BASIC WHM SETUP
Basic cPanel/WHM Setup:
1) Check that the main IP is the server's primary IP
2) Make sure that the primary and secondary nameservers are set to ns1 and ns2 (or
to whatever they were prior to a reload)
******************************************************
WHM > Server Configuration > Tweak Settings:
1) Under Domains: "Prevent users from parking/adding on common
internet domains. (ie hotmail.com, aol.com)"
2) Under Mail: "Attempt to prevent pop3 connection floods"
3) "Default catch-all/default address behavior for new accounts." Select
'fail'
4) "Email users when they have reached 80% of their bandwidth"
5) "Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header
when relaying mail. (exim 4.34-30+ required)"
6) "Silently Discard all FormMail-clone requests with a bcc: header in the
subject line"
7) "Track the origin of messages sent through the mail server by adding the
X-Sender headers (exim 4.34+ required)"
8) Under Software: "Loader to use for internal cPanel PHP" select
'sourceguardian'
9) Under Status: "The load average that will cause the server status to
appear red (leave blank for default):" >> 5
10) Under System: "Allow Sharing Nameserver Ips"
11) "Use jailshell as the default shell for all new accounts and modified accounts"
WHM > Server Configuration > Update Config:
1) Select 'Automatic (STABLE Tree)'
2) Verify that the cPanel Package Update and Security Package Update are also set to 'Automatic'
WHM > Security > Tweak Security, enable:
1) Php open_basedir Tweak
2) Compilers Tweak
3) SMTP Tweak
WHM > Service Configuration:
1) Exim Configuration Editor - enable "Verify the existence of email senders"
2) FTP configuration - Make sure Anonymous FTP is disabled
3) Nameserver Setup - Be sure that the nameserver is running
4) Service Manager - Check to monitor all EXCEPT the following:
Entropychat, Interchange, Melange, Tomcat and Exim on Another Port
WHM > System Health > Background Process Killer:
1) Click all open boxes and save.
WHM > cPanel xx.xx.xx > Addon Modules:
1) Click on cPanel Pro, Clamavconnector, Modbandwidth, Modsecurity and Addonupdates and click 'save' to install.
WHM > cPanel xx.xx.xx > Addon Scripts:
1) Click all and click 'save' to install.
SERVER SECURITY SETUP
Security audit
Assess the server for exposed services and known weaknesses before and after the steps below, so that each change can be verified rather than assumed.
SSH Tweaks
Run sshd on a non-default port (Port in /etc/ssh/sshd_config) and deny direct root logins (PermitRootLogin no); log in as an unprivileged user and su to root.
Open the new port in the firewall (APF's IG_TCP_CPORTS below) before restarting sshd, keep your current session open while you restart, and test a fresh login from a second terminal, otherwise a typo locks you out.
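The two SSH tweaks above, worked through as an added example (not part of the original checklist): a POSIX shell function that rewrites the relevant sshd_config directives and a check that reads back what sshd would actually use. It relies on sshd's first-match rule for keywords, works on a constructed sample file rather than the live /etc/ssh/sshd_config, and the port 2222 is an arbitrary choice.

```sh
#!/bin/sh
# Added example, not from the original checklist: apply the two SSH tweaks
# (custom port, no direct root login) to an sshd_config-style file and read
# back what sshd will use before restarting the daemon.

# set_sshd_option FILE KEY VALUE
# Rewrites every "KEY ..." line, commented out or not, as "KEY VALUE" and
# appends the line if the key is absent. sshd takes the first occurrence of
# a keyword, so a stray earlier "PermitRootLogin yes" must not survive.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*/$key $value/" "$file" > "$tmp"
    else
        cp "$file" "$tmp" && printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# harden_sshd_config FILE PORT: the settings the checklist asks for.
harden_sshd_config() {
    set_sshd_option "$1" Port "$2"
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" PermitRootLogin no
}

# effective_option FILE KEY: the value sshd would use (first uncommented
# match); prints nothing when the keyword is unset, i.e. compiled-in default.
effective_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sshd_config FILE PORT: exit 0 only if root login is denied and the
# custom port is in effect. Run this, then restart sshd from a session you
# keep open and log in again from a second terminal.
check_sshd_config() {
    [ "$(effective_option "$1" Port)" = "$2" ] &&
    [ "$(effective_option "$1" PermitRootLogin)" = "no" ]
}

# Demo on a constructed stock-style config (port 22, root login allowed).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sshd_config excerpt
#Port 22
Protocol 2,1
PermitRootLogin yes
X11Forwarding no
EOF
    harden_sshd_config "$f" 2222
    if check_sshd_config "$f" 2222; then
        echo "hardened:"; cat "$f"
    else
        echo "hardening failed; do not restart sshd" >&2
    fi
    rm -f "$f"
}
demo
```

Point the functions at a copy of the real file (cp /etc/ssh/sshd_config /root/sshd_config.new), run check_sshd_config on the copy, and only then move it into place and restart sshd.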
APF with AntiDOS Installation
Log in to your server through SSH as root.
1. cd /usr/src (or another temporary folder where you keep downloaded sources).
2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
3. tar -xvzf apf-current.tar.gz
4. cd apf-0.9.6-1/ (or whatever the latest version is).
5. Run the install file: ./install.sh
You will see a message saying it has been installed.
APF CONFIGURATION (edit /usr/local/apf/conf.apf)
1) Change USE_DS="0" to USE_DS="1"
2) Change the value of IG_TCP_CPORTS to
IG_TCP_CPORTS="21,22,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096,3306,5666,3000_3500"
(replace 22 with your custom SSH port from the SSH tweaks or you will be locked out when the firewall loads; low_high is APF's syntax for a port range; drop 3306 unless remote MySQL clients genuinely need it)
3) Change the Value of IG_UDP_CPORTS to
IG_UDP_CPORTS="53"
4) The value of EGF should be EGF="1"
5) Change the value of EG_TCP_CPORTS to
EG_TCP_CPORTS="21,25,37,53,80,110,113,443,43,873,953,2089,3306"
6) Change the Value of EG_UDP_CPORTS to
EG_UDP_CPORTS="20,21,53,873,953,6277"
7) Change the value of USE_AD to
USE_AD="1"
8) Note that none of these constants may have a comment symbol (#) to the left of it; uncomment any that are commented out.
9) Change the Value of DEVEL_MODE to
DEVEL_MODE="1"
10) Save and quit.
11) From the shell, run
chkconfig --del apf
apf -s
12) Run tail -f /var/log/apf_log for about ten minutes and confirm that you can still reach SSH, HTTP and WHM.
13) With DEVEL_MODE="1" APF's cron job flushes the rules every five minutes, so a mistake cannot lock you out for long. Once the log shows no problems and the periodic flushes are happening, edit the conf file and set DEVEL_MODE="0", then run apf -r and re-enable the init script (chkconfig --add apf) so the firewall comes back after a reboot.
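The conf.apf steps above, as an added example that is not part of the original checklist: shell functions that set the constants without leaving a '#' in front of them, read them back, and confirm that the SSH port is actually inside IG_TCP_CPORTS (including APF's low_high ranges) before apf -s is run. It works on a constructed excerpt of conf.apf, not the live file, and 2222 is the assumed custom SSH port.

```sh
#!/bin/sh
# Added example, not from the original checklist: set and verify conf.apf
# constants and make sure the SSH port is in IG_TCP_CPORTS before "apf -s".

# apf_set CONF KEY VALUE: write KEY="VALUE", replacing an active or
# commented-out definition, or appending one if the key is absent.
apf_set() {
    conf=$1; key=$2; value=$3; tmp="$conf.tmp.$$"
    if grep -Eq "^#?[[:space:]]*$key=" "$conf"; then
        sed -E "s|^#?[[:space:]]*$key=.*|$key=\"$value\"|" "$conf" > "$tmp"
    else
        cp "$conf" "$tmp" && printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# apf_get CONF KEY: value of the last active KEY="..." line (the file is
# sourced by the shell, so the last definition wins).
apf_get() {
    sed -nE "s/^$2=\"?([^\"]*)\"?.*/\1/p" "$1" | tail -n 1
}

# port_allowed LIST PORT: 0 if PORT is covered by an APF port list such as
# "21,22,3000_3500" (APF writes a range as low_high).
port_allowed() {
    list=$1; port=$2
    for item in $(printf '%s' "$list" | tr ',' ' '); do
        case $item in
            *_*) lo=${item%_*}; hi=${item#*_}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$item" = "$port" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# apf_check CONF SSH_PORT: the settings this checklist requires, plus the
# one thing that locks an admin out: SSH missing from the inbound list.
apf_check() {
    conf=$1; sshport=$2
    for key in USE_DS USE_AD EGF; do
        if [ "$(apf_get "$conf" "$key")" != 1 ]; then
            echo "$key is not 1"; return 1
        fi
    done
    if ! port_allowed "$(apf_get "$conf" IG_TCP_CPORTS)" "$sshport"; then
        echo "SSH port $sshport is not in IG_TCP_CPORTS; apf -s would lock you out"
        return 1
    fi
    if grep -Eq "^#[[:space:]]*(USE_DS|USE_AD|EGF|IG_TCP_CPORTS|IG_UDP_CPORTS|EG_TCP_CPORTS|EG_UDP_CPORTS|DEVEL_MODE)=" "$conf"; then
        echo "a required constant is still commented out"; return 1
    fi
    return 0
}

# Demo on a constructed conf.apf excerpt.
demo() {
    c=$(mktemp)
    cat > "$c" <<'EOF'
# constructed conf.apf excerpt
USE_DS="0"
#USE_AD="0"
EGF="0"
IG_TCP_CPORTS="22,80"
IG_UDP_CPORTS=""
DEVEL_MODE="0"
EOF
    apf_set "$c" USE_DS 1
    apf_set "$c" USE_AD 1
    apf_set "$c" EGF 1
    apf_set "$c" DEVEL_MODE 1
    apf_set "$c" IG_TCP_CPORTS "21,22,25,26,53,80,110,143,443,465,953,993,995,2082,2083,2086,2087,2095,2096,5666,3000_3500"
    apf_set "$c" IG_UDP_CPORTS 53
    # sshd was moved to 2222 in the SSH tweaks, so this must fail ...
    apf_check "$c" 2222 || echo "(expected: fix the list before apf -s)"
    # ... and pass once the custom port is added.
    apf_set "$c" IG_TCP_CPORTS "$(apf_get "$c" IG_TCP_CPORTS),2222"
    apf_check "$c" 2222 && cat "$c"
    rm -f "$c"
}
demo
```

Run apf_check /usr/local/apf/conf.apf <your SSH port> immediately before apf -s, and again after you set DEVEL_MODE="0": the five-minute flush is the only thing saving you from a wrong port list while DEVEL_MODE is on.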
BFD Installation
cd /usr/src
wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
tar -xvzf bfd-current.tar.gz
cd bfd-0.9/
./install.sh
/usr/local/sbin/bfd -q
configuration file - /usr/local/bfd/conf.bfd
Enable user alerts:
# Enable/disable user alerts [0 = off; 1 = on]
ALERT_USR="1"
Specify an email address for alerts
# User alert email address
EMAIL_USR="xxx@xxxx.com"
Tweak bfd rules in /usr/local/bfd/rules/
Tweak the cron entry for bfd in /etc/cron.d/bfd so that it runs every 3 minutes (*/3 * * * *).
Add trusted IPs (your office, monitoring hosts) to /usr/local/bfd/ignorehosts so that BFD can never ban them.
Install and configure rootkit detection software
All of these downloads arrive over plain HTTP/FTP; compare each archive against the checksum or signature published on the project site before unpacking it.
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz (download the kit)
tar -zxvf chkrootkit.tar.gz (untar the kit)
cd chkrootkit-version (choose the right directory)
make sense (builds the helper binaries)
./chkrootkit
wget http://downloads.rootkit.nl/rkhunter-1.2.8.tar.gz
tar -zxvf rkhunter-1.2.8.tar.gz
cd rkhunter-1.2.8
./installer.sh
rkhunter -c (run a first check now, and schedule it from cron so later runs can be compared against this baseline)
Active Load Monitoring
Periodic load checks that warn of a problem (runaway process, attack traffic) before services become unavailable.
Scan and harden /tmp /var/tmp directories
Scan both for uploaded scripts and mount them noexec,nosuid so that dropped files cannot be executed; on cPanel, /scripts/securetmp sets /tmp up as a loopback filesystem with those options and points /var/tmp at it.
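What "hardened" means for /tmp, checked mechanically, as an added example that is not part of the original checklist: a shell function that reads a saved "mount" listing and reports which of noexec, nosuid and nodev each scratch directory lacks. nodev is my addition to the noexec,nosuid pair; the listing below is constructed, and the function follows a symlinked mount point (cPanel's /var/tmp -> /tmp) only when run on a live host.

```sh
#!/bin/sh
# Added example, not from the original checklist: verify that world-writable
# scratch directories are separate mounts carrying noexec,nosuid,nodev.
# Usage on a live host: mount > /root/mounts.txt; check_all /root/mounts.txt

# tmp_mount_check LISTING MOUNTPOINT
# LISTING holds "mount"-style lines: "DEV on DIR type FS (opt,opt,...)".
# Returns 0 if MOUNTPOINT is mounted with all three options; otherwise
# prints what is missing and returns 1.
tmp_mount_check() {
    listing=$1; mp=$2
    # cPanel's securetmp makes /var/tmp a symlink to /tmp; check the target.
    if [ -L "$mp" ]; then mp=$(readlink -f "$mp"); fi
    opts=$(awk -v mp="$mp" '$3 == mp { o = $6; sub(/^\(/, "", o); sub(/\)$/, "", o); print o; exit }' "$listing")
    if [ -z "$opts" ]; then
        echo "$mp: not a separate mount; it inherits the parent filesystem's options"
        return 1
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
}

# check_all LISTING: every world-writable scratch area at once; diagnostics
# go to stderr, the number of failing mount points to stdout.
check_all() {
    fails=0
    for d in /tmp /var/tmp /dev/shm; do
        tmp_mount_check "$1" "$d" >&2 || fails=$((fails + 1))
    done
    echo "$fails"
}

# Demo on a constructed listing: /tmp lacks nodev, /var/tmp is not its own
# mount, and /dev/shm (also world-writable) has no restrictions at all.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/sda1 on / type ext3 (rw)
/usr/tmpDSK on /tmp type ext3 (rw,noexec,nosuid,loop=/dev/loop0)
tmpfs on /dev/shm type tmpfs (rw)
EOF
    echo "failing mount points: $(check_all "$f")"
    rm -f "$f"
}
demo
```

Remount with mount -o remount,noexec,nosuid,nodev /tmp (and the same for /dev/shm) and add the options to /etc/fstab so they survive a reboot; then rerun the check against a fresh listing.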
Configure Logwatch
Configure the server's log reporting so that problems are reported as soon as they appear.
rpm -qa | grep logwatch (check the installed logwatch version)
wget ftp://rpmfind.net/linux/fedora/core/3/i386/os/Fedora/RPMS/logwatch-5.2.2-1.noarch.rpm (download the latest rpm)
rpm -ivh logwatch-5.2.2-1.noarch.rpm (install logwatch; use rpm -Uvh instead to upgrade an installed version older than 5.2.2-1)
vi /etc/log.d/conf/logwatch.conf (change the Print option from No to Yes)
Sysctl and host.conf hardening
/etc/sysctl.conf, applied with sysctl -p and checked with sysctl -a. The eth0 entries assume the public interface is eth0; change the name if it is not.
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Log spoofed packets, source routed packets, redirect packets (martians)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off tcp_window_scaling, tcp_sack and tcp_timestamps. These three cost
# throughput on high-latency links; keep them only if you have measured a benefit.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535
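A check worth running on any hand-edited sysctl.conf, added here as an example that is not part of the original checklist: sysctl -p applies the file top to bottom and a key that is set twice silently takes its last value, so a log_martians = 0 line left above a log_martians = 1 line, or the reverse, is never reported. The functions below use only awk and sort; the sample file is constructed.

```sh
#!/bin/sh
# Added example, not from the original checklist: find keys that sysctl.conf
# sets more than once with different values, and print the values the
# kernel will actually hold after "sysctl -p" (last occurrence wins).

# sysctl_conflicts FILE: print "key: old -> new" for each conflicting
# redefinition; returns 1 if any were found, 0 if the file is consistent.
sysctl_conflicts() {
    out=$(awk -F= '
        /^[ \t]*#/ { next }                     # comment line
        /^[ \t]*$/ { next }                     # blank line
        {
            key = $1; val = $2
            gsub(/[ \t]+/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key in seen && seen[key] != val)
                printf "%s: %s -> %s\n", key, seen[key], val
            seen[key] = val
        }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# sysctl_effective FILE: every key once, with the value that survives,
# sorted so it can be diffed against "sysctl -a | sort".
sysctl_effective() {
    awk -F= '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]+/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            last[key] = val
        }
        END { for (k in last) printf "%s = %s\n", k, last[k] }' "$1" | sort
}

# Demo on a constructed file that repeats the mistake described above.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sysctl.conf excerpt
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 16384 65535
EOF
    sysctl_conflicts "$f" || echo "fix the conflicts above before sysctl -p"
    echo "effective settings:"
    sysctl_effective "$f"
    rm -f "$f"
}
demo
```

A duplicate with the same value (rp_filter above) is harmless and is not reported; only a changed value is. After sysctl -p, diff the sysctl_effective output against sysctl -a to catch keys the running kernel rejected.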
Host.conf Tweaks
# Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
WHM > Add-ons:
mod_security
In SSH, run the following to install the ruleset (the file is fetched over plain HTTP from a bare IP, so read through it before restarting Apache with it loaded):
cd /usr/local/apache/conf
rm -f modsec.user.conf
wget http://208.100.2.13/modsec.user.conf
chown root:root modsec.user.conf
chmod 644 modsec.user.conf
service httpd restart
Optimized MYSQL conf ( /etc/my.cnf )
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-locking
skip-innodb
query_cache_limit=1M
query_cache_size=32M
query_cache_type=1
max_user_connections=25
max_connections=500
interactive_timeout=10
wait_timeout=10
connect_timeout=10
thread_cache_size=128
key_buffer=16M
join_buffer=1M
max_allowed_packet=16M
table_cache=1024
record_buffer=1M
sort_buffer_size=2M
read_buffer_size=2M
max_connect_errors=10
# Try number of CPU's*2 for thread_concurrency
thread_concurrency=8
myisam_sort_buffer_size=64M
#log-bin
server-id=1
[mysql.server]
user=mysql
basedir=/var/lib
[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/lib/mysql/mysql.pid
open_files_limit=8192
[mysqldump]
quick
max_allowed_packet=16M
[mysql]
no-auto-rehash
#safe-updates
[isamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M
[myisamchk]
key_buffer=64M
sort_buffer=64M
read_buffer=16M
write_buffer=16M
[mysqlhotcopy]
interactive-timeout
Mailmon Installation
Mailmon replaces /usr/sbin/sendmail with a wrapper that records the sending user, time and script in the mailmon table and applies the per-user limits from the limits table created below.
cd /usr/src/
wget http://www.mycutelife.net/sanju/newtickethelp/mailmon/mailmon_1-3.tar.gz
tar -xvzf mailmon_1-3.tar.gz
cd /usr/src/MailMon
cp -f /usr/sbin/sendmail /usr/sbin/mon.bkp
wget http://www.mycutelife.net/sanju/newtickethelp/mailmon/mailmon.new
sed -e "s/opteron.dnsprotect.com/$(hostname)/g" mailmon.new > mailmon.temp
cp -f mailmon.temp /usr/sbin/sendmail
cd /usr/sbin
chown root:mailtrap sendmail
chmod 755 sendmail
chattr +i sendmail
cd /var/log
touch mailmon.log
chmod 622 mailmon.log
touch mailmon.junk
chmod 622 mailmon.junk
(622 makes both logs world-writable, which the wrapper needs because it runs as the sending user; any local user can therefore truncate or pollute them, so treat their contents as hints, not evidence)
mysql
mysql> create database mailmon2005;
mysql> grant all privileges on mailmon2005.* to mailmon2005@localhost identified by '123dsa';
(choose your own strong password here instead of '123dsa' and update the wrapper script to match)
mysql>use mailmon2005;
CREATE TABLE `limits` (
`id` int(11) NOT NULL auto_increment,
`user` varchar(20) NOT NULL default '',
`speedlimit` int(11) NOT NULL default '0',
`seconds` int(11) NOT NULL default '0',
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=6; -- ENGINE= replaces the old TYPE= keyword, which MySQL 5.5 removed
INSERT INTO `limits` VALUES (6, 'cpanel', 200, 3600);
CREATE TABLE `mailmon` (
`user` varchar(20) NOT NULL default '',
`timestamp` int(10) unsigned NOT NULL default '0',
`script_name` varchar(255) NOT NULL default '',
KEY `user` (`user`,`timestamp`)
) ENGINE=MyISAM;
mysql> quit;