  1. #1

    Who's got some KILLER tips on Server Hardening with cPanel?

    Ok, I'm at my wits end.

    I've always thought I was decent at securing servers. Not the best, but better than usual.

    I've been put to shame a few times this week.

    What happened was the server was rooted, had to have been rooted, no other way I can think of that virtually everything in / would be removed.

    Here's a quick overview of what was done:

    GRSec Kernel 2.6.11.12 was installed (with grsec enabled. If you want specific options I can dig them out).
    APF & BFD installed.
    Root logins disabled. 2 wheel users, both with random alphanumeric passwords, each 32 characters in length (md5sum).
    mod_security with 'decent' ruleset (trying not to hinder usability)
    Root PW was client specified, though relatively strong (using special symbols and such).
    This was done more than once using courier and uwimap as imap servers at different times, if this matters.
    Client was only using https form of WHM access.
    MySQL 4.0.x
    PHP 4.4.1
    Everything else was off-the-shelf cPanel CURRENT specification.

    I've looked around and haven't seen ANY obvious exploits that would enable this.

    Anyone have any suggestions? The long nights are getting a little harsh.

  2. #2
    GRSec Kernel 2.6.11.12 was installed (with grsec enabled. If you want specific options I can dig them out).
    That kernel is vulnerable.

    http://www.frsirt.com/english/advisories/2005/2359
    http://www.frsirt.com/english/advisories/2005/2173
    http://www.frsirt.com/english/advisories/2005/1863
    http://www.frsirt.com/english/advisories/2005/1701
    http://www.frsirt.com/english/advisories/2005/1329

    And a few more. Not sure if that's the reason for the exploit, but it's possible.

    What is the operating system you were using? Could have been an exploit in another package.

    How were the permissions on directories?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  3. #3
    I always like to change the root login port and deny access to port 22 via apf.
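An added example, not written by any poster in this thread: a small POSIX shell audit that checks an sshd_config and APF's conf.apf for the settings discussed here (root login disabled, sshd moved off port 22 with an explicit user allow-list, and TCP/22 closed in APF's IG_TCP_CPORTS). The file paths are parameters and the sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config plus APF's
# conf.apf for the settings discussed above: root login off, sshd moved
# off port 22, an explicit AllowUsers list, and TCP/22 closed in APF.
# File paths are parameters; the sample files below are constructed.

# sshd_get FILE KEYWORD: sshd honours the FIRST uncommented directive
sshd_get() {
    awk -v k="$2" '!f && tolower($1)==tolower(k) {v=$2; f=1} END {print v}' "$1"
}

# audit_ssh SSHD_CONFIG CONF_APF: prints one finding per line, returns the count
audit_ssh() {
    sshd="$1"; apf="$2"; n=0
    port=$(sshd_get "$sshd" Port); [ -n "$port" ] || port=22
    [ "$(sshd_get "$sshd" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; n=$((n+1)); }
    [ "$port" != "22" ] ||
        { echo "sshd still listens on port 22"; n=$((n+1)); }
    [ -n "$(sshd_get "$sshd" AllowUsers)" ] ||
        { echo "no AllowUsers: every shell account may log in"; n=$((n+1)); }
    # IG_TCP_CPORTS="22,80,..." is APF's inbound TCP allow list
    cports=$(sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$apf")
    case ",$cports," in
        *",22,"*) echo "APF still allows inbound TCP/22"; n=$((n+1)) ;;
    esac
    case ",$cports," in
        *",$port,"*) ;;
        *) echo "APF does not allow the sshd port $port"; n=$((n+1)) ;;
    esac
    return $n
}

# constructed samples: a default-style config and a hardened one
tmp=$(mktemp -d)
printf '#Port 22\nPermitRootLogin yes\nProtocol 2\n' > "$tmp/sshd_weak"
printf 'IG_TCP_CPORTS="21,22,25,80,443,2082,2083,2086,2087"\n' > "$tmp/apf_weak"
printf 'Port 2222\nPermitRootLogin no\nAllowUsers admin1 admin2\n' > "$tmp/sshd_hard"
printf 'IG_TCP_CPORTS="21,25,80,443,2082,2083,2086,2087,2222"\n' > "$tmp/apf_hard"

audit_ssh "$tmp/sshd_weak" "$tmp/apf_weak" || echo "$? finding(s) in the weak config"
audit_ssh "$tmp/sshd_hard" "$tmp/apf_hard" && echo "hardened config: no findings"
```

Run it against the live /etc/ssh/sshd_config and /etc/apf/conf.apf after each change; a non-zero exit count is the list of items still open.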

  4. #4
    Quote Originally Posted by Steven
    That kernel is vulnerable.

    http://www.frsirt.com/english/advisories/2005/2359
    http://www.frsirt.com/english/advisories/2005/2173
    http://www.frsirt.com/english/advisories/2005/1863
    http://www.frsirt.com/english/advisories/2005/1701
    http://www.frsirt.com/english/advisories/2005/1329

    And a few more. Not sure if that's the reason for the exploit, but it's possible.

    What is the operating system you were using? Could have been an exploit in another package.

    How were the permissions on directories?
    Thanks a ton. I'll have to keep that site on file.

    Running CentOS 3.6, with the latest grsec kernel.

    We also found some extra ssh access allowed where it was not needed... which has been removed.

    Now the killer question... run 2.6.14.2 w/ no ssh access for anyone but admins to have GRsec, or find some copy of the 14.4 (which is not stable? According to kernel.org 14.2 is the stable one) and run that vanilla?

    Which directory permissions? Quite a bit was removed... it wasn't only php related things.
    Jacob - WebOnce Technologies - 30 Day 100% Satisfaction Guarantee - Over 5 Years Going Strong!
