As you learned in our Intro to Server Security, securing your server is one of the most important things you need to do when you’re setting up and maintaining your cPanel server. We’re building on the knowledge presented in the introduction to provide more advanced tips for server security.
In this article, you’ll learn more in-depth techniques and best practices for safeguarding your site, server, and account from hackers. We’ll cover security topics like:
- Managing Shell Access
- Recommended Security Settings
- Configuring Security Policies
- Restricting System Compilers on Your Server
- Setting Up a Firewall for Your Server
- Implement Rules for ModSecurity in WHM
- Disabling Redundant Services
- How to Stay Updated and Actively Monitor Your System
Steps to Secure Your Server
Aside from the Security Advisor, there are some manual steps each sysadmin should take to keep their server safe from attacks. Some of these are settings that can be disabled once, and others require regular monitoring. One of the first places to start is our knowledge base article about Recommended Security Settings. Pay special attention to the “Tweak Settings Checklist,” as it covers many significant first steps. The additional suggestions below will help you set up a secure environment.
Enabling Configure Security Policy allows you to restrict logins to verified IP addresses only. In this area, you can also add two-factor authentication using Google Authenticator and change the settings for Password Strength and Password Age. When creating a new account, you can also disable shell access or use a VirtFS jailed shell by visiting the Manage Shell Access interface.
Restrict System Compilers
Most users don’t require access to a C or C++ compiler. We recommend that you disable compilers for users that don’t belong to the compilers group under /etc/group in your server’s settings. Without a functional compiler, most pre-packaged exploits can’t run.
- You can deactivate compilers through the Compiler Access interface in WHM.
- You can also use the following command in the command line:
Start Using a Firewall
A computer firewall is either a hardware device or a software program that is configured to inspect all data traffic it receives before that traffic enters the server or network. It uses a set of predefined rules to determine whether the data should be allowed to pass or be blocked.
cPanel does not ship with a firewall, but adding one to your server will help keep malicious traffic from reaching your system. There are several third-party firewalls we recommend, and we provide documentation about how to configure your firewall for cPanel. Here is a brief list of some third-party firewalls you might use.
It’s important to note that if a firewall is incorrectly configured, it can block desired traffic. If you set up a firewall and suddenly find that you can’t access parts of your website, you should go back and look further into your firewall configuration.
Disable Redundant Daemons and Services
Daemons or services that accept connections to your server but are redundant or not actively used put you at risk: attackers can abuse those connections. The more services that are running on your server, the more opportunities there are for others to use them to break into or take control of your system. Examine your system to see which programs are redundant or unused. To improve your server’s security, deactivate all daemons and services that you don’t require. You can do this in the Service Manager interface (WHM >> Home >> Service Configuration).
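One way to examine which services are actually exposed, as an added example that is not part of the original article or cPanel's tooling: the function below reads `ss -H -tlnp` output and reports listeners reachable from other hosts whose port is not on your allowlist. The sample lines and the allowlist are constructed assumptions; adjust the ports to your own server.

```shell
#!/usr/bin/env bash
# Added example: find TCP listeners that are reachable from other hosts but
# are not on your list of required ports. Feed it `ss -H -tlnp` output.

# $1: space-separated allowlist of ports. stdin: ss lines.
# Prints "port address process" for every unexpected listener.
unexpected_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port)            # port = text after the last colon
      sub(/:[^:]*$/, "", addr)        # addr = everything before it
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: local only
      if (!(port in ok)) print port, addr, $6
    }'
}

# Constructed sample of `ss -H -tlnp` output (not taken from a real server).
# The process column ($6) only appears when ss runs as root with -p.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("sshd",pid=911,fd=3))
LISTEN 0 511 [::]:443 [::]:* users:(("httpd",pid=1400,fd=6))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1201,fd=21))
LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("pure-ftpd",pid=1333,fd=4))
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=702,fd=4))'

# Assumed allowlist: SSH on 2222, HTTP/HTTPS, cPanel (2083) and WHM (2087).
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "2222 80 443 2083 2087"
```

On a live server, run `ss -H -tlnp | unexpected_listeners "<your ports>"` as root; each line it prints is a service to either justify or disable in Service Manager.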
Actively Monitor Your System
One of the most important ways to protect your server is to keep an eye on it yourself. Track the number of user accounts created. Subscribe to the cPanel Mailing List to be notified of critical updates and keep your server updated. Stay aware of what software is installed so you can keep 3rd party applications updated, too. In our documentation, we’ve compiled a list of additional security software that we recommend for helping you to monitor your system.
cPanel offers some other tips to make your server more secure. These include Logwatch, a customizable log analysis system that parses your system’s logs and creates a report analyzing the areas that you specify, and chkrootkit, a tool that checks locally for signs of a rootkit on your server.
ModSecurity in WHM
ModSecurity is an open-source web application firewall (WAF) supported by several web servers: Apache, Nginx and IIS. The module is configured to protect web applications from various attacks. ModSecurity supports flexible rules that perform both simple and complex operations. It comes with a Core Rule Set (CRS) containing a variety of rules. You can learn more in our ModSecurity documentation or by watching the video linked above.
In general, security experts highly recommend that you use only the latest stable versions of any software on a server that is live and in production. At cPanel, we recommend that you set your server to automatically update on the LTS tier. You can specify your update settings in the Update Preferences interface. You should also check your other software on your server for updates regularly, or enable automatic updates.
Server security is as essential as network security, and in some ways more important. Our servers often contain a great deal of vital company information as well as private user data. If your server is compromised, crackers can not only cause damage to the way the site is displayed; they can steal data as all of the server’s contents may become available for them to use at will. As a web host, you should consider putting your team through SafeAdmin Accreditation so your System Administrators know what the best practices for protecting your server are.
Simple Steps for Securing Your cPanel: Advanced Server Security
cPanel, combined with WHM (Web Host Manager), is among the most used web hosting control panels. Like all server software, it can be vulnerable to various attacks if not properly secured. This article delves into advanced strategies for bolstering cPanel server security.
1. Use Secure Passwords and Two-Factor Authentication (2FA):
- Strong Passwords: Ensure that root, SSH, and cPanel account passwords are complex, involving a combination of uppercase and lowercase letters, numbers, and special characters.
- Two-Factor Authentication: Enable 2FA for cPanel and WHM to add an extra layer of security. Users will need both their password and a secondary code to access their accounts.
2. Change Default Ports:
To mitigate automated attacks, modify the default ports for services:
- Change the default SSH port from 22 to a higher value, like 2222.
- Update firewall rules to reflect these changes.
3. Implement a Firewall and Brute-Force Protection:
- ConfigServer Security & Firewall (CSF): A popular choice for cPanel, CSF provides a comprehensive firewall solution, along with brute-force protection.
- cPHulk: Built into WHM, cPHulk protects your server against brute-force attacks. Ensure it’s enabled and configured.
4. Secure SSH Access:
- Disable Root Login: Never allow direct root login. Instead, log in as a standard user and escalate privileges using ‘sudo’ when necessary.
- Use SSH Keys: Instead of password-based authentication, use SSH key pairs for a more secure method of login.
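The SSH advice in steps 2 and 4 can be checked against a configuration file; the script below is an added example, not code from the original article or from cPanel. The function names and the sample file are constructed, and the defaults passed in (port 22, `PermitRootLogin prohibit-password`, `PasswordAuthentication yes`) are OpenSSH's values when a keyword is unset.

```shell
#!/usr/bin/env bash
# Added example: audit an sshd_config against the SSH advice in steps 2 and 4.
# Limitations: "Include" files (e.g. sshd_config.d/*.conf) are not followed,
# and only the first Port line is checked although sshd accepts several.

# Print the effective global value of KEYWORD, or DEFAULT if it is unset.
# sshd keeps the FIRST occurrence of a keyword, compares keywords without
# regard to case, and treats everything after a "Match" line as conditional.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
  awk -v key="$2" -v def="$3" '
    { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # comments, "Key=value"
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }
  ' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_sshd() {
  local f="$1" n=0
  [ "$(sshd_value "$f" PermitRootLogin prohibit-password)" = "no" ] ||
    { echo "FAIL PermitRootLogin is not 'no'"; n=$((n + 1)); }
  [ "$(sshd_value "$f" PasswordAuthentication yes)" = "no" ] ||
    { echo "FAIL PasswordAuthentication is not 'no'"; n=$((n + 1)); }
  [ "$(sshd_value "$f" Port 22)" != "22" ] ||
    { echo "WARN Port is still the default 22"; n=$((n + 1)); }
  return "$n"
}

# Constructed sample: the second PermitRootLogin line is ignored by sshd,
# so root login stays enabled even though "no" appears in the file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
permitrootlogin yes
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a server where `sshd -T` is available, comparing its output with this result catches settings that come from included files.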
5. Harden PHP:
To avoid vulnerabilities associated with PHP:
- Disable Dangerous Functions: Disable functions known to be insecure, like
- open_basedir: This restricts PHP’s access to your file system.
6. Update Regularly:
Always keep your cPanel, WHM, operating system, and other server software updated. Frequently, updates contain security patches for known vulnerabilities.
7. Secure Apache and PHP with ModSecurity:
ModSecurity is an Apache module that acts as a web application firewall, providing protection against various attacks:
- Install and configure ModSecurity with rules tailored for your applications.
- Regularly update the ModSecurity ruleset.
8. Secure DNS:
- Enable DNSSEC: Domain Name System Security Extensions (DNSSEC) helps prevent DNS spoofing and cache poisoning.
- Configure Recursive DNS Restrictions: Ensure your DNS server doesn’t answer recursive queries from outside your network.
9. Isolate Accounts with CloudLinux:
CloudLinux isolates each cPanel account, ensuring that:
- One compromised account doesn’t affect others.
- Users can only see their own processes.
- System resources are fairly allocated.
10. Regular Backups:
While backups are primarily for data recovery, they’re crucial for security too:
- Configure automatic backups within WHM.
- Store backups off-site, ensuring they’re encrypted and regularly tested for integrity.
11. Monitor System Activity:
Use tools like ps to monitor server activity. Investigate any unusual behavior or unexpected processes.
12. Secure Kernel with KernelCare:
KernelCare ensures that the latest kernel patches are applied without needing to reboot the server. This ensures continuous security without downtime.
Securing your cPanel server requires diligence, regular maintenance, and proactive measures. Regularly audit your server, stay informed about emerging threats, and always prioritize security when configuring new services or software. Remember, while these advanced measures significantly bolster security, no system can be made entirely invulnerable—aim to achieve a balance between security, usability, and performance.