The Community Forums

Interact with an entire community of cPanel & WHM users!

Is there a standard security practices / hardening document that's kept up to date?

Discussion in 'Security' started by ambition13, Mar 26, 2011.

  1. ambition13

    ambition13 Active Member

    Hello,

    I am trying to work on securing my server as much as possible. There don't seem to be any stickies in this section, so I was wondering: is there a document (hopefully kept fairly up to date) that describes the best practices for security on a cPanel server? Thank you.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member


    All Documentation

    Try there for starters, search for the word security. Lots of results to get you going.
     
  3. nobodyk

    nobodyk Well-Known Member


    Install CSF firewall, then check server security.
     
  4. ckh

    ckh Well-Known Member


    I use Chirpy from ConfigServer to set up all my new servers. Chirpy will be more up to date than any document will be, plus it saves me a lot of time, and for me it is an excellent cost compared to the time I'd put in having to do it myself.

    He wrote the CSF Firewall, plus a lot of other goodies, and is a moderator here, so that should give you an idea of his expertise level. If you want it done right, Chirpy is the way to go!
     
  5. k-planethost

    k-planethost Well-Known Member


    These pages are for beginners with cPanel.
    Is there any other guide including Secure and Optimize Apache (HTTP), sysctl.conf hardening, nsswitch.conf modification, FTP hardening, Mod_Security special rules, etc.?
     
  6. ambition13

    ambition13 Active Member


    I have CSF firewall installed and have done check security and used it to correct some items. Is it advisable to do every single thing it lists? I'm worried about some of them breaking some of the sites on my server.

     
  7. nobodyk

    nobodyk Well-Known Member


    You don't have to do all of them. Here's a list of ones that I didn't do:
    "Check nameservers" Probably a good idea (not really a security issue)
    "Check cPanel login is SSL only" Kind of annoying
    "Check php for ini_set disabled" Not a good idea to disable this
    "Check SSH PasswordAuthentication" I will probably do it later
    "Check for cxs" Waste of resources imo

    My score is 132 :D

    I think this is a great way to secure your server, especially for people like me that know a few Linux commands but are not experts.
     
  8. ambition13

    ambition13 Active Member


    Ok, so I've been going through and fixing some of the warnings from the ConfigServer check. Unfortunately something I did is now causing some of my scripts to give the following error:

    Fatal error: Maximum execution time of 30 seconds exceeded in /home/sitename/scriptname.php

    While these scripts are running (for the 30 seconds) the cpu usage on the server shoots up to 100% and it is the httpd process that is causing the high cpu usage.

    This is an older server, so I'm thinking some kind of encryption or SSL or something along those lines is just too much for the CPU to handle. I have gone through and changed all SSL settings back to what they were before, as well as the Apache MD5 setting. But the problem still persists. Anyone have any idea which other setting would be taxing the CPU so much?
     
  9. nobodyk

    nobodyk Well-Known Member


    Can you post your top -c?
     
  10. ambition13

    ambition13 Active Member


    PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
    17070 nobody 25 0 45504 31m 4132 D 82.0 1.6 0:25.34 /usr/local/apache/bin/httpd -k start -DSSL
     
  11. LinuxTechie

    LinuxTechie Well-Known Member


    Hey!

    You can install and perform the below given things for better security of the server:

    chkrootkit
    rkhunter
    maldetect
    LFD
    LSM
    Mod_Security
    Mod_Evasive
    Zend Optimizer
    Logwatch

    Hardening:

    Binaries
    Host.conf and sysctl
    SSH
    TCP/IP
    Disable unused services & disable functions.
     
  12. ambition13

    ambition13 Active Member


    Thank you for the list, but at this point my question is how to resolve the high CPU usage that came from following some of the steps in the ConfigServer security recommendations.
     
    #12 ambition13, Mar 28, 2011
    Last edited: Mar 28, 2011
  13. nobodyk

    nobodyk Well-Known Member


    What type of server is this? Can you post the specs?

    You should probably focus on optimizing Apache.
     
  14. nobodyk

    nobodyk Well-Known Member


    Actually, why don't you post your CSF config file?
     
  15. k-planethost

    k-planethost Well-Known Member


    Choose fail instead of blackhole on Exim.
    If you have chosen blackhole, it is a good reason for shooting CPU over the limits.
     
  16. ambition13

    ambition13 Active Member


    It is an older Pentium 4 dual core server. I have completely disabled the ConfigServer firewall just to test, but the same thing occurs, so it's definitely not in the CSF config file.

    It started from me going to the ConfigServer option "Check Server Security", which was recommended earlier in this post. The Check Server Security goes in and checks a bunch of things against its list and then recommends what you can do to make your server more secure. So I started doing those things and then later noticed how much my httpd process was now struggling; it's not even able to open pages that it was before due to timeouts. So some change I made must have added some overhead to httpd, I just can't figure out which one it was. I've tried going back and changing some of the items that I remember changing back to their original state, but so far I haven't been able to get it.

    So I don't know at this point whether it's worth trying to troubleshoot from the ConfigServer list or if there is some way to troubleshoot the high CPU usage of Apache...



     
  17. ambition13

    ambition13 Active Member


    OK, I changed that setting to fail. Unfortunately no difference in the httpd CPU usage. Thanks for the suggestion though.



     
  18. nobodyk

    nobodyk Well-Known Member


    Can you post your WHM Apache configuration?

    Edit: please post your "service httpd status" output
     
  19. ambition13

    ambition13 Active Member


    nobodyk - thank you so much for your help so far, this is really killing me.

    Here is my WHM Apache configuration:

    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    TraceEnable Off (PCI Recommended)
    ServerSignature Off (PCI Recommended)
    ServerTokens ProductOnly (PCI Recommended)
    FileETag None (PCI Recommended)
    Directory '/' Options (all are checked except MultiViews)
    ExecCGI
    FollowSymLinks
    Includes
    IncludesNOEXEC
    Indexes
    MultiViews
    SymLinksIfOwnerMatch
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    ServerLimit 256
    MaxClients 150
    MaxRequestsPerChild 10000
    KeepAlive On
    KeepAliveTimeout 5
    MaxKeepAliveRequests 100
    TimeOut 300



    And then here is the "service httpd status" output:

    Apache Server Status for localhost

    Server Version: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.7a
    mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
    PHP/5.2.17

    Server Built: Mar 28 2011 01:40:47
    _________________________________________________________________

    Current Time: Monday, 28-Mar-2011 23:22:52 EDT
    Restart Time: Monday, 28-Mar-2011 18:07:30 EDT
    Parent Server Generation: 3
    Server uptime: 5 hours 15 minutes 22 seconds
    Total accesses: 29477 - Total Traffic: 94.1 MB
    CPU Usage: u37.4 s7.9 cu.2 cs0 - .24% CPU load
    1.56 requests/sec - 5.1 kB/second - 3346 B/request
    3 requests currently being processed, 7 idle workers

    KW____W....__..._...............................................
    ................................................................
    ................................................................
    ................................................................



     
  20. nobodyk

    nobodyk Well-Known Member


    Sorry. I keep forgetting to check this thread :/
    Do you have msn/gtalk?

    Your config looks super good. Just some minor changes:
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    ServerLimit 150
    MaxClients 150
    MaxRequestsPerChild 5000
    KeepAlive On
    KeepAliveTimeout 3
    MaxKeepAliveRequests 100
    TimeOut 15

    This probably won't help you. It seems something else is causing the load.
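
A check on the "service httpd status" output posted in #19, added here as an example (it is not part of the thread or any poster's code): it tallies the mod_status scoreboard and compares the busy workers with the MaxClients value from the same post. The function name `parse_status` is hypothetical, and the scoreboard rows are rebuilt at an assumed 64-column width rather than retyped.

```python
import re

# Scoreboard key as printed by Apache 2.2 mod_status.
KEY = {"_": "waiting", "S": "starting", "R": "reading", "W": "sending",
       "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
       "G": "graceful", "I": "idle_cleanup", ".": "open_slot"}

# Status text from post 19 (header trimmed). Scoreboard rows are rebuilt
# at an assumed 64 columns instead of being retyped dot by dot.
STATUS = "\n".join([
    "Server Built: Mar 28 2011 01:40:47",
    "_" * 65,  # horizontal rule: all underscores, but NOT worker data
    "CPU Usage: u37.4 s7.9 cu.2 cs0 - .24% CPU load",
    "3 requests currently being processed, 7 idle workers",
    "",
    "KW____W....__..._" + "." * 47,
] + ["." * 64] * 3)

SUMMARY = re.compile(
    r"(\d+) requests currently being processed, (\d+) idle workers")

def parse_status(text, max_clients):
    """Tally worker states and cross-check them against the summary line."""
    lines = text.splitlines()
    # Only lines after the summary can be scoreboard rows; this keeps the
    # underscore rule in the header from being counted as idle workers.
    for i, line in enumerate(lines):
        m = SUMMARY.search(line)
        if m:
            break
    else:
        raise ValueError("no mod_status summary line found")
    counts = dict.fromkeys(KEY.values(), 0)
    for line in lines[i + 1:]:
        row = line.strip()
        if not row:
            continue
        if not set(row) <= set(KEY):
            break  # reached text after the scoreboard
        for ch in row:
            counts[KEY[ch]] += 1
    slots = sum(counts.values())
    idle = counts["waiting"]
    busy = slots - idle - counts["open_slot"]
    return {"busy": busy, "idle": idle, "slots": slots,
            "states": {k: v for k, v in counts.items() if v},
            "matches_summary": (busy, idle) == (int(m[1]), int(m[2])),
            "saturation": round(busy / max_clients, 3)}

if __name__ == "__main__":
    print(parse_status(STATUS, max_clients=150))
```

On the posted data this gives 3 busy and 7 idle workers across 256 slots (the posted ServerLimit), which is 2% of MaxClients 150.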
     