<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Sam,<div><br></div><div>Gary's advice is good, as is Seamus'.<div><br></div><div>Can we take as a given the usual:</div><div><br></div><div>- SSH password authorisation off</div><div>- SSH port set to random</div><div>- SSH keys</div><div>- no SSH for users if shared? (as most do).</div><div>- SSH login limited to nominated IPs (if above is enforced)</div><div>- running maldet or similar</div><div><br></div><div>We also have our cPanel instances set up to notify upon upload of scripts that can send email, and notification of top mail senders on each server each day.</div><div><br></div><div>To add to Gary's advice, cPanel 11.38 allows jailed Apache support - each virtual host chrooted to its own virtfs - in conjunction with mod_ruid2. The latest attack vector is to find an unpatched WordPress or Joomla (surprise, surprise) site, gain control of the account and use symlinks to hijack all other WordPress/Joomla accounts on the server.
Unless you've used the aforementioned or carried out hardening of mod_suphp or the PHP module of choice, then it's easy enough to do:</div><div><br></div><div><a href="http://devzcyberarena.blogspot.co.nz/2013/01/how-to-hack-websites-using-symlink.html">http://devzcyberarena.blogspot.co.nz/2013/01/how-to-hack-websites-using-symlink.html</a></div><div><a href="http://thecybersaviours.com/wordpress-hack-through-symlink-bypass">http://thecybersaviours.com/wordpress-hack-through-symlink-bypass</a></div><div><br></div><div>There are solutions such as the below:</div><div><br></div><div><a href="http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/">http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/</a></div><div><br></div><div>and cPanel's own forums are useful:</div><div><br></div><div><a href="https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p24.html">https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p24.html</a></div><div><a href="https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p4.html#post996441">https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p4.html#post996441</a></div><div><a href="http://forums.cpanel.net/f442/mod_ruid2-vs-suphp-costs-vs-benefits-269601.html">http://forums.cpanel.net/f442/mod_ruid2-vs-suphp-costs-vs-benefits-269601.html</a></div><div><br></div><div>From a network perspective, distributed attempts to hit WordPress logins are gaining momentum. One of the largest providers here has disabled wp-login for all sites for periods of time to mitigate the damage these types of attacks are causing, as traditional DDoS/firewalling can struggle. Best talk to someone like A10 Networks or other WAF vendors about that.</div><div><br></div><div>k.</div><div><br><div apple-content-edited="true">
<span style="font-family: 'Gill Sans MT', sans-serif; color: rgb(74, 68, 42); font-size: 13px;"><b style="color: rgb(192, 0, 0);">l</b> <b>E</b> <a href="mailto:karl@mothership.co.nz">karl@mothership.co.nz</a> <b style="color: rgb(192, 0, 0);">l</b> <b>W</b> <a href="http://mothership.co.nz">mothership.co.nz</a> <b style="color: rgb(192, 0, 0);">l</b> <b>A</b> PO Box 99814, Newmarket <b style="color: rgb(192, 0, 0);">l</b> <b>M</b> 021 999 990 <b style="color: rgb(192, 0, 0);">l</b> <b>P</b> 974 3171</span>
</div>
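<div><br></div><div>Added example, not code from Karl's message, from cPanel or from any of the linked threads: a POSIX shell scan for the cross-account symlink pattern described above, in which a compromised account links from its own public_html to another account's wp-config.php (or to /etc/passwd) and reads it through Apache. It assumes the cPanel-style layout BASE/&lt;user&gt;/public_html (BASE is normally /home) and reports any symlink under an account's public_html that resolves outside that account's home directory. The two-account fixture built by build_sample_tree is constructed for the demo and is not taken from a real server; the function and account names are the example's own.</div><div><br></div>
```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): scan each account's
# public_html for symlinks that resolve outside that account's home directory.
# That is the shape of the cross-account symlink attack: a compromised account
# links to another account's wp-config.php (or /etc/passwd) and reads it through
# Apache when FollowSymLinks is allowed.
#
# Assumption: the cPanel-style layout BASE/<user>/public_html (BASE is normally
# /home). The sample tree used by demo below is constructed in a temp dir.

# find_cross_account_symlinks BASE
#   Prints one line per offending link:  <user> <link> -> <resolved target>
#   Links that stay inside the owning account's home are not reported.
find_cross_account_symlinks() {
    base=$(cd "$1" && pwd -P) || return 1
    for home in "$base"/*/; do
        home=${home%/}
        user=${home##*/}
        [ -d "$home/public_html" ] || continue
        # -type l matches the link itself, not whatever it points to
        find "$home/public_html" -type l 2>/dev/null | while IFS= read -r link; do
            # Canonicalise the target; fall back to the raw link text for
            # dangling links (readlink -f fails when a parent does not exist)
            target=$(readlink -f -- "$link" 2>/dev/null) || target=$(readlink -- "$link")
            case "$target" in
                "$home"|"$home"/*) ;;   # inside this account's home: legitimate
                *) printf '%s %s -> %s\n' "$user" "$link" "$target" ;;
            esac
        done
    done
}

# count_cross_account_symlinks BASE  -> number of offending links on stdout
count_cross_account_symlinks() {
    find_cross_account_symlinks "$1" | wc -l | tr -d ' '
}

# build_sample_tree ROOT
#   Constructed fixture: two accounts, one harmless in-account link, and two
#   links of the attack shape (the other account's wp-config.php, /etc/passwd).
build_sample_tree() {
    root=$1
    mkdir -p "$root/alice/public_html/wp-content" "$root/bob/public_html"
    printf "<?php define('DB_PASSWORD', 'constructed-not-real');\n" \
        > "$root/bob/public_html/wp-config.php"
    ln -s "$root/alice/public_html/wp-content" "$root/alice/public_html/content-link"
    ln -s "$root/bob/public_html/wp-config.php" "$root/alice/public_html/bob-config.txt"
    ln -s /etc/passwd "$root/alice/public_html/passwd.txt"
}

# Demo: build the fixture, scan it, clean up. On a real cPanel host run
#   find_cross_account_symlinks /home
demo() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    find_cross_account_symlinks "$tmp"
    rm -rf "$tmp"
}
demo
```
<div><br></div><div>The scan is a detector, not the fix. The demo reports alice's bob-config.txt and passwd.txt links and stays silent on her in-account content-link. What stops the read is Apache refusing to follow links the requesting account does not own (Options -FollowSymLinks +SymLinksIfOwnerMatch in the relevant Directory block), or the jailed Apache / mod_ruid2 setup above; Apache's documentation notes that the ownership check is subject to a race between the check and the open, so treat it as one layer rather than the whole answer, which is why the cPanel threads linked above also discuss patches at the Apache and kernel level. For the SSH items in the list, the effective settings can be confirmed with sshd -T (as root), for example sshd -T | grep -i '^passwordauthentication', rather than by reading sshd_config and hoping no later directive or Match block overrides it.</div>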
<br><div><div>On 30/07/2013, at 11:33 AM, Gary Buckmaster &lt;<a href="mailto:gary.buckmaster@digitalpacific.com.au">gary.buckmaster@digitalpacific.com.au</a>&gt; wrote:</div><br><blockquote type="cite"><div lang="EN-AU"><div>Further to this, ConfigServer offers a complete cPanel server hardening service which includes the license for CXS and optionally their MailScanner product:</div><div><br></div><div><a href="http://www.configserver.com/cp/cpanel.html">http://www.configserver.com/cp/cpanel.html</a></div><div><br></div><div><b>From:</b> AusNOG [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>] <b>On Behalf Of</b> Seamus Ryan<br><b>Sent:</b> Monday, 29 July 2013 6:08 PM<br><b>To:</b> 'Samantha Scafe'; '<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>'<br><b>Subject:</b> Re: [AusNOG] CPanel Hardening Recommendations</div><div><br></div><div>If it is a fresh install and you are unfamiliar with cPanel, here are some things to get you started:</div><ol><li>Run /scripts/easyapache from the command line and be smart about what PHP/Apache modules and versions to include in your build (some general knowledge in this area will help)</li><li>Download and install CSF (it's free) from <a href="http://configserver.com/cp/csf.html">http://configserver.com/cp/csf.html</a>. Even if you don't run it as a firewall, it will still tell you loads about how secure your server is, and what things should be disabled/changed (aim to achieve a score of about 125/130)</li><li>Get CXS (<a href="http://configserver.com/cp/cxs.html">http://configserver.com/cp/cxs.html</a>), a paid product, great for finding the nasties on various websites.</li><li>Run regular updates (via yum)</li><li>Run CloudLinux (paid product) to protect a single user from crashing the server when under load</li><li>If you must give users a shell, give them a jailshell (can be done through WHM)</li><li>Run CageFS (CloudLinux addon, locks users in an even more secure environment)</li><li>Run Ksplice (great for many Linux distros IMO)</li><li>Run regular updates</li><li>Run regular updates</li></ol><div>Regards,</div><div>Seamus</div><div><br></div><div>-----Original Message-----<br>From: AusNOG [<a href="mailto:ausnog-bounces@lists.ausnog.net">mailto:ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Samantha Scafe<br>Sent: Monday, July 29, 2013 5:55 PM<br>To: <a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>Subject: Re: [AusNOG] CPanel Hardening Recommendations</div><div><br></div><div>Guys</div><div><br></div><div>Can anyone offer me recommendations to harden cPanel, or offer that service? Please reply off-list.</div><div><br></div><div>Kindest Regards</div><div><br></div><div>Samantha Scafe</div><div><br></div><div>Sam Scafe | System Administrator / Network Services SBDC HQ | 13 Mahogony Street, Holloways Beach Qld 4878</div><div>PEN-DC-1 | Able Street Jamisontown NSW 2750</div><div>BNE-DC-3 | Brunswick Street, Fortitude Valley Qld 4004</div><div><br></div><div>Tel: 07 4242 4724 | Fax: 07 42424747 | Mobile: 0424 136 364</div><div>Email: <a href="mailto:s.scafe@smellyblackdog.com.au">s.scafe@smellyblackdog.com.au</a> | Web: <a href="http://www.smellyblackdog.com.au">www.smellyblackdog.com.au</a></div><div>Amateur Radio: VK4FQ | VK4TTT | VK4RCN</div><div>ADSL ADSL2+ - MOBILE BROADBAND BUSINESS ETHERNET WEB HOSTING DOMAIN NAMES REMOTE ADMINISTRATION - CO-LOCATION SERVICES - VOIP</div><div><br></div><div>_______________________________________________</div><div>AusNOG mailing list</div><div><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a></div><div><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a></div></div></blockquote></div><br></div></div></body></html>