Wednesday, March 27, 2013

How to ensure cPanel server security

cPanel exposes a number of options that help secure a server, listed below. Each of them can be managed from the WHM interface, and configuring their values properly makes the server reasonably secure.

Security settings

SSH configurations
Brute force Protection
Password strength configuration
open_basedir in PHP
Apache mod_userdir
SSH keys
Compiler access
Shell Fork Bomb Protection
Anonymous FTP
Exim configurations
Firewall configurations

Analyzing the settings

Scanning the system
Chkservd

Updating the settings

System updates

SSH configurations


The SSH configuration allows or denies root-level access to the server for given hosts. WHM also lets you specify which services are allowed for which IPs: in the Host Access Control interface you can add allowed and denied hosts together with the services they apply to. Configuring this properly helps isolate the server from attackers. On shared servers it is normally recommended to give shell access to the administrator user only.
Wheel/sudo user management also falls under this heading. Commands can be restricted per user in the sudoers file; allowing only a limited set of commands to groups, and managing those groups, also raises the security level of the server. On cPanel, wheel users can be managed from the WHM interface.

Reference : http://docs.cpanel.net/view/WHMDocs/DenyAccess
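
A quick way to check the "shell access for the administrator only" recommendation and the wheel membership from the command line. This is an added example, not part of the original post; the function names, the administrator login opsadmin and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# shell_users ADMIN   : passwd-format text on stdin; prints accounts other
#                       than root and ADMIN that have a usable login shell.
# wheel_members ADMIN : group-format text on stdin; prints wheel members
#                       other than root and ADMIN.
shell_users() {
  awk -F: -v admin="$1" '
    /^#/ || NF < 7 || $1 == "root" || $1 == admin { next }
    {
      n = split($7, part, "/")
      base = (n > 0) ? part[n] : ""
      # shells that refuse an interactive login
      if (base ~ /^(nologin|false|noshell|sync|shutdown|halt)$/) next
      # an empty shell field means the system default shell
      print "SHELL " $1 " " ($7 == "" ? "(default)" : $7)
    }'
}

wheel_members() {
  awk -F: -v admin="$1" '
    $1 == "wheel" {
      n = split($4, member, ",")
      for (i = 1; i <= n; i++)
        if (member[i] != "root" && member[i] != admin) print "WHEEL " member[i]
    }'
}

# Constructed sample data, not from a real server.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
opsadmin:x:1000:1000::/home/opsadmin:/bin/bash
fred:x:1001:1001::/home/fred:/usr/local/cpanel/bin/jailshell
site2:x:1002:1002::/home/site2:/usr/local/cpanel/bin/noshell
site3:x:1003:1003::/home/site3:/bin/bash'
SAMPLE_GROUP='root:x:0:
wheel:x:10:opsadmin,site3'

printf '%s\n' "$SAMPLE_PASSWD" | shell_users opsadmin
printf '%s\n' "$SAMPLE_GROUP" | wheel_members opsadmin
```

On a live server the same functions can be fed /etc/passwd and /etc/group on stdin. A jailed shell is still reported, because it is still shell access.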

Brute force Protection


Enabling brute force protection helps against brute-force attempts to break into a system. In cPanel, the limit on login attempts is set from the WHM interface. Once the number of failed logins exceeds that limit, the IP is logged in the database and its access to the system is blocked. That IP can try again after a predefined time. This is a very sensitive protection layer in cPanel.

Reference : http://docs.cpanel.net/twiki/bin/view/WHMDocs/CPHulk
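
The lockout behaviour described above, as a simplified model run over sample login records. This is an added example, not cPHulk's own code; the input format, the function name and the choice to block when the count reaches the limit are assumptions of the model.

```shell
#!/bin/sh
# Added example, not cPHulk code: a simplified model of the lockout described
# above. Reads "epoch ip FAIL|OK" lines on stdin (a constructed format).
# $1 = failed-login limit, $2 = counting window (s), $3 = block time (s)
lockout_model() {
  awk -v limit="$1" -v window="$2" -v block="$3" '
    {
      t = $1 + 0; ip = $2
      # while blocked, every attempt is refused, even a correct password
      if ((ip in blocked_until) && t < blocked_until[ip]) {
        print "REJECT " t " " ip
        next
      }
      if ($3 != "FAIL") next
      # start a new count on the first failure or once the window has passed
      if (!(ip in first) || t - first[ip] > window + 0) {
        first[ip] = t
        fails[ip] = 0
      }
      if (++fails[ip] >= limit + 0) {
        blocked_until[ip] = t + block
        print "BLOCK " t " " ip " until " blocked_until[ip]
        delete first[ip]          # counting restarts after the block expires
      }
    }'
}

# Constructed sample records (documentation address ranges).
SAMPLE_LOGINS='1000 203.0.113.7 FAIL
1010 203.0.113.7 FAIL
1015 198.51.100.4 FAIL
1020 203.0.113.7 FAIL
1030 203.0.113.7 OK
1400 198.51.100.4 FAIL
1700 203.0.113.7 OK'

printf '%s\n' "$SAMPLE_LOGINS" | lockout_model 3 300 600
```

With a limit of 3, the third failure from 203.0.113.7 triggers the block, the login at 1030 is refused although the password was correct, and the login at 1700 goes through because the block has expired.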

Password strength configuration


The administrator can set the required password strength for all passwords used in cPanel from the WHM interface. The value can be set individually for each type of password, or a common value can be applied to all. With this enabled and a good strength value configured, users cannot choose weak passwords, which avoids account-level compromises. Weak passwords are one of the main security threats to a server.

Reference : http://docs.cpanel.net/twiki/WHMDocs/PwordStrength

open_basedir in PHP


PHP open_basedir protection prevents users from opening files outside their home directory. If it is not enabled, users can use fopen() to open files they do not own. The same can be achieved with the disabled functions option in the PHP configuration. Disabling the allow_url_fopen setting prevents remote file injection/access on the server through PHP scripts. This can be done in the global PHP configuration file.

Reference : http://docs.cpanel.net/twiki/WHMDocs/TweakPhp
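
A check for the three PHP settings named above, run against php.ini-style text. This is an added example, not part of the original post; the function name and the sample file are assumptions, and it only sees values set in the file it is given.

```shell
#!/bin/sh
# Added example, not from the original post: report PHP settings that leave
# the protections described above switched off. Reads php.ini text on stdin.
audit_php_ini() {
  awk '
    /^[ \t]*;/ || /^[ \t]*\[/ || /^[ \t]*$/ { next }   # comments, [sections], blanks
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1)
      val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key)
      sub(/[ \t]*;.*$/, "", val)      # trailing "; comment"
      sub(/^[ \t"]+/, "", val)        # leading blanks and quote
      sub(/[ \t"]+$/, "", val)        # trailing blanks and quote
      cfg[key] = val                  # assumption: the last assignment wins
    }
    END {
      # unset means the PHP default applies, which is On for allow_url_fopen
      v = ("allow_url_fopen" in cfg) ? tolower(cfg["allow_url_fopen"]) : "unset"
      if (v != "off" && v != "0" && v != "false" && v != "no" && v != "")
        print "FAIL allow_url_fopen=" v
      if (cfg["open_basedir"] == "") print "FAIL open_basedir=unset"
      if (cfg["disable_functions"] == "") print "WARN disable_functions=empty"
    }'
}

# Constructed sample input, not taken from a real server.
SAMPLE_PHP_INI='[PHP]
; remote includes left on by an earlier edit
allow_url_fopen = On
disable_functions = "exec,passthru,shell_exec,system"   ; hardening
;open_basedir = /home/fred:/tmp
allow_url_fopen = Off
'

printf '%s' "$SAMPLE_PHP_INI" | audit_php_ini
```

The sample shows two easy-to-miss cases: a later assignment overriding an earlier one, and an open_basedir line that looks configured but is commented out.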

Apache mod_userdir


Apache mod_userdir protection does not deal with server security directly, but it can affect the accounts. Apache’s mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URL on a specific host. For example, “http://test.cpanel.net/~fred/” will bring up the user fred’s domain. The disadvantage of this feature is that any bandwidth used by this site is attributed to the domain it is accessed under (in this case test.cpanel.net). mod_userdir protection prevents this from happening.

Reference : http://docs.cpanel.net/twiki/bin/WHMDocs/TweakModuserdir

Compiler access


Compiler access should be disabled for unprivileged users. By default it is disabled for all users. Enabling it for a user allows that user to use the working C compilers on the system and so to compile code. Normally, it should be enabled only for the root user.

Reference : http://docs.cpanel.net/twiki/bin/view/DisableCompilers

Shell Fork Bomb Protection


If this protection is disabled, users with shell access can consume the system's resources without any limit; enabling it prevents that. Normally, it is disabled on the server for all users. Also, giving cPanel users shell access on shared servers is not recommended.

Reference : http://docs.cpanel.net/twiki/bin/view/WHMDocs/ShellFork

Anonymous FTP


Anonymous FTP lets users or visitors upload content using anonymous FTP logins. Through this they can gain access to the account, so it is recommended to disable this option in WHM. Authorized access is recommended in all cases. In addition, secured access to the server's services encrypts the connection to the server (this requires SSL to be installed for the server and the services).

Reference : http://docs.cpanel.net/twiki/bin/CpanelDocs/AnonymousFTP

Exim configurations


Enabling sender verification checks the validity of the sender. Mail is delivered only if the sender is valid; otherwise it is rejected. This is a good option for rejecting spam. The Exim configuration editor has further options that help the mail server work better.

Reference : http://docs.cpanel.net/twiki/bin/WHMDocs/EximConfig

Firewall configurations


CSF and LFD


On cPanel, CSF and LFD contribute a great deal to security. CSF is the firewall most commonly used with cPanel, and configuring it properly keeps intruders out of the server. LFD is the other component that comes with CSF. It has many options that can be enabled to detect activity on the server. When enabled, it mails every alert, with details, to the specified address. Checking and fixing everything these alerts report is highly recommended.
To monitor these services, cPanel provides the Chkservd option in the service manager. From this interface you can enable checking and monitoring for almost all services running under cPanel, and you can also add custom services to chkservd. Its main advantage is that it automatically restarts a monitored service if it is found stopped for any reason. If monitoring is enabled for the service, it also mails the contact address with the status of the service and the restart attempts made. These alerts tell you which services went down or came back up. When a service is reported down, you can start investigating the root cause using the timestamp of the mail.

Reference : http://docs.cpanel.net/twiki/view/ApiDocs/ApiChkservd

Scanning the system


The security scan feature in cPanel reports the current state of the server configuration, including the firewall settings, with a detailed report on each setting. By analyzing it we can tweak the configuration and improve it. Configuring cPanel servers according to this report is highly recommended.

Reference : http://docs.cpanel.net/twiki/view/SecurityandVirusScanning

System updates


Enabling this feature in WHM updates all software automatically and so patches vulnerabilities, which keeps the system up to date at all times. In addition, enabling Linux Environment Security (LES) in cPanel adds attributes to sensitive system files, which prevents them from being modified. Any update that modifies system files is then possible only after disabling LES. This is therefore an important option that should be enabled on the server.

Reference : http://docs.cpanel.net/AllDocumentation/UpdateServerSoftware

The above is a very rough outline of cPanel security configuration.
