Wednesday, July 11, 2007

How to optimize cPanel server

Basic steps to optimize the server and secure it against hack attempts

Steps for optimization :

1) First make sure the server is set up properly in WHM and that the proper features are selected (open_basedir protection turned on, and so on).

2) In WHM create a user named admin (with a random password) and add it to the wheel group, either through WHM (Manage Wheel Group Users) or by editing /etc/group; the wheel group is defined in /etc/group, there is no /etc/wheel. This is the account you will log in with and su to root from, so also check that /etc/pam.d/su actually enforces the wheel restriction: the pam_wheel.so line is commented out by default on RHEL/CentOS, and until it is uncommented anyone with a shell can try su. Then, in the SSHD configuration, turn off direct root login (PermitRootLogin no), move SSH to a port other than 22, and allow only protocol 2. Afterwards restart SSHD, but keep your current session open and confirm that you can log in on the new port as admin and su to root before you disconnect, otherwise you can lock yourself out.

service sshd restart
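The step 2 SSH changes as a script, added here as an example that is not part of the original post. It rewrites sshd_config (Port, Protocol, PermitRootLogin), validates the new file with sshd -t before installing it, and only then restarts. Port 2222, the config path and the set_option helper are assumptions of this example; whatever port you pick must also be opened in APF (step 3).

```shell
#!/bin/sh
# Added example (not from the original post): apply the step 2 SSH settings to
# sshd_config, validate the result with "sshd -t" before installing it, and
# restart only then. Port 2222 is an assumption; use whatever port you chose
# and open the same port in APF. Run as root.

SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
SSH_PORT=${SSH_PORT:-2222}

# set_option <config-text> <Key> <value>
# Prints the config with "Key value" present exactly once. An existing
# directive is replaced in place; a commented-out default such as
# "#PermitRootLogin yes" (comment marker, key, one value) is replaced too;
# further copies are dropped; if nothing matches the directive is appended.
# Keys match case-insensitively, as sshd's own parser does. Caveat: if the
# file ends with a Match block, an appended directive lands inside it.
set_option() {
    printf '%s\n' "$1" | awk -v key="$2" -v val="$3" '
        BEGIN { lk = tolower(key) }
        {
            line = $0
            commented = sub(/^[ \t]*#[ \t]*/, "", line)
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk && (!commented || n == 2)) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }'
}

# harden_sshd: back up, rewrite, test, install, restart. Keep the session you
# are working from open until a fresh login on $SSH_PORT as admin works.
harden_sshd() {
    cfg=$(cat "$SSHD_CONFIG")
    cfg=$(set_option "$cfg" Port "$SSH_PORT")
    cfg=$(set_option "$cfg" Protocol 2)
    cfg=$(set_option "$cfg" PermitRootLogin no)

    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    printf '%s\n' "$cfg" > "$SSHD_CONFIG.new"
    if ! /usr/sbin/sshd -t -f "$SSHD_CONFIG.new"; then
        echo "new sshd_config rejected by sshd -t; nothing changed" >&2
        rm -f "$SSHD_CONFIG.new"
        return 1
    fi
    mv "$SSHD_CONFIG.new" "$SSHD_CONFIG"
    service sshd restart
    echo "sshd restarted on port $SSH_PORT. Open a NEW session now; keep this one until it works."
}

# Usage: sh harden_sshd.sh apply   (without "apply" only the functions are defined)
if [ "${1:-}" = apply ]; then harden_sshd; fi
```

Run it with the apply argument from your existing session; it refuses to install a file that sshd -t rejects, and the final message is the reminder that matters: test a fresh login on the new port as admin, and su - to root, before closing the session you ran it from. If you also want AllowUsers admin, add one more set_option call, but only if no cPanel account needs shell access.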

3) Proceed by setting up APF. Enable features such as USE_AD (APF's anti-DoS module). Egress filtering (EGF) is off by default and most servers of this kind run without it, but it is the one control that limits what a compromised script can connect out to, so consider it where the client can live with a fixed outbound port list. Ingress filtering (IG_TCP_CPORTS and IG_UDP_CPORTS) should list only the ports cPanel needs, and nothing else. Close port 22 and open the SSH port you chose in the ssh configuration instead. Once you have confirmed you can still reach the box, set DEVEL_MODE to 0: while it is 1 a cron job flushes the firewall every five minutes, which is a safety net during setup and a hole afterwards. This tutorial is quite good:

http://www.eth0.us/?q=apf (don't forget to take out port 22).

4) Install BFD (Brute Force Detection) from rfxnetworks.net. It reads the authentication logs and bans repeat offenders through APF, so set it up after APF is working.

5) Install LSM (Linux Socket Monitor) from rfxnetworks.net. It alerts on new listening sockets, which is how you notice a backdoor binding a port.

6) Install SIM from rfxnetworks.net and use the configuration wizard to configure it. I assume you know what needs to be monitored. Set it up so that it monitors the right services (leave FTP and SMTP disabled) and enter the client's email address when it asks for one (you can find it in their ticket).

7) Secure the temp filesystems (/tmp and /dev/shm). I assume you know how to do this (fstab, noexec, nosuid, nodev and such; cPanel's /scripts/securetmp sets up a loopback-mounted /tmp with noexec and nosuid for you). Keep in mind that noexec only stops direct execution of files on that filesystem: an attacker can still run perl /tmp/x.pl, so this is a speed bump on top of the other steps, not a wall.
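An added example for step 7, not from the original post: an audit of the /tmp and /dev/shm mount options that runs against /proc/mounts or a pasted mount table, plus the remount and the fstab line that make the result persist. The REQUIRED_OPTS list, the function names and the apply argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): check whether /tmp and /dev/shm
# are mounted noexec,nosuid,nodev and, if not, remount them and print the
# /etc/fstab line that makes it stick. The mount table is passed in as text so
# the check runs against /proc/mounts on the box or a constructed sample.
# The hardening part needs root.

REQUIRED_OPTS="noexec nosuid nodev"

# missing_opts <mountpoint> <mount-table-text>
# Prints the required options that the mountpoint's entry lacks (nothing when
# fully hardened) or NOTMOUNTED when there is no entry. Exit status 0 only
# when nothing is missing. The last matching entry wins, as in /proc/mounts.
missing_opts() {
    opts=$(printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo NOTMOUNTED
        return 1
    fi
    missing=""
    for o in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$o,"*) ;;
            *) missing="$missing $o" ;;
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# fstab_line <mountpoint> <mount-table-text>: the fstab entry that makes the
# hardening persistent, built from the live mount (device and filesystem type).
# Prints nothing when the mountpoint is not a separate filesystem.
fstab_line() {
    printf '%s\n' "$2" | awk -v mp="$1" \
        '$2 == mp { dev = $1; fs = $3 } END { if (fs) print dev, mp, fs, "defaults,noexec,nosuid,nodev 0 0" }'
}

# harden_tmp: remount both filesystems now and print the fstab lines to apply.
harden_tmp() {
    table=$(cat /proc/mounts)
    for mp in /tmp /dev/shm; do
        if missing_opts "$mp" "$table" >/dev/null; then
            echo "$mp already hardened"
            continue
        fi
        mount -o remount,noexec,nosuid,nodev "$mp" || return 1
        echo "remounted $mp; make it persistent with this /etc/fstab line:"
        fstab_line "$mp" "$table"
    done
}

# Usage: sh securetmp_check.sh apply   (without "apply" only the functions are defined)
if [ "${1:-}" = apply ]; then harden_tmp; fi
```

missing_opts /tmp "$(cat /proc/mounts)" prints what is still missing; with the apply argument the script remounts and prints the fstab lines. If /tmp is not a separate filesystem at all, fstab_line prints nothing and a remount would hit the root filesystem: run /scripts/securetmp first, which creates a loopback file and mounts it on /tmp, then re-run the check.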

8) Run /scripts/compilers off (this makes gcc and the other compilers usable by root only, so a user with a shell cannot build an exploit on the box).

9) Use this tutorial to secure sysctl: http://www.eth0.us/?q=sysctl

10) Use /scripts/easyapache (option 6) to recompile Apache. Right now use PHP 4.3.11 (unless stated otherwise by the client; this is the version the rest of this guide, in particular the eAccelerator RPM, was written against) and enable modules such as GD, curl, curl SSL and mcrypt.

11) Use /scripts/installzendopt to install zend optimizer

12) Use this tutorial to further secure PHP: http://www.eth0.us/?q=php

13) Set up eAccelerator using the attached RPM (which will only work for PHP 4.3.11 - do NOT use it if you have set up a different PHP version). Install the RPM, and afterwards do this:

- Open the php.ini that Apache actually loads (this guide assumes /usr/lib/php.ini; cPanel builds often use /usr/local/lib/php.ini, so check the Configuration File line of php -i first): pico /usr/lib/php.ini

- Press ctrl + w to search in the document, search for zend_extension, and insert this directly under that line: zend_extension="/usr/lib/php4/eaccelerator.so" - then save the file and exit.

- Create the cache directory /tmp/eaccelerator. The stock instruction is to chmod it to 0777, which makes it world-writable; if PHP runs as a single user (nobody, the default with a DSO build), chown the directory to that user and use 0700 instead so other local users cannot write into the cache. (With suPHP, PHP runs as each account's user and does need the 0777.)

- Now restart Apache. If the server is active and PHP scripts are running you'll see /tmp/eaccelerator fill up with cached requests. It's important that you verify Apache is running after this is done (service httpd status, or look for httpd processes). If not, take out the line you inserted in php.ini and restart Apache again (eAccelerator is then disabled). If this ever happens let me know.

14) Lastly an important note about eAccelerator: it is compiled against one specific PHP build, so if it is enabled and you rebuild Apache/PHP to a different version (easyapache), Apache will keep failing to start until eAccelerator is disabled. The proper procedure is: first disable eAccelerator (remove its zend_extension line and restart Apache), then upgrade Apache/PHP, then rebuild and install eAccelerator for the new PHP version, and only then re-enable it.
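The php.ini handling of steps 13 and 14 as a script, added here as an example that is not part of the original post: it inserts the eAccelerator line under the existing zend_extension line, keeps a backup, checks that the extension actually loads and that Apache comes back, and rolls back if not; the disable function is the first half of the step 14 procedure. The php.ini path and .so path are the ones the post gives; the php -v and pgrep checks, the cache-directory ownership and the APACHE_USER default are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): enable or disable the
# eAccelerator line in php.ini the way steps 13 and 14 describe, with a
# backup and automatic rollback. The php.ini path and the .so path come from
# the post; the "php -v" check, the pgrep check and the cache-directory
# ownership are this example's own choices. Run as root.

PHP_INI=${PHP_INI:-/usr/lib/php.ini}
EA_LINE='zend_extension="/usr/lib/php4/eaccelerator.so"'
EA_CACHE=${EA_CACHE:-/tmp/eaccelerator}
APACHE_USER=${APACHE_USER:-nobody}   # the user a DSO-built Apache/PHP runs as

# add_ea_line <ini-text>: print the ini with EA_LINE inserted exactly once,
# directly under the first existing zend_extension line (appended if there is
# none). Feeding the result back in changes nothing.
add_ea_line() {
    printf '%s\n' "$1" | awk -v ea="$EA_LINE" '
        { lines[NR] = $0; if ($0 == ea) present = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (!present && !done && lines[i] ~ /^zend_extension/) { print ea; done = 1 }
            }
            if (!present && !done) print ea
        }'
}

# remove_ea_line <ini-text>: the exact inverse, used for rollback and step 14.
remove_ea_line() {
    printf '%s\n' "$1" | grep -v -x -F "$EA_LINE" || true
}

enable_eaccelerator() {
    bak="$PHP_INI.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$PHP_INI" "$bak"
    ini=$(cat "$PHP_INI")
    add_ea_line "$ini" > "$PHP_INI"

    # Cache directory. The post says chmod 0777; when PHP runs as one user
    # (DSO build), 0700 owned by that user keeps other local users out of the
    # cache. With suPHP, PHP runs as each account and you are back to 0777.
    mkdir -p "$EA_CACHE" && chown "$APACHE_USER" "$EA_CACHE" && chmod 0700 "$EA_CACHE"

    # eAccelerator announces itself in "php -v" once the zend_extension loads.
    # Assumes the CLI reads the same php.ini as Apache (check "php -i").
    if ! php -v 2>&1 | grep -q -i eaccelerator; then
        echo "eAccelerator did not load; restoring $bak" >&2
        cp -p "$bak" "$PHP_INI"
        return 1
    fi
    service httpd restart
    sleep 3
    if ! pgrep -x httpd >/dev/null; then
        echo "Apache is not running after restart; rolling back to $bak" >&2
        cp -p "$bak" "$PHP_INI"
        service httpd restart
        return 1
    fi
    echo "eAccelerator enabled; watch $EA_CACHE fill as scripts are cached"
}

# Step 14: run this BEFORE rebuilding Apache/PHP, then rebuild eAccelerator
# for the new PHP and run enable_eaccelerator again.
disable_eaccelerator() {
    ini=$(cat "$PHP_INI")
    remove_ea_line "$ini" > "$PHP_INI"
    service httpd restart
}

# Usage: sh eaccelerator.sh enable|disable
case "${1:-}" in
    enable)  enable_eaccelerator ;;
    disable) disable_eaccelerator ;;
esac
```

The rollback restores the backup copy rather than trying to undo the edit, so even a php.ini that was broken for some other reason before you started goes back to exactly what it was.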

15) use this guide to install mod_security: http://www.eth0.us/?q=mod_security

16) Run the following commands. With group root, 750 makes these download and copy tools usable by root only, so cPanel users (and their cron jobs) lose wget and lynx; it also means someone who gets a shell as nobody or as a user cannot fetch a payload with them, though curl, perl and php still can, so this only raises the bar. The last line shuts off Apache's proxy cache directory.

chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
chmod 000 /etc/httpd/proxy/

17) Make sure the kernel is up to date, and if not make sure to upgrade it to the latest version. Same goes for all other system software.

18) Enable the MySQL query cache by inserting the following two lines in the [mysqld] section of /etc/my.cnf:

query-cache-type = 1
query-cache-size = 100M

You can adjust that 100M to whatever fits the working set and the RAM the box has; after a day, compare Qcache_hits with Qcache_inserts in SHOW STATUS LIKE 'Qcache%' to see whether the cache earns its memory. Make sure to restart MySQL afterwards.

/etc/init.d/mysql restart


19) Install rkhunter and run it (if it shows errors, run rkhunter --update and try again when it's done). Whenever you legitimately update packages, run rkhunter --propupd afterwards so the file-property baseline matches, or the next scan will flag every updated binary.

20) Also set up the following in root's crontab:

10 0 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1
25 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet

- Add this at the very bottom of /root/.bash_profile, replacing email@address.com with the client's email address. It takes the source address from SSH_CLIENT instead of picking a column out of who, whose column layout differs between versions; when root is reached with su - (which clears the environment) the subject says so, and the who am i output in the body names the session it came from. Note that this only fires for interactive login shells: ssh host command, bash --noprofile, or simply editing the file all bypass it, so treat it as a tripwire, not a control.

ROOT_FROM=${SSH_CLIENT%% *}
echo "ALERT - Root Shell Access on: $(hostname) $(date) $(who am i)" | mail -s "Alert: Root Access from ${ROOT_FROM:-console or su}" email@address.com

21) Enter this in /etc/motd (it is shown after login; to show it before authentication as well, point sshd's Banner directive at a file with the same text):

This computer system is for authorized users only. All activity is logged and regularly checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any illegal services run by a user or attempts to take down this server or its services will be reported to local law enforcement, and said user will be punished to the full extent of the law.

Anyone using this system consents to these terms.

22) Tweak the httpd.conf. Mainly look at how busy Apache is (server-status, or the number of httpd processes at peak) and raise MaxClients, and ServerLimit which caps it, to what the load needs. Do not cut it below what the site needs, or visitors get queued, but keep MaxClients times the per-process memory footprint within physical RAM, or the box swaps under load and everything gets slower.

23) Furthermore, it's important to look at the specific purpose of the server (if the server is already in use that shouldn't be too hard to see, and if it isn't in use yet just ask the client). If you see a specific resource hog, focus on that and improve the server's performance as you see fit.


If you did all the above security tweaks on your server then I am sure it is really hard for a hacker to get the server ....... lol