How to secure cpanel server

by · Last Updated: February 15, 2016

After installing cpanel in dedicated or vps server, you should make below security check’s on your server to avoid hacking/unwanted access.

Common Settings

Check the below common settings are ON/OFF properly on server.
Home » Server Configuration » Basic cPanel & WHM Setup

  • Basic cPanel & WHM Setup : (Contact Information) Update your email address to receive alerts from server.
  • Basic Config : Check the server shared IP address whether its correct or not.
  • Nameservers : Check once again your nameservers & its IP address are correct.

Home » Account Functions

  • Manage Shell Access : Set Disabled Shell to all users.
  • Manage Demo Mode : Don’t enable demo mode to any users.

Tweak Settings

Check the below Tweak settings are ON/OFF properly on server.
Home » Server Configuration » Tweak Settings

  • Always redirect to SSL : On (When ever if you open cpanel, whm & webmail it will be redirected to https)
  • Proxy subdomains : Off
  • Horde & RoundCube webmail : Off
  • Allow Remote Domains : Off
  • Require SSL : On
  • Prevent cPanel users from creating specific domains : Off (User’s can’t add or park common Internet domains, Like(gmail.com, yahoo.com,etc..)
  • Initial default/catch-all forwarder destination : Fail
  • BoxTrapper Spam Trap : Off
  • Allow cPanel users to reset their password via email : Off
  • Blank referrer safety check : On
  • Use cPanel jailshell by default : On
  • Email password reset : Off
  • Send passwords when creating a new account : Off
  • Blank referrer safety check : On
  • Referrer safety check : On

Apache Settings

Check the below Apache settings are ON/OFF properly on server.
Service Configuration » Apache Configuration » Global Configuration

  • SSL Cipher Suite : ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH PCI
  • Trace Enable : Off
  • Server Signature : Off
  • Server Tokens : ProductOnly
  • File ETag : None
  • Max Requests Per Child : 1000

PHP Settings

Check the below PHP settings are ON/OFF properly on server.
Home » Service Configuration

  • PHP 5 Handler : Should be “suphp”

You may edit your PHP configuration in Basic Mode or in Advanced Mode.

  • enable_dl = Off
  • register_globals = Off
  • disable_functions = “show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set”

Note :

You can make this changes from ssh itself @ /usr/local/lib/php.ini

Cpanel Security Center Settings

Check the below Security Center settings are ON/OFF properly on server.
Home » Security Center

  • Configure Security Policies : password strength more then 50
  • PHP open_basedir Tweak : Enable
  • Apache mod_userdir Tweak : Enable
  • Compiler Access : Enable
  • Manage Wheel Group Users : This group controls which users can use the system’s `su` utility.
  • Shell Fork Bomb Protection : Enable
  • cPHulk Brute Force Protection : Enable

FTP Settings

Check the below FTP settings are ON/OFF properly on server.
Home » Service Configuration » FTP Server Configuration

  • TLS Encryption Support : Disable ( While connecting ftp from FTP client use “Encryption = FTP over TLS”)
  • Allow Anonymous Logins : No
  • Allow Anonymous Uploads : No
  • Allow Logins with Root Password : No

Note :

I have strongly recommended to install free firewall such as CSF or APF for more protection. And finally restart the apache webserver.

Tags:

Magesh Maruthamuthu

Love to play with all Linux distribution

You may also like...