Secure Server using Free Security Audit Script
Hardening is a must for any server: it helps prevent unwanted access, malware attacks, unsolicited mailing and similar abuse. Our server hardening process takes a complete view of server security, covering all of these aspects, and helps protect the server from almost all kinds of malware attacks and infections.
Hardening is offered at Basic, Advanced and Extended levels. Each client should start with our Basic Server Hardening Package, which mainly covers the areas below. For Advanced and Extended Hardening, you need to open a ticket; the work is done case by case at a per-hour rate.
We normally run our free security audit script, Nixtree Audit Script, first and base the basic hardening on its results. We then apply our hardening script, followed by our final manual checks and confirmations.
CSF - ConfigServer Security Firewall
ConfigServer Security Firewall is becoming an inevitable part of cPanel servers, because it strengthens the security layer considerably. Rather than acting only as a firewall, it can also be configured to monitor server load, email, processes and so on, which makes it a good security suite for the server. It works on top of netfilter (iptables) and makes administering the firewall very easy for a server administrator. It also has a very large user base, because it is built to work well with cPanel, so support and integration will not be a problem. With ntcPGo, we tweak many values in the CSF configuration on a general basis.
Securing Apache is very important. It is generally recommended to set everything to "PCI Compliant" in Apache Global Configuration in WHM. You should also consider disabling directory listing, enabling the SymLink security patch from EasyApache (if you do not have the CloudLinux kernel installed) and enabling the PHP open_basedir restriction.
Rkhunter is one of the best-known tools for scanning a server for rootkits. With ntcPGo, we install Rkhunter and schedule it to run a server scan every day. Rather than just setting it up, we tweak the configuration to eliminate some of the common false positives.
Disable unwanted processes
Not all processes that are part of the OS installation are needed on a server. Every service that is running and reachable by the public must be managed and updated properly, so that you can close the vulnerabilities in that specific service or package. With ntcPGo, we disable all services that are not commonly required on a cPanel server.
Tweaking some kernel variables to prevent common types of attack (such as SYN floods) is recommended. We enforce such changes via ntcPGo.
By default, cPanel provides many options for securing the server. Please note that no system is secure by default; it may offer the means to enforce security, and it is the duty of the system administrator to implement them. From that perspective, ntcPGo applies many of the security tweaks that cPanel provides with the system. Some of them are the background process killer, disabling compiler access, shell fork bomb protection, enforcing SSL, etc. It also enforces a minimum password strength for users, so that your customers' accounts will not be compromised because of a weak password.
Securing FTP is very important, because your users depend on it to upload files. Some of the security settings are disabling plain FTP login, disabling root and anonymous login, etc.
DNS should be secured to protect your server from attacks such as DNS amplification. Some of the common security steps are disabling recursion, hiding the BIND version, etc.
Additional Security Tools
ntcPGo installs many additional tools that help you manage the security layer and enforce the related monitoring. We install the suites provided by ConfigServer and RFXN.
Moving the SSH service to a non-standard port is an important step to take when securing cPanel. ntcPGo will warn you if you are using the default port for SSH. Additional steps you can take include disabling direct root login, reducing the login grace time and possibly disabling password authentication.
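The SSH checks described above can be audited straight from the contents of sshd_config. The script below is an added example, not part of ntcPGo or the Nixtree Audit Script; the function names, the 60-second grace threshold and the sample configuration are assumptions made for illustration.

```python
import re

# OpenSSH defaults applied when a keyword is absent (Port handled separately).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "logingracetime": "120", "passwordauthentication": "yes"}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MAX_GRACE = 60  # assumed threshold in seconds; the page names no value

def effective_settings(text):
    """Global sshd settings: first value wins; Match blocks and Include are not followed."""
    seen, ports = {}, []
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        key = parts[0].lower()
        if key == "match":              # conditional overrides start here
            break
        if len(parts) != 2:
            continue
        value = parts[1].strip().strip('"')
        if key == "port":
            ports.append(value)         # Port may be listed several times
        else:
            seen.setdefault(key, value)
    return {**DEFAULTS, **seen, "port": ports or ["22"]}

def seconds(value):
    """Convert an sshd time value (120, 90s, 1m30s) to seconds."""
    return sum(int(n) * UNITS[u.lower()] for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", value))

def audit_sshd(text):
    """Return one warning per SSH setting that deviates from the hardening steps."""
    cfg, findings = effective_settings(text), []
    if "22" in cfg["port"]:
        findings.append("Port: sshd listens on the default port 22")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin: direct root login allowed ({cfg['permitrootlogin']})")
    grace = seconds(cfg["logingracetime"])
    if grace == 0 or grace > MAX_GRACE:
        findings.append(f"LoginGraceTime: {grace}s is above {MAX_GRACE}s (0 means no limit)")
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication: password logins enabled")
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = ("Port 2222\nPermitRootLogin yes\nLoginGraceTime 2m\n"
          "PasswordAuthentication no\nPermitRootLogin no\n"
          "Match User backup\n    PasswordAuthentication yes\n")
if __name__ == "__main__":
    print("\n".join(audit_sshd(SAMPLE)))
```

On the sample, the second `PermitRootLogin no` does not count, because sshd uses the first value it reads for a keyword; an audit that takes the last value would miss this.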