Sunday, February 22, 2009

Cpanel initial setup and hardning

Cpanel initial setup and hardning

From Shell prompt

Applicable : Centos/RedhatEnterprise/FedoraCore

check the hardware

cat /proc/cpuinfo
cat /etc/redhat-release
uname -a
cat /proc/meminfo
==========================

SSH Server Hardening

nano -w /etc/ssh/sshd_config

Uncomment #Protocol 2, 1

Change to Protocol 2

Append these lines to the bottom:

LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding no

/etc/rc.d/init.d/sshd restart

============================

cd /etc

mv /etc/host.conf /etc/host.conf.bak

wget http://www.indiageeks.net/myscripts//host.conf

============================

mv /etc/sysctl.conf /etc/sysctl.conf.bak

cd /etc

wget http://www.indiageeks.net/myscripts/sysctl.conf

/sbin/sysctl -p

sysctl -w net.ipv4.route.flush=1

/sbin/ifconfig eth0 txqueuelen 1000

echo /dev/null > /proc/sys/kernel/core_pattern

=============================

cp /etc/fstab /etc/fstab.bak

First check to see that no /tmp partition is present.

df

If no /tmp partition is present, use this guide:

cd /usr

dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=1000000

mke2fs -j /usr/tmpMnt
cd /

cp -R /tmp /tmp_backup

mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp

chmod 0777 /tmp

/bin/cp -R /tmp_backup/* /tmp/

rm -rf /tmp_backup

nano -w /etc/fstab

At the bottom add

/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0

If “df” shows a /usr/tmpDSK partition,

Then leave it!

If a standard /tmp partition is already present,

nano -w /etc/fstab

change “defaults” to loop,noexec,nosuid,rw

mount /tmp

/tmp should always have this: loop,noexec,nosuid,rw

/tmp and /var/tmp should be symlinked on EVERY server.

rm -rf /var/tmp

ln -s /tmp /var/tmp

/dev/shm

nano -w /etc/fstab

in /dev/shm line, change 'defaults' to noexec,nosuid

umount /dev/shm

mount /dev/shm

rm -rf /etc/httpd/proxy

rm -rf /var/spool/vbox

mount -o remount,noexec,nosuid /proc

Modify /etc/fstab, add options “noexec,nosuid” to the /proc line:
none /proc proc defaults,noexec,nosuid 0 0

=====================================

php -i | grep php.ini



disable_functions = dl,passthru,proc_open,proc_close,shell_exec,system

/etc/rc.d/init.d/httpd restart

=========================================

Logwatch

cd /root/

wget http://www.indiageeks.net/myscripts//logwatch-7.3.1-1.noarch.rpm

rpm -Uvh logwatch-7.3.1-1.noarch.rpm

rm -rf /etc/logwatch/conf/logwatch.conf

cd /etc/logwatch/conf

wget http://www.indiageeks.net/myscripts//logwatch.conf

=====================

chmod 750 /usr/bin/GET
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/gcc
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp

history -c

=====================

From WHM:

Tweak Settings (Check all these options)

--------------

Allow Creation of Parked/Addon Domains that are not registered

Prevent users from parking/adding on common internet domains

E-mail users when they have reached 80% of bandwidth

Each domain can send out per hour: 500

Pop 3 in hour: 180

Allow Sharing Nameserver IPs

Use Jailshell as default

Set Default catch-all to FAIL

Delete each domain's access logs after stats run

Things to Uncheck

Boxtrapper

** When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.

** FormMail-clone cgi

Change:

The load average above the number of cpus at which logs file processing should be suspended (default 0):

To 10

** Number of minutes between mail server queue runs (default is 60).:

To 180

=================================================================================================

Tweak Security

--------------

open_basedir: Enable php open_basedir

Compilers disable

==========================

System Health - Background Process Killer

Check all of them

==========================

Please read carefully and make sure that you are aware of all the commands & settings and their effect.