one individually:

    > FTP Service AUTH TLS Command Support

    There's a thread on this topic at:

    Pure-FTPd Cipher Settings

    > IMAP Service STARTTLS Command Support

    This is discussed on the following thread:

    Disabling STARTTLS for IMAP services.

    > SSH Server Backported Security Patches

    Could you provide some more information about the specific data or test that was run for this particular report?

    > FTP Clear Text Authentication

    You can adjust the TLS Encryption Support value to Required (Command/Data) via "WHM >> FTP Server Configuration":

    FTP Server Configuration - Documentation - cPanel Documentation

    > HTTP Packet Inspection

    Could you provide some more information about the specific data or test that was run for this particular vulnerability?

    > Mailman Detection

    You can disable the Mailman feature via "WHM >> Tweak Settings" and "WHM >> Service Manager"; however, there is currently an open bug report regarding the mailman aliases. This is discussed on the following thread:

    Disabling mailman

    > BIND Version Gathering

    You can modify the /etc/named.conf file on the system and add the following line within the "Options" section (just above or below the "recursion no;" line is acceptable):

    Code:
    version none;

    Then, restart Named via the /scripts/restartsrv_named command.

    Thank you.
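A way to confirm the BIND change above actually landed on disk, as an added example that is not code from the thread or from cPanel: the function parses a named.conf-style file and reports whether a "version" statement sits inside the options { } block, skipping commented-out lines so a disabled "// version none;" is not mistaken for the fix. The sample configs are constructed for the example; the live paths and commands named in the comments are the thread's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: check that a
# named.conf hides the BIND version, i.e. that a "version" statement is
# present inside options { } (the thread's fix is "version none;").

# Print "hidden" (return 0) when options { } carries a version statement,
# otherwise "exposed" (return 1). $1 = path to a named.conf-style file.
named_version_hidden() {
    awk '
        /^[[:space:]]*(\/\/|#)/ { next }                      # skip comment lines
        /^[[:space:]]*options[[:space:]]*\{/ { inopts = 1 }
        inopts && /^[[:space:]]*version[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*version[[:space:]]+/, "", line)  # drop the keyword
            sub(/[[:space:]]*;.*$/, "", line)                 # drop ";" and anything after
            gsub(/"/, "", line)                               # drop quotes around a custom string
            found = line                                      # "none" or the custom string
        }
        inopts && /^[[:space:]]*\}/ { inopts = 0 }
        END {
            if (found != "") { print "hidden"; exit 0 }
            print "exposed"; exit 1
        }
    ' "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: the options block after applying the thread's fix.
cat > "$SAMPLE_DIR/named.hidden.conf" <<'EOF'
options {
    directory "/var/named";
    recursion no;
    version none;
};
EOF

# Constructed sample: the fix is only present as a comment, so the real
# version is still reported.
cat > "$SAMPLE_DIR/named.exposed.conf" <<'EOF'
options {
    directory "/var/named";
    recursion no;
    // version none;
};
EOF

for f in "$SAMPLE_DIR"/named.*.conf; do
    if named_version_hidden "$f" >/dev/null; then state=hidden; else state=exposed; fi
    echo "$(basename "$f"): $state"
done
# On a live server: named_version_hidden /etc/named.conf, then after editing
# restart with /scripts/restartsrv_named (as the thread says) and confirm with
#   dig @127.0.0.1 version.bind chaos txt +short
```

The dig query at the end is the same CHAOS-class lookup the scanner uses for "BIND Version Gathering", so running it against your own resolver after the restart shows exactly what the scanner will see.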
     
  3. bins_uk

    Thanks for this great & detailed response.

    I did search for answers, but must have used wrong search strings.

    Anyway, all implemented and here is more info on the other bits:
    SSH Server Backported Security Patches
    Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives.

    HTTP Packet Inspection (2 reports)
    This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

    Protocol version: HTTP/1.1
    SSL: no
    Pipelining: yes
    Keep-Alive: yes
    Options allowed: (Not implemented)
    Headers:
    Date: Wed, 01 Feb 2017 02:02:59 GMT
    Server: Apache
    Set-Cookie: dac8ea8dfedad2d1de375b143a684be4=s0ekbv31p4u62fbffj5g09itq2, path=... Location: example.com
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html, charset=utf-8
    ----------------------------------------
    This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

    Protocol version: HTTP/1.1
    SSL: yes
    Pipelining: yes
    Keep-Alive: yes
    Options allowed: (Not implemented)
    Headers:
    Date: Wed, 01 Feb 2017 02:03:03 GMT
    Server: Apache
    X-Logged-In: False
    X-Content-Powered-By: K2 v2.7.1 (by JoomlaWorks)
    P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
    Expires: Wed, 17 Aug 2005 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: dac8ea8dfedad2d1de375b143a684be4=greq69brsg6bj0pvq6cgos1ri7, path=... Last-Modified: Wed, 01 Feb 2017 02:03:05 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html, charset=utf-8
     
    #3 bins_uk, Feb 1, 2017
    Last edited by a moderator: Feb 1, 2017
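The two "HTTP Packet Inspection" reports are mostly a header dump, and the security-relevant question is which headers give away software. The following is an added example, not code from the thread or from the scanner: it reads "Name: value" lines and flags a Server header that carries a version number and the X-Powered-By family of headers. The first sample reuses headers quoted from the HTTPS report above; the second sample and its version strings are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the scanner: flag HTTP
# response headers that disclose software, reading raw "Name: value" lines
# on stdin as the "HTTP Packet Inspection" report prints them.

# One finding per line on stdout. A Server header is only flagged when it
# carries a version number; a bare product name ("Apache") is what
# ServerTokens Prod produces and is left alone.
disclosing_headers() {
    awk -F': ' '
        NF < 2 { next }                       # not a "Name: value" line
        {
            name = tolower($1)
            val  = substr($0, length($1) + 3)  # everything after "Name: "
        }
        name == "server" && val ~ /[0-9]/ { print "Server reveals a version: " val; next }
        name == "x-powered-by" || name == "x-content-powered-by" || name == "x-generator" {
            print $1 " reveals application software: " val
        }
    '
}

# Number of findings, for scripted checks.
count_disclosing_headers() { disclosing_headers | wc -l | tr -d ' '; }

# Headers quoted from the second (HTTPS) report in the thread.
REPORT_HEADERS='Server: Apache
X-Logged-In: False
X-Content-Powered-By: K2 v2.7.1 (by JoomlaWorks)
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked'

# Constructed sample of an unhardened host; the version strings are made up.
CONSTRUCTED_HEADERS='Server: Apache/2.4.0 (Unix)
X-Powered-By: PHP/7.0.0
Content-Type: text/html; charset=utf-8'

echo "== headers from the report"
printf '%s\n' "$REPORT_HEADERS" | disclosing_headers
echo "== constructed unhardened sample"
printf '%s\n' "$CONSTRUCTED_HEADERS" | disclosing_headers
```

Note that the one finding in the report's headers, X-Content-Powered-By, is emitted by the Joomla K2 component, not by Apache or PHP, so the WHM Apache and expose_php settings discussed later in the thread will not remove it; it has to be switched off in the application, or stripped at the web server with mod_headers (`Header unset X-Content-Powered-By`).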
  4. cPanelMichael

    > SSH Server Backported Security Patches

    This is how the patches are handled by your Operating System, and is unrelated to the cPanel software. There's a URL where this is explained at:

    Security Backporting Policy - Red Hat Customer Portal

    You can use a command like this if you want to list security patches that were backported:

    Code:
    rpm -q --changelog openssh | grep CVE

    > HTTP Packet Inspection

    You can verify the following options are disabled via "WHM >> Service Configuration >> Apache Configuration >> Global Configuration":

    Trace Enable
    Server Signature
    Server Tokens (Product Only)
    File ETag

    Additionally, you can browse to "WHM >> Software >> MultiPHP INI Editor", switch to Editor Mode, search for the "expose_php" option, and set it to "No".

    Thank you.
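WHM writes those four Apache options and the expose_php flag to configuration files, and a quick on-disk audit confirms the change took effect before the scanner is run again. The following is an added example, not code from the thread or from cPanel: it resolves the effective value of each directive (comments skipped, last occurrence wins) and compares it with the value the reply recommends, i.e. TraceEnable Off, ServerSignature Off, ServerTokens Prod, FileETag None and expose_php = Off. The sample files are constructed; the live paths in the comments (/etc/apache2/conf/httpd.conf and the per-version php.ini under /opt/cpanel/ea-php*/root/etc/) are assumed EasyApache 4 locations.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: verify on disk that
# the Apache settings and the expose_php flag named in the thread are set.
# Assumed EasyApache 4 paths: /etc/apache2/conf/httpd.conf and
# /opt/cpanel/ea-php*/root/etc/php.ini. The samples below are constructed.

# Effective value of an Apache directive: comments skipped, last occurrence
# wins, directive names matched case-insensitively as Apache does.
apache_directive_value() {   # $1 = config file, $2 = directive name
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == want { val = $2 }
        END { print val }
    ' "$1"
}

# Check the directives against the values the thread recommends. Prints one
# line per directive and returns the number that are wrong or unset.
audit_apache_headers() {   # $1 = httpd.conf-style file
    fails=0
    for pair in TraceEnable=off ServerSignature=off ServerTokens=prod FileETag=none; do
        name=${pair%%=*}
        want=${pair#*=}
        have=$(apache_directive_value "$1" "$name" | tr 'A-Z' 'a-z')
        if [ "$have" = "$want" ]; then
            echo "OK   $name $have"
        else
            echo "FAIL $name ${have:-<unset>} (want $want)"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Effective expose_php value from a php.ini-style file, lower-cased
# (";" comment lines skipped, last occurrence wins).
php_expose_php() {   # $1 = php.ini-style file
    awk -F'=' '
        /^[[:space:]]*;/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        tolower(key) == "expose_php" { v = $2; gsub(/[[:space:]]/, "", v); val = tolower(v) }
        END { print val }
    ' "$1"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: hardened as the thread recommends.
cat > "$SAMPLE_DIR/httpd.good.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
EOF

# Constructed sample: stock-style settings. TraceEnable and FileETag are
# absent, so Apache's defaults apply (TRACE enabled, mtime/size ETag).
cat > "$SAMPLE_DIR/httpd.bad.conf" <<'EOF'
# ServerTokens Prod   <- commented out, so it does not count
ServerTokens OS
ServerSignature On
EOF

cat > "$SAMPLE_DIR/php.good.ini" <<'EOF'
; expose_php = On
expose_php = Off
EOF
cat > "$SAMPLE_DIR/php.bad.ini" <<'EOF'
expose_php = On
EOF

for f in httpd.good.conf httpd.bad.conf; do
    echo "== $f"
    audit_apache_headers "$SAMPLE_DIR/$f" || echo "$? directive(s) need attention"
done
for f in php.good.ini php.bad.ini; do
    echo "$f: expose_php=$(php_expose_php "$SAMPLE_DIR/$f")"
done
```

The return value of audit_apache_headers is the count of misconfigured directives, so the function can gate a deployment check directly; a non-zero exit from the php.ini check can be built the same way if needed.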
     
  5. bins_uk

    Many thanks for your quick responses and help.

    This is great support others could learn from!
     