Use Secure Passwords
Weak passwords are a major security risk for servers. An insecure password can lead to compromised accounts, defaced client sites, or even the spread of viruses. Protect your server by using strong passwords. Aim for at least 8 characters, combining letters, numbers, and symbols. Avoid dictionary words and significant dates. Password settings are configured in /etc/login.defs, where detailed documentation is available.
Secure SSH
Enable Public Key Authentication: Switch to public key authentication for SSH and disable password authentication.
Change the Default Port: Move SSH to a different port to deter unauthorized access attempts. Port 22 is commonly targeted, so selecting an alternative port enhances security.
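One way to check both SSH recommendations against a configuration file, as an added example that is not part of the original guide. The function name audit_sshd_config and the sample configuration are constructed for illustration; the script reads only the global section of a single file and does not follow Include directives or Match blocks.

```shell
#!/bin/sh
# Added example (not from the original page): audit the global section of an
# sshd_config for the two SSH settings recommended above.
# audit_sshd_config is a hypothetical helper name; the sample is constructed.

audit_sshd_config() {
    # $1 = path to sshd_config. Prints one line per check; returns 1 on any FAIL.
    awk '
        { sub(/#.*/, "") }                 # drop comments
        tolower($1) == "match" { exit }    # conditional blocks are out of scope
        # For these two keywords sshd keeps the first value it reads.
        tolower($1) == "passwordauthentication" && pw == "" { pw = tolower($2) }
        tolower($1) == "pubkeyauthentication"   && pk == "" { pk = tolower($2) }
        # Port may be given several times; sshd listens on every one.
        tolower($1) == "port" { nports++; if ($2 + 0 == 22) on22 = 1 }
        END {
            # OpenSSH defaults when a keyword is absent:
            # PasswordAuthentication yes, PubkeyAuthentication yes, Port 22.
            if (pw == "no") print "OK   password authentication disabled"
            else { print "FAIL password authentication enabled"; bad = 1 }
            if (pk == "no") { print "FAIL public key authentication disabled"; bad = 1 }
            else print "OK   public key authentication enabled"
            if (nports == 0 || on22) { print "FAIL sshd listens on port 22"; bad = 1 }
            else print "OK   sshd moved off port 22"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the commented-out line must not count, and the second
# PasswordAuthentication line is ignored because the first one wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
Port 2222
passwordauthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd_config "$sample" || echo "sshd_config needs attention"
rm -f "$sample"
```

On a live server, sshd -T prints the effective configuration and is the authoritative check.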
Secure Apache
To protect your Apache installation:
Use ModSecurity: Install mod_security from the Addon Modules section in WHM.
Include Suexec: Compile Apache with suexec to ensure CGI scripts run with the user’s permissions. This helps identify and control malicious scripts.
Enable PHPsuexec: Compile Apache + PHP with PHPsuexec to ensure PHP scripts run as the script owner. This makes it easier to trace malicious scripts to their owners.
Activate PHP’s open_basedir: Prevent PHP from accessing files outside the user’s home directory by enabling open_basedir in Tweak Security in WebHost Manager.
Secure the /tmp Partition
Use a separate partition for /tmp mounted with nosuid (no setuid), so that setuid bits are ignored and processes run with the executor's privileges. Consider mounting /tmp with noexec after cPanel installation. For extra security, run /scripts/securetmp to mount /tmp to a temporary file.
Upgrade to Maildir Format
Switching to Maildir format enhances both security and performance. If you’re using an older cPanel version, upgrade with /scripts/convert2maildir after backing up your mail. If Maildir is already enabled, no conversion is needed.
Lock Down Compilers
Most users don’t need C and C++ compilers. Use the Compilers Tweak in WHM’s Tweak Security to disable compilers for all unprivileged users or specific users. Disabling compilers helps protect against exploits that require them.
Turn Off Unused Services and Daemons
Minimize security risks by disabling unused services and daemons. To do this:
Monitor Your System
Regularly check your system for unusual activity:
Use netstat -anp to identify unauthorized programs attached to ports.
Run find / \( -perm -a+w \) ! -type l >> world_writable.txt to detect world-writable files and directories.
Execute find / -nouser -o -nogroup >> no_owner.txt to find files without associated users or groups.
Review logs in /var/log/ for system, Apache, and mail activity.
Utilize monitoring utilities:
Tripwire: Monitors file checksums for changes.
Chkrootkit: Scans for common rootkits and backdoors.
Rkhunter: Detects rootkits and backdoors.
Logwatch: Reports daily system activity.
Enable a Firewall
Install a firewall to limit access to your server. While removing unused software is crucial, a firewall provides immediate protection. We recommend ConfigServer firewall for WHM.
Stay Up-to-Date
Keep your system secure by running the latest stable software versions. Regularly update:
- cPanel and WHM (automatically updated)
- User Applications (within WHM)
- System Software (automatically updated)
Install ClamAV Antivirus
ClamAV is an open-source antivirus engine that detects Trojans, viruses, malware, and other threats on Linux systems. Perform daily scans to ensure your system remains protected.