How to make cPanel / WHM Servers More Secure?


Published on cPanel / WHM Servers Security Guide.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

How to make cPanel / WHM Servers More Secure?

  1. 1. How to make cPanel / WHM servers more secure? 1) Apache / PHP Suexec: Known as a more secure management for PHP. It also allows to track and monitor client’s usage on shared servers. That means PHP scripts correctly identified by their true owner as opposed to “nobody” user. In addition, apache http server, Suexec provides Apache users an ability to run CGI and SSI programs under user Ids which differs from the user ID of the calling web-server. Generally, when a CGI or SSI program executes, they run with the same user who is running the web-server. a. PHPSuexec: If PHP runs as an Apache Module without PHPSuexec then the user / group of a web server may execute as “nobody”. This causes real problems when PHP scripts are sending mail out as nobody@servername. In this case you will be unable to track abuse or hijack issues. When PHPSuexec is enabled (running as CGI with suexec enabled) your PHP scripts execute under your UID/GID level and not nobody. b. Files or directories that you require for your PHP scripts to write no longer need to have 777 permissions. In fact, assigning 777 permissions to all scripts or the directories will reside them in and instead of running properly it would cause a 500 internal server error when attempting to execute them. So make sure your scripts have a maximum 755 permissions, read/write/execute by you and read/execute for everyone else. It means PHPSuexec is much more secure than PHP running as an Apache module. 2) Mod Security: mod_security provides an array of request filtering and other security features of the Apache HTTP Server.ModSecurity which is an open source intrusion detection and prevention for web applications. While operating Apache Web Server Module one thing you
  2. 2. should keep remembers, the purpose of ModSecurity is to increase security of web applications to protect them from known and unknown attacks. 3) PHP Security – Suhosin: Suhosin is an advanced protection system for PHP installations. It is designed in a way to protect servers and users from knowing and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts which can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low level protections against buffer overflows or format string vulnerabilities. The second part is a powerful PHP extension that implements all other essential protections. 4) Disable Some PHP Functions: You need to disable some PHP functions through shell commands because some of them can manipulate server side settings. a. For Example: disable_functions = system,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,s hell_exec,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_t erminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_u name,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,i ni_restore,inject_code,syslog,openlog,define_syslog_variables,apache_setenv,mysql_pconnect, eval,phpAds_XmlRpc,phpAds_remoteInfo,phpAds_xmlrpcEncode,phpAds_xmlrpcDecode,xmlrpc _entity_decode,fp,fput 5) Disable FTP access for the default users: You also need to disable FTP access for all the default users of your accounts. You will have to create additional FTP user for the accounts from the respective cPanel control panel. In cPanel you will find FTP account options through which you can manage the complete account. 6) Always use secure password: Insecure predictable passwords are the most common cause of security vulnerability for the most servers. If an account password is insecure and compromised, your websites can be defaced, infected, or used to spread viruses. Having secure passwords is standard practice to make a secure server. a. In addition, you can edit /etc/login.defs to configure many passwords on your system. Usually, a password utilizes at least 8 characters including alphanumeric and special symbols which are quite sufficient. Remember never ever use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test by using JTR cracker. If you notice that your password can be broken in a few hours, then it is probably too much insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.
  3. 3. 7) Secure SSH: Enable public key authentication for SSH and disable password authentication. Read more >> Move SSH access to a different port. Hackers usually look for port 22 as a possible way to access servers. So moving SSH to a different port will add a simple way to prevent those hackers without giving specific knowledge of your server from easily discovering the SSH port of your server. You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as: Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn’t work. You should always use SSHv2 instead of SSHv1 as it may not be secure. Make sure you change the line in /etc/ssh/sshd_config that says #Protocol 2, 1 to Protocol 2. You may also wish to set Shell Resource Limits for your users to prevent applications and scripts from using up all your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems. 8) Secure your /tmp partition: It is recommended that you use a separate partition for /tmp that is mounted with nosetuid because nosetuid will force to run with privileges of its executor. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information. And running /scripts/securetmp will mount your /tmp partition to a temporary file for extra security. 9) Upgrade your mail to maildir format: Maildir format adds extra security and speed up your mail system. Newer installs using mail-order by default. If you’re running an older copy of cPanel, you will probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir, this can be done within /scripts/convert2maildir. If you see maildir is enabled when running /scripts/convert2maildir, it means you are already using maildir, and will not need to convert.
  4. 4. 10) Lock down your system’s compilers: Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WHM (Web Host Manager) to turn off use of the compilers for all privileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits. 11) Turn off unused services and daemons: Any service or daemon that allows a connection to be established to your server is way for hackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used. Daemons on Linux: Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) which are generally not used in many systems. For Services: Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using. 12) Monitor your system: It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, and when software need to be updated, etc. Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like: Netstat -amp: Look for programs attached to ports that you did not install / or authorize. find / ( -perm -a+w ) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.
  5. 5. find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them. ls /var/log/: There are many different logs on your system which can be valuable resources. Check your system logs, apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected. There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities: Tripwire - Monitors checksums of files and reports changes. or Chrookit - Scans for common rootkits, backdoors, etc. Rkhunter - Scans for common rootkits, backdoors, etc. Logwatch - Monitors and reports on daily system activity. 13) Enable a Firewall: Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access. 14) Stay up to date: It is important to make sure that you are running the latest stable versions of the software on your system to ensure that it has been patched of any security issues that past versions may be susceptible to. Make sure to keep on top of updates for: Kernel cPanel and WHM User Applications (bulletin boards, CMS, blog engines, etc) System Software