Security 1

Physical Security
Local Security
Remote Security

Your server is just like your office.
Keep a secure server, and know what's going on at
all times.

Insecure passwords are the most common security
Use at least 8 characters
Include alphanumeric and grammatical symbols.

Shell Access for Users
Limit shell access
Always use Jailshell

Secure SSH
Run ssh on a different port
Use Protocol 2 only
– Port 22 -> Port 1887
– Protocol 2,1 -> Protocol 2
Enable public key authentication
Disable password and PAM authentication

SSH Keys
A great tool for locking down access to your server.
Public key authentication uses a private key and a
public key to authenticate users.

SSH Password Auth Tweak
Disables Password Authentication
Creates a key to authenticate SSH sessions

Shell Resource Limits
Start with very relaxed settings and set stricter limits
as needed.

Limits.conf Explained
<domain> can be:
- a user name
- a group name, with @group syntax
<type> can have the two values:
- "soft" for enforcing the soft limits
- "hard" for enforcing hard limits
<item> can be one of the following:
- nofile - max number of open files
- rss - max resident set size (KB)
- cpu - max CPU time (MIN)
- nproc - max number of processes
- maxlogins - max number of logins for this user

Shell Resource Limits cont.
Example settings to start with
– <domain> <type> <item> <value>
– @users hard nofile 500
– @users hard cpu 30
– @users hard nproc 150
– @users soft nproc 100
– @users hard rss 50000
– @users - maxlogins 3
– nobody hard nofile 16384
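The limits.conf format explained on the two slides above, as an added example that is not from the slides: an awk-based validator that catches the entries that would silently fail to enforce anything (wrong field count, bad type or value, a soft limit above its hard limit). The sample files and the function name are constructed.

```shell
# Added example (not from the slides): check a limits.conf fragment for the
# mistakes that leave a limit unenforced. Sample files are constructed.
LIM_DEMO_DIR=$(mktemp -d)
# the starting settings from the slide above
cat > "$LIM_DEMO_DIR/good.conf" <<'EOF'
@users hard nofile 500
@users hard cpu 30
@users hard nproc 150
@users soft nproc 100
@users hard rss 50000
@users - maxlogins 3
nobody hard nofile 16384
EOF
# three mistakes: a soft limit above its hard limit, a missing value, a non-numeric value
cat > "$LIM_DEMO_DIR/bad.conf" <<'EOF'
@users hard nproc 150
@users soft nproc 200
@users hard nofile
alice hard cpu lots
EOF

# validate_limits <file>: prints one line per problem and a final "ERRORS=<n>".
validate_limits() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    NF != 4 { printf "line %d: expected <domain> <type> <item> <value>, got %d fields\n", NR, NF; errs++; next }
    {
        dom = $1; type = $2; item = $3; val = $4
        if (type != "soft" && type != "hard" && type != "-") { printf "line %d: type must be soft, hard or -\n", NR; errs++ }
        if (val !~ /^(-1|unlimited|[0-9]+)$/)       { printf "line %d: bad value %s\n", NR, val; errs++ }
        # "-" sets both limits; a later line for the same domain/item overrides an earlier one
        if (type != "hard") soft[dom, item] = val
        if (type != "soft") hard[dom, item] = val
        seen[dom, item] = 1
    }
    END {
        for (k in seen) {
            if ((k in soft) && (k in hard) && soft[k] ~ /^[0-9]+$/ && hard[k] ~ /^[0-9]+$/ && soft[k] + 0 > hard[k] + 0) {
                split(k, p, SUBSEP)
                printf "%s %s: soft %s exceeds hard %s\n", p[1], p[2], soft[k], hard[k]; errs++
            }
        }
        print "ERRORS=" errs + 0
    }' "$1"
}

validate_limits "$LIM_DEMO_DIR/bad.conf"
```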

Shell Fork Bomb Protection
Prevent shell users from using up the server's
resources and possibly crashing the server.
Sets up rules based on 'ulimit' in bashrc.

Securing /tmp
Many exploits can be run from an insecure tmp
Use a separate partition for /tmp that is mounted
with nosuid.
/scripts/securetmp will mount your /tmp partition to a
temporary file for extra security.
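A check for the /tmp mount described above, as an added example that is not from the slides: it reads a file in /proc/mounts format and reports whether the mountpoint is separate and carries nosuid. It also checks noexec and nodev, which goes beyond the slide; the sample mount tables, their paths and the function name are constructed.

```shell
# Added example (not from the slides): check that /tmp is its own mount and
# carries nosuid (plus noexec and nodev). The /proc/mounts samples are constructed.
MNT_DEMO_DIR=$(mktemp -d)
cat > "$MNT_DEMO_DIR/no_partition" <<'EOF'
/dev/sda1 / ext3 rw 0 0
EOF
cat > "$MNT_DEMO_DIR/nosuid_only" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
EOF
cat > "$MNT_DEMO_DIR/hardened" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/loop0 /tmp ext3 rw,nosuid,noexec,nodev 0 0
EOF

# check_mount_opts <mounts-file> <mountpoint>: /proc/mounts lines read
# "device mountpoint fstype options dump pass"; prints one OK/FAIL line.
check_mount_opts() {
    opts=$(awk -v mp="$2" '$2 == mp { print $4; exit }' "$1")
    if [ -z "$opts" ]; then
        echo "FAIL $2 is not a separate mount (it inherits the options of /)"
        return 0
    fi
    missing=""
    for want in nosuid noexec nodev; do
        case ",$opts," in
            *",$want,"*) ;;                       # option present
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "FAIL $2 is mounted without:$missing"
    else
        echo "OK   $2 ($opts)"
    fi
}

# run it against the live system when /proc/mounts is available
if [ -r /proc/mounts ]; then check_mount_opts /proc/mounts /tmp; fi
```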

Wheel Group Users
The ‘wheel’ group is a group of user accounts that
are allowed to get root access.
If you aren’t in the ‘wheel’ group, you are denied
access to root when using the 'su' command.

'su' gives a user full root access
'sudo' will allow users to run certain commands as
root without having full root privileges.
You can use /etc/sudoers to limit command access
to certain users.

Compilers Tweak
Disables the system's C and C++ compilers for all
Give specific users compiler access as needed.

Traceroute Tweak
Disables the system's traceroute utility.
Keeps users from running traceroute to map your
server's network.
Low-level risk

Remote Security
Brute Force Attacks
Access Control
Apache & PHP

iptables - Linux
APF – iptables frontend
ipfw – FreeBSD
For a full list of ports used, see:

Brute Force Protection
New feature of cPanel 11
cPanel uses 'cPHulkd' for protection
Monitors all pam auth modules and logs to a mysql
Protects all services that use PAM authentication; this
includes cPanel, WHM, SSH, FTP, IMAP and POP3

Brute Force Protection cont.
When an attack is detected, cPHulkd will disable
authentication to the service being attacked.
You can use WHM to customize thresholds and lock
out times.

Host Access Control
New feature of cPanel 11
Allows you to control access to server and specific

SMTP Tweak
Prevents users from bypassing the mail server to
send mail
Only allows MTA, mailman and root to connect to
remote SMTP servers.

Apache/PHP Security
PHP makes it simple for an amateur coder to
introduce a very insecure script or application.
Backdoors, shell imitation scripts, etc. can be
launched to give full access to the server, even if the
account has no shell access.

Apache Memory Usage
Calculates memory and CPU limits for apache
– Sets RLimitCPU and RLimitMEM
• RLimitCPU
– Sets a limit on CPU usage for all processes forked
off from child processes.
• RLimitMEM
– Sets a limit on memory usage for all processes
forked off from child processes.

Apache open_basedir
Prevents users from opening files outside of their
home directory with php scripts.

Allows easier tracking of scripts and forces them to
run as the user instead of 'nobody'
Enforces more secure file permissions.

Enable using Apache Update within WHM or
EasyApache to rebuild PHP with PHPSuExec
Things to keep in mind when enabling PHPSuExec
– User's local php.ini

PHP Configuration Editor
New feature of cPanel 11
Allows easy editing of global php.ini
– register_globals – Off
– safe_mode - On

WHM Plugins > mod_security
Real-time analysis of web requests; blocks
malicious requests.

ModSecurity Example
SecFilter "THEME_DIR=http"
[Mon May 28 06:08:01 2007] [error] [client] mod_security: Access denied with code 406.
Pattern match "THEME_DIR=http" at REQUEST_URI
[severity "EMERGENCY"] [hostname ""]
[uri "/modules/coppermine/themes/coppercop/theme.php?THEME_DIR="]
Request: - -
[28/May/2007:06:08:01 -0500]
"GET /modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
HTTP/1.1" 406 381 "-" "libwww-perl/5.803" - "-"
GET /modules/coppermine/themes/coppercop/theme.php?THEME_DIR= HTTP/1.1
Connection: TE, close
TE: deflate,gzip;q=0.3
User-Agent: libwww-perl/5.803
mod_security-action: 406
mod_security-message: Access denied with code 406. Pattern match "THEME_DIR=http" at REQUEST_URI [severity "EMERGENCY"]
HTTP/1.1 406 Not Acceptable
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Quick Security Scan
Automatically scans and stops unneeded services.
– Portmap, atd, cups, gpm, NIS, NFS statd
Check /etc/xinetd.conf and /etc/xinetd.d/

Other Security Concerns
Web Applications

Site Software
Proper Installation
Stay updated

Find all world writable files and directories
– find / \( -perm -a+w \) ! -type l >> world_writable.txt
• Fixing bad permissions can break poorly coded php/cgi

Find all suid/gid files
– find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >>
• Many files need these elevated permissions, do not “fix”
the reported files without knowing exactly how it will
affect the system
– sudo, su, mount, etc.
Find all files with no owner or group
– find / -nouser -o -nogroup >> no_owner.txt
• All files should be owned by a specific user or group
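The three find checks above, as an added example that is not from the slides: they are run over a constructed directory tree so the expected results are known before touching a real system. The tree, its file names and the function names are constructed; the slides' -a+w is written as octal -0002 and ls -ldb as ls -ld for portability.

```shell
# Added example (not from the slides): run the world-writable, setuid/setgid
# and no-owner checks over a constructed tree under a temp dir.
SCAN_DEMO=$(mktemp -d)
mkdir -p "$SCAN_DEMO/home/alice" "$SCAN_DEMO/usr/bin" "$SCAN_DEMO/tmp"
chmod 0755 "$SCAN_DEMO/home" "$SCAN_DEMO/home/alice" "$SCAN_DEMO/usr" "$SCAN_DEMO/usr/bin"
chmod 1777 "$SCAN_DEMO/tmp"                          # world-writable directory (sticky, like a real /tmp)
: > "$SCAN_DEMO/home/alice/upload.php"; chmod 0666 "$SCAN_DEMO/home/alice/upload.php"   # world-writable file
: > "$SCAN_DEMO/home/alice/index.php";  chmod 0644 "$SCAN_DEMO/home/alice/index.php"
: > "$SCAN_DEMO/usr/bin/passwd";        chmod 4755 "$SCAN_DEMO/usr/bin/passwd"          # setuid
: > "$SCAN_DEMO/usr/bin/wall";          chmod 2755 "$SCAN_DEMO/usr/bin/wall"            # setgid
ln -s upload.php "$SCAN_DEMO/home/alice/link"        # symlinks are skipped: their own mode is meaningless

# Each function prints matching paths, one per line, for the tree under $1.
find_world_writable() { find "$1" -perm -0002 ! -type l; }
find_setid()          { find "$1" \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; ; }
find_unowned()        { find "$1" \( -nouser -o -nogroup \); }
count_lines()         { wc -l | tr -d ' '; }

find_world_writable "$SCAN_DEMO"    # expected: the tmp directory and upload.php
find_setid "$SCAN_DEMO"             # expected: passwd and wall
```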

Trojan Horse Scan
Looks for any modified binary files on the system
that could be a potential trojan or rootkit.

3rd Party Security Tools
ELS – Easy Linux Security
– Commercial:
– OSS Branch:

Scan Alert
HackerSafe + PCI Compliance
cPanel Partner

Day to Day Security
Look for programs attached to ports that you did not
install / authorize
– netstat -anp
Check logs frequently to make sure your system is
functioning as expected.
– /var/log/
– /usr/local/apache/logs/

General Policies
Use sftp, scp, smtp+ssl, pop+ssl and cPanel over
Change passwords frequently
Monitor the system logs.

Stay Informed
Join mailing lists to get information when it is first
• Bugtraq
• Incidents
• One of the best, unmoderated sources of security issues.

cPanel Security Center
Reference for all security news and updates
regarding cPanel

Q & A
Ask away!
