The Community Forums


Improving System Security On CPanel Systems

Discussion in 'Security' started by billau, Jul 31, 2004.

  1. billau

    Basic things that can be done to improve security.
    Originally posted by disoft on the servermatrix forums
    --------------------------------------------------

    Use The Latest Software

    Keep the OS and 3rd party software up to date. Always!

    CPanel itself can be updated from the root WHM.

    --------------------------------------------------

    Change Passwords

    Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.

    --------------------------------------------------

    Set Up A More Secure SSH Environment

    This section describes how to disable direct 'root' login to the machine and how to force the more secure SSH 2 protocols.

    Disabling direct root login will force a hacker to have to guess 2 separate passwords to gain root access.

    After you do this, you will have to log in as anotheruser and then 'su -' to get to root.

    We also will be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol.

    Just a couple more ways to help your server stay safe from the bad guys.

    If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

    1. Set up anotheruser if you haven't already got one:

    i. Type: groupadd anotheruser
    ii. Type: useradd -g anotheruser anotheruser
    iii. Type: passwd anotheruser and add a password for the new account.

    On a CPanel system, you can now go into root WHM and add anotheruser to the wheel group.

    2. SSH into your server as anotheruser and gain root access by going su - root and entering the root password.

    3. Type: pico -w /etc/ssh/sshd_config

    4. Find the line:
    Code:

    #Protocol 2, 1


    Uncomment it and change it to look like:
    Code:

    Protocol 2


    5. Next, find the line:
    Code:

    #PermitRootLogin yes


    Uncomment it and make it look like:
    Code:

    PermitRootLogin no


    6. It is also recommended that the following additional lines are added to the file:
    Code:

    LoginGraceTime 300
    IgnoreRhosts yes
    X11Forwarding no
    UseLogin no


    7. Hit CTRL+x, then y then enter to save the file.

    8. Restart SSH with /etc/rc.d/init.d/sshd restart

    --------------------------------------------------

    Disable Telnet

    1. Type: pico -w /etc/xinetd.d/telnet
    2. Change the disable = no line to disable = yes.
    3. Hit CTRL+X press y and then enter to save the file.
    4. Restart xinetd with: /etc/rc.d/init.d/xinetd restart

    --------------------------------------------------

    Install A Firewall

    I recommend APF firewall personally, but they all do a similar job.

    APF can be found at: http://www.rfxnetworks.com/apf.php

    Also guard against 'brute force' attacks with: http://www.rfxnetworks.com/bfd.php

    --------------------------------------------------

    Disable Unnecessary Ports

    First backup the file that contains your list of ports with:

    cp /etc/services /etc/services.original

    Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.


    Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved

    --------------------------------------------------

    Watch The Logs

    Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.

    Logwatch can be found at: http://www.logwatch.org

    --------------------------------------------------

    Run A Root Kit Checker Regularly

    You can get a root kit from http://www.chkrootkit.org and make sure you run it on a regular basis, perhaps including it in a cron job.

    --------------------------------------------------

    Limit The Kernel's Capabilities

    1. Type: wget ftp://rpmfind.net/linux/PLD/current....0.6-3.i686.rpm
    2. Type: rpm -Uvh lcap-0.0.6-3.i686.rpm
    3. Type: lcap CAP_SYS_PTRACE

    This will limit the ptrace option which allows attaching to, and controlling the execution of, arbitrary processes. Debuggers do this sort of thing.

    The LCAP limitations only stay in place until the next reboot unless you put them in a startup file somewhere.

    LCAP can be used in various ways to harden the kernel, but you also run the risk of locking yourself out of facilities you need, so research is recommended before messing about. One good place to start looking is in /usr/include/linux/capability.h which contains a brief description of kernel capabilities.

    --------------------------------------------------

    Avoid CPanel Demo Mode

    Switch it off via WHM Account Functions => Disable or Enable Demo Mode.
    --------------------------------------------------

    Jail All Users

    Via WHM Account Functions => Manage Shell Access => Jail All Users.

    Better still never allow shell access to anyone - no exceptions.

    --------------------------------------------------

    Disable Troublesome Formmails

    Cpanel's formmails are known to be insecure and, worse, every time one attempts to disable them, the next CPanel upgrade comes along and enables them again.

    This is the recommended procedure for disabling them:

    1. SSH into the box.

    2. Type: cd /usr/local/cpanel/cgi-sys

    3. Type: chmod 0 cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

    4. Type: chattr +i cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

    --------------------------------------------------

    Immediate Notification Of Specific Attackers

    If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

    ALL : nnn.nnn.nnn.nnn : spawn (/bin/echo `date` %c %d | /bin/mail -s "Access attempt by nnn.nnn.nnn.nnn on hostname" notify@mydomain.com) &

    Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
    Replacing hostname with your hostname.
    Replacing notify@mydomain.com with your e-mail address.

    This will deny access to the attacker and e-mail the sysadmin about the access attempt.

    --------------------------------------------------

    Check Open Ports

    From time to time it's worth checking which ports are open to the outside world. This can be done with:

    nmap -sT -O localhost

    If nmap isn't installed, you can install from WHM -> Software -> Install RPM.

    --------------------------------------------------

    Set The MySQL Root Password

    This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.

    Make it different to your root password!

    --------------------------------------------------

    Tweak Security (CPanel)

    From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:

    - php open_basedir Tweak.
    - SMTP tweak.

    You may want to enable:

    - mod_userdir Tweak. But that will disable domain preview.

    --------------------------------------------------

    Use SuExec (CPanel)

    From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's description of what it does:

    "suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "

    Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.

    --------------------------------------------------

    Use PHPSuExec (CPanel)

    This needs to be built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.

    With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their .htaccess files contain no PHP directives.

    --------------------------------------------------

    Disable Compilers

    This will prevent hackers from compiling worms, root kits and the like on your machine.

    To disable them, do the following:
    Code:

    chmod 000 /usr/bin/perlcc
    chmod 000 /usr/bin/byacc
    chmod 000 /usr/bin/yacc
    chmod 000 /usr/bin/bcc
    chmod 000 /usr/bin/kgcc
    chmod 000 /usr/bin/cc
    chmod 000 /usr/bin/gcc
    chmod 000 /usr/bin/i386*cc
    chmod 000 /usr/bin/*c++
    chmod 000 /usr/bin/*g++
    chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
    chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1


    You will need to enable them again when you need to perform system updates. To do this, run:
    Code:

    chmod 755 /usr/bin/perlcc
    chmod 755 /usr/bin/byacc
    chmod 755 /usr/bin/yacc
    chmod 755 /usr/bin/bcc
    chmod 755 /usr/bin/kgcc
    chmod 755 /usr/bin/cc
    chmod 755 /usr/bin/gcc
    chmod 755 /usr/bin/i386*cc
    chmod 755 /usr/bin/*c++
    chmod 755 /usr/bin/*g++
    chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
    chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1


    --------------------------------------------------

    This is really just a start. There are many other things one can do too (tripwires etc.).
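    As an added example (not part of the original post or of cPanel's tooling), the following script checks an sshd_config against the directives the SSH section above sets, so you can verify the edit took and that a later change has not undone it. The config path is an argument, and the two sample configs it runs against are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against the
# directives the guide sets. sshd honours the FIRST uncommented occurrence of a
# keyword, so that is the value tested. Each finding is printed; the return
# value is the number of findings (0 means the file matches the guide).

# effective_value FILE KEYWORD -> first uncommented value (lower-cased), or ""
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blanks
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")  # drop the keyword
            sub(/[[:space:]]+$/, "")
            print tolower($0); exit
        }' "$1"
}

# audit_sshd FILE -> prints findings, returns their count
audit_sshd() {
    file=$1; findings=0
    for rule in "Protocol|2" "PermitRootLogin|no" "IgnoreRhosts|yes" \
                "X11Forwarding|no" "UseLogin|no"; do
        key=${rule%%|*}; want=${rule#*|}
        have=$(effective_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "FINDING: $key not set, sshd default applies"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "FINDING: $key is '$have', guide wants '$want'"
            findings=$((findings + 1))
        fi
    done
    # LoginGraceTime: the guide sets 300 seconds; missing, non-numeric or larger is flagged
    grace=$(effective_value "$file" LoginGraceTime)
    case $grace in
        ''|*[!0-9]*) echo "FINDING: LoginGraceTime missing or not plain seconds"
                     findings=$((findings + 1)) ;;
        *) [ "$grace" -le 300 ] || { echo "FINDING: LoginGraceTime $grace exceeds 300"
                                     findings=$((findings + 1)); } ;;
    esac
    return $findings
}

# Constructed samples: a stock-looking config and one edited as the guide says.
demo() {
    before=$(mktemp); after=$(mktemp)
    printf '#Protocol 2, 1\n#PermitRootLogin yes\nX11Forwarding yes\n' > "$before"
    printf 'Protocol 2\nPermitRootLogin no\nLoginGraceTime 300\nIgnoreRhosts yes\nX11Forwarding no\nUseLogin no\n' > "$after"
    for f in "$before" "$after"; do
        echo "== $f"; audit_sshd "$f"; echo "findings: $?"
    done
    rm -f "$before" "$after"
}
demo
```

    Run it as `audit_sshd /etc/ssh/sshd_config` after step 8; a non-zero exit status means something in the section has not been applied.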
     
  2. jeffheld

    Thanks for the info. To add to that, I would recommend
    Prelude: an Open Source, Hybrid Intrusion Detection System
    instead of tripwire.
     
  3. sneader

    Just an FYI, SuExec is actually enabled or disabled under "Service Configuration" not "Server Setup"

    - Scott
     
  4. AbeFroman

    It can also be enabled in EasyApache.
     
  5. StevenC

    What losers. Here is the original location:

    http://www.webhostgear.com/forums/showthread.php?t=20
     
  6. DomineauX

  7. isputra

    Or maybe ramprage and disoft are one person?
     
  8. AbeFroman

    #8 AbeFroman, Oct 4, 2004
    Last edited: Oct 4, 2004
  9. robert2807351

    I hope that I am not out of line in posting this question, but what is the reason or purpose for "server safe mode"?

    The company that I have a reseller account with refuses to set the "server safe mode" to off (for security reasons, or so they say), and this is causing me problems with running certain scripts and server side software.

    Any thoughts on server safe mode?

    PS: the software company says server safe mode must be off and to find another reseller account, and the reseller account people say yes, it is very necessary (I have no idea - could someone enlighten me please).

    Thank you.
     
    #9 robert2807351, Oct 11, 2004
    Last edited: Oct 12, 2004
  10. SarcNBit

  11. robert2807351

    Yes - thank you...

    That site says,
    which is completely understandable. The problem is that I don't know what "The PHP safe mode is an attempt to solve the shared-server security problem" means exactly. I suppose if I knew that, then perhaps I could decide if I need to co-locate a server and turn it off myself, or find some different software.
     
    #11 robert2807351, Oct 12, 2004
    Last edited: Oct 12, 2004
  12. SarcNBit

    Read the description of each of the configuration options. If you do not understand what functions they are restricting, then look them up on that site.

    I have no idea what 'the split' is amongst cpanel hosts, but I know a large number of hosts do not run php in safe mode because of script incompatibilities. There are also a number of hosts that would never think of running anything but safe mode on their servers. It is something of a 'less filling, tastes great' debate and people can make arguments for both sides. At the end of the day, only you can decide what works for you.
     