How to properly secure your cPanel VPS

Quags

Administrator
Staff member
I am going to expand on this further over time. However, here are the steps I recommend on a cPanel/WHM server to secure it. InterServer customers can email support to get any of these added.

If you have a server or KVM vps, I recommend cloudlinux if you are selling shared hosting or will have many separate cpanel accounts. You will immediately get benefits of cagefs to isolate each cpanel user, as well as CPU/memory/io limits and the ability to choose multiple PHP versions. Cloudlinux does not support openvz yet. Cost is $10 / month for the license. Cloudlinux is a commercial OS supported by cpanel, based on CentOS.

1) Install CSF firewall. This is not part of cPanel, but a firewall and login failure system. In addition to installing csf, turn off/disable CPHULKD in WHM once csf firewall is running. cPhulkd can lock out your logins from a brute force; csf firewall will just block the IP. It also adds other security features.

http://download.configserver.com/csf/install.txt

The rest are options in WHM:
2) Disable SSH password auth. Instead you should be using ssh keys to access the server, and not logging in as user root for SSH.

3) Under manage plugins select CLAMAV virus scanner

4) Enable WHM->security questions for added security logging into WHM from unknown ips.

5) Enable WHM backups at least locally to /backup. I recommend offsite backups as well, but at least have this option enabled just in case.

Less recommended but still good:
6) Enable password age. This forces a password change after a certain period.

7) Under FTP configuration enable TLS support as a requirement. This encrypts the connection if FTP is used.

If you do not have cloudlinux
8) Enable the symlink race patch in the Easyapache/apachebuilder layout.


PHP Settings
The most secure PHP setting is SUPHP, but this has a high overhead. I generally recommend suphp, and for cloudlinux's php selector you must run suphp.

mod_ruid2 gives a performance boost at the expense of the high security suphp provides, so removing suphp is a tradeoff.
 
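A way to verify step 2 after changing it in WHM, as an added example that is not part of the original post: the function reads an sshd_config the way sshd does (first value for a keyword wins, keywords are case-insensitive, lines after `Match` are conditional) and fails unless password logins and root logins are both explicitly off. The three sample configs are constructed, `Include` files are not followed, and on a real server you would point it at /etc/ssh/sshd_config and compare against the output of `sshd -T`.

```shell
#!/bin/sh
# Added example: audit an sshd_config against step 2 of the post.
# sshd keeps the FIRST value it sees for a keyword, keywords are
# case-insensitive, and lines after "Match" apply only conditionally.
audit_sshd() {
    awk '
        { line = $0; gsub(/[="]/, " ", line)           # allow Key=value and quotes
          if (split(line, f, " ") < 2) next            # blank or malformed line
          k = tolower(f[1]); v = tolower(f[2]) }
        k == "match" { in_match = 1; next }            # global section ends here
        in_match && k == "passwordauthentication" && v != "no" { bad_match = 1 }
        !in_match && !(k in seen) { seen[k] = v }      # first occurrence wins
        END {
            pw   = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "unset"
            root = ("permitrootlogin" in seen) ? seen["permitrootlogin"] : "unset"
            if (pw != "no")   { print "FAIL PasswordAuthentication is " pw ", want no"; rc = 1 }
            if (root != "no") { print "FAIL PermitRootLogin is " root ", want no"; rc = 1 }
            if (bad_match)    { print "FAIL a Match block re-enables password logins"; rc = 1 }
            if (!rc) print "OK"
            exit rc + 0
        }
    ' "$1"
}

# Constructed sample configs (not taken from any real server).
tmp=$(mktemp -d)
# weak: the later "no" is ignored because "yes" was seen first
printf '%s\n' 'PermitRootLogin yes' 'passwordauthentication yes' \
    'PasswordAuthentication no' > "$tmp/weak"
# match: global settings are fine, but one network gets password logins back
printf '%s\n' 'PasswordAuthentication no' 'PermitRootLogin no' \
    'Match Address 192.0.2.0/24' '    PasswordAuthentication yes' > "$tmp/match"
printf '%s\n' '# hardened' 'PasswordAuthentication no' 'PermitRootLogin no' > "$tmp/hard"

for f in weak match hard; do
    echo "== $f"; audit_sshd "$tmp/$f" || true
done
```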
Thanks for the security advice. I've heard from other people that PHP in general isn't too secure, what are your opinions on this?
 

Quags

Administrator
Staff member
> Thanks for the security advice. I've heard from other people that PHP in general isn't too secure, what are your opinions on this?
PHP's problems tend to come from the PHP scripts themselves, due to exploits in the script, like SQL injections. PHP itself is not responsible, although one could say its ease of use leads to more poorly written PHP scripts. Some of the causes of that, like global variables in PHP, are being removed or are no longer enabled by default.
 

camsdad

New Member
What I heard about sql injections via my tech friends actually did blame the PHP scripts completely. Your post makes more sense of things. Great Post!
 

Quags

Administrator
Staff member
> What I heard about sql injections via my tech friends actually did blame the PHP scripts completely. Your post makes more sense of things. Great Post!
Mod_security can block some types of attacks like sql injection attacks. There are third party rulesets that can be used to increase protection, with daily updates. I like atomic gotroot rulesets, and personally use it on my sites. It can be used with cpanel.

Places like Cloudflare and Sucuri add basic protections against these as well, as they add in rule sets. Cloudflare's free version does less than the paid one. Sucuri is a paid product I have not personally used, but I have often used their site scanner, which is quite good.
 

deanhills

New Member
Great tips many thanks Quags. :cool:

I'm used to CSF Firewall with WHM in my shared hosting environment and find it very useful for security, particularly with the dashboard that comes up for managing the CSF in WHM. Cpanel is pricey of course, so when I purchased my Interserver VPS, I purchased a WEBUZO license for VPS and then installed CSF Firewall that comes with WEBUZO, however there is no dashboard as such. Do you have any recommendations for the CSF Firewall configuration in WEBUZO and any further suggestions for what I should do within WEBUZO to make the server more secure?
 

Quags

Administrator
Staff member
You can email support for help with csf on webuzo.

While it is installed and creates a basic config, it can be tweaked to make it more secure, but manually, in SSH, by modifying /etc/csf/csf.conf
 

Harryptx

New Member
> 1) Install CSF firewall. This is not part of cPanel, but a firewall and login failure system. In addition to installing csf, turn off/disable CPHULKD in WHM once csf firewall is running. cPhulkd can lock out your logins from a brute force; csf firewall will just block the IP. It also adds other security features.

I am using WHM/cPanel for my VPS. I remember I enabled CPHULKD while I was installing and configuring WHM.

Now how can I check if it is enabled on my WHM? Can I turn it off and switch to CSF firewall?
 

Quags

Administrator
Staff member
You can check in WHM under security center. There is a cphulkd option which can be enabled or disabled. It will show if it's enabled.
 