The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

What do i need to install for security

Discussion in 'Security' started by popeye, May 23, 2013.

  1. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Hi,

    I have had managed servers for years, and just now getting our own and just wanted to know what's the best things to install for security ? any help would be very much appreciated.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
  4. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  5. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
  6. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Install ClamAV from WHM > Home »cPanel »Manage Plugins if you have not already installed.
     
  7. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  8. whm-expert

    whm-expert Active Member

    Joined:
    Nov 10, 2012
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Install mod_security
    user these rule


    Code:
    # Deprecated due to security issues so it should be off: [url=http://blog.modsecurity.org/2008/08/transformation.html]ModSecurity Blog: Transformation Caching Unstable, Fixed, But Deprecated[/url]
    SecCacheTransformations Off
    
    # Check Content-Length and reject all non numeric ones
    SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'1234123444'"
    
    # Do not accept GET or HEAD requests with bodies
    SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'1234123443',tag:'PROTOCOL_VIOLATION/EVASION'"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none
    
    # Require Content-Length to be provided with every POST request.
    SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'1234123442',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none
    
    # Don't accept transfer encodings we know we don't know how to handle
    SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'1234123441',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"
    
    # Check decodings
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
    	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'1234123440',severity:'4'"
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
    
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'1234123439',severity:'4'"
    
    # Proxy access attempt
    SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'1234123438',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"
    
    # Restrict type of characters sent
    SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
    	"@validateByteRange 1-255" \
    	"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'1234123437',t:urlDecodeUni,phase:1"
    
    SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
    	"deny,log,auditlog,msg:'Invalid character in request',id:'1234123436',severity:'4',t:urlDecodeUni,phase:2"
    
    # allow request methods
    SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
        "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'1234123435',tag:'POLICY/METHOD_NOT_ALLOWED'"
    
    # Restrict file extension
    # removed exe so that frontpage will work
    
    # Restricted HTTP headers 
    SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
        "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'1234123434',severity:'4'"
    
    SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123433',severity:'2'"
    SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123432',severity:'2'"
    SecRule REQUEST_FILENAME "^/nessustest" \
            "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123431',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)" \
            "deny,log,auditlog,msg:'Rogue web site crawler',id:'1234123430',severity:'2'"
    
    SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
            "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'1234123429',severity:'5'"
    SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
    
    # Session fixation
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie" \
            "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1234123428"
    SecAction phase:2,pass,nolog,skipAfter:1234123454,id:1234123427
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
            "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'1234123426',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
    SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
            "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'1234123454',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
    
    # Blind SQL injection
    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \
     
  9. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Hi not sure what you mean by above Install mod_security user these rule ?

    Do i have to add all that text somewhere ?
     
  10. robb3369

    robb3369 Well-Known Member

    Joined:
    Mar 1, 2008
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Although Chirpy is too busy to take on new clients, here is a list of what he does for his cpanel hardening and should point you in the right direction:

    ConfigServer Server Services

    Once you get CSF installed, it will recommend further settings... I agree with 24x7 on all his recommendations as well.

    If you get stuck, you may be better off getting some help, but be warned... some "admins" just run a few scripts and cross their fingers that everything gets installed correctly.
     
  11. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    There is loads of things i don't know what most of them are :( also do i have to do this on every server i have or is there a way i backup all my settings for the next one ?
     
  12. robb3369

    robb3369 Well-Known Member

    Joined:
    Mar 1, 2008
    Messages:
    122
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I would suggest either getting a server admin to do this for you or get your DC to manage the server. And yes, every server gets this done.
     
  13. faisikhan

    faisikhan Well-Known Member

    Joined:
    Dec 12, 2011
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Islamabad, Pakistan
    cPanel Access Level:
    Root Administrator
  14. popeye

    popeye Well-Known Member

    Joined:
    May 23, 2013
    Messages:
    313
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Thanks very that site is great, i cant believe how easy it is to update the system with them commands.
     
Loading...

Share This Page