Bobcares

A complete 14 point guide to secure cPanel servers

by | Feb 27, 2017

Security is one of the major concerns we tackle in our Outsourced Hosting Support for web hosting companies. A server compromise leads to financial loss and damages the credibility of the business.

With our experience managing hundreds of cPanel servers for web hosts, we have been able to identify and close the common security loopholes found in cPanel servers.

At Bobcares, we perform a comprehensive security check and implement a layered protection system for cPanel servers, which we'll discuss here.

1. Keep the server software updated

We’ve come across servers where outdated or vulnerable server software has led to compromises. To keep servers from being broken into through known, already-fixed bugs, we make sure that all server software is updated and patched without delay.

Since unattended automatic updates can break running services, we roll updates out to customers’ live servers only after testing them on our test servers.

Our cPanel security experts also scan the user-installed application software on the server (CMSs, plugins, themes) for vulnerabilities, as these are the most common entry point, and keep them from affecting the security of the server as a whole.

Other security measures we take are:

  1. Disabling unused services and daemons to reduce the attack surface.
  2. Installing only verified, authentic software from the official repositories.
  3. Subscribing to the vendors’ update and vulnerability notifications and acting on them promptly.


2. Update cPanel to the latest stable version

Like most server software, cPanel releases new versions on a regular schedule, and only the supported versions receive security fixes. Staying on an old version means running with known, unpatched issues, and missing features and functionality.

But we’ve seen cases where blindly updating cPanel has broken server functions. At Bobcares, we perform fully supervised updates to the latest stable version (selected through WHM’s Update Preferences) and verify that everything is working post-upgrade.

3. Enable TLS encryption for all services

We always insist on encrypting every service on a cPanel server (web, mail, FTP, and cPanel/WHM itself) with TLS, so that data is transferred securely. But weak or vulnerable encryption parameters give a false sense of security and can end up having the opposite effect.

To ensure that the services are properly secured with encryption, we take additional precautions such as:

  • Disabling weak ciphers such as DES, 3DES and RC4, which are broken, in favour of AES (preferably in GCM mode) with a forward-secret key exchange (ECDHE).
  • Disabling SSL v2 and v3, which have serious protocol-level vulnerabilities (DROWN, POODLE); TLS 1.0 and 1.1 have since been deprecated as well (RFC 8996), so TLS 1.2 or later is the target today.
  • Using valid certificates with RSA keys of at least 2048 bits (or an ECDSA key), to strengthen the security of critical websites.

4. Implement a strong password policy

To prevent account takeover, we enforce a strong password policy on all cPanel servers, for every account starting with root. The policy covers these points as well:

  1. Not using the same password for different accounts
  2. Not storing passwords in insecure locations (plain-text files, e-mails, tickets)
  3. Using a strong password generator tool
  4. Preventing password reuse
  5. Locking accounts after repeated login failures (cPHulk does this for cPanel, WHM, webmail, FTP, mail and SSH logins)
  6. Using IP restrictions for critical services
  7. Using two-factor authentication for high-privilege accounts (WHM has built-in 2FA for cPanel and WHM logins)


5. Lock the SSH server

SSH is a critical service on any cPanel server, as it gives users a shell on the server. So we take special care in securing and restricting access to the SSH server.

Along with keeping the SSH server updated and keeping its banner from advertising more than necessary (the OpenSSH version string itself is part of the protocol handshake and cannot be hidden), we perform these tasks to further secure it:

  1. Restricting which users may log in over SSH (AllowUsers / AllowGroups)
  2. Disabling direct root login and providing sudo access instead, so that user activity is attributable
  3. Enabling key-based authentication, disabling password logins, and allow/deny listing the hosts that can reach the server
  4. Configuring a port other than the default 22 (this cuts log noise from automated scanners but is not a security control on its own)
  5. Disabling the SSH v1 protocol, which is cryptographically broken (OpenSSH removed it entirely in version 7.6)
  6. Binding sshd to a single management IP (ListenAddress) instead of every address on the server
  7. Disabling TCP and agent forwarding unless needed, so that a compromised account cannot tunnel through the box
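As an added example (not from the original post, and not cPanel’s or Bobcares’ own tooling), the script below audits an sshd_config for the settings listed above and shows a hardened configuration that passes. Both configs are constructed in temporary files for the demo; on a real server point it at /etc/ssh/sshd_config, and validate any edit with `sshd -t -f <file>` before restarting sshd. The parser reads only top-level directives and ignores Match blocks; 203.0.113.10 and the user name sysadmin are placeholders.

```shell
#!/bin/sh
# Added example: audit sshd_config for the SSH lockdown points above.
# Sample configs are constructed for the demo.

SAMPLE_CONFIG=$(mktemp)
HARDENED_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$HARDENED_CONFIG"' EXIT

# Constructed: what a freshly installed server often looks like.
cat >"$SAMPLE_CONFIG" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
X11Forwarding yes
EOF

# Constructed: the hardened equivalent (203.0.113.10 is a placeholder management IP).
cat >"$HARDENED_CONFIG" <<'EOF'
Port 2222
Protocol 2
ListenAddress 203.0.113.10
AllowUsers sysadmin
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
EOF

# get_opt FILE KEY -> effective value. sshd honours the first uncommented
# occurrence of a keyword, so we stop at the first match (case-insensitive).
get_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE -> one FAIL/WARN line per weak setting. Always returns 0;
# use sshd_fail_count for the number of failures.
audit_sshd() {
    f=$1
    # want KEY EXPECTED REASON
    want() {
        val=$(get_opt "$f" "$1")
        [ -n "$val" ] || val="(unset)"
        [ "$val" = "$2" ] || printf 'FAIL %-22s is %-8s want %-3s (%s)\n' "$1" "$val" "$2" "$3"
    }
    want Protocol 2 "SSHv1 is broken; OpenSSH >= 7.6 ignores this keyword because v1 is gone"
    want PermitRootLogin no "log in as an unprivileged user and sudo"
    want PasswordAuthentication no "keys only; ends password brute forcing"
    want AllowTcpForwarding no "no tunnelling through the box"
    want X11Forwarding no "not needed on a server"
    [ -n "$(get_opt "$f" AllowUsers)" ] || printf 'FAIL AllowUsers is unset (restrict who may log in)\n'
    [ -n "$(get_opt "$f" ListenAddress)" ] || printf 'FAIL ListenAddress is unset (bind to one management IP)\n'
    [ "$(get_opt "$f" Port)" != "22" ] || printf 'WARN Port is 22 (moving it only reduces scanner noise)\n'
    return 0
}

# sshd_fail_count FILE -> number of FAIL lines
sshd_fail_count() {
    audit_sshd "$1" | grep -c '^FAIL' || true
}

echo "== default config =="; audit_sshd "$SAMPLE_CONFIG"
echo "== hardened config =="; audit_sshd "$HARDENED_CONFIG"
echo "failures: $(sshd_fail_count "$SAMPLE_CONFIG") vs $(sshd_fail_count "$HARDENED_CONFIG")"
```

The default sample produces seven failures and one warning; the hardened one produces none. Keep an open session while restarting sshd after such changes, so that a typo in AllowUsers or ListenAddress cannot lock you out.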

6. Secure the web server

The web server is the most important service on a web hosting server. Securing it is an integral part of the cPanel server security measures we perform:

  1. We block malicious requests to the web server by configuring a web application firewall such as ModSecurity.
  2. To prevent users from accessing files outside their home directory, we enforce PHP open_basedir protection.
  3. We secure the PHP configuration (allow_url_fopen, allow_url_include, disable_functions) to prevent remote file inclusion and similar attacks through PHP scripts.
  4. We configure a PHP handler that runs scripts as the account owner rather than as ‘nobody’ (suPHP, or PHP-FPM with per-account pools on current EasyApache 4 builds) and suEXEC for CGI scripts, so that one compromised site cannot read or modify another account’s files.
  5. For real-time detection of malicious code in uploaded files, we configure CXS (ConfigServer eXploit Scanner).
  6. Disabling unused Apache modules and running Apache as a non-privileged user are further security measures.
  7. Setting per-user resource limits and connection limits helps us prevent resource abuse.

7. Protect the /tmp partition

To prevent arbitrary scripts from being executed from /tmp, which is where most web-shell droppers and privilege-escalation exploits stage their payloads, we mount the ‘/tmp’ partition with the ‘noexec’, ‘nosuid’ and ‘nodev’ options.

/tmp, /var/tmp and /dev/shm are world-writable by design (the sticky bit only stops users from deleting each other’s files), so any account, and any compromised web application running as one, can write there. cPanel’s /scripts/securetmp sets up /tmp as a separate loopback filesystem with these options and binds /var/tmp to it. The caveat: noexec only blocks direct execution; an interpreter invocation such as ‘php /tmp/x.php’ or ‘perl /tmp/x.pl’ still runs, so this is one layer of defence, not a complete control.
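As an added example (not from the original post), the script below checks /proc/mounts-format input for the three scratch filesystems and reports which of noexec, nosuid and nodev are missing. The mount table lines are constructed; on a real host call audit_tmp_mounts /proc/mounts.

```shell
#!/bin/sh
# Added example: audit the world-writable scratch filesystems for the
# noexec/nosuid/nodev mount options. Input is /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
# Constructed sample: /tmp on a cPanel-style loopback image (/usr/tmpDSK is what
# /scripts/securetmp creates) but mounted without the hardening options,
# /var/tmp bound to the same image, and /dev/shm already hardened.
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/usr/tmpDSK /tmp ext3 rw,relatime 0 0
/usr/tmpDSK /var/tmp ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
EOF

# has_opt "a,b,c" NAME -> 0 if NAME is one of the comma-separated options
has_opt() { printf '%s\n' "$1" | tr ',' '\n' | grep -qx "$2"; }

# audit_tmp_mounts MOUNTS_FILE -> one line per scratch mountpoint:
#   OK <mp> (<opts>) | WEAK <mp> ... missing <opts> | MISSING <mp> ...
# The last entry for a mountpoint wins, as in the kernel (later mounts shadow earlier ones).
audit_tmp_mounts() {
    for mp in /tmp /var/tmp /dev/shm; do
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$1")
        if [ -z "$opts" ]; then
            printf 'MISSING %s is not a separate mount; it inherits the root filesystem options\n' "$mp"
            continue
        fi
        missing=""
        for want in noexec nosuid nodev; do
            has_opt "$opts" "$want" || missing="$missing,$want"
        done
        if [ -n "$missing" ]; then
            printf 'WEAK %s mounted with %s, missing %s\n' "$mp" "$opts" "${missing#,}"
        else
            printf 'OK %s (%s)\n' "$mp" "$opts"
        fi
    done
}

# tmp_weak_count MOUNTS_FILE -> number of WEAK/MISSING mountpoints
tmp_weak_count() {
    audit_tmp_mounts "$1" | grep -c -E '^(WEAK|MISSING)' || true
}

audit_tmp_mounts "$SAMPLE_MOUNTS"
# Fix on a live server (and make it permanent in /etc/fstab):
#   mount -o remount,noexec,nosuid,nodev /tmp
#   /usr/tmpDSK  /tmp  ext3  loop,noexec,nosuid,nodev,rw  0 0
# Caveat: noexec stops ./payload, not "php /tmp/payload.php"; keep it as one layer.
```

On the sample, /tmp and /var/tmp are reported as weak and /dev/shm as OK. After remounting, re-run the audit rather than trusting the mount command’s silence: a bind mount of /var/tmp does not pick up options applied to /tmp afterwards unless it is remounted as well.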

8. Firewalls to safeguard from attacks

Firewalls are indispensable barriers that protect servers from unauthorized access and unwanted traffic. Protecting the server from brute-force attacks, viruses, malware, etc. are also vital tasks we do for security.

  1. By limiting the number of failed logins to the server with cPHulk, we protect it from brute-force attacks.
  2. As part of server security, we close all server ports and open only the required ones.
  3. Using a firewall such as iptables with strict, default-deny rules, we further limit access to the server.
  4. We configure the CSF firewall to lock down access to public services and to monitor login failures and port-scanning attempts (its LFD daemon blocks the offending IPs).
  5. Disabling compiler access for unprivileged users (WHM’s Compiler Access setting) reduces the risk of users building exploit binaries on the server.
  6. To protect against viruses and malware, we run ClamAV and other scanning software on the servers.
  7. Using an intrusion detection system, we are able to quickly notice and respond to unusual access to the server.
  8. By configuring tools such as rkhunter, we detect and remove rootkits that tamper with the server’s security.
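The brute-force protection in points 1 and 4 above works by counting failed logins per source address and blocking the offenders. As an added example (not from the original post, and not cPHulk’s or CSF’s own code), the script below does that aggregation over constructed /var/log/secure lines, honours an allow list for management addresses, and prints the csf commands that would block the rest. It prints rather than runs them so it is safe to try; only IPv4 sources are parsed, and the threshold and allow-list file are illustrative.

```shell
#!/bin/sh
# Added example: find SSH brute-force sources in an auth log and turn them into
# CSF deny entries. Log lines and the allow list are constructed for the demo.

SAMPLE_LOG=$(mktemp)
ALLOWLIST=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$ALLOWLIST"' EXIT

# Constructed /var/log/secure excerpt (RFC 5737 documentation addresses).
cat >"$SAMPLE_LOG" <<'EOF'
Feb 27 10:01:02 srv1 sshd[2210]: Failed password for root from 198.51.100.7 port 51022 ssh2
Feb 27 10:01:04 srv1 sshd[2210]: Failed password for root from 198.51.100.7 port 51023 ssh2
Feb 27 10:01:06 srv1 sshd[2211]: Failed password for root from 198.51.100.7 port 51024 ssh2
Feb 27 10:01:08 srv1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51025 ssh2
Feb 27 10:01:10 srv1 sshd[2212]: Failed password for invalid user oracle from 198.51.100.7 port 51026 ssh2
Feb 27 10:01:12 srv1 sshd[2212]: Failed password for invalid user test from 198.51.100.7 port 51027 ssh2
Feb 27 10:02:10 srv1 sshd[2231]: Failed password for invalid user admin from 203.0.113.42 port 40011 ssh2
Feb 27 10:02:11 srv1 sshd[2231]: Failed password for invalid user admin from 203.0.113.42 port 40012 ssh2
Feb 27 10:02:12 srv1 sshd[2232]: Failed password for invalid user admin from 203.0.113.42 port 40013 ssh2
Feb 27 10:02:13 srv1 sshd[2232]: Failed password for invalid user admin from 203.0.113.42 port 40014 ssh2
Feb 27 10:02:14 srv1 sshd[2233]: Failed password for invalid user admin from 203.0.113.42 port 40015 ssh2
Feb 27 10:03:00 srv1 sshd[2240]: Accepted publickey for sysadmin from 192.0.2.5 port 50000 ssh2
Feb 27 10:03:30 srv1 sshd[2250]: Failed password for sysadmin from 192.0.2.5 port 50010 ssh2
Feb 27 10:03:31 srv1 sshd[2250]: Failed password for sysadmin from 192.0.2.5 port 50011 ssh2
Feb 27 10:03:32 srv1 sshd[2251]: Failed password for sysadmin from 192.0.2.5 port 50012 ssh2
Feb 27 10:03:33 srv1 sshd[2251]: Failed password for sysadmin from 192.0.2.5 port 50013 ssh2
Feb 27 10:03:34 srv1 sshd[2252]: Failed password for sysadmin from 192.0.2.5 port 50014 ssh2
EOF
# Constructed: the office / management address that must never be auto-blocked.
printf '192.0.2.5\n' >"$ALLOWLIST"

# failed_logins_by_ip LOG -> "<count> <ip>" lines, most failures first
failed_logins_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# block_candidates LOG THRESHOLD ALLOWLIST -> IPs with >= THRESHOLD failures not on the allow list
block_candidates() {
    failed_logins_by_ip "$1" | awk -v t="$2" -v allow="$3" '
        BEGIN { while ((getline l < allow) > 0) ok[l] = 1 }
        $1 >= t && !($2 in ok) { print $2 }'
}

# emit_blocks LOG THRESHOLD ALLOWLIST -> the csf commands that would block them.
# Dry run: drop the leading "echo" to apply. csf -d adds a permanent entry to
# csf.deny; csf -td IP 3600 "reason" would make it a one-hour temporary block.
emit_blocks() {
    block_candidates "$@" | while read -r ip; do
        echo csf -d "$ip" "\"ssh brute force: auto-added\""
    done
}

echo "failures per source:"; failed_logins_by_ip "$SAMPLE_LOG"
echo "would run:"; emit_blocks "$SAMPLE_LOG" 5 "$ALLOWLIST"
```

With a threshold of 5, 198.51.100.7 (six failures) and 203.0.113.42 (five) are blocked while 192.0.2.5, which also reached five, is spared by the allow list. The allow list matters more than the threshold: the most common self-inflicted outage with automatic blocking is a forgotten monitoring host or a colleague with a mistyped password.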

9. Secure the FTP server

On the servers we manage, we disable anonymous FTP, as it lets anyone upload content to the server. Plain FTP itself is insecure (credentials and data travel in cleartext), and we do not recommend it to our customers; SFTP over the SSH service is the better option.

For users who require FTP, we secure it with TLS (FTPS), so that the session is encrypted. By enabling disk quotas for accounts and limiting session duration and concurrent connections, we keep control over FTP sessions.

10. Harden the Exim mail server

The mail server is one of the most commonly abused services on cPanel servers. Preventing inbound and outbound spam and the transmission of viruses and malware via email are the key tasks we perform, along with these:

  • Preventing open relay, so that only authenticated users can send mail through the server, which stops outbound spamming.
  • Blocking web applications from sending mail as the user ‘nobody’, so that spam from a compromised site is attributable to an account and can be stopped.
  • Enabling extended logging in Exim, so that the sending account and authenticated user are recorded for every message and abuse can be traced.
  • Setting rate limits on outgoing mail per user (WHM’s “Max hourly emails per domain”) to contain abuse.
  • Offering the submission ports (587, and cPanel’s 26) in addition to port 25, and restricting outbound port 25 to the mail daemon (WHM’s SMTP Restrictions), so that compromised scripts cannot deliver spam directly to remote mail servers.
  • Scanning outgoing mail for spam and viruses to protect the server’s IP reputation.
  • Rejecting mail from blacklisted mail servers (DNSBLs) to cut inbound spam.
  • Publishing SPF, DKIM and DMARC records and a matching reverse DNS (PTR) entry, to prevent email spoofing and improve deliverability.
  • Running Exim’s listener and delivery processes under an unprivileged user (mailnull on cPanel) rather than root wherever possible, so that a bug in Exim does not hand an attacker the entire server.
  • Keeping Exim updated to the latest secure version and patching it promptly to avoid vulnerabilities.
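The SPF and DMARC records mentioned above only help if they are strict. As an added example (not from the original post), the functions below classify an SPF record by its ‘all’ qualifier, count its DNS-lookup terms (SPF permits at most 10; more makes the record a permerror, which is as bad as having none), and extract the DMARC policy. The records are constructed strings; for a live domain feed them the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```shell
#!/bin/sh
# Added example: sanity checks for the SPF and DMARC records a cPanel server
# publishes for a hosted domain. Records below are constructed for the demo.

# spf_verdict "RECORD" -> MISSING | BROKEN | PERMISSIVE | NEUTRAL | SOFT | STRICT | NOALL
spf_verdict() {
    rec=$1
    case "$rec" in
        "")                   echo MISSING; return 0 ;;
        "v=spf1 "*|"v=spf1")  ;;                          # well-formed prefix
        *)                    echo BROKEN; return 0 ;;    # not an SPF record
    esac
    # The "all" mechanism (with its qualifier) decides the fate of unlisted senders.
    case " $rec " in
        *" +all "*|*" all "*) echo PERMISSIVE ;;   # anyone on the internet may send as this domain
        *" ?all "*)           echo NEUTRAL ;;      # no statement; receivers treat it like no record
        *" ~all "*)           echo SOFT ;;         # softfail: marked, usually still delivered
        *" -all "*)           echo STRICT ;;       # hardfail: what you want once the sources are complete
        *)                    echo NOALL ;;        # no all term at all: implicit neutral
    esac
    return 0
}

# spf_lookup_count "RECORD" -> number of mechanisms that cost a DNS lookup
# (include, a, mx, ptr, exists, redirect). ip4/ip6 are free. The limit is 10.
spf_lookup_count() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed 's/^[-+~?]//' \
      | grep -c -E '^(include:|a($|[:/])|mx($|[:/])|ptr($|:)|exists:|redirect=)' || true
}

# dmarc_policy "RECORD" -> none | quarantine | reject | MISSING | BROKEN
dmarc_policy() {
    case "$1" in
        "")            echo MISSING; return 0 ;;
        "v=DMARC1;"*)  ;;
        *)             echo BROKEN; return 0 ;;
    esac
    p=$(printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    if [ -n "$p" ]; then echo "$p"; else echo BROKEN; fi   # p= is mandatory
}

# mail_auth_report DOMAIN SPF DMARC -> one-line summary
mail_auth_report() {
    printf '%s: SPF %s (%s lookups), DMARC p=%s\n' \
        "$1" "$(spf_verdict "$2")" "$(spf_lookup_count "$2")" "$(dmarc_policy "$3")"
}

# Constructed records
SPF_BAD="v=spf1 +all"
SPF_WEAK="v=spf1 a mx include:_spf.example.net ~all"
SPF_GOOD="v=spf1 ip4:203.0.113.10 mx -all"
SPF_TOO_MANY="v=spf1"; i=1
while [ "$i" -le 11 ]; do SPF_TOO_MANY="$SPF_TOO_MANY include:spf$i.example.net"; i=$((i + 1)); done
SPF_TOO_MANY="$SPF_TOO_MANY -all"
DMARC_NONE="v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_GOOD="v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

mail_auth_report bad.example "$SPF_BAD" ""
mail_auth_report weak.example "$SPF_WEAK" "$DMARC_NONE"
mail_auth_report good.example "$SPF_GOOD" "$DMARC_GOOD"
mail_auth_report toomany.example "$SPF_TOO_MANY" "$DMARC_GOOD"
```

Move a domain from `~all` to `-all` and from `p=none` to `p=reject` only after the rua reports show that every legitimate sender (the cPanel server, any newsletter service, the ticketing system) is covered; until then, the softfail and monitoring settings are the honest choice.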


11. Secure the database server

While managing cPanel servers for hosting providers ranging from application hosts to cloud providers, we’ve noticed that most website applications are database driven, which makes the database server a prime target.

That’s why we give importance to securing the database server, with these steps:

  • Keeping the MySQL/MariaDB server updated and secure
  • Enforcing strong passwords for all database users
  • Removing unwanted user accounts (anonymous users in particular) and the test databases
  • Restricting user privileges and database access to what each application actually needs
  • Disabling or limiting remote MySQL connections (binding to localhost, and allowing remote hosts explicitly per account)
  • Setting a limit on the number of database connections

12. Tighten the DNS server

The DNS service resolves domain names on the internet. We’ve secured our customers’ servers from a variety of DNS attacks, such as cache poisoning, denial of service, and amplification abuse of open resolvers.

Here are some highlights of what we do to secure the DNS server:

  1. Hiding the DNS server’s version information so that attackers cannot fingerprint it and target version-specific vulnerabilities.
  2. Limiting recursive queries, to protect the server from risks such as DoS amplification and cache poisoning (an authoritative server for hosted zones should not recurse at all).
  3. Where recursion is required, accepting such queries only from a trusted set of clients, to prevent abuse.
  4. Running the server as a non-privileged user, to confine an attacker who exploits it to the DNS process.
  5. Restricting zone transfers (AXFR) to the secondary name servers, so that unauthorized hosts cannot dump the zones.
  6. Signing zones with DNS Security Extensions (DNSSEC), so that validating resolvers can detect forged responses and DNS spoofing.

13. Harden the server security

In addition to securing the individual services, we perform these server hardening steps to secure the server as a whole:

  • File system hardening (noexec mounts, restrictive permissions) to block malware uploaded to the server from being executed.
  • Protecting system binaries (immutable attributes, integrity baselines) so that they cannot be modified and used to attack the server.
  • Hardening the network stack against common attacks such as SYN floods or spoofed packets.
  • Segregating system and user files so that one user cannot access files outside their home directory.
  • Keeping the kernel patched against vulnerabilities such as buffer overflows and privilege escalation bugs.
  • Setting up Mandatory Access Control systems such as SELinux or AppArmor to confine services to the files and operations they need.
  • Tuning the kernel’s networking parameters (sysctl) to resist DoS attacks.
  • Configuring VPNs to restrict and encrypt traffic to critical servers.


14. Monitoring the server for security incidents

Hackers constantly scan for weak servers, which is obvious from the new vulnerability and exploit notifications we come across every day.

That’s why we don’t leave a server unattended, even for a minute, after its initial hardening. cPanel has a chkservd monitoring system that checks services and restarts the ones found to be unresponsive.

But it cannot fix a service that crashes repeatedly or refuses to start, and a service that keeps restarting is itself a symptom worth investigating. While managing cPanel servers, our 24/7 cPanel experts investigate such issues and fix them promptly to avoid downtime.

By periodically inspecting the server with scanning and detection tools such as Nessus and Nmap, and by auditing the server logs and the spam database, we confirm that the hardening still holds.

Our monitoring system also includes custom software for detecting malicious processes and files, tracking changes to critical files, monitoring access to directories and detecting network intrusions.

The security specialist team at Bobcares reviews this information and takes continual action to curb security incidents and to fine-tune the security settings on the server.
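As an added example (not the tooling the post refers to, and not from the original page), the script below is a minimal version of the “tracking changes to critical files” check: snapshot the SHA-256 digest and permission bits of every file under a directory, then diff a later snapshot against that baseline. It works on constructed files in a temporary directory; on a real server point it at /usr/bin, /usr/sbin and /etc, keep the baseline off the box (an intruder with root can edit a baseline stored locally), and remember that a kernel-level rootkit can lie to any userland check, which is why rkhunter and offline scans from rescue media remain necessary. It assumes GNU coreutils (sha256sum, stat -c) and paths without spaces.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline and verification.
# Assumes GNU coreutils (sha256sum, stat -c) as found on any cPanel host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin"
# Constructed stand-ins for system binaries.
printf 'original ls\n' >"$WORK/bin/ls"
printf 'original ps\n' >"$WORK/bin/ps"
printf 'original cat\n' >"$WORK/bin/cat"
chmod 755 "$WORK/bin/ls" "$WORK/bin/ps" "$WORK/bin/cat"

# fim_snapshot DIR -> "<sha256> <octal mode> <path>" for every regular file.
# Mode is included so that a setuid bit slipped onto a binary is caught even
# when its contents are untouched.
fim_snapshot() {
    find "$1" -type f | sort | while read -r f; do
        printf '%s %s %s\n' "$(sha256sum "$f" | awk '{ print $1 }')" "$(stat -c '%a' "$f")" "$f"
    done
}

# fim_diff BASELINE_FILE DIR -> ADDED/REMOVED/MODIFIED <path> lines; empty when clean
fim_diff() {
    fim_snapshot "$2" | awk -v base="$1" '
        BEGIN { while ((getline l < base) > 0) { split(l, a, " "); old[a[3]] = a[1] " " a[2] } }
        { if (!($3 in old)) print "ADDED", $3; else if (old[$3] != $1 " " $2) print "MODIFIED", $3; delete old[$3] }
        END { for (p in old) print "REMOVED", p }' | sort
}

# 1. Take the baseline right after hardening, while the box is known-good.
fim_snapshot "$WORK/bin" >"$WORK/baseline"
CLEAN_RESULT=$(fim_diff "$WORK/baseline" "$WORK/bin")     # empty: nothing changed yet

# 2. Simulate an intrusion: trojaned ps, setuid bit on cat, a dropped tool, deleted ls.
printf 'trojaned ps\n' >"$WORK/bin/ps"
chmod 4755 "$WORK/bin/cat"
printf 'dropped tool\n' >"$WORK/bin/nc"
rm "$WORK/bin/ls"

# 3. Verify: every tampered path is reported.
echo "clean check: '${CLEAN_RESULT}'"
fim_diff "$WORK/baseline" "$WORK/bin"
# To make binaries harder to tamper with in the first place: chattr +i /usr/bin/ps
# (an attacker with root can still chattr -i, so integrity checking stays necessary).
```

Run the comparison from cron and alert on any non-empty output; refresh the baseline only as part of a deliberate package update, otherwise a quietly re-baselined trojan becomes the new normal. AIDE and rkhunter’s file-properties check do the same job with more metadata (owner, inode, ctime) and a signed database.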
