Ever since the introduction of VPS (Virtual Private Server) it has been the preferred hosting solution for SMEs, bloggers, and marketplaces. VPS combines the features of both Shared Hosting and Dedicated Server. Virtual host can be an excellent solution for websites where control and resources are a prerequisite. Security is one of the major concerns for users of VPS. However, you can take care of it with some essential steps.

people helping office

cPanel

cPanel is a Linux based web hosting control panel that offers a graphical interface and automation tools designed to make the process of hosting a website simpler. The control panel of a hosting account is the key to managing elementary parts of the hosting service, and it allows the user to manage the settings for one hosting directory.

Why is it Important to Secure your cPanel?

With cyberattacks growing each year, server security is something that every admin should take seriously.

There are no specific number of ‘things’ a VPS user can do to secure their server. However, there are certain practices that a system administrator must know of and apply.

Ways to Secure VPS cPanel


1. Use Latest Version of cPanel

Securing a VPS cPanel is a continuous process, and updating your system is the first step to bridging its vulnerabilities. Keep the cPanel updated to the latest version. It will fix security vulnerabilities, resolve technical errors (if any) and minimize the chance of a cyber-attack.

  • Update cPanel Manually

Update the cPanel manually by going to ‘WHM > cPanel > Upgrade to Latest Version’

  • Update cPanel using Command Line

Log into the server through SSH as a Root user. Once you are connected, run the following command –

# /scripts/upcp

Alternatively, you can force an update by running the following command –

# /scripts/upcp –force

  • Enable Daily Updates

Enable daily updates by going to ‘WHM > Server Configuration > Update Preferences’

2. Use SSL

It is advisable to use SSL (Secure Sockets Layer) to secure your connection when accessing the cPanel. SSL will encrypt the usernames and passwords used on the website and keep them out of hackers’ reach. Here’s how you can configure redirection parameters:

  • Log in to your cPanel using the URL; it is ‘https://example:2087’ typically (where ‘example’ is the actual IP address of your virtual server)
  • Navigate to Server Configuration > Tweak Settings
  • Under the redirection tab, toggle the ‘Always redirect to SSL’ option from off to on

3. Move SSH to a Different Port

SSH is Secure Shell and is a protocol which is always running on a Virtual Host. Secure Shell is used to operate cPanel securely over an unsecured network. Since SSH is always running, it is often targeted by hackers. To secure SSH configuration, it is important to move the SSH port from its default address to deter anyone from discovering the active SSH port.

Changing the default port from 22 to a different port will prevent hackers from running malicious scripts from directly connecting to the port.

Use following methods to change the default port for SSH:

To change port number /etc/ssh/sshd_config

Change Port 22 to a port which is not being utilized by any other service.

Restart service sshd restart

Furthermore, you can implement the following actions –

  • Disable password-based authentication and instead use key pairs for logging in
  • Install intrusion-detection software such as fail2ban or DenyHosts

Note – Make sure you allow the new port in the server firewall. Do not end the current SSH connection in the process of testing the new port to avoid any redundant outcome.

4. Secure Apache and PHP

The most effortless way to access a web server is through the web server application, so it is imperative to keep Apache secured. There are several ways to secure your Apache installation:

  • Use mod_security add on

Mod_security is an Apache module that aids in safeguarding your website from various attacks. It is used to block known exploits by use of regular expressions and rule sets. Mod_security can prevent common code injection attacks and safeguard your VPS server. To install mod_security module, follow the steps mentioned below –

Login to your VPS as root via SSH

yum install mod_security

Verify if mod_security was loaded with your Apache

apachectl -M | grep --color sec

If you see ‘security2_module (shared)’, it indicates that the module was loaded

Restart Apache

systemctl restart apache2

systemctl restart httpd

Use EasyApache

cPanel includes EasyApache for rapid building and compiling of new versions of Apache server and PHP scripting language. System administrators must also contain any potentially malicious PHP scripts within their home directory to prevent them from opening anywhere else. To do this, navigate to PHP open_basedir Tweak command in the ‘Security Centre’ of your cPanel. Check and save the following option:

Enable php open_basedir Protection

5. Disable Anonymous FTP access

Disabling anonymous FTP access will prevent anonymous users from uploading files to your server. Log in to your cPanel, and go to ‘WHM > Server Configuration > FTP Server Configuration’ and toggle the following options –

  • Allow Anonymous Logins > No
  • Allow Anonymous Uploads > No

6. Secure Password

Maintain a strong password policy for all accounts as simple passwords can be easily read by hackers using brute-force attacks.

Users can set up a password policy by editing Pluggable Authentication Manager (PAM) configuration file. The location for PAM file in the following Linux distros –

For CentOS/RHEL

/etc/pam.d/system-auth

For Ubuntu/Debian

/etc/pam.d/common-password

In the above PAM configuration file, add the following lines to implement the use of minimum quantity of numbers, special characters, and uppercase letters.

password requisite pam_cracklib.so retry=3 minlen=10 difok=4 ucredit=3 dcredit=2 ocredit=1

Furthermore, you can test the security of the password using John the Ripper Password Cracker. If your password gets broken in a few hours, then it is insecure to use it to access your VPS server.

7. Enable cPHulk

cPHulk is a service that protects a web server from Brute Force attacks by blocking suspect IP addresses for a particular amount of time. Brute force attack is a hacking method which uses an automated system to guess the password of the web servers.

Access cPHulk by the logging in to your cPanel –

WHM > Security Centre > cPHulk Brute Force Protection

Toggle cPHulk Brute Force Detection to ‘On’

8. ClamAV Antivirus

Installing an antivirus is always a good practice as it can check for vulnerabilities and scan for infected files. Even if a web server is not infected or compromised, it can still be used to host a virus which can infect the visitors to your website.

As an open source antivirus engine, ClamAV is used for detecting trojans, viruses, malware and other malicious threats. ClamAV is accessible on cPanel servers as a plugin and can be enabled in the following steps:

  1. Navigate to WHM > cPanel > Manage Plugins
  2. On ClamAV Plugin, select ‘Install and Keep Updated’ and click on ‘Save’
  3. After ClamAV plugin is installed, reload the cPanel, so that main menu is updated
  4. Search for ClamAV and click on ‘Configure ClamAV Scanner’
  5. Select all four options and save

9. Secure TMP

Temporary directories such as /tmp offer a platform for hackers to run programs and scripts which can be used to abuse a web server. Any system administrator who knows the importance of web security will use a separate partition for /tmp with limited permissions that is mounted with NOSETUID.

NOSETUID will force any process to run with the privileges of its executor. Alternatively, the user can also mount /tmp withnoexec on cPanel.

Log in to your VPS with Root privilege using SSH, and edit the ‘fstab’ file

nano /etc/fstab

  • Find the /tmp line and make a 3GB file for /tmp partition and an ext3 filesystem for tmp –

# dd if=/dev/zero of=/dev/tmpNEW bs=1024 count=3000000

# /sbin/mkfs.ext3 /dev/tmpNEW

  • Create a backup copy of your existing /tmp drive

# cp -Rpf /tmp /tmpbackupOLD

  • Mount the new /tmp partition and change the permissions

# mount -o loop,noexec,nosuid,rw /dev/tmpNEW /tmp

# chmod 1777 /tmp

  • Copy old data

cp -Rpf /tmpbackupOLD/* /tmp/

  • Edit the fstab file and add the following line

/dev/tmpMnt /tmp ext3 loop,nosuid,noexec,rw 0 0

10. Firewall

Enable firewall to limit access to your server and prevent unauthorized applications, plugins, scripts, and daemons from running in the background. Furthermore, it is advisable to remove all unused services and daemons from your web server or limit them from unwanted access. Most system administrators use CSF (ConfigServer Security and Firewall) for a firewall. To install CSF, follow the steps mentioned below –

  • Login to your VPS server as a Root User using SSH
  • Type the following commands

wget http://www.configserver.com/free/csf.tgz

tar -xzf csf.tgz

cd csf

sh install.sh

  • After the installation is finished, you can enable the firewall from your cPanel
  • Search for plugins, select ConfigServer Security and Firewall and configure the settings as per your requirement

Security should be your first priority when you buy a VPS hosting plan. The security fixes mentioned above are essential for a secure VPS cPanel and a hacker-proof website. However, you can always customize these security settings as per your need and configure the cPanel of your virtual host accordingly. Also you can be more proactive and implement novel solutions for a robust web server.

About the author

Alex Roman

Independent graphic artist and architect based in Bucharest. I really love what i do!

Follow me on Instagram and Facebook.

Post a comment

Comments

  • There are no comments, be first to comment!