How To: WHM/cPanel Hardening & Security - The Basics - Part 1

1. Introduction

A step by step paper how to secure linux server with cPanel/WHM and
Apache installed. By default, linux is not secured enough but you have
to understand there is no such thing as "totally secured server/system".
The purpose of this paper is to understand how to at least provide some
kind of security to the server.

Let's start

So, you bought the server with CentOS 5 installed. If you ordered cPanel/WHM together with the server you can skip 2.1 step

2. WHM\cPanel installation and configuration

2.1 WHM\cPanel Installation

To begin your installation, use the following commands into SSH:


Code:
cd /home
wget http://layer1.cpanel.net/latest
./latest cd /home - Opens /home directory
wget http://layer1.cpanel.net/latest - Fetches the latest installation file from the cPanel servers.
./latest - Opens and runs the installation files.

WHM\cPanel should be installed now. You should be able to access cPanel via
http://serverip:2082(SSL-2083) or http://serverip/cpanel and WHM via
http://serverip:2086(SSL-2087) or http://serverip/whm. Let's configure
it now.

2.2 WHM\cPanel Configuration

Login to WHM using root username/passwd
http://serverip:2086 or http://serverip/whm

WHM - Server setup - Tweak Security:

Enable open_basedir protection
Disable Compilers for all accounts(except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection
WHM - Account Functions:

Disable cPanel Demo Mode
Disable shell access for all accounts(except root)
WHM - Service Configuration - FTP Configuration:

Disable anonymous FTP access

WHM - MySQL:

Set some MySQL password(Don't set the same password like for the root access)
-If you didn't set MySQL password someone will be able to login into the DB with
username "root" without password and delete/edit/download any db on the server.

WHM - Service Configuration - Apache Configuration - PHP and SuExec Configuration

Enable suEXEC - suEXEC = On
When PHP runs as an Apache Module it executes as the user/group of the
webserver which is usually "nobody" or "apache". suEXEC changes this so
scripts are run as a CGI. Than means scripts are executed as the user
that created them. With suEXEC script permissions can't be set to
777(read/write/execute at user/group/world level)

3. The server and it's services - PHP Installation, Optimization & Security


3.1 Keep all services and scripts up to date and make sure that you running the latest secured version.

On CentOS type this into SSH to upgrade/update services on the server.


Code:
yum upgrade or

Code:
yum update 3.2 PHP installation/update, configuration and optimization + Suhosin patch

First download what you need, type the following into SSH:

 

Code:
cd /root
wget http://www.php.net/get/php-5.2.9.tar.bz2/from/this/mirror
wget http://download.suhosin.org/suhosin-patch-5.2.8-0.9.6.3.patch.gz

wget http://download.suhosin.org/suhosin-0.9.27.tgz Untar PHP:


Code:
tar xvjf php-5.2.9.tar.bz2 Patch the source:

Code:
gunzip < suhosin-patch-5.2.8-0.9.6.3.patch.gz | patch -p0 Configure the source. If you want to use the same config as you used for
the last php build it's not a problem but you will have to add:

enable-suhosin to old config. To get an old config type this into SSH:


Code:
php -i | grep ./configure
cd php-5.2.9
./configure --enable-suhosin + old config(add old config you got from "php -i | grep ./configure" here)
make
make install Note: If you get an error like make: command not found or patch: Command
not found, you will have to install "make" and "patch". It can be done
easly. Just type this into SSH:


Code:
yum install make
yum install patch Now check is everything as you want. Upload php script like this on the server:


Code:
phpinfo();
?> And open it via your browser and you will see your PHP configuration there.

3.3 Suhosin

We will install Suhosin now, it's an advanced protection system for PHP.


Code:
tar zxvf suhosin-0.9.27.tgz
cd suhosin-0.9.27
phpize
./configure
make
make install After you installed suhosin you will get something like this: It's installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
Now edit your php.ini. If you don't know where php.ini located is, type this into SSH.


Code:
php -i | grep php.ini Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
It means you have to edit /usr/local/lib/php.ini

Type into SHH:


Code:
nano /usr/local/lib/php.ini If you get an error, nano: Command not found, then:

Code:
yum install nano Find "extension_dir =" and add:
extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
To save it, CTRL + O and press the enter button on your keyboard.

3.4 Zend Optimizer:

Download Zend Optimizer from http://www.zend.com/store/products/zend-optimizer.php


Code:
tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
cd ZendOptimizer-3.3.3-linux-glibc23-i386
./install.sh Welcome to Zend Optimizer installation..... - Press Enter button
Zend licence agreement... - Press Enter button
Do you accept the terms of this licence... - Yes, press Enter button
Location of Zend Optimizer... - /usr/local/Zend, press Enter button
Confirm the location of your php.ini file...- /usr/local/lib, press Enter button
Are you using Apache web-server.. - Yes, press Enter button
Specify the full path to the Apache control utility(apachectl)...-/usr/local/apache/bin/apachectl, press Enter button
The installation has completed seccessfully...- Press Enter button

Now restart apache, type this into SSH:

Code:
service httpd restart

3.5 php.ini & disabled functions
Edit php.ini like this:


Code:
nano /usr/local/lib/php.ini safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,
shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd


Code:
service httpd restart Or you can edit php.ini via WHM:
WHM - Service Configuration - PHP Configuration Editor

4. Kernel Hardening - Linux Kernel + Grsecurity Patch

Description : grsecurity is an innovative approach to security utilizing
a multi-layered detection, prevention, and containment model. It is
licensed under the GPL. It offers among many other features:
-An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
-Change root (chroot) hardening
-/tmp race prevention
-Extensive auditing
-Prevention of arbitrary code execution, regardless of the technique used (stack smashing, heap corruption, etc)
-Prevention of arbitrary code execution in the kernel
-Randomization of the stack, library, and heap bases
-Kernel stack base randomization
-Protection against exploitable null-pointer dereference bugs in the kernel
-Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
-A restriction that allows a user to only view his/her processes
-Security alerts and audits that contain the IP address of the person causing the alert

Downloading and patching kernel with grsecurity

Code:
cd /root
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.5.tar.gz
wget http://www.grsecurity.com/test/grsecurity-2.1.12-2.6.26.5-200809141715.patch
tar xzvf linux-2.6.26.5.tar.gz
patch -p0 < grsecurity-2.1.12-2.6.26.5-200809141715.patch
mv linux-2.6.26.5 linux-2.6.26.5-grsec
ln -s linux-2.6.26.5-grsec/ linux
cd linux
cp /boot/config-`uname -r` .config
make oldconfig
Compile the Kernel:
make bzImage
make modules
make modules_install
make install Check your grub loader config, and make sure default is 0

Code:
nano /boot/grub/grub.conf Reboot the server

Code:
reboot 5. SSH

In order to change SSH port and protocol you will have to edit sshd_config


Code:
nano /etc/ssh/sshd_config Change Protocol 2,1 to Protocol 2
Change #Port 22 to some other port and uncomment it
Like, Port 1337

There is a lot of script kiddiez with brute forcers and they will try to crack our ssh pass because they know username is root, port is 22

But we were smarter, we have changed SSH port


SSH Legal Message

edit /etc/motd, write in motd something like this:

"ALERT! That is a secured area. Your IP is logged. Administrator has been notified"
When someone logins into SSH he will see that message:
ALERT! That is a secured area. Your IP is logged. Administrator has been notified
If you want to recieve an email every time when someone logins into SSH as root, edit .bash_profile(It's located in /root directory) and put this at the end of file:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" mail@something.com

And at the end restart SSH

Code:
service sshd restart

  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Enable DKIM and SPF on existing cPanel Accounts

To add domainkeys and SPF records, you can do the following. Please note that on CPanel servers...

How to change default SSH port for a VPS or Dedicated server.

Changing the default SSH port to your VPS or server is recommended for security reasons,...

How to install CHKRootkit

Install CHKROOTKIT Product Name: CHKROOTKIT Product Version: 0.49 Homepage:...

How to Install CSF Firewall

Installing a firewall on your VPS is of vital importance. One of the most respected, and widely...

How to install Malware Detect (Maldet) for CentOS 6 / Linux

Malware Detect is very easy to install on CentOS, regardless of the control panel you utilize...

Powered by WHMCompleteSolution