How To Secure&Optimize A cPanel Server! [Full of information]

[NationWebHost]

Start

If you do not know how to install cPanel - Proceed with this tutorial here:
How To Install cPanel - CentOS 5.

Firstly, this tutorial is based on CentOS. You can find information on other operating

system on the internet by using your friend.

I am writing this tutorial as me myself never found one large post containing all the

information you need to secure your VPS/Dedicated server. Everyone should know that there

is no such thing as 'Non hackable'. Sooner or later - exploits will come out. This

tutorial is based on cPanel/WHM running on CentOS 5.3.

We are starting from you have bought the vps/dedicated server with CentOS 5.3 installed

and cPanel installed. If cPanel is not installed, follow my tutorial above.

1.1) First of login to WHM as root. Navigate to 'Server Configuration

'. In this we will find a things that we are going to use to help secure our

server. First we are going to go into 'Change Root Password'.

As default, the root password is set at 'root', therefore we

need to change it as it will be prone to getting hacked. Set it to a strong password and

don't give it out to anyone.

1.2) Next we are going to set the time zone on the server, on forums and other software,

it will get the time from the servers time. I personally prefer it set to GMT. This is not

vital but I prefer the time zone being GMT.

1.3) We are now going to go into 'Statistics Software Configuration

'. This is were users can monitor their traffic they get to their website. We are

going to scroll down to 'Generators Configuration'. I

recommend

enabling all three; Analog, Awstats and Webalizer. Users may prefer one or another, most

people use Awstast.

Next we are going to move along to 'Schedule Configuration'.

We

are going to set 'Log Processing Frequency' to process every

'24 hours' and 'Bandwidth Processing Frequency

' every '2 hours'.

1.4) We are now going to tweak the servers settings. To tweak them we are going into an

area called 'Tweak Settings', still within '

Server Configuration'.

- cPAddons

Code: 

The default administrative contact for cPAddons moderation emails. 

(Resellers will be notified if their contact email is set in cPanel):

- Set this to your email address.

Code: 

Automatically keep all cPAddons Source Files up to date.

-

Tick This

Code: 

The maximum number of moderated requests that a user may have at any 

given time

- 99

Code: 

The maximum number of moderated requests per addon that a user may have 

at any given time

- 99

Code: 

Alert cPAddons administrator of pending moderation requests

-

Unchecked

Code: 

Prevent installation of addon scripts not provided by cPanel

- Unchecked

Code: 

Prevent installation of cPanel addon scripts that have been altered 

(Turning this off may be useful when testing custom addons.)

- Checked

Code: 

Notify owners when their users have cPAddon installations that need 

updated

- Checked

Code: 

Notify cPAddons Adminstrator of cPAddon installations that need updated.

- Checked

Code: 

Notify users when they have cPAddon installations that need updated.

- Allow users to choose

Display

'

Code: 

The login theme to display for cPanel Login. See the Universal Theme Manager for options. If you are posting to /login/ you can include "login_theme" as a uri/form variable to overwrite this setting on a per case basis.

' - Textbox = 'cpanel'

'

Code: 

Number (or all) of accounts to display per page in list accounts.

' - '30'

Domains

Code: 

Allow users to park subdomains of the server's hostname main domain.

- Unchecked

Code: 

Allow users to Park/Addon Domains on top of domains owned by other users. (probably a bad idea)

- Unchecked

Code: 

Allow Creation of Parked/Addon Domains that resolve to other servers (i.e. domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.]

- Unchecked

[code]Allow resellers to create accounts with subdomains of the server's hostname main domain.[code] - Unchecked

Code: 

Allow Creation of Parked/Addon Domains that are not registered

- Unchecked

Code: 

When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone.

- Checked

Code: 

Prevent users from parking/adding on common internet domains. (i.e. hotmail.com, aol.com)

- Checked

Code: 

Check zone file syntax when saving and syncing zones.

- Checked

Code: 

Application for processing dns requests. The default is to use cPanel Dns cluster system located at /usr/local/cpanel/whostmgr/bin/dnsadmin. (Recommended: leave blank to use the default).

- Textbox = 'blank'

Code: 

Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)

- Checked

Code: 

Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)

- Checked

Code: 

Allow users to create cpanel, webmail, webdisk and whm subdomains that override automatically generated proxy subdomains

- Checked

Code: 

Prevent users from creating subdomains outside of their public_html directory.

- Unchecked

Code: 

When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.

- Unchecked

Logging

'Log dnsadmin requests to /usr/local/cpanel/logs/dnsadmin.log'

- Unchecked

'Enable verbose dns zone syncing (for testing purposes only, not for

production use)' - Unchecked

Mail

'Default catch-all/default address behavior for new accounts. "fail" is

usually the best choice if you are getting mail attacks.' - '

localuser'

'Silently Discard all FormMail-clone requests with a bcc: header in the

subject line' - Checked

'Allow mail account authentication using the password of the domain

owner's account' - Unchecked

'Number of minutes between mail server queue runs (default is 60).

' - 60

'Track the origin of messages sent though the mail server by adding the

X-Source headers (exim 4.34+ required)' - Unchecked

'The maximum each domain can send out per hour (0 is unlimited)

' - 100

'Prevent the user "nobody" from sending out mail to remote addresses (PHP

and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec

respectively.)' - Unchecked

'Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header

when relaying mail. (exim 4.34-30+ required)' - Unchecked

'BoxTrapper Spam Trap' - Unchecked

'Horde Webmail' - Checked

'Mailman' - Checked

'RoundCube Webmail' - Checked

'SpamAssassin Spam Filter' - Checked

'SpamAssassin Spam Box delivery for messages marked as spam (user

configurable)' - Unchecked

'SquirrelMail Webmail' - Checked

'Add the mail. prefix for mailman urls (ie

http://mail.domain.com/mailman)' - Unchecked

Notifications

'Notify the admin, (or the reseller), when an account has reached the

"critical" Disk Usage state.' - Checked

'Threshold percentage where a user's disk usage is considered to be in the

"critical" state. (0 will disable this notification)' - 90

'Notify the admin, (or the reseller), when an account has reached the

"full" Disk Usage state.' - Checked

'Threshold percentage where a user's disk usage is considered to be in the

"full" state. (0 will disable this notification)' - 85

'Notify the admin, (or the reseller), when an account has reached the

"warn" Disk Usage state.' - Checked

'Threshold percentage where a user's disk usage is considered to be in the

"warn" state. (0 will disable this notification)' - 80

'Threshold percentage where a mailbox's disk usage is considered to be in

the "critical" state. (0 will disable this notification)' - 90

'Threshold percentage where a mailbox's disk usage is considered to be in

the "full" state. (0 will disable this notification)' - 85

'Threshold percentage where a mailbox's disk usage is considered to be in

the "warn" state. (0 will disable this notification)' - 80

'Email users when they have exceeded their bandwidth. Disabling this will

prevent all Bandwidth Limits Email from being sent.' - Checked

'Email users when they have reached 70% of their bandwidth
Email users when they have reached 75% of their bandwidth
Email users when they have reached 80% of their bandwidth
Email users when they have reached 85% of their bandwidth
Email users when they have reached 90% of their bandwidth
Email users when they have reached 95% of their bandwidth
Email users when they have reached 97% of their bandwidth
Email users when they have reached 98% of their bandwidth
Email users when they have reached 99% of their bandwidth' - From 90 Onwards

'Mail Box Usage Warnings' - Checked

'Disable Suspending accounts that exceed their bandwidth limit (will clear

all suspensions if disabled, and disable all bandwidth notifications.)' -

Unchecked

'Disk Space Usage Warnings' - Checked

PHP

'PHP max execution time for cPanel PHP execution in seconds (default 90)

' - 90

'PHP Max Post Size for cPanel PHP in Megabytes (default 55M with a maximum

value of 2047M)' - 55M

'cPanel PHP Register Globals (Off [unchecked] is recommended for security

reasons)' - Unchecked

'PHP Max Upload Size for cPanel PHP in Megabytes (default 50M with a

maximum value of 2047M)' - 2M

'Loader to use for internal cPanel PHP (Use oldsourceguardian for version

1.x and 2.x)' - ioncube

Redirection

'Always redirect users to the ssl/tls ports when visiting /cpanel,

/webmail, etc.' - Unchecked

'When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to

redirect to:' - hostname

'When visiting /cpanel or /whm or /webmail with SSL, you can choose to

redirect to:' - SSL Certificate Name

'Redirect user to the following URL upon logout of the cPanel interface. A

blank value specifies the default logout page.' - Textbox = 'blank'

Security

'Validate the IP addresses used in all cookie based logins. This will

limit the ability of attackers who capture cPanel session cookies to use them in an

exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum

effectiveness, proxydomains should also be disabled.' - Checked

'Allow WHM/Webmail/cPanel services to create core dumps for debugging

purposes. Core dumps often contain sensitive information but may be necessary for

debugging certain types of service crashes.' - Checked.

'Send passwords in plaintext over email when creating a new acccount.

Enabling this option is a security risk.' - Unchecked

'Only permit cpanel/whm/webmail to execute functions when the browser

provides a referrer. This will help prevent XSRF attacks, but may break integration with

other systems, login applications, and billing software. Cookies are required with this

option enabled.' - Unchecked

'Only permit cpanel/whm/webmail to execute functions when the browser

provided referrer (Domain/IP and Port) exactly matches the destination URL. This will help

prevent XSRF attacks, but may break integration with other systems, login applications,

and billing software. Cookies are required with this option enabled.' -

Unchecked

'Require SSL for all remote logins to cPanel, WHM and Webmail. This

setting is recommended.' - Checked

'Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie

authentication.) This will help prevent certain types of XSRF attacks that rely on cached

Http Auth credentials.' - Checked

'Use MD5 encoded passwords in Apache htpasswd files. When this option is

disabled crypt encoded passwords will be used instead. Crypt encoded passwords are limited

to a maximum length of 8 characters while MD5 encoded passwords may be any length.

' - Checked

'Require security tokens for all interfaces. This will greatly improve the

security of cPanel and WHM against XSRF attacks, but may break integration with other

systems, login applications, billing software and third party themes.' - Checked

Software

'Interchange version to use (if you disable interchange, you must turn off

the service in the service manager)' - Disable

'FormMail-clone cgi' - Unchecked

'The path to the Urchin installation (if installed.) (Leave blank for

auto-detection.)' - Textbox = 'blank'

SQL

'Calculate the disk usage of account MySQL and PostgreSQL databases.

' - Checked

'Use old style (4.0) passwords with MySQL? 4.1+ (required if you have

problems with PHP apps authenticating)' - Unchecked

Stats and Logs

'Allow users to update Awstats from cPanel' - Checked

'Number of hours between processing bandwidth usage (default 2, max 24,

decimal values are ok)' - 4

'Number of hours between processing log files (positive values, default

24, decimal values are ok)' - 24

'Delete each domain's access logs after stats run' - Checked

'The load average above the number of cpus at which logs file processing

should be suspended (default 0)' - 0

'Do not include password in the raw log download link in cPanel (via

ftp).' - Unchecked

'Do not reset /usr/local/apache/domlogs/ftpxferlog after it has been

separated into each domain name's ftp log' - Unchecked

'Keep log files at the end of the month (default is off as you can run out

of disk space quickly)' - Unchecked

'Keep Stats Log (/usr/local/cpanel/logs/stats_log) between cPanel restarts

(default is off). Note that log rotation may affect this as well.' - Unchecked

'Chmod value for raw apache log files (0640 is the default)' -

0640

'Threshold in megabytes above which cpanellogd will rotate log files

configured for log rotation. (Minimum 10MB)' - 300

'When viewing bandwidth usage in WHM, always display in Megabytes first.

' - Unchecked

'Stats Log Level (default is 1, larger numbers indicate more debug

information in /usr/local/cpanel/logs/stats_log) [0...10]' - 1

Stats Programs

'Awstats Reverse Dns Resolution' - Unchecked

'Analog Stats' - Checked

'Awstats Stats' - Checked

'Webalizer Stats' - Checked

Status

'The load average that will cause the server status to appear red (leave

blank for default, whole numbers only)' - 2

Support

'Send the credentials of the logged in user when requesting support from

cPanel directly.' - Checked

System

'List of IP addresses or hostnames, separated by spaces, which are allowed

to view the /server-info and /server-status pages. See the Apache documentation for proper

values.' - Textbox = Blank

'Allow cPanel users to install SSL Hosts if they have a dedicated ip.

' - Checked

'Allow Perl updates from RPM based linux vendors' - Unchecked

'Do not send anonymous usage data to cPanel' - Unchecked

'The port on which Apache listens for HTTP connections. Specifying a

specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:80)

' - 0.0.0.0:80

'The port on which Apache listens for HTTPS connections. Specifying a

specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:443)

' - 0.0.0.0:443

'Number of seconds dnsadmin will wait before restarting BIND. Additional

restart requests during this time period will be silently discarded. On systems that

process very frequent DNS updates a setting of 300 or 600 seconds is recommended. On

systems with few DNS changes, the default setting of 0 is recommended. Note that DNS

changes will not take effect until the restart is complete.' - 0

'Conserve Memory at the expense of using more cpu/diskio.' -

Unchecked

'Allow usernames to be determined from the account domain name when no

username is provided.' - Unchecked

'Compress interface pages using gzip compression reducing bandwidth usage

for cPanel and WHM.' - Checked

'Disable use of compiled dnsadmin. Setting this option allows use of

system Perl modules within custom dnsadmin hooks. Setting this option will increase

execution time of dnsadmin functions.' - Unchecked

'Allow Sharing Nameserver Ips' - Unchecked

'Disable Disk Quota display caching (WHM will cache disk usage which may

result in the display of disk quotas being up to 15 minutes behind the actual disk usage.

Disabling this may result in a large performace degradation.)' - Unchecked

'Disable login with root or reseller password into the users' cPanel

interface. Also disable switch account dropdown in themes with switch account feature.

' - Unchecked

'Try to resolve each client's IP to a domain name when a user connects to

cPanel services (warning: This can degrade performance).' - Unchecked

'Enable CPAN:QLite for low memory perl module installs (experimental)

' - Unchecked

'Only allow reseller to log in to users' cPanel interface with reseller

password.' - Unchecked

'Display Errors in cPanel instead of logging them to

/usr/local/cpanel/logs/error_log' - Unchecked

'The maximum file size allowed for upload. This setting applies to all

uploads and form submissions in all web interfaces throughout cPanel and WHM. (Type

?unlimited? for unlimited; this is the default setting.)' - Textbox -

unlimited

'The minimum filesystem quota space required after file upload. This will

prevent users from hitting their quota limit; it applies to all uploads and form

submissions in all web interfaces throughout cPanel and WHM. (Default: 5MB)' -

5

'The maximum number of directories deep to look for .htaccess files when

doing .htaccess checks. Can be from 0 to 100. 2 is the default setting. Values higher than

this are discouraged.' - 2

'Do not warn about features that will be deprecated in later releases

(Warning: If you check this box, you will not be able to learn about features that will be

disappearing in future releases. This could lead to a non-functional server when the

feature is finally removed.)' - Unchecked

'Use jailshell as the default shell for all new accounts and modified

accounts' - Unchecked

'The maximum memory a cPanel process can use before it is killed off (in

megabytes). Values less than 256 megabytes can not be specified. A value of "0" will

disable the memory limits.' - Textbox = 256

'Use native SSL support if possible, negating need for Stunnel

' - Checked

'Do not send language file changes to cPanel' - Unchecked

'Specify the timeout in seconds for connections between this server and

other remote WHM servers. Values less than 35 cannot be specified.' - Textbox

= 35

'Maximum time in seconds that the system is permitted to spend fetching

diskusage and quota information before it considers the data unavailable.' -

Textbox = 60

'Allow cPanel users to reset their password via email' -

Unchecked

'Enable cPanel Software RollBack. This feature turns on a build archiving

and restoration facility, allowing the server administrator to "roll back" their cPanel

installation to previous build. All files are stored on the server.' -

Unchecked

'Do not start deprecated Melange 1.10 chat server.' - Checked

'Send a notification when a user's backup has errors' -

Checked

'Allow cpanel and admin binaries to be run from other applications besides

the cpanel server (cpsrvd). [parentcheck]' - Unchecked

'Disable whois lookups for the nameserver IP manager.' -

Checked

'The number of times a ChkServd TCP check must fail before notification is

sent and the service is restarted. On heavily loaded systems these types of service checks

fail occasionaly producing erroneous indications that services are down. A setting of 0

will disable all notifications and restarts due to TCP checks. Setting this value to 3 or

higher is recommended for most systems.' - 3

'Use Safe Quota Setting (quotas will be disabled, adjusted, and then re-

enabled). This option should be enabled if you are having problems with lost disk quotas

or other quota system corruption. Under software raid and other circumstances enabling

this option will degrade server performance.' - Unchecked

Save

We have now completed part one.

--------------------------------------------

2.1) Second, Navigate to 'Security Center'.

First we are going to go into 'Apache mod_userdir Tweak'.

In here we will disable 'Enable mod_userdir Protection' as it prevents users from accessing their website when the domain has not propogated.

2.2) Next we will go into 'Compiler Access'.

We want to make sure it is disabled.

2.3) Navigate to 'cPHulk Brute Force Protection'

Set it to enabled and you can fill in what you wish for bruteforce.

2.4) Navigate to 'PHP open_basedir Tweak'

We want to enable this and make sure all the sites hosted the server are not excluded from this.

2.5) Navigate to 'Shell Fork Bomb Protection'

This will not matter if your users do not have access to SSH. However I recommend not to have SSH access.

2.6) Navigate to 'SMTP Tweak'

Have this enabled - It basically just stops users from exceeding the email sending limit.

2.7) Navigate to 'Traceroute Enable/Disable'

The traceroute utility is a network tool that can be used to determine the route taken by information (packets) sent across the Internet. This often is the first step in pinpointing weaknesses for mounting an attack.

We have now completed part two.

--------------------------------------------

2.1) Third, Navigate to 'Service Configuration'.

First we are going to go into 'Apache Configuration >> PHP and SuExec Configuration'.

In here we will set 'Default PHP Version (.php files)'s' value to '5'.

'PHP 5' handler 'suphp'

'PHP 4' handler 'none'

'Apache suEXEC' value to 'on'

2.3) Next we will go into 'FTP Server Selection'.

We want to make sure it is on 'Pure-FTPD'

2.4) Navigate to 'Mailserver Selection'

Set it to 'Dovecot'.

2.5) Navigate to 'Nameserver Selection'

We want to set this to 'BIND'

2.6) Navigate to 'PHP Configuration Editor'

Download php.ini file

2.7) Navigate to 'Service Manager'

Tick 'tailwatchd' and all others in the table.

cpdavd: Monitor only
entropychat: Unchecked
exim: Enabled & Monitored
exim on another port: Unchecked
ftpd: Enabled
httpd: Enabled & Monitored
imap: Enabled & Monitored
ipaliases: Enabled
melange: Unchecked
mysql: Enabled & monitored
named: Enabled & Monitored
spamd: Enabled & Monitored
sshd: Enabled & Monitored
syslogd: Enabled & Monitored

We have now completed part three.

--------------------------------------------

Changing SSH Default Port

I recommend changing this, this is a security flaw. Login to your server with putty as root.

Using the file editor that you are familiar with, edit the following file:
'/etc/ssh/sshd_config'

I will use nano.
nano /etc/ssh/sshd_config

Search for the number 22, change it to the port of your choice. Make sure it is not firewalled or used by another program.

Now restart SSH
'/etc/init.d/sshd restart'

Write down the port number so you don't forget it or you will not be able to access SSH again.

We have now completed changing the default SSH port.

--------------------------------------------

How to install RootKit hunter

Rootkit scanner is scanning tool to ensure you for about 99.9%* you're clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

Rootkit Hunter is released as GPL licensed project and free for everyone to use.

* No, not really 99.9%.. It's just another security layer.

Yet again you need to be logged into SSH. Use the above part to see how to login into SSH.

Once you are logged into type in:
'cd /usr/src/utils'
This will navigate you to direct /usr/src/utils

We are now going to download RootKit Hunter to the utils directory.
wget 'http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.6/rkhunter-1.3.6.tar.gz'

Once downloaded we are going to extract the tar file and then delete the download.
'tar xfz rkhunter-1.3.6.tar.gz'
'del rkhunter-1.3.6.tar.gz'

We are now going to proceed to the RootKit Hunter directory
'cd rkhunter-1.3.6'

Now for the installation
'sh installer.sh--install'

Successful installation

Now to scan the server for possible infections.
'rkhunter -c'

We have now completed installing RootKit Hunter.

--------------------------------------------

How to install (D)DoS-Deflate

MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown as by:

Code: 

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting's Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

We are now going to download (D)DoS-Deflate
'wget http://www.inetbase.com/scripts/ddos/install.sh'

Change it's permissions
'chmod 0700 install.sh'

Installation
'./install.sh'

Requires APF - APF Installation Guide

We have now completed installing (D)DoS-Deflate.

--------------------------------------------

I am not a server securing expert so If you think something is wrong or could be better, please post here .

NationWebHost Reviewed by NationWebHost on 30th Jun 2010. How To Secure&Optimize A cPanel Server! [Full of information] Start If you do not know how to install cPanel - Proceed with this tutorial here: How To Install cPanel - CentOS 5. Firstly, this tutorial is based on CentOS. You can find information on other operating system on the internet by using your friend. I am writing this tutorial as me myself never found one large post containing all the Rating: 5

[Rapid4All]

THANK YOU very useful

[NationWebHost]

Thanks !

[Angeix]

Nice job.

You Should of included some extra's like nginx that would help a lot of people.

[NationWebHost]

Still not finished, I've still to add a few more things.

[d0ped]

Is this really much of a "secure" cPanel thread. You havnt even said anything about disabled functions and that is one of the first things that comes into my head on shared hosting security.

[NationWebHost]

I've not finished writing this tutorial.