15 Easy Tips For Securing a cPanel Server

Imagine you’ve just launched your new website using cPanel, one of the most popular tools for managing websites. You’ve spent countless hours making sure everything looks great and works perfectly. Your site is finally live, and visitors are starting to check it out. But then, something goes wrong—a security breach. Suddenly, all your hard work is in danger. Secure your cPanel server to keep your site safe and protect all your hard work.

Securing your server isn’t just optional; it’s essential. With hackers and cyber threats becoming more advanced, an unsecured server is a risk. However, securing your server doesn’t need to be complex. In this guide, we’ll share 15 straightforward tips to help you protect your website, safeguard your data, and ensure peace of mind. Let’s dive in and make sure your server is as secure as possible.

Tips for Enhancing the Security of Your cPanel Server:

1. Securing SSH

SSH allows remote users to run commands and access the operating system over an unsecured network. While it’s common for administrators to have SSH access, not all users in your organization should. In some cases, it’s best to turn off SSH to enhance security.

If you need SSH enabled on your server, here are some tips to make it more secure:

  • Use WebHost Manager (WHM) to create SSH keys for the root user and turn off password authentication in the WHM Password Authorization Tweak settings.
  • Edit the /etc/ssh/sshd_config file to adjust settings like the SSH port, protocol, ListenAddress, and PermitRootLogin. The cPanel website provides recommended values for these settings. Consider using a different port than the standard port 22.

Here are the steps to change the SSH port.

  1. Login to your server via SSH.
  2. Edit the SSH configuration file, which is located at /etc/ssh/sshd_config, by issuing the following command:
    nano /etc/ssh/sshd_config
  3. Set a random port for the SSH connection on the following line.
    Original: Port 22
    New line: Port 2468
  4. Now, restart the SSH service by executing the following command:
    service sshd restart

Before restarting, make sure your firewall (for example CSF, see tip 3) allows the new port, and keep your current session open until a fresh connection on the new port has succeeded; otherwise you can lock yourself out of the server.

Disable Root Login

To add an additional layer of security and further strengthen your SSH, you can disable the root user and create a separate user to access the server.

Here is how:

  1. Login to your server via SSH. Before disabling root login, we will create a user to access the server:
    adduser new_username_name
    passwd new_username_name
  2. You will be asked to set a password for this new user. Ensure that the password is as strong as possible (at least 10 characters with several numbers and symbols) and then add the new user in a wheel group granting it access to the server by using the following line of code.
    # usermod -aG wheel new_username_name
  3. Now, disable the root user. Edit the SSH configuration file which is located at /etc/ssh/sshd_config.
    nano /etc/ssh/sshd_config
  4. Change the line: “PermitRootLogin yes” to “PermitRootLogin no”
  5. Now, restart SSH service by executing following command.
    service sshd restart

Disable SSH V1

With the inception of SSHv2 making its predecessor SSHv1 all but obsolete, it is highly recommended that you disable the less secure and outdated SSHv1 to improve your server’s security. Note that OpenSSH 7.4 and later no longer contain SSHv1 server support at all, so on a current server the Protocol line may already be absent and is ignored.

  1. Login to your server via SSH and edit the SSH configuration file, which is located at /etc/ssh/sshd_config.
  2. Uncomment the following line:
    Protocol 2,1
  3. And change it to:
    Protocol 2
  4. Now, restart the SSH service by executing the following command:
    # service sshd restart
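As an added check (not part of the original article), the POSIX shell script below audits an sshd_config against the settings recommended in tip 1 and its sub-sections and reports anything still at a weak value. It reads a single file (Include directives are not followed) and, like sshd, uses the first active occurrence of a keyword and ignores settings inside Match blocks.

```shell
#!/bin/sh
# Added example: audit sshd_config for the hardening settings in tip 1.
# sshd honours the FIRST active occurrence of a keyword and global settings
# end at the first "Match" block, so the lookup below does the same.
# Assumption: Include directives are not followed (single file only).

# effective_value FILE KEYWORD -> first active value, or nothing if unset
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments, blanks
        tolower($1) == "match"      { exit }          # end of global section
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE -> prints one FAIL line per weak setting and
# returns the number of findings (0 means every check passed)
audit_sshd_config() {
    cfg="$1"; findings=0

    port=$(effective_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL: Port is ${port:-22 (default)}; move SSH off port 22"
        findings=$((findings + 1))
    fi

    root=$(lower "$(effective_value "$cfg" PermitRootLogin)")
    if [ "$root" != "no" ]; then
        echo "FAIL: PermitRootLogin is ${root:-unset (default still permits root)}; set it to no"
        findings=$((findings + 1))
    fi

    pw=$(lower "$(effective_value "$cfg" PasswordAuthentication)")
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is ${pw:-unset (passwords allowed)}; use keys only"
        findings=$((findings + 1))
    fi

    # Protocol is absent on modern OpenSSH (SSHv1 removed), which is fine;
    # anything other than a bare "2" still offers the obsolete protocol
    proto=$(effective_value "$cfg" Protocol)
    case "$proto" in
        ""|2) ;;
        *) echo "FAIL: Protocol is $proto; SSHv1 must not be offered"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample (not a real server config): the port line is commented
# out, SSHv1 is still enabled and root login is on -> three findings
sample=$(mktemp)
printf '%s\n' '# Port 2468' 'Protocol 2,1' 'PermitRootLogin yes' \
              'PasswordAuthentication no' > "$sample"
audit_sshd_config "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as audit_sshd_config /etc/ssh/sshd_config after editing; a non-zero exit status makes it usable from a cron job or a CSF-style periodic check.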

2. Enabling cPHulk Protection

A brute force attack is a hacking method that relies on an automated system to guess the password to your web server.

cPHulk is an easy-to-use service that will protect your server against most brute force attacks.

To enable cPHulk, login to WHM → Security Center → cPHulk Brute Force Protection and click on Enable.

You can now set custom rules based on the cPanel username, IP address and other parameters.

Once a set number of failed login attempts has been reached, cPHulk will block any further attempts from the IP address being used.

Note: If you have a static IP then it is highly recommended that you add it to the Whitelist Management so that you do not lock yourself out of your server.

3. Setup ConfigServer Firewall (CSF)

CSF (ConfigServer Security and Firewall) is one of the most popular firewalls for cPanel servers.

Not only does it act as a Firewall by scanning various authentication log files but it also scans your server on a regular basis and gives you personalized recommendations for improving your server’s security.

In addition to its primary features, CSF also gives you access to a number of useful features like “View System Logs”, IPTables logs, lfd (Login Failure Daemon) statistics and much more.

Installing ConfigServer Firewall

It is quite easy to install CSF in your server with cPanel. Please refer to our step by step guide on How to Install ConfigServer Firewall to cPanel/WHM?

Once you have followed the directions in our aforementioned guide, you can manage CSF directly from WHM.

To do so, login to your WHM, navigate to Plugins → ConfigServer Security & Firewall.

Here you will be presented with a number of options and measures that you can use to tighten up your security even further.

4. Setup ClamAV Antivirus

While Linux servers have a more “natural” resilience to viruses than their Windows based counterparts, it is still considered wise to install an additional antivirus application.

ClamAV, which is easy to install as a plugin on your server, is one of the most popular open source antivirus plugins for cPanel servers and allows individual users to scan their home directory and emails for potentially malicious files.

Again, for the sake of brevity, please refer to our step-by-step guide How to Install ClamAV plugin from WHM.

Once ClamAV is installed, you can scan any particular cPanel account with cPanel user level access. Here is our guide on How to run ClamAV virus scan from cPanel.

5. Switch to CloudLinux

CloudLinux, a paid replacement for the free CentOS, is regarded as one of the most secure operating systems for cPanel servers.

With CloudLinux, you can increase the server density and stability by keeping cPanel accounts isolated from one another.

It accomplishes this feat by using LVE (Lightweight Virtualized Environment) which limits server resources like processing, memory, and connections for each user, thus ensuring that a single user cannot put the server stability at risk and cause all sites to slow down.

The OS “cages” users from one another to avoid any security breaches. An unstable or compromised script, or malware, cannot be spread across the server from a compromised account.

The following are the major security features of CloudLinux OS:

  1. CageFS
  2. HardenedPHP
  3. SecureLinks

CageFS

CageFS encapsulates each user, preventing users from seeing each other and reading sensitive information. It also prevents a large number of attacks including most of the privilege escalation and information disclosure attacks.

→ With CageFS, users have access to safe files only.
→ Users cannot see server configuration files such as the Apache config files.
→ Users cannot view other users and have no way to detect the presence of other users.
→ Users cannot see the processes of other users.

HardenedPHP

Old PHP versions such as 5.2, 5.3 and 5.4, while still widely used, have vulnerabilities that are no longer patched by the PHP.net community.
The HardenedPHP in CloudLinux fixes those vulnerabilities and secures the old and unsupported versions.

→ It ensures the application and server are secured by patching all PHP versions.
→ It provides security and flexibility to all users.
→ It increases customer retention by not forcing upgrades to a newer PHP version.
→ It offers a choice between multiple PHP versions installed on the same web server through the PHP Selector option.

SecureLinks

SecureLinks is a kernel-level technology which strengthens the server by preventing all known symbolic link (symlink) attacks while simultaneously preventing malicious users from creating symlink files.

→ With SecureLinks, you can prevent attacks by keeping malicious users from creating symlinks and hardlinks to files that they do not own.
→ It prevents malicious users from creating symbolic link files.
→ It enhances the security of the server against symlink attacks.

6. Disable Ping Request

A ping is an ICMP (Internet Control Message Protocol) echo request, and responses to it should be disabled to avoid “Ping of Death” and “Ping Flood” attacks.

Ping of Death

Ping of Death is a denial of service attack in which an attacker deliberately sends an IP packet larger than the IP protocol allows.

Many operating systems do not know what to do when they receive such oversized packets; the machine may freeze, crash or reboot.

Ping Flood

A ping flood overwhelms a host with a very high rate of ICMP echo requests, so that it spends its bandwidth and CPU time answering them instead of serving legitimate traffic.

If the target machine is slower, it is possible to consume its CPU cycles creating a noticeable slowdown in the system’s processing capabilities.

To disable the ping response, run the following command as the root user:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

This takes effect immediately but does not survive a reboot; to make it persistent, set net.ipv4.icmp_echo_ignore_all = 1 in /etc/sysctl.conf.

To drop ping requests with the iptables firewall instead, run the following command as the root user. As written, it drops all ICMP, including the error messages that path MTU discovery relies on, so consider restricting it to echo requests with --icmp-type echo-request:
iptables -A INPUT -p icmp -j DROP

7. Configure Host Access Control

Sometimes, you need to allow certain services for only specific IP addresses. To do this, you should set up Host Access Control properly. This lets you create rules to allow or block access based on the user’s IP address. You should block all connections by default and only permit the ones you want. This is a very secure way to protect your server from brute force attacks on specific ports.

To set up a rule with Host Access Control, you’ll need:

  1. The service you want to create a rule for
  2. The IP address you want to allow or block
  3. The action you want to take, such as Allow or Deny

To set up rules in Host Access Control, login to your WHM and navigate to Security Center → Host Access Control.

Following is an example of locking down SSH service:

Daemon   Access List      Action   Comment
sshd     192.168.3.152    allow    Allow local SSH access
sshd     1xx.6x.2xx.2xx   allow    Allow SSH from my specific IP
sshd     ALL              deny     Deny access from all other IPs

Note: The rules have an order of precedence. You will have to put ‘allow’ rules before ‘deny’ rules if you are choosing to use the allow from a few, then deny from all technique.

8. Setup Mod_Security

In 2017, more than 70% of all malicious server attacks were executed at the web application level.
In order to mitigate the risk to your specific server, it is an industry best practice to deploy a WAF, or Web Application Firewall, to increase external security and detect/prevent attacks before they reach web applications.

ModSecurity is one of the oldest and most popular Web Application Firewalls around and is designed to prevent:

  1. SQL Injection
  2. iFrame attacks
  3. Webshell/Backdoor Detection
  4. Botnet Attack Detection
  5. HTTP Denial of Service (DoS) Attacks

Installing mod_security can be done within a few minutes with few changes to your existing infrastructure.

You can enable it from the EasyApache configuration.

To create ModSecurity rules, go to ModSecurity Tools and click on Rules List.

The new window displays all the rules. Click on Add Rule to create new rules. Please note that you will need to restart Apache to deploy new rules.


9. Scan Your System With RootKit Hunter

Rootkit Hunter, or rkhunter, is a UNIX-based tool that scans for rootkits, backdoors, and possible local exploits.

It compares SHA-1 hashes of important files with the files located in online databases to ensure file integrity.

It also searches for default rootkits directories, excessive permissions, hidden files, suspicious strings in kernel modules and a plethora of other things that have the potential to compromise your server’s security.

Installing RootKit Hunter

Change the current working directory to the desired installation directory:
cd /usr/local/src
Download the rkhunter package using the wget command:
wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.4.2.tar.gz
Unpack the downloaded rkhunter archive:
tar -zxvf rkhunter-1.4.2.tar.gz
Change the current working directory to the rkhunter directory. Make sure you replace the directory name with the actual directory name. In our case, it’s “rkhunter-1.4.2”, which changes when new updates are released.
cd rkhunter-1.4.2
Install the rkhunter package by executing the installation script:
./installer.sh --layout default --install
This will install the rkhunter tool on the server.

Configuring rkhunter

You can find the rkhunter configuration file at /etc/rkhunter.conf. By changing the parameter values in this file, we can modify the properties of rkhunter to secure the server.

Whether rkhunter should expect root login via SSH to be allowed. This must match the PermitRootLogin value in sshd_config, so set it to no if you disabled root login as described under tip 1; otherwise every scan reports a warning.
ALLOW_SSH_ROOT_USER = yes
rkhunter installation directory:
INSTALLDIR=/path/of/installation/directory
rkhunter database directory:
DBDIR=/var/lib/rkhunter/db
rkhunter script directory:
SCRIPTDIR=/usr/local/lib64/rkhunter/scripts
rkhunter temporary directory:
TMPDIR=/var/lib/rkhunter/tmp

Manual Scan With rkhunter

To run a manual scan with rkhunter, run the command below:
/usr/local/bin/rkhunter -c
By default, rkhunter runs in interactive mode: it performs a series of checks, and after each set of checks you need to press Enter to continue the scan.

To skip interactive mode and run all the checks in one go, use the command below. Note that -c checks the local system and --sk skips the key press.
/usr/local/bin/rkhunter -c --sk
--check is the long form of the same -c option:
rkhunter --check

Scheduling Automatic Scans With Rkhunter

To create a scheduled automatic scan, create a script which executes rkhunter scan and emails the scan results.

If you want to run rkhunter scan daily, upload the script to /etc/cron.daily directory and to /etc/cron.weekly for weekly scans.

Open a file in an editor and write the script below to schedule it daily:
vi /etc/cron.daily/rkhunter.sh
Script to schedule a daily scan:

#!/bin/sh
(
/usr/local/bin/rkhunter --versioncheck
/usr/local/bin/rkhunter --update
/usr/local/bin/rkhunter --cronjob --report-warnings-only
) | /bin/mail -s 'rkhunter Daily Run (HostnameOfServer)' youremail@address

Note: Make sure you replace HostnameOfServer and youremail@address in the script with the actual server hostname and the email address to which the notifications are to be sent, and make the script executable (chmod +x /etc/cron.daily/rkhunter.sh); cron only runs executable files from that directory.

rkhunter Update & Options

To check the current rkhunter version:
/usr/local/bin/rkhunter --versioncheck
To update the rkhunter data files (this does not upgrade rkhunter itself):
/usr/local/bin/rkhunter --update
If system files have changed legitimately (for example after a package update), store their new properties in the database. Only do this after confirming the changes are genuine, since it also accepts any tampered file as the new baseline:
/usr/local/bin/rkhunter --propupd
rkhunter logs all activities and errors encountered by the application to:
/var/log/rkhunter.log
You can see the other rkhunter options with:
/usr/local/bin/rkhunter --help

10. Scan Your System With Maldet

Maldet, also known as Linux Malware Detect (LMD) is a malware scanner for Linux systems that is designed to effectively detect php backdoors, darkmailers, and a number of other malicious files that might be present on compromised websites.

Installing Maldet

  1. SSH to the server and download the tar file.
    wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
  2. Extract the file.
    tar -xzf maldetect-current.tar.gz
  3. Go to the maldet folder.
    cd maldetect-*
  4. To install maldet, run the below command.
    sh ./install.sh

Use Maldet in Linux Server

You should always open a new screen session and run the scan inside it, as it may take hours depending on the disk space usage of your system. To run a scan, use the command below:
maldet -a /path/to/scan
or
maldet --scan-all /path/to/scan
You can also simply run the command below to scan the whole system:
maldet -a /
Once the scan of the server is complete, you will get a SCAN ID at the end. To view the scan report, use the command below. Note that you will need to replace SCAN ID with the actual ID.
maldet --report SCAN ID
Ex: maldet --report 062617-2220.1771

To quarantine all malware results from a previous scan, run the command below:
maldet -q SCAN ID
Ex: maldet --quarantine 062617-2220.1771

Automate Maldet

You can edit the maldet configuration file, conf.maldet, to automate processes such as:

  1. Set email_alert to 1 to send reports to the configured email account.
  2. In email_addr, set the email account on which you want to receive scan reports.
  3. Change quar_hits to 1 so that any malware found is moved to the directory /usr/local/maldetect/quarantine and you get a notification at the configured email address.
  4. Change quar_susp to 1. This enables account suspension for cPanel users, or sets the shell to /bin/false for non-cPanel users.

11. Setup Cron Job To Run ClamAV Daily

Your files on the server change often, so it’s important to make sure all new changes are scanned for viruses. You can schedule the ClamAV scanner to run during off-hours (daily, as in this tip, or weekly) to automatically check for any issues and keep your files safe.

Use the following command in the cron job. The account list is read from /etc/userdomains, skipping the nobody pseudo-user, and the awk call must be wrapped in a command substitution as shown:

for i in $(awk '!/nobody/{print $2}' /etc/userdomains | sort -u); do /usr/local/cpanel/3rdparty/bin/clamscan -i -r /home/$i 2>/dev/null; done >> /root/infections &

This command recursively scans each account’s home directory and appends only the infected files it finds (-i) to /root/infections.
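The same sweep as a cron-ready script, added here as an example and not taken from the article: it reuses the article’s clamscan path and /etc/userdomains, mails a report only when something is found, and turns the scanner’s exit status into the script’s own. The /root/infections log path, the mail recipient and the constructed account list in the comments are assumptions.

```shell
#!/bin/sh
# Added example: daily ClamAV sweep of every cPanel home directory, meant
# for /etc/cron.daily. Assumes the cPanel clamscan path from the article
# and the usual "domain: user" lines of /etc/userdomains. clamscan exits
# 0 when clean, 1 when an infected file was found and 2 on error.
CLAMSCAN=/usr/local/cpanel/3rdparty/bin/clamscan
USERDOMAINS=/etc/userdomains
LOG=/root/infections            # cumulative log, as in the article
MAILTO=root                     # assumed recipient

# cpanel_users FILE -> unique account names; the "nobody" pseudo-user that
# /etc/userdomains lists for unowned domains is skipped.
# Constructed input "example.com: alice" / "*: nobody" yields just "alice".
cpanel_users() {
    awk -F': *' '$2 != "" && $2 != "nobody" { print $2 }' "$1" | sort -u
}

# scan_user_homes REPORT -> scans /home/<user> for every account, appends
# infected paths to REPORT and returns the worst clamscan exit status
scan_user_homes() {
    report="$1"; worst=0
    for u in $(cpanel_users "$USERDOMAINS"); do
        [ -d "/home/$u" ] || continue
        "$CLAMSCAN" -i -r --no-summary "/home/$u" >> "$report" 2>/dev/null
        rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

run_daily_scan() {
    report=$(mktemp)
    rc=0; scan_user_homes "$report" || rc=$?
    if [ "$rc" -eq 1 ]; then
        # -i means the report holds only infected files, so mail it as-is
        { date; cat "$report"; } >> "$LOG"
        mail -s "ClamAV: infections found on $(hostname)" "$MAILTO" < "$report"
    elif [ "$rc" -ge 2 ]; then
        echo "clamscan reported an error (exit $rc)" |
            mail -s "ClamAV scan error on $(hostname)" "$MAILTO"
    fi
    rm -f "$report"
    return "$rc"
}

# Only run the sweep where the scanner and the account list actually exist
if [ -x "$CLAMSCAN" ] && [ -r "$USERDOMAINS" ]; then
    run_daily_scan
fi
```

Save it as /etc/cron.daily/clamav-homes.sh and make it executable; because it exits with clamscan’s status, cron’s own failure mail also fires when the scanner itself breaks.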

12. Disable Apache Header Information

Since your server signature contains information like the Apache and OS versions, you must hide this information from prying public eyes via WHM.

  1. Once you are logged into WHM, navigate to Service Configuration → Apache Configuration → Global Configuration.
  2. Set the following values:
    Server Signature = Off
    Server Tokens = Product only

13. Hide PHP Version Information

Like the Apache headers, you shouldn’t expose PHP version information either. Here are the steps to hide this information.

  1. Once you are logged into WHM, navigate to Service Configuration → PHP Configuration Editor.
  2. Set the following value:
    expose_php = Off

14. Disable FTP & Use SFTP Instead

In FTP, all data sent between the client and server is in plain text, which means it can be easily intercepted by someone spying on the network. This can include sensitive information like login details and private messages.

SFTP (SSH File Transfer Protocol), on the other hand, encrypts both commands and data. This means SFTP keeps your passwords and other sensitive information secure while it’s being sent over the network.

15. Securing cPanel and WHM Access

Force HTTPS URL to Access cPanel/WHM

To safeguard your cPanel or WHM login with SSL-based encryption, follow these two simple steps.

  1. Login to WHM and navigate to Home → Server Configuration → Tweak Settings.
  2. Scroll to the Redirection tab and use the settings shown in the image below.

Disabling cPanel-ID Login

A cPanel server allows two types of logins.

The first is the default/standard username and password login and the second is to login to the server with a cPanel ID.

A cPanel ID allows users to deploy a single username and password to gain access to a wide variety of cPanel services.

While this method is more than suitable for organizations that manage a large data center and frequently hire new technicians, if you only have a single server, you should disable it by using the following steps.

  1. Login to WHM and navigate to Home → Security Center → Manage External Authentication.
  2. Change the cPanel ID login to disabled, as shown in the image below.

Conclusion

By implementing these 15 easy tips to your VPS or dedicated server you will immediately reduce your vulnerability to attacks both internally and externally and boost your system’s security within a matter of hours.

And while these tips will reduce the number of threats to your server, they aren’t a cure-all.

In order to optimize your system’s security, you need to do your due diligence and regularly update yourself on the most recent happenings in the server security world.

However, with only a few hours of research a month, you can stay on the cutting edge of cPanel security and ensure that you and your company will remain secure for years to come.

Do you have any questions about the 15 tips listed above? Have you found any new security features of cPanel servers that you want to share? Let us know in the comments below.
