Overview
This section is a checklist that you can use to quickly verify whether your server uses the security settings that we recommend.
The Tweak Settings checklist
We recommend that you review the following settings in WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings) to help secure your server.
| Setting | Description | Recommendation |
|---|---|---|
| Enable HTTP Authentication | If you enable this setting, WHM allows HTTP Authentication for cPanel, Webmail, and WHM logins. We do not recommend that you enable it, because certain cross-site request forgery (XSRF) attacks rely on HTTP Auth credentials that the browser caches and resends automatically. While it is disabled, WHM requires cookie-based authentication, which helps to prevent those attacks. | Off |
| Cookie IP Validation | If you enable this setting, WHM ties each cPanel session cookie to the client's IP address, which limits what an attacker who captures the cookie can do with it from another address. For this setting to work best, also disable proxy subdomains. | On |
| Proxy Subdomain Creation | If you disable this setting, WHM does not add the cpanel, webmail, webdisk, and whm proxy subdomain DNS entries to new accounts. | Off |
| Require SSL | If you enable this setting, WHM requires logins from remote locations to use SSL. | On |
| Security Tokens | If you enable this setting, WHM requires a per-session security token to access any cPanel & WHM interface. This helps to prevent XSRF attacks. | On |
| Block Common Domains Usage | If you enable this setting, WHM does not allow users to add or park common Internet domains (for example, hotmail.com or google.com). | On |
| Initial default/catch-all forwarder destination | If you select Bounce, the server rejects mail addressed to nonexistent mailboxes on accounts that use the default settings and returns a failure notice, instead of accepting it. Because the mail is never accepted, it does not consume disk space or queue resources. This is the best option to protect your server against mail attacks such as dictionary attacks and spam sent to nonexistent addresses. | Bounce |
The Security Center checklist
We recommend that you also review the following settings in WHM's Security Center interface (Home >> Security Center) to help secure your server.
| Setting | Description | Recommendation |
|---|---|---|
| Password Strength Configuration | Allows you to specify a minimum password strength for accounts that your server hosts. | A value of 50 or greater. |
| PHP open_basedir Tweak | If you enable this option, the open_basedir directive limits the files that a user's PHP scripts can open to that user's own directories. If PHP runs as a CGI, suPHP, or FastCGI process, users must manually specify the open_basedir directive in their relevant php.ini files. | Enabled |
| Apache mod_userdir Tweak | If you enable this option, users cannot bypass bandwidth limits by accessing their sites through the server's hostname with a tilde (~) and username (for example, http://example.com/~user). | Enabled |
| Compiler Access | If you disable compiler access for users that you have not explicitly allowed, an attacker who gains an unprivileged account cannot easily build exploit code on your server. | Disabled |
| Manage Wheel Group Users | Allows you to define which users can use the su command to become the root user. | Remove all users except root and your main account. |
| Shell Fork Bomb Protection | If you enable this option, WHM prevents users with terminal access from consuming all of the server's resources. Note: Because this setting heavily limits various resources, it may cause resource shortages for legitimate processes. | Enabled |
| FTP Configuration | | Disable Anonymous FTP. |
| Manage Shell Access | | Disable shell access for all users who do not need it. |
| cPHulk Brute Force Protection | If you enable this option, use the White/Black List Management tab to add your trusted IP addresses. This prevents you from being locked out of your own server if someone attempts to brute force it. | Enabled |
Disable identification output for Apache
We recommend that you disable identification output for Apache. To change this setting:
- Log in to WHM and access the Apache Global Configuration feature (Home >> Service Configuration >> Apache Configuration >> Global Configuration).
- Select Off (PCI Recommended) from the ServerSignature menu.
- Click Save.
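The WHM menu selection above writes the corresponding directive into the Apache configuration. As an added example (not from the original page), the following fragment shows the hardened directives beside the weak ones. It assumes a standard httpd.conf layout. ServerTokens, which controls the Server response header, is the companion setting to ServerSignature and is also exposed in the same WHM Global Configuration interface:

```apache
# Added example: the directives behind the hardened WHM selection.

# ServerSignature controls the footer on server-generated pages
# (error pages, directory listings). Off removes it entirely.
ServerSignature Off

# ServerTokens controls how much the Server: response header reveals.
# Prod (ProductOnly) sends "Server: Apache" with no version, OS, or
# module list. ServerTokens also caps what ServerSignature may show,
# so set the two together.
ServerTokens Prod

# Weak configuration for comparison (do not use): full build details
# in both the response header and the page footer.
# ServerSignature On
# ServerTokens Full
```

Do not hand-edit httpd.conf on a cPanel server: it is regenerated from templates, so make the change through WHM (or its include files) and then confirm it from outside the server with `curl -sI https://example.com/ | grep -i '^Server:'`, which should show only `Server: Apache`.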
EasyApache configuration
When you configure EasyApache, include the following modules:
- suPHP — This module causes PHP scripts to run as the owner of the script rather than as the nobody user.
- Suhosin — This module is an advanced protection system for PHP installations. For more information, read the Suhosin website.
- mod_security — This module is an open-source web application firewall. For more information, read cPanel's ModSecurity documentation.
We suggest that you do not include the following modules unless absolutely necessary:
- mod_frontpage — We no longer provide FrontPage in EasyApache by default; the option is only available in EasyApache if you install the Custom Module. We do not recommend that you install FrontPage, because it may introduce a vulnerability to your server: Microsoft ended support for FrontPage on June 30, 2006 and no longer releases updates or security patches for it.
- mod_perl — This module runs scripts inside the Apache process and gives them full control over it, which can be unsafe in a shared hosting environment.
- mod_JK — This module runs code as a shared user and presents a security risk.
- mod_Mono — This module runs code as a shared user and presents a security risk.
- mod_Mono2 — This module runs code as a shared user and presents a security risk.
- Xcache — This module uses caching logic that is shared by all users on the server. It is disabled by default.
- EAccelerator — This module uses caching logic that is shared by all users on the server. It is enabled by default, so deselect it unless you need it.
- Any other modules that are marked as End-Of-Life or Deprecated.
Finally, we urge you to keep up to date with the most recent stable versions of software, such as PHP or Apache.
Additional documentation