To prevent a compromised cPanel account from affecting other websites or the entire server, especially on a CloudLinux server, there are several security measures you can implement:
1. CloudLinux Features
CloudLinux provides several tools and features designed to enhance the security and stability of shared hosting environments:
1.1 CageFS
CageFS is a virtualized per-user file system that encapsulates each user in their own 'cage', preventing users from seeing each other and viewing sensitive information on the server.
- Install and Enable CageFS:
Code:
sudo yum install cagefs
sudo /usr/sbin/cagefsctl --init
sudo /usr/sbin/cagefsctl --enable-all
1.2 LVE (Lightweight Virtual Environment)
LVE limits the amount of resources (CPU, memory, IO) each user can consume. This ensures that a single user cannot bring down the server by consuming too many resources.
- Install and Configure LVE:
Code:sudo yum install lvemanager lve-utils
Configure LVE limits through WHM or via command line.
1.3 SecureLinks
SecureLinks is a CloudLinux kernel module that prevents symbolic link attacks by ensuring that a user can only create and follow symlinks within their own directories.
- Enable SecureLinks:
Open the sysctl configuration file:
Code:sudo nano /etc/sysctl.conf
Add the following line:
Code:fs.enforce_symlinksifowner = 1
Then reload the sysctl configuration:
Code:sudo sysctl -p
2. Additional Security Measures
2.1 Disable Dangerous PHP Functions
Modify the php.ini file to disable dangerous PHP functions that can be exploited.
- Edit php.ini:
Code:sudo nano /opt/cpanel/ea-php81/root/etc/php.ini
Set the disable_functions directive:
Code:disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Restart Apache to apply changes:
Code:sudo systemctl restart httpd
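The edit above touches only the ea-php81 php.ini, so any other installed PHP version keeps its old setting. The following check is an added example, not part of the original post: it reports which functions from the list above are still enabled in each php.ini passed to it. The function names `missing_disabled` and `audit_all` are hypothetical, and the `ea-php*` glob in the usage comment assumes other EasyApache PHP versions follow the same path pattern as ea-php81.

```bash
#!/bin/bash
# Added example: verify disable_functions in one or more php.ini files.
# Usage (assumed path pattern, generalized from the ea-php81 path above):
#   ./check_disable_functions.sh /opt/cpanel/ea-php*/root/etc/php.ini

# The function list from section 2.1 of this page.
REQUIRED="exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source"

# missing_disabled FILE
# Prints the required functions that FILE does not disable (empty if none).
missing_disabled() {
    ini="$1"
    # Ignore ';' commented lines; if the directive is repeated, use the last one.
    # Strip inline comments, quotes and whitespace from the value.
    current=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" 2>/dev/null \
        | tail -n 1 | cut -d= -f2- | cut -d';' -f1 | tr -d ' \t"\r')
    missing=""
    for fn in $REQUIRED; do
        # Wrap in commas so "exec" does not match inside "shell_exec".
        case ",$current," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    echo "${missing# }"
}

# audit_all FILE...
# Prints one OK/WEAK line per existing file; returns 1 if any file is weak.
audit_all() {
    rc=0
    for ini in "$@"; do
        [ -f "$ini" ] || continue
        m=$(missing_disabled "$ini")
        if [ -n "$m" ]; then
            echo "WEAK  $ini: not disabled: $m"
            rc=1
        else
            echo "OK    $ini"
        fi
    done
    return $rc
}

# Run the audit only when file arguments are given.
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

The non-zero exit status on a weak file makes the script usable from cron or a configuration-management check.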
2.2 Harden cPanel Accounts
Ensure each cPanel account is isolated and limited in terms of permissions and capabilities.
- Harden Permissions:
Ensure the file and directory permissions are set correctly. Directories should generally be 755 and files 644.
Code:
sudo find /home/user/public_html -type d -exec chmod 755 {} \;
sudo find /home/user/public_html -type f -exec chmod 644 {} \;
- Disable Shell Access:
Ensure that shell access is disabled for cPanel users unless absolutely necessary.
- WHM: Home » Account Functions » Manage Shell Access
2.3 Install ModSecurity
ModSecurity is a web application firewall that can protect your websites from various types of attacks.
- Install ModSecurity:
Code:sudo yum install ea-apache24-mod_security2
Configure ModSecurity through WHM or by editing the configuration files.
3. Monitor and Respond to Security Incidents
3.1 Install and Configure CSF (ConfigServer Security & Firewall)
CSF is a popular firewall for cPanel servers that also provides intrusion detection and security auditing.
- Install CSF:
Code:
sudo yum install csf
sudo csf -r
- Configure CSF:
Edit the CSF configuration file to suit your needs:
Code:sudo nano /etc/csf/csf.conf
Enable CSF and LFD:
Code:
sudo systemctl enable csf
sudo systemctl enable lfd
sudo systemctl start csf
sudo systemctl start lfd
3.2 Regular Security Audits
Perform regular security audits of your server to identify and mitigate vulnerabilities.
- Check for Malware:
Use tools like ClamAV or Maldet to scan for malware.
Code:
sudo yum install clamav
sudo freshclam
sudo clamscan -r /home
4. Update and Patch Regularly
Ensure that your server, cPanel, CloudLinux, and all installed software are regularly updated and patched to protect against known vulnerabilities.
- Update System:
Code:sudo yum update -y