Securing your VPS using the WHM interface

Posted by roger, 09-29-2007, 01:24 PM

This thread is for new VPS users (like me).

There are several ways to secure your VPS but retain effective functionality for the hosted domain on that VPS server. One method is to use your WHM interface to help secure your server.

I'm hoping the "gurus" among us (Where are you? Show yourselves) can add to this thread (I'll create a separate "how to" secure the VPS via SSH when I get the time - Or at least it's what I learned).

-------------------------------------------------------------------------------------------

Secure cPanel/WHM/Webmail to use encrypted connections only (that way users are not communicating information (usr/pwd) in plain text).
(This post created for WHM 11.2.0/cPanel 11.11.0-R16983).

Note: Obviously in each section, remember to save the settings before navigating to another area of your WHM. (If you don't save the settings before moving to another area, you'll simply be wasting your time and not changing anything).


Navigate to: Main >> Service Configuration >> Manage Service SSL Certificates

And make sure the following all have appropriate certificates (if not, then install them):

Exim (SMTP) Server
Courier (POP3) Mail Server
cPanel/WHM/Webmail Service
Courier (IMAP) Mail Server
Ftp Server

Why? So that you can have encrypted connections. That way users are not sending usernames and passwords in plain text.

Navigate to Main >> Server Configuration >> Tweak Settings >> Redirection

Enable “Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.”

Then in the “When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to:” option, select the “Hostname” radio box.

And in the “When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:” option, select the “SSL Certificate Name” radio box.

Navigate to Main >> Server Configuration >> Tweak Settings


Under "Domains"


Click the checkbox to turn this feature on: "Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)"

Under "Mail"


See "Default catch-all/default address behavior for new accounts. fail is usually the best choice if you are getting mail attacks." and select the radio button that says "blackhole"

Why? Using "Blackhole" means the server will not respond, and therefore will not tell spam operators that they have "hit" a live server. If they get a response, then they can start fishing. It also helps prevent spam sent to invalid addresses from appearing in your default email box.

See "Attempt to prevent pop3 connection floods" and click the checkbox to turn the feature on.

Under "System"

Click the checkbox to enable this feature if it's not already on: "Use jailshell as the default shell for all new accounts and modified accounts"

Why? Jailshell is a very limited shell that allows clients to log on to your server via SSH. It limits them to their home directories, keeping the rest of your files on your server from being viewed. Still use caution when giving users shell accounts on your server, as it's likely possible to break out of the jailshell.

Navigate to: Main >> Security >> Security Center

Click "PHP open_basedir Tweak"
and click the checkbox that enables it if it's not already on.

Why? This stops users from opening files outside of their home directory with PHP. (And trying to do bad things).

Navigate to: Main >> Security >> Security Center

Click "Apache mod_userdir Tweak"
and click to enable "Enable mod_userdir Protection" if it's not already on

Why? This allows users to view their sites by entering a tilde(~) and their username as the url on a specific host. For example http://www.yourdomain.com/~accountname/ will bring up the user 'accountname' domain. The disadvantage of this feature is that any bandwidth usage used by this site will be put on the domain it is accessed under (in this case www.yourdomain.com). mod_userdir protection prevents this from happening.


Navigate to: Main >> Security >> Security Center

Select "Compilers Tweak"
Ensure the status says "Compilers are disabled for unprivileged users."
If not, disable it.

Why? This tweak will disable the system's C and C++ compilers for unprivileged users. Many common exploits require a working C compiler on the system. You can also choose to allow some users to use the compilers while they remain disabled by default. You don't want everyone to be able to compile stuff.

Navigate to: Main >> Security >> Security Center

Select "Shell Fork Bomb Protection"
and ensure the status is enabled.

Why? This prevents users with terminal access (ssh/telnet) from using up the server's resources and possibly crashing the server.

Navigate to: Main >> Security >> Manage Wheel Group Users

and make sure that ONLY "root" is included in "Users Currently in the wheel group"
Remove non-root accounts.

This defines which groups can use the system's `su` utility. Among other things, su can be used to run multiple shells and on some systems can be used to brute force user passwords, etc.

Navigate to: Main >> Service Configuration >> FTP Configuration

Under the (bold) heading that says "Anonymous FTP", make sure the status says "disabled".

Navigate to: Main >> Account Functions >> Manage Shell Access

And make sure that under the "Shell" column, you see the word "disabled" beside every domain - Except yours!

Navigate to: Main >> Security >> Quick Security Scan

and run the "Quick Security Scan" by clicking the "Proceed" button.

Navigate to: Main >> Security >> Scan for Trojan Horses

and run the "Scan for Trojan Horses" by clicking the "Proceed" button.
As far as I could research, the following are NOT trojans:

/dev/stderr
/usr/bin/xsltproc
/usr/bin/dbiprof
/usr/sbin/pureauth
/usr/bin/xslt-config
/usr/lib/libexslt.la
/usr/lib/libxslt.la
/usr/bin/xmlcatalog
/usr/bin/xmllint
/etc/cron.daily/logrotate
/usr/bin/mysqlhotcopy
/usr/bin/curl
/usr/lib/libcurl.so.3.0.0
/usr/bin/cpan
/usr/bin/instmodsh
/usr/bin/prove
/usr/bin/psed
/usr/bin/pstruct
/usr/bin/s2p
/usr/bin/splain
/usr/bin/xsubpp
/usr/bin/xml2-config
/usr/lib/libxml2.la
/usr/bin/curl-config

There are some other minor tweaks that could be added via WHM (you can choose to do those when you see them), but this at least covers what, in my opinion, are the most important areas. When I get time, I'll add another post about improving security via SSH (because there are some things you can't do via WHM).

Cheers!
Roger

Last edited by roger; 09-30-2007 at 02:45 PM. Reason: Added/Updated information
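
The wheel group and shell access checks described in the post can also be confirmed from the account files themselves. The script below is an added example, not part of roger's post: it assumes cPanel's usual shell paths (/usr/local/cpanel/bin/noshell and /usr/local/cpanel/bin/jailshell), assumes hosting accounts start at UID 500, and runs against constructed sample files with made-up account names. On a real server, pass /etc/group and /etc/passwd instead.

```shell
#!/bin/sh
# Added example: audit wheel membership and shell access from account files.

# Print every member of the wheel group other than root, one per line.
# $1 = group file
wheel_extra_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# Print "user class" for hosting accounts that can still open a shell.
# $1 = passwd file, $2 = the one account that is meant to keep a shell.
# min=500 is an assumption: the first non-system UID on the server.
shell_enabled_users() {
    awk -F: -v keep="$2" -v min=500 '
        $3 < min || $1 == keep            { next }  # system accounts, your own
        $7 ~ /\/(noshell|nologin|false)$/ { next }  # shell disabled
        $7 ~ /\/jailshell$/               { print $1, "jailshell"; next }
                                          { print $1, "full-shell" }
    ' "$1"
}

# Constructed sample data (not taken from a real server).
SAMPLE=$(mktemp -d)
printf '%s\n' \
    'root:x:0:root' \
    'wheel:x:10:root,roger,olduser' > "$SAMPLE/group"
printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'mail:x:8:12:mail:/var/spool/mail:/sbin/nologin' \
    'roger:x:500:500::/home/roger:/bin/bash' \
    'shopsite:x:501:501::/home/shopsite:/usr/local/cpanel/bin/noshell' \
    'blogacct:x:502:502::/home/blogacct:/usr/local/cpanel/bin/jailshell' \
    'olduser:x:503:503::/home/olduser:/bin/bash' > "$SAMPLE/passwd"

echo "Wheel members other than root:"
wheel_extra_members "$SAMPLE/group"
echo "Accounts (other than roger) with shell access:"
shell_enabled_users "$SAMPLE/passwd" roger
```

Any name printed by the first check should be removed under Manage Wheel Group Users, and any account printed by the second should be set to disabled under Manage Shell Access unless it is there on purpose.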