Script/AutoSecure for Cpanel(Auto Harden Cpanel)

MonsteR Member
edited January 2014 in Tutorials

Hey,
So I have been a part of this community for a few years and decided to make a script to auto-secure (harden) cPanel. There are a few reasons for me releasing this script; let's start.
I think (most/some) of the hosting community hasn't been doing its job to secure clients' sites/data on a server level.
I wanted to help a few people who don't know much about security and/or to make it more convenient to take a few steps to secure their cPanel.
Helping to secure the future, as we have all seen way too many recent security breaches down to misconfigurations.

This script is in the beta phase (Harden v0.5 Beta) and will do the following:

Basic hardening of sysctl.conf
Disable SELinux
Secures PHP
Configure CSF Custom Firewall Rules
Passive ports (Optional)
Secure SSH
Changes SSH port (optional)
Secures /etc/named.conf
Disables IPv6
Secures httpd.conf
Adds rules to:
    /etc/host.conf
    /etc/security/limits.conf
Mount Temp and Secure (Optional)
Secures MySQL
Turns off Unnecessary Processes

Installs Following Software:
Cpanel (optional)
ClamAV
RKHunter

This is pretty basic stuff at the moment, but as I have said, it is v0.5. With this being said, I am open to all suggestions written here or emailed to me via [email protected]. Also, please check out our website at http://samuraibit.com and help support this project and future projects to come (it will be updated to look nicer later on this week).

There is also stuff we have held back releasing which we hope to put in later versions of this. Here are a couple of things you can look forward to!
Mod_Security - with custom config
Securing FTP settings
and a ton more

Installation Instructions Below:

wget http://projects.samuraibit.com/autosecure/harden.sh
chmod 0755 harden.sh
sh harden.sh

Thanked by 1Spirit
RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
SamuraiBit Security

Comments

  • ...not really a script - more like a random binary:

    harden.sh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

    seems to be compiled for x86, needs ld-linux.so.2 and segfaults when I run it.
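
The check this comment did by hand with `file`, as an added example (not part of the original thread or of the author's script): a POSIX shell function that reads a download's leading bytes and reports when a file named `.sh` is an ELF binary rather than readable source. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a downloaded "installer" by its leading bytes
# before running it. Function names and sample files are constructed here.

# classify_download FILE -> prints elf32 | elf64 | script | unknown
classify_download() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 1; }
    # ELF starts 7f 45 4c 46; the fifth byte is the class (01=32-bit, 02=64-bit).
    magic=$(od -An -tx1 -N 5 "$f" | tr -d ' \n')
    case $magic in
        7f454c4601) echo elf32 ;;
        7f454c4602) echo elf64 ;;
        2321*)      echo script ;;    # "#!" shebang: readable source
        *)          echo unknown ;;   # no shebang, empty, or another format
    esac
}

# reviewable FILE -> exit 0 only for a shebang script that can be read first
reviewable() {
    [ "$(classify_download "$1")" = script ]
}

# Constructed samples: a 32-bit ELF header named .sh, and a real script.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '\177ELF\001\001\001' > "$tmp/harden.sh"
    printf '#!/bin/sh\necho hello\n' > "$tmp/source.sh"
    for s in harden.sh source.sh; do
        if reviewable "$tmp/$s"; then
            echo "$s: $(classify_download "$tmp/$s"), read it before running"
        else
            echo "$s: $(classify_download "$tmp/$s"), not a script, do not pass to sh"
        fi
    done
    rm -rf "$tmp"
}
demo
```

A `script` result only means the file can be read and reviewed; it says nothing about what the script does.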

  • edited January 2014

    "Cannot execute binary file" - Now how am I supposed to secure my cPanel servers?!

  • MonsteR Member
    edited January 2014

    @SegmentationFault 1 second, This will be down to the way I compiled it, Will recompile it now.

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • Could we see the source? I'm not all that fond of running random binaries I find on the Internet.

    Thanked by 1ryanarp
  • MonsteR Member
    edited January 2014

    @WebSearchingPro @SegmentationFault CharlesA
    wget http://projects.samuraibit.com/autosecure/harden64.sh
    chmod 777 harden64.sh
    ./harden64.sh

    Sorry for the delay here is a 64 Bit compile.

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • MonsteR Member
    edited January 2014

    @CharlesA said:
    Could we see the source? I'm not all that fond of running random binaries I find on the Internet.

    Hi,
    We might be able to set up a desktop share on my end, but as this is a private project as opposed to open source, I don't entirely want to give the source away, but I might be able to set up a page for you to view if you are interested?

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • I still can't get it to run, I get a segmentation fault.

  • @Spencer said:
    I still can't get it to run, I get a segmentation fault.

    Hi,
    Are you using cpanel + centos?

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • [[email protected] ~]# strace ./harden64.sh 
    execve("./harden64.sh", ["./harden64.sh"], [/* 21 vars */]) = 0
    brk(0)                                  = 0x1ec4000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f117f3e2000
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f117f3e1000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f117f3e0000
    arch_prctl(ARCH_SET_FS, 0x7f117f3e1680) = 0
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    +++ killed by SIGSEGV +++
    Segmentation fault
    

    ...

  • OK, it seems the way I encrypt it destroys it, so I will update it with the source :)

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • MonsteR Member
    edited January 2014

    @Spencer @SegmentationFault @CharlesA @WebSearchingPro
    Ok this should do it, please try
    wget http://projects.samuraibit.com/autosecure/harden.sh
    chmod 0755 harden.sh
    sh harden.sh
    Please enjoy, and it's the full source :)

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • @MonsteR said:
    We might be able to set up a desktop share on my end, but as this is a private project as opposed to open source, I don't entirely want to give the source away, but I might be able to set up a page for you to view if you are interested?

    Nah, that's fine, I was just curious.

  • @CharlesA said:
    Nah, that's fine, I was just curious.

    http://projects.samuraibit.com/autosecure/harden.sh
    This is the full source now anyway :) My encryption obfuscation method made the code not work, so I just posted the source here now.

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • Looks good overall. Perhaps you should reword the IPv6 disabling part because all I see that doing is turning off ip6tables, not disabling IPv6 entirely.
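
A way to check the distinction this comment draws, as an added example (not taken from harden.sh, whose source is not shown on this page): stopping ip6tables only removes the IPv6 packet filter, while the stack itself is off only when `net.ipv6.conf.all.disable_ipv6` is 1 or the IPv6 sysctl tree is absent. The function names, the optional ROOT prefix and the on/off FILTER argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: tell "ip6tables stopped" apart from "IPv6 disabled".
# ROOT is an optional path prefix (assumption) so the check can be run
# against a constructed /proc tree; leave it empty on a live host.

# ipv6_stack_state [ROOT] -> absent | disabled | enabled
ipv6_stack_state() {
    knob="$1/proc/sys/net/ipv6/conf/all/disable_ipv6"
    # No sysctl tree: ipv6 module not loaded, or booted with ipv6.disable=1.
    [ -r "$knob" ] || { echo absent; return 0; }
    if [ "$(cat "$knob")" = 1 ]; then echo disabled; else echo enabled; fi
}

# ipv6_interfaces [ROOT] -> non-loopback interfaces holding an IPv6 address
ipv6_interfaces() {
    table="$1/proc/net/if_inet6"
    [ -r "$table" ] || return 0
    # Columns: address, ifindex, prefix length, scope, flags, device name.
    awk '$6 != "lo" && !seen[$6]++ { out = out (out ? " " : "") $6 }
         END { print out }' "$table"
}

# ipv6_verdict ROOT FILTER   (FILTER: on|off, are ip6tables rules loaded?)
ipv6_verdict() {
    state=$(ipv6_stack_state "$1")
    nics=$(ipv6_interfaces "$1")
    case "$state:$2" in
        absent:*|disabled:*) echo "off" ;;
        enabled:on)          echo "filtered: $nics" ;;
        enabled:off)         echo "unfiltered: $nics" ;;  # stack up, no filter
        *)                   echo "unknown" ;;
    esac
}

# Read-only check of the machine this runs on.
echo "this host: IPv6 stack $(ipv6_stack_state)"
```

An `unfiltered` verdict is the case the comment warns about: IPv6 is still up on the listed interfaces and nothing is filtering it.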

  • MonsteR Member
    edited January 2014

    @CharlesA said:
    Looks good overall. Perhaps you should reword the IPv6 disabling part because all I see that doing is turning off ip6tables, not disabling IPv6 entirely.

    Yeah, either way I'm going to be working on updating some of the stuff. Also, any suggestions or input is great, and we're looking for some new developers who know a lot about security, C/C++ and Bash. For all of your suggestions and applications please email support[at]samuraibit.com

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • ^ You should use curl instead of wget, as wget is not included in the minimal images of some distros (most notably CentOS) now, but curl is still a standard in all distros; and can download a file with identical parameters.

    Either that, or check that wget exists first (you can't assume anything!)

    The same thing goes for how you extract it, either with tar and gzip, or just tar, or bunzip, or unzip, or libgzip, ...

    Acting Director of Albino Geek Services Ltd. My Keybase ID ( gh )
    GoodHosting.co | Enterprise KVM Virtual Private Servers | Twitter / Status : @ GoodHostingCo

  • MonsteR Member
    edited January 2014

    @HardCloud said:
    ^ You should use curl instead of wget, as wget is not included in the minimal images of some distros (most notably CentOS) now, but curl is still a standard in all distros; and can download a file with identical parameters.

    Either that, or check that wget exists first (you can't assume anything!)

    The same thing goes for how you extract it, either with tar and gzip, or just tar, or bunzip, or unzip, or libgzip, ...

    On the install cPanel stage it installs wget and tar :) At least it should do; I will need to double check tomorrow, as I could be thinking of v1.0, which I started.

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • @MonsteR said:

    Ahh, alright. But if installing cPanel is optional, should it not check for these earlier?

    Acting Director of Albino Geek Services Ltd. My Keybase ID ( gh )
    GoodHosting.co | Enterprise KVM Virtual Private Servers | Twitter / Status : @ GoodHostingCo

  • MonsteR Member
    edited January 2014

    @HardCloud It installs them if yes or no, but in the next v I will add them within their own section. Sorry for the confusion.

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security
  • Done a few updates. Also working on the site a little; had a long day today, so might leave it at that.

    RaptorNode.com - DDoS Protected|VPS|Cloud|Dedicated Servers|Collocation - Los Angeles, CA
    SamuraiBit Security