Prevention is better than cure. Software security could be a complex subject if you have no idea which way to follow. Here’s a list of 7 useful tips to make sure you don’t compromise on your cPanel security and make it more secure.
An Overview of cPanel Security Tips
- Have Latest Version of cPanel
- Secure Password
- Secure SSH
- Secure Apache and PHP
- Enable Brute Force Protection
- Install Firewall
1. Keep cPanel Updated
If you don’t upgrade your cPanel to the latest version, the vulnerabilities increase. Therefore, make sure you have the latest version in-line.
Update cPanel: WHM > cPanel > Upgrade to Latest Version.
You can also update using this line: #/scripts/upcp –force
To escape these efforts, you can simply turn on the automatic updates. Go to WHM > Server Configuration > Update Preferences.
2. Secure Password
Something everybody knows today!
- Weak passwords > Hacked easily > Infect client sites or spread viruses
But how can you make sure your password is secure?
Edit “/etc/login.defs” file to configure password options on your system.
- Utilize at least 8 characters including alphanumeric and grammatical symbols.
- Avoid using significant dates and dictionary words.
- If you have issues, you can leverage “Password Generator tool” to have ideas.
- Go to “Tweak Settings” in “Server Configuration” and enable SSL to avoid any leak.
- Still uncertain about password security? Test it via JTR cracker or check password strength using pam_passwdqc.
3. Secure SSH
SSH or Secure Shell is a remote connectivity tool in Linux which helps users to log into a remote machine and execute commands. Therefore, if you don’t secure SSH, there are chances of attacks.
How can you secure SSH?
Update SSH packages to the latest stable version.
A. Setup Wheel User
When you are logged into root user, create a new user, you will then be asked a few questions.
Hit “Enter” once you are done with setting a password.
Add that user to the Wheel user group. If you want an existing user to be the wheel user, you can simply go to WHM > Security Center > Manage Wheel Group Users > Select the user and click “Add to Group”.
Now Disable Root User:
Open SSH config file > Set PermitRootLogin to ‘No’ > Restart SSH
Once you have terminated the session, you can’t log in as a Root user. To log in, use the new user you just created or the existing one.
B. Setup Key based Password-less login
Disable password authentication and allow SSH access only by key-based authentication.
Open SSH Config file (vi /etc/ssh/sshd_config) > Edit the Password Authentication to “no”
Password authentication in the server is disabled now. Generate SSH key in the host machine > ssh-keygen
If you hit ‘Enter’, the key will be placed in ‘/home/user/.ssh/id_rsa’ by default.
4. Secure Apache and PHP
In WHM, you should enable ModSecurity to secure Apache from attacks like code injection. Specific rules defined in the ModSecurity helps in blocking connection that doesn’t match the rules.
WHM > Plugins > ModSecurity
- Configure suEXEC for executing the CGI scripts and suPHP as the PHP handler. Enable suEXEC and suPHP by browsing to WHM > Service Configuration > suEXEC.
- Change the PHP handler to suPHP, turn Apache suEXEC to ‘On’ and ‘Save’ New Configuration.
- Enable PHP open_basedir protection: It prevents PHP scripts from files outside of its home directory.
- WHM > Security Center > PHP open_basedir Tweak > Enable PHP open_basedir Protection > Save.
Disable some of the PHP functions:
- WHM > Service Configuration > PHP Configuration Editor > Select Advanced mode > register_globals: Off
- The register_globals setting controls how you access server, form, and environment. If it is on, anything passed via GET or POST or COOKIE automatically appears to be the global variable in the code, this might have security consequences.
- Disable_functions: allow_url_fopen, proc_open, popen, phpinfo, exec, passthru, shell_exec, system, show_source.
“Save” the settings and restart Apache after this.
Important: Don’t forget latest versions for proper security.
5. Enable Brute-Force Protection
Brute-Force: Repeated hit and trial attempt to access the server.
When you set the value of Brute-Force protection, it ensures that repeated unsuccessful attempts to access the server from a given IP address will get that IP blocked.
To activate this feature: “CPHulk Brute-Force Protection > Security Center > Enable”
Under “IP Deny Manager” option, you can also block a particular IP address, domain name, or range of IP addresses from accessing a site managed by cPanel.
6. Enable Firewall
The most critical part of cPanel security is keeping Firewall enabled as it refuses all the unwanted connections to the server.
CSF is most commonly used as a firewall for cPanel and its easily manageable via WHM interface.
- Download CSF package
- Extract the tar file
tar zxvf csf.tgz
- Change the directory to the CSF installation directory
- Execute the install script for cPanel
- Start CSF service
- Test the installation configuration
- Disable the test flag in CSF configuration after doing the testing
- Restart CSF
Now, access CSF via WHM > Plugins > ConfigServer Security & Firewall
Change the following parameters:
- Block every IP with excessive connections [CT_LIMIT = “Put Number Here”]
- Block those IPs permanently [CT_PERMANENT = “1”]
- Set the IP time limit to 1800 secs [CT_BLOCK_TIME = “1800”]
- Set connection tracking interval to 60 secs [CT_INTERVAL = “60”]
7. Plugins for cPanel Security
Rootkit is a popular type of malware which is secretly installed on your server by intruders and allows 3rd party root access. It offers full control to the information that is on your machine or even passes through it. Install RKHunter helps to guard against this malware. This plugin scraps your machine and matches it against a database of known rootkits.
B. ConfigServer eXploit Scanner (cxs)
You can try ConfigServer eXploit Scanner, a tool that actively scans files as they are uploaded to the server. This can help prevent exploitation of an account by malware by moving suspicious files to quarantine before they become active or deleting them. Cxs will prevent files uploaded with the Gumblar Virus, PHP and Perl shell scripts.
Not to Miss these Points
- Keep a documentation: Noting every modification you have made will help you keep a track since there many users accessing cPanel.
- Backups: I can never underestimate backups. Keep a backup on another server so that if by any chance, your cPanel security is compromised, you can recover important files.
- Cloud Linux: If there are multiple sites run by multiple owners, go for Cloud Linux. For example, if you are on shared hosting site, make sure you ask your hosting provider for this. Or if you are already running on your server, go to your system administrator to know more about cloud Linux.
- Open Source scripts should be maintained.
- Configure SSL
- Monitoring should be configured
Compromising your cPanel security? Contact us for a free basic consultation with our experts!