WHM - Recommended Security Settings Checklists

 

Recommended Security Settings Checklists

Overview

This section contains suggestions that you can use to quickly reference whether you use the security settings that we recommend.

 

The Tweak Settings checklist

We recommend that you review the following settings in WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings) to help secure your server.

 

Setting Recommendation
Enable HTTP Authentication
If you enable this setting, WHM will allow HTTP Authentication for cPanel/WebMail/WHM Logins. We do not recommend that you enable this setting because certain types of XSRF attacks rely on cached HTTP Auth credentials. As long as you do not enable this setting, WHM will require cookie authentication, which helps to prevent certain types of attacks.
Off
Cookie IP Validation
If you enable this setting, WHM limits the ability of attackers who capture cPanel session cookies and attempt to access the cPanel and WHM interfaces. For this setting to work best, you should also disable proxy domains.
On
Proxy Subdomain Creation
If you disable this option, WHM removes the ability for cPanel, Webmail, WebDisk, and WHM proxy subdomain DNS entries to be added to new accounts.
Off
Require SSL
If you enable this option, WHM requires logins from remote locations to use SSL.
On
Security Tokens
If you enable this option, WHM will require you to use security tokens to access any cPanel & WHM associated interface. This helps to prevent XSRF attacks.
On
Block Common Domains Usage
If you enable this option, WHM will not allow users to add or park common Internet domains. For example, hotmail.com or google.com.
On
Initial default/catch-all forwarder destination
If you select Bounce for this option, the server will automatically discard unroutable email that is sent to email accounts that use default settings. This is the best option to protect your server against mail attacks.
Bounce

 

The Security Center checklist

We recommend that you also review the following settings in WHM's Security Center interface (Home >> Security Center) to help secure your server.

 

Setting Recommendation
Password Strength Configuration
This feature allows you to specify a minimum password strength for accounts that your server hosts.
A value of 50 or greater.
PHP open_basedir Tweak
If you enable this option, users must manually specify the open_basdirsetting in their relevant php.ini files if PHP is configured to run as a CGI, SuPHP, or FastCGI process.
Enabled
Apache mod_userdir Tweak
If you enable this option, users can not bypass bandwidth limits when they access their sites with a tilde (~), username, and hostname/ For example, http://example.com/~user).
Enabled
Compiler Access
When you disable compiler access for unspecified users, it will help prevent attacks on your server.
Disabled
Manage Wheel Group Users
This feature allows you to define which users can use the su command to become the root user.
Remove all users except for root and your main account.
Shell Fork Bomb Protection
If you enable this option, WHM will not allow users with terminal access from to use all of the resources on the server.
Note: If you enable this option, it may cause resource shortage problems as this setting heavily limits various resources.
Enabled
FTP Configuration Disable Anonymous FTP
Manage Shell Access Disable shell access for all other users.
cPHulk Brute Force Protection 
If you enable this option, use the White/Black List Management tab to add trusted IPs. This will prevent you from being locked out if someone attempts to brute force your server.
Enabled

 

 

Disable identification output for Apache

We recommend that you disable identification output for Apache. To change this setting:

 

  1. Log in to WHM and access the Apache Global Configuration feature (Home >> Service Configuration >> Apache Configuration >> Global Configuration).
  2. Select Off (PCI Recommended) from the ServerSignature menu.
  3. Click Save.

 

EasyApache configuration

When you configure EasyApache, include the following modules:

 

  • suPHP — This module causes PHP scripts to run as the owner of the script versus the nobody user.
  • Suhosin — This module is an advanced protection system for PHP installations. For more information, read the Suhosin website.
  • mod_security — This module is an open-source web application firewall. For more information, read cPanel's ModSecurity documentation.

 

We suggest that you do not include the following modules unless absolutely necessary:

  • mod_frontpage — We no longer provide FrontPage in EasyApache by default. The option will only be available in EasyApache if you install the Custom Module. We do not recommend that you install FrontPage as it may introduce a vulnerability to your server. FrontPage was End-Of-Lifed by Microsoft on June 30, 2006. Microsoft no longer releases updates or security patches for FrontPage.
  • mod_perl — This module allows unlimited control to scripts over the website, and it can be unsafe in a shared hosting environment.
  • mod_JK — This module runs code as a shared user and presents a security risk.
  • mod_Mono —This module runs code as a shared user and presents a security risk.
  • mod_Mono2 —This module runs code as a shared user and presents a security risk.
  • Xcache — This module has shared caching logic, and it is disabled by default.
  • EAccelerator — This module has shared caching logic, and it is enabled by default.
  • Any other modules that are marked as End-Of-Life or Deprecated.

Finally, we urge you to keep up to date with the most recent stable versions of software, such as PHP or Apache.

 

Additional documentation

 

Add comment


Security code
Refresh

Category: