Skip to content

Intuitive bash/shell script to setup and harden/configure cPanel CentOS/RHEL server with ConfigServer Firewall, MailManage, MailQueue, Malware Detect, ClamAV, mod_cloudflare, CloudFlare RailGun, and many more applications and security tweaks

Notifications You must be signed in to change notification settings

tripflex/cpsetup

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
 
 
 
 
 
 
 
 

Repository files navigation

cpSetup

Author: Myles McNamara
Version: 1.5.0
Last Update: May 22, 2019

cpsetup is a custom bash/shell script to setup and harden/configure cPanel CentOS/RHEL server with a wide range of applications, plugins, and modules. This script will also install cPanel if it's not already installed.

Each installation and configuration/hardening is organized into functions. By default running the script without any arguments will prompt for each install/configuration as well as prompt for any required configs (email, api key, etc).

You can also run any of the available functions individually ... to see a list of functions available, execute this command:

./cpsetup --functions

Usage

wget https://github.com/tripflex/cpsetup/raw/master/cpsetup
chmod +x cpsetup
./cpsetup

Features Include:

Deprecated (but still available) Features/Functions:

Future Enhancements:

  • You tell me, open up an issue and suggest a new feature!

Depreciated Functions/Installs (*)

Name Reason
Account DNS Check Reported to no longer work on CentOS 7, or WHM > 11.52
PHP.INI Manager WHM now has built in handling, and unsure of status of plugin
Clean Backups No longer works or updated?

I decided to remove these from the auto install process because I either do not know the status of them (compatibility wise) with WHM, they are not compatible with latest release, or because the developers either do not provide ANY changelog, or even if they do, they don't even date the versions, which IMO is sloppy dev work, and as such, they do not belong in the auto install process.

Available Arguments

cpsetup - sMyles cPanel Setup Script
Usage example:
./cpsetup [(-h|--help)] [(-v|--verbose)] [(-V|--version)] [(-u|--unattended)] [(-m|--menu)] [(-r|--run) value] [(-R|--functions)]
Options:
-h or --help: Displays this information.
-v or --verbose: Verbose mode on.
-V or --version: Displays the current version number.
-u or --unattended: Unattended installation ( bypasses all prompts ).
-r or --run: Run a specific function.
-R or --functions: Show available functions to use with -r or --run command.

Firewall Updates

Option Original Value New Value
RESTRICT_SYSLOG 0 3
SMTP_BLOCK 0 1
LF_SCRIPT_ALERT 0 1
SYSLOG_CHECK 0 1800
PT_ALL_USERS 0 1

SSH Updates

Any options that have (prompt) means you will be prompted to specify your own custom value if -u was not used as an argument.

Option Original Value New Value
Port 22 222 (prompt)
UseDNS yes no

cPanel Config Updates

Option Original Value New Value
Shell Fork Bomb Protection Disabled Enabled
Compiler Access Enabled Disabled
Root Forwarder Email None User Specified (prompt)

Pure FTP Updates

Option Original Value New Value Result
RootPassLogins yes no Can't login with root pw
AnonymousCantUpload no yes Anonymous can't upload
NoAnonymous no yes Anonymous can't login

cPanel Tweak Settings Updates

Option Original Value New Value
BoxTrapper Enabled Disabled
Referrer Blank Sanity Check Disabled Enabled
Referrer Safety Check Disabled Enabled
Hide Login PW from CGI Scripts Disabled Enabled
Max Emails Account Can Send Per Hour Unlimited 199
Restrict outgoing SMTP to root, exim, and mailman Enabled Disabled
Proxy Subdomains (whm.example.com, etc) Enabled Disabled

MySQL Settings Updates

Option Original Value New Value
local-infile 1 0

PHP Configuration Updates

Option Original Value New Value
enable_dl On Off
disable_functions None show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set

Apache Global Configuration Updates

Option Original Value New Value
Server Signature On Off
Server Tokens All ProductOnly
Trace Enable On Off

CloudFlare RailGun Configuration

Option Original Value New Value
memcached.servers /tmp/memcached.sock /var/run/memcached/memcached.sock
activation.railgun_host YOUR_PUBLIC_IP_OR_HOSTNAME (user defined)
activation.token YOUR_TOKEN_HERE (user defined)

CloudFlare RailGun MemCached Configurations

Option Original Value New Value
PORT 11211 22222
USER memcached memcached
MAXCONN 1024 20480
CACHESIZE 64 4096
OPTIONS -s /var/run/memcached/memcached.sock

Caution

Use at your own risk, if you don't know what you're doing you should probably not be using this script. Myself and any contributors to this project take absolutely no responsibility for anything you do with this script. I strongly recommend reading the script so you understand what it does before using.

Change Log

1.5.0 (May 22, 2019)

Full Changelog

Implemented enhancements:

  • Replace disable_functions in all /opt/cpanel/ea-phpXX/root/etc/php.ini where XX is PHP version
  • Replace enable_dl in all /opt/cpanel/ea-phpXX/root/etc/php.ini where XX is PHP version
  • Added installJetBackup function (not called by default)
  • Updated ClamAV version to 0.101.2
  • Updated ClamAV install from source now uses init for CentOS 7+
  • Added libjson-c-dev libcurl-devel for clamsubmit support
  • Added version output in header display

Bug Fixes:

  • Fixed PHP replacement for disable_functions not replacing entire line if functions already defined
  • Removed never implemented -m and --menu args
  • Check for -R or --functions at start of script execution
  • Updated Y/N check to y/N to signify N as default when nothing entered

1.4.0 (Feb 1, 2017)

Full Changelog

Implemented enhancements:

  • Added AfterLogic WebMail Lite installer
  • Added Let's Encrypt AutoSSL for cPanel installer
  • Added import for CloudFlare new public key
  • Added Disable Proxy Subdomains (whm.example.com, etc) to harden config call
  • Added Disable SMTP Restrictions to harden config call (when using CSF this should NOT be enabled)
  • Use hostname if nothing set at prompt or in file for RailGun Host
  • Moved CloudFlare RailGun install process and config process to separate functions

Bug Fixes:

  • Fixed/Updated URL to download ConfigServer Firewall install file
  • Fixed incorrect function call for MySQL Tuner install

Other:

  • Removed prompt to install CleanBackups
  • Removed prompt to install PHP.ini Manager
  • Removed prompt to install Account DNS Check

About

Intuitive bash/shell script to setup and harden/configure cPanel CentOS/RHEL server with ConfigServer Firewall, MailManage, MailQueue, Malware Detect, ClamAV, mod_cloudflare, CloudFlare RailGun, and many more applications and security tweaks

Topics

Resources

Stars

Watchers

Forks

Packages

No packages published