cPanel Server Hardening

Below are the steps to harden a cPanel server:

Contents
1 Create Wheel User
2 Change SSH Port & Disable Direct Root Login
3 Install ConfigServer Firewall (CSF)
4 Install Maldet Malware Scanner
5 Install ClamAV AntiVirus (From WHM/cPanel)
6 Install Mod_Security (From WHM/cPanel)
7 Install ConfigServer Mod Security Control (WHM Plugin)
8 Install ConfigServer Mail Queues (WHM Plugin)
9 ConfigServer Mail Manage (WHM Plugin)
10 Rootkit Hunter
========================================

1.Create Wheel User

root@server4 [~]# groupadd sshadmin
root@server4 [~]# useradd sshadmin -g sshadmin
root@server4 [~]# passwd sshadmin
Enter a password for the new account when prompted.
Then activate the user in WHM under Wheel Users.

2.Change SSH Port & Disable Direct Root Login

root@server4 [~]# vi /etc/ssh/sshd_config
To change the port from the default 22:
Find line:
#Port 22
Uncomment the line:
Port 22
(For security, change the default port 22 to a different port, and add the new port to the csf.conf file.)
To disable direct root login:
Warning: make sure you have created a working wheel user first, or you will lock yourself out of the server.
Find line:
#PermitRootLogin yes
Change to:
PermitRootLogin no
Save and exit
root@server4 [~]# service sshd restart
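
The two lockout risks in this step (the new port not being opened in csf.conf, and root login being disabled before the wheel user works) can be checked before the restart. This is an added example, not part of the original post; the function names, the sample port 2255 and the sample files are assumptions, and it ignores Match blocks and Include files in sshd_config.

```shell
#!/bin/bash
# Added example (not from the original post): checks to run before
# "service sshd restart". File paths are arguments so copies can be tested.

# First uncommented value of a keyword; sshd uses the first one it reads.
sshd_value() {  # sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# True if PORT is in csf.conf's TCP_IN (entries are ports or low:high ranges).
csf_allows_tcp_in() {  # csf_allows_tcp_in CSF_CONF PORT
    sed -n 's/^TCP_IN *= *"\(.*\)".*/\1/p' "$1" | tr ',' '\n' |
    awk -F: -v p="$2" '
        NF == 1 && $1 + 0 == p + 0 { ok = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit !ok }'
}

# True if USER is listed as a member of wheel in a group(5)-format file.
in_wheel() {  # in_wheel GROUP_FILE USER
    awk -F: -v u="$2" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}

# Prints one line per lockout risk; returns 0 only if none was found.
preflight() {  # preflight SSHD_CONFIG CSF_CONF GROUP_FILE ADMIN_USER
    port=$(sshd_value "$1" Port); port=${port:-22}
    rootlogin=$(sshd_value "$1" PermitRootLogin)
    rc=0
    csf_allows_tcp_in "$2" "$port" || { echo "FAIL: SSH port $port is not in TCP_IN"; rc=1; }
    if [ "$rootlogin" = no ] && ! in_wheel "$3" "$4"; then
        echo "FAIL: PermitRootLogin is no but $4 is not in wheel"; rc=1
    fi
    return $rc
}

# Constructed sample files (port 2255 and contents are made up for the demo).
demo=$(mktemp -d)
printf '#Port 22\nPort 2255\nPermitRootLogin no\n' > "$demo/sshd_config"
printf 'TCP_IN = "20,21,22,80,443,30000:35000"\n' > "$demo/csf.conf"
printf 'wheel:x:10:root\nsshadmin:x:1001:\n' > "$demo/group"
preflight "$demo/sshd_config" "$demo/csf.conf" "$demo/group" sshadmin ||
    echo "Fix the items above before restarting sshd"
rm -rf "$demo"
```

On the live server, point preflight at /etc/ssh/sshd_config, /etc/csf/csf.conf and /etc/group, and also run sshd -t to catch syntax errors before restarting.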

3.Install ConfigServer Firewall (CSF)

root@server4 [~]# rm -fv csf.tgz
root@server4 [~]# wget http://www.configserver.com/free/csf.tgz
root@server4 [~]# tar -xzf csf.tgz
root@server4 [~]# cd csf
root@server4 [~]# sh install.sh
root@server4 [~]# cd /etc/csf/
root@server4 [~]# mv csf.conf csf.conf.BKP
root@server4 [~]# wget http://jarry.web-dns1.com/~heberge/csf.tar.gz
root@server4 [~]# tar -zxf csf.tar.gz
root@server4 [~]# rm -rf csf.tar.gz
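Review what the archive extracted into /etc/csf/ (it takes the place of the csf.conf moved aside above) before restarting the firewall:
root@server4 [~]# csf -r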

4.Install Maldet Malware Scanner

root@server4 [/]# cd ~
root@server4 [~]# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
root@server4 [~]# tar -xzf maldetect-current.tar.gz
root@server4 [~]# cd maldetect-*
root@server4 [~]# sh ./install.sh
root@server4 [~]# maldet --update-ver
root@server4 [~]# maldet --update

5.Install ClamAV AntiVirus (From WHM/cPanel)

Log in to WHM
Click on Manage Plugins
Check the ClamAV box
At the bottom, click Save
Wait for the process to finish (it will take approx 15 minutes)

6.Install Mod_Security (From WHM/cPanel)

This is done via EasyApache in WHM
Log in to WHM
Click on EasyApache
Select the desired PHP version
In the options list, make sure Mod_Security option is checked.
Save and build (approx 30 minutes)

7.Install ConfigServer Mod Security Control (WHM Plugin)

Useful to manage Mod_security blocks and rules.
root@server4 [~]# wget http://configserver.com/free/cmc.tgz
root@server4 [~]# tar -xzf cmc.tgz
root@server4 [~]# cd cmc/
root@server4 [~]# sh install.sh

8.Install ConfigServer Mail Queues (WHM Plugin)

Useful to quickly see messages stuck in the mail queue, in order to clean, filter, suspend, etc.
root@server4 [~]# cd ~
root@server4 [~]# wget http://configserver.com/free/cmq.tgz
root@server4 [~]# tar -xzf cmq.tgz
root@server4 [~]# cd cmq/
root@server4 [~]# sh install.sh

Log in to WHM and scroll to the bottom of the left-hand menu, where you should see “ConfigServer Mail Manage”.

If you want to uninstall, simply:

root@server4 [~]# rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi
root@server4 [~]# rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmqversion.txt
root@server4 [~]# rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmq/

9.ConfigServer Mail Manage (WHM Plugin)

Useful to quickly and easily manage email accounts and send limits on a cPanel box.
root@server4 [~]# cd ~
root@server4 [~]# wget http://configserver.com/free/cmm.tgz
root@server4 [~]# tar -xzf cmm.tgz
root@server4 [~]# cd cmm/
root@server4 [~]# sh install.sh

Log in to WHM and scroll to the bottom of the left-hand menu, where you should see “ConfigServer Mail Manage”.

If you want to uninstall, simply:
root@server4 [~]# rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/addon_cmm.cgi
root@server4 [~]# rm -fv /usr/local/cpanel/whostmgr/docroot/cgi/cmmversion.txt
root@server4 [~]# rm -Rfv /usr/local/cpanel/whostmgr/docroot/cgi/cmm/

10.Install Rootkit Hunter

Go to http://downloads.sourceforge.net/project/rkhunter/ and locate the latest version. Copy the URL into sourceurl below.
root@server4 [~]# cd ~
root@server4 [~]# wget http://sourceforge.net/projects/rkhu…ar.gz/download
root@server4 [~]# tar -xvzf rkhunter-*
root@server4 [~]# cd rkhunter-*
root@server4 [~]# sh installer.sh --install --layout default
Afterwards, you can run it with:
root@server4 [~]# rkhunter -c

Results are logged to: /var/log/rkhunter.log

You are now done with the required server hardening!
