cPanel Security Hardening

Server Security is something an exception. One day or another, your server will be attacked and the integrity of your data will be at risk, that does not mean you will lose the current and existing customers in the process. cPanel provides easy access to your search and accessibility, user-friendly interface for managing your website. However, it is subject to various security issues, such as any server application or environment. As a responsible webmaster or server admin, you’re caught up to identify these issues and take steps to hack some loopholes to access your server or website.

A cPanel server can be secured by many means. For an easy setup and understanding I have categorized things in below manner. We can start with updating cPanel to latest version.

1. Keep cPanel up to date

For every outdated application there will be a chance of greater vulnerability, for overcoming this issue we need to make sure that you have the latest version of cPanel running. You can simply update cPanel by running below command on the command line.

# /scripts/upcp --force

If you are not familiar with command line, you follow below steps

Login into WHM > Software > Update Server Software > Proceed

Also I recommend you enable daily updates by going to WHM > Server Configuration > Update Preferences & Save

2. MYSQL Hardening

Set MySQL password

(Don’t set the same password like for the root access)

-If you didn’t set MySQL password someone will be able to login into the DB with
username “root” without password and delete/edit/download any db on the server.

Disable symlinks from database

The MySQL database starts up by default permitting the usage of symlinks. When a table that is using symlinks is dropped, both the symlink and the file to which the symlink points are dropped.

An unauthorized user can create symlinks within a table that point to key configuration files and then drop the table.

Solution:

Edit /etc/my.cnf file and use –skip-symbolic-links option to disable symlinks. After save changes restart mysql service with below command.

# service mysqld restart

Remove unwanted database user account

There are default anonymous user accounts which are created when MySQL is initially installed. These user accounts have no password by default. A strong password must be set or these accounts removed.

An unauthorized user who discovers that a MySQL server is running can directly log in to the server without entering a password.

Solution:

Remove the anonymous account or set a strong password for it:

# mysql -u root -p
mysql> DELETE FROM mysql.user WHERE User = '';
mysql> FLUSH PRIVILEGES;

Rename the administrator account

The administrator account in MySQL is called root. This must be renamed to something different.

Malicious user can try to compromise the system using root account. The effort involved in trying to brute force a MySQL password is reduced because the attacker already knows the username.

Solution:

Rename the root account to something else using the following query.

mysql> update user set user='mydbadmin' where user='root';
mysql> flush privileges;

Enable logs in mysql server

Enabling logging will help administrators to monitor critical events in a MySQL server.

Malicious activities will not be detected. Early warning towards attempts at malicious access will go undetected.

Solution:

Mysql has different types of logs. You can enabled it by adding lines in /etc/my.cnf file.

log-error=/var/log/mysqld.log
log-slow-queries=/var/log/mysql-slow.log
long-query-time=1

Remove unused database from the server

There is a default database that comes preinstalled with MySQL. This database should be removed if not required.

An unauthorized user can access sensitive information stored in this database.

Solution:

Remove the preinstalled database “test” if it is not required. It can be removed as follows:

mysql> drop database test;

Mysql should be run on non default port

Mysql runs on default 3306 port the configuration should be change to run mysql on different port.

The port will be detected as open by a port scanner by an Hacker. By this information Hacker can steal more information about mysql server.

Solution:

You can change port from mysql configuration file /etc/my.cnf. You can set different not default port, for example 5532.

3. PHP Hardening

Type php –ini in command line to show the configuration file of php

Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini

We should edit in /usr/local/lib/php.ini

php .ini & disabled functions

safe_mode = On

Safe Mode is off by default.
Safe Mode does a user check on files that are opened by a process. By default, the users of the file and the process need to match.

expose_php = Off

Setting expose_php = Off just prevents the webserver from sending back the X-Powered-By header.
Potential hackers could look for out of date versions of PHP with security holes to exploit, they could potentially do the same even if the header was turned off

Enable_dl= Off

The configuration directive enable_dl instructs PHP whether or not to enable dynamic loading of PHP modules with dl().
If you enable dynamic module loading, it’s possible to bypass the safe_mode restrictions. Dynamic loading is enabled by default.

magic_quotes = On

It helps to escaping special characters with a ‘\’ to allow a string to be entered into a database. This is considered ‘magic’ because PHP can do this automatically for you if you have magic_quotes_gpc turned on.

NOTE: This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.

register_globals = off

register_globals is an internal PHP setting which registers the $_REQUEST array’s elements as variables. If you submit a value in a form, via POST or GET, the value of that input will automatically be accessible via variable in the PHP script, named after the name of the input field.By Default they have register_globals=on,better to turn it off

display errors = off

This option will helps to not display error  on the webpage,so that the others cant find any vulnerabilities.

disable_functions = system, show_source, symlink, exec, dl,shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd

According to several Security Websites administrators are strongly encouraged to disable some dangerous php-functions which can be used to exploit several php-installations and software. To protect yourself we encourage you to disable whenever possible the following functions!

# service httpd restart

4.Apache Hardening

Hide Apache Version

To prevent Apache to not to display these information to the world, we need to make some changes in Apache main configuration file.

Open configuration file with vi editor and search for “ServerSignature“, its by default On. We need to Off these server signature and the second line “ServerTokens Prod” tells Apache to return only Apache as product in the server response header on the every page request

ServerSignature Off
ServerTokens Prod
# service httpd restart

or

You can also change this option by going WHM >> Service Configuration >> Apache Configuration >> Global Configuration & Click Save

Disable Directory Listing

By default Apache list all the content of Document root directory in the absence of index file

We can turn off directory listing by using Options directive in configuration file for a specific directory. For that we need to make below entry in httpd.conf

<Directory /var/www/html>
Options -Indexes
</Directory>

Use Allow and Deny to Restrict access to Directories

We can restrict access to directories with “Allow” and “Deny” options in httpd.conf file.

<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

Options “None” – This option will not allow users to enable any optional features.
Order deny, allow – This is the order in which the “Deny” and “Allow” directives will be processed.
Here it will “deny” first and “allow” next.
Deny from all – This will deny request from everybody to the root directory, nobody will be able to access root directory.

Use Mod Security to Secure Apache

Mod Security works as a firewall for our web applications and allows us to monitor traffic on a real time basis. It also helps us to protect our websites or web server from brute force attacks.

Install mod_security

# yum install ea-apache24-mod_security2
# service httpd restart

Installing mod_security is can be done within a few minutes with few changes to existing infrastructure.

You can enable it from Easy Apache configuration.

Also malware.expert is providing advanced Mod_Security rules for Webhosting, which are based on intelligence gathered from real-world investigations, penetration tests and research data in the REAL LIFE environment of over 10 000 domains. These rules are developed over ten years with the help of real traffic to websites.

5. SSH Hardening

Changing SSH port to custom

Open the ssh configuration file : /etc/ssh/sshd_config

When someone tries to attack the first thing they will be trying to attack on the default ssh port which is 22 .So we have to change it a custom one .

Port 1313

Here I have set the ssh port to 1313

open the port that you are setting up for SSH in your firewall.

PermitEmptyPasswords no

SSH access without password will be avaialble which is a securtity threat .

PermitRootLogin no

It is always desired to restrict direct root access .You can ssh to server with custom user and gain root access with sudo .

After editing changes in configuration file ,restart the service

# service sshd restart

6. CSF Hardening

CSF is commonly used firewall that provides a good level of protection with easy to manage commands. Here are the following steps to install and configure CSF :

# cd /usr/local/src/
# wget&amp;amp;nbsp;http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz
# cd csf
# ./install.sh

After installation we have to make few tweaks in CSF configuration file which is located at : /etc/csf/csf.conf

In CSF,for a basic security, stability and settings check on the server we need to performed this actions in configuration file,

-Disable testing
-Change security warning restrict_syslog to 3
-Restrict syslog/rsyslog access to
-SMTP_BLOCK = 0 to 1
-LF_SCRIPT_ALERt =0 to 1
-SYSLOG_CHECK  = set to 300
-PT_ALL_USERS = set to 1
-Local-infile=0 in mysql configuration file.
-Change ssh port number to 1313
-Disable PasswordAuthentication
-Enable shell Fork Bomb Protection Whm-security-Shell Fork Bomb-enable
-Enable each item in the WHM > Background Process Killer
-Create the file /root/.forward, and add  email address in it
-WHM-Edit System Mail Preferences-Forward mail for “root” to:email address
-Set apache  TraceEnable = off and rebuilded configuration
-Change WHM - Apache Configuration - Global Configuration - ServerTokens - ProductOnly in apache configuration
-Change WHM - Apache Configuration - Global Configuration - FileETag - None in apache configuration
-Change WHM - Security Center - mod_userdir Tweak in apache configuration
-Change php version to latest version for more security
easyapache-nextstep-php version selection-save and build
-Modify /usr/local/lib/php.ini and set:
enable_dl = Off
-Disable abused php functions in php configuration file
-Enable php open_basedir Tweak
-WHM - Security Center - php open_basedir Tweak
-Redirected to ssl
WHM > Tweak Settings > Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail.
-Disable WHM - Tweak Settings - BoxTrapper Spam Trap
-Set  value for WHM - Tweak Settings -the maximum mail can send out per hour by domains= 20
-Disable compilers WHM - Security Center - Compilers Tweak
-WHM - FTP Server Configuration - Allow Logins with Root Password - No
-WHM - Tweak Settings - Allow Creation of Parked/Addon Domains that resolve to other servers
-Disable WHM - Tweak Settings - Allow users to Park/Addon Domains on top of domains owned by other users
-Disable WHM - Tweak Settings - Proxy subdomains.
WHM - Tweak Settings - Accounts that can access a cPanel user account set to user only
-Enable WHM - Tweak Settings - Blank referrer safety check
-Enable WHM - Tweak Settings - Referrer safety check
-Enable WHM - Tweak Settings - Hide login password from cgi scripts
-Disable WHM - Security Center - SMTP Restrictions and use the csf configuration option SMTP_BLOCK instead
-Stop and disable portreserve

Your Score: 138/142*(you will get a score according to the security you have done in csf)

After saving changes restart csf

# csf -r

7. Kernel Hardening

Open /etc/sysctl.conf using vi editor

/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time.

Turn on execshield

kernel.exec-shield=1
kernel.randomize_va_space=1

ExecShield is security Linux kernel patch to avoid worms and other problems

Enable IP spoofing protection

net.ipv4.conf.all.rp_filter=1

The spoofing protection prevents your network from being the source of spoofed.
Forged communications that are often used in DoS attacks

Disable IP source routing

net.ipv4.conf.all.accept_source_route=0

These commands disable forwarding of IPv4 packets on all interfaces

net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_messages=1

These command disable ping on the server.

Make sure spoofed packets get logged

net.ipv4.conf.all.log_martians = 1

These option  enables Martian packet logs

8. DNS Hardening

To hide BIND version

# vi /etc/named.conf
version "BIND";

instead of bind you can give your message so as to hide the DNS version .

Turn off recursion

# vi /etc/named.conf
recursion no;

This will stop recursive queries from the DNS server

9. FTP Hardening

To disable anonymous logins

# vi /etc/pure-ftpd.conf
Allow Anonymous Logins No

Allowing anonymous FTP logins in generally considered to weaken the security of the server. Setting this option to “No” is recommended.

To disable anonymous uploads

Allow Anonymous Uploads No

Allowing anonymous FTP uploads in generally considered to weaken the security of the server. Setting this option to “No” is recommended.

Setting FTP Maximum number of connection at a time

Maximum Connections 30

Maximum number of FTP connections to accept.

10. Enable cpHulkd

To enable cphulk run this commands on command line

# /usr/local/cpanel/etc/init/startcphulkd
# /usr/local/cpanel/bin/cphulk_pam_ctl --enable
# mysqlcheck -r cphulkd

Or

You can also change this option by going WHM >> Security Center >> cPHulk Brute Force Protection  & change from OFF to On.

11. Enable Shell Fork Bomb Protection on cPanel server

Fork Bomb Protection denies users who have terminal access (SSH/Telnet) the ability to use all of the resources on the server.

Login to WHM and click on “Shell Fork Bomb Protection” under “Security Center”.  Click on “enable protection” to enable Shell Fork Bomb Protection.

12. Harden /tmp directory

Hardening tmp plays a big role in safeguarding your server from external attacks. All applications use the /tmp directory to temporarily store data. If /tmp are not secure, there is a chance to attack the server using Trojans. Temp hardening restricts all activities in / tmp. This prevents the attacker from enforcing the code in the /tmp folder.

a. Create a file size 512 MB or more for /tmp

# dd if=/dev/zero of=/var/TMP bs=1024 count=524288

b. Make it ext3

# mke2fs j /var/TMP

c. Backup the original /tmp

# mv&amp;amp;nbsp; /tmp /tmp_backup

d. Create new /tmp folder

# mkdir /tmp

e. Mount the new temp file to /tmp

# mount -o loop,noexec,nosuid,rw /var/TMP /tmp

f. Set Permission of /tmp

# chmod 1777 /tmp

g. Restore original /tmp and delete the Backup

# cp -R /tmp_backup/* /tmp/
# rm -rf /tmp_backup

13. Installing Rkhunter

Rkhunter (Rootkit Hunter) is an open source Unix/Linux based scanner tool for Linux systems released underGPL that scans backdoors, rootkits and local exploits on your systems. It scans hidden files, wrong permissions set on binaries, suspicious strings in kernel etc.

a. Download the stable version of Rkhunter

# cd /tmp
# wget&amp;amp;nbsp;http://ncu.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz

b. Run the following commands as a root user to install it.

# tar -xvf rkhunter-1.4.0.tar.gz
# cd rkhunter-1.4.0
# ./installer.sh --layout default --install

c. Create a file called rkhunter.sh under /etc/cron.daily/, which then scans your file system every day and sends email notifications to your email id. operate with vi editor

# vi /etc/cron.daily/rkhunter.sh

d. Add the following lines of code to it and replace “YourServerNameHere” with your “Server Name” and “your@email.com” with your “Email Id“.

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.com

e. Set execute permission on the file.

# chmod 755 /etc/cron.daily/rkhunter.sh

f. To scan the entire file system, run the Rkhunter as a root user.

# rkhunter --check

14. Kill unwanted Background Process

There is lot of unnecessary process running on linux server which will slow down the server, we can run the below commands in terminal to stop them all

# echo "ptlink" >> /var/cpanel/killproc.conf
# echo "psyBNC" >> /var/cpanel/killproc.conf
# echo "ircd" >> /var/cpanel/killproc.conf
# echo "guardservices" >> /var/cpanel/killproc.conf
# echo "generic-sniffers" > /var/cpanel/killproc.conf
# echo "eggdrop" >> /var/cpanel/killproc.conf
# echo "bnc" >> /var/cpanel/killproc.conf
# echo "BitchX" >> /var/cpanel/killproc.conf

15. Disable Compiler Access

Compiler Access is used to gain access C or C++ compiler on the server.It is recommended to disable this compiler as Disabling these compilers will result in a more secure server as most of the attacks require a working C or C++ compiler on the server.

Run the command in terminal

# chmod 750 /usr/bin/gcc /usr/bin/i386-redhat-linux-gcc
# chown root:compiler /usr/bin/gcc /usr/bin/i386-redhat-linux-gcc

Install cPguard Plugin – A Complete server security suite

If you are lazy in doing a setup for all the above hardening, you can install cPguard, which is all in one security plugin with artificial intelligence. cPguard security plugin offers fast, light and intuitive protection against viruses and attacks giving you the best protection that’s easy to use and won’t affect server performance.


Plugin contains ultimate security solution for your Linux servers and has more advanced features than any other plugin that is available on the market now, some of the features are.

  • Smart Antivirus
  • Least resource demand
  • Cloud based Auto Clean Malware (New)
  • Easily customizable
  • Realtime Anti spam with cPGuard Exim
  • Domain Reputation powered by Google Safebrowsing
  • DNSBL IP Reputation Check
  • Customizable cPanel plugin
  • Web Application Firewall

AND MANY MORE… You can find more information and features about the plugin from here.

Conclusion

In this Modern era, server without proper security will always pave the way for hackers to get into it. Once a server is hacked we are unable to find what all harmful contents are uploaded to the server, if it happens the only solution left is to migrate all the server contents to a new server and it anyway consumes some time and treasures. The smartest thing you can do is implement proper security measures for cPanel as soon as your hosting account is set up.

For more server security tips and tricks, click on subscribe.