Basic tips how to secure your WHM/cPanel VPS

Basic tips how to secure your WHM/cPanel VPS
In this tutorial we will show you couple  basic tips how to secure your WHM/cPanel VPS.


WHAT IS WHM/CPANEL?

WHM/cPanel is a Linux based web hosting control panel that provides a graphical interface and automation tools designed to simplify the process of hosting a web site.


Server security is something that every admin shout take very seriously.

One day or another, chances are your server will be hacked and the safety of your data will be at risk are pretty big.  I won’t even mention that you may lose potential or existing customers in the process.

There is no specific number of “things” that you can do to secure your server… even when you thing that you are done and secured completely, you can always do more.

Every decent system administrator who takes good care of it’s users is absolutely necessary to elaborate a great attention to his systems security. As the time goes by the technology development runs very fast and results with a number of vulnerabilities.

Here are the most basic 10 things you can do to secure your WHM/cPanel VPS server from attacks:


1. LATEST WHM/CPANEL VERSION

Always make sure that you have the latest WHM/cPanel version running on your VPS. You can update WWHM/cPanel to the latest version as explained here. If you want to keep your server updated automatically you can enable the daily updates by going to “WHM -> Server Configuration -> Update Preferences”:

Basic tips how to secure your WHM/cPanel VPS


2. USE SSL

Always use SSL to secure your connection and all access to the control panels. When using an unsecured connection (without SSL) all the username and passwords are sent as clear text over the Internet, so every idiot with a simple scanner and/or sniffer can see them and abuse the later.
To secure WHM/cPanel with SSL log in to your WHM/cPanel control panel interface using your web browser. To do that start your web browser and enter the WHM/cPanel URL, in most cases that should be: “https://your_VPS_IP_address:2087
(do not forget to replace “your_VPS_IP_address” with the actual IP address of your virtual server).

Once you are in, click on the “Server Configuration” icon/box:

Basic tips how to secure your WHM/cPanel VPS

and on the next screen click on the “Tweak Settings” icon/box:

Basic tips how to secure your WHM/cPanel VPS

once you see the “Tweak Settings” screen/section click on the “Redirection” and setup the “Always redirect to SSL” from “Off” to “On

Basic tips how to secure your WHM/cPanel VPS
…click on the “Save” button to save the changes.


3. SECURE SSH

Always keep SSH secured. A great tutorial how to secure SSH can be found here.


4. SECURE APACHE

Keep Apache secured. The most readily available way to access a web server, is of course, the web server application. It is important to take steps to secure your Apache installation.

One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about how to install mod_security here.

When compiling Apache, you should include “suexec” to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.

To  include “suexec” in your PHP you will need to log in to your WHM/cPanel control panel interface using your web browser. To do that start your web browser and enter the WHM/cPanel URL, in most cases that should be: “https://your_VPS_IP_address:2087
(do not forget to replace “your_VPS_IP_address” with the actual IP address of your virtual server).

Once you are in, in the “Search” field located at the top left corner type:

Configure PHP and suEXEC

and after that click on the “Configure PHP and suEXEC” link:

Basic tips how to secure your WHM/cPanel VPS

on the right side on your screen find the “Alter Configuration” section and from the “PHP 5 Handler” drop down menu select “suphp“:

Basic tips how to secure your WHM/cPanel VPS


You may also wish to include “safe_mode” for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable “safe_mode” by changing the “safe_mode =” line in php.ini to “safe_mode = On”.

To do that log in to your server as ROOT via SSH. Once you are edit the php.ini file:

nano /usr/lib/php.ini

find this line:

;safe_mode = Off

and change it to:

safe_mode = On

restart the Apache service for the changes to take effects:

/etc/init.d/httpd restart

5. DISABLE ANONYMOUS FTP ACCESS

To prevent anonymous users from uploading files to your server you must disable the anonimous FTP access on your server. To do that you will need to log in to your WHM/cPanel control panel interface using your web browser. To do that start your web browser and enter the WHM/cPanel URL, in most cases that should be: “https://your_VPS_IP_address:2087
(do not forget to replace “your_VPS_IP_address” with the actual IP address of your virtual server).

Once you are in, in the “Search” field located at the top left corner type:

FTP Server Configuration

Basic tips how to secure your WHM/cPanel VPS
… and click on the “FTP Server Configuration” link.


Once you click on the “FTP Server Configuration” link a new page will be opened on your screen right side:
Basic tips how to secure your WHM/cPanel VPS

…scroll down and find the “Allow Anonymous Logins” and “Allow Anonymous Uploads” drop down boxes. Select both to be “NO“:

Basic tips how to secure your WHM/cPanel VPS

… and after that just click on the “Save” button.


6. STRONG PASSWORDS

Make sure your users use secure passwords! Insecure passwords are the most common security vulnerability for most servers. If an account password is insecure and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server.

You can edit /etc/login.defs to configure many password options on your system. It is well documented.

Generally, a password utilizing at least 8 characters including alphanumeric and grammatical symbols is sufficient. Never use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, then you can test it using John the Ripper cracker. If a password can be broken in a few hours, then it is probably too insecure and should not be used. some useful tips about how to create a strong passwords you can find here.


7. ENABLE CPHULK

Enable cPhulk which will protects your web servers from Brute Force Attacks by blocking suspect IP addresses for a predetermined period. To enable it you will need to log in to your WHM/cPanel control panel interface using your web browser. To do that start your web browser and enter the WHM/cPanel URL, in most cases that should be: “https://your_VPS_IP_address:2087
(do not forget to replace “your_VPS_IP_address” with the actual IP address of your virtual server). Once you are in click on the “Security Center” box/icon located at the front screen.

Basic tips how to secure your WHM/cPanel VPS

and on the next screen click on the “CPHulk Brute Force Protection” box/icon:

Basic tips how to secure your WHM/cPanel VPS

and if CPHulk is disabled you will see the following image:

Basic tips how to secure your WHM/cPanel VPS

… to enable it just click on the “ON/OFF” button located next to “cPHulk is Disabled

Basic tips how to secure your WHM/cPanel VPS

and that’s it. Once CPHulk is enabled you will see the following image/screen:

Basic tips how to secure your WHM/cPanel VPS


8. CLAMAV ANTIVIRUS

Install clamav antivirus. We all know that Linux servers are more resistant to viruses than Windows-based servers, but it is always a good practice to install an antivirus. Even if your web server is not infected, it could still host a virus intended to infect visitors to your website.

ClamAV is available for cPanel servers as a plugin. To enable it you will need to log in to your WHM/cPanel control panel interface using your web browser. To do that start your web browser and enter the WHM/cPanel URL, in most cases that should be: “https://your_VPS_IP_address:2087
(do not forget to replace “your_VPS_IP_address” with the actual IP address of your virtual server). Once you are in, in the “Search” field located at the top left corner type:

Manage Plugins

and click on the “Manage Plugins” link:

Basic tips how to secure your WHM/cPanel VPS

… and from the next screen select “Install and keep updated” check box under the ClamAV section and click on the “Save” button.

Basic tips how to secure your WHM/cPanel VPS

One the ClamAV plugin installation is completed, reload your WHM control panel so that the main menu is updated, so again, in the “Search” filed located at the top left corner on your screen type:

Configure ClamAV Scanner

and click on the “Configure ClamAV Scanner” link:Basic tips how to secure your WHM/cPanel VPS

… and on the next screen on the right side select all four (4) options and click on the “Save” button:

Basic tips how to secure your WHM/cPanel VPS


9. SECURE TMP

Secure your /tmp partition. We recommend that you use a separate partition for /tmp that is mounted with nosetuid. Nosetuid will force a process to run with the privileges of it’s executor. You may also wish to mount /tmp withnoexec after installing cPanel. To do that once the WHM/cPanel installation is done log in to your VPS as ROOT via SSH. Next, edit the “fstab” file:

nano /etc/fstab

find the “/tmp” line (it should look something similar as):

UUID=t1740f70-4333-4f27-4434-272aa244rfcf /tmp                    ext3    defaults        1 2

Append the text “,nodev,nosuid,noexec” to the list of mount options in column 4. In the end, your entry should look like as follows:

UUID=t1740f70-4333-4f27-4434-272aa244rfcf /tmp                    ext3    defaults,nodev,nosuid,noexec        1 2

Save and close the file.

Another thing you can do is to secure the “/var/tmp” file too. To do that just bind the “/var/tmp” file to “/tmp”. To do that edit the file /etc/fstab again and append:

/tmp /var/tmp none rw,noexec,nosuid,nodev,bind 0 0

Save and close the file. At the end reboot your VPS for the changes to take effects. To reboot your VPS just type:

 reboot -f

10. FIREWALL

Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access. Many people are using CSF for a firewall, we do too. To install CSF log in to your server as ROOT via SSH. Next type:

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Once the installation is done you can enable the firewall from your WHM/cPanel admin area. To do that start your web browser and enter the WHM/cPanel URL, in most cases that should be: “https://your_VPS_IP_address:2087
(do not forget to replace “your_VPS_IP_address” with the actual IP address of your virtual server).

Once you are in, in the “Search” field located at the top left corner type:

plugins

and after that click on the “ConfigServer Security & Firewall” link:

Basic tips how to secure your WHM/cPanel VPS

… here you will be able to manage and configure your firewall according your needs.

Basic tips how to secure your WHM/cPanel VPS


If you’re one of our Linux VPS Hosting customers we can help you secure your WHM/cPanel  on your virtual server for you free of charge. Just contact us and some of our experts will complete your request immediately.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>