cPanel Hardening
Tweak Settings
Disabled unnecessary stats programs
- Enable Analog Stats – Off
- Enable Awstats stats – Off
Email Security Tweaked
- Enable DKIM on domains for newly created accounts – On
- Enable SPF on domains for newly created accounts – On
- BoxTrapper Spam Trap – Off
- Initial default/catch-all forwarder destination – Fail
- Track email origin via X-Source email headers – On
- Enable Apache SpamAssassin™ spam filter – On
Blank referrer safety check – On
Referrer safety check – On
Misc Security Settings
- Use cPanel jailshell by default – On
- Include password in the raw log download link in cPanel (via FTP) – Off
- Limit Server Status Allowed IPs
Allow server-info and server-status – server IP only.
Spam/Abuse related settings
- Max hourly emails per domain – 100
- Count mailman deliveries towards a domain’s Max hourly emails - On
- Maximum percentage of failed or deferred messages a domain may send per hour – 25%
Prevent “nobody” from sending mail – On
Allow users to relay mail if they use an IP address through which someone has validated an IMAP or POP3 login within the last hour (Pop-before-SMTP) – Off
Add X-PopBeforeSMTP header for mail sent via POP-before-SMTP – Off
Prefix “mail.” onto Mailman URLs – On
WHM Security
- Apache mod_userdir Tweak – On
- Compiler Access – Off
- Shell Fork Bomb Protection – On
- Two factor authentication – Enable
- Password Strength Configuration - 65
cPHulk Brute Force Protection
- Brute Force Protection Period (in minutes): 5
- Maximum Failures by Account: 15
- IP Address-based Brute Force Protection Period (in minutes): 15
- Maximum Failures per IP Address: 5
Apache Configuration > Global Configuration > TraceEnable and change the value to ‘Off’.
Apache Configuration > Global Configuration > ServerTokens and change the value to ‘ProductOnly’.
Check apache for FileETag
Go to WHM > Apache Configuration > Global Configuration > FileETag and change the value to ‘None’.
Check mod_userdir protection
Go to WHM > Security Center > mod_userdir Tweak , Tick the ‘Enable mod_userdir Protection’ box.
Click Restart apache button after saving the above configurations
Check php for disable_functions
Add the below functions to ‘php.ini’ file
vi /usr/local/lib/php.ini
show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open
Check php open_basedir protection
Go to WHM > Security Center > php open_basedir Tweak
Tick ‘Enable php open_basedir protection’ and click save
Check cPanel login is SSL only
Go to WHM > Tweak Settings / Select ‘Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.’ option and click ‘Save’
Check boxtrapper is disabled
WHM > Tweak Settings > BoxTrapper Spam Trap /Select ‘off’ option and click ‘Save’
Check max emails per hour is set
Go to WHM > Tweak Settings > The maximum each domain can send out per hour / Limit mail sending limit to your desired value and click ‘Save’
Example: 150
Check compilers
Go to WHM > Security Center > Compilers Tweak, Click Disable compilers
Check FTP Logins with Root Password
Go to WHM > FTP Server Configuration > Allow Logins with Root Password and select ‘No’
Click save
Check proxy subdomains
Go to WHM > Tweak Settings > Proxy subdomains and select ‘No’
Select ‘Save’
Check Cookie IP Validation
Go to WHM > Tweak Settings > Cookie IP validation and select ‘Stirct’ and click ‘save’
Check Referrer Blank Security
Go to WHM > Tweak Settings > Blank referrer safety check and click ‘On’ and click ‘save’
Go to WHM > Tweak Settings > Referrer safety check and click ‘On’ and select ‘save’
Go to WHM > Tweak Settings > Hide login password from cgi scripts and select ‘On’ and click ‘save’
Check SMTP Restrictions
Go to WHM > Security Center > SMTP Restrictions and select ‘Disable’ button
Disable shell access for all accounts(except root)
You can disable shell access for all accounts via Home >> Account Functions >> Manage Shell Access
Select the radio button on “Disable shell’ and click ‘Apply to all’
Restart csf once all the above steps has been completed.
Restart csf via the command ‘csf -r’