1. Kernel update
# yum update kernel
2. OpenSSH & OpenSSL version update
# yum update openssh && yum update openssl
3. Secure /tmp, /dev/shm & /var/tmp
On a cPanel server:
# /scripts/securetmp
4. Enable firewall (csf)
5. Malware scanner (LMD, rkhunter, clamAV)
6. Disable SSH tunneling.
Add the following parameter to /etc/ssh/sshd_config (uncommented, otherwise it has no effect) and restart sshd:
AllowTcpForwarding no
7. Enable Display Time and Date in HISTORY
echo 'export HISTTIMEFORMAT="%d/%m/%y %T "' >> ~/.bash_profile
source ~/.bash_profile
cPanel Security
======================
8. WHM >> HOME >> cPanel Security
Enable Apache mod_userdir Tweak
Disable compiler access
Password strength : set 70
Configure security policies: set password age to 90 days
Enable Shell Fork Bomb Protection
Disable cpHulk Protection (if csf already installed)
Enable PHP open_basedir
Enable Check Referrer Security.
Enable Background Process Killer
Enable Check Referrer Blank Security.
9. Add disable_functions:
symlink, show_source, system, virtual, shell_exec, passthru, exec, popen, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, pfsockopen, allow_url_fopen, posix_getpwuid, eval, posix_setsid, posix_mkfifo, posix_setpgid, posix_setuid, posix_uname, posix_kill, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, leak, dl, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code
10. Disable allow_url_fopen in php.ini, including every PHP version in the PHP selector
11. Turn off unused services and daemons
chkconfig cups off
service xfs stop
chkconfig xfs off
service nfslock stop
chkconfig nfslock off
service rpcidmapd stop
chkconfig rpcidmapd off
service bluetooth stop
chkconfig bluetooth off
service anacron stop
chkconfig anacron off
service gpm stop
chkconfig gpm off
service avahi-daemon stop
chkconfig avahi-daemon off
service hidd stop
chkconfig hidd off
service pcscd stop
chkconfig pcscd off
12. Install the default mod_security vendor ruleset: WHM >> mod_security vendors
Exim Settings
======================
WHM >> Tweak Settings >> Mail & WHM >> HOME >> EXIM Configuration Manager
Install ClamAV and configure
Exim Tweak Settings and Exim Configuration Manager settings
1. Prevent nobody from sending mail [?] On
2. Max hourly emails per domain [?] 300
3. Initial default/catch-all forwarder destination [?] set fail
4. Set RDNS for mail Ips
5. Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody >> Enable
6. Enable SpamAssassin Spam Box delivery for messages marked as spam (user configurable)
8. Enable dictionary attack protection
9. Reject remote mail sent to the server’s hostname [?] On
10. Configure custom RBL
11. Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)? On
12. Scan outgoing messages for malware [?] On
13. Scan messages for malware from authenticated senders (eximscan). [?] On
14. Tighten /etc/cpanel_exim_system_filter as on the other servers and set the file's attributes so it cannot be modified.
15. Enable SPF & DomainKey on domains for newly created accounts
16. Track email origin via X-Source email headers >> enable
17. Set Maximum percentage of failed or deferred messages a domain may send per hour
18. Install WHM addon to monitor and alert server IP blacklist
19. Enable extended Exim logging
WHM >> Main >> Service Configuration >> Exim Configuration Editor >> Advanced Editor
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
http://thecpaneladmin.com/plugin-database/
CSF Setting
================
1. Disable testing mode (csf enforces nothing while this is on)
TESTING = "0"
2. Set RESTRICT_SYSLOG = "3"
3. Add the following ports to TCP_IN
TCP_IN = 3306,5666,1167
4. Remove the SSH port from the csf port lists
5. Enable SYNFLOOD
6. Whitelist the main client IP and our office IPs
7. Allow the SSH port only for our office IPs and the main client IP, with csf.allow entries like the following (port and IP are this checklist's example values):
tcp|in|d=2231|s=122.174.216.172
8. Make the following changes in csf.conf for service connections:
# Enable login failure detection of ftp connections
LF_FTPD = "100"
# Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "100"
# Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "100"
# Enable login failure detection of pop3 connections
LF_POP3D = "100"
# Enable login failure detection of imap connections
LF_IMAPD = "100"
# Enable login failure detection of cpanel, webmail and whm connections
LF_CPANEL = "10"
# Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "25"
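An added audit script, not part of the original checklist, that serves step 6 (SSH tunneling) and CSF step 1: it reads sshd_config and csf.conf the way sshd and csf do (comment lines ignored, sshd keywords case-insensitive, first match wins) and reports whether AllowTcpForwarding is really off and TESTING is really 0. The config files it checks are constructed inline; on a real server the paths would be /etc/ssh/sshd_config and /etc/csf/csf.conf.

```shell
#!/bin/sh
# Audit helper: verify two settings from the checklist are actually in effect.
# The sample config files below are constructed for the demonstration.

# Effective sshd_config value for a keyword: comment lines are skipped,
# keywords are case-insensitive, and the FIRST match wins (later ones lose).
sshd_effective() {  # usage: sshd_effective <keyword> <file>
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$2"
}

# Value of a csf.conf setting with the quotes stripped: TESTING = "0" -> 0
csf_value() {  # usage: csf_value <setting> <file>
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Step 6: forwarding is off only when the effective value is "no". An absent
# keyword means sshd's built-in default, which is "yes", so that fails too.
tcp_forwarding_disabled() { [ "$(sshd_effective AllowTcpForwarding "$1")" = "no" ]; }

# CSF step 1: the firewall enforces nothing while TESTING is anything but 0.
csf_testing_off() { [ "$(csf_value TESTING "$1")" = "0" ]; }

# Constructed samples: the first sshd_config only carries the commented-out
# line (a common mistake), the second sets the keyword before a later "yes".
TMP=$(mktemp -d)   # left in place so the files can be inspected afterwards
printf '# AllowTcpForwarding no\nPermitRootLogin no\n' > "$TMP/sshd_commented"
printf 'PermitRootLogin no\nallowtcpforwarding no\nAllowTcpForwarding yes\n' > "$TMP/sshd_ok"
printf 'TESTING = "1"\nLF_CPANEL = "10"\n' > "$TMP/csf_testing"
printf 'TESTING = "0"\nLF_CPANEL = "10"\n' > "$TMP/csf_ok"

for f in "$TMP/sshd_commented" "$TMP/sshd_ok"; do
    tcp_forwarding_disabled "$f" && echo "OK   $f" || echo "FAIL $f: AllowTcpForwarding is not 'no'"
done
for f in "$TMP/csf_testing" "$TMP/csf_ok"; do
    csf_testing_off "$f" && echo "OK   $f" || echo "FAIL $f: csf is still in TESTING mode"
done
```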