cPanel Server Security Tips and Tutorial
This tutorial lists several tips to make your cPanel & WHM installation more secure.
Warning!! Exercise extreme caution when following these tips. the author or vpsserver.com takes no responsibility to individual servers or the security practices mentioned in this guide. Each server is a collection of compromises which means that any server that allows connections could be insecure.
Use Secure Passwords
insecure passwords are one common security vulnerability. If an account password is insecure and compromised client sites can be defaced, hacked and valuable data can be stolen.
Always change your password as often as possible. Here are more tips to making a secure password.
- Passwords should be alphanumeric and grammatical.
- Passwords should be in 10 or more characters.
- Do not use the same password for other sites.
- Do not let your browser store your passwords.
- Do not use names of your family, birthdate or numbers special to you.
- Do not use any dictionary words in your password.
- Generate a random password, some password generator sites include passwordsgenerator.net. They provide options to generate password with special characters.
Use secure SSH Keys
Change the way you login to your servers shell from passwords to SSH keys. SSH keys are more secure and require a special pass phrase to be used. To generate an SSH key login to WHM > Security Center Section > Manage rootâs SSH Keys.
Click on Generate a New Key, enter the key name and your secure password twice.
Move SSH to a Different Port
Try to move your ssh to a different port to deter anyone without any specific knowledge of your server from easily discovering your ssh port. Most visitors search on port 22 which is the default ssh port.
Always use ports below 1024 since these are privilege ports and only root can use them. Anything above port 1024 can be used by anyone.
To move your ssh to a different port login to your server command line as root and open 'sshd_config'.
Uncomment and change:
then restart sshd:
service sshd restart
As an example we have changed the default ssh port 22 to port 102.
Note: It is important to allow the new port in the server firewall. Make sure not to close the current ssh connection while testing the new port to avoid any unnecessary outcome.
Enable CPHulk Brute Force Protection
CPHUlk is a service that protects your server from brute force attacks. A brute force attack is a hacking method that uses an automated system to guess the password to your web server or services.
When CPHulk blocks an attack it shows in the login page that the 'login is invalid'. To avoid getting locked out of your own server, add your ip address to the whitelist.
You can access CPHulk thru WHM > Security Center section > cPHulk Brute Force Protection.
Turn off unused services and daemons
Any service or daemon that allows connections to your server may also allow hackers to gain access. To reduce security risks, disable all services and daemons that you do not use.
Disable any services that are not in use in WHM's Service Manager interface (Home >> Service Configuration >> Service Manager).
Secure your Apache
The most readily-available way to access a web server is the web server application. You must secure your Apache installation.
One of the best tools that you can use to prevent malicious Apache use is ModSecurityâ¢.
In cPanel & WHM version 11.46 and later, you can use the following interfaces to manage ModSecurity:
- WHM's ModSecurityâ¢ Tools interface (Home >> Security Center >> ModSecurityâ¢ Tools).
- WHM's ModSecurityâ¢ Configuration interface (Home >> Security Center >> ModSecurityâ¢ Configuration).
If your PC is connected to the Internet, you are a potential target to an array of cyber threats, such as hackers, keyloggers, and Trojans that attack through unpatched security holes. This means that if you, like most people shop and bank online, are vulnerable to identity theft and other malicious attacks.
A firewall works as a barrier, or a shield, between your PC and cyber space. When you are connected to the Internet, you are constantly sending and receiving information in small units called packets. The firewall filters these packets to see if they meet certain criteria set by a series of rules, and thereafter blocks or allows the data. This way, hackers cannot get inside and steal information such as bank account numbers and passwords from you.
Once such firewall you can install for WHM/cPanel is CSF (ConfigServe Firewall). CSF configures your server's firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites. ConfigServe Firewall also comes with a service called Login Failure Daemon, or LFD.
To install CSF follow the commands below:
rm -fv csf.tgz
tar -xzf csf.tgz
Next, test whether you have the required iptables modules:
Login to your WHM and you will now see a CSF configuration page in the Plugins section. To configure CSF you can follow the steps taken on the tutorial Installing and Configuring CSF on CentOS 7.
Harden your /tmp partition
We recommend that you use a separate /tmp partition that you mount with the nosuid option. This option forces a process to run with the privileges of its executor. You may also wish to mount the /tmp directory with noexec after you install cPanel & WHM.
To mount your /tmp partition to a temporary file for extra security you will have to run:
Note: make sure that disk space is enough for the partitions. 8GB minimumfor /usr and 16GB for /var is recommended. Anyting under the recommended disk space will result in some issues later on. You can read cPanel Advanced Partitioning Guide for more information.
Disable system compilers
Most users do not require the use of C and C++ compilers. We strongly recommend that you disable compilers for all users who are not in the compilers group in the /etc/group file. Many pre-packaged exploits require functional compilers.
To disable compilers from the WHM interface, use WHM's Compiler Access interface (Home >> Security Center >> Compiler Access).
To disable compilers from the command line, run the following command as the root user: