how to secure CentOS server using CWP features

how to secure CentOS server using CWP features

1. Enable CSF Firewall (in CWP.root in security menu you have CSF Firewall)
2. Change SSH port
3. Enable ModSecurity with OWASP security rules
4. Use only random generated passwords


How to enable CSF Firewall
In your CWP menu go to Security --> CSF Firewall and click on firewall enable



How to change SSH port
In your CWP menu go to Services Config --> SSH Configuration
now replace #22 with eg. 8404 and restart ssh server on index page of the CWP

You will need to add this port also in CSF Firewall
1. go to Security --> CSF Firewall --> Firewall Configuration
2. replace TCP_IN and TCP_OUT port 22 with your port
3. restart CSF Firewall

cut from configuration

Code: [Select]

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,2030,2031"


How to Install ModSecurity with OWASP security rules
In your CWP menu go to Security --> Mod Security and click on Install Mod Security



Use only random generated passwords
One of the most important things is to ALWAYS use random generated passwords with length 8+ characters.
CWP also has built in random password generator which will generate random password for each new account on creation.

One of best tools for that is here:
https://www.random.org/passwords/

Random passwords needs to be used for all public services like:
 - CMS applications like Wordpress admin user
 - FTP Passwords
 - Email Account Passwords
 - Account passwords
... and any other available on the internet

hi
i apply to change port but 22 is always work,

after changing port u need to restart ssh..

Admin you thinking to add comodo waf support for this panel?

CWAF, maybe if they will have some kind of interface for it which can be used.

3. Enable ModSecurity with OWASP security rules

Could you be more specific about this? Where and what it is?
Thanks

I got HUGE problems with the mod_security OWASP rules.
I've also started a stackoverflow thread but no help at all (http://stackoverflow.com/questions/28375602/syntax-error-on-owasp-rules)

I totally disable it...

Later on the night :X i broke the full system then reinstall whole machine/cwp/websites.
I'll try again to use owasp from scratch then check if my wp website is still causing that.

Was a full pain and im near to sure that i will get it again.

After doing those 3 steps I am getting many emails from root:

these are two exemples.

(1) email one
------------------------------
subject : Suspicious File Alert
--
email content:
Time:   Tue Apr 14 05:40:45 2015 -0400
File:   /tmp/apache-build/apr-util-1.5.3/xml/expat/conftools/mkinstalldirs
Reason: Script, starts with #!
Owner:  : (1000:1000)
Action: No action taken

(2) email two
---------------
subject : Suspicious process running under user postfix
email content:
Time:    Tue Apr 14 05:46:41 2015 -0400
PID:     6817 (Parent PID:1209)
Account: postfix
Uptime:  61 seconds


Executable:

/usr/libexec/postfix/smtpd


Command Line (often faked in exploits):

smtpd -n smtp -t inet -u -o stress=


Network connections by the process (if any):

tcp: 0.0.0.0:25 -> 0.0.0.0:0


Files open by the process (if any):

/dev/null
/dev/null
/dev/null
/var/spool/postfix/pid/inet.smtp
[eventpoll]
/etc/aliases.db
/etc/aliases.db


Memory maps by the process (if any):

001ee000-00203000 r-xp 00000000 fc:01 1185576    /lib/libresolv-2.12.so
00203000-00204000 ---p 00015000 fc:01 1185576    /lib/libresolv-2.12.so
00204000-00205000 r--p 00015000 fc:01 1185576    /lib/libresolv-2.12.so
00205000-00206000 rw-p 00016000 fc:01 1185576    /lib/libresolv-2.12.so
00206000-00208000 rw-p 00000000 00:00 0
00208000-0020c000 r-xp 00000000 fc:01 1185581    /lib/libplc4.so
0020c000-0020d000 r--p 00003000 fc:01 1185581    /lib/libplc4.so
0020d000-0020e000 rw-p 00004000 fc:01 1185581    /lib/libplc4.so
0020e000-00211000 r-xp 00000000 fc:01 1185567    /lib/libdl-2.12.so
00211000-00212000 r--p 00002000 fc:01 1185567    /lib/libdl-2.12.so
00212000-00213000 rw-p 00003000 fc:01 1185567    /lib/libdl-2.12.so
00213000-00216000 r-xp 00000000 fc:01 1185465    /lib/libcom_err.so.2.1
00216000-00217000 r--p 00002000 fc:01 1185465    /lib/libcom_err.so.2.1
00217000-00218000 rw-p 00003000 fc:01 1185465    /lib/libcom_err.so.2.1
0021a000-00231000 r-xp 00000000 fc:01 1185571    /lib/libnsl-2.12.so
00231000-00232000 r--p 00016000 fc:01 1185571    /lib/libnsl-2.12.so
00232000-00233000 rw-p 00017000 fc:01 1185571    /lib/libnsl-2.12.so
00233000-00235000 rw-p 00000000 00:00 0
00235000-00247000 r-xp 00000000 fc:01 1185147    /lib/libz.so.1.2.3
00247000-00248000 r--p 00011000 fc:01 1185147    /lib/libz.so.1.2.3
00248000-00249000 rw-p 00012000 fc:01 1185147    /lib/libz.so.1.2.3
00249000-00256000 r-xp 00000000 fc:01 1185488    /lib/liblber-2.4.so.2.10.2
00256000-00257000 r--p 0000d000 fc:01 1185488    /lib/liblber-2.4.so.2.10.2
00257000-00258000 rw-p 0000e000 fc:01 1185488    /lib/liblber-2.4.so.2.10.2
00258000-002b9000 r-xp 00000000 fc:01 264142     /usr/lib/libssl.so.1.0.1e
002b9000-002bb000 r--p 00061000 fc:01 264142     /usr/lib/libssl.so.1.0.1e
002bb000-002bf000 rw-p 00063000 fc:01 264142     /usr/lib/libssl.so.1.0.1e
002bf000-002fa000 r-xp 00000000 fc:01 263153     /usr/lib/libssl3.so
002fa000-002fb000 ---p 0003b000 fc:01 263153     /usr/lib/libssl3.so
002fb000-002fd000 r--p 0003b000 fc:01 263153     /usr/lib/libssl3.so
002fd000-002fe000 rw-p 0003d000 fc:01 263153     /usr/lib/libssl3.so
002fe000-00326000 r-xp 00000000 fc:01 262860     /usr/lib/libsmime3.so
00326000-00328000 r--p 00028000 fc:01 262860     /usr/lib/libsmime3.so
00328000-00329000 rw-p 0002a000 fc:01 262860     /usr/lib/libsmime3.so
00329000-0034a000 r-xp 00000000 fc:01 262906     /usr/lib/libnssutil3.so
0034a000-0034d000 r--p 00021000 fc:01 262906     /usr/lib/libnssutil3.so
0034d000-0034e000 rw-p 00024000 fc:01 262906     /usr/lib/libnssutil3.so
0034e000-00350000 r-xp 00000000 fc:01 1185437    /lib/libfreebl3.so
00350000-00351000 r--p 00001000 fc:01 1185437    /lib/libfreebl3.so
00351000-00352000 rw-p 00002000 fc:01 1185437    /lib/libfreebl3.so
00352000-00353000 r-xp 00000000 00:00 0          [vdso]
00353000-00481000 r-xp 00000000 fc:01 265142     /usr/lib/mysql/libmysqlclient.so.16.0.0
00481000-004c9000 rw-p 0012d000 fc:01 265142     /usr/lib/mysql/libmysqlclient.so.16.0.0
004c9000-004d0000 r-xp 00000000 fc:01 1185577    /lib/librt-2.12.so
004d0000-004d1000 r--p 00006000 fc:01 1185577    /lib/librt-2.12.so
004d1000-004d2000 rw-p 00007000 fc:01 1185577    /lib/librt-2.12.so
004d2000-004dc000 r-xp 00000000 fc:01 1180545    /lib/libkrb5support.so.0.1
004dc000-004dd000 r--p 00009000 fc:01 1180545    /lib/libkrb5support.so.0.1
004dd000-004de000 rw-p 0000a000 fc:01 1180545    /lib/libkrb5support.so.0.1
004e1000-00509000 r-xp 00000000 fc:01 1185569    /lib/libm-2.12.so
00509000-0050a000 r--p 00027000 fc:01 1185569    /lib/libm-2.12.so
0050a000-0050b000 rw-p 00028000 fc:01 1185569    /lib/libm-2.12.so
0050b000-00545000 r-xp 00000000 fc:01 1185580    /lib/libnspr4.so
00545000-00546000 r--p 00039000 fc:01 1185580    /lib/libnspr4.so
00546000-00547000 rw-p 0003a000 fc:01 1185580    /lib/libnspr4.so
00547000-00549000 rw-p 00000000 00:00 0
00549000-00587000 r-xp 00000000 fc:01 1185447    /lib/libgssapi_krb5.so.2.2
00587000-00588000 r--p 0003e000 fc:01 1185447    /lib/libgssapi_krb5.so.2.2
00588000-00589000 rw-p 0003f000 fc:01 1185447    /lib/libgssapi_krb5.so.2.2
00589000-005a0000 r-xp 00000000 fc:01 1185176    /lib/libpthread-2.12.so
005a0000-005a1000 r--p 00016000 fc:01 1185176    /lib/libpthread-2.12.so
005a1000-005a2000 rw-p 00017000 fc:01 1185176    /lib/libpthread-2.12.so
005a2000-005a4000 rw-p 00000000 00:00 0
005a4000-005bd000 r-xp 00000000 fc:01 262855     /usr/lib/libsasl2.so.2.0.23
005bd000-005be000 r--p 00018000 fc:01 262855     /usr/lib/libsasl2.so.2.0.23
005be000-005bf000 rw-p 00019000 fc:01 262855     /usr/lib/libsasl2.so.2.0.23
005bf000-005c1000 r-xp 00000000 fc:01 1180546    /lib/libkeyutils.so.1.3
005c1000-005c2000 r--p 00001000 fc:01 1180546    /lib/libkeyutils.so.1.3
005c2000-005c3000 rw-p 00002000 fc:01 1180546    /lib/libkeyutils.so.1.3
005c3000-005c8000 r-xp 00000000 fc:01 1185466    /lib/libnss_dns-2.12.so
005c8000-005c9000 r--p 00004000 fc:01 1185466    /lib/libnss_dns-2.12.so
005c9000-005ca000 rw-p 00005000 fc:01 1185466    /lib/libnss_dns-2.12.so
005d0000-005ee000 r-xp 00000000 fc:01 1185511    /lib/ld-2.12.so
005ee000-005ef000 r--p 0001d000 fc:01 1185511    /lib/ld-2.12.so
005ef000-005f0000 rw-p 0001e000 fc:01 1185511    /lib/ld-2.12.so
005f0000-00618000 r-xp 00000000 fc:01 1179660    /lib/libk5crypto.so.3.1
00618000-00619000 r--p 00028000 fc:01 1179660    /lib/libk5crypto.so.3.1
00619000-0061a000 rw-p 00029000 fc:01 1179660    /lib/libk5crypto.so.3.1
0061a000-0061b000 rw-p 00000000 00:00 0
0061b000-00627000 r-xp 00000000 fc:01 1185574    /lib/libnss_files-2.12.so
00627000-00628000 r--p 0000b000 fc:01 1185574    /lib/libnss_files-2.12.so
00628000-00629000 rw-p 0000c000 fc:01 1185574    /lib/libnss_files-2.12.so
00631000-00660000 r-xp 00000000 fc:01 1185522    /lib/libpcre.so.0.0.1
00660000-00661000 rw-p 0002e000 fc:01 1185522    /lib/libpcre.so.0.0.1
00661000-0080f000 r-xp 00000000 fc:01 262811     /usr/lib/libcrypto.so.1.0.1e
0080f000-0081f000 r--p 001ad000 fc:01 262811     /usr/lib/libcrypto.so.1.0.1e
0081f000-00826000 rw-p 001bd000 fc:01 262811     /usr/lib/libcrypto.so.1.0.1e
00826000-00829000 rw-p 00000000 00:00 0
00829000-009b9000 r-xp 00000000 fc:01 1179784    /lib/libc-2.12.so
009b9000-009ba000 ---p 00190000 fc:01 1179784    /lib/libc-2.12.so
009ba000-009bc000 r--p 00190000 fc:01 1179784    /lib/libc-2.12.so
009bc000-009bd000 rw-p 00192000 fc:01 1179784    /lib/libc-2.12.so
009bd000-009c0000 rw-p 00000000 00:00 0
009c0000-009dd000 r-xp 00000000 fc:01 1185463    /lib/libselinux.so.1
009dd000-009de000 r--p 0001c000 fc:01 1185463    /lib/libselinux.so.1
009de000-009df000 rw-p 0001d000 fc:01 1185463    /lib/libselinux.so.1
009f8000-009ff000 r-xp 00000000 fc:01 1185449    /lib/libcrypt-2.12.so
009ff000-00a00000 r--p 00007000 fc:01 1185449    /lib/libcrypt-2.12.so
00a00000-00a01000 rw-p 00008000 fc:01 1185449    /lib/libcrypt-2.12.so
00a01000-00a28000 rw-p 00000000 00:00 0
00a42000-00bb5000 r-xp 00000000 fc:01 1185478    /lib/libdb-4.7.so
00bb5000-00bb8000 rw-p 00172000 fc:01 1185478    /lib/libdb-4.7.so
00c8a000-00d02000 r-xp 00000000 fc:01 399243     /usr/libexec/postfix/smtpd
00d03000-00d06000 r--p 00078000 fc:01 399243     /usr/libexec/postfix/smtpd
00d06000-00d07000 rw-p 0007b000 fc:01 399243     /usr/libexec/postfix/smtpd
00d07000-00d09000 rw-p 00000000 00:00 0
00d09000-00e41000 r-xp 00000000 fc:01 262858     /usr/lib/libnss3.so
00e41000-00e44000 r--p 00138000 fc:01 262858     /usr/lib/libnss3.so
00e44000-00e46000 rw-p 0013b000 fc:01 262858     /usr/lib/libnss3.so
00e80000-00e83000 r-xp 00000000 fc:01 1185582    /lib/libplds4.so
00e83000-00e84000 r--p 00002000 fc:01 1185582    /lib/libplds4.so
00e84000-00e85000 rw-p 00003000 fc:01 1185582    /lib/libplds4.so
00ef8000-00f47000 r-xp 00000000 fc:01 1185553    /lib/libldap-2.4.so.2.10.2
00f47000-00f48000 r--p 0004f000 fc:01 1185553    /lib/libldap-2.4.so.2.10.2
00f48000-00f49000 rw-p 00050000 fc:01 1185553    /lib/libldap-2.4.so.2.10.2
00f49000-0101f000 r-xp 00000000 fc:01 1179801    /lib/libkrb5.so.3.3
0101f000-01025000 r--p 000d5000 fc:01 1179801    /lib/libkrb5.so.3.3
01025000-01026000 rw-p 000db000 fc:01 1179801    /lib/libkrb5.so.3.3
02a94000-02c40000 rw-p 00000000 00:00 0          [heap]
b77a3000-b77d3000 rw-p 00000000 00:00 0
b77d9000-b77da000 rw-p 00000000 00:00 0
bf937000-bf94c000 rw-p 00000000 00:00 0          [stack]

OWASP rules must only be enabled if you have ample to time to rectify huge false positive generated. I would never suggest to enable those rules. You can always install comodo Waf rules for better security.


@asrof_id

May be CSF is sending you those emails

How to change SSH port
In your CWP menu go to Services Config --> SSH Configuration
now replace #22 with eg. 8404 and restart ssh server on index page of the CWP

Hi, where i find #22 ?
This is my SSH configuration

Code: [Select]

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server


# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22 <-- Here! Remove the # and change 22 to whatever you want
#AddressFamily any

My SSH not work after change port.
Can you help me?

My SSH not work after change port.
Can you help me?

What error you are having? Anyhow, you can revert the port change by Visiting SSH configuration module at https://{server_ip}:2031/admin/index.php?module=file_editor&file=/etc/ssh/sshd_config

My TCP IN and TCP OUT are changining automatically

Defaults are:
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,2030,2031"

If i reboot server it changes them to
TCP
IN: 1:65535
OUT: 1:65535
UDP
IN: 1:65535
OUT: 1:65535

My this vps is on NVMe as on my VPS with SSD i am not facing this issue.

Remember to restart the service for the changes to be taken