Thursday, November 27, 2008

10 Tips for making your cPanel and WHM servers more secure

Server security is a collection of compromises, as any server that allows connections could be insecure. These tips are to be followed at your own risk.

1) Use secure passwords!

Insecure passwords are the most common security vulnerability for most servers. If an account password is insecure and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server.

You can edit /etc/login.defs to configure many password options on your system. It is well documented.

Generally, a password of at least 8 characters that mixes letters, digits and punctuation symbols is sufficient. Never use passwords based on dictionary words or significant dates. If you are uncertain about the strength of a password, you can test it with the John the Ripper (JTR) password cracker. If a password can be broken in a few hours, it is probably too weak and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords as users set them.



2) Secure SSH

Enable public key authentication for SSH and disable password authentication.

Move SSH access to a different port. People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.

You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as: Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn’t work.

You should always use SSHv2 only as SSHv1 is not secure. Make sure to change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.
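As an added example (not code from the original post), a small POSIX shell audit that reads an sshd_config and flags the default port, the SSHv1 protocol setting and password authentication discussed above; the sample config embedded at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings tip 2 recommends. Assumes the usual "Keyword value" syntax;
# commented-out lines count as "unset" (the compiled-in default applies).

# Print the effective value of an sshd_config keyword, or "unset" if the
# keyword only appears commented out or not at all. Keyword matching is
# case-insensitive, as sshd itself treats keywords.
sshd_setting() {
    file="$1"; key="$2"
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    [ -n "$val" ] && echo "$val" || echo "unset"
}

# Check the points from tip 2 plus key-based auth; print one OK/WARN line
# per check and return non-zero if anything still needs attention.
sshd_audit() {
    file="$1"; rc=0
    port=$(sshd_setting "$file" Port)
    proto=$(sshd_setting "$file" Protocol)
    pass=$(sshd_setting "$file" PasswordAuthentication)
    pubkey=$(sshd_setting "$file" PubkeyAuthentication)

    if [ "$port" = "unset" ] || [ "$port" = "22" ]; then
        echo "WARN Port: still the default 22 (tip 2 suggests e.g. 1653)"; rc=1
    else echo "OK   Port: $port"; fi

    if [ "$proto" = "2" ]; then echo "OK   Protocol: 2"
    else echo "WARN Protocol: '$proto' (must be exactly 2; SSHv1 is insecure)"; rc=1; fi

    if [ "$pass" = "no" ]; then echo "OK   PasswordAuthentication: no"
    else echo "WARN PasswordAuthentication: '$pass' (set to no once keys work)"; rc=1; fi

    if [ "$pubkey" = "no" ]; then echo "WARN PubkeyAuthentication: no"; rc=1
    else echo "OK   PubkeyAuthentication: $pubkey (yes is the default)"; fi
    return $rc
}

# Constructed sample config that still carries the stock commented-out defaults.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
#Protocol 2,1
PasswordAuthentication yes
EOF
sshd_audit "$SAMPLE_CFG" || echo "-> sshd_config needs changes"
rm -f "$SAMPLE_CFG"
```

On a real server run sshd_audit against /etc/ssh/sshd_config and keep your current session open while you apply the changes.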

You may also wish to set shell resource limits for your users to prevent applications and scripts from using up all your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.



3) Secure Apache

The most readily available way to access a web server is, of course, the web server application itself. It is important to take steps to secure your Apache installation.

One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about mod_security at http://www.modsecurity.org/.

When compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.

We also recommend compiling Apache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find its owner quickly and resolve the issue. To compile Apache + PHP with PHPsuexec, select the PHPSuexec option in the Apache Upgrade interface in WHM or when running /scripts/easyapache from the command line.

You should enable PHP’s open_basedir protection. This protection will prevent users from opening files outside of their home directory with PHP. This can be enabled in Tweak Security within WebHost Manager.

You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable safe_mode by changing the safe_mode = line in php.ini to safe_mode = On.



4) Secure your /tmp partition

We recommend that you use a separate partition for /tmp that is mounted with the nosuid option. nosuid forces a process to run with the privileges of its executor, ignoring any set-UID bits on the file. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information.

Also, running /scripts/securetmp will mount your /tmp partition on a loopback file for extra security.
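An added check for tip 4 (not part of the original post): it reads /proc/mounts-style lines and reports whether /tmp is a separate mount carrying nosuid and noexec. The sample mount table at the end is constructed; on a live server pass /proc/mounts instead.

```shell
#!/bin/sh
# Added example, not from the original post: verify the /tmp mount options
# from tip 4. Input is a file of /proc/mounts-style lines
# ("device mountpoint fstype options dump pass").

# Print the option list for a mount point, or nothing if it is not a
# separate mount (i.e. it lives on the root filesystem).
mount_opts() {
    mountpoint="$1"; mounts="$2"
    awk -v mp="$mountpoint" '$2 == mp { print $4; exit }' "$mounts"
}

# Return 0 if every named option is present in a comma-separated list.
has_opts() {
    opts="$1"; shift
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Report on /tmp: separate mount, and nosuid+noexec both set.
check_tmp() {
    mounts="$1"
    opts=$(mount_opts /tmp "$mounts")
    if [ -z "$opts" ]; then
        echo "WARN /tmp is not a separate mount"; return 1
    fi
    if has_opts "$opts" nosuid noexec; then
        echo "OK   /tmp mounted with $opts"; return 0
    fi
    echo "WARN /tmp mounted with '$opts' (add nosuid,noexec in /etc/fstab)"; return 1
}

# Constructed sample resembling /proc/mounts: /tmp is separate but has
# only the default options, so the check should warn.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,relatime 0 0
EOF
check_tmp "$SAMPLE" || echo "-> remount /tmp with the missing options"
rm -f "$SAMPLE"
```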



5) Upgrade your mail to maildir format

Maildir format adds extra security and speed to your mail system. Newer installs use maildir by default. If you’re running an older copy of cPanel, you’ll probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir; this can be done within /scripts/convert2maildir. If you see that maildir is enabled when running /scripts/convert2maildir, you are already using maildir and will not need to convert.



6) Lock down your system’s compilers

Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WebHost Manager to turn off use of the compilers for all unprivileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.



7) Turn off unused services and daemons

Any service or daemon that accepts connections to your server is a way for attackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.

For Daemons on Linux:

Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) are not used on many systems.

For Services:

Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.



8) Monitor your system

It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, when software needs updates, etc.

Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:

netstat -anp : Look for programs attached to ports that you did not install or authorize.

find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.

find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.

ls /var/log/ : There are many different logs on your system which can be valuable resources. Check your system logs, Apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
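The two find checks above, as an added example that is not from the original post: it tests the other-write bit (o+w) rather than -a+w, tags sticky directories such as /tmp separately since they are world-writable by design, and runs against a constructed sample tree.

```shell
#!/bin/sh
# Added example, not from the original post: the world-writable and
# unowned-file checks from tip 8, wrapped as functions over any directory.

# World-writable files and directories (the "other" write bit), skipping
# symlinks as the post does. Sticky directories are tagged STICKY, not WW.
world_writable() {
    find "$1" ! -type l -perm -o+w -print 2>/dev/null | while read -r path; do
        if [ -d "$path" ] && [ -k "$path" ]; then
            echo "STICKY $path"
        else
            echo "WW $path"
        fi
    done
}

# Files with no matching entry in /etc/passwd or /etc/group.
unowned() {
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null | sed 's/^/NOOWNER /'
}

# Count only the real findings (WW and NOOWNER lines); 0 means clean.
audit_count() {
    { world_writable "$1"; unowned "$1"; } | grep -c -E '^(WW|NOOWNER) ' || true
}

# Constructed sample tree: one sticky upload directory (fine), one
# world-writable file inside it (a finding), one normal file.
SAMPLE_DIR=$(mktemp -d)
mkdir "$SAMPLE_DIR/upload"; chmod 1777 "$SAMPLE_DIR/upload"
echo test > "$SAMPLE_DIR/upload/notes.txt"; chmod 0666 "$SAMPLE_DIR/upload/notes.txt"
echo ok > "$SAMPLE_DIR/private.txt"; chmod 0644 "$SAMPLE_DIR/private.txt"
world_writable "$SAMPLE_DIR"
unowned "$SAMPLE_DIR"
echo "findings: $(audit_count "$SAMPLE_DIR")"
rm -rf "$SAMPLE_DIR"
```

Running world_writable / against a whole server takes a while; redirect the output to a file as the post does and review it offline.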

There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:

* Tripwire - Monitors checksums of files and reports changes.
http://tripwire.com or http://sourceforge.net/projects/tripwire
* Chkrootkit - Scans for common rootkits, backdoors, etc.
http://www.chkrootkit.org
* Rkhunter - Scans for common rootkits, backdoors, etc.
http://www.rootkit.nl/projects/rootkit_hunter.html
* Logwatch - Monitors and reports on daily system activity.
http://logwatch.org



9) Enable a Firewall

Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access.

The following will show the ports cPanel and WHM need open to function properly and what the port is used for:

http://faq.cpanel.net/show.cgi?qa=104689180407630

If you are using APF, see:

http://faq.cpanel.net/show.cgi?qa=108499296901804

Please note that these ports are for all services that can be used by cPanel and WHM, you may or may not be using all of these services or other services and should adjust your rules accordingly.

Remember to set a cron job to disable your firewall every 5 minutes when testing your rules, or you may be locked out of your server.



10) Stay up to date

It is important to make sure that you are running the latest stable versions of the software on your system, to ensure that it has been patched against any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:

* Kernel
* cPanel and WHM*
* User Applications (bulletin boards, CMS, blog engines, etc)**
* System Software*



*These can be set to automatically update in WebHost Manager under Update Config in the Server Configuration section.

**You can upgrade all cPAddon installations through Manage cPAddons in the cPanel section of WebHost Manager.

Tuesday, November 25, 2008

MRTG thoughts!!

MRTG is a wonderful tool. You can use it to monitor traffic on your router or on a leased server located at a remote IDC. Since it is written in Perl with some code in C, it is a portable, high-performance tool.

"The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing GIF images which provide a LIVE visual representation of this traffic."

What is SNMP and why should I care?

SNMP is the Simple Network Management Protocol. It is used to manage IP network devices such as servers, routers, switches, etc. An administrator can monitor and manage network performance, solve problems, or even optimize the network further. For more information on SNMP on UNIX/Linux, please see the UCD-SNMP/NET-SNMP tutorials and the excellent resource at Snmplink.org.


Step 1: Make sure the snmp server is installed

Please note that you do not need to configure a local snmpd to use MRTG with remote network devices such as routers and switches. If you just want MRTG graphs for a router

Run the rpm query option to find out whether the snmp server is installed or not:

# rpm -qa | grep snmp

If snmp is installed then please refer to step 2; otherwise the snmp server and utils are not present and you need to install them using the following steps (log in as the root user):

(a) Visit rpmfind.net to get the snmp server and utilities rpms. If you are a Fedora user then use the yum command as follows to install them:

# yum install net-snmp-utils net-snmp

(b) If you are a RHEL subscriber then use the up2date command as follows to install them:

# up2date -v -i net-snmp-utils net-snmp


Step 2: Determine if the snmp server is running or not

Run the ps command to see if the snmp server is running or not:

# ps -aux | grep snmp

Output:

root   5512  0.0  2.3  5872 3012 pts/0    S    22:04   0:00 /usr/sbin/snmpd

Alternatively, you can try any of the following two commands as well:

# lsof -i :199

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
snmpd 5512 root 4u IPv4 34432 TCP *:smux (LISTEN)

OR try out netstat command:

# netstat -natv | grep ':199'

Output:

tcp        0      0 0.0.0.0:199             0.0.0.0:*               LISTEN

If you find the service is running or listening on port 199 then please see step 3; otherwise start the service using the following command:

# service snmpd start

Make sure the snmpd service starts automatically when Linux comes up (add the snmpd service):

# chkconfig --add snmpd
----------------------------------------------
Step 3: Install MRTG

We've put together an RPM for MRTG based off the various how-tos posted. This RPM is for Fedora and RHEL systems and will work on Ensim 3.7/4.0 out of the box; cPanel versions will be posted shortly.

Fedora 1

mrtg-2.10.5-1.0.rhfc1.ct.i386.rpm

RHEL3 based servers

mrtg-2.10.5-1.0.rhel3.ct.i386.rpm

Installation:

rpm -Uvh rpmname

rm -f /etc/cron.d/mrtg

You will need to edit /etc/httpd/conf.d/mrtg.conf if you wish to allow access to more than just localhost; by default access is restricted to localhost as a security measure.

After installing, make sure you don't have a cron line in /etc/crontab for mrtg. You may check this via

pico -w /etc/crontab

Then

service mrtg start


By
Sylesh

Saturday, November 8, 2008

Linux Screen Command

GNU Screen enables you to run many shell processes in a single terminal. So in one e.g. xterm you can have many bash instances like layers in GIMP or Adobe Photoshop. Even better, you can split your terminal into different regions.

Steps
-----
1) Create a screen using the command
# screen -S sylesh

2) Close the shell without logging out

3) Open a new shell

4) Type screen -ls

[root@sylesh ~]# screen -ls
There are screens on:
16921.sds (Dead ???)
3981.name (Attached)
5002.sylesh (Attached)
Remove dead screens with 'screen -wipe'.
3 Sockets in /tmp/screens/S-root.

5) You can log in to that screen using the command screen -r 'screen name'

[root@sylesh ~]# screen -r 5002.sylesh
There is a screen on:
5002.sylesh (Attached)

Exim Commands

To print a count of the messages in the queue
root@localhost# exim -bpc

Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient)
root@localhost# exim -bp

Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):
root@localhost# exim -bp | exiqsumm

Generate and display Exim stats from a logfile:
root@localhost# eximstats /var/log/exim_mainlog

Same as above, with less verbose output:
root@localhost# eximstats -ne -nr -nt /var/log/exim_mainlog

Same as above, for one particular day:
root@localhost# fgrep YYYY-MM-DD /var/log/exim_mainlog | eximstats

Print what Exim is doing right now:
root@localhost# exiwhat

Searching the queue

Search the queue for messages from a specific sender:
root@localhost# exiqgrep -f [luser]@domain

Search the queue for messages for a specific recipient/domain:
root@localhost# exiqgrep -r [luser]@domain

Print just the message-ids of the entire queue:
root@localhost# exiqgrep -i

Managing the queue

Start a queue run:
root@localhost# exim -q -v

Start a queue run for just local deliveries:
root@localhost# exim -ql -v

Remove a message from the queue:
root@localhost# exim -Mrm <message-id>

Freeze a message:
root@localhost# exim -Mf <message-id>

Deliver a specific message:
root@localhost# exim -M <message-id>

Force a message to fail and bounce:
root@localhost# exim -Mg <message-id>

Remove all frozen messages:
root@localhost# exiqgrep -z -i | xargs exim -Mrm

Freeze all queued mail from a given sender:
root@localhost# exiqgrep -i -f luser@example.tld | xargs exim -Mf

View a message’s headers:
root@localhost# exim -Mvh <message-id>

View a message’s body:
root@localhost# exim -Mvb <message-id>

View a message’s logs:
root@localhost# exim -Mvl <message-id>