Security Hardening for cPanel server

Introduction

Server security is the main aspect of web hosting. Secure your servers before you host any sites on them. This document covers some advanced steps to address the most common security vulnerabilities. When you come up with a security plan for your servers, you need to take several key factors into account. These key factors include your server configuration and settings.

Secure SSH

If you move SSH access to a different port, individuals without specific knowledge of your server will not know which port to use for SSH. Many malicious users attempt to use port 22 to access servers. To modify the port on which SSH runs, edit the /etc/ssh/sshd_config file.

We recommend that you use a port number less than 1024 and one that another service does not already use.

These ports are “privileged” ports, because only the root user can bind to them.
Ports 1024 and above are “unprivileged” ports, and anyone can use them.

Always use SSHv2 only. SSHv1 does not properly secure connections. Change the #Protocol 2,1 line in the /etc/ssh/sshd_config file to Protocol 2.
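
The checks from this section (a non-default port below 1024 that no other service uses, and SSHv2 only) can be verified after you edit the file. The following script is an added example, not part of the original documentation or of cPanel's tooling; the function name audit_sshd_config and the sample configurations are constructed for illustration.

```bash
#!/bin/sh
# Added example, not cPanel's own tooling. audit_sshd_config is a hypothetical helper.
# Usage: audit_sshd_config FILE [PORT_USED_BY_ANOTHER_SERVICE ...]
# Prints one finding per line; returns 1 if any FAIL was printed.
# OpenSSH 7.4 and later dropped SSHv1 server support, so the Protocol
# check matters on older builds.
audit_sshd_config() {
    cfg=$1; shift
    awk -v used=" $* " '
        NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
        { key = tolower($1) }                       # keywords are case-insensitive
        key == "match" { exit }                     # audit the global section only
        key == "port" { ports[++np] = $2 + 0 }      # each Port line adds a listener
        key == "protocol" && !seen { proto = $2; seen = 1 }  # first value wins
        END {
            if (np == 0) ports[++np] = 22           # no Port line: default port
            for (i = 1; i <= np; i++) {
                p = ports[i]
                if (p == 22) {
                    print "FAIL port 22: default SSH port"; fails++
                } else if (index(used, " " p " ")) {
                    print "FAIL port " p ": already used by another service"; fails++
                } else if (p >= 1024) {
                    print "WARN port " p ": unprivileged port (1024 or above)"
                } else {
                    print "OK   port " p
                }
            }
            if (!seen) {
                print "WARN protocol: no active Protocol line"
            } else if (proto != "2") {
                print "FAIL protocol " proto ": SSHv1 is allowed"; fails++
            } else {
                print "OK   protocol 2"
            }
            exit (fails > 0)
        }' "$cfg"
}

# Constructed sample configs (not taken from a real server).
stock=$(mktemp); hardened=$(mktemp)
printf '%s\n' '#Port 22' '#Protocol 2,1' > "$stock"
printf '%s\n' 'Port 922' 'Protocol 2' > "$hardened"
echo "== stock ==";    audit_sshd_config "$stock" || true
echo "== hardened =="; audit_sshd_config "$hardened" 25 80 443
rm -f "$stock" "$hardened"
```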

Secure Apache

You must secure your Apache installation. The ModSecurity tool can help you to secure your server’s Apache installation.

When you compile Apache, include the suEXEC module to ensure that CGI applications and scripts run as the user that owns and executes them. This module identifies the location of malicious scripts and who executed them. It also enforces permission and environment controls.

We strongly recommend that you compile Apache and PHP with the suPHP module. The suPHP module forces all PHP scripts to run as the user who owns the script. This allows you to identify the owner of all PHP scripts that run on your server and find the location of malicious scripts. To compile Apache and PHP with the suPHP module, select the suPHP option in WHM’s EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).

Finally, we recommend that you implement symlink race condition protection on your server through EasyApache. For more information about the symlink race condition vulnerability and how to protect against it, read our Symlink Race Condition Protection documentation.

Secure PHP

Disable unwanted functions. Some PHP functions are not safe for a production environment. If your PHP developers do not require these functions, we strongly recommend that you disable them so that an attacker cannot use them. Generally, when you disable these functions, you can stop an attacker who manages to load a malicious PHP script onto your system.

File inclusion attacks often occur when an attacker exploits a file-inclusion vulnerability in a web application that dynamically includes files and scripts. A user may create applications that do not properly validate include and require statements, or use filenames as parameters.

Attackers often upload malicious programs to vulnerable systems in order to compromise them. If you restrict all file uploads, this can ensure that attackers cannot exploit your PHP configuration to inject their own PHP scripts.

Enable a firewall

Before you remove or disable unused services and daemons, you can enable a firewall to prevent unwanted access. For more information on the ports that cPanel & WHM requires to function properly, read our How to Configure Your Firewall for cPanel Services documentation.

You may use all of these services or other services, and you should adjust your rules accordingly.

Restrict your system’s compilers

Most users do not require the use of C and C++ compilers. We strongly recommend that you disable compilers for all users who do not exist in the compilers group in the /etc/group file. Many pre-packaged exploits require functional compilers.

To disable compilers from the WHM interface, use WHM’s Compiler Access interface (WHM >> Home >> Security Center >> Compiler Access).
To disable compilers from the command line, run the following command as the root user:

/scripts/compilers off

Disable unused services and daemons

Any service or daemon that allows connections to your server may also allow hackers to gain access. To reduce security risks, disable all services and daemons that you do not use.

Disable any services that you do not currently use with WHM’s Service Manager interface (WHM >> Home >> Service Configuration >> Service Manager).

Monitor your system

It is an important step to enable monitoring for your server with a monitoring tool such as Nagios, so that you are notified if any service outage or downtime occurs.

Conclusion

As with security hardening, updates and maintenance are also important to keep the servers secure. Keep all application components up to date. Outdated software is vulnerable to hackers.
