cPanel hardening from shell
Posted by Mayur's BLOG
From the shell prompt
Applicable: CentOS / Red Hat Enterprise Linux / Fedora Core
Check the hardware
cat /proc/cpuinfo
cat /etc/redhat-release
uname -a
cat /proc/meminfo
==========================
SSH Server Hardening
nano -w /etc/ssh/sshd_config
Uncomment the line: #Protocol 2,1
and change it to: Protocol 2
Append these lines at the bottom of the file:
LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding no
/etc/rc.d/init.d/sshd restart
============================
cd /etc
mv /etc/host.conf /etc/host.conf.bak
wget http://www.indiageeks.net/myscripts//host.conf
============================
mv /etc/sysctl.conf /etc/sysctl.conf.bak
cd /etc
wget http://www.indiageeks.net/myscripts/sysctl.conf
/sbin/sysctl -p
sysctl -w net.ipv4.route.flush=1
/sbin/ifconfig eth0 txqueuelen 1000
echo /dev/null > /proc/sys/kernel/core_pattern
=============================
cp /etc/fstab /etc/fstab.bak
First check whether a /tmp partition is already present:
df
If no /tmp partition is present, follow these steps:
cd /usr
dd if=/dev/zero of=/usr/tmpMnt bs=1024 count=1000000
mke2fs -j /usr/tmpMnt
cd /
cp -R /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /usr/tmpMnt /tmp
chmod 0777 /tmp
/bin/cp -R /tmp_backup/* /tmp/
rm -rf /tmp_backup
nano -w /etc/fstab
At the bottom of the file add:
/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0
If df shows a /usr/tmpDSK partition, leave it as it is.
If a standard /tmp partition is already present:
nano -w /etc/fstab
change "defaults" to loop,noexec,nosuid,rw
mount /tmp
/tmp should always be mounted with: loop,noexec,nosuid,rw
/tmp and /var/tmp should be symlinked on EVERY server:
rm -rf /var/tmp
ln -s /tmp /var/tmp
/dev/shm
nano -w /etc/fstab
In the /dev/shm line, change 'defaults' to noexec,nosuid
umount /dev/shm
mount /dev/shm
rm -rf /etc/httpd/proxy
rm -rf /var/spool/vbox
mount -o remount,noexec,nosuid /proc
Then modify /etc/fstab, adding the options "noexec,nosuid" to the /proc line so the change persists across reboots:
none /proc proc defaults,noexec,nosuid 0 0
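An added audit helper (not from the original post) that checks fstab-style entries for the noexec,nosuid options this section requires on /tmp, /dev/shm and /proc. The fstab content below is a constructed sample; the loop image path /usr/tmpMnt is taken from this page.

```shell
#!/bin/sh
# Audit fstab entries for the mount options recommended above.
# Parses fstab-style text (a real file or the constructed sample) and
# reports, per mount point, which required options are missing.

# Constructed sample standing in for /etc/fstab. /dev/shm is deliberately
# left at "defaults" so the audit has something to find.
SAMPLE_FSTAB='/dev/sda1 / ext3 defaults 1 1
/usr/tmpMnt /tmp ext3 loop,noexec,nosuid,rw 0 0
tmpfs /dev/shm tmpfs defaults 0 0
none /proc proc defaults,noexec,nosuid 0 0'

# has_opt OPTLIST OPT -> exit 0 if OPT is in the comma-separated OPTLIST
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts FSTAB_TEXT MOUNTPOINT -> prints the options field of that entry
# (prints nothing when the mount point has no entry)
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

# missing_opts FSTAB_TEXT MOUNTPOINT REQUIRED -> prints required options
# that are not set, comma-separated; empty output means compliant
missing_opts() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for o in $(printf '%s' "$3" | tr ',' ' '); do
        has_opt "$opts" "$o" || missing="${missing:+$missing,}$o"
    done
    printf '%s' "$missing"
}

# audit_fstab FSTAB_TEXT -> one line per mount point; exit 1 if any gap
audit_fstab() {
    rc=0
    for entry in /tmp:noexec,nosuid /dev/shm:noexec,nosuid /proc:noexec,nosuid; do
        mp=${entry%%:*}; req=${entry#*:}
        m=$(missing_opts "$1" "$mp" "$req")
        if [ -z "$m" ]; then echo "$mp ok"; else echo "$mp missing: $m"; rc=1; fi
    done
    return $rc
}

# Runs against the constructed sample; for a live host use:
#   audit_fstab "$(cat /etc/fstab)"
audit_fstab "$SAMPLE_FSTAB" || echo "hardening gaps found"
```

The same functions work on /proc/mounts output, which shows what is actually mounted rather than what fstab declares.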
=====================================
Locate the php.ini that PHP actually loads:
php -i | grep php.ini
In that file, set:
disable_functions = dl,passthru,proc_open,proc_close,shell_exec,system
/etc/rc.d/init.d/httpd restart
=========================================
Logwatch
cd /root/
wget http://www.indiageeks.net/myscripts//logwatch-7.3.1-1.noarch.rpm
rpm -Uvh logwatch-7.3.1-1.noarch.rpm
rm -rf /etc/logwatch/conf/logwatch.conf
cd /etc/logwatch/conf
wget http://www.indiageeks.net/myscripts//logwatch.conf
=====================
chmod 750 /usr/bin/GET
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/gcc
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
history -c
=====================
From WHM:
Tweak Settings (Check all these options)
--------------
Allow Creation of Parked/Addon Domains that are not registered
Prevent users from parking/adding on common internet domains
E-mail users when they have reached 80% of bandwidth
Each domain can send out per hour: 500
POP3 logins per hour: 180
Allow Sharing Nameserver IPs
Use Jailshell as default
Set Default catch-all to FAIL
Delete each domain's access logs after stats run
Things to uncheck:
Boxtrapper
** When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.
** FormMail-clone cgi
Change:
The load average above the number of CPUs at which log file processing should be suspended (default 0): set to 10
** Number of minutes between mail server queue runs (default is 60): set to 180
=================================================================================================
Tweak Security
--------------
open_basedir: Enable PHP open_basedir protection
Compilers: Disable compilers
==========================
System Health - Background Process Killer
Check all of them
==========================
Please read carefully and make sure you understand every command and setting, and its effect, before applying it.