[CentOS] Server Hacked: Cpanel

Wed Aug 9 17:32:42 UTC 2006
Jim Perrin <jperrin at gmail.com>

<snipping everything>
Okay, here's my personal take on the matter, for the $0.000002 that it's worth.

For production machines, sometimes control panels are required for the
job. I'll preach against them, but that doesn't do much.

If you install something like Cpanel to a system, you're adding a
level of complexity. You're stepping over what's provided in the base,
and adding to it. This means you need to not only know the base inside
and out, but you need to know Cpanel inside and out as well. So, let's
go through the admin checklist:

1. Minimal packageset.
Go through the rpms installed on your system and clean out ones that
you don't need or don't use. Window managers, compilers, etc. have no
business on a production box. If you need a compiler to install/update
cpanel, you might want to look at the possibility of removing them
after the install/update. If they stay on the system, you're only
giving the attacker something else to use that he doesn't have to
provide himself.

2. Regular updates and backups.
Duh, but still needs to be said. Too many people don't do this.

3. Config changes. Many default application settings are wide open.
Make sure that you lock down or disable what you don't need. For
example in php things like allow_url_fopen, globals, etc should be
off. Safe Mode should be on if you can manage it within your
application.

4. Permissions:
Unix permissions by default are DAC-style, where the user has the
power to change permissions. Make sure that you stay on top of this
and keep permissions in places like your webroot to the minimum needed to do
the job. If you can, enable SELinux, which is MAC-style
permission and enforces restrictions no matter what the user does.

5. Data input checking:
SQL injections and other such annoyances can be avoided with proper
input checking. Utilities like mod_security for apache are a must in
my book. If you're able, go through the code for whichever app you're
using and see if they're checking input properly. Invest some time in
mod_security and learning the rulesets. It's archaic, but the defaults
are good, and they stay updated. If you're using a common app (phpbb
or some such) you shouldn't have to tweak much to enjoy the protection
of mod_security. (it's at centos.karan.org all packaged up for you.
Thank karanbir for it)

6. Log checking
Use logwatch or other such utilities and keep up on your logs. If
someone's been poking at your site for a few days, and they've gone
from getting loads of 403s and 404s to 302s or 200s... you'll want to know
about it.

Yes this is tailored mostly to web services. There are loads of other
things to do... but these are the basics, and most people who get
bitten aren't staying on top of them.

-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
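An added example, not part of Jim's post, for the log-checking point in item 6: a small Python script that reads Apache combined-format access log lines and flags clients whose run of 403/404 responses is followed by a 200 or 302. The log lines, client addresses and paths below are constructed sample data; the threshold `min_probes` is an assumed tunable.

```python
import re
from collections import defaultdict

# Apache "combined" access log line: client, ident, user, timestamp, request, status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not from the original post). One client gets a run of
# 403/404s and then a 200; the other is an ordinary visitor with a single 404.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Aug/2006:17:30:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2006:17:30:05 +0000] "GET /admin/ HTTP/1.0" 404 287 "-" "-"
203.0.113.5 - - [09/Aug/2006:17:30:06 +0000] "GET /backup/ HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [09/Aug/2006:17:30:07 +0000] "GET /favicon.ico HTTP/1.1" 404 287 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2006:17:30:08 +0000] "GET /install/ HTTP/1.0" 403 291 "-" "-"
203.0.113.5 - - [09/Aug/2006:17:30:09 +0000] "GET /test/ HTTP/1.0" 404 287 "-" "-"
203.0.113.5 - - [09/Aug/2006:17:30:10 +0000] "GET /old/ HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [09/Aug/2006:17:30:11 +0000] "GET /forum/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Aug/2006:17:30:12 +0000] "GET /setup.php HTTP/1.0" 200 1031 "-" "-"
"""


def parse(lines):
    """Yield (ip, request, status) for every line that matches the combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("req"), int(m.group("status"))


def probe_then_success(lines, min_probes=5):
    """Flag clients whose run of 403/404 responses is followed by a 200 or 302.

    Returns {ip: (length_of_probe_run, request_that_succeeded)}. A client is
    reported once, on the first success that follows a long enough run.
    """
    run = defaultdict(int)  # ip -> current length of consecutive 403/404 responses
    flagged = {}
    for ip, req, status in parse(lines):
        if status in (403, 404):
            run[ip] += 1
            continue
        if status in (200, 302) and run[ip] >= min_probes and ip not in flagged:
            flagged[ip] = (run[ip], req)
        run[ip] = 0  # any non-403/404 response ends the run
    return flagged


if __name__ == "__main__":
    for ip, (n, req) in probe_then_success(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} consecutive 403/404s, then succeeded with {req!r}")
```

Point it at a real access_log (one line per iteration) and raise `min_probes` to suit how noisy your site's normal 404 traffic is.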