What do i need to install for security

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter

popeye

Well-Known Member
May 23, 2013
368
2
18
Texas
cPanel Access Level
Root Administrator

24x7server

Well-Known Member
Apr 17, 2013
1,911
96
78
India
cPanel Access Level
Root Administrator
Twitter

whm-expert

Active Member
Nov 10, 2012
40
0
6
cPanel Access Level
DataCenter Provider
Install mod_security
user these rule


Code:
# Deprecated due to security issues so it should be off: [url=http://blog.modsecurity.org/2008/08/transformation.html]ModSecurity Blog: Transformation Caching Unstable, Fixed, But Deprecated[/url]
SecCacheTransformations Off

# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^\d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'1234123444'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies', severity:'2',id:'1234123443',tag:'PROTOCOL_VIOLATION/EVASION'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'1234123442',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

# Don't accept transfer encodings we know we don't know how to handle
SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'1234123441',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"

# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
	"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'1234123440',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "@validateUtf8Encoding" "deny,log,auditlog,msg:'UTF8 Encoding Abuse Attack Attempt',id:'1234123439',severity:'4'"

# Proxy access attempt
SecRule REQUEST_URI_RAW ^\w+:/ "phase:2,t:none,deny,log,auditlog,status:400,msg:'Proxy access attempt', severity:'2',id:'1234123438',tag:'PROTOCOL_VIOLATION/PROXY_ACCESS'"

# Restrict type of characters sent
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer \
	"@validateByteRange 1-255" \
	"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'1234123437',t:urlDecodeUni,phase:1"

SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" \
	"deny,log,auditlog,msg:'Invalid character in request',id:'1234123436',severity:'4',t:urlDecodeUni,phase:2"

# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$" \
    "phase:2,t:none,log,auditlog,status:501,msg:'Method is not allowed by policy', severity:'2',id:'1234123435',tag:'POLICY/METHOD_NOT_ALLOWED'"

# Restrict file extension
# removed exe so that frontpage will work

# Restricted HTTP headers 
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
    "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'1234123434',severity:'4'"

SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123433',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123432',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'1234123431',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla\/(?:4\.0 \(compatible; advanced email extractor|2\.0 \(compatible; newt activex; win32\))|ailto:craftbot\@yahoo\.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|[email protected]|rsync|shai|zeus)" \
        "deny,log,auditlog,msg:'Rogue web site crawler',id:'1234123430',severity:'2'"

SecRule REQUEST_HEADERS:User-Agent "(?:\b(?:(?:indy librar|snoop)y|microsoft url control|lynx)\b|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)" \
        "chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'1234123429',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"

# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm set-cookie .cookie" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,pass,nolog,skip:1,id:1234123428"
SecAction phase:2,pass,nolog,skipAfter:1234123454,id:1234123427
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
        "phase:2,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'1234123426',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "(?:\.cookie\b.*?;\W*?(?:expires|domain)\W*?=|\bhttp-equiv\W+set-cookie\b)" \
        "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation',id:'1234123454',tag:'WEB_ATTACK/SESSION_FIXATION',logdata:'%{TX.0}',severity:'2'"

# Blind SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
Although Chirpy is too busy to take on new clients, here is a list of what he does for his cpanel hardening and should point you in the right direction:

ConfigServer Server Services

Once you get CSF installed, it will recommend further settings... I agree with 24x7 on all his recommendations as well.

If you get stuck, you may be better off getting some help, but be warned... some "admins" just run a few scripts and cross their fingers that everything gets installed correctly.
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
I would suggest either getting a server admin to do this for you or get your DC to manage the server. And yes, every server gets this done.