
by cPanel Inc. with Comments by Travis Schaffner of FastServers.Net
As we all know, dedicated server security is a never-ending battle. Security is vital to keeping your business up and running and your customers in place. Unfortunately, security and customer friendliness / usability usually pull in opposite directions. Luckily, there are a few simple steps you can take to lock down your cPanel dedicated servers without forcing your customers to log in from a bank vault with armed guards at their side. For this article in its entirety with links, instructions, and more information, please see http://www.cpanel.net/security/commontips.htm
Please note that these tips are suggestions only and cPanel takes no responsibility for modifications to individual servers, or the security practices of individual servers. Server security is a collection of compromises, as any server that allows connections could be insecure. These tips are to be followed at your own risk.
This article was provided by cPanel for publication in the November 2006 FastServers.Net newsletter. Travis Schaffner, CTO of FastServers.Net, reviewed the article and added comments and suggestions to these tips.
Tip 1: Use secure passwords!
Insecure passwords are the most common security vulnerability on servers. If an account password is weak and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server. Generally, a password of at least 8 characters that mixes letters, digits and punctuation symbols is sufficient. Never use passwords based upon dictionary words or significant dates.
You can edit /etc/login.defs to configure many password options on your system. It is well documented.
My Comments...
It's an excellent practice to encourage your end-users to update their critical passwords, alongside the above-mentioned complexity requirements; at least on a quarterly basis... it's a responsible practice that we all need to get accustomed to! You certainly will not regret it.
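The password rules above (at least 8 characters, letters plus digits plus punctuation, no dictionary word) and the /etc/login.defs aging knobs the comment alludes to can be checked mechanically. The script below is an added example written for this newsletter, not code from cPanel or FastServers.Net; the login.defs excerpt and the tiny word list are constructed stand-ins for /etc/login.defs and /usr/share/dict/words.

```sh
#!/bin/sh
# Added example (not from the cPanel article): checks a candidate password
# against the article's rule and reads PASS_MIN_LEN / PASS_MAX_DAYS from a
# login.defs-style text. PASS_MIN_LEN and PASS_MAX_DAYS are real login.defs
# keys; the values below are constructed.

LOGIN_DEFS_SAMPLE='# constructed /etc/login.defs excerpt
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   7'

# Constructed mini dictionary; a real check would use /usr/share/dict/words
DICT_SAMPLE='password
letmein
welcome
summer'

# login_def KEY DEFS_TEXT -> prints the value of KEY, ignoring comment lines
login_def() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 !~ /^#/ && $1 == k { print $2; exit }'
}

# password_ok PASSWORD DICT_TEXT MINLEN -> returns 0 if the password passes,
# 1 otherwise, printing one line per rule it fails so the admin sees why.
password_ok() {
    pw=$1; dict=$2; minlen=${3:-8}; rc=0
    if [ "${#pw}" -lt "$minlen" ]; then
        echo "too short: need at least $minlen characters"; rc=1
    fi
    case $pw in *[a-zA-Z]*) ;; *) echo "no letters"; rc=1 ;; esac
    case $pw in *[0-9]*)    ;; *) echo "no digits";  rc=1 ;; esac
    case $pw in *[!a-zA-Z0-9]*) ;; *) echo "no punctuation symbol"; rc=1 ;; esac
    # Keep only the letters, lower-cased, and look that "stem" up in the word
    # list: this catches "Summer2006!" but not leetspeak such as "P@ssw0rd".
    stem=$(printf '%s' "$pw" | tr -cd 'a-zA-Z' | tr 'A-Z' 'a-z')
    if [ -n "$stem" ] && printf '%s\n' "$dict" | grep -qix -- "$stem"; then
        echo "based on a dictionary word: $stem"; rc=1
    fi
    return $rc
}

# Demonstration on constructed candidates
minlen=$(login_def PASS_MIN_LEN "$LOGIN_DEFS_SAMPLE")
echo "policy: min length $minlen, max age $(login_def PASS_MAX_DAYS "$LOGIN_DEFS_SAMPLE") days"
for candidate in 'welcome1' 'Summer2006!' 'x9$Kq2!pLm'; do
    if password_ok "$candidate" "$DICT_SAMPLE" "$minlen" >/dev/null; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```

The stem lookup is deliberately simple; a production check should hand the candidate to cracklib (which pam_cracklib already does on RedHat-based systems) so that substitutions like "0" for "o" are caught as well. PASS_MAX_DAYS 90 is what the quarterly rotation in the comment above translates to.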
Tip 2: Secure SSH
Enable public key authentication for SSH and disable password authentication.
Move SSH access to a different port. Attackers scan for port 22 as a possible way into your servers. Moving SSH to a different port is a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.
You should always use SSHv2 only as SSHv1 is not secure.
You may also wish to set shell resource limits for your users to prevent applications and scripts from using up all your resources and taking down your server.
My Comments...
More specifics on the file in question located at /etc/ssh/sshd_config, on cPanel boxes. Additionally, we'd recommend disabling root login attempts straight to the SSH daemon... require your admins to have a shell with wheel group permissions instead!
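Here is a small audit script that checks an sshd_config-style text for the settings covered in Tip 2 and the comment above (key authentication on, password authentication off, non-default port, SSHv2 only, no direct root login, and the wheel-group restriction). It is an added example, not code from cPanel or FastServers.Net; the two configs are constructed, and on a real box you would feed it /etc/ssh/sshd_config instead. The defaults it assumes for absent directives (PasswordAuthentication yes, PermitRootLogin yes, Protocol 2,1, Port 22) are the OpenSSH defaults of the time.

```sh
#!/bin/sh
# Added example (not cPanel's or FastServers.Net's code): audits sshd_config
# text for the Tip 2 settings. Both configs below are constructed.

SSHD_CONFIG_WEAK='# constructed sshd_config with several weak settings
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes'

SSHD_CONFIG_HARDENED='# constructed sshd_config as Tip 2 recommends
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups wheel'

# sshd_value KEY CONFIG_TEXT -> effective value of KEY: the first uncommented
# occurrence wins, as in sshd itself (keywords are case-insensitive). Prints
# nothing when the directive is absent or commented out.
sshd_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd CONFIG_TEXT -> prints one FAIL line per weak setting and returns
# the number of failures (0 means every check passed).
audit_sshd() {
    cfg=$1; fails=0

    # Absent means "yes" in sshd, so a commented-out line is as weak as an explicit yes
    v=$(sshd_value PasswordAuthentication "$cfg")
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication is '${v:-unset, defaults to yes}'; want no"; fails=$((fails+1)); }

    v=$(sshd_value PubkeyAuthentication "$cfg")
    [ "${v:-yes}" = yes ] || { echo "FAIL PubkeyAuthentication is '$v'; want yes"; fails=$((fails+1)); }

    v=$(sshd_value Port "$cfg")
    [ "${v:-22}" != 22 ] || { echo "FAIL Port is 22; move SSH to a non-default port"; fails=$((fails+1)); }

    # Older OpenSSH defaulted to "2,1", so unset is treated as offering SSHv1
    v=$(sshd_value Protocol "$cfg")
    [ "${v:-2,1}" = 2 ] || { echo "FAIL Protocol is '${v:-unset, defaults to 2,1}'; want 2 (SSHv1 is insecure)"; fails=$((fails+1)); }

    v=$(sshd_value PermitRootLogin "$cfg")
    [ "$v" = no ] || { echo "FAIL PermitRootLogin is '${v:-unset, defaults to yes}'; want no"; fails=$((fails+1)); }

    # Comment's suggestion: only wheel members get a shell over SSH
    v=$(sshd_value AllowGroups "$cfg")
    [ -n "$v" ] || { echo "FAIL no AllowGroups directive; consider 'AllowGroups wheel'"; fails=$((fails+1)); }

    return $fails
}

echo "== constructed weak config =="
audit_sshd "$SSHD_CONFIG_WEAK" || echo "$? problem(s) found"
echo "== hardened config =="
audit_sshd "$SSHD_CONFIG_HARDENED" && echo "all checks passed"
```

Note the commented-out "#PasswordAuthentication no" in the weak sample: it is the most common way this setting ends up silently at its default. After editing the real file, run sshd -t to syntax-check it, and keep an existing session open while you restart sshd so a typo in the new port or AllowGroups line cannot lock you out.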
Tip 3: Secure Apache
The most readily available way to access a web server, is of course, the web server application. It is important to take steps to secure your Apache installation.
One of the best tools for preventing malicious Apache use is mod_security. You can find information about mod_security at http://www.modsecurity.org/.
When compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.
We also recommend compiling Apache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of every PHP script running on your server. If one is malicious, you will be able to find its owner quickly and resolve the issue.
You should enable PHP's open_basedir protection. This protection prevents users from opening files outside of their home directory with PHP.
You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on.
My Comments...
More specifics on building apache in advanced mode you'll find the self-extracting archive (actually a big, phat shell script) at http://layer1.cpanel.net/. Grabbing the buildapache.sea directly allows you to maintain the apache installation hierarchy within the locality of your choosing on the webserver in question... enter into "Advanced Mode" after starting up the executable to enable suEXEC, phpsuEXEC, and the other modules (and php sub-modules) that you and your users require! Of course, you'll want to make sure you alert your customer base to any changes, if necessary, as the instantiation of any suEXEC-type technology *will* shatter older scripts & applications or at the very least cause slight to moderate incompatibility issues. Be wary!
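The two PHP settings from Tip 3 are easy to get wrong in php.ini: an open_basedir line that is commented out, empty, or contains "/" restricts nothing, and safe_mode defaults to Off. The script below parses php.ini-style text and reports exactly that. It is an added example, not code from cPanel or FastServers.Net; both ini excerpts are constructed, and /home/user1 is a placeholder account path.

```sh
#!/bin/sh
# Added example (not cPanel's code): reads PHP ini-style directives and checks
# the two settings Tip 3 recommends, open_basedir and (PHP 5.x and below)
# safe_mode. The ini text below is constructed.

PHP_INI_WEAK='; constructed php.ini excerpt: open_basedir commented out, safe_mode off
;open_basedir = /home/user1:/tmp
safe_mode = Off
disable_functions ='

PHP_INI_HARDENED='; constructed php.ini excerpt as Tip 3 recommends
open_basedir = "/home/user1:/tmp"
safe_mode = On'

# ini_value KEY INI_TEXT -> value of KEY with ';' comments, surrounding
# whitespace and quotes removed; prints nothing if the directive is absent
# or commented out.
ini_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[ \t]*;/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key != k) next
            val = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", val)          # strip trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/^"|"$/, "", val)              # strip surrounding quotes
            print val; exit
        }'
}

# audit_open_basedir VALUE -> 0 if VALUE actually restricts PHP, 1 otherwise.
# An empty value disables the restriction; an entry of "/" allows everything.
audit_open_basedir() {
    v=$1
    [ -n "$v" ] || { echo "FAIL open_basedir is unset: PHP may open any file the web server can read"; return 1; }
    rc=0
    IFS=':'; set -f; set -- $v; set +f; unset IFS   # PHP separates entries with ':' on Unix
    for dir in "$@"; do
        case $dir in
            /)  echo "FAIL open_basedir contains '/', which restricts nothing"; rc=1 ;;
            /*) ;;
            *)  echo "FAIL open_basedir entry '$dir' is not an absolute path"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_php_ini INI_TEXT -> prints findings, returns the number of failures
audit_php_ini() {
    ini=$1; fails=0
    audit_open_basedir "$(ini_value open_basedir "$ini")" || fails=$((fails+1))
    sm=$(ini_value safe_mode "$ini")
    case $(printf '%s' "$sm" | tr 'A-Z' 'a-z') in
        on|1|true|yes) ;;
        *) echo "FAIL safe_mode is '${sm:-unset}' (PHP 5.x and below: want On)"; fails=$((fails+1)) ;;
    esac
    return $fails
}

echo "== constructed weak php.ini =="
audit_php_ini "$PHP_INI_WEAK" || echo "$? problem(s) found"
echo "== hardened php.ini =="
audit_php_ini "$PHP_INI_HARDENED" && echo "all checks passed"
```

On a shared cPanel box open_basedir is usually set per account in the Apache configuration rather than once in php.ini, so point the check at whatever file actually carries the php_admin_value lines for a given virtual host; the parsing rules are the same.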
Tip 4: Secure your /tmp partition
We recommend that you use a separate partition for /tmp that is mounted with nosetuid. Nosetuid forces a process to run with the privileges of its executor rather than those of the file's owner. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information.
Also, running /scripts/securetmp will mount your /tmp partition from a temporary file for extra security.
My Comments...
And once again, as alluded to in Tip 3 there is the potential for inconsistency issues or other related chaos if your customers are using scripts that require a sloppily (out-of-the-box) configured /tmp directory... it's important to keep the general populace informed if this is the first time that /tmp will be properly secured on your webserver!
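To verify that /tmp really is a separate mount carrying the options from Tip 4, the script below reads /proc/mounts-style lines and flags what is missing. It is an added example, not code from cPanel or FastServers.Net, and the three mount tables are constructed. One spelling note: the option the article calls "nosetuid" is written nosuid in /etc/fstab and in the mount man page, which is what the check looks for.

```sh
#!/bin/sh
# Added example (not cPanel's code): checks the /tmp mount for the Tip 4
# options. The mount tables below are constructed /proc/mounts excerpts;
# on a live box use:  audit_tmp "$(cat /proc/mounts)"

MOUNTS_NO_TMP='/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0'

MOUNTS_WEAK='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw 0 0
proc /proc proc rw 0 0'

# A loopback-mounted file, as /scripts/securetmp sets up (the device name is an assumption)
MOUNTS_HARDENED='/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0
proc /proc proc rw 0 0'

# mount_opts MOUNTPOINT MOUNTS_TEXT -> the option list of that mount point,
# empty if nothing is mounted there (fields: device mountpoint fstype options)
mount_opts() {
    printf '%s\n' "$2" | awk -v m="$1" '$2 == m { print $4; exit }'
}

# has_opt OPTLIST OPT -> 0 if OPT appears in the comma-separated list
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_tmp MOUNTS_TEXT -> prints FAIL lines, returns the number of failures
audit_tmp() {
    opts=$(mount_opts /tmp "$1")
    if [ -z "$opts" ]; then
        echo "FAIL /tmp is not a separate mount (it lives on the root filesystem)"
        return 1
    fi
    fails=0
    # nosuid is the mount(8) spelling of what the article calls nosetuid
    for want in nosuid noexec; do
        has_opt "$opts" "$want" || { echo "FAIL /tmp lacks $want (options: $opts)"; fails=$((fails+1)); }
    done
    return $fails
}

# fstab_line DEVICE -> the /etc/fstab entry that gives /tmp both options
# (ext3 is an assumption; use whatever filesystem the partition carries)
fstab_line() {
    printf '%s /tmp ext3 defaults,nosuid,noexec 0 0\n' "$1"
}

for table in "$MOUNTS_NO_TMP" "$MOUNTS_WEAK" "$MOUNTS_HARDENED"; do
    echo "== checking constructed mount table =="
    audit_tmp "$table" && echo "ok"
done
echo "suggested fstab entry: $(fstab_line /dev/sda2)"
```

Remember the comment above: noexec stops anything from being executed out of /tmp, including installers and cron jobs that customers' scripts unpack there, so announce the change before making it and run the audit again after the next reboot to confirm the options survived.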
Tip 5: Turn off unused services and daemons
Any service or daemon that accepts connections to your server is a way for attackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.
My Comments...
Additionally, RedHat-based systems include a variety of unnecessary "default" users and groups, which could be hijacked for unscrupulous purposes in the future. Dump 'em. (lp, games, gopher, ident, rpc, uucp, news, nfsnobody, operator, sync, adm)... Of course, you may have a unique reason to keep one or two of those, but that would be a fairly rare occasion for a cPanel server, indeed.
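The two inventories Tip 5 and the comment above call for, which boot-time services are enabled and which of the stock RedHat accounts are still present, can be produced from chkconfig --list output and /etc/passwd. The script below does that against an allow list of services you actually need. It is an added example, not code from cPanel or FastServers.Net; the chkconfig output and passwd lines are constructed, and the allow list "sshd httpd" is just a placeholder for your own.

```sh
#!/bin/sh
# Added example (not cPanel's code): lists enabled services and leftover
# default accounts. Both inputs below are constructed; on a live box use
#   unexpected_services "$(chkconfig --list)" 3 "sshd httpd exim mysql"
#   unused_accounts "$(cat /etc/passwd)"

CHKCONFIG_SAMPLE='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        gopher:         off
        telnet:         on'

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin'

# The stock accounts named in the comment above
DEFAULT_ACCOUNTS='lp games gopher ident rpc uucp news nfsnobody operator sync adm'

# enabled_services CHKCONFIG_TEXT RUNLEVEL -> names of SysV services that are
# "on" at RUNLEVEL, plus xinetd services that are on, one per line
enabled_services() {
    printf '%s\n' "$1" | awk -v rl="$2" '
        NF == 8 && $1 !~ /:$/ {               # SysV line: name 0:off 1:off ... 6:off
            for (i = 2; i <= NF; i++)
                if ($i == (rl ":on")) { print $1; break }
            next
        }
        NF == 2 && $1 ~ /:$/ && $2 == "on" {  # xinetd line: "name:   on"
            sub(/:$/, "", $1); print $1
        }'
}

# unexpected_services CHKCONFIG_TEXT RUNLEVEL ALLOWED -> enabled services that
# are not in the space-separated ALLOWED list
unexpected_services() {
    enabled_services "$1" "$2" | awk -v allow=" $3 " 'index(allow, " " $1 " ") == 0'
}

# unused_accounts PASSWD_TEXT -> the stock accounts from DEFAULT_ACCOUNTS that
# still exist, one per line
unused_accounts() {
    printf '%s\n' "$1" | awk -F: -v list=" $DEFAULT_ACCOUNTS " 'index(list, " " $1 " ") > 0 { print $1 }'
}

# Report only; the admin decides what to run
echo "== services enabled at runlevel 3 but not on the allow list =="
unexpected_services "$CHKCONFIG_SAMPLE" 3 "sshd httpd" | while read -r svc; do
    echo "$svc   -> chkconfig $svc off; /etc/init.d/$svc stop"
done
echo "== stock accounts still present =="
unused_accounts "$PASSWD_SAMPLE" | while read -r acct; do
    echo "$acct   -> userdel $acct"
done
```

Check that nothing on the box depends on an account before removing it (a service that runs as it, or files under /home owned by it), and re-run both inventories after each OS update, since package upgrades occasionally re-enable a service or recreate an account.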
My Conclusion...
We'd also encourage users to subscribe to our Security Forum at http://forums.fastservers.net/ :: while not every piece of errata or patch release for RedHat systems is *critical* or even slightly so, within this venue we'll make sure you're aware of the updates that are certainly worth your while to imbue as quickly as possible!
*** You may have heard something along these lines mentioned before: "Make Sure Your Users Are Keeping Their Site Content & Applications/Scripts/CGI/Bells/Whistles/Carnival_Rides Up-To-Date". Remind them, often, to make sure they're receiving updates from the application vendors in question on any new releases of potentially afflicted software. What's "potentially afflicted" ? That's simple: anything and everything! Do your part to make sure your end users are doing theirs. Beyond perhaps keeping your kernel consistently updated, there is nothing even close to as critical as this factor. Stay diligent!