Recommended Security Settings
Copyright © 2009 cPanel, Inc.

Revision History
Revision 1  Sept. 28, 2009
Revision 2  Oct. 16, 2009
Revision 3  Nov. 30, 2009
Revision 4  Dec. 9, 2009

Table of Contents
1. Recommended Security Settings
2. Recommended Security Settings Checklist
3. Authentication Method
4. Cookies
5. Require SSL
6. Security Token
6.1. Referrer Checking
7. Password Strength

1. Recommended Security Settings

This document describes the security settings cPanel recommends as of cPanel version 11.25. The scope of the discussion is limited to the cPanel/WHM product. Operating system and network security are addressed only where applicable.

2. Recommended Security Settings Checklist

The following tables summarize the recommended security settings discussed in this document.

Table 1. Tweak Settings Checklist

Setting | Recommendation
Disable HTTP Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication). | Enabled
Validate the IP addresses used in all cookie based logins. | Enabled
Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts | Disabled
Require SSL for all remote logins to cPanel, WHM and Webmail | Enabled
Require security tokens for all interfaces. | Enabled

Table 2. Security Center Checklist

Setting | Recommended Value
Default Password Strength | 50+

3. Authentication Method

Setting | Recommendation
Disable HTTP Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication). | Enabled

The design of HTTP Authentication does not allow for logging out of an authenticated session. Once an HTTP Authentication session is established, the credentials are cached by the browser until the browser application is terminated. Some browsers offer a way to flush the credentials, but it is neither reliable nor available in all browsers. Because the cached credentials are attached by the browser to every request for the protected realm, regardless of which page caused the request, they are a likely target for cross-site request forgery attacks, often abbreviated XSRF or CSRF.

Due to the inherent weaknesses of HTTP Authentication, cPanel recommends disabling its use with the product. This is done by checking the box of the Tweak Setting labeled:

• Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication.)

This will help prevent certain types of XSRF attacks that rely on cached Http Auth credentials. As noted in the Tweak Setting description, disabling HTTP Authentication forces the use of cookie based logins. Note that a session cookie is also sent automatically by the browser, so cookie based logins remain exposed to CSRF on their own; what they add is a session the server can end, expire or bind to an address (Section 4), and they combine with the security token (Section 6) to close the CSRF vector.

4. Cookies

Setting | Recommendation
Validate the IP addresses used in all cookie based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled. | Enabled

A malicious user who captures a cPanel session cookie, for example through a cross-site scripting (XSS) flaw or by sniffing a plain-text connection, can replay it to take over the session. Browsers provide little to no protection against this attack vector. To limit the use of stolen cPanel cookies, version 11.25 allows recording the originating IP address as part of the cookie during authentication. On subsequent requests the remote IP address is compared to the value recorded in the cookie. A mismatch causes an error and results in a request for re-authentication. It is recommended that this protection be enabled. Be aware that a legitimate user whose address changes during a session (for example behind a pool of outbound proxies) will also be asked to authenticate again.

Proxy Access with Cookie IP Validation

When using this feature it is strongly recommended that proxy domains be disabled. Requests that arrive via the proxy domains (the cpanel, webmail, webdisk and whm subdomains, which Apache forwards to the cPanel ports) reach cPanel from the local Apache proxy, so the cookie records the IP address of localhost (typically 127.0.0.1). Every proxied request, legitimate or not, then presents the same address, rendering the IP validation check moot.

To enable this protection, check the box for the following Tweak Setting:

• Validate the IP addresses used in all cookie based logins. This will limit the ability of attackers who capture cPanel session cookies to use them in an exploit of the cPanel or WebHost Manager interfaces. For this setting to have maximum effectiveness, proxydomains should also be disabled.

To disable proxy domains, uncheck the boxes for the following Tweak Settings:

• Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)
• Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled it will add appropriate proxy subdomain DNS entries to all existing accounts. (Use /scripts/proxydomains to reconfigure the DNS entries manually)

5. Require SSL

Setting | Recommendation
Require SSL for all remote logins to cPanel, WHM and Webmail. | Enabled

Whether using HTTP or cookie based authentication, if the authentication happens on ports 2082 (cPanel), 2086 (WHM) or 2095 (Webmail) the login credentials are sent in plain text; the SSL counterparts of these ports are 2083, 2087 and 2096. Requiring authentication to happen via SSL or TLS is a basic way of improving system security. In the past system administrators were required to block the non-SSL cPanel ports using a firewall.

cPanel 11.25 and newer allow disabling the use of ports 2082, 2086 and 2095 for remote authentication. Requests that originate from localhost may still use these ports for authentication. To disable the use of ports 2082, 2086 and 2095 for remote authentication purposes, check the box for the following Tweak Setting:

• Require SSL for all remote logins to cPanel, WHM and Webmail.

This setting is recommended. When the Tweak Setting is enabled, remote authentication requests to ports 2082, 2086 and 2095 will encounter a page directing the user to the proper port. The redirection is not automatic; the user must follow the link. Note also that the localhost exemption covers requests forwarded by the proxy domains (Section 4), since they reach cPanel from the local Apache proxy; unless the proxy virtual host itself is served over SSL, the credentials still travel in plain text between the browser and Apache.

6. Security Token

Setting | Recommendation
Require security tokens for all interfaces. | Enabled

Cross-site request forgery, often abbreviated as CSRF or XSRF, exploits the trust a website has in a user's browser: the browser attaches the user's credentials to any request for the site, whether the user or a page under an attacker's control triggered it. By exploiting that trust a malicious user can execute unauthorized commands on a website. CSRF attacks rely upon two items to accomplish a successful attack:

• Access to authentication credentials, that is, a victim whose browser is currently logged in
• Surreptitious execution of a command (a URL), for example loaded as an image or hidden form on a page the victim visits

To prevent CSRF attacks cPanel can insert into the URL a token unique to the login session (a path component of the form /cpsessNNNNNNNNNN/). Requests without the token produce an error and a request for authentication. This effectively thwarts CSRF attacks, as the attacking URL, prepared without knowledge of the victim's session, will not contain the token.

To activate the security token feature, check the box for the following Tweak Setting:

• Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software and third party themes.

Caution

Use of the security token feature may cause usability problems with custom scripts and third-party applications that integrate with cPanel or WHM, since they must obtain the token at login and carry it in every URL they request. It is recommended to verify that the third party application is compatible with security tokens. For applications that are not compatible it is recommended that the URL Referrer checks be enabled.

6.1. Referrer Checking

Caution

It is strongly recommended to use the security token feature rather than the Referrer checks. The Referrer checks are not as dependable a security mechanism. A browser sends no Referer when, for instance, it follows a link from an HTTPS page to an HTTP page, and proxies and privacy tools often strip the header, so an attacker can arrange for the forged request to arrive with a blank referrer. The checks are therefore only dependable when the "blank referer" check is enabled, and enabling the "blank referer" check will result in an unacceptable number of false positives. The security token works even when the browser is hiding its referrer.

The HTTP Referer header (the name is misspelled in the HTTP specification itself; the English word is "referrer") identifies the address of the web page that links to the requested web page. The identification is performed from the point of view of the requested web page.

Example 1. Referer
When a user follows a hyperlink on www.example.com that points to www.example.org, the request to www.example.org carries a Referer of www.example.com.

If use of Security Tokens is not possible it is recommended the following settings be enabled in Tweak Settings:

1. Only permit cpanel/whm/webmail to execute functions when the browser provides a referrer
2. Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL.

7. Password Strength

Setting | Recommendation
Default Required Password Strength | 50+

Weak passwords provide little protection against brute force attacks. Within Web Host Manager's Security Center you can use the Password Strength Configuration interface to require that new passwords meet a minimum threshold. cPanel recommends setting the minimum threshold to 50 as a starting point. The default threshold may be inherited by the granular thresholds, or overridden.

The minimum password strength requirement only applies to passwords created and modified through the product; existing passwords are not re-checked. The feature does not configure PAM to enforce the requirements, so a user with shell access may be able to change his password to a weaker one using the passwd system utility. Where shell access is granted, enforce a comparable policy at the PAM level as well.
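As an added illustration that is not part of this document and not cPanel's code, the following Python model shows the three server-side checks described in Sections 4, 6 and 6.1 working together: a session cookie bound to the originating IP address, the per-session security token carried as the first path component of every URL, and the two Referer checks offered as a fallback. It also reproduces the two failure modes the text warns about: a cookie stolen from a user who logged in through a proxy domain passes the IP check because every proxied request arrives from 127.0.0.1, and the Referer check lets a forged request through when the browser sends no Referer unless blank referrers are rejected. The Request fields, the SessionStore, the token format (cpsess followed by ten digits) and the hostnames and addresses are assumptions made for the example.

```python
"""Toy model of the cPanel 11.25 session protections from Sections 4, 6 and 6.1
(cookie IP validation, the per-session security token, the Referer checks).
Added example, not cPanel code: request fields, store, token format and the
example hosts/addresses are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

LOCALHOST = "127.0.0.1"  # address every proxy-domain request presents to cPanel


@dataclass
class Request:
    cookie: Optional[str]     # session cookie value, None if the browser sent none
    client_ip: str            # address the request appears to originate from
    url: str                  # full URL requested, including any token path component
    referer: Optional[str]    # Referer header, None when the browser sent none


class SessionStore:
    """Server-side sessions; validate_ip mirrors the Section 4 Tweak Setting."""

    def __init__(self, validate_ip: bool = True) -> None:
        self.validate_ip = validate_ip
        self._sessions: dict = {}

    def login(self, user: str, client_ip: str) -> tuple:
        """Issue a cookie and a security token; record the originating IP."""
        cookie = secrets.token_hex(16)
        token = "cpsess%010d" % secrets.randbelow(10**10)   # assumed token format
        self._sessions[cookie] = {"user": user, "ip": client_ip, "token": token}
        return cookie, token

    def authenticate(self, req: Request) -> Optional[str]:
        """Return the user for a valid cookie, or None to force re-authentication."""
        sess = self._sessions.get(req.cookie)
        if sess is None:
            return None
        if self.validate_ip and sess["ip"] != req.client_ip:
            return None            # cookie replayed from a different address
        return sess["user"]

    def check_token(self, req: Request) -> bool:
        """Section 6: the first path component must be this session's token."""
        sess = self._sessions.get(req.cookie)
        if sess is None:
            return False
        parts = urlsplit(req.url).path.split("/")
        return len(parts) > 1 and secrets.compare_digest(parts[1], sess["token"])


def referer_allows(req: Request, reject_blank: bool, exact_match: bool) -> bool:
    """Section 6.1: the two Referer Tweak Settings as a fallback to the token."""
    if req.referer is None:
        return not reject_blank
    if not exact_match:
        return True
    want, got = urlsplit(req.url), urlsplit(req.referer)
    return (want.hostname, want.port) == (got.hostname, got.port)


def scenarios() -> dict:
    """Checks against a victim session; every value is True when the model behaves."""
    host = "https://cpanel.example.com:2083"
    victim_ip, attacker_ip = "203.0.113.5", "198.51.100.9"     # constructed addresses
    store = SessionStore(validate_ip=True)
    cookie, token = store.login("alice", victim_ip)
    good = f"{host}/{token}/frontend/x3/index.html"
    forged = f"{host}/frontend/x3/mail/doaddpop.html?email=evil"   # constructed CSRF URL, no token
    evil = "https://evil.example/"
    return {
        "stolen_cookie_rejected": store.authenticate(Request(cookie, attacker_ip, good, None)) is None,
        "cookie_alone_passes_csrf": store.authenticate(Request(cookie, victim_ip, forged, evil)) == "alice",
        "csrf_blocked_by_token": not store.check_token(Request(cookie, victim_ip, forged, evil)),
        "real_request_has_token": store.check_token(Request(cookie, victim_ip, good, good)),
        "csrf_blocked_by_referer": not referer_allows(Request(cookie, victim_ip, forged, evil), False, True),
        "blank_referer_passes": referer_allows(Request(cookie, victim_ip, forged, None), False, True),
        "blank_referer_rejected": not referer_allows(Request(cookie, victim_ip, forged, None), True, True),
        "same_site_referer_allowed": referer_allows(Request(cookie, victim_ip, good, good), True, True),
    }


def proxy_defeats_ip_check() -> bool:
    """Section 4 caveat: through the proxy subdomain both the user and the
    attacker reach cPanel from 127.0.0.1, so a stolen cookie passes the IP check."""
    store = SessionStore(validate_ip=True)
    cookie, token = store.login("alice", LOCALHOST)            # user logged in via proxy
    url = f"http://cpanel.example.com/{token}/frontend/x3/index.html"
    return store.authenticate(Request(cookie, LOCALHOST, url, None)) == "alice"


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} {ok}")
    print(f"{'proxy_defeats_ip_check':28s} {proxy_defeats_ip_check()}")
```

The model makes the ordering of the checks explicit: the cookie alone still authenticates a forged request from the victim's own browser, which is why the token (or, failing that, the Referer check) has to sit behind cookie authentication rather than replace it.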