The introduction of cPanel in 1996 simplified Linux hosting management, and almost 30 years later it’s still a favorite for website owners and hosters alike. Changes in the Linux operating system, additional distributions, new attack vectors, and newly discovered vulnerabilities force cPanel developers to release security patches frequently. The cPanel software has gone through several version updates, and each change increases complexity. The added complexity makes it more likely that attackers will find vulnerabilities, but your business can reduce the risk by following these best practices to avoid becoming the victim of an exploit. This article goes over tips and tricks on how to keep your cPanel account protected.
How do I protect my cPanel?
1. Secure SSH
SSH gives remote users access to commands and operating system execution over an unsecured network. It’s not uncommon for administrators to have SSH access, but not every user in your organization should have SSH access. In some cases, you can turn off SSH completely to improve security.
If you need SSH running on the server, here are a few tips to harden security:
- Create SSH keys using WebHost Manager (WHM) for the root user and disable password authentication for SSH in the WHM Password Authorization Tweak interface.
- In the /etc/ssh/sshd_config file, change the settings for the SSH port, protocol, ListenAddress, and PermitRootLogin. The cPanel website has a list of suggested values that you should use for these settings. You can also move away from the standard port 22 and use an alternative port.
2. Secure Apache
Apache is at the heart of web hosting on Linux. It’s long been a favorite open-source web server application since its inception in 1999. Like any other server software, Apache should always be updated and patched as new versions are released, and following general security hardening standards reduces the risk of a compromise. You can alternatively use EasyApache to manage installation, updates, and configuration.
- Disable directory listing so that attackers cannot see the list of files stored in every folder. Otherwise attackers can discover unknown publicly accessible files, or use the file information to launch additional attacks. To disable directory listing, change the following line in the /etc/httpd/conf/httpd.conf file:
Options Indexes FollowSymLinks
To the following:
Options -Indexes FollowSymLinks
After you change the file, you must restart Apache.
- Disable unnecessary modules that could open vulnerabilities and increase your attack surface.
- Disable server-info. Attackers use server version information to identify vulnerabilities and craft attacks. To configure this setting, open WHM and then go to:
Service Configuration → Apache Configuration → Global Configuration Documentation
In this settings window, disable signatures, version information, tokens, and tracing, and enable symbolic link protection.
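The sshd_config and httpd.conf settings from sections 1 and 2 are easy to get wrong during a migration, so an audit script is worth keeping. The following is an added example, not code from the article or from cPanel: it checks PasswordAuthentication, PermitRootLogin, ListenAddress and Port in an sshd_config, and directory listing (Options Indexes), ServerSignature, ServerTokens and TraceEnable in an httpd.conf. The config files it reads are constructed samples written to a temp directory, so it runs offline; on a real host you would point the two audit functions at /etc/ssh/sshd_config and /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): audit the sshd and Apache
# settings recommended in sections 1 and 2 against constructed sample configs.

# directive FILE KEY -> value of the last uncommented "KEY value" line (empty if absent)
directive() {
  awk -v key="$2" 'tolower($1) == tolower(key) { val = $2 } END { print val }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_sshd FILE -> prints one FAIL line per problem; returns 1 if anything failed
audit_sshd() {
  local f=$1 rc=0 port
  [ "$(lower "$(directive "$f" PasswordAuthentication)")" = "no" ] \
    || { echo "FAIL sshd: PasswordAuthentication should be no (use SSH keys)"; rc=1; }
  case $(lower "$(directive "$f" PermitRootLogin)") in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL sshd: PermitRootLogin should be no or prohibit-password"; rc=1 ;;
  esac
  [ -n "$(directive "$f" ListenAddress)" ] \
    || { echo "FAIL sshd: ListenAddress unset, sshd binds every interface"; rc=1; }
  port=$(directive "$f" Port)
  if [ -z "$port" ] || [ "$port" = "22" ]; then
    echo "FAIL sshd: still on the default port 22"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK sshd: $f"
  return "$rc"
}

# audit_httpd FILE -> checks directory listing, signature, tokens and TRACE settings
audit_httpd() {
  local f=$1 rc=0
  # any Options line carrying a bare "Indexes" or "+Indexes" enables directory listing
  if awk 'tolower($1) == "options" { for (i = 2; i <= NF; i++) if ($i == "Indexes" || $i == "+Indexes") on = 1 }
          END { exit !on }' "$f"; then
    echo "FAIL httpd: directory listing enabled (Options Indexes); use -Indexes"; rc=1
  fi
  [ "$(lower "$(directive "$f" ServerSignature)")" = "off" ] \
    || { echo "FAIL httpd: ServerSignature should be Off"; rc=1; }
  case $(lower "$(directive "$f" ServerTokens)") in
    prod|productonly) ;;
    *) echo "FAIL httpd: ServerTokens should be Prod (hides the version)"; rc=1 ;;
  esac
  [ "$(lower "$(directive "$f" TraceEnable)")" = "off" ] \
    || { echo "FAIL httpd: TraceEnable should be Off (Apache defaults to On)"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK httpd: $f"
  return "$rc"
}

# constructed sample configs: one hardened and one left at defaults for each service
TMPD=$(mktemp -d)
cat > "$TMPD/sshd_good" <<'EOF'
Port 2222
ListenAddress 192.0.2.10
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
cat > "$TMPD/sshd_bad" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$TMPD/httpd_good" <<'EOF'
ServerSignature Off
ServerTokens Prod
TraceEnable Off
<Directory "/var/www/html">
    Options -Indexes FollowSymLinks
</Directory>
EOF
cat > "$TMPD/httpd_bad" <<'EOF'
ServerSignature On
ServerTokens Full
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
EOF

for f in sshd_good sshd_bad; do audit_sshd "$TMPD/$f" || true; done
for f in httpd_good httpd_bad; do audit_httpd "$TMPD/$f" || true; done
```

The directive lookup takes the last matching line, which mirrors how both daemons resolve repeated keys at the top level; Match blocks in sshd_config and per-VirtualHost overrides in Apache are not modelled, so treat the output as a first pass rather than a full configuration parser.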
3. Harden Your Operating System
At the heart of your hosting is the operating system, so it should be configured to withstand any attack. No strategy is 100% risk-free, but the right operating system configurations greatly reduce the risk of a compromised system. Compromising the operating system would allow an attacker to steal keys and data, install malware, and take over operation of the server. You can avoid a critical cybersecurity incident by following a few operating system best practices for your server.
- Always keep your server operating system up-to-date, especially after vendors release security patches. Note: yum update is the default on cPanel.
- Disable password authentication for sshd.
- Open only the ports necessary for client connections.
- Disable applications not necessary for hosting or server functions (e.g., the Bluetooth service).
- Regularly review logs to detect any anomalies that other intrusion detection systems might not detect.
- It should go without saying, but you should have frequent backups of your server. Should a cybersecurity incident compromise the operating system, backups can be used to restore it. Just make sure that backups don’t contain any malware and ensure that you contain the incident. You should also understand what went wrong so that the vulnerability can be remediated.
4. Harden The TMP Partition
When an application is installed or needs to store temporary files, it uses the tmp directory. This directory is used for temporary storage and used by some applications to create lock files. The files in this directory could be used by the system, and they are deleted after system reboot. If an attacker can compromise the server and run applications, the application could store malicious files in the tmp directory. Locking down the tmp folder blocks attackers from storing or executing files in this directory. You can configure the Linux operating system using several methods to harden security for this folder.
- Create a separate partition for the tmp directory.
- Mount the tmp partition with the noexec (and nosuid) options so that files stored there cannot be executed, and keep the directory itself at mode 1777 (chmod 1777 /tmp) so that every user can write to it but only delete their own files.
- The cPanel application has a custom script that will harden the tmp partition’s security (/usr/local/cpanel/scripts/securetmp).
To fully secure the tmp partition, use the following script example:
/usr/local/cpanel/scripts/securetmp - secure /tmp and /var/tmp
- auto: skip interactive customization questions
- install: install & enable securetmp service
- uninstall: disable & uninstall securetmp service
- daemonize: run securetmp in background ( default true )
# run in interactive mode
> /usr/local/cpanel/scripts/securetmp
# disable interactive mode, run in background
> /usr/local/cpanel/scripts/securetmp --auto
# disable interactive mode, do not run in background
> /usr/local/cpanel/scripts/securetmp --auto --nodaemonize
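Whether you run securetmp or write the fstab entry by hand, the result you want is the same: /tmp is its own mount carrying noexec, nosuid and nodev, and the directory keeps its 1777 sticky mode. The check below is an added example, not code from the article or from cPanel; it parses mount-table lines in the /proc/mounts format and inspects a directory's mode. The mount tables are constructed samples (the /usr/tmpDSK device name is assumed, modelled on a loopback-file mount); on a real server you would call check_tmp_mount /proc/mounts /tmp and check_sticky_dir /tmp.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): verify that /tmp is a separate
# mount with noexec, nosuid and nodev, and that the directory has mode 1777.

# mount_opts MOUNTS_FILE MOUNTPOINT -> option list of the last line mounted at MOUNTPOINT
# (/proc/mounts fields: device mountpoint fstype options dump pass)
mount_opts() {
  awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1"
}

# has_opt OPTS NAME -> true if the comma-separated OPTS contains NAME as a whole token
has_opt() {
  case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_tmp_mount MOUNTS_FILE MOUNTPOINT -> FAIL line per missing property, 0 if hardened
check_tmp_mount() {
  local opts rc=0 o
  opts=$(mount_opts "$1" "$2")
  if [ -z "$opts" ]; then
    echo "FAIL $2: not a separate mount, it lives on the root filesystem"
    return 1
  fi
  for o in noexec nosuid nodev; do
    has_opt "$opts" "$o" || { echo "FAIL $2: mounted without $o"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK $2: $opts"
  return "$rc"
}

# check_sticky_dir DIR -> true if DIR is world-writable with the sticky bit (mode 1777)
check_sticky_dir() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# constructed mount tables: hardened, default (no /tmp mount), and partially hardened
TMPD=$(mktemp -d)
cat > "$TMPD/mounts_hardened" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/usr/tmpDSK /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
cat > "$TMPD/mounts_default" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
EOF
cat > "$TMPD/mounts_partial" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nodev,relatime 0 0
EOF
for m in mounts_hardened mounts_default mounts_partial; do
  check_tmp_mount "$TMPD/$m" /tmp || true
done

# constructed directory with the expected sticky, world-writable mode
mkdir "$TMPD/tmp_demo" && chmod 1777 "$TMPD/tmp_demo"
check_sticky_dir "$TMPD/tmp_demo" && echo "OK $TMPD/tmp_demo has mode 1777"
```

Run the same check against /var/tmp, which securetmp also covers; a separate mount without noexec (the mounts_partial case) is the configuration most often found on hosts where someone created the partition but never revisited the options.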
5. Restrict System Compilers
In computing, a compiler is a computer program that translates computer code written in one programming language into binaries. Leaving a compiler (e.g., gcc) on the server gives attackers the ability to compile their own scripts should they get a limited shell during a compromise. In essence, an attacker can upload their own malicious code and run it on the server. It’s unlikely that antivirus software would catch it if it’s a zero-day attack. A web hosting server also doesn’t need compilers unless it’s hosting applications in unique and rare circumstances. For cybersecurity purposes, compilers should be removed or restricted. If you can’t remove the compilers altogether, you should restrict access to the root user only.
You can disable compilers using WHM. The Compilers Tweak option setting will let you disable compilers for any unprivileged user. The Compiler Tweak setting is found in the Security Center of WHM.
6. Monitor the System Continuously
Anything that goes wrong on the web server could cause downtime for users, including cPanel users. One web server could potentially crash hundreds of customer sites, so it’s critical that customers can always reach cPanel. Monitoring involves watching several components of the system including user activity, application activity, performance, and network connectivity. It’s the administrator’s responsibility to review monitoring reports, but a good tool should alert administrators when anomalies are detected.
You could have one or several tools for server monitoring, but they must target the right components on the web server. Monitoring is also a requirement for compliance, so it’s unavoidable for most hosts. Without it, your downtime could be unpredictably long, which ruins your reputation, lowers customer satisfaction, and violates service level agreements.
A few things you should monitor on a server:
- Connections: How many clients and other servers connect to your server? This opening could be used by attackers to send information to a remote server, or you could have unwanted connections using server resources unnecessarily.
- Requests: Identify the number of requests on the server so that traffic and resource utilization can be analyzed.
- Uptime: Know when your server is down immediately so that it can be remediated to satisfy service level agreements.
7. IP Address Management
A web server has a public and private IP address. The public IP is necessary for online clients, but the private IP address should be restricted to administrators and client applications that absolutely need access to the host. For example, anyone within the organization on the private subnet should have access to the server, but anyone with a public IP address should not be able to access specific server resources.
The Apache Listen directive limits the listening ports to a specific IP. By default, the server listens on a port on all interfaces (IPs). For example, you might limit port 80 to the external IP address only. The following httpd directive tells Apache to listen on port 80 on an external IP (192.0.2.10 is a placeholder; substitute your server’s public address):
Listen 192.0.2.10:80
8. Disable Cryptographically Insecure Encryption Ciphers
A common mistake on older web host servers is allowing for cryptographically insecure cipher suites. The National Institute of Standards and Technology (NIST) recommends that servers should not support Transport Layer Security (TLS) versions 1.0 or 1.1. They should be configured to support versions 1.2 and above.
When web servers support older, vulnerable TLS versions, a suitably positioned attacker (e.g., on the same network or Wi-Fi hotspot as a client machine) could perform a downgrade attack. Older TLS versions are often enabled to support older applications, but they present a significant risk to user data security.
To disable insecure ciphers in WHM go to:
Service Configuration → Apache Configuration → Global Configuration Documentation → SSL Cipher Suite
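The WHM interface writes an SSLProtocol directive into the Apache configuration, and because the directive is built from +/- tokens it is easy to leave TLS 1.0 or 1.1 enabled by accident ("all -SSLv3", the Apache 2.4 default, still allows both). The script below is an added example, not code from the article or from cPanel: it computes which protocol versions a given SSLProtocol line leaves enabled and fails if anything below TLS 1.2 remains. Tokens are processed left to right, with "all" enabling every version, "-X" removing X, and "+X" or a bare "X" adding X; that is a simplification of mod_ssl's parser assumed for this example, and the two sample config files are constructed.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): evaluate an Apache SSLProtocol
# directive and flag protocol versions older than TLS 1.2.

ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# has_proto "LIST" NAME -> true if NAME is in the space-separated LIST
has_proto() { case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac; }

# add_proto "LIST" NAME -> LIST with NAME appended once
add_proto() {
  if has_proto "$1" "$2"; then echo "$1"; else echo "${1:+$1 }$2"; fi
}

# remove_proto "LIST" NAME -> LIST without NAME
remove_proto() {
  local out="" p
  for p in $1; do [ "$p" = "$2" ] || out="${out:+$out }$p"; done
  echo "$out"
}

# effective_protocols TOKEN... -> space-separated list of the versions left enabled
effective_protocols() {
  local enabled="" tok
  for tok in "$@"; do
    case $tok in
      all|+all) enabled=$ALL_PROTOCOLS ;;
      -all)     enabled="" ;;
      -*)       enabled=$(remove_proto "$enabled" "${tok#-}") ;;
      +*)       enabled=$(add_proto "$enabled" "${tok#+}") ;;
      *)        enabled=$(add_proto "$enabled" "$tok") ;;
    esac
  done
  echo "$enabled"
}

# tls_policy_ok "ENABLED LIST" -> fails if SSLv3, TLS 1.0 or TLS 1.1 is still enabled
tls_policy_ok() {
  local p
  for p in $1; do
    case $p in
      SSLv3|TLSv1|TLSv1.1)
        echo "FAIL: $p is still enabled (NIST: support TLS 1.2 or newer only)"; return 1 ;;
    esac
  done
  echo "OK: $1"
}

# sslprotocol_tokens FILE -> the tokens of the last SSLProtocol line in an Apache config
sslprotocol_tokens() {
  awk 'tolower($1) == "sslprotocol" { $1 = ""; line = $0 } END { print line }' "$1"
}

# check_config FILE -> evaluate the SSLProtocol line of a config file
check_config() {
  tls_policy_ok "$(effective_protocols $(sslprotocol_tokens "$1"))"
}

# constructed samples: the Apache 2.4 default directive and a hardened one
TMPD=$(mktemp -d)
printf 'SSLProtocol all -SSLv3\n' > "$TMPD/ssl_default.conf"
printf 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n' > "$TMPD/ssl_hardened.conf"
for c in ssl_default.conf ssl_hardened.conf; do
  printf '%s: ' "$c"; check_config "$TMPD/$c" || true
done
```

The protocol list is only half of the cipher-suite setting; the SSLCipherSuite string in the same WHM screen should likewise exclude NULL, export, RC4, DES and MD5-based suites, and a TLS 1.2-only server gains nothing if a weak cipher is left in that string.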
9. Configure Hardened Firewall Settings
A hardware firewall can be used to whitelist the services available on the server. By blocking unwanted services, no traffic reaches the server unless it is explicitly allowed on the firewall. For web servers, ports 80 and 443 are necessary, and you can block all other traffic from reaching the server.
The web server might host other services, and these should be carefully considered before opening ports on the firewall. For example, telnet and FTP should not be available, as they transfer data over cleartext channels. Telnet should be blocked, but you can offer the secure alternative SFTP (port 22) to users who want to manage files with a file transfer protocol.
10. Add a Web Application Firewall (WAF)
A WAF defends the web server from application-based attacks. For example, a WAF would detect malicious SQL input sent from a web form. Attackers have numerous application-level attacks to choose from, so you need a WAF that effectively detects malicious traffic and alerts administrators. WAF reports also provide an overall view of traffic requests so that administrators can identify a malicious host, IP address, or client.
Application-level security covers more than just web input. A WAF protects cookie transfers by requiring that they must be encrypted, checks for viruses in file uploads, stops path traversal, logs activity on the web host, forces TLS encrypted connections, and prevents cross-site scripting (XSS) attacks. It’s a tool that provides extensive cybersecurity in environments where numerous applications are installed including ones that cannot be verified by administrators.
Any discussion of WAFs has to mention ModSecurity. ModSecurity is a WAF for web servers that monitors traffic in real time. It looks for anomalies at the application layer rather than at the network layer, as a traditional hardware firewall does. Installation commands depend on your distribution. For example, you can install ModSecurity on CentOS 7 using:
sudo yum install mod_security
After you install ModSecurity, you must restart Apache.
Numerous vendors publish rule sets that ModSecurity can load. For example, OWASP publishes the ModSecurity Core Rule Set, but proper rule configuration depends on the applications the server runs and may require advanced skills.
11. Secure Passwords
Whether it’s customer or administrator passwords, they should be stored and implemented using best practices. Secure passwords are also a component in compliance regulations. Passwords should be complex and be at least 10 characters in length for applications storing critical information. For administrators and highly sensitive applications, a 12-character password is recommended.
Complex passwords are rendered insecure if they are stored using cryptographically weak hashing. For example, passwords should not be hashed with MD5 and stored in a database. They should be salted and hashed using SHA-2 or SHA-3 or another cryptographically secure hash function approved by NIST.
12. Web and Email Security
Internal employees are a target for cyber-criminals, and phishing is a primary tool in a threat actor’s toolbox. Email messages with suspicious content, including attachments, should be heavily monitored. A standard document with malicious macros can download malware, install it on the network, and create significant downtime for the entire organization.
Ransomware attacks continue to increase, and they cripple entire governments and businesses locking them out of important files and forcing a payment in cryptocurrency. Just recently, ransomware shut down a major gas pipeline in the US that supplied 45% of the fuel consumed on the east coast. It’s a major threat to any organization.
Email filters stop many malicious email messages from reaching users’ inboxes. Web content filters work in conjunction with email filters and block users from accessing malicious web content. Your organization should also implement Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to stop attackers from spoofing your domain in their phishing campaigns.
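SPF and DMARC only stop spoofing when the published records are strict: an SPF record ending in "+all" or "?all" authorizes everyone, and a DMARC policy of "p=none" merely reports. The checker below is an added example, not code from the article or from cPanel; it validates the shape of an SPF TXT record (version tag, terminal "all" qualifier, and the ten-DNS-lookup limit from RFC 7208) and of a DMARC record (version tag and an enforcing p= policy). The records it checks are constructed strings; for a live domain you would feed it the output of dig +short TXT example.com and dig +short TXT _dmarc.example.com.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): sanity-check SPF and DMARC
# TXT records for the settings that actually block domain spoofing.

# spf_record_ok "RECORD" -> OK with the lookup count, or a FAIL line and status 1
spf_record_ok() {
  local rec=$1 n=0 t
  case $rec in "v=spf1 "*) ;; *) echo "FAIL SPF: record must start with v=spf1"; return 1 ;; esac
  case $rec in
    *" -all"|*" ~all") ;;
    *" +all"|*" ?all") echo "FAIL SPF: +all/?all lets anyone send as the domain"; return 1 ;;
    *) echo "FAIL SPF: record must end with -all (fail) or ~all (softfail)"; return 1 ;;
  esac
  # RFC 7208 limits the mechanisms that trigger DNS lookups to 10 per evaluation
  for t in $rec; do
    t=${t#[-+~?]}                       # strip an explicit qualifier
    case $t in
      a|a:*|a/*|mx|mx:*|mx/*|include:*|exists:*|redirect=*|ptr|ptr:*) n=$((n + 1)) ;;
    esac
  done
  [ "$n" -le 10 ] || { echo "FAIL SPF: $n DNS lookups, receivers stop evaluating after 10"; return 1; }
  echo "OK SPF ($n lookups)"
}

# dmarc_record_ok "RECORD" -> OK for p=reject/quarantine, otherwise a WARN/FAIL line and status 1
dmarc_record_ok() {
  local rec=$1 policy
  case $rec in "v=DMARC1;"*) ;; *) echo "FAIL DMARC: record must start with v=DMARC1;"; return 1 ;; esac
  policy=$(printf '%s' "$rec" | tr -d ' ' | tr ';' '\n' | awk -F= '$1 == "p" { print $2 }')
  case $policy in
    reject|quarantine) echo "OK DMARC: p=$policy" ;;
    none) echo "WARN DMARC: p=none only reports, spoofed mail is still delivered"; return 1 ;;
    "")   echo "FAIL DMARC: missing p= tag"; return 1 ;;
    *)    echo "FAIL DMARC: unknown policy $policy"; return 1 ;;
  esac
}

# constructed records, as dig +short TXT would return them without the quotes
for r in "v=spf1 mx include:_spf.example.net -all" \
         "v=spf1 mx +all" \
         "spf1 mx -all"; do
  printf '%-45s -> ' "$r"; spf_record_ok "$r" || true
done
for r in "v=DMARC1; p=reject; rua=mailto:dmarc@example.com" \
         "v=DMARC1; p=none; rua=mailto:dmarc@example.com"; do
  printf '%-45s -> ' "$r"; dmarc_record_ok "$r" || true
done
```

Start with p=none and the rua= reporting address to see which legitimate senders would fail, then move to quarantine and reject; the checker treats none as a warning precisely because it is the right first step but the wrong place to stop.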
13. Timely Application Updates
As with any application, keeping cPanel updated will eliminate security vulnerabilities in older, end-of-life (EOL) or unsupported versions. Older EOL versions no longer receive security patches, so your server and your customer sites could be vulnerable to the latest exploits. Since cPanel controls many aspects of customer websites, it should be updated as soon as possible when a new version is released, especially if your current version is deprecated.
You can update cPanel from WHM, but most administrators manually update it using the command line. You can first run the following command to view the currently installed cPanel version:
/usr/local/cpanel/cpanel -V
If you determine that your version must be upgraded, run the following command to install the latest cPanel version (note that the nightly automatic update is turned on by default; add --force to run the update even when the version appears current):
/usr/local/cpanel/scripts/upcp
14. Enable Brute-Force Protection
Even with strong secure passwords implemented, attackers use scripts that attempt to “guess” credentials stored on the web server. It could be administrator credentials or customer passwords. Threat actors will use downloaded passwords along with their own custom dictionary of common passwords in combination with other hacked account information in an automated brute-force attack.
The cPanel application has a brute-force protection mechanism named cPHulk. This tool can be enabled on your web hosting server to mitigate brute-force attacks. It monitors several ports associated with brute-force scans and blocks IP addresses executing an attack.
Imunify360 also offers the same brute-force protection and more. It’s a more convenient and thorough option instead of focusing on different cybersecurity components that handle their own functions. Not only does it have anti-malware functions, but it also combines an Intrusion Prevention and Detection system, Linux malware scanner, a Web Application Firewall, Real-time Antivirus protection, a Network Firewall, and Patch Management components.
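What cPHulk automates is visible in the SSH authentication log: many failed logins from one address in a short window. The script below is an added example, not code from the article, cPanel or Imunify360; it counts "Failed password" events per source address in a /var/log/secure-style log and flags any address that reaches a threshold within a single minute, which is useful for reviewing a host before protection is enabled or for confirming that cPHulk's blocks line up with what the log shows. The log lines are constructed samples; on a real host you would run the functions against /var/log/secure.

```shell
#!/bin/sh
# Added example (not from the article, cPanel or Imunify360): spot brute-force
# login attempts in an sshd log by counting failures per source address.

# failed_logins_by_ip LOG -> "count ip" lines, busiest address first
failed_logins_by_ip() {
  awk '/Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# flag_brute_force LOG THRESHOLD -> "ip hh:mm count" for each address with at least
# THRESHOLD failures inside one minute ($3 is the syslog time, hh:mm:ss)
flag_brute_force() {
  awk -v thr="$2" '/Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
         n[ip " " substr($3, 1, 5)]++
       }
       END { for (k in n) if (n[k] >= thr) print k, n[k] }' "$1" | sort
}

# constructed log: six failures from one address within a minute, two spread-out
# failures from another, and one legitimate key-based login
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
May 10 12:00:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
May 10 12:00:04 host sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
May 10 12:00:09 host sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 51244 ssh2
May 10 12:00:15 host sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 51250 ssh2
May 10 12:00:22 host sshd[1209]: Failed password for root from 198.51.100.7 port 51258 ssh2
May 10 12:00:31 host sshd[1211]: Failed password for root from 198.51.100.7 port 51263 ssh2
May 10 12:01:10 host sshd[1220]: Failed password for deploy from 203.0.113.9 port 40120 ssh2
May 10 12:01:40 host sshd[1222]: Accepted publickey for deploy from 192.0.2.20 port 40000 ssh2
May 10 12:07:30 host sshd[1230]: Failed password for deploy from 203.0.113.9 port 40310 ssh2
EOF

echo "failed logins per address:"
failed_logins_by_ip "$AUTH_LOG"
echo "addresses with 5 or more failures in one minute:"
flag_brute_force "$AUTH_LOG" 5
```

The per-minute bucket is deliberately coarse; a burst that straddles a minute boundary is split across two buckets, so a sliding window (or a lower threshold) is needed if the goal is to catch slower, distributed guessing rather than a single noisy client.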
15. The cPanel Security Advisor
Administrators unfamiliar with the signs of a compromise need help identifying issues. The Security Center section of WHM has a tool named Security Advisor. Security Advisor lists concerns including outdated software, poor password strength, and potential misconfigurations. It provides suggestions for administrators so that they can take action and remediate the issue.
The Security Advisor is found in WHM, but you can configure it to send alerts to administrators. It’s color-coded so that critical issues can be differentiated from warnings and informational content. You can get a list of colors and what they mean on the cPanel site, and set priorities based on the severity of the issue.
16. Implement Backups
Backups are part of cybersecurity, business continuity, and disaster recovery. Every administrator should have a backup plan with a set retention duration (e.g., two weeks, one month). The cPanel application has a backup tool to create full or partial backups of all files. Backups should be taken frequently, but the cadence should be set based on the business and its own disaster recovery rules. The Backup Wizard can be found in the “Files” section of the cPanel application.
After backups are taken, they should be stored in a safe location. Backups contain data valuable to an attacker, so they should be safeguarded against threats. You should have at least one full backup, and then you can take partial backups of each section of sites as needed to limit storage space.
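A backup that has never been verified is a guess, not a recovery plan. The script below is an added example, not code from the article or from cPanel's backup tool: it archives a site directory, writes a SHA-256 checksum beside the archive, restricts the archive to its owner (the "valuable to an attacker" point above), and verifies both the checksum and the archive's readability before the file is trusted for a restore. The source tree is constructed in a temp directory; in practice make_backup would be pointed at an account directory and an off-server destination, and the naming scheme backup-<timestamp>-<pid>.tar.gz is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the article or cPanel): create, protect and verify a
# compressed backup with a recorded SHA-256 checksum.

# hash_cmd ARGS... -> sha256sum where available, otherwise shasum -a 256
hash_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# make_backup SRC_DIR DEST_DIR -> prints the archive path; writes DEST_DIR/NAME.sha256
make_backup() {
  local src=$1 dest=$2 name archive
  name="backup-$(date +%Y%m%d-%H%M%S)-$$.tar.gz"
  archive="$dest/$name"
  # umask 077 in a subshell: the archive is created owner-only without changing
  # the caller's umask
  ( umask 077 && tar -czf "$archive" -C "$src" . ) || return 1
  ( cd "$dest" && hash_cmd "$name" > "$name.sha256" ) || return 1
  echo "$archive"
}

# verify_backup ARCHIVE -> true if the recorded checksum matches and the archive lists cleanly
verify_backup() {
  local dest name
  dest=$(dirname "$1"); name=$(basename "$1")
  ( cd "$dest" && hash_cmd -c "$name.sha256" >/dev/null 2>&1 ) \
    || { echo "FAIL: checksum mismatch for $name"; return 1; }
  tar -tzf "$1" >/dev/null 2>&1 \
    || { echo "FAIL: $name is not a readable archive"; return 1; }
  echo "OK: $name verified"
}

# constructed site tree and destination
WORK=$(mktemp -d)
mkdir -p "$WORK/src/public_html" "$WORK/dest"
printf '<h1>constructed site</h1>\n' > "$WORK/src/public_html/index.html"

ARCHIVE=$(make_backup "$WORK/src" "$WORK/dest")
echo "wrote $ARCHIVE"
ls -l "$ARCHIVE"
verify_backup "$ARCHIVE"

# simulate corruption in transit or on disk: a single appended byte breaks the checksum
printf 'x' >> "$ARCHIVE"
verify_backup "$ARCHIVE" || true
```

Keep the .sha256 file with the copy you ship off-server, and run verify_backup on that copy rather than on the original; a checksum only proves anything when it is compared at the place the restore would happen.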
17. Setup Security Tools for cPanel
The cPanel website has several plugins available for security. These tools are third-party solutions, but the most common integrated tool included in cPanel is the ConfigServer Security and Firewall (CSF) plugin. This tool acts as a firewall that controls traffic flow, helps mitigate distributed denial-of-service (DDoS) attacks, and tracks network connections.
A few other beneficial cPanel tools integrated into the software include ImunifyAV (a free Linux server antivirus), Imunify360, and ImunifyAV+. All these tools have various benefits, and they offer a convenient yet effective way to harden security on the web server.
A web server is a critical component not just for hosters, but for their customers as well. For this reason, it should be monitored and secured with the best configurations possible. You could perform these configurations manually, or you can rely on Imunify360 as the next step to secure your server. Just one tool, centralized reports, and advanced threat protection that basic tools can’t offer.