Categories: Linux, WHM / Cpanel

Cpanel Server Security

Hello, dear visitor,

cPanel Installation and Security
This documentation covers how to install cPanel on a fresh Linux server and how to do the initial server hardening.
cPanel Installation:
* cPanel can be installed on Red Hat based Linux servers and FreeBSD
* A freshly built, latest stable CentOS server is highly recommended
How to Install cPanel:
* Yum must be installed before installing cPanel. Almost all Red Hat based servers have yum preinstalled; if it is missing, install it from RPM ( http://rpm.pbone.net/ ).
# Update the system using Yum
$ yum update
# Disable SELinux on dedicated servers: set SELINUX=disabled in /etc/selinux/config
# Reboot the system
$ reboot
# Download the cPanel installer and run it
$ cd /root; wget http://httpupdate.cpanel.net/latest; chmod +x latest; ./latest
Server security:
* Remove the telnet server; we don't want that.
$ rpm -e telnet-server
* Check which xinetd services are enabled and disable them. Run the command below and disable every service that shows 'disable = no'
$ cd /etc/xinetd.d; grep disable ./*
* Disable the xinetd service itself; cPanel does not use xinetd
$ /etc/init.d/xinetd stop; chkconfig xinetd off
# Add a system user, e.g. administrator
$ useradd administrator
# Set the administrator password. A strong password can be generated with the following command
$ mkpasswd -l 16
# Also reset the root password to a strong one
# Add the administrator user to the sudoers list. Afterwards, verify that the administrator user can sudo to root.
$ visudo
# Permit 'su' only for members of the wheel group. Open /etc/pam.d/su and add (order is important) or uncomment
auth            required        pam_wheel.so use_uid
# Disable SSH protocol 1 and allow only SSH protocol 2 in /etc/ssh/sshd_config
# Disable root login in /etc/ssh/sshd_config (make sure a user, e.g. administrator, is in the sudoers list with full privileges)
# Set a legal warning banner for SSH. Put the text in /etc/sshBanner.txt and add the following to /etc/ssh/sshd_config
Banner /etc/sshBanner.txt
# Restart the SSH service
$ /etc/init.d/sshd restart
# Change the SSH port. Open /etc/ssh/sshd_config and change Port 22
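The four sshd_config edits above (protocol 2 only, no root login, legal banner, custom port) can be applied and checked with the script below instead of editing the file by hand. This is an added example and not part of the original article; the function names and the sample configuration are constructed for the demonstration. It respects sshd's first-match rule and leaves any Match blocks untouched, which a plain append to the end of the file would not.

```shell
#!/bin/bash
# Added example (not from the original article): apply the sshd_config
# hardening from the checklist and read back the effective values.
# Function names and the sample config below are constructed for this demo.

# set_sshd_directive FILE KEY VALUE
# Removes every active or commented "KEY ..." line in the global section of
# FILE (everything before the first "Match" block) and puts "KEY VALUE" at the
# top. sshd uses the first matching directive, so prepending makes the new
# value win and keeps it out of any Match block, whose lines are left as-is.
set_sshd_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" '
            /^[ \t]*Match([ \t]|$)/ { in_match = 1 }
            in_match { print; next }
            $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") { next }
            { print }
        ' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_directive FILE KEY
# Prints the value sshd would use for KEY in the global section (first active
# occurrence before any Match block), or nothing if it is not set.
get_sshd_directive() {
    awk -v key="$2" '
        /^[ \t]*Match([ \t]|$)/ { exit }
        $0 ~ ("^[ \t]*" key "[ \t]+") { sub("^[ \t]*" key "[ \t]+", ""); print; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT
# Applies the four settings from the checklist to FILE.
harden_sshd_config() {
    set_sshd_directive "$1" Protocol 2
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" Banner /etc/sshBanner.txt
    set_sshd_directive "$1" Port "$2"
}

# Demo on a constructed copy so nothing touches the live /etc/ssh/sshd_config.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample sshd_config
#Port 22
Protocol 2,1
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
harden_sshd_config "$demo_file" 2222
echo "PermitRootLogin is now: $(get_sshd_directive "$demo_file" PermitRootLogin)"
echo "Port is now: $(get_sshd_directive "$demo_file" Port)"
rm -f "$demo_file"
```

On the real server, run it against /etc/ssh/sshd_config, make sure /etc/sshBanner.txt exists, and run `sshd -t` before restarting sshd so a typo in the config cannot lock you out of the box; keep the current session open until a second login on the new port succeeds.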
# Install AFICK. Download the latest afick RPM from http://sourceforge.net/projects/afick/files/afick/
$ rpm -ivh afick-x.x.x.x.noarch.rpm
# Open /etc/afick.conf, set the e-mail address and enable the cron run.
@@define MAILTO email_id
@@define BATCH 1
# Ensure that AFICK does not update its database after a cron run. The database update should be run manually by the sysadmin; otherwise, if we miss a cron e-mail, we miss the file change alert. Open /etc/cron.daily/afick_cron and set ACTION="-k".
# Initialize the AFICK database
$ afick -c /etc/afick.conf -i -P
# Disable DNS recursion and version publishing. Open /etc/named.conf and set
options { recursion no; version "No version for you"; …..
# Restart bind
$ /etc/init.d/named restart
# Disable Exim version printing. Add the following to /usr/local/cpanel/etc/exim/config_options
smtp_banner = "${primary_hostname} ESMTP Mail service ready"
# Rebuild the Exim configuration and restart the Exim service
$ /scripts/buildeximconf && /scripts/restartsrv_exim
# Disable anonymous user login in /etc/pure-ftpd.conf
NoAnonymous yes
# Disable the pure-ftpd default banner, which shows the server time and the FTP service name. Create a file /etc/ftpWelcome.txt containing "FTP Service Is Ready". Then open /etc/init.d/pure-ftpd and add
OPTIONS="-F /etc/ftpWelcome.txt"
# Restart the FTP service
$ /scripts/restartsrv_ftpserver
# Disable the Apache signature. Open /usr/local/apache/conf/httpd.conf and add/edit as follows
ServerSignature Off
ServerTokens Prod
# Permanently save the change
$ /usr/local/cpanel/bin/apache_conf_distiller --update
# Restart Apache
$ /etc/init.d/httpd restart
# Install Rkhunter. Download the latest rkhunter from http://www.rootkit.nl/projects/rootkit_hunter.html
$ tar -xvzf rkhunter-x.x.x.tar.gz; cd rkhunter-x.x.x; ./installer.sh --layout /usr/local --install; /usr/local/bin/rkhunter --update
# Create the rkhunter cron job. Create the file /etc/cron.daily/rkhunter.sh with the following content. Make sure to replace replace-this@with-your-email.com with the system administrator's e-mail address
#!/bin/bash
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" replace-this@with-your-email.com)
# Give the script execute permission
$ chmod +x  /etc/cron.daily/rkhunter.sh
# Secure /tmp
$ /scripts/securetmp
# Root and administrator (sudo user) login alerts. Add the following to both /root/.bashrc and /home/administrator/.bashrc (change the subject line as needed)
echo "ALERT - Root Shell Access on `hostname`:" `date` `who` | mail -s "Alert: Root Access from `who | cut -d"(" -f2 | cut -d")" -f1`" replace-this@with-your-email.com
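The one-liner above has two practical weaknesses: bash also reads .bashrc for non-interactive remote commands (scp, rsync, `ssh host command`), so every file copy mails an alert, and `who` lists every logged-in session rather than the one that just opened. The following .bashrc drop-in is an added example, not part of the original article; it keeps the same alert but fires only in interactive shells and takes the client address of the current session from SSH_CONNECTION. The function names, ALERT_RCPT and the sample values are this example's own.

```shell
#!/bin/bash
# Added example (not from the original article): login alert for
# /root/.bashrc and /home/administrator/.bashrc that only fires for
# interactive shells and reports the address of this session.
# Function names, ALERT_RCPT and sample values are constructed for the demo.

ALERT_RCPT="${ALERT_RCPT:-replace-this@with-your-email.com}"

# login_source
# Prints the client address of the current session: the first field of
# SSH_CONNECTION (client IP) when present, otherwise "console".
login_source() {
    if [ -n "$SSH_CONNECTION" ]; then
        printf '%s\n' "${SSH_CONNECTION%% *}"
    else
        printf 'console\n'
    fi
}

# login_alert_message USER HOST SOURCE
# Builds the mail body. Kept separate from sending so it can be checked
# without a mail transport.
login_alert_message() {
    printf 'ALERT - %s shell access on %s from %s at %s\n' "$1" "$2" "$3" "$(date)"
}

# send_login_alert
# Sends the alert for interactive shells only; returns 1 without sending
# anything otherwise, so scp/rsync/remote-command logins stay quiet.
send_login_alert() {
    case $- in
        *i*) ;;
        *) return 1 ;;
    esac
    user=$(id -un)
    host=${HOSTNAME:-$(hostname)}
    src=$(login_source)
    login_alert_message "$user" "$host" "$src" \
        | mail -s "Alert: $user access on $host from $src" "$ALERT_RCPT"
}

# In .bashrc, after the definitions above, the last line is simply:
#   send_login_alert
```

Because the alert is keyed on SSH_CONNECTION, a local console login is reported as "console"; if the admin also reaches the box through a jump host or serial console, extend login_source to cover that path.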
# Install apf (firewall)
$ wget http://www.rfxn.com/downloads/apf-current.tar.gz
$ tar -xvzf apf-current.tar.gz
$ cd apf-x.x.x
$ ./install.sh
# The installer displays the currently open TCP and UDP ports. Copy them into IG_TCP_CPORTS and IG_UDP_CPORTS respectively in /etc/apf/conf.apf. We also need to open ports 0-1024 (both TCP and UDP) in apf for the port scan detector to work, so add 0_1024 to IG_TCP_CPORTS and IG_UDP_CPORTS
# Start apf
$ apf -s
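Building the IG_TCP_CPORTS and IG_UDP_CPORTS lists by hand from the installer's output is error-prone, and it is easy to open a port that is only bound to loopback (for example rndc on 127.0.0.1:953). The script below is an added example and not part of the original article or of apf: it turns `netstat -lntu` style output into the comma-separated lists apf expects, skips loopback-only listeners, and prepends the 0_1024 range the checklist asks for. The sample netstat output and function names are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the original article): build IG_TCP_CPORTS /
# IG_UDP_CPORTS values for /etc/apf/conf.apf from netstat-style output.
# The sample below is constructed; on a real server pipe in "netstat -lntu".

# listening_ports PROTO   (reads netstat -lntu output on stdin)
# Prints the unique ports PROTO (tcp or udp, IPv6 variants included) listens
# on, comma-separated and sorted numerically. Listeners bound only to
# loopback are skipped: they are not reachable from outside and should not
# be opened in the firewall.
listening_ports() {
    awk -v proto="$1" '
        $1 ~ ("^" proto "6?$") {
            n = split($4, a, ":")                        # local address is field 4
            port = a[n]                                  # port follows the last ":"
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1") next   # loopback-only listener
            print port
        }
    ' | sort -nu | paste -sd, -
}

# apf_port_list PROTO   (reads netstat -lntu output on stdin)
# Same list with the 0_1024 range in front, as the checklist requires so that
# portsentry can watch the low ports through apf.
apf_port_list() {
    ports=$(listening_ports "$1")
    if [ -n "$ports" ]; then
        printf '0_1024,%s\n' "$ports"
    else
        printf '0_1024\n'
    fi
}

# Constructed sample of "netstat -lntu" output for the demo.
netstat_sample='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::2087                 :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'

echo "IG_TCP_CPORTS=\"$(printf '%s\n' "$netstat_sample" | apf_port_list tcp)\""
echo "IG_UDP_CPORTS=\"$(printf '%s\n' "$netstat_sample" | apf_port_list udp)\""
```

Paste the two printed lines into /etc/apf/conf.apf, then review them once more: anything listening on 0.0.0.0 that should only be reachable internally (a database, a management port) is better bound to localhost or restricted with an allow rule than opened to the world.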
# Install BFD (brute force detector)
$ wget http://www.rfxn.com/downloads/bfd-current.tar.gz
$ tar -xvzf bfd-current.tar.gz
$ cd bfd-x.x.x
$ ./install.sh
$ bfd -s
# Install portsentry (port scan detector) from ftp://ftp.pbone.net/mirror/ftp.falsehope.net/home/tengel/fedora/4/te/i386/RPMS/portsentry-1.2-1.te.i386.rpm
# Open /etc/portsentry/portsentry.conf, comment out KILL_ROUTE and add
KILL_RUN_CMD="/usr/local/sbin/apf -d $TARGET$ 'Portscan detected on port $PORT$'"
$ /etc/init.d/portsentry restart
# Enable suphp and suexec
$ /usr/local/cpanel/bin/rebuild_phpconf --no-htaccess 5 none suphp 1
# Run /scripts/easyapache and enable mod_security
# Load the mod_security rules
$ cd /usr/local/apache/conf/
$ wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.bz2
$ tar -xvjf modsec-2.5-free-latest.tar.bz2
$ cd modsec/
$ perl -i -pe 's/\/etc\/asl\/whitelist/whitelist\.txt/' *
$ > domain-spam-whitelist.conf
$ mkdir /usr/local/apache/conf/modsec/ip
$ mkdir /usr/local/apache/conf/modsec/global
# Open /usr/local/apache/conf/modsec/00_asl_rbl.conf and add
SecDataDir /usr/local/apache/conf/modsec
# Open /usr/local/apache/conf/modsec2.conf and add
Include "/usr/local/apache/conf/modsec/*.conf"
# Restart Apache
$ /etc/init.d/httpd restart
cPanel Settings:
# Go to Main >> Server Configuration >> Basic cPanel & WHM Setup and set the contact information
# Go to Main >> Server Configuration >> Tweak Settings >> All and set
Enable SpamAssassin spam filter = enabled
CGIEmail and CGIEcho = disabled
Cookie IP validation = strict
Generate core dumps = off
Send passwords when creating a new account = off
Blank referrer safety check = on
Referrer safety check = on
Require SSL = on
Enable HTTP Authentication = off
Allow PHP to be run by resellers in WHM = off
Use MD5 passwords with Apache = on
Security Tokens = on
Default shell jailed = on
# Go to Main >> Security Center >> Apache mod_userdir Tweak and enable "Enable mod_userdir Protection"
# Go to Main >> Security Center >> Compiler Access and disable compilers for unprivileged users
# Go to Main >> Security Center >> Configure Security Policies and set
Password Age = enabled (30 days)
Password Strength = enabled (15 characters)
XML-API and JSON-API requests = enabled
DNS cluster requests = enabled
# Go to Main >> Security Center >> cPHulk Brute Force Protection and enable brute force protection
# Go to Main >> Security Center >> PHP open_basedir Tweak and enable "Enable php open_basedir Protection"
# Go to Main >> Security Center >> Security Questions and set up the security questions
# Go to Main >> Security Center >> Shell Fork Bomb Protection and enable protection
# Go to Main >> Security Center >> SMTP Tweak and enable protection
# Go to Main >> Security Center >> Traceroute Enable/Disable and disable traceroute
# Go to Main >> Account Functions >> Manage Shell Access and disable shell access for all users. If shell access is required, enable only the jailed shell
# Go to Main >> cPanel >> Manage Plugins and install ClamAV
I hope this helps…

admin
