Monday, December 20, 2010

Installing cPanel/WHM on a vanilla CentOS 5 Server

After installing a fresh CentOS 5 on your server you need to take a few steps before cPanel/WHM can be installed. cPanel does not support SELinux, so log in as root via SSH and disable it:
nano /etc/selinux/config
and change
SELINUX=enforcing
to
SELINUX=disabled
This only takes effect on the next boot. To stop enforcement immediately without rebooting, switch SELinux to permissive mode:
setenforce 0
Then check the current state:
cat /selinux/enforce
A 0 here means permissive (policy loaded, violations logged but not blocked), not disabled. SELinux is only fully disabled after a reboot with SELINUX=disabled in the config, at which point /selinux/enforce no longer exists and sestatus reports "SELinux status: disabled". Permissive is enough for the installer to run.
The installer also expects no firewall in the way, so stop iptables for the duration of the install:
service iptables stop

iptables -L -n
should now show empty chains with policy ACCEPT. Keep in mind that the server is unfiltered from this point until you install a firewall (csf, further down in this post), so do not leave it sitting in this state longer than the install takes.
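The checks the steps above rely on, as an added example (this is not code from the original post or from cPanel): a small shell script that reports the SELinux state from both the boot config and the live selinuxfs node, distinguishes permissive from disabled, and counts the rules still loaded in an iptables-save dump. Paths are parameters whose defaults are the CentOS 5 locations; /selinux/enforce is the CentOS 5 selinuxfs path (newer systems mount it under /sys/fs/selinux), and the sample config and rule files in the comments are constructed.

```sh
#!/bin/sh
# Pre-install check for the SELinux and firewall state.  /etc/selinux/config
# only takes effect at boot; the live state is the selinuxfs node
# /selinux/enforce (1 = enforcing, 0 = permissive), and the node is absent
# when SELinux is disabled.  Paths are parameters (defaults are the CentOS 5
# locations) so the functions can be exercised against sample files.

selinux_config_mode() {
    # $1: path of the selinux config; prints the SELINUX= value used at boot
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || { echo disabled; return; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-enforcing}"   # treat a missing key as enforcing, the safe assumption
}

selinux_runtime_mode() {
    # $1: path of the selinuxfs enforce node; prints enforcing/permissive/disabled
    node=${1:-/selinux/enforce}
    [ -r "$node" ] || { echo disabled; return; }
    case "$(cat "$node")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

selinux_status() {
    # $1: config path, $2: enforce node path; one line describing both states
    boot=$(selinux_config_mode "$1")
    now=$(selinux_runtime_mode "$2")
    if [ "$now" = disabled ]; then
        echo disabled
    elif [ "$boot" = disabled ]; then
        echo "$now until reboot, then disabled"
    else
        echo "$now (boot: $boot)"
    fi
}

selinux_blocks_install() {
    # true (0) while SELinux is still enforcing, i.e. neither setenforce 0 nor a reboot happened
    [ "$(selinux_runtime_mode "$1")" = enforcing ]
}

firewall_rule_count() {
    # $1: file holding `iptables-save` output (run `iptables-save > file` on the box);
    # prints the number of active rules.  After `service iptables stop` the init
    # script has flushed every chain, so this is 0.
    grep -c '^-A ' "$1" || true
}

# Stand-alone use on the server: print the current SELinux state.
selinux_status
```

Run it before `sh latest`: anything other than "disabled" or "permissive ..." means the installer will run with SELinux enforcing, and a non-zero rule count means `service iptables stop` did not flush the chains.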
 
Once you have ordered a cPanel license, start the install with these commands:
mkdir /home/cpins
cd /home/cpins
wget http://layer1.cpanel.net/latest
sh latest
Note that this fetches the installer over plain HTTP and runs it as root, so do it from a network you trust.

 
The install can take quite a while depending on hardware configuration and network speed. It begins with a warning that it will overwrite the configuration of any web server already on the box:
cPanel requires a fresh/clean server!
If you are serving websites off this server (and are
not already running cPanel) this installer will
overwrite all of your config files.  You should hit
Ctrl+C NOW!!!
Now is the time to go get another cup of coffee or two :)
After the initial setup, it is a good idea to first add the IPs for your name servers.
In SSH as root, edit the file
pico /etc/nameserverips
The format of the file is one entry per line, IP address = name server. For example (192.0.2.10 is a documentation address; use your own):

192.0.2.10=ns1.yourserver.com
Put the IP address you want to add in the first part and the name of the new name server in the second part. Each name server needs its own IP, and every octet must be 0-255 (an address like 111.222.333.444 is not valid).
To apply the IPs (or re-apply the file after a reboot), restart the aliases service:
/etc/init.d/ipaliases restart
Now log into WHM:

https://yournewserverip:2087/
(Port 2086 is the plain HTTP interface; use the SSL port 2087 so the root password is not sent in clear text.)
After accepting the license agreement on the first page, you get redirected to
Step 2 Basic cPanel/WHM Setup
There you set your Server Contact E-Mail Address and other information.
Once you are satisfied with the configuration, click the Next Step button.
 
Quotas are now being set up in the right frame. You can continue at any time; the quota setup will finish in the background.
If you wish to enable the nameserver, you can do so in the right frame. Otherwise, just click the Next Step button.
 
Let's say we are activating name servers; the output then looks like this:

Name Server Activated
Ensuring caching-nameserver is installed
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Nothing to do
Activating name server monitoring (chkservd)
Setting up rndc configuration
Checking in /etc/named.conf to rcs system
Changing ownership of /etc/named.conf: named:named
Restarting Bind
Starting named: [ OK ]
Restarting Nameserver
Starting named: [ OK ]
Restarting chkservd
Stopping chkservd: [ OK ]
Starting chkservd: [ OK ]
Please complete the resolver configuration in the right frame, and then click the Next Step button.
The wizard will guide you through setting up your resolver configuration (/etc/resolv.conf).
You currently have one or more of cPanel.net's DNS resolvers in your /etc/resolv.conf. You will need to set these to your datacenter's local resolvers, as these servers are only intended for use during a cPanel install. If you continue to use them, connections to your server will be exceedingly slow because of the time it takes to complete a DNS lookup.

 

Enter the IP address of at least two nameservers that you will use for DNS resolution. Your datacenter should be able to provide you with at least one IP of a DNS server you can access. If you do not know the IP address of your provider's local resolvers you should contact them. It is very important that these nameservers are correct, or your server will not function properly. If you do not know what to put in the boxes below and cannot contact your provider, please close this window and go through this setup at a later time. Your server should still function normally, however connections made to the server may be slower than normal.
 
Please set the mysql password in the right frame, and click Next Step.
 
And that's it:

Initial Setup is now complete, click below to enter your Web Host Manager®
 
The first thing after the initial setup should be to add your second IP to the server, so your name servers will function properly:
go to IP Functions > Add New IP
and add your second IP there.
Now set the second name server in SSH:
pico /etc/nameserverips
After this is done, assign the IP address and add an A entry for this name server in
Main >> Server Configuration >> Basic cPanel/WHM Setup
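An added validator (example code, not from the original post or from cPanel) for the /etc/nameserverips entries made here and for the first name server entry earlier in the post: it checks each IP=hostname line for a real dotted quad (four octets, each 0-255, which an address like 111.222.333.444 fails), a fully qualified hostname, and reports IPs shared by two name servers. The file path is a parameter so it can be run against a copy; the 192.0.2.x addresses in the comments are documentation addresses, and the sample files are constructed.

```sh
#!/bin/sh
# Validate /etc/nameserverips before restarting ipaliases.  The file is one
# "IP=hostname" line per name server.  Nothing stops an entry like
# 111.222.333.444=ns1.example.com from being written, so catch it here.
# The file path is a parameter so the check can run against sample files.

valid_ipv4() {
    # 0 if $1 is a dotted quad with four numeric octets, each 0-255
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) bad = 1 }
        END { exit bad }'
}

valid_hostname() {
    # 0 if $1 is a fully qualified hostname: dot-separated labels of letters,
    # digits and hyphens (no leading/trailing hyphen), at least two labels
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

check_nameserverips() {
    # $1: path to the file.  Prints one diagnostic per bad line; returns 1 if any.
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        ip=${line%%=*}
        host=${line#*=}
        if [ "$ip" = "$line" ]; then
            echo "line $n: missing '=': $line"; rc=1; continue
        fi
        valid_ipv4 "$ip"       || { echo "line $n: bad IP '$ip'"; rc=1; }
        valid_hostname "$host" || { echo "line $n: bad hostname '$host'"; rc=1; }
    done < "$1"
    return $rc
}

duplicate_ips() {
    # Lists IPs assigned to more than one name server; each NS should have its own.
    awk -F= '!/^[[:space:]]*(#|$)/ && NF == 2 { seen[$1]++ }
             END { for (ip in seen) if (seen[ip] > 1) print ip }' "$1"
}

# Stand-alone use on the server, before /etc/init.d/ipaliases restart:
# check_nameserverips /etc/nameserverips && [ -z "$(duplicate_ips /etc/nameserverips)" ]
```

Only restart ipaliases when the check prints nothing; a shared IP is reported separately because it is allowed by the "Allow Sharing Nameserver Ips" tweak but usually not what you want for two name servers.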
Additionally I would strongly suggest always updating to the newest kernel. Check what is running now:
uname -a
then update the kernel packages (quote the pattern so the shell does not expand it against files in the current directory):
yum update 'kernel*'

Make sure the new kernel is in grub and is the default entry:

cat /boot/grub/grub.conf
and then reboot:
shutdown -r now
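As an added example (not code from the original post), a check for the kernel step above that replaces eyeballing grub.conf: it parses the default entry's kernel version out of grub.conf, picks the newest installed version with an rpm-style segment comparison (numeric segments compared numerically, a numeric segment beating an alphabetic one), and compares both with the running kernel. The grub.conf layout assumed is the CentOS 5 one shown in the test data (a numeric default= line and kernel /vmlinuz-<version> lines); the rpm query in the comment uses the standard --qf format. The sample grub.conf and version lists are constructed.

```sh
#!/bin/sh
# Confirm that grub will boot the newest installed kernel and that it is the
# one running.  grub.conf's "default=N" is a 0-based index into the "title"
# entries and each entry's "kernel /vmlinuz-<version>" line names the image.
# The grub.conf path, the running version and the installed versions are
# parameters so the check can run against sample data; on the live box:
#   rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' \
#       | kernel_check /boot/grub/grub.conf "$(uname -r)"

grub_default_kernel() {
    # $1: grub.conf path; prints the kernel version of the default entry
    # (assumes a numeric default=, not default=saved; grub's default is 0)
    awk '
        BEGIN { def = 0 }
        /^[[:space:]]*default[[:space:]]*=/ { split($0, a, "="); def = a[2] + 0 }
        /^[[:space:]]*title/ { idx++ }
        /^[[:space:]]*kernel[[:space:]]/ && idx - 1 == def {
            sub(/.*\/vmlinuz-/, "", $2); print $2; exit }' "$1"
}

version_ge() {
    # 0 if version $1 >= version $2, comparing segments split on . and -
    # the way rpm does: numeric vs numeric numerically, numeric beats alpha,
    # alpha vs alpha as strings, and a longer version beats its own prefix.
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (i > n) exit 1
            if (i > m) exit 0
            p = x[i]; q = y[i]
            pn = (p ~ /^[0-9]+$/); qn = (q ~ /^[0-9]+$/)
            if (pn && qn) { if (p + 0 < q + 0) exit 1; if (p + 0 > q + 0) exit 0 }
            else if (pn != qn) exit (pn ? 0 : 1)
            else { if (p < q) exit 1; if (p > q) exit 0 }
        }
        exit 0 }'
}

newest_version() {
    # reads version strings on stdin, prints the highest one
    best=
    while IFS= read -r v; do
        [ -n "$v" ] || continue
        if [ -z "$best" ] || version_ge "$v" "$best"; then best=$v; fi
    done
    printf '%s\n' "$best"
}

kernel_check() {
    # $1: grub.conf path, $2: running kernel version; installed versions on stdin.
    # Returns 0 when grub boots the newest kernel and it is already running.
    newest=$(newest_version)
    def=$(grub_default_kernel "$1")
    rc=0
    [ "$def" = "$newest" ] || { echo "grub default is $def, newest installed is $newest"; rc=1; }
    [ "$2" = "$newest" ] || { echo "running $2, reboot needed for $newest"; rc=1; }
    return $rc
}
```

Run it once before the reboot (expect "reboot needed") and once after (expect silence); a "grub default" complaint means yum installed the kernel but grub.conf still points at the old entry.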


OK, so after this initial setup and reboot, let's go and secure this box.
Chirpy from ConfigServer has some great free tools to help you with that:
1/ ConfigServer Security & Firewall (csf) 
A Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.
http://www.configserver.com/cp/csf.html 
 
2/ ConfigServer Explorer (cse)
This is an exclusive!  and free! add-on product for cPanel/WHM. The product provides you with a full featured Filesystem explorer and a Virtual Console to use within your web browser in WHM. It gives you root access from the top level of your disks and allows you to enter non-interactive commands and see the output.
http://www.configserver.com/cp/cse.html


3/ ConfigServer Mail Queues (cmq)
This is an exclusive!  and free! add-on product for cPanel/WHM. The product provides you with a full featured interface to the cPanel exim email queues from within WHM.
http://www.configserver.com/cp/cmq.html
 
4/ ConfigServer Mail Manage (cmm)
This is an exclusive!  and free! add-on product for cPanel/WHM. The product provides you with an interface to the cPanel user accounts email configuration without having to login to their accounts. It is domain based rather than account based and allows you to do all the following from within WHM:
http://www.configserver.com/cp/cmm.html
 
Additionally you really want to protect your /tmp directory as well. cPanel ships a script that moves /tmp (and /var/tmp with it) onto a separate loopback filesystem mounted noexec,nosuid, so a script dropped into /tmp by a compromised web application cannot simply be executed from there:
/scripts/securetmp
and follow the prompts.
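A check for what securetmp should leave behind, as an added example (not from the original post or from cPanel): it reads a mount table in /proc/mounts format and verifies that the mountpoint is a separate mount carrying both noexec and nosuid. The table path is a parameter so it can be run against a copy; the sample tables in the test data are constructed, and the /usr/tmpDSK device name in them is only illustrative.

```sh
#!/bin/sh
# Verify that /tmp (and /var/tmp) is a separate mount with noexec and nosuid,
# which is what /scripts/securetmp sets up.  Reads a mount table in
# /proc/mounts format: "<device> <mountpoint> <fstype> <options> 0 0".
# The table path is a parameter so sample tables can be checked; on the
# live box pass /proc/mounts.

tmp_mount_opts() {
    # $1: mount table path, $2: mountpoint (default /tmp)
    # Prints the option list of the last entry for that mountpoint (later
    # mounts shadow earlier ones), or nothing if it is not a mountpoint.
    awk -v mp="${2:-/tmp}" '$2 == mp { opts = $4 } END { print opts }' "$1"
}

has_opt() {
    # 0 if the comma-separated option list $1 contains option $2
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

check_tmp() {
    # $1: mount table path, $2: mountpoint (default /tmp); 0 when hardened,
    # otherwise prints what is missing and returns 1
    mp=${2:-/tmp}
    opts=$(tmp_mount_opts "$1" "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount"
        return 1
    fi
    rc=0
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || { echo "$mp: missing $o"; rc=1; }
    done
    return $rc
}

# Stand-alone use on the server:
# check_tmp /proc/mounts && check_tmp /proc/mounts /var/tmp
```

"not a separate mount" means securetmp has not run (or /tmp was remounted back over the root filesystem); remember that noexec only stops direct execution, an interpreter can still read a script from /tmp, so this is one layer, not a complete fix.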
Now let's log back into WHM to finish the initial securing.

Go to
Main >> DNS Functions >> Add an A Entry for your Hostname and add the A entry.
Go to
Main >> Server Configuration >> Tweak Settings
Those are the settings I got and they suit me fine, although I guess it depends totally on the individual's needs.
Domains
** Allow users to Park/Addon Domains on top of domains owned by other users. (probably a bad idea)  
** Allow Creation of Parked/Addon Domains that resolve to other servers (i.e. domain transfers) [This can be a major security problem. If you must have it enabled, be sure to not allow users to park common internet domains.]  
** Allow Creation of Parked/Addon Domains that are not registered  
** When adding a new domain, automatically create A entries for the registered nameservers if they would be contained in the zone.  
** Prevent users from parking/adding on common internet domains. (i.e. hotmail.com, aol.com)  
** Check zone file syntax when saving and syncing zones.  
** Application for processing dns requests. The default is to use cPanel Dns cluster system located at /usr/local/cpanel/whostmgr/bin/dnsadmin. (Recommended: leave blank to use the default).  
** Prevent users from creating subdomains outside of their public_html directory.  
** When adding a new domain, if the domain is already registered, ignore the configured nameservers, and set the NS line to the authoritative (registered) ones.
 
Mail
** Default catch-all/default address behavior for new accounts. "fail" is usually the best choice if you are getting mail attacks.  
 localuser   blackhole   fail   
** Silently Discard all FormMail-clone requests with a bcc: header in the subject line  
** Number of minutes between mail server queue runs (default is 60).  
** Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)  
** The maximum each domain can send out per hour (0 is unlimited)  
** Prevent the user "nobody" from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)  
** Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)  
** The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited.  
** Attempt to prevent pop3 connection floods  
** Automatically setup /etc/localdomains, /etc/remotedomains, /etc/secondarymx based on where the mx entry is pointed.  
** BoxTrapper Spam Trap
** Horde Webmail
** Mailman
** SpamAssassin Spam Filter
** SpamAssassin Spam Box delivery for messages marked as spam (user configurable)
** SquirrelMail Webmail
** Add the mail. prefix for mailman urls (ie http://mail.domain.com/mailman)  
 
 
MySQL®
MySQL® Version to use (you must run Software/Update Server Software (or /scripts/mysqlup) for this to take effect. You should then run buildapache/easyapache after changing this option. You may also need to run /scripts/perlinstaller --force Bundle::DBD::mysql. Updating from a previous version of MySQL® to a later version is not automatically reversable. You should backup your databases if you think you might wish to downgrade in the future.  
 5.0   4.1   
** Use old style (4.0) passwords with MySQL® 4.1+ (required if you have problems with PHP apps authenticating)  
Notifications
** Notify the admin, (or the reseller), when an account has reached the "critical" Disk Usage state.  
** Threshold percentage where a user's disk usage is considered to be in the "critical" state. (0 will disable this notification)  
** Notify the admin, (or the reseller), when an account has reached the "full" Disk Usage state.  
** Threshold percentage where a user's disk usage is considered to be in the "full" state. (0 will disable this notification)  
** Notify the admin, (or the reseller), when an account has reached the "warn" Disk Usage state.  
** Threshold percentage where a user's disk usage is considered to be in the "warn" state. (0 will disable this notification)  
** Threshold percentage where a mailbox's disk usage is considered to be in the "critical" state. (0 will disable this notification)  
** Threshold percentage where a mailbox's disk usage is considered to be in the "full" state. (0 will disable this notification)  
** Threshold percentage where a mailbox's disk usage is considered to be in the "warn" state. (0 will disable this notification)  
** Email users when they have exceeded their bandwidth. Disabling this will prevent all Bandwidth Limits Email from being sent.  
** Email users when they have reached 70% of their bandwidth  
** Email users when they have reached 75% of their bandwidth  
** Email users when they have reached 80% of their bandwidth  
** Email users when they have reached 85% of their bandwidth  
** Email users when they have reached 90% of their bandwidth  
** Email users when they have reached 95% of their bandwidth  
** Email users when they have reached 97% of their bandwidth  
** Email users when they have reached 98% of their bandwidth  
** Email users when they have reached 99% of their bandwidth  
** Mail Box Usage Warnings
** Disable Suspending accounts that exceed their bandwidth limit (will clear all suspensions if disabled, and disable all bandwidth notifications.)  
** Disk Space Usage Warnings
Redirection
** Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.  
** When visiting /cpanel or /whm or /webmail WITHOUT SSL, you can choose to redirect to:  
 Hostname   Origin Domain Name   
** When visiting /cpanel or /whm or /webmail with SSL, you can choose to redirect to:  
 SSL Certificate Name   Hostname   Origin Domain Name   
** Redirect user to the following URL upon logout of the cPanel interface. A blank value specifies the default logout page.  
 
 
 
Software
Interchange version to use (if you disable interchange, you must turn off the service in the service manager)  
 5.0   4.8   4.9   disable   
** Loader to use for internal cPanel PHP (Use oldsourceguardian for version 1.x and 2.x)  
 none   ioncube   sourceguardian   oldsourceguardian   
** FormMail-clone cgi
** The path to the Urchin installation (if installed.) (Leave blank for auto-detection.)  
Stats Programs
** Awstats Reverse Dns Resolution  
Analog Stats
Awstats Stats
Webalizer Stats
Stats and Logs
Number of days between processing log files and bandwidth usage (default 1, decimal values are ok)  
** Delete each domain's access logs after stats run  
The load average above the number of cpus at which logs file processing should be suspended (default 0)  
** Do not include password in the raw log download link in cPanel (via ftp).  
** Do not reset /usr/local/apache/domlogs/ftpxferlog after it has been separated into each domain name's ftp log  
** Keep log files at the end of the month (default is off as you can run out of disk space quickly)  
Keep Stats Log (/usr/local/cpanel/logs/stats_log) between cPanel restarts (default is off)  
** Chmod value for raw apache log files (0640 is the default)  
** When viewing bandwidth usage in WHM, always display in Megabytes first.  
** Exim Stats Daemon (required for smtp bandwidth logging; must also be modified in the service manager as well)
Stats Log Level (default is 1, larger numbers indicate more debug information in /usr/local/cpanel/logs/stats_log) [0...10]  
Status
** The load average that will cause the server status to appear red (leave blank for default, whole numbers only)
System
** List of IP addresses or hostnames, separated by spaces, which are allowed to view the /server-info and /server-status pages. See the Apache documentation for proper values.  
** Allow cPanel users to install SSL Hosts if they have a dedicated ip.  
** Allow Perl updates from RPM based linux vendors  
** The port on which Apache listens for HTTP connections. Specifying a specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:80)  
** The port on which Apache listens for HTTPS connections. Specifying a specific IP will prevent Apache from listening on all other IPs. (default: 0.0.0.0:443)  
** Conserve Memory at the expense of using more cpu/diskio.  
** Allow usernames to be determined from the account hostname when no username is provided.  
** Compress interface pages using gzip compression reducing bandwidth usage for cPanel and WHM.  
** Disable use of compiled dnsadmin. Setting this option allows use of system Perl modules within custom dnsadmin hooks. Setting this option will increase execution time of dnsadmin functions.  
** Allow Sharing Nameserver Ips  
** Disable Disk Quota display caching (WHM will cache disk usage which may result in the display of disk quotas being up to 15 minutes behind the actual disk usage. Disabling this may result in a large performace degradation.)  
** Disable login with root or reseller password into the users' cPanel interface. Also disable switch account dropdown in themes with switch account feature.  
** Try to resolve each client's IP to a domain name when a user connects to cPanel services (warning: This can degrade performance).  
** Display Errors in cPanel instead of logging them to /usr/local/cpanel/logs/error_log  
** The maximum file size in MB allowed for upload through cPanel File manager. Use "unlimited" for unlimited  
** The minimum filesystem quota space in MB required after file upload through cPanel File manager (Default 5MB). This will prevent users from hitting their quota limit through File Manager file uploads  
** The maximum number of directories deep to look for .htaccess files when doing .htaccess checks. Can be from 0 to 100. 2 is the default setting. Values higher than this are discouraged.  
** Do not warn about features that will be deprecated in later releases (Warning: If you check this box, you will not be able to learn about features that will be disappearing in future releases. This could lead to a non-functional server when the feature is finally removed.)  
** Use jailshell as the default shell for all new accounts and modified accounts  
The maximum memory a cPanel process can use before it is killed off (in megabytes). Values less than 128 megabytes can not be specified.  
** Use native SSL support if possible, negating need for Stunnel  
** Do not warn users about the system backup being disabled in cPanel.  
** Specify the timeout in seconds for connections between this server and other remote WHM servers. Values less than 35 cannot be specified.  
** Allow cPanel users to reset their password via email
** Enable cPanel Software RollBack. This feature turns on a build archiving and restoration facility, allowing the server administrator to "roll back" their cPanel installation to previous build. All files are stored on the server.  
** Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication)  
** Do not start deprecated Melange 1.10 chat server.  
** Allow cpanel and admin binaries to be run from other applications besides the cpanel server (cpsrvd).  
** Disable whois lookups for the nameserver IP manager.

Now go to Main >> Security >> Security Center and work through the tweaks there:
 

Password Strength Configuration

This area allows you to change the minimum required password strength for each area of cPanel/WHM that accepts a password.

cPHulk Brute Force Protection
cPHulk Brute Force Protection prevents malicious forces from trying to access your server's services by guessing the login password for that service.

Host Access Control (block IP access)

Host Access Control allows you to allow or deny access to your server or specific services based on the IP address of the incoming request.

SSH Password Auth Tweak
The SSH Password Auth Tweak allows you to enable or disable password authentication for SSH. This can be used along with SSH keys to add extra security.
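An added audit for the two sshd_config settings behind this tweak (example code, not from the original post or from cPanel): it reports the value sshd will actually use for PasswordAuthentication and PermitRootLogin. The point it demonstrates is that sshd takes the first value it reads for a keyword, so a "no" appended below an earlier "yes" changes nothing. The config path is a parameter so it can be run against a copy; directives inside Match blocks and the Keyword=value spelling are not handled, and the defaults assumed ("yes" for both) are those of the OpenSSH shipped with CentOS 5. The sample configs in the test data are constructed.

```sh
#!/bin/sh
# Audit sshd_config for the settings behind the "SSH Password Auth Tweak".
# sshd uses the FIRST value it reads for each keyword, so a
# "PasswordAuthentication no" appended at the bottom of a file that already
# says "yes" higher up has no effect.  Directives inside a Match block are
# conditional and not considered here, and "Keyword=value" is not handled.
# The config path is a parameter (on the live box pass /etc/ssh/sshd_config).

sshd_effective() {
    # $1: sshd_config path, $2: keyword (case-insensitive); prints the
    # effective value, or nothing if the keyword is not set before any Match
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1"
}

audit_sshd() {
    # $1: sshd_config path.  Returns 0 only when password logins are off and
    # root cannot log in with a password; prints one line per finding.
    # Defaults assumed are those of CentOS 5's OpenSSH: both "yes".
    rc=0
    pa=$(sshd_effective "$1" PasswordAuthentication)
    prl=$(sshd_effective "$1" PermitRootLogin)
    case "${pa:-yes}" in
        no) ;;
        *) echo "PasswordAuthentication is ${pa:-yes (default)}"; rc=1 ;;
    esac
    case "${prl:-yes}" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "PermitRootLogin is ${prl:-yes (default)}"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use on the server: audit, validate the file, then restart sshd.
# audit_sshd /etc/ssh/sshd_config && sshd -t && service sshd restart
```

Before turning password authentication off, put your public key in /root/.ssh/authorized_keys and confirm a key login works in a second session; `sshd -t` checks the file for syntax errors before you restart the daemon and risk locking yourself out.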

PHP open_basedir Tweak

PHP's open_basedir protection prevents users from opening files outside of their home directory with PHP.

 Apache mod_userdir Tweak

The mod_userdir tweak enables/disables the ability to view sites on your server by typing http://servers.host.name/~username.

Compilers Tweak

This tweak will disable the system's C and C++ compilers for unprivileged users. Many common exploits require a working C compiler on the system. You can also choose to allow some users to use the compilers while they remain disabled by default.

Traceroute Tweak

This tweak will disable the system's traceroute utility. Traceroute displays the packet route from the server to another network host. It can be used to map the network's topology and subsequently to focus an attack.

 SMTP Tweak

This SMTP tweak will prevent users from bypassing the mail server to send mail (This is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.

 Shell Fork Bomb Protection

Shell Fork bomb Protection will prevent users with terminal access (ssh/telnet) from using up the server's resources and possibly crashing the server.
