Enabling or disabling SuExec in WHM
SuExec is an Apache feature that gives users the ability to run CGI and SSI programs using user IDs that are different from the user ID of the calling web server. This effectively means that CGI and SSI programs will not have access to the root account or have root permissions.
To enable or disable SuExec:
1. Click on the Enable/Disable SuExec link in the Server Setup menu.
2. Click on the Enable button to enable SuExec or click on the Disable button to disable SuExec.
suEXEC is based on a setuid “wrapper” program that is called by the main Apache web server. This wrapper is called when an HTTP request is made for a CGI or SSI program that the administrator has designated to run as a userid other than that of the main server. When such a request is made, Apache provides the suEXEC wrapper with the program’s name and the user and group IDs under which the program is to execute.
Disabling services in RPM distros
There are several services running by default that may be safely disabled. First, we’ll generate a list of services that are enabled at runlevel 3.
chkconfig --list | awk '/3:on/ { print $1 }'
We will disable the following services:
gpm kudzu netfs anacron atd apmd pcmcia nfslock isdn autofs portmap rhnsd
for SERVICE in gpm kudzu netfs anacron atd apmd pcmcia nfslock isdn autofs portmap rhnsd
do
/sbin/chkconfig $SERVICE off
/sbin/service $SERVICE stop
done
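The loop above disables a fixed list of services. The following added example (not code from the original page) derives that list from the chkconfig output instead, so that only services actually enabled at runlevel 3 are touched and anything on a keep-list is left alone; the sample chkconfig output is constructed, and a DRY_RUN switch prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the original page): list the services that
# chkconfig reports as "on" at runlevel 3, minus a keep-list, so the
# disable loop only touches what you intend.

# Constructed sample of `chkconfig --list` output for the demo.
SAMPLE_CHKCONFIG='gpm            0:off  1:off  2:on   3:on   4:on   5:on   6:off
sshd           0:off  1:off  2:on   3:on   4:on   5:on   6:off
kudzu          0:off  1:off  2:off  3:on   4:on   5:on   6:off
cups           0:off  1:off  2:off  3:off  4:off  5:off  6:off
xinetd based services:
        telnet:         off'

# services_on_at_3 <chkconfig-output-file>
# Prints one service name per line for entries that are on at runlevel 3.
services_on_at_3() {
    awk '/3:on/ { print $1 }' "$1"
}

# candidates_to_disable <chkconfig-output-file> <space-separated keep-list>
# Filters the runlevel-3 list against the keep-list (e.g. "sshd syslog").
candidates_to_disable() {
    keep=" $2 "
    services_on_at_3 "$1" | while read -r svc; do
        case "$keep" in
            *" $svc "*) ;;          # on the keep-list, leave it alone
            *) echo "$svc" ;;
        esac
    done
}

# disable_services <chkconfig-output-file> <keep-list>
# Runs the same chkconfig/service pair the page uses; DRY_RUN=1 only prints.
disable_services() {
    candidates_to_disable "$1" "$2" | while read -r svc; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: /sbin/chkconfig $svc off; /sbin/service $svc stop"
        else
            /sbin/chkconfig "$svc" off
            /sbin/service "$svc" stop
        fi
    done
}

# Demo on the constructed sample: keep sshd, report the rest.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CHKCONFIG" > "$tmp"
DRY_RUN=1 disable_services "$tmp" "sshd"
rm -f "$tmp"
```

On a live system, feed it the real output (`chkconfig --list > /tmp/services.txt`) and run with DRY_RUN=1 first; the keep-list is where sshd and anything else you rely on for remote access belongs.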
Disabling SSH Login for root user
Below are instructions for disabling the root user and allowing another user to assume the root user's permissions. This adds another layer of security because an additional username and password must now be entered before gaining the root user privileges.
Before you disable root logins you should add an administrative user that can ssh into the server and become root with su.
In the following example we are using buddy for the username, but it can be replaced with any username you wish to use.
root@dell:~# useradd buddy
root@dell:~# id buddy
uid=1005(buddy) gid=1007(buddy) groups=1007(buddy)
Set the password for the buddy user. When prompted type and then retype the password.
root@dell:~# passwd buddy
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
SSH to the server with the new admin user and ensure that the login works.
Verify that you can su (switch user) to root with the admin user.
buddy@dell:/$ su
Password:
root@dell:/# whoami
root
Edit /etc/ssh/sshd_config with your favorite text editor.
Change this line:
PermitRootLogin yes
to this:
PermitRootLogin no
Ensure that you are logged into the box with another shell before restarting sshd to avoid locking yourself out of the server.
# /etc/init.d/sshd restart
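Editing sshd_config by hand works once; the added example below (not code from the original page) makes the change idempotent and handles the three states you meet in practice: the directive present with some value, present but commented out, or absent altogether. It also shows how to read back the value sshd will use before you restart. The sample config is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): switch PermitRootLogin to
# "no" in an sshd_config idempotently and verify the result.

# set_permit_root_login_no <sshd_config-path>
set_permit_root_login_no() {
    cfg="$1"
    tmp=$(mktemp)
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg"; then
        # Rewrite every (possibly commented-out) occurrence to the hardened value.
        sed -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfg" > "$tmp"
    else
        # Absent: prepend rather than append, so the directive can never land
        # inside a trailing "Match" block, where it would be scoped or rejected.
        { printf 'PermitRootLogin no\n'; cat "$cfg"; } > "$tmp"
    fi
    # Copy back over the original so its owner and mode are preserved.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# effective_permit_root_login <sshd_config-path>
# Prints the value sshd would take: the first uncommented directive wins.
# (`sshd -T` dumps the effective configuration and is the authoritative check.)
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# Demo on a constructed config that ships with the directive commented out.
demo=$(mktemp)
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo"
set_permit_root_login_no "$demo"
echo "PermitRootLogin is now: $(effective_permit_root_login "$demo")"
rm -f "$demo"
```

Run `effective_permit_root_login /etc/ssh/sshd_config` from the second shell the page tells you to keep open, confirm it prints `no`, and only then restart sshd.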
Enabling & Disabling suEXEC
Upon startup of Apache, it looks for the file “suexec” in the “sbin” directory (default is “/usr/local/apache/sbin/suexec”). If Apache finds a properly configured suEXEC wrapper, it will print the following message to the error log:
[notice] suEXEC mechanism enabled (wrapper: /path/to/suexec)
If you don’t see this message at server startup, the server is most likely not finding the wrapper program where it expects it, or the executable is not installed setuid root.
If you want to enable the suEXEC mechanism for the first time and an Apache server is already running you must kill and restart Apache. Restarting it with a simple HUP or USR1 signal will not be enough.
If you want to disable suEXEC you should kill and restart Apache after you have removed the “suexec” file.
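The two failure causes named above (wrapper not where Apache expects it, or not installed setuid root) can be checked directly, and the startup notice can be checked in the error log. The added example below (not code from the original page or from Apache) does both; the wrapper path is the page's default and can be overridden with SUEXEC_PATH, and the error-log lines used in the demo are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): two checks for the suEXEC
# wrapper described above.

# suexec_wrapper_ok <path>: the binary must exist, carry the setuid bit and
# be owned by root, or Apache will not enable the suEXEC mechanism.
suexec_wrapper_ok() {
    p="$1"
    [ -f "$p" ] || { echo "missing: $p"; return 1; }
    [ -u "$p" ] || { echo "not setuid: $p"; return 1; }
    owner=$(ls -ld "$p" | awk '{ print $3 }')
    [ "$owner" = root ] || { echo "not owned by root: $p ($owner)"; return 1; }
    echo "ok: $p"
}

# suexec_enabled_in_log <error_log>: look for the startup notice the page
# quotes; prints the wrapper path it names, returns 1 if the notice is absent.
suexec_enabled_in_log() {
    grep -o 'suEXEC mechanism enabled (wrapper: [^)]*)' "$1" \
        | sed 's/.*wrapper: //; s/)$//' | head -n 1 | grep .
}

# Demo: a constructed error log containing the notice.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[Mon Jan 01 00:00:00 2024] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/sbin/suexec)
[Mon Jan 01 00:00:00 2024] [notice] Apache configured -- resuming normal operations
EOF
echo "log says wrapper is: $(suexec_enabled_in_log "$LOG")"
rm -f "$LOG"

# Check the wrapper on this host (prints a reason if it would not be enabled).
suexec_wrapper_ok "${SUEXEC_PATH:-/usr/local/apache/sbin/suexec}" || true
```

If the wrapper check passes but the notice never appears, remember the point above: a HUP or USR1 will not pick suEXEC up; Apache must be fully stopped and started.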
Disabling Root Using PAM
PAM, through the /lib/security/pam_listfile.so module, allows great flexibility in denying specific accounts.
This allows the administrator to point the module at a list of users who are not allowed to log in.
Below is an example of how the module is used for the vsftpd FTP server in the /etc/pam.d/vsftpd PAM configuration file (the \ character at the end of the first line in the following example is not necessary if the directive is on one line):
auth required /lib/security/pam_listfile.so item=user \
sense=deny file=/etc/vsftpd.ftpusers
This tells PAM to consult the file /etc/vsftpd.ftpusers and deny access to the service for any user listed. The administrator is free to change the name of this file, and can keep separate lists for each service or use one central list to deny access to multiple services.
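Once a deny list is in place it is worth verifying that the PAM service file really points at it and that the list file itself is one pam_listfile will accept: the module refuses a list that is not owned by root or is world-writable and falls back to its onerr setting (fail by default). The added example below (not code from the original page) parses a service file, joining the backslash-continued line shown above, and checks the list; the module path and file names come from the page, the sample service file and user list are constructed.

```sh
#!/bin/sh
# Added example (not from the original page): inspect a PAM service file for
# a pam_listfile deny rule and validate the deny list it points at.

# pam_deny_list_file <pam.d-service-file>
# Prints the file= value of the first "auth" line that uses pam_listfile.so
# with sense=deny; "\"-continued lines are joined first. Returns 1 if none.
pam_deny_list_file() {
    awk '{
        while (sub(/\\$/, "") && (getline nxt) > 0) $0 = $0 nxt   # join continued lines
        if ($1 == "auth" && /pam_listfile\.so/ && /sense=deny/)
            for (i = 1; i <= NF; i++)
                if ($i ~ /^file=/) { sub(/^file=/, "", $i); print $i; exit }
    }' "$1" | grep .
}

# deny_list_ok <list-file>: must exist, be root-owned and not world-writable,
# otherwise pam_listfile rejects it and returns its onerr result (fail by default).
deny_list_ok() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(ls -ld "$f")
    mode=$1; owner=$3
    [ "$owner" = root ] || { echo "not root-owned: $f ($owner)"; return 1; }
    case "$mode" in
        ????????w*) echo "world-writable: $f ($mode)"; return 1 ;;
    esac
    echo "ok: $f"
}

# user_denied <list-file> <user>: true if the user appears on the list.
user_denied() {
    grep -qx "$2" "$1"
}

# Demo on a constructed service file and deny list.
d=$(mktemp -d)
printf 'auth required /lib/security/pam_listfile.so item=user \\\n    sense=deny file=%s/ftpusers\nauth required pam_unix.so\n' "$d" > "$d/vsftpd"
printf 'root\nbin\n' > "$d/ftpusers"
list=$(pam_deny_list_file "$d/vsftpd")
echo "deny list: $list"
deny_list_ok "$list" || true
user_denied "$list" root && echo "root is denied"
user_denied "$list" buddy || echo "buddy is not denied"
rm -rf "$d"
```

Against the real files, `pam_deny_list_file /etc/pam.d/vsftpd` should print `/etc/vsftpd.ftpusers`, and `deny_list_ok` on that path should say `ok`; a list that fails the ownership or mode check silently stops doing what you expect.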