Securing a cPanel server involves a multi-layered approach that includes securing the operating system, cPanel/WHM itself, the web server, databases, and other services. Here are comprehensive steps to enhance the security of your cPanel server:
1. Secure the Operating System
- Update the OS and Software: Regularly update the operating system and all installed software packages to their latest stable versions.
Code:
yum update -y                      # For CentOS/RHEL
apt update && apt upgrade -y       # For Debian/Ubuntu
- Disable Unnecessary Services: Turn off services that are not required to reduce the attack surface.
Code:
systemctl disable service_name
systemctl stop service_name
- Configure a Firewall: Use iptables, firewalld, or CSF (ConfigServer Security & Firewall) to manage inbound and outbound traffic.
Code:
yum install firewalld
systemctl start firewalld
systemctl enable firewalld
- Install Fail2Ban: Protect your server from brute force attacks.
Code:
yum install fail2ban
systemctl start fail2ban
systemctl enable fail2ban
2. Secure SSH
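- Change Default SSH Port: Change the SSH port from the default (22) to something less common.
Code:
# Allow the new port in the firewall before restarting sshd, or the session will be locked out
sed -i -E 's/^#?Port[[:space:]]+22$/Port 2222/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd   # restart only if the config parses
- Disable Root Login: Disable direct root login and use a regular user with sudo privileges.
Code:
# Matches the line whether it is commented out or set to another value
sed -i -E 's/^#?PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd
- Use SSH Key Authentication: Disable password authentication and use SSH keys instead.
Code:
# Matches the line whether it is commented out or set to another value
sed -i -E 's/^#?PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
sshd -t && systemctl restart sshd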
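An added check for the SSH steps above (example code, not part of the original post): a sed edit changes nothing when the target line is commented out or duplicated, so this script reports the value sshd would take from a config file. The function names and the sample config are constructed for illustration, and the parser does not follow Include directives or "keyword=value" syntax; on a live server, `sshd -T` prints the full effective configuration.

```shell
#!/usr/bin/env bash
# Added example: report the value sshd will use for a keyword in a config file.
# sshd keeps the FIRST occurrence of each keyword; commented lines do not count.

# effective_sshd_value FILE KEYWORD -> first global value, or "(default)"
effective_sshd_value() {
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/         { next }                  # comments and blank lines
    tolower($1) == "match" { exit }                  # global section ends here
    tolower($1) == want    { print $2; found = 1; exit }
    END                    { if (!found) print "(default)" }
  ' "$1"
}

# audit_sshd FILE -> one line per finding; exit status = number of findings
audit_sshd() {
  local file="$1" findings=0 key v
  for key in PermitRootLogin PasswordAuthentication; do
    v=$(effective_sshd_value "$file" "$key")
    if [ "$v" != "no" ]; then
      echo "$key is '$v', expected 'no'"
      findings=$((findings + 1))
    fi
  done
  v=$(effective_sshd_value "$file" Port)
  if [ "$v" = "22" ] || [ "$v" = "(default)" ]; then
    echo "Port is '$v', expected a non-default port"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample: the root-login line is still commented and a second
# PasswordAuthentication line was appended below the first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
#PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
audit_sshd "$sample" || echo "$? finding(s)"
rm -f "$sample"
```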
3. Secure cPanel/WHM
- Enable Two-Factor Authentication (2FA): For additional security.
  - Navigate to WHM > Security Center > Two-Factor Authentication.
- Restrict cPanel Access: Limit access to WHM and cPanel ports by IP.
  - Navigate to WHM > Security Center > Host Access Control.
- Configure cPHulk Brute Force Protection: Enable and configure to protect against brute force attacks.
  - Navigate to WHM > Security Center > cPHulk Brute Force Protection.
- Secure WHM Access: Use SSL/TLS for WHM, cPanel, and Webmail.
  - Navigate to WHM > SSL/TLS > Manage SSL Hosts and ensure you have an SSL certificate installed for your hostname.
4. Secure Apache and PHP
- Disable Unnecessary Apache Modules: Remove modules that are not required.
Code:
apachectl -M   # List all loaded modules
- Secure PHP Configuration: Edit php.ini to secure PHP.
Code:
# EasyApache PHP 8.1 php.ini
sed -i 's/expose_php = On/expose_php = Off/' /opt/cpanel/ea-php81/root/etc/php.ini
# Replace the whole line so an existing list is overwritten, not prefixed
sed -i 's/^disable_functions =.*/disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source/' /opt/cpanel/ea-php81/root/etc/php.ini
Code:
# System-wide php.ini
sed -i 's/expose_php = On/expose_php = Off/' /etc/php.ini
sed -i 's/^disable_functions =.*/disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source/' /etc/php.ini
5. Secure MySQL/MariaDB
- Run MySQL Secure Installation: Secure the MySQL installation.
Code:
mysql_secure_installation
- Disable Remote Root Login: Edit the MySQL configuration to disable remote root logins.
Code:
UPDATE mysql.user SET Host='localhost' WHERE User='root';
FLUSH PRIVILEGES;
6. Use ModSecurity
- Install and Configure ModSecurity: Add an extra layer of security for Apache.
  - Navigate to WHM > Security Center > ModSecurity™ Vendors and enable the OWASP ModSecurity Core Rule Set.
7. Regular Backups
- Automate Backups: Set up automatic backups to secure locations.
  - Navigate to WHM > Backup > Backup Configuration.
8. Monitor and Audit
- Install and Configure Logwatch: For daily reports on log activity.
Code:
yum install logwatch
# admin@example.com is a placeholder; use your own address
logwatch --output mail --mailto admin@example.com --detail high
- Enable Process Resource Monitor (PRM): Monitor processes for suspicious activity.
Code:
yum install prm
systemctl start prm
systemctl enable prm
- Regular Security Audits: Regularly audit the server and update configurations as needed.
9. Additional Security Tools
- Install ClamAV: For antivirus scanning.
Code:
yum install clamav
freshclam            # Update virus definitions
clamscan -r /home    # Recursively scan /home
- RKHunter and CHKRootKit: To check for rootkits.
Code:
yum install rkhunter
rkhunter --check
- Lynis: A comprehensive security auditing tool.
Code:
wget https://downloads.cisofy.com/lynis/lynis-3.0.7.tar.gz
tar xfz lynis-3.0.7.tar.gz
cd lynis
./lynis audit system
Install and Configure CXS (ConfigServer eXploit Scanner)
- Install CXS:
  - Follow the CXS installation guide for setup.
- Configure CXS Scanning:
  - Set up scanning options in /etc/cxs/cxs.conf to detect and manage exploits.
  - Regularly scan for malware and unauthorized files.
- Enable File Integrity Monitoring:
  - Use CXS to monitor file changes and alert on suspicious activities.
Conclusion
Securing a cPanel server is an ongoing process. Regularly update software, monitor logs, and review security policies to adapt to new threats. By following these steps, you can significantly enhance the security of your cPanel server.