Apache + cPanel Security Part 1
05-13-2010 @ 3:54AM EDT
Now I hold no certs or degrees in IT-SEC or anything remotely close for that matter so this article is not meant to be used as any type of authority on the subject. I am merely passing on what I have learned and experienced in my years. Above all, I always recommend enlisting he help of a professional in some capacity, be it to harden your system or to perform a security audit.
First off, security is not a one time deal. With ever evolving technology you are required to continue expanding your knowledge and implementing new methods to combat new threats. Prevention is the key but since it's never 100% effective, reporting is your best friend... what I mean is CHECK YOUR LOGS DAILY! Always look for something suspicious, don't assume your server is safe just because it's still online and running fine. Setup scripts to alert you when something changes and act on those alerts promptly (although be cautious, don't start to rm -rf at the first sign of change).
So now I will go over part 1 of the basics that I feel is required of every Apache based webserver. This article is assuming you have installed CentOS 5 (this article should work for any RHEL based Linux distro) and cPanel, if you haven't please do this before continuing.
Part 1: SSH
The absolute first thing you should do on a clean server is secure SSH. Before you even consider anything else, edit your SSH configuration (vi /etc/ssh/sshd_config). The lines you should be concerned with are the following:
Code:
Port
PermitRootLogin
RSAAuthentication
PubkeyAuthentication
AuthorizedKeysFile
PasswordAuthentication
UseDNS
Banner
PermitRootLogin
RSAAuthentication
PubkeyAuthentication
AuthorizedKeysFile
PasswordAuthentication
UseDNS
Banner
(Make sure all of the above lines are uncommented (remove the # in front).)
[list]
[*]Change your Port to something other than 22, preferably either a random or hard to guess 5 digit number (no more than 65535). In reality any port other than 22 is a good port since that is the default SSH port, but be sure to check to make sure the port you pick won't conflict with other known ports.
[*]Set PermitRootLogin to no. This will prevent people from using root to login to SSH. Since root is the last thing you want anybody to have access to, the best way to prevent access is to disable it immediately. In a moment, I will explain how you will still be able to have root access even after disabling it. AFTER SETTING THIS DO NOT LOGOUT OF YOUR CURRENT SSH SESSION UNTIL YOU HAVE CONFIRMED THAT YOU CAN LOGIN WITH YOUR USERNAME AND RSA!
[*]Set RSAAuthentication and PubkeyAuthentication to yes. This will allow you to use an RSA key to SSH into your server instead of your password. Also verify that AuthorizedKeysFile is set to .ssh/authorized_keys.
[*]Set PasswordAuthentication to no. This will disable people from being able to login with a password which forces you and your staff to use RSA keys which are the most secure option you can have.
[*]Set UseDNS to no. This should be set for accurate logging and reporting for the ConfigServer Firewall we will be setting up later.
[*]Set Banner to something like /root/sshbanner. The actual location and name of the banner is up to you. Just make sure that the file includes something along the following lines:
Quoted by: Banner
This system is monitored and all logins are reported to the administrators. If you are not authorized to connect to this server disconnect now.
Of course this has little actual effect but some script kiddies might be scared off by this since by default they aren't use to seeing any kind of message when trying to login so it might make them think the server is more advanced/secure than others. Either way it's the equivalent to a "No Trespassing" notice so if you do have to ever resort to legal proceedings they can't say they didn't know. You should also setup a Message Of The Day (MOTD) with a similar message (vi /etc/motd) for the same reason.
[/list]
DO NOT RESTART SSHD!
Now once that has been setup you will want to create a new users that you will be logging in with since root will be disabled shortly. Create a new user for yourself (useradd). Now create a password for that user (passwd), ensure it is unique and differs from your root password. Not you will want to add that user to the wheel group (vi /etc/group find the wheel group and add the username to that line like so: wheel:x:10:root,username).
Once the user is added to the wheel group you will want to create an RSA key for this user. If you are using PuTTY then you will need to download PuTTYgen. (There are better tutorials out there for PuTTYgen but here's a quick run down I'm typing from memory so if you have problems do a search for one of the many guides out there... most with screenshots! ;))
[list=1]
[*]Open PuTTYgen.exe set the type to SSH2 RSA and minimum 1024 bits.
[*]Click Generate and move your mouse in the box for randomness.
[*]Edit the Comment to something you can easily identify if you plan to use multiple RSAs (different users, access to/from other servers, etc...).
[*]Set a Passphrase so even if somebody gets your RSA key they still cannot login to your server without entering the correct password. Do not use your username or root password!
[*]Save the public and private keys to your PC, then copy and paste the public key in the text box to a new authorized_keys file on your server (mkdir .ssh && chmod 0700 .ssh && cd .ssh && touch authorized_keys && chmod 0600 authorized_keys && vi authorized_keys).
[*]Now one last thing you will want to do is setup your server to send you an e-mail when somebody logs in under root on your server by adding the following line to .bashrc (vi /root/.bashrc):
Code:
echo 'ALERT - ROOT SHELL ACCESS ON:' `date` `who` | mail -s "ALERT: ROOT ACCESS FROM: `who | cut -d"(" -f2 | cut -d")" -f1`" root
This code will send an e-mail to your "root" e-mail (which we will define in WHM) when somebody logs into root.[/list]Now restart SSH in SSH (service sshd restart) while staying logged in to your current session. Open a second SSH session to your server using your new port, username, and RSA key to confirm it is working (also check for the banner and MOTD we setup). Once you are able to login with your new username and RSA key verify you can switch to root (su -). If everything worked correctly you should now have root SSH access with password authentication and root login disabled!
apache, servers, security, cpanel, tutorials
Comments
This article hasn't been commented yet.
Write a comment
* = required field