Monday, March 1, 2010

Basic cPanel Server Hardening - Part 5

The last article in this series covered securing the /tmp directory; this article goes over adding some security specific to the root user. The root user is used for administration tasks and has access to everything on the server. If a hacker is able to gain access to the root account, they can do anything they want with your machine.

One of the easiest security enhancements you can make is to prevent the root user from logging in via SSH. Although some will disagree on how effective this is, I believe it is still a good idea, as I often see brute force attacks attempting to log in as root. You will still be able to log in as the root user, but you will have to sign in first as a regular user and then execute a special command to become the root user.

Depending on which Linux distribution you are using, it may already be disabled, but you should always check to be sure. To do this, open the file /etc/ssh/sshd_config in a text editor and confirm that PermitRootLogin is set to no. If it is set to yes, change it to no and restart the SSH daemon with the command
/etc/init.d/sshd restart

Now that you have made this change, you will need to run a special command each time you want to work as the root user. To sign in as root, first sign in as a regular user and then execute the command
su -
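The check above is easy to get wrong by eye: a commented-out "#PermitRootLogin no" line does nothing, sshd honours only the first global occurrence of a keyword, and a PermitRootLogin inside a Match block applies only to that block. The following script is an added example written for this article (it is not from the original post or from cPanel) that reads an sshd_config file the way sshd parses it, reports the effective global value, and rewrites the file so the value is "no". The function names and the constructed sample file are assumptions of the example; when no global directive exists it reports "default" rather than guessing the compiled-in default, which varies by OpenSSH version.

```shell
#!/bin/sh
# Added example (not from the original article): audit and fix PermitRootLogin
# in an sshd_config file using the parsing rules sshd itself applies:
#   - blank lines and lines beginning with '#' are ignored
#   - keyword and value are separated by whitespace or '='; keywords are
#     case-insensitive
#   - the FIRST global occurrence of a keyword wins; later duplicates are ignored
#   - everything after a "Match" line belongs to a Match block and is not global
# Assumption: with no global directive we print "default" instead of guessing,
# because the compiled-in default depends on the OpenSSH version.

# Print the effective global PermitRootLogin value, or "default" if unset.
effective_permit_root_login() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                  # trim leading whitespace
            if (line == "" || line ~ /^#/) next       # comment or blank line
            split(line, w, "[ \t=]+")
            key = tolower(w[1])
            if (key == "match") in_match = 1          # rest of file is Match blocks
            if (in_match) next
            if (key == "permitrootlogin" && !found) { print tolower(w[2]); found = 1 }
        }
        END { if (!found) print "default" }
    ' "$1"
}

# Exit 0 only when root SSH logins are explicitly disabled.
root_login_disabled() {
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Rewrite the file so the effective global value is "no". An existing global
# directive is replaced in place; otherwise one is inserted at the top, ahead
# of any Match block, so that it really is global.
disable_root_login() {
    f="$1"
    tmp="$f.new.$$"
    if [ "$(effective_permit_root_login "$f")" = "default" ]; then
        { echo "PermitRootLogin no"; cat "$f"; } > "$tmp"
    else
        awk '
            {
                line = $0
                sub(/^[ \t]+/, "", line)
                key = ""
                if (line != "" && line !~ /^#/) { split(line, w, "[ \t=]+"); key = tolower(w[1]) }
                if (key == "match") in_match = 1
                if (!in_match && !done && key == "permitrootlogin") {
                    print "PermitRootLogin no"; done = 1; next
                }
                print                                  # every other line unchanged
            }
        ' "$f" > "$tmp"
    fi
    mv "$tmp" "$f"
}

# Demo on a constructed sample file (not a real server's config).
demo_dir=$(mktemp -d)
sample="$demo_dir/sshd_config"
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
echo "before: $(effective_permit_root_login "$sample")"   # yes (commented line does not count)
disable_root_login "$sample"
echo "after:  $(effective_permit_root_login "$sample")"   # no
rm -rf "$demo_dir"
```

Run the audit against a copy of /etc/ssh/sshd_config first; after changing the real file, validate it with "sshd -t" before restarting the daemon, and confirm from a second session that your regular user can still log in and "su -" to root, so a typo in the config or a broken su does not lock you out of the server.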

Another way that hackers attempt to gain access to the root account is by using a rootkit. A rootkit is basically just a collection of scripts installed on the server using a regular user account that run various exploits as that user to gain root access. Since this would be a very bad thing, you want to be alerted if someone does manage to break in and start installing rootkits.

There are a few options for keeping an eye out for root kits, but I like rkhunter. Install with the command
yum install rkhunter
and then execute it for the first time with the command
rkhunter --checkall
Once the initial execution is done, set up a crontab entry to run it once a day with the command
/usr/bin/rkhunter --checkall --cronjob
Once a day it will email you a report of its findings. If you prefer a smaller report, you can add --reportmode to the command. I actually prefer that my cron jobs have no output unless there is something that needs my attention, but that doesn't seem to be an option.

If someone does manage to install a rootkit on your server, it is time to consider reinstalling the operating system and starting the hardening process over again. This article concludes the operating system level hardening that I will be covering; the next article will start going into hardening cPanel itself.