cPanel Security Advisor

Version: 1.04

Important

Apache vhosts are not segmented or chroot()ed.

Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”. Note that this may break the ability to access mailman via Apache.

ClamAV is not installed.

Install ClamAV within "Manage Plugins".

The system kernel is at version “3.10.0-1062.1.1.el7.x86_64”, but an update is available: 3.10.0-1062.4.3.el7.x86_64

Update the system (run “yum -y update” on the command line), then reboot it so the new kernel is loaded.

The MySQL service is currently configured to listen on all interfaces: (bind-address=*)

Configure bind-address=127.0.0.1 in /etc/my.cnf, or close port 3306 in the server’s firewall.

SSH direct root logins are permitted.

Manually edit /etc/ssh/sshd_config and change PermitRootLogin to “without-password” or “no”, then restart SSH in the “Restart SSH” area.

Recommendations

Use Imunify360 for complete protection against attacks on your servers.

Imunify360 delivers sophisticated detection and display of security threats, powered by a self-learning firewall with herd immunity. It blocks attacks in real-time using a combination of technologies, including:

  • Proactive Defense™
  • Smart Intrusion Detection and Protection System
  • Malware Detection
  • Patch Management via KernelCare

Use KernelCare to automate kernel security updates without reboots.

KernelCare provides an easy and effortless way to ensure that your operating system uses the most up-to-date kernel without the need to reboot your server. After you purchase and install KernelCare, you can obtain and install the KernelCare "Extra" Patchset, which includes symlink protection.

Information

Apache Symlink Protection: mod_ruid2 loaded in Apache

mod_ruid2 is enabled in Apache. For it to help protect against symlink attacks, Jailed Apache also needs to be enabled. If this is not set properly, you should see an indication in Security Advisor (this page) in the sections for “Apache vhosts are not segmented or chroot()ed” and “Users running outside of the jail”. If those are not present, your users should be properly jailed. Review Symlink Race Condition Protection for further information.

Verified

cPHulk Brute Force Protection is enabled.

MySQL test database does not exist.

MySQL check for anonymous users

Password strength requirements are strong.

The system did not detect processes with outdated binaries.

SSH password authentication is disabled.

Current SSH version is up to date: 7.4p1-21.el7

SCGI is disabled, currently using the recommended suEXEC.

The pseudo-user “nobody” is not permitted to send email.

Outbound SMTP connections are restricted.

Apache is being queried to determine the actual sender when mail originates from the “nobody” pseudo-user.