Server Hosting Secrets
March 10th, in cPanel, Tutorials.

CentOS cPanel Installation, Security and Optimization

cPanel is one of the most used control panels for web hosting providers, therefore I’m sharing a few security and optimization secrets learned over the years. This should get you started in the right direction.

Advanced Partitioning:

One of the key steps in securing and optimizing cPanel is the way your HDD is partitioned.
The table below details how you should partition a cPanel server; you should also check cPanel's documentation page.

Partition | Minimal Size      | Recommended Size   | Partition Contents
/boot     | 70 Megabytes (MB) | 200 Megabytes (MB) | Kernels, bootloader configuration file.
/         | 8 Gigabytes (GB)  | 14 Gigabytes (GB)  | Operating system core files.
/usr      | 8 Gigabytes (GB)  | 14 Gigabytes (GB)  | cPanel, Apache, Apache logs, and most applications.
/var      | 16 Gigabytes (GB) | 24 Gigabytes (GB)  | MySQL databases, cPanel configuration, system logs, mail queue, and rrd files.
/tmp      | 1 Gigabyte (GB)   | 2 Gigabytes (GB)   | Temporary files.
/home     | Fill to disk      | Fill to disk       | All cPanel user accounts.
swap      | 2x Memory (RAM)   | 2.5x Memory (RAM)  | Overflow from RAM contained on your disk.

If your server is not partitioned this way, you should reinstall with the proper partition scheme.

Pre-Installation Configuration:

Make sure that /etc/cpupdate.conf contains:

CPANEL=release

You will need to exclude a few packages from yum so that updates do not overwrite the versions cPanel manages. At the bottom of /etc/yum.conf add the following line:

exclude=apache* bind-chroot courier* dovecot* exim* httpd* mod_ssl* mysql* nsd* perl* php* proftpd* pure-ftpd* spamassassin* squirrelmail*

SELinux must be disabled. Edit /etc/selinux/config
and make sure it contains:

SELINUX=disabled

cPanel Installation:

In order to install cPanel you must run the following commands as root:

cd /home
wget -N http://layer1.cpanel.net/latest
sh latest

Securing and Optimizing cPanel:

First of all you will need to access the WHM interface of cPanel. This is done by opening https://IP:2087 in your favorite web browser; remember to replace IP with your server's IP address.
Now that you are in, let's start by tweaking cPanel's configuration a bit.
Navigate to: Main >> Server Configuration >> Tweak Settings
and make sure that the following options are configured like this:

Option Name                                                                                        | Option Value
BoxTrapper Spam Trap                                                                               | Not Checked
Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc.                   | Checked
The maximum each domain can send out per hour                                                      | 120
Allow Creation of Parked/Addon Domains that resolve to other servers                               | Not Checked
Prevent users from parking/adding on common internet domains                                       | Checked
Allow users to Park/Addon Domains on top of domains owned by other users                           | Not Checked
Validate the IP addresses used in all cookie based logins                                          | Checked
Only permit cpanel/whm/webmail to execute functions when the browser provides a referrer           | Checked
Require security tokens for all interfaces                                                         | Checked
Default catch-all/default address behavior for new accounts.                                       | Fail

At the bottom there is a Save button, don’t forget to click on it after you are done.

Navigate to: Main >> Security Center >> Compiler Access
And click on Disable compilers, this way users won’t be able to compile who knows what applications on your server.

Navigate to: Main >> Security Center >> Shell Fork Bomb Protection
And click on Enable Protection, this kind of protection is crucial if you allow users telnet/ssh access to the server.

Navigate to: Main >> Security Center >> Password Strength Configuration
Make sure that Default Required Password Strength is checked and raise the limit to at least 10.
Users will be forced to use more secure passwords, which reduces the risk of a successful brute-force attack.

Navigate to: Main >> Security Center >> Traceroute Enable/Disable
And make sure that Traceroute is disabled.

Navigate to: Main >> Service Configuration >> FTP Server Configuration
From here make sure that: Allow Anonymous Logins, Allow Anonymous Uploads and Allow Logins with Root Password are set to NO.

Navigate to: Main >> Service Configuration >> Exim Configuration Editor
And check the following options:
+ Automatically send outgoing mail from the account’s IP address instead of the main IP address.
+ Sender Verification
+ RBL: zen.spamhaus.org and rbl.spamcop.net
After you are done click on Save.

Navigate to:  Main >> Service Configuration >> cPanel Log Rotation Configuration
And make sure that all logs listed there are checked, then click on Save.

Securing /tmp
Edit /etc/fstab and make sure that the tmpfs entry for /dev/shm looks like this (mounted with noexec and nosuid so nothing dropped there can be executed or gain setuid privileges):

tmpfs                   /dev/shm                tmpfs   noexec,nosuid   0 0
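To verify the result rather than trusting the edit, here is an added check script (not part of the original post) that reads fstab-formatted lines and reports whether the /tmp and /dev/shm entries carry both noexec and nosuid; the sample fstab at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check /tmp and /dev/shm entries
# in fstab-formatted input for the noexec and nosuid mount options.

# has_hardening_opts OPTS: succeed only if OPTS lists both noexec and nosuid.
has_hardening_opts() {
    case ",$1," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$1," in *,nosuid,*) ;; *) return 1 ;; esac
    return 0
}

# check_fstab: read fstab lines from stdin, print OK/MISSING for each /tmp or
# /dev/shm entry, and return 1 if any such entry lacks the hardening options.
check_fstab() {
    rc=0
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac   # skip blank lines and comments
        case "$mnt" in
            /tmp|/dev/shm)
                if has_hardening_opts "$opts"; then
                    echo "OK      $mnt ($opts)"
                else
                    echo "MISSING $mnt ($opts)"
                    rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample fstab: /dev/shm is hardened, /tmp is not, so the check fails.
check_fstab <<'EOF' || echo "at least one temporary mount needs noexec,nosuid"
/dev/sda1   /          ext3    defaults          1 1
tmpfs       /dev/shm   tmpfs   noexec,nosuid     0 0
/dev/sda6   /tmp       ext3    defaults          1 2
EOF
```

On a live server run `check_fstab < /etc/fstab` for the configured state or `check_fstab < /proc/mounts` for what is actually mounted; both files share the same field layout.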

Disabling bandwidth usage reports
If you are not interested in the bandwidth used by users then you should consider disabling generation of rrd files:

touch /etc/rrdtooldisable

Disabling IPV6
If you don't plan on using IPv6 then this option should be disabled; here is how to do it on CentOS.
Edit /etc/modprobe.conf and add the following lines at the bottom:

install ipv6 /bin/true
alias net-pf-10 off
alias ipv6 off

Now make sure that the IPv6 firewall (ip6tables) is disabled:

chkconfig ip6tables off

Disabling unwanted services:
First download the following file: Services List
Now check if you are using any of the services listed there; if not, just copy and paste its content while logged in as root. A few of the services might fail to stop because they are not installed; don't worry about this, it is normal.

I’ll skip the firewall installation and configuration for now, that will be a different tutorial.
