1. Main >> Server Configuration >> Tweak Settings
* Under Mail:
- Initial default/catch-all forwarder destination >> "fail" is usually the best choice if you are getting mail attacks. - set this to FAIL
The maximum each domain can send out per hour - set to 300
- Enable Mailman:
If none of the cpanel users aren't running any mail listings through cPanel, it would be a good idea to disable Mailman.
* Under System:
- enable default shell jailed
* Under Security
- enable security token
Require security tokens for all interfaces. This will greatly improve the security of cPanel and WHM against XSRF attacks, but may break integration with other systems, login applications, billing software, and third party themes.
2. Main >> Account functions >> Manage Shell Access
* Disable shell access for all users
3. Main >> SQL Services >> MySQL Root Password
* MySQL Root Password - Change Root Password for MySQL
Notes: By default, no mysql root password is set.
4. Main >> Service Configuration >> FTP Server Configuration
* Allow Anonymous Logins - Select 'NO'
* Allow Anonymous Uploads - Select 'NO'
5. Main >> Service Configuration >> Configure PHP and SuExec
* Enable suEXEC
This module will cause PHP scripts to run as the user who owns the script versus the system user known as nobody
6. Main >> System Health >> Background Process Killer
Check all of them and save
7. Main >> Security Center
* Enable PHP open_basedir Tweak
PHP's open_basedir protection prevents users from opening files outside of their home directory with PHP.
* Enable Shell Fork Bomb Protection
Fork Bomb Protection will prevent users with terminal access (ssh/telnet) from using up all the resources on the server. Unchecked resource allocation can potentially lead to a server crash.
* Disable Compilers Access
Many common exploits require a working C compiler on the system. This tweak allows you to deny compiler access to unprivileged users; you can also choose to allow some users to use the compilers while they remain disabled by default.
* Enable cPHulk Brute Force Protection
cPHulk Brute Force Protection prevents malicious forces from trying to access your server’s services by guessing the login password for that service.
* Manage Wheel Group Users
Remove all users except root
* Quick Security Scan for Trojan Horses
8. Update Apache: /scripts/easyapache Or from WHM >> Software >> Apache Update
* Enable Mod_Evasive
mod_evasive module is used to secure Apache Web Server from DDoS and brute force attacks by implementing web application firewall
* Enable Suhosin
This module is an advanced protection system for PHP installations
9. Update cPanel
[root@server ]# /scripts/upcp
10. Securing the /tmp Partition
[root@server ]# /scripts/securetmp
In case of cpanel vps, the above script doesn't work. Please add the following line in /etc/fstab
none /tmp tmpfs nodev,nosuid,noexec 0 0
11. php.ini & disabled functions
[root@server ]# nano /usr/local/lib/php.ini
safe_mode = On
allow_url_fopen = off
expose_php = Off
magic_quotes = On
register_globals = off
display errors = off
disable_functions = system, show_source, symlink, exec, dl,shell_exec, passthru, phpinfo, escapeshellarg,escapeshellcmd, popen, proc_open, allow_url_fopen, ini_set
12. Install csf
[root@server ]# cd /usr/local/src
[root@server ]# wget http://www.configserver.com/free/csf.tgz
[root@server ]# tar -xzf csf.tgz
[root@server ]# cd csf
[root@server ]# ./install.sh
[root@server ]# nano /etc/csf/csf.conf
#To disable testing mode
Testing = "0"
#If you are using any ports, you have to enable it here. Suppose ssh port is changed, add the port here.
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,207 7,2078,2082,2083,2086,2087,2095,2096"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,2087, 2089,2703"
#CSF Connection Limit
CT_LIMIT = "200"
#It means every IP with more than 200 connections are blocked.
CT_PERMANENT = "1"
#IP will be blocked permanenty
CT_BLOCK_TIME = "1800"
#IP will be blocked 1800 secs(1800 secs = 30 mins)
#CT_INTERVAL = "60"
13. Enable TCP SYN Cookie Protection
[root@server ]# nano /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
14. Main >> cPanel >> Manage Plugins
* Install clamav
* Run the scan
[root@server ]# clamscan -r /home
15. Install RootKit Hunter - scanning tool to ensure your system does not have any backdoors or exploits
[root@server ]# cd /usr/local/src
[root@server ]# wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.8.tar.gz
[root@server ]# tar -xzvf rkhunter-1.3.8.tar.gz
[root@server ]# cd rkhunter-1.3.8
[root@server ]# ./installer.sh
* Run the scan
[root@server ]# rkhunter -c
16. Securing and Upgrading of SSH Server:
open ssh configuration /etc/ssh/sshd_config and change ssh port 22 to some other like 2211