How To Secure A cPanel WHM Server?

1. Securing Apache and PHP 

If you run a cPanel server and need to upgrade your Apache or PHP version, cPanel provides the EasyApache tool to make these updates a breeze. While it can be run from WHM, it is generally preferred to run it from the command line.

Starting EasyApache

As root, on the command line, run:

/scripts/easyapache

This will bring up an interactive menu. Unless you want to rebuild your Apache and PHP configuration completely from the ground up, leave the selection on Previously Saved Config, then use the Tab key and the arrow keys to select Start customizing based on profile.

Hit Enter to move to the next screen. Here you can choose which version of Apache you wish to run on your server. While EasyApache allows you to install versions of Apache that have reached end-of-life status, this is not recommended.

(OR)

Go to WHM and follow the steps mentioned below:

1.  Log in to WHM, go to Software, and choose EasyApache (Apache Update).

2.  From here, select “Previously Saved Config” (to reuse your server’s current settings).

3.  Click “Start customizing based on profile”.

4.  Select the latest stable Apache version.

5.  On the PHP Version page, select the latest stable release.

Note: When you choose the version of PHP you wish to change to, make sure that your site works with the new version.

6.  You can select the most commonly used Apache and PHP modules.

7.  If there is a module you wish to install that is not on this list, select Exhaustive Options List.

8.  Otherwise, click Save and Build to begin.


Now, you must configure suPHP as the PHP handler. By enabling suPHP, the files created by PHP scripts will be owned by the website’s user account instead of the account running the Apache process. To enable suPHP:

1. Go to WHM >> Service Configuration >> suEXEC.

2. Next, change the PHP handler to suPHP, turn Apache suEXEC to ‘ON’, and finally click on "Save New Configuration".


To prevent PHP scripts from opening files outside of their home directory, it is recommended to enable "open_basedir". To enable it:

1. Log in to WHM and go to Security Center > PHP open_basedir Tweak.

2. Choose "Enable php open_basedir Protection" and finally click on "Save".

The Apache server should restart automatically once this is done.

To make sure that "open_basedir" works properly, create a file named "php.ini" under the "public_html" directory with the following content:

# su - root

This will prevent PHP scripts from accessing files located outside of the defined folders.

Finally, here are some recommended PHP settings that disable some of the PHP functions. Go to WHM > Service Configuration > PHP Configuration Editor and select “Advanced Mode”. Configure the following parameters:

register_globals: Off

Click on "Save". The new settings won’t take effect until you restart Apache, so go to "WHM > Restart Services > HTTP Server (Apache)".

2. Disabling Anonymous FTP Access

To prevent anonymous users from uploading files to your server, perform the following:

1. Log in to WHM.
2. Select FTP Server Configuration from Service Configuration.
3. Set "Allow Anonymous Logins" and "Allow Anonymous Uploads" to "No".


3. Use a Strong Password

You can force your users to use more complex passwords by going to WHM > Security Center > Password Strength Configuration. 

4. Securing SSH 

SSH/Shell is the remote connectivity tool in Linux with which users can connect to the server remotely. It is most vulnerable to Brute Force Attacks. So, always keep the SSH packages to the latest stable version. Other means to secure SSH are:

Setup Wheel User

With this setup, you can only log in to the server as a designated user. The idea behind this process is to disable root SSH login and add a new or existing user to the wheel user group, so that SSH will only connect as that user. Here are the steps.

Open the SSH config file

vi /etc/ssh/sshd_config

Set PermitRootLogin to ‘no’

PermitRootLogin no

Restart SSH

/etc/init.d/sshd restart

This will disable root login. Please note that if you terminate the session now, you can’t log in as the "root" user. Now, create a new wheel user with:

adduser <wheel_user_name>

Adding a new user is not necessary: if you want an existing user to be the wheel user, you can skip the above step. Now go to WHM and add the user to the wheel user group.

WHM >> Security Center >> Manage Wheel Group Users >> Select the user and click ‘Add to Group’.

Now a wheel user has been added. You can only log in over SSH as that particular user, and after logging in you can switch to root.
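A pre-flight check for the steps above, as an added example that is not part of the original article: it reads the effective PermitRootLogin value from an sshd_config file and confirms the wheel group has a member to log in as. The function names and the sample files are constructed for illustration; on a server, pass /etc/ssh/sshd_config and /etc/group.

```shell
#!/bin/sh
# Added example: pre-flight check before relying on a root-less SSH setup.
# Function names and the sample files below are constructed for illustration.

# Print the effective global PermitRootLogin value. sshd uses the first
# occurrence of a keyword; parsing stops at the first (conditional) Match block.
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print the members of the wheel group from a group(5)-format file
# (supplementary members, i.e. the 4th field), one per line.
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Return 0 if root login is off and a wheel user exists, 1 if the wheel
# group is empty (lockout risk), 2 if root can still log in.
ssh_lockout_check() {
    cfg=$1 grp=$2
    value=$(effective_root_login "$cfg")
    count=$(wheel_members "$grp" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "FAIL: wheel group is empty; with root login off nobody can become root"
        return 1
    fi
    if [ "$value" != "no" ]; then
        echo "WARN: PermitRootLogin is '$value', root can still log in over SSH"
        return 2
    fi
    echo "OK: root login disabled, $count wheel user(s) available"
}

# Constructed sample input so the example runs offline.
DEMO_DIR=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'PermitRootLogin no' \
    > "$DEMO_DIR/sshd_config"
printf '%s\n' 'root:x:0:' 'wheel:x:10:admin1' > "$DEMO_DIR/group"
printf '%s\n' 'root:x:0:' 'wheel:x:10:' > "$DEMO_DIR/group_empty"

ssh_lockout_check "$DEMO_DIR/sshd_config" "$DEMO_DIR/group" || true
ssh_lockout_check "$DEMO_DIR/sshd_config" "$DEMO_DIR/group_empty" || true
```

Run the check from a second SSH session before closing the one you used to edit sshd_config.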

5. Updating cPanel

The first thing you want to do is to make sure you have the latest version of cPanel running.

You can update cPanel via WHM:

Log in to WHM > cPanel > Upgrade to Latest Version

You can also achieve the same thing from the command line:

# /scripts/upcp --force


6. Enable cPHulk

This protects your web servers from brute-force attacks by blocking suspect IP addresses for a predetermined period. To enable it, log in to WHM > Security Center > cPHulk Brute Force Protection and click on “Enable”.


7. Installing ClamAV Antivirus 

ClamAV is available for cPanel servers as a plugin. Here’s how to enable it:

1. Log in to WHM, locate cPanel, and select "Manage Plugins".
2. Select "Install and keep updated" next to ClamAV and click on "Save".
3. Once the ClamAV plugin installation is completed, reload your WHM control panel so that the menu is updated.
4. Click on WHM > Plugins > Configure ClamAV Scanner and from here select all four options.
5. Finally, click "Save".


8. Install a Firewall

One of the most popular firewalls for cPanel servers is ConfigServer Security and Firewall (CSF).

To begin the install process, follow the steps below:

Download CSF package

wget https://download.configserver.com/csf.tgz

Extract the tar file

tar zxvf csf.tgz

Change directory to the CSF installation directory.

cd csf

Execute the install script for cPanel

./install.cpanel.sh

Start CSF service

/etc/init.d/csf start

Test the installation configuration (Assuming Perl is already installed)

perl /usr/local/csf/bin/csftest.pl

After testing, disable the test flag in CSF configuration

vi /etc/csf/csf.conf

Edit the flag ‘TESTING’ to ‘0’

TESTING = "0"

Restart CSF

/etc/init.d/csf restart

Now you should be able to access CSF via WHM >> Plugins >> ConfigServer Security & Firewall

Here are a few parameters to change:

Block every IP with more than 200 connections.

CT_LIMIT = "200"

Block those IPs permanently

CT_PERMANENT = "1"

Set the IP block time limit to 1800 secs

CT_BLOCK_TIME = "1800"

Set the connection tracking interval to 60 secs.

CT_INTERVAL = "60"

9. Disable Recursion In Bind

Enabling recursion in Bind may lead to DNS amplification attacks, lookups from DNS lookup websites, etc., so it is recommended to turn it off.

Open Bind configuration files

vi /etc/named.conf

Set ‘recursion’ to ‘no’

recursion no;

Restart Bind

service named restart


10. Update Rpms And Kernel With Yum Update

It is always advised to update the kernel and the rpm packages to the latest stable version to avoid vulnerabilities. This can be done easily with yum commands.

Clean yum repository

yum clean all

Update yum

yum update


11. SYSCTL Tweak

/etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. You can change kernel, networking and other system parameters by editing this file. Please note that you cannot do this in virtualization environments.

Here are a few essential parameters.

Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

Turn on execshield

kernel.exec-shield=1
kernel.randomize_va_space=1

Enable IP spoofing protection

net.ipv4.conf.all.rp_filter=1

Disable IP source routing

net.ipv4.conf.all.accept_source_route=0

Enable logging of spoofed packets

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Disable ICMP routing redirects

net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.send_redirects=0

Disable the magic-sysrq key

kernel.sysrq = 0

Disable tcp_sack

net.ipv4.tcp_sack = 0

These are the basic settings/modifications applicable in a cPanel server.
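To confirm that a sysctl.conf file actually carries the values listed above, the following added example (not part of the original article) compares a file against a subset of them and reports anything missing or different. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against values from this
# article. Function names and the sample file are constructed.

# Settings taken from the article, one "key=value" per line.
RECOMMENDED='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
kernel.sysrq=0'

# Print the value a file assigns to a key. Later lines override earlier
# ones, comments (# or ;) are skipped, spaces around "=" are ignored.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) last = v }
        END { print last }
    ' "$1"
}

# Print one line per deviation; return 1 if any setting is missing or differs.
audit_sysctl() {
    bad=0
    for pair in $RECOMMENDED; do
        key=${pair%%=*} want=${pair#*=}
        have=$(conf_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; bad=1
        elif [ "$have" != "$want" ]; then
            echo "DIFF $key = $have (want $want)"; bad=1
        fi
    done
    return $bad
}

# Constructed sample file so the example runs offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real server's config
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
EOF
audit_sysctl "$SAMPLE" || true
```

To audit the running kernel instead of a file, read each value with `sysctl -n "$key"` in place of conf_value.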


12. Checking Suspicious Files And Folders

Files and folders with full permissions, or without a user and/or group, are always suspicious, as attackers can access them easily. So we need to find such files and check whether they are necessary.

Here is the command to check the world writable files and folders:

find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | egrep -v '/(proc|sys)' > world_writable_files.txt

The command to find files and folders with no owner is:

find / -nouser -o -nogroup >> no_owner_files.txt

Open ‘world_writable_files.txt’ and ‘no_owner_files.txt’ and check whether the listed files and folders are genuine. Remove any that look suspicious.
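The world-writable list usually includes shared temp directories such as /tmp, which are world-writable on purpose and protected by the sticky bit. The following added example (not part of the original article) separates those from the entries that need review; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage of world-writable paths. Function names and the
# sample tree are constructed for illustration.

# Print "CLASS path" for every world-writable file or directory under $1.
# -xdev keeps find on one filesystem, so run it once per mounted filesystem.
#   FILE        world-writable regular file
#   DIR-OPEN    world-writable directory without the sticky bit
#   DIR-STICKY  world-writable directory with the sticky bit (like /tmp)
classify_world_writable() {
    {
        find "$1" -xdev -type f -perm -0002 | sed 's/^/FILE /'
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/DIR-OPEN /'
        find "$1" -xdev -type d -perm -1002 | sed 's/^/DIR-STICKY /'
    } | sort
}

# Only FILE and DIR-OPEN need review: any user can replace or delete
# entries in a DIR-OPEN directory, while the sticky bit restricts deletion
# to the owner of each entry.
needs_review() {
    classify_world_writable "$1" | sed '/^DIR-STICKY /d'
}

# Constructed sample tree so the example runs offline.
TREE=$(mktemp -d)
mkdir "$TREE/uploads" "$TREE/tmp" "$TREE/site"
touch "$TREE/site/config.php" "$TREE/site/index.php"
chmod 777 "$TREE/uploads"
chmod 1777 "$TREE/tmp"
chmod 755 "$TREE/site"
chmod 666 "$TREE/site/config.php"
chmod 644 "$TREE/site/index.php"

needs_review "$TREE"
```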


That's it. Implement these on your dedicated server or VPS to reduce the possibility of getting hacked.
