Minimum cPanel password length

MindServer

Well-Known Member
Mar 18, 2020
205
30
28
Spain
cPanel Access Level
Root Administrator
Hi,

- How can I set the minimum password length for all cPanel accounts?

I know about "Configure Security Policies -> Password Strength", but it does not have a minimum password length option.

- Another thing: when the WHM/cPanel installation finished, the file "latest" and the directory "cPanel Install" were not removed automatically. I attached an image.

Can I remove them, or do this file and directory need to stay for things to work correctly: latest (file) and cPanel Install (directory)?

Thank you very much.
 


MindServer

In addition to my last message, I have other security questions:

- In your documentation you wrote this: Always use SSHv2 only. SSHv1 will not properly secure connections. You must change the #Protocol 2,1 line in the /etc/ssh/sshd_config file to Protocol 2

But I edited the file "/etc/ssh/sshd_config" and it does not have any line with the word "Protocol" (I also checked with the cat + grep commands).

I have the latest version of WHM/cPanel with CloudLinux. Do I need to add this line manually? Where do I add it so that it works correctly?

- How can I enable "noexec" and "nosuid" in temporary directories? I'm checking this guide: Tips to Make Your Server More Secure | cPanel & WHM Documentation

You recommend executing this command: /usr/local/cpanel/scripts/securetmp

Will this automatically secure the tmp directories with noexec and nosuid (/tmp, /var/tmp, /dev/shm)? Or do I need to do anything?

Thank you!
 

cPSamuelM

Technical Analyst Team Lead
Staff member
Nov 20, 2019
196
38
103
USA
cPanel Access Level
Root Administrator
Hello @MindServer

- You can set the password strength requirement on the Home >> Security Center >> Password Strength Configuration page in WHM. Note, this is not the password length, rather it is the strength. For more information see the documentation on the following page:

https://docs.cpanel.net/whm/security-center/password-strength-configuration/

- The /root/latest file should remain on your server. However, I am not familiar with the /root/cPanelInstall directory. What is inside it?

- OpenSSH 7.4 removed support for Protocol 1: https://www.openssh.com/txt/release-7.4

- To mount /tmp with the noexec and nosuid options, you would need to update its fstab entry. This page should help you accomplish this. Alternatively, running the securetmp script does so as well.

Best regards.
 

MindServer

- I found this: edit the file "/etc/login.defs" -> modify "PASS_MIN_LEN" to set the minimum password length. Will this work correctly in the latest WHM/cPanel version?

- "/root/cPanelInstall" is empty now on my server.

- Do I not need to do anything to prohibit the use of SSHv1? Does WHM/cPanel only permit SSHv2 in the latest version? If any user tries to log in with SSHv1, will their connection be refused?

- But you wrote this in your guide: We recommend that you use a separate /tmp partition and that you mount it with the nosuid option. This option forces a process to run with the privileges of the user who executes it. You may also wish to mount the /tmp directory with noexec after you install cPanel & WHM.

Run the /usr/local/cpanel/scripts/securetmp script to mount your /tmp partition to a temporary file for extra security. The temporary file will use 1% of the available disk space in the /usr partition, from a minimum size of 500MB to a maximum size of 4GB.

Link: Tips to Make Your Server More Secure | cPanel & WHM Documentation

Will this not secure the "tmp" directories with the noexec and nosuid options?

- Last security question: after enabling MariaDB (in "WHM -> MySQL/MariaDB Upgrade"), do I need to execute this function to secure it: mysql_secure_installation?

Or did WHM/cPanel execute it automatically?

Thank you very much. Have a nice day.
 

cPSamuelM

Hello again,

1. cPanel/WHM does not provide an option to modify the minimum password length for the system. We do not provide support for this. However, you might find the following page helpful:

https://www.ostechnix.com/how-to-set-password-policies-in-linux/

Note, any changes you make to the authentication system of the OS may not be compatible with cPanel/WHM. I would encourage you to express your interest in the following feature request: https://features.cpanel.net/topic/change-the-default-length-and-type-of-the-password-generator

2. If the /root/cPanelInstall directory is empty, you may remove it. It is not found in a standard cPanel installation, as far as I know.

3. You do not need to make any changes to the SSH configuration. You might want to verify that your server has OpenSSH version 7.4 to ensure that Protocol 1 is not available:

Code:
-bash-4.2# rpm -qa openssh
openssh-7.4p1-21.el7.x86_64

If a user attempts to connect with an unsupported protocol, their connection will fail.

4. Yes, the securetmp script mounts the /tmp partition with the nosuid and noexec options.

5. It is not necessary to run the mysql_secure_installation script manually, as the tasks it performs are completed when MariaDB is first installed. You can read more about that here.

Best regards
 

MindServer

Thank you very much for everything. I solved all my questions with your information except this:

1- The files aren't in the "/root" directory; they are in the "/home" directory:

/home/latest (file)
/home/cPanelInstall/ (directory)

These appear after the WHM/cPanel installation:

cd /home
curl -o latest -L https://securedownloads.cpanel.net/latest
sh latest
reboot

Please confirm whether I need to remove these for security (latest and cPanelInstaller) or whether they need to remain for everything to work correctly.

2- In the link your coworker wrote this: but it's not typically required because actions such as configuring a root password, removing the test database, and removing the anonymous user are already done during the initial setup.

To change MySQL to MariaDB I used "MySQL/MariaDB Upgrade" in WHM/cPanel (I attached an image). With this method, did WHM/cPanel also execute "mysql_secure_installation" automatically? I ask because the steps did not appear on my screen.

Thank you again. Have a nice day.
 


cPSamuelM

Hello @MindServer

1. It is not necessary to remove the latest file and the cPanelInstall directory, but there will be no problems if you delete them. Feel free to do what works best for you.

2. It is not necessary to run the mysql_secure_installation script when using the MySQL/MariaDB Upgrade tool in WHM.

Best regards
 

MindServer

Thank you very much.

- Last question please, sorry for my ignorance: when I install WHM/cPanel, does it execute "/usr/local/cpanel/scripts/securetmp" automatically, or do I need to execute it manually?

On these things the cPanel documentation is ambiguous; I don't know which things are automated and which must be executed manually.

- When I execute the script "/usr/local/cpanel/scripts/securetmp", will it also secure the "/var/tmp" and "/dev/shm" directories, or will your script only secure the "/tmp" directory?

Remember I have CloudLinux and CageFS.

Thanks again.
 

cPSamuelM

Hello again @MindServer

The securetmp script is executed upon server startup. A service exists to ensure this script is run every time the server starts:

Code:
-bash-4.2# systemctl list-unit-files |grep securetmp
securetmp.service                             enabled
-bash-4.2# systemctl cat securetmp
# /etc/systemd/system/securetmp.service
[Unit]
Description=securetmp service
ConditionFileIsExecutable=/usr/local/cpanel/scripts/securetmp
ConditionPathExists=!/var/cpanel/version/securetmp_disabled
Before=network.target network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/cpanel/scripts/securetmp --auto --nodaemonize

[Install]
WantedBy=multi-user.target

The script does not act on /dev/shm, only /tmp and /var/tmp.

Best regards
 
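As an added example (not part of any post in this thread, and not cPanel's code): a check that /tmp, /var/tmp and /dev/shm each carry both nosuid and noexec, read from input in the /proc/mounts layout. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# check_mount FILE MOUNTPOINT -> prints ok | missing:<opts> | not-mounted
check_mount() {
    awk -v mp="$2" '
        $2 == mp { opts = $4; found = 1 }  # a later entry overrides an earlier one
        END {
            if (!found) { print "not-mounted"; exit }
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) have[o[i]] = 1  # exact tokens, no substring match
            miss = ""
            if (!("nosuid" in have)) miss = miss "nosuid,"
            if (!("noexec" in have)) miss = miss "noexec,"
            if (miss == "") print "ok"
            else print "missing:" substr(miss, 1, length(miss) - 1)
        }' "$1"
}

# audit_tmp_mounts [FILE] -> one line per directory; returns 1 if any is not ok
audit_tmp_mounts() {
    src="${1:-/proc/mounts}"
    rc=0
    for mp in /tmp /var/tmp /dev/shm; do
        res=$(check_mount "$src" "$mp")
        printf '%-9s %s\n' "$mp" "$res"
        [ "$res" = "ok" ] || rc=1
    done
    return "$rc"
}

# Constructed sample, not output from the poster's server.
write_sample() {
    cat <<'EOF'
/dev/mapper/vg-root / xfs rw,relatime,attr2,inode64,noquota 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp ext4 rw,nosuid,noexec,relatime 0 0
/dev/loop0 /var/tmp ext4 rw,nosuid,noexec,relatime 0 0
EOF
}

sample=$(mktemp)
write_sample > "$sample"
audit_tmp_mounts "$sample" || echo "at least one directory lacks nosuid/noexec"
rm -f "$sample"
```

Calling `audit_tmp_mounts` with no argument reads the live /proc/mounts on the server instead of the sample.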

MindServer

Perfect, thank you very much for everything.

Now I only need to find a guide to secure "/dev/shm" in WHM/cPanel so I can finalize this.

Have a nice day!
 

MindServer

Hi,

I executed this command on my server: mount | grep /dev/shm

I received this info: I attached an image.

I did not configure anything, but is the server using "nosuid" and "noexec" on shared memory (/dev/shm) by default, or did I not understand correctly?

Do I need to do anything to secure "/dev/shm"?

Thank you!
 
