cPanel Server Security

Hi everyone,

Someone asked me to share details about how we (currently) take care of security tweaks and the security of servers.

These security packages are meant for customers with cPanel at the moment, but we are also going to offer them for any other control panel (or no control panel). All clients who currently have one have cPanel on their server, though. Some clients also have a monthly updating service with it, so we check everything for updates then and fix, secure and optimize things where necessary.

There is not really a default package we use, since every system has different needs. The client often leaves it entirely up to us. With a new system we can’t know what it will be used for, though, so in that case we ask the client a couple of questions about what the server will be used for, so we can optimize it for that purpose. For instance, if a server uses a lot of PHP and MySQL, it’s a good idea to set up a PHP accelerator and MySQL query caching, since that improves performance a lot. The same goes for CGI, and you can picture the rest.

With the example above it’s a regular cPanel server, intended for regular shared hosting. I’ll go through the report step by step.

- In the main configuration we did the initial setup of the cPanel server, nothing unusual, same goes for basic security.
- SSH configuration: just disabling direct root access and things like that, which speaks for itself. If you need details on how I did something in particular, please ask.
- Instructions to log in are just for information purposes.
- Firewall configuration: we use APF from rfxnetworks.net and just configure it. I found these guidelines useful: http://www.eth0.us/?q=apf. Furthermore, some other scripts from rfxnetworks.net were installed, such as bfd and lsm.
- System integrity is also from rfxnetworks.net and the installation speaks for itself. Make sure not to enable monitoring of SMTP and FTP, though, since that very often leads to false positives.
- Environmental security: simply securing the tmp partition and things like that. For sysctl I usually use the ruleset here: http://www.eth0.us/?q=sysctl
- For mod_security I usually use the steps described here: http://www.eth0.us/?q=mod_security
- For Apache compilations in cPanel we use /scripts/easyapache and by default we enable things like GD, curl, curl ssl
- SSH security is just a matter of installing the latest versions.
- rkhunter can be found on www.rootkit.nl. If it returns false positives, make sure to run rkhunter --update (or something like that, don’t recall the exact command).
- The email scanning thing was a special request of this client and is usually not included. I used this tutorial: http://www.rvskin.com/index.php?page=public/antispam

Furthermore we just take care of things that speak for themselves, such as kernel upgrades, security patches, software upgrades, and anything else that may be useful like disabling the following apps for unauthorized users:

chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
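
Package updates can reinstall these binaries with their default mode, so it is worth checking that the restriction is still in place. The script below is an added example, not part of the original post: it audits the same five binaries for permission bits that users outside the owner and group still hold. The function name audit_bins and its optional ROOT prefix are assumptions made for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): report binaries from the
# chmod 750 list that users outside the owner and group can still reach.

RESTRICTED_BINS="rcp wget lynx links scp"   # names taken from the post

# audit_bins [ROOT]
#   ROOT is an assumed optional prefix so the check can run against a scratch
#   tree; leave it empty to inspect the live /usr/bin.
#   Prints one "OPEN ..." line per offending binary; returns 1 if any found.
audit_bins() {
    root=${1:-}
    found=0
    for name in $RESTRICTED_BINS; do
        path="$root/usr/bin/$name"
        [ -e "$path" ] || continue      # not installed, nothing to restrict
        # -L follows symlinks: chmod changes the target, so audit the target.
        info=$(stat -L -c '%a %U:%G' "$path") || continue
        mode=${info%% *}
        owner=${info#* }
        other=${mode#"${mode%?}"}       # last octal digit = "other" bits
        if [ "$other" != 0 ]; then
            echo "OPEN $path mode=$mode owner=$owner"
            found=1
        fi
    done
    return "$found"
}

# Demo on a constructed scratch tree (GNU stat assumed, as on a cPanel host).
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin"
: > "$demo/usr/bin/scp";  chmod 750 "$demo/usr/bin/scp"
: > "$demo/usr/bin/wget"; chmod 755 "$demo/usr/bin/wget"
ln -s wget "$demo/usr/bin/links"      # symlink resolves to the 755 file
audit_bins "$demo" || echo "world-accessible binaries remain"
rm -rf "$demo"
```

Calling audit_bins with no argument checks the live /usr/bin; the owner and group are printed because mode 750 only restricts access if the group itself is a narrow one.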

Furthermore, we usually set up eAccelerator (if you need assistance with that, let me know) and MySQL query caching. For some clients we set up FastCGI at their request.

If you have any useful suggestions for additions be sure to let me know.

This post is compiled by eUKhost.com
