Basic things that can be done to improve security.

--------------------------------------------------

Use The Latest Software

Keep the OS and 3rd party software up to date. Always!

CPanel itself can be updated from the root WHM.

--------------------------------------------------

Change Passwords

Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.

--------------------------------------------------

Set Up A More Secure SSH Environment

This section describes how to disable direct 'root' login to the machine and how to force the more secure SSH 2 protocols.

Disabling direct root login will force a hacker to have to guess 2 seperate passwords to gain root access.

After you do this, you will have to login as anotheruser then you will 'su -' to get to root.

We also will be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol

Just a couple more ways to help your server stay safe from the bad guys.

If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

1. Set up anotheruser if you haven't already got one:

i. Type: groupadd anotheruser
ii. Type: [b]useradd anotheruser
iii. Type: [b]passwd anotheruser and add a password for the new account.

On a CPanel system, you can now go into root WHM and add anotheruser to the wheel group.

2. SSH into your server as anotheruser and gain root access by going [b]su - root and entering the root password.

3. Type: pico -w /etc/ssh/sshd_config

4. Find the line:



Uncomment it and change it to look like:



5. Next, find the line:



Uncomment it and make it look like:



6. It is also recommended that the following additional lines are added to the file:



7. Hit CTRL+x, then y then enter to save the file.

8. Restart SSH with /etc/rc.d/init.d/sshd restart

--------------------------------------------------

Disable Telnet

1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinted with: /etc/rc.d/init.d/xinetd restart

--------------------------------------------------

Install A Firewall

I recommend APF firewall personally, but they all do a similar job.

APF can be found at: http://www.rfxnetworks.com/apf.php

Also guard against 'brute force' attacks with: http://www.rfxnetworks.com/bfd.php

--------------------------------------------------

Disable Unnecessary Ports

First backup the file that contains your list of ports with:

cp /etc/services /etc/services.original

Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.

On a typical CPanel system it would look something like this:



Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved

--------------------------------------------------

Watch The Logs

Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.

Logwatch can be found at: http://www.logwatch.org

--------------------------------------------------

Run A Root Kit Checker Regularly

You can get a root kit from http://www.chkrootkit.org and make sure you run it on a regular basis, perhaps including it in a cron job.

--------------------------------------------------

Limit The Kernel's Capabilities

1. Type: wget ftp://rpmfind.net/linux/PLD/current/dists....0.6-3.i686.rpm
2. Type: rpm -Uvh lcap-0.0.6-3.i686.rpm
3. Type: lcap CAP_SYS_PTRACE

This will limit the ptrace option which allows attaching to, and controlling the execution of, arbitrary processes. Debuggers do this sort of thing.

The LCAP limitations only stay in place until the next reboot unless you put them in a startup file somewhere.

LCAP can be used in various way to harden the kernel, but you also run the risk of locking yourself out of facilities you need, so research is recommended before messing about. One good place to start looking is in /usr/include/linux/capability.h which contains a brief description of kernel capabilities.

--------------------------------------------------

Avoid CPanel Demo Mode

Switch it off via WHM Account Functions => Disable or Enable Demo Mode.

--------------------------------------------------

Jail All Users

Via WHM Account Functions => Manage Shell Access => Jail All Users.

Better still never allow shell access to anyone - no exceptions.

--------------------------------------------------

Disable Troublesome Formmails

Cpanel's formmails are known to be insecure and, worse, every time one attempts to disable them, the next CPanel upgrade comes along and enables them again.

This is the recommended procedure for disabling them:

1. SSH into the box.

2. Type: cd /usr/local/cpanel/cgi-sys

3. Type: chmod 0 cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

4. Type: chattr +i cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

--------------------------------------------------

Immediate Notification Of Specific Attackers

If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname" notify@mydomain.com

Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing notify@mydomain.com with your e-mail address.

This will deny access to the attacker and e-mail the sysadmin about the access attempt.

--------------------------------------------------

Check Open Ports

From time to time it's worth checking which ports are open to the outside world. This can be done with:

nmap -sT -O localhost

If nmap isn't installed, you can install from WHM -> Software -> Install RPM.

--------------------------------------------------

Set The MySQL Root Password

This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.

Make it different to your root password!

--------------------------------------------------

Tweak Security (CPanel)

From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:

- php open_basedir Tweak.
- SMTP tweak.

You may want to enable:

- mod_userdir Tweak. But that will disable domain preview.

--------------------------------------------------

Use SuExec (CPanel)

From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's decription of what it does:

"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "

Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.

--------------------------------------------------

Use PHPSuExec (CPanel)

This needs to built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.

Wisth PHPSuExec enabled, you users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.

--------------------------------------------------

Disable Compilers

This will prevent hackers from compiling worms, root kits and the like on your machine.

To disable them, do the following:



You will need to enable them again when you need to perform system updates. To do this, run:



--------------------------------------------------

This is really just a start. There are many other things one can do too (tripwires etc.).

Man u are a pimp... i didnt read this thread at first because i thought it was a question, and i didn't see no replies so i didn't bother lol... but i'm glad i read it.. this should be in a STICKY.

Hmm heres also a link to a post on cpanel about someones site who was hacked, and some advice someone there gave: http://forums.cpanel.net/showthread.php?s=...82888#post82888

Might want to take a look here as well: http://forum.rackshack.net/showthread.php?...&threadid=30333

P.S.

Thanks for this informative post and all the other ones you've posted... they've really helped me in knowing what to do with my server. Keep up the good work man.





[quote]Watch The Logs

Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail to you on a daily basis.

Logwatch can be found at: http://www.logwatch.org [/quote]

Does logwatch come with cpanel or SM servers by default? I recieve a daily email from LogWatch 4.3.1, but i never installed it manually myself.. i thought it was just something RH9 or cpanel did to keep you up to date on things.

[quote]This section describes how to disable direct 'root' login[/quote]
How can I disable root login when SM technichians need it ?

How then they will log to my box and install some pathches/see my problem details?

How is it possible?

[quote=AlexAT][quote]This section describes how to disable direct 'root' login[/quote]
How can I disable root login when SM technichians need it ?

How then they will log to my box and install some pathches/see my problem details?

How is it possible?[/quote]

What I've done is logged both the root and anotheruser passwords with SM (in Orbit) and explained that root login is disabled.

It's a fairly standard security procedure to disable direct root login and I'm sure SM are familiar with the process.

[quote=damainman]Does logwatch come with cpanel or SM servers by default? I recieve a daily email from LogWatch 4.3.1, but i never installed it manually myself.. i thought it was just something RH9 or cpanel did to keep you up to date on things.[/quote]

It may do now, although I've always had to install it myself previously.

[quote]What I've done is logged both the root and anotheruser passwords with SM (in Orbit) and explained that root login is disabled.

It's a fairly standard security procedure to disable direct root login and I'm sure SM are familiar with the process.[/quote]
Thank you.
Last question
Did this works? I.e. did SM techs at least 1 time use your such credentials and login to your box to fix problem?

[quote=AlexAT]Did this works? I.e. did SM techs at least 1 time use your such credentials and login to your box to fix problem?[/quote]

To be honest I don't think they've had to since I disabled root login. Perhaps one of the SM staff can confirm that they're okay with this process?

why isn't this a sticky, or in the how to section, or in the linux secruity section?

maybe because we are still waiting for SM tech response?

[quote=disoft]
Limit The Kernel's Capabilities

1. Type: wget ftp://rpmfind.net/linux/PLD/current/dists....0.6-3.i686.rpm
2. Type: rpm -Uvh lcap-0.0.6-3.i686.rpm
3. Type: lcap CAP_SYS_PTRACE

This will limit the ptrace option which allows attaching to, and controlling the execution of, arbitrary processes. Debuggers do this sort of thing.
[/quote]

I'm a bit curious as to what exactly this does, or what it means to security on my system. Does nyone have any more information or details on this particular step? I am always a tad hesitant to do anything that even remotely affects the kernel, and this one seems to be aiming right for it.

As far as I understand it, the PTRACE kernel function allows one process to take control over the execution of another. This what a debugger does when it allows you to 'step through' a bit of code line by line, for example - the debugger controls the execution of the underlying program.

It is thought that hackers could make use of this facility to corrupt processes running on the system, hence the security recommendation to remove the functionality.

If you use your box for development (and hence need a debugger) it is probably best not to disable this function, but I have it disabled on all my boxes and have not encountered any problems.

I understand your caution about kernel mods though ... I'm the same!

[quote=damainman]
Hmm heres also a link to a post on cpanel about someones site who was hacked, and some advice someone there gave: http://forums.cpanel.net/showthread.php?s=...82888#post82888
[/quote]

OMG That's me on old server, not on SM
now i'm moving to SM ! much much more better!

the old server provider suck, every help we ask they ask money!
we were asking to upgrade to RH 9 but they refuse to support if we go with RH9 LOL LOL LOL so we go with RH 7.3 and hacked LOL

and oh yeah this thread help lots THANKS!!

Bump

SM should make this a sticky...

[quote]1. Type: wget ftp://rpmfind.net/linux/PLD/current/dists....0.6-3.i686.rpm
2. Type: rpm -Uvh lcap-0.0.6-3.i686.rpm
3. Type: lcap CAP_SYS_PTRACE [/quote]
Is there a way to monitor this protection after it is enabled? How do I temporarily turn it off?

Rebooting will reset all the capabilities again (which I will alter my original post to mention).

You can do a lot to harden a kernel with LCAP, but you can also stop yourself from doing things you may need, so it really needs a bit of research before messing about too much.

Has anyone here used the "php open_basedir Tweak" under whm/tweek secruity?

Also should i enable the SMTP Tweak

I'm just curious how useful it is, and would it cause any script problems if i do use it? Anyone else here using it?

I'm going to be using my server as a webhost.

Thank you.

Yep, I use both.

open_basedir shouldn't cause problems, but you may get some complaints if people are using scripts that access places outside of their directory tree. It's probably worth asking why they're doing that if it arises.

I think i mightve slightly messed up my sshd_config .. I was trying to edit it using Vi..

Anyone everything in it looks good except at the very bottom it says this:

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
<80>kd<80>kd^M<80>kd<80>kr^M <80>ku<80>kd<80>kr<80>kd<80>kl<80>kuq^Mq^M^[q^M<80>kd<80>kd<80>KA^M<80>kd<80>kdi<80>kdii<80>kb<80>kb<80>kb<80>kbq^M^[q^Mqq^[

Are all those 80's and things suppose to be there?
Thank you.

Hi,

No, I don't think they're meant to be there. Not sure what your editor's done, but it's messed it up I think.

Is this the last line in that file:

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Or is there more lines? I'm running RHE

It is in mine (RH9).

Aight thanks ..

Does this work for RHE as well:

chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

No idea about RHE I'm afraid.

It works on RH 7.3 and some of them work on RH 9.

lol.. aight i'll see if i can find out then report it here... but thanks for all your help and useful tutorials lol. I learned more from ur tutorials then i did from books... :?

---

I have two more quick questions:

1. I setup a second user so i can su- to root in shell, now my question is..when i log into whm, do i use the root password .. or the username and password for the new user i created?

2. My second question is: How long can the passwords be for root and the other user?

Excellent guide, we have been building a Cpanel security guide as an ongoing document and this had some nice things to add. Thanks a bunch.

We've been working on something similar for several months now and its already over 200 pages. :shock:

You still use the root password, which is why it's important to make sure you only use the SSL access protocol.



No idea!

what are the ip rang to allow in by ssh so that support can access the server and do some work ?
i added this line in /etc/hosts.allow
ALL:12.96.160.
but they still cant get in !
is there another ip rang or is redhat defrant then slackware and i have to add this line or something else in another file ?!
also i got some guy trying to hack his way in proftpd
so how to denany all from even connecting to it and only allow some ips ?

thanks

Because your missing some numbers? I think there's supposed to be a 0/24 or something similar at the end. 12.96.160.0/24

You could always switch to pure-ftp if your on a cpanel server, then disable the token/version output so they don't know it was switched.

Hi to all.
I just disable direct root login in my box,
so to get root access in shell I need to login withdministrative login and password, then su - and then root password.
But...
If i go http://ipadress:2087/
and root/rootpassword - I am in WHM as ROOT!
Is it normal or not?

Yes its normal... WHM runs as root... and since its like a webprogram theres realy no way to log-in as one user as su to root.. like u can in shell.

Many thanks...

This is a very useful thread - please sticky it.
Then delete this post.

Thank you :mrgreen:

Thread stickied! VERY good info here. No deleting posts, though. I haven't seen big red text around here in a while.

It's worth mentioning that APF will block RSYNC activity if you enable egress filtering (and really, you should consider it) with the default port listing.

This will stop you fetching CPanel updates, as they are handled over RSync.

Make sure you add TCP port 873 to your allowed egress ports to ensure that you can fetch cpanel updates.. (Recently shot myself in the foot with this one, so to speak.)

Does anyone know what egress ports have to be specifically enabled in APF to allow up2date to connect? I had to turn off egress filtering or else up2date is unable to fetch updates.

uh.. I just have the standard apf list of common egress ports and the rsync one:

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,873"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

up2date seems to work fine for me..

yup 873 tcp outbound is the port you need for rsync which is used by up2date and cpanel

Wierd - If I set the following in my conf.apf:



and then restart apf, and run up2date -u while I tail -f /var/log/messages I see the following:


and up2date just sits there and fails to connect.

This is on a RHE 3.0 cpanel server.

apf -version
APF version 0.9.3 <apf@r-fx.org>

Any ideas?

Port 443 is SSL. Cpanel I believe is trying to access via Secure Socket Layer to the cpanel update site.

You will need to add Port 443 to your egress filter.

That was it - added 443 outoing TCP allows up2date to connect fine. Thanks very much!

How do you know if APF is running?

I did ps -ax

And i cant see APF running?? what is the exact name im looking for??

apf --status

Should do the trick

top post thank you

I did the whole shell thing but when i log into anotheruser and do command:

su - root

I get this:

su: incorrect password

It wont ask me to enter password and i cant log into shell as root. I did add the anotheruser to the wheelpool thru whm. Anyone can help me???

try

su -

then it will ask for a password

How would you disable the version output on Pure-FTPd?

I don't recall what the settings are for pure-ftp at the moment, but proftp's are:
/etc/proftpd.conf
ServerIdent ProFTPD [version] Server (server name) [hostname]
ServerName "ProFTPD Server [version]"

And apaches ident's are under:
/etc/httpd/conf/httpd.conf
ServerSignature off
ServerTokens ProductOnly

I guess another option would be to just change proftp's ident to something else so when people logon they think they're using some other ftp server.

I fix the problem:

I had to set "anyuser" to have shell access