Overview of cPanel WHM Server Security
Server security is essential to keep your websites and other data safe. New attack methods appear almost every day, so it is critical to keep servers secure and updated; this makes them far more resistant to attacks, hacks and other threats. This article is based on cPanel/WHM based Linux servers.
Here are a few basic steps that you should keep in mind for keeping a server secure.
1) Strong Server Passwords
If the passwords are not strong enough to withstand brute force, there is no point in securing the server by other means, because it is otherwise wide open to the world. So use long alphanumeric passwords that mix several character classes. Online tools can check password strength and guide you in setting a strong one.
2) Securing SSH
SSH/Shell is the remote connectivity tool in Linux with which users connect to the server remotely. It is important to secure SSH to restrict attacks through it. First, always update the SSH packages to the latest stable version. Other means to secure SSH are:
Set up a Wheel User
With this setup you can only log in to the server as a chosen user. The idea is to disable root SSH login, then add a new or existing user to the wheel group, so that SSH only connects as that user. Here are the steps.
Open the SSH config file
Set PermitRootLogin to ‘no’
This disables root login. Please note that if you terminate the session now, you cannot log in as root. Next, create a new wheel user simply with,
Adding a new user is not necessary: if you want an existing user to be the wheel user, you can skip the step above. Now go to WHM and add the user to the wheel group.
WHM >> Security Center >> Manage Wheel Group Users >> Select the user and click ‘Add to Group’.
Now a wheel user is added; you can only log in to SSH as that particular user and, after logging in, switch to root.
Set up key-based, password-less login
The idea is to disable password authentication and allow SSH access only by key-based authentication. For this you need to generate an SSH key on the machine from which you connect to the server and add the public key to the server’s authorized keys.
Open SSH config file
Edit the PasswordAuthentication parameter to ‘no’
This will disable password authentication in the server.
Generate an SSH key on the host machine (the system from which you need to connect to the server)
This prompts for the file in which to save the generated key. If you hit ‘Enter’, the key is placed in ‘/home/user/.ssh/id_rsa’ by default.
It also asks for a passphrase, which is similar to a password but you only have to add it once. You can refer to the screenshot below.
Once the key is generated, add the public key to the authorized keys file on the server. You can use scp for this (user@server_ip below is a placeholder for your SSH user and server address).
scp -P portnumber ~/.ssh/id_rsa.pub user@server_ip:~/
SSH into the remote server; in the home directory of the SSH user you will see the file ‘id_rsa.pub’. Append the key from that file to ‘/root/.ssh/authorized_keys’:
cat id_rsa.pub >> /root/.ssh/authorized_keys
With this, you can log in to the server without a password prompt, based only on the key you added.
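A quick way to confirm that the two sshd_config changes above actually took effect, as an added example (not part of the original article, and not a cPanel tool): sshd honours the first occurrence of a keyword and treats everything after a Match line as conditional, so a stray duplicate or a setting placed inside a Match block silently leaves the default in force. The sample config at the end is constructed for the demo; the script assumes the usual "Keyword value" form.

```shell
#!/bin/sh
# Report whether an sshd_config applies the two changes made in section 2.
# sshd parsing rules that matter: the FIRST occurrence of a keyword wins
# (a later duplicate is ignored), and anything after a "Match" line is
# conditional, so the scan stops there. Assumes "Keyword value" lines.
sshd_effective() {  # $1 = config file, $2 = keyword; prints effective value
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }           # comments, blanks
        tolower($1) == "match"      { exit }           # conditional: stop
        tolower($1) == tolower(key) { print $2; exit } # first match wins
    ' "$1"
}
sshd_check() {  # $1 = config file; returns 0 only if both settings are hardened
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair##*:}
        have=$(sshd_effective "$1" "$key" | tr 'A-Z' 'a-z')
        # A missing keyword falls back to sshd's built-in default, which is
        # not "no" for either of these, so absent counts as not hardened.
        if [ "$have" = "$want" ]; then
            echo "OK   $key $have"
        else
            echo "FAIL $key ${have:-unset (built-in default applies)}"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample (not a real server's file): root login is off, but
# PasswordAuthentication is only turned off inside a Match block, so the
# global setting still falls back to the default of yes.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# sshd_config (constructed)
Port 22
PermitRootLogin no
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
EOF
sshd_check "$cfg" || echo "sshd is not fully hardened"
rm -f "$cfg"
```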
3) Updating cPanel
Updating cPanel to the latest version is the best way to keep the system free of known vulnerabilities and bugs, as cPanel releases bug fixes regularly.
You can update cPanel via WHM:
WHM >> cPanel >> Upgrade to Latest Version >> Click to upgrade
You can also do this via the command line.
4) Tweaking cPanel and WHM Access
It is always best to use SSL encryption when you log in to cPanel and WHM. For this go to:
WHM >> Server Configuration >> Tweak Settings >> Redirection
Keep the settings as shown in the screenshot below.
5) Enable cPHulk Brute Force Protection
cPHulk is a commonly used tool that protects the server from brute-force attacks. You can enable cPHulk via:
WHM >> Security Center >> cPHulk Brute Force Protection.
6) Apache and PHP security tweak
You can enable ModSecurity in WHM to protect Apache from attacks such as code injection. Specific rules are defined in the ModSecurity configuration, and requests that trigger those rules are blocked. You can install ModSecurity via:
WHM >> Plugins >> Mod Security
Configure suPHP as the PHP handler and suEXEC for executing CGI scripts with the user’s privileges. You can enable suPHP and suEXEC via:
WHM >> Service Configuration >> suEXEC
Change the PHP handler to suPHP, turn Apache suEXEC ‘On’ and click Save New Configuration.
Enable PHP open_basedir protection to prevent PHP scripts from accessing files outside their home directory. Go to:
WHM >> Security Center >> PHP open_basedir Tweak >> tick the option Enable PHP open_basedir Protection >> click Save.
Tweak the PHP configuration to disable some dangerous PHP functions. Go to:
WHM >> Service Configuration >> PHP Configuration Editor >> Select Advanced mode
And set the following parameters (allow_url_fopen is an ini directive rather than a function, so it is switched off separately rather than listed under disable_functions).
disable_functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen: Off
Then click ‘Save’.
Restart Apache after this tweak:
service httpd restart
7) Disable compiler access to users other than root
You can either disable compiler access for all users or enable it only for trusted users via:
WHM >> Security Center >> Compiler Access
8) Hardening /tmp
Mount the /tmp partition with the nosuid option, which ignores set-user-ID bits so that any file there executes only with the privileges of the user running it. cPanel/WHM has a custom script for this, which you can simply run from the command line. Here is the script/command.
9) Enable firewall
Setting up a firewall is very important because it denies all unwanted connections to the server. CSF (ConfigServer Security &amp; Firewall) is the commonly used firewall; it is supported by cPanel and manageable through the WHM interface.
Download CSF package
Extract the tar file
tar zxvf csf.tgz
Change directory to the CSF installation directory.
Execute the install script for cPanel
Start CSF service
Test the installation configuration (assuming Perl is already installed)
After testing, disable the testing flag in the CSF configuration
Edit the ‘TESTING’ flag to ‘0’
TESTING = "0"
Now you should be able to access CSF via WHM >> Plugins >> ConfigServer Security &amp; Firewall
Here are a few parameters to change:
Block every IP with more than 200 connections:
CT_LIMIT = "200"
Block those IPs permanently:
CT_PERMANENT = "1"
Set the IP block time limit to 1800 seconds:
CT_BLOCK_TIME = "1800"
Set the connection tracking interval to 60 seconds:
CT_INTERVAL = "60"
10) Install ClamAV
ClamAV is a cPanel plugin for protection against viruses and malware. You can install it via:
WHM >> Manage Plugins >> Tick ‘Install and keep updated’ check box in ClamAV and click ‘Save’
11) Install RKHunter for protection against rootkits
RKHunter is an application that detects rootkits, backdoors and other exploits during its scan. You can install it via the command line:
Download the RKHunter package
Untar the package
tar -zxvf rkhunter-1.4.0.tar.gz
Change directory to the installation directory
Run the install script
You can run a manual scan with the command:
Or you may keep a cron job with the same command to run it periodically.
Please also refer to our rkhunter installation and configuration tutorial.
12) Checking suspicious files and folders
Files and folders with full (world-writable) permissions, or without a valid owner or group, are always suspicious, as attackers can use them easily. So we need to find such files and check whether they are legitimate.
Here is the command to check the world writable files and folders:
find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | egrep -v '/(proc|sys)' > world_writable_files.txt
The command to find files and folders with no owner or group is:
find / \( -nouser -o -nogroup \) 2>/dev/null > no_owner_files.txt
Open the lists in ‘world_writable_files.txt’ and ‘no_owner_files.txt’ and check whether each file/folder is genuine. Remove anything that looks suspicious.
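The same two searches wrapped as functions, as an added example that is not from the original article. It prunes the pseudo filesystems up front instead of filtering afterwards, and it leaves out directories that are world-writable with the sticky bit set (such as /tmp and /var/tmp), which are meant to be that way and would otherwise bury the real findings. The demo tree at the end is constructed; on a live server you would pass / as the directory.

```shell
#!/bin/sh
# World-writable files and directories under $1, skipping /proc, /sys and
# /dev, and skipping sticky-bit directories (mode 1777), which are the
# normal shared temp directories rather than a misconfiguration.
world_writable() {
    find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
         \( -type f -o -type d \) -perm -0002 \
         ! \( -type d -perm -1000 \) -print 2>/dev/null
}
# Files and directories whose owner or group no longer exists in
# /etc/passwd or /etc/group (typically left behind by a deleted account).
unowned() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
         \( -nouser -o -nogroup \) -print 2>/dev/null
}
# Constructed demo tree: one world-writable script (reported), one normal
# file (not reported) and one sticky shared directory (not reported).
tmp=$(mktemp -d)
mkdir -p "$tmp/web/cgi-bin" "$tmp/scratch"
chmod 0755 "$tmp/web" "$tmp/web/cgi-bin"
touch "$tmp/web/cgi-bin/upload.php" "$tmp/web/index.html"
chmod 0777 "$tmp/web/cgi-bin/upload.php"   # finding
chmod 0644 "$tmp/web/index.html"           # fine
chmod 1777 "$tmp/scratch"                  # sticky temp-style dir: skipped
echo "world-writable under $tmp:"
world_writable "$tmp"
rm -rf "$tmp"
```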
13) Disable Recursion in BIND
Enabling recursion in BIND may expose the server to DNS amplification attacks, lookups from DNS lookup websites, etc. So it is recommended to turn it off.
Open the BIND configuration file
Set ‘recursion’ to ‘no’ and restart BIND:
service named restart
14) Update rpms and kernel with yum update
It is always advisable to update the kernel and the RPM packages to the latest stable versions to avoid known vulnerabilities. This can be done easily with yum commands.
Clean the yum repository cache
yum clean all
15) Disable Anonymous FTP & Logins with root
Attackers often upload malicious scripts as the anonymous user, so it is advised to disable the anonymous user. You can do it via:
WHM >> Service Configuration >> FTP Server Configuration
16) SYSCTL tweak
/etc/sysctl.conf is a text file containing sysctl values that are read in and set by sysctl at boot time. You can set kernel, networking and other system parameters by editing this file. Please note that you cannot do this in virtualization environments.
Here are a few essential parameters.
Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Turn on execshield
Enable IP spoofing protection
Disable IP source routing
Enable logging of spoofed packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Disable ICMP routing redirects
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv6.conf.all.send_redirects=0
Disable the magic-sysrq key
kernel.sysrq = 0
net.ipv4.tcp_sack = 0
These are the basic settings/modifications applicable in a cPanel server.
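Settings written to /etc/sysctl.conf only take effect at the next boot (or after sysctl -p), and a later sysctl -w or a container host can leave the running kernel out of step with the file. The audit below, an added example rather than anything from the article, reads each desired key back from /proc/sys, where a.b.c maps to the file /proc/sys/a/b/c, and reports drift. The second argument overrides the /proc/sys root so the demo can run against a constructed tree.

```shell
#!/bin/sh
# Compare desired sysctl settings against what the kernel is running.
# $1 = file of "key = value" lines (comments and blanks allowed)
# $2 = root of the proc tree, normally /proc/sys; a different root lets
#      the check run against a constructed tree for testing.
# Returns 0 only when every key exists and matches.
sysctl_audit() {
    want_file=$1; root=${2:-/proc/sys}; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/.*=[[:space:]]*//')
        path="$root/$(printf '%s' "$key" | tr . /)"   # a.b.c -> a/b/c
        if [ ! -r "$path" ]; then
            echo "MISSING $key (no $path; the kernel does not expose it here)"
            bad=$((bad + 1)); continue
        fi
        # Some keys hold several whitespace-separated values; normalise.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ *$//')
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DRIFT   $key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done < "$want_file"
    [ "$bad" -eq 0 ]
}
# Constructed demo: a fake /proc/sys tree in which kernel.sysrq has
# drifted from the value this section sets.
tmp=$(mktemp -d)
mkdir -p "$tmp/fake/net/ipv4" "$tmp/fake/kernel"
echo 1 > "$tmp/fake/net/ipv4/tcp_syncookies"
echo 1 > "$tmp/fake/kernel/sysrq"
printf '# constructed want list\nnet.ipv4.tcp_syncookies = 1\nkernel.sysrq = 0\n' \
    > "$tmp/want.conf"
sysctl_audit "$tmp/want.conf" "$tmp/fake" || echo "one or more settings need attention"
rm -rf "$tmp"
```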
17) Keep your eyes open
You are never safe as long as someone else can connect to your server in some way or on some port. So keep yourself updated about the latest threats, attacks, vulnerabilities and bugs, and apply patches immediately.
If you implement these recommendations on your dedicated server or VPS, you will have greatly reduced the chance of getting hacked.