ABHIONLINUX
Site useful for linux administration and web hosting

2010/03/18

Linux Server Security

Following are the steps for securing cpanel servers:

1. Sysctl Hardening
http://www.eth0.us/sysctl

2. Secure /tmp
http://www.eth0.us/tmp

3. LES Linux Environment Security
Linux Environment Security is intended as a facility to quickly and easily secure RedHat/RPM-based environments (e.g. Turbo Linux, Open Linux). It does so by enforcing root-only permissions on system binaries (binaries that have no place being executed by normal users), enforcing root-only path traversal on system paths, enforcing the immutable bit on essential RPM package contents (e.g. coreutils), and enforcing the immutable bit on shell profile scripts.

4. Removal of Insecure packages

Check which installed packages are not needed on a web server. You can use the command rpm -qa to list all the installed RPM packages on the server. From that list, choose the packages that are not required and remove them.
Some common examples of unnecessary packages are given below.
mtools
yp-tools
redhat-config-nfs
redhat-config-samba
tftp-server
ypserv
redhat-config-printer-gui
samba
samba-swat
cups
gmp-devel
ElectricFence
doxygen
Xfree86-xfs
redhat-config-printer
cups-libs
samba-common
samba-client

5. Firewall (CSF + LFD)
6. AIDE (Advanced Intrusion Detection Environment)
http://www.cs.tut.fi/~rammer/aide.html

7. Logwatch Installation and configuration
8. ClamAV (virus scanner) Installation with Exim on cPanel servers
9. Installing chkrootkit
10. LibSafe Installation

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS.

example.org. IN SPF "v=spf1 a mx -all"

"v=" defines the version of SPF used. The words that follow are the mechanisms used to determine whether a sender is eligible to send mail for the domain. The "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.

Mechanisms

Eight mechanisms are defined:
ALL     Matches always; used for a default result like -all for all IPs not matched by prior mechanisms.
A     If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match.
IP4     If the sender is in a given IPv4 address range, match.
IP6     If the sender is in a given IPv6 address range, match.
MX     If the domain name has an MX record resolving to the sender's address, it will match (i.e. the mail comes from one of the domain's mail servers).
PTR     If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match.
EXISTS     If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries.
INCLUDE     If the included (a misnomer) policy passes the test this mechanism matches. This is typically used to include policies of more than one ISP.
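
How a receiving server applies these mechanisms, as an added example that is not part of the original post: a small Python evaluator that walks a policy left to right and returns the result of the first mechanism that matches. The DNS table, the example.net policy and all addresses are constructed for illustration; PTR, EXISTS, macros and modifiers are left out and raise an error.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (documentation address ranges).
DNS = {
    "A": {"example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"]},
    "MX": {"example.org": ["mail.example.org"]},
    "SPF": {"example.org": "v=spf1 a mx -all",
            "example.net": "v=spf1 ip4:198.51.100.0/24 include:example.org ~all"},
}
# Qualifier in front of a mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _hosts_match(names, ip):
    """True if any of the host names has an address record equal to ip."""
    return any(ip == ipaddress.ip_address(a) for n in names for a in DNS["A"].get(n, []))

def _matches(mech, arg, domain, ip):
    target = arg or domain                  # "a" and "mx" default to the checked domain
    if mech == "all":
        return True
    if mech == "a":
        return _hosts_match([target], ip)
    if mech == "mx":
        return _hosts_match(DNS["MX"].get(target, []), ip)
    if mech in ("ip4", "ip6"):
        net = ipaddress.ip_network(arg, strict=False)
        return ip.version == net.version and ip in net
    if mech == "include":                   # matches only if the included policy passes
        return check_spf(arg, str(ip)) == "pass"
    raise ValueError(f"unsupported mechanism: {mech}")

def check_spf(domain, sender_ip):
    """Return pass, fail, softfail, neutral, or none (no policy published)."""
    record = DNS["SPF"].get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:         # first matching mechanism wins
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        if _matches(mech, arg, domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" present
```

Note that a "fail" inside the included policy does not reject the message by itself: the include simply does not match, and evaluation continues with the outer policy's remaining mechanisms.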