
How to secure WHM/cPanel


This document lists several tips that you can use to make your cPanel & WHM server more secure.


So you have your new WHM/cPanel server set up and want to start hosting sites straight away, or maybe start a reseller hosting business.

First things first: let's get your server as secure as possible without affecting the end users or the websites you host.

Security and Virus Scans in WHM

WHM/cPanel comes with this built in, in the form of the ClamAV Scanner; however, we recommend removing it and installing CPGuard or BitNinja.

Learn how to install and configure CPGuard here.

Tweak Settings checklist

cPanel recommends the following settings for WHM’s Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings):

• Hide login password from cgi scripts — Enable this setting to allow you to hide the REMOTE_PASSWORD environment variable from scripts that the cpsrvd daemon’s CGI handler executes.

• Referrer safety check — Enable this setting to only permit cPanel, Webmail, and WHM to execute functions when the browser-provided referrer (port and domain or IP address) exactly matches the destination URL.

o This helps prevent XSRF attacks but may break integration with other systems, login applications, and billing software.

o You must use cookies if you enable this setting.

• Initial default/catch-all forwarder destination — Select the Fail setting to automatically discard un-routable email that your server’s new accounts receive. This setting helps to protect your server from mail attacks.

• Verify signatures of 3rdparty cPaddons — Enable this setting to verify GPG signatures of all third-party cPAddons. To use this setting, you must enable the Signature validation on assets downloaded from cPanel & WHM mirrors setting.

• Prevent “nobody” from sending mail — Enable this setting to block email that the nobody user sends to remote addresses.

• Add X-POPBeforeSMTP header for mail sent via POP-before-SMTP — Enable this setting to include a list of POP-before-SMTP senders in the X-POPBeforeSMTP header for outgoing email.

• Enable SPF on domains for newly created accounts — Enable this setting to deny spammers the ability to send email when they forge your domain’s name as the sender (spoofing).

• Service subdomain override — Disable this setting to prevent automatically-generated service domains when a user creates a cPanel, Webmail, Web Disk, or WHM subdomain.

• Service Subdomain Creation — Disable this setting to prevent the addition of cPanel, Webmail, Web Disk, and WHM service subdomain DNS entries to new accounts.

• Cookie IP validation — Select strict for full IP address validation of cookies.

Secure SSH

Use SSH on a different port. Many malicious users attempt to use port 22 to access servers. To modify the port on which SSH runs, edit the /etc/ssh/sshd_config file.

Then change the Port 22 line to a port of your choosing below 1024.

You can also set it to listen on a different IP address if you have multiple IP addresses on your server.

Do this by adding the following line below the Port line:

ListenAddress your.ip.here

You can also disable login by password with:

PasswordAuthentication no

Or disable it in the WHM GUI with the SSH Password Authorization Tweak interface.

Disable root login:

First create a sudo user: https://cpanelplesk.com/howto-create-sudo-user-in-cpanel/

Now change:

PermitRootLogin yes

to:

PermitRootLogin no

After any changes to this file run: /scripts/restartsrv_sshd

We recommend that you use a port number less than 1024 and one that another service does not already use.

• These ports are “privileged” ports, because only the root user can bind to them.

• Ports 1024 and above are “unprivileged” ports, and anyone can use them.
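
The SSH settings in this section can be checked mechanically. The following is an added example, not part of the original guide or of cPanel's tooling: a shell function (audit_sshd is a hypothetical name) that reads sshd_config-style text and reports whether Port, PasswordAuthentication and PermitRootLogin match the recommendations above. The sample config is constructed.

```shell
#!/bin/sh
# Added example: audit sshd settings against the recommendations in this guide.
# Reads sshd_config-style text on stdin; exit status 1 means at least one FAIL.
audit_sshd() {
    awk '
    function check(name, v) {                # both keywords should be "no"
        if (v != "no") fails++
        printf "%s %s %s\n", (v == "no" ? "OK" : "FAIL"), name, (v == "" ? "(unset)" : v)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    { sub(/=/, " "); key = tolower($1); val = tolower($2) }
    key == "match" { exit }                  # global settings end at the first Match block
    key == "port"  { ports[++n] = val }      # Port may appear more than once
    key == "passwordauthentication" && pa  == "" { pa  = val }   # first value wins
    key == "permitrootlogin"        && prl == "" { prl = val }
    END {
        if (n == 0) ports[++n] = 22          # sshd listens on 22 when Port is absent
        for (i = 1; i <= n; i++) {
            if (ports[i] + 0 == 22)        { fails++; print "FAIL Port 22 (default port)" }
            else if (ports[i] + 0 >= 1024) { fails++; print "FAIL Port " ports[i] " (unprivileged, 1024 or above)" }
            else                             print "OK Port " ports[i]
        }
        check("PasswordAuthentication", pa)
        check("PermitRootLogin", prl)
        exit (fails > 0)
    }'
}

# Constructed sample config, not taken from a real server.
audit_sshd <<'EOF' || echo "sshd_config needs attention"
Port 22
#Port 922
ListenAddress 192.0.2.10
PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PermitRootLogin no
EOF
```

Feed it the live file with audit_sshd < /etc/ssh/sshd_config, or the output of sshd -T to include defaults and included files. Run sshd -t to validate the file before /scripts/restartsrv_sshd, and keep your current session open until a login on the new port succeeds.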

Enable a Firewall

For a firewall, we recommend CSF.

Our Technical Support Analysts recommend that you use CSF (ConfigServer Firewall), a free product that ConfigServer provides. CSF contains a stateful packet inspection (SPI) firewall, a login and intrusion detection mechanism, and a general security application for Linux servers.

To install CSF, perform the following steps:

1. Log in to your server as the root user via SSH.

2. Run the cd /root command to change to the root directory.

3. Run the following command to download CSF:

wget https://download.configserver.com/csf.tgz

4. Run the tar -xzf csf.tgz command to decompress the downloaded file.

5. Run the cd csf command to change directories.

6. To begin the CSF installation, run the ./install.cpanel.sh command.

To configure CSF, use WHM’s ConfigServer Security & Firewall interface (WHM >> Home >> Plugins >> ConfigServer Security & Firewall). The installation script should enable the correct ports in CSF, but we recommend that you confirm this on your server.

After you configure CSF, you must disable testing mode. To take CSF out of testing mode, perform the following steps:

1. Click Firewall.

2. Change the value of Testing from 1 to 0.

3. Click Change.

For more information about how to use CSF, visit the CSF website.
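
To confirm the two points above (correct ports open, testing mode off), here is an added example that is not part of the original guide or of CSF: it reads a csf.conf and checks the TESTING and TCP_IN values against the port you moved SSH to. The function name csf_check and the sample file are constructed for illustration; /etc/csf/csf.conf as the location of the live file is an assumption not stated on this page.

```shell
#!/bin/sh
# Added example (not ConfigServer code): confirm CSF is out of testing mode
# and that TCP_IN admits the SSH port. Exit status 1 means at least one FAIL.
csf_check() {   # usage: csf_check <path to csf.conf> <ssh port>
    awk -v want="$2" '
    function allowed(port,    i, n, p, r, lo, hi) {   # TCP_IN entries are ports or lo:hi ranges
        n = split(conf["TCP_IN"], p, ",")
        for (i = 1; i <= n; i++) {
            lo = hi = p[i]
            if (split(p[i], r, ":") == 2) { lo = r[1]; hi = r[2] }
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) return 1
        }
        return 0
    }
    /^[ \t]*#/ { next }
    {
        line = $0; gsub(/[ \t"]/, "", line)           # TESTING = "1" becomes TESTING=1
        eq = index(line, "=")
        if (eq > 0) conf[substr(line, 1, eq - 1)] = substr(line, eq + 1)
    }
    END {
        if (conf["TESTING"] != "0") { bad = 1; print "FAIL TESTING is not 0, firewall is still in testing mode" }
        if (!allowed(want))         { bad = 1; print "FAIL TCP_IN does not allow SSH port " want }
        if (want + 0 != 22 && allowed(22)) print "WARN TCP_IN still allows port 22"
        if (!bad) print "OK testing mode off, SSH port " want " allowed"
        exit bad + 0
    }' "$1"
}

# Constructed csf.conf fragment, not taken from a real server.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,443,2083,2087,30000:35000"
EOF
csf_check "$sample" 922 || echo "CSF needs attention"
rm -f "$sample"
```

Run it as csf_check /etc/csf/csf.conf followed by your SSH port before you close the session you used to change the port.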

As an added extra, if CPGuard does not do this for you automatically, install chkrootkit.

Install chkrootkit

The chkrootkit shell script examines your system’s binaries for rootkit installations. Rootkits allow a malicious user to gain undetected administrative access to the server.

To install the chkrootkit script, perform the following steps:

1. Log in to your server as the root user via SSH.

2. Run the cd /root command to change to the root directory.

3. Run the following command to download chkrootkit:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz

4. Run the tar -xvzf chkrootkit.tar.gz command to decompress the downloaded file.

5. Run the cd chkrootkit-0.53 command to change directories.

6. To begin the chkrootkit installation, run the make sense command. The system will install the chkrootkit script on your server.

To run the chkrootkit script, run the following command:

/root/chkrootkit-0.53/chkrootkit

Note:

We strongly recommend that you run the chkrootkit script often and add a cron job that runs the above command.

For more information about the chkrootkit script, visit the chkrootkit website.

Author
Mark Grindey
Group CEO / MD

Mark Grindey is a dedicated professional with a strong passion for cloud computing and a mission to make it accessible to all. With over a decade's experience and a deep understanding of existing cloud technologies, Mark Grindey is constantly striving to improve and enhance these tools, ensuring that their benefits can be leveraged by businesses of all sizes.
