Securing your Linux VPS – Cpanel
After the basic configuration of the VPS, you can follow the steps below to configure your server for security and stability.
1. Update all operating system packages
# yum upgrade -y
2. Update cPanel
# /scripts/upcp
3. Install CSF – ConfigServer Security & Firewall
# cd /usr/local/src
# wget http://www.configserver.com/free/csf.tgz
# tar -zxvf csf.tgz
# sh install.sh
4. Install & configure Rootkit Hunter
Download the latest version from http://downloads.sourceforge.net/rkhunter
# wget http://downloads.sourceforge.net/rkhunter/rkhunter-x.x.x.tar.gz
# tar -zxvf rkhunter-x.x.x.tar.gz
# cd rkhunter-x.x.x
# ./installer.sh --install
Now run a test scan using the following command:
# /usr/local/bin/rkhunter -c
You can also have a daily scan report mailed to your email address. To set this up, create the following cron script:
# vi /etc/cron.daily/rkhunter.sh
Put the following in the file /etc/cron.daily/rkhunter.sh
===========================
#!/bin/bash
# Run rkhunter non-interactively (--cronjob) and mail the report
(/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "Daily Rkhunter Scan Report" [email protected])
===========================
Replace '[email protected]' with your email address.
Change the permission of /etc/cron.daily/rkhunter.sh
# chmod +x /etc/cron.daily/rkhunter.sh
5. Disable direct root login
Please follow the given steps to disable direct root login access to the server:
a. Create a user
# groupadd test
# useradd test -g test
# passwd test
b. Add user to the wheel group
# grep wheel /etc/group
wheel:x:10:root
Add the user test
wheel:x:10:root,test
For cPanel servers, do the following:
* Log into your WHM and click on “Manage Wheel Group Users”
* Select the user (Here it is “test”) and click “Add to group”
Before disabling root access, confirm that the user ‘test’ can log in and run su - to gain root privileges.
c. Disable direct root login
# vi /etc/ssh/sshd_config
Find the line “Protocol 2, 1”
Uncomment it & change it to “Protocol 2”
Next find the line “PermitRootLogin yes”, uncomment it & change it to “PermitRootLogin no”
Save the file.
6. Apply the following WHM security tweaks
a) Enable HTTP Authentication –> Off
Leaving this option disabled enables cookie authentication, helping to prevent certain types of XSRF attacks.
b) Initial default/catch-all forwarder destination –> Fail
Selecting Fail for this option causes the server to automatically discard unroutable email sent to your server’s new accounts. This option is the best at protecting your server against mail attacks.
c) Default Required Password Strength –> 40
This ensures a minimum password strength for accounts hosted by your server.
d) PHP open_basedir Tweak –> Enabled
PHP’s open_basedir protection prevents users from opening files outside of their home directory with php.
e) Apache mod_userdir Tweak –> Enabled
Apache’s mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URI on a specific host. For example http://test.cpanel.net/~testuser/ will bring up the user testuser’s domain. The disadvantage of this feature is that any bandwidth used by this site will be charged to the domain it is accessed under (in this case test.cpanel.net).
f) Compiler Access –> disabled for unprivileged users.
Many common exploits require a working C compiler on the system. This tweak allows you to deny compiler access to unprivileged users.
++++++++++++++++++++++++++++++++++++++
root@server [~]# /scripts/compilers off
Compilers are disabled for unprivileged users.
++++++++++++++++++++++++++++++++++++++
7. Apply the following PCI recommended changes in the Apache configuration.
ServerTokens –> ProductOnly
ServerSignature –> Off
TraceEnable –> Off
FileETag –> Off
8. Secure /tmp.
++++++++++++++++++++++++++++++++++++++
root@server [~]# /scripts/securetmp
Would you like to secure /tmp & /var/tmp at boot time? (y/n) y
Would you like to secure /tmp & /var/tmp now? (y/n) y
Securing /tmp & /var/tmp
/tmp is already secure
/var/tmp is already secure
Checking fstab for entries …Done
Logrotate TMPDIR already configured
Process Complete
++++++++++++++++++++++++++++++++++++++
9. Ensure that there are no world-writable/executable files in /tmp and /dev/shm/.
++++++++++++++++++++++++++++++++++++++
root@server [~]# find /tmp -type f -perm -777
root@server [~]# find /dev/shm/ -type f -perm -777
root@server [~]#
++++++++++++++++++++++++++++++++++++++
10. Disable ‘allow_url_fopen’ in the ‘php.ini’ file to prevent URL injection attacks
----
allow_url_fopen => Off => Off
----
11. Disable vulnerable PHP functions. The following functions are recommended to be disabled:
++++++++++++++++++++++++++++++++++++++
show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set, copy ,error_log ,tempnam, proc_get_status, proc_nice,proc_open, proc_terminate, highlight_file, escape, shellcmd, pclose, pfsockopen, chgrp, posix_getpwuid, get_current_user, getmyuid, apache_child_terminate, define_syslog_variables, posix_kill ,posix_mkfifo ,posix_setpgid, posix_setuid
++++++++++++++++++++++++++++++++++++++
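As an added example that is not part of the original guide, the POSIX shell script below audits the settings changed in steps 5c (sshd_config), 7 (Apache), 10 and 11 (php.ini) and reports which files pass. The sample config files it writes are constructed, and the function names (cfg_value, ini_value, check_sshd, check_apache, check_php) are chosen here; point the check_* functions at the real files to audit a server.

```shell
#!/bin/sh
# Added audit helper for the settings this guide changes (not from the original
# post). Each check_* function returns 0 when the given file passes. The sample
# config files at the bottom are constructed so the script runs offline.

# Value of a "Directive value" line (sshd_config, httpd.conf): comments are
# ignored, the last occurrence wins, empty if absent.
cfg_value() {  # $1=file $2=directive
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# Value of a "key = value" line (php.ini syntax).
ini_value() {  # $1=file $2=key
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# Step 5c: SSH protocol 2 only and no direct root login.
check_sshd() {
    [ "$(cfg_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ] &&
    [ "$(cfg_value "$1" Protocol)" = "2" ]
}

# Step 7: the four PCI-recommended Apache directives.
check_apache() {
    [ "$(cfg_value "$1" ServerTokens)" = "ProductOnly" ] &&
    [ "$(cfg_value "$1" ServerSignature)" = "Off" ] &&
    [ "$(cfg_value "$1" TraceEnable)" = "Off" ] && [ "$(cfg_value "$1" FileETag)" = "Off" ]
}

# Steps 10 and 11: allow_url_fopen off, and the command-execution entries from
# the guide's list present in disable_functions (a spot check, not the full list).
check_php() {
    [ "$(ini_value "$1" allow_url_fopen)" = "Off" ] || return 1
    for fn in system shell_exec passthru exec popen proc_open; do
        ini_value "$1" disable_functions | tr -d ' ' | tr ',' '\n' | grep -qx "$fn" || return 1
    done
}

# Constructed samples: sshd_config before and after step 5c, plus hardened
# Apache and PHP fragments (real sshd_config lives at /etc/ssh/sshd_config).
SAMPLES=$(mktemp -d)
printf '#Protocol 2,1\n#PermitRootLogin yes\n' > "$SAMPLES/sshd.before"
printf 'Protocol 2\nPermitRootLogin no\n' > "$SAMPLES/sshd.after"
printf 'ServerTokens ProductOnly\nServerSignature Off\nTraceEnable Off\nFileETag Off\n' > "$SAMPLES/httpd.conf"
printf 'allow_url_fopen = Off\ndisable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open\n' > "$SAMPLES/php.ini"

for f in "$SAMPLES/sshd.before" "$SAMPLES/sshd.after"; do
    check_sshd "$f" && echo "PASS $f" || echo "FAIL $f"
done
check_apache "$SAMPLES/httpd.conf" && check_php "$SAMPLES/php.ini" && echo "PASS apache+php" || echo "FAIL apache/php"
```

The "before" sample fails because both directives are still commented out, which is exactly the state step 5c tells you to change.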