- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

How to install?

1. Login as root to your server
2. Download the package and extract it

wget http://prdownloads.sourceforge.net/rkhunter/rkhunter-1.3.0.tar.gz
tar -xzf rkhunter*

3. Run the installer

cd rkhunter-*
./installer.sh –layout default –install

4. Run rkhunter

/usr/local/bin/rkhunter -c

Enjoy !

How to install DomainKeys on a specific domain.

1. First check that you are running the latest version on RELEASE or CURRENT of cPanel 11.
2. Run the script

/usr/local/cpanel/bin/domain_keys_installer username

Where username is the cPanel user.

If you get an error similar to “Domain keys are not installed on this machine.” you either are not running the latest release or current version of cPanel or you have not converted yet to maildir. Maildir conversion is required before you install DomainKeys.
You will find an article about converting to maildir on this site !

Ok, we just installed DomainKeys for a domain, but how about if we want to install it for all the domains (users)?
Well I found the solution just a few days ago on a public forum. Someone wrote a nice bash script that will parse all the cpanel users and then run the installation for each of them.

for i in `ls /var/cpanel/users` ;do /usr/local/cpanel/bin/domain_keys_installer $i ;done

Ok, but what about if we want that every new created account to have DomainKeys installed. Well this is a bit harder to do.
I recommend editing /scripts/postwwwacct and adding:

my %OPTS = @ARGV;
my $user = $OPTS{’user’};
/usr/local/cpanel/bin/domain_keys_installer $user

Now test this by creating a new account.

If you have any problems please don’t hesitate to leave a commnent here.

O k, let’s get started. Before I explain how to install it please note that part of this article is inspired by a post on Defender Hosting Forum (http://forums.defenderhosting.com/showthread.php?t=2103)

1. Compiler check

/scripts/checkccompiler
rm -rf /home/cpphpbuild
mkdir /home/cpphpbuild
cd /home/cpphpbuild

2. Download and extract php

wget http://us2.php.net/get/php-5.2.4.tar.gz/from/this/mirror
tar zfx php-5.2.4.tar.gz
cd php-5.2.4

3. Configure and build the php installation (credits go to elix for an excellent work)

echo “#define HAVE_SENDMAIL 1″ >> /home/cpphpbuild/php-5.2.4/main/php_config.h
wget http://www.elix.us/tutorials/php5.gen.cpanel
chmod 700 php5.gen.cpanel
./php5.gen.cpanel
make
make install

4. Moving the files and finishing the configuration

cp -f /usr/local/php5/bin/php5 /usr/local/cpanel/cgi-sys/php5
chown root:wheel /usr/local/cpanel/cgi-sys/php5

cp -p /home/cpphpbuild/php-5.2.4/php.ini-recommended /usr/local/php5/lib/php.ini
chown root.root /usr/local/php5/lib/php.ini
chmod 644 /usr/local/php5/lib/php.ini

echo “cgi.fix_pathinfo = 1 ; needed for CGI/FastCGI mode” >> /usr/local/php5/lib/php.ini

5. Now we have to add a few lines to the httpd.conf file

pico /usr/local/apache/conf/httpd.conf

Add in the section – “index.php5″ before index.php4
Add after “AddType application/x-httpd-php .phtml”

Action application/x-httpd-php5 “/cgi-sys/php5″
AddHandler application/x-httpd-php5 .php5

6. Test the installation

service httpd configtest

If you get any errors please check that you done all the steps properly.
If everything is ok you can now restart apache

7. Restart apache

service httpd restart

Now any files with the extension .php5 will be parsed by php 5 and all the other files will be parsed by your “normal” php 4 installation.

perl -v

If you see anything like:

This is perl, v5.8.7 built for i686-linux

then you need to upgrade.

Upgrading is simple but I have seen a few problems in the past this is why I decided to write the how to.

1. Download the cPanel perl installer

wget http://layer1.cpanel.net/perl588installer.tar.gz

2. Extract the archive

tar zxvf perl588installer.tar.gz

3. Run the installer

cd perl588installer
./install

4. Check perl modules

/scripts/checkperlmodules

5. Force a cPanel update

/scripts/upcp –force

6. Update perl information in user’s cPanel

rm -rf /home/*/.cpanel;rm -rf /home/*/.cpanel-datastore

7. Check the actual new perl version

perl -v

This should now output something like:


This is perl, v5.8.8 built for i686-linux

(D)DoS Deflate is a shell script developed by Zaf, originally for use on MediaLayer servers to assist in combating denial of service attacks. However, it was seen to be very effective for our purpose, and therefore was released as a contribution to the web hosting community. (D)DoS Deflate is now used by not only many web hosts, but by many people who run their own servers looking for additional security in dealing with such attacks. 

How to install 

Installing DOS-Deflate is one of the simplest out there.

1. Login to your server as root
2. Download the install script

wget http://www.inetbase.com/scripts/ddos/install.sh

3. Run the installer

sh install.sh

DOS-Deflate should now be installed.

Please note that DOS-Deflate uses APF to ban IPs so you must have it installed for DOS-Deflate to work properly. I guide on how to install APF can be found here.

Customizing DOS-Deflate is very easy. You have to edit /usr/local/ddos/ddos.conf with your favorite editor for example

pico /usr/local/ddos/ddos.conf

Every setting is explained in the configuration file so I will not go over them as the explanations are quite easy to fallow up.

If you run into any problems please leave a comment here and I’ll try to help out.

Simply run as root:

mii-tool

This will output something like:

eth0: negotiated 100baseTx-FD, link ok

We do not guaranty that the following steps will make your server hack proof, but it will greatly reduce your chances of compromise.

Basic Steps to Securing CPanel (Linux based OS):

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items…

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static

/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

These are measures that can be taken to secure your server, with SSH access.

Udate OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.

Restrict SSH Access

Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

Install chkrootkit