Script/AutoSecure for Cpanel(Auto Harden Cpanel)

MonsteR Member
edited January 2014 in Tutorials

Hey,
So I have been a part of this community for a few years and decided to make a script to Auto Secure (Harden) cPanel. There are a few reasons for me releasing this script, so let's start.
I think (most/some) of the hosting community hasn't been doing its job to secure clients' sites/data on a server level.
I wanted to help a few people who don't know much about security and/or to make it more convenient to take a few steps to secure their cPanel.
Helping to secure the future, as we have all seen way too many recent security breaches down to misconfigurations.

This script is in the beta phase (Harden v0.5 Beta) and will do the following:

Basic hardening of sysctl.conf
Disable SELinux
Secures PHP
Configure CSF Custom Firewall Rules
Passive ports (Optional)
Secure SSH
Changes SSH port (optional)
Secures /etc/named.conf
Disables IPv6
Secures httpd.conf
Adds rules to /etc/host.conf and /etc/security/limits.conf
Mount Temp and Secure (Optional)
Secures MySQL
Turns off Unnecessary Processes

Installs Following Software:
Cpanel (optional)
ClamAV
RKHunter

This is pretty basic stuff at the moment, but as I have said, it is v0.5. With this being said, I am open to all suggestions written here or emailed to me via [email protected]. Also please check out our website at http://samuraibit.com and help support this project and future projects to come (it will be updated to look nicer later on this week).

There is also stuff we have held back releasing which we hope to put in later versions of this. Here are a couple of things you can look forward to!
Mod_Security- With Custom config
Securing FTP settings
and a ton more

Installation Instructions Below:

wget http://projects.samuraibit.com/autosecure/harden.sh
chmod 0755 harden.sh
sh harden.sh

Thanked by 1 Spirit

Comments

  • ...not really a script - more like a random binary:

    harden.sh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

    seems to be compiled for x86, needs ld-linux.so.2 and segfaults when I run it.
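The check reported in the comment above can be done before anything is executed. The following is an added example, not part of the original thread or of harden.sh: it classifies a downloaded file by its leading bytes and refuses anything that is not a script with an interpreter line. The function names and sample files are assumptions of this example, and a file that passes still has to be read before it is run.

```shell
#!/bin/sh
# Added example: classify a downloaded file by its leading bytes before running it.

# Print "elf", "script" or "unknown" for the file given as $1.
classify_download() {
    # First four bytes as hex with separators removed; 7f454c46 is the ELF magic.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        2321*)    echo script ;;   # "#!" interpreter line
        *)        echo unknown ;;
    esac
}

# Return 0 only when the file starts with an interpreter line; refuse otherwise.
is_readable_script() {
    kind=$(classify_download "$1")
    if [ "$kind" = script ]; then
        return 0
    fi
    echo "refusing $1: leading bytes say '$kind', not a shell script" >&2
    return 1
}

# Constructed sample files standing in for downloads (not the real harden.sh).
demo_dir=$(mktemp -d)
printf '\177ELF\001\001\001' > "$demo_dir/binary.sh"     # ELF header start
printf '#!/bin/sh\necho hello\n' > "$demo_dir/real.sh"   # ordinary script
printf 'echo no shebang\n' > "$demo_dir/plain.sh"        # text, no "#!"

for f in binary.sh real.sh plain.sh; do
    echo "$f: $(classify_download "$demo_dir/$f")"
done
```
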

  • edited January 2014

    "Cannot execute binary file" - Now how am I supposed to secure my cPanel servers?!

  • MonsteR Member
    edited January 2014

    @SegmentationFault 1 second, This will be down to the way I compiled it, Will recompile it now.

  • Could we see the source? I'm not all that fond of running random binaries I find on the Internet.

    Thanked by 1 ryanarp
  • MonsteR Member
    edited January 2014

    @WebSearchingPro @SegmentationFault CharlesA
    wget http://projects.samuraibit.com/autosecure/harden64.sh
    chmod 777 harden64.sh
    ./harden64.sh

    Sorry for the delay here is a 64 Bit compile.

  • MonsteR Member
    edited January 2014

    @CharlesA said:
    Could we see the source? I'm not all that fond of running random binaries I find on the Internet.

    Hi,
    we might be able to set up a desktop share on my end, but as this is a private project as opposed to open source, I don't entirely want to give the source away, but I might be able to set up a page for you to view if you are interested?

  • I still can't get it to run, I get a segmentation fault.

  • @Spencer said:
    I still can't get it to run, I get a segmentation fault.

    Hi,
    Are you using cpanel + centos?

  • [segfault@test ~]# strace ./harden64.sh 
    execve("./harden64.sh", ["./harden64.sh"], [/* 21 vars */]) = 0
    brk(0)                                  = 0x1ec4000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f117f3e2000
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f117f3e1000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f117f3e0000
    arch_prctl(ARCH_SET_FS, 0x7f117f3e1680) = 0
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    +++ killed by SIGSEGV +++
    Segmentation fault
    

    ...

  • Ok, it seems the way I encrypt it destroys it, so I will update it with the source :)

  • MonsteR Member
    edited January 2014

    @Spencer @SegmentationFault @CharlesA @WebSearchingPro
    Ok this should do it, please try
    wget http://projects.samuraibit.com/autosecure/harden.sh
    chmod 0755 harden.sh
    sh harden.sh
    Please enjoy, and it's the full source :)

  • @MonsteR said:
    we might be able to set up a desktop share on my end, but as this is a private project as opposed to open source, I don't entirely want to give the source away, but I might be able to set up a page for you to view if you are interested?

    Nah, that's fine, I was just curious.

  • @CharlesA said:
    Nah, that's fine, I was just curious.

    http://projects.samuraibit.com/autosecure/harden.sh
    This is the full source now anyway :) My encryption/obfuscation method made the code not work, so I just posted the source here now.

  • Looks good overall. Perhaps you should reword the IPv6 disabling part because all I see that doing is turning off ip6tables, not disabling IPv6 entirely.
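The distinction raised in the comment above can be checked directly: whether the kernel's IPv6 stack is disabled is a separate question from whether ip6tables is running. The following is an added example, not code from harden.sh; it reads the `disable_ipv6` sysctls at runtime and in a sysctl.conf-style file. The function names, the ROOT argument and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether the kernel's IPv6 stack is disabled.
# ROOT lets the check run against a constructed tree; empty means the live system.

ipv6_state() {
    dir="${1:-}/proc/sys/net/ipv6/conf"
    # No IPv6 sysctl tree at all: the stack is not loaded in this kernel.
    if [ ! -d "$dir" ]; then echo absent; return 0; fi
    for scope in all default; do
        val=$(cat "$dir/$scope/disable_ipv6" 2>/dev/null)
        if [ "$val" != 1 ]; then echo enabled; return 0; fi
    done
    echo disabled
}

# Last uncommented value of KEY in a sysctl.conf-style FILE (empty if unset).
sysctl_conf_value() {
    awk -F= -v key="$1" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { last = v }
        END { print last }
    ' "$2"
}

# Succeeds only if both scopes are set to 1 in FILE, so the setting survives a reboot.
ipv6_persisted() {
    for scope in all default; do
        [ "$(sysctl_conf_value "net.ipv6.conf.$scope.disable_ipv6" "$1")" = 1 ] || return 1
    done
}

# Constructed sample data (not taken from harden.sh or from a real host).
demo=$(mktemp -d)
for state in on off; do
    mkdir -p "$demo/$state/proc/sys/net/ipv6/conf/all" "$demo/$state/proc/sys/net/ipv6/conf/default"
done
echo 0 > "$demo/on/proc/sys/net/ipv6/conf/all/disable_ipv6"
echo 0 > "$demo/on/proc/sys/net/ipv6/conf/default/disable_ipv6"
echo 1 > "$demo/off/proc/sys/net/ipv6/conf/all/disable_ipv6"
echo 1 > "$demo/off/proc/sys/net/ipv6/conf/default/disable_ipv6"
printf '# constructed\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6=1\n' > "$demo/sysctl.conf"
printf 'net.ipv6.conf.all.disable_ipv6 = 1\n#net.ipv6.conf.default.disable_ipv6 = 1\n' > "$demo/partial.conf"
```

On a live host, `ipv6_state` with no argument reads the real `/proc` tree and `ipv6_persisted /etc/sysctl.conf` checks the persistent setting.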

  • MonsteR Member
    edited January 2014

    @CharlesA said:
    Looks good overall. Perhaps you should reword the IPv6 disabling part because all I see that doing is turning off ip6tables, not disabling IPv6 entirely.

    Yeah, either way I'm going to be working on updating some of the stuff. Also any suggestions or input is great, and we're looking for some new developers who know a lot about security, C/C++ and Bash. For all of your suggestions and applications please email support[at]samuraibit.com

  • ^ You should use curl instead of wget, as wget is not included in the minimal images of some distros (most notably CentOS) now, but curl is still a standard in all distros; and can download a file with identical parameters.

    Either that, or check that wget exists first (you can't assume anything!)

    The same thing goes for how you extract it, either with tar and gzip, or just tar, or bunzip, or unzip, or libgzip, ...

  • MonsteR Member
    edited January 2014

    @HardCloud said:
    ^ You should use curl instead of wget, as wget is not included in the minimal images of some distros (most notably CentOS) now, but curl is still a standard in all distros; and can download a file with identical parameters.

    Either that, or check that wget exists first (you can't assume anything!)

    The same thing goes for how you extract it, either with tar and gzip, or just tar, or bunzip, or unzip, or libgzip, ...

    On the install cPanel stage it installs wget and tar :) At least it should do; I will need to double check tomorrow, as I could be thinking of v1.0 I started.

  • @MonsteR said:

    Ahh, alright. But if installing cPanel is optional, should it not check for these earlier?

  • MonsteR Member
    edited January 2014

    @HardCloud It installs them if yes or no, but in the next version I will add them within their own section. Sorry for the confusion.

  • Done a few updates. Also working on the site a little; had a long day today so might leave it at that.