General Discussion

How to Make cPanel / WHM Servers More Secure?

1) Apache / PHP Suexec: Known as more secure management for PHP. It also allows to track and monitoring of clients’ usage on shared servers. That means PHP scripts are correctly identified by their true owner as opposed to the “nobody” user. In addition, the apache http server, Suexec provides Apache users the ability to run CGI and SSI programs under user Ids that differ from the user ID of the calling web server. Generally, when a CGI or SSI program executes, they run with the same user who is running the web server.

a. PHPSuexec: If PHP runs as an Apache Module without PHPSuexec then the user/group of a web server may execute as “nobody”. This causes real problems when PHP scripts are sending mail out as nobody@servername. In this case, you will be unable to track abuse or hijack issues. When PHPSuexec enabled (running as CGI with suexec enabled) your PHP scripts execute under your UID/GID level and not nobody.

a. In addition, you can edit /etc/login.defs to configure many passwords on your system. Usually, a password utilizes at least 8 characters including alphanumeric and special symbols which are quite sufficient. Remember never ever use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test by using a JTR cracker. If you notice that your password broken in a few hours, then it is probably too much insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.

b. Files or directories that you require for your PHP scripts to write no longer need to have 777 permissions. In fact, assigning 777 permissions to all scripts or the directories will reside in and instead of running properly it would cause a 500 internal server error when attempting to execute them. So make sure your scripts have a maximum of 755 permissions, read/write/execute by you and read/execute for everyone else. It means PHPSuexec is much more secure than PHP running as an Apache module.

2) Mod Security: mod_security provides an array of request filtering and other security features of the Apache HTTP Server.ModSecurity is an open-source intrusion detection and prevention for web applications. While operating the Apache Web Server Module one thing you should keep remembering, the purpose of ModSecurity is to increase the security of web applications to protect them from known and unknown attacks.

3) PHP Security – Suhosin: Suhosin is an advanced protection system for PHP installations. It is designed in a way to protect servers and users from knowing and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts which used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities. The second part is a powerful PHP extension that implements all other essential protections.

4) Disable Some PHP Functions: You need to disable some PHP functions through shell commands because some of them can manipulate server-side settings.

a. For Example:

disable_functions = system, passthru, exec, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, escapeshellcmd, define_syslog_variables, posix_uname, posix_getpwuid, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellarg, posix_uname, ftp_exec, ftp_connect, ftp_login, ftp_get, ftp_put, ftp_nb_fput, ftp_raw, ftp_rawlist, ini_alter, ini_restore, inject_code, syslog, openlog, define_syslog_variables, apache_setenv, mysql_pconnect, eval, phpAds_XmlRpc, phpAds_remoteInfo, phpAds_xmlrpcEncode, phpAds_xmlrpcDecode, xmlrpc_entity_decode, fp, fput

5) Disable FTP access for the default users: You also need to disable FTP access for all the default users of your accounts. You will have to create additional FTP users for the accounts from the respective cPanel control panel. In cPanel you will find FTP account options through which you can manage the complete account.

6) Always use secure passwords: Insecure predictable passwords are the most common cause of security vulnerability for most servers. If an account password insecure and compromised, your websites can be defaced, infected, or used to spread viruses. Having secure passwords is standard practice to make a secure server.

a. In addition, you can edit /etc/login.defs to configure many passwords on your system. Usually, a password utilizes at least 8 characters including alphanumeric and special symbols which are quite sufficient. Remember never ever use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test by using a JTR cracker. If you notice that your password broken in a few hours. Then it is probably too much insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.

7) Secure SSH: Enable public key authentication for SSH and disable password authentication.

Move SSH access to a different port. Hackers usually look for port 22 as a possible way to access servers. So moving SSH to a different port will add a simple way to prevent those hackers without giving specific knowledge of your server from easily discovering the SSH port of your server.

You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn’t work.

You should always use SSHv2 instead of SSHv1 as it may not be secure. Make sure you change the line in /etc/ssh/sshd_config that says #Protocol 2, 1 to Protocol 2.

You may also wish to set Shell Resource Limits for your users to prevent applications and scripts from using up all your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.

8) Secure your /tmp partition: It recommended that you use a separate partition for /tmp that mounted with nosetuid because nosetuid will force it to run with the privileges of its executor. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information. And running /scripts/securetmp will mount your /tmp partition to a temporary file for extra security.

9) Upgrade your mail to maildir format: Maildir format adds extra security and speeds up your mail system. Newer installs using mail-order by default. If you’re running an older copy of cPanel, you will probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir, this done within /scripts/convert2maildir. If you see maildir enabled when running /scripts/convert2maildir. It means you are already using maildir, and will not need to convert.

10) Lock down your system’s compilers: Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WHM (Web Host Manager) to turn off the use of the compilers for all privileged users or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.

11) Turn off unused services and daemons: Any service or daemon that allows a connection to be established to your server is a way for hackers to gain access. To reduce security risks, you should disable all services and daemons that not being used.

Daemons on Linux:

Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) which generally not used in many systems.

For Services:

Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.

12) Monitor your system: It is important to be up to date on what is going on with your system. Make sure that you know when accounts being created. What software is being installed, when software needs to be updated, etc.

Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:

Netstat -amp: Look for programs attached to ports that you did not install / or authorize.

find / \( -perm -a+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that not properly coded will break them.

find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files owned by a specific user or group to restrict access to them.

ls /var/log/: There are many different logs on your system that can be valuable resources. Check your system logs, apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.

There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:

  • Tripwire – Monitors checksums of files and reports changes.
  • http://tripwire.com or http://sourceforge.net/projects/tripwire
  • Chrookit – Scans for common rootkits, backdoors, etc.
  • http://www.chkrootkit.org
  • Rkhunter – Scans for common rootkits, backdoors, etc.
  • http://www.rootkit.nl/projects/rootkit_hunter.html
  • Logwatch – Monitors and reports on daily system activity.
  • http://logwatch.org

13) Enable a Firewall: Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons. Or the chance to figure out which services/daemons are unused, you can enable a firewall to prevent unwanted access.

14) Stay up to date: It is important to make sure that you are running the latest stable versions of the software on your system to ensure. That patched for any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:

  • Kernel
  • cPanel and WHM
  • User Applications (bulletin boards, CMS, blog engines, etc)
  • System Software