A Beginner's Guide to Securing Your Linux/cPanel Server

Part 1 of 3 (Security Inside WHM/CPanel)



These are items inside of WHM/Cpanel that should be changed to secure your server.

Goto Server Setup =>> Tweak Settings

Check the following items...

Under Domains
Prevent users from parking/adding on common internet domains (i.e. hotmail.com, aol.com)

Under Mail
Attempt to prevent pop3 connection floods
Default catch-all/default address behavior for new accounts - blackhole

Under System
Use jailshell as the default shell for all new accounts and modified accounts

Goto Server Setup =>> Tweak Security
Enable php open_basedir Protection
Enable mod_userdir Protection
Disable Compilers for unprivileged users.

Goto Server Setup =>> Manage Wheel Group Users
Remove all users except for root and your main account from the wheel group.

Goto Server Setup =>> Shell Fork Bomb Protection
Enable Shell Fork Bomb/Memory Protection

When setting up Feature Limits for resellers in Resellers =>> Reseller Center, under Privileges always disable Allow Creation of Packages with Shell Access and enable Never allow creation of accounts with shell access; under Root Access disable All Features.

Goto Service Configuration =>> FTP Configuration
Disable Anonymous FTP

Goto Account Functions =>> Manage Shell Access
Disable Shell Access for all users (except yourself)

Goto Mysql =>> MySQL Root Password
Change root password for MySQL

Goto Security and run Quick Security Scan and Scan for Trojan Horses often. The following and similar items are not Trojans:
/sbin/depmod
/sbin/insmod
/sbin/insmod.static
/sbin/modinfo
/sbin/modprobe
/sbin/rmmod

The following are measures that can be taken over SSH to secure your server.


Update the OS, Apache and CPanel to the latest stable versions.

This can be done from WHM/CPanel.



Restrict SSH Access


To restrict and secure SSH access, bind sshd to a single IP that is different from the main IP of the server, and to a port other than port 22.


SSH into server and login as root.

Note: PuTTY is a free SSH client for Windows. It's a clean running application that does not require installation on Windows boxes.


At command prompt type: pico /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:

Code:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::


Uncomment and change

#Port 22

to look like

Port 5678 (choose your own 4- to 5-digit port number; 49151 is the highest port number)


Uncomment and change

#Protocol 2, 1

to look like

Protocol 2


Uncomment and change

#ListenAddress 0.0.0.0

to look like

ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)


Note 1: If you would like to disable direct Root Login, scroll down until you find

#PermitRootLogin yes

and uncomment it and make it look like

PermitRootLogin no

Save by pressing Ctrl o on your keyboard, and then exit by pressing Ctrl x on your keyboard.


Note 2: You can also create a custom nameserver specifically for your new SSH IP address. Just create one called something like ssh.xyz.com or whatever. Be sure to add an A record to your zone file for the new nameserver.


Now restart SSH

At command prompt type: /etc/rc.d/init.d/sshd restart


Exit out of SSH, and then re-login to SSH using the new IP or nameserver, and the new port.


Note:
If you should have any problems, just Telnet into your server, fix the problem, then SSH in again. Telnet is a very insecure protocol, so change your root password after you use it.
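Before you log out of the old session, it pays to confirm that the four edits above actually took effect. The audit script below is an added example, not part of the original guide: it reads an sshd_config file you name and reports any directive still at its weak default. The function names (sshd_get, sshd_audit) and the two sample configs are my own. sshd honours the first uncommented occurrence of a keyword, which is what the script reports; on current OpenSSH the Protocol directive is obsolete (only protocol 2 exists), so that check only matters on the older releases this guide was written for.

```sh
#!/bin/sh
# Added example: audit an sshd_config against the settings recommended above.
# Names (sshd_get, sshd_audit) and the sample configs are constructed for this
# example. Usage: sshd_audit /etc/ssh/sshd_config

# Print the effective value of one directive. sshd honours the FIRST
# uncommented occurrence of a keyword, so that is the one we report.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                          # skip comments
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            sub(/[[:space:]]+$/, "")                          # and trailing blanks
            print; exit
        }' "$1"
}

# Report findings one per line; the return value is the number of findings.
sshd_audit() {
    f=$1; n=0
    port=$(sshd_get "$f" Port)
    case "$port" in
        "" | 22)  echo "Port: still the default 22 (move sshd to a 4-5 digit port)"; n=$((n+1)) ;;
        *[!0-9]*) echo "Port: '$port' is not a number"; n=$((n+1)) ;;
        *) [ "$port" -ge 1024 ] && [ "$port" -le 49151 ] ||
               { echo "Port: $port is outside 1024-49151"; n=$((n+1)); } ;;
    esac
    proto=$(sshd_get "$f" Protocol)
    [ "$proto" = "2" ] ||
        { echo "Protocol: '${proto:-unset, old default 2,1}' still offers SSH-1"; n=$((n+1)); }
    listen=$(sshd_get "$f" ListenAddress)
    case "$listen" in
        "" | 0.0.0.0 | "::") echo "ListenAddress: sshd binds every address (want one dedicated IP)"; n=$((n+1)) ;;
    esac
    root=$(sshd_get "$f" PermitRootLogin)
    [ "$root" = "no" ] ||
        { echo "PermitRootLogin: '${root:-unset}' lets root log in directly"; n=$((n+1)); }
    return $n
}

# Constructed sample configs: the stock file from the guide, and the edited one.
weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::
#PermitRootLogin yes
EOF
cat > "$hardened" <<'EOF'
Port 5678
Protocol 2
ListenAddress 123.123.123.15
PermitRootLogin no
EOF

for cfg in "$weak" "$hardened"; do
    rc=0; sshd_audit "$cfg" || rc=$?
    echo "$cfg: $rc finding(s)"
done
```

Run it against the stock file and it lists four findings; against the edited file it is silent and returns 0, which makes it easy to drop into a cron job that only mails you when something has drifted back.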




Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: pico -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Save and Exit

At command prompt type: /etc/init.d/xinetd restart




Server e-mail every time someone logs in as root

To have the server e-mail you every time someone logs in as root, SSH into server and login as root.

At command prompt type: pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com

Save and exit.




Set an SSH Legal Message

To set an SSH legal message, SSH into server and login as root.

At command prompt type: pico /etc/motd

Enter your message, save and exit.

Note: I use the following message...
Code:
ALERT! You are entering a secured area! Your IP and login information
have been recorded. System administration has been notified.

This system is restricted to authorized access only. All activities on
this system are recorded and logged. Unauthorized access will be fully
investigated and reported to the appropriate law enforcement agencies.


Now every time someone logs in as root, they will see this message... go ahead and try it.




Disable Shell Accounts

To disable any shell accounts hosted on your server SSH into server and login as root.

At command prompt type: locate shell.php

Also check for:

locate irc
locate eggdrop
locate bnc
locate BNC
locate ptlink
locate BitchX
locate guardservices
locate psyBNC
locate .rhosts



Note: There will be several listings that will be OS/CPanel related. Examples are

/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/local/cpanel/etc/sym/bnc.sym
/usr/local/cpanel/etc/sym/psyBNC.sym
/usr/local/cpanel/etc/sym/ptlink.sym
/usr/lib/libncurses.so
/usr/lib/libncurses.a
etc.
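The locate sweeps above produce a long list on any cPanel box, most of it the OS/CPanel files just mentioned. The script below is an added example, not part of the original guide: it runs the same names through locate and drops only the hits the guide itself identifies as benign, so what is left is the part that still needs a look. The function names and the sample paths are constructed for this example; anything under a user's home directory is deliberately never filtered.

```sh
#!/bin/sh
# Added example: triage the output of the locate sweeps above by dropping the
# hits the guide identifies as OS/cPanel files. Function names and sample
# paths are constructed for this example.

# The guide's known-benign locations. Extend this list only after you have
# looked at the file; nothing under /home/<user> is ever excluded.
is_expected_hit() {
    case "$1" in
        /home/cpapachebuild/*)       return 0 ;;   # cPanel's Apache/PHP build tree (ext/ircg)
        /usr/local/cpanel/etc/sym/*) return 0 ;;   # cPanel's own eggdrop/bnc/psyBNC/ptlink .sym files
        /usr/lib/libncurses.*)       return 0 ;;   # the ncurses library, matched by "bnc"
        *)                           return 1 ;;
    esac
}

# stdin: one path per line (combined locate output); stdout: what is left to inspect.
triage_locate_hits() {
    while IFS= read -r path; do
        is_expected_hit "$path" || printf '%s\n' "$path"
    done
}

# Run the guide's full list of names and triage the result in one go.
# Not called below, because it needs the locate database of a real server.
sweep_for_bot_files() {
    for name in shell.php irc eggdrop bnc BNC ptlink BitchX guardservices psyBNC .rhosts; do
        locate "$name" 2>/dev/null
    done | sort -u | triage_locate_hits
}

# Constructed sample of what the sweep might return on a cPanel box.
sample_hits='/home/cpapachebuild/buildapache/php-4.3.1/ext/ircg
/usr/local/cpanel/etc/sym/eggdrop.sym
/usr/lib/libncurses.so
/home/user1/public_html/img/shell.php
/home/user2/eggdrop/eggdrop.conf
/home/user3/.rhosts'

printf '%s\n' "$sample_hits" | triage_locate_hits
```

On the sample input the three cPanel/OS paths disappear and the three paths under /home remain; those are the ones to open and read before deciding whether the account needs its shell removed.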




Disable identification output for Apache

To disable the version output for Apache, SSH into server and login as root.

At command prompt type: pico /etc/httpd/conf/httpd.conf


Scroll (way) down and change the following line to

ServerSignature Off


Restart Apache

At command prompt type: /etc/rc.d/init.d/httpd restart


These are applications that will help to secure your server.



Install chkrootkit

To install chkrootkit, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

At command prompt type: tar xvzf chkrootkit.tar.gz

At command prompt type: cd chkrootkit-0.44

At command prompt type: make sense


To run chkrootkit

At command prompt type: /root/chkrootkit-0.44/chkrootkit

Make sure you run it on a regular basis, perhaps including it in a cron job.




Install APF Firewall

To install APF, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

At command prompt type: tar -xvzf apf-current.tar.gz

At command prompt type: rm -f apf-current.tar.gz

At command prompt type: cd apf-0.9.4-6

At command prompt type: sh ./install.sh


After APF has been installed, you need to edit the configuration file.

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf


Scroll down and find

USE_DS="0"

change it to

USE_DS="1"


Now scroll down and configure the Ports. The following ports are required for CPanel:
Code:
Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,6666,7786,3000_3500"

Note: If you changed the port for SSH, be sure to include that port and remove port 22.

-----
21 FTP (TCP)
22 SSH (TCP)
25 SMTP (TCP)
53 DNS - Domain Name Server (TCP)
80 HTTP (TCP)
110 POP3 (TCP)
143 IMAP (TCP)
443 HTTPS (TCP)
465 sSMTP (TCP)
953 ??BIND??
993 IMAP4 protocol over TLS/SSL (TCP)
995 POP3 protocol over TLS/SSL (was spop3) (TCP)
2082 CPANEL (http://sitename.com:2082) (TCP)
2083 CPANEL SSL (https://sitename.com:2083) (TCP)
2084 entropychat server (disable from CPANEL service manager if not used) (TCP)
2086 WHM (http://sitename.com:2086) (TCP)
2087 WHM SSL (https://sitename.com:2087) (TCP)
2095 WebMail (http://sitename.com:2095) (TCP)
2096 WebMail SSL (https://sitename.com:2096)
3306 mySQL remote access (TCP)
6666 Melange chat Server (disable from CPANEL service manager if not used) (TCP)
7786 Interchange (TCP)
3000_3500
-----
5100 for ASP,
8080 and 8443 for JSP if you use them.
-----

Code:
Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,6277"

-----
53 DNS - Domain Name Server
6277 SpamAssassin / DCC (email scanning)
-----

Code:
Common ICMP (inbound) types
IG_ICMP_TYPES="3,5,11,0,30,8"

-----
0 Echo Reply
3 Destination Unreachable
5 Destination Unreachable
8 Echo
11 Time Exceeded
30 Traceroute
-----

Code:
Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,37,53,80,110,113,123,443,43,873,953,2089,2703,3306"

-----
21 FTP
25 SMTP
37 Required for CPANEL Licensing
53 DNS - Domain Name Server
80 HTTP
110 POP3 (if you have scripts that need to retrieve email via POP, e.g. HelpDesk)
113 Authentication Protocol (AUTH)
123 NTP (Network Time)
443 HTTPS
43 WHOIS
873 rsync (CPanel updates)
953 BIND ??
2089 Required for CPANEL Licensing
2703 Razor (email scanning)
3306 mySQL remote access
-----

Code:
Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53,873,953,6277"

-----
20 ftp-data
21 FTP
53 DNS - Domain Name Server
873 rsync
953 BIND ??
6277 SpamAssassin / DCC (email scanning)
-----

Code:
Common ICMP (outbound) types
EG_ICMP_TYPES="all"




Save the changes then exit.
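APF reads conf.apf without complaining about a malformed port list, and the usual way to find out that a list is wrong is to be locked out after `apf -s`. The checker below is an added example, not part of APF or the original guide: it parses a list in APF's own syntax (comma separated, `low_high` for a range), rejects entries that are not ports, and, for an ingress list, confirms that the SSH port you chose is open and that 22 is no longer. The function names and sample lists are mine; the samples include the kind of errors that creep into these strings when they are pasted, namely stray spaces inside a number and a `#` inside the quotes, which does not comment anything out.

```sh
#!/bin/sh
# Added example: sanity-check an APF port list before restarting the firewall.
# Function names and sample lists are constructed for this example.

# A single port: digits only, 1-65535.
port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# $1 = comma-separated list ("a_b" is a range, as APF writes it)
# $2 = the SSH port you chose, or "" for an egress list where SSH does not apply
# Prints one line per problem; the return value is the number of problems found.
apf_check_ports() {
    list=$1; sshport=$2; bad=0; has_ssh=0; has_22=0
    if [ -n "$sshport" ] && ! port_ok "$sshport"; then
        echo "SSH port '$sshport' is not a valid port"; return 1
    fi
    old_ifs=$IFS; IFS=','
    for tok in $list; do
        tok=$(printf '%s' "$tok" | tr -d ' \t')   # stray blanks are a common paste error
        [ -n "$tok" ] || continue
        case "$tok" in
            *_*) lo=${tok%_*}; hi=${tok#*_} ;;
            *)   lo=$tok; hi=$tok ;;
        esac
        if ! port_ok "$lo" || ! port_ok "$hi" || [ "$lo" -gt "$hi" ]; then
            echo "bad entry '$tok' (digits or low_high only; a # inside the quotes is not a comment)"
            bad=$((bad+1)); continue
        fi
        if [ -n "$sshport" ] && [ "$lo" -le "$sshport" ] && [ "$sshport" -le "$hi" ]; then has_ssh=1; fi
        if [ "$lo" -le 22 ] && [ 22 -le "$hi" ]; then has_22=1; fi
    done
    IFS=$old_ifs
    if [ -n "$sshport" ]; then
        [ "$has_ssh" -eq 1 ] ||
            { echo "SSH port $sshport is not in the list: starting APF would lock you out"; bad=$((bad+1)); }
        [ "$sshport" -eq 22 ] || [ "$has_22" -eq 0 ] ||
            { echo "port 22 is still open although sshd was moved to $sshport"; bad=$((bad+1)); }
    fi
    return $bad
}

# Constructed samples: an ingress list pasted with stray spaces and port 22 still
# in it while sshd now runs on 5678, the repaired list, and an egress list with a
# '#' that was meant to disable NTP.
as_pasted="21,22,25,53,80,110,143,465,953,993,995,2082,2083  ,2084,2086,2087,2095,2096,3306,6666,7786,3000_35  00"
repaired="21,25,53,80,110,143,443,465,953,993,995,2082,2083,2084,2086,2087,2095,2096,3306,5678,6666,7786,3000_3500"
egress="21,25,37,53,80,110,113,#123,443,43,873,953,2089,  2703,3306"

for l in "$as_pasted" "$repaired"; do
    rc=0; apf_check_ports "$l" 5678 || rc=$?; echo "-> $rc problem(s)"
done
rc=0; apf_check_ports "$egress" "" || rc=$?; echo "-> $rc problem(s)"
```

The pasted ingress list yields two problems (5678 missing, 22 still open), the repaired one none, and the egress list one (the `#123` entry). Run the checker on the value you intend to save, then restart APF while keeping your current SSH session open so a mistake can still be undone.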


To start APF

At command prompt type: /usr/local/sbin/apf -s

APF commands are:

-s start
-r restart
-f flush - stop
-l list
-st status
-a HOST allow HOST
-d HOST deny HOST


Log out of SSH and then login again.


After you are sure everything is working fine, change the DEV option

At command prompt type: cd /etc/apf

At command prompt type: pico -w conf.apf


Scroll down and find

DEVM="1"

change it to

DEVM="0"


Save changes, exit and then restart firewall,

At command prompt type: /usr/local/sbin/apf -r




Install BFD (Brute Force Detection)

To install BFD, SSH into server and login as root.

At command prompt type: cd /root/

At command prompt type: wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz

At command prompt type: tar -xvzf bfd-current.tar.gz

At command prompt type: cd bfd-0.4

At command prompt type: ./install.sh


After BFD has been installed, you need to edit the configuration file.

At command prompt type: pico /usr/local/bfd/conf.bfd


Under Enable brute force hack attempt alerts:

Find

ALERT_USR="0"

and change it to

ALERT_USR="1"


Find

EMAIL_USR="root"

and change it to

EMAIL_USR="your@email.com"


Save the changes then exit.


To start BFD

At command prompt type: /usr/local/sbin/bfd -s




Modify LogWatch

Logwatch is a customizable log analysis system. It parses through your system's logs for a given period of time and creates a report analyzing areas that you specify, in as much detail as you require. Logwatch is already installed on most CPanel servers.


To modify LogWatch, SSH into server and login as root.

At command prompt type: pico -w /etc/log.d/conf/logwatch.conf


Scroll down to

MailTo = root

and change to

MailTo = your@email.com

Note: Set the e-mail address to an offsite account in case you get hacked.


Now scroll down to

Detail = Low

Change that to Medium, or High...

Detail = 5 or Detail = 10

Note: High will give you more detailed logs with all actions.

Save and exit.

Setting up Custom/Private Nameservers for your Resellers


This was the hardest topic to find clear and useful information on. I never did find any... but after taking a chance and experimenting with one of my dedis, it became clear.



Goto Server Setup =>> Tweak Settings

Scroll down to System and check Allow Sharing Nameserver Ips



When you setup a new reseller account...


Goto Account Functions =>> Create a New Account

Create new reseller account. Put a check in the Reseller box and Owner (only if reseller) box.


Goto Resellers =>> Reseller Center

Select the reseller and click on Edit Privileges/Nameservers.

Set account creation and feature limits

At the bottom enter resellers nameservers (ns1.reseller.com, ns2.reseller.com).


IMPORTANT

If you wish to assign private IPs click on Assign Ip Address, and then Add an A entry for this nameserver.

If you want the name server to use shared IP addresses do not assign an IP address.

Save your changes.


Goto DNS Functions =>> Edit a DNS Zone

Select reseller

Enter A entries for the nameservers along with their corresponding IP addresses

Code:
 ns1	 14440	 IN  A	 123.123.123.12
 ns2	 14440	 IN  A	 123.123.123.13


Save your changes.


Your resellers will have to create their nameservers at their domain registry as well. If they use Managed DNS, they will also have to add A records for the nameservers to their domain.

For more discussion, please check out WebHostingChat.com

 

 


 



© Copyright 2004. All Rights Reserved. www.dedicated-server-news.com Owned & Operated by Drenet Computers