Here are a few steps on how to secure a cPanel server.
1) Strong Server Passwords
If the passwords are not strong enough to withstand brute force, there is no point in securing the server by other means, because it is otherwise wide open to the world. So use long alphanumeric passwords that mix several character types. Online tools can check password strength and guide you to set a strong password.
2) Securing SSH
SSH (the shell) is the remote connectivity tool in Linux with which users connect to the server. Securing SSH is important to limit the attacks that come through it. Always update the SSH packages to the latest stable version. Other means to secure SSH are:
Setup Wheel User
With this setup you can log in to the server only as the desired user. The idea is to disable root SSH login, create a new user (or pick an existing one), and add that user to the wheel group, so that SSH connects only as that user. Here are the steps.
Open the SSH config file
nano /etc/ssh/sshd_config
Set PermitRootLogin to ‘no’
PermitRootLogin no
Restart SSH
/etc/init.d/sshd restart
This will disable root login. Please note that if you terminate the session now, you can’t log in as the root user. Now create a new wheel user with:
adduser <wheel_user_name>
Adding a new user is not necessary; if you want an existing user to be the wheel user, skip the step above. Now go to WHM and add the user to the wheel group.
WHM >> Security Center >> Manage Wheel Group Users >> Select the user and click ‘Add to Group’.
Now a wheel user is added, and you can log in over SSH only as that particular user; after logging in, you can switch to root.
Setup key-based passwordless login
The idea behind this is to disable password authentication and allow SSH access only by key-based authentication. For this, you need to generate an SSH key on the machine from which you connect to the server and add its public key to the server’s authorized keys.
Open SSH config file
nano /etc/ssh/sshd_config
Edit the PasswordAuthentication parameter to ‘no’
PasswordAuthentication no
This will disable password authentication on the server.
Generate an SSH key on the host machine (the system from which you connect to the server):
ssh-keygen
This will prompt for the file in which to save the generated key. If you hit ‘Enter’, the key will be placed in ‘/home/user/.ssh/id_rsa’ by default.
It will also ask for a passphrase, which is similar to a password but you only have to enter it once. You can refer to the screenshot below.
Once the key is generated, you have to add the public key to the authorized keys file on the server. For this, you can use SCP (replace the placeholders with your SSH port, user and server address):
scp -P <portnumber> ~/.ssh/id_rsa.pub <user>@<server_ip>:
SSH into the remote server; in the home directory of the SSH user you will see the file ‘id_rsa.pub’. Append the key from that file to ‘/root/.ssh/authorized_keys’:
cat id_rsa.pub >> /root/.ssh/authorized_keys
With this, you will be able to log in to the server without being prompted for a password, authenticated only by the key you added.
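As an added check that is not part of the original article, the script below reports the effective value of the two sshd_config keywords changed above: sshd honours the first occurrence of a keyword, so a distro default line left uncommented earlier in the file silently overrides a ‘no’ appended at the bottom. The sample config is constructed, and the function names are our own.

```sh
# Print the EFFECTIVE value of one sshd_config keyword (first match wins).
# Caveat: Include directives and Match blocks are not followed here.
sshd_effective() {
    # $1 = config file, $2 = keyword (keywords are case-insensitive in sshd)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        tolower($1) == key    { print $2; exit } # first occurrence is the one sshd uses
    ' "$1"
}

# Audit the two settings from this guide. Prints one line per keyword and
# returns 0 only when both carry the wanted value.
audit_sshd() {
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$cfg" "$key")
        [ -z "$got" ] && got="(unset, sshd default applies)"
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key = $got (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: "PermitRootLogin no" was appended at the end, but the
# active "PermitRootLogin yes" line above it was never commented out.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# sshd_config (constructed sample, not a real server's file)
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF

audit_sshd "$SAMPLE" || echo "sshd_config needs attention before restarting sshd"
```

Run it against /etc/ssh/sshd_config before restarting sshd; the FAIL line for PermitRootLogin shows why the sample edit would not take effect.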
3) Updating cPanel
Updating cPanel to the latest version is the best way to keep the system free of vulnerabilities and bugs, as cPanel releases bug fixes regularly.
You can update cPanel via WHM:
WHM >> cPanel >> Upgrade to Latest Version >> Click to upgrade
You can also do this via the command line:
/scripts/upcp --force
4) Tweaking cPanel And WHM Access
It is always best to use SSL-based encryption when you log in to cPanel and WHM. For this go to:
WHM >> Server Configuration >> Tweak Settings >> Redirection
Keep the settings as shown in the screenshot below.
Remember that these settings have to be applied only once in order to secure a cPanel server.
5) Enable cPHulk Brute Force Protection
cPHulk is a commonly used tool to protect the server from brute-force attacks. You can enable cPHulk via:
WHM >> Security Center >> cPHulk Brute Force Protection.
6) Apache And PHP Security Tweaks
You can enable ModSecurity in WHM to secure Apache from attacks such as code injection. Specific rules are defined in the ModSecurity configuration file and connections are blocked according to those rules. You can install ModSecurity via:
WHM >> Plugins >> Mod Security
Configure suPHP as the PHP handler and suEXEC to execute CGI scripts with the user’s privileges. You can enable suPHP and suEXEC via:
WHM >> Service Configuration >> suEXEC
Change the PHP handler to suPHP, turn Apache suEXEC to ‘On’ and click Save New Configuration.
You need to enable PHP open_basedir protection to prevent PHP scripts from accessing files outside their home directory. Go to:
WHM >> Security Center >> PHP open_basedir Tweak >> tick the ‘Enable PHP open_basedir Protection’ checkbox >> click Save.
You also need to tweak the PHP configuration to disable some of the PHP functions. Go to:
WHM >> Service Configuration >> PHP Configuration Editor >> Select Advanced mode
And set the following parameters (allow_url_fopen is an ini directive rather than a function, so it gets its own line instead of a place in disable_functions).
register_globals: Off
disable_functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen: Off
Then click ‘Save’.
Restart Apache after this tweak:
service httpd restart
7) Disable Compiler Access To Users Other Than Root
You can either disable compiler access for all users or enable it only for trusted users via:
WHM >> Security Center >> Compiler Access
8) Hardening /tmp
Mount the /tmp partition with the nosuid option: setuid bits are then ignored there, so anything executed from /tmp runs with the privileges of the user who runs it. cPanel/WHM has a custom script for this, which you can simply run from the command line:
/scripts/securetmp
9) Enable Firewall
Setting up a firewall is very important for security because it denies unwanted connections to the server. CSF (ConfigServer Security & Firewall) is a commonly used firewall; it is supported by cPanel and manageable through the WHM interface.
Download CSF package
wget https://download.configserver.com/csf.tgz
Extract the tar file
tar zxvf csf.tgz
Change directory to the CSF installation directory.
cd csf
Execute the install script for cPanel
./install.cpanel.sh
Start CSF service
/etc/init.d/csf start
Test the installation configuration (assuming Perl is already installed)
perl /usr/local/csf/bin/csftest.pl
After testing, disable the test flag in the CSF configuration
nano /etc/csf/csf.conf
Edit the flag ‘TESTING’ to ‘0’
TESTING = "0"
Restart CSF
/etc/init.d/csf restart
Now you should be able to access CSF via WHM >> Plugins >> ConfigServer Security & Firewall
Here are a few parameters to change:
Block every IP with more than 200 connections.
CT_LIMIT = "200"
Block those IPs permanently
CT_PERMANENT = "1"
Set the IP block time limit to 1800 secs
CT_BLOCK_TIME = "1800"
Set the connection tracking interval to 60 secs.
CT_INTERVAL = "60"
10) Install ClamAV
ClamAV is a cPanel plugin for protection against viruses and malware. You can install it via:
WHM >> Manage Plugins >> Tick ‘Install and keep updated’ checkbox in ClamAV and click ‘Save’
11) Install RKHunter For Protection Against Rootkits
RKHunter is an application that detects rootkits, backdoors and other exploits during its scan. You can install it via the command line:
Download the RKHunter package (the -O option saves it under the archive name the following steps expect, instead of the literal ‘download?use_mirror=iweb’ that wget would otherwise use)
wget -O rkhunter-1.4.0.tar.gz 'https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz/download?use_mirror=iweb'
Untar the package
tar -zxvf rkhunter-1.4.0.tar.gz
Change directory to the installation directory
cd rkhunter-1.4.0
Run the install script
./installer.sh --install
You can run the manual scan with the command:
rkhunter -c
Or, you may set up a cron job with the same command to run the scan periodically.
12) Checking Suspicious Files And Folders
Files and folders with full permissions, or without a valid owner or group, are always suspicious, as attackers can access them easily. So we need to find such files and check whether they are necessary.
Here is the command to check the world-writable files and folders:
find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | egrep -v '/(proc|sys)' > world_writable_files.txt
The command to find files and folders with no owner or group is:
find / \( -nouser -o -nogroup \) 2>/dev/null > no_owner_files.txt
Open the lists in ‘world_writable_files.txt’ and ‘no_owner_files.txt’ and check whether the files/folders are genuine. Remove them if they look suspicious.
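The same world-writable search as an added example (not the article’s own command), refined in two ways a reviewer of the list would want: world-writable directories that carry the sticky bit (mode 1777, such as /tmp) are reported separately because that is the expected shape of shared scratch space, and /proc and /sys are pruned instead of being filtered afterwards. The tree it scans is constructed in a temporary directory, and the function names are invented here.

```sh
# World-writable files and NON-sticky world-writable directories below $1,
# with /proc and /sys pruned. Pass "/" to scan a real server.
ww_findings() {
    root=${1%/}; [ -n "$root" ] || root=/
    case "$root" in /) pfx="" ;; *) pfx=$root ;; esac
    find "$root" \( -path "$pfx/proc" -o -path "$pfx/sys" \) -prune -o \
         \( -type f -o \( -type d ! -perm -1000 \) \) -perm -o+w -print 2>/dev/null
}

# World-writable directories that DO have the sticky bit: normally legitimate,
# but worth a glance to confirm they really are scratch directories.
ww_sticky_dirs() {
    find "$1" -type d -perm -1000 -perm -o+w -print 2>/dev/null
}

# Constructed sample tree standing in for a server filesystem.
umask 022
T=$(mktemp -d)
trap 'rm -rf "$T"' EXIT
mkdir -p "$T/home/site/public_html" "$T/tmp" "$T/var/cache" "$T/proc"
: > "$T/home/site/public_html/config.php"
chmod 0666 "$T/home/site/public_html/config.php"   # finding: world-writable file
: > "$T/home/site/public_html/index.php"
chmod 0644 "$T/home/site/public_html/index.php"    # fine: normal web file
chmod 1777 "$T/tmp"                                 # expected: sticky scratch dir
chmod 0777 "$T/var/cache"                           # finding: non-sticky 0777 dir
: > "$T/proc/fake"; chmod 0666 "$T/proc/fake"      # pruned, never reported

echo "== findings =="; ww_findings "$T" | sort
echo "== sticky world-writable dirs =="; ww_sticky_dirs "$T"
```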
13) Disable Recursion In BIND
Enabling recursion in BIND may lead to DNS amplification attacks, lookups from DNS lookup websites, etc. So it is recommended to turn it off.
Open the BIND configuration file
nano /etc/named.conf
Set ‘recursion’ to ‘no’ inside the options block (named.conf statements end with a semicolon)
recursion no;
Restart BIND
service named restart
14) Update RPMs And Kernel With Yum Update
It is always advised to update the kernel and the RPM packages to the latest stable versions to avoid vulnerabilities. This can be done easily with yum commands.
Clean the yum cache
yum clean all
Update the installed packages
yum update
15) Disable Anonymous FTP & Logins With Root
Attackers tend to upload malicious scripts as anonymous users, so it is advised to disable anonymous users. You can do it via:
WHM >> Service Configuration >> FTP Server Configuration
16) sysctl Tweaks
/etc/sysctl.conf is a text file containing sysctl values to be read and set by sysctl at boot time. You can change kernel, networking and other system parameters by editing this file. Please note that you cannot do this in virtualization environments.
Here are a few essential parameters.
Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Turn on ExecShield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
Enable logging of spoofed packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Disable ICMP routing redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.send_redirects = 0
Disable the magic-sysrq key
kernel.sysrq = 0
Disable tcp_sack
net.ipv4.tcp_sack = 0
These are the basic settings/modifications applicable to a cPanel server.
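An added check, not from the original article, that lists which keys in a sysctl.conf-style file differ from what the kernel reports, so you can confirm the settings above actually took effect after a reboot or ‘sysctl -p’. The snapshot file stands in for ‘sysctl -a’ output and is constructed for the example; the function name is our own.

```sh
# List keys in $1 (sysctl.conf syntax: "key = value", comments with #) whose
# current value differs. $2 is a saved `sysctl -a` dump, or "-" to query the
# running kernel with `sysctl -n`. Output is empty when nothing has drifted.
sysctl_drift() {
    want="$1"; have="$2"
    awk -F= '/^[ \t]*#/ || NF == 0 { next }
             { gsub(/[ \t]/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2); print $1 "=" $2 }' "$want" |
    while IFS='=' read -r key val; do
        if [ "$have" = "-" ]; then
            cur=$(sysctl -n "$key" 2>/dev/null) || cur="<missing>"   # key absent on this kernel
        else
            cur=$(awk -F= -v k="$key" '{ gsub(/[ \t]/, "", $1) }
                                        $1 == k { sub(/^[ \t]+/, "", $2); print $2; exit }' "$have")
            [ -n "$cur" ] || cur="<missing>"
        fi
        [ "$cur" = "$val" ] || printf '%s: have %s, want %s\n' "$key" "$cur" "$val"
    done
}

WANT=$(mktemp); HAVE=$(mktemp)
trap 'rm -f "$WANT" "$HAVE"' EXIT
cat > "$WANT" <<'EOF'
# Wanted values, taken from this section of the guide
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
kernel.sysrq = 0
EOF
# Constructed snapshot standing in for `sysctl -a` on a server that has not
# applied the file yet: rp_filter in loose mode, sysrq partly enabled, and
# log_martians missing from the dump entirely.
cat > "$HAVE" <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_source_route = 0
kernel.sysrq = 16
EOF

sysctl_drift "$WANT" "$HAVE"
# On the server itself, after "sysctl -p /etc/sysctl.conf":
#   sysctl_drift /etc/sysctl.conf -
```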
17) Keep Your Eyes Open
You are never safe as long as someone else can connect to your server in some way or on some port. So keep yourself updated about the latest threats, attacks, vulnerabilities and bugs, and apply patches immediately.
If you implement these recommendations on your dedicated server or VPS, you will have greatly reduced the possibility of getting hacked.
We hope you found this tutorial useful on how to secure a cPanel Server.