Thread: How-To secure cPanel
-
08-10-2004, 03:47 PM #1 - Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
How-To secure cPanel
First and foremost I want to say that this is not going to make your server 100% cracker proof; there is always a possibility that somebody will find a way in. I have listed a lot of things you can do to protect your server and that will help you secure it. While securing your server you have to find a median between what is secure and what restricts your clients or websites. You can easily make your server 100% secure from remote attacks by unplugging the ethernet cable, but chances are you will not get much good with it. This is not a complete guide and I will update it when I find time or it needs it. Overall it is a very good start and it is probably more than most servers have.
If you have any problems with the guide please post them and I will try and help/update the guide. I have not included everything you can do but it is a very good start. If you need somebody to secure your server, please feel free to private message or email me.
All commands meant to be run in ssh will begin with "#"
--------------------------
The first step is to update your software. Make sure up2date says you are fully updated:
#up2date -u
Now update the kernel. Below I have posted the directions for a server using lilo as the bootloader. I will add in directions for grub later as I do not run grub on any of my servers. If you are using grub please skip this section and upgrade the kernel at another time.
#cd /var/spool/up2date
If you have a dual processor server:
#up2date --download --force kernel-smp
#rpm -ivh kernel-smp-2.4.21-15.0.4.EL.i686.rpm
#lilo -v -v
#lilo -R 2.4.21-15.0.4.1
#shutdown -r now
If you have a single processor server:
#up2date --download --force kernel
#rpm -ivh kernel-2.4.21-15.0.4.EL.i686.rpm
#lilo -v -v
#lilo -R 2.4.21-15.0.4.1E
#shutdown -r now
When you run lilo -v -v make sure that no errors appear; if they do, you probably need to look at lilo.conf for the problem.
The lilo -R command will make it reboot only once to the new kernel. If for some reason it does not come back up, just put in a reboot TT and it will automatically boot to the old kernel. If it comes back up fine then you can edit /etc/lilo.conf and set "default=" to the new kernel label.
--------------------------
A firewall should be the first thing installed. I recommend advanced protection firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists.
http://rfxnetworks.net/apf.php
#cd /usr/src
#wget http://rfxnetworks.net/downloads/apf-current.tar.gz
#tar -zxf apf-current.tar.gz
#cd apf-0.*
#./install.sh
Now edit config file
#pico -w /etc/apf/conf.apf
Change the following:
USE_DS="1"
USE_AD="1"
Scroll down to this section:
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
Scroll down a bit then find this section:
EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,123,465,873"
Save the file and start APF with:
#apf -s
If everything still works then edit the config file and turn dev mode off.
DEVM="0"
Now restart APF
#apf -r
--------------------------
The following scripts are fairly easy to use and install, I might add documentation later but for now I will not.
Along with installing APF I would suggest installing brute force monitor (BFD), also by rfxnetworks. BFD will monitor your ssh and ftp services and automatically ban users that try to brute force a password. If you install BFD make sure you can get a separate ip to ssh into your server in case it blocks you for some reason! You can add your ip to the allow list via "apf -a IP" if you have a static ip.
http://rfxnetworks.net/bfd.php
Yet another very handy tool by rfxnetworks is socket monitor (PMON). This tool will alert you whenever a new port is opened on the server. This is very helpful in detecting any users running weird processes or attempting to run backdoors. When any program that it does not recognize is started, it will email you with the information.
http://rfxnetworks.net/pmon.php
Another tool I would suggest, but that is not really part of securing your server, is system integrity monitor (SIM) which is also by rfxnetworks. SIM will automatically detect when a service is down and restarts it.
http://rfxnetworks.net/sim.php
I always recommend turning off compilers. Most rootkits come precompiled but not all of them do. It will also prevent shell users from trying to compile any irc related programs. To turn the compilers back on, change off to on.
#/scripts/compilers off
--------------------------
mod_security
First we will download and unzip mod_security. This guide compiles for apache1.3.x which is what cPanel currently uses.
#wget http://www.modsecurity.org/download/...y-1.8.4.tar.gz
#tar zxf mod_security-1.8.4.tar.gz
#cd mod_security-1.8.4/apache1
Next compile mod_security as a module:
#/etc/httpd//bin/apxs -cia mod_security.c
Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.
#cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec
Now edit the httpd.conf:
#pico -w /etc/httpd/conf/httpd.conf
Scroll down below the following line:
AddModule mod_security.c
The rules listed in the text file below can just be pasted in. They are a collection of rules, many of them taken from snort, that block most of the common attacks while still letting normal requests through.
http://eth0.us/faq/modsec.txt
Create the error log file:
#touch /var/log/httpd/audit_log
Restart apache
#service httpd restart
If sites start to have problems, look at the error log:
/var/log/httpd/audit_log
--------------------------
The /tmp partition is one of the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check if your /tmp is secure.
#df -h |grep tmp
If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it is mounted with noexec.
#cat /etc/fstab |grep tmp
If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
#ls -alh /var/ |grep tmp
If it shows something to the effect of "tmp -> /tmp/" then you are ok. If not, go ahead and remove the old /var/tmp and replace it with a symlink to /tmp.
#rm -rf /var/tmp/
#ln -s /tmp/ /var/
If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.
Create a 190Mb partition
#cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000
Format the partition
#mke2fs /dev/tmpMnt
Make a backup of the old data
#cp -Rp /tmp /tmp_backup
Mount the temp filesystem
#mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
Set the permissions
#chmod 0777 /tmp
Copy the old files back
#cp -Rp /tmp_backup/* /tmp/
Once you do that go ahead and start mysql and make sure it works ok. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
Next delete the old /var/tmp and create a link to /tmp
#rm -rf /var/tmp/
#ln -s /tmp/ /var/
If everything still works fine you can go ahead and delete the /tmp_backup directory.
#rm -rf /tmp_backup
--------------------------
Many php exploit scripts use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no non-wheel or non-root user can use them we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the commands below. Mod_security really removes the need to chmod this, but it is an added layer of protection.
#chmod 750 /usr/bin/rcp
#chmod 750 /usr/bin/wget
#chmod 750 /usr/bin/lynx
#chmod 750 /usr/bin/links
#chmod 750 /usr/bin/scp
--------------------------
Now we will install rkhunter so we will at least know if the server has been cracked.
Download and unzip rkhunter
#cd /usr/local/src/
#wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
#tar -zxf rkhunter-1.1.4.tar.gz
#cd rkhunter
Install it
#./install.sh
Now create a cronjob so it will email you with notifications to the root mailbox:
#crontab -e
At the bottom add the following line
16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet
Press control x to save
--------------------------
Thanks to all that have helped me compile this.
Last edited by sprintserve; 08-28-2004 at 12:44 PM.
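The guide above checks the /tmp hardening by eye (df -h | grep tmp, cat /etc/fstab | grep tmp, ls -alh /var/ | grep tmp) and trusts that chmod 750 did its job. Below is an added example, not code from the original post or from rfxnetworks/cPanel, that turns those checks into functions you can run after the steps: it parses /proc/mounts-style lines for the /tmp entry and reports whether noexec and nosuid are both set, confirms /var/tmp really resolves to /tmp, and reports whether a binary is still executable by accounts outside the owning group. The mount table lines are constructed samples, and a scratch directory stands in for /var/tmp and /usr/bin/wget; on a live box you would call check_tmp "$(cat /proc/mounts)" /tmp and others_can_exec /usr/bin/wget instead.

```shell
#!/bin/sh
# Added example (not from the original post): verify the /tmp mount options,
# the /var/tmp symlink and the chmod 750 lockdown described in the guide.

# Constructed /proc/mounts-style samples (not captured from a real server):
# one host with a hardened loop-mounted /tmp, one where /tmp is plain ext3.
HARDENED_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda1 /boot ext3 rw 0 0
/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0
none /proc proc rw 0 0'

WEAK_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0'

# mount_opts MOUNTS MOUNTPOINT: print the option field of MOUNTPOINT's entry, if any
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTS OPT: succeed if OPT is one of the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_tmp MOUNTS MOUNTPOINT: print "missing" (not a separate mount at all),
# "ok" (noexec and nosuid both set) or "weak:<options still missing>"
check_tmp() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo missing
        return 0
    fi
    missing=""
    for want in noexec nosuid; do
        has_opt "$opts" "$want" || missing="$missing,$want"
    done
    if [ -z "$missing" ]; then echo ok; else echo "weak:${missing#,}"; fi
}

# same_dir A B: print yes if A and B are the same directory, so that a
# /var/tmp -> /tmp link really puts /var/tmp under the noexec mount
same_dir() {
    if [ "$1" -ef "$2" ]; then echo yes; else echo no; fi
}

# others_can_exec FILE: print yes if the others-execute bit is set, i.e. an
# account that is neither root nor in the owning group can still run it
others_can_exec() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) echo yes ;;
        *)   echo no ;;
    esac
}

# Scratch tree standing in for /var/tmp -> /tmp and for /usr/bin/wget
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/tmp" "$DEMO_ROOT/var" "$DEMO_ROOT/bin"
ln -s "$DEMO_ROOT/tmp" "$DEMO_ROOT/var/tmp"
: > "$DEMO_ROOT/bin/wget-open";   chmod 755 "$DEMO_ROOT/bin/wget-open"
: > "$DEMO_ROOT/bin/wget-locked"; chmod 750 "$DEMO_ROOT/bin/wget-locked"

echo "hardened sample /tmp: $(check_tmp "$HARDENED_MOUNTS" /tmp)"                   # ok
echo "weak sample /tmp:     $(check_tmp "$WEAK_MOUNTS" /tmp)"                       # weak:noexec,nosuid
echo "/var/tmp shares /tmp: $(same_dir "$DEMO_ROOT/var/tmp" "$DEMO_ROOT/tmp")"      # yes
echo "755 wget runnable by anyone: $(others_can_exec "$DEMO_ROOT/bin/wget-open")"   # yes
echo "750 wget runnable by anyone: $(others_can_exec "$DEMO_ROOT/bin/wget-locked")" # no
```

Note that a /tmp entry in /etc/fstab only shows what will be mounted next boot; /proc/mounts shows what is in effect now, which is why check_tmp reads mount-table lines rather than fstab. A "weak" verdict on a real host means the partition exists but a remount is needed (mount -o remount,noexec,nosuid /tmp) before the fstab change helps.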
-
08-10-2004, 04:23 PM #2 - Web Hosting Guru (Join Date: May 2003; Location: Massachusetts, USA; Posts: 298)
That's a very good HOW-TO! I'm sure it will help keep a lot of newbies out of trouble.
Last edited by choon; 08-11-2004 at 01:48 PM.
-
08-10-2004, 06:31 PM #3 - Web Hosting Master (Join Date: Apr 2001; Posts: 2,611)
At quick glance, you have a lot of outbound TCP ports open, for what reason? Also, why would the average person want ports 6666 and 6667 open, or even the mysql port?
Also, some people may already have a tmp partition, just not secured. You should have notes on how to check if it's on a partition (i.e. df -h; cat /etc/fstab) and then how to secure it from there as well.
Finally, not all users have lilo; I believe grub is most common (and is the default with RHEL).
Last edited by choon; 08-11-2004 at 01:49 PM.
-
08-10-2004, 06:59 PM #4 - Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
The outbound 6667 was something I forgot about and was using it for a particular server, I will remove it.
The incoming 6666 is for the chat server that comes with cPanel, I might remove that.
The checking into the temp partition is a good idea, I will add that later tonight.
I have always used lilo on my servers but will look into grub or at least mention it.
Thanks
Last edited by choon; 08-11-2004 at 01:49 PM.
-
08-11-2004, 01:41 PM #5 - Retired Moderator (Join Date: Jul 2001; Location: Singapore; Posts: 1,889)
You might consider adding File Integrity Checking, as that is a must-have tool for me to take a snapshot of any new system before creating or opening it for production use. Just my suggestion.
-
08-13-2004, 04:55 PM #6 - Web Hosting Master (Join Date: Feb 2004; Location: Sofia; Posts: 1,354)
Thank you for the great HT. Please, consider these corrections in the mod_security part:
#tar zxf mod_security-1.7.4.tar.gz
#cd mod_security-1.7.4/apache1
Next compile mod_security as a module:
#/etc/httpd//bin/apxs -cia mod_security.c

#tar zxf mod_security-1.8.4.tar.gz
#cd mod_security-1.8.4/apache1
Next compile mod_security as a module:
#/usr/local/apache/bin/apxs -cia mod_security.c
There is also no need to backup the httpd.conf as this is performed in the compilation process.
-
08-13-2004, 05:34 PM #7 - Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
Thanks, I am going to write up the integrity checking, then I will change the mod_security stuff.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
08-19-2004, 01:51 PM #8 - Newbie (Join Date: Aug 2004; Posts: 17)
something quick I noticed in your guide:
When securing the /tmp and copying the files from the backup, -p should be added to preserve file permissions.
-
08-27-2004, 11:00 PM #9 - Web Hosting Evangelist (Join Date: Nov 2002; Posts: 514)
I already have kernel version 2.4.24. Is 2.4.21 more secure?
Get help with your server optimization - A forum on server optimization...
ExoPHPDesk - Powerful PHP HelpDesk
-
08-28-2004, 01:47 AM #10 - Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
Originally posted by Mike_R
I already have kernel version 2.4.24. Is 2.4.21 more secure?
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
09-11-2004, 01:54 AM #11 - Junior Guru Wannabe (Join Date: Jan 2003; Location: UK; Posts: 99)
Thanks for the excellent howto!
I installed mod_security, running great, thanks!
I do have problems with apf. When I start apf NOTHING works including websites etc. It almost looks like apf blocks everything..
I tried many things with no luck..
I just thought about checking the iptables config, which might be causing this issue. Do you know if there is something not ok in my iptables config?
# cat /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modules.conf.
#IPTABLES_MODULES=""
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
#IPTABLES_MODULES_UNLOAD="yes"
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
#IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
#IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
#IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: no
# Print IP addresses and port numbers in numeric format in the status output.
#IPTABLES_STATUS_NUMERIC="no"
Thanks!
European Web Hosting and Dedicated Server solutions since 2003.
-
09-11-2004, 02:24 AM #12 - Web Hosting Master (Join Date: Apr 2001; Posts: 2,611)
You seem to have conveniently missed out on pasting the ports you have open.. might come in handy if ya do indeed need help
-
09-11-2004, 03:57 AM #13 - Junior Guru Wannabe (Join Date: Jan 2003; Location: UK; Posts: 99)
Originally posted by Haze
You seem to have conveniently missed out on pasting the ports you have open.. might come in handy if ya do indeed need help
# IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
IG_UDP_CPORTS="21,53,465,873"
IG_ICMP_TYPES="3,5,11,0,30,8"
root@bb [/usr/local/apf-0.9.4-5]# cat /etc/apf/conf.apf | grep EG
# egress filtering on or off with the EGF variable. Format is comma seperated
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
EGF="1"
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
EG_UDP_CPORTS="20,21,53,123,465,873"
EG_ICMP_TYPES="all"
# Format: EG_[TCP|UDP]_UID="uid:port"
# EG_TCP_UID="0:22"
EG_TCP_UID=""
EG_UDP_UID=""
Thanks
European Web Hosting and Dedicated Server solutions since 2003.
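Posts #3 and #4 raised the question of ports in the APF lists that a shared cPanel box has no business exposing (the IRC ports 6666/6667 and the mysql port), and the conf.apf paste above shows both the guide's list and APF's shipped default, still commented out, with its 6000_7000 range (APF writes a port range as LOW_HIGH). The following is an added example, not code from the original posts or from rfxnetworks: it expands an IG_/EG_ port list, ranges included, and prints the ports that land on a flag list. The flag list (3306 for mysql, 6660 to 6669 and 7000 for irc) is this example's own assumption built from the ports questioned in the thread; adjust it to what your own server should never serve.

```shell
#!/bin/sh
# Added example (not from the original posts or rfxnetworks): expand an APF
# port list and flag ports that a shared cPanel web server rarely needs open.

# Assumption for this example: ports questioned in the thread (mysql, irc).
# Same LOW_HIGH range syntax as conf.apf itself.
FLAG_PORTS="3306,6660_6669,7000"

# expand_ports LIST: print one port per line, with LOW_HIGH ranges expanded
expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            '')  ;;
            *_*) seq "${item%_*}" "${item#*_}" ;;
            *)   printf '%s\n' "$item" ;;
        esac
    done
}

# audit_ports LIST: print the ports of LIST that are on FLAG_PORTS, space
# separated, in the order they appear and without repeats; an empty line if none
audit_ports() {
    {
        expand_ports "$FLAG_PORTS" | sed 's/^/F /'
        expand_ports "$1"          | sed 's/^/L /'
    } | awk '
        $1 == "F" { flag[$2] = 1; next }
        $1 == "L" && ($2 in flag) && !seen[$2]++ { sep = (n++ ? " " : ""); out = out sep $2 }
        END { print out }'
}

# The two inbound lists visible in the conf.apf paste above: the guide's list
# and the APF default that was left commented out.
GUIDE_IN="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
APF_DEFAULT_IN="21,22,25,53,80,443,110,143,6000_7000"

echo "guide list flagged:   [$(audit_ports "$GUIDE_IN")]"        # []
echo "default list flagged: [$(audit_ports "$APF_DEFAULT_IN")]"  # [6660 ... 6669 7000]
```

To run it against a live config, pull the value out of the file first, for example audit_ports "$(sed -n 's/^IG_TCP_CPORTS="\(.*\)"/\1/p' /etc/apf/conf.apf)"; the same call works for the EG_TCP_CPORTS line, which is where the outbound 6667 in post #4 would have shown up.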
-
10-03-2004, 02:24 AM #14 - Retired Moderator (Join Date: Jan 2003; Posts: 9,049)
The mod_security configuration here will cause a lot of false positives, for example since it is blocking very short strings (rm, etc.). I suggest you read up and tweak the mod_security rules yourself for the least problems.
••• Like us on Facebook to qualify for discounts! •••
••• http://www.sprintserve.net •••
••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••
-
10-03-2004, 02:49 AM #15 - Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
cat is another example.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
10-03-2004, 11:50 AM #16 - New Member (Join Date: Jul 2004; Posts: 3)
ty very much for this.
-
10-22-2004, 11:05 AM #17 - WHT Addict (Join Date: Jun 2004; Posts: 113)
Thanks a lot for this. Very useful.
I installed PMON (Port Monitor). It has added a cron.d entry to /etc/cron.d/lsm
However, I do not see this entry when I do 'crontab -e'. Can someone please explain what is going on?
-
11-16-2004, 08:40 AM #18 - WHT Addict (Join Date: Jan 2002; Posts: 174)
Can mod_security be used to stop shell script?
-
11-16-2004, 10:42 AM #19 - Retired Moderator (Join Date: Jan 2003; Posts: 9,049)
Mod_security won't stop shell scripts. It's meant to protect against script hacking, script injection attacks, exploitation of vulnerable scripts etc.
••• Like us on Facebook to qualify for discounts! •••
••• http://www.sprintserve.net •••
••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••
-
11-16-2004, 11:17 AM #20 - Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
As sprintserve said mod_security is just going to prevent the server from being exploited via apache. It will not protect against any other way of getting into the server.
-
11-17-2004, 04:37 AM #21 - WHT Addict (Join Date: Jan 2002; Posts: 174)
Thank you for the info. But can mod_security be set to filter the word "shell" in .php and .cgi?
Is the rule set given by this thread's starter enough for mod_security on a shared web hosting server?
-
11-17-2004, 08:29 AM #22 - Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
There would be nothing to be gained by filtering the word shell, it filters the actual commands. Yes the ruleset above is very sensitive and chances are you will end up removing some of the rules over time.
-
11-19-2004, 06:22 PM #23 - Disabled (Join Date: Nov 2004; Location: San jose; Posts: 16)
Thank you. This is a very useful thread.
-
12-18-2005, 03:26 PM #24 - Junior Guru Wannabe (Join Date: Nov 2005; Posts: 79)
Excellent, I recommend these standards highly.
-
02-02-2006, 02:29 AM #25 - Newbie (Join Date: Nov 2004; Posts: 28)
I've got cPanel on CentOS. Every time I reboot the server, the file /dev/tmpMnt is deleted. Is this common?