Secure & optimise a cPanel Server (2017)

Please note: this is not a complete guide and doesn’t guarantee anything. Use at your own risk! If you don’t know what you’re doing, consult with someone who does.

Use this guide to learn how to secure and optimise a Linux VPS/Dedicated Server for cPanel/WHM (2017).

Use The Latest Software

Always keep the OS, Apache, cPanel and 3rd party software up to date.

Go to Main >> cPanel >> Upgrade to Latest Version
Main >> Software >> EasyApache (Apache Update)

cPanel Tweak Settings

Require SSL = On
Allow Remote Domains = On
Allow unregistered domains = On
Hide login password from CGI scripts = On
Conserve memory = Off
Enable SPF on domains for newly created accounts = On
Initial default/catch-all forwarder destination from System account = Fail
Track email origin via X-Source email headers = On
Use pigz = On
Use cPanel® jailshell by default = Off
Critical load threshold = Autodetect
Prevent “nobody” from sending mail = On
cPanel PHP max POST size = 155
cPanel PHP max upload size = 100
Enable BoxTrapper spam trap = Off
cPanel PHP loader = Ioncube
Set timezone = “Europe/London”

Secure cPanel/WHM
These are items inside of cPanel/WHM that should be changed to secure your server.

Go to Main >> Server Configuration >> Tweak Settings

Under Domains
Prevent users from parking/adding on common internet domains (i.e. hotmail.com, aol.com). Make sure this is enabled.

Under Mail
Default catch-all/default address behaviour for new accounts. To reduce server load, set this to ‘fail’.
The maximum each domain can send out per hour (0 is unlimited). Set this to 200 for Shared, 500 for VPS, and 3600 for Dedicated.

Under System
Use jailshell as the default shell for all new accounts and modified accounts. Make sure this is enabled.

Go to Main >> Security Center >> Enable php open_basedir Protection.
Go to Main >> Security Center >> Enable mod_userdir Protection.
Go to Main >> Security Center >> Enable Shell Fork Bomb/Memory Protection.
Go to Main >> Security Center >> Disable Compilers for all accounts (except root).
Go to Main >> Security Center >> Enable cPHulk Brute Force Protection.
Go to Main >> Security Center >> Manage Wheel Group Users >> Remove all users from the wheel group (except for root and your main account).
Go to Main >> Security Center >> Run Quick Security Scan
Go to Main >> Security Center >> Scan for Trojan Horses often.
Go to Main >> Service Configuration >> FTP Configuration >> Disable Anonymous FTP
Go to Main >> Account Functions >> Manage Shell Access >> Disable Shell Access for all users (except for root and your main account)
Go to Main >> MySQL >> MySQL Root Password >> Change root password for MySQL (Make it different to your root password!)
Go to Main >> System Health >> Background Process Killer >> Check boxes for all of the services.
Go to Main >> Apache Configuration >> Global Configuration >> Set ServerSignature to Off
Go to Main >> Apache Configuration >> Global Configuration >> Set ServerTokens to ProductOnly

Set an SSH Legal Message
To set an SSH legal message, SSH into server and login as root.

At command prompt type:
nano /etc/motd

Enter your message, save and exit.
Note: I use the following message…

ALERT! You are entering a secured area! Your IP and login information have been recorded. System administration has been notified. This system is restricted to authorised access only. All activities on this system are recorded and logged. Unauthorised access will be thoroughly investigated and reported to the appropriate law enforcement agencies.

Hold Ctrl and press X, then Y, and then press Enter to exit.

PHP Configuration Settings

memory_limit = 512M
max_execution_time = 300
max_input_time = -1
upload_max_filesize = 100M
post_max_size = 100M
enable_dl = no
disable_functions = system, exec, shell_exec

EasyApache 4

Select profile “All PHP Options + OpCache”

SSHD Config

SSH into server and login as root.
Note: You can download PuTTY from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. It is a stand-alone application that does not require installation on Windows machines.

At command prompt type:
nano /etc/ssh/sshd_config

Scroll down to the section of the file that looks like this:
#Port 22
#Protocol 2, 1
#ListenAddress 0.0.0.0
#ListenAddress ::

Uncomment (Remove HASH ‘#’) and change
#Port 22
to look like
Port 5678 (choose your own 4 to 5 digit port number; 49151 is the highest port number)

Uncomment (Remove HASH ‘#’) and change
#Protocol 2, 1
to look like
Protocol 2

Uncomment (Remove HASH ‘#’) and change
#ListenAddress 0.0.0.0
to look like
ListenAddress 123.123.123.15 (use one of your own IP Addresses that has been assigned to your server)

Also uncomment and change the UseDNS line to look like
UseDNS no

Hit CTRL+X press y and then enter to save the file.

Now restart SSH
At command prompt type:

/etc/rc.d/init.d/sshd restart

Install ConfigServer Firewall ( http://www.configserver.com/cp/csf.html )

rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Initial Settings

Test Mode = 0
RESTRICT_SYSLOG = 2

IPv4 Port Settings

TCP_IN = 20,21,22,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:35000

General Settings

SYSLOG_CHECK = 300
FASTSTART = 1
LFDSTART = 1

SMTP Settings

SMTP_BLOCK = 1

Login Failure Blocking and Alerts

LF_EMAIL_ALERT = 0

Directory Watching & Integrity

LF_DIRWATCH = 0
LF_INTEGRITY = 0

Connection Tracking

CT_EMAIL_ALERT = 0

Process Tracking

PT_LIMIT = 0

Port Scan Tracking

PS_EMAIL_ALERT = 0

A note about FTP Connection Issues

It is important when using an SPI firewall to ensure FTP client applications are configured to use Passive (PASV) mode connections to the server.

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may not be available or fully functional. If this happens, FTP passive mode (PASV) won’t work. In such circumstances, you will have to open a port in your firewall and configure the FTP server to use that same port.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN, add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:

nano /etc/pure-ftpd.conf
PassivePortRange 30000 35000
service pure-ftpd restart
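The CSF settings listed above and the passive-FTP note are two halves of one consistency problem: csf only passes traffic on ports in TCP_IN, so the SSH port and the pure-ftpd passive range both have to appear there. The script below is an added example (not part of the original post and not ConfigServer's own tooling) that writes the listed values in csf.conf's KEY = "VALUE" format and then checks both conditions; the sample csf.conf and pure-ftpd.conf it uses are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of ConfigServer's own
# tooling. It writes the csf.conf values listed above using csf.conf's own
# KEY = "VALUE" line format, then cross-checks two things that commonly go
# wrong after a firewall is enabled: the SSH port must be in TCP_IN (or the
# next login is blocked), and pure-ftpd's PassivePortRange must lie inside
# a TCP_IN range (or passive FTP fails). Sample files are constructed.

# csf_set FILE KEY VALUE: drop any existing KEY line and append one.
csf_set() {
    file="$1"; key="$2"; value="$3"; tmp="$file.tmp.$$"
    {
        grep -Ev "^[[:space:]]*$key[[:space:]]*=" "$file" || true
        printf '%s = "%s"\n' "$key" "$value"
    } > "$tmp" && mv "$tmp" "$file"
}

# csf_get FILE KEY: print the value between the quotes (last match wins).
csf_get() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"([^\"]*)\".*/\1/p" "$1" | tail -n 1
}

# apply_csf_settings FILE: exactly the values from the list above.
apply_csf_settings() {
    f="$1"
    csf_set "$f" TESTING 0           # "Test Mode = 0" in the post
    csf_set "$f" RESTRICT_SYSLOG 2
    csf_set "$f" TCP_IN "20,21,22,28,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:35000"
    csf_set "$f" SYSLOG_CHECK 300
    csf_set "$f" FASTSTART 1
    csf_set "$f" LFDSTART 1
    csf_set "$f" SMTP_BLOCK 1
    csf_set "$f" LF_EMAIL_ALERT 0
    csf_set "$f" LF_DIRWATCH 0
    csf_set "$f" LF_INTEGRITY 0
    csf_set "$f" CT_EMAIL_ALERT 0
    csf_set "$f" PT_LIMIT 0
    csf_set "$f" PS_EMAIL_ALERT 0
}

# tcp_in_allows FILE PORT: 0 if PORT appears in TCP_IN as a single port or
# falls inside a LOW:HIGH range entry.
tcp_in_allows() {
    file="$1"; port="$2"; found=1
    old_ifs="$IFS"; IFS=','
    for entry in $(csf_get "$file" TCP_IN); do
        case "$entry" in
            *:*) lo="${entry%%:*}"; hi="${entry##*:}"
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then found=0; fi ;;
            *)   if [ "$port" -eq "$entry" ]; then found=0; fi ;;
        esac
    done
    IFS="$old_ifs"
    return "$found"
}

# passive_range_allowed CSF_FILE FTPD_FILE: 0 if both ends of pure-ftpd's
# "PassivePortRange LOW HIGH" line are allowed by TCP_IN.
passive_range_allowed() {
    range=$(sed -n -E 's/^[[:space:]]*PassivePortRange[[:space:]]+([0-9]+)[[:space:]]+([0-9]+).*/\1 \2/p' "$2" | tail -n 1)
    [ -n "$range" ] || return 1
    tcp_in_allows "$1" "${range% *}" && tcp_in_allows "$1" "${range#* }"
}

# Constructed samples standing in for /etc/csf/csf.conf and /etc/pure-ftpd.conf.
sample_csf_conf()       { printf 'TESTING = "1"\nTCP_IN = "20,21,22"\n' > "$1"; }
sample_pure_ftpd_conf() { printf '# constructed\nPassivePortRange 30000 35000\n' > "$1"; }

# Run with --demo to exercise the checks against the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    c=$(mktemp); p=$(mktemp)
    sample_csf_conf "$c"; sample_pure_ftpd_conf "$p"; apply_csf_settings "$c"
    tcp_in_allows "$c" 22 && echo "SSH port 22 is in TCP_IN"
    tcp_in_allows "$c" 5678 || echo "port 5678 is NOT in TCP_IN: add it before running 'csf -r'"
    passive_range_allowed "$c" "$p" && echo "pure-ftpd passive range is allowed"
    rm -f "$c" "$p"
fi
```

On a live server, point the functions at /etc/csf/csf.conf and /etc/pure-ftpd.conf, run the two checks with the SSH port you actually use, and only then reload the rules with csf -r.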

Disable Telnet

To disable telnet, SSH into server and login as root.

At command prompt type: nano -w /etc/xinetd.d/telnet

change disable = no to disable = yes

Hit CTRL+X press y and then enter to save the file.

At command prompt type:

/etc/init.d/xinetd restart

and then type:

/etc/init.d/xinetd stop

Also, add the following line to /etc/hosts.deny to flag Telnet access attempts as ‘emergency’ messages.

in.telnetd : ALL : severity emerg

Author: Christopher Smith

I managed websites.
