Secure cPanel

Submitted by eth00 on
How-To secure cPanel
*********************WARNING********************



This guide is no longer going to be updated, as it is too large and complex to maintain. Instead, all of the other guides on the right will continue to be updated. I am going to leave it up because some people still look at it for a general idea of what to do with a new server. I would suggest that you not actually follow these directions, as the versions may be old.


First and foremost I want to say that this is not going to make your server 100% cracker proof; there is always a possibility that somebody will find a way in. I have listed a lot of things you can do to protect your server that will help you secure it. While securing your server you have to find a median between what is secure and what restricts your clients or websites. You can easily make your server 100% secure from remote attacks by unplugging the ethernet cable, but chances are it will not be of much use to you. This is not a complete guide and I will update it when I find time or it needs it. Overall it is a very good start and it is probably more than most servers have.

If you have any problems with the guide please post them and I will try to help and update the guide. I have not included everything you can do, but it is a very good start. If you need somebody to secure your server please feel free to private message or email me.

Donations are always accepted, please send them via paypal to admin@eth0.us

From now on I will try to keep a list of updates.

Updates:

December 17th:
Updated mod_security rules
Update mod_dosevasive rules
Updated register_globals
Created cron for rkhunter automatic updates


December 3rd:
Added a link to linux socket monitor (LES) which helps secure system binaries.
Fixed a few problems with mod_dosevasive

November 28th:
Register_globals turned off

November 20th:
Added mod_dosevasive
Added how to secure /dev/shm
Updated permission changes to also block a few common places for scripts to be uploaded
Fixed a few typos and updated misc small stuff

--------------------------

The first step is to update your software. Make sure up2date says you are fully updated:
-----command-----
up2date -u
-----command-----

Now update the kernel. Below I have posted the directions for a server using lilo as the bootloader. I will add in directions for grub later as I do not run grub on any of my servers. If you are using grub please skip this section and upgrade the kernel at another time.

-----command-----
cd /var/spool/up2date
-----command-----


If you have a dual processor server:

-----command-----
up2date --download --force kernel-smp
rpm -ivh kernel-smp-2.4.21-20.EL.i686.rpm
lilo -v -v
lilo -R 2.4.21-20
shutdown -r now
-----command-----


If you have a single processor server:
-----command-----
up2date --download --force kernel
rpm -ivh kernel-2.4.21-20.EL.i686.rpm
lilo -v -v
lilo -R 2.4.21-20
shutdown -r now
-----command-----


When you run lilo -v -v make sure that no errors appear; if any do, you probably need to look at lilo.conf for the problem.

The lilo -R command will make the server boot the new kernel only once. If for some reason it does not come back up, just reboot it and it will automatically boot to the old kernel. If it comes back up fine then you can edit /etc/lilo.conf and set "default=" to the new kernel label.


--------------------------


A firewall should be the first thing installed. I recommend advanced policy firewall (APF) by rfxnetworks. APF will block unused outgoing and incoming ports. It can also be configured to use information from some block lists.
http://rfxnetworks.net/apf.php

-----command-----
cd /usr/src
wget http://rfxnetworks.net/downloads/apf-current.tar.gz
tar -zxf apf-current.tar.gz
cd apf-0.*
./install.sh
-----command-----


Now edit the config file
-----command-----
pico -w /etc/apf/conf.apf
-----command-----

Change the following:
USE_DS="1"
USE_AD="1"


Scroll down to this section:


# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="21,53,465,873"

# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"


Scroll down a bit then find this section:

EGF="1"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,123,465,873"


Save the file and start apf via:
-----command-----
apf -s
-----command-----

If everything still works then edit the config file and turn dev mode off.
DEVM="0"

Now restart APF
-----command-----
apf -r
-----command-----
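Before turning DEVM off it is worth checking the port list against what is actually listening. The script below is an added example, not part of the original guide or of APF itself: it reads the IG_TCP_CPORTS line from a conf.apf and compares it with saved netstat/ss output, reporting allowed ports that have no listener (needless exposure) and listeners the firewall will cut off. The conf.apf fragment and netstat output are constructed samples.

```bash
#!/bin/sh
# Added example (not part of the original guide): compare the inbound TCP
# ports APF will accept (IG_TCP_CPORTS in conf.apf) with the ports that
# actually have a listener. A port open in APF with nothing behind it is
# needless exposure; a listener absent from the list goes dark once
# DEVM="0" is set. Sample inputs are constructed below so this runs
# offline; on a server pass /etc/apf/conf.apf and a file holding the
# output of "netstat -lnt" (or "ss -lnt").

# One allowed port per line, taken from the IG_TCP_CPORTS="..." line.
apf_ports() {    # $1 = conf.apf
    sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' |
        sed '/^$/d' | sort -u
}

# Local port of every non-loopback listener; column 4 is the local
# address in both netstat and ss output (e.g. 0.0.0.0:22 or :::80).
listen_ports() { # $1 = saved netstat/ss output
    awk '$4 ~ /:[0-9]+$/ && $4 !~ /^(127\.|::1:|\[::1\])/ {
             sub(/.*:/, "", $4); print $4 }' "$1" | sort -u
}

# Set difference without comm(1): a line listed once survives uniq -u,
# so "A B B" keeps only entries of A that are not in B.
apf_unused()     { { apf_ports "$1"; listen_ports "$2"; listen_ports "$2"; } | sort | uniq -u; }
listen_blocked() { { listen_ports "$2"; apf_ports "$1"; apf_ports "$1"; } | sort | uniq -u; }

# --- constructed sample data -------------------------------------------
SAMPLE_CONF=$(mktemp); SAMPLE_NETSTAT=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# trimmed conf.apf fragment (constructed)
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096"
EOF
cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
EOF

echo "allowed in APF but no listener:"; apf_unused "$SAMPLE_CONF" "$SAMPLE_NETSTAT"
echo "listening but not allowed by APF:"; listen_blocked "$SAMPLE_CONF" "$SAMPLE_NETSTAT"
```

A listener that is not in your port list and that you did not start yourself (the 6667 line in the sample) deserves a look before you simply add the port.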


--------------------------


The following scripts are fairly easy to use and install, I might add documentation later but for now I will not.

Along with installing APF I would suggest installing brute force detection (BFD), also by rfxnetworks. BFD will monitor your ssh and ftp services and automatically ban users that try to brute force a password. If you install BFD make sure you can get a separate ip to ssh into your server in case it blocks you for some reason! You can add your ip to the allow list via "apf -a IP" if you have a static ip.
http://rfxnetworks.net/bfd.php


Yet another very handy tool by rfxnetworks is linux socket monitor (LSM). This tool will alert you whenever a new port is opened on the server. This is very helpful in detecting any users running weird processes or attempting to run backdoors. When any program that it does not recognize is started it will email you with the information. It does tend to be somewhat cpu intensive, but I think it is well worth it. You never know what backdoor somebody may try to install on your system.
http://rfxnetworks.net/lsm.php


Another tool I would suggest, but that is not really part of securing your server, is system integrity monitor (SIM) which is also by rfxnetworks. SIM will automatically detect when a service is down and restarts it. I would highly recommend this for any server.
http://rfxnetworks.net/sim.php


I always recommend turning off compilers. Most rootkits come precompiled, but not all of them do. It will also prevent shell users from trying to compile any irc related programs. To turn the compilers back on, switch the off to on.

-----command-----
/scripts/compilers off
-----command-----


--------------------------


mod_security

First we will download and unzip mod_security. This guide compiles for apache1.3.x which is what cPanel currently uses.

**Warning** even the low level rules will break vbb3.x. I have gotten a few emails about it so I took the rules down temporarily. They are back up now, but please be aware that you are going to have to remove the one or two rules causing the problems. If somebody could email me the error that would be great as well.


-----command-----
wget http://www.modsecurity.org/download/mod_security-1.8.6.tar.gz
tar zxf mod_security-1.8.6.tar.gz
cd mod_security-1.8.6/apache1
-----command-----


Next compile mod_security as a module:
-----command-----
/etc/httpd/bin/apxs -cia mod_security.c
-----command-----

Make a backup of your httpd.conf before touching anything so you have something to go back to if it does not work.
-----command-----
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec
-----command-----


Now edit the httpd.conf
-----command-----
pico -w /etc/httpd/conf/httpd.conf
-----command-----


Scroll down below the following line:
AddModule mod_security.c
There are multiple rulesets that I have placed below. The strict one is probably going to be way too strict for most shared hosts. If you are running a shared host start off with the low one. The mod-sec-rfxn set is from ryan at rfxnetworks and is a very good choice of ruleset. If you want to configure it exactly how you want it then go with the strict rules and gradually remove what you do not need. Sorry about any problems for people using the old set of rules; it is what the strict rules are now.


Create the error log file:
-----command-----
touch /var/log/httpd/audit_log
-----command-----

Restart apache
-----command-----
service httpd restart
-----command-----

If sites start to have problems look at the audit log:
/var/log/httpd/audit_log


--------------------------

Another good way to prevent some attacks against your webserver is mod_dosevasive. It will help prevent the overloading of a webserver from a request based attack, script attacks, brute force attacks, or even some malicious CGI scripts. Once it detects a problem it will add the offending ip to APF, which must be installed. This module has been known to cause problems with frontpage! Do not use it if you use frontpage!

-----command-----
wget http://www.nuclearelephant.com/projects/dosevasive/mod_dosevasive.1.8.tar.gz
tar -zxf mod_dosevasive.1.8.tar.gz
cd mod_dosevasive
/etc/httpd/bin/apxs -cia mod_dosevasive.c
-----command-----


Add the following to the httpd.conf right above the mod_security stuff added above.

<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 10
DOSEmailNotify root
DOSSystemCommand "sudo /usr/local/sbin/apf -d %s"
</IfModule>

Exit and save out of the httpd.conf

Run
-----command-----
visudo
-----command-----

Add the following line to allow apache access to the APF firewall. Without this the server will be unable to ban users. Make sure to change HOSTNAME to your server hostname or it will not work. Only include the first part of the hostname. For example, for hostname.myhost.com use only hostname.

nobody HOSTNAME = NOPASSWD: /usr/local/sbin/apf -d *

Now it should be ready to go. Exit out of pico and restart apache.
-----command-----
service httpd restart
-----command-----

--------------------------

The /tmp partition is one of the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check if your /tmp is secure.
-----command-----
df -h |grep tmp
-----command-----


If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it is mounted with noexec.
-----command-----
cat /etc/fstab |grep tmp
-----command-----

If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
-----command-----
ls -alh /var/ |grep tmp
-----command-----

If it shows something to the effect of "tmp -> /tmp/" then you are ok. If not, go ahead and remove the old /var/tmp and replace it with a symlink to /tmp.
-----command-----
rm -rf /var/tmp/
ln -s /tmp/ /var/
-----command-----


If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.

Create a 190Mb partition
-----command-----
cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000
-----command-----

Format the partition
-----command-----
mke2fs /dev/tmpMnt
-----command-----


Make a backup of the old data
-----command-----
cp -Rp /tmp /tmp_backup
-----command-----

Mount the temp filesystem
-----command-----
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
-----command-----

Set the permissions
-----command-----
chmod 0777 /tmp
-----command-----

Copy the old files back
-----command-----
cp -Rp /tmp_backup/* /tmp/
-----command-----

Once you do that go ahead and start mysql and make sure it works ok. If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
none /dev/shm tmpfs noexec,nosuid 0 0

Unmount and remount /dev/shm for the changes to take effect.
-----command-----
umount /dev/shm
mount /dev/shm
-----command-----

Next delete the old /var/tmp and create a link to /tmp
-----command-----
rm -rf /var/tmp/
ln -s /tmp/ /var/
-----command-----

If everything still works fine you can go ahead and delete the /tmp_backup directory.
-----command-----
rm -rf /tmp_backup
-----command-----
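The checks above rely on eyeballing grep output. As an added example (not from the original guide), the script below reads an fstab- or /proc/mounts-style file and reports whether /tmp and /dev/shm carry both noexec and nosuid, which is the end state this section is after. The fstab contents are a constructed sample in which /tmp matches the guide and /dev/shm still has the default options.

```bash
#!/bin/sh
# Added example (not part of the original guide): audit whether /tmp and
# /dev/shm carry the noexec and nosuid options, reading an fstab- or
# /proc/mounts-style file (field 2 = mount point, field 4 = options).
# A constructed fstab is used so this runs offline; on a live server pass
# /proc/mounts to see what is in effect now and /etc/fstab to see what
# will be in effect after a reboot.

# Print the option field for mount point $2 in file $1 (empty if absent).
mount_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# List required options that are missing for mount point $2 in file $1;
# prints nothing and returns 0 when noexec and nosuid are both set.
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "not-mounted"; return 1; }
    rc=0
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "$want"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit both filesystems the guide covers; returns 1 if either is weak.
audit_tmp() {
    rc=0
    for mp in /tmp /dev/shm; do
        if m=$(missing_opts "$1" "$mp"); then
            echo "$mp: ok"
        else
            echo "$mp: missing $(echo $m | tr ' ' ',')"; rc=1
        fi
    done
    return $rc
}

# --- constructed sample fstab -------------------------------------------
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample: /tmp follows the guide, /dev/shm does not yet
LABEL=/ / ext3 defaults 1 1
/dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0
none /dev/shm tmpfs defaults 0 0
EOF

audit_tmp "$SAMPLE_FSTAB" || echo "action needed: remount with noexec,nosuid"
```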


--------------------------

Linux environmental security (LES) is a new tool from rfxnetworks that I have not had much time to work with, but it looks like a very interesting project. Instead of just changing a few permissions like I do below, LES goes through the entire system and secures important binaries so only root can use them. The only thing to beware of is that if you use the disable-all function the rpm database is locked and must be unlocked before any rpm upgrades are allowed.
http://rfxnetworks.net/les.php


Many php exploit scripts use common *nix tools to download rootkits or backdoors. By simply chmod'ing the files so that no non-wheel or non-root user can use them we can eliminate many possible problems. The downside to doing this is that shell users will be inconvenienced by not being able to use the commands below. If you run LES, which I would suggest, then you do not need to run the first group of chmods. If you get an error on the chmod 000 because a directory does not exist, do not worry; they are not on every server.

-----command-----
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

chmod 000 /etc/httpd/proxy/
chmod 000 /var/mail/vbox
-----command-----


--------------------------


Now we will install rkhunter so we will at least know if the server has been cracked. Note that a false positive is not always bad and you need to investigate the error before thinking you are hacked. Things such as compiling a 2.6.9 kernel on your server will cause binaries to change and rkhunter to suspect the server was cracked.

Download and unzip rkhunter
-----command-----
cd /usr/local/src/
wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
tar -zxf rkhunter-1.1.4.tar.gz
cd rkhunter
-----command-----

Install it
-----command-----
./installer.sh
-----command-----

Now create a cronjob so it will email you with notifications to the root mailbox:
-----command-----
crontab -e
-----command-----

Now the crontab is going to be created. The first line is an update function so that you can be assured your rkhunter has the latest rules before it scans your system. The second line will run the actual scan and email root the results. At the bottom add the following lines:
10 0 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1
25 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

Press control x to save

--------------------------

Register_globals is something that ideally php coders would write their code to work without, but many do not. Because of that, disabling this feature may cause a lot of scripts to break. If you are on a shared host it is probably best if you do not disable it. If you are not a shared host then there is probably nothing wrong with it, but do make sure by looking at all of your websites to ensure it did not break any. That being said, if you can get away with it then your server is going to be more secure. This comes down to the usability vs security issue: yes it makes it more secure, but it also blocks some popular scripts. Use this at your own risk!

First open the php.ini file
-----command-----
pico -w /usr/local/lib/php.ini
-----command-----

To disable it, search for "register_globals". It will currently be set to "On"; go ahead and change it to "Off".
Restart apache for it to take effect.
-----command-----
service httpd restart
-----command-----


--------------------------


Version numbers can be used by various software scanners to determine if your server is vulnerable. Though you should have the latest versions of everything, security through obscurity is one method that can be employed to help secure your server.

First we are going to hide the version information in apache.

-----command-----
pico /etc/httpd/conf/httpd.conf
-----command-----


Press control + w to search for "ServerSignature"
It should say On; change it to Off
This will remove the identification of apache from error pages

Right below that add a line with the following:
ServerTokens Prod
This will identify apache simply as "Apache" with no version numbers or OS information

Save out of the file and restart apache
-----command-----
service httpd restart
-----command-----

Next we will disable named from giving a version.
-----command-----
pico /etc/named.conf
-----command-----


Search for "query-source address * port 53;"
Add a line right below it with
version "Named";
Save and restart named

Next we will disable the exim version
-----command-----
pico /etc/exim.conf
-----command-----


Search for smtp_banner = "${primary_hostname}
This is the welcome banner for the email server; anything can be set here. To quickly replace it just do something like the following

smtp_banner = "${primary_hostname} MailServer \n\
We do not authorize the use of this system to transport unsolicited, \n\
and/or bulk e-mail."

Then save out and restart exim.
-----command-----
service exim restart
-----command-----


Remember this is just security through obscurity and you still need to keep the server updated! This is just going to stop some people from finding your server in the first place. It will not help at all if somebody is actually trying to hack the server.


--------------------------
Thanks to all that have helped me compile this. Thanks to TheLinuxGuy, RFXN, err0r, and all the people that I have forgotten!

Donations are always accepted! Please send them to the paypal address admin@eth0.us

I will be adding more but that is a very good start. This guide is going to be posted on a few forums and http://eth0.us. The website will always have the latest version!
