How can you access cPanel like, say, http://domainname.com/xyz ? This is for security purposes.

Solution :

This can be done but not recommended as it would not be of much effect security-wise.
Even if you change it, cPanel/WHM would still run on the standard ports (2082/2083 & 2086/2087) which is known to everyone. If you have a valid cPanel license then you can contact their support and get the ports changed. This coupled with a strong password (change regularly) should be good enough.

However, coming back to the original question, you can achieve it in the following way :

Go to /usr/local/apache/conf/httpd.conf
Find the following line :

ScriptAliasMatch ^/?cpanel/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

Comment it out by adding a ‘#’ at the beginning and add the following line below that line :

ScriptAliasMatch ^/?xyz/?$ /usr/local/cpanel/cgi-sys/redirect.cgi

SFTP users can view server files and folders by simply changing the path to ‘/’. How can this be avoided?

Solution :

SFTP means FTP access over SSH.
You will have to chroot the individual users in order to prevent them from viewing files outside their chroot jail.
Normal FTP access has chroot isolation at the ftp daemon level.

Following message occurs every time when trying to connect to an own dedicated server from other servers.

Access Denied: Referrer Check

Functions in cPanel / WHM are available only directly through the cPanel and WHM interfaces or through our XML API. It appears that this request is coming from a referring site and might be malicious. Administrator Note: If new ips
were recently bound to this server manually you must restart cpsrvd.
If you wish to continue to this page, you may do so but please note that allowing other sites to tell you which actions to perform in cPanel / WHM could be a security risk. Continue at Your Own Risk!

Fix :

The message says it all. Isn’t it?

But if you still want to prevent this message from coming up every time you try to connect then disable the following option in WHM >> Tweak Settings >> Security section :

Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL. This will help prevent XSRF attacks, but may break integration with other systems, login applications, and billing software. Cookies are required with this option enabled.

Rkhunter is a tool used to check trojans, rootkits, and other security problems.
Here are the installation steps:-

root@server1 [~]#wget http://downloads.rootkit.nl/rkhunter-1.2.7.tar.gz
root@server1 [~]#tar -zxvf rkhunter-1.2.7.tar.gz
root@server1 [~]#cd rkhunter-1.2.7
root@server1 [~]#./installer.sh

You can scan the server by using the following command:-

root@server1 [~]#/usr/local/bin/rkhunter -c

You can update the rkhunter database by issuing the following command:-

root@server1 [~]#rkhunter –update

Chrootkit Installation

Chrootkit is a tool used for scanning the trojans in the server.

Here are the installation steps:-

1) Download the source package

root@server1 [~]#wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

2)Check the MD5 SUM of the download for security.

root@server1 [~]#ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5
root@server1 [~]#md5sum chkrootkit.tar.gz

3) Extract the source file and install it.

root@server1 [~]#tar xvzf chkrootkit.tar.gz
root@server1 [~]#cd chkrootkit*
root@server1 [~]#make sense

4) Scan the server.

root@server1 [~]#./chkrootkit

When an user tries to access a non-existent page or when a new account is created and no index page is uploaded then the following information can be viewed :

Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8 Server at domain.com Port 80

Fix :

Disable the Server Signature via WHM >> Main >> Service Configuration >> Apache Configuration >> ServerSignature

OR

Add the following lines in the httpd.conf file :

ServerSignature Off
ServerTokens Prod
FileETag None

Nessus is one of the best vulnerability scanning tool available today. It is available free of cost for personal use. It can detect potential vulnerabilities in an individual system or a network.

In the Unix/Linux environment,  Nessus consists of two parts :-

nessusd – It is the daemon which does the scanning.
Nessus  – the client which controls the scanning and provides the report to the user.

Source and guidelines for the installation is available on the official Nessus website – www.nessus.org

Once you are done with the installation you need to make sure that the nessusd daemon is up and running. After that an user needs to be added. This can be done using the command ‘nessus-adduser’ (of course, without the quotes).
The figure below explains it quite well:

Adding an user

This user will be able to login to the client and run the scan.

Then you can start the client by entering the command ‘nessus’ through the console.
You will be presented with an interface like in figure 2 .

This screen shot was taken while we were running a scan for one of our clients.

Figure 2

You just need to fill in the fields and click ‘Log in’

Please note that you might have to update the plugins and for that you need to get your scanner registered online. The process takes just a couple of minutes and the instructions are available at http://www.nessus.org/plugins/index.php?view=register-info

Then you need to click on the tab ‘Plugins’

Figure 3

Enable all the plugins as shown above in figure 3. If you do not enable the required plugins then the scan will not return the desired results.

Certain plugins might cause freezing of the network from which you are running the scan . So, make sure  you have the system administrators ready in case you run into any trouble.

Now, you need to mention the ‘target’ machine on which the scan is going to be run.  Please refer to figure 4 below :

Figure 4

Now, you can go ahead and ‘Start the scan’ . You can see the progress of the scan on your screen as shown in figure 5.

Figure 5

Once the scan is completed, you will be presented  with a report as the one given below in figure 6.

Figure 6

This report can be exported to html or pdf format also.

For reference, I am pasting parts of the pdf that we got after scanning the client server.

The above part depicts the summary of the scan on the whole.

The one below shows the part which explains one of the vulnerability and the suggested solution.

Likewise, you will get a detailed report about the potential problems and the suggested fixes.
If all the vulnerabilities are fixed then the server is most likely to achieve PCI compliance.

I hope this article would be helpful for some people out here. If you have any further queries then do get back to us. We would be happy to help you.

Now, this client is basically a provider of e-commerce based hosting solutions. They deal with plenty of sensitive and important data. Hence, becoming PCI Compliant was mandatory for them. Recently they were getting too many potential customer queries whether they are PCI Compliant. Achieving this has helped them grow their business by almost 50% in last couple of quarters.

A PCI Scan tells you what could be potentially insecure about your server. This is particularly important where storage of sensitive data occurs. Therefore, PCI Compliance is something which is preferred by most credit-card companies these days.

The PCI Security Standards Council talks about 12 basic requirements broadly divided into 6 categories. This is called the PCI-DSS (Payment Card Industry Data Security Standard)

This is required in order to avoid data frauds where card information is stored.

You can find these details at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Following are the important steps that we took in order to ensure that their cPanel servers pass the PCI Scan :-

- Installed a firewall : A server is not likely to pass the PCI Scan if there are unnecessary open ports. We installed CSF on the server. Alternatively, APF can also be used. We closed all the ports except for the ones required for the essential services. Certain standard ports like 2082, 2086 and 2095 could produce a negative result. So, we configured WHM to use the secure ports only.

- Updating the packages : Just run /scripts/upcp to update all the packages. Also, we had to make sure that Apache , PHP and MySQL were running the latest version.

The suggested versions are :

MySQL 4.1.22 or above
PHP 5.2.5 or above
Apache 1.3.39 or above ( Certain scans might require Apache 2.0.x )

OpenSSL 0.9.7j or above

cPanel suggests that you should keep cPAddons up to date as well.

- Disabled mod_userdir : If a site on the server can be accessed as http://serverip/~username

then it means that mod_userdir is ‘enabled’. We can disable it through WHM > Security Center > Apache mod_userdir Tweak

- SSL : At least, one SSL certificate from a recognized certificate authority is required. We

installed SSL for Apache. SSL can be installed for other services as well.

- Apache Setup should not be revealed: We all have seen the ’404 Error’ page at some point. Information about the Apache Setup

should not be available on that page. This can be achieved by adding the following lines to the ‘httpd.conf’ file :

ServerSignature Off

ServerTokens Prod

FileETag None

- Disable SSLv2 and other weak encryption methods : Some services doesn’t allow you to

choose between SSL protocols but most PCI Scan overlook it.

The Weak SSL cipher issue has been an headache for people who want to pass the scan.

Thankfully, cPanel 11.24 has got an in-built solution for that.

Just go to WHM > Apache Configuration > Global configuration and copy paste the following :

ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1

- mod FrontPage – It is likely to cause a scan failure. Therefore, we kept it disabled.

- Separate services – cPanel recommends that you keep services separate like MySQL server on

a local subnet, remote DNS only, no local BIND etc

- 2 factor authentication – This is another suggestion by cPanel that we adopted. A 2-factor

authentication procedure which requires a key and a passphrase.

- Besides all these, another important measure that we took was running the Nessus Scan.

It is a wonderful freely available tool to find any vulnerabilities on your server. You can find the details on the official Nessus website – http://nessus.org

Nessus basically consists of two parts, the server and the client. Once you are done with the two installations you need to add an user for the scanner and then you can start a scan on any remote server. The scan might take a while. It will give you a detailed report about all the package related vulnerabilities and any security loopholes. The best thing about Nessus is that it will also give you suggestions on how to fix those.

Thus, Nessus will tell you almost everything that needs to be done in order to achieve PCI Compliance.

I will be discussing about the installation and working of Nessus in the coming articles.

Let me tell you that different scan companies have a different approach . Hence, the requirements vary and they might have many more than the ones mentioned above. But these are the very basic ones that need to implemented for sure. I hope this article would be helpful for those looking forward to achieving PCI Compliance.

release notes:

http://docs.moodle.org/en/Moodle_1.9.5_release_notes

http://docs.moodle.org/en/Moodle_1.8.9_release_notes