[AusNOG] CPanel Hardening Recommendations

Karl Hardisty karl at mothership.co.nz
Wed Jul 31 08:13:25 EST 2013


Hi Sam,

Gary's advice is good, as is Seamus'.

Can we take as a given the usual:

- SSH password authorisation off
- SSH port set to random
- SSH keys 
- no SSH for users if shared? (as most do). 
- SSH login limited to nominated IPs (if above is enforced)
- running maldet or similar

We also have our cPanel instances set up to notify upon upload of scripts that can send email, and notification of top mail senders on each server each day.

To add to Gary's advice, cPanel 11.38 allows jailed Apache support - each virtual host chrooted to its own virtfs - in conjunction with mod_ruid2. The latest attack vector is to find an unpatched WordPress or Joomla (surprise, surprise) site, gain control of the account and use symlinks to hijack all other WordPress/Joomla accounts on the server. Unless you've used the aforementioned or carried out hardening of mod_suphp or the PHP module of choice then it's easy enough to do:

http://devzcyberarena.blogspot.co.nz/2013/01/how-to-hack-websites-using-symlink.html
http://thecybersaviours.com/wordpress-hack-through-symlink-bypass

There are solutions such as the below:

http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

and cPanel's own forums are useful:

https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p24.html
https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p4.html#post996441
http://forums.cpanel.net/f442/mod_ruid2-vs-suphp-costs-vs-benefits-269601.html

From a network perspective, distributed attempts to hit WordPress logins are gaining momentum. One of the largest providers here has disabled wp-login for all sites for periods of time to mitigate the damage these types of attacks are causing, as traditional DDoS/firewalling can struggle. Best talk to someone like A10 Networks or other WAF vendors about that.

k.

E: karl at mothership.co.nz | W: mothership.co.nz | A: PO Box 99814, Newmarket | M: 021 999 990 | P: 974 3171
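The symlink hijack Karl describes works because Apache, running as a shared user or via a PHP handler that follows links, will happily serve a symlink one account created that points at another account's wp-config.php. Beyond switching to jailed Apache or fixing the handler, an admin can at least find out whether any account on the box already carries such links. The following is an added example (not from the thread, not cPanel's own tooling) that lists every symlink under an account's home that either resolves outside that home or whose link owner differs from the target's owner. It assumes GNU coreutils (readlink -f, stat -c) and the conventional /home/<account> layout:

```shell
#!/bin/sh
# Added example: audit one hosting account for symlinks that "escape" the
# account. Two conditions are flagged, either of which is enough on a shared
# cPanel box: the link resolves to a path outside the account's home, or the
# file it points at is owned by someone other than the owner of the link.
# Assumes GNU coreutils. Usage: find_escaping_symlinks /home/alice

find_escaping_symlinks() {
    # Canonicalise the home so links under a symlinked /home still compare.
    home=$(readlink -f "$1") || return 2

    find "$home" -type l 2>/dev/null | while IFS= read -r link; do
        # readlink -f resolves every component except possibly the last,
        # so a dangling link still yields a path; stat -L below catches it.
        target=$(readlink -f "$link" 2>/dev/null) || target=""

        case "$target" in
            "$home"|"$home"/*) inside=1 ;;
            *)                 inside=0 ;;
        esac

        # stat without -L reports on the link itself; with -L on its target.
        link_owner=$(stat -c %u "$link" 2>/dev/null) || link_owner=""
        target_owner=$(stat -L -c %u "$link" 2>/dev/null) || target_owner=""

        if [ "$inside" -eq 0 ] || [ "$link_owner" != "$target_owner" ]; then
            printf '%s -> %s\n' "$link" "${target:-<dangling>}"
        fi
    done
}

# Run over every account when invoked with one or more home directories:
#   for h in /home/*; do find_escaping_symlinks "$h"; done
if [ $# -gt 0 ]; then
    for h in "$@"; do
        find_escaping_symlinks "$h"
    done
fi
```

This is a detective control only: it tells you an account has been used to reach across the box, it does not stop the next attempt. Apache's own `SymLinksIfOwnerMatch` option performs the same owner comparison at request time, and the Apache documentation itself notes that the check is subject to races, which is why the cPanel forum threads above end up recommending jailed Apache or a handler that runs each site as its own user rather than relying on the option alone.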

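Karl's point about wp-login floods is that they come from many sources at once, so a per-IP rule in CSF or iptables sees nothing unusual. The following is an added example (not from the thread, not from any WAF vendor) of the two counts a host admin can pull straight out of an Apache combined-format access log: POSTs to /wp-login.php per client per minute, which catches a single noisy source, and POSTs per minute across all clients, which is what shows up when the attempts are distributed. The log lines are constructed for the example, the threshold is an assumption, and the awk is kept to POSIX features so it runs on a stock cPanel box:

```shell
#!/bin/sh
# Added example: detect wp-login.php brute forcing from Apache access logs.
# Usage: wp_login_offenders <access_log> [max_posts_per_minute]
# Prints one line per (client, minute) above the threshold and one line per
# minute whose total across all clients is above it.

wp_login_offenders() {
    logfile=$1
    max=${2:-5}   # assumed threshold; tune to the site's real login rate
    awk -v max="$max" '
        # Combined log fields: $1 client, $4 "[dd/Mon/yyyy:HH:MM:SS",
        # $6 "\"METHOD", $7 request path (query string included).
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            minute = substr($4, 2, 17)          # dd/Mon/yyyy:HH:MM
            hits[$1 SUBSEP minute]++
            total[minute]++
        }
        END {
            for (k in hits) {
                split(k, parts, SUBSEP)
                if (hits[k] > max)
                    printf "ip %s %d POSTs to wp-login.php in minute %s\n",
                           parts[1], hits[k], parts[2]
            }
            for (m in total)
                if (total[m] > max)
                    printf "all-sources %d POSTs to wp-login.php in minute %s\n",
                           total[m], m
        }' "$logfile"
}

# Constructed sample log: one loud client at 08:13, four quiet clients sharing
# the work at 08:15, and a single legitimate login at 08:16.
wp_login_sample_log() {
    ua='"-" "Mozilla/5.0"'
    for s in 01 02 03 04 05 06; do
        echo "203.0.113.5 - - [31/Jul/2013:08:13:$s +1000] \"POST /wp-login.php HTTP/1.1\" 200 3925 $ua"
    done
    for ip in 198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4; do
        echo "$ip - - [31/Jul/2013:08:15:10 +1000] \"POST /wp-login.php HTTP/1.1\" 200 3925 $ua"
        echo "$ip - - [31/Jul/2013:08:15:40 +1000] \"POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1\" 200 3925 $ua"
    done
    echo "198.51.100.1 - - [31/Jul/2013:08:15:41 +1000] \"GET /wp-login.php HTTP/1.1\" 200 3925 $ua"
    echo "192.0.2.9 - - [31/Jul/2013:08:16:02 +1000] \"POST /wp-login.php HTTP/1.1\" 302 0 $ua"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
wp_login_sample_log > "$sample"
wp_login_offenders "$sample" 5
rm -f "$sample"
```

On the sample, 203.0.113.5 trips the per-client line and minute 08:13 trips the aggregate line, while minute 08:15 trips only the aggregate line: eight POSTs spread over four clients, none of which would ever reach a per-IP block threshold. That second signal is the one to feed into whatever response you choose, whether that is the provider-style temporary disabling of wp-login that Karl mentions or a WAF rule in front of the box.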
On 30/07/2013, at 11:33 AM, Gary Buckmaster <gary.buckmaster at digitalpacific.com.au> wrote:

> Further to this, ConfigServer offers a complete cPanel server hardening service which includes the license for CXS and optionally their MailScanner product:
>  
> http://www.configserver.com/cp/cpanel.html
>  
>  
>  
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Seamus Ryan
> Sent: Monday, 29 July 2013 6:08 PM
> To: 'Samantha Scafe'; 'AusNOG at lists.ausnog.net'
> Subject: Re: [AusNOG] CPanel Hardening Recommendations
>  
> If it is a fresh install and you are unfamiliar with cPanel here are some things to get you started:
>  
> 1. Run /scripts/easyapache from the command line and be smart about what PHP/Apache modules and versions to include in your build (some general knowledge in this area will help)
> 2. Download and install CSF (it's free) from http://configserver.com/cp/csf.html. Even if you don't run it as a firewall, it will still tell you loads about how secure your server is, and what things should be disabled/changed (aim to achieve a score of about 125/130)
> 3. Get CXS (http://configserver.com/cp/cxs.html), a paid product, great for finding the nasties on various websites.
> 4. Run regular updates (via yum)
> 5. Run CloudLinux (paid product) to protect a single user from crashing the server when under load
> 6. If you must give users a shell, give them a jailshell (can be done through WHM)
> 7. Run CageFS (CloudLinux addon, locks users in an even more secure environment)
> 8. Run Ksplice (great for many Linux distros IMO)
> 9. Run regular updates
> 10. Run regular updates
>  
> Regards,
> Seamus
>  
> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Samantha Scafe
> Sent: Monday, July 29, 2013 5:55 PM
> To: AusNOG at lists.ausnog.net
> Subject: Re: [AusNOG] CPanel Hardening Recommendations
>  
> Guys
>  
> Can anyone offer me recommendations to harden cpanel, or offers that service Please reply offlist
>  
> Kindest Regards
>  
>  
> Samantha Scafe
>  
>  
> Sam Scafe | System Administrator / Network Services SBDC HQ | 13 Mahogony Street, Holloways Beach Qld 4878
> PEN-DC-1 |  Able Street Jamisontown NSW 2750
> BNE-DC-3 |  Brunswick Street, Fortitude Valley Qld 4004
>  
> Tel: 07 4242 4724  |  Fax: 07 42424747  | Mobile: 0424 136 364
> Email: s.scafe at smellyblackdog.com.au | Web: www.smellyblackdog.com.au
> Amateur Radio: VK4FQ | VK4TTT | VK4RCN
> ADSL – ADSL2+ – MOBILE BROADBAND – BUSINESS ETHERNET – WEB HOSTING – DOMAIN NAMES – REMOTE ADMINISTRATION – CO-LOCATION SERVICES – VOIP
>  
>  
>  
>  
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
