Securing Apache in cPanel

First, I'd like to state that I've been using Apache since the 1.0 days and deploying working/secured systems into production environments since 1995. I have been using cPanel since 2004 and am not a complete noob, but have not fully delved into all the aspects of the system (time constraints).

I have been attempting to solve a security breach with a user and when I read through the httpd.conf it dawned on me what I was seeing.

Apache 2.2.x
<Directory "/">
Options ExecCGI FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
AllowOverride All
</Directory>

Apache 1.3.37
<Directory "/">
Options All
AllowOverride All
</Directory>

These made my jaw drop - this is 100% against good security practices, even those that Apache themselves state:

Security Tips - Apache HTTP Server

So, I attempted the obvious and secure the / directory and allow the options/overrides for user/virtualhost folders but then stuff everywhere failed to work. Explicit Directory options are needed for the system cgi, for php to work in suexec/suphp mode... lots of work that should have already been done for the out of box setup.

Both my cPanels have been updated in the past 30 days and are sitting at 11.24.

My Google-fu failed to help me locate and identify anyone that has identified all the paths and which files to place these overrides (I am assuming the /var/cpanel/templates/ files).

Any pointers to save me the time that should have already been put in would be appreciated! If/when I can collect this information I will bring them all together and do a how to secure your apache setup better.

 

I'm very aware of the security issues - been doing security in many spaces (programming, server, network, physical and social) for 15 years.

What I was looking for is a comprehensive listing of paths for cPanel binaries and gotchas if anyone had already hit them. I just have a very full plate and doing the work that should have been done out of the box isn't appealing. I have 2 other control panels in place and they have secured paths in by default - cPanel really should do the same.

As it stands I've already started compiling the list of paths that must work. ScriptAlias et al are starters but cPanel has enough little gotchas that finding them all before a customer complains will be very difficult.

The exploit turned out to be a new set of trojans that have appeared over the past 3 days on the computer of one of my customers. It was in the investigation of this, that I noticed the defaults for Apache in cPanel.

 

Actually that is precisely the end goal - to assist and hopefully educate. It is possible to tighten cPanel's apache config up so that it doesn't break 99.9% of things - but there is always one customer that wants X or Y that it breaks. Usually it can be worked around. If we can document it for initial installs, for people here to learn, and maybe get cPanel to adopt?, I'd be a happier camper.

I did a second quick pass with some spare time and ended up breaking only half the sites and frontpage! Well anything that was obvious - I shudder to thing what else I haven't accounted for but that's where logs help. All I need now is time!

Spiral: Yeah - nice chat Too busy today to get onto MSN