The Security Check Feature

This feature is provided by CSF, which integrates a user interface into the WebHost Manager (WHM) software. You can find the ConfigServer Security & Firewall link in the Addons section of WHM. Once there, the first button performs the security check. These are the basic guidelines that ConfigServer puts forward to maintain a healthy hosting environment. Most of the time the security check results are below par, which is why I am writing this article. The security score can be raised considerably with a few quick steps, as follows:

1. Check csf LF_SCRIPT_ALERT

This is the first warning message that you might encounter. To fix it, either use the configuration editor option on the page or log on to the server via SSH and run:

vi /etc/csf/csf.conf

then search for LF_SCRIPT_ALERT and change the value from 0 to 1.

2. Check csf PT_ALL_USERS

While you are in the configuration menu, also make sure that PT_ALL_USERS is enabled by changing its value from 0 to 1.

3. Check MySQL LOAD DATA

For this warning you will need to edit the MySQL configuration:

vi /etc/my.cnf

and insert the entry:

local-infile=0

under the [mysqld] section, then restart the MySQL service:

/etc/init.d/mysql restart

4. Check for IPv6

If there are no active IPv6 users, you can disable this feature with the commands:

service ip6tables stop

chkconfig ip6tables off

5. There are a few more suggestions on SSH configuration, but these are a matter of personal choice and won't do much harm to the score.

6. Check Background Process Killer

Another wonderful tool from cPanel. You can use WHM (root login) to select the processes to kill; once the processes are selected, save the entries and go back to the security check.

7. Check exim for extended logging (log_selector)

This feature will give you more information from the header entries. To enable it, you can either edit:

vi /etc/exim.conf

or use the WHM > Exim Configuration editor and add the entry:

log_selector = +arguments +subject +received_recipients

in the first text box on the configuration editor page.

8. Apache Checks

The next few checks require you to run the latest version (Apache v2.2 for now) and to enable suPHP with PHP 5 as the default. Whether this suits you will depend on how your scripts are set to behave.

Next, update the SSL.conf file on the server to reflect the following changes:

* Add -SSLv2 to SSLCipherSuite

* Set TraceEnable as Off

* Set ServerSignature Off

* Set ServerTokens as ProductOnly

* Set FileETag as None

Once this is done, save the file and restart the Apache service.

This can also be done via WHM > Apache Configuration > Global Configuration

9. Moving on to the WHM settings:

- Update WHM to the latest version

- Disable the BoxTrapper spam trap via WHM > Tweak Settings

- Disable the option to retrieve the cPanel password via email

- Disable anonymous login via the FTP Configuration menu in WHM, or use /etc/pure-ftpd.conf or /etc/proftpd.conf

- Disable logins to FTP as root (again using the WHM > FTP Configuration menu)

- Enable security tokens: WHM > Tweak Settings > Require security tokens

- Enable "Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL"

- Enable "Validate the IP addresses used in all cookie based logins" in the Tweak Settings menu

10. Finally, disable the services that are not required:

service cups stop
chkconfig cups off

service xfs stop
chkconfig xfs off

service atd stop
chkconfig atd off

service nfslock stop
chkconfig nfslock off
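
To confirm the file edits from steps 1 to 3 took effect before re-running the security check, the following read-only audit script can be used. It is an added example, not part of CSF or cPanel; the function names are made up for illustration, and it assumes csf.conf uses the KEY = "value" form.

```shell
#!/bin/sh
# Added example: read-only audit of the settings from steps 1-3.
# Usage: sh csf-audit.sh /etc/csf/csf.conf /etc/my.cnf

# Print the value of KEY from a csf.conf-style file (KEY = "value").
# Commented-out lines are ignored; the last assignment wins.
csf_value() {  # csf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" | tail -n 1
}

# Print local-infile as set inside [mysqld] only; the same key under
# [client] or [mysql] does not restrict the server. MySQL accepts
# local-infile and local_infile interchangeably.
mysqld_local_infile() {  # mysqld_local_infile FILE
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[mysqld\]/); next }
        in_sec && /^[ \t]*local[-_]infile[ \t]*=/ {
            v = $0
            sub(/^[^=]*=/, "", v)   # drop the key
            sub(/#.*/, "", v)       # drop a trailing comment
            gsub(/[ \t]/, "", v)    # drop whitespace
            val = v
        }
        END { print val }' "$1"
}

check() {  # check LABEL ACTUAL EXPECTED
    if [ "$2" = "$3" ]; then
        echo "OK   $1 = $2"
    else
        echo "FAIL $1 is '${2:-unset}', expected $3"
        return 1
    fi
}

# Return status is the number of failed checks (0 = all pass).
audit() {  # audit CSF_CONF MY_CNF
    fails=0
    check LF_SCRIPT_ALERT "$(csf_value "$1" LF_SCRIPT_ALERT)" 1 || fails=$((fails + 1))
    check PT_ALL_USERS "$(csf_value "$1" PT_ALL_USERS)" 1 || fails=$((fails + 1))
    check "[mysqld] local-infile" "$(mysqld_local_infile "$2")" 0 || fails=$((fails + 1))
    return "$fails"
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

A non-zero exit status is the number of settings that still need changing, so the script can also be run from a cron job or a post-update hook to catch a configuration that has been reverted.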
