

7 Easy Ways to Secure your cPanel/ WHM


Server security is a complex and multifaceted subject that can take years to fully understand and master. Most system administrators diligently develop and deploy a vast array of security measures on their servers in order to prevent attacks and breaches. However, cPanel server security falls more towards the simple end of the server security spectrum.

Here’s a list of 7 useful ways to make sure you don’t compromise your cPanel security.

1. Securing SSH

SSH (Secure Shell) is the remote connectivity tool on Linux that lets users log into a remote machine and execute commands. If you don’t secure SSH, it is an obvious target for attack.

  • CHANGE SSH PORT
    Keeping SSH on the default port 22 exposes it to constant automated brute force attempts. To reduce these, select a random port for SSH so that it is harder for potential attackers to discover. Here are the steps to change the SSH port.

    1. Log in to the server via an SSH client.
    2. Edit the SSH configuration file, located at /etc/ssh/sshd_config:
      1. vi /etc/ssh/sshd_config and change the default port 22 to a new one, such as 4455
      2. Restart SSH with: service sshd restart
  • DISABLE ROOT LOGIN
    To add an additional layer of security and further strengthen SSH, disable direct root login and create a separate user to access the server.

    1. Create a new user and set its password:
      • adduser username
      • passwd username
    2. Add the user to the wheel group so it can escalate to root with su or sudo:
      • usermod -aG wheel username
    3. Edit the SSH configuration:
      • vi /etc/ssh/sshd_config
      • Change the line “PermitRootLogin yes” to “PermitRootLogin no”
      • Restart SSH with: service sshd restart
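The two sshd_config edits above (new port, PermitRootLogin no) as a script, added here as an example and not part of the original article. It assumes a CentOS-style `service sshd restart`, uses the article's port 4455 as a placeholder, and validates the file with `sshd -t` before restarting, since a broken config or a firewall that still blocks the new port locks you out.

```shell
#!/bin/sh
# Added example (not from the original article): apply the SSH hardening
# steps to a sshd_config file, keeping a backup, and verify the result.

# Replace an existing (possibly commented-out) directive line, or append one.
set_directive() {
  cfg="$1"; key="$2"; value="$3"
  if grep -Eq "^#?$key[[:space:]]" "$cfg"; then
    sed -E "s/^#?$key[[:space:]].*/$key $value/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$cfg"
  fi
}

harden_sshd_config() {
  cfg="$1"; port="$2"
  cp "$cfg" "$cfg.bak"            # keep a backup so a bad edit can be reverted
  set_directive "$cfg" Port "$port"
  set_directive "$cfg" PermitRootLogin no
}

# Returns 0 only if exactly one active Port line carrying the new port and
# an active "PermitRootLogin no" line are present.
check_sshd_config() {
  [ "$(grep -c '^Port ' "$1")" -eq 1 ] &&
  grep -Eq "^Port $2\$" "$1" &&
  grep -Eq '^PermitRootLogin no$' "$1"
}

# Run only after check_sshd_config passes and the new port is allowed in the
# firewall (CSF's TCP_IN, see section 5); sshd -t rejects a broken config
# before the restart can lock you out.
apply_sshd_config() {
  sshd -t -f "$1" && service sshd restart
}

# Constructed sample config so the example runs offline; on a real server
# pass /etc/ssh/sshd_config instead.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG" "$SAMPLE_CFG.bak"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
#Port 22
PermitRootLogin yes
X11Forwarding no
EOF
harden_sshd_config "$SAMPLE_CFG" 4455
cat "$SAMPLE_CFG"
```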

2. Enabling cPHulk Protection

A brute force attack is a hacking method that uses an automated system to guess the password to your web server. cPHulk is an easy to use service that protects your server against most brute force attacks.

  • To enable cPHulk, log in to WHM → Security Center → cPHulk Brute Force Protection and click Enable.

3. Turn off unused services and daemons

Any service or daemon that allows connections to your server may also allow hackers to gain access. To reduce security risks, disable all services and daemons that you do not use.

  • Disable any services that are not in use in WHM’s Service Manager interface (Home >> Service Configuration >> Service Manager) by unchecking the boxes for the services you don’t want running.

4. Setup ClamAV Antivirus

ClamAV, which is easy to install as a plugin on your server, is one of the most popular open source antivirus plugins for cPanel servers and allows individual users to scan their home directory and emails for potentially malicious files.

  • To install ClamAV, open WHM’s Manage Plugins interface (Home » cPanel » Manage Plugins) and click “Install ClamAV for cPanel”.

5. Install ConfigServer Firewall (CSF)

If your PC is connected to the Internet, you are a potential target for an array of cyber threats, such as hackers, keyloggers, and Trojans that attack through unpatched security holes. This means that if you, like most people, shop and bank online, you are vulnerable to identity theft and other malicious attacks.

A firewall works as a barrier, or a shield, between your PC and cyber space. When you are connected to the Internet, you are constantly sending and receiving information in small units called packets. The firewall filters these packets to see if they meet certain criteria set by a series of rules, and thereafter blocks or allows the data. This way, hackers cannot get inside and steal information such as bank account numbers and passwords from you.

One such firewall you can install for WHM/cPanel is CSF (ConfigServer Firewall). CSF configures your server’s firewall to lock down public access to services and only allow certain connections, such as logging in to FTP, checking your email, or loading your websites. ConfigServer Firewall also comes with a service called Login Failure Daemon, or LFD.

To install and configure CSF, follow this step-by-step guideline:

6. Harden your /tmp partition

We recommend that you use a separate /tmp partition mounted with the nosuid option. This option forces a process to run with the privileges of its executor rather than those of the file’s owner. You may also wish to mount the /tmp directory with noexec after you install cPanel & WHM.

To mount your /tmp partition on a dedicated temporary file with these options for extra security, run:

  • /scripts/securetmp

7. Secure Apache and PHP

We recommend that you enable ModSecurity in WHM to protect Apache from attacks such as code injection. Requests that trigger the rules defined in ModSecurity are blocked.

  • Enable Mod Security in WHM Interface

    1. Log in to WHM as root
    2. Navigate to Home » Security Center » ModSecurity™ Vendors » Manage Vendors
    3. Select “OWASP ModSecurity” and enable it
  • Secure Apache
    1. Disable Compiler Access: Home » Security Center » Compiler Access » Disable Compilers
    2. Disable Server Signature: Home » Service Configuration » Apache Configuration » Global Configuration » Server Signature » OFF
  • Secure PHP
    To add an additional layer of security and further strengthen your server, you can disable some PHP functions to prevent PHP exploitation.

    1. WHM > Service Configuration > PHP Configuration Editor > Select Advanced mode > register_globals: Off
    2. The register_globals setting controls how you access server, form, and environment variables. If it is on, anything passed via GET, POST or COOKIE automatically appears as a global variable in the code, which has security consequences.
    3. disable_functions: allow_url_fopen, proc_open, popen, phpinfo, exec, passthru, shell_exec, system, show_source
    4. Now restart Apache with: service httpd restart
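A check that a php.ini really carries the settings from the PHP list above, added here as an example and not part of the original article. It assumes a standard php.ini layout (last uncommented `key = value` wins) and treats allow_url_fopen and register_globals as ini directives checked for `Off`, since they are not functions and cannot go in disable_functions.

```shell
#!/bin/sh
# Added example (not from the original article): report which items of the
# PHP hardening list above are still enabled in a php.ini file.

# Effective value of an ini key: last uncommented occurrence, quotes and
# whitespace stripped (empty output if the key is absent).
ini_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d ' "\t'
}

# Prints the items still enabled; empty output means fully hardened.
php_hardening_missing() {
  ini="$1"
  missing=""
  disabled="$(ini_value "$ini" disable_functions)"
  for fn in proc_open popen phpinfo exec passthru shell_exec system show_source; do
    case ",$disabled," in
      *",$fn,"*) ;;                    # present in disable_functions
      *) missing="$missing $fn" ;;
    esac
  done
  # allow_url_fopen defaults to On when absent, so absence is a finding;
  # register_globals was removed in PHP 5.4 and is off when absent, so only
  # an explicit On is reported.
  aufo="$(ini_value "$ini" allow_url_fopen | tr 'A-Z' 'a-z')"
  case "$aufo" in off|0) ;; *) missing="$missing allow_url_fopen=${aufo:-on}" ;; esac
  rg="$(ini_value "$ini" register_globals | tr 'A-Z' 'a-z')"
  case "$rg" in on|1) missing="$missing register_globals=$rg" ;; esac
  printf '%s\n' "${missing# }"
}

# Constructed sample php.ini that applies the list only partly; on a real
# server point php_hardening_missing at the php.ini in use.
SAMPLE_INI="$(mktemp)"
trap 'rm -f "$SAMPLE_INI"' EXIT
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample, not a real server's php.ini
register_globals = Off
allow_url_fopen = On
disable_functions = exec,passthru, shell_exec,system
EOF
MISSING="$(php_hardening_missing "$SAMPLE_INI")"
echo "still enabled: $MISSING"
```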