Intuitive bash/shell script to set up and harden/configure a cPanel CentOS/RHEL server with ConfigServer Firewall, MailManage, MailQueue, Malware Detect, ClamAV, mod_cloudflare, CloudFlare RailGun, and many more applications and security tweaks
Author: Myles McNamara
Version: 1.5.0
Last Update: May 22, 2019
cpsetup is a custom bash/shell script to set up and harden/configure a cPanel CentOS/RHEL server with a wide range of applications, plugins, and modules. This script will also install cPanel if it's not already installed.
Each installation and configuration/hardening is organized into functions. By default, running the script without any arguments will prompt for each install/configuration as well as for any required configs (email, API key, etc.).
You can also run any of the available functions individually. To see a list of available functions, execute this command:
./cpsetup --functions
wget https://github.com/tripflex/cpsetup/raw/master/cpsetup
chmod +x cpsetup
./cpsetup
Features Include:
Deprecated (but still available) Features/Functions:
Future Enhancements:
Name | Reason |
---|---|
Account DNS Check | Reported to no longer work on CentOS 7, or WHM > 11.52 |
PHP.INI Manager | WHM now has built in handling, and unsure of status of plugin |
Clean Backups | No longer works or updated? |
I decided to remove these from the auto install process because I either do not know the status of them (compatibility wise) with WHM, they are not compatible with latest release, or because the developers either do not provide ANY changelog, or even if they do, they don't even date the versions, which IMO is sloppy dev work, and as such, they do not belong in the auto install process.
cpsetup - sMyles cPanel Setup Script
Usage example:
./cpsetup [(-h|--help)] [(-v|--verbose)] [(-V|--version)] [(-u|--unattended)] [(-m|--menu)] [(-r|--run) value] [(-R|--functions)]
Options:
-h or --help: Displays this information.
-v or --verbose: Verbose mode on.
-V or --version: Displays the current version number.
-u or --unattended: Unattended installation ( bypasses all prompts ).
-r or --run: Run a specific function.
-R or --functions: Show available functions to use with -r or --run command.
Option | Original Value | New Value |
---|---|---|
RESTRICT_SYSLOG | 0 | 3 |
SMTP_BLOCK | 0 | 1 |
LF_SCRIPT_ALERT | 0 | 1 |
SYSLOG_CHECK | 0 | 1800 |
PT_ALL_USERS | 0 | 1 |
Any option marked (prompt) means you will be prompted to specify your own custom value if -u was not used as an argument.
Option | Original Value | New Value |
---|---|---|
Port | 22 | 222 (prompt) |
UseDNS | yes | no |
Option | Original Value | New Value |
---|---|---|
Shell Fork Bomb Protection | Disabled | Enabled |
Compiler Access | Enabled | Disabled |
Root Forwarder Email | None | User Specified (prompt) |
Option | Original Value | New Value | Result |
---|---|---|---|
RootPassLogins | yes | no | Can't login with root pw |
AnonymousCantUpload | no | yes | Anonymous can't upload |
NoAnonymous | no | yes | Anonymous can't login |
Option | Original Value | New Value |
---|---|---|
BoxTrapper | Enabled | Disabled |
Referrer Blank Sanity Check | Disabled | Enabled |
Referrer Safety Check | Disabled | Enabled |
Hide Login PW from CGI Scripts | Disabled | Enabled |
Max Emails Account Can Send Per Hour | Unlimited | 199 |
Restrict outgoing SMTP to root, exim, and mailman | Enabled | Disabled |
Proxy Subdomains (whm.example.com, etc) | Enabled | Disabled |
Option | Original Value | New Value |
---|---|---|
local-infile | 1 | 0 |
Option | Original Value | New Value |
---|---|---|
enable_dl | On | Off |
disable_functions | None | show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set |
Option | Original Value | New Value |
---|---|---|
Server Signature | On | Off |
Server Tokens | All | ProductOnly |
Trace Enable | On | Off |
Option | Original Value | New Value |
---|---|---|
memcached.servers | /tmp/memcached.sock | /var/run/memcached/memcached.sock |
activation.railgun_host | YOUR_PUBLIC_IP_OR_HOSTNAME | (user defined) |
activation.token | YOUR_TOKEN_HERE | (user defined) |
Option | Original Value | New Value |
---|---|---|
PORT | 11211 | 22222 |
USER | memcached | memcached |
MAXCONN | 1024 | 20480 |
CACHESIZE | 64 | 4096 |
OPTIONS | | -s /var/run/memcached/memcached.sock |
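
To confirm that the values in the tables above are still in effect after WHM or package updates, the following sketch audits config files for drift. It is an added example, not part of cpsetup; the function names are hypothetical, and the csf.conf and sshd_config paths in `audit_host` are assumed default locations rather than paths taken from the script.

```shell
# Added example, not cpsetup's own code: audit configs against the tables above.

# get_setting FILE KEY [first|last]: print the value of KEY (last occurrence by default).
# Accepts `KEY = "v"`, `key=v` and `Key v`; skips lines starting with # or ;.
get_setting() {
    awk -v key="$2" -v mode="${3:-last}" '
        /^[ \t]*[#;]/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*=/ && rest !~ /^[ \t]+[^ \t]/) next
            if (mode == "first" && seen) next
            sub(/^[ \t]*=?[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
            gsub(/^"|"$/, "", rest)
            val = rest; seen = 1
        }
        END { if (seen) print val }
    ' "$1"
}

# check FILE KEY EXPECTED [first|last]: return 0 on match, else report the drift.
check() {
    actual=$(get_setting "$1" "$2" "${4:-last}")
    [ "$actual" = "$3" ] && return 0
    printf 'DRIFT %s: %s is "%s", expected "%s"\n' "$1" "$2" "${actual:-<unset>}" "$3"
    return 1
}

# missing_functions FILE NAME...: print required names absent from disable_functions.
# Containment, not equality: an admin may disable more than the table lists.
missing_functions() {
    file=$1; shift
    current=",$(get_setting "$file" disable_functions | tr -d ' \t'),"
    for f in "$@"; do
        case $current in *",$f,"*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

# audit_host: expected values come from the tables; file paths are assumptions.
audit_host() {
    rc=0
    check /etc/csf/csf.conf SMTP_BLOCK 1 || rc=1
    check /etc/ssh/sshd_config UseDNS no first || rc=1   # sshd: first occurrence wins
    for ini in /opt/cpanel/ea-php*/root/etc/php.ini; do
        check "$ini" enable_dl Off || rc=1
        [ -z "$(missing_functions "$ini" system shell_exec exec popen)" ] || rc=1
    done
    return "$rc"
}
```

Source the file and call `audit_host` as root; a non-zero return means at least one setting has drifted from the documented value.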
Use at your own risk, if you don't know what you're doing you should probably not be using this script. Myself and any contributors to this project take absolutely no responsibility for anything you do with this script. I strongly recommend reading the script so you understand what it does before using.
Implemented enhancements:
disable_functions in all /opt/cpanel/ea-phpXX/root/etc/php.ini where XX is PHP version
enable_dl in all /opt/cpanel/ea-phpXX/root/etc/php.ini where XX is PHP version
installJetBackup function (not called by default)
Bug Fixes:
disable_functions not replacing entire line if functions already defined
-m and --menu args
-R or --functions at start of script execution
Implemented enhancements:
Bug Fixes:
Other: