
Secure/Setup cPanel/WHM

READ ALL THIS:

This tutorial is based on the release version of cPanel. With updates it is bound to change with time.

This setup is based on security and performance and tries to take into consideration new setups as well as existing setups. If a setting isn't mentioned here you are free to choose your own setting. This is also only a guide. If you are a web hosting company and DO offer FrontPage services then naturally you need to ensure it is turned on in the Feature Lists; however, you should make sure it's only turned on in packages where you are offering that feature. Use common sense and always think of security first.

Form: For your convenience and for hard copy records you can use the check list provided and print afterwards.

Server IP Address

 

Server Configuration

Basic cPanel/WHM Setup

Set a Server Contact E-Mail Address

 

Change Root Password

Reset Root Password

 

Server Time

Set the correct time zone for syncing. This ensures the server time is correct for the scheduled updates that are configured later.

 

Tweak Settings

Untick: Allow users to Park/Addon Domains on top of domains owned by other users

Untick: Allow Creation of Parked/Addon Domains that are not registered

Tick: Prevent users from parking/adding on common internet domains

Blackhole: Default catch-all/default address behavior for new accounts (fail will generally save the most CPU time)

Tick: Email users when they have reached 80% of their bandwidth

60: Number of minutes between mail server queue runs (default is 60)

Tick: Track the origin of messages sent through the mail server by adding the X-Source headers (exim 4.34+ required)

50: The maximum each domain can send out per hour

Tick: Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)

120: The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited

Tick: Attempt to prevent pop3 connection floods

Tick: Mail Box Usage Warnings

Untick: Disable Suspending accounts that exceed their bandwidth limit

Tick: Disk Space Usage Warnings

Untick: FormMail-clone cgi

Tick: Allow Sharing Nameserver Ips

Untick: Disable Disk Quota display caching

Tick: Display Errors in cPanel instead of logging them to /usr/local/cpanel/logs/error_log

Untick: Do not warn about features that will be deprecated in later releases

Untick: Use jailshell as the default shell for all new accounts and modified accounts

Untick: Allow cPanel users to reset their password via email

Untick: Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication)

Set: The default administrative contact for cPAddons moderation emails

Tick: Alert cPAddons administrator of pending moderation requests

Tick: Prevent installation of addon scripts not provided by cPanel

Tick: Prevent installation of cPanel addon scripts that have been altered

 

Update Config

cPanel/WHM Updates: Automatic (RELEASE tree)

cPanel Package Updates: Automatic

Security Package Updates: Automatic

 

Networking Setup

Hostname

Set Valid Hostname. Set a name that describes the server's role.

 

Resolver Configuration

Set Resolver IP addresses - Run a WHOIS on the IP addresses already present to check if the provider has already entered these values. If not, contact your provider for the resolver IP addresses.

 

Security

Fix Insecure Permissions (Scripts)

Run - You only have to click the link in the nav to run it.

 

Manage Wheel Group Users

WARNING: Only proceed with this one if you have disabled direct root login with SSH
Remove all users who shouldn't have su (switch user) access. Generally this should include root if direct root login is disabled for security.
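
The two preconditions in this step (direct root login already disabled, and only the intended admins left in wheel) can be checked from the shell before anything is removed. The following is an added example written for this guide, not cPanel's or HostGeekz's own tooling; it takes file paths as parameters so it can be run against `/etc/group` and `/etc/ssh/sshd_config` on the server or, as in `demo()`, against constructed sample files. The expected-admin list passed to `wheel_review` is an assumption you supply.

```shell
#!/bin/sh
# Added example, not part of the HostGeekz guide: audit the wheel group and the
# sshd PermitRootLogin setting before pruning wheel as the guide recommends.
# Both checks take a file path so they can be run against copies of the real
# files (/etc/group and /etc/ssh/sshd_config on a cPanel server) or the
# constructed samples in demo() below.

# Print the members of group $2 listed in the group(5) file $1, one per line.
group_members() {
    awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
    ' "$1"
}

# Succeed (exit 0) only if sshd_config $1 has an uncommented "PermitRootLogin no".
# An absent directive falls back to the OpenSSH default, which on older releases
# allows root login, so absence is treated as NOT disabled. A directive inside a
# "Match" block is conditional and is not distinguished here.
root_login_disabled() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# Print each member of group $2 (file $1) that is not in $3, a space-separated
# list of admins expected to keep su access. Anything printed needs review.
wheel_review() {
    group_members "$1" "$2" | while read -r u; do
        case " $3 " in
            *" $u "*) ;;                  # expected admin, nothing to do
            *) echo "review: $u" ;;       # unexpected su-capable user
        esac
    done
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample data: root plus two staff accounts in wheel.
    cat > "$tmp/group" <<'EOF'
root:x:0:
wheel:x:10:root,alice,bob
users:x:100:
EOF
    cat > "$tmp/sshd_config" <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
EOF
    if root_login_disabled "$tmp/sshd_config"; then
        echo "Direct root SSH login is disabled; it is safe to remove root from wheel."
    else
        echo "PermitRootLogin is not 'no'; do NOT remove root from wheel yet."
    fi
    wheel_review "$tmp/group" wheel "alice"
    rm -rf "$tmp"
}
demo
```

With the sample data the review lists `root` and `bob`: root because the guide says to drop it once direct root login is off, bob because he is not on the expected-admin list. Only an explicit `PermitRootLogin no` counts as disabled; a commented-out line or a missing directive is reported as not disabled, which is the safe reading.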

 

Manage Wheel Group Users

Run - You only have to click the link in the nav to run it.

 

Quick Security Scan

Run - You only have to click the link in the nav to run it. Everything should have [FAILED] next to it.

 

Shell Fork Bomb Protection

Enable Protection

 

Tweak Security

Php open_basedir Tweak: Enable php open_basedir Protection & Untick all other boxes

mod_userdir Tweak: Enable mod_userdir Protection

Compilers Tweak: Disable Compilers

Traceroute Tweak: Disable

SMTP Tweak: Enable

 

Server Contacts

Alert Type Assignment

AIM: 1

ICQ: 2

Email: 3

Pager: 4

 

Alert Priority Assignment

Set all to 3

 

Resellers
(Needs to be set up before anyone is added. Otherwise the default settings have to be overwritten, or an ACL list made and set on creation of each reseller account.)

Edit Privileges/Nameservers

Untick: Enabling/Disabling FrontPage Extensions

Untick: Turn an account into a demo account

Untick: Allow Creation of Packages with Shell Access

Untick: Allow creation of packages with Addon Domains

Untick: Allow creation of packages with Parked Domains

Tick: Disallow creation of accounts with packages that are not global or not owned by this user

Tick: Never allow creation of accounts with shell access

Untick: All Features (warning: root access)

 

Service Configuration

Enable/Disable SuExec

Enable

 

Exim Configuration Editor

Untick: Always set the Sender: header when the sender is changed from the actual sender

Tick: Verify the existence of email senders

Tick: Use callouts to verify the existence of email senders

Tick: Discard emails for users who have exceeded their quota instead of keeping them in the queue

 

FTP Configuration

Ensure "pure-ftpd" is in use - change it otherwise

Anonymous FTP: Disabled

 

Service Manager

For performance untick enabled and monitoring on:

entropychat
imap
interchange
melange

Only tick the monitor option for services you want customers to see. Keep the list to a minimum to cause less confusion: try to stick to FTP, HTTPD, BIND and MySQL.

 

Account Information

List Parked Domains

Check for any unauthorised domains

 

List Suspended Accounts

Check and become familiar with any suspended accounts

 

Show Accounts over Quota

Check and become familiar with any accounts over quotas

 

View Bandwidth Usage

Check and become familiar with any accounts over limits

 

Account Functions

Manage Shell Access

Disable all accounts

 

Modify Suspended Account Page

Change to:

<b>Attention: This account has been suspended. Please contact your provider for more information</b>

 

Skeleton Directory

Check this path, then SSH into the server and set up the directory. Remove any rubbish and leave only what is needed. Ensure that no FrontPage Server Extensions are present.

 

FrontPage

Uninstall FrontPage Extensions

Uninstall any known installations of these. Note: doing so will rename the .htaccess file in the document root of the account. Only do this if you know it is installed and want it removed. You may have to log in to the account, rename the .htaccess.986984278 (or something similar) back to .htaccess and manually remove any FrontPage rubbish from the file.
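
Both the Skeleton Directory step and this FrontPage uninstall step end with the same manual check: make sure nothing FrontPage-related is left behind in a directory tree. The script below is an added example for this guide, not a cPanel utility; it looks for the `_vti_*` directories the extensions create and for the `# -FrontPage-` marker and `_vti_pvt` rules they write into `.htaccess` (renamed copies such as `.htaccess.986984278` are included). The directory layout and `.htaccess` contents in `demo()` are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the HostGeekz guide: list FrontPage Server
# Extensions residue in a directory tree, such as the cPanel skeleton directory
# or an account's document root after the extensions have been uninstalled.
# FrontPage leaves _vti_* directories and marks .htaccess with "# -FrontPage-"
# and rules that point into _vti_pvt; both are what this looks for.

# Print every _vti_* entry under $1, then every FrontPage-related line in any
# .htaccess (including renamed copies such as .htaccess.986984278).
frontpage_residue() {
    find "$1" -name '_vti_*' -print 2>/dev/null
    find "$1" -name '.htaccess*' -type f \
        -exec grep -Hn -e '-FrontPage-' -e '_vti_' {} \; 2>/dev/null
}

# Number of residue lines; 0 means the tree is clean.
frontpage_residue_count() {
    frontpage_residue "$1" | wc -l | tr -d ' '
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample: a document root with leftover FrontPage directories
    # and a .htaccess that still carries the FrontPage marker and auth rule.
    mkdir -p "$tmp/public_html/_vti_pvt" "$tmp/public_html/_vti_bin" "$tmp/public_html/images"
    cat > "$tmp/public_html/.htaccess" <<'EOF'
# -FrontPage-
AuthUserFile /home/user/public_html/_vti_pvt/service.pwd
Options -Indexes
EOF
    echo "FrontPage residue under $tmp/public_html:"
    frontpage_residue "$tmp/public_html" | sed 's/^/  /'
    echo "Residue lines: $(frontpage_residue_count "$tmp/public_html")"
    rm -rf "$tmp"
}
demo
```

Run it as `frontpage_residue /root/cpanel3-skel` (or whatever path the Skeleton Directory page shows) and again against an account's `public_html` after the uninstall; an `Options -Indexes` line or other ordinary directives are not reported, only the FrontPage marker and `_vti_` references are.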

 

Packages

Add Packages

If there are no packages, add a default package with the following:

Package Name: Default
Untick: Shell Access
Max Parked Domains: 0
Max Addon Domains: 0
Untick: Cgi Access
Untick: Frontpage Extensions
Feature List: default

Others can be left blank.

 

Delete Packages

As required: Remove any old packages or packages belonging to users that no longer exist.

 

Edit Packages

Check all packages and make sure the following is set:

Untick: Shell Access
Max Parked Domains: 0
Max Addon Domains: 0
Untick: Cgi Access
Untick: Frontpage Extensions

 

Feature Manager

Untick: SSH Window

Untick: Frontpage

Untick: Parked Domain Manager

Untick: Addon Domain Manager

Tick: Fantastico (if available)

Tick: Fantastico De Luxe (if available)

 

Email

Mail Queue Manager

Check that there is no backlog. If there are frozen messages, check why they are frozen. Investigate any large backlogs.
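
The Mail Queue Manager page is a view of the same data `exim -bp` prints, so the backlog check can also be scripted and run from cron or a monitoring job. The script below is an added example for this guide, not part of cPanel or Exim; it reads an `exim -bp` style listing on stdin and reports the total queued messages, how many are frozen, and their ids. The listing in `exim_queue_sample` is constructed sample data with made-up addresses and message ids.

```shell
#!/bin/sh
# Added example, not part of the HostGeekz guide: summarise an Exim queue
# listing in the format printed by `exim -bp` (the same data WHM's Mail Queue
# Manager shows). Each function reads the listing on stdin, so a saved listing
# or the live command output can be piped in; the sample below is constructed.
#
# A header line looks like:  25m  2.9K 1Kz0bN-0003xL-7a <sender> *** frozen ***
# followed by one indented recipient line per recipient and a blank line.

# Constructed sample listing: one normal message and two frozen ones, one of
# them a bounce (empty <> sender), which is the usual shape of a stuck queue.
exim_queue_sample() {
    cat <<'EOF'
25m  2.9K 1Kz0bN-0003xL-7a <bulk@example.com> *** frozen ***
          dest1@example.org

 3h  1.1K 1Kz0cQ-0003yZ-Bc <user@example.net>
          someone@example.org
          other@example.com

 2d   512 1Kz0dR-0003zA-Cd <> *** frozen ***
          bounce-target@example.org

EOF
}

# Total queued messages: count header lines, recognised by age, size and a
# 6-6-2 character Exim message id. Prints 0 (and still succeeds) on an empty queue.
queue_total() {
    grep -Ec '^ *[0-9]+[a-z]? +[0-9.]+[KMG]? +[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2} ' || true
}

# Message ids of frozen messages (third whitespace-separated field of the header).
queue_frozen_ids() {
    grep -F '*** frozen ***' | awk '{ print $3 }'
}

queue_frozen_count() {
    queue_frozen_ids | wc -l | tr -d ' '
}

# One-screen summary for the operator; the ids are what you would then look up
# with `exim -Mvl <id>` (message log) and `exim -Mvh <id>` (headers) to see why
# each message froze before deciding whether to thaw or remove it.
queue_report() {
    listing=$(cat)
    total=$(printf '%s\n' "$listing" | queue_total)
    frozen=$(printf '%s\n' "$listing" | queue_frozen_count)
    echo "Queued messages: $total (frozen: $frozen)"
    printf '%s\n' "$listing" | queue_frozen_ids | sed 's/^/  frozen: /'
}

exim_queue_sample | queue_report
```

On a live server replace the sample with `exim -bp | queue_report`. A frozen bounce with an empty `<>` sender, as in the third sample message, usually means a bounce could not be delivered and is a common reason a queue grows without any account actually sending mail.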

 

Repair Mailbox permissions

Run

 

System Health

Background Process Killer

Tick all boxes:

BitchX
bnc
eggdrop
generic-sniffers
guardservices
ircd
psyBNC
ptlink
services

Remove any trusted users.

 

cPanel

Addon Modules

Tick: Install and Keep Updated

Tick: clamavconnector

Tick: modsecurity

Tick: addonupdates

Tick: cronconfig

Allow to install. Then close WHM and reopen.

 

Install cPAddon Scripts

Untick anything with a rank of 1 - these are the most insecure, or the ones that are going to give you hell.

 

Addon Scripts (Deprecated)

Uninstall anything in here - these are "handy" but in the end cause trouble, especially if they are allowed to get outdated.

 

Modify cPanel/WHM News

Global cPanel News:

<p><br><b>Account Tips:</b>
<ul>
<li>Set all unrouted mail or your default email address on all domains and subdomains to <i><b>:blackhole:</b></i> to avoid spam attacks against your account.</li>
<li>Set a contact email address that is not located on this server so you can be contacted in emergencies (eg. gmail or hotmail).</li>
<li>Ensure Anonymous FTP Access is turned off on your account.</li>
<li>Disable directory listing on your public_html folder to secure your files.</li>
<li>Use a strong password and change it regularly.</li>
<li>Back up your data regularly. Customers are responsible for backing up their own data.</li></ul>
<p>If you need help with any of the above, please contact our support department.</p>

cPanel News (displayed in all of your customers' cPanels):

Welcome to $company_name. For all your support needs, <a href="http://www.support-url-here.com" target="_blank">contact our helpdesk</a> and we'd be glad to help.

 

Synchronize FTP Passwords

Run

 

Add-ons

Addon Script Manager

Check for any out-of-date installs that are open to attack.

 

Configure cPanel Cron Times

Configure to a time when you know that your server load is low. The default may be okay, but this needs to be checked.

 

Configure ClamAV Scanner

Tick: Scan Entire Home Directory

Tick: Scan Mail

Tick: Scan Public FTP Space

Tick: Scan Public Web Space

 

Mod Security

Press Edit button

Press Default button

 

After you have finished all of the above, go back to Security and run Scan for Trojan Horses.

 

Setup By:


© Copyright, Simplec Services - Australia, 2017
