SSH Security On cPanel Servers.
1. Change the SSH port number.
Edit the SSH daemon configuration file, /etc/ssh/sshd_config, and add or replace the Port line with a non-default port, for example:
# What ports, IPs and protocols we listen for
Port 2222
Check the file with sshd -t and restart sshd afterwards. Open the new port in your firewall before you restart, and keep your current session open until a second login on the new port succeeds, or you will lock yourself out. Moving the port only cuts down automated scanning noise; it is not an authentication control, so use it together with the steps below.
2. Allow only the IPs that need SSH access through your firewall.
iptables -A INPUT -i eth0 -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
The ACCEPT rule on its own restricts nothing; it has to be followed by a rule that drops SSH traffic from every other source (or sit in front of a default DROP policy). Repeat the ACCEPT line for each administrative address.
3. Use a log-watching utility such as BFD, BlockHosts or DenyHosts to block addresses that repeatedly fail authentication.
denyhosts - a utility to help system admins thwart ssh crackers
4. Use iptables to limit the rate of incoming connections to SSH.
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
The first rule records the source address of every new connection to port 22; the second drops a new connection once the same address has opened four within 60 seconds. Each address therefore gets no more than 3 new connections to port 22 per minute, and any more are dropped. The --update rule is often copied on its own, but it never matches without the --set rule, because nothing populates the "recent" list. Note that this counts TCP connections, not failed logins, so it complements rather than replaces the tools in step 3.
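The following shell helper is an added example, not code from the original page: it applies steps 1, 2 and 4 above in one place. The function names are my own, and the interface, port and administrative addresses are placeholders to replace with your own. It rewrites sshd_config through a temporary file and only prints the iptables rules so that you can review them before applying.

```sh
#!/bin/sh
# Added example (not from the original page). Hypothetical helper functions
# for the SSH hardening steps; PORT, IFACE and ADMIN_IP values are placeholders.

# set_sshd_port FILE PORT
# Remove every existing Port line (commented or not) and put a single new one
# at the top of the file. Putting it first keeps it ahead of any Match block,
# where sshd would reject it, and avoids leaving two competing Port lines
# behind. The rewrite goes through a temporary file so the real config is
# never left half-written if something fails.
set_sshd_port() {
    cfg="$1"; port="$2"
    {
        printf 'Port %s\n' "$port"
        grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg" || true
    } > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# ssh_firewall_rules IFACE PORT ADMIN_IP...
# Print, but do not run, the iptables rules for steps 2 and 4: accept the
# administrative addresses unconditionally, then rate-limit every other
# source to 3 new connections per minute. Review the output and pipe it to
# sh once you are satisfied. If the allow-list is meant to be exhaustive,
# replace the two "-m recent" rules with a plain "-j DROP" for the port.
ssh_firewall_rules() {
    iface="$1"; port="$2"; shift 2
    for ip in "$@"; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -s %s -j ACCEPT\n' "$iface" "$port" "$ip"
    done
    # --set records the source of each new connection; --update matches (and
    # drops) only once that source has 4 entries inside 60 seconds. The
    # --update rule on its own never fires, because nothing fills the list.
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --name SSH --set\n' "$iface" "$port"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP\n' "$iface" "$port"
}

# Typical order on a live server (as root): firewall first, then sshd.
#   ssh_firewall_rules eth0 2222 192.168.1.1 > /tmp/ssh-rules.sh && sh /tmp/ssh-rules.sh
#   set_sshd_port /etc/ssh/sshd_config 2222 && sshd -t && service sshd restart
# Keep the current session open until a fresh login on the new port works.
```

The rules are emitted in append order on purpose: the allow-list ACCEPT lines come first, the --set rule second and the --update/DROP rule last, which is the ordering under which the fourth new connection in a minute is the one dropped.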
Creating a Rewrite for Ruby on Rails Application in cPanel
Because Ruby on Rails runs under its own application server rather than under Apache, visitors to your website (and therefore to your Ruby on Rails application) must be sent on to the port that server listens on.
That server does not answer on the standard HTTP port, 80, so without a rewrite visitors would have to type the port number along with the domain, for example example.com:12001.
To configure a rewrite for a Ruby on Rails application in cPanel:
1. Log into cPanel.
2. Navigate to the Software/Services section of your cPanel interface.
3. Click the Ruby on Rails icon. This step will open the Ruby on Rails management interface.
4. Click the Create Rewrite button corresponding to the appropriate application in the Create A Rewrite table.
Catch-all/default address behavior for new accounts in cPanel.
The catch-all or default address handles email sent to nonexistent users on your server’s domains. It is useful to keep in mind that spammers frequently use Directory Harvest Attacks to try to guess recipient usernames at known domains. Thus, a domain may receive a large number of spam messages sent to nonexistent users, costing you server resources.
fail — Checks whether the intended recipient exists and, if it does not, rejects the SMTP request before the message body is transferred, leaving the sending server to deal with the bounce. This option is recommended.
blackhole — Accepts the message in full and then discards it. The server still spends bandwidth and CPU receiving each message, and the sender gets no indication that it was dropped.
localuser — Delivers mail for nonexistent addresses to the account's main user, which lets users set up their own catch-all addresses. In practice these mailboxes mainly collect spam.
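As an added example (not part of the original page or of cPanel), the shell function below audits which domains on a server are not using the recommended :fail: setting. It assumes cPanel's valiases layout: one file per domain under /etc/valiases, in which the catch-all is the line beginning with "*:" and the recommended value reads ":fail: No Such User Here", a blackhole reads ":blackhole:", and a local user is the account name. The function name and output format are my own.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes the cPanel layout
# /etc/valiases/<domain>, where the catch-all is the "*:" line.

# audit_catchall DIR
# Print "domain<TAB>catch-all" for every domain whose catch-all is not :fail:.
# Domains that already reject unknown recipients produce no output, so an
# empty result means every domain is configured the recommended way.
audit_catchall() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        domain=$(basename "$f")
        # Take the first "*:" entry, strip the "*:" prefix and surrounding
        # whitespace; ordinary forwarder lines (user@domain: target) are ignored.
        setting=$(sed -nE 's/^\*:[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p' "$f" | head -n 1)
        case "$setting" in
            :fail:*) ;;                                         # recommended, nothing to report
            "")      printf '%s\tno catch-all entry\n' "$domain" ;;
            *)       printf '%s\t%s\n' "$domain" "$setting" ;;  # :blackhole: or a local user
        esac
    done
}

# Usage on a live server (reading /etc/valiases needs root):
#   audit_catchall /etc/valiases
```

Run it after changing the WHM default for new accounts as well: that setting only affects accounts created afterwards, so existing domains keep whatever catch-all they already had.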
Reference : http://cpanel.net
cPanel PHP extension manager (/scripts/phpextensionmgr)
EasyApache has the ability to install, uninstall, and update several popular PHP extensions as part of the build process. When EasyApache runs, it will automatically determine which extensions are active in the main php.ini file at /usr/local/lib/php.ini. Active extensions will automatically be selected in the EasyApache interface.
Rerunning EasyApache is not required in order to enable or disable the standard PHP extensions. cPanel provides a tool, /scripts/phpextensionmgr, that installs or removes PHP extensions directly. For detailed information about this tool, run:
/scripts/phpextensionmgr --help
Example: Install
/scripts/phpextensionmgr install EAccelerator
Example: Uninstall
/scripts/phpextensionmgr uninstall EAccelerator
Reference : http://cpanel.net/
Using the Suhosin PHP hardening extension on cPanel servers
The Suhosin extension “was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.”
Reference : http://www.hardened-php.net/suhosin/
Perhaps more importantly, the Suhosin community would be an excellent starting point for learning about flaws in PHP, as well as other extensions, configurations, and techniques you can use to protect your server.
Since many popular scripts are not compatible with Suhosin's restrictions, test it before moving to production. Suhosin's simulation mode (suhosin.simulation = On in php.ini) logs violations without blocking them, so you can run the applications with it enabled, review the log for false positives, and only then switch to enforcing mode.