This feature is provided by CSF, which integrates a user interface into WebHost Manager (WHM). You can find the ConfigServer Security & Firewall link in the Add-ons section of WHM. Once there, the first button performs the security check. The checks are the basic guidelines that ConfigServer puts forward for maintaining a healthy hosting environment. Most of the time the results of the security check are below par, which is why I wrote this article. The security score can be raised considerably with a few quick steps, as follows:
1. Check csf LF_SCRIPT_ALERT
This is the first warning message you might encounter. In this case you can either use the configuration editor option on the page, or log on to the server via SSH and follow the commands:
and search for LF_SCRIPT_ALERT and change the value from 0 to 1.
2. Check csf PT_ALL_USERS
While you are in the configuration menu, you can also make sure that PT_ALL_USERS is enabled by changing the value from 0 to 1.
3. Check MySQL LOAD DATA
For the above error you will need to edit the MySQL configuration as:
and insert the entry:
under the [mysqld] section, then restart the MySQL service.
4. Check for IPv6
If there are no active IPv6 users, you can disable this feature using the commands:
service ip6tables stop
chkconfig ip6tables off
5. There are a few more suggestions on SSH configuration, but these are a personal choice and won't do much harm to the score.
6. Check Background Process Killer
Another wonderful tool from cPanel. You can use WHM (root login) to kill the processes; once the processes are selected, save the entries and go back to the security check.
7. Check exim for extended logging (log_selector)
This feature gives you more information from the header entries. For this to work you can either use:
or use WHM > Exim Configuration Editor and add the entry:
log_selector = +arguments +subject +received_recipients
in the first text box on the configuration editor page.
8. Apache Checks
Here are the next few sections, where you will be required to run the latest version (Apache v2.2 for now) and also enable suPHP with PHP 5 as the default. This will depend on how your scripts are set to behave.
Next, we need to update the SSL.conf file on the server to reflect the following changes:
* Add -SSLv2 to SSLCipherSuite
* Set TraceEnable to Off
* Set ServerSignature to Off
* Set ServerTokens to ProductOnly
* Set FileETag to None
Once this is done, save the file and restart the Apache service.
This can also be done via WHM > Apache Configuration > Global Configuration.
9. Coming to the WHM settings:
- Update WHM to the latest version
- Disable the BoxTrapper spam trap via WHM > Tweak Settings
- Disable the option to retrieve the cPanel password via email
- Disable anonymous login via the FTP Configuration menu in WHM, or use /etc/pure-ftpd.conf or /etc/proftpd.conf
- Disable logins to FTP as root (again using WHM > FTP Configuration menu)
- Enable security tokens: WHM > Tweak Settings > Require security tokens
- Enable "Only permit cpanel/whm/webmail to execute functions when the browser provided referrer (Domain/IP and Port) exactly matches the destination URL"
- Enable "Validate the IP addresses used in all cookie based logins" in the Tweak Settings menu
10. Finally, disable the services that are not required:
service cups stop
chkconfig cups off
service xfs stop
chkconfig xfs off
service atd stop
chkconfig atd off
service nfslock stop
chkconfig nfslock off
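
To confirm from the shell that the values from steps 1, 2 and 8 are in place before re-running the security check, here is a small audit script. It is an added example, not part of CSF or cPanel; the file paths are passed in as arguments, the sample files are constructed, and accepting "!SSLv2" as well as "-SSLv2" is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit the csf.conf and Apache values named in steps 1, 2 and 8.

# Print the last uncommented value of KEY = "value" in a csf.conf-style file.
csf_value() {
    awk -F'"' -v k="$2" '$1 ~ "^[ \t]*" k "[ \t]*=" { v = $2 } END { print v }' "$1"
}

# Print the last uncommented value of an Apache directive (names are case-insensitive).
apache_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# audit CSF_CONF APACHE_CONF: print one FAIL line per finding, return the count.
audit() {
    fails=0
    for key in LF_SCRIPT_ALERT PT_ALL_USERS; do
        [ "$(csf_value "$1" "$key")" = "1" ] ||
            { echo "FAIL csf: $key is not 1"; fails=$((fails + 1)); }
    done
    while read -r name want; do
        got=$(apache_value "$2" "$name" | tr 'A-Z' 'a-z')
        [ "$got" = "$(echo "$want" | tr 'A-Z' 'a-z')" ] ||
            { echo "FAIL apache: $name should be $want"; fails=$((fails + 1)); }
    done <<EOF
TraceEnable Off
ServerSignature Off
ServerTokens ProductOnly
FileETag None
EOF
    case "$(apache_value "$2" SSLCipherSuite)" in
        *-SSLv2*|*!SSLv2*) ;;   # "!" also excludes the suite in OpenSSL syntax
        *) echo "FAIL apache: SSLCipherSuite does not exclude SSLv2"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample files (not from a real server): two settings are left weak.
demo_dir=$(mktemp -d)
printf '%s\n' 'LF_SCRIPT_ALERT = "1"' '# PT_ALL_USERS = "1"' 'PT_ALL_USERS = "0"' > "$demo_dir/csf.conf"
printf '%s\n' 'TraceEnable Off' 'ServerSignature On' 'ServerTokens ProductOnly' \
    'FileETag None' 'SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-SSLv2' > "$demo_dir/httpd.conf"
audit "$demo_dir/csf.conf" "$demo_dir/httpd.conf" || echo "$? finding(s)"
```

On a real server, call audit with the actual csf.conf and Apache configuration file paths; the exit status is the number of failed checks.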