What do I need to install for security?

Discussion in 'Security' started by popeye, May 23, 2013.

  1. popeye

    popeye Well-Known Member

    Hi,

    I have had managed servers for years and am just now getting our own, and I just wanted to know what the best things to install for security are. Any help would be very much appreciated.
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

  3. popeye

    popeye Well-Known Member

  4. 24x7server

    24x7server Well-Known Member

  5. popeye

    popeye Well-Known Member

  6. storminternet

    storminternet Well-Known Member

    Install ClamAV from WHM > Home » cPanel » Manage Plugins if you have not already installed it.
     
  7. 24x7server

    24x7server Well-Known Member

  8. whm-expert

    whm-expert Active Member

    Install mod_security and use these rules:


    Code:
    # Deprecated due to security issues, so it should be off. See "ModSecurity Blog: Transformation Caching Unstable, Fixed, But Deprecated": http://blog.modsecurity.org/2008/08/transformation.html
    SecCacheTransformations Off
    
    # Check Content-Length and reject all non numeric ones
    SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'1234123444'"
    
    # Do not accept GET or HEAD requests with bodies
    SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'1234123443',tag:'PROTOCOL_VIOLATION/EVASION'"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
    
    # Require Content-Length to be provided with every POST request.
    SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'1234123442',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
    
    # Don't accept transfer encodings we know we don't know how to handle
    SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'1234123441',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"
    
    # Check decodings
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'1234123440',severity:'4'"
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
    
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'1234123439',severity:'4'"
    
    # Proxy access attempt
    SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'1234123438',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
    
    # Restrict type of characters sent
    SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    	"@validateByteRange 1-255" \
    	"log,auditlog,msg:'Invalid character in request', severity:'2',id:'1234123437',t:urlDecodeUni,phase:1"
    
    SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    	"deny,log,auditlog,msg:'Invalid character in request',id:'1234123436',severity:'4',t:urlDecodeUni,phase:2"
    
    # allow request methods
    SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
        "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'1234123435',tag:'POLICY/METHOD_NOT_ALLOWED'"
    
    # Restrict file extension
    # removed exe so that frontpage will work
    
    # Restricted HTTP headers 
    SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
        "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'1234123434',severity:'4'"
    
    # Security scanner signatures (User-Agent, request header name, probe path)
    SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123433',severity:'2'"
    SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123432',severity:'2'"
    SecRule REQUEST_FILENAME "^/nessustest" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123431',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \
            "deny,log,auditlog,msg:'Rogue web site crawler',id:'1234123430',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
            "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'1234123429',severity:'5'"
    SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
    
    # Session fixation
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie" \
            "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1234123428"
    SecAction phase:2,pass,nolog,skipAfter:1234123454,id:1234123427
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
            "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'1234123426',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
    SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
            "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'1234123454',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
    
    # Blind SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \
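
To see what the protocol-violation rules in the post above actually reject, here is a small Python model of five of them, checked in the order they appear in the configuration. It is an added example, not part of the original post and not ModSecurity code; the sample requests are constructed, and the 403 for the first rule assumes the engine's default deny status because that rule sets none.

```python
import re

# Constructed sample requests: (method, request URI, headers).
SAMPLES = [
    ("GET", "/index.php", {"Host": "example.test"}),
    ("GET", "/index.php", {"Content-Length": "12"}),
    ("POST", "/login", {"Content-Length": "1e3"}),
    ("POST", "/upload", {"Transfer-Encoding": "chunked"}),
    ("POST", "/upload", {"Content-Length": "5", "Transfer-Encoding": "chunked"}),
    ("GET", "http://other.test/", {"Host": "example.test"}),
]

def header(headers, name):
    """Case-insensitive lookup; None when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def evaluate(method, uri, headers):
    """Return (rule id, HTTP status, msg) of the first denying rule, or None."""
    cl = header(headers, "Content-Length")
    te = header(headers, "Transfer-Encoding")
    # Content-Length "!^\d+$": only evaluated when the header exists.
    # The rule sets no status; 403 is the assumed engine default for deny.
    if cl is not None and not re.search(r"^\d+$", cl, re.ASCII):
        return ("1234123444", 403, "Content-Length HTTP header is not numeric")
    # Chain: method is GET or HEAD, then Content-Length "!^0?$".
    if re.search(r"^(?:GET|HEAD)$", method) and cl is not None \
            and not re.search(r"^0?$", cl):
        return ("1234123443", 400, "GET or HEAD requests with bodies")
    # Chain: method is POST, then &REQUEST_HEADERS:Content-Length "@eq 0",
    # i.e. the number of Content-Length headers is zero.
    if re.search(r"^POST$", method) and cl is None:
        return ("1234123442", 400, "POST request must have a Content-Length header")
    # Transfer-Encoding "!^$": any non-empty value, "chunked" included.
    if te is not None and not re.search(r"^$", te):
        return ("1234123441", 501, "ModSecurity does not support transfer encodings")
    # REQUEST_URI_RAW ^\w+:/ : request line carries an absolute URI.
    if re.search(r"^\w+:/", uri, re.ASCII):
        return ("1234123438", 400, "Proxy access attempt")
    return None

if __name__ == "__main__":
    for method, uri, headers in SAMPLES:
        print(method, uri, headers, "->", evaluate(method, uri, headers))
```

In this model a chunked POST without a Content-Length header is denied by rule 1234123442 before the Transfer-Encoding rule is reached, so clients that upload with chunked encoding are rejected either way.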
     
  9. popeye

    popeye Well-Known Member

    Hi, not sure what you mean by the above "Install mod_security, use these rules"?

    Do I have to add all that text somewhere?
     
  10. robb3369

    robb3369 Well-Known Member

    Although Chirpy is too busy to take on new clients, here is a list of what he does for his cPanel hardening, and it should point you in the right direction:

    ConfigServer Server Services

    Once you get CSF installed, it will recommend further settings... I agree with 24x7 on all his recommendations as well.

    If you get stuck, you may be better off getting some help, but be warned... some "admins" just run a few scripts and cross their fingers that everything gets installed correctly.
     
  11. popeye

    popeye Well-Known Member

    There are loads of things; I don't know what most of them are :( Also, do I have to do this on every server I have, or is there a way I can back up all my settings for the next one?
     
  12. robb3369

    robb3369 Well-Known Member

    I would suggest either getting a server admin to do this for you or get your DC to manage the server. And yes, every server gets this done.
     
  13. faisikhan

    faisikhan Well-Known Member

  14. popeye

    popeye Well-Known Member

    Thanks very much, that site is great. I can't believe how easy it is to update the system with those commands.
     