Thursday, 10 May 2012

Secure your Server

1. Enable suexec & suphp on the server.
suPHP does for PHP scripts what suEXEC does for Perl files: it makes them run under your specific user account rather than the Apache user account. This allows us to better monitor the resource usage of accounts and to track down runaway scripts with greater ease. It also gives you the benefit of all your PHP scripts running 'in' your account. For some PHP applications, such as PHPWebSite, this is a great help, because files and folders created from inside the script are now owned by your account and not by the generic Apache user account.

2. Install mod-security on the server.
Mod_Security is an open source intrusion detection and prevention engine for web applications (in other words, a web application firewall) that operates as an Apache web server module. The current stable version is 1.9.4. The purpose of ModSecurity is to increase web application security by protecting web applications from known and unknown attacks. Mod_security is great and I encourage everyone to use it; it does have the potential to break some web applications, but so far I have seen very few issues. Likewise, any application that does break is easy to fix with the granular filter rules, which can be set up to either deny or allow certain content. Overall, mod_security is a needed addition to Apache, providing a layer of security not previously available for Apache.

3. Install suhosin on the server.
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities; the second is a powerful PHP extension that implements all the other protections.

4. Install csf firewall on the server.
One of the firewalls best suited to cPanel servers. Read more at http://www.configserver.com

5. Use strong cPanel passwords (THIS WE DO).

6. You can also disable default FTP access (using the cPanel login details), or limit FTP access to a small set of IPs and block all other IPs worldwide.
(Could we provide you with a few IPs for WHM administration access only?)
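One way to express the "limit FTP to a few administrator IPs" rule from item 6 with the csf firewall from item 4, as an added example that is not part of the original post or of csf itself. It uses csf's documented advanced allow syntax (`tcp|in|d=PORT|s=SOURCE`) for /etc/csf/csf.allow, validates each address before emitting a line so a typo cannot admit the wrong source, and the addresses themselves are constructed documentation-range placeholders:

```shell
#!/bin/sh
# Added example (not csf's own code): build csf.allow entries that admit FTP
# (tcp/21) only from named administrator addresses. The addresses used below
# are constructed placeholders from the documentation ranges, not real hosts.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    # shape check first: exactly four numeric groups of 1-3 digits
    echo "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one csf.allow line per address. Any malformed address aborts the
# whole run (exit 1) rather than silently producing a partial rule set.
csf_ftp_allow_rules() {
    for ip in "$@"; do
        if valid_ipv4 "$ip"; then
            echo "tcp|in|d=21|s=$ip"
        else
            echo "refusing to generate rules: invalid address '$ip'" >&2
            return 1
        fi
    done
}

# Stand-alone run with two constructed admin addresses.
csf_ftp_allow_rules 203.0.113.10 198.51.100.7
```

Append the generated lines to /etc/csf/csf.allow, remove port 21 from the TCP_IN list in /etc/csf/csf.conf so that no other source can reach FTP, and reload with `csf -r`. Keep the allow list short and review it alongside the WHM access list, since every entry is a host that can reach the FTP daemon with cPanel credentials.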

7. Install rkhunter (Rootkit Hunter).

8. Add log selectors in /etc/exim.conf

9. Disable vulnerable PHP functions as per your requirements.
The vulnerable functions are "shell_exec,system,passthru,exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,highlight_file,escapeshellcmd,define_syslog_variables,posix_uname,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellarg,posix_uname,ftp_exec,ftp_connect,ftp_login,ftp_get,ftp_put,ftp_nb_fput,ftp_raw,ftp_rawlist,ini_alter,ini_restore,inject_code,syslog,openlog,define_syslog_variables,apache_setenv,mysql_pconnect"
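A quick way to check that the list above is actually enforced, as an added example that is not from the original post: the script below reads php.ini text, extracts the `disable_functions` directive, and reports every function from the list that is still enabled. The php.ini content it runs against is constructed for the demonstration (deliberately incomplete); on a cPanel server you would pipe in the real file, whose path (for example /usr/local/lib/php.ini) is an assumption here. The two names the list repeats (posix_uname, define_syslog_variables) are collapsed to one entry each.

```shell
#!/bin/sh
# Added example (not from the original post): audit a php.ini
# disable_functions line against the required list.

# Required list from the post, with the two duplicated names removed.
REQUIRED="shell_exec system passthru exec popen proc_close proc_get_status proc_nice proc_open proc_terminate highlight_file escapeshellcmd define_syslog_variables posix_uname posix_getpwuid apache_child_terminate posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid escapeshellarg ftp_exec ftp_connect ftp_login ftp_get ftp_put ftp_nb_fput ftp_raw ftp_rawlist ini_alter ini_restore inject_code syslog openlog apache_setenv mysql_pconnect"

# Read php.ini text on stdin and print the disabled functions one per line:
# value of disable_functions, split on commas, whitespace and quotes removed,
# de-duplicated.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' \
      | tr ',' '\n' | tr -d ' \t"' | grep -v '^$' | sort -u
}

# Print each required function that the php.ini text on stdin does not
# disable. Exit status 1 if anything is missing, 0 if fully enforced.
missing_functions() {
    have=$(disabled_functions)
    rc=0
    for fn in $REQUIRED; do
        if ! printf '%s\n' "$have" | grep -qx "$fn"; then
            echo "$fn"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample php.ini, incomplete on purpose: exec, system and
# shell_exec (among others) are still enabled.
SAMPLE_INI='
[PHP]
expose_php = Off
disable_functions = passthru,popen,proc_open, proc_close,ftp_exec,ftp_connect
'

printf '%s\n' "$SAMPLE_INI" | missing_functions \
    || echo "disable_functions is incomplete (see list above)" >&2
```

Run it as `missing_functions < /usr/local/lib/php.ini` (path assumed) after every PHP upgrade, since a rebuilt php.ini is the usual way this directive quietly disappears; an empty report with exit status 0 means every listed function is disabled.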
