
15 Easy Steps to Secure cPanel Server as Rock Hard


We perform server hardening regularly and want to share the steps we use to secure a cPanel server. The following steps suit cPanel on CentOS.

At Medha Hosting, we follow this 15-step server hardening process.

Let’s do the “cPanel Hardening”


  1. Disable direct root login.
  2. Create dedicated SSH user.
  3. Change SSH default port
  4. Disable ping request.
  5. Setup CSF firewall
  6. Setup Mod_Evasive
  7. Setup Mod_Security
  8. Scan your system with RootKit Hunter
  9. Scan your system using maldet
  10. Scan your system using Clam AntiVirus.
  11. Setup cron job to run Clam AntiVirus weekly.
  12. Disable Apache header information.
  13. Hide PHP version information.
  14. Disable FTP. Use SFTP instead.
  15. Disable shell access for unknown users.

 

1) Disable direct root login.

Important note: Do not log out of your system after disabling direct root login. Follow the steps until you have created a dedicated SSH user; only then can you log out. Otherwise you won’t be able to log in to your system again. Please be careful.
The root user is the one that has license to do anything on your system. What if someone got access to the root user account?! Let’s disable direct root login by following the steps below.
Edit the main SSH configuration file.

vi /etc/ssh/sshd_config
You can find the below line.

 

#PermitRootLogin yes
Change it as below.

PermitRootLogin no

Restart SSH to update the changes.
/etc/init.d/sshd restart

You have now disabled direct root login. Follow the steps below to create a dedicated SSH user.

2) Create dedicated SSH user.

After disabling direct root login, the next step is to create a dedicated SSH user. (Only this user will have SSH login permission on your system.)

We are going to create a dedicated user called “sshusr”. Follow the steps below.

Create the user account.

useradd sshusr

Set Password.

passwd sshusr

Add this user to the “/etc/sudoers” file. Edit the file by running the command below.

visudo

You can find a line as shown below.

root ALL=(ALL) ALL

The above line means root user can run any commands anywhere. Add the line given below under this line.

sshusr ALL=(ALL) ALL

Now save the file.

From now on, the user “sshusr” has permission to run any command anywhere. To use it, you have to add “sudo” at the beginning of every command that you execute as “sshusr”.

For example, if you log in as “sshusr” and want to restart Apache, you have to do it as shown below.

sudo /etc/init.d/httpd restart

You can also switch from this user to the root user. Run the command below.

sudo su -

We have now disabled direct root login and created a user called “sshusr” with full permission on your system. But this doesn’t mean “sshusr” is a dedicated SSH user. There may be other users on your system that have SSH shell access. Follow the steps below to block all those users and set “sshusr” as the dedicated SSH user.

Edit the main SSH configuration file.

vi /etc/ssh/sshd_config

Add the line below.

AllowUsers sshusr

Save the file and restart SSH service to update these changes.

/etc/init.d/sshd restart

You have created a dedicated SSH user.

3) Change SSH default port

Everyone knows 22 is the default SSH port, so automated login attempts target it first. Changing it to a non-default port reduces that noise, although a port scan will still find the service. Follow the steps below.

Here I’m going to change the port to 4242. Edit the main SSH configuration file.

vi /etc/ssh/sshd_config

You can find the below line.

#Port 22

Change it as below.

Port 4242

Restart SSH to update the changes.

/etc/init.d/sshd restart

That’s it!! You have changed the SSH port to 4242.

To log in as “sshusr” from a remote Linux machine, run the command below, replacing the placeholder with your server's IP address or hostname.

ssh sshusr@<server-IP-or-hostname> -p 4242
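
Before each sshd restart in steps 1 to 3, it helps to confirm what the server will actually enforce. The script below is an added example, not part of the original article: it checks text in the format printed by `sshd -T` for the three settings configured above. The function names and the two sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings from steps 1-3.
# Input is text in the format printed by `sshd -T` (keyword, then value).

# Print every value the dump lists for one keyword, one per line.
effective_values() {   # $1 = dump text, $2 = lowercase keyword
    printf '%s\n' "$1" |
        awk -v k="$2" 'tolower($1) == k { for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 only if the dump matches steps 1-3; print each mismatch.
check_ssh_hardening() {   # $1 = dump text, $2 = SSH user, $3 = port
    rc=0
    [ "$(effective_values "$1" permitrootlogin)" = "no" ] ||
        { echo "FAIL: permitrootlogin is not 'no'"; rc=1; }
    [ "$(effective_values "$1" port)" = "$3" ] ||
        { echo "FAIL: sshd does not listen only on port $3"; rc=1; }
    effective_values "$1" allowusers | grep -qxF -- "$2" ||
        { echo "FAIL: $2 is not in allowusers (lockout risk)"; rc=1; }
    return "$rc"
}

# Live use, as root: syntax-check sshd_config, then audit what sshd will apply.
audit_live() {
    sshd -t || return 1
    check_ssh_hardening "$(sshd -T)" sshusr 4242
}

# Constructed samples in `sshd -T` format (not taken from a real server).
GOOD_DUMP='port 4242
permitrootlogin no
allowusers sshusr'
# Root login still allowed and no AllowUsers entry in effect.
BAD_DUMP='port 4242
permitrootlogin yes'

check_ssh_hardening "$GOOD_DUMP" sshusr 4242 && echo "GOOD_DUMP: OK"
check_ssh_hardening "$BAD_DUMP" sshusr 4242 || echo "BAD_DUMP: fix before restarting sshd"
```

Keep the current root session open and confirm a fresh login as “sshusr” on the new port from a second terminal before logging out.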

4) Disable ping request.

Run the following command to disable ping requests to your server. The setting applies immediately but does not survive a reboot.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

You can also do the same using iptables. Run the command below to drop ping requests with iptables; it matches only echo requests, so other ICMP messages still get through.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

You have disabled ping request to your server.

So we have completed the cPanel and Plesk hardening and your server is hard as rock now.

