A complete 14 point guide to secure cPanel servers
Security is one of the major concerns we tackle in our Outsourced hosting Support for web hosting companies. Server compromises can lead to financial loss and affect the business credibility.
With our expertise managing hundreds of cPanel servers for web hosts, we have been able to identify and address all the security loopholes that can occur in a cPanel server.
At Bobcares, we perform a comprehensive security check and implement a 360 degree fool-proof protection system for cPanel servers, which we’ll discuss here.
1. Keep the server software updated
We’ve come across servers where outdated or vulnerable server software has led to server hacks. To keep servers from becoming exposed to such hacks, we ensure that all server software is updated and patched without delay.
Since automatic software updates may disrupt running services, we update the software on customers’ live servers only after testing the updates on our test servers.
Our cPanel security experts also scan the various user application software in the server for vulnerabilities and prevent them from affecting the server security.
Other security measures we take are:
- Disabling unused services and daemons to reduce the security risks.
- Using only verified and authentic software from their official repositories.
- Staying alert to notifications regarding software updates and vulnerabilities.
2. Update cPanel to the latest stable version
Like most server software vendors, the cPanel team releases newer versions from time to time. Not updating the version can affect the functionality and features of the server.
But we’ve seen cases where blindly updating cPanel has broken server functions. At Bobcares, we perform fully supervised updates to the latest stable version and ensure that everything works fine after the upgrade.
3. Enable TLS encryption for all services
We always stress encrypting all the services on a cPanel server with TLS, so that data is transferred securely. But weak or vulnerable encryption parameters can have the opposite effect.
To ensure that the services are properly secured with encryption, we take additional precautions such as:
- Disabling weak ciphers such as DES and RC4, which are vulnerable, and replacing them with stronger AES-based suites such as AES-GCM.
- Disabling SSLv2 and SSLv3, which have serious vulnerabilities and are prone to attacks.
- Using valid SSL certificates with keys of at least 2048 bits, to strengthen the security of critical websites.
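The first two checks in the list above can be scripted. This is an added example, not Bobcares' own tooling: the helper names and sample lines are constructed, 3DES is counted as part of the DES family, and `all` is treated as including SSLv2 and SSLv3 (Apache 2.4 no longer has SSLv2, so that part matters only on older builds).

```sh
# Added example: two checks for the TLS items above (helper names are hypothetical).

# Succeed if an Apache-style SSLProtocol value leaves SSLv2 or SSLv3 enabled.
# Tokens apply left to right and are case-insensitive.
legacy_ssl_enabled() {  # usage: legacy_ssl_enabled "all -SSLv2"
  _v2=0; _v3=0
  for _tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
    case "$_tok" in
      all|+all)     _v2=1; _v3=1 ;;
      -all)         _v2=0; _v3=0 ;;
      sslv2|+sslv2) _v2=1 ;;
      -sslv2)       _v2=0 ;;
      sslv3|+sslv3) _v3=1 ;;
      -sslv3)       _v3=0 ;;
    esac
  done
  [ "$_v2" -eq 1 ] || [ "$_v3" -eq 1 ]
}

# Read `openssl ciphers -v` lines on stdin; print suites using RC4, DES or 3DES.
weak_suites() {  # usage: openssl ciphers -v "$CIPHER_STRING" | weak_suites
  awk '{
    for (i = 3; i <= NF; i++)
      if ($i ~ /^Enc=(RC4|DES|3DES)\(/) { print $1 " (" $i ")"; break }
  }'
}

# Constructed sample in `openssl ciphers -v` format.
sample='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'
printf '%s\n' "$sample" | weak_suites
if legacy_ssl_enabled "all -SSLv2"; then echo "SSLv2/SSLv3 still enabled"; fi
```

Piping the real expansion of a configured cipher string through `weak_suites` shows what the string actually permits, which is often more than its author intended.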
4. Implement a strong password policy
To prevent account-level hacking, we enforce a strong password policy on all cPanel servers, for all accounts, starting with root. The password policy also covers these aspects:
- Not using same password for different accounts
- Not storing passwords in insecure locations
- Using strong password generator tools
- Preventing password reuse
- Locking account after login failures
- Using IP restriction for critical services
- Using 2-factor authentication for high-privilege accounts
5. Lock the SSH server
SSH is a very critical service on any cPanel server, as it gives users direct access to the server. So we take special care in securing and restricting access to the SSH server.
Along with keeping the SSH server updated and hiding its version from the public, we perform these tasks to further secure it:
- Restricting the users who have access to SSH server
- Disabling direct root access and providing sudo access to track user activities
- Enabling secure key-based access and allowing or denying the computers that can access the server
- Configuring a different port for SSH other than the default port 22
- Disabling SSH v1 protocol, as it is vulnerable
- Limiting SSH to listen on just one of the server's IP addresses
- Disabling port forwarding to avoid exploits
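The checklist above maps onto sshd settings that can be audited from a script. This is an added example, not part of the original guide: the function names and sample configuration are constructed, and the input is any file of "keyword value" lines, such as sshd_config or saved `sshd -T` output.

```sh
# Added example: audit "keyword value" lines (sshd_config or `sshd -T` output).

# Print the first value of KEYWORD (sshd uses the first one it reads), else DEFAULT.
# Parsing stops at the first Match block, whose settings are conditional.
sshd_value() {  # usage: sshd_value FILE KEYWORD DEFAULT
  awk -v key="$2" -v def="$3" '
    NF == 0 || $1 ~ /^#/   { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }' "$1"
}

# Print one FINDING line per failed check; return non-zero if any check failed.
audit_sshd() {  # usage: audit_sshd FILE
  _f="$1"; _bad=0
  flag() { echo "FINDING: $1"; _bad=1; }
  [ "$(sshd_value "$_f" PermitRootLogin prohibit-password)" = no ] ||
    flag "direct root login is not disabled"
  [ "$(sshd_value "$_f" Port 22)" != 22 ] || flag "listening on default port 22"
  [ "$(sshd_value "$_f" AllowTcpForwarding yes)" = no ] ||
    flag "port forwarding is enabled"
  [ "$(sshd_value "$_f" PubkeyAuthentication yes)" = yes ] ||
    flag "key authentication is disabled"
  case "$(sshd_value "$_f" Protocol 2)" in
    *1*) flag "SSH protocol 1 is enabled" ;;
  esac
  case "$(sshd_value "$_f" ListenAddress unset)" in
    unset|0.0.0.0*|::*|"[::]"*) flag "not bound to a single IP address" ;;
  esac
  if [ "$(sshd_value "$_f" AllowUsers unset)" = unset ] &&
     [ "$(sshd_value "$_f" AllowGroups unset)" = unset ]; then
    flag "no AllowUsers/AllowGroups restriction"
  fi
  [ "$_bad" -eq 0 ]
}

# Constructed sample: weak settings; the commented and Match-block lines are ignored.
weak=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' '#AllowTcpForwarding no' \
  'Match User backup' '  AllowTcpForwarding no' > "$weak"
audit_sshd "$weak" || echo "weak sample: fix the findings above"
rm -f "$weak"
```

The defaults passed to `sshd_value` are the OpenSSH defaults, so a missing directive is judged by what sshd would actually do rather than treated as safe.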
6. Secure the web server
The web server is the most important service on a web hosting server. Securing the web server forms an integral part of the cPanel server security measures that we perform:
- We restrict malicious activity against the web server by configuring web application firewalls such as mod_security.
- To prevent users from accessing files outside their home directory, we enforce PHP open_basedir protection.
- We secure the PHP configuration to prevent remote file injection/access in the server using PHP scripts.
- We configure suPHP as the PHP handler and suEXEC for CGI script execution, so that scripts run with the user's privileges instead of as ‘nobody’.
- For real-time detection of malicious code in uploaded files, we configure CXS (ConfigServer eXploit Scanner).
- Disabling unused modules and running Apache as a non-privileged user are further security measures.
- Setting resource limits per user and connection limits helps us to prevent resource abuse.
7. Protect the /tmp partition
To prevent arbitrary scripts from being executed in /tmp and leading to vulnerabilities or exploits, we mount the ‘/tmp’ partition with the ‘nosuid’ and ‘noexec’ options.
All ‘tmpfs’ partitions are world-writable, so we secure them to keep attackers from hijacking these folders to upload malicious scripts that can hack the server.
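To verify the mount options described above, the mount table can be checked directly. This is an added example, not from the original guide: the function name and sample mount table are constructed, and checking /var/tmp and /dev/shm alongside /tmp is an assumption that goes beyond the path the page names.

```sh
# Added example: verify noexec/nosuid on temp mounts from a /proc/mounts-style file.

# Print a FINDING for each PATH that is not its own mount or lacks an option.
check_tmp_mounts() {  # usage: check_tmp_mounts MOUNTS_FILE PATH...
  _m="$1"; shift
  for _p in "$@"; do
    # The last matching line is the mount currently visible at that path.
    _opts=$(awk -v p="$_p" '$2 == p { o = $4 } END { print o }' "$_m")
    if [ -z "$_opts" ]; then
      echo "FINDING: $_p is not a separate mount"
      continue
    fi
    for _want in noexec nosuid; do
      case ",$_opts," in
        *",$_want,"*) ;;
        *) echo "FINDING: $_p is mounted without $_want ($_opts)" ;;
      esac
    done
  done
  return 0
}

# Constructed sample mount table: /tmp is hardened, /dev/shm lacks noexec,
# and /var/tmp has no mount of its own.
mounts=$(mktemp)
printf '%s\n' \
  '/dev/sda1 / ext4 rw,relatime 0 0' \
  'tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0' \
  '/dev/loop0 /tmp ext3 rw,nosuid,noexec,relatime 0 0' > "$mounts"
check_tmp_mounts "$mounts" /tmp /var/tmp /dev/shm
rm -f "$mounts"
```

On a live server, pass /proc/mounts as the first argument. `mount -o remount,noexec,nosuid /tmp` applies the options to the running system, and the matching /etc/fstab entry keeps them across reboots.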