Security Checklist - Help and Insight Needed
GetWired
There are a lot of things floating around the forums on what to install to get the best degree of safety. I'd really like to get down how to do these installs the first time around, so it'll be easier to do it the second time. I'm going to basically post my current checklist of what to do after looking through the forums, and if anyone has any ideas on something else, or if it doesn't have a link to a howto, post it pwease?

I first plan on making this projected towards cpanel, but I will soon expand to other admin panels.

######################

Things I know for sure to install/ do on my server in order of importance:

- Full Cpanel (stable) upgrade [Already installed Cpanel Feature]
This should upgrade openssh and all of that good stuff so all those locks show locked.
- Recompile Apache [Already installed Cpanel Feature]
- Disable Telnet

# pico -w /etc/xinetd.d/telnet
# (change disable = no to yes)
# /etc/init.d/xinetd restart

- Bind sshd to only 1 ip, and make it a different ip than my main site, and on a different high level port.
- Chroot/Jail [Link]

Then this is where a few questions come up:

Firewalls, I hear of: PMFirewall, Kiss my firewall, APF, Bastille etc.. What's the best?

Ipchains.. Iptables.. What are these? I'm pretty sure they are something the firewalls look at for instructions on what to do, but I'm not sure if they are, or if they are some type of program.

Also, I heard portsentry was bad, but what is it? Is it a type of firewall?

- Tripwire [Link]
- Anti-Virus Scanner [Link]
- Email Anti-Virus Scanner (MailScanner) [Link]
- chkrootkit [Link]
- Disable direct root login [Link]
- PRM (Process Resource Monitor) [Link]
- MRTG bandwidth monitor
- Mask apache server & services version numbers [Link]

I hear a lot about programs that check logs for you, but they all trail off and don't help at all. Help on that?

######################

That's about all I have, other than a set of 'always do this' rules.

1.) Always try to use sftp.
2.) Always use ssh2
3.) Never ever have passwords lying around or use easily crackable passwords. Nice password holder and gen program is Personal Vault. You can check it out and download it here [Link]

This is all I have for now, and I plan on making a definitive howto when I'm done, on how to properly secure your cpanel box to its fullest. I'd really like to help the community once I find all of this stuff out, but I need help.

Thanks for understanding and helping!

Btw, I posted this in the security forum and general forum, but it got no response at all.
GetWired
top

Come on, if I get this right then we can expand the cpanel newbie guide to include security.
mang0head
QUOTE
- Bind sshd to only 1 ip, and make it a different ip than my main site, and on a different high level port.

I'm a newbie to Linux, how can this be done?

thanks!

mangohead
mang0head
I don't know if this has anything to do with the security guide.
I applied some of the secure settings, however I notice that the "service" command no longer works.

eg.

admin@plain [~]# service apf stop
bash: service: command not found
admin@plain [~]#

Does anyone know if any of the items on the security checklist would disable this?

thanks!

mangohead
GetWired
To bind to a different ip and port:

QUOTE
pico -w /etc/ssh/sshd_config

Find the line '#Port 22' and uncomment it and change it to look like 'Port [Random high level port here]'.

Request an ip from rackshack and create a nameserver using your registrar (like the first time) that will point to that ip and wait till it resolves. Make the name of it something like 'ssh.domain.com', or 'shell1.domain.com'.

When it resolves, ssh into your box and find the line '#ListenAddress 0.0.0.0' and make it look like 'ListenAddress ##.##.##.##' replacing the number signs with the ip address.

Find the line '#Protocol 2, 1' and uncomment it and change it to look like 'Protocol 2'

Find the line '#PermitRootLogin yes' and uncomment it and make it look like 'PermitRootLogin no'.

Now restart SSH using the command:

/etc/rc.d/init.d/sshd restart

Now exit out, enter 'ssh.domain.com' as the host name, and put in your high level random port in the box, ssh into your box and you're done.


And mang0head, when you login to root you have to use the 'su -' command, not 'su.'
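
A check for the sshd_config edits in the post above, as an added example that is not part of the original thread: it reads a config and reports which of the four settings (Port, ListenAddress, Protocol, PermitRootLogin) are still missing or weak. The function name, the two sample configs, the address 203.0.113.10 and the reading of "high level port" as above 1024 are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the four settings from the post.
# Prints one finding per weak or missing setting; returns 0 only when clean.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # "#Port 22" is a comment, not a setting
    { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
    {
        key = tolower($1)               # keywords are case-insensitive
        if (key == "match") exit        # later lines are conditional; go to END
        val = tolower($0); sub(/^[^ \t]+[ \t]+/, "", val)
        if (key == "port") port[++np] = val
        else if (key == "listenaddress") addr[++na] = val
        else if (!(key in first)) first[key] = val   # sshd keeps the first value
    }
    END {
        if (np == 0) bad("Port not set: sshd listens on 22")
        # Assumption: "high level port" is read as above 1024
        for (i = 1; i <= np; i++)
            if (port[i] + 0 <= 1024) bad("Port " port[i] " is not a high port")
        if (na == 0) bad("ListenAddress not set: sshd listens on every IP")
        for (i = 1; i <= na; i++)
            if (addr[i] == "0.0.0.0" || addr[i] == "::")
                bad("ListenAddress " addr[i] " is a wildcard")
        p = first["protocol"]; gsub(/[ \t]/, "", p)
        if (p != "2") bad("Protocol must be exactly 2, found: " (p == "" ? "unset" : p))
        if (first["permitrootlogin"] != "no") bad("PermitRootLogin is not no")
        exit (n > 0)
    }
    function bad(msg) { n++; print "FINDING: " msg }
    ' "$@"
}

# Constructed sample: the stock lines the post tells you to look for.
sample_stock() {
    printf '%s\n' '#Port 22' '#ListenAddress 0.0.0.0' '#Protocol 2, 1' '#PermitRootLogin yes'
}
# Constructed sample after the edits (203.0.113.10 is a documentation address).
sample_hardened() {
    printf '%s\n' 'Port 48022' 'ListenAddress 203.0.113.10' 'Protocol 2' 'PermitRootLogin no'
}

sample_stock | audit_sshd_config || true
sample_hardened | audit_sshd_config && echo "hardened sample: clean"
```

To check a real file, call `audit_sshd_config /etc/ssh/sshd_config` before restarting sshd, and keep the current session open until a new login on the new IP and port succeeds.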
mang0head
Getwired,

thanks a lot for your help!