Cpanel Server Security

152

Merhaba Değerli Ziyaretçimiz

cPanel Installation and Security
This documentation covers how to install cPanel on a fresh Linux server and how to do initail server security.
cPanel Installation :
* cPanel can be install on Redhat based Linux servers and FreeBSD* A freshly build latest stable Centos server is highly recommended
How to Install cPanel :
* Yum must be installed before installing cPanel. All most all Redhat based servers will have yum preinstalled, if not installed install it from rpm ( http://rpm.pbone.net/ ).
# Update the system using Yum
$ yum update
# Disable selinux on dedicated servers. Set SELINUX=disabled in /etc/selinux/config
# Reboot the system
$ reboot
# Download the cPanel installer and run
$ cd /root; wget http://httpupdate.cpanel.net/latest; chmod +x latest; ./latest
Server security:
* Remove telnet server; we dont want that.
$ rpm -e telnet-server* Check xinetd enabled services and dsiable them. Run below command and disable all services which shows ‘disable = no’
$ cd /etc/xinetd.d; grep disable ./*
* Disable xinetd service itself. cPanel donot use xinetd
$ /etc/init.d/xinetd stop; chkconfig xinetd off
# Add a system user eg:- administrator
$ useradd administrator
# Reset the administrator password. A strong password can be generated using following command
$ mkpasswd -l 16
# Also reset the root password to a strong one
# Add administrator user to sudoer list. After this verify administrator user can sudo to root user.
$ visudo
# Permit ‘su’ for only wheel group members. Open /etc/pam.d/su and add (order is important) or uncomment
auth            required        pam_wheel.so use_uid
# Disable SSH protocol 1 and enable SSH protocol 2 in /etc/ssh/sshd_config
# Disable rootlogin in /etc/ssh/sshd_config (Make sure some user eg:- administrator is added in sudoer list with full privilege)
# Set a banner of legal warning in SSH. Add the contents in /etc/sshBanner.txt and add following to /etc/ssh/sshd_config
Banner /etc/sshBanner.txt
# Restart SSH service
$ /etc/init.d/sshd restart
# Change SSH port. Open /etc/ssh/sshd_config and change Port 22
# Install AFICK. Download latest afick rpm from http://sourceforge.net/projects/afick/files/afick/
$ rpm -ivh afick-x.x.x.x.noarch.rpm
# Open /etc/afick.conf and set email id and enable cron run.
@@define MAILTO email_id@@define BATCH 1
# Ensure that AFICK donot update its database after a cron run. Database update should be run manually by sysadmin, else if we miss a cron email we will miss the file changes alert. Open /etc/cron.daily/afick_cron and set ACTION=”-k”.
# Initialize AFICK database
$ afick -c /etc/afick.conf -i -P
# Disable DNS recursion and version publish. Open /etc/named.conf and set
Options {recursion no;version “No version for you”;…..
# Restart bind
$ /etc/init.d/named restart
# Disable Exim version printing. Add following to /usr/local/cpanel/etc/exim/config_options
smtp_banner = “${primary_hostname} ESMTP Mail service ready”
# Rebuild eximconf and restart exim service
$  /scripts/buildeximconf && /scripts/restartsrv_exim
# Disable anonymous user login in /etc/pure-ftpd.conf
NoAnonymous yes
# Disable pure-ftpd default banner. This shows server time and ftp service name. Create a file /etc/ftpWelcome.txt and add “FTP Service Is Ready”. Now open /etc/init.d/pure-ftpd and add
OPTIONS=”-F /etc/ftpWelcome.txt”
# Restart ftp serivce
$ /scripts/restartsrv_ftpserver
# Disable apache signature. Open /usr/local/apache/conf/httpd.con and add/edit as follows
ServerSignature OffServerTokens Prod
# Permanently save the change
$ /usr/local/cpanel/bin/apache_conf_distiller –update
# Restart apache
$ /etc/init.d/httpd restart
# Install Rkhunter. Download latest rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html
$ tar -xvzf rkhunter-x.x.x.tar.gz; cd rkhunter-x.x.x; ./installer.sh –layout /usr/local –install; /usr/local/bin/rkhunter –update
# Create rkhunter cron job. Create file /etc/cron.daily/rkhunter.sh and add the following. Make sure to replace replace-this@with-your-email.com with the system administrator email address
#!/bin/bash(/usr/local/bin/rkhunter -c –cronjob 2>&1 | mail -s “RKhunter Scan Details” replace-this@with-your-email.com)
# Give execute permission for the script
$ chmod +x  /etc/cron.daily/rkhunter.sh
# Securing tmp
$ /scripts/securetmp
# Root and administrator (sudo user) login alerts. Add following to both /root/.bashrc and /home/administrator/.bashrc (Change the subject line as needed)
echo “ALERT – Root Shell Access on `hostname`:” `date` `who` |mail -s “Alert: Root Access from `who | cut -d”(” -f2 | cut -d”)” -f1`” replace-this@with-your-email.com
# Install apf (firewall)
$ wget http://www.rfxn.com/downloads/apf-current.tar.gz$ tar -xvzf apf-current.tar.gz$ cd afp-x.x.x$ ./install.sh
# The installer will display the current opened TCP and UDP ports. Copy them and add it to IG_TCP_CPORTS and IG_UDP_CPORTS respectively in /etc/apf/conf.apf. We also need to enable ports 0-1024 (both TCP and UDP) in apf for portscanner detector to work, so add 0_1024 to IG_TCP_CPORTS and IG_UDP_CPORTS
# Start apf
$ apf -s
# Install BFD (brute force detector)
$ wget http://www.rfxn.com/downloads/bfd-current.tar.gz$ tar -xvzf bfd-current.tar.gz$ cd bfd-x.x.x$ ./install.sh$ bfd -s
# Install portsentry (port scanner detector) from ftp://ftp.pbone.net/mirror/ftp.falsehope.net/home/tengel/fedora/4/te/i386/RPMS/portsentry-1.2-1.te.i386.rpm
# open /etc/portsentry/portsentry.conf and comment KILL_ROUTE and add
KILL_RUN_CMD=”/usr/local/sbin/apf -d $TARGET$ ‘Portscan detected on port $PORT$’”
$ /etc/init.d/portsentry restart
# Enable suphp and suexec
$ /usr/local/cpanel/bin/rebuild_phpconf –no-htaccess 5 none suphp 1
# Run /scripts/easyapache and enable mod_security
# Load mod_esecurity rules
$ cd /usr/local/apache/conf/$ wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.bz2$ tar -xvjf modsec-2.5-free-latest.tar.bz2$ cd modsec/$ perl -i -pe ‘s/\/etc\/asl\/whitelist/whitelist\.txt/’ *$ > domain-spam-whitelist.conf$ mkdir /usr/local/apache/conf/modsec/ip$ mkdir /usr/local/apache/conf/modsec/global
# open /usr/local/apache/conf/modsec/00_asl_rbl.conf and add
SecDataDir /usr/local/apache/conf/modsec
# open /usr/local/apache/conf/modsec2.conf and add
Include “/usr/local/apache/conf/modsec/*.conf”
# Restart apache
$ /etc/init.d/httpd restart
cPanel Settings :
# Goto Main >> Server Configuration >> Basic cPanel & WHM Setup and set the contact information
# Goto Main >> Server Configuration >> Tweak Settings >> All and
Enable SpamAssassin spam filter = enabledGIEmail and CGIEcho = disabledCookie IP validation = strictGenerate core dumps = offSend passwords when creating a new account = offBlank referrer safety check = onReferrer safety check = onRequire SSL = onEnable HTTP Authentication = offAllow PHP to be run by resellers in WHM = offUse MD5 passwords with Apache = onSecurity Tokens = onDefault shell jailed = on
# Goto Main >> Security Center >> Apache mod_userdir Tweak and enable “Enable mod_userdir Protection”
# Goto Main >> Security Center >> Compiler Access and disable compilers for unprivileged users
# Main >> Security Center >> Configure Security Policies and
Password Age = enabled (30 days)Password Strength = enabled (15 characters)XML-API and JSON-API requests = enabledDNS cluster requests = enabled
# Goto Main >> Security Center >> cPHulk Brute Force Protection and enable burte force protection
# Goto Main >> Security Center >> PHP open_basedir Tweak and enable “Enable php open_basedir Protection.”
# Goto Main >> Security Center >> Security Questions and setup the security question
# Goto Main >> Security Center >> Shell Fork Bomb Protection and enable protection
# Goto Main >> Security Center >> SMTP Tweak and enable protection
# Goto Main >> Security Center >> Traceroute Enable/Disable and disable traceroute
# Goto Main >> Account Functions >> Manage Shell Access and disable shell access for all user. If shell access is required only enable jailed shell
# Goto Main >> cPanel >> Manage Plugins and install Clamav

 

Yardımcı olması dileğiyle…


Article Tags: · · · ·

Leave a Comment

Paylaş