How to secure a cPanel server

After installing cPanel on a dedicated or VPS server, make the following security checks to reduce the risk of unauthorized access.

Common Settings

Check that the common settings below are set correctly on the server.
Home » Server Configuration » Basic cPanel & WHM Setup

  • Basic cPanel & WHM Setup : (Contact Information) Update your email address so that you receive alerts from the server.
  • Basic Config : Check that the server's shared IP address is correct.
  • Nameservers : Check once again that your nameservers and their IP addresses are correct.

Home » Account Functions

  • Manage Shell Access : Set Disabled Shell for all users.
  • Manage Demo Mode : Don’t enable demo mode for any user.

Tweak Settings

Check that the Tweak Settings below are set correctly on the server.
Home » Server Configuration » Tweak Settings

  • Always redirect to SSL : On (whenever you open cPanel, WHM or webmail, you will be redirected to https)
  • Proxy subdomains : Off
  • Horde & RoundCube webmail : Off
  • Allow Remote Domains : Off
  • Require SSL : On
  • Prevent cPanel users from creating specific domains : Off (users cannot add or park common Internet domains such as gmail.com, yahoo.com, etc.)
  • Initial default/catch-all forwarder destination : Fail
  • BoxTrapper Spam Trap : Off
  • Allow cPanel users to reset their password via email : Off
  • Blank referrer safety check : On
  • Use cPanel jailshell by default : On
  • Email password reset : Off
  • Send passwords when creating a new account : Off
  • Referrer safety check : On

Apache Settings

Check that the Apache settings below are set correctly on the server.
Service Configuration » Apache Configuration » Global Configuration

  • SSL Cipher Suite : ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH PCI
  • Trace Enable : Off
  • Server Signature : Off
  • Server Tokens : ProductOnly
  • File ETag : None
  • Max Requests Per Child : 1000

PHP Settings

Check that the PHP settings below are set correctly on the server.
Home » Service Configuration

  • PHP 5 Handler : Should be “suphp”

You may edit your PHP configuration in Basic Mode or in Advanced Mode.

  • enable_dl = Off
  • register_globals = Off
  • disable_functions = “show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen, ini_set”

Note :

You can also make these changes over SSH by editing /usr/local/lib/php.ini
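As an added example (not cPanel's own tooling and not part of the original post), the script below audits a php.ini and an Apache configuration file against the Apache and PHP values listed above, so the settings can be verified from SSH as well as from WHM. One caveat it reflects: allow_url_fopen is a php.ini directive, not a function, so listing it in disable_functions has no effect; the script checks it as its own key instead. The sample php.ini and httpd.conf are constructed for the demonstration; on a real server point the functions at /usr/local/lib/php.ini (the path the post names) and at your Apache configuration file, whose location is an assumption here.

```shell
#!/bin/sh
# Added example, not cPanel's own tooling: audit a php.ini and an Apache
# configuration file against the values recommended in this post.
# Both sample files below are constructed for the demonstration; on a real
# server use /usr/local/lib/php.ini (the path the post names) and your
# Apache configuration file (its location is an assumption).

# Effective value of KEY in an ini FILE: the last uncommented assignment wins,
# which is how PHP resolves duplicate keys. Surrounding quotes are stripped.
ini_value() {   # FILE KEY
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# Argument of the last uncommented occurrence of DIRECTIVE in an Apache FILE.
directive_value() {   # FILE DIRECTIVE
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
        | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//; s/[[:space:]]*$//'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print OK/FAIL for one LABEL whose ACTUAL value should equal EXPECTED
# (case-insensitive, as PHP and Apache themselves treat On/Off).
report() {   # LABEL ACTUAL EXPECTED
    if [ "$(lower "$2")" = "$(lower "$3")" ]; then
        echo "OK   $1 = $2"
    else
        echo "FAIL $1 = '${2:-<unset>}' (expected $3)"
    fi
}

# Functions from the post's disable_functions list. allow_url_fopen is an
# ini directive rather than a function, so it is checked as its own key.
REQUIRED_DISABLED="show_source system shell_exec passthru exec phpinfo popen proc_open ini_set"

# Print the names from REQUIRED_DISABLED that disable_functions in FILE omits.
missing_disabled_functions() {   # FILE
    disabled=",$(ini_value "$1" disable_functions | tr -d ' '),"
    for fn in $REQUIRED_DISABLED; do
        case "$disabled" in *",$fn,"*) ;; *) echo "$fn" ;; esac
    done
}

# php.ini audit: one line per check.
audit_php() {   # FILE
    report enable_dl "$(ini_value "$1" enable_dl)" Off
    report register_globals "$(ini_value "$1" register_globals)" Off
    report allow_url_fopen "$(ini_value "$1" allow_url_fopen)" Off
    for fn in $(missing_disabled_functions "$1"); do
        echo "FAIL disable_functions does not list $fn"
    done
}

# Apache audit using the Global Configuration values from the post.
audit_apache() {   # FILE
    report TraceEnable "$(directive_value "$1" TraceEnable)" Off
    report ServerSignature "$(directive_value "$1" ServerSignature)" Off
    report ServerTokens "$(directive_value "$1" ServerTokens)" ProductOnly
    report FileETag "$(directive_value "$1" FileETag)" None
    report MaxRequestsPerChild "$(directive_value "$1" MaxRequestsPerChild)" 1000
}

# Number of FAIL lines an audit function produced for FILE.
fail_count() {   # AUDIT_FUNCTION FILE
    "$1" "$2" | grep -c '^FAIL' || true
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed php.ini: register_globals and allow_url_fopen still On,
# and ini_set missing from disable_functions.
cat > "$WORK/php.ini" <<'EOF'
[PHP]
; commented lines must be ignored
enable_dl = Off
register_globals = On
allow_url_fopen = On
disable_functions = "show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open"
EOF

# Constructed Apache excerpt: TRACE still enabled, the rest hardened.
cat > "$WORK/httpd.conf" <<'EOF'
# Global configuration excerpt
ServerTokens ProductOnly
ServerSignature Off
TraceEnable On
FileETag None
MaxRequestsPerChild 1000
EOF

audit_php "$WORK/php.ini"
audit_apache "$WORK/httpd.conf"
```

Running the script on the constructed files reports three PHP failures (register_globals, allow_url_fopen, the missing ini_set) and one Apache failure (TraceEnable); replace the two sample paths with the real files to audit a server after editing them over SSH.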

Cpanel Security Center Settings

Check that the Security Center settings below are set correctly on the server.
Home » Security Center

  • Configure Security Policies : password strength more than 50
  • PHP open_basedir Tweak : Enable
  • Apache mod_userdir Tweak : Enable
  • Compiler Access : Enable
  • Manage Wheel Group Users : This group controls which users can use the system’s `su` utility.
  • Shell Fork Bomb Protection : Enable
  • cPHulk Brute Force Protection : Enable

FTP Settings

Check that the FTP settings below are set correctly on the server.
Home » Service Configuration » FTP Server Configuration

  • TLS Encryption Support : Disable (when connecting from an FTP client, use “Encryption = FTP over TLS”)
  • Allow Anonymous Logins : No
  • Allow Anonymous Uploads : No
  • Allow Logins with Root Password : No

Note :

I strongly recommend installing a free firewall such as CSF or APF for additional protection. Finally, restart the Apache web server.

Magesh Maruthamuthu

Love to play with all Linux distributions
