Tips and Tutorial for cPanel Server Security

Overview

This tutorial provides several tips to enhance the security of your cPanel & WHM installation.

Warning!
Exercise extreme caution when following these tips. Neither the author nor blendhosting.com takes responsibility for individual servers or for the security practices mentioned in this guide. Each server is a collection of compromises, which means that any server that allows connections could be insecure.

Employ Strong Passwords

Insecure passwords represent a common security vulnerability. Compromised account passwords can lead to defacement, hacking, and the theft of valuable data from client sites.

It is imperative to change your password regularly. Here are additional tips for creating a secure password:

  1. Passwords should be alphanumeric and grammatical.
  2. Passwords should consist of 10 or more characters.
  3. Avoid using the same password for multiple sites.
  4. Refrain from allowing your browser to store your passwords.
  5. Avoid incorporating names of family members, birthdates, or personally significant numbers.
  6. Avoid using any dictionary words in your password.
  7. Consider generating a random password; some password generator sites, such as passwordsgenerator.net[1], provide options to generate passwords with special characters.

Employ safe SSH keys

Change the method of logging into your server’s shell from passwords to SSH keys. SSH keys offer enhanced security and require a special passphrase for usage. To generate an SSH key, log in to WHM > Security Center Section > Manage root’s SSH Keys.

Click on ‘Generate a New Key,’ enter the key name, and your secure passphrase twice.

[Image: Generate a Key]

Move SSH to Another Port

Move SSH to a different port so that people without specific knowledge of your server cannot easily discover it. Most connection attempts target port 22, which is the default SSH port.

Always use ports below 1024, as these are privileged ports that only root can bind to. Any port above 1024 can be used by anyone.

To move your SSH to a different port, log in to your server command line as root and open ‘sshd_config’.

nano /etc/ssh/sshd_config

Find and change:

Port 22

to

Port 102

then restart sshd:

service sshd restart

In this example, port 102 replaces 22 as the SSH port.

Note: It is crucial to allow the new port in the server firewall. Ensure not to close the current SSH connection while testing the new port to avoid any unintended disruptions.
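
The edit described above can be scripted so that it is repeatable and leaves a rollback copy. This is an added example, not part of cPanel or of the original tutorial; set_ssh_port, effective_ports and demo_set_port are hypothetical helper names, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not cPanel tooling): set_ssh_port and effective_ports are
# hypothetical helpers. The file path is an argument so it can be tried on a copy.

# Print every port the file makes sshd listen on (active Port lines only).
effective_ports() {
    awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ { print $2 }' "$1"
}

set_ssh_port() {
    cfg=$1 port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 2 ;;
    esac
    # The article recommends the privileged range, so enforce 1-1023.
    if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
        echo "port $port is outside 1-1023" >&2; return 2
    fi
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak" || return 1   # rollback copy
    # Replace active Port lines if any exist, otherwise the commented default.
    if [ -n "$(effective_ports "$cfg.bak")" ]; then mode=active; else mode=commented; fi
    awk -v p="$port" -v mode="$mode" '
        {
            s = $0
            commented = sub(/^[ \t]*#[ \t]*/, "", s)
            nf = split(s, f, " ")
            isport = (tolower(f[1]) == "port" && f[2] ~ /^[0-9]+$/)
            hit = isport && (mode == "active" ? !commented : (commented && nf == 2))
            if (hit) { if (!done) out[++cnt] = "Port " p; done = 1; next }
            out[++cnt] = $0
        }
        # No Port line at all: put it first, ahead of any Match block.
        END { if (!done) print "Port " p; for (i = 1; i <= cnt; i++) print out[i] }
    ' "$cfg.bak" > "$cfg"
}

# Constructed sample config, edited in a temp dir; prints the resulting port.
demo_set_port() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#Port 22' 'PasswordAuthentication no' 'Match User backup' > "$d/sshd_config"
    set_ssh_port "$d/sshd_config" 102 && effective_ports "$d/sshd_config"
    rm -rf "$d"
}
demo_set_port
```

On a real server, run `sshd -t` after the edit to validate the file before restarting sshd, and restore the `.bak` copy from the still-open session if the new port does not accept logins.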

Activate the cPHulk Brute Force Defence

cPHulk is a service designed to safeguard your server from brute force attacks, a hacking method that employs an automated system to guess passwords for your web server or services.

When cPHulk blocks an attack, it displays ‘login is invalid’ on the login page. To prevent being locked out of your own server, add your IP address to the whitelist.

You can access cPHulk through WHM > Security Center section > cPHulk Brute Force Protection.

[Image: cPHulk Brute Force Protection page]

Disable any unused daemons and services

Any service or daemon that permits connections to your server may pose a security risk by providing potential entry points for hackers. To mitigate these risks, disable all services and daemons that are not essential.

You can disable unused services in WHM’s Service Manager interface (Home >> Service Configuration >> Service Manager).

[Image: Service Manager for WHM]

Protect your Apache

The most exposed route into a web server is the web server application itself. Securing your Apache installation is paramount.

One of the most effective tools to prevent malicious use of Apache is ModSecurity™.

In cPanel & WHM version 11.46 and later, you can utilize the following interfaces to manage ModSecurity:

  • WHM’s ModSecurity™ Tools interface (Home >> Security Center >> ModSecurity™ Tools).
  • WHM’s ModSecurity™ Configuration interface (Home >> Security Center >> ModSecurity™ Configuration).

[Image: ModSecurity Configuration Page]

CSF Installation Guide

If your PC is connected to the Internet, you are a potential target for an array of cyber threats, including hackers, keyloggers, and Trojans that exploit unpatched security holes. This vulnerability means that, like most people who shop and bank online, you are exposed to the risk of identity theft and other malicious attacks.

A firewall acts as a barrier or shield between your PC and cyberspace. When connected to the Internet, you continually send and receive information in small units called packets. The firewall filters these packets, checking if they meet certain criteria set by a series of rules, and subsequently blocking or allowing the data. This way, hackers cannot infiltrate and steal sensitive information such as bank account numbers and passwords.

One such firewall you can install for WHM/cPanel is ConfigServer Firewall (CSF). CSF configures your server’s firewall to restrict public access to services, allowing only specific connections, such as logging in to FTP, checking your email, or loading your websites. ConfigServer Firewall also includes a service called Login Failure Daemon, or LFD.

Use the following commands to install CSF:

cd /usr/src
rm -fv csf.tgz
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Next, confirm that you have the necessary iptables modules:

perl /usr/local/csf/bin/csftest.pl

Log in to WHM, and you will now find a CSF configuration page in the Plugins section. To configure CSF, you can follow the steps outlined in the tutorial “Installing and Configuring CSF on CentOS 7[2].”

[Image: CSF Configuration Page]

Fortify the /tmp partition

We recommend using a separate /tmp partition mounted with the nosuid option. This option compels a process to run with the privileges of its executor. After installing cPanel & WHM, you may also choose to mount the /tmp directory with noexec for additional security.

Run the following script to mount your /tmp partition on a temporary file for added security:

/scripts/securetmp

Note: Ensure that there is sufficient disk space for the partitions. It is recommended to have a minimum of 8GB for /usr and 16GB for /var. Anything below the recommended disk space may lead to issues later on. You can refer to the cPanel Advanced Partitioning Guide[3] for more information.
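
To confirm that /tmp really is a separate mount carrying the nosuid and noexec options discussed above, the mount table can be checked directly. This is an added example, not a cPanel script; missing_mount_opts and demo_tmp_check are hypothetical names and the mount table in the demo is constructed.

```shell
#!/bin/sh
# Added example, not a cPanel script. missing_mount_opts is a hypothetical
# helper; it reads /proc/mounts unless another table is given.

# Prints the hardening options a mount point lacks.
# Returns 0 if none are missing, 1 if some are, 2 if it is not a separate mount.
missing_mount_opts() {
    mnt=$1
    table=${2:-/proc/mounts}
    # Fields: device mountpoint fstype options. The last line for a mount
    # point is the one in effect, so keep overwriting until the end.
    opts=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }' "$table")
    if [ -z "$opts" ]; then
        echo "no separate mount at $mnt"
        return 2
    fi
    missing=
    for want in nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Constructed mount table: a hardened /tmp and a /var/tmp that lacks noexec.
demo_tmp_check() {
    t=$(mktemp) || return 1
    cat > "$t" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext4 rw,nosuid,noexec,relatime 0 0
/dev/loop0 /var/tmp ext4 rw,nosuid,relatime 0 0
EOF
    for m in /tmp /var/tmp /home; do
        printf '%s: %s\n' "$m" "$(missing_mount_opts "$m" "$t" || true)"
    done
    rm -f "$t"
}
demo_tmp_check
```

On a live server, call `missing_mount_opts /tmp` with no second argument after running /scripts/securetmp; an empty result with exit status 0 means both options are in effect.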

Turn off the system compilers

Many users do not require the use of C and C++ compilers. It is strongly recommended to disable compilers for all users who are not in the compilers group in the /etc/group file. Many pre-packaged exploits rely on functional compilers.

To disable compilers from the WHM interface, use WHM’s Compiler Access interface (Home >> Security Center >> Compiler Access).

[Image: System Compiler configuration page]

Use the following command as the root user to stop compilers from the command line:

/scripts/compilers off

[1]: https://passwordsgenerator.net/
[2]: https://www.blendhosting.com/kb/install-and-set-up-the-centos-7-64-bit-csf-configserver-firewall/
[3]: https://confluence2.cpanel.net/display/1142Docs/Installation+Guide+-+Advanced+Partitions
