Server hardening bash script for cPanel servers

Server hardening scripts for cPanel

Securing your cPanel server is essential to protecting your data. This script completes the basic cPanel server hardening. It can be run on CentOS 6 and 7 and CloudLinux 6 and 7 servers (stock kernel).

This script will install the following software on the cPanel server.

  • CSF installation and tweaks
  • Maldet scanner
  • Clamscan
  • Comodo ModSecurity Control
  • Rkhunter
  • Chkrootkit

The script makes the following changes to the server settings. Before making them, it automatically backs up each configuration file in the same location, so you can easily revert the changes.

The changes made to the server configuration files, with a description of each, are listed below.

Changes in cPanel configuration file:

Proxy subdomains off

Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk, cpcalendars, cpcontacts, and whm subdomains to the correct port (requires mod_rewrite, mod_headers, and mod_proxy).

Blank referrer safety checks on

Only permit cpanel/whm/webmail to execute functions when the browser provides a referrer. This will help prevent XSRF attacks but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.

Referrer safety check On

Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL. This will help prevent XSRF attacks but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.

Reset Password for cPanel accounts Off

This setting enables the Reset Password feature for cPanel account users. The Reset Password feature uses the account’s contact email address to verify a password reset request. The email contains a security code that verifies whether the user can access the Subaccount’s contact email address as part of the password reset verification process. The link to request this email is displayed in the cPanel login interface.

Reset Password for Subaccounts Off

This setting enables the Reset Password feature and new Subaccount invites for cPanel Subaccount users. The Reset Password feature uses the Subaccount’s contact email address to verify a password reset request. The email contains a security code that verifies whether the user can access the contact email address as part of the password reset verification process. The link to request this email is displayed in the cPanel login interface.

Hide login password from cgi scripts on

This setting hides the REMOTE_PASSWORD variable from scripts that the cpsrvd daemon’s CGI handler executes.

Enable Box Trapper spam trap Off

This setting allows you to enable Box Trapper. Box Trapper is a spam prevention system that uses blacklists, whitelists, and ignore lists, and an automated response-verification system.

Max hourly emails per domain to 150

The maximum number of emails each domain can send out per hour.

Restrict your system’s compilers:

This script will disable system compilers. Most users do not require the use of C and C++ compilers. Many pre-packaged exploits require functional compilers.

To revert the changes, from the WHM interface, use WHM’s Compiler Access interface (WHM >> Home >> Security Center >> Compiler Access).

Changes in CSF configuration file:

TESTING mode to 0

CSF is in TESTING mode. If the firewall is working, set TESTING to “0” in the Firewall Configuration; otherwise it will continue to be stopped.

RESTRICT_SYSLOG option check

RESTRICT_SYSLOG is set to “3” to restrict who can access the syslog/rsyslog Unix socket.

PT_USERMEM disabled to avoid bulk notification from LFD

SMTP_BLOCK disabled since it will not work if we are running CSF

PT_USERPROC disabled to avoid bulk notification from LFD

LF_SCRIPT_ALERT enabled. This will notify you when a large amount of email is sent from a script on the server, helping to track down spam scripts.
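
One way to confirm afterwards that csf.conf holds the values listed above (an added example, not the hardening script's own code). It assumes "disabled" means a value of "0" and "enabled" means "1", and it runs on a constructed sample file rather than the server's /etc/csf/csf.conf.

```sh
# Added example: audit a csf.conf against the values this page lists.
# Assumption: "disabled" is stored as "0" and "enabled" as "1".
EXPECTED="TESTING=0 RESTRICT_SYSLOG=3 PT_USERMEM=0 PT_USERPROC=0 SMTP_BLOCK=0 LF_SCRIPT_ALERT=1"

# Print the value of KEY; csf.conf lines have the form: KEY = "value".
# Requiring "=" right after the key keeps TESTING from matching TESTING_INTERVAL.
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Print one DRIFT line per setting that differs; return 1 if any differ.
csf_audit() {  # usage: csf_audit FILE
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(csf_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "DRIFT $key: want \"$want\", found \"${got:-unset}\""
            rc=1
        fi
    done
    return $rc
}

# Constructed sample, not taken from a real server.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
RESTRICT_SYSLOG = "3"
PT_USERMEM = "0"
PT_USERPROC = "10"
SMTP_BLOCK = "0"
LF_SCRIPT_ALERT = "1"
EOF

csf_audit "$SAMPLE" || echo "csf.conf differs from the values described above"
```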

ConfigServer ModSecurity Control (CMC) installation.

This is an original and free add-on product for cPanel/WHM. The product provides you with an interface to the cPanel mod_security implementation from within WHM.

With ConfigServer ModSecurity Control you can:

  • Disable mod_security rules that have unique ID numbers on a global, per cPanel user or per hosted domain level
  • Disable mod_security entirely, also on a global, per cPanel user or per hosted domain level
  • Edit files containing mod_security configuration settings in /usr/local/apache/conf
  • View the latest mod_security log entries

SSH PORT CHANGE:

While executing, the script will ask whether to change the SSH port as part of the security measures. If you continue with the “y” (yes) option, it will automatically change the port in the SSH configuration file and allow it in the CSF firewall's TCP_IN.

NOTE: If you are using AWS EC2 instances, Google Cloud instances or an external firewall, you need to add this port to their firewall rule list.
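
A check worth running before sshd is restarted on the new port, so that a port missing from TCP_IN does not lock you out (an added example, not the hardening script's own code). The file contents and port 2200 are constructed; on a server the inputs would be the real sshd_config and csf.conf.

```sh
# Added example: confirm every port sshd will listen on is allowed in
# CSF's TCP_IN before restarting sshd.

# Print each uncommented Port from an sshd_config; sshd defaults to 22.
ssh_ports() {  # usage: ssh_ports SSHD_CONFIG
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Succeed if PORT is covered by a CSF list such as "22,80,30000:35000"
# (CSF writes port ranges as low:high).
port_in_list() {  # usage: port_in_list PORT LIST
    echo "$2" | tr ',' '\n' | awk -F: -v p="$1" '
        NF == 1 && $1 + 0 == p + 0 { ok = 1 }
        NF == 2 && p + 0 >= $1 + 0 && p + 0 <= $2 + 0 { ok = 1 }
        END { exit !ok }'
}

# Report each sshd port; return 1 if any is missing from TCP_IN.
check_ssh_ports() {  # usage: check_ssh_ports SSHD_CONFIG CSF_CONF
    tcp_in=$(sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | tail -n 1)
    rc=0
    for port in $(ssh_ports "$1"); do
        if port_in_list "$port" "$tcp_in"; then
            echo "OK    sshd port $port is in TCP_IN"
        else
            echo "BLOCK sshd port $port is not in TCP_IN"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples, not taken from a real server; 2200 is an arbitrary port.
SSHD=$(mktemp); CSF_OLD=$(mktemp); CSF_NEW=$(mktemp)
printf '#Port 22\nPort 2200\nPermitRootLogin no\n' > "$SSHD"
echo 'TCP_IN = "20,21,22,25,53,80,443,30000:35000"' > "$CSF_OLD"
echo 'TCP_IN = "20,21,25,53,80,443,2200,30000:35000"' > "$CSF_NEW"

check_ssh_ports "$SSHD" "$CSF_OLD" || echo "do not restart sshd yet"
check_ssh_ports "$SSHD" "$CSF_NEW"
```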

DISABLE FUNCTIONS IN PHP:

It will add the common disabled functions to all the PHP versions (including EasyApache 4 and Alt PHP) installed on the server.

The most common disabled functions are “show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open”.
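
To see which of these functions a given php.ini still leaves callable, the list can be compared name by name (an added example, not the hardening script's own code). The php.ini fragments are constructed; the paths in the comment are the usual EasyApache 4 and Alt PHP locations and should be treated as an assumption for your server.

```sh
# Added example: list which functions from this page's set are still
# callable according to a given php.ini. Typical files (assumption):
# /opt/cpanel/ea-php*/root/etc/php.ini and /opt/alt/php*/etc/php.ini
REQUIRED="show_source system shell_exec passthru exec phpinfo popen proc_open"

# Print each required function that is absent from disable_functions.
# Matching is per whole name, so "shell_exec" does not count as "exec".
missing_disable_functions() {  # usage: missing_disable_functions PHP_INI
    # The last uncommented directive wins; strip quotes, blanks and CRs.
    current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" |
        tail -n 1 | tr -d '" \t\r' | tr ',' ' ')
    for fn in $REQUIRED; do
        case " $current " in
            *" $fn "*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# Constructed php.ini fragments, not taken from a real server.
INI_PARTIAL=$(mktemp); INI_FULL=$(mktemp)
cat > "$INI_PARTIAL" <<'EOF'
;disable_functions = exec
disable_functions = shell_exec, passthru,proc_open , phpinfo
EOF
echo 'disable_functions = "show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open"' > "$INI_FULL"

echo "missing in partial file:" $(missing_disable_functions "$INI_PARTIAL")
```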

HOST.CONF Tweak:

This will update the entries below in the /etc/host.conf file to prevent IP spoofing and DNS poisoning.

[root@server /]# cat /etc/host.conf
order bind,hosts
multi on
nospoof on

KERNEL UPDATE:

Finally, it will check for the latest available kernel. If one is available, it will ask the user for confirmation to update the kernel to the latest version. After updating the kernel, it will check the kernel entry in the grub file to make sure it has been added.

To download the file:

Run the commands below in your Linux terminal:

# wget -O harden.sh 'https://www.dropbox.com/s/thd1lcs46ztsuqk/hardening.sh?dl=0'
# chmod +x harden.sh

To start the server hardening process:

# ./harden.sh

Now provide the runtime arguments to complete the server hardening process.
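
Because harden.sh runs as root, it is worth vetting the downloaded file first; the following is an added example, not part of the original post or the script. The pinned SHA-256 is an assumption: the page publishes no checksum, so it is the hash you record yourself after reading the script once, and the files here are constructed stand-ins.

```sh
# Added example: vet a downloaded harden.sh before running it as root.
# PINNED_SHA256 is the hash recorded when the script was reviewed
# (assumption: the page itself publishes no checksum).
vet_script() {  # usage: vet_script FILE PINNED_SHA256
    file=$1
    pinned=$2
    # An error page or HTML preview saved under the script's name fails here.
    if ! head -n 1 "$file" 2>/dev/null | grep -q '^#!.*sh'; then
        echo "REJECT: first line is not a shell shebang"
        return 1
    fi
    # Any change since the review, however small, changes the hash.
    got=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$got" != "$pinned" ]; then
        echo "REJECT: sha256 $got differs from the pinned value"
        return 1
    fi
    # Parse only; nothing in the file is executed.
    if ! bash -n "$file" 2>/dev/null; then
        echo "REJECT: bash -n reports a syntax error"
        return 1
    fi
    echo "OK: $file matches the reviewed copy"
}

# Constructed stand-ins for the download; no network access is needed.
GOOD=$(mktemp); HTML=$(mktemp)
printf '#!/bin/bash\necho "hardening steps would run here"\n' > "$GOOD"
printf '<!DOCTYPE html>\n<html><body>Sign in</body></html>\n' > "$HTML"
PINNED=$(sha256sum "$GOOD" | awk '{ print $1 }')  # in practice: recorded at review time

vet_script "$GOOD" "$PINNED"
vet_script "$HTML" "$PINNED" || true
```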

Thanks.

 
