How to secure your WHM/cPanel server
In this tutorial we will go over some steps that include few software installation and web server security settings modification.
The collection of these easy steps is a results of years of experience in maintenance and management of linux servers.
1) Updates & Installation
Update cPanel to the latest version from the WHM interface:
Navigate to: Home » cPanel » Upgrade to Latest Version
Next, install the Apache mod_security with EasyApache:
Navigate to: Home » Software » EasyApache (Apache Update)
On step 4 check the “Mod Security” option and click the “Save and Build” button.
Next, login to the cPanel server as root via SSH and run OS update, then install some softwares from ConfigServer:
yum update -y wget http://www.configserver.com/free/csf.tgz tar -xzf csf.tgz cd csf/ sh install.sh cd .. rm -Rfv csf/ csf.tgz wget http://configserver.com/free/cmc.tgz tar -xzf cmc.tgz cd cmc/ sh install.sh cd .. rm -Rfv cmc/ cmc.tgz
2) Use The Security Advisors
If your cPanel version is 11.42+ and CSF is installed on your server there is two Security Advisors on your server that will check the security level of your server and will suggest recommendations on how fix the security issues.
For cPanel Security Advisor navigate to:
Home » Security Center » Security Advisor
For ConfigServer Firewall Security Advisor navigate to:
Home » Plugins » ConfigServer Security & Firewall » Check Server Security
* Follow all the recommendations and make the necessary changes to fix your server security issues.
We recommend to run the Security Advisors at least once a month.
3) Web Server Security & Firewall (ModSecurity)
Our choice for Mod Security rules is the Comodo Web Application Firewall (CWAF) agent. The cPanel\WHM plugin automate the installation & configuration of CWAF on the server and the deployment of periodically published predefined firewall rules set updates.
1) To get access to Comodo Mod Security rules and CWAF free sign up is needed: https://waf.comodo.com
2) To download the comodo client agent login to the web administration console and click the “Download latest installer” link (top right of the screen) “cwaf_client_install.sh”.
3) Copy the agent setup file to a local directory in the server E.g. /root
4) Run the installation script as root via SSH:
bash /root/cwaf_client_install.sh
Follow the instructions in the setup wizard!
Next edit mod_security conf file and include the CWAF Rules.
vi /usr/local/apache/conf/modsec2.conf
And add this line:
Include "/var/cpanel/cwaf/etc/cwaf.conf"
The file should look like this:
LoadFile /opt/xml2/lib/libxml2.so # LoadFile /opt/lua/lib/liblua.so LoadModule security2_module modules/mod_security2.so <IfModule mod_security2.c> SecRuleEngine On SecTmpDir /tmp SecDataDir /tmp SecRequestBodyAccess On SecAuditEngine RelevantOnly SecPcreMatchLimitRecursion 250000 SecDebugLog logs/modsec_debug_log SecPcreMatchLimit 250000 SecAuditLog logs/modsec_audit.log SecDebugLogLevel 0 Include "/var/cpanel/cwaf/etc/cwaf.conf" </IfModule>
5) Now login to WHM as root and navigate to:
Home » Plugins » Comodo WAF
At the “Main” tab you can run updates if needed,
At the “Catalog” tab you can set or unset rules for all vhosts or for a singel domain.
6) Restart Apache
service httpd restart
7) Set new Apache configuration:
Home » Service Configuration » Apache Configuration » Global Configuration
Change to:
SSL Cipher Suite = (PCI recommended)
Trace Enable = Off
Server Signature = Off
Server Tokens = ProductOnly
File ETag = None
Then clicking on “Save”
8) Set new PHP configuration:
Home » Service Configuration » PHP Configuration Editor
Select the “Advanced Mode” and set the following settings:
allow_url_fopen = off
expose_php = Off
enable_dl= Off
register_globals = off
display_errors = off
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, eval, symlink, link, readlink, dl, escapeshellarg, escapeshellcmd, ini_restore, apache_get_modules, ini_get_all, get_cfg_var
9) Restart Apache
service httpd restart
10) Enable failure detection of repeated Apache mod_security rule triggers
Navigate to:
Home » Plugins » ConfigServer Security & Firewall » Firewall Configuration
And set the number of failures between 3 and 5 by changing the value:
LF_MODSEC = 3
4) Tweaks
1) Install and config “tmpwatch”
yum install tmpwatch
Edit the tmpwatch cron file:
vi /etc/cron.daily/tmpwatch
The file should look like this:
#! /bin/sh flags=-umc /usr/sbin/tmpwatch "$flags" -x /tmp/.X11-unix -x /tmp/.XIM-unix \ -x /tmp/.font-unix -x /tmp/.ICE-unix -x /tmp/.Test-unix \ -X '/tmp/hsperfdata_*' -m 24 /tmp /usr/sbin/tmpwatch "$flags" -m 12 /var/tmp for d in /var/{cache/man,catman}/{cat?,X11R6/cat?,local/cat?}; do if [ -d "$d" ]; then /usr/sbin/tmpwatch "$flags" -mf 12 "$d" fi done
2) Disable Compilers for all accounts from:
Home » Security Center » Compiler Access
3) Disable Anonymous FTP & Logins with root
Home » Service Configuration » FTP Server Configuration
5) eXploit Scanner
The eXploit Scanner is the best tool out there for detecting malicious code on the server and for real time detection while files are uploaded to the server.
eXploit Scanner detecting malicious code uploaded real time and deny the upload and blocks the IP address from which the file is upload.
1) Install ClamAV:
Home » cPanel » Manage Plugins
Select “clamavconnector” and Seve.
2) The “eXploit Scanner” is not free, but worth every cent. Buy license at:
http://configserver.com/cp/cxs.html
3) Once you received the confirmation email of the activation of the license you can start the installation of the eXploit Scanner plugin:
wget http://www.configserver.com/free/cxsinstaller.tgz tar -xzf cxsinstaller.tgz perl cxsinstaller.pl rm -fv cxsinstaller.* mkdir -m 1777 /usr/suspicious_files touch /var/log/cxs.log chmod 0666 /var/log/cxs.log cp /etc/cxs/cxs.defaults.example /etc/cxs/cxs.defaults cp /etc/cxs/cxs.ignore.example /etc/cxs/cxs.ignore cp /etc/cxs/cxs.xtra.example /etc/cxs/cxs.xtra chmod 644 /etc/cxs/cxs.xtra /etc/cxs/cxs.defaults /etc/cxs/cxs.ignore chmod 755 /etc/cxs/cxscgi.sh /etc/cxs/cxsftp.sh
4) Enable the pure-ftp upload script:
vi /etc/pure-ftpd.conf
And change the “CallUploadScript” value
From:
# CallUploadScript yes
To:
CallUploadScript yes
Next, restart the pure-uploadscript daemon:
/etc/init.d/pure-uploadscript restart
5) Edit the config files and comment any exiting line with # in this files:
Edit cxscgi.sh file:
vi /etc/cxs/cxscgi.sh
Add:
/usr/sbin/cxs -Z --cgi --block --smtp --mail root --delete --qoptions Mexv -I /etc/cxs/cxs.ignore --xtra /etc/cxs/cxs.xtra "$1"
Edit cxsftp.sh file:
vi /etc/cxs/cxsftp.sh
And set the line:
/usr/sbin/cxs -Z --ftp --block --smtp --mail root --delete --qoptions Mexv -I /etc/cxs/cxs.ignore --xtra /etc/cxs/cxs.xtra "$1"
Edit cxswatch.sh file:
vi /etc/cxs/cxswatch.sh
And set the line:
/usr/sbin/cxs --Wstart --allusers --www --block --smtp --mail root --quarantine /usr/suspicious_files --qoptions Mexv --xtra /etc/cxs/cxs.xtra --Wmaxchild 5 --Wloglevel 0 --Wsleep 3 --filemax 0 --Wrateignore 300
6) Create Cron jobs via the UI from:
Home » Plugins » ConfigServer eXploit Scanner
Click on “Edit Cron Jobs” and add the command:
/usr/sbin/cxs --mail root --exp --vir -I /etc/cxs/cxs.ignore -X /etc/cxs/cxs.xtra -Q /usr/suspicious_files --options mMOLfSGchexdnwWZDRPu --qoptions Mexv -Z --sum -S 1000000 -F 10000 -C /var/clamd -T 2 --MD5 -B --allusers
Add the auto update cron command:
/usr/sbin/cxs --upgrade --quiet
Create the cxs suspicious files folder:
mkdir /usr/suspicious_files
* Enable detection of repeated cxs and mod_security rules trigger. This option will block the user IP address if cxs or ModSecurity triger is detected.
Navigate to:
Home » Plugins » ConfigServer Security & Firewall » Firewall Configuration
And set: LF_CXS = 1
Finally we finished securing your server!
To set up firewall on your dedicated server click.