Child pages
  • Tips to Make Your Server More Secure
Skip to end of metadata
Go to start of metadata

Overview

This document lists several tips that you can use to make your cPanel & WHM server more secure.    

Warning:

Exercise caution when you follow these tips. cPanel, Inc. takes no responsibility for modifications to individual servers or the security practices of individual servers. Server security is a collection of compromises, which means that any server that allows connections could be insecure.

Use secure passwords

Insecure passwords are the most common security vulnerability. If a hacker compromises an account password, they can use it to deface or infect client sites, or used them to spread viruses. Secure passwords are of paramount importance if you wish to maintain a secure server.

Edit the /etc/login.defs file to configure many password options on your system. 

Generally, a secure password utilizes at least eight characters, which includes alphanumeric and grammatical symbols. Never use passwords that include dictionary words or significant dates. 

If you are uncertain about a password's security, test it with JTR cracker. You can also install tools like pam_passwdqc to check the strength of passwords.

Secure SSH

Move SSH access to a different port to deter anyone without specific knowledge of your server from easy discovery of your SSH port. Many visitors search for port 22 as a possible way to access servers. To modify the port on which SSH runs, edit the /etc/ssh/sshd_config file.

We recommend that you use a port number that is less than 1024 and that another service does not already use.

  • These ports are "privileged" ports, because only the root user can bind to them. 
  • Ports 1024 and above are "unprivileged" ports, and anyone can use them.

Warning:

Always use SSHv2 only. SSHv1 is not secure. You must change the #Protocol 2,1 line in the /etc/ssh/sshd_config file to Protocol 2

You may also wish to configure shell resource limits for you users. These limits ensure that applications and scripts cannot use all of your server's resources and take down your server. You can configure shell resource limits in the /etc/security/limits.conf file on most Linux systems.

Secure Apache

The most readily-available way to access a web server is the web server application. You must secure your Apache installation.

One of the best tools that you can use to prevent malicious Apache use is ModSecurity™. 

  • In cPanel & WHM version 11.44 and earlier, you can install ModSecurity in WHM's ModSecurity interface (WHM >> Home >> Plugins >> ModSecurity). For more information, visit the ModSecurity website.
  • In cPanel & WHM version 11.46 and later, you can use the following interfaces to manage ModSecurity:

When you compile Apache, include suEXEC to ensure that CGI applications and scripts run as the user that owns and executes them. This identifies the location of malicious scripts, and who executed them. It also enforces permission and environment controls.

We strongly recommend that you compile Apache and PHP with suPHP. suPHP forces all PHP scripts to run as the user who owns the script. This allows you to identify the owner of all PHP scripts that run on your server, and find the location of malicious scripts. To compile Apache and PHP with suPHP, select the suPHP option in WHM's EasyApache interface (WHM >> Home >> Software >> EasyApache (Apache Update)) or run the /scripts/easyapache script from the command line.

Finally, we recommend that you implement symlink race condition protection on your server through EasyApache. For more information about the symlink race condition vulnerability and how to protect against it, read our Symlink Race Condition Protection documentation.

Harden your system

We recommend that you take steps to harden your system to increase its security. Click the links below to access the security guides of supported Linux distributions on which you can install cPanel & WHM:

Harden your /tmp partition

We recommend that you use a separate /tmp partition that you mount with the nosuid option. This option forces a process to run with the privileges of its executor. You may also wish to mount the /tmp directory with noexec after you install cPanel & WHM.

Run the /scripts/securetmp script to mount your /tmp partition to a temporary file for extra security.

Important:

If you do not wish for your server to run the /scripts/securetmp script, create the /var/cpanel/version/securetmp_disabled file. To do this, run the following command:

touch /var/cpanel/version/securetmp_disabled

This file ensures that the script cannot run on your server. However, we strongly recommend that you do not disable the /scripts/securetmp script. 

Restrict your system’s compilers

Most users do not require the use of C and C++ compilers. We strongly recommend that you disable compilers for all users who are not in the compilers group in the /etc/group file. Many pre-packaged exploits require functional compilers.

  • To disable compilers from the WHM interface, use WHM's Compiler Access interface (WHM >> Home >> Security Center >> Compiler Access).
  • To disable compilers from the command line, run the following command as the root user:

    /scripts/compilers off

Disable unused services and daemons

Any service or daemon that allows connections to your server may also allow hackers to gain access. To reduce security risks, disable all services and daemons that you do not use.

Disable any services that are not in use in WHM's Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager).

Monitor your system

Make certain that you know when a user creates an account accounts are created Also make certain that you know what software runs on the server, when software requires updates, and other similar information about your server.

Run the following commands frequently to to ensure that your system functions in the way that you expect:

  • netstat -anp — Check for programs on ports that you did not install or authorize.
  • find / \( -type f -o -type d \) -perm /o+w 2>/dev/null | egrep -v '/(proc|sys)' > world_writable.txt — Check the world_writable.txt file for all of the world writable files and directories. This command reveals locations where an attacker can store files on your system. 

    Note:

    If you fix permissions on some improperly-written PHP and CGI scripts, the script or website may no longer function.

  • find / -nouser -o -nogroup >> no_owner.txt — Check the no_owner file for all files that do not have a user or group associated with them. A specific user or group should own all files, to restrict access to them.
  • ls /var/log/ — Many of the different logs on your system can be valuable resources. Check your system logs, Apache logs, mail logs, and other logs frequently to ensure that your system functions as expected.

There are many readily-available utilities to monitor your system and to detect rootkits, backdoors, or other vulnerabilities.

For example, you could install one of the following commonly-available utilities:

  • Tripwire – Monitors checksums of files and reports changes.
  • chkrookit – Scans for common vulnerabilities.
  • Rkhunter – Scans for common vulnerabilities.
  • Logwatch – Monitors and reports on daily system activity.

Additionally, we recommend that you allow a technical security professional to perform regular configuration checks of your system.

Enable a firewall

You can install a firewall to limit access to your server, or remove all unused software on your system. Before you remove all unused services and daemons, or ascertain which services and daemons are unused, you can enable a firewall to prevent unwanted access. For more information on the ports that cPanel & WHM need to have open to function properly, read our WHM FAQ documentation.

These ports are for all services that cPanel & WHM can use. You may use all of these services or other services and should adjust your rules accordingly.

Remember:

Set a cron job to disable your firewall every five minutes when you test your rules, or you may be locked out of your server.

Stay up-to-date

It is important that you run the latest stable versions of the software on your system to ensure that it is patched for any security issues to which past versions may be susceptible. Be aware of updates for the following:

  • Kernel
  • cPanel & WHM*
  • User Applications (bulletin boards, CMS, blog engines, etc)**
  • System Software*

*These can be set to automatically update in WHM's Update Preferences interface (WHM >> Home >> Server Configuration >> Update Preferences).

**You can upgrade all cPAddon installations in WHM's Manage cPAddons Site Software interface (WHM >> Home >> cPanel >> Manage cPAddons Site Software).

Additional documentation