Minimum Security WHM settings and options [beachcomber.net]

source: http://servermove.us/forum/viewtopic.php?t=251

Below are the Minimum Settings for proper security on your server. Failure to do so may (take this seriously) result in either server termination and/or support time charged to locate spamming issues and/or hacks and kiddie scripts and hacks. This will also repair and keep repaired Fantastico if you are having the sourceguardian issue.

To update your server properly, please do the following:

Go to your WebHostManager

First of all be sure that you have updated Cpanel/WHM to at least Current or Release.

If need be, go to Server Settings > Update config and be sure to select either current or release at least for these updates...You can go back to stable later if you like (in a few weeks).

Then go toward the bottom of your WHM on the left to the "cPanel 9.X.X-XXX" category and click Upgrade to latest version

Once finished, refresh the page and go to the following and be sure they are set as follows:

In your WHM > Server Settings > Tweak Settings
***************************************
--------------------------------------------
Under domains please enable:
--------------------------------------------

Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)

--------------------------------------------------
Under mail please do the following:
--------------------------------------------------
Default catch-all/default address behavior for new accounts. >> select fail

Please enable the following:

Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)
Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
----------------------
Go to Software:
----------------------
Loader to use for internal cPanel PHP and select sourceguardian (Otherwise Fantastico will fail)

**************************************************************************
In your WHM , Server Settings > Tweak Security please enable:
**************************************************************************
Php open_basedir Tweak
Compilers Tweak
SMTP Tweak
**************************************************************************
In your WHM > Server Configuration...
**************************************************************************
FTP configuration..Make sure Anonymous FTP is disabled
Exim Configuration editor > enable Verify the existence of email senders

**************************************************************************************
In your WHM , cPanel 9.X.X-XXX go to AddOnModules and please enable:
**************************************************************************************
Cpanel Pro
addonupdates

(you may enable others but those are the only two we have tested ourselves to be stable)

**************************************************************************************
In your WHM , cPanel 9.X.X-XXX go to AddOnScripts and please enable:
**************************************************************************************

everything.

***************
***************

Unless you have total control over each and every site on the server this is best. This way Cpanel will track any new installations of any of the packages and, using the addonupdate feature, you can bulk update all installs on the server if there is a security issue (and PHPNuke and PHPbb are famous for them, as are all Bulletin Boards).

OK..all done.

Now when you once again refresh the page you will see at the very bottom of the left column a new link called

WHM > Add-ons > Addon Script Manager

And check your server for outdated software and update where appropriate

Forgot one more
WHM > Tweak Settings > Use jailshell as the default shell for all new accounts and modified accounts

and enable

also in tweak settings, set

Default catch-all/default address behavior for new accounts.

+++++++++++++++++++++++
Just my two cents, I would make some other minimum recommendations, that are mentioned in various places throughout this forum and the cpanel.net forum.

1) Make /Dev/tmp and /dev/shm NOEXEC (non executable), this limits some of the exploits that take advantage of sessions. There are some good tutorials on making these changes, I'd recommend following them.

2) Mod-Security - use it, there are also some good resources on a basic set of commands you can put into effect to reduce your exposure. Check the cpanel.net forums for some basic commands.

3) For the more adventurous - Upgrade Port-Sentry and use the advanced rules

4) Install a Firewall to augment IPTables - I like using APF from http://www.rfxnetworks.com/apf.php, there are a few special considerations for Cpanel, but nothing difficult. There are other good products.

5) Also install BFP - Brute Force Protection (same company) to limit attacks on SSH and other ports.

6) Install Webmin and limit access to your own IP. This will allow you to view the logs, IPTables and other apps, outside WHM .
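
A way to verify recommendation 1 after the mount options have been changed, as an added example that is not part of the original post. It assumes a mount table in `/proc/mounts` format; the sample table is constructed, and the function names and the choice of `/tmp` and `/var/tmp` as extra mount points to check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit mount points for the noexec option.
# Input is a mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Constructed sample table so the check runs offline.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid,noexec 0 0
tmpfs /dev/shm tmpfs rw 0 0
/tmp /var/tmp none rw,noexec,nosuid,bind 0 0'

# mount_opts TABLE MOUNTPOINT: print the options of the last matching entry.
# The last entry wins because a later mount on the same path hides earlier ones.
mount_opts() {
    printf '%s\n' "$1" |
        awk -v mp="$2" '$2 == mp { o = $4 } END { if (o != "") print o }'
}

# check_noexec TABLE MOUNTPOINT: print OK, MISSING or NOT-MOUNTED.
# Returns 0 only when the mount point exists and carries noexec.
check_noexec() {
    opts=$(mount_opts "$1" "$2")
    if [ -z "$opts" ]; then
        echo "NOT-MOUNTED"   # no separate mount, so it inherits the parent's options
        return 2
    fi
    case ",$opts," in
        *,noexec,*) echo "OK"; return 0 ;;
        *)          echo "MISSING"; return 1 ;;
    esac
}

# audit TABLE MOUNTPOINT...: report each mount point, return the failure count.
audit() {
    table=$1; shift
    failed=0
    for mp in "$@"; do
        status=$(check_noexec "$table" "$mp") || failed=$((failed + 1))
        printf '%-10s %s\n' "$mp" "$status"
    done
    return "$failed"
}

# Demo on the constructed table; on a live server pass "$(cat /proc/mounts)".
audit "$SAMPLE_MOUNTS" /tmp /var/tmp /dev/shm || echo "mount points needing noexec: $?"
```

A `NOT-MOUNTED` result is counted as a failure because a directory without its own mount cannot be given `noexec` independently of its parent filesystem.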

++++++++++++++++++++++++++

Please remember when using these guides, visit the application's site to check for the newest version that is available.

Guide To Install APF:
http://www.webhostgear.com/61.html

Guide To Install BFD:
http://www.webhostgear.com/60.html

Guide to install/ Auto email Rkhunter and or Results daily:
http://www.webhostgear.com/index.php?art/id:141

Guide to install/Auto email Chkrootkit and or Results daily:
http://www.webhostgear.com/index.php?art/id:25

How to disable Telnet:
http://www.webhostgear.com/74.html

Email Alert to Root SSH logins:
http://www.webhostgear.com/43.html

How to Disable Direct Root Logins
http://www.webhostgear.com/24.html

Last But not least if you do get Apf installed along with BFD here is a link to the Current list of Bad IPS that you can download and add to your APF installation. Right click on link and Save as:
http://forums.ev1servers.net/attachment.php?s=19620fc6dafc09147fe03a947d587434&postid=312919

Or if you want to read the entire Discussion about the APF block list it is located here:
http://forums.ev1servers.net/showthread.php?s=&threadid=39366&highlight=block+list

These sites helped me secure my server even more. I have used them all and they all work correctly. I am not an expert but these articles really helped me out and pointed me in the right direction and what questions to ask before I installed them.
