cPanel Initial Server Hardening
Wednesday, July 9th, 2008
Hello,
This tutorial has been requested by clients and providers alike, and I will try not to disappoint with my all-in-one script and walkthrough.
Requirements
- cPanel/WHM Fresh Installation
- Root Access
- CentOS 4 or 5
Startup
First of all, we need to install the required tools: a firewall, a mail queue manager, and a file explorer, so that we can still edit files from WHM if we lock ourselves out of SSH during this tutorial. I have prepared the following script, which you fetch and run as root:
# wget http://rabidrichard.com/wp-content/uploads/2008/07/cpanel-hard.sh
# chmod 0700 cpanel-hard.sh
# ./cpanel-hard.sh
Read the script before you run it: it is downloaded over plain HTTP and executes as root, so confirm it does what you expect. It only needs to be executable by root, which is why the mode above is 0700 rather than 0777; a world-writable script that root is about to run is an invitation for any local user to edit it first. The script installs the applications listed below, plus chkrootkit to detect rootkits, and stops unneeded services that would slow the server down or widen its attack surface.
After the applications are installed, you should see the following at the bottom of the WHM menu:
- ConfigServer Mail Manage
- ConfigServer Mail Queues
- ConfigServer Explorer
- ConfigServer Security&Firewall
We won't configure these yet, as we still have work to do in SSH.
SSH Login Notice
This is a simple but valuable tripwire for the root account: every time a login shell is opened as root, an e-mail is sent to you. An intruder who already has root can find and remove it, so treat it as an early warning rather than a reliable audit log, but it costs nothing and it catches the careless. All you need to do is the following:
Move to the root Directory:
# cd /root
Load the bash_profile file with a text editor:
# nano .bash_profile
At the very end of the file, insert the following line, replacing the e-mail address with your own:
echo "ALERT - Root SSH Access on: $(date) $(who am i)" | mail -s "Alert: Root Access from ${SSH_CLIENT%% *}" your@email.com
`who am i` reports only the current session rather than everyone logged in, and SSH_CLIENT (set by sshd to "client_ip client_port server_port") gives the connecting address without depending on the column layout of `who`, which varies between versions. Bear in mind that .bash_profile is only read by interactive login shells, so `ssh host 'command'` and `su` without `-` will not trigger the alert.
Save, and exit the text editor, using the following keyboard shortcuts:
Ctrl + o
Ctrl + x
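A more complete version of the tripwire, as an added example and not code from the original post: it keeps a local log line even when mail is down, and reports console or `su` logins, which have no SSH_CLIENT, instead of producing an empty address. The recipient, the log path and the idea of sourcing it from .bash_profile are assumptions.

```shell
#!/bin/bash
# Added example: root-login tripwire that does not depend on the column
# layout of `who`.  Not from the original post; ALERT_TO, ALERT_LOG and
# the script location are assumptions to adjust for your server.

ALERT_TO="${ALERT_TO:-your@email.com}"              # assumption: your address
ALERT_LOG="${ALERT_LOG:-/var/log/root-logins.log}"  # assumption: local copy survives mail outages

# Where did this session come from?  sshd sets SSH_CLIENT to
# "client_ip client_port server_port"; for a console login or a plain
# `su -` it is unset, so say so rather than reporting an empty field.
login_source() {
    if [ -n "${SSH_CLIENT:-}" ]; then
        printf '%s\n' "${SSH_CLIENT%% *}"
    else
        printf 'local (console or su)\n'
    fi
}

# One-line summary used as mail subject and log entry.
# $1 host, $2 source (from login_source), $3 timestamp.
alert_summary() {
    printf 'Root login on %s from %s at %s\n' "$1" "$2" "$3"
}

# Record locally first, then mail.  The body is the full `who` listing so
# you can see what else was logged in at the time.
root_login_alert() {
    local src ts summary
    src="$(login_source)"
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    summary="$(alert_summary "$(hostname)" "$src" "$ts")"
    printf '%s tty=%s\n' "$summary" "$(tty 2>/dev/null || echo none)" >> "$ALERT_LOG"
    if command -v mail >/dev/null 2>&1; then
        who | mail -s "$summary" "$ALERT_TO"
    fi
}

# In /root/.bash_profile (assumption: the script is saved as /root/.login-alert.sh):
#   [ -f /root/.login-alert.sh ] && . /root/.login-alert.sh && root_login_alert
```

Like the one-liner above, this only fires for interactive login shells; it is a tripwire for someone sitting down at a root shell, not a record of every command run as root.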
Securing SSH
Now it is time to change the port that SSH listens on and disable the obsolete SSH protocol 1. Moving off port 22 keeps most automated brute-force scanners out of your logs, which is useful, but it is obscurity rather than a security control: anyone who port-scans the host will find the new port. Dropping protocol 1, which has known cryptographic weaknesses, is the part that actually removes an attack surface.
Edit the SSH configuration file:
# nano /etc/ssh/sshd_config
Find the part that looks like:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Change that to look like:
Port 42537
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
Do not copy the port above, which is only an example: pick an unused port of your own. Valid TCP ports run up to 65535; stay above 1023, avoid the ports cPanel itself uses (2082-2096), and check nothing else is already listening on your choice with `netstat -lnt`.
Save, and exit the text editor, using the following keyboard shortcuts:
Ctrl + o
Ctrl + x
Once done, restart your SSH process:
# service sshd restart
Keep this session open and start a second SSH connection on the new port to confirm it works before you close the first one; if the new connection fails, you still have the original session in which to fix the configuration. If the firewall is already running, the new port must also be in its TCP_IN list or the connection will be dropped.
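The edit above, scripted so it can be applied to a fresh install and read back before restarting sshd, as an added example that is not part of the original post. The config path and port are parameters, and the usage line at the bottom assumes the system sshd_config.

```shell
#!/bin/bash
# Added example (not from the original post): apply the Port/Protocol
# change idempotently and read the effective values back before
# restarting sshd.  The file path and port are parameters.

# Set KEY to VALUE in FILE.  sshd keywords are case-insensitive, so
# "Port", "#Port" and "# port" are all treated as the line to rewrite;
# if the key is absent it is appended.  Caveat: appending lands at the
# end of the file, which is inside a Match block if the file has one,
# so check that case by hand.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; re = "^[[:space:]]*#?[[:space:]]*" tolower(k) "([[:space:]]|$)" }
        !done && tolower($0) ~ re { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # cat rather than mv keeps the original owner and mode
    rm -f "$tmp"
}

# Print the value sshd will use for KEY: the first uncommented occurrence.
sshd_effective() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The change this section makes: move off port 22 and drop SSH-1.
# Returns non-zero without touching the file if PORT is not usable.
harden_sshd_config() {
    local file="$1" port="$2"
    case "$port" in ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;; esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port out of range (use 1024-65535)" >&2; return 1
    fi
    case "$port" in 208[2-9]|209[0-6]) echo "port $port is used by cPanel" >&2; return 1 ;; esac
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" Protocol 2
}

# Usage on a real server (assumption: the system sshd_config):
#   harden_sshd_config /etc/ssh/sshd_config 42537 && sshd -t && service sshd restart
```

`sshd -t` parses the configuration and exits non-zero on a syntax error, so with the `&&` chain a broken file never reaches the restart.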
Configuring Log Watch
The script I created also installed Logwatch. Logwatch runs once a day from cron by default, reads the system logs, and e-mails the administrator a summary of anything worth knowing about, such as failed logins, rejected mail and service errors.
We now need to tell Logwatch which address to mail.
Open the Logwatch configuration file:
# nano /usr/share/logwatch/default.conf/logwatch.conf
Find the MailTo = line and replace the address with your own. Note that edits to this file are lost when the logwatch package is updated; if /etc/logwatch/conf/logwatch.conf exists on your system, put the MailTo override there instead, since Logwatch reads it after the defaults.
Save, and exit the text editor, using the following keyboard shortcuts:
Ctrl + o
Ctrl + x
Well, you'll be glad to know that's the SSH part over!
Configuring the Firewall
This part is actually quite easy. Click "ConfigServer Security&Firewall" in your WHM list (it should be right at the bottom) and then click the "Firewall Configuration" button.
Once the configuration page has loaded, check three things. TESTING should be 1 while you set up: in testing mode csf adds a cron job that flushes the firewall rules every few minutes, so a mistake cannot lock you out for good. TCP_IN must include the SSH port you chose above alongside the cPanel ports already listed, otherwise enabling the firewall cuts off your own SSH access. LF_SCRIPT_ALERT should be 1, so that you are e-mailed when a script on an account sends an unusually large number of e-mails in an hour. Save, enable the firewall, and open a fresh SSH connection on your new port. If everything works, go back, set TESTING to 0 and restart the firewall; until you do, the rules keep being flushed on the testing interval.
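A pre-flight check for the three settings above, as an added example that is not part of the original post or of csf itself: it parses csf.conf, confirms the SSH port is covered by TCP_IN (single ports or ranges like 30000:35000), and reports TESTING and LF_SCRIPT_ALERT. The config path and SSH port are parameters; csf.conf normally lives at /etc/csf/csf.conf.

```shell
#!/bin/bash
# Added example (not from the original post): read csf.conf and confirm
# the settings this section asks for, including the one that locks
# people out in practice: the new SSH port must be in TCP_IN before
# TESTING goes to 0.  The file path is a parameter.

# Print the value of KEY from a csf.conf-style file (KEY = "value").
csf_value() {
    local file="$1" key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$file" | head -n 1
}

# Is PORT covered by TCP_IN?  Entries are single ports (22) or ranges (30000:35000).
csf_port_allowed() {
    local file="$1" port="$2" list entry lo hi old_ifs
    list="$(csf_value "$file" TCP_IN)"
    old_ifs="$IFS"; IFS=,
    for entry in $list; do
        entry="${entry// /}"
        case "$entry" in
            *:*) lo="${entry%%:*}"; hi="${entry##*:}"
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then IFS="$old_ifs"; return 0; fi ;;
            *)   if [ "$entry" = "$port" ]; then IFS="$old_ifs"; return 0; fi ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}

# Print each problem found and return their count (0 means safe to go live).
csf_preflight() {
    local file="$1" sshport="$2" problems=0
    if ! csf_port_allowed "$file" "$sshport"; then
        echo "TCP_IN does not include SSH port $sshport: restarting csf would lock you out"
        problems=$((problems + 1))
    fi
    if [ "$(csf_value "$file" LF_SCRIPT_ALERT)" != "1" ]; then
        echo "LF_SCRIPT_ALERT is not 1: mail floods from scripts will not be reported"
        problems=$((problems + 1))
    fi
    if [ "$(csf_value "$file" TESTING)" = "1" ]; then
        echo "TESTING is still 1: csf flushes its rules on the testing interval; set 0 once you have confirmed access"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage on a real server (assumption: default csf location and the port chosen above):
#   csf_preflight /etc/csf/csf.conf 42537 && csf -r
```

Run it once with TESTING still at 1 to confirm the port is in TCP_IN, then again after setting TESTING to 0; only a clean second run should be followed by the restart.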
Securing WHM/cPanel
Now it is time to secure cPanel and WHM itself, so your clients cannot abuse the service you are going to offer. The links below use plain HTTP on port 2086; the same pages are served over HTTPS on port 2087, which is what you should actually use, since on 2086 your root password crosses the network in clear text. First, stop IRC clients/bots and other unwanted software from running: tick everything on the Background Process Killer page, replacing the IP with your own.
http://<YourIP>:2086/scripts2/dkillproc
You should also enable cPanel's PHP open_basedir tweak, which stops a PHP script on one account from reading files belonging to other accounts. That can be done using the following URL, again replacing the IP with that of your server:
http://<YourIP>:2086/scripts2/tweakphpdir
You should also disable compilers for unprivileged users. This does not stop root from compiling, but an attacker who has obtained a shell as an ordinary user (for example through a vulnerable web script) can otherwise compile a local privilege-escalation exploit on the box instead of having to bring a working binary with them. To do so, use the following URL:
http://<YourIP>:2086/scripts2/tweakcompilers
You should also disable anonymous FTP: it lets anyone log in without credentials, and a misconfigured anonymous area can expose files or hand attackers a place to store content. It can easily be done via this URL:
http://<YourIP>:2086/scripts2/tweakftp
