Improving Server Security Questions

Comments

4 comments

  • cPanelMichael
    Hello @bins_uk, The following document is helpful when initially setting up your server: Recommended Security Settings - cPanel Knowledge Base - cPanel Documentation Regarding the reports, I'll address each one individually:
    FTP Service AUTH TLS Command Support

    There's a thread on this topic at: Pure-FTPd Cipher Settings
    IMAP Service STARTTLS Command Support

    This is discussed on the following thread: Disabling STARTTLS for IMAP services.
    SSH Server Backported Security Patches

    Could you provide some more information about the specific data or test that was run for this particular report?
    FTP Clear Text Authentication

    You can adjust the TLS Encryption Support value to Required (Command/Data) via "WHM >> FTP Server Configuration": FTP Server Configuration - Documentation - cPanel Documentation
    HTTP Packet Inspection

    Could you provide some more information about the specific data or test that was run for this particular vulnerability?
    Mailman Detection

    You can disable the Mailman feature via "WHM >> Tweak Settings" and "WHM >> Service Manager", however there is currently an open bug report regarding the mailman aliases. This is discussed on the following thread: Disabling mailman
    BIND Version Gathering

    You can modify the /etc/named.conf file on the system and add the following line within the "Options" section (just above or below the "recursion no;" line is acceptable):
    version none;
    Then, restart Named via the /scripts/restartsrv_named command. Thank you.
    0
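As an added example (not part of the thread or of cPanel's documentation), the "version none;" edit described above as a script: it inserts the directive into the options block of a named.conf only if no version directive is already there, placing it right after "recursion no;" as the reply suggests, or directly after "options {" when that line is absent. The two configuration files are constructed samples written to temporary files; on a cPanel server the real file is /etc/named.conf.

```shell
#!/bin/sh
# Added example (not from the original thread): hide the BIND version string by
# adding "version none;" to the options {} block of a named.conf, idempotently.
# The sample files below are constructed; on cPanel the real file is /etc/named.conf.

# Insert "version none;" into the options block of $1 unless a version
# directive already exists. The directive goes right after "recursion no;"
# when that line is present, otherwise right after "options {".
hide_bind_version() {
    conf="$1"
    # A version directive (none or a custom string) is already there: leave it.
    grep -Eq '^[[:space:]]*version[[:space:]]' "$conf" && return 0
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+no;' "$conf"; then
        after_recursion=1
    else
        after_recursion=0
    fi
    awk -v after_recursion="$after_recursion" '
        { print }
        !done && after_recursion  && /^[ \t]*recursion[ \t]+no;/ { print "        version none;"; done = 1 }
        !done && !after_recursion && /^[ \t]*options[ \t]*[{]/   { print "        version none;"; done = 1 }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Exit 0 when $1 contains "version none;" (version.bind queries will be refused).
bind_version_hidden() {
    grep -Eq '^[[:space:]]*version[[:space:]]+none;' "$1"
}

# --- constructed sample 1: cPanel-style options block with "recursion no;" ---
conf_a="$(mktemp)"
cat > "$conf_a" <<'EOF'
options {
        directory "/var/named";
        recursion no;
        allow-transfer { none; };
};
zone "." IN { type hint; file "named.ca"; };
EOF

# --- constructed sample 2: minimal options block without a recursion line ---
conf_b="$(mktemp)"
cat > "$conf_b" <<'EOF'
options {
        directory "/var/named";
};
EOF

hide_bind_version "$conf_a"
hide_bind_version "$conf_a"    # second run must not add a duplicate line
hide_bind_version "$conf_b"

bind_version_hidden "$conf_a" && echo "sample 1: version hidden"
bind_version_hidden "$conf_b" && echo "sample 2: version hidden"
```

After editing the live file, restart the service as the reply says (/scripts/restartsrv_named) and confirm from another host that `dig @your.server version.bind txt chaos` no longer returns the version string.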
  • bins_uk
    Thanks for this great & detailed response. I did search for answers, but must have used the wrong search strings. Anyway, all implemented, and here is more info on the other bits:

    SSH Server Backported Security Patches
    Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives.

    HTTP Packet Inspection (2 reports)
    This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.
    Protocol version: HTTP/1.1
    SSL: no
    Pipelining: yes
    Keep-Alive: yes
    Options allowed: (Not implemented)
    Headers:
    Date: Wed, 01 Feb 2017 02:02:59 GMT
    Server: Apache
    Set-Cookie: dac8ea8dfedad2d1de375b143a684be4=s0ekbv31p4u62fbffj5g09itq2, path=...
    Location: example.com
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html, charset=utf-8
    ----------------------------------------
    This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.
    Protocol version: HTTP/1.1
    SSL: yes
    Pipelining: yes
    Keep-Alive: yes
    Options allowed: (Not implemented)
    Headers:
    Date: Wed, 01 Feb 2017 02:03:03 GMT
    Server: Apache
    X-Logged-In: False
    X-Content-Powered-By: K2 v2.7.1 (by JoomlaWorks)
    P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
    Expires: Wed, 17 Aug 2005 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: dac8ea8dfedad2d1de375b143a684be4=greq69brsg6bj0pvq6cgos1ri7, path=...
    Last-Modified: Wed, 01 Feb 2017 02:03:05 GMT
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html, charset=utf-8
    0
  • cPanelMichael
    SSH Server Backported Security Patches Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives.

    This is how the patches are handled by your Operating System, and is unrelated to the cPanel software. There's a URL where this is explained at: Security Backporting Policy - Red Hat Customer Portal You can use a command like this if you want to list security patches that were backported:
    rpm -q --changelog openssh | grep CVE
    HTTP Packet Inspection (2 reports) This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

    You can verify the following options are disabled via "WHM >> Service Configuration >> Apache Configuration >> Global Configuration":
    Trace Enable
    Server Signature
    Server Tokens (Product Only)
    File ETag
    Additionally, you can browse to "WHM >> Software >> MultiPHP INI Editor", switch to Editor Mode, search for the "expose_php" option, and set it to "No". Thank you.
    0
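The WHM options named above map onto the Apache directives TraceEnable, ServerSignature, ServerTokens and FileETag, plus expose_php in php.ini. As an added example (not part of the thread or of cPanel's tooling), the script below audits a config file for those settings and checks a captured response-header block for the kind of banner and cookie issues the scanner output above shows. Every file it reads is a constructed sample written to a temporary file; the header sample is modelled on the second report posted above with a shortened, constructed cookie. It assumes GNU-style grep/awk as found on a CentOS/cPanel host.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the Apache/PHP hardening
# settings discussed above and a captured HTTP response header block.
# All file contents below are constructed samples.

# Exit 0 when FILE ($1) has an uncommented line starting with REGEX ($2).
has_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1"
}

# Print one "WEAK: ..." line for each hardening setting missing from the
# Apache config ($1) or php.ini ($2). Prints nothing when all are in place.
audit_apache_conf() {
    conf="$1"; ini="$2"
    has_directive "$conf" 'TraceEnable[[:space:]]+Off' \
        || echo "WEAK: TraceEnable is not Off (server answers HTTP TRACE)"
    has_directive "$conf" 'ServerSignature[[:space:]]+Off' \
        || echo "WEAK: ServerSignature is not Off (version shown on error pages)"
    has_directive "$conf" 'ServerTokens[[:space:]]+(Prod|ProductOnly)([[:space:]]|$)' \
        || echo "WEAK: ServerTokens is not ProductOnly (Server header carries version)"
    has_directive "$conf" 'FileETag[[:space:]]+None' \
        || echo "WEAK: FileETag is not None (ETag built from inode/size/mtime)"
    has_directive "$ini" 'expose_php[[:space:]]*=[[:space:]]*(Off|0)([[:space:]]|$)' \
        || echo "WEAK: expose_php is not Off (X-Powered-By: PHP/x.y.z sent)"
    return 0
}

# Print one line per finding in a captured HTTP response header block ($1).
audit_response_headers() {
    h="$1"
    grep -Eiq '^Server:[[:space:]]*[^[:space:]]+/[0-9]' "$h" \
        && echo "LEAK: Server header carries a version string"
    grep -Eiq '^X-Powered-By:' "$h" \
        && echo "LEAK: X-Powered-By header present"
    grep -Eiq '^X-Content-Powered-By:' "$h" \
        && echo "LEAK: application banner header (set by the web app, not by Apache)"
    grep -Ei '^Set-Cookie:' "$h" | grep -Eivq 'httponly' \
        && echo "COOKIE: a Set-Cookie lacks HttpOnly"
    grep -Ei '^Set-Cookie:' "$h" | grep -Eivq ';[[:space:]]*secure' \
        && echo "COOKIE: a Set-Cookie lacks Secure"
    return 0
}

# --- constructed sample: Apache config and php.ini with weak settings ---
weak_conf="$(mktemp)"; weak_ini="$(mktemp)"
cat > "$weak_conf" <<'EOF'
ServerTokens Full
ServerSignature On
TraceEnable On
FileETag MTime Size
EOF
printf 'expose_php = On\n' > "$weak_ini"

# --- constructed sample: the same files hardened as the reply recommends ---
hard_conf="$(mktemp)"; hard_ini="$(mktemp)"
cat > "$hard_conf" <<'EOF'
ServerTokens ProductOnly
ServerSignature Off
TraceEnable Off
FileETag None
EOF
printf 'expose_php = Off\n' > "$hard_ini"

# --- constructed sample modelled on the second scanner report above ---
thread_hdrs="$(mktemp)"
cat > "$thread_hdrs" <<'EOF'
HTTP/1.1 200 OK
Date: Wed, 01 Feb 2017 02:03:03 GMT
Server: Apache
X-Logged-In: False
X-Content-Powered-By: K2 v2.7.1 (by JoomlaWorks)
Set-Cookie: sessid=greq69brsg6bj0pvq6cgos1ri7; path=/
Content-Type: text/html; charset=utf-8
EOF

echo "== weak config =="; audit_apache_conf "$weak_conf" "$weak_ini"
echo "== hardened config =="; audit_apache_conf "$hard_conf" "$hard_ini"
echo "== captured headers =="; audit_response_headers "$thread_hdrs"
```

Two things the captured headers show that the WHM settings alone will not change: "Server: Apache" is already the ProductOnly form, so that item is fine, while the "X-Content-Powered-By: K2 ..." banner is emitted by the web application rather than by Apache, so it has to be turned off in the application or stripped with a mod_headers `Header unset X-Content-Powered-By` directive.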
  • bins_uk
    Many thanks for your quick responses and help. This is great support others could learn from!
    0