Improving System Security On CPanel Systems (servermatrix)

<p>source: <a href="http://forums.servermatrix.com/viewtopic.html?t=2198">http://forums.servermatrix.com/viewtopic.html?t=2198</a></p><p><span class="postbody"><font size="2">Basic things that can be done to improve security. <br /><br /> <!--break--> -------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Use The Latest Software</span></span> <br /><br />Keep the OS and 3rd party software up to date. Always! <br /><br />CPanel itself can be updated from the root WHM. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Change Passwords</span></span> <br /><br />Change the root passwords <span style="FONT-STYLE: italic">at least</span> once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Set Up A More Secure SSH Environment</span></span> <br /><br />This section describes how to disable direct 'root' login to the machine and how to force the more secure SSH 2 protocol. <br /><br />Disabling direct root login will force a hacker to have to guess 2 separate passwords to gain root access. <br /><br />After you do this, you will have to log in as <span style="FONT-STYLE: italic">anotheruser</span> and then 'su -' to get to root. <br /><br />We also will be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol. <br /><br />Just a couple more ways to help your server stay safe from the bad guys. 
<br /><br /><span style="FONT-WEIGHT: bold">If you're using cPanel make sure you add your <span style="FONT-STYLE: italic">anotheruser</span> user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.</span> <br /><br />1. Set up <span style="FONT-STYLE: italic">anotheruser</span> if you haven't already got one: <br /><br />i. Type: <span style="FONT-WEIGHT: bold"><em>groupadd <span style="COLOR: blue">anotheruser</span></em></span> <br />ii. Type: <span style="FONT-WEIGHT: bold"><em>useradd <span style="COLOR: blue">anotheruser</span> -g<span style="COLOR: blue">anotheruser</span></em></span> <br />iii. Type: <span style="FONT-WEIGHT: bold"><em>passwd <span style="COLOR: blue">anotheruser</span></em></span> and add a password for the new account. <br /><br />On a CPanel system, you can now go into root WHM and add <span style="FONT-STYLE: italic">anotheruser</span> to the wheel group. <br /><br />2. SSH into your server as <span style="FONT-STYLE: italic">anotheruser</span> and gain root access by going <span style="FONT-WEIGHT: bold">su - root</span> and entering the root password. <br /><br />3. Type: <em><span style="FONT-WEIGHT: bold">pico -w /etc/ssh/sshd_config</span> <br /></em><br />4. Find the line: <br /><br /></font></span></p><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br /><em>#Protocol 2, 1 <br /></em></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2">Uncomment it and change it to look like: <br /><br /></font></p></span><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br /><em>Protocol 2</em> <br /></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2">5. 
Next, find the line: <br /><br /></font></p></span><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br />#<em>PermitRootLogin yes <br /></em></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2">Uncomment it and make it look like: <br /><br /></font></p></span><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br /><em>PermitRootLogin no</em> <br /></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2">6. It is also recommended that the following additional lines are added to the file: <br /><br /></font></p></span><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br /><em>LoginGraceTime 300 <br />IgnoreRhosts yes <br />X11Forwarding no <br />UseLogin no</em> <br /></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2">7. Hit <span style="FONT-WEIGHT: bold">CTRL+x</span>, then <span style="FONT-WEIGHT: bold">y</span> then enter to save the file. <br /><br />8. Restart SSH with <span style="FONT-WEIGHT: bold">/etc/rc.d/init.d/sshd restart</span> <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Disable Telnet</span></span> <br /><br />1. Type: <em><span style="FONT-WEIGHT: bold">pico -w /etc/xinetd.d/telnet</span> <br /></em>2. Change the <span style="FONT-STYLE: italic">disable = no</span> line to <em><span style="FONT-WEIGHT: bold">disable = yes</span>. <br /></em>3. 
Hit <span style="FONT-WEIGHT: bold">CTRL+X</span>, press <span style="FONT-WEIGHT: bold">y</span> and then <span style="FONT-WEIGHT: bold">enter</span> to save the file. <br />4. Restart xinetd with: <em><span style="FONT-WEIGHT: bold">/etc/rc.d/init.d/xinetd restart</span> <br /></em><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Install A Firewall</span></span> <br /><br />I recommend APF firewall personally, but they all do a similar job. <br /><br />APF can be found at: </font><a class="postlink" href="http://www.rfxnetworks.com/apf.php" target="_blank"><font color="#547293" size="2">http://www.rfxnetworks.com/apf.php</font></a><font size="2"> <br /><br />Also guard against 'brute force' attacks with BFD: </font><a href="http://www.rfxnetworks.com/bfd.php" target="_blank"><font color="#547293" size="2">http://www.rfxnetworks.com/bfd.php</font></a><font size="2"> <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Disable Unnecessary Ports</span></span> <br /><br />First back up the file that contains your list of ports with: <br /><br /><span style="FONT-WEIGHT: bold">cp /etc/services /etc/services.original</span> <br /><br />Now configure /etc/services so that it only has the ports you need in it. This list should match the ports enabled in your firewall. 
<br /><br />On a <span style="FONT-WEIGHT: bold"><span style="FONT-STYLE: italic">typical</span></span> CPanel system it would look something like this: <br /><br /></font></p></span><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br />tcpmux          1/tcp                           # TCP port service multiplexer <br />echo            7/tcp <br />echo            7/udp <br />ftp-data        20/tcp <br />ftp             21/tcp <br />ssh             22/tcp                          # SSH Remote Login Protocol <br />smtp            25/tcp          mail <br />domain          53/tcp                          # name-domain server <br />domain          53/udp <br />http            80/tcp          www www-http    # WorldWideWeb HTTP <br />pop3            110/tcp         pop-3           # POP version 3 <br />imap            143/tcp         imap2           # Interim Mail Access Proto v2 <br />https           443/tcp                         # MCom <br />smtps           465/tcp                         # SMTP over SSL (TLS) <br />syslog          514/udp <br />rndc            953/tcp                         # rndc control sockets (BIND 9) <br />rndc            953/udp                         # rndc control sockets (BIND 9) <br />imaps           993/tcp                         # IMAP over SSL <br />pop3s           995/tcp                         # POP-3 over SSL <br />cpanel          2082/tcp <br />cpanels         2083/tcp <br />whm             2086/tcp <br />whms            2087/tcp <br />webmail         2095/tcp <br />webmails        2096/tcp <br />mysql           3306/tcp                        # MySQL <br /></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2">Additional ports are controlled by /etc/rpc. 
These aren't generally needed, so get shot of that file with: <span style="FONT-WEIGHT: bold">mv /etc/rpc /etc/rpc-moved</span> <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Watch The Logs</span></span> <br /><br />Install something like <span style="FONT-WEIGHT: bold">logwatch</span> to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail it to you on a daily basis. <br /><br />Logwatch can be found at: </font><a class="postlink" href="http://www.logwatch.org/" target="_blank"><font color="#5493b4" size="2">http://www.logwatch.org</font></a><font size="2"> <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Run A Root Kit Checker Regularly</span></span> <br /><br />You can get a root kit checker (chkrootkit) from </font><a class="postlink" href="http://www.chkrootkit.org/" target="_blank"><font color="#547293" size="2">http://www.chkrootkit.org</font></a><font size="2"> and make sure you run it on a regular basis, perhaps including it in a cron job. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Limit The Kernel's Capabilities</span></span> <br /><br />1. Type: <span style="FONT-WEIGHT: bold"><em>wget </em><a class="postlink" href="ftp://rpmfind.net/linux/PLD/current/dists/ra/PLD/i686/PLD/RPMS/lcap-0.0.6-3.i686.rpm" target="_blank"><font color="#547293"><em>ftp://rpmfind.net/linux/PLD/current/dists/ra/PLD/i686/PLD/RPMS/lcap-0.0.6-3.i686.rpm</em></font></a></span><em> <br /></em>2. Type: <span style="FONT-WEIGHT: bold"><em>rpm -Uvh lcap-0.0.6-3.i686.rpm</em></span> <br />3. 
Type: <span style="FONT-WEIGHT: bold"><em>lcap CAP_SYS_PTRACE</em></span> <br /><br />This will remove the ptrace capability, which allows attaching to, and controlling the execution of, arbitrary processes. Debuggers do this sort of thing. <br /><br />The LCAP limitations only stay in place until the next reboot unless you put them in a startup file somewhere. <br /><br />LCAP can be used in various ways to harden the kernel, but you also run the risk of locking yourself out of facilities you need, so research is recommended before messing about. One good place to start looking is in /usr/include/linux/capability.h, which contains a brief description of each kernel capability. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Avoid CPanel Demo Mode</span></span> <br /><br />Switch it off via <span style="FONT-STYLE: italic">WHM Account Functions =&gt; Disable or Enable Demo Mode</span>. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Jail All Users</span></span> <br /><br />Via <span style="FONT-STYLE: italic">WHM Account Functions =&gt; Manage Shell Access =&gt; Jail All Users</span>. <br /><br />Better still <span style="FONT-WEIGHT: bold">never allow shell access to anyone</span> - no exceptions. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Disable Troublesome Formmails</span></span> <br /><br />Cpanel's formmails are known to be insecure and, worse, every time one attempts to disable them, the next CPanel upgrade comes along and enables them again. <br /><br />This is the recommended procedure for disabling them: <br /><br />1. SSH into the box. <br /><br />2. Type: <span style="FONT-WEIGHT: bold"><em>cd /usr/local/cpanel/cgi-sys</em></span> <br /><br />3. 
Type: <em><span style="FONT-WEIGHT: bold">chmod 0 cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi</span> <br /></em><br />4. Type: <em><span style="FONT-WEIGHT: bold">chattr +i cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi</span> <br /></em><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Immediate Notification Of Specific Attackers</span></span> <br /><br />If you need immediate notification of a specific attacker (TCPWrapped services <span style="FONT-STYLE: italic">only</span>), add the following (all on one line) to <span style="FONT-WEIGHT: bold">/etc/hosts.deny</span> <br /><br /><span style="FONT-WEIGHT: bold">ALL : <span style="FONT-STYLE: italic">nnn.nnn.nnn.nnn</span> : spawn (/bin/echo `date` %c %d | mail -s &quot;Access attempt by <span style="FONT-STYLE: italic">nnn.nnn.nnn.nnn</span> on <span style="FONT-STYLE: italic">hostname</span>&quot; <span style="FONT-STYLE: italic">[email protected]</span>)</span> <br /><br />Replacing <span style="FONT-STYLE: italic">nnn.nnn.nnn.nnn</span> with the attacker's IP address. <br />Replacing <span style="FONT-STYLE: italic">hostname</span> with your hostname. <br />Replacing <span style="FONT-STYLE: italic">[email protected]</span> with your e-mail address. <br /><br />The %c and %d expansions are filled in by TCP wrappers with the client information and the daemon name. This will deny access to the attacker and e-mail the sysadmin about the access attempt. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Check Open Ports</span></span> <br /><br />From time to time it's worth checking which ports are open to the outside world. 
This can be done with: <br /><br /><span style="FONT-WEIGHT: bold"><em>nmap -sT -O localhost</em></span> <br /><br />If nmap isn't installed, you can install it from WHM -&gt; Software -&gt; Install RPM. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Set The MySQL Root Password</span></span> <br /><br />This can be done in CPanel from the root WHM <span style="FONT-WEIGHT: bold">Server Setup</span> -&gt; <span style="FONT-WEIGHT: bold">Set MySQL Root Password</span>. <br /><br />Make it different from your root password! <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Tweak Security (CPanel)</span></span> <br /><br />From the root WHM, <span style="FONT-WEIGHT: bold">Server Setup</span> -&gt; <span style="FONT-WEIGHT: bold">Tweak Security</span>, you will most likely want to enable: <br /><br />- php open_basedir Tweak. <br />- SMTP tweak. <br /><br />You <span style="FONT-WEIGHT: bold">may</span> want to enable: <br /><br />- mod_userdir Tweak. But that will disable domain preview. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Use SuExec (CPanel)</span></span> <br /><br />From root WHM, <span style="FONT-WEIGHT: bold">Server Setup</span> -&gt; <span style="FONT-WEIGHT: bold">Enable/Disable SuExec</span>. This is CPanel's description of what it does: <br /><br />&quot;<span style="FONT-STYLE: italic">suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. </span>&quot; <br /><br />Even if you don't use <span style="FONT-WEIGHT: bold">phpsuexec</span> (which often causes more problems), SuExec should be considered. 
<br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Use PHPSuExec (CPanel)</span></span> <br /><br />This needs to be built into Apache (<span style="FONT-WEIGHT: bold">Software</span> -&gt; <span style="FONT-WEIGHT: bold">Update Apache</span> from the root WHM) and does the same as SuExec but for PHP scripts. <br /><br />With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions <span style="FONT-WEIGHT: bold">no greater</span> than <span style="FONT-WEIGHT: bold">0755</span> and that their htaccess files contain no PHP directives. <br /><br />-------------------------------------------------- <br /><br /><span style="FONT-WEIGHT: bold"><span style="TEXT-DECORATION: underline">Disable Compilers</span></span> <br /><br />This will prevent hackers from compiling worms, root kits and the like on your machine. <br /><br />To disable them, do the following: <br /><br /></font></p></span><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br /><em>chmod 000 /usr/bin/perlcc <br />chmod 000 /usr/bin/byacc <br />chmod 000 /usr/bin/yacc <br />chmod 000 /usr/bin/bcc <br />chmod 000 /usr/bin/kgcc <br />chmod 000 /usr/bin/cc <br />chmod 000 /usr/bin/gcc <br />chmod 000 /usr/bin/i386*cc <br />chmod 000 /usr/bin/*c++ <br />chmod 000 /usr/bin/*g++ <br />chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 <br />chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1 </em><br /></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2"><span style="FONT-WEIGHT: bold">You will need to enable them again when you need to perform system updates</span>. 
To do this, run: <br /><br /></font></p></span><p><table cellspacing="1" cellpadding="3" width="90%" align="center" border="0"><tbody><tr><td><span class="genmed"><b><font size="2">Code:</font></b></span></td></tr><tr><td class="code"><br /><em>chmod 755 /usr/bin/perlcc <br />chmod 755 /usr/bin/byacc <br />chmod 755 /usr/bin/yacc <br />chmod 755 /usr/bin/bcc <br />chmod 755 /usr/bin/kgcc <br />chmod 755 /usr/bin/cc <br />chmod 755 /usr/bin/gcc <br />chmod 755 /usr/bin/i386*cc <br />chmod 755 /usr/bin/*c++ <br />chmod 755 /usr/bin/*g++ <br />chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1 <br />chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1 </em><br /></td></tr></tbody></table></p><span class="postbody"><p><br /><br /><font size="2">-------------------------------------------------- <br /><br />This is really just a start. There are many other things one can do too (tripwires etc.).</font></p><p><font size="2"></font></p><p><table cellspacing="5" cellpadding="0" width="100%" border="0"><tbody><tr><td colspan="3"><font face="Verdana, Arial" color="#ff0000" size="3"><b>cPanel Reset Password Vuln.</b></font></td><td width="1%"> </td></tr><tr><td colspan="3"><blockquote><font face="Verdana, Arial" size="2">A new 'backdoor' was found in cPanel that would allow malicious users to reboot your server, delete files, and gain unauthorized access. Basically you NEED to fix this or risk getting 'hacked/attacked'. The security issue resides with cPanels new 'request a password' feature for accounts. You can disable this feature as detailed below, and also fix the file that allows the malicious code to be executed. 
Right now the main issue seen is that anyone can reset any user's password, such as *gasp* root.</font></blockquote><center /></td><td> </td></tr><tr><td colspan="3"><p> </p><blockquote><p><font face="Verdana, Arial" size="2"><b>Step 1</b></font></p></blockquote><ol><li><font face="Verdana, Arial" size="2"> Log in to WHM as root</font> </li><li><font face="Verdana, Arial" size="2">Click &quot;Tweak Settings&quot;</font> </li><li><font face="Verdana, Arial" size="2">Scroll down to the bottom and <b>UNCHECK<br /></b><font color="#ff00ff">Allow cPanel users to reset their password via email</font></font> </li><li><font face="Verdana, Arial" size="2">Click Save</font> <p><font face="Verdana, Arial" size="2"><b>Step 2</b></font></p></li><li><font face="Verdana, Arial" size="2">Log in to your server via SSH as root (or su to root).</font> </li><li><font face="Verdana, Arial" size="2">Type: <font color="#ff00ff">chmod 600 /usr/local/cpanel/base/resetpass.cgi</font></font> </li><li><font face="Verdana, Arial" size="2">Type:</font><font face="Verdana, Arial" color="#ff00ff" size="2"> chattr +i /usr/local/cpanel/base/resetpass.cgi</font></li></ol></td></tr></tbody></table></p><p><br /></p></span><p />
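<p>As an added example that is not part of the original post, the POSIX shell script below turns the file-based recommendations above into something repeatable: it applies the sshd_config directives from the SSH section (replacing any existing commented or live line for each key so that only one setting remains), includes a guard for the lock-out caveat by checking that the admin user really is in the wheel group before you switch off root logins, and audits the settings that leave a trace on disk (the sshd directives, telnet disabled in xinetd, the compiler binaries and the formmail script at mode 000, and resetpass.cgi at mode 600). Every path is taken relative to a ROOT argument so the functions can be exercised against a scratch directory first; the function names, that ROOT layout, and the choice of files audited are this example's own assumptions, and it relies on GNU <code>stat -c %a</code> as found on the Red Hat-based systems the post targets.</p>

```shell
#!/bin/sh
# Added example, not the forum post's own code. Assumptions: POSIX sh, GNU stat,
# and a ROOT prefix (default /) under which the usual paths live.

# Set one "Key value" directive in an sshd_config file. Any existing line for the
# key, commented out or not (e.g. "#Protocol 2, 1", "PermitRootLogin yes"), is
# removed first so that exactly one effective setting remains.
set_sshd_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Apply the directives from the SSH section of the post to the given file.
harden_sshd_config() {
    set_sshd_directive "$1" Protocol 2
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" LoginGraceTime 300
    set_sshd_directive "$1" IgnoreRhosts yes
    set_sshd_directive "$1" X11Forwarding no
    set_sshd_directive "$1" UseLogin no
}

# Lock-out guard: succeed only if USER is a member of wheel in GROUPFILE, so
# "su -" to root keeps working once PermitRootLogin is set to no.
user_in_wheel() {
    groupfile=$1; user=$2
    grep -E '^wheel:' "$groupfile" | cut -d: -f4 | tr ',' '\n' | grep -qx "$user"
}

# Effective value of a directive: the last uncommented occurrence wins, which is
# how a later "Key value" line overrides an earlier one for our purposes here.
sshd_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Audit the page's file-based settings under ROOT (default /). Prints one line
# per finding and returns the number of findings, so exit status 0 is a pass.
audit_hardening() {
    root=${1:-}
    findings=0
    cfg="$root/etc/ssh/sshd_config"
    for pair in Protocol=2 PermitRootLogin=no X11Forwarding=no IgnoreRhosts=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    # telnet must be disabled in xinetd if the service file exists at all
    telnet="$root/etc/xinetd.d/telnet"
    if [ -f "$telnet" ] && ! grep -qE '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$telnet"; then
        echo "xinetd: telnet is not disabled"
        findings=$((findings + 1))
    fi
    # compilers and the cPanel formmail script should be mode 000 (a subset of
    # the post's list; extend the loop to cover the rest)
    for f in /usr/bin/gcc /usr/bin/cc /usr/local/cpanel/cgi-sys/formmail.cgi; do
        if [ -e "$root$f" ] && [ "$(stat -c %a "$root$f")" != "0" ]; then
            echo "$f: mode $(stat -c %a "$root$f"), expected 000"
            findings=$((findings + 1))
        fi
    done
    # the password-reset CGI should be mode 600 as in the vulnerability fix
    rp="$root/usr/local/cpanel/base/resetpass.cgi"
    if [ -e "$rp" ] && [ "$(stat -c %a "$rp")" != "600" ]; then
        echo "resetpass.cgi: mode $(stat -c %a "$rp"), expected 600"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage on a live box (after confirming user_in_wheel /etc/group anotheruser):
#   harden_sshd_config /etc/ssh/sshd_config && /etc/rc.d/init.d/sshd restart
#   audit_hardening            # non-zero exit status = number of findings
```

<p>Run the audit from cron alongside logwatch and chkrootkit; a non-zero exit status is the count of findings, which makes it easy to alert on. Remember that the <code>chattr +i</code> flag from the formmail and resetpass.cgi steps has to be lifted with <code>chattr -i</code> before anything (including a cPanel upgrade) can rewrite those files, and that sshd still needs the restart from step 8 after the config is rewritten.</p>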