How to Secure a cPanel/WHM Web Server

Here are a few basic steps that you should keep in mind for keeping a server secure.

1) Strong Server Passwords

If the passwords are not strong enough to withstand brute force, there is little point in securing the server by other means, because it is otherwise wide open to the world. Use long passwords that mix letters, digits and other characters. Online password strength checkers can help you judge whether a password is strong enough.

2) Securing SSH

SSH (the shell) is the remote connectivity tool in Linux with which users connect to the server remotely. Securing SSH is important because it limits the attacks that can be made through it. Always keep the SSH packages updated to the latest stable version. Other ways to secure SSH are:

Setup Wheel User

With this setup, you can only log in to the server as the chosen user. The idea is to disable root SSH login, then create a new user (or pick an existing one) and add that user to the wheel group, so that SSH sessions are only opened as that user and root is reached afterwards with su. Here are the steps.

Open the SSH config file

nano /etc/ssh/sshd_config

Set PermitRootLogin to ‘no’

PermitRootLogin no

Restart SSH

/etc/init.d/sshd restart

This disables root login over SSH. Do not close your current session yet: if you terminate it now, you can no longer log in as root. Next, create the wheel user with:

adduser <wheel_user_name>

Adding a new user is not required; if you want an existing user to be the wheel user, skip the step above. Now go to WHM and add the user to the wheel group.

WHM >> Security Center >> Manage Wheel Group Users >> Select the user and click ‘Add to Group’.

Now a wheel user is added and you can only log in to SSH as that particular user and after logging in, you can switch to Root.

Set up key-based passwordless login

The idea behind this is to disable password authentication and allow SSH access only by key-based authentication. For this, you generate an SSH key pair on the machine from which you connect to the server and add its public key to the authorized keys file on the server.

Open SSH config file

nano /etc/ssh/sshd_config

Edit the PasswordAuthentication parameter to ‘no’
PasswordAuthentication no

This will disable password authentication in the server.

Generate SSH key in the host machine (system from which you need to connect to the server)

ssh-keygen

This prompts for the file in which to save the generated key. If you hit ‘Enter’, the key is placed in ‘/home/user/.ssh/id_rsa’ by default.

It will also ask for a passphrase, which is similar to a password but you’ll only have to add it once. You can refer to the screenshot below.

Once the key is generated, you’ll have to add the public key in the authorized keys file in the server. For this, you can use SCP functionality.

scp -P portnumber ~/.ssh/id_rsa.pub <ssh_user>@<server_ip>:

SSH into the remote server; in the home directory of the SSH user you will find the file ‘id_rsa.pub’. Append its contents to the file ‘/root/.ssh/authorized_keys’:

cat id_rsa.pub >> /root/.ssh/authorized_keys

With this, you will be able to log in to the server without being prompted for a password, using only the key you added.
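The two sshd_config edits in this section lock you out if password authentication is switched off before a key is actually in place. The following script is an added example, not part of the original article: it applies PermitRootLogin no, and only turns PasswordAuthentication off after it finds a public key in the authorized_keys of the account that will log in (HOME_DIR, for which the article uses /root). It assumes POSIX sh with awk and mktemp.

```shell
#!/bin/sh
# Added example (not from the original article): apply the two sshd_config changes
# from this section in a lockout-safe order. Assumptions: POSIX sh, awk and mktemp;
# HOME_DIR is the home of the account that will log in over SSH (the article uses /root).

# set_sshd_option FILE KEY VALUE
# Replaces the first active or commented "KEY ..." line with "KEY VALUE", drops any
# later duplicates (sshd honours only the first occurrence), or appends if absent.
set_sshd_option() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[#[:space:]]*" k "[[:space:]]") { if (!done) print k " " v; done = 1; next }
    { print }
    END { if (!done) print k " " v }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# get_sshd_option FILE KEY: the value sshd will use (first uncommented occurrence), or empty.
get_sshd_option() {
  awk -v k="$2" '$1 == k && !seen { print $2; seen = 1 }' "$1"
}

# key_login_ready HOME_DIR: true only if authorized_keys holds at least one public key,
# the precondition for turning PasswordAuthentication off without locking yourself out.
key_login_ready() {
  grep -Eqs '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$1/.ssh/authorized_keys"
}

# harden_sshd FILE HOME_DIR: PermitRootLogin no always; PasswordAuthentication no only
# once a key is in place. Returns 1 (leaving password auth alone) when no key exists.
harden_sshd() {
  set_sshd_option "$1" PermitRootLogin no || return 1
  if key_login_ready "$2"; then
    set_sshd_option "$1" PasswordAuthentication no
  else
    echo "no public key in $2/.ssh/authorized_keys; PasswordAuthentication left unchanged" >&2
    return 1
  fi
}

# After harden_sshd succeeds on the real file, validate the syntax before restarting,
# so a typo cannot leave sshd unable to start:
#   sshd -t -f /etc/ssh/sshd_config && /etc/init.d/sshd restart
```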

3) Updating cPanel

Updating cPanel to the latest version is the best way to keep the system free of known vulnerabilities and bugs, as cPanel releases bug fixes regularly.

You can update cPanel via WHM,
WHM >> cPanel >> Upgrade to Latest Version >> Click to upgrade

You can also do this via Command Line

/scripts/upcp --force

4) Tweaking CPanel And WHM Access

Always use SSL/TLS encryption when logging in to cPanel and WHM. For this go to:

WHM >> Server Configuration >> Tweak Settings >> Redirection

Keep the settings as shown in the screenshot below.

5) Enable CPHulk Brute Force Protection

cPHulk is cPanel's built-in protection against brute force login attacks. You can enable cPHulk via:

WHM >> Security Center >> cPHulk Brute Force Protection.

6) Apache And PHP Security Tweak

You can enable ModSecurity in WHM to protect Apache from attacks such as code injection. ModSecurity checks each request against the rules defined in its configuration file and blocks the requests the rules flag. You can install ModSecurity via:

WHM >> Plugins >> Mod Security

Configure suPHP as the PHP handler and suEXEC for running CGI scripts, so that scripts execute with the privileges of the account that owns them rather than the web server user. You can enable suPHP and suEXEC via:

WHM >> Service Configuration >> suEXEC

Change the PHP handler to suPHP, Turn Apache suEXEC to ‘ON’ and click Save New Configuration.


Enable PHP open_basedir protection to prevent PHP scripts from accessing files outside the account's home directory. Go to:
WHM >> Security Center >> PHP open_basedir Tweak >> check box the option Enable PHP open_basedir Protection >> Click Save.

You need to tweak the PHP configuration to disable some of the PHP functions. Goto:

WHM >> Service Configuration >> PHP Configuration Editor >> Select Advanced mode

And set the following parameters. Note that allow_url_fopen is an ini directive rather than a function, so it is switched off on its own line instead of being listed under disable_functions.

register_globals: Off

allow_url_fopen: Off

disable_functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

Then click ‘Save’

Restart Apache after this tweak
service httpd restart

7) Disable Compiler Access To Users Other Than Root

You can either disable compiler access to all users or you can enable it for trusted users via:

WHM >> Security Center >> Compiler Access

8) Hardening /Tmp

Mount the /tmp partition with the nosuid option, so that setuid bits on files placed there are ignored and a binary runs only with the privileges of the user executing it. cPanel/WHM ships a script for this which you can simply run from the command line:

/scripts/securetmp

9) Enable Firewall

Setting up a firewall is very important because it denies unwanted connections to the server. CSF (ConfigServer Security & Firewall) is the commonly used firewall for cPanel servers; it is supported by cPanel and can be managed from the WHM interface.

Download CSF package

wget https://download.configserver.com/csf.tgz

Extract the tar file

tar zxvf csf.tgz

Change directory to the CSF installation directory.

cd csf

Execute the install script for cPanel

./install.cpanel.sh

Start CSF service

/etc/init.d/csf start

Test the installation configuration (Assuming Perl is already installed)

perl /usr/local/csf/bin/csftest.pl

After testing, disable the test flag in CSF configuration

nano /etc/csf/csf.conf

Edit the flag ‘TESTING’ to ‘0’

TESTING = "0"

Restart CSF

/etc/init.d/csf restart

Now you should be able to access CSF via WHM >> Plugins >> ConfigServer Security & Firewall

Here are a few parameters to change:

Block every IP with more than 200 connections.

CT_LIMIT = "200"

Block those IPs permanently

CT_PERMANENT = "1"

Set the IP block time limit to 1800 secs

CT_BLOCK_TIME = "1800"

Set the connection tracking interval to 60 secs.

CT_INTERVAL = "60"

10) Install ClamAV

ClamAV is an antivirus scanner available as a cPanel plugin for protection against viruses and malware. You can install it via:

WHM >> Manage Plugins >> Tick ‘Install and keep updated’ checkbox in ClamAV and click ‘Save’

11) Install RKHunter For Protection Against Rootkits.

RKHunter is an application that scans the system for rootkits, backdoors and other signs of compromise. You can install it from the command line:

Download the RKHunter package

wget -O rkhunter-1.4.0.tar.gz 'https://sourceforge.net/projects/rkhunter/files/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz/download?use_mirror=iweb'

Untar the package

tar -zxvf rkhunter-1.4.0.tar.gz

Change directory to the installation directory

cd rkhunter-1.4.0

Run the install script

./installer.sh --install

You can run the manual scan with the command:

rkhunter -c

Or, you may keep a cronjob with the same command to run this periodically.

12) Checking Suspicious Files And Folders

Files and folders that are world-writable, or that have no valid owner or group, are always suspicious because attackers can use them easily. So we need to find such files and check whether each one is legitimate.

Here is the command to check the world-writable files and folders:

find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | egrep -v '/(proc|sys)' > world_writable_files.txt

Command to find no owner files and folders is:

find / \( -nouser -o -nogroup \) 2>/dev/null | egrep -v '/(proc|sys)' > no_owner_files.txt

Open ‘world_writable_files.txt’ and ‘no_owner_files.txt’ and check whether the files and folders listed are genuine. Remove any that look suspicious.

13) Disable Recursion In Bind

Enabling recursion in BIND lets anyone on the internet use the server as an open resolver, which exposes it to DNS amplification attacks and to lookups from third-party DNS lookup websites. So it is recommended to turn it off.

Open Bind configuration files

nano /etc/named.conf

Set ‘recursion’ to ‘no’ inside the options { } block

recursion no;

Restart Bind
service named restart

14) Update Rpms And Kernel With Yum Update

It is always advised to update the kernel and the rpm packages to the latest stable version to avoid known vulnerabilities. This can be done easily with yum commands.

Clean yum repository

yum clean all

Update yum

yum update

15) Disable Anonymous FTP & Logins With Root

Attackers frequently upload malicious scripts through the anonymous FTP user. So it is advised to disable the anonymous user, which you can do via:

WHM >> Service Configuration >> FTP Server Configuration

16) SYSCTL Tweak

/etc/sysctl.conf is a text file containing sysctl values that are read in and set by sysctl at boot time. You can edit kernel, networking and other system parameters by editing this file. Please note that in some virtualization environments (containers in particular) these parameters are controlled by the host and cannot be changed from inside the guest.

Here are a few essential parameters.

Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

Turn on execshield

kernel.exec-shield=1
kernel.randomize_va_space=1

Enable IP spoofing protection

net.ipv4.conf.all.rp_filter=1

Disable IP source routing

net.ipv4.conf.all.accept_source_route=0

Enable logging of spoofed packets

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Disable ICMP routing redirects

net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.send_redirects = 0

Disable the magic-sysrq key

kernel.sysrq = 0

Disable tcp_sack

net.ipv4.tcp_sack = 0

These are the basic settings/modifications applicable in a cPanel server.
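Editing sysctl.conf does not guarantee the values are in effect: the note above about virtualization applies, and a parameter such as kernel.exec-shield simply does not exist on kernels that never had it, so sysctl -p skips it with an error. The following script is an added example, not part of the original article: it reads a sysctl.conf fragment in the format used in this section and reports every setting the running kernel does not honour. It assumes POSIX sh with sed, tr and awk, reads /proc/sys directly, and uses a hypothetical SYSCTL_ROOT variable so a constructed tree can stand in for /proc/sys when testing.

```shell
#!/bin/sh
# Added example (not from the original article): check whether the sysctl.conf values
# from this section are really in effect on the running kernel. Assumes POSIX sh with
# sed/tr; SYSCTL_ROOT (default /proc/sys) can point at a constructed tree for testing.

# running_sysctl KEY: the kernel's current value for KEY, or failure if the parameter
# does not exist (e.g. kernel.exec-shield on kernels that never had it).
running_sysctl() {
  path="${SYSCTL_ROOT:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
  [ -f "$path" ] || return 1
  # /proc/sys values end in a newline and may be tab-separated; normalise to single spaces
  tr -s '[:space:]' ' ' < "$path" | sed 's/ $//'
}

# sysctl_mismatches CONF: one line per setting in CONF ("key = value" or "key=value",
# comments and blank lines ignored) that the running kernel does not honour.
sysctl_mismatches() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS='=' read -r key want; do
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if have=$(running_sysctl "$key"); then
      [ "$have" = "$want" ] || echo "$key: expected $want, running kernel has $have"
    else
      echo "$key: not present on this kernel (expected $want); sysctl -p cannot set it"
    fi
  done
}

# sysctl_ok CONF: true when every setting in CONF is in effect.
sysctl_ok() {
  [ -z "$(sysctl_mismatches "$1")" ]
}

# Typical use on the server, after editing the file and running `sysctl -p`:
#   sysctl_ok /etc/sysctl.conf || sysctl_mismatches /etc/sysctl.conf
```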

17) Keep Your Eyes Open

A server that someone else can reach in some way, on some port, is never completely safe. So keep yourself informed about the latest threats, attacks, vulnerabilities and bugs, and apply patches immediately.

If you implement these recommendations on your dedicated server or VPS you will have greatly reduced the possibility of getting hacked.

We hope you found this tutorial useful on how to secure a cPanel WHM Server.
