Mon 14 Aug 2006
overview of what needs to be done during a server security setup and performance tweaking
Posted by Admin under Server Security

Here is the overview of what needs to be done during a server
security setup/performance tweaking. This only applies to cPanel based
servers. In this overview I will assume you all have a thorough knowledge of
cPanel AND Red Hat Linux. If you do not, make sure to let me know before you
proceed. If you don't understand something (whatever it is) make sure to ask
me before you proceed.
- First make sure the server is set up properly in WHM and that the proper
features are selected (open_basedir turned on, things like that). Again, I
assume you all know how it works.
- In WHM set up a user with username admin (and some random password). Then
turn off direct root login in the SSHD configuration, and add the username
admin to the wheel group (in /etc/group). In the SSHD configuration also make
sure to select a port other than port 22 and make sure to only use
protocol 2. Afterwards restart SSHD.
- Proceed by setting up APF. I assume you know how to configure it; make
sure to enable features such as USE_AD. With most servers egress filtering
is not necessary, but I'll leave that up to your judgement. Ingress
filtering should be configured with the ports that are necessary for cPanel, and
nothing else. Make sure to close port 22, and open a new port for SSH
instead (whichever port you used in the ssh configuration). It's quite good
to use this tutorial: eth0.us/?q=apf (don't forget to take out
port 22)
- Install BFD from rfxnetworks.net - this is very easy
- Install LSM from rfxnetworks.net - this is also very easy
- Install SIM from rfxnetworks.net and use the configuration wizard to
configure it. I assume you know what needs to be monitored. Make sure to set
it up so that it monitors the right services (make sure to leave FTP and
SMTP disabled) and make sure you enter the email address of the client when
it asks for the email address (you can find the client’s email address in
their ticket)
- Secure the tmp partitions (/tmp and /dev/shm). I assume you know how to do
this (fstab, noexec, nosuid and such).
- Run /scripts/compilers off (that’s all)
- Use this tutorial to secure sysctl: eth0.us/?q=sysctl
- Use /scripts/easyapache (option 6) to recompile Apache. Right now make
sure to use PHP4.3.11 (unless stated otherwise by the client) and enable
modules such as GD, curl, curl ssl, mcrypt.
- Use /scripts/installzendopt to install zend optimizer
- Use this tutorial to further secure PHP: eth0.us/?q=php
- Set up eaccelerator using the attached RPM (which will only work for 4.3.11;
do NOT use it if you have set up a different PHP version). Just run the
RPM, and afterwards do this:
  - pico /usr/lib/php.ini
  - press ctrl + w to search in the document and search for zend_extension
  - then insert this under that line:
    zend_extension="/usr/lib/php4/eaccelerator.so"
  - then save the file and exit
  - now create a directory called /tmp/eaccelerator and chmod it to 0777.
  - now restart apache. If the server is active and PHP scripts are
    running you'll see the /tmp/eaccelerator directory filling up with cached
    requests
  - It's important that you verify apache is running after this is done.
    If not, make sure to take out the line that you inserted in the php.ini and
    then restart apache again (then eaccelerator is disabled). If this ever
    happens let me know.
Lastly an important note about eaccelerator: if eaccelerator is running and
you upgrade apache to a different version, Apache will keep on failing until
eaccelerator is disabled. The proper procedure is: first disable
eaccelerator, then upgrade apache, then upgrade eaccelerator to the right
version.
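The php.ini edit and its rollback above, as an added example that is not part of the original post: the insert is idempotent and keeps a backup copy so the "take out the line" step becomes a single call. The php.ini path and the zend_extension line are the post's; the backup suffix and the constructed sample php.ini are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): enable eaccelerator in php.ini with a
# backup, so the rollback the post describes is one function call.
EACC_LINE='zend_extension="/usr/lib/php4/eaccelerator.so"'

# Write a small constructed php.ini (stand-in for /usr/lib/php.ini) to $1.
make_sample_ini() {
    printf 'extension_dir = "/usr/lib/php4"\n' > "$1"
    printf 'zend_extension="/path/to/ZendOptimizer.so"\n' >> "$1"
    printf 'memory_limit = 8M\n' >> "$1"
}

# Insert EACC_LINE directly under the first existing zend_extension line.
# Safe to run twice: a second run finds the line and changes nothing.
enable_eaccelerator() {
    ini="$1"
    grep -qF "$EACC_LINE" "$ini" && return 0       # already enabled
    cp "$ini" "$ini.pre-eaccelerator" || return 1   # keep a rollback copy
    awk -v line="$EACC_LINE" '
        { print }
        !done && /^zend_extension/ { print line; done = 1 }
    ' "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# Number of eaccelerator lines present (0 or 1 after a correct run).
eaccelerator_count() {
    grep -cF "$EACC_LINE" "$1" || true
}

# The rollback from the post: restore the pre-change php.ini. Run this and
# restart apache if apache refuses to come up after enabling eaccelerator.
disable_eaccelerator() {
    if [ -f "$1.pre-eaccelerator" ]; then
        mv "$1.pre-eaccelerator" "$1"
    else
        echo "no backup for $1, remove the zend_extension line by hand" >&2
        return 1
    fi
}
```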
- Use this guide to install mod_security: eth0.us/?q=mod_security
- Run the following commands:
chmod 750 /usr/bin/rcp
chmod 750 /usr/bin/wget
chmod 750 /usr/bin/lynx
chmod 750 /usr/bin/links
chmod 750 /usr/bin/scp
chmod 000 /etc/httpd/proxy/
- Make sure the kernel is up to date, and if not make sure to upgrade it to
the latest version. The same goes for all other system software.
- Enable mysql query cache by inserting the following two lines in
/etc/my.cnf (at the right place):
query-cache-type = 1
query-cache-size = 100M
You can adjust that 100M to whatever number you see fit. Make sure to
restart mysql afterwards.
- Install rkhunter and run it (if it shows errors make sure to run rkhunter
--update and try again when it's done). If it shows any problems make sure
to investigate.
Also set up the following in the crontab (each entry is a single line):
10 0 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1
25 0 * * * /usr/local/bin/rkhunter -c --nocolors --cronjob --report-mode --createlogfile --skip-keypress --quiet
- Enter this in /root/.bash_profile all the way at the bottom and replace
email@address.com by the email address of the client:
echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" email@address.com
- Enter this in /etc/motd:
This computer system is for authorized users only. All activity is logged
and regularly checked by systems personnel. Individuals using this system
without authority or in excess of their authority are subject to having all
their services revoked. Any illegal services run by a user or attempts to take
down this server or its services will be reported to local law enforcement,
and said user will be punished to the full extent of the law. Anyone using
this system consents to these terms.
- Tweak the httpd.conf. Mainly just look at how active Apache is and
increase the number of allowed connections to whatever it needs. Never
decrease this number.
- Furthermore it’s important to look at the specific purpose of the server
(if the server is already in use that shouldn’t be too hard to see, and if
the server isn’t in use yet just ask the client). If you see a specific
resource hog it’s important to focus on that and improve the server’s
performance as you see fit. Since you are all level 3 techs I expect a very
high level of intuition and knowledge, so I’m sure I can leave this up to
you. We will bend over for every customer any time, so just make sure the
server performs the best way possible.
- Lastly, and also very important, make sure to create a document like the one I sent
you before. You may use that document as a template. Make sure to work it all
out in full detail.
All this may be in a bit of a weird order because I just wrote it out in the
order it came to me. I will send you all another email with which servers
still need to be done today.
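As an added example that is not part of the original post, here is a small audit for two of the checklist items above, the SSHD settings (no port 22, no direct root login, protocol 2 only) and the noexec/nosuid options on /tmp and /dev/shm, run against copies of sshd_config and fstab. The defaults assumed when a keyword is absent (port 22, root login allowed, protocol 2,1), the sample port 2222 and the constructed config files are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit sshd_config and fstab against the
# checklist. Each printed line is a finding; return status = number of findings.

# First non-comment occurrence of a keyword, which is what sshd honours.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Defaults for absent keywords are assumed here (OpenSSH of that era).
audit_sshd() {
    n=0
    port=$(sshd_opt "$1" Port);              [ -n "$port" ]  || port=22
    root=$(sshd_opt "$1" PermitRootLogin);   [ -n "$root" ]  || root=yes
    proto=$(sshd_opt "$1" Protocol);         [ -n "$proto" ] || proto=2,1
    [ "$port" != "22" ] || { echo "ssh: still on port 22"; n=$((n+1)); }
    [ "$root" = "no" ]  || { echo "ssh: PermitRootLogin $root, want no"; n=$((n+1)); }
    [ "$proto" = "2" ]  || { echo "ssh: Protocol $proto, want 2"; n=$((n+1)); }
    return $n
}

# /tmp and /dev/shm must each have an fstab entry carrying noexec and nosuid.
audit_tmp_mounts() {
    n=0
    for mp in /tmp /dev/shm; do
        opts=$(awk -v m="$mp" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$1")
        [ -n "$opts" ] || { echo "mount: $mp has no fstab entry"; n=$((n+1)); continue; }
        for o in noexec nosuid; do
            case ",$opts," in
                *,"$o",*) ;;
                *) echo "mount: $mp lacks $o (has: $opts)"; n=$((n+1)) ;;
            esac
        done
    done
    return $n
}

# Constructed before/after configs written into directory $1 for a dry run.
write_samples() {
    printf 'Port 22\nProtocol 2,1\nPermitRootLogin yes\n' > "$1/sshd.weak"
    printf 'Port 2222\nProtocol 2\nPermitRootLogin no\n' > "$1/sshd.ok"
    printf '/dev/hda1 / ext3 defaults 1 1\n/dev/hda3 /tmp ext3 defaults 1 2\n' > "$1/fstab.weak"
    printf '/dev/hda3 /tmp ext3 defaults,noexec,nosuid 1 2\n' > "$1/fstab.ok"
    printf 'tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0\n' >> "$1/fstab.ok"
}
```

Run `audit_sshd /etc/ssh/sshd_config; audit_tmp_mounts /etc/fstab` on the real files once the SSH and tmp steps are done; a clean run prints nothing and exits 0.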