Securing Linux Cpanel server
WHM
WHM >> Security Center
1. Compiler Access >> make sure it is disabled for all users except "root".
2. Configure Security Policies >> Password Strength
3. cPHulk Brute Force Protection >> Enable it. Whitelist known IPs if required (for example, a customer who has a static IP from their ISP).
4. Traceroute Enable/Disable >> Disable it.
5. Shell Fork Bomb Protection >> Enable.
OS and kernel
6. find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.
7. find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
8. Make sure no non-root accounts have UID set to 0
awk -F: '($3 == "0") {print}' /etc/passwd (you should see only one line of output), like:
root:x:0:0:root:/root:/bin/bash
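As an added example (my code, not part of the original checklist), the script below wraps steps 6 to 8 into two functions so they can be run together and re-run after cleanup. The function names are my own, and the directory and passwd-file arguments are whatever you choose; run it as root for a full walk.

```shell
#!/bin/sh
# Added example for steps 6-8 of the checklist (my code, not from the post).
# Usage: sh audit.sh [DIR] [PASSWD_FILE]   e.g.  sh audit.sh / /etc/passwd
# Run as root for a complete walk; the function names below are my own choice.

# Steps 6 and 7: world-writable files and directories (symlinks excluded;
# -perm -0222 is the numeric form of -perm -a+w, i.e. all three write bits
# set) and entries whose owner or group no longer exists in passwd/group.
# Sticky-bit directories such as /tmp will show up; that is expected.
audit_permissions() {
    root_dir="${1:-/}"
    echo "== world-writable under $root_dir =="
    find "$root_dir" \( -perm -0222 \) ! -type l 2>/dev/null
    echo "== no owner or no group under $root_dir =="
    find "$root_dir" \( -nouser -o -nogroup \) 2>/dev/null
}

# Step 8: any account other than root with UID 0 has full root rights.
# Prints the offending passwd lines and returns 1 if there are any.
audit_uid0() {
    passwd_file="${1:-/etc/passwd}"
    extra=$(awk -F: '$3 == 0 && $1 != "root" {print}' "$passwd_file")
    if [ -n "$extra" ]; then
        echo "WARNING: non-root accounts with UID 0 in $passwd_file:"
        echo "$extra"
        return 1
    fi
    echo "OK: root is the only UID 0 account in $passwd_file"
    return 0
}

# Run both checks only when invoked with arguments (see Usage above).
if [ $# -gt 0 ]; then
    audit_permissions "$1"
    audit_uid0 "${2:-/etc/passwd}"
fi
```

Save the world-writable listing from the first run and diff it against later runs; a new entry under a customer's docroot is the kind of change you want to see the day it appears.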
9. Tripwire – Monitors checksums of files and reports changes.
http://tripwire.com or http://sourceforge.net/projects/tripwire
10. Chkrootkit – Scans for common rootkits, backdoors, etc.
http://www.chkrootkit.org
11. Rkhunter – Scans for common rootkits, backdoors, etc.
http://www.rootkit.nl/projects/rootkit_hunter.html
Now create a cron job so that rkhunter mails its report to the root mailbox:
#crontab -e
At the bottom add the following line
16 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet
Press Ctrl-X to save and exit (if crontab -e opened nano).
12. Logwatch – Monitors and reports on daily system activity.
http://logwatch.org
13. Change SSH port to non-standard port.
14. In sshd_config, change Protocol 2,1 to Protocol 2.
15. Enable Email Alert on root login
cd /root ; vi .bashrc
Scroll to the end of the file then add the following:
echo 'ALERT - Root Shell Access (YourserverName) on:' $(date) $(who) | mail -s "Alert: Root Access from $(who | cut -d'(' -f2 | cut -d')' -f1)" admin@domain.com
Firewall and misc security
17. Install CSF firewall and make sure test mode is disabled after opening all used ports.
IMPORTANT: Make sure the SSH port set in step 13 is opened in the firewall.
CSF Connection Limit
csf.conf has CT (connection tracking) options; configure them like this:
CT_LIMIT = "100"
Every IP with more than 100 connections will be blocked.
CT_PERMANENT = "1"
The IP will be blocked permanently.
CT_BLOCK_TIME = "1800"
The IP will be blocked for 1800 seconds (30 minutes).
CT_INTERVAL = "60"
Set this to the number of seconds between connection tracking scans.
After editing csf.conf, restart csf.
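Added example for step 17 and the CT settings above (my code, not from the post and not part of csf): a checker that reads csf.conf (normally /etc/csf/csf.conf) and reports the states you want to catch before walking away: TESTING still "1" (csf flushes its rules from cron every few minutes while in test mode), CT_LIMIT "0" (connection tracking off), and an SSH port that is not in TCP_IN. Function names are mine and the sample excerpt in the comment is constructed. One csf fact it relies on: CT_BLOCK_TIME only applies when CT_PERMANENT is "0", so with CT_PERMANENT = "1" the 1800-second value above is not what limits the block.

```shell
#!/bin/sh
# Added example for step 17 and the CT settings (my code, not from the post
# and not part of csf).  Function names are mine.
# Usage: sh csf_check.sh /etc/csf/csf.conf [SSH_PORT]
#
# Constructed sample excerpt the functions are written against:
#   TESTING = "1"
#   TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
#   CT_LIMIT = "100"
#   CT_PERMANENT = "1"
#   CT_BLOCK_TIME = "1800"
#   CT_INTERVAL = "60"

# csf_get FILE KEY: print the value of 'KEY = "value"' without the quotes
# (first match wins; commented lines do not match because of the ^ anchor).
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# csf_port_open FILE PORT: succeed if PORT is listed in TCP_IN.  Only exact
# entries are matched; csf's start:end range syntax is not expanded here.
csf_port_open() {
    tcp_in=$(csf_get "$1" TCP_IN)
    echo ",$tcp_in," | grep -q ",$2,"
}

# csf_check FILE: one line per finding; return 1 if anything needs fixing.
csf_check() {
    conf="$1"; bad=0
    testing=$(csf_get "$conf" TESTING)
    ct_limit=$(csf_get "$conf" CT_LIMIT)
    ct_perm=$(csf_get "$conf" CT_PERMANENT)
    ct_block=$(csf_get "$conf" CT_BLOCK_TIME)
    ct_int=$(csf_get "$conf" CT_INTERVAL)
    # A missing TESTING key is treated as test mode: csf ships with TESTING = "1".
    if [ "${testing:-1}" != "0" ]; then
        echo "FAIL: TESTING=\"$testing\": test mode is on, rules are flushed by cron"; bad=1
    fi
    if [ "${ct_limit:-0}" = "0" ]; then
        echo "FAIL: CT_LIMIT=\"$ct_limit\": connection tracking is disabled"; bad=1
    elif [ "$ct_perm" = "1" ]; then
        echo "OK: >$ct_limit connections per IP => permanent block (CT_BLOCK_TIME=$ct_block is ignored)"
    else
        echo "OK: >$ct_limit connections per IP => block for $ct_block s, scan every $ct_int s"
    fi
    return $bad
}

# Run the checks only when invoked with arguments (see Usage above).
if [ $# -gt 0 ]; then
    status=0
    csf_check "$1" || status=1
    if [ -n "${2:-}" ]; then
        if csf_port_open "$1" "$2"; then echo "OK: port $2 is in TCP_IN"
        else echo "FAIL: port $2 is not in TCP_IN"; status=1; fi
    fi
    exit "$status"
fi
```

Run it with the port you chose in step 13 as the second argument, fix whatever it flags, then reload the rules with csf -r.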
18. Tweak LFD and CSF to prevent DoS.
19. Secure /tmp, /dev/shm and /var/tmp
PHP security
20. Disable vulnerable PHP functions. Find the disable_functions line in php.ini and set it to:
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
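An added example for step 20 (my code, not from the post): it checks whether a php.ini really disables every function on the list above, which is easy to get wrong when a later duplicate line or a stray typo silently re-enables something. Function and variable names are mine and the sample ini in the comment is constructed. cPanel may carry one php.ini per installed PHP version, so run it against each file that php --ini reports as loaded.

```shell
#!/bin/sh
# Added example for step 20 (my code, not from the post).  Names are mine.
# Usage: sh php_check.sh /path/to/php.ini
#
# Constructed sample the functions are written against:
#   ; comment lines are ignored
#   disable_functions = system, EXEC, passthru,shell_exec

# The list from step 20, exactly as the checklist gives it.
WANTED="system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd"

# php_disabled FILE: print the functions named in the effective disable_functions
# line, one per line and lower-cased (PHP function names are case-insensitive).
# Only the last uncommented line counts, which is how PHP resolves duplicates.
php_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' '\n' | tr -d ' \t"' | tr '[:upper:]' '[:lower:]' | grep -v '^$' || true
}

# php_missing FILE: print each wanted function that is still callable; return 1 if any.
php_missing() {
    disabled=$(php_disabled "$1")
    rc=0
    for fn in $WANTED; do
        if ! printf '%s\n' "$disabled" | grep -qx "$fn"; then
            echo "$fn"; rc=1
        fi
    done
    return $rc
}

# Report only when invoked with a file argument (see Usage above).
if [ $# -gt 0 ]; then
    if missing=$(php_missing "$1"); then
        echo "OK: every function from step 20 is disabled in $1"
    else
        echo "Still callable in $1:"; echo "$missing"; exit 1
    fi
fi
```

The file check is a pre-flight; confirm the running interpreter agrees with php -i | grep disable_functions, since a per-directory or per-user ini can override the global one.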
21. Enable suPHP if the server is for shared hosting.
22. WHM >> Configure PHP and suEXEC >> set the suPHP handler and enable suexec.
Apache
23. Install mod_security and cmc (ConfigServer ModSecurity Control) to manage the mod_security rules via WHM. See http://configserver.com/cp/cmc.html
24. Install mod_evasive (formerly mod_dosevasive).
FTP
25. WHM >> Service Configuration >> FTP Server Configuration
Make sure Anonymous logins and uploads are disabled.
MySQL
26. Disable networking if nobody needs to connect to the MySQL server remotely.
Add the below line to my.cnf
skip-networking