This thread is for new VPS users (like me).

There are several ways to secure your VPS but retain effective functionality for the hosted domain on that VPS server. One method is to use your WHM interface to help secure your server. I'm hoping the "gurus" among us (Where are you? Show yourselves!) can add to this thread (I'll create a separate "how to" on securing the VPS via SSH when I get the time - or at least what I learned).

-------------------------------------------------------------------------------------------

Secure cPanel/WHM/Webmail to use encrypted connections only (that way users are not communicating information (usr/pwd) in plain text). (This post was created for WHM 11.2.0/cPanel 11.11.0-R16983.)

Note: Obviously, in each section remember to save the settings before navigating to another area of your WHM. (If you don't save settings before moving to another area, you'll simply be wasting your time and not changing anything.)

Navigate to: Main >> Service Configuration >> Manage Service SSL Certificates
Make sure the following all have appropriate certificates (if not, then install them):
- Exim (SMTP) Server
- Courier (POP3) Mail Server
- cPanel/WHM/Webmail Service
- Courier (IMAP) Mail Server
- FTP Server
Why? So that you can have encrypted connections. That way users are not sending usernames and passwords in plain text.

Navigate to: Main >> Server Configuration >> Tweak Settings >> Redirection
Enable "Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc." Then in the "When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to:" option, select the "Hostname" radio box. And in the "When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:" option, select the "SSL Certificate Name" radio box.

Navigate to: Main >> Server Configuration >> Tweak Settings
Under "Domains": click the checkbox to turn this feature on: "Prevent users from parking/adding on common internet domains. (ie hotmail.com, aol.com)"
Under "Mail": see "Default catch-all/default address behavior for new accounts. fail is usually the best choice if you are getting mail attacks." and select the radio button that says "blackhole".
Why? Using "blackhole" means the server will not respond and therefore will not tell spam operators that they have "hit" a live server. If they get a response, then they can start fishing. It also helps prevent spam sent to invalid addresses from appearing in your default email box.
See "Attempt to prevent pop3 connection floods" and click the checkbox to turn the feature on.
Under "System": click the checkbox to enable this feature if it's not already on: "Use jailshell as the default shell for all new accounts and modified accounts"
Why? Jailshell is a very limited shell that allows clients to log on to your server via SSH. It limits them to their home directories, keeping the rest of the files on your server from being viewed. Still use caution when giving users shell accounts on your server, as it's likely possible to break out of the jailshell.

Navigate to: Main >> Security >> Security Center
Click "PHP open_basedir Tweak" and click the checkbox that enables it if it's not already on.
Why? This stops users from opening files outside of their home directory with PHP (and trying to do bad things).

Navigate to: Main >> Security >> Security Center
Click "Apache mod_userdir Tweak" and click to enable "Enable mod_userdir Protection" if it's not already on.
Why? mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URL on a specific host. For example, http://www.yourdomain.com/~accountname/ will bring up the user 'accountname' domain. The disadvantage of this feature is that any bandwidth used by this site will be put on the domain it is accessed under (in this case www.yourdomain.com). mod_userdir protection prevents this from happening.

Navigate to: Main >> Security >> Security Center
Select "Compilers Tweak". Ensure the status says "Compilers are disabled for unprivileged users." If not, disable them.
Why? This tweak will disable the system's C and C++ compilers for unprivileged users. Many common exploits require a working C compiler on the system. You can also choose to allow some users to use the compilers while they remain disabled by default. You don't want everyone to be able to compile stuff.

Navigate to: Main >> Security >> Security Center
Select "Shell Fork Bomb Protection" and ensure the status is enabled.
Why? This prevents users with terminal access (ssh/telnet) from using up the server's resources and possibly crashing the server.

Navigate to: Main >> Security >> Manage Wheel Group Users
Make sure that ONLY "root" is included in "Users Currently in the wheel group". Remove non-root accounts. This defines which groups can use the system's `su` utility. Among other things, su can be used to run multiple shells and on some systems can be used to brute force user passwords, etc.

Navigate to: Main >> Service Configuration >> FTP Configuration
Under the (bold) heading that says "Anonymous FTP", make sure the status says "disabled".

Navigate to: Main >> Account Functions >> Manage Shell Access
Make sure that under the "Shell" column, you see the word "disabled" beside every domain - except yours!

Navigate to: Main >> Security >> Quick Security Scan
Run the "Quick Security Scan" by clicking the "Proceed" button.

Navigate to: Main >> Security >> Scan for Trojan Horses
Run the "Scan for Trojan Horses" by clicking the "Proceed" button.
As far as I could research, the following are NOT trojans:
/dev/stderr
/usr/bin/xsltproc
/usr/bin/dbiprof
/usr/sbin/pureauth
/usr/bin/xslt-config
/usr/lib/libexslt.la
/usr/lib/libxslt.la
/usr/bin/xmlcatalog
/usr/bin/xmllint
/etc/cron.daily/logrotate
/usr/bin/mysqlhotcopy
/usr/bin/curl
/usr/lib/libcurl.so.3.0.0
/usr/bin/cpan
/usr/bin/instmodsh
/usr/bin/prove
/usr/bin/psed
/usr/bin/pstruct
/usr/bin/s2p
/usr/bin/splain
/usr/bin/xsubpp
/usr/bin/xml2-config
/usr/lib/libxml2.la
/usr/bin/curl-config

There are some other minor tweaks that could be added via WHM (you can choose to do those when you see them), but this at least covers what, in my opinion, are the most important areas. When I get time, I'll add another post about improving security via SSH (because there are some things you can't do via WHM).

Cheers!
Roger

Last edited by roger : 09-30-2007 at 01:45 PM. Reason: Added/Updated information
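The following is an added example (the editor's, not part of Roger's post and not cPanel's own tooling) that turns several of the WHM checks above into something you can run from an SSH session: it reads the files WHM edits for the wheel group, shell access, anonymous FTP, the compilers tweak and the catch-all address, and reports what is still open. The sample files it builds are constructed to look like a VPS that has not been hardened yet; the `/etc/valiases` line format and the assumption that the compilers tweak removes the world-execute bit from the compiler binaries are stated as assumptions in the comments.

```shell
#!/bin/sh
# Added example: spot-check a few of the WHM settings above from an SSH session
# by reading the files WHM edits. Not from the original post or from cPanel.
# Every function takes the file to inspect as $1, so it can be pointed at the
# live file (/etc/group, /etc/passwd, /etc/pure-ftpd.conf, /usr/bin/gcc,
# /etc/valiases/<domain>) or at the constructed samples made by make_samples.

# Manage Wheel Group Users: print wheel members other than root.
# Empty output means only root can use su.
wheel_extras() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# Manage Shell Access: print accounts (uid >= 500) whose login shell is a real
# shell rather than jailshell or a no-login shell. Empty output = all "disabled".
shell_extras() {
    awk -F: '$3 >= 500 && $7 !~ /(jailshell|noshell|nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Anonymous FTP: succeed when a pure-ftpd.conf style file says "NoAnonymous yes".
anon_ftp_disabled() {
    awk 'tolower($1) == "noanonymous" && tolower($2) == "yes" { ok = 1 }
         END { exit !ok }' "$1"
}

# Compilers Tweak: succeed when the binary is not executable by "other" users
# (assumption: the tweak clears the world-execute bit on gcc/cc/g++).
compiler_locked_down() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????????[xt]) return 1 ;;   # world-executable: compilers still open
        *)             return 0 ;;
    esac
}

# Catch-all: print the target of the "*:" entry in a cPanel /etc/valiases/<domain>
# file. Assumed format (cPanel's valiases layout): "*: :blackhole:" or "*: :fail: ...".
catchall_target() {
    awk -F': ' '$1 == "*" { print $2 }' "$1"
}

# Constructed sample files standing in for a VPS that has NOT been hardened yet.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:\nwheel:x:10:root,bob\nusers:x:100:\n' > "$d/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'nobody:x:99:99::/:/sbin/nologin' \
        'alice:x:501:501::/home/alice:/usr/local/cpanel/bin/jailshell' \
        'bob:x:502:502::/home/bob:/bin/bash' > "$d/passwd"
    printf '# pure-ftpd\nNoAnonymous no\nPAMAuthentication yes\n' > "$d/pure-ftpd.conf"
    printf '*: :blackhole:\nsales@example.com: sales\n' > "$d/valiases"
    : > "$d/gcc" && chmod 755 "$d/gcc"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed samples.
samples=$(make_samples)
echo "wheel members besides root : $(wheel_extras "$samples/group")"
echo "accounts with a real shell : $(shell_extras "$samples/passwd")"
anon_ftp_disabled "$samples/pure-ftpd.conf" && echo "anonymous FTP : disabled" || echo "anonymous FTP : ENABLED"
compiler_locked_down "$samples/gcc" && echo "compilers : locked down" || echo "compilers : world-executable"
echo "catch-all target : $(catchall_target "$samples/valiases")"
rm -rf "$samples"
```

On a real box, point each function at the live file instead of the samples (for example `wheel_extras /etc/group` or `shell_extras /etc/passwd`); anything printed by the first two, or a failure from the next two, is a setting that the WHM pages above would still show as open.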
This is a really good post. The only thing I would suggest is possibly describing to the new VPS users why they need to enable/disable some of these things.
For instance, what is "Click "PHP open_basedir Tweak""? I have no idea. Heh
Yep. Happy! Haha
Roger - we will have to call you our "security guru" as you seem to be the man when it comes to security. Thanks for your /WHM post - keep up the good work.
Ha ha... So I'll have to put that in the forum signature! We get to wear cool "Security" t-shirts and shades. Cheers!
Yeah, that's for sure. :P
LOL, based on the avatar, I don't think that look will.. uhh, work?
Tweak Settings: this is a pretty good resource, and the URL can be backstepped.
Can someone follow-up on the stuff below? I think there's some ambiguity in the wording?
The link that marcOpolo submitted (Tweak Settings) says: "Disable Disk Quota display caching - If disabled, disk quotas will be updated continuously, but will slow down the machine significantly. If not disabled, disk quotas will be delayed by up to 15 minutes." This makes me think the check box should be selected. But WHM on the VPS says instead: "Disable Disk Quota display caching (WHM will cache disk usage which may result in the display of disk quotas being up to 15 minutes behind the actual disk usage. Disabling this may result in a large performance degradation.)" This makes me think the check box should NOT be selected. I think it should not be selected, is that correct?