Hey Guys,
If you are going to harden a WHM/cPanel server, you can use the checklist/settings below.
Please check what you are doing and select the options that suit your needs; you do not need to enable every option mentioned here.
1. The Tweak Settings checklist [Home >> Server Configuration >> Tweak Settings]
Enable HTTP Authentication Off
Cookie IP Validation On
Proxy Subdomain Creation Off
Require SSL On
Security Tokens On [Helps to prevent XSRF attacks]
Block Common Domains Usage On [Helps to prevent users from creating domains such as hotmail.com or google.com]
Attempt to prevent pop3 connection floods On
Default catch-all/default address behavior for new accounts Blackhole
BoxTrapper Spam Trap Off
Allow cPanel users to reset their password via email Off
Send passwords in plaintext over email when creating a new account Off
2. The Security Center checklist [Home >> Security Center]
Password Strength Configuration: A value of 50 or greater.
PHP open_basedir Tweak: Enabled
Apache mod_userdir Tweak: Enabled
Compiler Access: Disabled
Manage Wheel Group Users: Remove all users except for root and your main account.
Shell Fork Bomb Protection: Enabled
Manage Shell Access: Disable shell access for all other users.
cPHulk Brute Force Protection: Enabled
cPanel Demo Mode: Disabled
3. Disable identification output for Apache
a. Log in to WHM and open the Apache Global Configuration feature (Home >> Service Configuration >> Apache Configuration >> Global Configuration).
b. Select Off (PCI Recommended) from the ServerSignature menu.
c. Click Save.
4. EasyApache configuration
Enable the modules below:
suPHP
Suhosin [Optional]
mod_security [Optional]
Do not include the following by default:
mod_frontpage
mod_perl
mod_JK
mod_Mono
mod_Mono2
Xcache
EAccelerator
Any other modules that are marked as End-Of-Life or Deprecated.
6. php.ini & disabled functions
safe_mode = On
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On
register_globals = Off
display_errors = Off
allow_url_fopen = Off [this is an ini directive, not a function, so it goes on its own line rather than in disable_functions]
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd, popen, proc_open
7. SSH
# vi /etc/ssh/sshd_config
Change "Protocol 2,1" to "Protocol 2"
Change "#Port 22" to a different port and uncomment it, e.g. Port 1337
Note: Make sure the new port is already allowed in the firewall rules (see the TCP_IN list in section 8) before restarting sshd.
8. Firewall, CSF Installation
# vi /etc/csf/csf.conf
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087,2089,2703"
CT_LIMIT = "200"
CT_PERMANENT = "1"
CT_BLOCK_TIME = "1800"
CT_INTERVAL = "60"
CSF has an option "Server Security Check". Go to WHM >> Plugins >> CSF >> Test Server Security to see more security options.
9. SYN Cookies
# vi /etc/sysctl.conf
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# service network restart [only if you have out-of-band access to the server, e.g. via IPMI or the node, in case networking does not come back]
10. Apache Settings [Main » Service Configuration » Apache Configuration » Global Configuration]
SSLCipherSuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
TraceEnable: Off
ServerSignature: Off
ServerTokens: Product Only
FileETag: None
MaxRequestsPerChild: 1000
11. FTP Settings
Allow Anonymous Logins: No
Allow Anonymous Uploads: No
Allow Logins with Root Password: No
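To re-check the file-based items from sections 6 to 9 after you have applied them, here is a small POSIX shell audit script added for this post (it is not cPanel's or CSF's code, and the sample configs it writes are constructed, not taken from any real server):

```shell
#!/bin/sh
# Audit helper added as an example for this post (not cPanel's or CSF's code). It
# re-reads the settings from sections 6 to 9 (php.ini, sshd_config, csf.conf,
# sysctl.conf) and prints each value that still deviates from the checklist.
# Value of "KEY = value" (php.ini / csf.conf / sysctl.conf), first uncommented hit.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '" '
}
# Value of "Key value" (sshd_config style), first uncommented hit.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# Section 6: one line per deviation, nothing when php.ini already matches the list.
check_php() {
    for pair in expose_php=Off enable_dl=Off display_errors=Off allow_url_fopen=Off; do
        got=$(ini_get "$1" "${pair%%=*}")
        [ "$got" = "${pair#*=}" ] || echo "php.ini: ${pair%%=*}=${got:-unset}, want ${pair#*=}"
    done
    disabled=",$(ini_get "$1" disable_functions),"
    for fn in system exec shell_exec passthru popen proc_open; do
        case $disabled in *",$fn,"*) ;; *) echo "php.ini: $fn missing from disable_functions" ;; esac
    done
}
# Section 7: Protocol must be exactly 2; Port must be set and moved off 22.
check_sshd() {
    [ "$(sshd_get "$1" Protocol)" = "2" ] || echo "sshd_config: Protocol is not 2"
    case $(sshd_get "$1" Port) in ""|22) echo "sshd_config: Port is unset or still 22" ;; esac
}
# Sections 8 and 9: CSF connection tracking enabled, SYN cookies on.
check_csf_sysctl() {
    case $(ini_get "$1" CT_LIMIT) in ""|0) echo "csf.conf: CT_LIMIT unset or 0, tracking is off" ;; esac
    [ "$(ini_get "$2" net.ipv4.tcp_syncookies)" = "1" ] || echo "sysctl.conf: tcp_syncookies is not 1"
}
# Constructed sample configs (not from any real server) for a partly hardened box.
write_samples() {
    mkdir -p "$1"
    printf 'expose_php = Off\ndisplay_errors = On\nallow_url_fopen = Off\ndisable_functions = system, exec, shell_exec, passthru\n' > "$1/php.ini"
    printf '#Port 22\nProtocol 2,1\nPort 1337\n' > "$1/sshd_config"
    printf 'CT_LIMIT = "0"\nCT_BLOCK_TIME = "1800"\n' > "$1/csf.conf"
    printf 'net.ipv4.tcp_syncookies = 1\n' > "$1/sysctl.conf"
}
# Runs every check against a directory holding the four files (e.g. a backup).
audit_dir() {
    check_php "$1/php.ini"
    check_sshd "$1/sshd_config"
    check_csf_sysctl "$1/csf.conf" "$1/sysctl.conf"
}
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"; audit_dir "$d"; rm -r "$d"
fi
```

Run it with `--demo` to see the six deviations the constructed samples contain, or source it and call `check_php /usr/local/lib/php.ini`, `check_sshd /etc/ssh/sshd_config` and `check_csf_sysctl /etc/csf/csf.conf /etc/sysctl.conf` against the live files.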
Mitigate Slowloris Attacks: http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SlowlorisAttacks
Symlink Race Condition Protection: http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/SymlinkPatch
CSF Configuration: http://blog.softlayer.com/2013/iptables-tips-and-tricks-csf-configuration/
OpenSSH Server Best Security Practices: http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
PHP Security Best Practices: http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html