# Server Security Hardening Plan

**Server:** srv.srv1006020.hstgr.cloud (72.60.193.167)
**OS:** AlmaLinux 9.7 / cPanel WHM
**Created:** 2026-05-16
**Status:** In Progress

---

## Phase 1 -- Critical (Immediate)

### Step 1.1 -- Block IPv6 Sensitive Ports
- [ ] Task 1.1.1 Block MySQL port 3306 (IPv6): ip6tables -I INPUT -p tcp --dport 3306 -j DROP
- [ ] Task 1.1.2 Block Hermes Dashboard port 9119 (IPv6): ip6tables -I INPUT -p tcp --dport 9119 -j DROP
- [ ] Task 1.1.3 Block OpenClaw port 18789 (IPv6): ip6tables -I INPUT -p tcp --dport 18789 -j DROP
- [ ] Task 1.1.4 Save ip6tables rules (persist on reboot)
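Added example code for Step 1.1 (not part of the original plan): it inserts the three DROP rules only when they are absent, so it can be re-run without stacking duplicates, saves the ruleset and checks it. It assumes the iptables-services package restores /etc/sysconfig/ip6tables at boot; the IP6T_SAVE_CMD and IP6T_SAVE_FILE variables exist only so the script can be rehearsed without touching the live firewall.

```shell
#!/bin/sh
# Step 1.1: DROP the MySQL, Hermes and OpenClaw ports on IPv6 and persist the
# rules. Assumes iptables-services is installed and ip6tables.service enabled,
# so /etc/sysconfig/ip6tables is restored at boot (Task 1.1.4).
set -eu

BLOCKED_PORTS="3306 9119 18789"                    # Tasks 1.1.1 to 1.1.3
IP6T_SAVE_FILE="${IP6T_SAVE_FILE:-/etc/sysconfig/ip6tables}"
IP6T_SAVE_CMD="${IP6T_SAVE_CMD:-ip6tables-save}"   # overridable for a dry run

# Insert a DROP rule for one TCP port unless an identical rule already exists,
# so re-running the script never stacks duplicates. Returns 1 if nothing changed.
block6_port() {
    if ip6tables -C INPUT -p tcp --dport "$1" -j DROP 2>/dev/null; then
        return 1
    fi
    ip6tables -I INPUT -p tcp --dport "$1" -j DROP
}

# Apply all rules; BLOCK6_ADDED ends up holding the number of new rules.
block6_all() {
    BLOCK6_ADDED=0
    for port in $BLOCKED_PORTS; do
        if block6_port "$port"; then
            BLOCK6_ADDED=$((BLOCK6_ADDED + 1))
        fi
    done
}

# Task 1.1.4: write the live ruleset where ip6tables.service reloads it from.
save6_rules() {
    "$IP6T_SAVE_CMD" > "$IP6T_SAVE_FILE"
    chmod 600 "$IP6T_SAVE_FILE"
}

# Fail unless every listed port is covered by a DROP rule.
verify6_rules() {
    for port in $BLOCKED_PORTS; do
        ip6tables -C INPUT -p tcp --dport "$port" -j DROP 2>/dev/null || return 1
    done
}

if [ "${1:-}" = "apply" ]; then
    block6_all
    save6_rules
    verify6_rules && echo "IPv6 DROP rules persisted for ports: $BLOCKED_PORTS (new: $BLOCK6_ADDED)"
fi
```

Run it as root with the single argument `apply`; `-I` places each rule at the top of INPUT, ahead of any ACCEPT rule another tool may append later.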

### Step 1.2 -- Disable rpcbind
- [ ] Task 1.2.1 Stop rpcbind service: systemctl stop rpcbind rpcbind.socket
- [ ] Task 1.2.2 Disable on boot: systemctl disable rpcbind rpcbind.socket
- [ ] Task 1.2.3 Verify port 111 is closed

### Step 1.3 -- Remove Dangerous sudo Rules
- [ ] Task 1.3.1 Remove almalinux user NOPASSWD:ALL: delete /etc/sudoers.d/90-cloud-init-users
- [ ] Task 1.3.2 Verify almalinux cannot sudo without password
- [ ] Task 1.3.3 Lock almalinux account if unused: passwd -l almalinux

### Step 1.4 -- Enable SELinux
- [ ] Task 1.4.1 Set permissive mode first: edit /etc/selinux/config -> SELINUX=permissive
- [ ] Task 1.4.2 Relabel filesystem: fixfiles -F onboot
- [ ] Task 1.4.3 Reboot and review SELinux logs
- [ ] Task 1.4.4 Verify cPanel / Apache / OpenClaw / Hermes all work correctly
- [ ] Task 1.4.5 Switch to enforcing mode and reboot to confirm

---

## Phase 2 -- High (This Week)

### Step 2.1 -- Apply System Security Updates
- [ ] Task 2.1.1 Update all packages: dnf update -y
- [ ] Task 2.1.2 Verify kernel updated to 5.14.0-611.54.3
- [ ] Task 2.1.3 Reboot to load new kernel
- [ ] Task 2.1.4 Update Apache via WHM (ea-apache24 -> 2.4.67)
- [ ] Task 2.1.5 Verify all services running after reboot

### Step 2.2 -- Disable Direct Root SSH Login
- [ ] Task 2.2.1 Create new sudo user (e.g. dayops) with SSH key
- [ ] Task 2.2.2 Verify new user can SSH and sudo
- [ ] Task 2.2.3 Edit /etc/ssh/sshd_config: PermitRootLogin no
- [ ] Task 2.2.4 Restart sshd and verify new user login works

### Step 2.3 -- Disable Plaintext Mail Protocols
- [ ] Task 2.3.1 Disable IMAP port 143 (plaintext) in Dovecot
- [ ] Task 2.3.2 Disable POP3 port 110 (plaintext) in Dovecot
- [ ] Task 2.3.3 Verify IMAPS (993) and POP3S (995) still work
- [ ] Task 2.3.4 Block ports 110 and 143 via iptables / ip6tables

### Step 2.4 -- Harden cPanel PHP84 Settings
- [ ] Task 2.4.1 Set expose_php = Off in /usr/local/cpanel/3rdparty/php/84/etc/php.ini
- [ ] Task 2.4.2 Set allow_url_fopen = Off
- [ ] Task 2.4.3 Set disable_functions = exec,passthru,shell_exec,system,proc_open,popen
- [ ] Task 2.4.4 Configure open_basedir to restrict directory access
- [ ] Task 2.4.5 Restart PHP84-FPM and verify

---

## Phase 3 -- Medium (Soon)

### Step 3.1 -- Kernel sysctl Network Hardening
- [ ] Task 3.1.1 Create /etc/sysctl.d/99-hardening.conf with:
  - net.ipv4.conf.all.rp_filter = 1         (prevent IP spoofing)
  - net.ipv4.conf.all.accept_redirects = 0  (block ICMP redirects)
  - net.ipv6.conf.all.accept_redirects = 0
  - net.ipv4.conf.all.log_martians = 1      (log malformed packets)
  - net.ipv4.conf.default.log_martians = 1
- [ ] Task 3.1.2 Apply: sysctl -p /etc/sysctl.d/99-hardening.conf
- [ ] Task 3.1.3 Verify settings applied
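Added example code for Step 3.1 (not the plan's own): it writes the drop-in from Task 3.1.1, applies it, and for Task 3.1.3 reads every key back from the file and compares it with the running value, because sysctl -p reports a bad or unavailable key but still loads the rest. The SYSCTL_CMD and SYSCTL_CONF variables are assumptions of this example that let the check be rehearsed against a stand-in.

```shell
#!/bin/sh
# Step 3.1: write the sysctl drop-in from Task 3.1.1, apply it, and confirm the
# running kernel reports every value (Task 3.1.3). SYSCTL_CMD is a seam so the
# check can be rehearsed against a stand-in before a live run.
set -eu

SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.d/99-hardening.conf}"
SYSCTL_CMD="${SYSCTL_CMD:-sysctl}"

# Task 3.1.1: the five settings from the plan, with the reason for each.
write_sysctl_conf() {
    cat > "$SYSCTL_CONF" <<'EOF'
# Reverse-path filtering: drop packets whose source address is not routable
# back through the interface they arrived on (anti-spoofing).
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP redirects so a neighbour cannot rewrite this host's routes.
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Log packets with impossible source addresses ("martians") for review.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
}

# Task 3.1.2: load the file into the running kernel.
apply_sysctl_conf() { "$SYSCTL_CMD" -p "$SYSCTL_CONF"; }

# Task 3.1.3: sysctl -p reports a bad or unavailable key but keeps going, so
# read each key = value pair back from the file and compare it with sysctl -n.
# Prints every mismatch and returns 1 if there is at least one.
verify_sysctl_conf() {
    mismatches=$(
        sed -n 's/^[[:space:]]*\([a-z][^#= ]*\)[[:space:]]*=[[:space:]]*\([^ ]*\).*/\1 \2/p' "$SYSCTL_CONF" |
        while read -r key want; do
            have=$("$SYSCTL_CMD" -n "$key" 2>/dev/null || echo "unset")
            [ "$have" = "$want" ] || echo "$key: want $want, have $have"
        done
    )
    [ -z "$mismatches" ] || { printf '%s\n' "$mismatches"; return 1; }
}

if [ "${1:-}" = "apply" ]; then
    write_sysctl_conf && apply_sysctl_conf && verify_sysctl_conf && echo "sysctl hardening verified"
fi
```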

### Step 3.2 -- Configure auditd Rules
- [ ] Task 3.2.1 Install audit package: dnf install -y audit
- [ ] Task 3.2.2 Add rules to monitor /etc/passwd, /etc/sudoers, SSH config changes
- [ ] Task 3.2.3 Monitor privileged commands (sudo, su)
- [ ] Task 3.2.4 Restart auditd and verify rules loaded
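Added example code for Step 3.2 (not part of the plan): the audit rule syntax for the objects named in Tasks 3.2.2 and 3.2.3, the load step for Task 3.2.4, and a check that the keys are in the live ruleset. The rules file name, the key names and the AUDITCTL_CMD seam are this example's own choices.

```shell
#!/bin/sh
# Step 3.2: write the rules for Tasks 3.2.2/3.2.3, load them, check the keys.
# Assumptions: rules file name and key names are this example's own choices.
set -eu

AUDIT_RULES="${AUDIT_RULES:-/etc/audit/rules.d/50-hardening.rules}"
AUDITCTL_CMD="${AUDITCTL_CMD:-auditctl}"
AUDIT_KEYS="identity sudoers sshd privileged"

write_audit_rules() {
    cat > "$AUDIT_RULES" <<'EOF'
## Task 3.2.2: write/attribute changes to identity, sudo and SSH configuration.
## -k tags the events so "ausearch -k sudoers" pulls them out later.
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /etc/ssh/sshd_config -p wa -k sshd
-w /etc/ssh/sshd_config.d/ -p wa -k sshd
## Task 3.2.3: every execution of sudo/su by a real login session
## (auid>=1000 skips daemons, auid!=unset skips sessions without a login uid).
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
EOF
    chmod 640 "$AUDIT_RULES"
}

# Task 3.2.4: augenrules merges rules.d/ into audit.rules and loads it; the
# restart has to go through "service", since systemctl refuses to stop auditd.
load_audit_rules() {
    augenrules --load
    service auditd restart
}

# Every key must show up in the live ruleset (watches print -k, syscall
# rules print -F key=).
verify_audit_rules() {
    loaded=$("$AUDITCTL_CMD" -l)
    for key in $AUDIT_KEYS; do
        case "$loaded" in
            *"-k $key"*|*"key=$key"*) ;;
            *) echo "audit key not loaded: $key"; return 1 ;;
        esac
    done
}

if [ "${1:-}" = "apply" ]; then
    write_audit_rules && load_audit_rules && verify_audit_rules && echo "audit rules active"
fi
```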

### Step 3.3 -- Expand fail2ban Jails
- [ ] Task 3.3.1 Add apache-auth jail (block Apache brute force)
- [ ] Task 3.3.2 Add apache-badbots jail (block malicious crawlers)
- [ ] Task 3.3.3 Add dovecot jail (block mail brute force)
- [ ] Task 3.3.4 Add exim jail (block SMTP brute force)
- [ ] Task 3.3.5 Verify all jails running: fail2ban-client status
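Added example code for Step 3.3 (not from the plan): a jail.d drop-in covering Tasks 3.3.1 to 3.3.4 plus a check for Task 3.3.5 that parses the "Jail list:" line of fail2ban-client status. Assumptions: the cPanel/EA4 log locations (/etc/apache2/logs/*, /var/log/maillog, /var/log/exim_mainlog), the filters that ship with fail2ban, and a 3-attempt / 24h policy copied from the existing SSH jail; F2B_CLIENT and F2B_JAIL_FILE exist so the check can be rehearsed against a stand-in.

```shell
#!/bin/sh
# Step 3.3: add the four jails as a jail.d drop-in, reload, and check that
# fail2ban-client lists every expected jail (Task 3.3.5).
set -eu

F2B_JAIL_FILE="${F2B_JAIL_FILE:-/etc/fail2ban/jail.d/50-cpanel-services.local}"
F2B_CLIENT="${F2B_CLIENT:-fail2ban-client}"
F2B_EXPECTED_JAILS="sshd apache-auth apache-badbots dovecot exim"

# Tasks 3.3.1 to 3.3.4; log paths are the cPanel/EA4 defaults (an assumption).
write_f2b_jails() {
    cat > "$F2B_JAIL_FILE" <<'EOF'
[apache-auth]
enabled = true
port = http,https
logpath = /etc/apache2/logs/error_log
maxretry = 3
bantime = 24h
[apache-badbots]
enabled = true
port = http,https
logpath = /etc/apache2/logs/access_log
maxretry = 1
bantime = 24h
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps
logpath = /var/log/maillog
maxretry = 3
bantime = 24h
[exim]
enabled = true
port = smtp,465,submission
logpath = /var/log/exim_mainlog
maxretry = 3
bantime = 24h
EOF
}

reload_f2b() { "$F2B_CLIENT" reload; }

# Task 3.3.5: fail on the first expected jail missing from "Jail list:".
verify_f2b_jails() {
    jails=$("$F2B_CLIENT" status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr -d ',')
    for jail in $F2B_EXPECTED_JAILS; do
        case " $jails " in *" $jail "*) ;; *) echo "jail not running: $jail"; return 1 ;; esac
    done
}
```

As root, call write_f2b_jails, reload_f2b and verify_f2b_jails in that order.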

### Step 3.4 -- Restrict MariaDB User Grants
- [ ] Task 3.4.1 Remove remote host grants for dmxhk user (keep localhost only)
- [ ] Task 3.4.2 Verify dmxhk can still connect locally
- [ ] Task 3.4.3 Run FLUSH PRIVILEGES
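Added example code for Step 3.4 (not the plan's own): it lists the host entries for the user named in Task 3.4.1, generates one DROP USER per remote entry followed by FLUSH PRIVILEGES (Task 3.4.3), runs them, and then confirms only local entries remain (Task 3.4.2). It assumes MYSQL_CMD runs as an administrative account whose credentials come from ~/.my.cnf, so no password appears on the command line; the variable is also the seam for rehearsing against a stand-in.

```shell
#!/bin/sh
# Step 3.4: strip remote host entries from a MariaDB user so only local logins
# remain, then FLUSH PRIVILEGES. Assumption: MYSQL_CMD runs as an admin account
# with credentials from ~/.my.cnf, so no password appears on the command line.
set -eu

DB_USER="${DB_USER:-dmxhk}"          # user named in Task 3.4.1
MYSQL_CMD="${MYSQL_CMD:-mysql}"
TAB=$(printf '\t')

# Hosts whose grants are kept.
is_local_host() {
    case "$1" in localhost|127.0.0.1|::1) return 0 ;; *) return 1 ;; esac
}

# Read "user<TAB>host" rows (the format mysql -N prints) from stdin and emit one
# DROP USER per remote entry, then FLUSH PRIVILEGES (Task 3.4.3) if any were emitted.
revoke_sql() {
    dropped=0
    while IFS="$TAB" read -r user host; do
        [ "$user" = "$DB_USER" ] || continue
        is_local_host "$host" && continue
        printf "DROP USER '%s'@'%s';\n" "$user" "$host"
        dropped=$((dropped + 1))
    done
    if [ "$dropped" -gt 0 ]; then echo "FLUSH PRIVILEGES;"; fi
}

list_user_hosts() {
    "$MYSQL_CMD" -N -e "SELECT User, Host FROM mysql.user WHERE User = '$DB_USER'"
}

# Task 3.4.1: generate and execute the statements against the live server.
revoke_remote_grants() { list_user_hosts | revoke_sql | "$MYSQL_CMD"; }

# Task 3.4.2: succeed only if every remaining entry is a local host.
verify_local_only() {
    list_user_hosts | while IFS="$TAB" read -r user host; do
        is_local_host "$host" || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    revoke_remote_grants && verify_local_only && echo "$DB_USER is now local-only"
fi
```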

### Step 3.5 -- Restrict wp-toolkit sudo Permissions
- [ ] Task 3.5.1 Identify which commands wp-toolkit actually needs
- [ ] Task 3.5.2 Edit /etc/sudoers.d/48-wp-toolkit to allow specific commands only
- [ ] Task 3.5.3 Verify WP Toolkit functions correctly

---

## Progress

| Phase     | Tasks | Done | Progress            |
|-----------|-------|------|---------------------|
| Phase 1   |  13   |  0   | 0%                  |
| Phase 2   |  17   |  0   | 0%                  |
| Phase 3   |  20   |  0   | 0%                  |
| Total     |  50   |  0   | 0%                  |

---

## Already Completed (2026-05-16)

- [x] SSH password login disabled (key-only)
- [x] PermitRootLogin set to prohibit-password
- [x] fail2ban installed (SSH jail, 3 attempts = 24h ban)
- [x] iptables blocks port 3306 / 9119 / 18789 (IPv4)
- [x] iptables rules persisted on reboot
- [x] OpenClaw gateway bound to localhost only
- [x] claw.dmxhk.app / hermes.dmxhk.app reverse proxy configured
- [x] hermes.dmxhk.app Basic Auth protection enabled
- [x] /tmp disk expanded from 608MB to 16GB
