[CentOS] Server Hacked: Cpanel

Fri Aug 11 18:02:59 UTC 2006
Timothy J Rice <tim.j.rice at hostitnow.com>

cPanel or ANY server solution should never be deployed until it is locked down!

We have been using cPanel for years, as well as Hsphere and Plesk, for both Linux and Windows.  They are all "hackable" if not locked down and hardened.

We use Trustix, RHEL & CentOS for our Linux environments.  The more you allow (in cPanel or any control panel), the less secure it is.

Fix the tmp directory BEFORE you plug it in to the network.  Files there should NOT be executable by ANYONE.  About 3 and a half years ago, we learned this the hard way and every index.* file on a particular server that had cPanel installed was defaced (RH 7 I believe).  This was NOT a cPanel issue.  It was a combination of a PHP exploit, tmp not being secured, and my lack of knowledge.

cPanel has a utility to secure the tmp directory.  On a machine that has cPanel installed type the below command:

/scripts/securetmp

I have never had a problem with this sort of attack after I secured the tmp directory.

I also recommend not giving shell access by default.  Only give it out to people who need it.  Make it a little difficult for the end user.  Ask them to fax a copy of their DL and/or a copy of the first page of a utility bill.  Sure, a bad person can create these documents, but it typically is not worth their time.  Also, if a user needs ssh badly enough, they will send this info in, and they will probably be good users.  It also lets them know that you are "security conscious".  You can also install a "keystroke auditing" system such as eas / easd so you can review ssh sessions should you suspect something.

If you grant a user ssh rights, reset the end user's password to a secure password and let them know that they should maintain a strong password.  If their account is "bruteforced" due to a weak password, cancel their account, as they are too much of a risk for you (or ask them to go dedicated).

Install some type of BFD (Brute Force Detection) software.
I like http://www.rfxnetworks.com/bfd.php (free and easy to install)

Disable things like gcc, wget, lynx, etc.  I also like to chattr +i files.  A very good application is another product from rfxnetworks called LES
http://www.rfxnetworks.com/les.php

Disable root direct login via ssh.
Block all incoming traffic except needed ports in iptables (22, 80, 443, 21, . . . ).

I like to block all outgoing traffic for all users except root, with the exception of common APIs such as domain registration, credit card gateway, etc.

Enable suexec and PHP safe_mode if possible.  Also disable mod_dl and other PHP modules known to have caused problems.  If you have users who need "every module known to man", set up a server with the PHP modules needed and only place the users who specifically need them on these systems.  Why introduce more risk to users who do NOT need all these features?

Install mod_evasive to help against DDoS, as well as mod_security.

Run updated rootkit checkers (rkhunter & chkrootkit) daily.  This is not perfect, but it will help determine a system's integrity.  If a machine has been hacked or owned, you MUST set up a new machine and restore the non-binary files to the new machine.  This is the sad truth, but you never know what is hiding on a machine after it's hacked (owned).

Do NOT allow cPanel to automatically update your software, or you are asking for problems.  Have a cheap server or virtual server with cPanel running on it, update that "test" machine, and make sure that nothing breaks.

We have 50 beta users to whom we give hosting.  We place these users on beta (test) machines.  The beta users are aware that these machines are at greater risk than the production machines and that they are 100% responsible for backups.

It is worth giving away 50 free accounts and placing them on test beta platforms so that we can actually simulate a "real" environment while testing cPanel upgrades.  If testing is successful, then roll out in production.

cPanel has broken many things in the past that were easily fixed by their support staff, but why take chances?

I recommend the above measures for any system (cPanel installed or not).

cPanel is the most popular control panel for Linux.  It allows the end user to control their site and cpanel ties into many billing systems so account provisioning can be automatic.  We use it because it offers features that end users demand.  Without it, we can't compete . . . so we have to adapt by securing the system as much as possible.

Tim Rice
Host It Now Networks
http://hostitnow.com/
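
The /tmp, root-login and iptables points above (noexec tmp, no direct root ssh, inbound limited to needed ports, outbound limited to root plus a few API hosts) can be checked and generated from one script. The following is an added example, not code from the post, from cPanel or from rfxnetworks; it assumes /proc/mounts-style input for the /tmp check, OpenSSH sshd_config syntax, iptables with the owner match (-m owner --uid-owner), and the constructed sample files it embeds. The noexec,nosuid state it checks for is the one /scripts/securetmp is meant to leave /tmp in.

```shell
#!/bin/sh
# Hardening checks and firewall rule generation for a shared host.
# Added example, not code from the post or from cPanel. Assumptions:
# /proc/mounts-style input for the /tmp check, OpenSSH sshd_config
# syntax, and iptables with the owner match (-m owner --uid-owner).

# Is mount point $2 mounted noexec and nosuid in the mounts file $1?
# This is the state /scripts/securetmp is meant to leave /tmp in.
mount_is_secure() {
    awk -v mp="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) seen[o[i]] = 1
            found = 1
        }
        END { exit !(found && seen["noexec"] && seen["nosuid"]) }
    ' "$1"
}

# Does sshd_config ($1) end up with "PermitRootLogin no"?  The last
# uncommented directive is the one that counts here.
root_login_disabled() {
    v=$(awk 'tolower($1) == "permitrootlogin" { val = tolower($2) } END { print val }' "$1")
    [ "$v" = "no" ]
}

# Print iptables commands (review them, then pipe to sh as root):
#   inbound:  drop everything except the listed TCP ports ($1)
#   outbound: root may talk anywhere; everyone else only to the API
#             hosts listed in $2 (registrar, card gateway, ...)
gen_iptables_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT"
    for h in $2; do
        echo "iptables -A OUTPUT -d $h -j ACCEPT"
    done
    echo "iptables -A OUTPUT -j LOG --log-prefix 'user-egress-drop: '"
}

# One PASS/FAIL line per check; exit status 1 if anything failed.
hardening_report() {   # $1 = mounts file, $2 = sshd_config
    rc=0
    if mount_is_secure "$1" /tmp; then
        echo "PASS /tmp is noexec,nosuid"
    else
        echo "FAIL /tmp allows execution"; rc=1
    fi
    if root_login_disabled "$2"; then
        echo "PASS PermitRootLogin no"
    else
        echo "FAIL root may log in over ssh"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not from a real machine) for a dry run.
sample_mounts() {
    printf 'rootfs / rootfs rw 0 0\n/usr/tmpDSK /tmp ext3 rw,noexec,nosuid,nodev 0 0\n'
}
sample_sshd_config() {
    printf '# PermitRootLogin yes\nProtocol 2\nPermitRootLogin no\n'
}
```

On a live box, `hardening_report /proc/mounts /etc/ssh/sshd_config` gives the two checks, and `gen_iptables_rules "22 80 443 21" "api.registrar.example gateway.example"` prints the rule set to read before applying. Note that the ESTABLISHED,RELATED rule on OUTPUT is what lets Apache running as a non-root user answer the connections the INPUT rules accepted; the owner match only governs connections users try to open themselves.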
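
The brute-force detection step above is the kind of job BFD performs from log files: count failed logins per source address and block the worst offenders. The following is an added example, not BFD's code or the post author's; it assumes the syslog line format OpenSSH writes to /var/log/secure, and the log lines it uses are constructed (documentation addresses, not real traffic).

```shell
#!/bin/sh
# Brute-force detection over sshd log lines, the job BFD does from log
# files. Added example, not BFD's own code; assumes the syslog format
# used by OpenSSH in /var/log/secure and a constructed sample log.

# Print "count ip" for every source address with at least $2 failed
# password attempts in the log file $1, most active first.
failed_logins_over() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
    ' "$1" | sort -rn
}

# Emit an iptables DROP per offending address, skipping the whitelist
# in $3 (your own monitoring hosts, the office, ...).  Read it first,
# then pipe to sh as root if it looks right.
block_rules() {   # $1 = log file, $2 = threshold, $3 = whitelist (space separated)
    failed_logins_over "$1" "$2" | while read -r count ip; do
        skip=0
        for w in $3; do
            if [ "$w" = "$ip" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi
        echo "iptables -I INPUT -s $ip -j DROP   # $count failed logins"
    done
}

# Constructed sample log (documentation addresses, not real traffic):
# 203.0.113.5 hammers root and a made-up user, 198.51.100.7 is a
# legitimate user who mistyped once, 192.0.2.9 is a noisy office host.
sample_secure_log() {
    cat <<'EOF'
Aug 11 17:58:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Aug 11 17:58:03 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Aug 11 17:58:05 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 40212 ssh2
Aug 11 17:58:06 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 40213 ssh2
Aug 11 17:58:07 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 40214 ssh2
Aug 11 17:59:10 web1 sshd[2240]: Failed password for bob from 198.51.100.7 port 51000 ssh2
Aug 11 17:59:40 web1 sshd[2241]: Accepted password for bob from 198.51.100.7 port 51001 ssh2
Aug 11 18:00:02 web1 sshd[2250]: Failed password for root from 192.0.2.9 port 33001 ssh2
Aug 11 18:00:04 web1 sshd[2251]: Failed password for root from 192.0.2.9 port 33002 ssh2
Aug 11 18:00:06 web1 sshd[2252]: Failed password for root from 192.0.2.9 port 33003 ssh2
Aug 11 18:00:08 web1 sshd[2253]: Failed password for root from 192.0.2.9 port 33004 ssh2
Aug 11 18:00:10 web1 sshd[2254]: Failed password for root from 192.0.2.9 port 33005 ssh2
EOF
}
```

Run as `block_rules /var/log/secure 5 "192.0.2.9"` from cron; with the sample log and a threshold of 5 it blocks only 203.0.113.5, since the office host is whitelisted and bob's single mistake never reaches the threshold. The whitelist matters more than the threshold: a detector that can lock out your own admin box is a self-inflicted denial of service.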
