Secure SSH and harden the OS

Secure Shell, or SSH for short, is a remote administration protocol. It allows users to control servers remotely. In other words, whoever has SSH access, has the privilege to modify the system. Thus SSH access should only be given to trained professionals. In some cases, it would be better to turn off SSH completely to protect the system.

You can create SSH keys for the root user and disable password authentication for SSH via the WHM Password Authorization Tweak menu. You can also disable directory listing. Disabling it prevents attackers to see the stored files, therefore they will not be able to discover publicly accessible files or any other file information. You can also avoid using the standard port and use an alternative one.

You should harden your operating system to protect your system. One of the most important is to keep your operations always up to date, especially if there is a security patch released. Security patches aim to remove a vulnerability from the operating system and hackers might be aware of the situation.

There are also various settings you can change to secure your operating system further. You can disable password authentication for sshd and disable unnecessary applications or server functions. You can disable unnecessary ports to minimize the possibility of a breach. To be able to pinpoint any anomalies or possible intrusions, logs should be analyzed regularly.

One last thing you can do is to get backups frequently in case something goes wrong. Backups are the last resort but they can also save the system from many unexpected problems. Make sure that the backups you get don’t include malware and investigate the problem you are facing to be able to avoid it in the future.

Apache, web, and email security

Apache is a popular web server application and like other parts of the system, it should be updated and patched as soon as possible. To manage installations, updates, and configurations, you can use EasyApache.

To conceal your files against hackers, you can disable directory listing. If you don’t disable it, third parties will be able to discover publicly accessible files or will be able to use the file information as leverage. You can disable directory listing by changing the line in the /etc/httpd/conf/httpd.conf from

Options Indexes FollowSymLinks

to

Options FollowSymLinks

You can also decrease your attack surface by disabling the modules that you don’t need. By disabling server-info, you can prevent attackers from seeing server version information, thus they won’t be able to identify vulnerabilities in that version. In the WHM, you can go to Service Configuration – Apache Configuration – Global Configuration Documentation menu and disable signatures, eversion, tokens, tracing, and enable symbolic link protection.

When hackers can’t find any technical weaknesses, sometimes they may look for a human error to be able to attack a system. One of the most popular methods is phishing, which in this scenario aims to make an employee click a link that would install malware to the system. Recently, many organizations suffered serious ransomware attacks.

To avoid these kinds of situations, you can use email filters and web content filters to prevent users from accessing these web content. You can also implement Sender Policy Framework and Sender Policy Framework to stop attackers from targeting employees.

TMP Partition and Restrict System Compilers

TMP directory is used as temporary storage. It is used during the installation of an application that needs to store temporary files. However, if a hacker manages to compromise a server and run applications, they can store malicious files in this directory. To harden the TMP folder, you can create a separate partition for it. You can also change the partition to non-executable. Finally, you can also improve its security with the following scripts of the custom script from /usr/local/cpanel/scripts/securetmp;

/usr/local/cpanel/scripts/securetmp --help
/usr/local/cpanel/scripts/securetmp - secure /tmp and /var/tmp

Another essential thing you can do to harden your system is to restrict system compiles, which is a program that translates a programming language code to binaries. If you don’t restrict it, a hacker can run its own code on your server. In most cases, a hosting server doesn’t need compilers. From the WHM interface, you can disable compilers for unprivileged users via The Compilers Tweak option in the Security Center of WHM.

IP addresses and insecure encryption ciphers

Managing IP addresses is an important part of server security. Web servers have public and private IP addresses. The private IP address should be restricted to only administrator and client applications that need access to the host. Apache listens to a specific port by default, you can limit port 80 for external IP addresses only. You can use the following httpd directive and Apache will listen to port 80 on an external IP;

Listen 203.0.113.8

If you want your web host server to be completely secure, the server should be configured to support Transport Layer Security version 1.2, according to The National Institute of Standards and Technology. Older versions can cause an attacker who is on the same network or WiFi hotspot to perform a downgrade attack. You can disable insecure ciphers from the WHM in the Service Configuration – Apache Configuration – Global Configuration Documentation – SSL Cipher Suite menu.

Firewall settings and WAF

With a hardware firewall, you can block all unwanted traffic from reaching the server. For web servers, ports 80 and 443 are necessary, you can block other ports, including telnet and FTP. Alternatively, you can use secure SFTP, port 22, for managing files via the file transfer protocol.

To secure your server, you will also need a Web Application Firewall, or WAF for short, which is responsible for protecting the webserver from application-based threats, including malicious SQL inputs. WAF is also capable of checking for viruses in uploads, forces TLS connections, preventing cross-site scripting, and reporting traffic requests which can be used to identify malicious hosts, IP addresses, and clients.

Passwords and application updates

Customer and administrator passwords should be strong, complex, and long, and should be hashed with a secure cipher approved by NIST. Generally, 12-character long complex passwords are considered strong. To store passwords safely, they should be salted and hashed with SHA2 or SHA3 or some other secure cipher approved by NIST.

As we mentioned above, keeping your applications updated protects you and that includes cPanel too. You can update cPanel from WHM or manually. To see the current cPanel version that you are using you can use the command;

/usr/local/cpanel/cpanel -V

And if you need to update you can run the command;

/usr/local/cpanel/scripts/upcp

Brute-force protection, cPanel Security Advisor, and security tools

Strong passwords are important but they can not be enough by themselves. In this case, you may need an additional solution against brute force attacks. Luckily, cPanel comes with cPHulk Brute Force Protection, a tool to help web servers mitigate brute force attacks. Imunify360 also offers brute force protection. It also provides an Intrusion Prevention and Detection system, malware scanner, WAF, antivirus, a network firewall, and patch management solutions.

If you are still unsure what might be a weak spot in the system, you can take a look at Security Advisor, under the Security Center menu of WHM. It lists safety concerns, potential misconfigurations with suggestions. It can be configured to send alerts.