Please note that by allowing users to have week site security your server overall security can be compromised.
Most of the hackers will be denied by ModSecurity and FileSystemLock.
Set for all .php files permissions to 640.
You can also use in cwp admin left menu User Accounts -> Fix Permissions
- Disable dangerus PHP functions
* If you are hosting multiple sites for your clients then some sites might need some of this disabled functions.
- PHP Open_Basedir protection
* We recommend to use option per user.
- ModSecurity for CWP: It will block many malware infections.
- File System Lock: It will deny any kind of change on the files system and also disable any file uploads, and that means no more malware infections and website hacks.
- Hide system processes: This will hide all system process from the users. http://wiki.centos-webpanel.com/hide-system-processes-from-users
- CloudLinux: It provides very high security and resource limiting per user, recommended for servers having many different clients.
- CWP SECURE Linux: this is a custom kernel which works similar to SeLinux and provides very high security at the kernel level.
- cgroups can be used only with CentOS default kernel or CWP Secure Kernel.
- cgroups allow you to limit each user with cpu, memory, and disk IO limits.
Cgroups detailed info: http://wiki.centos-webpanel.com/cgroups-limits-per-user
Compared to Cloudlinux in some cases, it's better and has many more rules you can custom modify by yourself and in some cases, Cloudlinux is better.
*Can't work with Cloudlinux since both use a custom kernel
*Can't work with OpenVZ/Virtuozzo servers, same reason custom kernel.
*It can work only with servers having the ability to install centos default kernel.
*It can set many different limits for any file, service, process, network, or socket on the server.
CWP SECURE Linux currently can be installed only by CWP Managed support as they will set up custom rules for your server so you could have the best server security, you need to have a support service for that.
Recommended for all servers which need to have the highest security.
- CWP IP Access control: http://wiki.centos-webpanel.com/ip-access-control
- Change ssh port: in file /etc/ssh/sshd_config and restart sshd
** Don't forget to change the port in CSF firewall!!!
- CSF/LFD Firewall configuration: http://wiki.centos-webpanel.com/csflfd-firewall-configuration
- tmpfs Security: What is tmpfs?
Edit your /etc/fstab file and add ,nodev,nosuid,noexec after defaults ,old:
tmpfs /dev/shm tmpfs defaults 0 0
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
- Kernel panic reboot: Reboot server if kernel panic
Add the following into /etc/sysctl.conf
After that load new kernel settings
- Shell Access: Default is disabled, don't allow users to use shell access since that is NOT secure if not using one of the following: Jailkit, Cloudlinux, CWP Secure Kernel
- Processes Limit per user: Limit number of processes user can have, this will limit IMAP process number, cron's... it will also limit PHP process number if using suphp, note that apache/PHP process number and other process are not sharing the same limit, this means if the limit is set to 25, user can have 25 IMAP/shell processes and 25 PHP processes.
- Open Files: (Limit number of open files)
This limits the number of open files the user can have, its recommended to have it at 100 or higher as users/applications in many cases can have many files open at the same time.
- Apache mod_limits: This apache module is aimed at protecting the webserver during attacks.
It provides a few, very useful, functionalities:
* Limit the maximum number of simultaneous connections
* Limit the maximum number of simultaneous connections per Vhost
* Limit the maximum number of spawned processes with the same UID
* Do not serve request if the load is over a certain value
- MySQL/MariaDB Limit per user - Prevent MySQL abuse from the clients by setting the limit of maximum simultaneous connections permitted for a user account.
In this example, we will have it set to a fair limit of 45 connection. Some global shared hosting providers have it in the range from 20-30.
Find line starting with [mysqld] in file /etc/my.cnf or /etc/my.cnf.d/server.cnf and add the following line under:
Don't forget to restart MySQL after adding that line:
service mysql restart
The best would be that you select only what you need or try to consult with our support for assistance as each server needs different configuration depending on the purpose and usage of it.
...more info coming soon.