1. Securing Apache and PHP
If you run a cPanel server and need to upgrade your Apache or PHP version, cPanel provides the EasyApache tool to make these updates a breeze. While it can be run from WHM, it is generally preferred to run it from the command line.
Starting EasyApache
As root, on the command line, run:
/scripts/easyapache
This will bring up an interactive menu. Unless you want to rebuild your Apache and PHP configuration from the ground up, leave the selection on Previously Saved Config, then use the Tab key and the arrow keys until you have selected Start customizing based on the profile.
Hit Enter to move to the next screen. Here you can choose which version of Apache you wish to run on your server. While EasyApache allows you to install versions of Apache that have reached end-of-life status, it is not recommended.
(OR)
Go to WHM and follow the steps mentioned below:
1. Log in to WHM and go to Software > choose EasyApache (Apache Update).
2. From here, select “Previously Saved Config” [to reuse your server’s current settings].
3. Click “Start customizing based on profile”.
4. Select the latest stable Apache version.
5. On the PHP Version page, select the latest stable release.
Note: When you choose the version of PHP you wish to change to, make sure that your site works with the new version.
6. You can select the most commonly used Apache and PHP modules.
7. If there is a module you wish to install that is not on this list, select Exhaustive Options List.
8. Otherwise, click Save and Build to begin.
Now, you must configure suPHP as the PHP handler. By enabling suPHP, the files created by PHP scripts will be owned by the website’s user account instead of the account running the Apache process. To enable suPHP:
1. Go to WHM >> Service Configuration >> suEXEC
2. Next change the PHP handler to suPHP and turn Apache suEXEC to ‘ON’ and finally click on "Save New Configuration".
To prevent PHP scripts from opening files outside of their home directory, it is recommended to enable "open_basedir". Follow the steps to enable:
1. Log into WHM > go to Security Center > PHP open_basedir Tweak.
2. Choose "Enable php open_basedir Protection" and finally click on "Save".
The Apache server should restart automatically once this is done.
To make sure that "open_basedir" works properly, create a file named "php.ini" under the "public_html" directory with the following content:
# su - root
This will prevent PHP scripts from accessing files located outside of the defined folders.
Finally, here are some recommended PHP settings that disable some PHP functions. Go to WHM > Service Configuration > PHP Configuration Editor and select “Advanced Mode”. Configure the following parameters:
register_globals: Off
Click on "Save". The new settings won’t take effect until you restart Apache, so go to "WHM > Restart Services > HTTP Server (Apache)".
2. Disabling Anonymous FTP Access
1. Login to WHM
2. Select FTP Server Configuration from Service Configuration
3. And now, set "Allow Anonymous Logins" and "Allow Anonymous Uploads" to "No".
3. Use a Strong Password
You can force your users to use more complex passwords by going to WHM > Security Center > Password Strength Configuration.
4. Securing SSH
SSH/Shell is the remote connectivity tool in Linux with which users can connect to the server remotely. It is most vulnerable to brute-force attacks, so always keep the SSH packages at the latest stable version. Other means to secure SSH are:
Setup Wheel User
With this setup, you can only log in to the server as a designated user. The idea behind this process is to disable root SSH login, create a new user, and add the new user or an existing user to the wheel user group, so that SSH will only connect as that user. Here are the steps.
Open the SSH config file
vi /etc/ssh/sshd_config
Set PermitRootLogin to ‘no’
PermitRootLogin no
Restart SSH
/etc/init.d/sshd restart
This will disable the root login. Please note that if you terminate the session now, you can’t log in as the "root" user, so keep the current session open until the wheel user is in place. Now create a new wheel user with:
adduser <wheel_user_name>
Adding a new user is not necessary: if you want an existing user to be the wheel user, you can skip the above step. Now go to WHM and add the user to the wheel user group.
WHM >> Security Center >> Manage Wheel Group Users >> Select the user and click ‘Add to Group’.
Now a wheel user is added, and you can only log in to SSH as that particular user. After logging in, you can switch to root.
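The steps above disable root login before the wheel user exists, so a check of both files is worth running before the session is closed. The following is an added example, not part of the original guide; the function names are illustrative, and it assumes the wheel user appears in the member list of the group file and that no Match blocks override the global setting.

```shell
# Added example: confirm that disabling root SSH login leaves a wheel user.

# Global PermitRootLogin value in sshd_config $1. sshd uses the first value it
# reads for a keyword and keywords are case-insensitive; parsing stops at the
# first Match block. The "Keyword=value" spelling is not handled here.
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Members of group "wheel" in group file $1 (name:pw:gid:member,member),
# one per line, with root left out.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# Print a verdict for sshd_config $1 and group file $2.
# Returns 1 when root login is off and wheel has no other member.
ssh_lockout_check() {
    prl=$(permit_root_login "$1")
    members=$(wheel_members "$2")
    if [ "$prl" != "no" ]; then
        echo "PermitRootLogin is '${prl:-unset}': root can still log in over SSH"
        return 0
    fi
    if [ -z "$members" ]; then
        echo "LOCKOUT RISK: root login disabled and wheel has no members"
        return 1
    fi
    echo "OK: root login disabled; wheel users: $(echo $members)"
}

# Run against real files when a path is given:
#   sh check.sh /etc/ssh/sshd_config /etc/group
if [ -n "${1:-}" ]; then ssh_lockout_check "$1" "${2:-/etc/group}"; fi
```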
5. Updating cPanel
The first thing you want to do is to make sure you have the latest version of cPanel running.
You can update cPanel via WHM:
Login to WHM > cPanel > Upgrade to Latest Version
You can also achieve the same thing using this command line:
# /scripts/upcp --force
6. Enable cPHulk
Login to WHM > Security Center > cPHulk Brute Force Protection and click on “Enable”.
7. Installing ClamAV Antivirus
ClamAV is available for cPanel servers as a plugin. Here’s how to enable it:
1. Log in to WHM > locate cPanel > select "Manage Plugins".
2. Select "Install and keep updated" next to ClamAV and click on "Save".
3. Once the ClamAV plugin installation is completed, reload your WHM control panel so that the menu is updated.
4. Click on WHM > Plugins > Configure ClamAV Scanner and from here select all four options.
5. Finally "Save".
8. Install a Firewall
To begin the install process follow the below-mentioned steps:
Download CSF package
wget https://download.configserver.com/csf.tgz
Extract the tar file
tar zxvf csf.tgz
Change directory to the CSF installation directory.
cd csf
Execute the install script for cPanel
./install.cpanel.sh
Start CSF service
/etc/init.d/csf start
Test the installation configuration (Assuming Perl is already installed)
perl /usr/local/csf/bin/csftest.pl
After testing, disable the test flag in CSF configuration
vi /etc/csf/csf.conf
Edit the flag ‘TESTING’ to ‘0’
TESTING = "0"
Restart CSF
/etc/init.d/csf restart
Now you should be able to access CSF via WHM >> Plugins >> ConfigServer Security & Firewall
Here are a few parameters to change:
Block every IP with more than 200 connections.
CT_LIMIT = "200"
Block those IPs permanently
CT_PERMANENT = "1"
Set the IP block time limit to 1800 secs
CT_BLOCK_TIME = "1800"
Set the connection tracking interval to 60 secs.
CT_INTERVAL = "60"
9. Disable Recursion In Bind
Enabling recursion in BIND may expose the server to DNS amplification attacks, lookups from DNS lookup websites, etc., so it is recommended to turn it off.
Open Bind configuration files
vi /etc/named.conf
Set ‘recursion’ to ‘no’
recursion no;
Restart Bind
service named restart
10. Update Rpms And Kernel With Yum Update
It is always advised to update the kernel and the rpm packages to the latest stable version to avoid vulnerabilities. This can be done easily with yum commands.
Clean yum repository
yum clean all
Update yum
yum update
11. SYSCTL Tweak
/etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. You can edit kernel, networking and other system parameters by editing the said file. Please note that you cannot do this in Virtualization environments.
Here are a few essential parameters.
Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Turn on execshield
kernel.exec-shield=1
kernel.randomize_va_space=1
Enable IP spoofing protection
net.ipv4.conf.all.rp_filter=1
Disable IP source routing
net.ipv4.conf.all.accept_source_route=0
Enable logging of spoofed packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Disable ICMP routing redirects
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv6.conf.all.send_redirects=0
Disable the magic-sysrq key
kernel.sysrq = 0
Disable tcp_sack
net.ipv4.tcp_sack = 0
These are the basic settings/modifications applicable in a cPanel server.
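As an added example (not part of the original guide), the script below compares a sysctl.conf-style file with the values listed in this section and reports every key that is missing or set differently. The function names are illustrative, and it checks the file's contents, not the running kernel.

```shell
# Added example: compare a sysctl.conf-style file with the values listed above.
# key=value pairs copied from this section's list.
RECOMMENDED='net.ipv4.tcp_syncookies=1
kernel.exec-shield=1
kernel.randomize_va_space=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.send_redirects=0
kernel.sysrq=0
net.ipv4.tcp_sack=0'

# Print the last value assigned to key $2 in file $1 (a later line overrides
# an earlier one); comment lines starting with # or ; are ignored.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { last = v; found = 1 }
        }
        END { if (found) print last }' "$1"
}

# Report each recommended key that is absent or set differently in file $1.
# Returns 0 only when the file matches the whole list.
audit_sysctl() {
    file=$1; findings=0
    for pair in $RECOMMENDED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"; findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "DIFFERS $key = $have (want $want)"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run against a real file when a path is given: sh audit.sh /etc/sysctl.conf
if [ -n "${1:-}" ]; then audit_sysctl "$1"; fi
```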
12. Checking Suspicious Files And Folders
Files and folders with full permissions, or without an owning user or group, are always suspicious because attackers can access them easily. So we need to find such files and check whether they are necessary.
Here is the command to check the world writable files and folders:
find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | grep -Ev '^/(proc|sys)/' > world_writable_files.txt
Command to find no owner files and folders is:
find / -nouser -o -nogroup >> no_owner_files.txt
Open ‘world_writable_files.txt’ and ‘no_owner_files.txt’ and check whether the files and folders listed in them are genuine. Remove any that look suspicious.
That's it. Implement these on your dedicated server or VPS to reduce the possibility of getting hacked.