[AusNOG] CPanel Hardening Recommendations

Gary Buckmaster gary.buckmaster at digitalpacific.com.au
Wed Jul 31 10:35:17 EST 2013


This is excellent advice, although one point of note:

mod_ruid2 is still marked as experimental by cPanel due to the fact that it's
got a number of important incompatibilities.  Notably it's incompatible with
mod_security which is installed by the ConfigServer hardening services.
http://docs.cpanel.net/twiki/bin/view/EasyApache/Apache/ModRuid#Incompatibilities

Seamus' advice to use CageFS under CloudLinux is a very good one and does
much of the same work you get with the jailed apache configuration, although
it's a bit of work to set up.

 

 

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Karl
Hardisty
Sent: Wednesday, 31 July 2013 8:13 AM
To: ausnog at lists.ausnog.net
Cc: s.scafe at smellyblackdog.com.au
Subject: Re: [AusNOG] CPanel Hardening Recommendations

 

Hi Sam,

 

Gary's advice is good, as is Seamus'.

 

Can we take as a given the usual:

 

- SSH password authorisation off

- SSH port set to random

- SSH keys 

- no SSH for users if shared? (as most do). 

- SSH login limited to nominated IPs (if above is enforced)

- running maldet or similar

 

We also have our cPanel instances set up to notify upon upload of scripts
that can send email, and notification of top mail senders on each server
each day.

 

To add to Gary's advice, cPanel 11.38 allows jailed apache support - each
virtual host chrooted to its own virtfs - in conjunction with mod_ruid2.
The latest attack vector is to find an unpatched WordPress or Joomla
(surprise, surprise) site, gain control of the account and use symlinks to
hijack all other WordPress/Joomla accounts on the server. Unless you've used
the aforementioned or carried out hardening of mod_suphp or php module of
choice then it's easy enough to do:

 

http://devzcyberarena.blogspot.co.nz/2013/01/how-to-hack-websites-using-symlink.html

http://thecybersaviours.com/wordpress-hack-through-symlink-bypass

 

There are solutions such as the below:

 

http://whmscripts.net/misc/2013/apache-symlink-security-issue-fixpatch/

 

and cPanel's own forums are useful:

 

https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p24.html

https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p4.html#post996441

http://forums.cpanel.net/f442/mod_ruid2-vs-suphp-costs-vs-benefits-269601.html

 

From a network perspective, distributed attempts to hit WordPress logins are
gaining momentum. One of the largest providers here has disabled wp-login
for all sites for periods of time to mitigate the damage these types of
attacks are causing, as traditional DDOS/firewalling can struggle. Best talk
to someone like A10 networks or other WAF vendors about that.

 

k.

 

karl at mothership.co.nz | mothership.co.nz | PO Box 99814, Newmarket |
021 999 990 | 974 3171

 

On 30/07/2013, at 11:33 AM, Gary Buckmaster
<gary.buckmaster at digitalpacific.com.au> wrote:





Further to this, ConfigServer offers a complete cPanel server hardening
service which includes the license for CXS and optionally their MailScanner
product:

 

http://www.configserver.com/cp/cpanel.html

 

 

 

From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Seamus
Ryan
Sent: Monday, 29 July 2013 6:08 PM
To: 'Samantha Scafe'; 'AusNOG at lists.ausnog.net'
Subject: Re: [AusNOG] CPanel Hardening Recommendations

 

If it is a fresh install and you are unfamiliar with cPanel here are some
things to get you started:

 

1. Run /scripts/easyapache from the command line and be smart about
what php/apache modules and versions to include in your build (Some general
knowledge in this area will help)

2. Download and install CSF (it's free) from
http://configserver.com/cp/csf.html.
Even if you don't run it as a firewall, it will still tell you loads about
how secure your server is, and what things should be disabled/changed (Aim
to achieve a score of about 125/130)

3. Get CXS (http://configserver.com/cp/cxs.html) paid product, great for
finding the nasties on various websites.

4. Run regular updates (via yum)

5. Run cloudlinux (paid product) to protect a single user from
crashing the server when under load

6. If you must give users a shell, give them a jailshell (can be done
through WHM)

7. Run cagefs (cloudlinux addon, locks users in an even more secure
environment)

8. Run ksplice (great for many linux distros IMO)

9. Run regular updates

10. Run regular updates

 

Regards,

Seamus

 

-----Original Message-----
From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Samantha Scafe
Sent: Monday, July 29, 2013 5:55 PM
To: AusNOG at lists.ausnog.net
Subject: Re: [AusNOG] CPanel Hardening Recommendations

 

Guys

 

Can anyone offer me recommendations to harden cpanel, or offers that service
Please reply offlist

 

Kindest Regards

 

 

Samantha Scafe

 

 

Sam Scafe | System Administrator / Network Services SBDC HQ | 13 Mahogony
Street, Holloways Beach Qld 4878

PEN-DC-1 |  Able Street Jamisontown NSW 2750

BNE-DC-3 |  Brunswick Street, Fortitude Valley Qld 4004

 

Tel: 07 4242 4724  |  Fax: 07 42424747  | Mobile: 0424 136 364

Email: s.scafe at smellyblackdog.com.au | Web: www.smellyblackdog.com.au
Amateur Radio:  VK4FQ | VK4TTT | VK4RCN
ADSL - ADSL2+ - MOBILE BROADBAND - BUSINESS ETHERNET - WEB HOSTING -
DOMAIN NAMES - REMOTE ADMINISTRATION - CO-LOCATION SERVICES - VOIP

 

 

 

 

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
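
Added example, not part of the original thread or any poster's own tooling: a defensive audit for the symlink problem described above, listing every symlink inside a hosting account whose resolved target lies outside that account's own directory. The function names and the assumption that each account is a directory directly under one root (such as /home) are hypothetical; the sample tree is constructed.

```python
import os
import tempfile


def cross_account_symlinks(home_root):
    """Return sorted (link, resolved_target) pairs for symlinks that sit inside
    an account directory but resolve outside that account's directory."""
    findings = []
    root = os.path.realpath(home_root)
    for account in sorted(os.listdir(root)):
        account_dir = os.path.join(root, account)
        # Assumption: one real directory per account directly under the root.
        if os.path.islink(account_dir) or not os.path.isdir(account_dir):
            continue
        # followlinks=False: links are reported but never descended into.
        for dirpath, dirnames, filenames in os.walk(account_dir, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                # commonpath compares whole path components, so /home/al
                # is not mistaken for a parent of /home/alice.
                if os.path.commonpath([account_dir, target]) != account_dir:
                    findings.append((path, target))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample layout with two accounts, 'alice' and 'bob'."""
    for account in ("alice", "bob"):
        os.makedirs(os.path.join(base, account, "public_html"))
    bob_cfg = os.path.join(base, "bob", "public_html", "wp-config.php")
    with open(bob_cfg, "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    alice_web = os.path.join(base, "alice", "public_html")
    # Benign: the link stays inside alice's own tree, so it is not reported.
    os.symlink(alice_web, os.path.join(base, "alice", "www"))
    # Reported: a link in alice's web root that resolves into bob's account.
    os.symlink(bob_cfg, os.path.join(alice_web, "notes.txt"))
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for link, target in cross_account_symlinks(tmp):
            print(f"{link} -> {target}")
```

On a real server the scan needs enough privilege to read every account's tree, and its findings are leads to review rather than proof of compromise.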
