Please note that by allowing users to have weak site security, your server's overall security can be compromised.
Most attackers will be stopped by ModSecurity and File System Lock.
- ModSecurity for CWP: a web application firewall that blocks many malware infections.
- File System Lock: denies any kind of change to the file system and also disables any file uploads, which means no more malware infections and website hacks.
- Hide system processes: hides all system processes from the users. http://wiki.centos-webpanel.com/hide-system-processes-from-users
- CloudLinux: provides very high security and resource limiting per user; recommended for servers hosting many different clients.
- CWP SECURE Linux: a custom kernel that works similarly to SELinux and provides very high security at the kernel level.
Compared to CloudLinux, in some cases it is better and has many more rules that you can customize yourself, and in other cases CloudLinux is better.
* Cannot be used together with CloudLinux, since both use a custom kernel.
* Cannot be used on OpenVZ/Virtuozzo servers, for the same reason (custom kernel).
* Works only on servers where the default CentOS kernel can be installed.
* Can set many different limits for any file, service, process, network or socket on the server.
CWP SECURE Linux can currently be installed only by CWP Managed support, as they will set up custom rules for your server so that you have the best server security; you need to have a support service for that.
Recommended for all servers that need the highest security.
- CWP IP Access control: http://wiki.centos-webpanel.com/ip-access-control
- Change SSH port: set a new port in /etc/ssh/sshd_config and restart sshd.
** Don't forget to change the port in the CSF firewall too!
- CSF/LFD Firewall configuration: http://wiki.centos-webpanel.com/csflfd-firewall-configuration
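The SSH port change above only works if the new port is also allowed inbound by CSF, otherwise the next sshd restart locks you out. The following script is an added example, not CWP's own code: it reads the port from an sshd_config file, checks it against the TCP_IN list in a csf.conf file, and runs on constructed copies of both files so it works offline. The real paths on a CWP server (/etc/ssh/sshd_config, /etc/csf/csf.conf) are assumed from their defaults.

```shell
#!/bin/sh
# Added example (not CWP's own code): verify that the port sshd listens on is
# also allowed inbound by the CSF firewall, so a port change cannot lock you out.
# On a real server the files are /etc/ssh/sshd_config and /etc/csf/csf.conf;
# here constructed copies are used so the script runs offline.

# Print the effective sshd port from an sshd_config file: the last uncommented
# "Port N" directive wins, and the OpenSSH default of 22 applies if there is none.
sshd_port() {
    port=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | tail -n 1 | awk '{print $2}')
    echo "${port:-22}"
}

# Return 0 if PORT is listed in TCP_IN of a csf.conf file, 1 otherwise.
# csf.conf keeps the list as: TCP_IN = "20,21,22,25,53,80,110,143,443"
# Port ranges written as "a:b" are not expanded by this simple check.
csf_tcp_in_has() {
    list=$(grep -E '^TCP_IN[[:space:]]*=' "$1" | sed 's/.*=[[:space:]]*"\(.*\)".*/\1/')
    echo ",$list," | grep -q ",$2,"
}

# Report whether the sshd port is open in CSF; returns 0 when consistent.
check_ssh_csf() {
    port=$(sshd_port "$1")
    if csf_tcp_in_has "$2" "$port"; then
        echo "OK: sshd port $port is in CSF TCP_IN"
        return 0
    fi
    echo "WARNING: sshd port $port is missing from CSF TCP_IN; add it before restarting sshd"
    return 1
}

# Constructed sample configuration (not from any real server).
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config" <<'EOF'
#Port 22
Port 2222
PermitRootLogin no
EOF
cat > "$tmpdir/csf_updated.conf" <<'EOF'
TCP_IN = "20,21,25,53,80,110,143,443,2222"
EOF
cat > "$tmpdir/csf_stale.conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443"
EOF

check_ssh_csf "$tmpdir/sshd_config" "$tmpdir/csf_updated.conf"
check_ssh_csf "$tmpdir/sshd_config" "$tmpdir/csf_stale.conf" || true
```

Run the check against the live files before restarting sshd; if it warns, add the port to TCP_IN in csf.conf and restart CSF first, keeping your current session open until you have confirmed a fresh login on the new port works.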
- tmpfs Security (What is tmpfs?)
Edit your /etc/fstab file and add ,nodev,nosuid,noexec after defaults on the /dev/shm line.
Old:
tmpfs /dev/shm tmpfs defaults 0 0
New:
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
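As an added example (not CWP's own code), the script below makes the fstab edit above repeatable: it adds only the options that are missing from the /dev/shm entry, leaves every other line untouched, and includes a check you can run afterwards to confirm the entry is hardened. It works on a constructed copy of fstab so it runs offline.

```shell
#!/bin/sh
# Added example (not CWP's own code): harden the /dev/shm entry of an fstab file
# by adding nodev,nosuid,noexec, without duplicating options already present.
# It works on a copy here; on a real server run it against /etc/fstab and then
# apply the change with: mount -o remount /dev/shm

# Filter: read fstab text on stdin, print it with the /dev/shm line hardened.
# Field 2 is the mount point and field 4 the comma-separated mount options.
harden_shm() {
    awk '$2 == "/dev/shm" {
            split("", seen)                       # reset per line (portable)
            n = split($4, have, ",")
            for (i = 1; i <= n; i++) seen[have[i]] = 1
            m = split("nodev nosuid noexec", add, " ")
            for (i = 1; i <= m; i++) if (!(add[i] in seen)) $4 = $4 "," add[i]
        }
        { print }'
}

# Convenience wrapper for a single line (used for quick checks).
harden_shm_line() {
    printf '%s\n' "$1" | harden_shm
}

# Rewrite FSTAB in place; writing through cat keeps the file owner and mode.
harden_fstab() {
    tmp=$(mktemp)
    harden_shm < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Return 0 if the /dev/shm entry in FSTAB carries all three options, 1 otherwise
# (also 1 when there is no /dev/shm entry at all).
shm_is_hardened() {
    awk '$2 == "/dev/shm" {
            opts = "," $4 ","
            ok = (index(opts, ",nodev,") && index(opts, ",nosuid,") && index(opts, ",noexec,"))
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Constructed sample fstab (not a real server's file).
tmpdir=$(mktemp -d)
cat > "$tmpdir/fstab" <<'EOF'
/dev/sda1 / ext4 defaults 1 1
tmpfs /dev/shm tmpfs defaults 0 0
EOF

shm_is_hardened "$tmpdir/fstab" && echo "already hardened" || echo "/dev/shm needs hardening"
harden_fstab "$tmpdir/fstab"
cat "$tmpdir/fstab"
```

The noexec option stops binaries dropped into the world-writable /dev/shm from being executed from there, which is the point of the change; a few applications expect to execute from /dev/shm, so check your services after the remount.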
- Kernel panic reboot: reboot the server automatically if a kernel panic occurs.
Add the following into /etc/sysctl.conf:
After that, load the new kernel settings.
- Shell Access: disabled by default; don't allow users to use shell access, since that is NOT secure.
- Processes Limit per user: limits the number of processes a user can have. This limits the number of IMAP processes, cron jobs, etc., and it also limits the number of PHP processes if using suPHP. Note that Apache/PHP processes and other processes do not share the same limit: if the limit is set to 25, a user can have 25 IMAP/shell processes and 25 PHP processes.
- Open Files: limits the number of open files a user can have.
It is recommended to set it to 100 or higher, as users/applications in many cases have many files open at the same time.
- Apache mod_limits: this Apache module is aimed at protecting the web server during attacks.
It provides a few very useful functions:
* Limit the maximum number of simultaneous connections
* Limit the maximum number of simultaneous connections per vhost
* Limit the maximum number of spawned processes with the same UID
* Do not serve requests if the load is over a certain value
- MySQL/MariaDB limit per user: prevent MySQL abuse by clients by setting a limit on the maximum number of simultaneous connections permitted for a user account.
In this example we set it to a fair limit of 45 connections. Some large shared hosting providers use a range of 20-30.
Find the line starting with [mysqld] in /etc/my.cnf or /etc/my.cnf.d/server.cnf and add the following line under it:
Don't forget to restart MySQL after adding that line:
service mysql restart
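Both the kernel panic setting and the MySQL connection limit above are single "key = value" lines in a config file, and re-running a hardening script must not leave duplicates behind. The script below is an added example (not CWP's own code) that sets such a line idempotently, either in a flat file like /etc/sysctl.conf or under a named section like [mysqld]. The MySQL variable max_user_connections and the sysctl kernel.panic are real settings; the value 10 seconds for kernel.panic is an assumption, since the page itself gives no value, while 45 is the page's own figure. It works on constructed copies of the files.

```shell
#!/bin/sh
# Added example (not CWP's own code): set a "key = value" line idempotently in
# a flat file such as /etc/sysctl.conf or under a section such as [mysqld] in
# /etc/my.cnf, replacing an existing line instead of appending a duplicate.
# Constructed copies of the files are used here so the script runs offline.

# set_ini_key FILE SECTION KEY VALUE
# SECTION "" means a flat key = value file (sysctl.conf). For a sectioned file
# the key is placed in [SECTION]; the section is created at the end if missing.
set_ini_key() {
    tmp=$(mktemp)
    awk -v sec="$2" -v key="$3" -v val="$4" '
        # true if the line (ignoring leading blanks) is "key = ..." for our key
        function is_key(line,   s) {
            s = line; sub(/^[[:space:]]*/, "", s)
            return index(s, key) == 1 && substr(s, length(key) + 1) ~ /^[[:space:]]*=/
        }
        function emit() { print key " = " val; done = 1 }
        /^[[:space:]]*\[.*\]/ {                 # section header
            if (insec && !done) emit()          # leaving the target section: add key here
            name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*/, "", name)
            insec = (name == sec)
            print; next
        }
        (sec == "" || insec) && is_key($0) {    # existing key: replace once, drop duplicates
            if (!done) emit()
            next
        }
        { print }
        END {
            if (!done) {
                if (sec != "" && !insec) print "[" sec "]"
                emit()
            }
        }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# get_ini_key FILE SECTION KEY -> prints the current value (empty if unset)
get_ini_key() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[.*\]/ {
            name = $0; sub(/^[[:space:]]*\[/, "", name); sub(/\].*/, "", name)
            insec = (name == sec); next
        }
        sec == "" || insec {
            s = $0; sub(/^[[:space:]]*/, "", s)
            if (index(s, key) == 1 && substr(s, length(key) + 1) ~ /^[[:space:]]*=/) {
                sub(/^[^=]*=[[:space:]]*/, "", s); print s; exit
            }
        }' "$1"
}

# Constructed sample files (not real server configuration).
tmpdir=$(mktemp -d)
printf 'net.ipv4.ip_forward = 0\n' > "$tmpdir/sysctl.conf"
printf '[client]\nsocket=/var/lib/mysql/mysql.sock\n\n[mysqld]\ndatadir=/var/lib/mysql\n' > "$tmpdir/my.cnf"

# Kernel panic reboot: kernel.panic is the delay in seconds before the kernel
# reboots after a panic; 10 is an assumed value, the page itself gives none.
# On a live server, load it afterwards with: sysctl -p
set_ini_key "$tmpdir/sysctl.conf" "" kernel.panic 10

# MySQL/MariaDB: cap simultaneous connections per account at the page's figure
# of 45, then restart the service (service mysql restart) on a live server.
set_ini_key "$tmpdir/my.cnf" mysqld max_user_connections 45

cat "$tmpdir/sysctl.conf" "$tmpdir/my.cnf"
```

Because the awk filter replaces the first existing line and drops any later duplicates within the same section, running the script twice leaves exactly one line per key, which is what you want from a hardening step that may be re-applied after updates.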
The best approach is to select only what you need, or consult our support for assistance, as each server needs a different configuration depending on its purpose and usage.
...more info coming soon.