We perform server hardening for our Managed Dedicated Servers and cPanel server management customers, and we thought we would share the steps we use to secure a cPanel server. The following steps suit cPanel on CentOS.
At Medha Hosting we follow this 15-step server hardening process.
Let’s do the “cPanel Hardening”
1) Disable direct root login.
Important note: Please do not log out of your system after disabling direct root login. Follow the steps until you have created a dedicated SSH user, and only then log out. Otherwise you will not be able to log in to your system again. Please be careful.
The root user has permission to do anything on your system. What if someone got access to the root account? Let’s disable direct root login by following the steps below.
Edit the SSH main configuration file.
vi /etc/ssh/sshd_config
You can find the below line.
#PermitRootLogin yes
Change it as below (this also uncomments the line).
PermitRootLogin no
Restart SSH to update the changes.
service sshd restart
Now you have disabled direct root login. Follow the steps below to create a dedicated SSH user.
2) Create dedicated SSH user.
After disabling direct root login, the next step is to create a dedicated SSH user. (Only this user will have SSH login permission on your system.)
We are going to create a dedicated user called “sshusr”. Please follow the steps below.
Create the user account.
useradd sshusr
Set the password.
passwd sshusr
Add this user to the “/etc/sudoers” file. Edit the file directly or run the command below.
visudo
You can find a line as shown below.
root ALL=(ALL) ALL
The above line means root user can run any commands anywhere. Add the line given below under this line.
sshusr ALL=(ALL) ALL
Now save the file.
From now on, the user “sshusr” has permission to run any command anywhere. But for this you have to put “sudo” at the beginning of every command that you execute as user “sshusr”.
For example, if you log in as “sshusr” and want to restart Apache, you have to do it as shown below.
sudo /etc/init.d/httpd restart
You can also switch from this user to root. Run the command below.
sudo su -
Now we have disabled direct root login and created a user called “sshusr” with full permissions on your system. But this doesn’t make “sshusr” a dedicated SSH user: there may be other users on your system that have SSH shell access. Follow the steps below to block all those users and make “sshusr” the only SSH user.
Edit the main SSH configuration file.
vi /etc/ssh/sshd_config
Add the line below.
AllowUsers sshusr
Save the file and restart SSH service to update these changes.
service sshd restart
You have created a dedicated SSH user.
3) Change SSH default port
Everyone knows 22 is the default SSH port, so it’s always good to change this default port to something unguessable. Please follow the steps below.
Here I’m going to change the port to 4242. Edit the main SSH configuration file.
vi /etc/ssh/sshd_config
You can find the below line.
#Port 22
Change it as below.
Port 4242
Restart SSH to update the changes.
service sshd restart
That’s it!! You have changed the SSH port to 4242.
To login as “sshusr” from a remote Linux machine you can run the below command.
ssh sshusr@IP/Hostname -p 4242
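The three sshd_config edits from steps 1 to 3 are easy to get subtly wrong by hand (a directive left commented, a duplicate line lower in the file, or a directive placed after a “Match” block where it only applies to that block). The script below is an added example, not code from the original post: it applies the same three changes idempotently to a file you name, and shows what to check before restarting sshd. The file path, user name and port are parameters; the config it runs on at the end is a constructed sample, not a live /etc/ssh/sshd_config.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): apply the sshd_config changes
# from steps 1-3 idempotently, inserting new directives before any "Match"
# block (a directive placed after "Match" only applies inside it), and
# syntax-check the file before "service sshd restart".
set -u

# set_sshd_option FILE KEY VALUE
# Replaces the first "KEY ..." or "#KEY ..." line with "KEY VALUE", comments
# out later uncommented duplicates (sshd uses the first value it sees), and
# appends the directive, before the first Match block, if KEY is absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v line="$key $value" '
        BEGIN { lk = tolower(k) }
        $1 == "Match" { in_match = 1 }
        !in_match && (tolower($1) == lk || tolower($1) == ("#" lk)) {
            if (!done) { print line; done = 1 }
            else if (tolower($1) == lk) { print "#" $0 }
            else { print }
            next
        }
        in_match && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: the first (i.e. effective) value of KEY.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd FILE USER PORT: step 1 (no root login), step 2 (only USER may
# log in) and step 3 (new port) in one call.
harden_sshd() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers "$2"
    set_sshd_option "$1" Port "$3"
}

# verify_sshd FILE: syntax-check before restarting. Keep the current session
# open and confirm a second login as USER on PORT works before closing it.
verify_sshd() {
    sshd -t -f "$1"
}

# Demo on a constructed config, not a live /etc/ssh/sshd_config.
demo=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' '#Port 22' 'X11Forwarding no' \
    'Match User backup' '  PasswordAuthentication no' > "$demo"
harden_sshd "$demo" sshusr 4242
cat "$demo"
rm -f "$demo"
```

On a live server you would run harden_sshd /etc/ssh/sshd_config sshusr 4242, then verify_sshd /etc/ssh/sshd_config, and only then the “service sshd restart” from the steps above. Make sure the new port is open in the firewall (the CSF “TCP_IN” list in step 5 already contains 4242) before you restart, and test a fresh login from a second terminal before closing the one you are working in.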
4) Disable ping request.
Run the following command to disable ping requests to your server.
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
You can also do the same using iptables. Run the command below if you want to block ping requests using iptables.
iptables -A INPUT -p icmp -j DROP
You have disabled ping requests to your server.
5) Setup CSF firewall
CSF is a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.
Please follow the steps below to install and configure CSF. (If it is already installed, skip these steps.)
Go to “/opt”, download the latest CSF source files and untar it.
cd /opt
wget https://download.configserver.com/csf.tgz
tar -xvf csf.tgz
cd csf
Execute the “install.sh” shell script to install CSF.
./install.sh
Next, test whether you have the required iptables modules:
perl /etc/csf/csftest.pl
If you have the APF or BFD firewalls installed on your system, run the command below to uninstall them (otherwise there will be a conflict).
sh /etc/csf/remove_apf_bfd.sh
By default CSF runs in “test” mode. Follow the steps below to disable test mode and make CSF fully functional.
Edit the CSF main configuration file.
vi /etc/csf/csf.conf
You can find the line below.
TESTING = "1"
Change it as follows.
TESTING = "0"
You also need to add the Plesk ports “8880” and “8443” to the CSF “TCP_IN” and “TCP_OUT” lists.
You can find the lines below.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4242"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
Add the ports 8443 and 8880 to the lists.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4242,8443,8880"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,8443,8880"
Also make sure to disable ICMP (ping) by changing “ICMP_IN” to “0”.
# Allow incoming PING
ICMP_IN = "0"
Now restart CSF and LFD to apply the changes.
/etc/init.d/csf restart
/etc/init.d/lfd restart
csf -r
You have installed and configured CSF and LFD on your dedicated server.
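The csf.conf edits above are the ones most often done wrong on a live box: a port list retyped with a port missing (if the new SSH port from step 3 is not in “TCP_IN”, “csf -r” locks you out), or “TESTING” left at 1 so LFD never starts enforcing. The script below is an added example, not part of the original post or of CSF itself: it makes the same four changes to a csf.conf-style file without duplicating ports and without touching other lines, taking the SSH port as a parameter so it is always kept open. Unlike the echo into /proc in step 4, the “ICMP_IN” setting is persistent across reboots. The csf.conf it runs on at the end is a constructed sample.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the CSF project): edit the
# KEY = "value" lines of a csf.conf-style file in place and merge ports into
# the TCP_IN / TCP_OUT lists without duplicates.
set -u

# csf_set FILE KEY VALUE: rewrite the line 'KEY = "..."' as 'KEY = "VALUE"'.
csf_set() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $1 == k && $2 == "=" { print k " = \"" v "\""; next }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# csf_get FILE KEY: print the value of KEY without the surrounding quotes.
csf_get() {
    awk -v k="$2" '$1 == k && $2 == "=" { gsub(/"/, "", $3); print $3; exit }' "$1"
}

# csf_add_ports FILE KEY PORT...: append each PORT to the comma-separated
# list in KEY unless it is already there.
csf_add_ports() {
    file=$1; key=$2; shift 2
    cur=$(csf_get "$file" "$key")
    for p in "$@"; do
        case ",$cur," in
            *",$p,"*) ;;                      # already listed, keep as is
            *) cur="${cur:+$cur,}$p" ;;
        esac
    done
    csf_set "$file" "$key" "$cur"
}

# csf_harden FILE SSHPORT: the four changes from step 5. SSHPORT is added to
# TCP_IN first so the firewall never closes the port you are logged in on.
csf_harden() {
    csf_set "$1" TESTING 0
    csf_add_ports "$1" TCP_IN "$2" 8443 8880
    csf_add_ports "$1" TCP_OUT 8443 8880
    csf_set "$1" ICMP_IN 0
}

# Constructed sample in csf.conf syntax (the SSH port 4242 is deliberately
# missing from TCP_IN to show it being added).
sample_csf_conf() {
    cat > "$1" <<'EOF'
TESTING = "1"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming PING
ICMP_IN = "1"
EOF
}

demo=$(mktemp)
sample_csf_conf "$demo"
csf_harden "$demo" 4242
cat "$demo"
rm -f "$demo"
```

On a real server the call is csf_harden /etc/csf/csf.conf 4242 followed by the “csf -r” and LFD restart shown above; run csf_get /etc/csf/csf.conf TCP_IN first and check that your current SSH port is in the output.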
6) Setup Mod_Evasive
“mod_evasive” is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack. I have installed it on several servers and it seems very efficient at preventing ordinary DDoS attacks. Please follow the steps below to install it on your server.
Go to the “/opt” directory, download the latest “mod_evasive” source and extract it.
cd /opt
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar -xvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
We are going to compile the “mod_evasive” module for Apache with the “apxs” tool. “apxs” comes with the “httpd-devel” package, so the first step is to check whether you have that package.
rpm -qa | grep httpd-devel
If you get no result, you don’t have that package. In that case, run the command below to install it on your server.
yum install httpd-devel
After installing httpd-devel, run the command below to compile “mod_evasive” with Apache. (On cPanel, the path of apxs is “/usr/local/apache/bin/apxs” and you may have to use the full path.)
apxs -cia mod_evasive20.c
Add the following directives at the end of /etc/httpd/conf/httpd.conf:
DOSHashTableSize 3097
DOSPageCount 6
DOSPageInterval 2
DOSSiteCount 100
DOSSiteInterval 2
DOSBlockingPeriod 600
Now restart Apache to update the changes.
/etc/init.d/httpd restart
This installs “mod_evasive” and creates all the configuration it needs.
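The values above mean: a client that requests the same page more than DOSPageCount (6) times within DOSPageInterval (2) seconds is answered with 403 for DOSBlockingPeriod (600) seconds. Before enabling the module it is worth checking what those thresholds would have done to real traffic, so the script below, an added example that is not from the original post or the mod_evasive project, applies the DOSPageCount rule to an Apache access log offline and lists the clients that would have been blocked. The log lines are constructed, and the timestamp handling assumes a single day’s log in time order.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or mod_evasive): replay the
# DOSPageCount / DOSPageInterval condition over an access log so thresholds
# can be tuned against your own traffic before the module is switched on.
set -u

# evasive_offenders LOG PAGE_COUNT PAGE_INTERVAL
# Prints client IPs that requested the same URI more than PAGE_COUNT times
# within any PAGE_INTERVAL-second window. Expects the common/combined log
# format, where $1 is the client and $7 the request URI.
evasive_offenders() {
    awk -v limit="$2" -v interval="$3" '
        {
            split($4, t, ":")                      # $4 looks like [19/May/2013:11:42:03
            sec = t[2] * 3600 + t[3] * 60 + t[4]   # seconds since midnight
            key = $1 SUBSEP $7                     # client IP + request URI
            n[key]++
            ts[key, n[key]] = sec
            hits = 0                               # requests in the trailing window
            for (i = n[key]; i > 0 && sec - ts[key, i] < interval; i--) hits++
            if (hits > limit) flagged[$1] = 1
        }
        END { for (ip in flagged) print ip }' "$1" | sort
}

# Constructed sample log: one client hammering /login.php eight times in two
# seconds, one client browsing normally.
sample_access_log() {
    for s in 03 03 03 03 04 04 04 04; do
        printf '10.0.0.5 - - [19/May/2013:11:42:%s +0000] "GET /login.php HTTP/1.1" 200 512\n' "$s"
    done > "$1"
    for s in 03 10 20; do
        printf '10.0.0.9 - - [19/May/2013:11:42:%s +0000] "GET /index.php HTTP/1.1" 200 512\n' "$s"
    done >> "$1"
}

log=$(mktemp)
sample_access_log "$log"
echo "clients exceeding DOSPageCount 6 within DOSPageInterval 2:"
evasive_offenders "$log" 6 2
rm -f "$log"
```

Run it against your own log with evasive_offenders /usr/local/apache/logs/access_log 6 2 (the cPanel Apache log path is the usual one; adjust it for your build). If legitimate clients such as your own monitoring or a busy AJAX page show up, raise DOSPageCount or DOSPageInterval before restarting Apache with the module loaded.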
7) Setup Mod_Security
ModSecurity supplies an array of request filtering and other security features for Apache.
You can install it using EasyApache, or, to avoid downtime, follow the manual steps given below.
Enable the Atomic repo.
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Install “ModSecurity”.
yum install mod_security
If you want to set up rules, you can <>
8) Scan your system with RootKit Hunter.
This tool scans for rootkits, backdoors and local exploits by running tests like:
– MD5 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files
Please follow the steps below to scan your system using RootKit Hunter.
Go to “/opt” and download the latest RootKit Hunter from here:
http://sourceforge.net/projects/rkhunter/
cd /opt
wget http://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
tar -xvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
(Please note that the above URL may not always work, so you may need to find the correct package and download link from http://sourceforge.net/projects/rkhunter/.)
Install RootKit Hunter by running the installer.sh script with the “--install” switch.
./installer.sh --install
Run the below command to update RootKit Hunter.
rkhunter --update
Run the command below to perform the scan. (-c checks the local system and -sk skips the key press between test groups.)
rkhunter -c -sk
That’s it. It will scan the local system and give you a detailed output.
( Let us know if you find any issues and we will be right here for your help. )
9) Scan your system using maldet
maldet (Linux Malware Detect) is an efficient malware scanner for Linux. Please follow the steps below to install it on your system.
Go to “/opt”, download the latest “maldet” source and untar it.
cd /opt
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvf maldetect-current.tar.gz
cd maldetect-1.4.2
Install maldet using the “install.sh” shell script.
./install.sh
Now open a new screen session and scan the whole system by running the command below.
maldet -a /
(Please note that this will take hours to complete, depending on the disk usage on your system; that is why we run it in a screen session.)
You can detach from and re-enter the screen session at any time to check the status.
When the scan completes, you will get a result as shown below.
Linux Malware Detect v1.4.2
(C) 2002-2013, R-fx Networks <proj@r-fx.org>
(C) 2013, Ryan MacDonald <ryan@r-fx.org>
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
This program may be freely redistributed under the terms of the GNU GPL v2
maldet(20920): {scan} signatures loaded: 11272 (9404 MD5 / 1868 HEX)
maldet(20920): {scan} building file list for /, this might take awhile...
/usr/bin/find: /proc/20974/task/20974/fdinfo/4: No such file or directory
/usr/bin/find: /proc/20974/fdinfo/4: No such file or directory
maldet(20920): {scan} file list completed, found 271615 files...
maldet(20920): {scan} 271615/271615 files scanned: 12 hits 0 cleaned
maldet(20920): {scan} scan completed on /: files 271615, malware hits 12, cleaned hits 0
maldet(20920): {scan} scan report saved, to view run: maldet --report 051913-1142.20920
maldet(20920): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 051913-1142.20920
From the result you get the scan report ID. In this case the scan report ID is 051913-1142.20920. Run the command below to view the detailed report.
maldet --report 051913-1142.20920
You can put the infected files into quarantine by running the command below.
maldet -q 051913-1142.20920
(Please note: these files will be deleted from your system within 14 days.)
You have completed the maldet scan. Your system is now malware free.
10) Scan your system using Clam AntiVirus.
ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high-performance multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates.
Please follow the steps below to install and configure ClamAV on your system.
Install the Atomic repository in your system.
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Install ClamAV using yum.
yum install clamd
This installs clamd, clamav and clamav-db on your system. Run the command below to update the virus definitions.
freshclam
Start the ClamAV.
/etc/init.d/clamd start
Now open a new screen session and scan the whole system by running the command below.
clamscan -ril /opt/clamscan.log /
(Please note that this will take hours to complete, depending on the disk usage on your system; that is why we run it in a screen session.)
You can detach from and re-enter the screen session at any time to check the status.
You will get the scan result at the end; the command only lists the infected files. You can find them in “/opt/clamscan.log” (grep for the word FOUND). You may either remove or repair these files yourself, or run the command below, which removes all infected files on your system (make sure to run it in a screen session).
clamscan -ril /opt/clamscan.log --remove=yes /
You have removed the viruses and malicious code from your system.
11) Setup cron job to run Clam AntiVirus weekly.
Setting up a ClamAV cron job is an easy task: a user called “Stefano Stagnaro” uploaded a great cron script called “clamav-cron” to Google Code that updates ClamAV, scans the system and sends a brief report via e-mail. Please follow the steps below to set it up.
Go to “/opt”, download “clamav-cron” and give it execute permission.
cd /opt
wget http://clamav-cron.googlecode.com/files/clamav-cron-0.6 -O /usr/local/bin/clamav-cron
chmod 755 /usr/local/bin/clamav-cron
Open “/usr/local/bin/clamav-cron” and edit the user information.
vim /usr/local/bin/clamav-cron
---
# Notification e-mail recipient:
CV_MAILTO="your email ID here"
# Notification e-mail secondary recipients:
CV_MAILTO_CC="cc mails here"
# Notification e-mail subject:
CV_SUBJECT="Desired Subject line here"
---
Set a cron job. I’m going to set a cron job to run this task every Saturday at 11:45 PM.
crontab -e
Add the line below at the end.
45 23 * * 6 /usr/local/bin/clamav-cron /
Restart the cron service.
/etc/init.d/crond restart
You have set up the ClamAV cron script.
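Steps 9 to 11 all end with the same manual task: reading a scanner’s output, pulling out the report ID or the FOUND lines, and deciding whether to quarantine or e-mail anyone. The script below is an added example, not code from the original post, from maldet or from ClamAV: it parses the maldet output shown in step 9 and the clamscan log from step 10, prints the follow-up commands only when there were hits, and wraps the ClamAV run as a weekly job in the style of step 11 without the external clamav-cron script. The sample outputs are constructed from the lines the post shows, and the mail(1) command used for notification is an assumption about what is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post, maldet or ClamAV): triage the
# output of "maldet -a /" and "clamscan -ril LOG /", and run ClamAV weekly
# from cron with a mail only when something was found.
set -u

# maldet_report_id FILE: the report ID from the "scan report saved" line.
maldet_report_id() {
    sed -n 's/.*scan report saved, to view run: maldet --report \([0-9.-]*\).*/\1/p' "$1" | head -n 1
}

# maldet_hits FILE: the "malware hits N" figure from the "scan completed" line.
maldet_hits() {
    sed -n 's/.*malware hits \([0-9][0-9]*\),.*/\1/p' "$1" | head -n 1
}

# maldet_followup FILE: print (not run) the next commands, so the report can
# be reviewed before anything is quarantined.
maldet_followup() {
    id=$(maldet_report_id "$1")
    hits=$(maldet_hits "$1")
    if [ -z "$id" ]; then
        echo "no report id in $1; the scan probably did not finish" >&2
        return 1
    fi
    if [ "${hits:-0}" -gt 0 ]; then
        echo "maldet --report $id"
        echo "maldet -q $id"
    else
        echo "clean: report $id has no hits"
    fi
}

# clamscan_infected LOG: file paths flagged FOUND ("path: Signature FOUND").
clamscan_infected() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

# clamscan_count LOG: number of FOUND lines (0 for a clean log).
clamscan_count() {
    grep -c ' FOUND$' "$1" || true
}

# clamav_weekly LOG MAILTO: refresh signatures, scan /, mail a summary only
# when hits exist. Cron line: 45 23 * * 6 /path/to/this.sh weekly
clamav_weekly() {
    freshclam --quiet
    clamscan -ril "$1" / >/dev/null 2>&1 || true   # exit 1 only means "infected files found"
    n=$(clamscan_count "$1")
    if [ "$n" -gt 0 ]; then
        { echo "$n infected file(s) on $(hostname):"; clamscan_infected "$1"; } \
            | mail -s "ClamAV weekly scan: $n hit(s)" "$2"
    fi
}

# Constructed samples built from the output lines shown in the post.
sample_maldet_output() {
    cat > "$1" <<'EOF'
maldet(20920): {scan} signatures loaded: 11272 (9404 MD5 / 1868 HEX)
maldet(20920): {scan} 271615/271615 files scanned: 12 hits 0 cleaned
maldet(20920): {scan} scan completed on /: files 271615, malware hits 12, cleaned hits 0
maldet(20920): {scan} scan report saved, to view run: maldet --report 051913-1142.20920
maldet(20920): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 051913-1142.20920
EOF
}
sample_clamscan_log() {
    cat > "$1" <<'EOF'
/home/test2/public_html/uploads/eicar.com: Eicar-Test-Signature FOUND
/home/u1/tmp/eicar.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

if [ "${1:-}" = "weekly" ]; then
    clamav_weekly /opt/clamscan.log root
    exit 0
fi

# Demo on the constructed data.
m=$(mktemp); c=$(mktemp)
sample_maldet_output "$m"; sample_clamscan_log "$c"
maldet_followup "$m"
echo "clamscan: $(clamscan_count "$c") infected file(s)"
clamscan_infected "$c"
rm -f "$m" "$c"
```

Run “maldet -a / | tee /opt/maldet.out” in the screen session and then maldet_followup /opt/maldet.out; the quarantine command is printed rather than executed so you can read the report first, because a false positive in a customer’s site is just as disruptive as a real hit.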
12) Disable Apache header information.
It is not good to expose your server information to the public. Please follow the steps below to disable the Apache header information.
Edit your main Apache configuration file; you can see the lines below somewhere in that file.
vim /etc/httpd/conf/httpd.conf
---
ServerSignature On
ServerTokens OS
---
Change it to as shown below.
ServerSignature Off
ServerTokens Prod
Also add the entries below somewhere in the file to disable the Apache Last-Modified header.
<FilesMatch ".*$">
Header unset Last-Modified
</FilesMatch>
Restart Apache.
/etc/init.d/httpd restart
You have disabled Apache header information.
13) Hide PHP Version information.
Like Apache, it is not good to expose your PHP information to the public. Please follow the steps below to hide it.
Find your main PHP configuration file.
php -i | grep php.ini
This gives you the location of your main php.ini file. Edit the file and you will see the line below.
vim /usr/local/lib/php.ini
---
expose_php = on
---
Change it as follows.
expose_php = off
Restart Apache.
/etc/init.d/httpd restart
You have disabled PHP version information.
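The changes in steps 12 and 13 are only worth anything if they actually show up on the wire, and after a cPanel EasyApache rebuild they can silently be reverted. The script below is an added example, not part of the original post: it audits a saved set of HTTP response headers for the three leaks those steps close (a “Server:” value with a version or OS string, which “ServerTokens Prod” removes; an “X-Powered-By:” header, which “expose_php = off” removes; and a “Last-Modified:” header). Note that “ServerSignature” only controls the footer on error pages, not the “Server:” header. The header samples it runs on are constructed; fetching the live headers with curl is a usage assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check response headers for the
# information that steps 12 and 13 are meant to hide.
set -u

# audit_headers FILE: FILE holds raw response headers, e.g. saved from
# "curl -sI http://your-host/". Prints the number of findings on stdout and
# one line per finding on stderr, so a 0 means the server is clean.
audit_headers() {
    n=0
    hdr=$(tr -d '\r' < "$1")
    if printf '%s\n' "$hdr" | grep -Eiq '^Server:.*(/[0-9]|\()'; then
        echo "Server header still shows a version or OS (ServerTokens is not Prod)" >&2
        n=$((n + 1))
    fi
    if printf '%s\n' "$hdr" | grep -iq '^X-Powered-By:'; then
        echo "X-Powered-By present (expose_php is still on)" >&2
        n=$((n + 1))
    fi
    if printf '%s\n' "$hdr" | grep -iq '^Last-Modified:'; then
        echo "Last-Modified present (Header unset Last-Modified is not active)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# fetch_headers URL FILE: save the live headers (HEAD request) for auditing.
fetch_headers() {
    curl -sSI "$1" > "$2"
}

# Constructed samples: what a default CentOS build returns, and the same
# server after steps 12 and 13.
sample_headers_default() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\nX-Powered-By: PHP/5.3.3\r\nLast-Modified: Sun, 19 May 2013 11:42:00 GMT\r\nContent-Type: text/html\r\n\r\n' > "$1"
}
sample_headers_hardened() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n' > "$1"
}

before=$(mktemp); after=$(mktemp)
sample_headers_default "$before"; sample_headers_hardened "$after"
echo "findings before hardening: $(audit_headers "$before")"
echo "findings after hardening: $(audit_headers "$after")"
rm -f "$before" "$after"
```

Against a live server: fetch_headers http://your-host/index.php /tmp/h.txt and then audit_headers /tmp/h.txt. Request a PHP page rather than a static file, because X-Powered-By is only added when PHP handles the request.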
14) Disable FTP. Use SFTP instead.
FTP is always the hacker’s favourite back door and there are a million ways to hack an FTP account. Maybe you are not that familiar with SSH and disabling FTP may put you in trouble; I have an alternative option. If you are someone who wants the simplicity of FTP with the security features of SSH, you can use SFTP. It is not a big deal: any user that has SSH access to your system can use SFTP. WinSCP is an SFTP client for Windows and you can find it here: http://winscp.net/eng/index.php
Let’s block port 21 by setting up a firewall rule as shown below.
iptables -A INPUT -p tcp --dport 21 -j REJECT
That’s all you have to do.
15) Disable shell access for unknown users.
Run the command below to list all users that have shell access to your system.
grep bin/bash$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
test2:x:10002:10002::/home/test2:/bin/bash
hduser:x:10003:10003::/home/hduser:/bin/bash
admin:x:10004:10004::/home/admin:/bin/bash
boot:x:0:0:root:/root:/bin/bash
sshusr:x:10006:10006::/home/sshusr:/bin/bash
u1:x:10007:10007::/home/u1:/bin/bash
The command below changes the shell of an unknown user to /sbin/nologin.
Here I’m going to change the shell of user “u1” to “/sbin/nologin”.
chsh u1
Changing shell for u1.
New shell [/bin/bash]: /sbin/nologin
Shell changed.
This way you can change the shell of a user.
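Doing this one user at a time with an interactive chsh prompt does not scale, and the grep above only catches /bin/bash. The script below is an added example, not code from the original post: it lists every account with a real login shell, compares the list against the users you expect to have one, and prints the usermod commands that would lock the rest so they can be reviewed before anything changes. It also flags any account other than root whose UID is 0, because such an account has full root rights whatever its name; in the listing above, “boot” is exactly that and would need explaining before you go any further. The passwd data it runs on is a constructed copy of that listing, and the allow list (root, mysql, sshusr) is an assumption.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit passwd-style data for
# login-capable accounts, extra UID 0 accounts, and print the commands that
# would lock the accounts outside an allow list.
set -u

# login_shell_users FILE: "user:shell" for every account whose shell is a
# real shell (bash, sh, zsh, tcsh, ...), i.e. not /sbin/nologin, /bin/false
# or the halt/shutdown pseudo-shells.
login_shell_users() {
    awk -F: '$7 ~ /sh$/ { print $1 ":" $7 }' "$1"
}

# uid0_accounts FILE: accounts other than root with UID 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# unexpected_shell_users FILE ALLOWED...: login-capable users not in the list.
unexpected_shell_users() {
    file=$1; shift
    allowed=" $* "
    login_shell_users "$file" | while IFS=: read -r user shell; do
        case "$allowed" in
            *" $user "*) ;;
            *) echo "$user" ;;
        esac
    done
}

# disable_shell_cmds FILE ALLOWED...: the non-interactive equivalent of the
# chsh dialogue above, one command per unexpected user, printed for review.
disable_shell_cmds() {
    unexpected_shell_users "$@" | sed 's|^|usermod -s /sbin/nologin |'
}

# Constructed copy of the passwd listing shown in the post, plus one service
# account that already has no shell.
sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
test2:x:10002:10002::/home/test2:/bin/bash
hduser:x:10003:10003::/home/hduser:/bin/bash
admin:x:10004:10004::/home/admin:/bin/bash
boot:x:0:0:root:/root:/bin/bash
sshusr:x:10006:10006::/home/sshusr:/bin/bash
u1:x:10007:10007::/home/u1:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF
}

f=$(mktemp)
sample_passwd "$f"
echo "accounts with a login shell:"; login_shell_users "$f"
echo "UID 0 accounts other than root:"; uid0_accounts "$f"
echo "commands to lock users outside the allow list (root mysql sshusr):"
disable_shell_cmds "$f" root mysql sshusr
rm -f "$f"
```

On a live server: disable_shell_cmds /etc/passwd root sshusr to review, then pipe the same output to sh once you are satisfied. Whether service accounts such as mysql belong on the allow list is a decision for your setup; normally they do not need a shell at all.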
Yep! We have completed the cPanel and Plesk hardening and your server is now hard as rock.
Of course, you don’t have to do any of this if you use one of our Cheap Dedicated Servers hosting services, cPanel servers or cPanel server management services, in which case you can simply ask our expert Linux admins to do the server hardening. They are available 24×7 and will take care of your request immediately.
PS. If you liked this post please share it with your friends on the social networks using the buttons below or simply leave a comment in the comments section. Thanks.