Securing Apache in cPanel

Discussion in 'EasyApache' started by crosswinds, Jun 16, 2009.

  1. crosswinds

    crosswinds Member

    First, I'd like to state that I've been using Apache since the 1.0 days and deploying working/secured systems into production environments since 1995. I have been using cPanel since 2004 and am not a complete noob, but have not fully delved into all the aspects of the system (time constraints).

    I have been attempting to solve a security breach with a user and when I read through the httpd.conf it dawned on me what I was seeing.

    Apache 2.2.x
    <Directory "/">
    Options ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
    AllowOverride All
    </Directory>

    Apache 1.3.37
    <Directory "/">
    Options All
    AllowOverride All
    </Directory>

    These made my jaw drop - this is 100% against good security practices, even those that Apache themselves state:

    Security Tips - Apache HTTP Server

    So, I attempted the obvious: secure the / directory and allow the options/overrides for user/virtualhost folders, but then stuff everywhere failed to work. Explicit Directory options are needed for the system cgi, for php to work in suexec/suphp mode... lots of work that should have already been done for the out of box setup.

    Both my cPanels have been updated in the past 30 days and are sitting at 11.24.

    My Google-fu failed to help me locate anyone who has identified all the paths and which files to place these overrides in (I am assuming the /var/cpanel/templates/ files).

    Any pointers to save me the time that should have already been put in would be appreciated! If/when I can collect this information I will bring it all together and do a how-to on securing your Apache setup better.
     
  2. PlatinumServerM

    PlatinumServerM Well-Known Member
    PartnerNOC

    Those are just the basic default settings. They are not intended to be left the way they are. They are made as options because some people need them enabled, even though they are insecure.

    If you are having security issues, I would suggest contacting an admin to do this for you. Just following a how-to guide usually is not too effective. A perfect example of this is modsecurity: most guides tell you to install modsecurity for http security, but it is the configuration in it that determines how strict and effective it is. Just installing it and not configuring it properly can be disastrous.

    Security is not black and white. It is a combination of both experience knowing how to implement sufficient security and experience with seeing how other servers get hacked. There are also positives/negatives to almost every change you make, so arbitrarily making changes just because a guide tells you to often leads to problems.
     
  3. crosswinds

    crosswinds Member

    I'm very aware of the security issues - been doing security in many spaces (programming, server, network, physical and social) for 15 years.

    What I was looking for is a comprehensive listing of paths for cPanel binaries and gotchas if anyone had already hit them. I just have a very full plate and doing the work that should have been done out of the box isn't appealing. I have 2 other control panels in place and they have secured paths in by default - cPanel really should do the same.

    As it stands I've already started compiling the list of paths that must work. ScriptAlias et al are starters but cPanel has enough little gotchas that finding them all before a customer complains will be very difficult.

    The exploit turned out to be a new set of trojans that have appeared over the past 3 days on the computer of one of my customers. It was in the investigation of this that I noticed the defaults for Apache in cPanel.
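
An added example, not part of the thread and not cPanel's own tooling: a small audit that flags a permissive `<Directory "/">` block like the ones quoted in the first post and lists `Alias`/`ScriptAlias` targets that would need their own `<Directory>` grant once `/` is locked down. The sample config is constructed, and the `/opt/example/...` paths are placeholders, not cPanel's actual paths.

```python
import re

# Constructed sample: the Apache 2.2 root block quoted in the thread, plus
# hypothetical alias lines (placeholder paths, not cPanel's real list).
SAMPLE_CONF = '''
<Directory "/">
Options ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
AllowOverride All
</Directory>
ScriptAlias /cgi-example/ /opt/example/cgi-bin/
Alias /static-example /opt/example/static
<Directory "/opt/example/static">
Options None
AllowOverride None
</Directory>
'''

BROAD_OPTIONS = {"all", "execcgi", "includes", "indexes", "followsymlinks"}  # review at "/"
BLOCK_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.I | re.S)
ALIAS_RE = re.compile(r'^\s*(ScriptAlias|Alias)\s+\S+\s+"?([^"\s]+)"?', re.I | re.M)

def directory_blocks(conf):
    """Map each <Directory> path to its directives as {name: [args]}."""
    blocks = {}
    for path, body in BLOCK_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            parts = line.split()
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
        blocks[path.rstrip("/") or "/"] = directives
    return blocks

def audit_root(conf):
    """Findings for the explicit settings of a <Directory "/"> block."""
    root = directory_blocks(conf).get("/", {})
    findings = []
    enabled = {o.lstrip("+") for o in root.get("options", []) if not o.startswith("-")}
    broad = sorted(enabled & BROAD_OPTIONS)
    if broad:
        findings.append("root Options enables: " + ", ".join(broad))
    if root.get("allowoverride", ["none"]) != ["none"]:
        findings.append("root AllowOverride is not None")
    return findings

def paths_needing_grants(conf):
    """Alias targets lacking an exact-path <Directory> block (parents ignored)."""
    covered = set(directory_blocks(conf))
    return sorted({t.rstrip("/") for _, t in ALIAS_RE.findall(conf)} - covered)
```

Running `audit_root` and `paths_needing_grants` over a copy of the live httpd.conf before tightening `/` gives a starting checklist; it does not follow `Include` files or match `<DirectoryMatch>` blocks.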
     
  4. Spiral

    Spiral BANNED

    Wow just call this one the "experts" thread! :D

    Crosswinds, spoken with you a bit. Nice refreshing conversations there! ;)

    Platinum, seen you over the past few years and got a good idea of your skills.

    Me myself, over 30+ years systems administration, security consulting, etc.

    Gee, all we need now is chirpy in the thread. ;)

    It's a nice idea to put together a more detailed step by step list addressing
    some of the more often missed security issues particularly for those who
    don't really understand what is going on behind the scenes as much
    especially with Apache where most users don't understand it under the hood
    well enough to know any of the pitfalls.

    I've actually been working on putting together much of the same, and I have
    also been lately testing out some scripts I wrote recently to try to automate
    some of the changes that users could apply to better lock down the weaker
    configurations you get by the general default cPanel installations.

    Anyway, crosswinds, I'll give you a hand with that project of yours. I know with
    our combined skills, we should be able to come up with something to improve
    things for everyone to balance security without breaking cPanel.
     
  5. crosswinds

    crosswinds Member

    Actually that is precisely the end goal - to assist and hopefully educate. It is possible to tighten cPanel's apache config up so that it doesn't break 99.9% of things - but there is always one customer that wants X or Y that it breaks. Usually it can be worked around. If we can document it for initial installs, for people here to learn, and maybe get cPanel to adopt?, I'd be a happier camper.

    I did a second quick pass with some spare time and ended up breaking only half the sites and frontpage! Well, anything that was obvious - I shudder to think what else I haven't accounted for but that's where logs help. All I need now is time!

    Spiral: Yeah - nice chat :) Too busy today to get onto MSN
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Quality information such as you are proposing is invaluable. If I could make a suggestion, have this thread be your WIP thread. Once you are satisfied with the resulting document/howto/etc, post it in a new thread and we can sticky it.

    Let me know if there is information, or clarity, needed on cPanel peculiarities. If it is within my power I will provide it.

    As an aside, it is nice seeing you active again on the forum Spiral.
     