Set network with nmtui
systemctl restart network.service
implement firewall (we use ConfigServer's csf):
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
disable ssh (if you want to leave ssh enabled, make sure the firewall blocks world access and only lets you through)
disable selinux on whm/cpanel systems (edit the 'SELINUX=' line in /etc/selinux/config, which takes 'enforcing', 'permissive', or 'disabled')
disable but do not remove avahi-daemon
systemctl stop avahi-daemon.socket avahi-daemon.service
systemctl disable avahi-daemon.socket avahi-daemon.service
install whm/cpanel:
cd /home && curl -o latest -L https://securedownloads.cpanel.net/latest && sh latest
inside whm:
tweak
Enable open_basedir protection
Disable Compilers for all accounts (except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection
disable shell access
disable anonymous ftp
set mysql password
enable suexec
edit php.ini
safe_mode = On              ; removed in PHP 5.4
expose_php = Off
enable_dl = Off
magic_quotes_gpc = On       ; removed in PHP 5.4
register_globals = Off      ; removed in PHP 5.4
display_errors = Off
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
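A way to check an existing php.ini against the values above (an added example, not part of the original checklist; ini_get, ini_bool and audit_php_ini are hypothetical helper names and the sample file is constructed). It covers expose_php, enable_dl, display_errors and disable_functions, and leaves out safe_mode, the magic_quotes setting and register_globals, which were removed in PHP 5.4:

```shell
# Added example (not from the original checklist); helper names are hypothetical.
# Print the effective (last) value of directive $2 in php.ini file $1.
ini_get() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ || /^[ \t]*\[/ || !index($0, "=") { next }  # comment, section, no "="
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1)
            sub(/[ \t]*;.*$/, "", v)            # drop trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)    # trim blanks and quotes
            val = v; found = 1
        }
        END { if (found) print val }' "$1"
}
# Map a php.ini boolean to on/off; anything not clearly "off" counts as on.
ini_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        off|false|no|none|0|'') echo off ;; *) echo on ;;
    esac
}

# Print each deviation from the checklist; return 1 if there is any.
audit_php_ini() {
    rc=0
    for d in expose_php enable_dl display_errors; do
        v=$(ini_get "$1" "$d")
        if [ -z "$v" ]; then echo "UNSET $d (PHP default applies)"; rc=1
        elif [ "$(ini_bool "$v")" != off ]; then echo "FAIL $d = $v (want Off)"; rc=1
        fi
    done
    have=",$(ini_get "$1" disable_functions | tr -d ' \t'),"
    for f in system show_source symlink exec dl shell_exec passthru phpinfo escapeshellarg escapeshellcmd; do
        case "$have" in *",$f,"*) ;; *) echo "FAIL disable_functions lacks $f"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample php.ini, not taken from a real server.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[PHP]
; expose_php = Off
expose_php = On
enable_dl = Off
display_errors = off ; production
disable_functions = system, show_source, exec, dl, shell_exec, passthru
EOF
audit_php_ini "$sample" || echo "php.ini deviates from the checklist"
```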
Edit the /etc/sysctl.conf file and add the following line in order to enable SYN cookies protection:
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
clamav
yum install clamav
freshclam
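run crontab -e as root, then add this line (a crontab edited with crontab -e takes no user field, and clamscan's recursive flag is -r):
@daily clamscan -r /home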
rootkit:
cd /root/
wget http://sourceforge.net/projects/rkh...irror=iweb
tar -zxvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
./installer.sh --install
Harden /tmp partition
Run the /scripts/securetmp script to mount your /tmp partition to a temporary file for extra security.
disable compilers in whm
host access control to specific ranges
ignore any recommendations regarding xfs, gpm, saslauthd, nfs, chargen, ypbind, anacron, hidd, cups. They are either not running on a default minimal install or are needed.