cPanel first shipped in 1996 to simplify Linux hosting management, and almost 30 years later it is still a favorite of website owners and hosting providers alike. Changes in the Linux operating system, additional distributions, new attack vectors and newly discovered vulnerabilities force the cPanel developers to release security patches frequently. The software has gone through many major versions, and each one adds features that widen the attack surface. You cannot remove that complexity, but you can reduce the chance of a successful exploit by following the practices below. This article goes over how to keep your cPanel server and the accounts on it protected.
If you need SSH running on the server, here are a few tips to harden security:
To stop Apache from listing the contents of directories that have no index file (a directory listing hands anyone the names of backup copies, configuration files and upload folders), change the directory's Options line from:
Options Indexes FollowSymLinks
To the following:
Options FollowSymLinks
Without Indexes, a request for a directory with no index file gets a 403 Forbidden response instead of a listing. After you change the file, you must restart Apache.
In WHM, open Service Configuration → Apache Configuration → Global Configuration.
In this settings window, turn off the server signature and set the server tokens so that responses no longer reveal the Apache version (ServerSignature Off, ServerTokens ProductOnly), disable file ETags and the HTTP TRACE method (TraceEnable Off), and enable symbolic link protection. None of these settings fix a vulnerability on their own: they deny attackers version information and the TRACE method, and symlink protection stops one hosting account from using a symbolic link to read another account's files through the web server.
At the heart of your hosting is the operating system, so it should be hardened to withstand attack. No configuration is 100% risk-free, but the right operating system settings greatly reduce the chance of a compromised system. An attacker who compromises the operating system can steal keys and data, install malware and take over the server. A few operating system best practices go a long way towards avoiding a critical cybersecurity incident.
Applications use the tmp directory (/tmp, and /var/tmp) for temporary storage, scratch files and lock files. It is world-writable by design: every local user and every web application process can create files there, and the system clears it on reboot. If an attacker gains code execution as a low-privileged user (through a compromised PHP site, for example), /tmp is the natural place to drop a downloaded binary or exploit and run it. Mounting tmp with the noexec and nosuid options does not stop the attacker from writing files there, but it stops the kernel from executing binaries from it and from honouring setuid bits on them, which breaks most drop-and-run payloads. Be aware of the limit: a script handed to an interpreter (perl /tmp/x.pl, bash /tmp/x.sh) still runs, so this is one layer of defense, not a complete block. You can configure the mount by hand, but on a cPanel server the securetmp script does it for you.
To secure the tmp partition with securetmp, run the script; its --help output lists the options:
/usr/local/cpanel/scripts/securetmp --help
/usr/local/cpanel/scripts/securetmp - secure /tmp and /var/tmp
Options:
- auto: skip interactive customization questions
- install: install & enable securetmp service
- uninstall: disable & uninstall securetmp service
- daemonize: run securetmp in background ( default true )
Sample usages:
# run in interactive mode
> /usr/local/cpanel/scripts/securetmp
# disable interactive mode, run in background
> /usr/local/cpanel/scripts/securetmp --auto
# disable interactive mode, do not run in background
> /usr/local/cpanel/scripts/securetmp --auto --nodaemonize
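After securetmp has run, it is worth confirming that the mounts really carry the options you expect, since a rebuilt or migrated server may have lost them. The following is an added example written for this article (it is not part of cPanel or its securetmp script) that reads mount lines in /proc/self/mounts format and reports which options are missing. The sample mount table is constructed; checking nodev in addition to the noexec and nosuid that securetmp sets is this example's own stricter baseline.

```python
"""Audit tmp mounts for the noexec/nosuid/nodev options.

Added example for this article; it is not part of cPanel or its securetmp
script. It reads mount lines in /proc/self/mounts format, so it can check a
live server or, as here, a constructed sample. securetmp itself mounts /tmp and
/var/tmp with noexec and nosuid; checking nodev as well is this example's own
(assumed) stricter baseline.
"""
from typing import Dict, List, Sequence

REQUIRED = ("noexec", "nosuid", "nodev")
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample in /proc/self/mounts format (device, mountpoint, fstype,
# options, dump, pass). /tmp and /var/tmp look like a securetmp setup;
# /dev/shm is a typical default tmpfs that still allows execution.
SAMPLE_MOUNTS = """\
/dev/vda1 / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
/usr/tmpDSK /tmp ext3 rw,nosuid,noexec,relatime,data=ordered 0 0
/tmp /var/tmp none rw,nosuid,noexec,relatime,bind 0 0
tmpfs /dev/shm tmpfs rw,seclabel,nosuid,nodev 0 0
"""


def parse_mounts(text: str) -> Dict[str, List[str]]:
    """Map each mountpoint to its option list. Later lines win, which matches
    the kernel's view when something is mounted over an earlier mount."""
    mounts: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # The kernel escapes spaces in paths as \040.
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = fields[3].split(",")
    return mounts


def missing_options(text: str, dirs: Sequence[str] = TMP_DIRS,
                    required: Sequence[str] = REQUIRED) -> Dict[str, List[str]]:
    """Return {directory: [missing options]} for each tmp directory.

    A directory that is not its own mount is reported as missing every
    option: it then sits on the root filesystem, which allows execution.
    """
    mounts = parse_mounts(text)
    report: Dict[str, List[str]] = {}
    for directory in dirs:
        opts = mounts.get(directory)
        if opts is None:
            report[directory] = list(required)
        else:
            report[directory] = [o for o in required if o not in opts]
    return report


def audit_live_server() -> Dict[str, List[str]]:
    """Run the same check against the running kernel's mount table."""
    with open("/proc/self/mounts", encoding="utf-8") as fh:
        return missing_options(fh.read())


if __name__ == "__main__":
    for directory, missing in missing_options(SAMPLE_MOUNTS).items():
        status = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{directory}: {status}")
```

Against the constructed sample the script reports nodev missing on /tmp and /var/tmp and noexec missing on /dev/shm, which is the usual state of a server where securetmp ran but /dev/shm was left at its default. Replace the sample with audit_live_server() to check a real host. Remember the caveat from the text: a passing audit means binaries cannot be executed directly from tmp, not that nothing can run from there.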
A compiler (gcc, for example) translates source code into machine-code binaries. Leaving one on a hosting server hands an attacker who has obtained a limited shell the ability to build their own tools on the box: upload the source of a privilege-escalation exploit or a rootkit, compile it locally and run it. Source files attract less attention than uploaded binaries, and a freshly compiled, never-before-seen binary will not match antivirus signatures. A shared web hosting server rarely needs a compiler except in unusual circumstances, so remove the compilers or, if you cannot remove them altogether, restrict them so that only root can run them.
You can disable compilers using WHM. The Compilers Tweak option in the Security Center of WHM disables compiler access for every unprivileged user. Note that this raises the bar rather than closing the door: an attacker can still compile on their own machine and upload a static binary, so combine it with the noexec tmp mount and upload monitoring.
Anything that goes wrong on the web server could cause downtime for users, including cPanel users. One web server could potentially crash hundreds of customer sites, so it’s critical that customers can always reach cPanel. Monitoring involves watching several components of the system including user activity, application activity, performance, and network connectivity. It’s the administrator’s responsibility to review monitoring reports, but a good tool should alert administrators when anomalies are detected.
You could have one or several tools for server monitoring, but they must target the right components on the web server. Monitoring is also a requirement for compliance, so it’s unavoidable for most hosts. Without it, your downtime could be unpredictably long, which ruins your reputation, lowers customer satisfaction, and violates service level agreements.
A few things you should monitor on a server:
A hosting server usually has a public IP address and a private (management) one. The public IP must accept traffic from anyone, but services bound to the private address should be reachable only by administrators and by the client applications that genuinely need them. In other words, hosts on the organization's private subnet may reach the management services, while a client arriving over the public IP should not be able to reach them at all.
The Apache Listen directive controls which addresses and ports Apache accepts connections on. By default, Listen 80 binds port 80 on every interface, including the private one. To limit Apache to the public address, give Listen the address and the port together (the port is required whenever an address is specified):
Listen 203.0.113.8:80
A common mistake on older hosting servers is allowing obsolete protocol versions and cryptographically weak cipher suites. The National Institute of Standards and Technology (NIST) guidance (SP 800-52 Rev. 2) is that servers must support Transport Layer Security (TLS) 1.2, should support TLS 1.3, and should not support TLS 1.0 or 1.1; both old versions have since been formally deprecated by the IETF.
When a server still accepts old versions, an attacker in a suitable position (on the same network or Wi-Fi hotspot as the client, for example) can interfere with the handshake so that both sides fall back to the weakest version and ciphers they have in common, and then attack that weaker connection. Older versions are usually left enabled to support old client applications, but they present a significant risk to user data.
To disable insecure protocol versions and ciphers in WHM go to:
Service Configuration → Apache Configuration → Global Configuration → SSL Cipher Suite
and edit the SSL Cipher Suite value together with the protocol setting (SSLProtocol) next to it. After saving, test from outside with openssl s_client -connect yourhost:443 -tls1_1, which should fail to negotiate.
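The directives behind those WHM settings, shown as an added example for this article rather than anything copied from cPanel's templates, look like the fragment below, with the weak values that older servers commonly carry beside the hardened ones. On a cPanel server do not edit httpd.conf directly: it is regenerated from templates, so set these values through WHM or put extra directives in an include under /etc/apache2/conf.d/includes/. The IP address is documentation space and the cipher list is one reasonable forward-secrecy-only choice, not the only correct one.

```apache
# Weak (what older servers often still carry):
#   Listen 80                          -> binds every interface, including the private one
#   SSLProtocol all -SSLv2 -SSLv3      -> still allows TLS 1.0 and 1.1
#   SSLCipherSuite ALL:!aNULL:!eNULL   -> still includes RC4 and 3DES suites

# Hardened: bind only the public address, require TLS 1.2+, AEAD suites with
# forward secrecy only.
Listen 203.0.113.8:80
Listen 203.0.113.8:443

# The +TLSv1.3 keyword needs Apache 2.4.37+ built against OpenSSL 1.1.1;
# on older builds drop it and the line still enforces TLS 1.2 only.
SSLProtocol     -all +TLSv1.2 +TLSv1.3
SSLCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
```

Validate with apachectl configtest before restarting (on cPanel, /usr/local/cpanel/scripts/restartsrv_httpd restarts the service), then confirm from another machine that openssl s_client -tls1_1 is refused while -tls1_2 succeeds. The two Listen lines assume the cPanel-managed httpd.conf does not already declare a conflicting Listen for the same port; duplicate Listen directives make Apache refuse to start.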
A network firewall, whether a dedicated hardware appliance or the host's own packet filter, should allowlist the services the server offers: by default no traffic reaches the server, and only the ports you specify are opened. For a web server, ports 80 and 443 must be open to the world. On a cPanel server the cPanel and WHM interfaces listen on their own ports (2083 and 2087 over TLS), so those must stay reachable too, ideally only from administrator IP ranges.
Any other service the server hosts should be considered carefully before its port is opened. Telnet and plain FTP transfer credentials and data in cleartext, so they should not be offered at all. Block telnet and, instead of FTP, offer SFTP, which runs over SSH (port 22) and gives users the same file management over an encrypted channel.
A web application firewall (WAF) defends the web server against application-layer attacks. For example, a WAF detects SQL injection in a web form submission and drops the request before it reaches the application. Attackers have many application-level attacks to choose from, so you need a WAF whose rules effectively identify malicious requests and alert administrators. WAF reports also give an overall view of request traffic, so administrators can pick out a malicious host, IP address or client.
Application-level protection covers more than form input. A WAF can add the Secure and HttpOnly flags to cookies, scan uploaded files for malware, block path traversal, log requests on the web host, redirect plain HTTP to TLS, and block cross-site scripting (XSS) payloads. That makes it valuable on a shared server running many applications, including ones the administrator cannot audit. It is a filter, not a fix: a WAF works by pattern matching and can be bypassed with encoding tricks, so it complements patching the applications rather than replacing it.
You can't discuss WAFs without mentioning ModSecurity, an open source WAF module for web servers that inspects traffic in real time. It looks for anomalies at the application layer rather than at the network layer like a traditional firewall. Installation commands depend on your distribution. On a stock CentOS 7 Apache server you can install it with:
sudo yum install mod_security
On a cPanel server Apache is provided by EasyApache 4, so install the EA4 package instead (yum install ea-apache24-mod_security2, or select it in WHM's EasyApache 4 interface).
After you install ModSecurity, you must restart Apache.
ModSecurity itself ships with almost no rules; detection comes from rule sets. Several vendors publish rule sets, and the OWASP ModSecurity Core Rule Set (CRS) is the usual starting point; the ModSecurity Vendors interface in WHM can install it. Proper rule configuration depends on the applications the server runs and may require advanced skills: run new rules in detection-only mode first (SecRuleEngine DetectionOnly), tune away the false positives, and only then switch to blocking.
Whether they belong to customers or administrators, passwords should be chosen, stored and checked according to current best practice; password policy is also a component of most compliance regulations. Length matters more than forced complexity: passwords should be at least 10 characters for applications storing critical information, and at least 12 for administrators and highly sensitive applications. Check new passwords against lists of known breached passwords rather than forcing periodic rotation without cause.
Strong passwords are wasted if they are stored badly. Passwords must never be stored in plaintext or as an unsalted fast hash such as MD5 or SHA-1. Salting and hashing with SHA-2 or SHA-3 is better, but those functions are designed to be fast, and a GPU can test billions of candidates per second against them. Store passwords with a purpose-built, deliberately slow password hashing function (Argon2id, bcrypt, scrypt, or the PBKDF2 that NIST SP 800-63B names), with a unique random salt per password and a work factor tuned so that one check takes tens of milliseconds on your hardware.
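What that looks like in practice, as an added example for this article (not cPanel code; applies to the applications your customers host, which usually carry their own user tables), using only the Python standard library:

```python
"""Password storage with a deliberately slow, salted hash (scrypt).

Added example for this article, not cPanel code; it uses only the Python
standard library (hashlib.scrypt needs Python 3.6+ built against OpenSSL 1.1+).
The stored string carries the scheme and work factors, so they can be raised
later and old records rehashed on the user's next successful login.
"""
import base64
import hashlib
import hmac
import os

# Work factors: n is the CPU/memory cost (2**14 with r=8 uses 16 MiB per
# hash), r the block size, p the parallelism. Raise n as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$<salt>$<hash>."""
    salt = os.urandom(16)  # unique per password, so equal passwords hash differently
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str):
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        raise ValueError("not an scrypt record")
    params = dict(kv.split("=", 1) for kv in parts[2].split(","))
    return (int(params["n"]), int(params["r"]), int(params["p"]),
            base64.b64decode(parts[3]), base64.b64decode(parts[4]))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.

    Malformed records verify as False instead of raising, so a corrupted row
    can never be turned into a bypass.
    """
    try:
        n, r, p, salt, expected = _parse(stored)
        digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                                dklen=len(expected))
    except (ValueError, KeyError, TypeError):
        return False
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bool:
    """True when the record is weaker than current policy, or is not an scrypt
    record at all (for example a legacy MD5 hex digest that must be migrated)."""
    try:
        stored_n, stored_r, stored_p, _, _ = _parse(stored)
    except (ValueError, KeyError, TypeError):
        return True
    return stored_n < n or stored_r < r or stored_p < p


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Tr0ub4dor&3", record))
    print(needs_rehash("5f4dcc3b5aa765d61d8327deb882cf99"))  # legacy MD5 of "password"
```

The migration path for an application that still holds MD5 hashes is the needs_rehash check: verify the login against the old hash once, and if it succeeds and needs_rehash is true, store a fresh scrypt record and discard the MD5. For new code, a dedicated library that implements Argon2id is equally good; the essential properties are the per-password salt, the tunable cost, and the constant-time comparison.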
Internal employees are a target for cyber-criminals, and phishing is a primary tool in a threat actor's toolbox. Email messages with attachments or other suspicious content should be heavily monitored. An ordinary-looking document with a malicious macro can download malware, install it on the network, and cause significant downtime for the entire organization.
Ransomware attacks continue to increase, and they cripple entire governments and businesses by locking them out of important files and demanding payment in cryptocurrency. In May 2021 ransomware shut down the Colonial Pipeline, which supplies about 45% of the fuel consumed on the US east coast. It is a major threat to any organization.
Email filters stop many malicious messages before they reach users' inboxes, and web content filters work alongside them to block access to malicious web content. Your organization should also publish Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records, together with DKIM signing, so that receiving servers can reject mail that spoofs your domain in phishing campaigns. DMARC only has an effect when SPF or DKIM passes with a domain aligned to the From header, so it needs at least one of the two in place.
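The records themselves, as an added example for this article (not from cPanel's documentation), for the placeholder domain example.com hosted on the server whose public address appears in the Listen example above. The DKIM selector and key value are placeholders: when the domain's DNS zone lives on the cPanel server, WHM's Email Deliverability interface generates the key pair and writes the record for you.

```dns
; SPF: only the domain's A and MX hosts plus the server's public IP may send
; mail for example.com; "-all" tells receivers to reject everything else.
example.com.                    IN TXT "v=spf1 a mx ip4:203.0.113.8 -all"

; DKIM: selector "default" and the key value are placeholders; cPanel
; publishes the real record when DKIM is enabled in Email Deliverability.
default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=REPLACE_WITH_PUBLIC_KEY_FROM_WHM"

; DMARC: reject mail that fails both aligned SPF and aligned DKIM, and send
; aggregate reports to the rua address. Start with p=none, read the reports
; for a few weeks, then move to p=quarantine and finally p=reject.
_dmarc.example.com.             IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

The strict alignment flags (adkim=s, aspf=s) mean a subdomain cannot pass on the parent domain's behalf; relax them to r if legitimate mail is sent from subdomains or by a third-party provider that signs with its own domain.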
As with any application, keeping cPanel updated closes the vulnerabilities that are known in older, end-of-life (EOL) or unsupported versions. EOL versions no longer receive security patches, so your server and your customers' sites could be exposed to the latest exploits. Since cPanel controls many aspects of customer websites, it should be updated as soon as possible when a new version is released, especially if your current version is deprecated.
You can update cPanel from WHM, or run the update from the command line. First view the currently installed cPanel version:
/usr/local/cpanel/cpanel -V
If your version must be upgraded, run the following to install the latest cPanel version in your release tier (the same script runs automatically every night when automatic updates are enabled in WHM's Update Preferences, so a server that is behind usually means they were switched off):
/usr/local/cpanel/scripts/upcp
Even with strong passwords in place, attackers run scripts that try to guess the credentials held on the web server, whether administrator or customer passwords. Threat actors feed leaked password dumps, custom dictionaries of common passwords and credentials from other breached accounts (credential stuffing) into automated brute-force attacks.
cPanel ships a brute-force protection service named cPHulk. Enable it on your hosting server to mitigate these attacks: it watches logins to cPanel, WHM, Webmail, SSH, FTP and the mail services, and blocks IP addresses (and temporarily locks accounts) after repeated failures. Add your own administrative IP addresses to its whitelist before enabling it, so that a typo in the root password cannot lock you out of your own server.
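The detection logic that such a blocker applies, as an added example written for this article (it is not cPHulk's or cPanel's code), run over constructed log lines. The line format is simplified (timestamp, service, client IP, user, outcome); real cPanel login_log lines differ, so the regular expression would need adjusting before pointing this at /usr/local/cpanel/logs/login_log.

```python
"""Sliding-window failed-login detection, the logic behind tools like cPHulk.

Added example for this article; it is not cPHulk's or cPanel's code. The log
lines are constructed in a simplified format (timestamp, service, client IP,
user, outcome). Real cPanel login_log lines differ, so LINE_RE would need
adjusting before running this against /usr/local/cpanel/logs/login_log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Optional

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<svc>\w+) (?P<ip>[\d.]+) (?P<user>\S+) (?P<result>FAILED|OK)$"
)

# Constructed sample: one IP hammering "admin"; five different IPs sharing
# failures against "bob" (a distributed, low-and-slow pattern that per-IP
# counting misses); and a legitimate user who mistypes a password now and then.
SAMPLE_LOG = """\
[2021-05-10 10:00:01] cpaneld 203.0.113.5 admin FAILED
[2021-05-10 10:00:03] cpaneld 203.0.113.5 admin FAILED
[2021-05-10 10:00:05] cpaneld 203.0.113.5 admin FAILED
[2021-05-10 10:00:08] cpaneld 203.0.113.5 admin FAILED
[2021-05-10 10:00:11] cpaneld 203.0.113.5 admin FAILED
[2021-05-10 10:01:00] sshd 198.51.100.7 deploy FAILED
[2021-05-10 10:02:00] sshd 198.51.100.7 deploy OK
[2021-05-10 10:10:00] cpaneld 198.51.100.20 bob FAILED
[2021-05-10 10:10:30] cpaneld 198.51.100.21 bob FAILED
[2021-05-10 10:11:00] cpaneld 198.51.100.22 bob FAILED
[2021-05-10 10:11:30] cpaneld 198.51.100.23 bob FAILED
[2021-05-10 10:12:00] cpaneld 198.51.100.24 bob FAILED
[2021-05-10 10:30:00] sshd 198.51.100.7 deploy FAILED
[2021-05-10 10:45:00] sshd 198.51.100.7 deploy FAILED
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, never counted as failures
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def find_bruteforce(lines: Iterable[str], key: str = "ip", max_failures: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> Dict[str, datetime]:
    """Return {key value: time the threshold was first crossed}.

    key="ip" catches a single source guessing many passwords; key="user"
    catches many sources sharing guesses against one account. A blocker such
    as cPHulk tracks both. Only failures within `window` of the newest one
    count, so a slow trickle of genuine typos never accumulates.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAILED":
            continue
        q = recent[ev[key]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= max_failures and ev[key] not in flagged:
            flagged[ev[key]] = ev["ts"]
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("by ip:  ", find_bruteforce(lines, key="ip"))
    print("by user:", find_bruteforce(lines, key="user"))
```

Per-IP counting flags 203.0.113.5 at its fifth failure; only the per-user pass flags the attack on bob, where each source IP fails just once. The deploy user's three failures spread over 45 minutes never exceed the threshold, which is the false-positive case a production blocker must handle. A real deployment would act on the result (a firewall rule or a temporary account lock) and would reset the count on a successful login.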
Imunify360 also offers the same brute-force protection and more. It’s a more convenient and thorough option instead of focusing on different cybersecurity components that handle their own functions. Not only does it have anti-malware functions, but it also combines an Intrusion Prevention and Detection system, Linux malware scanner, a Web Application Firewall, Real-time Antivirus protection, a Network Firewall, and Patch Management components.
Administrators unfamiliar with the signs of a compromise need help identifying issues. The Security Center section of WHM has a tool named Security Advisor. Security Advisor lists concerns including outdated software, poor password strength, and potential misconfigurations. It provides suggestions for administrators so that they can take action and remediate the issue.
The Security Advisor is found in WHM, but you can configure it to send alerts to administrators. It’s color-coded so that critical issues can be differentiated from warnings and informational content. You can get a list of colors and what they mean on the cPanel site, and set priorities based on the severity of the issue.
Backups are part of cybersecurity, business continuity and disaster recovery. Every administrator should have a backup plan with a defined retention period (e.g., two weeks, one month). The Backup Wizard in the Files section of the cPanel interface lets an account owner create full or partial backups of that account, and WHM's Backup Configuration schedules server-wide backups of every account. Backups should be taken frequently, with the cadence set by the business and its own disaster recovery rules.
After backups are taken, store them in a safe location off the server. A backup on the same disk is lost with it, and a backup reachable from a compromised server is both readable by the attacker (it contains every site's files, databases and credentials) and deletable by ransomware. Keep at least one full backup and then take partial or incremental backups of each site as needed to limit storage space, encrypt the backups at rest, and test a restore periodically; an untested backup is a hope, not a plan.
The cPanel website lists several third-party security plugins. The most widely installed is the ConfigServer Security & Firewall (CSF) plugin, a front end to the Linux packet filter (iptables or nftables) with a companion login failure daemon (lfd). It controls which ports accept traffic, tracks connections per source and can rate-limit them, which helps absorb small denial-of-service attempts (a genuinely distributed DDoS still has to be filtered upstream of the server), and blocks addresses that repeatedly fail logins.
A few other beneficial cPanel tools integrated into the software include ImunifyAV (free linux server antivirus), Imunify360, ImunifyAV+. All these tools have various benefits, and they offer a convenient yet effective way to harden security on the web server.
Beyond the essential steps, reinforce your defenses with two-factor authentication (2FA), a form of multi-factor authentication (MFA). WHM ships a Two-Factor Authentication feature in its Security Center that issues time-based one-time codes for any authenticator app.
With 2FA enabled, a stolen or guessed password is no longer enough to breach an account. The attacker also needs the second factor, a code from the user's phone or a hardware token. Phishing kits that relay one-time codes in real time do exist, so 2FA raises the bar substantially without replacing the other controls on this page.
Enable it first for every root and reseller WHM login, since those accounts control every site on the server, then encourage customers to turn it on for their cPanel accounts. It is a cheap way to stay ahead of credential-based attacks and keep a strong security posture.
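To make the second factor concrete, here is the mechanism behind authenticator-app codes (RFC 6238 TOTP) as an added example for this article, not cPanel's own 2FA implementation. It uses only the Python standard library; the secret is the published RFC 6238 test secret, so the expected codes are known values. A real deployment generates a random secret per user, stores it as carefully as a password hash, and delivers it to the app as an otpauth:// URI or QR code.

```python
"""Time-based one-time passwords (RFC 6238), the mechanism behind
authenticator-app second factors.

Added example for this article, not cPanel's 2FA code; it uses only the
Python standard library. The secret is the RFC 6238 Appendix B test secret,
so the expected codes are published values. A real deployment generates a
random secret per user, stores it like a password, and hands it to the
authenticator app as an otpauth:// URI or QR code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

RFC6238_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B (SHA-1) test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, drift: int = 1, used: Optional[Set[int]] = None) -> bool:
    """Accept the current step plus `drift` steps either side (clock skew).

    When a `used` set is supplied, a counter value that already succeeded is
    refused: a code phished or shoulder-surfed seconds ago must not work twice.
    """
    if len(code) != digits or not code.isdigit():
        return False
    now_counter = unix_time // step
    for offset in range(-drift, drift + 1):
        counter = now_counter + offset
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with base32, often unpadded or lowercase."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def current_code(secret: bytes) -> str:
    """The code an authenticator app would show right now for this secret."""
    return totp(secret, int(time.time()))


if __name__ == "__main__":
    # RFC 6238 vectors, 8 digits: T=59 -> 94287082, T=1111111109 -> 07081804
    print(totp(RFC6238_SECRET, 59, digits=8), totp(RFC6238_SECRET, 1111111109, digits=8))
    print(current_code(RFC6238_SECRET))
```

Two details matter for security rather than correctness: the comparison uses hmac.compare_digest so that timing does not leak how many leading digits matched, and the used set makes a code single-use within its window, which limits what a real-time phishing relay can do with a captured code. Keep the server clock synchronised with NTP; with drift=1 the verifier tolerates at most 30 seconds of skew in either direction.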
A web server is a critical component not just for hosters, but for their customers as well. For this reason, it should be monitored and secured with the best configurations possible. You could perform these configurations manually, or you can rely on Imunify360 as the next step to secure your server. Just one tool, centralized reports, and advanced threat protection that basic tools can’t offer.