+44 151 528 8706 [email protected]

How to harden a cPanel server

cPanel and WHM come with some security settings activated by default; however, there are a lot of things you need to do after the initial cPanel installation to have a secure cPanel server. In this post we will explore how to harden cPanel and increase WHM security.

As a part of our Server Management services, we harden servers for our clients daily.

Today, we will show you some steps on how to make your cPanel server safer.

Let’s start hardening the server

1. Disable direct root login.

2. Change SSH default port

3. Disable ping request.

4. Setup CSF firewall

5. Setup Mod_Evasive

6. Setup Mod_Security

7. Scan your system using Clam AntiVirus.

8. Setup cron job to run Clam AntiVirus weekly.

9. Disable Apache header information.

10. Hide PHP version information.

Disable direct root login

 

Edit the sshd configuration file with the command below:

nano /etc/ssh/sshd_config

Change #PermitRootLogin to PermitRootLogin without-password. With this value root can still log in with an SSH key, but no longer with a password.
Then restart the sshd service by executing the command below:
service sshd restart

 

Change SSH default port.

 

The default SSH port is 22. We recommend changing it; to do so, follow the steps below.
Open the sshd configuration file with the command below:

nano /etc/ssh/sshd_config

Find Port 22 and change 22 to any number between 1024 and 65535.
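A check for the two sshd_config edits above, as an added example that is not part of the original post: sshd keeps the first value it reads for PermitRootLogin but listens on every Port line, so a new line placed below an older one can be ignored or can leave port 22 open. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# sshd_values KEYWORD FILE: print every value set for KEYWORD in the global
# section (before the first Match block). Keywords are case-insensitive.
sshd_values() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/              { next }   # skip comments and blank lines
        tolower($1) == "match"      { exit }   # Match blocks are conditional
        tolower($1) == tolower(key) { print $2 }
    ' "$2"
}

# audit_sshd FILE: print findings; exit status = number of failed checks.
audit_sshd() {
    fails=0
    # For PermitRootLogin sshd keeps the FIRST value it reads.
    root=$(sshd_values PermitRootLogin "$1" | head -n 1)
    case "$root" in
        yes) echo "FAIL PermitRootLogin yes: root can log in with a password"
             fails=$((fails + 1)) ;;
        "")  echo "WARN PermitRootLogin unset: compiled-in default applies" ;;
        *)   echo "OK   PermitRootLogin $root" ;;
    esac
    # Port is cumulative: sshd listens on every Port line, so a leftover
    # "Port 22" keeps the default port open next to the new one.
    ports=$(sshd_values Port "$1")
    [ -n "$ports" ] || ports=22                # no Port line means port 22
    for p in $ports; do
        if [ "$p" -ge 1024 ] 2>/dev/null && [ "$p" -le 65535 ]; then
            echo "OK   Port $p"
        else
            echo "FAIL Port $p is outside 1024-65535"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: the new lines were added below the older ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
Port 2222
#PermitRootLogin yes
PermitRootLogin yes
PermitRootLogin without-password
EOF
audit_sshd "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

Run it against a copy of /etc/ssh/sshd_config before restarting sshd; settings pulled in through Include lines or Match blocks are not evaluated by this check.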

Disable ping request.

To stop the server from answering ping (ICMP echo) requests, execute the following commands:

cd /proc/sys/net/ipv4

echo 1 > icmp_echo_ignore_all   # disable ping replies

echo 0 > icmp_echo_ignore_all   # enable ping replies again

 

Setup CSF firewall

Execute the below commands:
cd /usr/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh
Next, test whether you have the required iptables modules:
perl /usr/local/csf/bin/csftest.pl

 

You should not run any other iptables firewall configuration script. For
example, if you previously used APF+BFD you can remove the combination (which
you will need to do if you have them installed otherwise they will conflict):

sh /usr/local/csf/bin/remove_apf_bfd.sh

 

Setup Mod_Evasive

The mod_evasive module is an Apache web services module that helps your server stay running in the event of an attack. Common attacks of this kind are Denial of Service (DoS), Distributed Denial of Service (DDoS), and brute-force attempts to overwhelm your security.

The nature of these attacks is to use several different computers to make repeated requests against your server. This causes the server to run out of processing power, memory, or network bandwidth and become unresponsive.

This guide will walk you through configuring and installing mod_evasive to protect against DoS and DDoS.

With the advent of EA4, mod_evasive has become very easy to install. Simply log in to your server with a root SSH connection and issue the following command:
yum install ea-apache24-mod_evasive

That's it. By default, the cPanel configuration will begin to block most attacks without any additional changes.

To install this via the EA4 WHM interface, log in to WHM on your server as root and navigate to:
WHM >> Home >> Software >> EasyApache 4

And select mod_evasive within the “Apache Modules” selection of the interface.

Follow the prompts to complete the install.

 

Setup Mod_security

1. Log in to your server’s WHM interface and navigate to EasyApache.

2. Follow the prompts to rebuild using your last saved profile, or the default profile. Ensure Mod_Security is selected in the installation choices.

3. Wait for the rebuild to complete (20-30 minutes).

Log in to your server's console or terminal, or access it remotely via SSH. You will need root privileges. Run the following commands to download and install the ConfigServer ModSec Control (CMC) plugin for WHM:

cd /root; wget https://download.configserver.com/cmc.tgz

tar xvf cmc.tgz; cd cmc/; sh install.sh

Then configure it:

1. Refresh the WHM interface and navigate to Plugins > ModSec Control.

2. Switch the state to ‘On’ and save to activate the web firewall.

3. Scroll down to ConfigServer ModSecurity Tools and select modsec2.user.conf to Edit.

Here, you can copy in a ruleset. Rules are directives for mod_security to use when screening web server activity, instructing mod_security what events to check for, and what actions to take.

The best mod_security rules will greatly depend on your server and the application(s) you are hosting. We have provided an example ruleset below, which defines basic directives to help protect from MySQL injection, PHP, and other web server abuse.

How to Disable Apache Header Information:

It is not good to expose your server information. Follow the steps below to disable Apache header information.

Edit your main Apache configuration file and find the following directives.

nano /etc/httpd/conf/httpd.conf

---
ServerSignature On

ServerTokens OS
---

Change them as shown below.

ServerSignature Off

ServerTokens Prod

You can find some information about the ServerSignature and ServerTokens directives below.

ServerSignature: This directive allows the configuration of a trailing footer line under server-generated documents (error messages, mod_proxy ftp directory listings, mod_info output, etc.). The Off setting suppresses the footer line.

ServerTokens: This directive controls whether the Server response header field that is sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.

ServerTokens Prod[uctOnly]
Server sends (e.g.): Server: Apache
ServerTokens Major
Server sends (e.g.): Server: Apache/2
ServerTokens Minor
Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2

This setting applies to the entire server, and cannot be enabled or disabled on a virtualhost-by-virtualhost basis.

Add the entries below to disable the Apache Last-Modified header.

<FilesMatch ".*$">
Header unset Last-Modified
</FilesMatch>

Restart Apache.

/etc/init.d/httpd restart

That’s it!! You have disabled Apache header information.

Scan your system using Clam AntiVirus and how to setup weekly scans

 

What is ClamAV?

The Clam AntiVirus Scanner (ClamAV) antivirus software searches your server for malicious programs. If the scanner identifies a potential security threat, it flags the file to allow you to take the appropriate action.

How To install ClamAV?

You can easily install ClamAV on a cPanel server via WHM’s Manage Plugins interface (WHM >> Home >> cPanel >> Manage Plugins).

How To Update ClamAV’s signatures?

The ClamAV binaries reside in the /usr/local/cpanel/3rdparty/bin/ directory:

/usr/local/cpanel/3rdparty/bin/clamscan
/usr/local/cpanel/3rdparty/bin/clamdscan
/usr/local/cpanel/3rdparty/bin/freshclam

You can create symbolic links for these binaries in the “/usr/local/bin” directory so that you don’t have to type the complete path to the binary every time you run it:

ln -s /usr/local/cpanel/3rdparty/bin/clamscan /usr/local/bin/clamscan
ln -s /usr/local/cpanel/3rdparty/bin/freshclam /usr/local/bin/freshclam

 

Now, run the following command to update ClamAV’s signatures:

/usr/local/bin/freshclam

How To Configure a Weekly Scan?

Now, copy and paste the following script into a file called “clamavscan.sh” under the “/opt/” directory.

#!/bin/bash
# Scan every cPanel account's public_html with ClamAV and mail the report.
REPORT=/root/infections
rm -f "$REPORT"
touch "$REPORT"
# /etc/userdomains lines look like "domain: user"; take each user once, skipping "nobody"
for i in $(awk '!/nobody/{print $2}' /etc/userdomains | sort -u); do
    echo -e "Scan Report for Account $i \n" >> "$REPORT"
    echo -e "Scan Started at $(date) \n" >> "$REPORT"
    # -i: report infected files only, -r: recurse into subdirectories
    nice -n5 /usr/local/cpanel/3rdparty/bin/clamscan -i -r "/home/$i/public_html" 2>>/dev/null >> "$REPORT"
    echo -e "\n Scan Ended at $(date) \n--------------------------------------  \n \n" >> "$REPORT"
done
mail -s "ClamAV Scan Result" -r "[email protected]$HOSTNAME" [email protected] < "$REPORT"

 

The above script will scan the files under the “public_html” directory of all the cpanel accounts hosted on your server. Please do remember to replace “[email protected]” with the respective email address you want to receive the alerts to.

 

Finally, create a cron job to automate this scan on a weekly basis.

For example, to create a cron job that runs every Sunday at 00:00, use the following entry (the script uses bash features, so it is run with /bin/bash):

0 0 * * SUN  /bin/bash /opt/clamavscan.sh
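An added example, not part of the original post: a summary of the report that clamavscan.sh writes, counting clamscan's FOUND lines per account so the result can be read at a glance or used as the mail subject. The function names, the sample report and its signature names are constructed.

```shell
#!/bin/sh
# summarize_report FILE: print "<account> <count>" for each account whose
# section of the report contains clamscan "... FOUND" lines.
summarize_report() {
    awk '
        /^Scan Report for Account / { acct = $5; next }   # section header
        / FOUND$/ && acct != ""     { hits[acct]++ }      # one infected file
        END { for (a in hits) print a, hits[a] }
    ' "$1" | sort
}

# total_infected FILE: infected files across all accounts (0 if none).
total_infected() {
    summarize_report "$1" | awk '{ n += $2 } END { print n + 0 }'
}

# mail_subject FILE: subject line that shows the result without opening the mail.
mail_subject() {
    n=$(total_infected "$1")
    if [ "$n" -gt 0 ]; then
        echo "ClamAV Scan Result: $n infected file(s)"
    else
        echo "ClamAV Scan Result: clean"
    fi
}

# Constructed report in the layout clamavscan.sh produces; signature names are made up.
report=$(mktemp)
cat > "$report" <<'EOF'
Scan Report for Account alice

/home/alice/public_html/uploads/a.php: Constructed.Php.Shell-1 FOUND
/home/alice/public_html/old site/b.php: Constructed.Php.Shell-2 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
--------------------------------------
Scan Report for Account bob

----------- SCAN SUMMARY -----------
Infected files: 0
--------------------------------------
Scan Report for Account carol

/home/carol/public_html/index.php: Constructed.Php.Shell-1 FOUND
EOF
summarize_report "$report"
mail_subject "$report"
rm -f "$report"
```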

 

Hide PHP and Apache version in cPanel

 

To hide the PHP version on a cPanel server, change “expose_php” to “Off” as follows:

Service Configuration >> PHP Configuration Editor >> Advanced Mode: change expose_php from On to Off
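To confirm that the ServerTokens, Last-Modified and expose_php changes took effect, the response headers can be checked. This added example is not part of the original post; it reads headers such as those printed by curl -sI on standard input, and the function name and sample responses are constructed.

```shell
#!/bin/sh
# audit_headers: read HTTP response headers on stdin, print findings, and
# return the number of headers that still disclose information.
audit_headers() {
    tr -d '\r' | awk '
        {
            name = tolower($0); sub(/:.*/, "", name)      # names are case-insensitive
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        # ServerTokens Prod leaves exactly "Apache" in the Server header.
        name == "server" && value != "Apache" { print "FAIL Server: " value; bad++ }
        # expose_php = On adds an X-Powered-By header with the PHP version.
        name == "x-powered-by"  { print "FAIL X-Powered-By: " value; bad++ }
        # "Header unset Last-Modified" removes this header.
        name == "last-modified" { print "FAIL Last-Modified: " value; bad++ }
        END { if (!bad) print "OK   no version information in headers"; exit bad + 0 }
    '
}

# Constructed responses (version numbers are made up); lines end in CRLF as on the wire.
before='HTTP/1.1 200 OK\r\nServer: Apache/2.4.0 (Unix) OpenSSL/1.1.1\r\nX-Powered-By: PHP/8.1.0\r\nLast-Modified: Sun, 07 Jan 2024 00:00:00 GMT\r\n\r\n'
after='HTTP/1.1 200 OK\r\nserver: Apache\r\nContent-Type: text/html\r\n\r\n'

printf '%b' "$before" | audit_headers || echo "before: $? finding(s)"
printf '%b' "$after"  | audit_headers && echo "after: clean"
```

The comparison with "Apache" assumes Apache answers directly; behind a proxy or a different web server the Server value will differ.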

 =============================================
Those were some of the steps you can take to make your server safer on the web; there are many more settings you could change to make it safer still.
=============================================
If you need any assistance on hardening your server, let us know.
