Knowledgebase

A Beginner's Guide to Securing Your Server Part 1 of 3 (Security Inside WHM/CPanel)


These are items inside of WHM/Cpanel that should be changed to secure your server.



Goto Server Setup =>> Tweak Settings


Check the following items...


Under Domains

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)


Under Mail

Attempt to prevent pop3 connection floods

Default catch-all/default address behavior for new accounts - blackhole


Under System

Use jailshell as the default shell for all new accounts and modified accounts



Goto Server Setup =>> [/B]Tweak Security[/B]

Enable php open_basedir Protection

Enable mod_userdir Protection

Disabled Compilers for unprivileged users.



Goto Server Setup =>> Manage Wheel Group Users

Remove all users except for root and your main account from the wheel group.



Goto Server Setup =>> Shell Fork Bomb Protection

Enable Shell Fork Bomb/Memory Protection



When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.



Goto Service Configuration =>> FTP Configuration

Disable Anonymous FTP



Goto Account Functions =>> Manage Shell Access

Disable Shell Access for all users (except yourself)


Goto Mysql =>> MySQL Root Password

Change root password for MySQL


A Beginner's Guide to Securing Your Server Part 2 of 3 (with SSH access)


These are measures that can be taken to secure your server, with SSH access.


Udate OS, Apache and CPanel to the latest stable versions. This can be done from WHM/CPanel.



Restrict SSH Access


To restrict and secure SSH access, bind sshd to a single IP that is different than the main IP to the server, and on a different port than port 22.


SSH into server and login as root.

Note: You can download Putty by Clicking Here. It's a clean running application that will not require installation on Windows-boxes.


At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

-------------------------------------------

#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

-------------------------------------------


Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4 to 5 digit port number (49151 is the highest port number)


Uncomment and change

#Protocol 2, 1

to look like

Protocol 2


Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a customenameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A address to your zone file for the new nameserver.


Once done, run:

/etc/init.d/sshd restart

Now start a new SSH session (don’t close your existing one), to make sure that you can get in.

The new port must be opened in the firewall e.g CSF Firewall

Note: If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very unsecure protocol, so change your root password after you use it.




Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart




Server e-mail everytime someone logs in as root

To have the server e-mail you everytime someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.




Set an SSH Legal Message

To an SSH legal message, SSH into server and login as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message...

-------------------------------------------

ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.

-------------------------------------------

Now everytime someone logs in as root, they will see this message... go ahead a try it.




Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

[B]locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts[B]


Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.




Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf


Scroll (way) down and change the following line to

ServerSignature Off


Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart


A Beginner's Guide to Securing Your Server Part 3 of 3 (Apps to install)


These are applications that will help to secure your server.



Install chkrootkit

To install chrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense


To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.