As you learned in our Intro to Server Security, securing your server is one of the most important things you need to do when you’re setting up and maintaining your cPanel server. We’re building on the knowledge presented in the introduction to provide more advanced tips for server security.
In this article, you’ll learn more in-depth techniques and best practices for safeguarding your site, server, and account from hackers. We’ll cover security topics like:
- Managing Shell Access
- Recommended Security Settings
- Configuring Security Policies
- Restricting System Compilers on Your Server
- Setting Up a Firewall for Your Server
- Implement Rules for ModSecurity in WHM
- Disabling Redundant Services
- AND How to Stay Updated and Actively Monitor Your System
Steps to Secure Your Server
Aside from the Security Advisor, there are some manual steps each sysadmin should take to keep their server safe from attacks. Some of these are settings that can be disabled once, and others require regular monitoring. One of the first places to start is our knowledge base article about Recommended Security Settings. Pay special attention to the “Tweak Settings Checklist” as it has a lot of significant beginning steps. These additional suggestions provided below will help you set up a secure environment.
Enabling Configure Security Policy allows you to limit who can log in to only verified IP addresses. In this area, you can also add Two-factor authentication using Google Authenticator, and change the settings for Password Strength and Password Age. You can also set it up when creating a new account to disable shell access or use VirtFS Jailed Shell by visiting the Manage Shell Access interface.
Restrict System Compilers
Most users don’t require access to a C or C++ compiler. We recommend that you disable compilers for users that don’t belong to the compilers group under /etc/group in your server’s settings. Without a functional compiler, most pre-packaged exploits can’t run.
- You can deactivate compilers through the Compiler Access interface in WHM.
- You can also use the following command in the command line:
Start Using a Firewall
A computer firewall is either a hardware device or a software program that is configured to inspect all the data traffic that is received by the firewall before it enters the server or network. It uses a set of predefined rules to determine whether the data it should be allowed to pass or be blocked.
cPanel does not come with a firewall provided, but adding a firewall to your server will prohibit malicious elements from accessing your system. There are several 3rd party firewalls we recommend, and we provide documentation about how to configure your firewall for your cPanel. Here is a brief list of some 3rd party firewalls you might use.
It’s important to note that if a firewall is incorrectly configured, it can block desired traffic. If you set up a firewall and suddenly find that you can’t access parts of your website, you should go back and look further into your firewall configuration.
Disable Redundant Daemons and Services
When you have daemons or services that enable connections to your server that are redundant or not being actively used, there’s a risk of attracting hackers who will abuse those connections. The more services that are running on your server, the more opportunities there are for others to use them, break into or take control of your system through them. Examine your system to see what programs are redundant or unused. To improve your server’s security, deactivate all daemons and services that you don’t require. You can do this in the Service Manager interface. (WHM >> Home >> Service Configuration).
Actively Monitor Your System
One of the most important ways to protect your server is to keep an eye on it yourself. Track the number of user accounts created. Subscribe to the cPanel Mailing List to be notified of critical updates and keep your server updated. Stay aware of what software is installed so you can keep 3rd party applications updated, too. In our documentation, we’ve compiled a list of additional security software that we recommend for helping you to monitor your system.
cPanel offers some other tips to make your server more secure. These include Logwatch, which is a customizable log analysis system that parses through your system’s logs and creates a report analyzing areas that you specify, and chrootkit. This tool checks locally for signs of a rootkit on your server.
ModSecurity in WHM
ModSecurity is an open-source web-based firewall application (or WAF) supported by different web servers: Apache, Nginx and IIS. The module is configured to protect web applications from various attacks. ModSecurity supports flexible rules to perform both simple and complex operations. It comes with a Core Rule Set (CRS) which has various rules. You can learn more in our ModSecurity documentation or by watching the video linked above.
In general, security experts highly recommend that you use only the latest stable versions of any software on a server that is live and in production. At cPanel, we recommend that you set your server to automatically update on the LTS tier. You can specify your update settings in the Update Preferences interface. You should also check your other software on your server for updates regularly, or enable automatic updates.
Server security is as essential as network security, and in some ways more important. Our servers often contain a great deal of vital company information as well as private user data. If your server is compromised, crackers can not only cause damage to the way the site is displayed; they can steal data as all of the server’s contents may become available for them to use at will. As a web host, you should consider putting your team through SafeAdmin Accreditation so your System Administrators know what the best practices for protecting your server are.
As always, if you have any feedback or comments, please let us know. We are here to help you provide the best service you can to your customers. You’ll find us on Discord, the cPanel forums, and Reddit.
Leave a Reply
You must be logged in to post a comment.