Author Topic: 10 Tips for Keeping cPanel and WHM Secure  (Read 993 times)

Administrator

10 Tips for Keeping cPanel and WHM Secure
« on: June 11, 2015, 09:45:10 AM »
 

Server security is something that should never be overlooked. One day or another, chances are your server will be under attack and the integrity of your data will be at risk, not to mention that you may lose potential and existing customers in the process.

Here are 10 things you can do to secure your web server from attacks:

1. Updating cPanel

The first thing you want to do is to make sure you have the latest version of cPanel running. You can update cPanel by going to “WHM > cPanel > Upgrade to Latest Version”. You can also achieve the same thing using this command line:

# /scripts/upcp --force

In order to have your server updated automatically, I recommend you enable daily updates by going to “WHM > Server Configuration > Update Preferences”

2. Securing cPanel and WHM Access

When using an unsecured connection to cPanel and WHM, your username and password are sent as clear text over the Internet. It is advised to use SSL to secure all access to both control panels. From WHM, click on “Server Configuration > Tweak Settings” and configure the redirection parameters as follows:

3. Securing SSH

SSH is among the services most vulnerable to brute force attacks. The default SSH configuration allows root access on the default port (22). Here’s how to secure the SSH daemon:

Establish an SSH connection to your server and connect as root.
Edit the SSH daemon configuration file:
# nano /etc/ssh/sshd_config
Set a different port for incoming SSH connections by changing this line:
Port 22
to:
Port 22200
You don’t have to use port 22200 as mentioned above. Refer to this list of common TCP/UDP ports to find a port number that isn’t already in use.
Disable SSH root login by changing this line:
#PermitRootLogin yes
to:
PermitRootLogin no
Save the file and restart the SSH daemon:
# service sshd restart
In order to gain root access through SSH, you will now need to log on as a regular user and then become root by issuing the command:

# su - root
Note that you will first need to add the desired users to the wheel group (WHM > Security Center > Manage Wheel Group Users).

4. Securing Apache and PHP

cPanel lets you easily build and compile Apache and PHP using EasyApache. The first step in securing Apache and PHP is to update both components to the latest version:

Log in to WHM and go to “Software > EasyApache (Apache Update)”.
On the first page, select “Previously Saved Config” so that you can reuse your server’s current settings.
Click on “Start customizing based on profile”.
When prompted to select which Apache version to build, select the latest stable version. At the time of this writing, the latest version is 2.4.6.
On the PHP Version page, select the latest stable release (PHP 5.4.20 at this moment).
On the next page, click on “Exhaustive Options List”.
Check the following options: Mod SuPHP, Mod Security and “Save my profile with the appropriate PHP 5 options…”. Leave all the other options set as they were.
Click on “Save and build”.
At this point, rebuilding Apache and PHP may take up to 30 minutes depending on the speed of your server.

Next you must configure suPHP as the PHP handler. By enabling suPHP, the files created by PHP scripts will be owned by the website’s user account instead of the account running the Apache process. To enable suPHP go to “WHM > Service Configuration > Configure PHP and suEXEC”, select “suphp” and click on “Save New Configuration”

In order to prevent malicious PHP scripts from opening files outside of their home directory, it is recommended to enable open_basedir:

Log into WHM and go to “Security Center > PHP open_basedir Tweak”.
Check “Enable php open_basedir Protection”.
Click on “Save”.
The Apache server should restart automatically once this is done.

In order to make open_basedir work correctly, you will need to create a file named “php.ini” for each account and place it in their “public_html” directory with the following content:

open_basedir = "/home/[username]/public_html/:/path/to/other/folders/"
This will prevent PHP scripts from accessing files located outside of the defined folders.

Finally, here are some recommended settings for PHP. Go to “WHM > Service Configuration > PHP Configuration Editor” and select “Advanced Mode”. Configure the following parameters:

register_globals: Off
disable_functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
allow_url_fopen: Off
Click on “Save” when you’re done. The new settings won’t take effect until you restart Apache. Go to “WHM > Restart Services > HTTP Server (Apache)” to restart the service.
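
The settings above can be verified from the shell once they are saved. The script below is an added example, not part of the original post: it reads a php.ini, reports which functions from the list are missing from disable_functions, and treats allow_url_fopen as its own directive, because it is a php.ini setting rather than a function and has no effect when listed in disable_functions. The function names and the sample file are assumptions of this example.

```bash
#!/bin/sh
# Added example, not from the original post: audit a php.ini against tip 4.
REQUIRED="show_source system shell_exec passthru exec phpinfo popen proc_open"

# Value of a directive. The last uncommented assignment wins; ";" starts a comment.
ini_value() {  # usage: ini_value NAME PHP_INI
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*;.*$//; s/^"//; s/"$//' | tail -n 1
}

# disable_functions as ",a,b,c," so whole names can be matched between commas.
disabled_list() { printf ',%s,' "$(ini_value disable_functions "$1" | tr -d ' ')"; }

# Print each function from the post's list that disable_functions does not contain.
missing_functions() {  # usage: missing_functions PHP_INI
    have=$(disabled_list "$1")
    for f in $REQUIRED; do
        case $have in *",$f,"*) ;; *) echo "$f" ;; esac
    done
}

audit_php() {  # usage: audit_php PHP_INI; returns 1 if anything is flagged
    rc=0
    m=$(missing_functions "$1" | tr '\n' ' ')
    [ -z "$m" ] || { echo "FAIL: not in disable_functions: $m"; rc=1; }
    case $(disabled_list "$1") in
        *,allow_url_fopen,*) echo "WARN: allow_url_fopen is a directive, not a function"; rc=1 ;;
    esac
    case $(ini_value allow_url_fopen "$1" | tr 'A-Z' 'a-z') in
        off|0|false|no) ;;
        *) echo "FAIL: allow_url_fopen is not Off"; rc=1 ;;
    esac
    case $(ini_value register_globals "$1" | tr 'A-Z' 'a-z') in
        on|1|true|yes) echo "FAIL: register_globals is On"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample; on a server pass the php.ini that is actually loaded.
tmp=$(mktemp -d)
cat > "$tmp/php.ini" <<'EOF'
register_globals = Off   ; constructed sample values
disable_functions = show_source, system, shell_exec, passthru, phpinfo, popen, proc_open, allow_url_fopen
allow_url_fopen = On
EOF
audit_php "$tmp/php.ini" || echo "php.ini needs attention"
```

The sample deliberately omits exec while keeping shell_exec, which shows why names are matched whole between commas rather than by substring.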

5. Disabling Anonymous FTP Access

To prevent anonymous users from uploading files to your server, go to “WHM > Service Configuration > FTP Server Configuration” and set “Allow Anonymous Logins” and “Allow Anonymous Uploads” to “No”.

6. Increasing Required Password Strength

You can force your users to use more complex passwords by going to “WHM > Security Center > Password Strength Configuration”.

7. Enabling cPHulk

cPHulk protects your web servers from Brute Force Attacks by blocking suspect IP addresses for a predetermined period. To enable it, go to “WHM > Security Center > CPHulk Brute Force Protection” and click on “Enable”.

If you’re connecting from a static IP address, you can add it to cPHulk’s white list to avoid locking yourself out of your own server.

8. Installing ClamAV Antivirus

While Linux servers are not as prone to viruses as Windows-based servers, it is nonetheless a good practice to install an antivirus. Even if your web server is not infected, it could still host a virus intended to infect visitors to your website.

ClamAV is available for cPanel servers as a plugin. Here’s how to enable it:

Go to “WHM > cPanel > Manage Plugins”.
Select “Install and keep updated” next to ClamAV and click on “Save”.
Once the ClamAV plugin installation is complete, reload your WHM control panel so that the main menu is updated.
Click on “WHM > Plugins > Configure ClamAV Scanner” and select all four (4) options.
Click on “Save”.

9. Installing a Rootkit hunter

A “rootkit” is basically a malicious computer program that is running on your server in “stealth mode”. The rootkit allows the attacker to gain root access to your server without you noticing it.

In order to detect rootkits on a cPanel server, you will need to install a rootkit scanner such as the Rootkit Hunter:

Log on to your server through SSH as a regular user and then become root:
# su - root
Download the latest version of rkhunter from http://sourceforge.net/projects/rkhunter/files/latest/download?source=files:
# wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.0/rkhunter-1.4.0.tar.gz
Extract the content from the archive:
# tar xvzf rkhunter-1.4.0.tar.gz
Launch the installer:
# cd rkhunter-1.4.0
# ./installer.sh --install
Fill the file properties database:
# rkhunter --propupd
To scan for rootkits as root, run the following command:
# rkhunter --check

10. Installing a Firewall

This is perhaps the most critical part of hardening a cPanel server. One of the most popular firewalls for cPanel servers is ConfigServer Security and Firewall (CSF). CSF not only acts as a firewall by scanning various authentication log files, it also scans your entire system and gives you recommendations as to what you can do to increase security.

Installing CSF is quite easy:

rm -fv csf.tgz
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Once you’ve installed CSF, go to “WHM > Plugins > ConfigServer Security&Firewall” and click on “Check Server Security” to get a list of tips to secure your web server.

Don’t forget to open the new SSH port you’ve defined earlier otherwise CSF will block it. To do this, go to “WHM > Plugins > ConfigServer Security&Firewall > Firewall Configuration”. Find the parameter named “TCP_IN” and add the SSH port to the list.
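
The lockout described above can be caught before the SSH daemon is restarted. The script below is an added example, not part of the original post: it reads the ports from sshd_config, confirms each one is listed in CSF's TCP_IN, and also checks the PermitRootLogin change from tip 3. The function names, the sample files and the handling of lo:hi port ranges in TCP_IN are assumptions of this example.

```bash
#!/bin/sh
# Added example, not from the original post: cross-check tip 3 (sshd) with tip 10 (CSF).

# Every Port in the global section of sshd_config. Port may appear more than once,
# commented lines are skipped, and 22 applies when no Port line is set.
sshd_ports() {  # usage: sshd_ports SSHD_CONFIG
    awk '$1 ~ /^#/ { next }
         tolower($1) == "match" { exit }
         tolower($1) == "port"  { print $2; n++ }
         END { if (!n) print 22 }' "$1"
}

# First uncommented value of a keyword; sshd keeps the first value it reads.
sshd_value() {  # usage: sshd_value KEYWORD SSHD_CONFIG
    awk -v key="$1" '$1 ~ /^#/ { next }
         tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# True if PORT is in csf.conf TCP_IN, as a single port or inside a lo:hi range.
csf_allows_port() {  # usage: csf_allows_port PORT CSF_CONF
    list=$(sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$2")
    for entry in $(printf '%s' "$list" | tr ',' ' '); do
        case $entry in
            *:*) [ "$1" -ge "${entry%%:*}" ] && [ "$1" -le "${entry##*:}" ] && return 0 ;;
            *)   [ "$1" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

audit_ssh() {  # usage: audit_ssh SSHD_CONFIG CSF_CONF; returns 1 if anything is flagged
    rc=0
    for p in $(sshd_ports "$1"); do
        [ "$p" != 22 ] || { echo "WARN: sshd still listens on port 22"; rc=1; }
        csf_allows_port "$p" "$2" || { echo "FAIL: port $p not in TCP_IN, CSF will block it"; rc=1; }
    done
    [ "$(sshd_value PermitRootLogin "$1")" = no ] || { echo "FAIL: PermitRootLogin is not no"; rc=1; }
    return $rc
}

# Constructed sample files; on a server pass /etc/ssh/sshd_config and /etc/csf/csf.conf.
tmp=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 22200' '#PermitRootLogin yes' 'PermitRootLogin no' > "$tmp/sshd_config"
printf '%s\n' 'TCP_IN = "20,21,22,25,53,80,443,30000:35000"' > "$tmp/csf.conf"
audit_ssh "$tmp/sshd_config" "$tmp/csf.conf" || echo "fix the findings above before restarting sshd"
```

Keep the existing SSH session open until a second login on the new port has succeeded.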