HowTo Server Auditing - Cpanel

From PheonixSolutions

This page describes how to audit a cPanel server. Run the commands below and prepare the audit report from their output.

1: Hostname

Displays the system's hostname.

  hostname

Update cPanel Version

We keep cPanel on a stable version. If a client asks for an upgrade to a newer version, we perform it. If a new version is available, apply the update when the server is next rebooted.

2: IP Address

Displays network interface configuration, including IP addresses.

 ifconfig

3: Date

Prints the current date and time.

 date

4: Uptime

Shows how long the system has been running, the number of logged-in users, and the load averages.

  uptime

5: Disk Usage

Displays disk space usage for mounted filesystems.

 df -h

6: Memory Usage

Shows memory usage in megabytes.

 free -m

7: Malware Hits

Uses maldet (Linux Malware Detect) to scan specific directories.

Note: always run maldet inside a screen session, as scans can take a long time.

 /usr/local/sbin/maldet -a /home/?/public_html
 /usr/local/sbin/maldet -a /home2/?/public_html
 /usr/local/sbin/maldet -a /tmp

The output looks like this:

 maldet(18341): {scan} signatures loaded: 17045 (14225 MD5 | 2035 HEX | 785 YARA | 0 USER)
 maldet(18341): {scan} building file list for /home/?/public_html, this might take awhile...
 maldet(18341): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
 maldet(18341): {scan} file list completed in 1s, found 1 files...
 maldet(18341): {scan} scan of /home/?/public_html (1 files) in progress...
 maldet(18341): {scan} 1/1 files scanned: 0 hits 0 cleaned
 maldet(18341): {scan} scan completed on /home/?/public_html: files 1, malware hits 0, cleaned hits 0, time 1s
 maldet(18341): {scan} scan report saved, to view run: maldet --report 200804-2355.18341

You can also view the saved report using the report ID shown in the output:

 maldet --report 200804-2355.18341
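As an added example (not from the original page), the shell snippet below pulls the figures the report needs out of a maldet scan log; the log text is a constructed sample in the format shown above.

```shell
#!/bin/sh
# Added example: summarise maldet scan output for the audit report.
# MALDET_SAMPLE is a constructed sample in the same format maldet prints.
MALDET_SAMPLE='maldet(18341): {scan} signatures loaded: 17045 (14225 MD5 | 2035 HEX | 785 YARA | 0 USER)
maldet(18341): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(18341): {scan} scan completed on /home/?/public_html: files 1, malware hits 0, cleaned hits 0, time 1s
maldet(18341): {scan} scan report saved, to view run: maldet --report 200804-2355.18341'

# Read a maldet log on stdin and print one line per completed scan:
#   <path> <files> <malware hits> <cleaned hits> <report id>
maldet_summary() {
    awk '
        /scan completed on / {
            # Reduce the "scan completed" line to its path and three counters.
            sub(/.*scan completed on /, "")
            sub(/: files /, " ")
            sub(/, malware hits /, " ")
            sub(/, cleaned hits /, " ")
            sub(/, time .*/, "")
            line = $0
        }
        /scan report saved, to view run: maldet --report / {
            # The report ID is the last field; pair it with the scan line above.
            print line, $NF
            line = ""
        }
    '
}

# Exit 0 if any completed scan in the log on stdin reported malware hits,
# so a wrapper script can flag the server for follow-up.
maldet_has_hits() {
    maldet_summary | awk '$3 > 0 { found = 1 } END { exit !found }'
}

printf '%s\n' "$MALDET_SAMPLE" | maldet_summary
```

Feed it a real log with `maldet -a /home/?/public_html | maldet_summary` or the saved report text.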

Also run clamscan and nikto scans and include their results.

8: Rootkit check

 rkhunter -c -sk

Old (installed) version: 1.3.6

New Rootkit Hunter version: 1.4.6

9: Kernel Version

Displays the current kernel version; compare it with the latest available version.

 uname -srm

Current kernel version: 3.10.0-1127.8.2.el7.x86_64

New kernel version: 3.10.0-1127.18.2.el7.x86_64

10: Firewall

ConfigServer Security & Firewall (CSF) manages the firewall configuration. Check whether a newer CSF version is available:

 csf -c

11: Compiler Access

Go to WHM → search for "Compiler Access" and check whether it is enabled or disabled. If it is enabled, disable it. To verify on the server, run "which gcc" to see which binary it points to; that file should have 750 permissions.

12: Tweak Settings

WHM → Tweak Settings → Security → Cookie IP Validation → select Disable.

13: SpamAssassin

Go to WHM → search for "Service Manager" → check the status of Apache SpamAssassin.

14: cPHulk Daemon

Go to WHM → search for "Service Manager" → check the status of the cPHulk daemon.

15: ClamAV for cPanel

Go to WHM → search for "Manage Plugins" → check the ClamAV for cPanel plugin.

16: Maximum hourly mail (For Cpanel server)

Go to WHM → Tweak Settings → search for "Max hourly emails per domain", note the current value, and set it to 300.

17: Prevent nobody from sending emails (For Cpanel server)

Go to WHM → Tweak Settings → search for "Prevent “nobody” from sending mail" and note its value.

18: SMTP Tweak

Go to WHM → Tweak Settings → search for "SMTP". Three results appear; check whether "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" is on or off and note it.

19: Traceroute (For Cpanel server)

Go to WHM → search for "Traceroute", check whether it is enabled or disabled, and note it.

20: Apache mod_userdir tweak (For Cpanel server)

Go to WHM → search for "Apache mod_userdir Tweak" and note its setting.

21: Disable functions

Open the PHP info page at http://IP/info.php, replacing IP with the server's actual IP address. Search for disable_functions and note the value. Remove info.php once the audit is finished, since it exposes the server's PHP configuration to anyone who can reach it.

22: php open_basedir Protection

Open the PHP info page at http://IP/info.php, replacing IP with the server's actual IP address. Search for open_basedir and note the value.

23: Password policies - Default (For Cpanel server)

Default Required Password Strength: go to WHM → search for "Password Strength Configuration" and note the default required strength.

24: Change SSH port

Check the current SSH port with the commands below:

  grep Port /etc/ssh/sshd_config
  lsof -Pi|grep ssh

To change the SSH port from the default to a custom port, follow these steps:

Run the following command:

  nano /etc/ssh/sshd_config

Locate the following line:

  Port 22

Remove the leading # and change 22 to the desired port number, then save the file. Before restarting sshd, make sure the new port is allowed in the firewall (CSF TCP_IN), otherwise you can lock yourself out of the server.

Remove Unwanted Services : NIL.

Disable direct root login and enable a wheel user account. If a wheel user has been created, record the wheel and root user details in the admin panel.

25: Files and folder permissions:

We always check three permission patterns on the server.

First, change to the /home directory (cd /home).

Then check the file and folder permissions:

  find /home/*/public_html -type d -perm 777 > /tmp/folders_777_perm_list.txt
  find /home/*/public_html -type f -perm 755 > /tmp/files_755_perm_list.txt
  find /home/*/public_html -type f -perm 777 > /tmp/files_777_perm_list.txt

Then look at the usernames in the listed paths and note them: the users listed in the files above have insecure permissions. The remaining users are fine.
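As an added example (not from the original page), the shell snippet below runs the same three find checks against a home root and prints the account names that own an insecure path, which is the list the report asks for. The home root and the constructed sample tree are assumptions of this example; on a real server call insecure_accounts with no argument to use /home.

```shell
#!/bin/sh
# Added example: list accounts with insecure public_html permissions.

# Print paths matching one check. $1 = home root, $2 = type (d or f), $3 = octal mode.
perm_list() {
    find "$1"/*/public_html -type "$2" -perm "$3" 2>/dev/null
}

# Print each account (the directory name under the home root) that owns at least
# one 777 directory, 755 file or 777 file under public_html, once each, sorted.
insecure_accounts() {
    root=${1:-/home}   # assumption: accounts live directly under this directory
    {
        perm_list "$root" d 777
        perm_list "$root" f 755
        perm_list "$root" f 777
    } | sed "s#^$root/##; s#/.*##" | sort -u
}

# Build a constructed sample tree so the check can be demonstrated offline.
# Prints the temporary directory that acts as the home root.
make_sample_home() {
    dir=$(mktemp -d)
    mkdir -p "$dir/alice/public_html/uploads" "$dir/bob/public_html" "$dir/carol/public_html"
    touch "$dir/alice/public_html/index.php" "$dir/bob/public_html/script.cgi" "$dir/carol/public_html/index.php"
    chmod 777 "$dir/alice/public_html/uploads"     # world-writable directory: flagged
    chmod 755 "$dir/bob/public_html/script.cgi"    # 755 file: flagged by the audit
    chmod 644 "$dir/carol/public_html/index.php"   # normal permissions: not flagged
    printf '%s\n' "$dir"
}

sample=$(make_sample_home)
insecure_accounts "$sample"
rm -rf "$sample"
```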