
15 easy steps to make your cPanel server rock solid

We perform server hardening for our customers and thought we would share the steps. The following steps are written for cPanel on CentOS (the init-script commands below are the CentOS 6 form; on CentOS 7 use the equivalent systemctl commands).

At Medha Hosting we follow this 15-step server hardening process.

Let’s do the “cPanel Hardening”

  1. Disable direct root login.
  2. Create a dedicated SSH user.
  3. Change the default SSH port.
  4. Disable ping requests.
  5. Set up the CSF firewall.
  6. Set up mod_evasive.
  7. Set up ModSecurity.
  8. Scan your system with Rootkit Hunter.
  9. Scan your system with maldet.
  10. Scan your system with Clam AntiVirus.
  11. Set up a cron job to run Clam AntiVirus weekly.
  12. Disable Apache header information.
  13. Hide the PHP version.
  14. Disable FTP. Use SFTP instead.
  15. Disable shell access for unknown users.

1) Disable direct root login.

Important note: do not log out of your current session after disabling direct root login. Keep it open until you have created the dedicated SSH user in step 2 and confirmed, in a second terminal, that you can log in as that user. Otherwise you will lock yourself out of your own server.

The root user is allowed to do anything on the system, so an attacker who guesses or steals the root password gets everything at once, and password guessing against "root" over SSH is constant background noise on any public server. Disabling direct root login forces an attacker to know a valid user name as well, and every privileged action is then tied to a named account through sudo. Edit the main SSH configuration file.

vi /etc/ssh/sshd_config

You can find the line below.

#PermitRootLogin yes

Change it as below. sshd uses the first value it finds for a directive, so make sure there is no earlier uncommented PermitRootLogin line and that yours sits above any Match block.

PermitRootLogin no

Check the syntax with "sshd -t" (it prints nothing when the file is valid) and then restart SSH to apply the change.

/etc/init.d/sshd restart

Now you have disabled direct root login. Follow the steps below to create a dedicated SSH user.
2) Create a dedicated SSH user.

After disabling direct root login, the next step is to create a dedicated SSH user. (Only this user will be allowed to log in over SSH.)

We are going to create a dedicated user called "sshusr". Please follow the steps below.

Create the user account.

useradd sshusr

Set a strong password. This password is now what stands between the internet and root on your server, so use a long random passphrase (or, better, an SSH key, and turn password authentication off once the key works).

passwd sshusr

Add this user to the sudoers file. Always edit it with visudo, which checks the syntax before saving; a broken /etc/sudoers locks everyone out of sudo.

visudo

You can find a line as shown below.

root ALL=(ALL) ALL

The line above means the root user can run any command, as any user, on any host. Add the line given below under it.

sshusr ALL=(ALL) ALL

Now save the file.

From now on the user "sshusr" can run any command as root, but only by prefixing it with "sudo". Each use is logged in /var/log/secure, which is exactly the audit trail you lose with direct root logins.

For example, if you log in as "sshusr" and want to restart Apache, do it as shown below.

sudo /etc/init.d/httpd restart

You can also switch from this user to a full root shell with the command below.

sudo su -

Now we have disabled direct root login and created a user called "sshusr" with full privileges. But this does not yet make "sshusr" the only SSH user: any other account on the system with a valid shell can still log in. Follow the steps below to block all other users and make "sshusr" the dedicated SSH user.

Edit the main SSH configuration file.

vi /etc/ssh/sshd_config

Add the line below (above any Match block).

AllowUsers sshusr

Note that AllowUsers is a whitelist: every account not listed is refused, including cPanel accounts that use SFTP, because SFTP runs over SSH (see step 14). If some accounts need SFTP, add them to this line, separated by spaces.

Save the file, check it with "sshd -t", and restart the SSH service to apply the change. Before closing your root session, open a second terminal and confirm that logging in as "sshusr" and running "sudo -i" works.

/etc/init.d/sshd restart

You have created a dedicated SSH user.

3) Change the default SSH port.

Everyone knows 22 is the default SSH port, and automated scanners hammer it with password guesses around the clock. Moving SSH to another port does not stop a targeted attacker (a port scan finds it in seconds), but it cuts the background brute-force noise dramatically and keeps your logs readable. Please follow the steps below.

Here I am going to change the port to 4242. Edit the main SSH configuration file.

vi /etc/ssh/sshd_config

You can find the line below.

#Port 22

Change it as below.

Port 4242

Before restarting, make sure the new port is allowed through any firewall in front of the server (in CSF this is the TCP_IN list, see step 5); otherwise the restart locks you out. Then restart SSH to apply the change.

/etc/init.d/sshd restart

That's it! You have changed the SSH port to 4242.

To log in as "sshusr" from a remote Linux machine, run the command below, replacing the placeholder with your server's IP address or hostname.

ssh -p 4242 sshusr@server-ip-or-hostname

4) Disable ping requests.

Answering ping tells anyone who asks that the host is up. Run the following command to make the kernel ignore ICMP echo requests.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

This setting is lost on reboot; to make it permanent, put the same value in /etc/sysctl.conf as net.ipv4.icmp_echo_ignore_all = 1.

You can also do the same with iptables. Run the command below if you want to drop ping with iptables.

iptables -A INPUT -p icmp -j DROP

Two caveats. First, that rule drops all ICMP, not just echo requests, which also breaks path-MTU discovery and "destination unreachable" handling; if you take the iptables route, restrict the rule with --icmp-type echo-request. Second, a rule added by hand like this is neither persistent nor compatible with CSF: when CSF (step 5) starts or restarts it rebuilds the iptables chains and the rule is gone. On a CSF server use the ICMP_IN setting in csf.conf instead, as shown in step 5. And be realistic about the gain: hiding ping stops nothing that a TCP port scan does not reveal, so treat it as noise reduction rather than protection.

You have disabled ping requests to your server.

5) Set up the CSF firewall.

CSF (ConfigServer Security & Firewall) is a stateful packet inspection (SPI) firewall, login/intrusion detection and security application for Linux servers. Its companion daemon LFD (Login Failure Daemon) watches the logs and blocks addresses that fail authentication repeatedly, which is what actually protects the SSH port you just moved.

Please follow the steps below to install and configure CSF. (If it is already installed, skip the installation steps.)

Go to "/opt", download the latest CSF source tarball and untar it.

cd /opt
wget https://download.configserver.com/csf.tgz
tar -xvf csf.tgz
cd csf

Execute the "install.sh" shell script to install CSF. On a cPanel server this script detects cPanel and runs the cPanel-specific installer, which puts the cPanel/WHM ports in the allowed lists and registers the CSF plugin in WHM.

./install.sh

Next, test whether you have the required iptables modules:

perl /etc/csf/csftest.pl

If you have APF or BFD installed on your system, run the command below to uninstall them (otherwise they will conflict with CSF).

sh /etc/csf/remove_apf_bfd.sh

By default CSF runs in "test" mode, in which a cron job flushes the rules every few minutes so that a mistake cannot lock you out for long. Follow the steps below to disable "test" mode and make CSF fully functional.

Edit the CSF main configuration file.

vi /etc/csf/csf.conf

You can find the line below.

TESTING = "1"

Change it as follows.

TESTING = "0"

Before you do, check the allowed-port lists. The custom SSH port from step 3 (4242) must be in TCP_IN, or the first CSF restart in live mode will cut off your own SSH session. On a cPanel server the cPanel, WHM and webmail ports (2082, 2083, 2086, 2087, 2095, 2096) must also be present; the ports 8880 and 8443 added below are Plesk's panel ports and are only needed on a Plesk server.

You can find the lines below.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4242"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

Add the panel ports to the lists (8443 and 8880 in this Plesk example).

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4242,8443,8880"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,8443,8880"

Once you have confirmed that the new SSH port works, also remove 22 from TCP_IN, and remove 20 and 21 when you disable FTP in step 14. Every port left open for a service that no longer exists is attack surface waiting for something to start listening on it.

Also make sure to disable ICMP (ping) by changing "ICMP_IN" to "0". This is the persistent way to do what step 4 did by hand.

# Allow incoming PING
ICMP_IN = "0"

Now restart CSF and LFD to apply the changes.

/etc/init.d/csf restart
/etc/init.d/lfd restart
csf -r

You have installed and configured CSF and LFD on your system.
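The script below is an added example, not part of the original post or of CSF itself. It edits the quoted comma lists in csf.conf without hand-editing, and it refuses to leave TESTING mode unless the SSH port is actually in TCP_IN, which is the mistake that locks administrators out. The config path is a parameter so the script can be tried on a copy; the defaults (4242 for SSH, the cPanel port set, "--apply" as the switch) are this script's assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from CSF: manage the
# port lists in csf.conf and guard the switch out of test mode. Takes the
# config path as a parameter so it can be tried on a copy first.

# Value of a KEY = "value" setting (first occurrence).
csf_get() { sed -n "s/^$2 = \"\(.*\)\"/\1/p" "$1" | head -n 1; }

# Set KEY = "value" in place.
csf_set() { sed -i "s/^$2 = \".*\"/$2 = \"$3\"/" "$1"; }

# Append ports to a comma list such as TCP_IN, skipping ones already there.
csf_add_ports() {
  cfg="$1"; key="$2"; shift 2
  list=$(csf_get "$cfg" "$key")
  for p in "$@"; do
    case ",$list," in
      *",$p,"*) ;;                                  # already allowed
      *) list="${list:+$list,}$p" ;;
    esac
  done
  csf_set "$cfg" "$key" "$list"
}

# Remove ports from a comma list (closing 22 once 4242 works, 20/21 after
# FTP is disabled in step 14).
csf_del_ports() {
  cfg="$1"; key="$2"; shift 2
  list=$(csf_get "$cfg" "$key")
  for p in "$@"; do
    list=$(printf '%s\n' "$list" | tr ',' '\n' | grep -vx "$p" | paste -sd, -)
  done
  csf_set "$cfg" "$key" "$list"
}

# Leave test mode only if the SSH port is in TCP_IN; otherwise the first
# restart in live mode drops your own session.
csf_go_live() {
  cfg="$1"; sshport="$2"
  case ",$(csf_get "$cfg" TCP_IN)," in
    *",$sshport,"*) csf_set "$cfg" TESTING 0 ;;
    *) echo "refusing: SSH port $sshport is not in TCP_IN" >&2; return 1 ;;
  esac
}

# Usage (as root):  ./csf-ports.sh --apply [/etc/csf/csf.conf] [sshport]
# Allows the SSH port and the cPanel/WHM/webmail ports, closes 22, disables
# ping, leaves test mode and reloads. Ports 8443/8880 are Plesk's, not added.
if [ "${1:-}" = "--apply" ]; then
  cfg="${2:-/etc/csf/csf.conf}"; ssh="${3:-4242}"
  csf_add_ports "$cfg" TCP_IN "$ssh" 2082 2083 2086 2087 2095 2096
  csf_del_ports "$cfg" TCP_IN 22
  csf_set "$cfg" ICMP_IN 0
  csf_go_live "$cfg" "$ssh" && csf -r
fi
```

Closing 22 is deliberately done in the same pass as allowing the new port: if you forget the second half, LFD will happily keep blocking brute-forcers on a port that nobody, including you, can reach.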

6) Set up mod_evasive.

"mod_evasive" is an evasive-manoeuvres module for Apache that takes evasive action during an HTTP DoS or DDoS attack or a brute-force attack: it counts requests per client IP, both for the same page and for the whole site, inside a short interval and answers with 403 Forbidden once a threshold is exceeded. I have installed it on several servers and it is very effective against simple floods from a handful of addresses; it cannot help against a distributed flood that saturates the link before Apache ever sees the requests. Please follow the steps below to install it on your server.

Go to the "/opt" directory, download the "mod_evasive" source and extract it.

cd /opt
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar -xvf mod_evasive_1.10.1.tar.gz
cd mod_evasive

We are going to compile the "mod_evasive" module against Apache with the "apxs" tool. "apxs" ships with the "httpd-devel" package. First check whether you have the "httpd-devel" package.

rpm -qa | grep httpd-devel

If you get no output, the package is not installed. Install it with the command below.

yum install httpd-devel

(On a cPanel server Apache is built by EasyApache under /usr/local/apache and the distribution's httpd packages are excluded in /etc/yum.conf, so do not install httpd-devel there: apxs is already available as "/usr/local/apache/bin/apxs", and mod_evasive is also offered as a module in EasyApache, which is the cleaner route.)

After installing httpd-devel, run the command below to compile "mod_evasive" and add it to Apache (-c compiles, -i installs the module, -a adds the LoadModule line). On cPanel use the full path /usr/local/apache/bin/apxs.

apxs -cia mod_evasive20.c

Add the following directives at the end of /etc/httpd/conf/httpd.conf (on cPanel put them in an include file such as /usr/local/apache/conf/includes/pre_main_global.conf, because EasyApache regenerates httpd.conf):

DOSHashTableSize 3097
DOSPageCount 6
DOSSiteCount 100
DOSPageInterval 2
DOSSiteInterval 2
DOSBlockingPeriod 600

These values mean: block a client that requests the same page more than 6 times in 2 seconds, or makes more than 100 requests to the site in 2 seconds, and keep it blocked for 600 seconds. Raise DOSSiteCount if a page loads many assets (CSS, images, scripts) from the same host, or legitimate visitors will be blocked. Clients behind a shared NAT or proxy share one source IP and are the usual false positives; list addresses that must never be blocked with DOSWhitelist.

Now restart Apache to apply the changes.

/etc/init.d/httpd restart

mod_evasive is now loaded and its configuration is in place.
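mod_evasive reports each new block through syslog with a message of the form "Blacklisting address <ip>: possible DoS attack." (the text is taken from the module's source). Because a 600-second block expires and the flood usually resumes, it is worth feeding repeat offenders to CSF, the firewall from step 5. The script below is an added example, not from the original post: it counts blocks per address in a syslog file and prints (but does not run) a "csf -td" temporary deny for every address blocked at least N times. The log lines in the test are constructed, the allow-list is a space-separated string, and the one-hour TTL is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: turn mod_evasive syslog
# blocks into CSF temporary denies. The message text matches the module's
# source; the sample log lines used to test this are constructed.

# Print "<count> <ip>" for every address mod_evasive blacklisted in $1,
# highest count first, skipping addresses in the space-separated list $2.
evasive_blocks() {
  log="$1"; allow="${2:-}"
  grep 'mod_evasive\[' "$log" |
  sed -n 's/.*Blacklisting address \([0-9.]*\): possible DoS attack.*/\1/p' |
  sort | uniq -c |
  awk -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    !($2 in skip) { print $1, $2 }' |
  sort -rn
}

# Emit a one-hour CSF temporary deny for every address blocked at least $2
# times. Printed rather than executed: review the list, then pipe it to
# "sh" as root. (csf -td IP TTL comment: TTL is in seconds.)
evasive_to_csf() {
  log="$1"; min="${2:-3}"; allow="${3:-}"
  evasive_blocks "$log" "$allow" |
  awk -v min="$min" '$1 >= min { printf "csf -td %s 3600 \"mod_evasive: %d blocks\"\n", $2, $1 }'
}

# Usage:  ./evasive-to-csf.sh /var/log/messages [min_blocks] ["ip ip ..."]
if [ -n "${1:-}" ]; then
  evasive_to_csf "$1" "${2:-3}" "${3:-}"
fi
```

Put your own monitoring hosts and any office NAT address in the allow-list; a shared egress IP that trips DOSSiteCount is a false positive, and denying it in the firewall turns a short 403 into a complete outage for that office.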

 

7) Set up ModSecurity.

ModSecurity is a web application firewall module for Apache: it inspects each request (and optionally the response) against a rule set and can block SQL injection, cross-site scripting, file-inclusion and similar attacks before they reach the PHP application. On its own it does nothing; the protection comes entirely from the rules you load.

On a cPanel server the supported way to install it is through EasyApache, which builds ModSecurity against cPanel's own Apache in /usr/local/apache; the rebuild causes a short Apache restart. The manual steps below use Atomicorp's package, which is built for the distribution's stock httpd rather than the EasyApache build, so use them on a plain CentOS/Apache box, not on cPanel.

Enable the Atomic repo.

wget -q -O - http://www.atomicorp.com/installers/atomic | sh

(Piping a script fetched over plain HTTP straight into a root shell is exactly the pattern the rest of this page is defending against. Download the installer to a file, read it, and compare it with the copy on the vendor's HTTPS site before running it.)

Install "ModSecurity".

yum install mod_security

If you want to set up rules, you can download them from here. A rule set such as the OWASP Core Rule Set, or a vendor's commercial rules, is what gives ModSecurity its value. Run it in DetectionOnly mode first, watch the audit log for false positives against your customers' applications, and only then switch it to blocking.

8) Scan your system with Rootkit Hunter.

This tool scans for rootkits, backdoors and local exploits by running tests such as:

- MD5 hash comparison of important binaries against known-good values
- Looking for default files used by rootkits
- Wrong file permissions for binaries
- Looking for suspect strings in LKM and KLD modules
- Looking for hidden files
- Optional scanning within plaintext and binary files

Please follow the steps below to scan your system using Rootkit Hunter.

1) Go to "/opt" and download the latest Rootkit Hunter from here >> http://sourceforge.net/projects/rkhunter/

cd /opt
wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
tar -xvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0

(Please note that the above URL will not always work, so you may need to find the current package and download link here >> http://sourceforge.net/projects/rkhunter/ )

Install Rootkit Hunter by running the installer.sh script with the "--install" switch.

./installer.sh --install

Run the command below to update the Rootkit Hunter test data files.

rkhunter --update

Before the first scan, record a baseline of file properties (hashes, permissions, owners) for the system binaries with "rkhunter --propupd"; later scans are compared against it. Take this baseline on a system you trust, ideally right after installation, and refresh it after every legitimate package update, otherwise updated binaries show up as warnings.

Run the command below to perform the scan (where -c checks the local system and --sk skips the key press between test groups).

rkhunter -c --sk

That's it. It will scan the local system and give you detailed output; the full log is in /var/log/rkhunter.log. Read every "Warning" rather than dismissing them: on a freshly hardened box some are explained by this page (rkhunter warns, for instance, when sshd still permits root login, or about binaries changed since the last --propupd), and the rest deserve attention.

(Let us know if you find any issues and we will be right here to help.)

9) Scan your system with maldet.

maldet (Linux Malware Detect) is a malware scanner for Linux built specifically for shared hosting: its signatures come from malware actually found on hosting accounts (PHP shells, injected redirects, spam mailers), so it catches things a general-purpose antivirus misses. Please follow the steps below to install it on your system.

Go to "/opt", download the latest "maldet" source and untar it.

cd /opt
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvf maldetect-current.tar.gz
cd maldetect-1.4.2

(The extracted directory name carries the version number, so adjust it to whatever the current tarball unpacks to.)

Install maldet using the "install.sh" shell script.

./install.sh

Now open a new screen session and scan the whole system by running the command below.

maldet -a /

(Please note that this will take hours to complete depending on the disk usage on your system, which is why we run it in a screen session. On a busy server it is normal to scan only /home, where the customer content lives, and leave the rest to the scheduled scans.)

You can detach from and re-attach to the screen session at any time to check the status.

When the scan completes you will get a result like the one below.

Linux Malware Detect v1.4.2
            (C) 2002-2013, R-fx Networks <[email protected]>
            (C) 2013, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(20920): {scan} signatures loaded: 11272 (9404 MD5 / 1868 HEX)
maldet(20920): {scan} building file list for /, this might take awhile...
/usr/bin/find: /proc/20974/task/20974/fdinfo/4: No such file or directory
/usr/bin/find: /proc/20974/fdinfo/4: No such file or directory
maldet(20920): {scan} file list completed, found 271615 files...
maldet(20920): {scan} 271615/271615 files scanned: 12 hits 0 cleaned
maldet(20920): {scan} scan completed on /: files 271615, malware hits 12, cleaned hits 0
maldet(20920): {scan} scan report saved, to view run: maldet --report 051913-1142.20920
maldet(20920): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 051913-1142.20920

(The "find" errors about /proc are harmless: they are processes that exited while the file list was being built.)

From the result you get the scan report ID; in this case it is 051913-1142.20920. Run the command below to view the detailed report, which lists every hit with its signature name and file path.

maldet --report 051913-1142.20920

Review the list before acting on it. On a hosting server a hit is usually a backdoored file inside a customer's account, and the right response is to quarantine it, tell the customer, and find out how it got there (an outdated CMS or plugin, or stolen FTP credentials, see step 14); otherwise the file is back within days. You can move the infected files to quarantine by running the command below.

maldet -q 051913-1142.20920

(Please note: quarantined files are deleted from your system after 14 days. Restore anything that turns out to be a false positive before then with "maldet --restore".)

You have completed the maldet scan and quarantined what it found. Keep in mind that a scanner only finds what it has signatures for: a clean scan lowers the odds of an infection, it does not prove the system is clean.

10) Scan your system with Clam AntiVirus.

ClamAV is an open source (GPL) antivirus engine designed to detect trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high-performance multi-threaded scanning daemon, command-line utilities for on-demand file scanning, and a tool for automatic signature updates. It complements maldet (step 9): ClamAV's database is broad and general, maldet's is narrow and hosting-specific, and maldet uses ClamAV as its scan engine when both are installed.

Please follow the steps below to install and configure ClamAV on your system.

Install the Atomic repository on your system (with the same caution as in step 7: fetch the installer to a file and inspect it before running it; skip this if you already enabled the repo there).

wget -q -O - http://www.atomicorp.com/installers/atomic | sh

Install ClamAV using yum.

yum install clamd

It will install clamd, clamav and clamav-db on your system. Run the command below to update the virus definitions.

freshclam

Start ClamAV.

/etc/init.d/clamd start

Now open a new screen session and scan the whole system by running the command below.

clamscan -ril /opt/clamscan.log /

(-r scans recursively, -i prints only infected files, -l writes the log to the given file. Please note that this will take hours to complete depending on the disk usage on your system, which is why we run it in a screen session. Add --exclude-dir='^/proc' --exclude-dir='^/sys' to skip the virtual filesystems, which saves time and avoids spurious errors.)

You can detach from and re-attach to the screen session at any time to check the status.

You will get the scan summary at the end, and the command will only list the infected files. You can find them in "/opt/clamscan.log" (grep for the word FOUND). Either remove or clean these files by hand, or run the command below, which deletes every infected file on the system (make sure to run it in a screen session).

clamscan -ril /opt/clamscan.log --remove=yes /

Be careful with --remove on "/": a false positive on a system library or on a customer's site file is deleted with no way back. The safer option is --move=/some/quarantine/dir, which keeps the file out of reach but recoverable; review the log and delete only what you have confirmed.

You have removed the viruses and malicious code that ClamAV found on your system.

11) Set up a cron job to run Clam AntiVirus weekly.

Setting up a ClamAV cron is an easy task, and a user called "Stefano Stagnaro" uploaded a great cron script called "clamav-cron" to Google Code that updates ClamAV, scans the system and sends a brief report by e-mail. Please follow the steps below to set it up. (Google Code was shut down in 2016, so the download link below may no longer resolve; the script only has to do those three things, update, scan and report, so a short script of your own does the job just as well.)

Go to "/opt", download "clamav-cron" and give it execute permission.

cd /opt
wget http://clamav-cron.googlecode.com/files/clamav-cron-0.6 -O /usr/local/bin/clamav-cron
chmod 755 /usr/local/bin/clamav-cron

Open "/usr/local/bin/clamav-cron" and edit the user information.

vim /usr/local/bin/clamav-cron
--
# Notification e-mail recipient:
CV_MAILTO="your email ID here"
# Notification e-mail secondary recipients:
CV_MAILTO_CC="cc mails here"
# Notification e-mail subject:
CV_SUBJECT="Desired Subject line here"
--

Set a cron job. I am going to set a cron job to run this task every Saturday at 11:45 PM.

crontab -e

Add the line at the end.

45 23 * * 6 /usr/local/bin/clamav-cron /

Restart the cron service. (Not strictly necessary, since cron notices crontab changes on its own, but it does no harm.)

/etc/init.d/crond restart

You have set up the ClamAV cron script.
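As an added example, and not the clamav-cron script the page refers to, here is a small weekly job that does the same three things with the safer options discussed in step 10: refresh signatures, scan with hits moved to a quarantine directory instead of deleted, and mail a summary parsed from the clamscan log. The scan root (/home), log and quarantine directories, and the recipient ("root") are assumptions; the clamscan log used in the test is constructed.

```shell
#!/bin/sh
# Added example, not the page's clamav-cron script: weekly ClamAV job that
# updates signatures, scans, quarantines hits and mails a summary. Paths,
# scan root and recipient below are assumptions; adjust them to the server.

SCAN_ROOT="${SCAN_ROOT:-/home}"              # customer data; use / for everything
LOG_DIR="${LOG_DIR:-/var/log/clamav}"
QUARANTINE="${QUARANTINE:-/var/quarantine/clamav}"
MAILTO="${MAILTO:-root}"

# Summarise a clamscan log written with -i: first line "infected=<n>", then
# one "<path>: <signature>" line per hit. Works on any clamscan log file.
clamav_summary() {
  log="$1"
  n=$(grep -c ' FOUND$' "$log" || true)      # grep -c exits 1 when the count is 0
  echo "infected=$n"
  sed -n 's/^\(.*\): \(.*\) FOUND$/\1: \2/p' "$log"
}

# Exit status mirrors clamscan: 0 clean, 1 hits found, 2 scan error.
clamav_weekly() {
  stamp=$(date +%Y%m%d-%H%M)
  log="$LOG_DIR/scan-$stamp.log"
  mkdir -p "$LOG_DIR" "$QUARANTINE"
  freshclam --quiet                          # refresh signatures first
  # -r recurse, -i log only hits, --move quarantines instead of deleting,
  # skip the virtual filesystems and the quarantine itself
  clamscan -r -i -l "$log" --move="$QUARANTINE" \
    --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir="^$QUARANTINE" \
    "$SCAN_ROOT" >/dev/null 2>&1
  status=$?
  {
    echo "clamscan of $SCAN_ROOT on $(hostname) finished with status $status"
    echo "quarantine directory: $QUARANTINE"
    echo
    clamav_summary "$log"
  } | mail -s "ClamAV weekly: $(hostname) status $status" "$MAILTO"
  return $status
}

# crontab line (every Saturday 23:45):  45 23 * * 6 /usr/local/bin/clamav-weekly --run
if [ "${1:-}" = "--run" ]; then
  clamav_weekly
fi
```

Quarantined files keep their content, so a customer's site can be restored by hand when a hit turns out to be a false positive; with --remove that option is gone.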

 

12) Disable Apache header information.

It is not good to expose server information to the public: the Server header and the error-page signature tell a scanner the exact Apache, PHP and OS versions, which lets it pick matching exploits without any guesswork. Hiding them does not fix a vulnerable version (patching does), but it removes the free reconnaissance. Please follow the steps below.

Edit your main Apache configuration file; you will find the lines below somewhere in it. (On cPanel the file is /usr/local/apache/conf/httpd.conf, and these settings should be made through WHM's Apache Configuration > Global Configuration or an include file so that EasyApache does not overwrite them.)

vim /etc/httpd/conf/httpd.conf
--
ServerSignature On
ServerTokens OS
--

Change it as shown below. "Prod" reduces the Server header to just "Apache"; "Off" removes the version line from error pages and directory listings.

ServerSignature Off
ServerTokens Prod

Optionally, also add the entry below (it needs mod_headers) to strip the Last-Modified header. This hides file modification times, which can tell an attacker how old, and therefore how patched, a site is, but it also disables If-Modified-Since caching, so pages are re-sent in full to returning visitors. Weigh that cost before enabling it.

<FilesMatch ".*$">
Header unset Last-Modified
</FilesMatch>

Restart Apache.

/etc/init.d/httpd restart

You have disabled the Apache header information. Confirm it with "curl -I http://your-server/" and check that the Server line shows only "Apache".

13) Hide the PHP version.

Like Apache, it is not good to expose your PHP version to the public. With expose_php on, PHP adds an "X-Powered-By: PHP/5.x.y" header to every response, so a scanner learns the exact version with a single request. Please follow the steps below to hide it.

Find your main PHP configuration file.

php -i | grep php.ini

You will get the location of the php.ini file from this. Note that this shows the ini used by the command-line PHP; on a cPanel server with more than one PHP version (MultiPHP), the one Apache uses for a site may be a different file, so confirm with a phpinfo() page under the site, or "php --ini" for each version, and make the change in every php.ini that is in use. Edit the file and you will see the line below.

vim /usr/local/lib/php.ini
--
expose_php = On
--

Edit it as follows.

expose_php = Off

Restart Apache.

/etc/init.d/httpd restart

You have hidden the PHP version. Keep in mind that this only removes the header: fingerprints such as PHP's default error pages and session cookie names remain, and, as with Apache, the real fix for an old PHP is to upgrade it.

14) Disable FTP. Use SFTP instead.

FTP is a favourite way in for attackers: it sends the user name and password in clear text, so anyone on the path (a compromised home router, an open Wi-Fi network, a sniffer on the customer's infected PC) can read them, and stolen FTP credentials are how a large share of hosting-account malware gets uploaded. Maybe you are not that familiar with SSH and disabling FTP would put you in trouble. There is an alternative: if you want the simplicity of FTP with the security of SSH, use SFTP. It is not a big deal. Any user with SSH access to your system can use SFTP. WinSCP is an SFTP client for Windows and you can find it here >> http://winscp.net/eng/index.php

Two things to check before switching customers over. First, SFTP runs inside sshd, so the AllowUsers line from step 2 refuses every account not listed; either add the accounts that need SFTP to AllowUsers, or put them in a group and add a "Match Group" block at the end of sshd_config with "ForceCommand internal-sftp" (and a root-owned ChrootDirectory, as sshd requires) so they get file transfer but no shell. Second, a firewall rule hides the port but leaves the daemon running; also stop and disable the FTP service (pure-ftpd or proftpd on cPanel) so that nothing listens on port 21 at all.

Let's also block port 21 with a firewall rule as shown below.

iptables -A INPUT -p tcp --dport 21 -j REJECT

Remember from step 4 that a hand-added iptables rule is lost the next time CSF rebuilds its chains; on a CSF server, remove 20 and 21 from TCP_IN in /etc/csf/csf.conf and restart CSF instead, which closes the port permanently.

That's all you have to do.

15) Disable shell access for unknown users.

Run the command below to list all users that have a bash shell on your system (the listing that follows is an example).

grep bin/bash$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
test2:x:10002:10002::/home/test2:/bin/bash
hduser:x:10003:10003::/home/hduser:/bin/bash
admin:x:10004:10004::/home/admin:/bin/bash
boot:x:0:0:root:/root:/bin/bash
sshusr:x:10006:10006::/home/sshusr:/bin/bash
u1:x:10007:10007::/home/u1:/bin/bash

Read the list carefully. Two entries in this example deserve more than a shell change: the "boot" account has UID 0, which makes it a second root account under a different name (the classic shape of a backdoor left by an intruder, and something rkhunter also flags), so it should be investigated and removed, not just given a nologin shell; and the "mysql" service account has no business having an interactive shell at all. Also note that the grep above only matches /bin/bash; accounts with /bin/sh, /bin/zsh or any other shell from /etc/shells can log in just the same, so check those too. On cPanel, customer account shells are managed from WHM's "Manage Shell Access", which is where they should be handled.

The command below changes the shell of an unknown user to /sbin/nologin, which refuses interactive logins. With the AllowUsers line from step 2 in place SSH never gets that far anyway; this is defence in depth for local logins and for other services that consult the shell field.

Here I am going to change the shell of the "u1" user to "/sbin/nologin".

chsh u1
Changing shell for u1.
New shell [/bin/bash]: /sbin/nologin
Shell changed.

This is how you change the shell of a user.
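The script below is an added example, not part of the original post. Instead of grepping for /bin/bash it lists every account whose shell is not a known nologin shell, separately reports accounts with UID 0 other than root (the "boot" case above), and prints, without running, the usermod commands that would remove the shell from every login-capable account not on an allow-list. The passwd file path is a parameter so it can be run against a copy, the allow-list is a space-separated string, and the set of nologin shells is an assumption; the passwd content in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a passwd file for
# accounts that can actually log in, rather than grepping only for /bin/bash.
# Every function takes the passwd file as $1 so it can be run on a copy.

# Shells that cannot be used for an interactive login (assumed set).
NOLOGIN_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /bin/sync /sbin/halt /sbin/shutdown'

# "<user> <uid> <shell>" for every account whose shell is not a nologin
# shell. An empty shell field means /bin/sh, so it counts as login-capable.
login_shell_users() {
  awk -F: -v nol="$NOLOGIN_SHELLS" '
    BEGIN { n = split(nol, a, " "); for (i = 1; i <= n; i++) no[a[i]] = 1 }
    !($7 in no) { print $1, $3, ($7 == "" ? "/bin/sh" : $7) }' "$1"
}

# Accounts with UID 0 other than root: a second root under another name.
# These need investigation, not a shell change.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print (not run) the usermod commands that would remove the login shell
# from every login-capable, non-UID-0 account not in the allow-list $2.
shell_removal_commands() {
  login_shell_users "$1" |
  awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
    !($1 in keep) && $2 != 0 { printf "usermod -s /sbin/nologin %s   # was %s\n", $1, $3 }'
}

# Usage:  ./audit-shells.sh /etc/passwd "root sshusr"
if [ -n "${1:-}" ]; then
  echo "== UID 0 accounts other than root (investigate, do not just change the shell) =="
  uid0_accounts "$1"
  echo "== suggested shell removals (review, then run as root) =="
  shell_removal_commands "$1" "${2:-root}"
fi
```

The UID 0 list is printed separately on purpose: changing such an account's shell to /sbin/nologin hides the symptom while leaving a root-equivalent account in place for su, cron or any other path that does not go through a login shell.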

 

So we have completed the cPanel and Plesk hardening and your server is now rock solid. Hardening is a snapshot, though: keep the scanners from steps 8 to 11 on a schedule, apply updates promptly, and revisit these settings whenever cPanel, Apache or PHP is upgraded.