cPanel Security Advisor: Don’t Take it to Heart

cPanel 11.40 introduces a new feature in WHM called “Security Advisor“. I don’t mess with WHM a lot so while I was vaguely aware that such a feature existed in cPanel, only today did I actually mozy over and give it a run.

Well, it’s pretty obvious that this tool was whipped up in response to people repeatedly asking the blanket question: “How do I secure my server?” (Easy: you hire someone that knows how to secure servers). As the leading provider of its type, cPanel is under a lot of pressure to keep up with the demands of their clientèle, including the ones that expect a point and click solution to everything.  And while cPanel’s efforts here are meritorious, Security Advisor appears to do nothing more than make a series of “educated” guesses about what your server is, or should be, doing.  This leaves me wondering how many people are making unnecessary and thoughtless changes to their servers because some script told them to.

Here are a few examples of what it found on one of my test boxes:

Apache vhosts are not segmented or chroot()ed.

Enable “Jail Apache” in the “Tweak Settings” area, and change users to jailshell in the “Manage Shell Access” area. Consider a more robust solution by using “CageFS on CloudLinux”

 

No brute force protection detected

Enable cPHulk Brute Force Protection in the “cPHulk Brute Force Protection” area.

 

ClamAV is not installed.

Install ClamAV within “Manage Plugins”.

 

A newer kernel is installed, however the system has not been rebooted. running: 2.6.32-279.22.1.el6, installed: 2.6.32-431.5.1.el6

Reboot the system in the “Graceful Server Reboot” area.

So, for one: my contempt for CloudLinux is only matched by equal hatred for mod_ruid2 (required for “Jail Apache”).  SA missed the CloakFS setup on this server, which achieves the necessary jailing.

CpHulkd and ClamAV are also not the only software of their kind, so if you use CSF, BFD, and/or your own AV, be prepared to hear Security Advisor roar.

Ksplice has been a thing for a while now.  My reboot-less kernel upgrade is no match for you, Security Advisor.

Now, there were some legitimate things SA found, but nothing that I necessarily care about.  Here’s why:

My intention here, quite to what seems to be the contrary, is not to blast Security Advisor for its efforts in guiding sysadmins through the daunting and never-ending path of system security.  My point is, you need to understand your system and what security ‘violations’ it reports are actually problematic and what is the best way to address these problems in your environment.  The solutions SA is suggesting may actually be invalidated by  other measures in place on your system, or better addressed using a different method.  For example, I don’t condone switching to ruid2 on a shared server just to provide the jailing capabilities that CloakFS and CageFS can just as securely provide.  Or pointlessly rebooting your server because SA doesn’t like the output of uname.  Before you make changes to your server, understand what you’re doing, why you’re doing it, and whether it really needs to be done.

BTW, cPanel, I still love you guys.  I just don’t fancy Security Advisor.

Be Sociable, Share!

Leave a Reply

Your email address will not be published. Required fields are marked *