The Community Forums

Interact with an entire community of cPanel & WHM users!

Security measures to host malicious students

Discussion in 'Security' started by calande2, Jun 28, 2007.

Thread Status:
Not open for further replies.
  1. calande2

    calande2 Well-Known Member

    Joined:
    Jun 28, 2005
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    I am going to host students of computer science. They love to hack around and I need to take security measures to host malicious students. I'm thinking about, for instance, limiting daily e-mails to no more than 100 e-mails sent per day per student. Is there a way I could do that? What else do you think I could limit so that they don't break too many things? :)
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    You can limit the number of emails sent per hour per domain in WHM. I'd also recommend securing your /tmp directory by running /scripts/securetmp and preventing user nobody from doing anything (this can be done in WHM -> Server Configuration -> Tweak Settings).

    In addition, I'd recommend running phpSuExec or suPHP along with suExec so that scripts run as the user they are running under instead of "nobody" so it is easier to track abuse.

    The Security Center (WHM -> Security -> Security Center) has many nifty settings you can enable including Brute Force Protection, Fork Bomb protection and such. Disabling compilers if the students don't need it is a good idea as well.

    Also, if the students do not need shell access, do not grant shell access. If they need shell access, give them only jailed shell access.

    cPanel/WHM comes with most of the tools you need to harden your server against malicious users. However, you will need to take a little bit of time to enable the features you feel are most appropriate for your server.
     
  3. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I would suggest unplugging the network from that server !!!!!!!!!!!!! or you will wind up being the "student"
     
  4. dysk

    dysk Well-Known Member

    Joined:
    Apr 22, 2003
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Honestly, if I were you I wouldn't use a cPanel server, as it opens up a lot of variables that aren't on a standard linux box. Consider setting up a virtual-server based system, or heavily jailed accounts.
     
  5. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    or put them on a windows box so they will have plenty of other hackers and hacks they can try and learn from.
     
  6. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    Lol

    I absolutely had to laugh when reading this...


    One suggestion I would make is to do a few things

    1. mod-bandwidth
    2. mod-security
    3. csf and lfd (see chirpy's firewall)
    4. jail-shell (if any)
    5. Hardware Firewall
    6. Keep the OS up to date
    7. Keep cPanel up to date
    8. Keep Kernel Patched
    9. Keep 3rd Party Apps up to date (perl, php, and even scripts)
    10. change ssh to protocol 2 only
    11. Do not allow root direct logins - force su logins
    12. Disable Telnet
    13. Disable all unnecessary ports ("nmap -sT -O localhost" will show all open ports)
    14. Install Log Watch (www.logwatch.com)
    15. Review logs daily
    16. force notification on any root or su login to external e-mail address
    17. Limit the Kernel's capability (LCAP or similar)
    18. Disable cPanel's form-mails
    19. Change the MySQL root password (do not make it the same as the server's root pass either)
    20. Install SuExec
    21. Utilize PhpSuexec
    22. Disable Compilers
    23. Change the default port for SSH
    24. Force use of SSL ports for all cpanel and whm access
    25. Allow Listen Address for SSH to only 1 ip (perhaps an internal ip only )
    26. Utilize iptables tunnel all SSH traffic to the ip you want it to go to (your desk only perhaps)
    27. AUDIT AUDIT AUDIT
    28. harden sysctl.conf
    29. Install chkrootkit
    30. chmod dangerous files to root only
    31. Secure /tmp, /var/tmp, and /dev/shm partitions
    32. Install RkHunter
    33. Disable dangerous PHP functions
    34. Do not allow external mysql connections
    35.


    I am sure there are more - but that should help you get started :)

    :)
     
    #6 hostmedic, Jul 2, 2007
    Last edited: Jul 2, 2007
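    Several of the items above, and cPanelDavidG's earlier advice about securing /tmp, can be verified on the box rather than just ticked off. The Python script below is an added example, not code from this thread or from cPanel: it checks sshd_config for protocol 2 only, no direct root login, a non-default port and a restricted ListenAddress (items 10, 11, 23 and 25), checks /proc/mounts for noexec,nosuid on /tmp, /var/tmp and /dev/shm (item 31 and /scripts/securetmp), and checks my.cnf for a loopback-only bind-address or skip-networking (item 34). The configs embedded in it are constructed samples; to audit a real server, pass the contents of /etc/ssh/sshd_config, /proc/mounts and /etc/my.cnf to failures().

```python
"""Offline audit of hardening items recommended in this thread: sshd
settings, noexec/nosuid on the temporary filesystems, and MySQL refusing
external connections. Each checker takes file text, so it runs on the
constructed samples below and, unchanged, on a real /etc/ssh/sshd_config,
/proc/mounts and /etc/my.cnf read from disk."""
import re

# Constructed samples (not from any real server): a weak and a hardened config.
SSHD_WEAK = "Port 22\nProtocol 2,1\nPermitRootLogin yes\n"
SSHD_HARDENED = "Port 2222\nProtocol 2\nListenAddress 10.0.0.5\nPermitRootLogin no\n"
MOUNTS_WEAK = "/dev/sda1 / ext3 rw 0 0\ntmpfs /dev/shm tmpfs rw 0 0\n"
MOUNTS_HARDENED = (
    "/dev/sda1 / ext3 rw 0 0\n"
    "/usr/tmpDSK /tmp ext3 rw,noexec,nosuid 0 0\n"
    "/usr/tmpDSK /var/tmp ext3 rw,noexec,nosuid 0 0\n"
    "tmpfs /dev/shm tmpfs rw,noexec,nosuid 0 0\n"
)
MYCNF_WEAK = "[mysqld]\ndatadir=/var/lib/mysql\n"
MYCNF_HARDENED = "[mysqld]\ndatadir=/var/lib/mysql\nbind-address=127.0.0.1\n"

TMP_MOUNTS = ("/tmp", "/var/tmp", "/dev/shm")


def parse_sshd(text):
    """Map each keyword (lower-cased) to its values in file order.
    sshd honours the FIRST occurrence of a keyword, so a hardening line
    appended below a weak one is ignored; callers therefore read index 0."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            values.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return values


def audit_sshd(text):
    """Checks for items 10, 11, 23 and 25 of the list above."""
    cfg = parse_sshd(text)

    def first(key, default):
        return cfg.get(key, [default])[0]

    listen = cfg.get("listenaddress", [])
    return {
        # OpenSSH releases that dropped protocol 1 entirely have no Protocol
        # line at all; on such builds treat a missing line as a pass instead.
        "protocol_2_only": first("protocol", "") == "2",
        "root_login_disabled": first("permitrootlogin", "yes").lower() == "no",
        "non_default_port": first("port", "22") != "22",
        "listen_address_restricted": bool(listen)
        and not any(addr in ("0.0.0.0", "::") for addr in listen),
    }


def audit_mounts(text):
    """text is /proc/mounts. True per temp mount point only when it is
    mounted at all and carries both noexec and nosuid."""
    options = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            options[fields[1]] = set(fields[3].split(","))
    return {mp: {"noexec", "nosuid"} <= options.get(mp, set()) for mp in TMP_MOUNTS}


def audit_mysql(text):
    """True when the [mysqld] section binds to loopback only or disables TCP."""
    in_mysqld, local_only = False, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            in_mysqld = line == "[mysqld]"
            continue
        if not in_mysqld:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().replace("_", "-"), val.strip()
        if key == "skip-networking" or (
            key == "bind-address" and val in ("127.0.0.1", "::1", "localhost")
        ):
            local_only = True
    return local_only


def failures(sshd_text, mounts_text, mycnf_text):
    """Names of every failing check; an empty list means everything passes."""
    failed = [name for name, ok in audit_sshd(sshd_text).items() if not ok]
    failed += ["%s_noexec_nosuid" % mp for mp, ok in audit_mounts(mounts_text).items() if not ok]
    if not audit_mysql(mycnf_text):
        failed.append("mysql_accepts_external_connections")
    return failed


if __name__ == "__main__":
    for label, args in (("weak", (SSHD_WEAK, MOUNTS_WEAK, MYCNF_WEAK)),
                        ("hardened", (SSHD_HARDENED, MOUNTS_HARDENED, MYCNF_HARDENED))):
        print(label + ":", ", ".join(failures(*args)) or "all checks pass")
```

    The sshd parser deliberately keeps the first value of each keyword, because that is what sshd itself uses; a PermitRootLogin no appended at the bottom of a file that already says yes higher up changes nothing, which is a common way for a hardening step to look done when it is not. Reading /proc/mounts rather than /etc/fstab matters for the same reason: it reflects what is actually mounted, however it got there.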
  7. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    THEN after all of that ..search entire server for possible students and delete them one at a time and you should be ok ..oh wait ..you want to **allow** students in on purpose? man ..let's see. ahhhh ..isn't that kinda like dumping a pail full of roaches on the floor of your kitchen and then asking how to keep roaches out? cornfusedamicated ????:confused:
     
  8. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    You mean they are about to host YOU!!! LOL
     
  9. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    DO NOT GIVE THEM SHELL ACCESS. EVER. PERIOD. TELL THEM IT DOESN'T EXIST. THAT IS ALL.

    :) Have a nice day.
     
  10. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    check out r1soft

    check out the backup stuff from r1soft

    that might help you restore quickly if ever needed...
     
  11. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    I second that idea!!! At the end of each day or the start of each new day, do a bare metal restore with R1soft's restore.

    That is if you can get them to give you back root access LOL
     
  12. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    414
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator


    Just ran across this and have to say:


    If they have FTP or any other access to place pages on the server then they will eventually manage some form of web shell I would expect.
     
  13. Captin Jack

    Captin Jack Member

    Joined:
    Feb 22, 2011
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    This can be stopped by using a nice set of rules with suhosin. While extreme, I currently use the following on one of my servers that provides free hosting and has just over 1000 accounts (have had no complaints so far about scripts not working) and whenever ClamAV picks up a shell I check it manually and all so far have yet to function.

    Code:
    suhosin.executor.func.blacklist = dl,system,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,escape,shellcmd,pclose,pfsockopen,chgrp,debugger_off,debugger_on,leak,listen,define_syslog_variables,ftp_exec,posix_uname,posix_getpwuid,get_current_user,getmyuid,getmygid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,getservbyport,getservbyname,myshellexec,symlink,escapeshellcmd,posix_getgid,posix_getgrgid,hypot,pg_host,pos,posix_access,posix_getcwd,posix_getservbyname,getpid,posix_getsid,posix_getuid,posix_isatty,posix_mknod,posix_setgid,posix_times,ps_fill,global,ini_restore,bzopen,bzread,bzwrite,apache_get_modules,apache_get_version,phpversion,phpinfo,php_ini_scanned_files,error_log,disk_total_space,diskfreespace,imap_list,hypo,filedump,gethostbyname,safe_mode,apache_getenv,apache_setenv,phpini,dos_conv,get_cwd,cmd,e_name,vdir,get_dir,only_read
    
     
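    A blacklist this long is usually grown by pasting from several sources, and the result tends to accumulate duplicate names, empty entries from a doubled comma, and two names fused together by a missing comma, none of which suhosin will complain about. The Python helper below is an added example, not code from this thread or from the Suhosin project: it pulls the suhosin.executor.func.blacklist value out of php.ini text, reports those defects, emits a cleaned directive, and lets you ask whether a given function name would be blocked. The php.ini fragment inside it is a constructed sample with the defects planted on purpose.

```python
"""Normalise a suhosin.executor.func.blacklist value and test PHP function
names against it. Hand-maintained lists pick up duplicates, empty entries
from a doubled comma, and names that are not valid identifiers; a strict
parser reports those instead of silently carrying them along."""
import re

INI_KEY = "suhosin.executor.func.blacklist"
PHP_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed php.ini fragment (not from any real server) with typical
# defects planted: a duplicate, a doubled comma and a name containing a space.
SAMPLE_INI = """; constructed sample
suhosin.executor.func.blacklist = system,exec, shell_exec,exec,,passthru,Proc_Open,escape shellcmd
suhosin.executor.disable_eval = On
"""


def extract_from_ini(ini_text):
    """Return the raw value of the blacklist directive, or None if unset.
    A ';' starts a comment in php.ini, so anything after it is dropped."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == INI_KEY:
            return value.strip()
    return None


def parse_blacklist(value):
    """Split the comma list into (ordered unique names, problems found).
    Names compare case-insensitively because PHP function names do."""
    names, seen, problems = [], set(), []
    for raw in value.split(","):
        name = raw.strip()
        if not name:
            problems.append("empty entry (doubled or trailing comma)")
        elif not PHP_IDENT.match(name):
            problems.append("not a valid function name: %r" % name)
        elif name.lower() in seen:
            problems.append("duplicate: " + name)
        else:
            seen.add(name.lower())
            names.append(name)
    return names, problems


def is_blocked(function_name, names):
    """True if a call to function_name would hit the cleaned blacklist."""
    return function_name.lower() in {n.lower() for n in names}


def render(names):
    """Write the cleaned list back as a php.ini directive line."""
    return "%s = %s" % (INI_KEY, ",".join(names))


if __name__ == "__main__":
    raw = extract_from_ini(SAMPLE_INI)
    names, problems = parse_blacklist(raw)
    for problem in problems:
        print("problem:", problem)
    print(render(names))
    for fn in ("proc_open", "phpinfo"):
        print(fn, "blocked" if is_blocked(fn, names) else "allowed")
```

    The parser only knows whether an entry is a syntactically valid identifier, not whether PHP actually defines it; to catch a fused or misspelled name, compare the cleaned list against the output of PHP's own get_defined_functions() on the same server, since any entry that is not a real function blocks nothing.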
  14. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    Also advisable to change default SSH port
     
  15. cPanelJared

    cPanelJared Technical Analyst
    Staff Member

    Joined:
    Feb 25, 2010
    Messages:
    1,842
    Likes Received:
    18
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Prior to this week, the last reply to this thread was 3.5 (three and a half) years ago, so it is unlikely that the original poster is still dealing with the same issue. I am closing this thread.
     