The Community Forums


Server Security Checklist - Secure your box now!!

Discussion in 'Security' started by GetWired, Sep 6, 2003.

  1. GetWired

    Last updated: 9/06/03

    Originally posted by me at rackshack.
    http://forum.rackshack.net/showthread.php?s=&threadid=30333

    There are a lot of things floating around the forums on what to install to get the best degree of safety. A lot of these things are basic, and should be done right after getting ANY server. I have taken the time to do the homework for you and put it in a simple checklist form. To me, an insecure box on RS's network is a threat to me and anyone else on the network, so please, take the time to secure your box.

    The main goal of this checklist will be to help any one person set up a working, secure server.

    I run mostly cPanel servers, but control panel upgrades should be around the same method and the most basic thing to perform; therefore I will not go in depth on other control panels.

    This checklist assumes you know the basics of Linux, the shell, and are using this all via SSH with the program PuTTY.

    Note: This is a common mistake people have; anything listed here must be done as root. To get root, please use the command "su -" not "su".

    ######################
    ~~~~~~~~~~~~~~~~~~~~
    ######################

    Things to do on your server in order of importance:
    • Full cPanel (stable) upgrade [Already installed cPanel/WHM feature] [Link]
      Note: This should upgrade OpenSSH and all of that good stuff so all those locks show locked.
    • Recompile Apache [Already installed cPanel/WHM feature]
    • Bind sshd to only 1 IP, make it a different IP than your main site, and put it on a different high-level port. Not to forget, disable direct root login.

      Note 2: Though you could still log in to root by logging into admin and "su -" to root, it would be best to delete the admin login from your server. This'll give hackers an even harder time trying to crack your box. You should keep in mind that the admin login is only a rackshack thing, and is not a default thing, so it might be best to remove it anyway. Delete user admin, add another user, and add that user to the user group wheel.
    • Have the server e-mail every time someone logs in as root:

      Advice from freddo:
      Make sure the email address you send to also forwards to an off-server email address. This way the hacker cannot delete the warning email (without hacking another server anyway).
    • Disable Telnet:

    • Chroot/Jail [Link]
      Note: If you have a cPanel server there is a feature already included to jail the shell account. Please do this ASAP if you plan on giving out shell accounts.
    • APF Firewall
    • Tripwire [Link]
    • Email Anti-Virus Scanner (MailScanner) & Anti-Virus Scanner (ClamAV) [Link]
    • chkrootkit [Link]
    • Disable direct root login [Link]
    • PRM (Process Resource Monitor) [Link]
    • MRTG bandwidth monitor
    • Mask Apache server & services version numbers [Link]
    • Set a SSH legal message [Link]
      Note: I like to put a legal notice here. Something like:

      This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by user or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.

    ######################
    ~~~~~~~~~~~~~~~~~~~~
    ######################

    That's about all I have, other than a set of 'always do this' rules.

    1.) Always try to use SFTP.
    2.) Always use the SSH2 protocol.
    3.) Never ever have passwords lying around or use easily crackable passwords. A nice password holder and generator program is Personal Vault. You can check it out and download it here [Link]

    I plan on making a definitive how-to page on my website on how to properly secure your cPanel box to its fullest, with each how-to on its proper page so you don't have to go looking around. However, that is once I get permission from each person that wrote each HOWTO. :p

    If you have a comment on this or something you think should be added, please PM me. I want to keep this thread as clean as possible so newbs don't have to scroll through pages of stuff.

    I will constantly update this when required.

  3. Radio_Head

    Good, I think too we should have it stickied, please.
    Another good idea could be to have a "cPanel Security Forum"; I asked for it a long time ago, but it was never activated.

    GetWired, what do you think of these things?

    a) "web root protection" with phpsuexec. Is it good to have it? (Or is it still better to have PHP safe mode ON without phpsuexec?)

    b) cPanel demo. I noticed recently it is safer. Since I had some intrusions from providing the cPanel demo, do you think the cPanel demo is safer now?


    Bye

  4. GetWired

    Hey, thanks mate.

    I'd say you'll be fine with just phpsuexec on. Sometimes a lot of scripts break if you have safe mode on.

    The cPanel demo HAS become a lot better to use, but I'd still make sure that shell is off and that it has a 0 quota for space, bandwidth, databases, etc... so nothing can be changed, just in case.

    Other than that, it's all great. :)

  5. Jeff Schwartz

    SFTP under JailShell needed

    Yet another reason to support SFTP. Sending FTP username/password cleartext is a big security hole for just about anyone to gain access to your account.

    I use a public wireless AP (no WEP) when away from home, and would like to encrypt everything important.
     
  6. visiondream3

    customised firewall

    Hello,
    I'm trying to enable a customised firewall for a cPanel server. In the process, I decided to enable individual ports which are required in the INPUT chain.
    Here it is:
    $IPT -A INPUT -p tcp -s 0/0 --dport 993 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 1 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 995 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 783 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 111 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 143 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 465 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 953 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 2082 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 2086 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j ACCEPT
    $IPT -A INPUT -p tcp -s 0/0 --dport 1024:65535 -j ACCEPT
    $IPT -A INPUT -p udp -s 0/0 -j ACCEPT

    But I realised that with FTP in use, I'm unable to take away the second-last line, which allows the higher non-privileged ports to be open.

    Is there a way to tweak FTP, without going for secure FTP, so that I can close down those ports as well?

    I need only those ports which require service to be open.
    Any new ideas will be appreciated.
     
  7. SarcNBit

    It depends on which ftp package you are using, but with any decent package you can define the range of ports used. You can then setup your firewall to only allow the specific range you have defined.
     
  8. visiondream3

    How do I do that? Can you help?
    I couldn't find anything in the conf. I use pure-ftpd.
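What SarcNBit describes, applied to the rule set in post 6 and to pure-ftpd: an added example, not visiondream3's script nor anything from the cPanel or pure-ftpd projects. It assumes iptables at /sbin/iptables, that the INPUT chain's policy is DROP, and an arbitrary passive range of 30000-30100; the `PassivePortRange` directive is pure-ftpd's own.

```shell
#!/bin/sh
# Added example: tighten the INPUT chain from post 6 by replacing the 1024:65535
# catch-all with the passive range that pure-ftpd is configured to use.
# Assumptions: iptables at /sbin/iptables, /etc/pure-ftpd.conf is the config file,
# and 30000-30100 is an arbitrary passive range chosen for this example.
IPT=/sbin/iptables
PASV_LO=30000
PASV_HI=30100

# Service ports from the original rule set, without the catch-all range and without
# the blanket "-p udp -j ACCEPT". Port 1 is omitted (assumed to be a typo in the
# original; confirm what actually listens with "netstat -lnt" before applying).
SERVICE_PORTS="21 22 25 53 80 110 111 143 443 465 783 953 993 995 2082 2086 3306"

# The line to put in /etc/pure-ftpd.conf so data connections stay inside the range.
pureftpd_passive_line() {
    echo "PassivePortRange $PASV_LO $PASV_HI"
}

# Emit (default) or apply the rules:  generate_rules        -> prints each command
#                                     generate_rules "$IPT" -> runs iptables for real
generate_rules() {
    ipt="${1:-echo $IPT}"
    for p in $SERVICE_PORTS; do
        $ipt -A INPUT -p tcp -s 0/0 --dport "$p" -j ACCEPT
    done
    # Passive FTP: the client connects back to a port in the configured range.
    $ipt -A INPUT -p tcp -s 0/0 --dport "$PASV_LO:$PASV_HI" -j ACCEPT
    # Replies to connections the server itself opened (DNS lookups, outbound mail).
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # UDP: DNS only, instead of accepting all UDP.
    $ipt -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
}

# Review check: the wide-open range must be gone and the passive range present.
rules_are_tight() {
    generate_rules | grep -q -- '--dport 1024:65535' && return 1
    generate_rules | grep -q -- "--dport $PASV_LO:$PASV_HI"
}
```

Print the rules first and compare them with the existing script before running with "$IPT"; if the ip_conntrack_ftp helper is loaded, the ESTABLISHED,RELATED rule admits passive data connections by itself and the range rule can be dropped as well.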
     
  9. damainman

    In WHM where it has Install RPMs... in the list provided it shows Tripwire.... Does that mean it's installed, or can I safely choose it and install it, or should I just download the source and install it myself?
     
  10. visiondream3

    Yep, Tripwire installation could be done that way, but you've got to configure it afterwards (for monitored files).
    But then, does anybody have a clue about my question above? Any help will be appreciated because it's annoying having to allow 1024:65535 in the firewall.
    FTP rejects passive mode transactions if I take that away :(
     
  11. damainman

    Thank you...

    But is it safe to do it that way? Or should i just do it from source?
     
  13. macmeister

    SFTP Not Possible

    cPanel requests we use jailshell for security reasons, but this breaks the ability to allow secure transactions using SCP and/or SFTP and other commands like tail, etc.

    Please, if there is a configuration change that needs to be made on our server to get other GUI SSH tools to work, let me know what that is. But to reproduce just one of the problems do this below (no GUI necessary):

    See that this standard command works right now:
    /bin/ls -la | /usr/bin/uuencode f-o_++_o-f

    1. From window one, SSH in with:
    ssh -l user www.domain.com

    2. From your local machine in another terminal do an upload with:
    scp -p test.txt user@www.domain.com:/home/user

    3. Go back to window one and again try:
    /bin/ls -la | /usr/bin/uuencode f-o_++_o-f
    (it worked before the upload, now the command doesn't exist!!!)

    Still no fix. I'm finding more posts on this forum all the time of individuals not being able to SFTP. My only solution now is to use FTP, and this is unacceptable and insecure!
     
  14. cyo

    Re: SFTP Not Possible

    I would also like this fixed; I would jail most of my accounts if this is fixed.
     
  15. cyo

    I am trying to get APF but www.r-fx.net is no longer there. Does anyone know where I can get APF?
     
  17. Doctor

    .bash_profile NOTIFICATION CONFUSION

    I just edited the .bash_profile like getwired suggested.

    Why is it that when I login to root when someone logs in to jailshell, I get a notification that says myself and the others have logged into root?
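The checklist's "e-mail every time someone logs in as root" item, as an added example for /root/.bash_profile that is not from the original post or from cPanel: it fires only for uid 0, so a user or jailshell session that happens to source the same file sends nothing. The recipient address is a placeholder (forward it off-server, per freddo's advice); a local `mail` command and sshd setting `SSH_CLIENT` are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): alert on every interactive root shell.
# Assumptions: a local "mail" command, ALERT_TO is a placeholder address, and sshd
# sets SSH_CLIENT for SSH sessions ("su -" clears it, which the fallback text reflects).
ALERT_TO="root-alerts@example.invalid"

# Builds the alert text. uid, login name, SSH_CLIENT value and hostname are passed in
# rather than read from the environment so the logic can be exercised without a login.
# Returns 1 and prints nothing for any uid other than 0, so a user or jailshell login
# that sources this file does not produce a "root logged in" mail.
root_login_alert() {
    uid="$1"; who="$2"; client="$3"; host="$4"
    [ "$uid" -eq 0 ] || return 1
    src="${client%% *}"                  # SSH_CLIENT is "ip client-port server-port"
    [ -n "$src" ] || src="local console or su -"
    printf 'ALERT: root shell on %s (login %s) from %s at %s\n' \
        "$host" "$who" "$src" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# At login time: mail the alert only when this really is a root shell. logname gives
# the account that originally logged in, so "su -" alerts still name the real user.
if msg=$(root_login_alert "$(id -u)" "$(logname 2>/dev/null || id -un)" "${SSH_CLIENT:-}" "$(uname -n)"); then
    command -v mail >/dev/null && printf '%s\n' "$msg" | mail -s "root shell on $(uname -n)" "$ALERT_TO"
fi
```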
     
  18. Alterego

    Re: SFTP Not Possible

    Yes, please fix the Jail Shell, or better yet, remove it entirely. It's a laughable product in security circles. Use something that doesn't break existing security standards; perhaps something like pdksh for an excellent Bourne shell.


     
  19. kris1351

    Is there a way to block root direct logins and not break secondary server DNS updates?
     
  20. kris1351

    Well it seems that changing to Protocol 2 actually messed up /scripts/dnstransfer on the secondary. Now it asks for a login even though I set up a Trust Relationship through WHM. Anyone have any help on making it so we can secure SSH more and not lose secondary DNS functions?
     