Security Advisor, Main Account, SFTP

cmo

Member
Dec 20, 2013
16
0
1
cPanel Access Level
Root Administrator
Hi there,

I'm new to WHM, have a little Linux experience, and have used cPanel as an end user for a long time. I setup my first VPS and installed CentOS 6.4 (updated to 6.5) and WHM/cPanel yesterday. My VPS specs are: KVM-based, 4GB RAM, 6 cores, 150GB drive space. Partitions are simple: / and swap.

I am mainly interested in hosting my own sites, however, I might also host a handful of clients (not many, if any). Right now, all my domains are still with a shared hosting company, except the domain I am using for this VPS. Once I get this VPS locked down and running smoothly, I will start moving my shared hosting accounts to it.

I have come to a point where I thought I should start asking questions - a couple of problems and a couple of "I dunno's".

1. Security Advisor:
I ran the Security Advisor and got the following 'fails'
A) Apache vhosts are not segmented or chroot()ed - not sure about this yet
B) No brute force protection detected - will install CSF/LFD
C) Frontpage is installed
ISSUE: I used EasyApache to compile Apache 2.4.7, remove FrontPage, and add mod_bw
D) Current kernel version is out of date. current: 2.6.32-358.el6, expected: 2.6.32-431.1.2.0.1.el6
ISSUE: uname -a shows "Linux my.host.com 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux"
E) SSH password authentication is enabled - not sure about this yet as I've never used ssh keys in lieu of passwords, will research
F) SSH direct root logins are permitted
ISSUE: I haven't set up a 2nd user account in CentOS yet. Do I just do this normally via cli (adduser/passwd user), or is there a section in WHM to do this? Also, do I add this user to sudoers normally via cli or is there a section in WHM to do this?

2. Main Account:
I haven't added any accounts or domains in WHM yet.
A) Is there a section in WHM to add the server owner's account with main server domain, or do I just create a normal cPanel account for myself with the main server domain plus addon domains for the rest of my domains?
B) I am not comfortable logging in as root to WHM. Is there a way to create a new WHM account that can still administer everything or is it normal to use the server's root account to log into WHM all the time?

3. SFTP to Access All User Homes:
A) I would like to be able to have a single SFTP login to access all user home directories. Is this possible?
B) If I decide to host other clients and want to give someone FTP access to their files, can I force SFTP?
C) If the answer to 3.B is yes, can I also keep them from having shell access outside of SFTP? This is probably a dumb question ...

Thanks in advance for any help,

cmo
 

cmo

Member
Dec 20, 2013
16
0
1
cPanel Access Level
Root Administrator
Since I can't edit my post, I thought I would update here.

I have managed to take care of
1.A: I recompiled with mod_ruid2
1.C: I overlooked rpm -e frontpage a thousand times :eek:
1.E: That wasn't as scary as I thought, I like key + key password :cool:

I could still use help with the rest.
 

cmo

Member
Dec 20, 2013
16
0
1
cPanel Access Level
Root Administrator
Update # 2

Everything in section 1 except item 1.D has been sorted. I have no idea why it still says my kernel is out of date.

Server Status > Server Information shows:
Linux my.host.com 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

In addition, I now have a new problem. I have managed to get a CSF rating of 137/140, but I am still able to send email out via very simple (not secure) PHP scripts.

How do I stop this? I would like that all PHP email scripts have to authenticate using a real email account on the VPS.

Apache settings:
Default PHP Version (.php files) = 5
PHP 5 Handler = dso
Apache suEXEC = on
Apache Ruid2 = on

CSF SMTP settings:
SMTP_BLOCK = 1
SMTP_ALLOWLOCAL = 0
SMTP_ALLOWUSER = cpanel
SMTP_ALLOWGROUP = mail,mailman

cPanel Tweak settings for mail:
Prevent “nobody” from sending mail = on
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak) = off (per CSF SMTP_BLOCK)
 

cmo

Member
Dec 20, 2013
16
0
1
cPanel Access Level
Root Administrator
Thank you so much for that link, Michael. I looked at that before but somehow overlooked the last part about renaming sendmail. THat's what I was looking for :)

One quick follow-up question ... will renaming sendmail prevent WHM root messages and CSF messages from going out?
 

cmo

Member
Dec 20, 2013
16
0
1
cPanel Access Level
Root Administrator
One quick follow-up question ... will renaming sendmail prevent WHM root messages and CSF messages from going out?
In CSF I found an option to change from sendmail to smtp and tested the email by issuing su while logged in as a user (enter 127.0.0.1 for LF_ALERT_SMTP). Will I need to make a similar setting change for WHM root messages?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
There are no such configurable settings for messages sent out by cPanel/WHM. Feel free to test this and let us know if you no longer receive notifications from cPanel/WHM.

Thank you.