The Community Forums


System Security

Discussion in 'Security' started by scottgem, May 9, 2003.

Thread Status:
Not open for further replies.
  1. scottgem

    scottgem Member

    If my server is fully updated with all the RedHat Network updates and is running the newest release of Cpanel, is there anything else I can do to ensure the security of my server? Any suggestion would be great. Thanks in advance.

    Scott
     
  2. xsenses

    xsenses Well-Known Member

    Here are a few items I have done. A few of the items are debatable by various folks (what isn't).

    1. Turn PHP safe mode on
    2. Disable direct root login
    3. Allow only trusted users to run cron jobs by /etc/cron.allow
    4. Run chkroot daily in cron
    5. Do not give shell access
    6. Disable unused services


    Pray
     
  3. MscLimp

    MscLimp Active Member

    I have some questions about this...
    - How do you disable direct root login? What exactly does this do?
    - "Run chkroot daily in cron" what does this do? How do I turn it on?
    - "Disable unused services" such as....?
    And again, how would I do this?


    Thanks a lot,
    Greg

     
  4. xsenses

    xsenses Well-Known Member

    1. To disable root login you have to edit /etc/ssh/sshd_config (not really going to do much if running cPanel/WHM - because if someone gets root and logs into WHM it is over anyway), it denies the ability to ssh into root.
    2. chkrootkit is located at chkrootkit.org and must be installed
    3. You can disable quite a few services very easily from the Service Manager in WHM
    4. Use a firewall - do a search for APF on the forums
    5. use up2date
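
Added example, not part of the original thread: a small checker for the `/etc/ssh/sshd_config` edit described in item 1 above. It resolves which `PermitRootLogin` value is actually in effect, since sshd uses the first value it reads for a keyword and `Match` blocks can override it. The function names, the sample file and the `default` argument are assumptions of this example.

```python
import re

# Constructed sample, not taken from the thread. The commented-out line is
# ignored, and of the two live global lines only the first one counts.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
"""

# keyword, then whitespace or a single '=', then the arguments
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")


def permit_root_login(text, default="prohibit-password"):
    """Return (global value, [(Match criteria, value), ...]).

    `default` is reported when the keyword is absent; it is an assumption
    of this example and depends on the OpenSSH version in use.
    """
    global_value = None
    overrides = []
    criteria = None            # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.fullmatch(line)
        if m is None:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            criteria = value   # a Match block runs to the next Match or EOF
        elif keyword == "permitrootlogin":
            if criteria is None:
                if global_value is None:      # first value wins
                    global_value = value
            elif criteria not in [c for c, _ in overrides]:
                overrides.append((criteria, value))
    return global_value or default, overrides


def root_password_login_possible(text):
    """True if root may log in with a password, globally or in a Match block."""
    value, overrides = permit_root_login(text)
    return value == "yes" or any(v == "yes" for _, v in overrides)
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.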
     
  5. www-lab

    www-lab Well-Known Member

    Turning PHP safe mode to ON will not help you. CGI scripts will still work. It's better to use open_basedir + disable_functions.

    I don't get the root login part. Just change your password periodically and don't write it anywhere, just keep it in your head. Nobody can get direct root access via ssh unless somebody can read your mind :)

     
  6. xsenses

    xsenses Well-Known Member

    I know this has been argued to death in other forums, but the main point on the ssh direct login is that if you have to su to root it would take 2 password cracks, and php_safe_mode on is just another added measure, not that it can't be worked around.
     
  7. casey

    casey Well-Known Member

    Forgive my ignorance, but how does one go about "cracking" someone else's password? If I have one good root password, why would I need two of them? I'm not arguing, I just want to know what the advantage is. If it's more secure then I think I'd like to do it.

     
  8. xsenses

    xsenses Well-Known Member

    I am no security expert by any means, but was hoping to share the things I have done and things others have done. There are brute force cracking/library scripts, and if you created an easy password or a word in the dictionary (admin/god/superman etc.) it might be real easy just to guess it, not to mention the datacenter most likely emailed it when they set up your server. If you have to su - root you would have to break 2 accounts.
     
  9. MscLimp

    MscLimp Active Member

    xsenses,
    Thanks for clearing me up on how to do those.... but you didn't really mention exactly what they do... :(

     
  10. xsenses

    xsenses Well-Known Member

  11. Pda0

    Pda0 Well-Known Member



    Can you give details on that?

    thanks

    .pd

     
  12. Pda0

    Pda0 Well-Known Member

    I thought that upcp & co did upgrade packages? up2date can harm cpanel, yes?

    .pd

     
  13. casey

    casey Well-Known Member

    If you follow the instructions at
    http://admin0.info/security/introduction.html
    you'll be fine. Upcp does not upgrade the kernel.

     
  14. PbG

    PbG Well-Known Member

    Highly recommended!

    Minimally I suggest everyone update their packages and errata.
    Disable Telnet
    Disable compiler
    Terminate SSH for all except root/trusted customers
    Change root password frequently


    The following site provides very good instructions on doing all of this. Remember kernel upgrades require a reboot. Graceful as it may be . . . cheers!

     
  15. casey

    casey Well-Known Member

    Re: Highly recommended!

    Out of curiosity, why should the root password be changed frequently? Is there a chance that the password might get leaked physically (since I don't believe in psychic abilities:))?

     
  16. MscLimp

    MscLimp Active Member

    How do you use open_basedir and the disable_functions?
    I have PHP safe mode ON, and lots of people need it OFF...
    Could you help me out?

    cPanel.net Support Ticket Number:
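
Added example, not part of the original thread: the `open_basedir` and `disable_functions` settings asked about above, shown as a weak `php.ini` excerpt beside a hardened one, with a small audit that reports what each leaves open. The function names, the baseline function set, the account path and both excerpts are assumptions of this example.

```python
# Process-execution functions to look for in disable_functions. The names are
# real PHP functions; choosing this set as the baseline is an assumption.
EXEC_FUNCTIONS = {"exec", "system", "passthru", "shell_exec", "popen", "proc_open"}

# Constructed "before" excerpt: safe_mode is the only control in place.
WEAK_PHP_INI = """\
[PHP]
safe_mode = On
open_basedir =
disable_functions = exec, system ,passthru
"""

# Constructed "after" excerpt; the account path is hypothetical.
HARDENED_PHP_INI = """\
[PHP]
safe_mode = Off
open_basedir = "/home/exampleuser/:/tmp/"
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
"""


def parse_ini(text):
    """Parse `name = value` lines; later assignments overwrite earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        name, value = line.split("=", 1)
        value = value.split(";", 1)[0]          # drop a trailing comment
        settings[name.strip()] = value.strip().strip('"')
    return settings


def audit(text):
    """Report the two settings recommended in the thread, plus safe_mode."""
    ini = parse_ini(text)
    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",")}
    return {
        # safe_mode was removed in PHP 5.4, so it cannot be the only control
        "safe_mode": ini.get("safe_mode", "").lower() in ("on", "1", "true", "yes"),
        "open_basedir": [p for p in ini.get("open_basedir", "").split(":") if p],
        "still_callable": sorted(EXEC_FUNCTIONS - disabled),
    }
```

An empty `open_basedir` list means PHP scripts can open any path the web server user can read; a non-empty `still_callable` list names the process-execution functions a script can still call.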
     
  17. sexy_guy

    sexy_guy Well-Known Member

    Unplug your server from the power. You're as secure as you can be.

     
  18. casey

    casey Well-Known Member

    Re: Re: System Security

    But ssh will stop working then, won't it?

     
  19. goodmove

    goodmove Well-Known Member

    Re: Re: Re: System Security

    :D
     
  20. isputra

    isputra Well-Known Member

    And whm/cpanel will not be online then, will it? :confused:

     
    #20 isputra, Aug 9, 2003
    Last edited: Aug 9, 2003