cPanel & WHM 11.32
Installation Guides
cPanel User Guide
WHM User Guide
Apache & WHM
Change Log
Software Development Kit
Enkompass
Installation Guide
Help Files & Glossary
Change Log
Additional Documentation
PCI Compliance
cPanel Game Server (cPGS)
All English Documentation
Español – Documentación completa
RSS Feed
Installation Guides
cPanel User Guide
WHM User Guide
Apache & WHM
Change Log
Software Development Kit
Enkompass
Installation Guide
Help Files & Glossary
Change Log
Additional Documentation
PCI Compliance
cPanel Game Server (cPGS)
All English Documentation
Español – Documentación completa
RSS Feed
Recommended Security Settings Checklists
For WHM version 11.32 This section contains 2 checklists that you can use to quickly reference whether or not you are using our recommended security settings. You can find additional information about each of these configuration options in this document set.The Tweak Settings Checklist
This checklist pertains to the Tweak Settings interface of WHM. You can access the Tweak Settings interface at Main >> Server Configuration >> Tweak Settings.| Setting | Recommendation |
|---|---|
| Enable HTTP Authentication Leaving this option disabled enables cookie authentication, helping to prevent certain types of XSRF attacks. |
Off |
| Cookie IP Validation Enabling this option limits the ability of attackers who capture cPanel session cookies and attempt to access the cPanel and WHM interfaces. For this setting to work best, you should also disable proxy domains. |
On |
| Proxy Subdomain Creation Disabling this option prevents cPanel, webmail, webdisk, and WHM proxy subdomain DNS entries from being added to new accounts. |
Off |
| Require SSL Enabling this option requires logins from remote locations to use SSL. |
On |
| Security Tokens Enabling this option requires that security tokens be used to access any interface associated with cPanel & WHM. This helps to prevent XSRF attacks. |
On |
| Block Common Domains Usage Enabling this option prevents users from adding or parking common Internet domains, such as hotmail.com or google.com. |
On |
| Initial default/catch-all forwarder destination Selecting Bounce for this option causes the server to automatically discard unroutable email sent to your server's new accounts. This option is the best at protecting your server against mail attacks. |
Bounce |
The Security Center Checklist
You can access WHM's Security Center features at Main >> Security Center. Many of these features will help to secure your server.| Setting | Recommendation |
|---|---|
| Password Strength Configuration This feature allows you to specify a minimum password strength for accounts hosted by your server. |
A value of 50 or greater. |
| PHP open_basedir Tweak Enabling this option requires users to manually specify the open_basdir setting in their relevant php.ini files if PHP is configured to run as a CGI, SuPHP, or FastCGI process. |
Enabled |
| Apache mod_userdir Tweak Enabling this option prevents users from bypassing bandwidth limits by accessing their sites using a tilde (~), username, and hostname (e.g. http://example.com/~user). |
Enabled |
| Compiler Access Disabling compiler access for unspecified users will help prevent attacks on your server. |
Disabled |
| Manage Wheel Group Users This feature allows you to define users who can use the su command to become the root user. |
Remove all users except for root and your main account. |
| Shell Fork Bomb Protection Enabling this option prevents users with terminal access from using all of the resources on the server.  Note: Enabling this option may cause resource shortage problems as this setting heavily limits various resources. |
Enabled |
| FTP Configuration | Disable Anonymous FTP |
| Manage Shell Access | Disable shell access for all other users. |
| cPHulk Brute Force Protection If you enable this option, you should add trusted IPs using the White/Black List Management tab. This will prevent you from being locked out if someone attempts to brute force your server. |
Enabled |
Disable Identification Output for Apache
- Log into WHM and access the Apache Global Configuration feature (located at Main >> Service Configuration >> Apache Configuration >> Global Configuration).
- Select Off (PCI Recommended) from the ServerSignature pull-down menu.
- Click Save.
EasyApache Configuration
When you configure EasyApache, you should include the following modules:- suPHP — This module will cause PHP scripts to run as the user who owns the script versus the system user known as nobody.
- Suhosin — This module is an advanced protection system for PHP installations. Read more at the Suhosin website.
- mod_security — This module is an open source web application firewall. Read more at modsecurity.org. You may also wish to read our forum post about mod_security.
Topic revision: r12 - 22 Apr 2011 - 18:08:57 - Main.RosieArcelay
AllDocumentation/WHMDocs.SecureServerChecklists moved from Sandbox.SecureServerChecklists on 16 Jul 2010 - 18:31 by Main.JustinSchaefer - put it back
Copyright © cPanel 2000–2011.