In this tutorial we are going to see how to secure a server running cPanel/WHM.
Use Secure Passwords
Insecure passwords are a common security vulnerability. If an account password is insecure and gets compromised, client sites can be defaced or hacked and valuable data can be stolen.
Change your password as often as possible. Here are more tips for making a secure password.
- Passwords should be alphanumeric and grammatical.
- Passwords should be 10 or more characters long.
- Don’t use the same password for other sites.
- Don’t let your browser store your passwords.
- Don’t use names of your family, birthdate or numbers special to you.
- Don’t use any dictionary words in your password.
- Generate a random password. Some password generator sites provide options to generate a password with special characters.
Use secure SSH Keys
Change the way you log in to your server's shell from passwords to SSH keys. SSH keys are more secure and require a special passphrase to be used. To generate an SSH key, log in to WHM > Security Center section > Manage root’s SSH Keys.
Click on Generate a New Key, enter the key name and your secure password twice.
Move SSH to a Different Port
Try to move SSH to a different port to deter anyone without specific knowledge of your server from easily discovering your SSH port. Most visitors look for SSH on port 22, which is the default SSH port.
Always use a custom port in the privileged range (below 1024), since only root can use these ports.
We have already discussed this topic here.
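A way to check a server against the two SSH recommendations above (key-based login and a non-default privileged port). This is an added example, not part of the original tutorial or of cPanel's tooling; the function names `sshd_values` and `audit_sshd` and the sample configuration are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: check sshd_config text against the SSH advice above.

# Print each value of keyword $2 from the global section of file $1.
# Keywords are case-insensitive and "Key=value" is accepted; reading stops at
# the first Match block, whose settings apply only to matching logins.
sshd_values() {
  awk -v key="$2" '
    { sub(/#.*/, ""); sub(/=/, " ") }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2) }
  ' "$1"
}

# Print one line per check; return 1 if any check fails.
audit_sshd() {
  local file=$1 bad=0 ports port pw pk
  ports=$(sshd_values "$file" Port)
  [ -n "$ports" ] || ports=22          # no Port line: sshd listens on 22
  for port in $ports; do               # every Port line opens a listener
    case $port in
      *[!0-9]*) echo "FAIL port '$port' is not a number"; bad=1 ;;
      22) echo "FAIL port 22 is the default port"; bad=1 ;;
      *) if [ "$port" -ge 1024 ]; then
           echo "WARN port $port is unprivileged; non-root users can bind it"
         else
           echo "OK   port $port"
         fi ;;
    esac
  done
  # For single-valued keywords sshd keeps the first occurrence.
  pw=$(sshd_values "$file" PasswordAuthentication | head -n 1)
  pk=$(sshd_values "$file" PubkeyAuthentication | head -n 1)
  if [ "${pw:-yes}" = no ]; then echo "OK   password login is disabled"
  else echo "FAIL PasswordAuthentication ${pw:-yes}: passwords accepted"; bad=1; fi
  if [ "${pk:-yes}" = yes ]; then echo "OK   key login is enabled"
  else echo "FAIL PubkeyAuthentication $pk: keys are refused"; bad=1; fi
  return "$bad"
}

# Constructed sample config (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
Port 922
passwordauthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live server, pass the path of the real configuration file, typically /etc/ssh/sshd_config. The sample fails because the first PasswordAuthentication line, not the last, is the one sshd applies.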
Enable cPHulk Brute Force Protection
cPHulk is a service that protects your server from brute force attacks. A brute force attack is a hacking method that uses an automated system to guess the password to your web server or services.
When cPHulk blocks an attack, the login page shows that the ‘login is invalid’. To avoid getting locked out of your own server, add your IP address to the whitelist.
You can access cPHulk through WHM > Security Center section > cPHulk Brute Force Protection.
Turn off unused services and daemons
Any service or daemon that allows connections to your server may also allow hackers to gain access. To reduce security risks, disable all services and daemons that you do not use.
Disable any services that are not in use in WHM’s Service Manager interface (Home >> Service Configuration >> Service Manager).
Secure your Apache
The most readily-available way to access a web server is the web server application. You must secure your Apache installation.
One of the best tools that you can use to prevent malicious Apache use is ModSecurity™.
In cPanel & WHM version 64.0 and later, you can use the following interfaces to manage ModSecurity:
- WHM’s ModSecurity™ Tools interface (Home >> Security Center >> ModSecurity™ Tools).
- WHM’s ModSecurity™ Configuration interface (Home >> Security Center >> ModSecurity™ Configuration).
Install CSF
If your PC is connected to the Internet, you are a potential target for an array of cyber threats, such as hackers, keyloggers, and Trojans that attack through unpatched security holes. This means that if you, like most people, shop and bank online, you are vulnerable to identity theft and other malicious attacks.
A firewall works as a shield, between your PC and cyber space. When you are connected to the Internet, you are constantly sending and receiving information in small units called packets. The firewall filters these packets to see if they meet certain criteria set by a series of rules, and thereafter blocks or allows the data. This way, hackers cannot get inside and steal information such as bank account numbers and passwords from you.
One such firewall you can install for WHM/cPanel is CSF (ConfigServer Firewall). CSF configures your server’s firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites. ConfigServer Firewall also comes with a service called Login Failure Daemon, or LFD.
To install CSF, follow the steps provided here (refer to Steps 2 and 3).
Now log in to WHM and you will see a CSF configuration page in the Plugins section.
Harden your /tmp partition
We recommend that you use a separate /tmp partition that you mount with the nosuid option. This option forces a process to run with the privileges of its executor. You may also wish to mount the /tmp directory with noexec after you install cPanel & WHM.
To mount your /tmp partition to a temporary file for extra security you will have to run:
# /scripts/securetmp
Note: make sure that there is enough disk space for the partitions. A minimum of 8GB for /usr and 16GB for /var is recommended.
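To confirm that /tmp really carries the mount options described above, the mount table can be checked directly. This is an added example, not part of the original tutorial or of cPanel's scripts; the function name `check_tmp_mount` and the sample mount table are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify the /tmp mount options recommended above.

# check_tmp_mount [MOUNTS_FILE]   (file uses the /proc/mounts format)
# nosuid is treated as required and noexec as advisory, as in the text.
# Returns 0 only when /tmp is a separate mount that carries nosuid.
check_tmp_mount() {
  local mounts=${1:-/proc/mounts} opts
  # A later entry for the same mount point sits on top of earlier ones,
  # so the last /tmp line describes what processes actually see.
  opts=$(awk '$2 == "/tmp" { o = $4 } END { print o }' "$mounts")
  if [ -z "$opts" ]; then
    echo "FAIL /tmp is not a separate mount"
    return 1
  fi
  # Match whole comma-separated options, never substrings.
  case ",$opts," in
    *,noexec,*) echo "OK   /tmp has noexec" ;;
    *)          echo "WARN /tmp allows execution (noexec not set)" ;;
  esac
  case ",$opts," in
    *,nosuid,*) echo "OK   /tmp has nosuid"; return 0 ;;
    *)          echo "FAIL /tmp honours setuid bits (nosuid not set)"; return 1 ;;
  esac
}

# Constructed sample in /proc/mounts format (not from a real server):
# /tmp was first mounted without restrictions, then a loop file was mounted over it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,relatime 0 0
/dev/loop0 /tmp ext4 rw,nosuid,noexec,relatime 0 0
EOF
check_tmp_mount "$sample" || echo "/tmp needs hardening"
rm -f "$sample"
```

Called without an argument, the function reads the live mount table from /proc/mounts.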
Disable system compilers
Most users do not require the use of C and C++ compilers. We strongly recommend that you disable compilers for all users who are not in the compilers group in the /etc/group file. Many pre-packaged exploits require functional compilers.
To disable compilers from the WHM interface, use WHM’s Compiler Access interface (Home >> Security Center >> Compiler Access).
You can also disable compilers from the command line. Run the following command as the root user:
# /scripts/compilers off