Important Tips To Make Your cPanel & WHM Based Server More Secure

Server security is a complex and multifaceted subject that can take years to fully understand and master.

Most administrators must diligently develop and deploy a vast array of security measures on their servers in order to prevent attacks and breaches.

The security measures in question can be as simple as requiring more secure passwords and as complex as deploying updated encryption protocols for stored data.

Luckily, however, cPanel server security falls more towards the “Simple” end of the server security spectrum.

Here are 15 easy ways to significantly improve your server security in only a matter of minutes.

1. Securing SSH

Though the SSH is an encrypted protocol, it is not impervious. Meaning that, as the administrator, you must exercise due diligence during configuration.

Here are three simple steps to increase the security of your SSH.

1.Change SSH Port

Keeping SSH on the default port 22 makes it vulnerable to brute force attacks. In order to prevent these attacks you should select a random port for SSH to make it more difficult for potential attackers to discern its location.

Here are the steps to change SSH port.

  1. Login to your server via SSH.
  2. Edit the SSH configuration file which is located at /etc/ssh/sshd_config by issuing the following command:
    nano /etc/ssh/sshd_config
  3. Set a random port for SSH connection at the following line.Original: Port 22
    New line: Port 2468
  4. Now, restart SSH service by executing following command:
    service sshd restart

2.Disable Root Login

To add an additional layer of security and further strengthen your SSH, you can disable the root user and create a separate user to access the server.

Here is how:

  1. Login to your server via SSH. Before disabling root login, we will create a user to access the server:
    adduser new_username_name
    passwd new_username_name
  2. You will be asked to set a password for this new user. Ensure that the password is as strong as possible (at least 10 characters with several numbers and symbols) and then add the new user in a wheel group granting it access to the server by using the following line of code.
    # usermod -aG wheel new_username_name
  3. Now, disable the root user. Edit the SSH configuration file which is located at /etc/ssh/sshd_config.
    nano /etc/ssh/sshd_config
  4. Change the line: “PermitRootLogin yes” to “PermitRootLogin no”
  5. Now, restart SSH service by executing following command.
    service sshd restart

3.Disable SSH V1

With the inception of SSHv2 making its predecessor SSHv1 all but obsolete, it is highly recommended that you disable the less secure and outdated SSH to improve your server’s security.

  1. Login to your server via SSH and edit the SSH configuration file which is located at /etc/ssh/sshd_config.
  2. Uncomment the following line.
    Protocol 2,1
  3. And change it to:
    Protocol 2
  4. Now, restart SSH service by executing following command:
     # service sshd restart

2. Enabling cPHulk Protection

A brute force attack is a hacking method that relies on an automated system to guess the password to your web server.

cPHulk is an easy to use service that will protect your server against most brute force attack.

To enable cPHulk, login to WHM→ Security Center → cPHulk Brute Force Protection and click on Enable.

You can now set custom rules based on the cPanel username, IP address and other parameters.

Once a set number of failed login attempts has been reached, cPHulk will block any further attempts from the IP address being used.

Note: If you have a static IP then it is highly recommended that you add it to the Whitelist Management so that you do not lock yourself out of your server.

3. Setup ConfigServer Firewall (CSF)

CSF (ConfigServer Security and Firewall) is one of the most popular firewalls for cPanel servers.

Not only does it act as a Firewall by scanning various authentication log files but it also scans your server on a regular basis and gives you personalized recommendations for improving your server’s security.

In addition to its primary features, CSF also gives you access to a number of useful features like “View System Logs”, IPTable Logs, IFD statistics and much more.

Installing ConfigServer Firewall

It is quite easy to install CSF in your server with cPanel. Please refer to our step by step guide on How to Install ConfigServer Firewall to cPanel/WHM?

Once you have followed the directions in our aforementioned guide, you can manage CSF directly from WHM.

To do so, login to your WHM, navigate to Plugins → ConfigServer Security & Firewall.

Here you will be presented with a number of options and measures that you can use to tighten up your security even further.

4. Setup ClamAV Antivirus

While Linux servers have a more “natural” resilience to viruses than their Windows based counterparts, it is still considered wise to install an additional antivirus application.

ClamAV, which is easy to install as a plugin on your server, is one of the most popular open source antivirus plugins for cPanel servers and allows individual users to scan their home directory and emails for potentially malicious files.

Again, for the sake of brevity, please refer to our step-by-step guide How to Install ClamAV plugin from WHM.

Once ClamAV is installed, you can scan any particular cPanel account with cPanel user level access. Here is our guide on How to run ClamAV virus scan from cPanel.

5. Switch to CloudLinux

CloudLinux, a paid replacement for the free CentOS is regarded as one of the most secure operating systems for cPanel servers.

With CloudLinux, you can increase the server density and stability by keeping cPanel accounts isolated from one another.

It accomplishes this feat by using LVE (Lightweight Virtualized Environment) which limits server resources like processing, memory, and connections for each user, thus ensuring that a single user cannot put the server stability at risk and cause all sites to slow down.

The OS “cages” users from one another to avoid any security breaches. Any unstable or compromised script or malware can not be spread across the server by any compromised account.

Following are the major security features of CloudLinux OS:

  1. CageFS
  2. HardenedPHP
  3. SecureLinks

CageFS

CageFS encapsulates each user, preventing users from seeing each other and reading sensitive information. It also prevents a large number of attacks including most of the privilege escalation and information disclosure attacks.

→ With CageFS users will have access to safe files only.
→ Users can not see server configuration files such as Apache config files.
→ Users can not view other users and have no way to detect the presence of other users.
→ Users can not see the processes of other users.

HardenedPHP

Old PHP version 5.2, 5.3, 5.4, while used widely, have vulnerabilities that are not patched by the PHP.net community.
The HardenedPHP in CloudLinux fixes those vulnerabilities and secures the old and unsupported versions.

→ It ensures the application and server are secured by patching all PHP versions.
→ It provides security and flexibility to all users.
→ It increases customer retention by not forcing upgrades to a newer PHP version
→ Offers selection of PHP version from multiple versions installed on the same web server with PHP selector option

SecureLinks

SecureLinks is kernel level technology which strengthens the server by preventing all known symbolic link (symlink) attacks while simultaneously preventing malicious users from creating symlink files.
→ With SecureLinks, you can prevent attacks by keeping malicious users from creating symlinks and hardlinks to files that they do not own.
→ It prevents malicious users from creating symbolic link files.
→ Enhances the security level of the server from symlink attacks.

6. Disable Ping Request

A ping is a ICMP (Internet Control Message Protocol) request, and it should disable to avoid “Ping of Death” and “Ping Flood” attacks.

Ping of Death

Ping of Death is a denial of service attack caused by an attacker deliberately sending an IP packet larger than allowed by IP protocol.

As a result, many operating systems do not know what to do when they receive oversized packets, the machine will be frozen, crashed or rebooted.

Ping Flood

Ping Flood is a simple denial-of-service attack where the attacker overwhelms the victim with the ICMP packets in hopes that the victim will respond with ICMP reply packed thus consuming both incoming and outgoing bandwidth.

If the target machine is slower, it is possible to consume its CPU cycles creating a noticeable slowdown in the system’s processing capabilities.

To disable ping response, run following command as a root user:
echo “1” > /proc/sys/net/ipv4/icmp_echo_ignore_all

echo “1” > /proc/sys/net/ipv4/icmp_echo_ignore_all

To disable ping response using IPtables firewall, run following command as a root user:

iptables -A INPUT -p icmp -j DROP

7. Configure Host Access Control

In certain instances you might want to allow specific services to one IP only. In order to accomplish this goal, all you need to do is properly configure your Host Access Control, which allows you to create rules approving or denying server access based on the IP address of the user.

Denying all connections and only allowing the connections which you wish to proceed is the most secure practice for increasing the security of your server against brute force attacks over specific ports.

In order to configure a rule with Host Access Control, you will need three things.

  1. The service for which you want to create a rule
  2. The IP address for which you want to allow or deny privileges
  3. And the action you want to be taken (e.g. Allow or Deny)

To setup rules in Host Access Control, login to your WHM, navigate to Security Center → Host Access Control.

Following is an example of locking down SSH service:

Daemon Access List Action Comment
sshd 192.168.3.152 allow Allow local SSH access
sshd 1xx.6x.2xx.2xx allow Allow SSH from my specific IP
sshd ALL deny Deny access from all other IPs

Note: The rules have an order of precedence. You will have to put ‘allow’ rules before ‘deny’ rules if you are choosing to use the allow from a few, then deny from all technique.

8. Setup Mod_Security

In 2017, more than 70% of all malicious server attacks are executed at the web application level.
In order to mitigate the risk associated with your specific server, it is an industry best practice to deploy a WAF or Web Applications Firewall to increase external security and detect/prevent attacks before they reach web applications.

ModSecurity is one of the oldest and most popular Web Applications Firewalls around and is designed to prevent:

  1. SQL Injection
  2. iFrame attacks
  3. Webshell/Backdoor Detection
  4. Botnet Attack Detection
  5. HTTP Denial of Service (DoS) Attacks

Installing mod_security is can be done within a few minutes with few changes to existing infrastructure.

You can enable it from Easy Apache configuration.

To create Mod_Security rules go to ModSeurity Tools and click on Rules List.

In the new windows, it will display all the rules. You can click on Add Rule, to create new rules. Please note that you will need to Restart Apache to deploy new rules.

To know more about ModSecurity Tools click here.

9. Scan Your System With RootKit Hunter

Rootkit Hunter or rkhunter is a UNIX based tool that scans for rootkits, backdoors, and possible local exploits.

It compares SHA-1 hashes of important files with the files located in online databases to ensure the files integrity.

It also searches for default rootkits directories, excessive permissions, hidden files, suspicious strings in kernel modules and a plethora of other things that have the potential to compromise your server’s security.

Installing RootKit Hunter

Change current working directory to the desired installation directory.

cd /usr/local/src

Download the rkhunter package using wget command.

wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.2.tar.gz

Unzip the downloaded rkhunter archive.

tar -zxvf rkhunter-1.4.2.tar.gz

Change the current working directory to the rkhunter directory. Make sure you replace the directory name with the actual directory name. In our case, it’s “rkhunter-1.4.2” which can be changed when new updates are released. 

cd rkhunter-1.4.2

Install the rkhunter package by executing the installation script.

./installer.sh --layout default --install

This will install the rkhuter tool in the server.

Configuring rkhunter

You can find configuration file of rkhunter at path /etc/rkhunter.conf. By changing the parameter values in this file, we can modify the properties of rkhunter to secure the server. To allow root login via SSH

ALLOW_SSH_ROOT_USER = yes

rkhunter installation directory

INSTALLDIR=/path/of/installation/directory

rkhunter Database directory

DBDIR=/var/lib/rkhunter/db

rkhunter script directory

SCRIPTDIR=/usr/local/lib64/rkhunter/scripts

rkhunter temporary directory

TMPDIR=/var/lib/rkhunter/tmp

Manual Scan With rkhunter

To run a manual scan with rkhunter run below command.

/usr/local/bin/rkhunter -c

By default, rkhunter runs in interactive mode. rkhunter performs a series of scans and after each set of scans, you’ll need to press Enter to continue the scan.

To skip interactive mode run, and scan all the set use below command. Note that -c is to check the local system and –sk is to skip key press.

/usr/local/bin/rkhunter -c -sk

To scan the entire file system run below command.

rkhunter --check

Scheduling Automatic Scans With Rkhunter

To create a scheduled automatic scan, create a script which executes rkhunter scan and emails the scan results.

If you want to run rkhunter scan daily, upload the script to /etc/cron.daily directory and to /etc/cron.weekly for weekly scans.

Open a file in an editor and write the below script to schedule it daily.

vi /etc/cron.daily/rkhunter.sh

Script to schedule daily scan

#!/bin/sh

(

/usr/local/bin/rkhunter --versioncheck

/usr/local/bin/rkhunter --update

/usr/local/bin/rkhunter --cronjob --report-warnings-only

) | /bin/mail -s 'rkhunter Daily Run (HostnameOfServer)' youremail@address

Note: Make sure you change HostnameOfServer and youremail@address with the actual server hostname and the Email address to which the notifications are to be sent in the script.

rkhunter Update & Options

To check the rkhunter current version.

/usr/local/bin/rkhunter --versioncheck

To update the rkhunter version.

/usr/local/bin/rkhunter --update

If the database files are updated, to check and save the updated values and properties.

/usr/local/bin/rkhunter --propupd

rkhunter logs stores all activities done and error encountered by the application. To check rkhunter logs.

/var/log/rkhunter.log

You can refer the other rkhunter options with.

/usr/local/bin/rkhunter --help

10. Scan Your System With Maldet

Maldet, also known as Linux Malware Detect (LMD) is a malware scanner for Linux systems that is designed to effectively detect php backdoors, darkmailers, and a number of other malicious files that might be present on compromised websites.

Installing Maldet

  1. SSH to the server and download the tar file.
    wget href="http://www.rfxn.com/downloads/maldetect-current.tar.gz">
  2. Extract the file.
    tar -xzf maldetect-current.tar.gz
  3. Go to the maldet folder.
    cd maldetect-*
  4. To install maldet, run the below command.
    sh ./install.sh

Use Maldet in Linux Server

You should always open a new screen session and run the scan as it may take hours to scan depending on the disk space usage of your system. To run a scan, use below command.

maldet -a /path/to/scan OR

maldet –scan-all /path/to/scan

You can also simply run the below command to scan the whole system

maldet -a /

Once the scan of the server is complete, you will get SCAN ID at the end. To view scanned report use below command. Note that you will need to replace SCAN ID with the actual ID.

maldet –report SCAN ID

Ex: maldet –report 062617-2220.1771

To Quarantine all malware results from a previous scan, run below command.

maldet -q SCAN ID

Ex. maldet -quarantine 062617-2220.1771

Automize Maldet

You can edit maldet configuration file conf.maldet to automize the processes like, 

  1. Set email_alert to 1 to send reports to the configured email account.
  2. In email_addr, set the email account on which you want to receive scan reports.
  3. Change quar_hits to 1 so that any malware found are moved to the directory ‘/usr/local/maldetect/quarantine‘ and you get a notification on the configured email address. 
  4. change quar_susp to 1, This will enable account suspension of cPanel users or set the shell access to ‘/bin/false‘ for non-cPanel users.

11. Setup Cron Job To Run ClamAV Daily

Since add, update, and delete actions occur rapidly with files residing on your server, it is of paramount importance to ensure that all new changes are safe and properly scanned with an anti-virus application.

You can use the ClamAV scanner cron job to run weekly scans that will automatically start during “Off-hours”.

Use the following command to run this cron.

for i in `awk '!/nobody/{print $2 | "sort | uniq" }' /etc/userdomains | sort | uniq`; do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/$i 2>>/dev/null; done >> /root/infections&

This command recursively searches the home directory for spam and infected files.

12. Disable Apache Header Information

Since your server signature contains information like Apache and OS versions it is important that you hide this information from prying public eyes using WHM Login.

  1. Once you are logged into WHM. Navigate to Service Configuration → Apache Configuration → Global Configuration.
  2. Set the following values.
    Server Signature = Off
    Server Tokens = Product only

13. Hide PHP Version Information

Like Apache headers, you shouldn’t also expose PHP version information. Here are the steps to hide this information.

  1. Once you are logged into WHM. Navigate to Service Configuration → PHP Configuration Editor.
  2. Set the following values.
    expose_php= "off"

14. Disable FTP & Use SFTP Instead

Although you wouldn’t guess it from their names, the FTP and SFTP protocols couldn’t be more different from one another.

With standard FTP, all data transmitted between the client and server is in plain text. This makes it possible for an eavesdropper to retrieve your confidential information including login credentials and otherwise “Private” messages.

Unlike standard FTP, SFTP (SSH File Transfer Protocol) encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the plain text over the network.

Click here for the steps to generate SSH Key and connect to the server via SFTP client.

If you just want to allow SFTP connection and disable plan FTP then follow below steps in WHM/cPanel.

  1. Login into your WHM/cPanel as root user.
  2. Navigate to FTP Server Configuration. In TLS Encryption Support change it to Required (Command) and click on Save button.

15. Securing cPanel and WHM Access

Force HTTPS URL to Access cPanel/WHM

To safeguard your cPanel or WHM login with an SSL based encryption, follow these two simple steps.

  1. Login to WHM and navigate Home → Server Configuration → Tweak Settings.
  2. Scroll right side to redirection tab and use the settings shown in below image.

Disabling cPanel-ID Login

A cPanel server allows two types of logins.

The first is the default/standard username and password login and the second is to login to the server with a cPanel ID.

A cPanel ID allows users to deploy a single username and password to gain access to a wide variety of cPanel services.

While this method is more than suitable for the organization who manage a large datacenter and frequently hire new technicians, if you only have a single server, you should disable it by using the following steps.

  1. Login to WHM and navigate to Home → Security Center → Manage External Authentication.
  2. Change the cPanel-ID login to disable as shown in below image.

Conclusion

By implementing these 15 easy tips to your VPS or dedicated server you will immediately reduce your vulnerability to attacks both internally and externally and boost your system’s security within a matter of hours.

And while these tips will reduce the number of threats to your server, they aren’t a cure all.

In order to optimize your system’s security, you need to do your due diligence and regularly update yourself on the most recent happenings in the server security world.

However, with only a few hours of research a month, you can stay on the cutting edge of cPanel security and ensure that you and your company will remain secure for years to come.

  • cpanel, whm, server security
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

How To Change cPanel Default Time Zone

The .htaccess file is a hidden text file within your hosting account that can be very powerful....

How To Restore a Home Directory Backup in cPanel

In this article I'm going to show you how to restore a partial home directory backup in cPanel....

How to Create a MySQL Database in cPanel

When you create a database, many users are unaware that there are several other items that you...

Install SSL certificates with cPanel SSL/TLS Manager

Enable SSL/TLS Manager in WHM for cPanel users Before using the SSL/TLS Manager as a cPanel...

5 Important Things to Consider When Choosing a Domain for Your Business or Website

When first setting up any website, one of the hardest — but most important — things to decide is...