WHM security and tips

Ideal place for discussions related to Linux/Windows server security, Apache, MySQL, MS SQL and PHP, including tutorials and questions.
Site Admin
Posts: 50
Joined: Thu May 30, 2013 10:28 pm

WHM security and tips

Postby hrdedicated » Fri May 31, 2013 12:41 pm

A step by step paper how to secure linux server with cPanel/WHM and Apache installed. By default linux is not secured enough but you have to understand there is no such thing as totally secured server/system.

The purpose of this paper is to understand how to at least provide some kind of security to the server.
Lets start
So you bought the server with CentOS 5 installed. If you ordered cPanel/WHM together with the server you can skip 2.1 step

WHM\cPanel installation and configuration

WHM\cPanel Installation

To begin your installation use the following commands into SSH:
cd /home
wget http://layer1.cpanel.net/latest

cd /home – Opens /home directory
wget http://layer1.cpanel.net/latest – Fetches the latest installation file from the cPanel servers.
./latest – Opens and runs the installation files.

WHM\cPanel should be installed now. You should be able to access cPanel via
http://serverip:2082(SSL-2083) or http://serverip/cpanel and WHM via
http://serverip:2086(SSL-2087) or http://serverip/whm. Lets configure
it now.

2.2 WHM\cPanel Configuration

Login to WHM using root username/passwd
http://serverip:2086 or http://serverip/whm

WHM – Server setup – Tweak Security:

Enable open_basedir protection
Disable Compilers for all accounts(except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection
WHM – Account Functions:

Disable cPanel Demo Mode
Disable shell access for all accounts(except root)
WHM – Service Configuration – FTP Configuration:

Disable anonymous FTP access


Set some MySQL password(Dont set the same password like for the root access)
-If you didnt set MySQL password someone will be able to login into the DB with
username root without password and delete/edit/download any db on the server.

WHM – Service Configuration – Apache Configuration – PHP and SuExec Configuration

Enable suEXEC – suEXEC = On
When PHP runs as an Apache Module it executes as the user/group of the
webserver which is usually nobody or apache. suEXEC changes this so
scripts are run as a CGI. Than means scripts are executed as the user
that created them. With suEXEC script permissions cant be set to
777(read/write/execute at user/group/world level)

3. The server and its services – PHP Installation Optimization & Security

3.1 Keep all services and scripts up to date and make sure that you running the latest secured version.

On CentOS type this into SSH to upgrade/update services on the server.
yum upgrade

yum update

3.2 PHP installation/update configuration and optimization + Suhosin patch

First download what you need type the following into SSH:
cd /root
wget http://www.php.net/get/php-5.2.9.tar.bz ... his/mirror
wget http://download.suhosin.org/suhosin-pat ... 3.patch.gz
wget http://download.suhosin.org/suhosin-0.9.27.tgz

Untar PHP:
tar -xvjf php-5.2.9.tar.bz2

Patch the source:
gunzip < suhosin-patch-5.2.8- | patch -p0

Configure the source. If you want to use the same config as you used for
the last php build its not a problem but you will have to add:

enable-suhosin to old config. To get an old config type this into SSH:
php -i | grep ./configure
cd php-5.2.9
./configure --enable-suhosin + old config(add old config you got from php -i | grep ./configure here)
make install

Note: If you get an error like make: command not found or patch: Command
not found you will have to install make and patch. It can be done
easily. Just type this into SSH:
yum install make
yum install patch

Now check is everything as you want. Upload php script like this on the server:

And open it via your browser and you will see your PHP configuration there.

3.3 Suhosin

We will install Suhosin now its an advanced protection system for PHP.
tar zxvf suhosin-0.9.27.tgz
cd suhosin-0.9.27
make install

After you installed suhosin you will get something like this: Its installed to /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
Now edit your php.ini. If you dont know where php.ini located is type this into SSH.
php -i | grep php.ini

Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
It means you have to edit /usr/local/lib/php.ini

Type into SSH:
nano /usr/local/lib/php.ini

If you get an error nano: Command not found then:
yum install nano

Find extension_dir = and add:
extension_dir = /usr/local/lib/php/extensions/no-debug-non-zts-20060613/
To save it CTRL + O and press the enter button on your keyboard.

3.4 Zend Optimizer:

Download Zend Optimizer from http://www.zend.com/store/products/zend-optimizer.php
tar -zxvf ZendOptimizer-3.3.3-linux-glibc23-i386.tar.gz
cd ZendOptimizer-3.3.3-linux-glibc23-i386

Welcome to Zend Optimizer installation….. – Press Enter button
Zend licence agreement… – Press Enter button
Do you accept the terms of this licence… – Yes press Enter button
Location of Zend Optimizer… – /usr/local/Zend press Enter button
Confirm the location of your php.ini file…- /usr/local/lib press Enter button
Are you using Apache web-server.. – Yes press Enter button
Specify the full path to the Apache control utility(apachectl)…-/usr/local/apache/bin/apachectl press Enter button
The installation has completed seccessfully…- Press Enter button

Now restart apache type this into SSH:
service httpd restart

3.5 php.ini & disabled functions
Edit php.ini like this:
nano /usr/local/lib/php.ini
safe_mode = On
expose_php = Off
Enable_dl= Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system show_source symlink exec dl
shell_exec passthru phpinfo escapeshellargescapeshellcmd

Then restart Apache
service httpd restart

Or you can edit php.ini via WHM:
WHM – Service Configuration – PHP Configuration Editor

4. Kernel Hardening – Linux Kernel + Grsecurity Patch

Description : grsecurity is an innovative approach to security utilizing
a multi-layered detection prevention and containment model. It is
licensed under the GPL. It offers among many other features:
-An intelligent and robust Role-Based Access Control (RBAC) system that can generate least privilege policies for your entire system with no configuration
-Change root (chroot) hardening
-/tmp race prevention
-Extensive auditing
-Prevention of arbitrary code execution regardless of the technique used (stack smashing heap corruption etc)
-Prevention of arbitrary code execution in the kernel
-Randomization of the stack library and heap bases
-Kernel stack base randomization
-Protection against exploitable null-pointer dereference bugs in the kernel
-Reduction of the risk of sensitive information being leaked by arbitrary-read kernel bugs
-A restriction that allows a user to only view his/her processes
-Security alerts and audits that contain the IP address of the person causing the alert

Downloading and patching kernel with grsecurity
cd /root
wget http://www.kernel.org/pub/linux/kernel/ ... 6.5.tar.gz
wget http://www.grsecurity.com/test/grsecuri ... 1715.patch
tar -xzvf linux-
patch -p0 < grsecurity-2.1.12-
mv linux- linux-
ln -s linux- linux
cd linux
cp /boot/config-uname -r .config
make oldconfig
Compile the Kernel:
make bzImage
make modules
make modules_install
make install

Check your grub loader config and make sure default is 0
nano /boot/grub/grub.conf

Reboot the server

5. SSH

In order to change SSH port and protocol you will have to edit sshd_config
nano /etc/ssh/sshd_config

Change Protocol 21 to Protocol 2
Change #Port 22 to some other port and uncomment it
Like Port 1337

There is a lot of script kiddiez with brute forcers and they will try to crack our ssh pass because they know username is root port is 22

But we were smarter we have changed SSH port

SSH Legal Message

edit /etc/motd write in motd something like this:
ALERT! That is a secured area. Your IP is logged. Administrator has been notified
When someone logins into SSH he will see that message:
ALERT! That is a secured area. Your IP is logged. Administrator has been notified
If you want to recieve an email every time when someone logins into SSH as root edit .bash_profile(Its located in /root directory) and put this at the end of file:
echo ALERT - Root Shell Access on: date who | mail -s Alert: Root Access from who | awk {print $6} mail@something.com

And at the end restart SSH
service sshd restart

6. Firewall – DDoS Protection

6.1 Firewall CSF Installation
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf

In order to install csf your server needs to have some ipt modules
enabled. csftest is a perl script and it comes with csf. You can check
those mudules with it.

The output should be like this:
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing ipt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK

Dont worry if you dont have all those mudules enabled csf will work if
you didnt get any FATAL errors at the end of the output.

Now get to installation

You will have to edit csf.conf file. Its located here:
nano /etc/csf/csf.conf

You need to edit it like this:
Testing = 0

And you need to configure open ports in csf.conf or you wont be able to
access these ports. In most cases it should be configured like this if
you are using cP/WHM. If you are running something on some other port
you will have to enable it here. If you changed SSH port you will have
to add a new port here:
# Allow incoming TCP ports
TCP_IN = 20212225538011014344346558799399520772078208220832086208720952096
# Allow outgoing TCP ports
TCP_OUT = 2021222537435380110113443587873208720892703

6.2) CSF Connection Limit
There is in csf.conf CT option configure it like this
CT_LIMIT = 200
It means every IP with more than 200 connections is going to be blocked.
IP will blocked permanenty
IP will be blocked 1800 secs(1800 secs = 30 mins)
Set this to the the number of seconds between connection tracking scans.
After csf.conf editing you need to restart csf
service csf restart

6.3) SYN Cookies
Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

Restart the network service
service network restart

6.4 CSF as security testing tool

CSF has an option Server Security Check. Go to WHM – Plugins – CSF -
Test Server Security. You will see additional steps how to secure the
server even more. Im writing only about most important things here and
I covered most of them in the paper but if you want you can follow steps
provided by CSF to get the server even more secured.

6.5 Mod_Evasive

ModEvasive module for apache offers protection against DDoS (denial of service attacks) on your server.
To install it login into SSH and type:
cd /root/
wget http://www.zdziarski.com/projects/mod_e ... 0.1.tar.gz
tar zxf mode_evasive-1.10.1.tar.gz
cd mod_evasive

then type…
/usr/sbin/apxs -cia mod_evasive20.c

When mod_evasive is installed place the following lines in your httpd.conf (/etc/httpd/conf/httpd.conf)
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

6.6 Random things:

csf -d IP – Block an IP with CSF
csf -dr IP – Unblock an IP with CSF
csf -s – Start firewall rules
csf -f – Flush/stop firewall rules
csf -r – Restart firewall rules
csf -x – Disable CSF
csf -e – Enable CSF
csf -c – Check for updates
csf -h – Show help screen
-Block an IP via iptables
iptables -A INPUT -s IP -j DROP

-Unblock an IP via iptables
iptables -A INPUT -s IP -j ACCEPT

-See how many IP addresses are connected to the server and how many connections has each of them.
netstat -ntu | awk {print $5} | cut -d: -f1 | sort | uniq -c | sort -n

7. Mod_Security

Mod_Security is a web application firewall and he can help us to secure our sites against RFI LFI XSS SQL Injection etc
If you use cP/WHM you can easly enable Mod_security in WHM – Plugins – Enable Mod_Security and save
Now I will explain how to install Mod_security from source.
You cant install Mod_Security if you dont have libxml2 and http-devel libraries.
Also you need to enable mod_unique_id in apache modules but dont worry I will explain how to do it

Login into SSH and type…
yum install libxml2 libxml2-devel httpd-devel

libxml2 libxml2-devel httpd-devel should be installed now
then you need to edit httpd.conf file you can find it here:
nano /etc/httpd/conf/httpd.conf

You need to add this in your httpd.conf file
LoadModule unique_id_module modules/mod_unique_id.so
Now download the latest version of mod_security for apache2 from http://www.modsecurity.org

login into SSH and type…
cd /root/
wget http://www.modsecurity.org/download/mod ... 5.6.tar.gz
tar zxf modsecurity-apache_2.5.6.tar.gz
cd modsecurity-apache_2.5.6
cd apache2

then type:
make install

Go at the end of httpd.conf and place an include for our config/rules file…
Include /etc/httpd/conf/modsecurity.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include /etc/httpd/conf/modsecurity.conf

You need to find a good rules for Mod_Security. You can find them at
official Mod_Security site. Also give a try to gotroot.com rules. When
you find a good rules just put them in /etc/httpd/conf/modsecurity.conf
And restart httpd at the end type service httpd restart into SSH.

8. Anti-Virus – ClamAV

You need AV protection to protect the server against worms and trojans
invading your mailbox and files! Just install clamav (a free open source
antivirus software for linux). More information can be found on clamav.
website – http://www.clamav.net

In order to install CLamAV login into SSH and type
yum install clamav

Once you have installed clamav for your CentOS here are some basic commands you will need:

Update the antivirus database

Run antivirus
clamscan -r /home

Running as Cron Daily Job
To run antivirus as a cron job (automatically scan daily) just run
crontab -e from your command line. Then add the following line and save
the file.
@daily root clamscan -R /home

It means clamav will be scanning /home directory every day. You can change the folder to whatever you want to scan.

9. Rootkit

Rootkit scanner is scanning tool to ensure you for about 99.9%* youre clean of nasty tools.

This tool scans for rootkits backdoors and local exploits by running tests like:
-MD5 hash compare
-Look for default files used by rootkits
-Wrong file permissions for binaries
-Look for suspected strings in LKM and KLD modules
-Look for hidden files
-Optional scan within plaintext and binary files

Login into SSH and type

cd /root/
wget http://sourceforge.net/projects/rkhunte ... irror=iweb
tar -zxvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install

Scan the server with rkhunter
rkhunter -c

10. The Rest of it

10.1 Random suggestions

If you use bind DNS server then we need to edit named.conf file
named.conf is located here: /etc/named.conf
and add
recursion no; under Options
recursion no;

Now restart bind type into SSH
service named restart

This will prevent lookups from dnstools.com and similar services and reduce server load
In order to prevent IP spoofing you need to edit host.conf file like this:
This file is located here: /etc/host.conf
Add that in host.conf
order bindhosts
nospoof on

Hide the Apache version number:
edit httpd.conf (/etc/httpd/conf/httpd.conf)
ServerSignature Off

10.2 Passwords
Dont use the same password you are using for the server on some other places.
When the Datacenter contacts you via e-mail or phone always request
more informations. Remember someone alse could contact you to get some
information or even root passwords.

10.3 Random thoughts
No matter what you need to secure the server dont think you are safe
only because you are not personally involved in any shits with
hackers. When you are hosting hacking/warez related sites you are the
target. There is no such thing as totally secured server. Most important
things are backups make sure you will always have an up-to-date
offsite backups

Posts: 2
Joined: Thu May 30, 2013 12:51 pm

Re: WHM security and tips

Postby Christina9 » Fri May 31, 2013 12:51 pm

I have gone through the post and good information provided . Thanks for the post . we will be waiting for some good post from your end .
Thank you once again .
:D :)

Return to “System Security”

Who is online

Users browsing this forum: No registered users and 1 guest