Please go through the below steps to harden a cPanel server for better security
==========================
Hardening of a cPanel server
This assumes CSF is already installed on the server; if it is not, install it first.
Go to WHM >> Plugins >> ConfigServer Security & Firewall >> Check Server Security
Do the following Tweaks on the server end as per the CSF security checks:
RESTRICT_SYSLOG option check
vi /etc/csf/csf.conf
Change RESTRICT_SYSLOG = "0" to RESTRICT_SYSLOG = "3"
LF_SCRIPT_ALERT option check
vi /etc/csf/csf.conf
Change LF_SCRIPT_ALERT = "0" to LF_SCRIPT_ALERT = "1"
SYSLOG_CHECK option check
Change SYSLOG_CHECK = "0" to SYSLOG_CHECK = "300"
PT_ALL_USERS option check
Change PT_ALL_USERS = "0" to PT_ALL_USERS = "1"
Check SSH on non-standard port
vi /etc/ssh/sshd_config
Uncomment the 'Port' line and give it a custom port number, for example:
Port 666
Restart ssh service
/etc/init.d/sshd restart
edit csf config file
vi /etc/csf/csf.conf
Add the port number to the following parameters
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,666"
TCP_OUT = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,666"
Check SSH UseDNS
vi /etc/ssh/sshd_config
Uncomment the 'UseDNS' line and change it to the following
UseDNS no
Restart ssh service
/etc/init.d/sshd restart
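The CSF and SSH steps above are easy to half-apply (a value left commented out, or the new SSH port added to TCP_IN but not TCP_OUT, which locks you out when csf is restarted). The following audit script is an added example, not part of the original checklist: it parses csf.conf and sshd_config for the values the steps above set and reports each one that is missing. The sample configuration files it writes are constructed for demonstration; point it at /etc/csf/csf.conf and /etc/ssh/sshd_config on a real server.

```shell
#!/bin/sh
# Added audit helper (not from the original checklist): reads csf.conf and
# sshd_config and reports which of the values set in the steps above are missing.

# Value of KEY in a csf.conf-style file (lines look like KEY = "value").
csf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Value of an sshd_config keyword; commented lines are skipped because their
# first field starts with '#'. The last occurrence wins, as with csf_get.
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# Succeeds when the comma-separated port list $1 includes port $2.
ports_contain() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Prints one line per check and returns the number of failures (0 = hardened).
audit_hardening() {
    csf=$1; sshd=$2; fails=0
    for pair in RESTRICT_SYSLOG=3 LF_SCRIPT_ALERT=1 SYSLOG_CHECK=300 PT_ALL_USERS=1; do
        key=${pair%%=*}; want=${pair#*=}; got=$(csf_get "$csf" "$key")
        [ "$got" = "$want" ] && echo "OK   $key = $got" && continue
        echo "FAIL $key = '$got' (want $want)"; fails=$((fails + 1))
    done
    port=$(sshd_get "$sshd" Port); port=${port:-22}
    [ "$port" != 22 ] || { echo "FAIL sshd still listens on port 22"; fails=$((fails + 1)); }
    [ "$(sshd_get "$sshd" UseDNS)" = no ] || { echo "FAIL sshd UseDNS is not 'no'"; fails=$((fails + 1)); }
    # The SSH port must be in both CSF lists, or restarting csf locks you out.
    for list in TCP_IN TCP_OUT; do
        ports_contain "$(csf_get "$csf" "$list")" "$port" ||
            { echo "FAIL $list does not allow SSH port $port"; fails=$((fails + 1)); }
    done
    return $fails
}

# Constructed sample files mirroring the checklist (real paths are
# /etc/csf/csf.conf and /etc/ssh/sshd_config). PT_ALL_USERS and TCP_OUT are left wrong.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'RESTRICT_SYSLOG = "3"' 'LF_SCRIPT_ALERT = "1"' 'SYSLOG_CHECK = "300"' \
    'PT_ALL_USERS = "0"' 'TCP_IN = "20,21,22,25,53,80,443,2087,666"' \
    'TCP_OUT = "20,21,22,25,53,80,443,2087"' > "$SAMPLE_DIR/csf.conf"
printf '%s\n' '#Port 22' 'Port 666' '#UseDNS yes' 'UseDNS no' > "$SAMPLE_DIR/sshd_config"
audit_hardening "$SAMPLE_DIR/csf.conf" "$SAMPLE_DIR/sshd_config" && echo "all checks passed" || echo "failed checks: $?"
```

With the sample files the script reports two failures (PT_ALL_USERS still "0" and TCP_OUT missing port 666); on a live server run it after the csf and sshd edits and again after `csf -r`.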
Check Background Process Killer
Go to Home » System Health » Background Process Killer
Tick all the processes and click the Save button
Check root forwarder
vi /root/.forward
Add an email address to this file so that all alerts about the cPanel server are sent to that address
Eg: sd1@ideaminetech.com
Check apache for TraceEnable
Go to WHM > Apache Configuration > Global Configuration > TraceEnable and change the value to ‘Off’.
Check apache for ServerTokens
Go to WHM > Apache Configuration > Global Configuration > ServerTokens and change the value to ‘ProductOnly’.
Check apache for FileETag
Go to WHM > Apache Configuration > Global Configuration > FileETag and change the value to ‘None’.
Check mod_userdir protection
Go to WHM > Security Center > mod_userdir Tweak, tick the ‘Enable mod_userdir Protection’ box.
Click Restart apache button after saving the above configurations
Check php for disable_functions
Add the functions below to the disable_functions directive in the ‘php.ini’ file
vi /usr/local/lib/php.ini
disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Check php open_basedir protection
Go to WHM > Security Center > php open_basedir Tweak
Tick ‘Enable php open_basedir protection’ and click save
Check cPanel login is SSL only
Go to WHM > Tweak Settings / Select ‘Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.’ option and click ‘Save’
Check boxtrapper is disabled
WHM > Tweak Settings > BoxTrapper Spam Trap / Select ‘off’ option and click ‘Save’
Check max emails per hour is set
Go to WHM > Tweak Settings > The maximum each domain can send out per hour / Set the sending limit to your desired value and click ‘Save’
Example: 150
Check compilers
Go to WHM > Security Center > Compilers Tweak, Click Disable compilers
Check FTP Logins with Root Password
Go to WHM > FTP Server Configuration > Allow Logins with Root Password and select ‘No’
Click save
Check proxy subdomains
Go to WHM > Tweak Settings > Proxy subdomains and select ‘No’
Select ‘Save’
Check Cookie IP Validation
Go to WHM > Tweak Settings > Cookie IP validation and select ‘Strict’ and click ‘save’
Check Referrer Blank Security
Go to WHM > Tweak Settings > Blank referrer safety check and click ‘On’ and click ‘save’
Go to WHM > Tweak Settings > Referrer safety check and click ‘On’ and select ‘save’
Go to WHM > Tweak Settings > Hide login password from cgi scripts and select ‘On’ and click ‘save’
Check SMTP Restrictions
Go to WHM > Security Center > SMTP Restrictions and select ‘Disable’ button
Disable shell access for all accounts (except root)
You can disable shell access for all accounts via Home >> Account Functions >> Manage Shell Access
Select the ‘Disable shell’ radio button and click ‘Apply to all’
Restart csf once all the above steps have been completed.
Restart csf via the command ‘csf -r’
============================