Securing a cPanel/WHM Server

Overview of cPanel WHM Server Security

Server security is essential to keeping your websites and other data safe. New attack methods appear almost every day, so it is critically important to keep your servers secure and updated. Doing so makes them highly resistant to attacks, hacks and other threats. This article covers cPanel/WHM-based Linux servers.

Here are a few basic steps that you should keep in mind for keeping a server secure.

1) Strong Server Passwords

If the passwords are not strong enough to withstand a brute-force attack, there is no point in securing the server by other means, because it is otherwise wide open to the world. So use strong, lengthy alphanumeric passwords with multiple character types. There are online tools that check password strength and can guide you in setting a strong password.

2) Securing SSH

SSH/Shell is the remote connectivity tool in Linux with which users can connect to the server remotely. It is important to secure SSH/Shell for restricting the attacks through it. For this always update the SSH packages to the latest stable version. Other means to secure SSH are:

Setup Wheel User

With this setup, you can only log in to the server as a designated user. The idea is to disable root SSH login, then create a new user (or pick an existing one) and add that user to the wheel group, so that SSH will only accept connections as that user. Here are the steps.

Open the SSH config file

vi /etc/ssh/sshd_config

Set PermitRootLogin to ‘no’

PermitRootLogin no

Restart SSH

/etc/init.d/sshd restart

This will disable root login. Please note that if you terminate the session now, you can’t log in as the root user again, so keep the current session open until the wheel user has been created and tested. Now create a new wheel user with:

adduser <wheel_user_name>

Adding a new user is not necessary: if you want an existing user to be the wheel user, you can skip the above step. Now go to WHM and add the user to the wheel group.

WHM >> Security Center >> Manage Wheel Group Users >> Select the user and click ‘Add to Group’.

Now a wheel user is added. You can only log in over SSH as that particular user, and after logging in you can switch to root.

Set up key-based passwordless login

The idea behind this is to disable password authentication and allow SSH access only by key-based authentication. For this you need to generate an SSH key on the machine from which you want to connect to the server, and add the public key to the authorized keys of the server.

Open SSH config file

vi /etc/ssh/sshd_config

Edit the PasswordAuthentication parameter to ‘no’

PasswordAuthentication no

This will disable password authentication in the server.

Generate SSH key in the host machine (system from which you need to connect to the server)


This will prompt for the file in which to save the generated key. If you hit ‘Enter’, the key will be placed in ‘/home/user/.ssh/id_rsa’ by default.

It will also ask for a passphrase, which is similar to a password but you’ll only have to add it once. You can refer to the screenshot below.


Once the key is generated, you’ll have to add the public key in the authorized keys file in the server. For this you can use scp functionality.

scp -P portnumber ~/.ssh/ [email protected]

SSH into the remote server, and in the home directory of the SSH user, you can see the file ‘’. Just copy paste the key in the said file to the file ‘/root/.ssh/authorized_keys’

cat >> /root/.ssh/authorized_keys

With this, you will be able to log in to the server without being prompted for a password, using only the key that was added.
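A check for the two sshd_config changes made in this section, as an added example that is not part of the original article. The function names `sshd_value` and `audit_sshd` are hypothetical, and the sample configuration is constructed; the check relies on sshd using the first value it finds for each keyword.

```sh
#!/bin/sh
# Added example (not from the original article): audit an sshd_config-style
# file for the two settings this section changes.

# Print the value sshd would use for a global keyword: the first uncommented
# occurrence wins, keywords are case-insensitive, and "Keyword=value" is
# accepted. Parsing stops at the first Match block (conditional overrides).
sshd_value() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, "") }                 # drop leading indentation
        /^(#|$)/ { next }                      # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(want) { print f[2]; exit }
    ' "$1"
}

# Exit status 0 only if both directives are explicitly set to "no".
audit_sshd() (
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_value "$1" "$key")
        if [ "$val" = "no" ]; then
            echo "OK    $key no"
        else
            echo "FAIL  $key is ${val:-unset (sshd default applies)}"
            rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample: a leftover "PermitRootLogin yes" appears first, so the
# "no" added below it never takes effect.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'PermitRootLogin no' 'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live server, `sshd -t` checks the configuration for errors before you restart the daemon, and `sshd -T` prints the effective settings.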

3) Updating cPanel

Updating cPanel to the latest version is the best way to protect the system from vulnerabilities and bugs, as cPanel releases bug fixes regularly.

You can update cPanel via WHM,
WHM >> cPanel >> Upgrade to Latest Version >> Click to upgrade

You can also do this via Command Line

/scripts/upcp --force

4) Tweaking cPanel and WHM Access

It is always best to use SSL-based encryption when you log in to cPanel and WHM. For this, go to:

WHM >> Server Configuration >> Tweak Settings >> Redirection

Keep the settings as shown in the screenshot below.


5) Enable cPHulk Brute Force Protection

cPHulk is a commonly used tool to protect the server from Brute Force attacks. You can enable cPHulk via:

WHM >> Security Center >> cPHulk Brute Force Protection.

6) Apache and PHP security tweak

You can enable ModSecurity in WHM for securing Apache from attacks like code injection etc. There are specific rules defined in the ModSecurity configuration file and any connection not matching the rules will be blocked. You can install ModSecurity via:

WHM >> Plugins >> Mod Security

Configure suPHP as the PHP handler and suEXEC for executing CGI scripts with the user's privileges. You can enable suPHP and suEXEC via:

WHM >> Service Configuration >> suEXEC

Change the PHP handler to suPHP, Turn Apache suEXEC to ‘ON’ and click Save New Configuration.


You need to enable PHP open_basedir protection to prevent PHP scripts from accessing files outside of their home directory. Go to:
WHM >> Security Center >> PHP open_basedir Tweak >> check box the option Enable PHP open_basedir Protection >> Click Save.

You need to tweak the PHP configuration to disable some of the PHP functions. Go to:

WHM >> Service Configuration >> PHP Configuration Editor >> Select Advanced mode

And set the following parameters.

register_globals: Off

disable_functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen

Then click ‘Save’

Restart Apache after this tweak
service httpd restart

7) Disable compiler access to users other than root

You can either disable compiler access for all users or enable it only for trusted users via:

WHM >> Security Center >> Compiler Access

8) Hardening /tmp

We can mount the /tmp partition with the nosuid option, because this forces files in it to be executed with the privileges of the user running them. cPanel/WHM has a custom script for this and you can simply run the script via the command line. Here is the script/command.


9) Enable firewall

Setting up a firewall is very important for security because it denies all unwanted connections to the server. CSF (ConfigServer Security & Firewall) is a commonly used firewall; it is supported by cPanel and manageable through the WHM interface.

Download CSF package


Extract the tar file

tar zxvf csf.tgz

Change directory to the CSF installation directory.

cd csf

Execute the install script for cPanel


Start CSF service

/etc/init.d/csf start

Test the installation configuration (Assuming perl is already installed)

perl /usr/local/csf/bin/

After testing, disable the test flag in CSF configuration

vi /etc/csf/csf.conf

Edit the flag ‘TESTING’ to ‘0’


Restart CSF

/etc/init.d/csf restart

Now you should be able to access CSF via WHM >> Plugins >> ConfigServer Security & Firewall

Here are a few parameters to change:

Block every IP with more than 200 connections.

CT_LIMIT = "200"

Block those IPs permanently


Set the IP block time limit to 1800 secs

CT_BLOCK_TIME = "1800"

Set the connection tracking interval to 60 secs.


10) Install ClamAV

ClamAV is a cPanel plugin for protection against viruses and malware. You can install it via:

WHM >> Manage Plugins >> Tick ‘Install and keep updated’ check box in ClamAV and click ‘Save’

11) Install RKHunter for protection against Rootkits.

RKHunter is an application which detects Rootkits, backdoors and other exploits in its scan. You can install it via Command Line:

Download the RKHunter package


Untar the package

tar -zxvf rkhunter-1.4.0.tar.gz

Change directory to the installation directory

cd rkhunter-1.4.0

Run the install script

./ --install

You can run the manual scan with the command:

rkhunter -c

Or, you may keep a cronjob with the same command to run this periodically.

Please also refer to our rkhunter installation and configuration tutorial.

12) Checking suspicious files and folders

Files and folders with full permissions, or without an owning user or group, are always suspicious because attackers can access them easily. So we need to find such files and check whether they are necessary.

Here is the command to check the world writable files and folders:

find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | egrep -v '/(proc|sys)' > world_writable_files.txt

Command to find no owner files and folders is:

find / -nouser -o -nogroup >> no_owner_files.txt

Open ‘world_writable_files.txt’ and ‘no_owner_files.txt’ and check whether the files and folders listed there are genuine. Remove any that look suspicious.
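The world-writable list is usually long, so the following added example (not part of the original article) narrows it to the entries that most deserve review. The function name `risky_world_writable` is hypothetical and the directory tree in the demo is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): a narrower version of the
# world-writable search above.

# List, under directory $1 and without crossing into other filesystems
# (so /proc and /sys are skipped when $1 is /):
#   - world-writable regular files
#   - world-writable directories that LACK the sticky bit; unlike /tmp
#     (mode 1777), any user can delete or replace other users' files there
risky_world_writable() {
    find "$1" -xdev \
        \( -type f -perm -0002 -o -type d -perm -0002 ! -perm -1000 \) \
        -print 2>/dev/null | sort
}

# Print each finding with its mode, owner and group for review.
# Assumes path names do not contain newlines.
triage_report() {
    risky_world_writable "$1" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Constructed demo tree: only "uploads" and "config.php" should be reported.
demo=$(mktemp -d)
mkdir "$demo/uploads" "$demo/tmp" "$demo/public_html"
chmod 0777 "$demo/uploads"        # world-writable, no sticky bit: reported
chmod 1777 "$demo/tmp"            # sticky bit set, like /tmp: not reported
chmod 0755 "$demo/public_html"    # not world-writable: not reported
: > "$demo/config.php";  chmod 0666 "$demo/config.php"    # reported
: > "$demo/index.php";   chmod 0644 "$demo/index.php"     # not reported
triage_report "$demo"
rm -rf "$demo"
```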

13) Disable Recursion in Bind

Enabling Recursion in Bind may lead to DNS amplification attacks, lookups from DNS lookup websites etc. So it is recommended to turn it off.

Open Bind configuration files

vi /etc/named.conf

Set ‘recursion’ to ‘no’

recursion no;

Restart Bind
service named restart

14) Update rpms and kernel with yum update

It is always advisable to update the kernel and the rpm packages to the latest stable version to avoid vulnerabilities. This can be done easily with yum commands.

Clean yum repository

yum clean all

Update yum

yum update

15) Disable Anonymous FTP & Logins with root

Attackers tend to upload malicious scripts as the anonymous user, so it is advisable to disable anonymous FTP. You can do it via:

WHM >> Service Configuration >> FTP Server Configuration

16) SYSCTL tweak

/etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. You can edit kernel, networking and other system parameters by editing the said file. Please note that you cannot do this in Virtualization environments.

Here are a few essential parameters.

Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

Turn on execshield


Enable IP spoofing protection


Disable IP source routing


Enable logging of spoofed packets

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Disable ICMP routing redirects

sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
# (send_redirects exists only for IPv4; there is no net.ipv6 equivalent)

Disable the magic-sysrq key

kernel.sysrq = 0

Disable tcp_sack

net.ipv4.tcp_sack = 0

These are the basic settings/modifications applicable in a cPanel server.
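Settings applied with `sysctl -w` change only the running kernel and are lost at reboot unless they are also written to /etc/sysctl.conf. The following added example (not part of the original article) checks a sysctl.conf-style file against the values listed in this section; the names `BASELINE`, `conf_value` and `audit_sysctl` are hypothetical and the sample file is constructed.

```sh
#!/bin/sh
# Added example (not from the original article): check a sysctl.conf-style
# file against the values this section lists.

# Baseline: only the settings whose values are shown in this section.
BASELINE='net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
kernel.sysrq=0
net.ipv4.tcp_sack=0'

# Value a key ends up with once the file is applied top to bottom: the LAST
# assignment wins. Lines starting with # or ; are comments.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            line = $0
            gsub(/[ \t]/, "", line)            # "a.b = 1" becomes "a.b=1"
            i = index(line, "=")
            if (i && substr(line, 1, i - 1) == key) val = substr(line, i + 1)
        }
        END { if (val != "") print val }
    ' "$1"
}

# One line per baseline key; exit status 1 if any is missing or differs.
audit_sysctl() (
    rc=0
    for pair in $BASELINE; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "MISMATCH $key: want $want, file has ${have:-nothing}"
            rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample: syncookies is overridden by a later line.
sample=$(mktemp)
printf '%s\n' 'net.ipv4.tcp_syncookies = 1' 'kernel.sysrq=0' \
    'net.ipv4.tcp_syncookies=0' > "$sample"
audit_sysctl "$sample" || echo "sysctl.conf does not match the baseline"
rm -f "$sample"
```

Run `sysctl -n <key>` to see the value the running kernel is actually using.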

17) Keep your eyes open

You are never safe as long as someone else can connect to your server in some way or to some port. So keep yourselves updated about the latest threats, attacks, vulnerabilities and bugs and apply patches immediately.

If you implement these recommendations on your dedicated server or VPS you will have greatly reduced the possibility of getting hacked.
