Hardening script for Cpanel users

Portal Home > Knowledgebase > Articles Database > Hardening script for Cpanel users

Posted by supportoperator, 06-01-2014, 08:15 AM
We wanted to present you with our new cPanel server hardening script. This script was created by myself Milan from SupportOperator.com, an industry leading web hosting support company. If you are running the web hosting company, you would probably know how it's challenging to secure a server in a production server from the hands of intruder. Every managed client wants their server to be delivered with the highest security standards. This is the reason why we at supportoperator.com have designed this small linux hardening program to save you a lot of time to secure and optimize the linux cPanel server. At every step it will ask whether you need to secure the certain function or not. Here is what our hardening script does: Installs cPanel Installs & Configure CSF/LFD Installs Maldet scanner & configure Hardens your PHP Tweaks cPanel Settings Hardens FTP Disables unnecessary services Optimizes your MYSQL Server Secures /tmp Changes SSH port How to download & run the script This script is designed only for cPanel servers at this time. This script is under constant development. We are planning another version which will have more features. If you have any questions, comments, or recommendations for the script please email us at support@supportoperator.com. Thank you.
Posted by PCS-Chris, 06-01-2014, 08:44 AM
Before someone unsuspecting runs this, such scripts are not enough to harden/optimize a server and you need to be aware of what they are doing and their limitations. 1. This isn't a signed package and has no checksums etc, if supportoperator's server were to be hacked, this could contain a nice rootkit so check the source every time or do your own checksum. 2. "Manage Mounting" sets noexec,nosuid to EVERY partition in /etc/fstab, not just tmp/shm 3. "Harden FTP" doesnt check which FTP daemon you are running and modifies Pureftpd only, leaving Proftpd vulnerable on defaults. 4. "Disable unnecearry services" only disables 7 unnecesaarry services, believe me servers can come with alot more rubbish than that. 5. "Chnge SSH Port" also disables DNS in sshd. If you have poor DNS configuration SSH can be slow to login, disabling this works around the problem but you lose some functionality. 6. If SELinux is currently disabled, it will enable it in enforcing mode WITHOUT ASKING. 7. "Optimize Mysql" downloads a my.cnf from their server, then restarts sshd?? It's also very conserative with a 100 connection limit, and little in the way of caching. It's good of you to release this to the community but it needs some work. For a server management provider you have also missed out some basic fundamentals of security: - Check for users with shell access - Check for other points of entry e.g. telnet - Kernel options (sysctl) Add in a few more checks before the next release if you can Last edited by PCS-Chris; 06-01-2014 at 08:49 AM.
Posted by supportoperator, 06-01-2014, 09:30 AM
Thank you for your comments chris , we will definitely update the points mentioned by you in the next release as soon as possible . as this script is only used for basic hardening checks. we know there are many more features which can be added into it .
Posted by Steven, 06-01-2014, 11:04 AM
Can you please take this script down until you make it safer? This script is pretty dangerous and some unsuspecting user is going to run it and have a mess.
Posted by Steven, 06-01-2014, 11:12 AM
There is this little gem stuffed in there http://dev.mysql.com/doc/refman/5.0/...ead_cache_size Really that my.cnf configuration is awful. It is not useful at all and would cause most people problems.
Posted by supportoperator, 06-01-2014, 11:39 AM
We have removed that line thanks for pointing it out .
Posted by anon-e-mouse, 06-02-2014, 04:19 AM
Thread closed by request.

Add to Favourites Print this Article