How to Harden Your cPanel System's Kernel

 

Important:

  • The cPanel-provided kernel update will not work for OpenVZ®, Virtuozzo®, LXC, or other container-based systems.
  • This document only applies to systems that run 64-bit CentOS 6.
  • cPanel & WHM does not automatically update the operating system kernel. Unattended system kernel updates may cause unplanned reboots or system failures.
  • We strongly suggest that only experienced System Administrators perform this process.
  • Do not perform these steps if you are using KernelCare™, KernelSplice or similar technologies.

Harden your system's kernel

To harden your cPanel system's kernel, log in to your server as the root user via SSH and perform the following steps:


 

 

Retrieve the repository from cPanel

After you log in to your server, download the signed kernel repository from the securedownloads.cpanel.net site. To do this, run the following command:

This command returns output that resembles the following example:

Resolving securedownloads.cpanel.net... 1.2.3.4
Connecting to securedownloads.cpanel.net|1.2.3.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 221 [text/plain]
Saving to: “cPkernel.repo”
100%[=====================================>] 1,235 --.-K/s in 0s
2016-04-22 12:59:10 (28.8 MB/s) - “cPkernel.repo” saved [1235]

  


 

 

Update the kernel

After you download the signed kernel repository, update the kernel on your system. To do this, run the following command:

yum -y update kernel

This command returns output that resembles the following example:

Loaded plugins: fastestmirror
Setting up Update Process
Determining fastest mirrors
epel/metalink                                            |  10 kB     00:00
 * base: repos.mia.quadranet.com
 * epel: reflector.westga.edu
 * extras: mirror.5ninesolutions.com
 * updates: mirror.us.oneandone.net
base                                                     | 3.7 kB     00:00
cPkernel                                                 | 2.9 kB     00:00 ...
cPkernel/primary_db                                      | 1.5 MB     00:01
epel                                                     | 4.3 kB     00:00
http://reflector.westga.edu/repos/Fedora-EPEL/6/x86_64/repodata/repomd.xml: [Errno -1] repomd.xml does not match metalink for epel
Trying other mirror.
epel                                                     | 4.3 kB     00:00
epel/primary_db                                          | 5.9 MB     00:00
extras                                                   | 3.4 kB     00:00
updates                                                  | 3.4 kB     00:00
updates/primary_db                                       | 2.0 MB     00:00
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:2.6.32-642.4.199.cpanel6 will be installed
--> Processing Dependency: kernel-firmware >= 2.6.32-642.4.199.cpanel6 for package: kernel-2.6.32-642.4.199.cpanel6.x86_64
--> Running transaction check
---> Package kernel-firmware.noarch 0:2.6.32-642.4.2.el6 will be updated
---> Package kernel-firmware.x86_64 0:2.6.32-642.4.199.cpanel6 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
================================================================================
 Package             Arch       Version                      Repository    Size
================================================================================
Installing:
 kernel              x86_64     2.6.32-642.4.199.cpanel6     cPkernel      32 M
Updating for dependencies:
 kernel-firmware     x86_64     2.6.32-642.4.199.cpanel6     cPkernel      28 M
 
Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       1 Package(s)
 
Total download size: 60 M
Downloading Packages:
(1/2): kernel-2.6.32-642.4.199.cpanel6.x86_64.rpm        |  32 MB     00:06 ...
(2/2): kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64.r |  28 MB     00:06 ...
--------------------------------------------------------------------------------
Total                                           4.8 MB/s |  60 MB     00:12
warning: rpmts_HdrFromFdno: Header V4 RSA/SHA512 Signature, key ID 7e931c7c: NOKEY
Importing GPG key 0c4F842D6D:
 Userid: "user@example.com"
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64              1/3
  Installing : kernel-2.6.32-642.4.199.cpanel6.x86_64                       2/3
adding symlink protection for user: nobody
Please reboot to enable symlink protection for user: nobody
  Cleanup    : kernel-firmware-2.6.32-642.4.2.el6.noarch                    3/3
  Verifying  : kernel-2.6.32-642.4.199.cpanel6.x86_64                       1/3
  Verifying  : kernel-firmware-2.6.32-642.4.199.cpanel6.x86_64              2/3
  Verifying  : kernel-firmware-2.6.32-642.4.2.el6.noarch                    3/3
 
Installed:
  kernel.x86_64 0:2.6.32-642.4.199.cpanel6
 
Dependency Updated:
  kernel-firmware.x86_64 0:2.6.32-642.4.199.cpanel6
 
Complete!

 


 

 

 

 

Restart the server

After you update the kernel, you must restart the system to complete the kernel update. To reboot the server, run the reboot command.

This command returns output that resembles the following example:

Broadcast message from user@example.com
(/dev/pts/0) at 13:02 ...
The system is going down for reboot NOW!
bash-4.1# Connection to example.com closed by remote host.

 


 

 

Verify the kernel update

After you reboot your server, verify that the cPanel Hardened Kernel update succeeded. To verify that your update was successful, log in to the server as the root user via SSH and run the uname command. This command returns output that resembles the following example:

[user@example.com ~]$ uname -r
*2.6.32-573.22.199.cpanel6.x86_64

If the command's output includes cpanel in the returned value, you successfully updated the kernel.
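
As an added example (not part of the cPanel documentation), the following shell function extends the uname check above: it compares the running release against the installed kernel packages to tell a finished update from one that still awaits a reboot. The function name, the state names and the stock el6 kernel line in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the state of a hardened-kernel update.
#
# kernel_state RUNNING INSTALLED
#   RUNNING   - the running release, as printed by `uname -r`
#   INSTALLED - newline-separated installed kernels, as printed by
#               rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'
# Prints one of:
#   hardened        running the newest installed cPanel kernel
#   stale           running a cPanel kernel, but a newer one is installed
#   reboot-pending  a cPanel kernel is installed, a stock kernel is running
#   not-installed   no cPanel kernel package is installed
kernel_state() {
    running=$1
    installed=$2
    # Newest installed cPanel build, chosen by version sort (GNU sort -V).
    newest=$(printf '%s\n' "$installed" | grep 'cpanel' | sort -V | tail -n 1)
    if [ -z "$newest" ]; then
        echo not-installed
        return 0
    fi
    case $running in
        "$newest") echo hardened ;;
        *cpanel*)  echo stale ;;
        *)         echo reboot-pending ;;
    esac
}

# Constructed sample input: the cpanel6 version comes from the yum output
# shown earlier; the stock el6 kernel line is made up for illustration.
sample_installed='2.6.32-642.4.2.el6.x86_64
2.6.32-642.4.199.cpanel6.x86_64'

# State right after `yum -y update kernel`, before the reboot:
kernel_state '2.6.32-642.4.2.el6.x86_64' "$sample_installed"
# State after the reboot:
kernel_state '2.6.32-642.4.199.cpanel6.x86_64' "$sample_installed"

# On a live server, feed it the real values instead:
#   kernel_state "$(uname -r)" \
#       "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')"
```

A result of stale or reboot-pending means the package is on disk but the hardened kernel is not the one that is running.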

 

 

 