10 Tips to Tune and Secure Your cPanel Server

Please note that these tips are suggestions only and cPanel takes no responsibility for modifications to individual servers, or the security practices of individual servers. Server security is a collection of compromises, as any server that allows connections could be insecure. These tips are to be followed at your own risk.

1) Use secure passwords!
Insecure passwords are the most common security vulnerability for most servers. If an account password is insecure and is compromised, client sites can be defaced, infected, or used to spread viruses. Having secure passwords is paramount to having a secure server.
You can edit /etc/login.defs to configure many password options on your system. It is well documented.
Generally, a password of at least 8 characters that mixes letters, digits and punctuation symbols is sufficient. Never use passwords based upon dictionary words or significant dates. If you are uncertain about the security of a password, you can test it with the John the Ripper (JTR) password cracker. If a password can be broken in a few hours, it is probably too insecure and should not be used. You can also install tools like pam_passwdqc to check the strength of passwords.
2) Secure SSH
Enable public key authentication for SSH and disable password authentication.
Move SSH access to a different port. People are looking for port 22 as a possible way to access your servers. Moving SSH to a different port will add a simple way to deter those without specific knowledge of your server from easily discovering your SSH port.
You can modify the port that SSH runs on within /etc/ssh/sshd_config. Change the line that says #Port 22 to a different port such as: Port 1653. Make sure to keep your current SSH session open when testing the new port so you can change back to port 22 if the new port doesn’t work.
You should always use SSHv2 only, as SSHv1 is not secure. Make sure to change the line in /etc/ssh/sshd_config that says #Protocol 2,1 to Protocol 2.
You may also wish to set shell resource limits for your users to prevent applications and scripts from using up all of your resources and taking down your server. You can configure shell resource limits in /etc/security/limits.conf on most Linux systems.
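The sshd_config changes in tip 2 can be checked rather than eyeballed. The script below is an added example (not part of the cPanel article) that reads a config the way sshd does (first occurrence wins, directive names are case-insensitive, comments ignored) and reports every setting that still disagrees with the tip; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the cPanel article): audit an sshd_config for the
# settings tip 2 asks for. Assumes the config path is passed as an argument;
# the two sample configs below are constructed for the demonstration.

# Print the effective value of a directive. sshd honours the first
# occurrence and ignores case in directive names; commented lines are skipped.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one WARN line per setting that does not match the tip; exit status 0.
audit_sshd_config() {
    cfg="$1"
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22"
    fi
    # Older OpenSSH releases defaulted to "2,1"; any "1" in the list is a finding.
    case "$(sshd_value "$cfg" Protocol)" in
        *1*) echo "WARN: Protocol allows SSHv1" ;;
    esac
    pw=$(sshd_value "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" != "no" ]; then
        echo "WARN: PasswordAuthentication is '${pw:-yes (default)}', should be 'no'"
    fi
    pk=$(sshd_value "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    if [ "$pk" = "no" ]; then
        echo "WARN: PubkeyAuthentication is disabled"
    fi
    return 0
}

# Constructed sample: the kind of config tip 2 tells you to change.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# sshd_config (constructed sample, not a real server's file)
Port 22
Protocol 2,1
PasswordAuthentication yes
EOF

# Constructed sample after applying the tip.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 1653
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "== weak =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened =="; audit_sshd_config "$HARDENED_CFG"
```

Run it against /etc/ssh/sshd_config after editing and again after `sshd -t` passes; an empty report means the three settings from the tip are in place.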
3) Secure Apache
The most readily available way to access a web server, is of course, the web server application. It is important to take steps to secure your Apache installation.
One of the best tools for preventing malicious Apache use is mod_security. This can be installed in Addon Modules in the cPanel section of WebHost Manager. You can find information about mod_security at http://www.modsecurity.org/.
When compiling Apache, you should include suexec to ensure that CGI applications and scripts run as the user that owns / executes them. This will help identify where malicious scripts are and who is running them. It will also enforce permission and environment controls.
We also recommend compiling Apache + PHP with PHPsuexec. PHPsuexec forces all PHP scripts to run as the user who owns the script. This means that you will be able to identify the owner of all PHP scripts running on your server. If one is malicious, you will be able to find its owner quickly and resolve the issue. To compile Apache + PHP with PHPsuexec, select the PHPSuexec option in the Apache Upgrade interface in WHM or when running /scripts/easyapache from the command line.
You should enable PHP’s open_basedir protection. This protection will prevent users from opening files outside of their home directory with PHP. This can be enabled in Tweak Security within WebHost Manager.
You may also wish to include safe_mode for PHP 5.x and below. Safe_mode ensures that the owner of a PHP script matches the owner of any files to be operated on. You can enable safe_mode by changing the safe_mode = line in php.ini to safe_mode = On.
4) Secure your /tmp partition
We recommend that you use a separate partition for /tmp that is mounted with nosuid. The nosuid option ignores set-UID bits on that filesystem, so a process runs with the privileges of its executor. You may also wish to mount /tmp with noexec after installing cPanel. Check the mount man page for more information.
Also, running /scripts/securetmp will mount your /tmp partition from a file-backed loopback filesystem for extra security.
5) Upgrade your mail to maildir format
Maildir format adds extra security and speed to your mail system. Newer installs use maildir by default. If you’re running an older copy of cPanel, you’ll probably want to upgrade using /scripts/convert2maildir. Make sure to back up your current mail before converting to maildir; this can be done within /scripts/convert2maildir. If you see that maildir is enabled when running /scripts/convert2maildir, you are already using maildir and will not need to convert.
6) Lock down your system’s compilers
Most users do not require the use of C and C++ compilers. You can use the Compilers Tweak within Tweak Security in WebHost Manager to turn off use of the compilers for all unprivileged users, or to disable them for specific users only. Many pre-packaged exploits require working compilers. Disabling compilers will help protect against many exploits.
7) Turn off unused services and daemons
Any service or daemon that allows a connection to be established to your server is a way for attackers to gain access. To reduce security risks, you should disable all services and daemons that are not being used.
For Daemons on Linux:
Check /etc/xinetd.conf for services you are not using. For example, cupsd (printing daemon) and nfs/statd (network file system daemons) are not used on many systems.
For Services:
Go to the Service Manager in the Service Configuration section of WHM and disable any services that you are not using.
8) Monitor your system
It is important to be up to date on what is going on with your system. Make sure that you know when accounts are being created, what software is being installed, when software needs updates, etc.
Check your system frequently to ensure it is functioning in the way you expect. Make sure to check things like:
  • netstat -anp : Look for programs attached to ports that you did not install / authorize.
  • find / \( -perm -o+w \) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories (the -o+w test matches the "other" write bit, which is what world-writable means). This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.
  • find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner.txt for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
  • ls /var/log/ : There are many different logs on your system which can be valuable resources. Check your system logs, Apache logs, mail logs, and other logs frequently to make sure your system is functioning as expected.
There are many readily available utilities to monitor your system and to detect rootkits, backdoors, etc. Here are some commonly available utilities:
  • Tripwire – Monitors checksums of files and reports changes.
    http://tripwire.com or http://sourceforge.net/projects/tripwire
  • Chkrootkit – Scans for common rootkits, backdoors, etc.
  • Rkhunter – Scans for common rootkits, backdoors, etc.
  • Logwatch – Monitors and reports on daily system activity.
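To make the checks in tip 8 concrete, here is an added example (not part of the cPanel article and not Tripwire's code) that implements the two things the tip describes: a checksum baseline that reports changed, added and removed files, and the world-writable scan, both run against a constructed directory tree. It assumes GNU find and sha256sum are available.

```shell
#!/bin/sh
# Added example (not from the cPanel article): a minimal checksum baseline in
# the spirit of Tripwire, plus the world-writable scan from tip 8, run on a
# constructed directory tree. Assumes GNU find and sha256sum are available.

# Write "sha256  path" for every regular file under $1 to baseline file $2.
take_baseline() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Compare the tree under $1 against baseline $2 and print one line per
# difference: CHANGED, ADDED or REMOVED followed by the path.
# (The FNR == NR idiom needs a non-empty baseline file.)
compare_baseline() {
    current=$(mktemp)
    take_baseline "$1" "$current"
    awk 'FNR == NR { base[$2] = $1; next }          # first file: baseline
         !($2 in base) { print "ADDED " $2; next }  # second file: current tree
         base[$2] != $1 { print "CHANGED " $2 }
         { delete base[$2] }
         END { for (p in base) print "REMOVED " p }' "$2" "$current" | sort
    rm -f "$current"
}

# List world-writable files and directories under $1, skipping symlinks:
# the find from tip 8, with -o+w (the "other" write bit) as the test.
world_writable() {
    find "$1" \( -perm -o+w \) ! -type l | sort
}

# Constructed sample tree standing in for a site's document root.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/public_html"
printf 'hello\n'  > "$ROOT/public_html/index.html"
printf 'config\n' > "$ROOT/public_html/config.php"
BASELINE=$(mktemp)
take_baseline "$ROOT" "$BASELINE"

# Simulate the kinds of change the monitoring should surface, then re-check.
printf 'extra\n' >> "$ROOT/public_html/index.html"   # content changed
printf 'new\n'    > "$ROOT/public_html/x.php"         # file added
chmod o+w "$ROOT/public_html"                          # directory made world-writable

compare_baseline "$ROOT" "$BASELINE"
world_writable "$ROOT"
```

Keep the baseline file somewhere the web server's users cannot write, or it tells you nothing about files they have changed.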
9) Enable a Firewall
Installing a firewall to limit access to your server is useful. Removing all unused software on your system is more useful. Before you have the chance to remove all unused services and daemons, or the chance to figure out which services / daemons are unused, you can enable a firewall to prevent unwanted access.
The following will show the ports cPanel and WHM need open to function properly and what the port is used for:
If you are using APF, see:
Please note that these ports are for all services that can be used by cPanel and WHM; you may or may not be using all of these services, or other services, and should adjust your rules accordingly.
Remember to set a cron job to disable your firewall every 5 minutes when testing your rules, or you may be locked out of your server.
10) Stay up to date
It is important to make sure that you are running the latest stable versions of the software on your system to ensure that it has been patched of any security issues that past versions may be susceptible to. Make sure to keep on top of updates for:
  • Kernel
  • cPanel and WHM*
  • User Applications (bulletin boards, CMS, blog engines, etc)**
  • System Software*
*These can be set to automatically update in WebHost Manager under Update Config in the Server Configuration section.
**You can upgrade all cPAddon installations through Manage cPAddons in the cPanel section of WebHost Manager.
50 thoughts on “10 Tips to Tune and Secure Your cPanel Server”

  1. seo - 23 November 2010 at 02:31

    I am very interested in. May I ask to spoon feed the detail please?

  2. PHP Functions - 26 November 2010 at 15:38

    I really like your writing style, wonderful info, thank you for putting up :D.

  3. Goks Ajah - 12 June 2011 at 18:07

    Hha Hha Nice Blog

  4. Tegan Kooken - 2 September 2011 at 21:57

    77% of people are using mobile browsers to view websites now. You should try this plugin for only $10 to use on all your sites to make sure they look good on mobile browsers or you will lose visitors.

  5. Sherika - 12 November 2011 at 17:33

    Hi, I located your blog by mistake when I was searching AOL for this topic. I must express your webpage is truly valuable. I also enjoy the theme, it’s superb!

  6. # - 24 November 2011 at 05:13

    This kind of certainly a great website you might have clicking here. The difficulty can be quite informative along with directly concise. Ecstatic to see much more about your site the next time.

  7. dexter watch series - 2 October 2012 at 22:23

    I relish, cause I discovered exactly what I used to be having a look for. You have ended my 4 day long hunt! God Bless you man. Have a nice day. Bye

  8. line - 31 October 2012 at 06:48

    thank you admin perfect blog !

  9. czy zbasz o swoj? flag? - 18 April 2013 at 01:47

    Woah! I’m really loving the template/theme of this website. It’s
    simple, yet effective. A lot of times it’s very hard to get that “perfect balance” between superb usability and visual appeal. I must say that you’ve done a very good job with this.
    In addition, the blog loads very fast for me on Internet explorer.
    Superb Blog!

  10. Georgeann Michalke - 19 April 2013 at 02:21

    I like this post, enjoyed this one regards for posting. “No trumpets sound when the important decisions of our life are made. Destiny is made known silently.” by Agnes de Mille.

  11. http://www.mediafire.com/ - 19 May 2013 at 20:12

    I blog often and I seriously appreciate your information.
    This article has truly piqued my interest. I will bookmark your blog and keep checking for new information about once
    per week. I opted in for your RSS feed too.

  12. Ricky Cassem - 14 July 2013 at 14:30

    Great blog here! Additionally your web site loads up fast! What web host are you using? Can I get your affiliate link for your host? I wish my web site loaded up as fast as yours lol

  13. free facebook hack airtel - 7 October 2014 at 14:48

    John: It is not purpose enough so that you can simply have a Facebook Web page.
    The general public in your database probably use Facebook already.

  14. Clean trim - 9 October 2014 at 14:01

    I like what you guys are up too. This kind of clever work
    and reporting! Keep up the awesome works guys, I’ve added you guys to my personal blogroll.

  15. real estate india - 26 May 2015 at 16:17

    Oh my goodness! Impressive article dude! Many thanks, However I am going through problems with your RSS.
    I don’t know the reason why I can’t subscribe to it. Is there anybody
    getting similar RSS problems? Anyone who knows the answer
    can you kindly respond? Thanks!!

  16. light wood dining room sets - 26 December 2015 at 20:43

    By connecting your Fitbit Tracker to your MyFitnessPal account, all of the
    information tracked by your Fitbit can be synchronized with your MyFitnessPal account.

  17. technology blogs - 18 January 2016 at 22:53

    Excellent post. I was checking constantly this weblog and I’m impressed!
    Extremely useful info specifically the ultimate phase 🙂 I deal with
    such information much. I used to be looking for this certain information for a very long time.
    Thank you and good luck.

  18. new business ideas - 11 February 2016 at 22:56

    I am really glad to glance at this web site’s posts, which include tons of helpful data,
    thanks for providing this information.

  19. EnduroStack - 25 October 2018 at 09:14

    I think what you posted was actually very logical.
    But, what about this? what if you composed a catchier post title?

    I mean, I don’t want to tell you how to run your website,
    but what if you added a headline that grabbed people’s attention? I mean 10 Tips
    for Tune and Secure your cPanel Server is a little plain. You ought to look at Yahoo’s front page and note
    how they create news titles to get viewers to click.
    You might try adding a video or a pic or two to grab readers interested
    about everything you’ve got to say. In my opinion,
    it would make your posts a little bit more interesting. http://www.apocalypedia.org/index.php/How_To_Burn_Fat_Quickly

  20. www.wewantscience.com - 25 October 2018 at 17:25

    I’m impressed, I must say. Rarely do I come across a blog
    that’s both educative and interesting, and let me tell you, you have hit the nail on the head.
    The problem is something that not enough folks are speaking intelligently about.
    I’m very happy I found this in my search for something concerning this.

  21. Testo Edge - 8 November 2018 at 04:23

    Hello, yeah this piece of writing is really fastidious and I have learned lot of things from it about blogging.

    thanks. https://testoedgeex.net/

  22. Dodow Sleep Aid Device - 8 November 2018 at 07:09

    Keep up the good piece of work, I read few content on this internet site and
    I conceive that your web site is rattling interesting and has got bands
    of great information. https://dodowsleep.net/

  23. Azur Derma - 10 November 2018 at 01:13

    Thanks a lot for being the instructor on this subject
    matter. My spouse and i enjoyed the article greatly and most of all appreciated the way you
    handled the areas I regarded as controversial.
    You happen to be always quite kind towards readers really like me and assist me to in my
    existence. Thank you. https://azurderma.net/

  24. Keto Boost - 10 November 2018 at 09:32

    Hi there everybody, here every one is sharing such experience, thus
    it’s pleasant to read this website, and I used to pay a visit this webpage daily. https://ketoneboost.com/

  25. Azur Derma Review - 10 November 2018 at 12:25

    Hi! Quick question that’s entirely off topic. Do you know how to make your site
    mobile friendly? My weblog looks weird when viewing from my iphone 4.
    I’m trying to find a theme or plugin that might be able to correct this issue.
    If you have any suggestions, please share. Appreciate it! https://azurderma.org/

  26. Life Restore CBD Oil - 21 November 2018 at 06:46

    Great – I should certainly pronounce, impressed with your web site.
    I had no trouble navigating through all the tabs as well as related information ended up being truly easy to do to access.
    I recently found what I hoped for before you know it at all.
    Reasonably unusual. Is likely to appreciate it for those who add forums or anything, site theme .
    a tones way for your customer to communicate. Nice task. https://liferestorecbd.com/

  27. Angeletta Skin Cream - 21 November 2018 at 08:04

    Very good website you have here but I was wanting
    to know if you knew of any discussion boards that cover the same
    topics discussed in this article? I’d really like to be a part of community where I can get opinions from other knowledgeable individuals
    that share the same interest. If you have any suggestions, please let me know.
    Thanks a lot! https://angelettaskincare.com/

  28. Qq poker online terpercaya - 9 December 2018 at 03:03

    This post gives clear idea designed for the new people of blogging, that really how to do blogging.

  29. preschool kids Photos - 24 January 2019 at 20:41

    Considering a photographer masters in event photography and asking if
    he or she could be ready to shoot being married may yield surprising results.
    If you’re just starting to build a fascination with it, it is likely you know, from the photographs
    you’ve seen, until this is much more than money earner.
    MANY folks here would also STRONGLY encourage you to
    obtain insurance for your business.

  30. prediksi bola parlay - 27 February 2019 at 22:24

    Hi there all, here every one is sharing these knowledge, therefore it’s nice to read this website, and I used to
    pay a visit this website everyday.

  31. ????? ????? - 4 March 2019 at 17:20

    I have fun with, result in I found exactly what I used
    to be taking a look for. You have ended my four day long hunt!
    God Bless you man. Have a great day. Bye

  32. Mari - 6 March 2019 at 05:58

    Around the arc, the flux melts to form a cavity.

  33. Rigoberto - 6 March 2019 at 06:42

    Permit the pipe to cool prior to the next weld.

  34. casinositelerim1.eu - 16 March 2019 at 23:24

    Thank you for the auspicious writeup. It if truth be told was a leisure account it.
    Glance complex to far delivered agreeable from you!
    By the way, how can we be in contact?

  35. wer sucht reinigungsfirma - 14 May 2019 at 23:39

    5. Insofar as coverage gaps arise because of the exclusion of benefits triggered by the petrol clause, as in the present case, because neither the private liability insurance nor the motor vehicle insurance is liable to pay, this must be accepted by the insured. If you enter a business process here, it is automatically carried over into the settlement rule of the process order. Is a physical cleaning sufficient, or must disinfecting solutions be used to kill bacteria, fungi and germs? We are also available for private jobs and clean your apartment or the stairwell. Subcontractor seeks jobs.
    Window cleaning, stairwell cleaning, winter service, demolition work, office & ..

  36. Claudette - 20 May 2019 at 00:22

    Your style is very unique compared to other people I have read stuff from.
    Thank you for posting when you have the opportunity, guess I’ll just bookmark this web site.

  37. güvenilir canl? rulet siteleri - 10 June 2019 at 09:47

    For the reason that the admin of this site is working, no doubt very shortly it will
    be well-known, due to its quality contents.
