After installing a fresh CentOS 5 OS on your server, you need to take a few steps to get cPanel/WHM running securely.

Log into root via SSH and disable SELinux:

nano /etc/selinux/config

and change

SELINUX=enforcing

to

SELINUX=disabled

You now need to either reboot for this to take effect, or disable it using this command:

setenforce 0

Then check if it is disabled:

cat /selinux/enforce

If this returns 0, SELinux is disabled (the edit to /etc/selinux/config keeps it that way after the next reboot).

You also need to stop the iptables firewall for the install (csf, installed later in this guide, replaces it):

service iptables stop

and confirm that no rules are loaded:

iptables -L -n

OK, so once you have ordered a cPanel licence, start the install with these commands:

mkdir /home/cpins
cd /home/cpins
wget http://layer1.cpanel.net/latest
sh latest

The install can take quite a while, depending on hardware configuration and network speed. The installer warns you:

cPanel requires a fresh/clean server!
If you are serving websites off this server (and are
not already running cPanel) this installer will
overwrite all of your config files.  You should hit
Ctrl+C NOW!!!

Now is the time to go get another cup of coffee or two :)

After the initial setup, it is always a good idea to first set up the IPs for your name servers.

In SSH as root, edit the file

pico /etc/nameserverips

The format of the file is IP address=name server, one entry per line. For example:

111.222.333.444=ns1.yourserver.com

Put the IP address you want to add in the first part and the hostname of the new name server in the second part.

To bring the IPs up (after adding them or after a reboot):

/etc/init.d/ipaliases restart
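As an added example (not part of the original guide), a small POSIX sh validator for /etc/nameserverips that checks each entry before you restart ipaliases. The sample file is constructed; its third line reuses the guide's own placeholder, whose octets exceed 255.

```sh
#!/bin/sh
# Added example (not from the original guide): validate /etc/nameserverips entries
# before restarting ipaliases. Entries are "IP=hostname", one per line. POSIX sh + awk.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad whose four octets are all 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# check_nameserverips FILE -> prints one verdict per entry; returns 1 if any entry is bad
check_nameserverips() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac        # skip blank lines and comments
        ip=${line%%=*}
        host=${line#*=}
        if [ "$ip" = "$line" ]; then
            echo "BAD  '$line': missing '=' between IP and hostname"; rc=1
        elif ! valid_ipv4 "$ip"; then
            echo "BAD  '$line': '$ip' is not a valid IPv4 address"; rc=1
        elif ! printf '%s\n' "$host" | grep -Eq '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'; then
            echo "BAD  '$line': '$host' is not a fully qualified hostname"; rc=1
        else
            echo "OK   $ip -> $host"
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample file (not a real server's /etc/nameserverips); the third
# entry reproduces the placeholder used in the guide, whose octets exceed 255.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
192.0.2.10=ns1.example.com
192.0.2.11=ns2.example.com
111.222.333.444=ns1.yourserver.com
192.0.2.12 ns3.example.com
EOF
if check_nameserverips "$SAMPLE"; then
    echo "All entries valid; safe to run /etc/init.d/ipaliases restart"
else
    echo "Fix the entries marked BAD before restarting ipaliases"
fi
rm -f "$SAMPLE"
```

Run it as `sh check_nameserverips.sh` on the box, or call `check_nameserverips /etc/nameserverips` directly after sourcing the file.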

Now log into WHM at

http://yournewserverip:2086/

After accepting the licence agreement on the first page, you are redirected to

Step 2: Basic cPanel/WHM Setup

There you set your Server Contact E-Mail Address and other information.

Once you are satisfied with the configuration, click the Next Step button.

Quotas are now being set up in the right frame. You can continue at any time; quota setup will finish in the background.

If you wish to enable the nameserver, you can do so in the right frame. Otherwise, just click the Next Step button.

Let's say we are activating the name servers; the output would then look like this:

Name Server Activated
Ensuring caching-nameserver is installed
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Nothing to do
Activating name server monitoring (chkservd)
Setting up rndc configuration
Checking in /etc/named.conf to rcs system
Changing ownership of /etc/named.conf: named:named
Restarting Bind
Starting named: [ OK ]
Restarting Nameserver
Starting named: [ OK ]
Restarting chkservd
Stopping chkservd: [ OK ]
Starting chkservd: [ OK ]

Please complete the resolver configuration in the right frame, and then click the Next Step button.

The wizard will guide you through setting up your resolver configuration (/etc/resolv.conf). You currently have one or more of cPanel.net's DNS resolvers in your /etc/resolv.conf. You will need to set these to your datacenter's local resolvers, as these servers are only intended for use during a cPanel install. If you continue to use them, connections to your server will be exceedingly slow because of the time it takes to complete a DNS lookup.

Enter the IP address of at least two nameservers that you will use for DNS resolution. Your datacenter should be able to provide you with at least one IP of a DNS server you can access. If you do not know the IP address of your provider's local resolvers you should contact them. It is very important that these nameservers are correct, or your server will not function properly. If you do not know what to put in the boxes below and cannot contact your provider, please close this window and go through this setup at a later time; your server should still function normally, however connections made to the server may be slower than normal.

Please set the MySQL password in the right frame, and click Next Step.

And that's it.

Initial Setup is now complete, click below to enter your Web Host Manager®

The first thing after the initial setup should be to add your second IP to the server, so your name servers will function properly.

Go to IP Functions > Add New IP

and add your second IP there.

Now you can set the second name server in SSH:

pico /etc/nameserverips

After this is done, assign the IP address and add an A entry for this name server in

Main >> Server Configuration >> Basic cPanel/WHM Setup

Additionally, I strongly suggest always upgrading to the newest kernel with yum. Check the running kernel first:

uname -a

yum update 'kernel*'

Make sure the new kernel is in grub:

cat /boot/grub/grub.conf

and then reboot:

shutdown -rf now


OK, so after this initial setup and reboot, let's secure this box.

Chirpy from ConfigServer has some great free tools to help you with that:

1/ ConfigServer Security & Firewall (csf)

A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

http://www.configserver.com/cp/csf.html

2/ ConfigServer Explorer (cse)

This is an exclusive and free add-on product for cPanel/WHM. The product provides you with a full featured Filesystem explorer and a Virtual Console to use within your web browser in WHM. It gives you root access from the top level of your disks and allows you to enter non-interactive commands and see the output.

http://www.configserver.com/cp/cse.html

3/ ConfigServer Mail Queues (cmq)

This is an exclusive and free add-on product for cPanel/WHM. The product provides you with a full featured interface to the cPanel exim email queues from within WHM.

http://www.configserver.com/cp/cmq.html

4/ ConfigServer Mail Manage (cmm)

This is an exclusive and free add-on product for cPanel/WHM. The product provides you with an interface to the cPanel user accounts email configuration without having to login to their accounts. It is domain based rather than account based and allows you to do all the following from within WHM:

http://www.configserver.com/cp/cmm.html

 

Additionally, you really want to protect your /tmp folder as well. Run

/scripts/securetmp

and follow the prompts.

OK, so now let's log back into WHM to finish the initial hardening.

Go to

Main >> DNS Functions >> Add an A Entry for your Hostname

and add the A entry.

Then go to

Main >> Server Configuration >> Tweak Settings

These are the settings I use; they suit me fine, although it depends entirely on individual needs.

Domains
** Allow users to Park/Addon Domains on top of domains owned by other users. (probably a bad idea)
** Allow Creation of Parked/Addon Domains that resolve to other servers (i.e. domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.]
** Allow Creation of Parked/Addon Domains that are not registered
** When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone.
** Prevent users from parking/adding on common internet domains. (i.e. hotmail.com, aol.com)
** Check zone file syntax when saving and syncing zones.
** Application for processing dns requests. The default is to use cPanel Dns cluster system located at /usr/local/cpanel/whostmgr/bin/dnsadmin. (Recommended: leave blank to use the default).
** Prevent users from creating subdomains outside of their public_html directory.
** When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.

Mail
** Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks.
  localuser
  blackhole
  fail
** Silently Discard all FormMail-clone requests with a bcc: header in the subject line
** Number of minutes between mail server queue runs (default is 60).
** Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)
** The maximum each domain can send out per hour (0 is unlimited)
** Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)
** Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)
** The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited.
** Attempt to prevent pop3 connection floods
** Automatically setup /etc/localdomains, /etc/remotedomains, /etc/secondarymx based on where the mx entry is pointed.
** BoxTrapper Spam Trap
** Horde Webmail
** Mailman
** SpamAssassin Spam Filter
** SpamAssassin Spam Box delivery for messages marked as spam (user configurable)
** SquirrelMail Webmail
** Add the mail. prefix for mailman urls (ie http://mail.domain.com/mailman)

MySQL®
MySQL® Version to use (you must run Software/Update Server Software (or /scripts/mysqlup) for this to take effect. You should then run buildapache/easyapache after changing this option. You may also need to run /scripts/perlinstaller --force Bundle::DBD::mysql. Updating from a previous version of MySQL® to a later version is not automatically reversible. You should backup your databases if you think you might wish to downgrade in the future.
  5.0
  4.1
** Use old style (4.0) passwords with MySQL® 4.1+ (required if you have problems with PHP apps authenticating)
 
Notifications
** Notify the admin, (or the reseller), when an account has reached the "critical" Disk Usage state.
** Threshold percentage where a user's disk usage is considered to be in the "critical" state. (0 will disable this notification)
** Notify the admin, (or the reseller), when an account has reached the "full" Disk Usage state.
** Threshold percentage where a user's disk usage is considered to be in the "full" state. (0 will disable this notification)
** Notify the admin, (or the reseller), when an account has reached the "warn" Disk Usage state.
** Threshold percentage where a user's disk usage is considered to be in the "warn" state. (0 will disable this notification)
** Threshold percentage where a mailbox's disk usage is considered to be in the "critical" state. (0 will disable this notification)
** Threshold percentage where a mailbox's disk usage is considered to be in the "full" state. (0 will disable this notification)
** Threshold percentage where a mailbox's disk usage is considered to be in the "warn" state. (0 will disable this notification)
** Email users when they have exceeded their bandwidth. Disabling this will prevent all Bandwidth Limits Email from being sent.
** Email users when they have reached 70% of their bandwidth
** Email users when they have reached 75% of their bandwidth
** Email users when they have reached 80% of their bandwidth
** Email users when they have reached 85% of their bandwidth
** Email users when they have reached 90% of their bandwidth
** Email users when they have reached 95% of their bandwidth
** Email users when they have reached 97% of their bandwidth
** Email users when they have reached 98% of their bandwidth
** Email users when they have reached 99% of their bandwidth
** Mail Box Usage Warnings
** Disable Suspending accounts that exceed their bandwidth limit (will clear all suspensions if disabled, and disable all bandwidth notifications.)
** Disk Space Usage Warnings
Redirection
** Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.
** When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to:
  Hostname
  Origin Domain Name
** When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:
  SSL Certificate Name
  Hostname
  Origin Domain Name
** Redirect user to the following URL upon logout of the cPanel interface. A blank value specifies the default logout page.
Software
Interchange version to use (if you disable interchange, you must turn off the service in the service manager)
  5.0
  4.8
  4.9
  disable
** Loader to use for internal cPanel PHP (Use oldsourceguardian for version 1.x and 2.x)
  none
  ioncube
  sourceguardian
  oldsourceguardian
** FormMail-clone cgi
** The path to the Urchin installation (if installed.) (Leave blank for auto-detection.)
Stats Programs
** Awstats Reverse Dns Resolution
Analog Stats
Awstats Stats
Webalizer Stats

Stats and Logs
Number of days between processing log files and bandwidth usage (default 1, decimal values are ok)
** Delete each domain's access logs after stats run
The load average above the number of cpus at which logs file processing should be suspended (default 0)
** Do not include password in the raw log download link in cPanel (via ftp).
** Do not reset /usr/local/apache/domlogs/ftpxferlog after it has been separated into each domain name's ftp log
** Keep log files at the end of the month (default is off as you can run out of disk space quickly)
Keep Stats Log (/usr/local/cpanel/logs/stats_log) between cPanel restarts (default is off)
** Chmod value for raw apache log files (0640 is the default)
** When viewing bandwidth usage in WHM, always display in Megabytes first.
** Exim Stats Daemon (required for smtp bandwidth logging; must also be modified in the service manager as well)
Stats Log Level (default is 1, larger numbers indicate more debug information in /usr/local/cpanel/logs/stats_log) [0...10]
Status
** The load average that will cause the server status to appear red (leave blank for default, whole numbers only)

System
** List of IP addresses or hostnames, separated by spaces, which are allowed to view the /server-info and /server-status pages. See the Apache documentation for proper values.
** Allow cPanel users to install SSL Hosts if they have a dedicated ip.
** Allow Perl updates from RPM based linux vendors
** The port on which Apache listens for HTTP connections. Specifying a specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:80)
** The port on which Apache listens for HTTPS connections. Specifying a specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:443)
** Conserve Memory at the expense of using more cpu/diskio.
** Allow usernames to be determined from the account hostname when no username is provided.
** Compress interface pages using gzip compression reducing bandwidth usage for cPanel and WHM.
** Disable use of compiled dnsadmin. Setting this option allows use of system Perl modules within custom dnsadmin hooks. Setting this option will increase execution time of dnsadmin functions.
** Allow Sharing Nameserver Ips
** Disable Disk Quota display caching (WHM will cache disk usage which may result in the display of disk quotas being up to 15 minutes behind the actual disk usage. Disabling this may result in a large performance degradation.)
** Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature.
** Try to resolve each client's IP to a domain name when a user connects to cPanel services (warning: This can degrade performance).
** Display Errors in cPanel instead of logging them to /usr/local/cpanel/logs/error_log
** The maximum file size in MB allowed for upload through cPanel File manager. Use "unlimited" for unlimited
** The minimum filesystem quota space in MB required after file upload through cPanel File manager (Default 5MB). This will prevent users from hitting their quota limit through File Manager file uploads
** The maximum number of directories deep to look for .htaccess files when doing .htaccess checks. Can be from 0 to 100. 2 is the default setting. Values higher than this are discouraged.
** Do not warn about features that will be deprecated in later releases (Warning: If you check this box, you will not be able to learn about features that will be disappearing in future releases. This could lead to a non-functional server when the feature is finally removed.)
** Use jailshell as the default shell for all new accounts and modified accounts
The maximum memory a cPanel process can use before it is killed off (in megabytes). Values less than 128 megabytes can not be specified.
** Use native SSL support if possible, negating need for Stunnel
** Do not warn users about the system backup being disabled in cPanel.
** Specify the timeout in seconds for connections between this server and other remote WHM servers. Values less than 35 cannot be specified.
** Allow cPanel users to reset their password via email
** Enable cPanel Software RollBack. This feature turns on a build archiving and restoration facility, allowing the server administrator to "roll back" their cPanel installation to previous build. All files are stored on the server.
** Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication)
** Do not start deprecated Melange 1.10 chat server.
** Allow cpanel and admin binaries to be run from other applications besides the cpanel server (cpsrvd).
** Disable whois lookups for the nameserver IP manager.

OK, so now to Main >> Security >> Security Center

Password Strength Configuration
This area allows you to change the minimum required password strength for each area of cPanel/WHM that accepts a password.

cPHulk Brute Force Protection
cPHulk Brute Force Protection prevents malicious forces from trying to access your server's services by guessing the login password for that service.

Host Access Control (block IP access)
Host Access Control allows you to allow or deny access to your server or specific services based on the IP address of the incoming request.

SSH Password Auth Tweak
The SSH Password Auth Tweak allows you to enable or disable password authentication for SSH. This can be used along with SSH keys to add extra security.

PHP open_basedir Tweak
PHP's open_basedir protection prevents users from opening files outside of their home directory with PHP.

Apache mod_userdir Tweak
The mod_userdir tweak enables/disables the ability to view sites on your server by typing http://servers.host.name/~username.

Compilers Tweak
This tweak will disable the system's C and C++ compilers for unprivileged users. Many common exploits require a working C compiler on the system. You can also choose to allow some users to use the compilers while they remain disabled by default.

Traceroute Tweak
This tweak will disable the system's traceroute utility. Traceroute displays the packet routing statistics from the server to another network host. It can be used to map the network's topology and subsequently be used as a tool to focus a hacking attack.

SMTP Tweak
This SMTP tweak will prevent users from bypassing the mail server to send mail (This is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.

Shell Fork Bomb Protection
Shell Fork Bomb Protection will prevent users with terminal access (ssh/telnet) from using up the server's resources and possibly crashing the server.
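As an added example that is not part of this guide, a read-only audit script (POSIX sh and awk) for three of the items set up above: the /tmp mount that /scripts/securetmp creates (remounted with noexec and nosuid), the SSH Password Auth Tweak (PasswordAuthentication no in sshd_config), and the setup wizard's requirement for at least two resolvers in /etc/resolv.conf. The function names and the sample files are mine and constructed; point the checks at /proc/mounts, /etc/ssh/sshd_config and /etc/resolv.conf to audit the live box.

```sh
#!/bin/sh
# Added example, not part of the original guide: read-only post-hardening checks.
# Each check takes a file path, so it can run against the live files or against
# constructed copies (as in the demo at the bottom). POSIX sh + awk only.

# tmp_is_secured MOUNTS -> 0 if /tmp is its own mount carrying noexec and nosuid
# (what /scripts/securetmp sets up). MOUNTS is in /proc/mounts format:
# device mountpoint fstype options dump pass
tmp_is_secured() {
    opts=$(awk '$2 == "/tmp" { print $4 }' "$1")
    [ -n "$opts" ] || return 1                  # /tmp is not a separate mount at all
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    return 0
}

# ssh_password_auth_disabled SSHD_CONFIG -> 0 if the effective PasswordAuthentication
# is "no". sshd honours the first uncommented occurrence of a keyword, so a later
# "no" does not override an earlier "yes"; only the first directive counts here.
ssh_password_auth_disabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# resolvers_configured RESOLV_CONF -> 0 if at least two nameserver lines are present,
# as the cPanel setup wizard asks for
resolvers_configured() {
    n=$(awk '$1 == "nameserver" { c++ } END { print c + 0 }' "$1")
    [ "$n" -ge 2 ]
}

# report CHECK FILE -> prints PASS/FAIL for one check and returns its status
report() {
    if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; return 1; fi
}

# Constructed sample files (not copied from a real server). The resolv.conf
# deliberately lists only one nameserver so that one check is shown failing.
D=$(mktemp -d)
printf '/dev/sda1 / ext3 rw 0 0\n/usr/tmpDSK /tmp ext3 rw,noexec,nosuid 0 0\n' > "$D/mounts"
printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$D/sshd_config"
printf 'search example.com\nnameserver 192.0.2.53\n' > "$D/resolv.conf"
fails=0
for pair in "tmp_is_secured $D/mounts" \
            "ssh_password_auth_disabled $D/sshd_config" \
            "resolvers_configured $D/resolv.conf"; do
    report $pair || fails=$((fails + 1))     # unquoted on purpose: CHECK FILE
done
rm -rf "$D"
echo "$fails check(s) failed"
```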


To be continued