Advanced cPanel Security Settings for Users
WHM – Tweak Settings:
- Select Fail to automatically discard mail sent to bad email addresses
- Prevent nobody from sending email.
- Enable SPF on domains
- Max hourly emails per domain
WHM – Security Center
- Password Strength set to 60 or above
- Compiler Access – Disable
- FTP Server Configuration – Disable Anonymous FTP
Use mod_security
Mod_security is an Apache module that enables the ModSecurity web application firewall. This can be complied in via WHM – Easy Apache or via ssh by running /scripts/easyapache.
Configuring of mod_security rules is accomplished through Security Center - ModSecurity Configuration. For most users, the basic rule set can be used.
Whitelisting rules is easy for even basic administrators. A free plugin for WHM can be installed to provide a web interface on whitelisting for users/accounts. Disabling per account can also be accomplished. Instructions and the download link can be found at: http://configserver.com/cp/cmc.html.
Securing SSH
Change the port that SSH runs on from port 22. Select a port that is less that 1024 and isn’t in use by another service. This can be changed at /etc/ssh/sshd_config. Also, use SSHv2 only as SSHv1 is not sure any longer.
Harden the /tmp partition
cPanel has a script that will take care of all security issues with /tmp. Via ssh, run /scripts/securetmp.
Other free utilities for cPanel:
ConfigServer Security and Firewall (CSF) – A free firewall, login/intrustion detection and security application. This can be used in conjunction with mod_security as well. Instructions and download links can be found at http://configserver.com/cp/csf.html.
ConfigServer Mail Manage – A free add-on for WHM. This provides the capability to manage cPanel user accounts without having to login to individual accounts (such as password changes, forwarding, filters, quotas). Instructions and and download links can be found at http://configserver.com/cp/cmm.html.
ConfigServer Mail Queues – Another free add-on for WHM. This provides the capability to monitor and manage the exim queue within WHM without having to know ssh commands. Instructions and download links can be found athttp://configserver.com/cp/cmq.html.
Maldet – Maldet is a malware scanner that is designed for web hosting environments. Can scan automatically and on demand as well as report without a quarantine or report with a quarantine. To install, do the following on SSH:
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -xvf maldetect-current.tar.gz# cd mald*# ./install.sh
All configurations are done through /usr/local/maldetect/conf.maldet, to include setting up email alerts, quarantine options, scan options and monitoring options.
