How to make cPanel / WHM servers more secure?
1) Apache / PHP Suexec: suEXEC is generally regarded as the more secure way to run PHP. It also makes it possible to track and monitor each client's usage on shared servers, because PHP scripts are correctly identified by their true owner rather than by the generic "nobody" user. More generally, suEXEC gives the Apache HTTP Server the ability to run CGI and SSI programs under user IDs that differ from the user ID of the web server itself; without it, a CGI or SSI program runs as the same user that runs the web server.
a. PHPSuexec: If PHP runs as an Apache module without PHPSuexec, the user / group of the web server process will typically be "nobody". This causes real problems when PHP scripts send mail out as nobody@servername: you will be unable to trace abuse or hijacking back to the responsible account. When PHPSuexec is enabled (PHP running as CGI with suexec enabled), your PHP scripts execute under your own UID/GID and not as nobody.
b. Files or directories that your PHP scripts need to write to no longer need 777 permissions. In fact, assigning 777 permissions to scripts, or to the directories they reside in, will cause a 500 Internal Server Error instead of letting them run. So make sure your scripts have at most 755 permissions: read/write/execute for you and read/execute for everyone else. This is one of the reasons PHPSuexec is much more secure than PHP running as an Apache module.
2) Mod Security: mod_security (ModSecurity) provides request filtering and a range of other security features for the Apache HTTP Server. It is an open source intrusion detection and prevention engine for web applications. When running it as an Apache web server module, keep one thing in mind: the purpose of ModSecurity is to increase the security of web applications and to protect them from known and unknown attacks.
3) PHP Security – Suhosin: Suhosin is an advanced protection system for PHP installations. It is designed to protect servers and users from known and unknown flaws in PHP applications and in the PHP core. Suhosin comes in two independent parts which can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows and format string vulnerabilities. The second part is a powerful PHP extension that implements all the other essential protections.
4) Disable some PHP functions: You need to disable some PHP functions, since some of them can run shell commands and manipulate server-side settings.
a. For Example:
5) Disable FTP access for the default users: You also need to disable FTP access for the default users of your accounts. Instead, create additional FTP users for the accounts from the respective cPanel control panel. In cPanel you will find the FTP Accounts option, through which you can manage the complete account.
6) Always use secure passwords: Insecure, predictable passwords are the most common cause of security compromises on most servers. If an account password is insecure and gets compromised, your websites can be defaced, infected, or used to spread viruses. Having secure passwords is standard practice for a secure server.
a. In addition, you can edit /etc/login.defs to configure many password settings on your system. Usually a password of at least 8 characters, including alphanumeric and special symbols, is quite sufficient. Remember to never use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, you can test it with the John the Ripper (JTR) password cracker. If you find that your password can be broken in a few hours, it is probably too insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.
7) Secure SSH:
Enable public key authentication for SSH and disable password authentication.
Move SSH access to a different port. Hackers usually look for port 22 as a possible way into servers, so moving SSH to a different port is a simple way to stop anyone without specific knowledge of your server from easily discovering its SSH port.
You can modify the port SSH runs on in /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port, such as Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn't work, and remember to allow the new port through any firewall before restarting sshd.
You should always use SSHv2 instead of SSHv1, as SSHv1 may not be secure. Make sure you change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.
You may also wish to set shell resource limits for your users to prevent applications and scripts from using up all your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.
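Checking the sshd_config settings from this section can be scripted. The POSIX sh audit below is an added example, not from the original guide or from cPanel; it assumes OpenSSH's stock defaults (port 22, password and public key authentication on) for any keyword the file leaves unset, treats an unset Protocol as a finding because the aim is to pin it to 2, and does not model Match blocks.

```shell
#!/bin/sh
# Added example (not from the original guide): audit sshd_config for the settings
# recommended above: key-only authentication, a non-default port, and Protocol 2.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config

# sshd honours the FIRST non-comment occurrence of a keyword; keywords are case-insensitive.
# Prints the effective value (lower-cased) of keyword $2 in file $1, or nothing if never set.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print tolower($0); exit }
    ' "$1"
}

# Reports each deviation from the recommended settings; returns 0 only when all are in place.
audit_sshd_config() {
    cfg="$1"; rc=0
    port=$(sshd_effective "$cfg" Port);                     : "${port:=22}"     # OpenSSH default
    proto=$(sshd_effective "$cfg" Protocol)                                     # unset = not pinned
    pwauth=$(sshd_effective "$cfg" PasswordAuthentication); : "${pwauth:=yes}"  # OpenSSH default
    pubkey=$(sshd_effective "$cfg" PubkeyAuthentication);   : "${pubkey:=yes}"  # OpenSSH default

    [ "$port" != "22" ]   || { echo "FINDING: sshd still listens on the default port 22"; rc=1; }
    [ "$proto" = "2" ]    || { echo "FINDING: Protocol is '${proto:-unset}'; set 'Protocol 2'"; rc=1; }
    [ "$pwauth" = "no" ]  || { echo "FINDING: PasswordAuthentication is '$pwauth'; set it to 'no'"; rc=1; }
    [ "$pubkey" = "yes" ] || { echo "FINDING: PubkeyAuthentication is '$pubkey'; set it to 'yes'"; rc=1; }
    return "$rc"
}

# Audit the file named on the command line; defining the functions alone is harmless when sourced.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```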
8) Secure your /tmp partition:
It is recommended that you use a separate partition for /tmp mounted with nosuid, because nosuid forces set-UID binaries to run with the privileges of the user executing them rather than those of the file owner. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information. Running /scripts/securetmp will mount your /tmp partition on a temporary file for extra security.
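The mount options recommended here can be verified from the kernel's mount table. The script below is an added example, not part of the original guide or of cPanel's securetmp; it assumes the six-column /proc/mounts format (device, mount point, fstype, options, dump, pass) and that a hardened /tmp appears as its own mount point.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that /tmp is a separate mount and
# that it carries the nosuid and noexec options.
# Usage: sh check_tmp.sh /proc/mounts       (live system)
#        sh check_tmp.sh saved_mounts.txt   (a saved copy, handy for testing)

# Print the option field of the mount at $2 in table $1; fail if nothing is mounted there.
# If the path is mounted more than once, the last (topmost) entry is the effective one.
mount_options() {
    awk -v mp="$2" '$2 == mp { opts = $4; found = 1 } END { if (found) print opts; exit !found }' "$1"
}

# Reports missing hardening; returns 0 only when /tmp is separate and has both options.
check_tmp_mount() {
    table="${1:-/proc/mounts}"; rc=0
    opts=$(mount_options "$table" /tmp) || { echo "FINDING: /tmp is not a separate mount"; return 1; }
    for want in nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;                                   # option present
            *) echo "FINDING: /tmp lacks $want (mounted with: $opts)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Check the table named on the command line; defining the functions alone is harmless when sourced.
if [ "$#" -gt 0 ]; then
    check_tmp_mount "$1"
fi
```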
9) Upgrade your mail to maildir format:
The maildir format adds extra security and speeds up your mail system. Newer installs use maildir by default. If you're running an older copy of cPanel, you will probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir; this can be done from within /scripts/convert2maildir. If you see that maildir is already enabled when running /scripts/convert2maildir, you are already using maildir and will not need to convert.
10) Lock down your system's compilers:
Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WHM (Web Host Manager) to turn off use of the compilers for all privileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers, so disabling the compilers will help protect against many of them.
11) Turn off unused services and daemons:
Any service or daemon that allows a connection to be established to your server is a way for hackers to gain access. To reduce security risks, you should disable all services and daemons that are not
Daemons on Linux:
Check /etc/xinetd.conf for services you are not using, for example cupsd (the printing daemon) and nfs/statd (network file system daemons), which are generally not used on many systems.
Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.
12) Monitor your system:
It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, and when software needs to be
Check your system frequently to ensure it is functioning in the way you expect. Make sure to check
netstat -anp: Look for programs attached to ports that you did not install or authorize.
find / \( -perm -o+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories (-perm -o+w selects entries whose "other" write bit is set; the parentheses must be escaped for the shell). This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break
find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access
ls /var/log/: There are many different logs on your system which can be valuable resources. Check your system logs, Apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
There are many readily available utilities to monitor your system and to detect rootkits, backdoors,
etc. Here are some commonly available utilities:
Tripwire - Monitors checksums of files and reports changes.
http://tripwire.com or http://sourceforge.net/projects/tripwire
Chkrootkit - Scans for common rootkits, backdoors, etc.
Rkhunter - Scans for common rootkits, backdoors, etc.
Logwatch - Monitors and reports on daily system activity.
13) Enable a firewall:
Installing a firewall to limit access to your server is useful. Removing all unused software from your system is more useful. Until you have had the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent
14) Stay up to date:
It is important to make sure that you are running the latest stable versions of the software on your system, to ensure that it has been patched against any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:
cPanel and WHM
User applications (bulletin boards, CMS, blog engines, etc.)