ConfigServer Security & Firewall - csf v5.40

Server Check report

Firewall Check | Status | Comment
Check whether csf is enabled | OK
Check csf is running | OK
Check whether csf is in TESTING mode | OK
Check csf AUTO_UPDATES option | WARNING | To keep csf up to date and secure you should enable AUTO_UPDATES. You should also monitor our blog
Check whether lfd is enabled | OK
Check incoming MySQL port | OK
Check csf SMTP_BLOCK option | OK
Check csf LF_SCRIPT_ALERT option | OK
Check csf LF_SSHD option | OK
Check csf LF_FTPD option | OK
Check csf LF_SMTPAUTH option | OK
Check csf LF_POP3D option | OK
Check csf LF_IMAPD option | OK
Check csf LF_HTACCESS option | OK
Check csf LF_MODSEC option | OK
Check csf LF_CPANEL option | OK
Check csf LF_CPANEL_ALERT option | OK
Check csf LF_DIRWATCH option | OK
Check csf LF_INTEGRITY option | OK
Check csf PT_SKIP_HTTP option | OK
Check csf PT_ALL_USERS option | OK
Check csf SAFECHAINUPDATE option | OK
RT_RELAY_LIMIT sanity check | WARNING | RT_RELAY_LIMIT = 3. Recommended range: 10-10000 (Default: 100)
RT_AUTHRELAY_LIMIT sanity check | WARNING | RT_AUTHRELAY_LIMIT = 3. Recommended range: 10-10000 (Default: 100)
RT_POPRELAY_LIMIT sanity check | WARNING | RT_POPRELAY_LIMIT = 3. Recommended range: 10-10000 (Default: 100)
RT_LOCALRELAY_LIMIT sanity check | WARNING | RT_LOCALRELAY_LIMIT = 3. Recommended range: 10-10000 (Default: 100)
RT_LOCALHOSTRELAY_LIMIT sanity check | WARNING | RT_LOCALHOSTRELAY_LIMIT = 3. Recommended range: 10-10000 (Default: 100)
DEBUG sanity check | WARNING | DEBUG = 1. Recommended range: 0 (Default: 0)

Server Check | Status | Comment
Check /tmp permissions | OK
Check /tmp ownership | OK
Check /tmp is mounted as a filesystem | OK
Check /tmp is mounted noexec,nosuid | OK
Check /etc/cron.daily/logrotate for /tmp noexec workaround | WARNING | Due to a bug in logrotate, if /tmp is mounted with the noexec option you need to have logrotate use a different temporary directory. If you don't do this, syslog may not restart correctly and will write to the wrong (older) log files. See here for a way to do this
Check /var/tmp permissions | OK
Check /var/tmp ownership | OK
Check /var/tmp is mounted as a filesystem or is a symlink to /tmp | OK
Check /usr/tmp permissions | OK
Check /usr/tmp ownership | OK
Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp | OK
Check /dev/shm is mounted noexec,nosuid | OK
Check for DNS recursion restrictions | OK
Check for DNS random query source port | OK
Check server runlevel | OK
Check nobody cron | OK
Check Operating System support | OK
Check perl version | OK
Check MySQL version | OK
Check MySQL LOAD DATA disallows LOCAL | OK
Check SUPERUSER accounts | OK
Check for cxs | OK
Check for IPv6 | OK
Check for kernel logger | OK

SSH/Telnet Check | Status | Comment
Check SSHv1 is disabled | OK
Check SSH on non-standard port | WARNING | You should consider moving SSH to a non-standard port [currently: 22] to evade basic SSH port scans. Don't forget to open the port in the firewall first!
Check SSH PasswordAuthentication | WARNING | For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication
Check SSH UseDNS | OK
Check telnet port 23 is not in use | OK
Check shell limits | OK
Check Background Process Killer | OK

Mail Check | Status | Comment
Check root forwarder | OK
Check exim for extended logging (log_selector) | OK
Check exim weak SSL/TLS Ciphers (tls_require_ciphers) | OK
Check for maildir conversion | OK
Check dovecot weak SSL/TLS Ciphers (ssl_cipher_list) | OK

Apache Check | Status | Comment
Check apache version | OK
Check suPHP | OK
Check Suexec | OK
Check apache for mod_security | OK
Check apache for FrontPage | OK
Check apache for RLimitCPU | OK
Check apache for RLimitMEM | OK
Check Apache weak SSL/TLS Ciphers (SSLCipherSuite) | OK
Check apache for TraceEnable | OK
Check apache for ServerSignature | OK
Check apache for ServerTokens | OK
Check apache for FileETag | OK
Check mod_userdir protection | OK

PHP Check | Status | Comment
Check php version (/usr/local/bin/php) | OK
Check php for enable_dl or disabled dl() | OK
Check php for disable_functions | OK
Check php for ini_set disabled | WARNING | You should consider adding ini_set to the disable_functions in the PHP configuration, as this setting allows PHP scripts to override global security and performance settings for PHP scripts. Adding ini_set can break PHP scripts, and commenting out any use of ini_set in such scripts is advised
Check php for register_globals | OK
Check php for Suhosin | OK
Check php open_basedir protection | OK

WHM Settings Check | Status | Comment
Check cPanel login is SSL only | OK
Check boxtrapper is disabled | OK
Check max emails per hour is set | OK
Check whether users can reset passwords via email | OK
Check whether native cPanel SSL is enabled | OK
Check compilers | OK
Check Anonymous FTP Logins | OK
Check Anonymous FTP Uploads | OK
Check pure-ftpd weak SSL/TLS Ciphers (TLSCipherSuite) | OK
Check FTP Logins with Root Password | OK
Check allow remote domains | OK
Check block common domains | OK
Check allow park domains | OK
Check proxy subdomains | WARNING | This option can mask a user's real IP address and hinder security. You should disable WHM > Tweak Settings > Proxy subdomains
Check proxy subdomains for new users | WARNING | This option can mask a user's real IP address and hinder security. You should disable WHM > Tweak Settings > Proxy subdomain creation
Check cPAddons update email to owner | OK
Check cPAddons update email to root | OK
Check cPanel tree | WARNING | Running EDGE/BETA on a production server could lead to server instability
Check cPanel updates | WARNING | You have cPanel updating disabled; this can pose a security and stability risk. WHM > Update Config > cPanel/WHM Updates > Daily Updates > Update cPanel & WHM daily
Check package updates | OK
Check security updates | OK
Check melange chat server | OK
Check Accounts that can access a cPanel user account | WARNING | You should consider setting this option to "user" after use. WHM > Tweak Settings > Accounts that can access a cPanel user account
Check cPanel php for register_globals | OK
Check cPanel php.ini file for register_globals | OK
Check cPanel passwords in email | OK
Check core dumps | OK
Check Cookie IP Validation | OK
Check MD5 passwords with Apache | OK
Check Referrer Blank Security | OK
Check Referrer Security | OK
Check HTTP Authentication | OK
Check Security Tokens | OK
Check Parent Security | OK
Check Domain Lookup Security | OK
Check SMTP Tweak | OK
Check nameservers | WARNING | At least one of the configured nameservers (ns2.webumake.net, ns1.webumake.net) should be located in a topologically and geographically dispersed location on the Internet - See RFC 2182 (Section 3.1)

Server Services Check | Status | Comment
Check server startup for cups | OK
Check server startup for xfs | OK
Check server startup for atd | OK
Check server startup for nfslock | OK
Check server startup for canna | OK
Check server startup for FreeWnn | OK
Check server startup for cups-config-daemon | OK
Check server startup for iiim | OK
Check server startup for mDNSResponder | OK
Check server startup for nifd | OK
Check server startup for rpcidmapd | OK
Check server startup for bluetooth | OK
Check server startup for anacron | OK
Check server startup for gpm | OK
Check server startup for saslauthd | OK
Check server startup for avahi-daemon | OK
Check server startup for avahi-dnsconfd | OK
Check server startup for hidd | OK
Check server startup for pcscd | OK
Check server startup for sbadm | OK

Your Score: 124/141*

*This scoring does not necessarily reflect the security of your server or the relative merits of each check


©2006-2011, ConfigServer Services (Way to the Web Limited)