
15 Easy Steps to Secure cPanel Server as Rock Hard

We perform server hardening for our Managed Dedicated Server and cPanel server management customers, and we thought we would share the steps we use to secure a cPanel server. The following steps are suitable for cPanel on CentOS.

At Medha Hosting we follow this 15-step server hardening process.

Let’s do the “cPanel Hardening”.


  1. Disable direct root login.
  2. Create dedicated SSH user.
  3. Change SSH default port
  4. Disable ping request.
  5. Setup CSF firewall
  6. Setup Mod_Evasive
  7. Setup Mod_Security
  8. Scan your system with RootKit Hunter
  9. Scan your system using maldet
  10. Scan your system using Clam AntiVirus.
  11. Setup cron job to run Clam AntiVirus weekly.
  12. Disable Apache header information.
  13. Hide PHP version information.
  14. Disable FTP. Use SFTP instead.
  15. Disable shell access for unknown users.

1) Disable direct root login.

Important note: Please do not log out from your system after disabling direct root login. Follow the steps until you have created a dedicated SSH user, and only then log out. Otherwise you won’t be able to log in to your system again. Please be careful.
The root user is the one account that is allowed to do anything on your system. What if someone gained access to the root account? Let’s disable direct root login by following the steps below.
Edit the main SSH configuration file.

You can find the below line.

#PermitRootLogin yes
Change it as below.

PermitRootLogin no

Restart SSH to update the changes.

Now you have disabled direct root login. Now follow the below steps to create a dedicated SSH user.

2) Create dedicated SSH user.

After disabling the direct root login, the next step is to create a dedicated SSH user. ( Only this user will have SSH login permission in your system. )

We are going to create a dedicated user called “sshusr”. Please follow the steps below.

Create the user account.

 

The above line means the root user can run any command anywhere. Add the line given below under it.

 

Now save the file.

From now on, the user “sshusr” has permission to run any command anywhere, but you have to add “sudo” at the beginning of every command you execute as “sshusr”.

For example, if you log in as “sshusr” and want to restart Apache, you have to do it as shown below.

 

You can also switch from this user to root. Please run the command below.

 

Now we have disabled direct root login and created a user called “sshusr” with full permissions on your system. But this doesn’t mean “sshusr” is a dedicated SSH user yet: there may be other users on your system that have SSH shell access. Follow the steps below to block all those users and make “sshusr” the dedicated SSH user.

Edit the main SSH configuration file.

 

Add the below lines.

AllowUsers sshusr

Save the file and restart SSH service to update these changes.

 

You have created a dedicated SSH user.


3) Change SSH default port

Everyone knows 22 is the default SSH port, so it’s always good to change the default port to something less obvious. Please follow the steps below.

Here I’m going to change the port to 4242. Edit the main SSH configuration file.

 

You can find the below line.

#Port 22

Change it as below.

Port 4242

Restart SSH to update the changes.

 

That’s it!! You have changed the SSH port to 4242.
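Before logging out, it is worth checking that the three changes from steps 1 to 3 are actually in effect. The following audit script is an added example (not from the original post): it reads an sshd_config file and reports the first effective value of PermitRootLogin, AllowUsers and Port, which is the value sshd uses, so a hardened line appended below a stray “PermitRootLogin yes” is caught. The sample config files it writes to a temporary directory are constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added audit (not from the original post): verifies that an sshd_config has
# the three settings from steps 1-3 in effect. sshd honours the FIRST
# uncommented occurrence of a keyword, so a hardened line appended below a
# stray "PermitRootLogin yes" is silently ignored; the check follows that rule.

# sshd_value FILE KEYWORD: print the first effective value of KEYWORD
# (empty if it appears only in comments).
sshd_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# audit_sshd FILE: return 0 when all three settings are effective, else 1.
audit_sshd() {
  f="$1"; rc=0
  [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] \
    || { echo "FAIL $f: direct root login still permitted"; rc=1; }
  case " $(sshd_value "$f" AllowUsers) " in
    *" sshusr "*) ;;
    *) echo "FAIL $f: sshusr is not in AllowUsers"; rc=1 ;;
  esac
  [ "$(sshd_value "$f" Port)" = "4242" ] \
    || { echo "FAIL $f: SSH is not on port 4242"; rc=1; }
  return $rc
}

# Constructed sample configs: the stock file, a trap where the hardened lines
# were appended below an earlier "yes", and the file as the post leaves it.
SAMPLES=$(mktemp -d)
printf '#PermitRootLogin yes\n#Port 22\nX11Forwarding yes\n' > "$SAMPLES/stock"
printf 'PermitRootLogin yes\nPermitRootLogin no\nPort 4242\nAllowUsers sshusr\n' > "$SAMPLES/trap"
printf 'PermitRootLogin no\nPort 4242\nAllowUsers sshusr\n' > "$SAMPLES/hardened"

for f in stock trap hardened; do
  if audit_sshd "$SAMPLES/$f"; then echo "OK   $SAMPLES/$f"; fi
done
```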

To log in as “sshusr” from a remote Linux machine you can run the command below.

 

4) Disable ping request.

Please run the following command to disable ping request to your server.

 

You can also do the same using IPtables. Please run the below command if you want to disable the ping request using IPtables.

 

You have disabled ping request to your server.


5) Setup CSF firewall

CSF is a Stateful Packet Inspection (SPI) firewall, Login/Intrusion Detection and Security application for Linux servers.

Please follow the below steps to install and configure CSF. ( If already installed, ignore these steps )

Go to “/opt”, download the latest CSF source files and untar them.

 

Execute the “install.sh” shell script to install CSF.

 

Next, test whether you have the required iptables modules:

 

If you have the APF or BFD firewall installed on your system, run the command below to uninstall it. ( Otherwise it will conflict with CSF. )

 

By default CSF runs in “test” mode. Please follow the steps below to disable “test” mode and make CSF fully functional.

Edit the CSF main configuration file.

 

You can find the below lines.

TESTING = "1"

Change it as follows.

TESTING = "0"

You also need to add the Plesk ports “8880” and “8443” to the CSF “TCP_IN” and “TCP_OUT” lists.

You can find the below lines.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4242"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"

Add the ports 8443 and 8880 in the list.

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4242,8443,8880"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,8443,8880"

Also make sure to disable ICMP ( ping ) by changing “ICMP_IN” to “0”.

# Allow incoming PING
ICMP_IN = "0"

Now restart CSF and LFD to update the changes.

 

You have installed and configured CSF and LFD on your dedicated server.
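The csf.conf edits in this step are easy to get wrong by hand on a second pass (a port listed twice, TESTING left at 1). As an added example, not part of the original post or of CSF itself, the shell helpers below make those edits repeatable: they append ports to a TCP_IN or TCP_OUT list only if they are missing and set TESTING and ICMP_IN, so re-running them is harmless. The sample csf.conf is constructed from the defaults quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added helper (not from the original post): applies the step-5 changes to a
# csf.conf-style file idempotently. KEY = "value" lines are matched at the
# start of a line, as csf.conf writes them. Uses GNU sed -i.

# csf_get FILE KEY: print the quoted value of KEY (empty if absent).
csf_get() { sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1"; }

# csf_set FILE KEY VALUE: replace the quoted value of an existing KEY line.
csf_set() { sed -i "s/^$2 = \"[^\"]*\"/$2 = \"$3\"/" "$1"; }

# csf_add_ports FILE KEY PORT...: append each PORT to the list in KEY unless
# it is already there, so running the function twice changes nothing.
csf_add_ports() {
  f="$1"; key="$2"; shift 2
  cur=$(csf_get "$f" "$key")
  for p in "$@"; do
    case ",$cur," in
      *",$p,"*) ;;                      # already allowed
      *) cur="${cur:+$cur,}$p" ;;       # append without a leading comma
    esac
  done
  csf_set "$f" "$key" "$cur"
}

# harden_csf FILE: the edits from step 5. 4242 is the SSH port from step 3;
# keeping it in TCP_IN is what stops the port change from locking you out.
harden_csf() {
  csf_add_ports "$1" TCP_IN 4242 8443 8880
  csf_add_ports "$1" TCP_OUT 8443 8880
  csf_set "$1" TESTING 0
  csf_set "$1" ICMP_IN 0
}

# Constructed sample csf.conf with the defaults quoted in the post.
CSF_CONF=$(mktemp)
cat > "$CSF_CONF" <<'EOF'
TESTING = "1"
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,4242"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443"
# Allow incoming PING
ICMP_IN = "1"
EOF

harden_csf "$CSF_CONF" && cat "$CSF_CONF"
```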

6) Setup Mod_Evasive

“mod_evasive” is an evasive maneuvers module for Apache that provides evasive action in the event of an HTTP DoS or DDoS attack or a brute force attack. I have installed it on several servers and it seems very efficient at preventing normal DDoS attacks. Please follow the steps below to install it on your server.

Go to the “/opt” directory, download the latest “mod_evasive” source and extract it.

cd /opt
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar -xvf mod_evasive_1.10.1.tar.gz
cd mod_evasive

We are going to compile the “mod_evasive” module into Apache with the “apxs” tool. “apxs” is a tool that comes with the “httpd-devel” package, so the first step is to check whether you have the “httpd-devel” package.

rpm -qa | grep httpd-devel

If you get no result, you don’t have that package. In that case, run the command below to install it on your server.

yum install httpd-devel

After installing httpd-devel, run the command below to compile “mod_evasive” into Apache. ( In the case of cPanel, the path of apxs is “/usr/local/apache/bin/apxs” and you may have to use the full path. )

apxs -cia mod_evasive20.c

Add the following rules at the end of /etc/httpd/conf/httpd.conf :

 

Now restart Apache to update the changes.

 

It will install and create all necessary configurations for “mod_evasive”.

7) Setup Mod_Security

ModSecurity supplies an array of request filtering and other security features for Apache.

You can install it using EasyApache. To avoid the downtime, you can follow the manual steps given below.

 

 

If you want to set up rules, you can download them from here >>

8) Scan your system with RootKit Hunter.

This tool scans for rootkits, backdoors and local exploits by running tests like:

– MD5 hash comparison
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files

Please follow the below steps to scan your system using RootKit Hunter.

1) Go to “/opt” and download the latest RootKit Hunter from here >>

 

 

( Please note that the above URL may not always work, so you may need to find the correct package and download link here >> http://sourceforge.net/projects/rkhunter/ )

Install RootKit Hunter by running the installer.sh script with the “--install” switch.

 

Run the below command to update RootKit Hunter.

 

Run the command below to perform the scan. ( -c checks the local system and --sk skips the key press prompts. )

 

That’s it. It will scan the local system and give you a detailed output.

( Let us know if you find any issues and we will be right here for your help. )

9) Scan your system using maldet

maldet ( Linux Malware Detect ) is an efficient malware scanner for Linux. Please follow the steps below to install it on your system.

 

Install the maldet using the “install.sh” shell script.

 

Now open a new screen session and scan the whole system by running the below command.

 

( Please note that this will take hours to complete depending on the disk usage on your system, which is why we are running it in a screen session. )

You can detach from and re-attach to the screen session at any time to check the status.

When the scan completes, you will get a result as shown below.

 

( Please note: these files will be deleted from your system within 14 days. )

You have completed the maldet scan. Your system is now malware free.

10) Scan your system using Clam AntiVirus.

ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance multi-threaded scanning daemon, command line utilities for on-demand file scanning, and an intelligent tool for automatic signature updates.

Please follow the below steps to install and configure ClamAV in your system.

Install the Atomic repository in your system.

 

Install ClamAV using yum.

yum install clamd

It will install clamd, clamav and clamav-db in your system. Run the below command to update the virus definitions.

freshclam

Start the ClamAV.

 

Now open a new screen session and scan the whole system by running the below command.

 

( Please note that this will take hours to complete depending on the disk usage on your system, which is why we are running it in a screen session. )

You can detach from and re-attach to the screen session at any time to check the status.

You will get the scan result at the end; the command lists only the infected files. You can find them in “/opt/clamscan.log” ( grep for the word FOUND ). You may either remove or clean these files yourself, or run the command below, which removes all infected files on your system. ( Make sure to run it in a screen session. )

 

You have removed the viruses and malicious code from your system.

11) Setup cron job to run Clam AntiVirus weekly.

Setting up a ClamAV cron job is an easy task: a user called “Stefano Stagnaro” uploaded a great cron script called “clamav-cron” to Google Code that updates ClamAV, scans the system and sends a brief report via e-mail. Please follow the steps below to set it up.

Go to “/opt”, download “clamav-cron” and give it execute permission.

 

Open “/usr/local/bin/clamav-cron” and edit the user information.

 

Set up a cron job. I’m going to set one to run this task every Saturday at 11:45 PM.

 

Add the lines at the end.

 

You have set up the ClamAV cron script.

12) Disable Apache header information.

It is not good to expose your server information to the public. Please follow the steps below to disable the Apache header information.

Edit your main Apache configuration file; you can see the lines below somewhere in that file.

 

Change it to as shown below.

ServerSignature off
ServerTokens Prod

Also add the entries below somewhere in it to disable the Apache Last-Modified header. ( The container must be closed with </FilesMatch>, and the Header directive needs mod_headers loaded. )

<FilesMatch ".*$">
Header unset Last-Modified
</FilesMatch>

Restart Apache.

 

You have disabled Apache header information.

13) Hide PHP Version information.

As with Apache, it is not good to expose your PHP version information to the public. Please follow the steps below to hide it.

Find your main PHP configuration file.

 

You will get the location of your main php.ini file from this. Edit the file and you can see the lines below.

 

Edit it as follows.

expose_php = off

Restart Apache

 

You have disabled PHP version information.

14) Disable FTP. Use SFTP instead.

FTP is always a favourite back door for attackers, and there are countless ways to compromise an FTP account. Maybe you are not that familiar with SSH and disabling FTP would put you in trouble; there is an alternative. If you want the simplicity of FTP with the security features of SSH, you can use SFTP. It is not a big deal: any user that has SSH access to your system can use SFTP. WinSCP is an SFTP client for Windows and you can find it here >> http://winscp.net/eng/index.php

Let’s block port 21 by setting up a firewall rule as shown below.

iptables -A INPUT -p tcp --dport 21 -j REJECT

That’s all you have to do.

15) Disable shell access for unknown users.

Run the below command to list all users that have shell access to your system.

 

The command below changes the shell of an unknown user to /sbin/nologin.

Here I’m going to change the shell of user “u1” to “/sbin/nologin”.

chsh u1
Changing shell for u1.
New shell [/bin/bash]: /sbin/nologin
Shell changed.

This way you can change the shell of a user.
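Doing this by eye on a busy cPanel box is error-prone, so the following check is an added example (not from the original post) that lists the accounts with shell access from a passwd-format file and flags those outside an allow list of expected users (root and “sshusr” here). It treats an empty shell field as shell access, since login then defaults to /bin/sh. The sample passwd file and the user names in it are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added check (not from the original post): lists accounts in a passwd-format
# file that still have an interactive shell, then flags those outside an
# allow list, so step 15 can be driven from a list instead of by eye.
# Edge case handled: an EMPTY shell field means /bin/sh, i.e. shell access.

# shell_users FILE: print login names whose shell is not nologin/false.
shell_users() {
  awk -F: '$7 == "" || $7 !~ /\/(nologin|false)$/ { print $1 }' "$1"
}

# unexpected_shell_users FILE USER...: shell_users minus the allow list.
unexpected_shell_users() {
  pw="$1"; shift
  allow=" $* "
  for u in $(shell_users "$pw"); do
    case "$allow" in
      *" $u "*) ;;
      *) echo "$u" ;;
    esac
  done
}

# disable_shell USER: non-interactive form of the chsh shown in the post.
# Run as root on the real system; it is not executed against the sample.
disable_shell() { chsh -s /sbin/nologin "$1"; }

# Constructed sample passwd file for a stand-alone run.
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshusr:x:1000:1000::/home/sshusr:/bin/bash
u1:x:1001:1001::/home/u1:/bin/bash
u2:x:1002:1002::/home/u2:
ftpuser:x:1003:1003::/home/ftpuser:/bin/false
EOF

echo "Accounts with shell access:"; shell_users "$PASSWD"
echo "Not in the allow list (root sshusr):"
unexpected_shell_users "$PASSWD" root sshusr
```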


Yep! We have completed the cPanel and Plesk hardening, and your server is rock hard now.

Of course, you don’t have to do any of this if you use one of our Cheap Dedicated Servers hosting services, cPanel servers or cPanel server management services, in which case you can simply ask our expert Linux admins to do the server hardening. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons below or simply leave a comment in the comments section. Thanks.

About the Author
Medha Hosting
Medha Hosting is a leading global cloud, managed hosting and managed IT services provider with award-winning platforms in the USA, Europe and Asia. Medha Hosting has delivered enterprise-level hosting services to businesses of all sizes around the world since 2014 and still serves a growing base of customers. They rely heavily on our 100 percent uptime guarantee, unbeatable level of client service through our triumph Support Heroes, and worldwide reach with half a dozen data centers across five regions in Europe, the US and Asia. We integrate the industry’s best technology to supply you best-of-breed cloud hosting solutions, all backed by our triumph Support Heroes.