  1. #1

    Hardening/securing cpanel centos

    Hi Guys,

    I have a dedicated server which I host a few cpanel accounts on. I have done the following.

    Setup csf
    Installed a rootkit detector
    Installed mod security
    Set apache signature/tokens

    Are there any other things I can do, e.g. securing partitions etc.?

    Any advice or SSH commands would be very much appreciated.

    Thanks

    CSD

  2. #2
    Are these personal sites, or are you offering shared hosting for other people?

  3. #3
    There are a lot of things that you can do to secure a server. But as just mentioned above, it depends upon the purpose of the server. You don't have to do extensive things, if the server is for your personal sites. But if you are planning something like hosting, you will need a lot more.

  4. #4
    CSF also has a few steps you can follow that are well documented in order to secure your server. As I'm no longer working in shared hosting business I'm not too sure where to find it in the CSF panel, but it's not that hard to find.

    You can also limit some PHP functions such as exec and shell_exec. Also don't forget to set a max mail count per hour and don't forget to disable anonymous FTP.

    These are a few good reads:
    PHP functions to be disabled on shared hosting
    Disable insecure/dangerous PHP functions
    10 Tips for making your cPanel and WHM servers more secure
    Recommended Security Settings

    Hope that helps.

  5. #5
    More security settings in cPanel like Shell Fork Bomb Protection, background process killer, FTP configuration, some security settings in Tweak Settings. Apparently go to WHM >> ConfigServers Firewall >> click on the button "Test Server Security"; that will show you a lot of security settings for your server. Don't just follow them all; check the red ones and update necessary settings. Also disable unwanted processes.

    Code:
    cd /usr/local/src/ && wget http://nixtree.com/download/free/services_dis_ded.txt && for i in `cat services_dis_ded.txt`; do chkconfig $i off; service $i stop; done; rm -f services_dis_ded.txt

  6. #6

    Re: Hardening/securing cpanel centos

    Hi, it was for personal but I'm going to start offering hosting to the public so I'm looking for any good advice :-) Thanks

  7. #7
    Quote Originally Posted by nixtree View Post
    More security settings in cPanel like Shell Fork Bomb Protection, background process killer, FTP configuration, some security settings in Tweak Settings. Apparently go to WHM >> ConfigServers Firewall >> click on the button "Test Server Security"; that will show you a lot of security settings for your server. Don't just follow them all; check the red ones and update necessary settings. Also disable unwanted processes.

    Code:
    cd /usr/local/src/ && wget http://nixtree.com/download/free/services_dis_ded.txt && for i in `cat services_dis_ded.txt`; do chkconfig $i off; service $i stop; done; rm -f services_dis_ded.txt
    What exactly does this command do?

    Chris

  8. #8
    That will disable all the services on a dedicated server that are normally not necessary for a server. It is good to run only necessary services on a server.

  9. #9
    So I would simply run the command and that would shut down any service not required for a hosting environment. :-)
    Chris

  10. #10
    Yes, correct. We compiled that list based on our previous experience with presetting servers.

  11. #11
    In that case, I'd suggest using CloudLinux with CageFS and SecureLinks.

    Costs a couple of bucks extra per month but it's worth it.

    Quote Originally Posted by csdnet View Post
    Hi, it was for personal but I'm going to start offering hosting to the public so I'm looking for any good advice :-) Thanks

  12. #12
    Thanks for all the info guys, real big help :-) What volumes should I secure and how do I do it via SSH?

  13. #13

    Re: Hardening/securing cpanel centos

    I'd highly suggest disabling direct root login and changing the default port it runs on as a basic measure.

  14. #14
    Quote Originally Posted by NorthHosts View Post
    I'd highly suggest disabling direct root login and changing the default port it runs on as a basic measure.
    I always cringe when I see people advising to change the default SSH port. Any time I have looked at logs on a server that is being bruteforced, SSH attempts are rarely on port 22, they are always on some random port, and that is because the internet is full of people telling others to change the default port for SSH. If you secure your logins correctly, i.e. by disabling password-based SSH auth, then it doesn't matter how much someone bruteforces SSH on a certain port, they aren't getting in.

    I strongly advise that you generate an SSH key pair and set a good password on your private key, enable the public key for root login on WHM then use password tweak to disable SSH password login. That will give you far more protection than changing the SSH port on a server.

  15. #15
    Hi, I have already disabled direct root access through SSH :-) Thanks for SSH advice :-)

  16. #16

    Re: Hardening/securing cpanel centos

    Quote Originally Posted by railto View Post
    I always cringe when I see people advising to change the default SSH port. Any time I have looked at logs on a server that is being bruteforced, SSH attempts are rarely on port 22, they are always on some random port, and that is because the internet is full of people telling others to change the default port for SSH. If you secure your logins correctly, i.e. by disabling password-based SSH auth, then it doesn't matter how much someone bruteforces SSH on a certain port, they aren't getting in.

    I strongly advise that you generate an SSH key pair and set a good password on your private key, enable the public key for root login on WHM then use password tweak to disable SSH password login. That will give you far more protection than changing the SSH port on a server.
    You always cringe? We get lots of attempts on port 22 actually! Changing the default port to a high number coupled with disabling direct root login is better than doing nothing.

  17. #17
    Disabling direct root login can be bad, and creates more work for people, which can delay problems getting resolved. For example, if you've got a server that's loaded down, logging in once can be problematic, logging in twice (i.e. sudo or su) will just add to that. It's a better option to just require keys to log in as root.

    In fact, disable password login entirely via SSH, lock it up completely. Your users can upload their keys if they need to.

    As far as changing the port, well, that isn't that hard to discover. Not saying that it doesn't do anything, but it's not hard to detect what port you're running SSH on.

  18. #18
    As someone said before, you need to check out PHP hardening, as it can be very tricky, and it's certainly not limited to disabling shell & shell_exec functions only. What if they overwrite your php.ini with the local one? This goes for any type of hardening.
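
The local php.ini concern raised in this post can be checked from the shell. This is an added example, not code from any poster: it assumes the PHP handler lets a php.ini inside an account's directory replace the server-wide one, and the `REQUIRED` baseline, the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find local php.ini files that drop the server-wide
# disable_functions restriction.

# Assumed baseline: the two functions named in this thread.
# Extend it to match the server's own php.ini.
REQUIRED="exec shell_exec"

# Print the functions from $REQUIRED that php.ini file $1 leaves enabled.
missing_disabled() {
    # Lines starting with ";" are comments and never match.
    # If the directive appears more than once, the last assignment is used.
    list=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
           tail -n 1 | tr -d '" \t\r')
    out=""
    for fn in $REQUIRED; do
        case ",$list," in
            *",$fn,"*) ;;                       # still disabled
            *) out="$out${out:+ }$fn" ;;        # missing from the local file
        esac
    done
    printf '%s\n' "$out"
}

# Report every php.ini below directory $1 that leaves a required function enabled.
audit_tree() {
    find "$1" -type f -name php.ini | sort | while IFS= read -r ini; do
        gap=$(missing_disabled "$ini")
        if [ -n "$gap" ]; then echo "$ini: not disabled: $gap"; fi
    done
}

# Constructed sample tree: user1 keeps the restriction, user2's local file
# omits the directive entirely, user3 lists only one of the two functions.
demo_php() {
    t=$(mktemp -d)
    mkdir -p "$t/user1" "$t/user2" "$t/user3"
    echo 'disable_functions = exec, shell_exec, system' > "$t/user1/php.ini"
    echo 'memory_limit = 256M' > "$t/user2/php.ini"
    echo 'disable_functions = "shell_exec"' > "$t/user3/php.ini"
    (cd "$t" && audit_tree .)
    rm -rf "$t"
}
demo_php
```

On a real server the argument to `audit_tree` would be the directory that holds the hosted accounts.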

  19. #19
    Hi StefanHost, do you know of any guides for PHP hardening? I do have some info on it but any relevant material is worth looking over :-)

  20. #20
    Quote Originally Posted by csdnet View Post
    Hi StefanHost, do you know of any guides for PHP hardening? I do have some info on it but any relevant material is worth looking over :-)
    I don't follow any particular guide as that's very bad practice, but you might get a sense of what is going on with this: http://www.cyberciti.biz/tips/php-se...-tutorial.html and to disable functions: http://www.cyberciti.biz/faq/linux-u...ble-functions/

  21. #21
    These are items inside of WHM/Cpanel that should be changed to secure your server.



    Goto Server Setup =>> Tweak Settings


    Check the following items...


    Under Domains

    Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)


    Under Mail

    Attempt to prevent pop3 connection floods

    Default catch-all/default address behavior for new accounts - blackhole


    Under System

    Use jailshell as the default shell for all new accounts and modified accounts



    Goto Server Setup =>> Tweak Security

    Enable php open_basedir Protection

    Enable mod_userdir Protection

    Disabled Compilers for unprivileged users.



    Goto Server Setup =>> Manage Wheel Group Users

    Remove all users except for root and your main account from the wheel group.



    Goto Server Setup =>> Shell Fork Bomb Protection

    Enable Shell Fork Bomb/Memory Protection



    When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.



    Goto Service Configuration =>> FTP Configuration

    Disable Anonymous FTP



    Goto Account Functions =>> Manage Shell Access

    Disable Shell Access for all users (except yourself)


    Goto Mysql =>> MySQL Root Password

    Change root password for MySQL



    Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:

    /sbin/depmod
    /sbin/insmod
    /sbin/insmod.static
    /sbin/modinfo
    /sbin/modprobe
    /sbin/rmmod

  22. #22
    These are measures that can be taken to secure your server, with SSH access.


    Update OS, Apache and CPanel to the latest stable versions. This can be done from WHM/CPanel.



    Restrict SSH Access


    To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.


    SSH into server and login as root.

    Note: You can download Putty by Clicking Here. It's a clean running application that will not require installation on Windows-boxes.


    At command prompt type: pico /etc/ssh/sshd_config

    Scroll down to the section of the file that looks like this:

    -------------------------------------------

    #Port 22
    #Protocol 2, 1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    -------------------------------------------


    Uncomment and change

    #Port 22

    to look like

    Port 5678 (choose your own 4 to 5 digit port number)

    (49151 is the highest port number)


    Uncomment and change

    #Protocol 2, 1

    to look like

    Protocol 2


    Uncomment and change

    #ListenAddress 0.0.0.0

    to look like

    ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


    Note 1: If you would like to disable direct Root Login, scroll down until you find

    #PermitRootLogin yes

    and uncomment it and make it look like

    PermitRootLogin no

    Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


    Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.


    Now restart SSH

    At command prompt type: /etc/rc.d/init.d/sshd restart


    Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.


    Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.




    Disable Telnet

    To disable telnet, SSH into server and login as root.

    At command prompt type: pico -w /etc/xinetd.d/telnet

    change disable = no to disable = yes

    Save and Exit

    At command prompt type: /etc/init.d/xinetd restart




    Server e-mail every time someone logs in as root

    To have the server e-mail you every time someone logs in as root, SSH into server and login as root.

    At command prompt type: pico .bash_profile

    Scroll down to the end of the file and add the following line:

    echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

    Save and exit.




    Set an SSH Legal Message

    To set an SSH legal message, SSH into server and login as root.

    At command prompt type: pico /etc/motd

    Enter your message, save and exit.

    Note: I use the following message...

    -------------------------------------------

    ALERT! You are entering a secured area! Your IP and login information
    have been recorded. System administration has been notified.

    This system is restricted to authorized access only. All activities on
    this system are recorded and logged. Unauthorized access will be fully
    investigated and reported to the appropriate law enforcement agencies.

    -------------------------------------------

    Now every time someone logs in as root, they will see this message... go ahead and try it.




    Disable Shell Accounts

    To disable any shell accounts hosted on your server SSH into server and login as root.

    At command prompt type: locate shell.php

    Also check for:

    locate irc
    locate eggdrop
    locate bnc
    locate BNC
    locate ptlink
    locate BitchX
    locate guardservices
    locate psyBNC
    locate .rhosts


    Note: There will be several listings that will be OS/CPanel related. Examples are

    /home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
    /usr/local/cpanel/etc/sym/eggdrop.sym
    /usr/local/cpanel/etc/sym/bnc.sym
    /usr/local/cpanel/etc/sym/psyBNC.sym
    /usr/local/cpanel/etc/sym/ptlink.sym
    /usr/lib/libncurses.so
    /usr/lib/libncurses.a
    etc.




    Disable identification output for Apache

    To disable the version output for proftp, SSH into server and login as root.

    At command prompt type: pico /etc/httpd/conf/httpd.conf


    Scroll (way) down and change the following line to

    ServerSignature Off


    Restart Apache

    At command prompt type: /etc/rc.d/init.d/httpd restart
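
The sshd_config settings argued over in this thread (Protocol 2, root login, password logins) can be checked with a short script. This is an added example, not code from any poster; the function names `sshd_value` and `audit_sshd`, the sample config and the treatment of an unset keyword as `yes` are assumptions made here.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings debated in this thread.

# Print the global value of keyword $2 in file $1, lower-cased.
# sshd uses the first occurrence of a keyword and matches it case-insensitively;
# anything after a Match line is conditional, so parsing stops there.
sshd_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit
        }' "$1"
}

# Print one FAIL line per weak setting; return 0 only if there are none.
audit_sshd() {
    cfg=$1; fails=0
    proto=$(sshd_value "$cfg" Protocol)
    root=$(sshd_value "$cfg" PermitRootLogin)
    pass=$(sshd_value "$cfg" PasswordAuthentication)
    # Only an explicit Protocol line is checked; the built-in default
    # depends on the OpenSSH version.
    case "$proto" in
        *1*) echo "FAIL Protocol=$proto"; fails=$((fails + 1)) ;;
    esac
    # Assumption: an unset keyword is treated as "yes".
    case "${root:-yes}" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "FAIL PermitRootLogin=${root:-unset}"; fails=$((fails + 1)) ;;
    esac
    case "${pass:-yes}" in
        no) ;;
        *) echo "FAIL PasswordAuthentication=${pass:-unset}"; fails=$((fails + 1)) ;;
    esac
    echo "$fails finding(s)"
    [ "$fails" -eq 0 ]
}

# Constructed sample: Protocol 1 still offered, root and password logins open.
demo_sshd() {
    tmp=$(mktemp)
    printf '%s\n' 'Port 22' 'Protocol 2,1' 'PermitRootLogin yes' > "$tmp"
    audit_sshd "$tmp" || true
    rm -f "$tmp"
}
demo_sshd
```

Running `sshd -t` before restarting sshd reports syntax errors in the edited file while the current session is still open.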

  23. #23

    Re: Hardening/securing cpanel centos

    Many thanks for the info :-)

  24. #24

    Re: Hardening/securing cpanel centos

    Many thanks for all the info you guys have given me, this is such an awesome community! Going back to PHP, can anyone give me a clear list of things to do to secure PHP? :-) Thanks again, I'm very grateful!!!
