cPanel Server Hardening

Performing some basic cPanel server hardening steps is essential in protecting your server and its hosted content from unwanted access. Whilst the steps below are no guarantee that your server will not be accessed by intruders or used for rogue activities, these are some of the good practices you can follow to help minimise the potential for your server getting hacked or compromised.

1) Use Super Strong Passwords

This seems pretty obvious but it is still surprising just how many people don’t get the strong password message, even when managing hosting servers that are fully accessible from the web.

Using strong passwords is the first level of defence when it comes to protecting your information, and if you’re not willing to take notice then you should give up now and maybe become a gardener or something. A strong password contains at least 8 characters (the more the better) in a combination of upper and lowercase letters, plus numbers, plus symbols.

In addition to this, if you run multiple servers, you should NOT be using the same root password for all servers. As long as you carefully manage your logins, you should be able to safely use a different strong password for each server, so if one gets breached, it doesn’t mean the whole lot goes down.

Bloomberg Businessweek recently posted this information on their website with regards to password strength and how long a password takes to crack:

Most-used passwords: 123456, password, 12345678, qwerty, abc123

Time it takes a hacker’s computer to randomly guess your password:

Password length:      6           7          8           9
Lowercase             10 minutes  4 hours    4 days      4 months
+ Uppercase           10 hours    23 days    3 years     178 years
+ Nos. & Symbols      18 days     4 years    463 years   44,530 years

Average amount it costs a business to field a phone call requesting a password reset: $10
Proportion of help desk calls that are password-related: 30%
Users who choose a common word or simple key combination for a password: 50%

Data: Gartner, Forrester, Duo Security, Imperva, LastBit Software

2) Install ModSecurity and Suhosin

Installing ModSecurity and Suhosin is a must if you are serious about cPanel server hardening and protecting your hosted websites’ code from exploitation. These two applications working together protect both your PHP installation from undesired config changes, as well as your web applications. Used in conjunction with a software firewall such as ConfigServer Security & Firewall, they’ll stop a large chunk of attempted attacks dead in their tracks. This of course does not mean that websites can get away with not updating themselves, but it certainly helps along the way.

Both ModSecurity and Suhosin can be easily installed onto your cPanel server using the built-in EasyApache application as part of your initial server setup. Once installed, you should then consider installing Gotroot’s ModSecurity rules, which provide a significantly enhanced level of protection while minimising false positives. You can also use Suhosin to disable the use of custom php.ini files, which prevents clients making ill-advised and insecure adjustments to the PHP settings for their account.

3) Install A More Advanced Firewall

While Linux’s included iptables is a very effective network security tool, managing and configuring it can be made significantly easier by installing an application called ConfigServer Security & Firewall (CSF), which has a plugin management interface for cPanel. Not only does CSF provide much greater control over how your server handles various intrusion attempts, it also comes with a full security assessment tool that will guide you through various security hardening steps.

Installing ConfigServer applications is pretty simple and can be done in only a few steps. They also offer a few other free applications, such as ModSecurity Control, which can make the day-to-day management of your security setup much easier.

4) Disable SSH Password Login

Using encrypted SSH keys and disabling SSH password login removes another possible “in” for the wannabe hacker. Once this is configured, only people that have an authorised SSH key will be able to log in to the server via SSH. Obviously this then means you need to be very careful of where and how you keep your SSH keys to ensure they are safe from data thieves.

5) Changing The Default SSH Port

Now that you’ve disabled SSH password logins, the next thing to do to improve your security is move SSH off the default port, which is TCP 22. You can choose whichever port you like, however you need to make sure that no other service is using that port to avoid any conflicts.

To change this on a cPanel server, just open /etc/ssh/sshd_config and change the “Port” value to the port you wish to use. Make sure there is no # in front of that setting (a leading # marks the line as a comment, so the setting is ignored), then save the file and restart the SSH service. IMPORTANT: Make sure you have opened the TCP port in your firewall before restarting SSH, otherwise you can lock yourself out of the server.
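Steps 4 and 5 above, worked through as an added shell example (not part of the original article): it edits a copy of sshd_config so that password logins are off and SSH listens on a new port, and checks that the port appears in the TCP_IN line of a CSF config before you restart SSH. The sample config contents and the 2222 port are constructed for the demonstration; on a real server you would point the functions at copies of /etc/ssh/sshd_config and /etc/csf/csf.conf.

```shell
#!/bin/sh
# Added example, not the article's own code. Works only on the files passed as
# arguments; try it on copies of /etc/ssh/sshd_config and /etc/csf/csf.conf.

# Remove every existing line (active or commented out) for the three directives,
# then put the hardened values at the top of the file. sshd uses the first value
# it sees for a directive, and placing them first also keeps them out of any
# Match block that may sit at the end of the file.
harden_sshd_config() {
    cfg="$1"; port="$2"
    grep -Eiv '^[[:space:]]*#?[[:space:]]*(Port|PasswordAuthentication|PubkeyAuthentication)[[:space:]]' \
        "$cfg" > "$cfg.tmp" || true
    {
        echo "Port $port"
        echo "PubkeyAuthentication yes"
        echo "PasswordAuthentication no"
        cat "$cfg.tmp"
    } > "$cfg"
    rm -f "$cfg.tmp"
}

# Effective value of a directive: first uncommented occurrence, as sshd reads it.
# Prints nothing when only a commented-out "#Port 22" style line exists.
sshd_setting() {
    grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# Is the TCP port listed in the TCP_IN line of a csf.conf? Exit status 0 means
# yes, so the SSH restart can be refused when the firewall would lock you out.
# Port ranges such as 30000:35000 are not expanded by this simple check.
csf_allows_tcp_in() {
    sed -n 's/^TCP_IN *= *"\(.*\)"/\1/p' "$1" | tr ',' '\n' | grep -qx "$2"
}

# Constructed sample files standing in for the real ones.
make_sample_sshd_config() {
    printf '%s\n' '#Port 22' '#PasswordAuthentication yes' \
        'PasswordAuthentication yes' 'UsePAM yes' > "$1"
}
make_sample_csf_conf() {
    printf '%s\n' 'TESTING = "0"' 'TCP_IN = "20,21,22,25,53,80,110,143,443,2222"' > "$1"
}
```

After running harden_sshd_config on a copy, validate the copy with `sshd -t -f <copy>` before moving it into place and restarting the service.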