How to secure cpanel server
After installing cPanel on a dedicated or VPS server, run through the security checks below to reduce the risk of compromise or unwanted access.
Common Settings
Check that the common settings below are set correctly (ON/OFF) on the server.
Home » Server Configuration » Basic cPanel & WHM Setup
- Basic cPanel & WHM Setup : (Contact Information) Update your email address so that you receive alerts from the server.
- Basic Config : Check whether the server's shared IP address is correct.
- Nameservers : Check once more that your nameservers and their IP addresses are correct.
Home » Account Functions
- Manage Shell Access : Set Disabled Shell for all users.
- Manage Demo Mode : Don't enable demo mode for any user.
Tweak Settings
Check that the Tweak Settings below are set correctly (ON/OFF) on the server.
Home » Server Configuration » Tweak Settings
- Always redirect to SSL : On (whenever you open cPanel, WHM or webmail, you are redirected to https)
- Proxy subdomains : Off
- Horde & RoundCube webmail : Off
- Allow Remote Domains : Off
- Require SSL : On
- Prevent cPanel users from creating specific domains : Off (users can't add or park common Internet domains such as gmail.com, yahoo.com, etc.)
- Initial default/catch-all forwarder destination : Fail
- BoxTrapper Spam Trap : Off
- Allow cPanel users to reset their password via email : Off
- Blank referrer safety check : On
- Use cPanel jailshell by default : On
- Email password reset : Off
- Send passwords when creating a new account : Off
- Referrer safety check : On
Apache Settings
Check that the Apache settings below are set correctly (ON/OFF) on the server.
Service Configuration » Apache Configuration » Global Configuration
- SSL Cipher Suite : ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH (PCI)
- Trace Enable : Off
- Server Signature : Off
- Server Tokens : ProductOnly
- File ETag : None
- Max Requests Per Child : 1000
PHP Settings
Check that the PHP settings below are set correctly (ON/OFF) on the server.
Home » Service Configuration
- PHP 5 Handler : Should be “suphp”
You may edit your PHP configuration in Basic Mode or in Advanced Mode.
- enable_dl = Off
- register_globals = Off
- disable_functions = "show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ini_set"
- allow_url_fopen = Off (this is an ini directive rather than a function, so it has no effect inside disable_functions and must be set on its own line)
Note :
You can also make these changes over SSH by editing /usr/local/lib/php.ini directly.
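As an added check (not from the original post), the following POSIX shell script audits a php.ini file for the directives listed above, treating the last uncommented assignment as the effective value the way PHP does. The php.ini it reads is a constructed sample; on a real server you would pass /usr/local/lib/php.ini instead.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. It reads a php.ini-style
# file and reports whether the hardening directives listed above hold. The
# sample file is constructed here; on a real server use /usr/local/lib/php.ini.

# Print the effective value of KEY in FILE (last uncommented assignment wins,
# as in PHP), with surrounding quotes and whitespace stripped.
ini_value() {
    grep -Ei "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr -d '"'
}

# Usage: check_ini FILE KEY EXPECTED  -> prints OK/FAIL, exit status 0/1.
# Comparison is case-insensitive, so "off", "Off" and "OFF" all match.
check_ini() {
    actual=$(ini_value "$1" "$2")
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = \
         "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "OK   $2 = $actual"; return 0
    fi
    echo "FAIL $2 = ${actual:-<unset>} (expected $3)"; return 1
}

# Usage: check_disabled FILE FUNC...  -> fails if any FUNC is missing from
# disable_functions. Spacing and order inside the list are ignored.
check_disabled() {
    file=$1; shift
    list=$(ini_value "$file" disable_functions | tr -d ' ')
    rc=0
    for fn in "$@"; do
        case ",$list," in
            *",$fn,"*) echo "OK   $fn is disabled" ;;
            *) echo "FAIL $fn is not in disable_functions"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: everything hardened except enable_dl, left On on purpose.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
enable_dl = On
register_globals = Off
allow_url_fopen = Off
disable_functions = "show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ini_set"
EOF
for key in enable_dl register_globals allow_url_fopen; do
    check_ini "$SAMPLE_INI" "$key" Off || true
done
check_disabled "$SAMPLE_INI" system shell_exec exec passthru popen proc_open || true
```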
Cpanel Security Center Settings
Check that the Security Center settings below are set correctly (ON/OFF) on the server.
Home » Security Center
- Configure Security Policies : Set the minimum password strength to more than 50.
- PHP open_basedir Tweak : Enable
- Apache mod_userdir Tweak : Enable
- Compiler Access : Enable
- Manage Wheel Group Users : This group controls which users can use the system’s `su` utility.
- Shell Fork Bomb Protection : Enable
- cPHulk Brute Force Protection : Enable
FTP Settings
Check that the FTP settings below are set correctly (ON/OFF) on the server.
Home » Service Configuration » FTP Server Configuration
- TLS Encryption Support : Disable (when connecting from an FTP client, use "Encryption = FTP over TLS")
- Allow Anonymous Logins : No
- Allow Anonymous Uploads : No
- Allow Logins with Root Password : No
Note :
I strongly recommend installing a free firewall such as CSF or APF for additional protection. Finally, restart the Apache web server.