How to do hosting Server Auditing?

From PheonixSolutions

This page describes how to audit a hosting server. Run the commands below and prepare the report from their output.

1: Hostname

The hostname command fetches and displays the hostname of the server. The hostname is a label assigned to a device connected to a network, serving as its unique identifier.

  • Command = hostname

2: Update cPanel Version

Keeping the cPanel software up to date is crucial for security and performance. Check for available updates and apply them if a newer version is available.

3: IP Address

The ifconfig command lists the network interfaces on the server along with their assigned IP addresses.

  • Command = ifconfig

4: Date

The date command displays the current system date and time. This information is important for tracking events and ensuring that timestamps in logs are accurate.

  • Command = date

5: Uptime

The uptime command reveals how long the server has been running since its last reboot. This information helps assess the server's stability and performance over time.

  • Command = uptime

6: Disk Usage

The df -h command summarises disk space usage on the server, including total disk space, used space, available space and filesystem type.

  • Command = df -h

7: Memory Usage

The free -h command displays the amount of free and used memory (RAM) on the server, helping to monitor memory usage and identify potential resource constraints.

  • Command = free -h

8: Malware Hits

Performing malware scans using maldet helps detect and remove any malicious software present on the server. The output of the scan indicates if any malware was found and cleaned.

Note: always run maldet inside a screen session.

  • Commands:
  1. /usr/local/sbin/maldet -a /home/?/public_html
  2. /usr/local/sbin/maldet -a /home2/?/public_html
  3. /usr/local/sbin/maldet -a /tmp

The output looks like this:

maldet(18341): {scan} signatures loaded: 17045 (14225 MD5 | 2035 HEX | 785 YARA | 0 USER)
maldet(18341): {scan} building file list for /home/?/public_html, this might take awhile...
maldet(18341): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(18341): {scan} file list completed in 1s, found 1 files...
maldet(18341): {scan} scan of /home/?/public_html (1 files) in progress...
maldet(18341): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(18341): {scan} scan completed on /home/?/public_html: files 1, malware hits 0, cleaned hits 0, time 1s
maldet(18341): {scan} scan report saved, to view run: maldet --report 200804-2355.18341

You can also view the saved report using the report ID, for example:

maldet --report 200804-2355.18341
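The figures the report needs (files scanned, malware hits, cleaned hits and the report ID) can be pulled out of maldet's output mechanically. This is an added example, not part of the original page or of maldet; it assumes the "scan completed on ..." and "maldet --report <id>" line formats shown above and uses a constructed sample log.

```shell
#!/bin/sh
# Added example (not from the original page): pull the figures the report needs out of maldet's
# scan output. The parsing relies on the "scan completed on <path>: files N, malware hits N,
# cleaned hits N" and "maldet --report <id>" lines shown above.

# Constructed sample output modelled on the lines above: two scans, the /tmp one with hits.
MALDET_SAMPLE_LOG=$(cat <<'EOF'
maldet(18341): {scan} signatures loaded: 17045 (14225 MD5 | 2035 HEX | 785 YARA | 0 USER)
maldet(18341): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(18341): {scan} scan completed on /home/?/public_html: files 1, malware hits 0, cleaned hits 0, time 1s
maldet(18341): {scan} scan report saved, to view run: maldet --report 200804-2355.18341
maldet(18342): {scan} scan completed on /tmp: files 37, malware hits 2, cleaned hits 0, time 4s
maldet(18342): {scan} scan report saved, to view run: maldet --report 200804-2358.18342
EOF
)

# Print one "path files hits cleaned" line per completed scan read from stdin.
maldet_summary() {
    sed -n 's/^maldet([0-9]*): {scan} scan completed on \(.*\): files \([0-9]*\), malware hits \([0-9]*\), cleaned hits \([0-9]*\),.*/\1 \2 \3 \4/p'
}

# Total malware hits across all scans; anything above 0 needs follow-up in the report.
maldet_total_hits() {
    maldet_summary | awk '{ total += $3 } END { print total + 0 }'
}

# Report IDs, so each scan can be re-read later with "maldet --report <id>".
maldet_report_ids() {
    sed -n 's/.*maldet --report \([0-9-]*\.[0-9]*\)$/\1/p'
}

printf '%s\n' "$MALDET_SAMPLE_LOG" | maldet_summary
echo "total malware hits: $(printf '%s\n' "$MALDET_SAMPLE_LOG" | maldet_total_hits)"
```

On a real server, feed the functions the saved scan output (for example `maldet --report <id> | maldet_summary`) instead of the sample variable.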

calmscan and nikitoscan

9: Rootkit Check

Scanning for rootkits with rkhunter helps detect unauthorized modifications to system files and binaries, which could indicate a security breach.

  • Old rkhunter version: 1.3.6
  • New rkhunter version: 1.4.6

10: Kernel Version

  • Command = uname -srm

Current kernel version: 3.10.0-1127.8.2.el7.x86_64

New kernel version: 3.10.0-1127.18.2.el7.x86_64

11: Firewall

  • Command = csf -c

12: Compiler Access

In WHM, search for Compiler Access and note whether it is enabled or disabled. If it is enabled, disable it: log in to the server and run the command "which gcc", which shows the binary it points to; that file should have 750 permissions.

13: Tweak Settings

Tweak Settings → Security → Cookie IP Validation → select Disable.

14: SpamAssassin

In WHM, search for Service Manager and check the status of Apache SpamAssassin.

15: cPHulk Daemon

In WHM, search for Service Manager and check the status of the cPHulk daemon.

16: ClamAV for cPanel

In WHM, search for Manage Plugins and check the ClamAV for cPanel plugin.

17: Maximum Hourly Mail (For cPanel server)

In WHM, search for Tweak Settings, then search for Max hourly emails per domain and note the value. Set it to 300.

18: Prevent nobody from Sending Emails (For cPanel server)

In WHM, search for Tweak Settings, then search for Prevent "nobody" from sending mail and note the setting.

19: SMTP Tweak

In WHM, search for Tweak Settings, then search for SMTP; three results are found. Among them, check whether the setting marked (FKA SMTP Tweak) is on or off and note it.

20: Traceroute (For cPanel server)

In WHM, search for Traceroute, check whether it is enabled or disabled, and note it.

21: Apache mod_userdir Tweak (For cPanel server)

In WHM, search for Apache mod_userdir Tweak and note the setting.

22: Disable Functions

Open the PHP info page at http://IP/info.php, replacing IP with the server's actual IP address. Search for mod_user tweak and note it.

23: PHP open_basedir Protection

Open the PHP info page at http://IP/info.php, replacing IP with the server's actual IP address. Search for open_basedir and note it.

24: Password Policies - Default (For cPanel server)

Default Required Password Strength: in WHM, search for Password Strength Configuration.

25: Change SSH Port

Check the current SSH port with the following commands:

  1. grep Port /etc/ssh/sshd_config
  2. lsof -Pi|grep ssh

To change the default SSH port to a custom port, follow these three steps. First, open the configuration file:

  1. nano /etc/ssh/sshd_config

Locate the following line:

#Port 22

Remove the # and change 22 to the desired port number, then save the file. The change takes effect once the sshd service is restarted.

Remove unwanted services: NIL.

Disable direct root login and enable a wheel user account. If a wheel user has been created, update the details of the wheel and root users in the admin panel.
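The port check and the port change above, plus the root-login setting, can be rehearsed on a copy of sshd_config before the live file is edited. This is an added example, not part of the original page or of OpenSSH; the sample config it works on is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): inspect and change the sshd port in a copy of
# sshd_config before touching /etc/ssh/sshd_config. The constructed sample config below stands
# in for the real file.

# Print the active Port directives. A plain "grep Port" also matches "#Port 22" and
# "GatewayPorts"; sshd listens on 22 when no Port line is set, so report that instead of nothing.
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# Print the PermitRootLogin value (first occurrence wins, as in sshd), or "unset".
sshd_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${v:-unset}"
}

# The edit from the page: uncomment "#Port 22" and set the desired port. The first Port line,
# commented or not, is rewritten; a Port line is appended if the file has none.
sshd_set_port() {
    file=$1; port=$2
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then echo "port out of range: $port" >&2; return 1; fi
    tmp=$(mktemp)
    awk -v p="$port" '
        !done && $0 ~ /^[[:space:]]*#?[[:space:]]*[Pp]ort[[:space:]]/ { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed sample sshd_config with the stock commented-out default line.
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
# constructed sample sshd_config
#Port 22
#AddressFamily any
GatewayPorts no
PermitRootLogin yes
EOF

echo "ssh port(s): $(sshd_ports "$SSHD_SAMPLE")"
echo "PermitRootLogin: $(sshd_root_login "$SSHD_SAMPLE")"
```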

26: Files and Folder Permissions

We always check three permission patterns on the server.

First, change to the /home directory. Then check the file and folder permissions with the following commands:

find /home/*/public_html -type d -perm 777 > /tmp/folders_777_perm_list.txt

find /home/*/public_html -type f -perm 755 > /tmp/files_755_perm_list.txt

find /home/*/public_html -type f -perm 777 > /tmp/files_777_perm_list.txt

Then check the usernames in the listed paths and make a note of them. The usernames listed in the above files have insecure permissions; the remaining usernames are fine.
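The three find commands and the username extraction that follows them can be run as one script. This is an added example, not part of the original page; it builds a constructed home tree under a temp directory so it can be tried anywhere, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): run the three find checks above against a home
# tree and reduce the hits to the list of affected usernames for the report. A constructed tree
# under a temp dir stands in for /home so it can be tried anywhere; pass /home for the real audit.

# Write the three lists exactly as the commands above do, under <outdir> instead of /tmp.
perm_audit() {
    root=$1; outdir=$2
    find "$root"/*/public_html -type d -perm 777 > "$outdir/folders_777_perm_list.txt"
    find "$root"/*/public_html -type f -perm 755 > "$outdir/files_755_perm_list.txt"
    find "$root"/*/public_html -type f -perm 777 > "$outdir/files_777_perm_list.txt"
}

# Reduce one or more result lists to the unique usernames (the path component after <root>/).
affected_users() {
    root=$1; shift
    cat "$@" | sed -n "s|^$root/\([^/]*\)/public_html.*|\1|p" | sort -u
}

# Constructed sample tree: alice has a 777 folder, bob a 755 file, carol is clean.
umask 022
AUDIT_ROOT=$(mktemp -d)
AUDIT_OUT=$(mktemp -d)
for u in alice bob carol; do mkdir -p "$AUDIT_ROOT/$u/public_html"; done
mkdir "$AUDIT_ROOT/alice/public_html/uploads"
chmod 777 "$AUDIT_ROOT/alice/public_html/uploads"
touch "$AUDIT_ROOT/bob/public_html/run.sh" "$AUDIT_ROOT/carol/public_html/index.html"
chmod 755 "$AUDIT_ROOT/bob/public_html/run.sh"
chmod 644 "$AUDIT_ROOT/carol/public_html/index.html"

perm_audit "$AUDIT_ROOT" "$AUDIT_OUT"
echo "users with insecure permissions:"
affected_users "$AUDIT_ROOT" "$AUDIT_OUT"/*_perm_list.txt
```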