Server Hardening Bash Script For CPanel Servers

Securing your cPanel server is essential to protecting your data. This script performs basic cPanel server hardening. It can be run on CentOS 6 and 7 and CloudLinux 6 and 7 servers (stock kernel).

This script will install the following software on the cPanel server.

  • CSF installation and tweaks
  • Maldet scanner
  • Clamscan
  • Comodo ModSecurity Control
  • Rkhunter
  • Chkrootkit

Below are the changes that will be made to the server settings. Before making them, the script automatically backs up each configuration file in the same location so that you can easily revert the changes.

The changes to the server configuration files, each with a description, are listed here.

Changes in the cPanel configuration file:

Proxy subdomains off

Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm subdomains to the correct port (requires mod_rewrite, mod_headers, and mod_proxy)

Blank referrer safety checks on

Only permit cpanel/whm/webmail to execute functions when the browser provides a referrer. This will help prevent XSRF attacks but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.

Referrer safety check On

Only permit cpanel/whm/webmail to execute functions when the browser-provided referrer (Domain/IP and Port) exactly matches the destination URL. This will help prevent XSRF attacks but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.

Reset Password for cPanel accounts Off

This setting enables the Reset Password feature for cPanel account users. The Reset Password feature uses the account’s contact email address to verify a password reset request. The email contains a security code that verifies whether the user can access the Subaccount’s contact email address as part of the password reset verification process. The link to request this email displays in the cPanel login interface.

Reset Password for Subaccounts Off

This setting enables the Reset Password feature and new Subaccount invites for cPanel Subaccount users. The Reset Password feature uses the Subaccount’s contact email address to verify a password reset request. The email contains a security code that verifies whether the user can access the contact email address as part of the password reset verification process. The link to request this email displays in the cPanel login interface.

Hide login password from cgi scripts on

This setting hides the REMOTE_PASSWORD variable from scripts that the cpsrvd daemon’s CGI handler executes.

Enable Box Trapper spam trap Off

This setting allows you to enable Box Trapper. Box Trapper is a spam prevention system that uses blacklists, whitelists, and ignore lists, and an automated response-verification system.

Max hourly emails per domain to 150

The maximum number of emails each domain can send out per hour.

Restrict your system’s compilers

This script will disable system compilers. Most users do not require the use of C and C++ compilers. Many pre-packaged exploits require functional compilers.

To revert the changes, from the WHM interface, use WHM’s Compiler Access interface (WHM >> Home >> Security Center >> Compiler Access).

Changes in the CSF configuration file:

TESTING mode to 0

CSF starts in TESTING mode. Once the firewall is confirmed to be working, set TESTING to “0” in the Firewall Configuration; otherwise the lfd daemon remains stopped.

RESTRICT_SYSLOG option check

RESTRICT_SYSLOG is set to “3” to restrict who can access the syslog/rsyslog Unix socket.

PT_USERMEM disabled to avoid bulk notifications from LFD

SMTP_BLOCK disabled since it will not work if we are running CSF

PT_USERPROC disabled to avoid bulk notifications from LFD

LF_SCRIPT_ALERT enabled: this notifies you when a large amount of email is sent from a script on the server, which helps track down spam scripts

ConfigServer ModSecurity Control (CMC) installation.

This is an original and free add-on product for cPanel/WHM. The product provides you with an interface to the cPanel mod_security implementation from within WHM.

With ConfigServer ModSecurity Control you can:

  • Disable mod_security rules that have unique ID numbers on a global, per cPanel user or per hosted domain level
  • Disable mod_security entirely, also on a global, per cPanel user or per hosted domain level
  • Edit files containing mod_security configuration settings in /usr/local/apache/conf
  • View the latest mod_security log entries

SSH PORT CHANGE

While executing, the script will ask whether to change the SSH port as part of the security measures. If you answer “y” (yes), it automatically changes the port in the SSH configuration file and allows it in the CSF firewall’s TCP_IN list.

NOTE: If you are using AWS EC2 instances, Google Cloud instances or an external firewall, you need to add this port to their firewall rule list as well.
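The port change described above, as an added example that is not part of the hardening script: it rewrites the sshd Port directive, appends the port to CSF's TCP_IN only if it is not already there, and backs up each file first. The two config files are temp copies with constructed content so it runs offline; on a real host they would be /etc/ssh/sshd_config and /etc/csf/csf.conf, and the 1024-65535 port policy is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not the hardening script itself: move sshd to a new port and
# allow that port in CSF's TCP_IN, backing up each file first. The two config
# files are temp copies with constructed content so this runs offline; on a
# real host they would be /etc/ssh/sshd_config and /etc/csf/csf.conf.
set -u
WORK=$(mktemp -d)
SSHD_CONF="$WORK/sshd_config"
CSF_CONF="$WORK/csf.conf"
printf '#Port 22\nPermitRootLogin yes\n' > "$SSHD_CONF"
printf 'TESTING = "1"\nTCP_IN = "20,21,22,25,53,80,110,143,443"\n' > "$CSF_CONF"

# Accept only an unprivileged numeric port (assumed policy: 1024-65535).
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

backup() { cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"; }

# Rewrite an existing (possibly commented-out) Port line, or append one.
set_ssh_port() {
    valid_port "$1" || return 1
    backup "$SSHD_CONF"
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$SSHD_CONF"; then
        sed -i -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+/Port $1/" "$SSHD_CONF"
    else
        printf 'Port %s\n' "$1" >> "$SSHD_CONF"
    fi
}

csf_tcp_in() { sed -nE 's/^TCP_IN = "([^"]*)".*/\1/p' "$CSF_CONF"; }

# Add the port to TCP_IN unless it is already listed (safe to re-run).
csf_allow_tcp_in() {
    local current new
    valid_port "$1" || return 1
    current=$(csf_tcp_in)
    case ",$current," in *",$1,"*) return 0 ;; esac
    if [ -n "$current" ]; then new="$current,$1"; else new=$1; fi
    backup "$CSF_CONF"
    sed -i -E "s/^TCP_IN = \"[^\"]*\"/TCP_IN = \"$new\"/" "$CSF_CONF"
}

current_ssh_port() { sed -nE 's/^Port[[:space:]]+([0-9]+).*/\1/p' "$SSHD_CONF"; }
```

After a real change, restart sshd and CSF, and keep the existing session open until a new connection on the new port succeeds.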

DISABLE FUNCTIONS IN PHP:

It will add a common disable_functions list to every PHP version installed on the server (including EasyApache 4 and Alt-PHP).

The most commonly disabled functions are “show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open”.
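Applying that list across several PHP installations, as an added example that is not the hardening script: it merges the baseline into every php.ini it finds, keeping any functions the administrator had already disabled, and backs each file up first. The directory tree is constructed here; the real layout (EasyApache 4 under /opt/cpanel/ea-php*/root/etc/php.ini and Alt-PHP under /opt/alt/php*/etc/php.ini) is an assumption, not from the page.

```shell
#!/usr/bin/env bash
# Added example, not the hardening script itself: merge the baseline
# disable_functions list into every php.ini found under a root, keeping any
# functions the admin already disabled. The tree below is constructed; the
# real paths (/opt/cpanel/ea-php*/root/etc/php.ini for EasyApache 4 and
# /opt/alt/php*/etc/php.ini for Alt-PHP) are an assumption, not from the page.
set -u
ROOT=$(mktemp -d)
mkdir -p "$ROOT/ea-php74/root/etc" "$ROOT/alt/php81/etc"
printf 'disable_functions = exec,system\nmemory_limit = 128M\n' > "$ROOT/ea-php74/root/etc/php.ini"
printf 'memory_limit = 256M\n' > "$ROOT/alt/php81/etc/php.ini"

BASELINE="show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open"

# Union of the file's current list and BASELINE: sorted, deduplicated, comma-joined.
merged_list() {
    local current
    current=$(sed -nE 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | tr -d '[:space:]')
    printf '%s\n%s\n' "$current" "$BASELINE" | tr ',' '\n' | grep -v '^$' | LC_ALL=C sort -u | paste -sd, -
}

# Rewrite the directive in place (or append it) after a timestamped backup.
harden_ini() {
    local new
    new=$(merged_list "$1")
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    if grep -Eq '^[[:space:]]*disable_functions[[:space:]]*=' "$1"; then
        sed -i -E "s/^[[:space:]]*disable_functions[[:space:]]*=.*/disable_functions = $new/" "$1"
    else
        printf 'disable_functions = %s\n' "$new" >> "$1"
    fi
}

# Apply to every php.ini under ROOT; backups are named php.ini.bak.*, so -name skips them.
harden_all() {
    find "$ROOT" -name php.ini | while IFS= read -r f; do harden_ini "$f"; done
}

current_disabled() { sed -nE 's/^disable_functions = //p' "$1"; }
```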

HOST.CONF Tweak:

This will set the entries below in the /etc/host.conf file to help prevent IP spoofing and DNS poisoning.

[root@server /]# cat /etc/host.conf
order bind,hosts
multi on
nospoof on

KERNEL UPDATE:

Finally, it will check whether a newer kernel is available. If so, it will ask the user for confirmation before updating the kernel to the latest version. After updating the kernel, it checks the grub file to make sure the new kernel entry has been added.

To download the script, run the commands below in your Linux terminal:

#wget -O harden.sh https://www.dropbox.com/s/thd1lcs46ztsuqk/hardening.sh?dl=0
#chmod +x harden.sh

To start the server hardening process:

#./harden.sh

Now provide the runtime arguments to complete the server hardening process.

Thanks.

D KarthiKeyan
