[CentOS] Server Hacked: Cpanel

Wed Aug 9 18:05:48 UTC 2006
Rodrigo Barbosa <rodrigob at darkover.org>

Okay, lemme expand this a little bit, and even contradict you
(while agreeing).

On Wed, Aug 09, 2006 at 01:32:42PM -0400, Jim Perrin wrote:
> If you install something like Cpanel to a system, you're adding a
> level of complexity. You're stepping over what's provided in the base,
> and adding to it. This means you need to not only know the base inside
> and out, but you need to know Cpanel inside and out as well.

It is a bit more problematic than that. You are not only adding stuff,
but you are also replacing (exim, apache) a part of the system.

> 1. Minimal packageset.

Always a good thing to do, with or without a CP.

> 2. Regular updates and backups.

Backups! Backups!

> 3. Config changes

Which is sad but true, especially for cPanel (can't say for sure with
the other CPs).

As a side note, even Webmin will screw up your iptables settings if
you enable bandwidth monitoring.

> 4. Permissions:
> Unix permissions by default are DAC style, where the user has the
> power to change permissions. Make sure that you stay on top of this
> and keep permissions in places like your webroot to a minimum to do
> the job. If you can, enable SELinux, which is MAC style based
> permission, which enforces restrictions no matter what the user does.

Also, take a look at POSIX ACLs. They are a bit more complex to use
than Unix permissions, but much more flexible.

Nice checklist, Jim.

Best Regards,

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
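
An added example, not part of the original thread: a shell function that audits a web root for the over-broad Unix permissions discussed under item 4, with the POSIX ACL alternative noted in its comments. The function name `audit_webroot`, its tag names and the `apache` account name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). audit_webroot and its tag names are
# hypothetical.
#
# audit_webroot DIR
#   Prints one "TAG<TAB>path" line per finding.
#   Returns 0 if clean, 1 if anything was found, 2 on bad input.
audit_webroot() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # Regular files that any local account can modify.
        find "$root" -type f -perm -0002 \
            -exec printf 'WORLD_WRITABLE_FILE\t%s\n' {} \;
        # World-writable directories without the sticky bit: any account
        # can delete or replace other users' files inside them.
        find "$root" -type d -perm -0002 ! -perm -1000 \
            -exec printf 'WORLD_WRITABLE_DIR\t%s\n' {} \;
        # setuid/setgid files have no business under a web root.
        find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
            -exec printf 'SETID_FILE\t%s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical remediation once a finding is confirmed:
#   chmod o-w PATH
#   chmod u-s,g-s PATH
# Instead of a 777 upload directory, a POSIX ACL can grant write access to
# the web server account only (the account name "apache" is an assumption):
#   chmod 750 uploads && setfacl -m u:apache:rwx uploads
```

Because a control panel may rewrite permissions when it regenerates its configuration, rerunning the audit after panel updates is more useful than running it once.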
