How to secure a WHM/cPanel?

Kaz Wolfe

Well-known member
Registered
Joined
Jul 7, 2016
Messages
604
Points
28
I installed WHM/cPanel on my server but seem i am just using default setting from them. Does WHM need to improve security? if yes how to do? can you tell me the ways?
 

HostechSupport

Active member
Registered
Joined
Jan 19, 2013
Messages
68
Points
8
WHM - Server setup - Tweak Security:

Enable open_basedir protection
Disable Compilers for all accounts(except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection
WHM - Account Functions:

Disable cPanel Demo Mode
Disable shell access for all accounts(except root)
WHM - Service Configuration - FTP Configuration:

Disable anonymous FTP access
You can enable cPHulk install csf firewall and change your SSH port number to custom one. That would be enough.
 

mobin

Well-known member
Registered
Joined
Jun 22, 2017
Messages
234
Points
28
Since you want to do this yourselves..you should do a lot of research, read multiple articles, compare/collect the steps and compile a list that suits best. If you google "cpanel server hardening" you can find lot of articles to secure your cPanel server.
 

bountysite

Well-known member
Registered
Joined
Oct 11, 2017
Messages
109
Points
28
Best answer
Most of the information is about adding security to your hosting server, which is what you need.

  • I have heard use of fail2ban, CSF, regularly for firewall.
  • Brute force protection on sites(application layer), is also good
  • Ensure you have offsite backup
  • Have File Change monitoring to keep track of file changes, which helps you catch suspicious files early
  • Run ssh on different port, only known to you
  • I am guessing anonymous FTP should already be disabled, by default
  • Use cgroups, based file isolation(Eg CloudLinux). To protect from cross site contamination
  • If you can enable Strict SSL for FTP(instead of optional). Basically forcing end users to use FTPS
  • ClamAV, rkhunter for basic malware protection
  • Ensure that sites are running latest updates
  • Modsecurity for local WAF
  • If you are giving ssh access, enforce strong password policy
  • Disable root login for ssh
  • Remove unnecessary services
  • Disable compilers
  • Restrict new outbound traffic, if you can. Prevents some reverse shells.
 

bountysite

Well-known member
Registered
Joined
Oct 11, 2017
Messages
109
Points
28
Try using BountySite.
BountySite downloads all files in the first backup and stores in revision control. Subsequent backups are only incremental. In case there are file changes, BountySite notifies with files created, modified and deleted summary, on backup, via mail(text only) and control panel notification.
Site owner is the best person to judge whether the file change is unauthorized. Site owner can then decide to revert back or delete file(s).

Dormant sites can be protected by using Stable operating mode, in which case all file changes are considered as unauthorized, and are auto reverted to a specific snapshot.

BountySite has storage nodes across the globe, choose one close to your Hosting server location for best performance.
 

AlbaHost

Well-known member
Moderator
Hosting Provider
Joined
Jan 18, 2017
Messages
791
Points
43
And enable 2FA aswell ;)
 

DaRecordon

Well-known member
Registered
Joined
Oct 7, 2016
Messages
242
Points
18

AlbaHost

Well-known member
Moderator
Hosting Provider
Joined
Jan 18, 2017
Messages
791
Points
43
AlbaHost
2FA, two factor authenticator. The benefit is, even if someone got/hacks your whm cpanel root/username with password he still cannot login because he need your phone generated app code to type which is impossible to get that. You know, the more secure the better ;)
 
Recommended Threads
Replies
3
Views
2,535
Replies
0
Views
1,221
Replies
7
Views
3,035

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top