Secure your cPanel server

Attackers grow in number day by day, so the security of your server should grow with them, right? Today I will help you secure your VPS or dedicated server running the cPanel control panel. These are the things you need to do to secure your cPanel server.

Do you have these?

  1. PuTTY.
  2. Basic knowledge of shell usage.
  3. The latest cPanel on CentOS or CloudLinux (recommended OS).
  4. Fast download and upload speed for your server.

Begin to Secure your cPanel server

We will start by installing a firewall on your server. I strongly recommend installing ConfigServer Security & Firewall (CSF), which is more user friendly than APF.

To install ConfigServer Firewall, log in as the "root" user via PuTTY and enter the following commands:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Now you have successfully installed ConfigServer Firewall! Next, log in to WHM as the "root" user. On the left side you will see a lot of options; at the bottom of that list is "ConfigServer Security&Firewall". Click it.

On the next page you will see a button named "Firewall Security Level". Click it and select the "Medium" option.

Now go back to ConfigServer Security&Firewall and this time click the option called "Check Server Security".

You will now see some red boxes with the text "WARNING". You should fix those warnings by reading the comment given just to the right of each one.

Most of the warnings are simple to fix: you just need to copy some commands or paste a line into a file. But some of the comments don't actually help you fix the warning, and I'll be telling you how to solve those!

1. Check root forwarder (to get alerts from your server)

The root account should have a forwarder set so that you receive essential email from your server. To fix this, create or open the file "/root/.forward", type the email address that should receive root's mail, and save it.

2. Check VPS FTP PASV hole (if you don't do this, FTP won't work)

Since the Virtuozzo VPS iptables ip_conntrack_ftp kernel module is currently broken, you have to open a PASV port hole in iptables for incoming FTP connections to work correctly. To fix this, open the file "/etc/pure-ftpd.conf", search for the line that says "PassivePortRange" and edit it to read "PassivePortRange 30000 35000". Then go back to "ConfigServer Security&Firewall", click the "Firewall Configuration" option and find the "TCP_IN" setting, which already contains a list of ports such as "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096".

There you must add one more entry: "30000:35000".

3. Check for kernel logger

syslogd appears to be running, but not klogd which logs kernel firewall messages to syslog. You should ensure that klogd is running.

First, edit the file "/etc/init.d/syslog". We will use the "nano" editor with the -c option, which shows the current line number so we can find the lines we need. Use the command below to open the file:

nano -c /etc/init.d/syslog

Search for the lines below (around line 42):

passed klogd skipped
#daemon klogd $KLOGD_OPTIONS

Replace them with the lines below:

#passed klogd skipped
daemon klogd $KLOGD_OPTIONS

Now search for 'status klogd' (around line 61) and uncomment it by removing the '#' symbol at the beginning of the line.

Now save the file and remember to restart syslog by entering this command:

/etc/init.d/syslog restart
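The PASV hole fix (step 2) and the klogd fix (step 3) are both small text edits that get silently undone when CSF, pure-ftpd or the syslog package is upgraded, so here they are as idempotent shell functions with a check that can be re-run afterwards. This is an added example, not a script from the original post; the function names are mine, and the file paths are parameters (on the real box they would be /etc/pure-ftpd.conf, /etc/csf/csf.conf and /etc/init.d/syslog), so the functions can be tried on copies first.

```shell
#!/bin/sh
# Added example, not from the original post: apply the "VPS FTP PASV hole" and
# "kernel logger" fixes as repeatable edits. File paths are parameters (assumed
# targets: /etc/pure-ftpd.conf, /etc/csf/csf.conf, /etc/init.d/syslog).
set -eu

PASV_LO=30000
PASV_HI=35000

# Set "PassivePortRange 30000 35000" in pure-ftpd.conf, replacing an existing
# (possibly commented-out) line or appending one if there is none.
set_pasv_range() {
    conf="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PassivePortRange' "$conf"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*PassivePortRange.*/PassivePortRange $PASV_LO $PASV_HI/" "$conf"
    else
        printf 'PassivePortRange %s %s\n' "$PASV_LO" "$PASV_HI" >> "$conf"
    fi
}

# Append "30000:35000" to the TCP_IN list in csf.conf unless it is already
# there, so running this twice does not duplicate the entry.
add_pasv_to_tcp_in() {
    conf="$1"
    range="$PASV_LO:$PASV_HI"
    if grep -E '^TCP_IN = "' "$conf" | grep -q "$range"; then
        return 0
    fi
    sed -i -E "s/^(TCP_IN = \"[^\"]*)\"/\1,$range\"/" "$conf"
}

# Re-enable klogd in the syslog init script: comment out "passed klogd skipped"
# and uncomment the "daemon klogd" and "status klogd" lines.
enable_klogd() {
    sed -i -E \
        -e 's/^([[:space:]]*)passed klogd skipped/\1#passed klogd skipped/' \
        -e 's/^([[:space:]]*)#[[:space:]]*(daemon klogd)/\1\2/' \
        -e 's/^([[:space:]]*)#[[:space:]]*(status klogd)/\1\2/' "$1"
}

# Exit 0 only when all three edits are in place: re-run this after an upgrade
# has overwritten one of the files.
verify_fixes() {
    grep -Eq "^PassivePortRange $PASV_LO $PASV_HI\$" "$1" &&
    grep -E '^TCP_IN = "' "$2" | grep -q "$PASV_LO:$PASV_HI" &&
    grep -Eq '^[[:space:]]*daemon klogd' "$3" &&
    grep -Eq '^[[:space:]]*status klogd' "$3"
}
```

After running the functions against the real files, restart pure-ftpd, csf and syslog as the post describes so the new settings are loaded.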

Have I missed something? Write a comment below so that I can help you with it 🙂

I hope you know "EasyApache (Apache Update)", as this tool guides you through the available options for updating your Apache web server, PHP, and optional modules. I have created a full configuration that has all the latest PHP modules as well as security settings and caching (for faster loading of websites) configured. You can download the file I created by clicking here (right click and save it).

Upload that file and recompile Apache!

Next, you can disable some functions in PHP. Please note this may stop some websites from loading, so if you see a broken site, check its error message and remove the offending function from this list accordingly. But do not remove the shell-related functions such as "shell_exec" unless you get a detailed explanation from your customer on why they are needed.

To disable these functions, find and edit (or add) the following line in /usr/local/lib/php.ini:

disable_functions = "dl,exec,shell_exec,system,passthru,popen,pclose,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_uname,symlink,mkdir,ini_restore,posix_getpwuid,error_log,print_r,scandir,copy,phpinfo,ini_set"
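Because a later edit, a commented-out duplicate or an EasyApache rebuild can quietly change this line, it is worth having a check that reads the effective disable_functions value out of a php.ini and reports which of the functions from the list above are still enabled. This is an added example, not part of the original post; the function names are mine and the php.ini path is a parameter (the post's file is /usr/local/lib/php.ini).

```shell
#!/bin/sh
# Added example, not from the original post: report which functions from the
# post's disable_functions list are still enabled in a given php.ini.
# The php.ini path is a parameter; the post edits /usr/local/lib/php.ini.
set -eu

# The 38 functions named in the post's disable_functions line.
WANTED="dl exec shell_exec system passthru popen pclose proc_open proc_nice
proc_terminate proc_get_status proc_close leak apache_child_terminate posix_kill
posix_mkfifo posix_setpgid posix_setsid posix_setuid escapeshellcmd escapeshellarg
fpassthru crack_check crack_closedict crack_getlastmessage crack_opendict psockopen
php_uname symlink mkdir ini_restore posix_getpwuid error_log print_r scandir copy
phpinfo ini_set"

# Print the effective disable_functions value of a php.ini: lines commented
# out with ';' are ignored, the last uncommented assignment wins, the
# surrounding quotes and any whitespace are stripped.
effective_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//; s/[[:space:]]//g'
}

# Print, one per line, every wanted function that is not disabled. Returns 0
# when nothing is missing, so it can gate a deploy or run from cron.
missing_disabled() {
    disabled=",$(effective_disabled "$1"),"
    rc=0
    for fn in $WANTED; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "$fn"; rc=1 ;;
        esac
    done
    return $rc
}
```

This reads the file only; compare it with what the running interpreter reports via php -i | grep disable_functions to be sure the web server's PHP is the one that picked up the edit.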

All right, so you want to check whether your server has any PHP shell files? Check right away by saving the script below anywhere and executing it.

For instance, I'm going to save this file in the root folder with the file name "scan", so first log in via PuTTY and enter these commands:

cd /root

vi scan

Now paste the code below into that file:

#!/bin/bash
# Scanning all users' directories for various PHP shells
# The egrep command below is one line, so make sure it is one line in your script or it will generate an error

# -R recurses into every public_html, -l prints each matching file name once
/bin/egrep -Rl "cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|/etc/passwd|revengans|myshellexec" /home/*/public_html > /root/scan.txt

# Write the all-clear message only when nothing matched (writing it first, as before, meant the egrep redirect overwrote it)
[ -s /root/scan.txt ] || echo "No PHP Shell was Found!" > /root/scan.txt

/bin/cat /root/scan.txt | mail -s "PHP Shell Scan" youremailid@gmail.com

Where "youremailid@gmail.com" should be your email address! Now save the file.

Now execute the script by running this command:

sh scan

It may take some time, even hours, depending on the number of files on your server, and it uses about 17.5% CPU (that is my server's CPU usage for that particular process!).

Do you want to run this script automatically via cron? Yes, you can! Just run the command "crontab -e" and put this line at the bottom of the file:

01 00 * * * /bin/sh /root/scan

This makes the PHP shell check run at one minute past midnight every day!

Also, please ask your customers to update their scripts to the latest versions and secure them accordingly. Make sure no PHP files have 777 permissions, and make sure the configuration files of your scripts are secured properly!
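The 777 check above can be scripted the same way as the shell scan: a find over every public_html that lists world-writable PHP files and directories, plus a function that tightens them to 644 and 755. This is an added example, not from the original post; the function names are mine and the home root is a parameter (on a cPanel server it would be /home).

```shell
#!/bin/sh
# Added example, not from the original post: find world-writable PHP files and
# directories under the customers' public_html trees and tighten them.
# The home root is a parameter; on a cPanel box pass /home.
set -eu

# List world-writable *.php files with their octal mode. -perm -002 tests the
# "other write" bit, so it catches 777, 666, 757 and similar, not just 777.
world_writable_php() {
    find "$1" -path '*/public_html/*' -type f -name '*.php' -perm -002 -printf '%m %p\n'
}

# List world-writable directories in or below public_html: a 777 directory
# lets any local user drop a new file there even when every file is 644.
world_writable_dirs() {
    find "$1" -path '*/public_html*' -type d -perm -002 -perm -002 -printf '%m %p\n'
}

# Tighten what the two listings report: files to 644, directories to 755.
fix_world_writable() {
    find "$1" -path '*/public_html/*' -type f -name '*.php' -perm -002 -exec chmod 644 {} +
    find "$1" -path '*/public_html*' -type d -perm -002 -exec chmod 755 {} +
}
```

Run the two listing functions first and mail yourself the output, as the shell scan does, before letting fix_world_writable change anything, since an application that genuinely needs a writable upload directory will need 755 with the right owner rather than 777.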

Another important thing: your server has an option called Anonymous FTP. Please disable it under FTP Server Configuration, since allowing anonymous FTP logins is generally considered to weaken the security of the server.

Well, that's all the tips I can give you. If you have any questions or any more tips, please feel free to post a comment; I'm sure it will be helpful for everyone who is reading this article and working with a cPanel server.




April 20, 2012