Refer following steps to disable direct root login.

1. SSH into your server as root user.

2. Open file sshd_config in your favorite editor

pico /etc/ssh/sshd_config

3. Find the line

Protocol 2, 1

4. Uncomment line and change it to look like

Protocol 2

5. Now find the line
PermitRootLogin yes

6. And Uncomment libe and make it look like as
PermitRootLogin no

7. Save the file sshd_config file,

8. Restart SSH service
/etc/rc.d/init.d/sshd restart

Once root login disabled on server generate authentication key by using following steps.

1. Add user for example we will add user support

useradd support

2.Assigne user support in wheel group.

usermod -G wheel support

3. Set correct permission for sudoers files.

chmod 644 /etc/sudoers

4. Now open sudoers file and set followings line in sudoers file.

pico /etc/sudoers

# User privilege specification
root    ALL=(ALL) ALL

# Same thing without a password
%wheel        ALL=(ALL)       NOPASSWD: ALL

5. Make sure that sudo file binery file is secure.

chmod 4111 /usr/bin/sudo

If you are not sure about sudo binery path then run commamd to confirm the path.

which sudo

6.Now create .ssh directory in support users home directory.

cd /home/support

mkdir .ssh

7. Now generate the key by using PuTTYgen software and save the key on your local machine as support.ppk file.

8. Create authorized_keys file in .ssh directory and copy content from file support.ppk to authorized_keys file.

9. Confirm permission and ownership for files.

cd /home

ll | grep support

The ownership shuold be

drwx——    7 support support          4096 Jul 10 03:44 support

cd /home/support

ll | grep .ssh

drwxr-xr-x    2 root   root        4096 Jul 12  3:34 .ssh/

ll .ssh

The ownership shoud be

drwxr-xr-x 2 root    root    4096 Jul 12 03:22 ./
drwx—— 7 support support 4096 Jul 12 03:44 ../
-rw-r–r– 1 root    root    224  Jul 12 03:40 authorized_keys

Note : Do not close current Shell until you are able to access server with the support.ppk key.

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

1st)  Correct cPanel users files/directories ownership.

——

for i  in `cat /etc/trueuserdomains   | awk ‘{print $2}’`
do
chown $i.$i /home/$i -R;
chown $i.mail /home/$i/etc -R;
chown $i.nobody /home/$i/public_html;
done;

—–

2nd) Correct permission for files and directories for cPanel users from shell but make sure that you logged in as root user and running following command in /home partition.

—–

find . -type d  -perm 777 -exec chmod 755 {} \;

find . -type  f  -perm 777 -exec chmod 755 {} \;

—–

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

mysqladmin -i3 pr

We are getting result.

056 | unauthenticated user | localhost |    | Connect |      | Reading from net |

To avoid such problem add following lines in /etc/my.cnf file to avoid access for unauthenticated user.

root@server [~]# pico /etc/my.cnf

skip-networking
skip-name-resolve
skip-host-cache
skip-locking

Now restart the mysql service and check mysql process logs again.

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

Tweak Settings :
Number (or all) of accounts to display per page in list accounts == 30
Disable : Allow users to park subdomains of the server’s hostname main domain
Disable : Allow users to Park/Addon Domains on top of domains owned by other users.
Disable : Allow users to Park/Addon Domains on top of domains owned by other users.
Disable : Allow resellers to create accounts with subdomains of the server’s hostname main domain
Disable : Allow Creation of Parked/Addon Domains that are not registered
Disable : When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone
Enable : Prevent users from parking/adding on common internet domain

Enable : Silently Discard all FormMail-clone requests with a bcc: header in the subject line
Set Default Mail to FAIL.
Disable : Track the origin of messages sent though the mail server by adding the X-Source headers.
The maximum each domain can send out per hour = 300

Prevent the user “nobody” from sending out mail to remote addresses : Disable should enabled on server with phpsuexec.
Disable : BoxTrapper Spam Trap
Disable : Add the mail. prefix for mailman urls

Disable : Send passwords in plaintext over email when creating a new acccount

Disable : Awstats Reverse Dns Resolution
Disable : Analog
Disable : Allow users to update Awstats from cPanel
Number of days between processing log files and bandwidth usage = 1
Enable : Delete each domain’s access logs after stats run
The load average above the number of cpus at which logs file processing should be suspended = 10
Enable : Keep Stats Log between cPanel restarts

Disable : Allow Perl updates from RPM based linux vendors
Enable : Use jailshell as the default shell for all new accounts and modified accounts
Disable : Allow cPanel users to reset their password via email
Enable : Spamassasssin

Tweak Security :
Enable PHP open_basedir Protection.
Enable mod_userdir Protection.
Enable SMTP Tweak
Disable Compilers for unprivileged users.

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

First Download ClamAV from www.clamav.net in default locations under /usr/local/[bin,man,share]
Run following from shell.

root@server[]perl -MCPAN -e shell
root@server[]install Parse::RecDescent
root@server[]install Inline
root@server[]install Mail::ClamAV

Second option run /scripts/perlinstaller from shell

root@server[]/scripts/perlinstaller Net::CIDR Archive::Zip Compress::Zlib Convert::BinHex Inline::C
or

root@server[]/scripts/perlinstaller Mail::ClamAV

Third you can install ClamAV from WHM

Select Main >> Software >> Install a Perl Module from WHM .

install perl module:-
search for Mail::clamAV
install it

We can also enabled virus scanner feature to cPanel user from WHM >> Main >> cPanel >> Manage Plugins

Select  “Name: clamavconnector” from list and install it.

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

Apache SuExec is a feature of the Apache Web server. It allows users to run CGI and SSI applications as a different user. Normally, all web server processes run as the default web server user (often apache or nobody)

Presently, suExec does not allow ‘root’ user as well as ‘root’ group to execute CGI/SSI programs because SuExec is basically developed to run CGI and SSI based programs under the specific user ids other then common user name like nobody.

When PHP runs as an Apache module, PHP files work under the Apache user/group known as “nobody”. When a PHP script creates or uploads a new file under your account, the new file will be owned by the user “nobody”. If you FTP or cPanel into your account, all files owned by “nobody” will not be available for you to move, rename or delete. In this case the only way to remove the “nobody” owned files would be through a file on the shell by using root user.

When PHP runs as a CGI with Suexec, PHP files work under your user/group. PHP files no longer require loose permissions to function; now they will require strict permissions. Setting your directories or PHP files to 777 will cause them to produce a “500 Internal Server Error”, this happens to protect your PHP files from being abused by outside sources.

How to check SuExec configured value?

You can run suexec -V on server by using root login details. It will give you following result.

-D AP_DOC_ROOT=”/var/www”
-D AP_GID_MIN=100
-D AP_HTTPD_USER=”apache”
-D AP_LOG_EXEC=”/var/log/httpd/suexec.log”
-D AP_SAFE_PATH=”/usr/local/bin:/usr/bin:/bin”
-D AP_UID_MIN=500
-D AP_USERDIR_SUFFIX=”public_html”

By default following values are used while configuring SuExec.

–enable-suexec
This option enables the suEXEC feature which is never installed or activated by default. At least one –suexec-xxxxx option has to be provided together with the –enable-suexec option to let APACI accept your request for using the suEXEC feature.

–with-suexec-docroot=DIR
Define as the DocumentRoot set for Apache. This will be the only directory aside from UserDirs that can be used for SuExec behavior. The default directory is the –datadir value with the suffix “/htdocs”, e.g. if you configure with “–datadir=/var/www” the directory “/var/www/” is used as document root for the SuExec wrapper.

–with-suexec-caller=UID
The username under which Apache normally runs. This is the only user allowed to execute this program.

SuExec-gidmin value?

–with-suexec-gidmin=GID

Define this as the lowest GID allowed to be a target group for SuExec. For most servers 100 are common and therefore used as default value. The numerical equivalent of the primary group name which is referenced by the system and applications when determining access privileges. When ever new user accounts are added, the new user accounts are assigned the first available UID and GID starting at 100. The next new user account is assigned UID/GID 101, followed by UID/GID 102, and so on. Because UIDs and GIDs below 100 are reserved for system uses Unlike UID/GID zero (0), UIDs and GIDs below 100 are not treated specially by Server. However, these UIDs/GIDs are never to be assigned to a user, as it is likely that some system component either currently uses or will use these UIDs/GIDs at some point in the future.

SuExec-userdir and SuExec-bin?

–with-suexec-userdir=DIR

Define to be the subdirectory under users’ home directories where SuExec access should be allowed. All executables under this directory will be executable by SuExec as the user so they should be “safe” programs. If you are using a “simple” UserDir directive this should be set to the same value. SuExec will not work properly in cases where the UserDir directive points to a location that is not the same as the user’s home directory as referenced in the passwd file. Default value is “public_html”. If you have virtual hosts with a different UserDir for each, you will need to define them to all reside in one parent directory; then name that parent directory here. If this is not defined properly, “~userdir” cgi requests will not work!

Advantages of SuExec?

This allows processes to run as your own user, rather than the global web server user like nobody.
The advantages are that any files created by your script are owned by your own user, and not a different (web server) user, allowing you to control, remove, add, and edit them via FTP, the control panel, File Manager, web page editor, SSH/shell,
If any abuses, spam, attacks, illicit processes, etc. are easier and more immediately tracked and controlled by using SuExec log files.

Disadvantage of SuExec server?

Security risks involved with allowing users to develop and run private CGI or SSI programs. However, if SuExec is improperly configured, it can cause any number of problems and possibly create new holes in your server’s security
Presently, suExec does not allow root or root group to execute CGI/SSI programs

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

root@server [~]# wget http://www.kernel.org/pub/linux/kernel/v2.6/
Select latest Kernel and download it

root@server [~]# tar –zxvf linux-2.6.28.tar.gz
root@server [~]#cd linux-2.6.28
root@server [~]# make clean
root@server [~]# make mrproper
root@server [~]# uname -r
root@server [~] # cp /boot/config-’uname -r’ .config
root@server [~] # make oldconfig
root@server [~] # make menuconfig
root@server [~] # make
root@server [~] # make modules_install
root@server [~] # make install
root@server [~] # grubby –bootloader-probe
root@server [~] # pico /etc/grub.conf

Change the default as per the entry for your new kernel.
root@server [~]# reboot

Some time after reboot server it won’t up and running with the new kennel due to that before rebooting server, make following

changes.

root@server [~]#grub

Above command will give you grub prompt.

grub > savedefault –default=0 –once

grub>quit

root@server [~]#reboot

If server is up and running after reboot you can set new kernel as default server in grub.conf file.

root@server [~]#pico /boot/grub/grub.conf

Set

default=1

to

default=0

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

You can either set up iptables rule so that current stat is saved the rule upon restart or stop/start:

You need to make changes in following file as per your requirement for values received in following GREP result.

root@server[~]# grep IPTABLES_SAVE /etc/sysconfig/iptables-config
IPTABLES_SAVE_ON_STOP=”no”
IPTABLES_SAVE_ON_RESTART=”no”
IPTABLES_SAVE_COUNTER=”no”

Or overwrite current settings with iptables-save to /etc/sysconfig/iptables file:

root@server[~]# iptables-save > /etc/sysconfig/iptables

Note : Its always good if we use NO option for following options because some time due to wrong rule we face major problem to access server.

IPTABLES_SAVE_ON_STOP=”no”
IPTABLES_SAVE_ON_RESTART=”no”
IPTABLES_SAVE_COUNTER=”no”

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

root@serevr[~]#pico /etc/ssh/sshd_config

Uncomment  #Protocol 2, 1

Change to Protocol 2

Append these lines to the bottom:

LoginGraceTime 120
IgnoreRhosts yes
X11Forwarding no
Save file and restart the SSH service.

root@serevr[~]#/etc/rc.d/init.d/sshd restart

Note : SSH Protocol one  based servers are facing many automated root kits attacks.As a result to step up the security Protcol 2 should be enabled on server.The reason to use SSH Protocol 2 on any webserver is that it is more secure as compare to protocol 1.

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.

————
Options -Indexes
————-

©2010 Linux Servers cPanel webhosting blog. All Rights Reserved.