Description: Server security matters: new attack techniques appear almost daily, so a server that hosts websites and other data has to be kept hardened and updated. Here I have explained the ways I use to secure a cPanel/WHM server.
Procedure: Here are some basic ways to secure a cPanel server
- Strong server password: Use a root password that cannot be guessed: long, with mixed character classes (upper and lower case, digits, punctuation). Rotate it on a regular schedule, and never reuse it for another service.
- Create a wheel user: Create a normal user, add it to the wheel group so it can su to root, and give it a password. Once root SSH login is disabled (next step), the SSH console is reached through this user only. Here are the steps.
# useradd -m authuser
# passwd authuser
# usermod -aG wheel authuser
- Change the default SSH port and disable root SSH login in the sshd configuration file. Keep your current session open until a fresh login as the wheel user on the new port succeeds, and allow the new port in the firewall before restarting sshd, or you will lock yourself out.
# vi /etc/ssh/sshd_config
Port 2255
PermitRootLogin no
Then test the configuration and restart sshd (restartsrv_sshd is cPanel's own restart script):
# sshd -t && /scripts/restartsrv_sshd
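As an added example (not part of the original post), here is the wheel-user and sshd_config procedure above as one script. The edits are idempotent (running it twice still leaves exactly one Port and one PermitRootLogin line, and commented-out defaults such as "#Port 22" are rewritten rather than duplicated), and it refuses to restart sshd when the new file fails `sshd -t`, which is the mistake that most often leaves an admin locked out. The user name, port and config path are placeholders; it assumes GNU sed, a wheel group, and cPanel's /scripts/restartsrv_sshd with systemctl as the fallback.

```bash
#!/bin/bash
# Added example: create the admin (wheel) user and harden sshd_config idempotently.
# Run as root:  ./harden_ssh.sh --apply 2255 authuser
# Assumptions: GNU sed, a wheel group, cPanel's /scripts/restartsrv_sshd (or systemd).

# set_sshd_option FILE KEY VALUE: rewrite every existing KEY line (commented or
# not) as "KEY VALUE", or append it if the file has none. If you use Match
# blocks, a KEY inside them is rewritten too, so check those by hand.
set_sshd_option() {
    local file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the effective value. sshd honours the first
# uncommented occurrence of a keyword, so this does the same.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

harden_ssh() {
    local port=$1 admin=$2 cfg=${3:-/etc/ssh/sshd_config}
    local bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"

    # 1. Non-root admin account that can su to root through the wheel group.
    id "$admin" >/dev/null 2>&1 || useradd -m "$admin"
    usermod -aG wheel "$admin"
    passwd "$admin"

    # 2. Back up, then apply the two settings from the post.
    cp -p "$cfg" "$bak"
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" PermitRootLogin no

    # 3. Never restart on a file sshd itself rejects: a typo here would leave
    #    the daemon down and you outside. Restore the backup instead.
    if ! sshd -t -f "$cfg"; then
        echo "sshd_config failed validation; restoring $bak" >&2
        cp -p "$bak" "$cfg"
        return 1
    fi
    echo "Allow TCP/$port in the firewall (CSF: TCP_IN) before closing this session." >&2
    /scripts/restartsrv_sshd 2>/dev/null || systemctl restart sshd
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then
    harden_ssh "${2:-2255}" "${3:-authuser}"
fi
```

Verify from a second terminal with `ssh -p 2255 authuser@server` before you close the session that ran the script.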
- Update cPanel: Keeping cPanel on the latest version is the simplest protection against known vulnerabilities and bugs, because cPanel ships fixes regularly.
You can update cPanel via WHM:
WHM >> cPanel >> Upgrade to Latest Version >> Click to upgrade
You can also do this from the command line (--force runs the update even when the version check says you are already current):
# /scripts/upcp --force
- Install and configure ConfigServer Security & Firewall (CSF):
# rm -fv csf.tgz
# wget http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh
Then edit /etc/csf/csf.conf before starting the firewall: set TESTING = "0" (while it is "1", lfd does not run and the rules are flushed every TESTING_INTERVAL minutes, so the firewall is effectively off), and add your SSH port (2255 above) to TCP_IN, or the restart below locks you out. The original post instead replaced csf.conf with a pre-built file fetched over plain HTTP from a third-party site; if you use such a file at all, treat it as a template and review every setting, because you are handing an unverified download control of your firewall.
# cd /etc/csf/
# mv csf.conf csf.conf.BKP
# wget http://jarry.web-dns1.com/~heberge/csf.tar.gz
# tar -zxf csf.tar.gz
# rm -f csf.tar.gz
Finally restart csf and lfd so the new rules load:
# csf -r
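Before that `csf -r`, it is worth checking the two settings that most often bite on a fresh install: TESTING must be "0", and the SSH port chosen earlier must appear in TCP_IN (CSF's default list has 22 but not 2255). The checker below is an added example, not part of the original post or of CSF itself. It only reads a csf.conf-style file and assumes the `KEY = "value"` layout CSF uses; the config path and port are arguments.

```bash
#!/bin/bash
# Added example: pre-flight checks on csf.conf before running `csf -r`.
# Usage: ./csf_preflight.sh /etc/csf/csf.conf 2255

# csf_conf_get FILE KEY: value of a CSF setting written as KEY = "value".
# The pattern requires whitespace or "=" right after KEY, so asking for
# TESTING does not also match TESTING_INTERVAL.
csf_conf_get() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$1" | head -n1
}

# csf_port_allowed FILE PORT: succeed if PORT is in TCP_IN, either as a single
# port or inside a LOW:HIGH range such as 30000:35000 (passive FTP).
csf_port_allowed() {
    local port=$2 entry lo hi
    for entry in $(csf_conf_get "$1" TCP_IN | tr ',' ' '); do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0 ;;
            *)   [ "$entry" = "$port" ] && return 0 ;;
        esac
    done
    return 1
}

# csf_preflight FILE PORT: report every problem found; non-zero exit if any.
csf_preflight() {
    local cfg=$1 port=$2 rc=0
    if [ "$(csf_conf_get "$cfg" TESTING)" != 0 ]; then
        echo "TESTING is not 0: lfd will not start and the rules are flushed on a timer" >&2
        rc=1
    fi
    if ! csf_port_allowed "$cfg" "$port"; then
        echo "SSH port $port is not in TCP_IN: csf -r would lock you out" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone run: both arguments required, so sourcing the file only defines functions.
if [ $# -ge 2 ]; then
    csf_preflight "$1" "$2"
fi
```

Run it as the last thing before `csf -r`; a non-zero exit means fix csf.conf first.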
- Install Linux Malware Detect (maldet):
# cd /usr/src
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xzf maldetect-current.tar.gz
# cd maldetect-*
# sh ./install.sh
Then update maldet itself and its signature database:
# maldet --update-ver
# maldet -u
- Install ClamAV antivirus (from WHM):
Log in to WHM
Click on Manage Plugins
Check the ClamAV box
At bottom click Save
Wait for process to finish (It will take approx 15 minutes)
- Install Rkhunter (rootkit scanner): Go to http://downloads.sourceforge.net/project/rkhunter/
and locate the latest version. Copy its URL into the wget below (the -O name matters, because SourceForge's download URL otherwise saves the file as "download").
# wget -O rkhunter.tar.gz http://sourceforge.net/projects/rkhu…ar.gz/download
# tar -xvzf rkhunter.tar.gz
# cd rkhunter-*
# sh installer.sh --install --layout default
Build the baseline of file properties first (rerun --propupd after you legitimately update packages, otherwise every changed binary shows up as a warning), then run a check:
# rkhunter --propupd
# rkhunter -c
Results are logged to: /var/log/rkhunter.log
- Tweak Settings: Review the options under WHM >> Server Configuration >> Tweak Settings >> Redirection, where cPanel, WHM and webmail logins can be forced to redirect to SSL so credentials are never sent in clear text.
- Enable cPHulk Brute Force Protection:
cPHulk is cPanel's built-in defence against brute-force login attempts: it watches failed logins to cPanel, WHM, SSH, FTP and the mail services and blocks the source after repeated failures. You can enable cPHulk via:
WHM >> Security Center >> cPHulk Brute Force Protection.
- Apache and PHP security tweaks.
Enable ModSecurity in WHM to protect Apache from attacks such as code injection. ModSecurity is a web application firewall: every request is matched against the loaded rule set, and a request that triggers a rule is blocked (or only logged, depending on the rule's action); requests that match no rule pass through untouched, so the protection is only as good as the rules you load. You can install it via:
WHM >> Plugins >> Mod Security
Configure suPHP as the PHP handler and suEXEC for CGI scripts, so each script runs with the privileges of the account that owns it rather than as the shared web server user. You can enable suPHP and suEXEC via:
WHM >> Service Configuration >> suEXEC
Change the PHP handler to suPHP, turn Apache suEXEC to 'On' and click Save New Configuration.
WHM >> Security Center >> PHP open_basedir Tweak >> tick Enable PHP open_basedir Protection >> click Save.
You also need to tweak the PHP configuration to disable the functions that give a script shell access.
WHM >> Service Configuration >> PHP Configuration Editor >> Select Advanced mode
And set the following parameters.
register_globals: Off (this directive was removed in PHP 5.4, so it only exists on older PHP builds)
disable_functions: show_source, highlight_file, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen: Off
The original list put allow_url_fopen inside disable_functions; it is an ini directive, not a function, so it has no effect there and has to be set on its own. highlight_file is the same function as show_source under another name and is added so the list cannot be bypassed by calling the alias.
Then click 'Save'
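The WHM editor above writes these directives into php.ini, and they are easy to get subtly wrong (a function spelled in the wrong place, a later duplicate line overriding an earlier one, allow_url_fopen left at its default of On). The audit below is an added example, not from the post or from cPanel: it parses a php.ini-style file the way PHP does (comments ignored, last assignment wins) and reports what is still exposed. The function list is the post's plus highlight_file and pcntl_exec, which I have added; the path to php.ini is an argument (`php --ini` shows the one in use).

```bash
#!/bin/bash
# Added example: audit a php.ini-style file for the hardening settings above.
# Usage: ./php_audit.sh /usr/local/lib/php.ini   (path assumed; check `php --ini`)

# The post's disable_functions list plus highlight_file (alias of show_source)
# and pcntl_exec, two common ways around an incomplete list.
DANGEROUS="show_source highlight_file system shell_exec passthru exec phpinfo popen proc_open pcntl_exec"

# php_ini_get FILE DIRECTIVE: effective value. PHP uses the last assignment, so
# does this; inline "; comments" are stripped. Prints "(unset)" when the
# directive is absent, in which case PHP falls back to its built-in default.
php_ini_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*;/ { next }                 # full-line comment
        NF < 2           { next }                 # blank line or [section]
        {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key != k) next
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]*;.*$/, "", val); sub(/[[:space:]]+$/, "", val)
            found = 1
        }
        END { print (found ? val : "(unset)") }' "$1"
}

# php_missing_disables FILE: print each DANGEROUS function not in disable_functions.
php_missing_disables() {
    local have f
    have=",$(php_ini_get "$1" disable_functions | tr -d ' '),"
    for f in $DANGEROUS; do
        case $have in *",$f,"*) ;; *) echo "$f" ;; esac
    done
}

# php_audit FILE: print findings; exit status 1 if anything still needs fixing.
php_audit() {
    local cfg=$1 rc=0 missing v
    missing=$(php_missing_disables "$cfg" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "disable_functions is missing: $missing"
        rc=1
    fi
    # allow_url_fopen defaults to On, so "(unset)" is a finding too.
    v=$(php_ini_get "$cfg" allow_url_fopen | tr 'A-Z' 'a-z')
    case $v in
        off|0|no|false|none) ;;
        *) echo "allow_url_fopen should be Off (found: $v)"; rc=1 ;;
    esac
    return $rc
}

if [ $# -ge 1 ]; then
    php_audit "$1"
fi
```

Per-account php.ini files (suPHP honours one in each account's home) are not covered; run the audit over those as well if you allow them.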
- Disable compiler access to users other than root: Compilers let an attacker who gets a shell as a hosting account build exploits on the box. You can disable compiler access for all users, or enable it only for trusted users, via:
WHM >> Security Center >> Compiler Access
- Hardening /tmp: Mount /tmp with noexec and nosuid. noexec stops binaries and scripts from being executed directly out of /tmp, the usual drop location for uploaded malware, and nosuid prevents setuid/setgid bits from taking effect there, so nothing in /tmp can run with more than its owner's privileges. cPanel ships a script that does this (it builds a loopback filesystem for /tmp and /var/tmp with those options); run it from the command line:
# /scripts/securetmp
- Checking suspicious files and folders: World-writable files and directories, and files with no valid owner or group, deserve a look, because any local user or compromised account can modify them. Find them and check whether each one is necessary. Sticky-bit directories such as /tmp are excluded (world-writable with the sticky bit is their normal state), as are /proc, /sys and /dev:
# find / \( -type f -o -type d \) -perm /o+w ! -perm -1000 2>/dev/null | egrep -v '^/(proc|sys|dev)/' > suspicious_files.txt
Command to find files and folders with no owner or group (typically left behind when an account was removed):
# find / \( -nouser -o -nogroup \) 2>/dev/null | egrep -v '^/(proc|sys)/' > no_owner_files.txt
- Disable anonymous FTP and logins with the root password: Attackers routinely upload malicious scripts through the anonymous account, and a root FTP login sends the root password over the network in clear text. Disable anonymous logins and uploads, and turn off "Allow Logins with Root Password", via:
WHM >> Service Configuration >> FTP Server Configuration
- Disable recursion in BIND: A name server that answers recursive queries for anyone can be abused as a reflector in DNS amplification attacks and ends up serving lookups for DNS lookup websites and other third parties. An authoritative server for your hosted domains does not need recursion, so turn it off inside the options { } block and reload:
# vi /etc/named.conf
recursion no;
# rndc reload
- Check index pages for defacement: Attackers frequently replace a site's index page (index.html, index.php, etc.) under public_html with a page reading "Hacked by ...". The script below greps every account's index pages for that marker and mails the matches; save it and add it to cron. It reads the account list from /etc/trueuserdomains, whose lines look like "domain.tld: user".
#!/bin/sh
# Scan every cPanel account's index page for a defacement marker and mail the hits.
OUT=$(mktemp)
for user in $(awk '{print $2}' /etc/trueuserdomains); do
    for f in /home/"$user"/public_html/index.htm /home/"$user"/public_html/index.html /home/"$user"/public_html/index.php; do
        [ -f "$f" ] && grep -l "Hacked" "$f"
    done
done > "$OUT"
# Send one mail, and only when something was found, instead of three possibly empty ones.
[ -s "$OUT" ] && mail -s "Infected Files" EmailID < "$OUT"
rm -f "$OUT"
- Look for malicious files under the accounts' mail directories: the post recommends listing files named shadow.* under /home/USER/etc/DOMAIN/ (the cPanel mail-account password files live in those directories, and unexpected variants of them are worth inspecting). The original wrapped this in find2perl, which no longer ships with Perl; plain find does the same:
# find /home/*/etc/*/ -name 'shadow.*' -print