Hardening your cPanel server can be split into six areas.
Server security overall (not very much related to cPanel)
SSH/Telnet Check (7 Steps)
Mail Check (4 Steps)
Apache Check (9 Steps)
PHP Check (4 Steps)
WHM Settings Check (32 Steps)
Server Check (13 steps)
- Secure temp folder: Check /tmp permissions
/tmp should be chmod 1777.
- Check /tmp ownership
/tmp should be owned by root:root.
- Check /var/tmp permissions
/var/tmp should be chmod 1777.
- Check /var/tmp ownership
/var/tmp should be owned by root:root.
- Check /usr/tmp permissions
/usr/tmp should be chmod 1777.
- Check /usr/tmp ownership
/usr/tmp should be owned by root:root.
- Check for DNS random query source port
ISC recommends that you do not configure BIND to use a static query port. You should remove or disable the query-source line that specifies port 53 in the named configuration files.
- Check nobody cron
If you have a nobody cron log file, check that it has not been created by an exploit.
- Check Perl version
The version of Perl (v5.032000) is out of date, and you should upgrade it.
- Check SUPERUSER accounts
You have accounts other than root set up with UID 0. This is a considerable security risk. You should use su, or best of all sudo, for such access.
- Check for dhclient
In a standard hosting environment, DHCP is no longer needed. In fact, it badly hinders standard cPanel hosting operations. On a shared hosting server, this setting poses a security risk. You should configure all network cards with static IPs.
- Check for swap file
A swap file is necessary for any server, as it is used when RAM runs out. Not having a swap file is a performance and stability risk. Make sure your server has a swap file configured, preferably on a dedicated partition. We have written a tutorial on how to create a swap file: << link >> create a swap file on the existing partition for the cPanel server.
- Check server services
The following services come with all cPanel servers by default but are not needed by almost all shared hosting servers.
Each service can usually be disabled using:
/bin/systemctl stop [service]
/bin/systemctl disable [service]
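As an added example (a shell script written for this page, not part of the original checklist), the functions below audit the temp-directory permission and ownership items and the UID 0 item above; the directories and the passwd path are parameters, so a copy of /etc/passwd can be checked offline.

```shell
#!/bin/sh
# Added example (not from the original article): audits the temp-
# directory and UID 0 items from the Server Check list above.

# tmp_mode_ok DIR: succeeds if DIR exists with mode exactly 1777
tmp_mode_ok() {
    [ -d "$1" ] || return 1
    # -perm 1777 with no leading - or / means "exactly these bits"
    [ -n "$(find "$1" -maxdepth 0 -perm 1777 2>/dev/null)" ]
}

# dir_owner_ok DIR USER GROUP: succeeds if DIR is owned by USER:GROUP
# (names or numeric ids are both accepted by find)
dir_owner_ok() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -maxdepth 0 -user "$2" -group "$3" 2>/dev/null)" ]
}

# uid0_accounts_other_than_root PASSWD_FILE: prints every account
# with UID 0 that is not root, one per line (no output means clean)
uid0_accounts_other_than_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# audit_tmp_dirs DIR...: reports each directory; the exit status is
# the number of directories failing the mode or ownership check
audit_tmp_dirs() {
    failures=0
    for d in "$@"; do
        if tmp_mode_ok "$d" && dir_owner_ok "$d" root root; then
            echo "OK   $d is 1777 root:root"
        else
            echo "FAIL $d must be chmod 1777 and owned by root:root"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run on the live server with: audit_tmp_dirs /tmp /var/tmp /usr/tmp
# and: uid0_accounts_other_than_root /etc/passwd
```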
SSH/Telnet Check (7 Steps)
- Check if SSHv1 is disabled
SSHv1 is long gone; make sure it is disabled in /etc/ssh/sshd_config by setting: Protocol 2
- Move SSH to a non-standard port (other than 22)
Almost all password brute-force attacks are made against the standard SSH port. You should consider moving SSH to a non-standard port. If you are using a firewall, open your new port in the firewall first to avoid locking yourself out. Here is in detail how to change your SSH port.
- Check SSH PasswordAuthentication
This is recommended but could be hard to practice if you do not use a password manager. With this option, the chance of being nailed by a brute-force attack reaches zero. To do it, disable PasswordAuthentication and only allow access with PubkeyAuthentication.
- Check SSH UseDNS
You need to disable UseDNS by editing /etc/ssh/sshd_config and setting: UseDNS no. With UseDNS enabled, lfd will be unable to track SSHD login failures successfully, as the log files will not report IP addresses.
- Disable telnet, make sure port 23 is not in use
Telnet is an insecure protocol, and it is not needed by most shared hosting servers. You should disable the telnet daemon if it is running.
- Check shell limits / enable Shell Fork Bomb Protection
DoS exploits can very easily take up server resources when shell access is not well configured. cPanel provides a very good way to mitigate such problems: use the WHM options to enable “Shell Fork Bomb Protection”.
- Enable Background Process Killer
Another good tool provided by cPanel; you should enable all of its options in WHM > “Background Process Killer”.
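The sshd_config items above (Protocol, Port, PasswordAuthentication, PubkeyAuthentication, UseDNS) can be verified with the following shell functions, added here as an example and not taken from the original article; they assume the standard “Keyword value” syntax and mimic sshd's rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example (not from the original article): reads the
# effective value of sshd_config keywords and reports the SSH
# items above. sshd uses the FIRST occurrence of a keyword, and
# this mimics that; Match blocks are not handled.

# sshd_setting FILE KEYWORD: prints the first uncommented value
# of KEYWORD (case-insensitive match, as in sshd); empty if unset
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# expect_setting FILE KEYWORD WANTED DEFAULT: fails when the
# effective value (DEFAULT if the keyword is absent) is not WANTED
expect_setting() {
    val=$(sshd_setting "$1" "$2")
    [ -n "$val" ] || val=$4
    if [ "$val" = "$3" ]; then
        echo "OK   $2 $val"
    else
        echo "FAIL $2 is '$val', want '$3'"
        return 1
    fi
}

# audit_sshd FILE: runs the checklist; exit status is the number
# of failed items. Defaults follow current OpenSSH (password and
# public-key authentication on, UseDNS off); Protocol must be set.
audit_sshd() {
    fails=0
    expect_setting "$1" Protocol 2 absent             || fails=$((fails + 1))
    expect_setting "$1" PasswordAuthentication no yes || fails=$((fails + 1))
    expect_setting "$1" PubkeyAuthentication yes yes  || fails=$((fails + 1))
    expect_setting "$1" UseDNS no no                  || fails=$((fails + 1))
    # Any port other than the default 22 satisfies the checklist
    port=$(sshd_setting "$1" Port)
    if [ "${port:-22}" = 22 ]; then
        echo "FAIL Port is 22; move SSH to a non-standard port"
        fails=$((fails + 1))
    else
        echo "OK   Port $port"
    fi
    return "$fails"
}
```

Run it as `audit_sshd /etc/ssh/sshd_config`; a non-zero exit status is the count of items still to fix.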
Mail Check (4 Steps)
- Check root email forwarder
The root email must have a forwarder so that you, as the server admin, receive all critical server emails.
- Exim extended logging for tracking SPAM (log_selector)
If you want to track and catch spam, you must enable Exim extended logging. To do that, in “Exim Configuration Manager” > “Advanced Editor” > log_selector, add:
log_selector = +arguments +subject +received_recipients
- Check weak SSL/TLS ciphers in exim config (tls_require_ciphers)
Cipher list:
[ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384]
Due to weaknesses in the SSLv2 cipher, you should disable WHM > Exim Configuration Manager > “Allow weak SSL/TLS ciphers to be used”, and also ensure that tls_require_ciphers in /etc/exim.conf does not allow SSLv2, as OpenSSL currently shows that it does.
- Check exim for secure authentication
You should require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server; otherwise, passwords may be sent in plain text. Set this in WHM > Exim Configuration Manager.
- Check dovecot weak SSL/TLS ciphers (ssl_cipher_list)
Cipher list:
[ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384]
Due to weaknesses in the SSLv2 cipher, you should disable SSLv2 in WHM > Mailserver Configuration > SSL Cipher List > remove +SSLv2 or add -SSLv2.
Apache Check (9 Steps)
- Check apache version
The minimum Apache version you should be using is v2.2.*, which is the minimum recommended by the Apache organization.
- Check Apache for ModSecurity
If you are running a shared hosting server, ModSecurity is a must-have. If you have not compiled Apache with it, recompile it with the ModSecurity option. It prevents the exploitation of vulnerable web scripts.
- Check Apache for mod_cloudflare
This module logs the real user’s IP address to Apache. A must-have, as more and more users are moving to Cloudflare.
- Check Apache for FrontPage
Microsoft FrontPage Extensions reached EOL in 2006, and there is no support for bugs or security issues. It is a huge security risk, and nobody uses it nowadays.
- Check Apache weak SSL/TLS ciphers (SSLCipherSuite)
Cipher list:
[ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256]
Due to known and well-exploited weaknesses in the SSLv2 cipher, you as a server admin should avoid using it. To do that, disable SSLv2 in WHM > Apache Configuration > Global Configuration > SSLCipherSuite, then add -SSLv2 to SSLCipherSuite and/or remove +SSLv2. After that, you need to save and rebuild the configuration and then restart Apache.
- Disable Apache TraceEnable
You should disable TraceEnable in: WHM > Apache Configuration > Global Configuration > Trace Enable > Off
Again, to make these changes take effect, click rebuild Apache configuration and then restart it; changes made to httpd.conf alone will not take effect without doing this.
- Disable apache ServerSignature
You should set Apache ServerSignature to Off in: WHM > Apache Configuration > Global Configuration > Server Signature > Off
As usual, save, rebuild the configuration, and restart Apache.
- Set Apache ServerTokens appropriately
Set Apache ServerTokens to ProductOnly. To do that: WHM > Apache Configuration > Global Configuration > Server Tokens > Product Only.
Save, rebuild the configuration, and restart Apache.
- Check Apache for FileETag
FileETag should always be set to None for shared hosting servers. To do that: WHM > Apache Configuration > Global Configuration > File ETag > None, then save, rebuild the configuration, and restart Apache.
PHP Check (4 Steps)
- Check PHP version
Any version of PHP older than v7.2.* is now obsolete and should be considered a security threat. You should upgrade exclusively to PHP v7.3+.
- Check PHP for enable_dl or disabled dl()
To prevent your users from loading PHP modules that would affect all other users, you need to set:
enable_dl = Off
All necessary dynamic libraries should be loaded directly in the PHP configuration.
- Disable dangerous PHP functions
There are PHP functions that are rarely used by common applications (WordPress, Joomla, Moodle, etc.) but are often exploited by attackers. The most common of these functions are listed below. Disable them in the php.ini file:
disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open
- Check PHP for register_globals
You should set: register_globals = Off
It is not needed nowadays and should only be enabled when it is absolutely necessary. It is such a significant security risk that it should be evaluated carefully against the benefits.
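The three php.ini settings above (enable_dl, disable_functions, register_globals) can be checked with this added example script, which is not from the original article; it assumes plain “key = value” ini syntax with “;” comments and audits whichever php.ini path it is given, so a copy can be reviewed offline.

```shell
#!/bin/sh
# Added example (not from the original article): checks a php.ini
# against the three PHP settings above. Assumes "key = value" syntax.

# ini_value FILE KEY: prints the last uncommented value of KEY (PHP keeps
# the last assignment), with surrounding whitespace and quotes stripped.
ini_value() {
    awk -v key="$2" -F= '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1); sub(/;.*$/, "", v)
                   gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v }
        END { print val }' "$1"
}
# Functions the article says to disable.
DANGEROUS_FUNCS="show_source system shell_exec passthru exec popen proc_open"

# missing_disabled_functions FILE: prints the dangerous functions that are
# NOT listed in disable_functions (no output means all are disabled).
missing_disabled_functions() {
    disabled=",$(ini_value "$1" disable_functions | tr -d ' '),"
    for fn in $DANGEROUS_FUNCS; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# flag_is_off FILE KEY: succeeds only if KEY is explicitly set to off.
flag_is_off() {
    case "$(ini_value "$1" "$2" | tr 'A-Z' 'a-z')" in
        off|0|no|false) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: reports the three items; exit status = failures.
audit_php_ini() {
    fails=0
    for key in enable_dl register_globals; do
        if flag_is_off "$1" "$key"; then echo "OK   $key = Off"
        else echo "FAIL $key must be Off"; fails=$((fails + 1)); fi
    done
    missing=$(missing_disabled_functions "$1")
    if [ -z "$missing" ]; then echo "OK   disable_functions is complete"
    else echo "FAIL add to disable_functions:" $missing; fails=$((fails + 1)); fi
    return "$fails"
}
```

Run it as `audit_php_ini /path/to/php.ini`; the report lists which of the article's functions are still callable.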
WHM Settings Check (32 Steps)
- Check cPanel login is SSL only (Must have)
In Tweak Settings, choose the option:
WHM > Tweak Settings > “Choose the closest matched domain for which the system has a valid certificate when redirecting from non-SSL to SSL URLs”
- Check boxtrapper is disabled
BoxTrapper is a good feature, and in the past it has been used very well, but with the emergence of new spam-avoidance techniques it is no longer relevant. It can lead to your server being listed in common RBLs. The ultimate effect can be an increase in the overall spam load instead of a decrease. In my opinion, it will soon be removed from future WHM/cPanel versions. You should disable it without a second thought.
To do that: WHM > Tweak Settings > BoxTrapper Spam Trap
- Disable GreyListing
Greylisting delays legitimate emails, for hours at least, when your server receives mail from a certain domain/server for the first time. This results in an increased support load and often leads to lost legitimate emails.
Other than the above problems, it also at times causes problems with “password verification” systems.
- Check if popbeforesmtp is disabled
Many server admins will not agree with this, as when enabled it offers smooth email connections for Outlook users of all versions. For other admins, and for me too, using “POP before SMTP” is a security risk. The SMTP AUTH option should be used in lieu of it.
You should disable it in WHM > Tweak Settings > “Allow users to relay mail if they use an IP address through which someone has validated an IMAP or POP3 login”
- Check max emails per hour is set
This is the ultimate solution for not getting your IPs listed in RBLs. By limiting the maximum number of emails a cPanel account can send in one hour, you certainly limit the damage potential spammers can do on the server.
To set a value, go to WHM > Tweak Settings > Max hourly emails per domain
- Check Reset Password for cPanel accounts
I believe this cannot be implemented in a shared environment, as end users will need it. But with some users who cannot protect their accounts, this poses a potential security risk and should be disabled unless necessary, in WHM > Tweak Settings > Reset Password for cPanel accounts.
- Check Reset Password for Subaccounts
This poses a potential security risk and should be disabled unless necessary, in WHM > Tweak Settings > Reset Password for Subaccounts.
- Check compilers
Compilers have been a known security risk since the early days of cPanel; you should disable compilers in WHM > Security Center > Compilers Access
- Check allow remote domains
Users can park domains that resolve to other servers on this server. Only domains that resolve to your server should be parked.
This can be disabled in WHM > Tweak Settings > Allow Remote Domain
- Check block common domains
Users can park common domain names on this server. This can easily aid phishing attacks.
Disable it in WHM > Tweak Settings > Prevent cPanel users from creating specific domains
- Check allow park domains
Users can park/addon domains that belong to other users on this server. Again, there is no practical use for this functionality for server admins who manage shared servers.
Disable this option in WHM > Tweak Settings > “Allow cPanel users to create subdomains across accounts”
- Check proxy subdomains
This option can mask a user’s real IP address and hinder security. You should disable WHM > Tweak Settings > Service subdomains
- Check cPAddons update email to resellers
You should have cPAddons email users if cPAddon installations require updating: WHM > Tweak Settings > “Notify reseller of cPAddons Site Software installations”
- Check cPAddons update email to root
You should have cPAddons email root if cPAddon installations require updating: WHM > Tweak Settings > Notify root of cPAddons Site Software installations
- Check cPanel tree
Running EDGE/BETA on a production server could lead to server instability. Only run stable cPanel releases.
- Check accounts that can access a cPanel user
You should consider setting this option to “user” after use: WHM > Tweak Settings > Accounts that can access a cPanel user account.
- Check cPanel passwords in email
You should not send passwords out in plain-text emails. You should disable WHM > Tweak Settings > Send passwords when creating a new account
- Check core dumps
You should disable WHM > Tweak Settings > Allow WHM/Webmail/cPanel services to create core dumps for debugging purposes
- Check Cookie IP Validation
You should enable strict cookie IP validation in WHM > Tweak Settings > Cookie IP validation
- Check MD5 passwords with Apache
You should enable WHM > Tweak Settings > Use MD5 passwords with Apache
- Check Referrer Blank Security
The blank referrer security check must be enabled. To enable it, go to WHM > Tweak Settings > Blank referrer safety check
- Check Referrer Security
Again, like blank referrer security, it is a must-have. Enable it in WHM > Tweak Settings > Referrer safety check
- Check HTTP Authentication
You should disable skiphttpauth in /var/cpanel/cpanel.config
- Check Parent Security
There is no need to allow other applications to run cPanel binaries unless you are doing some custom cPanel work for auto-deployment within your own applications.
You should disable WHM > Tweak Settings > Allow other applications to run the cPanel and admin binaries
- Check Domain Lookup Security
You should disable WHM > Tweak Settings > cpsrvd username domain lookup
- Check Password ENV variable
You should enable WHM > Tweak Settings > Hide login password from cgi scripts
- Check SMTP Restrictions
You should enable WHM > Security Center > SMTP Restrictions. If you are using the CSF firewall, it can be disabled safely, as it is replaced by the csf configuration option SMTP_BLOCK.
- Check AppConfig Required
You should disable WHM > Tweak Settings > “Allow apps that have not registered with AppConfig to be run when logged in as a reseller in WHM”
- Check AppConfig as root
You should disable WHM > Tweak Settings > “Allow apps that have not registered with AppConfig to be run when logged in as root or a reseller with the “all” ACL in WHM”
- Check AppConfig ACLs
You should disable WHM > Tweak Settings > “Allow apps that have not registered with AppConfig to be run when logged in as root or a reseller with the “all” ACL in WHM”
- Check AppConfig Feature List
You should disable WHM > Tweak Settings > “Allow cPanel and Webmail apps registered with AppConfig to be executed even if a Required Features list has not been defined”
- Check Security Tokens
Security Tokens should not be disabled, as without them the security of WHM/cPanel is compromised. The setting disable-security-tokens=0 should be set in /var/cpanel/cpanel.config