Full Version: Cpanel Security
The Planet Forums > Control Panels > cPanel/WHM > Cpanel/WHM HOWTOs
aepinc
Here is a list that I follow whenever we set up a new server. Although there is more that can be done to set up a new box, this list covers most of the basic stuff that is pretty imperative.

This list doesn't cover tweaking out the box for performance, but that can easily be found in a search in these forums.

Also, a lot of these links will show pico /###/###

I highly recommend you always add -w to your pico commands, as certain files will get trashed if not.


ex: pico -w /###/###


And as always, it is a great idea to make backups of the files you are editing, easy as


# cp filename.cnf filename.cnf.bak


These lists have been posted in the past; I just wanted to add this because it is a good compilation to work with.

Also, I would like to thank all the people who have prepared these how-tos, as it does make a huge difference after being hacked a few times in the past.

------------lets have some fun-----------

QUOTE


Kernel update


# up2date -f kernel

Now reboot the server

# shutdown -r now



*********************************************************************************



Mount the backup Drive



First check to see if there are any drives mounted.

# df -h

You should get something similar to this if it isn't mounted yet:




code:--------------------------------------------------------------------------------
[root@localhost root]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda2              37G  1.4G   33G   4% /
/dev/hda1             101M  7.7M   88M   9% /boot
none                  125M     0  125M   0% /dev/shm
[root@localhost root]#
--------------------------------------------------------------------------------



If it is mounted you will see something like this:




code:--------------------------------------------------------------------------------
-bash-2.05b# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3              53G   31G   20G  62% /
/dev/hda1              99M   14M   80M  15% /boot
none                  248M     0  248M   0% /dev/shm
/dev/hdc3              53G   31G   20G  61% /mnt/old
-bash-2.05b#
--------------------------------------------------------------------------------



As you can see, hdc3 is the old drive, and it is mounted as /mnt/old. Yours will possibly be different. But keep in mind you need to know the mount point for the backup drive for the following steps.



Let's mount it if not already mounted.

# fdisk -l



Check for additional drives; in this tutorial we will use /dev/hdc3.

# mount /dev/hdb3 /mnt/old

# mount /dev/hdc2 /mnt/old


Now that the drive is mounted you can browse files like:


# ls /mnt/old/home


*********************************************************************************


Now would be a good time to change your password for root:

# passwd


*********************************************************************************

Updating software and restarting services

# /scripts/upcp

# /scripts/updatenow

# /scripts/sysup

# /scripts/fixeverything

# /scripts/exim4

# /scripts/easyapache

# /scripts/securetmp



Restarting services




# /scripts/restartsrv httpd

# /etc/rc.d/init.d/cpanel restart

# /scripts/restartsrv mysql

# /scripts/restartsrv named

# /scripts/restartsrv exim


*********************************************************************************

Let's disable direct login and version 2 SSH

http://www.webhostgear.com/24.html

*********************************************************************************

Email alert on root SSH

http://www.webhostgear.com/43.html

*********************************************************************************

Creating a Welcome message for SSH logins

http://www.webhostgear.com/26.html

*********************************************************************************

Change SSH port #

Changing your SSH port will dramatically drop the amount of brute-force attacks on your server, and I recommend a high port (be sure to add the port to the firewall once installed).

# pico -w /etc/ssh/sshd_config

Find #Port 22

Uncomment this line and change your port number to a high port.


Restart SSH

# /etc/rc.d/init.d/sshd restart


****** important*******
Do not close the shell you are in. Open PuTTY and make sure you can open a session to the new port #; also try to open a session to port 22, you should get a session error on 22.



*********************************************************************************

How to Disable Telnet

http://www.webhostgear.com/74.html


*********************************************************************************

Install APF (Advanced Policy Firewall)

http://www.webhostgear.com/61.html


*********************************************************************************

Changing APF log for TCP/UDP drops

http://www.webhostgear.com/167.html

*********************************************************************************

Install BFD

http://www.webhostgear.com/60.html

*********************************************************************************

chkrootkit

http://www.webhostgear.com/25.html

*********************************************************************************

Rkhunter Installation

http://www.webhostgear.com/141.html

*********************************************************************************

Sysctl.conf hardening

http://www.eth0.us/taxonomy/term/10

*********************************************************************************

Security by obscurity

http://www.eth0.us/obscurity

*********************************************************************************

Install LSM (Linux Socket Monitor)



# cd ~/downloads

# wget http://rfxnetworks.com/downloads/lsm-current.tar.gz

# tar xvfz lsm-current.tar.gz

# cd lsm-0.6

# ./install.sh

You will see the following:

.: LSM installed
Install path:    /usr/local/lsm
Config path:     /usr/local/lsm/conf.lsm
Executable path: /usr/local/sbin/lsm
LSM version 0.2
Copyright © 2004, R-fx Networks
             2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

generated base comparison files


# pico -w /usr/local/lsm/conf.lsm


ctrl-w to find USER="root" and change to USER="user@domain.com"

# ctrl-x , y enter

# /usr/local/sbin/lsm -g


# /usr/local/sbin/lsm -c


*********************************************************************************


Many PHP exploit scripts use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no non-wheel or root user can use them we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the commands below. If you run LES, which I would suggest, then you do not need to run the first group of chmods. If you get an error on the chmod 000 because a directory does not exist, do not worry; they are not on every server.


# chmod 750 /usr/bin/rcp
# chmod 750 /usr/bin/wget
# chmod 750 /usr/bin/lynx
# chmod 750 /usr/bin/links
# chmod 750 /usr/bin/scp

# chmod 000 /etc/httpd/proxy/
# chmod 000 /var/spool/samba/  
# chmod 000 /var/mail/vbox/



**********************************************************************************
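Added example, not from the post above and not from webhostgear.com, eth0.us or R-fx Networks: POSIX sh helpers that wrap two steps of the checklist so they can be run against a path you choose and verified afterwards. The first pair backs a file up as <file>.bak (the cp idiom at the top of the post) and then uncomments or rewrites the Port line in an sshd_config; the third applies one mode to a list of tools and silently skips paths that do not exist, which is the situation the chmod section describes. The function names, the 1024-65535 port check and the sample config in the comments are my assumptions, and the helpers do nothing to the live system unless you point them at it.

```shell
#!/bin/sh
# Added example (not the forum post's own script).
# Helpers for two steps of the hardening checklist: edit-with-backup of the
# sshd Port line, and a chmod batch that tolerates missing paths.

# Back a file up next to itself as <file>.bak before editing it.
# Returns 1 if the file does not exist, so nothing is edited blindly.
backup_file() {
    f="$1"
    [ -f "$f" ] || return 1
    cp -p "$f" "$f.bak"
}

# Set the sshd listen port in the config file given as $1 to the port in $2.
# Replaces a commented "#Port 22" or an existing "Port N" line in place, so
# running it twice never leaves two Port lines behind.
# Return codes: 1 no such file, 2 port rejected, 3 no Port line found.
set_sshd_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) return 2 ;;              # must be all digits
    esac
    # assumption: a "high port" means unprivileged and valid (1024-65535)
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 2
    backup_file "$cfg" || return 1
    grep -Eq '^#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" || return 3
    # sed -i differs between GNU and BSD sed; write a temp file and move it in
    tmp="$cfg.tmp.$$"
    sed -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}

# Read back the port a config file actually sets: the first uncommented
# "Port N" line, which is what sshd will use after the restart.
get_sshd_port() {
    awk '$1 == "Port" { print $2; exit }' "$1"
}

# Apply mode $1 to every path that follows, skipping paths that do not exist
# (the post notes some of these directories are not on every server).
# Prints each path it changed; the return code is the number it skipped.
restrict_paths() {
    mode="$1"; shift
    skipped=0
    for p in "$@"; do
        if [ -e "$p" ]; then
            chmod "$mode" "$p" && echo "$p"
        else
            skipped=$((skipped + 1))
        fi
    done
    return "$skipped"
}

# Usage on a real box (run as root, in the shell you keep open while testing):
#   set_sshd_port /etc/ssh/sshd_config 2222 && get_sshd_port /etc/ssh/sshd_config
#   /etc/rc.d/init.d/sshd restart
#   restrict_paths 750 /usr/bin/wget /usr/bin/lynx /usr/bin/links /usr/bin/scp /usr/bin/rcp
#   restrict_paths 000 /etc/httpd/proxy/ /var/spool/samba/ /var/mail/vbox/
```

The 750 modes only help if the binaries are owned by root with a root (or wheel) group, which is what the post's "no non-wheel or root user" wording relies on; check ownership with ls -l before trusting the result, and keep the .bak copy until the new port has been confirmed from a second session.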
eth00
If you are copying/pasting entire sections of text as your own, you should at least cite where they came from. I recognized a few of the explanations above that came from my website.
aepinc
QUOTE

also I would like to thank all the people who have prepared these how-tos, as it does make a huge difference after being hacked a few times in the past




Not trying to make anyone mad, and of course a lot of this stuff comes from your site, and it is really appreciated.

In fact quite a few of the URLs are yours; just trying to help someone, maybe a fresh admin, avoid some headaches, not trying to steal any thunder.