Server security is something that should never be overlooked. One day or another, chances are your server will be under attack and the integrity of your data will be at risk, not mentioning you may lose potential and existing customers in the process.
Here are 10 things you can do to secure your web server from attacks:
1. Updating cPanel
The first thing you want to do is to make sure you have the latest version of cPanel running. You can update cPanel by going to WHM > cPanel > Upgrade to Latest Version. You can also achieve the same thing using this command line:
# /scripts/upcp --force
In order to have your server updated automatically, I recommend you enable daily updates by going to WHM > Server Configuration > Update Preferences:
2. Securing cPanel and WHM Access
When using an unsecured connection to cPanel and WHM, your username and password are sent as clear text over the Internet. It is advised to use SSL to secure all accesses to both control panels. From WHM, click on Server Configuration > Tweak Settings and configure the redirection parameters as follow:
3. Securing SSH
SSH is among the services mostly vulnerable to Brute Force Attacks. The default SSH configuration allows root access on the default port (22). Here’s how to secure the SSH daemon:
a) Establish an SSH connexion to your server and connect as root.
b) Edit the SSH daemon configuration file:
# nano /etc/ssh/sshd_config
c) Set a different port for incoming SSH connections by changing this line:
d) You don’t have to use port 22200 as mentioned above. Refer to this list of common TCP/UDP ports to find a port number that isn’t already in use.
Disable SSH root login by changing this line:
e) Save the file and restart the SSH daemon:
# service sshd restart
In order to gain root access through SSH, you will now need to log on as a regular user and then become root by issuing the command:
# su - root
Note that you will first need to add the desired users to the wheel group (WHM > Security Center > Manage Wheel Group Users).
4. Securing Apache and PHP
cPanel allows to easily build and compile Apache and PHP using EasyApache. The first step in securing Apache and PHP is to update both components to the latest version:
- Log in to WHM and go to Softwares > EasyApache (Apache Update).
- On the first page, select “Previously Save Config” so that you can reuse your server’s current settings.
- Click on “Start customizing based on profile”.
- When prompted to select which Apache version to build, select the latest stable version. At the moment of this writing, the latest version is 2.4.6.
- On the PHP Version page, select the latest stable release (PHP 5.4.20 at this moment).
- On the next page, click on “Exhaustive Options List”.
- Check the following options: Mod SuPHP, Mod Security and “Save my profile with the appropriate PHP 5 options…”. Leave all other the options set as they were.
- Click on “Save and build”.
At this point, rebuilding Apache and PHP may take up to 30 minutes depending on the speed of your server.
Next you must configure suPHP as the PHP handler. By enabling suPHP, the files created by PHP scripts will be owned by the website’s user account instead of the account running the Apache process. To enable suPHP go to WHM > Service Configuration > Configure PHP and suEXEC, select “suphp” and click on Save New Configuration:
In order to prevent malicious PHP scripts from opening files outside of their home directory, it is recommended to enable open_basedir:
- Log into WHM and go to Security Center >Security Center> PHP open_basedir Tweak.
- Check “Enable php open_basedir Protection”.
- Click on “Save”.
The Apache server should restart automatically once this is done.
In order to make open_basedir work correctly, you will need to create a file named “php.ini” for each account and place it in their “public_html” directory with the following content:
open_basedir = "/home/[username]/public_html/:/path/to/other/folders/"
This will prevent PHP scripts from accessing files located outside of the defined folders.
Finally, here are some recommended settings for PHP. Go to “WHM > Service Configuration > PHP Configuration Editor” and select “Advanced Mode”. Configure the following parameters:
- register_globals: Off
- disable_functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
Click on “Save” when you’re done. The new settings won’t take effect until your restart Apache. Go to “WHM > Restart Services > HTTP Server (Apache)” to restart the service.
5. Disabling Anonymous FTP Access
To prevent anonymous users from uploading files to your server, go to WHM > Service Configuration > FTP Server Configuration and set “Allow Anonymous Logins” and “Allow Anonymous Uploads” to “No”.
6. Increasing Required Password Strength
You can force your users to use more complex passwords by going to WHM > Security Center > Password Strength Configuration.
7. Enabling cPHulk
cPHulk protects your web servers from Brute Force Attacks by blocking suspect IP addresses for a predetermined period. To enable it, go to WHM > Security Center > CPHulk Brute Force Protection and click on “Enable”.
If you’re connecting from a static IP address, you can add it to cPHulk’s white list to avoid locking yourself out of your own server.
8. Installing ClamAV Antivirus
While Linux servers are not prone to viruses as much as Windows-based servers, it is nonetheless a good practice to install an antivirus. Even if your web server is not infected, it could still host a virus intended to infect visitors to your website.
ClamAV is available for cPanel servers as a plugin. Here’s how to enable it:
- Go to WHM > cPanel > Manage Plugins.
- Select “Install and keep updated” next to ClamAV and click on “Save”.
- One the ClamAV plugin installation is completed, reload your WHM control panel so that the main menu is updated.
- Click on WHM > Plugins > Configure ClamAV Scanner and select all four (4) options:
- Click on “Save”.
9. Installing a Rootkit hunter
A “rootkit” is basically a malicious computer program that is running on your server in “stealth mode”. The rootkit allows the attacker to gain root access to your server without you noticing it.
In order to detect rootkit on a cPanel server, you will need to install a rootkit scanner such as the Rootkit Hunter:
a) Log on to your server through SSH as a regular user and then become root:
# su - root
b) Download the latest version of rkhunter from here:
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/
c) Extract the content from the archive:
# tar xvzf rkhunter-1.4.0.tar.gz
d) Launch the installer:
# cd rkhunter-1.4.0
# ./installer.sh --install
e) Fill the file properties database:
# rkhunter --propupd
f) To scan for rootkits as root, run the following command:
# rkhunter --check
10. Installing a Firewall
This is perhaps the most critical part of hardening a cPanel server. One of the most popular firewall software for cPanel servers is ConfigServer Security and Firewall. CSF not only acts as firewall by scanning various authentication log files, it will also scan your entire system and give you recommendations as to what you can do to increase security.
Installing CSF is quite easy:
# rm -fv csf.tgz
# wget http://www.configserver.com/free/csf.tgz
# tar -xzf csf.tgz
# cd csf
# sh install.sh
Once you’ve installed CSF, go to WHM > Plugins > ConfigServer Security&Firewall and click on Check Server Security to get a list of tips to secure your web server.
Don’t forget to open the new SSH port you’ve defined earlier otherwise CSF will block it. To do this, go to WHM > Plugins > ConfigServer Security&Firewall > Firewall Configuration. Find the parameter named “TCP_IN” and add the SSH port to the list.
Do you have more security tips to share? If so, please tell us about it in the comments below.