Monday, August 8, 2011

cPanel Setup: Traceroute Tweak, SMTP Tweak

Traceroute Tweak is for hiding the server's IP, so that a cracker ("biscuit") has no choice but to DDoS the domain.
This helps secure the server, because the VPS's own domain (hostname) is not known, so most likely only one of the clients is hit by the attack. Once that client's bandwidth runs out, just add more from the VPS, and at the same time have the VPS block the cracker's IP.




We provide a professional cPanel server setup and hardening service. We can set up the cPanel control panel on Red Hat Enterprise Linux, CentOS, Fedora Linux and FreeBSD.
The default cPanel installations provided by most data centers are not secure. If you have an unmanaged server, you have to secure it yourself. Keeping the server on default settings can make a hacker's job easy.
Our cPanel server setup package offers:


  • Basic Cpanel/WHM Setup
  • Set proper hostname, DNS and rDNS
  • Shell Fork Bomb Protection
  • Tweak Settings
  • Update Config
  • PHP open_basedir Tweak - PHP's open_basedir protection prevents users from opening files outside of their home directory with PHP.
  • mod_userdir Tweak - Apache's mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URI on a specific host. For example, http://test.cpanel.net/~fred will bring up the user fred's domain. The disadvantage of this feature is that any bandwidth used by this site is counted against the domain it is accessed under (in this case test.cpanel.net). mod_userdir protection prevents this from happening. You may, however, want to disable it on specific virtual hosts (generally shared SSL hosts).
  • Compilers Tweak - This tweak disables the system's C and C++ compilers for unprivileged users. Many canned exploits require a working C compiler on the system. You can also choose to allow some users to use the compilers while they remain disabled by default.
  • Traceroute Tweak - This tweak disables the system's traceroute utility.
  • SMTP Tweak - This tweak prevents users from bypassing the mail server to send mail (a common practice used by spammers). It only allows the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.
  • Enable suexec - suexec allows CGI scripts to run with the user's ID. It also makes it easier to track which user has sent out an email. If suexec is not enabled, all CGI scripts run as nobody.
  • Exim Configuration
  • Disabling Anonymous Ftp
  • Configure Backup - need second HD or remote backup service
  • Secure /tmp folder
  • root login alert
  • Daily process, uptime reports
  • chkrootkit installation
  • Brute Force Detection
  • APF Firewall installation
  • Secure SSH Protocol 2
  • SSH on non default port
  • Disable Insecure commands
  • Disable telnet and other not used services
  • Mod_security (prevent most hacking attempts)
  • Secure host.conf/sysctl.conf
  • phpsuexec (only if needed; most data centers ask you to do this if your server sends out spam mail. phpsuexec has problems with some poorly coded scripts, so you may face problems with some scripts)
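
The SMTP Tweak item above limits outbound SMTP to the MTA, mailman and root. The following added example (not part of the original post and not cPanel's code) audits `iptables-save` output for that restriction, assuming the host enforces it with iptables owner-match rules; the function names, sample rulesets and numeric ids are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not cPanel's code): read `iptables-save` text on stdin and report
# whether outbound TCP/25 is limited to owner-matched processes, as the SMTP Tweak
# item describes. Only filter-table OUTPUT rules naming --dport 25 are examined;
# jumps to user-defined chains are not followed.
smtp_egress_verdict() {
  awk '
    /^\*/ { table = substr($0, 2) }                  # table header, e.g. *filter
    table != "filter" { next }
    /^:OUTPUT / { policy = $2 }                      # chain default policy
    !/^-A OUTPUT / || !/--dport 25( |$)/ || final { next }
    {
      owner = /-m owner/ && /--(uid|gid)-owner/      # rule is tied to a uid/gid
      loop  = /-o lo( |$)/ || /-d 127\./             # delivery to the local MTA
      if (/-j ACCEPT/ && !owner && !loop)      { verdict = "OPEN"; final = 1 }
      else if (/-j (REJECT|DROP)/ && !owner)   { verdict = "RESTRICTED"; final = 1 }
      else if (/-j ACCEPT/ && owner)           { allowed++ }
    }
    END {
      if (!final) verdict = (policy == "DROP") ? "RESTRICTED" : "OPEN"
      print verdict, "owner_rules=" (allowed + 0)
    }'
}

# Constructed sample: uid 0 = root; gids 12 and 41 stand in for mail and mailman.
sample_restricted() { cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner 12 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner 41 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample: an unowned ACCEPT sits above the REJECT, so any user gets out.
sample_shadowed() { cat <<'EOF'
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

sample_restricted | smtp_egress_verdict   # live host: iptables-save | smtp_egress_verdict
sample_shadowed   | smtp_egress_verdict
```

An `OPEN` verdict with a non-zero `owner_rules` count usually means the allow rules exist but rule ordering or a missing final REJECT/DROP leaves port 25 reachable for every local user.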