Security Advisor, Main Account, SFTP

Discussion in 'Security' started by cmo, Dec 20, 2013.

  1. cmo

    cmo Member

    Joined:
    Dec 20, 2013
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi there,

    I'm new to WHM, have a little Linux experience, and have used cPanel as an end user for a long time. I set up my first VPS and installed CentOS 6.4 (updated to 6.5) and WHM/cPanel yesterday. My VPS specs are: KVM-based, 4GB RAM, 6 cores, 150GB drive space. Partitions are simple: / and swap.

    I am mainly interested in hosting my own sites, however, I might also host a handful of clients (not many, if any). Right now, all my domains are still with a shared hosting company, except the domain I am using for this VPS. Once I get this VPS locked down and running smoothly, I will start moving my shared hosting accounts to it.

    I have come to a point where I thought I should start asking questions - a couple of problems and a couple of "I dunno's".

    1. Security Advisor:
    I ran the Security Advisor and got the following 'fails'
    A) Apache vhosts are not segmented or chroot()ed - not sure about this yet
    B) No brute force protection detected - will install CSF/LFD
    C) Frontpage is installed
    ISSUE: I used EasyApache to compile Apache 2.4.7, remove FrontPage, and add mod_bw
    D) Current kernel version is out of date. current: 2.6.32-358.el6, expected: 2.6.32-431.1.2.0.1.el6
    ISSUE: uname -a shows "Linux my.host.com 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux"
    E) SSH password authentication is enabled - not sure about this yet as I've never used ssh keys in lieu of passwords, will research
    F) SSH direct root logins are permitted
    ISSUE: I haven't set up a 2nd user account in CentOS yet. Do I just do this normally via cli (adduser/passwd user), or is there a section in WHM to do this? Also, do I add this user to sudoers normally via cli or is there a section in WHM to do this?

    2. Main Account:
    I haven't added any accounts or domains in WHM yet.
    A) Is there a section in WHM to add the server owner's account with main server domain, or do I just create a normal cPanel account for myself with the main server domain plus addon domains for the rest of my domains?
    B) I am not comfortable logging in as root to WHM. Is there a way to create a new WHM account that can still administer everything or is it normal to use the server's root account to log into WHM all the time?

    3. SFTP to Access All User Homes:
    A) I would like to be able to have a single SFTP login to access all user home directories. Is this possible?
    B) If I decide to host other clients and want to give someone FTP access to their files, can I force SFTP?
    C) If the answer to 3.B is yes, can I also keep them from having shell access outside of SFTP? This is probably a dumb question ...

    Thanks in advance for any help,

    cmo
     
  2. cmo

    Since I can't edit my post, I thought I would update here.

    I have managed to take care of
    1.A: I recompiled with mod_ruid2
    1.C: I overlooked rpm -e frontpage a thousand times :eek:
    1.E: That wasn't as scary as I thought, I like key + key password :cool:

    I could still use help with the rest.
     
  3. cmo

    Update # 2

    Everything in section 1 except item 1.D has been sorted. I have no idea why it still says my kernel is out of date.

    Server Status > Server Information shows:

    In addition, I now have a new problem. I have managed to get a CSF rating of 137/140, but I am still able to send email out via very simple (not secure) PHP scripts.

    How do I stop this? I would like that all PHP email scripts have to authenticate using a real email account on the VPS.

    Apache settings:

    CSF SMTP settings:

    cPanel Tweak settings for mail:
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. cmo

    Thank you so much for that link, Michael. I looked at that before but somehow overlooked the last part about renaming sendmail. That's what I was looking for :)

    One quick follow-up question ... will renaming sendmail prevent WHM root messages and CSF messages from going out?
     
  6. cmo

    In CSF I found an option to change from sendmail to smtp and tested the email by issuing su while logged in as a user (enter 127.0.0.1 for LF_ALERT_SMTP). Will I need to make a similar setting change for WHM root messages?
     
  7. cPanelMichael

    There are no such configurable settings for messages sent out by cPanel/WHM. Feel free to test this and let us know if you no longer receive notifications from cPanel/WHM.

    Thank you.
     