How to Secure your cPanel/WHM Server Installation

Document Sample
How to Secure your cPanel/WHM Server Installation Powered By Docstoc







1. Installation

To begin your installation, use the following commands
into SSH:

cd /home
sh latest

cd /home - Opens /home directory
wget - Fetches the latest
installation file from the cPanel servers.
sh latest - Opens and runs the installation files.

WHM\cPanel should be installed now.

You should be able to access cPanel via


or http://serverip/cpanel and

WHM via http://serverip:2086(SSL-2087)
or http://serverip/whm.

Now Let's configure it now.


Login to WHM using root username/passwd

http://serverip:2086 or http://serverip/whm

WHM - Server setup - Tweak Security:

Enable open_basedir protection
Disable Compilers for all accounts(except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection
WHM - Account Functions:

Disable cPanel Demo Mode
Disable shell access for all accounts(except root)
WHM - Service Configuration - FTP Configuration:

Disable anonymous FTP access


Set some MySQL password(Don't set the same password
like for the root access)
-If you didn't set MySQL password someone will be able to
login into the DB with
username "root" without password and
delete/edit/download any db on the server.

WHM - Service Configuration - Apache Configuration - PHP
and SuExec Configuration

Enable suEXEC - suEXEC = On
When PHP runs as an Apache Module it executes as the
user/group of the
webserver which is usually "nobody" or "apache". suEXEC
changes this so

scripts are run as a CGI. Than means scripts are executed
as the user
that created them. With suEXEC script permissions can't
be set to
777(read/write/execute at user/group/world level)

The server and it's services - PHP Installation,
Optimization & Security

>> Keep all services and scripts up to date and
make sure that you running the latest secured

On CentOS type this into SSH to upgrade/update services
on the server.

yum upgrade


yum update

>> PHP installation/update, configuration and
optimization + Suhosin patch

First download what you need, type the following into

cd /root wget
5.2.9.tar.bz2/from/this/mirror wget wget

Untar PHP:

tar xvjf php-5.2.9.tar.bz2

Patch the source:
gunzip < suhosin-patch-5.2.8- | patch -p0

Configure the source. If you want to use the same config
as you used for
the last php build it's not a problem but you will have to

enable-suhosin to old config. To get an old config type this
into SSH:

php -i | grep ./configure cd php-5.2.9 ./configure --
enable-suhosin + old config(add old config you got from
"php -i | grep ./configure" here) make make install

Note: If you get an error like make: command not found
or patch: Command
not found, you will have to install "make" and "patch". It
can be done
easly. Just type this into SSH:

yum install make yum install patch

Now check is everything as you want. Upload php script
like this on the server:

phpinfo(); ?>

And open it via your browser and you will see your PHP
configuration there.

>> Suhosin

We will install Suhosin now, it's an advanced protection
system for PHP.

tar zxvf suhosin-0.9.27.tgz cd suhosin-0.9.27 phpize
./configure make make install

After you installed suhosin you will get something like
this: It's installed to /usr/local/lib/php/extensions/no-

Now edit your php.ini. If you don't know where php.ini
located is, type this into SSH.

php -i | grep php.ini

Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
It means you have to edit /usr/local/lib/php.ini

Type into SHH:

nano /usr/local/lib/php.ini

If you get an error, nano: Command not found, then:

yum install nano

Find "extension_dir =" and add:
extension_dir = /usr/local/lib/php/extensions/no-debug-
To save it, CTRL + O and press the enter button on your

>> Zend Optimizer:

Download Zend Optimizer

tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
cd ZendOptimizer-3.3.3-linux-glibc23-i386 ./

Welcome to Zend Optimizer installation..... - Press Enter
Zend licence agreement... - Press Enter button
Do you accept the terms of this licence... - Yes, press
Enter button

Location of Zend Optimizer... - /usr/local/Zend, press
Enter button
Confirm the location of your php.ini file...- /usr/local/lib,
press Enter button
Are you using Apache web-server.. - Yes, press Enter
Specify the full path to the Apache control
utility(apachectl)...-/usr/local/apache/bin/apachectl, press
Enter button
The installation has completed seccessfully...- Press Enter

Now restart apache, type this into SSH:

service httpd restart

>> php.ini & disabled functions

Edit php.ini like this:

nano /usr/local/lib/php.ini

safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec,
shell_exec, passthru, phpinfo,

service httpd restart

Or you can edit php.ini via WHM:
WHM - Service Configuration - PHP Configuration Editor

Kernel Hardening - Linux Kernel + Grsecurity Patch

Description : grsecurity is an innovative approach to
security utilizing
a multi-layered detection, prevention, and containment
model. It is
licensed under the GPL. It offers among many other
-An intelligent and robust Role-Based Access Control
(RBAC) system that can generate least privilege policies
for your entire system with no configuration
-Change root (chroot) hardening
-/tmp race prevention
-Extensive auditing
-Prevention of arbitrary code execution, regardless of the
technique used (stack smashing, heap corruption, etc)
-Prevention of arbitrary code execution in the kernel
-Randomization of the stack, library, and heap bases
-Kernel stack base randomization
-Protection against exploitable null-pointer dereference
bugs in the kernel
-Reduction of the risk of sensitive information being
leaked by arbitrary-read kernel bugs
-A restriction that allows a user to only view his/her
-Security alerts and audits that contain the IP address of
the person causing the alert

Downloading and patching kernel with grsecurity

cd /root wget wget tar xzvf linux- patch -p0 < grsecurity-2.1.12-
200809141715.patch mv linux- linux-
ln -s linux- linux cd linux cp
/boot/config-`uname -r` .config make oldconfig Compile

the Kernel: make bzImage make modules make
modules_install make install

Check your grub loader config, and make sure default is 0

nano /boot/grub/grub.conf

Reboot the server



In order to change SSH port and protocol you will have to
edit sshd_config

nano /etc/ssh/sshd_config

Change Protocol 2,1 to Protocol 2
Change #Port 22 to some other port and uncomment it
Like, Port 1337

There is a lot of script kiddiez with brute forcers and they
will try to crack our ssh pass because they know
username is root, port is 22

But we were smarter, we have changed SSH port

SSH Legal Message

edit /etc/motd, write in motd something like this:

"ALERT! That is a secured area. Your IP is logged.
Administrator has been notified"
When someone logins into SSH he will see that message:
ALERT! That is a secured area. Your IP is logged.
Administrator has been notified
If you want to recieve an email every time when someone

logins into SSH as root, edit .bash_profile(It's located in
/root directory) and put this at the end of file:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail
-s "Alert: Root Access from `who | awk '{print

And at the end restart SSH

service sshd restart

Firewall - DDoS Protection

>> Firewall, CSF Installation

wget tar -xzf
csf.tgz cd csf

In order to install csf your server needs to have some ipt
enabled. csftest is a perl script and it comes with csf. You
can check
those mudules with it.


The output should be like this:

Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK

Testing iptable_nat/ipt_REDIRECT...OK

Don't worry if you don't have all those modules enabled,
csf will work if
you didn't get any FATAL errors at the end of the output.

Now, get to installation


You will have to edit csf.conf file. It's located here:
You need to edit it like this:
Testing = "0"

And you need to configure open ports in csf.conf or you
won't be able to
access these ports. In most cases it should be configured
like this if
you are using cPanel/WHM. If you are running something
on some other port
you will have to enable it here. If you changed SSH port
you will have
to add a new port here:
# Allow incoming TCP ports
# Allow outgoing TCP ports
6.2) CSF Connection Limit
There is in csf.conf CT option, configure it like this
CT_LIMIT = "200"
It means every IP with more than 200 connections is
going to be blocked.
IP will blocked permanenty
CT_BLOCK_TIME = "1800"
IP will be blocked 1800 secs(1800 secs = 30 mins)

Set this to the the number of seconds between connection
tracking scans.
After csf.conf editing you need to restart csf
root@server [~# service csf restart
6.3) SYN Cookies
Edit the /etc/sysctl.conf file and add the following line in
order to enable SYN cookies protection:

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

service network restart

>> CSF as security testing tool

CSF has an option "Server Security Check". Go to WHM -
Plugins - CSF -
Test Server Security. You will see additional steps how to
secure the
server even more. I'm writing only about most important
things here and
I covered most of them in the paper but if you want you
can follow steps
provided by CSF to get the server even more secured.

>> Mod_Evasive

ModEvasive module for apache offers protection against
DDoS (denial of service attacks) on your server.
To install it login into SSH and type:

cd /root/ wget
_1.10.1.tar.gz tar zxf mode_evasive-1.10.1.tar.gz cd

then type...

/usr/sbin/apxs -cia mod_evasive20.c

When mod_evasive is installed, place the following lines in
your httpd.conf (/etc/httpd/conf/httpd.conf)

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

6.6 Random things:

csf -d IP - Block an IP with CSF
csf -dr IP - Unblock an IP with CSF
csf -s - Start firewall rules
csf -f - Flush/stop firewall rules
csf -r - Restart firewall rules
csf -x - Disable CSF
csf -e - Enable CSF
csf -c - Check for updates
csf -h - Show help screen
-Block an IP via iptables
iptables -A INPUT -s IP -j DROP
-Unblock an IP via iptables
iptables -A INPUT -s IP -j ACCEPT
-See how many IP addresses are connected to the server
and how many connections has each of them.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
| sort -n


Mod_Security is a web application firewall and he can help
us to secure our sites against RFI, LFI, XSS, SQL Injection
If you use cPanel/WHM you can easly enable Mod_security
in WHM - Plugins - Enable Mod_Security and save
Now I will explain how to install Mod_security from
You can't install Mod_Security if you don't have libxml2

and http-devel libraries.
Also, you need to enable mod_unique_id in apache
modules, but don't worry, I will explain how to do it

Login into SSH and type...

yum install libxml2 libxml2-devel httpd-devel

libxml2 libxml2-devel httpd-devel should be installed now
then you need to edit httpd.conf file, you can find it here:

nano /etc/httpd/conf/httpd.conf

You need to add this in your httpd.conf file
LoadModule unique_id_module
Now download the latest version of mod_security for
apache2 from

login into SSH and type...

cd /root/ wget
apache_2.5.6.tar.gz tar zxf modsecurity-
apache_2.5.6.tar.gz cd modsecurity-apache_2.5.6 cd

then type:

./configure make make install

Go at the end of httpd.conf and place an include for our
config/rules file...
Include /etc/httpd/conf/modsecurity.conf

# /etc/httpd/conf/httpd.conf
LoadModule unique_id_module
LoadFile /usr/lib/
LoadModule security2_module modules/
Include /etc/httpd/conf/modsecurity.conf

You need to find a good rules for Mod_Security. You can
find them at
official Mod_Security site. Also, give a try to
rules. When
you find a good rules, just put them in
And restart httpd at the end, type "service httpd restart"
into SSH.

Anti-Virus - ClamAV

You need AV protection to protect the server against
worms and trojans
invading your mailbox and files! Just install clamav (a free
open source
antivirus software for linux). More information can be
found on clamav.
website -

In order to install CLamAV login into SSH and type

yum install clamav

Once you have installed clamav for your CentOS, here are
some basic commands you will need:

Update the antivirus database


Run antivirus

clamscan -r /home

Running as Cron Daily Job
To run antivirus as a cron job (automatically scan daily)

just run crontab -e from your command line. Then add the
following line and save the file.

@daily root clamscan -R /home

It means clamav will be scanning /home directory every
day. You can change the folder to whatever you want to


Rootkit scanner is scanning tool to ensure you for about
99.9%* you're clean of nasty tools.

This tool scans for rootkits, backdoors and local exploits
by running tests like:
-MD5 hash compare
-Look for default files used by rootkits
-Wrong file permissions for binaries
-Look for suspected strings in LKM and KLD modules
-Look for hidden files
-Optional scan within plaintext and binary files

Login into SSH and type

cd /root/ wget
1.2.7.tar.gz tar -zxvf rkhunter-1.2.7.tar.gz cd rkhunter

Scan the server with rkhunter

rkhunter -c

The Rest of it

>> Random suggestions

If you use bind DNS server then we need to edit
named.conf file
named.conf is located here: /etc/named.conf
and add
recursion no; under Options

recursion no;

Now restart bind, type into SSH

service named restart

This will prevent lookups from and similar
services and reduce server load
In order to prevent IP spoofing, you need to edit host.conf
file like this:
This file is located here: /etc/host.conf
Add that in host.conf

order bind,hosts
nospoof on

Hide the Apache version number:
edit httpd.conf (/etc/httpd/conf/httpd.conf)

ServerSignature Off

>> Passwords

Don't use the same password you are using for the server
on some other places.
When the Datacenter contacts you via e-mail or phone,
always request more information. Remember, someone
else could contact you to get some information or even
root passwords.

>> Random thoughts

No matter what you need to secure the server, don't think
you are safe only because you are not personally involved
in any shits with "hackers". When you are hosting
hacking/warez related sites you are the target. There is
no such thing as totally secured server. Most important
things are backups, make sure you will always have an
"up-to-date" offsite backups.	

The rest is self-explainable and easily done
through the WHM!



Shared By:
Description: This tutorial will teach you how to harden your cPanel server to prevent hacking and ddos