CentOS cPanel Installation, Security and Optimization
cPanel is one of the most used control panels among web hosting providers, so I'm sharing a few security and optimization secrets learned over the years. This should get you started in the right direction.
Advanced Partitioning:
One of the key features in securing and optimizing cPanel starts with the way your HDD is partitioned.
I made a table detailing how you should partition a cPanel server; you should also check cPanel's documentation page.
| Partition | Minimal Size | Recommended Size | Partition Contents |
|---|---|---|---|
| /boot | 70 Megabytes (MB) | 200 Megabytes (MB) | Kernels, bootloader configuration file. |
| / | 8 Gigabytes (GB) | 14 Gigabytes (GB) | Operating system core files. |
| /usr | 8 Gigabytes (GB) | 14 Gigabytes (GB) | cPanel, Apache, Apache logs, and most applications. |
| /var | 16 Gigabytes (GB) | 24 Gigabytes (GB) | MySQL databases, cPanel configuration, system logs, mail queue, and rrd files. |
| /tmp | 1 Gigabyte (GB) | 2 Gigabytes (GB) | Temporary files. |
| /home | Fill to disk | Fill to disk | All cPanel user accounts. |
| swap | 2x Memory (RAM) | 2.5x Memory (RAM) | Overflow from RAM contained on your disk. |
If your server is not partitioned this way, you should reinstall with the proper partition scheme.
Pre-Installation Configuration:
Make sure that /etc/cpupdate.config contains:
CPANEL=release
You will need to exclude a few packages from yum so that it does not overwrite what cPanel installs; at the bottom of /etc/yum.conf add the following line (yum's documented key name is lowercase, exclude=):
exclude=apache* bind-chroot courier* dovecot* exim* httpd* mod_ssl* mysql* nsd* perl* php* proftpd* pure-ftpd* spamassassin* squirrelmail*
SELinux must be disabled; edit /etc/selinux/config and make sure it contains:
SELINUX=disabled
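The three pre-installation settings above are easy to get subtly wrong (a capitalized key, a pattern missing from the exclude list), so here is a small checker, written for this article as an added example and not part of the original post or of cPanel's tooling. It takes the three file paths as arguments so it can be run against copies; on the real box they would be /etc/cpupdate.config, /etc/yum.conf and /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the original post): verify the pre-installation settings
# described above. Usage: sh check_preinstall.sh CPUPDATE_CONFIG YUM_CONF SELINUX_CONFIG

# Expected yum exclusion list, exactly as given in the post.
CPANEL_YUM_EXCLUDE='apache* bind-chroot courier* dovecot* exim* httpd* mod_ssl* mysql* nsd* perl* php* proftpd* pure-ftpd* spamassassin* squirrelmail*'

# config_value FILE KEY -> prints the value of the last uncommented "KEY=..." line
# in FILE with surrounding whitespace removed (nothing if the key is absent).
config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_preinstall CPUPDATE YUMCONF SELINUXCONF -> 0 if all three settings are
# present, 1 otherwise; prints one diagnostic line per problem found.
check_preinstall() {
    rc=0
    if [ "$(config_value "$1" CPANEL)" != "release" ]; then
        echo "$1: expected CPANEL=release"; rc=1
    fi
    excl=$(config_value "$2" exclude)
    set -f   # the patterns contain '*'; do not let the shell glob them
    for pkg in $CPANEL_YUM_EXCLUDE; do
        case " $excl " in
            *" $pkg "*) ;;
            *) echo "$2: exclude= is missing $pkg"; rc=1 ;;
        esac
    done
    set +f
    if [ "$(config_value "$3" SELINUX)" != "disabled" ]; then
        echo "$3: expected SELINUX=disabled"; rc=1
    fi
    return $rc
}

# Run the check when called with the three paths; exit status is the check result.
if [ "$#" -eq 3 ]; then
    check_preinstall "$1" "$2" "$3"
fi
```

Because the key lookup ignores commented lines and requires the key to be followed by "=", a leftover "# SELINUX=enforcing" comment or an unrelated SELINUXTYPE= line does not confuse it.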
cPanel Installation:
In order to install cPanel, run the following commands as root:
cd /home
wget -N http://layer1.cpanel.net/latest
sh latest
Securing and Optimizing cPanel:
First of all you will need to access cPanel's WHM interface by opening https://IP:2087 in your favorite web browser (replace IP with your server's IP address).
Now that you are in, let's start by tweaking cPanel's configuration a bit.
Navigate to: Main >> Server Configuration >> Tweak Settings
And make sure that the following options are configured like this:
| Option Name | Option Value |
|---|---|
| BoxTrapper Spam Trap | Not Checked |
| Always redirect users to the ssl/tls ports when visiting /cpanel, /webmail, etc. | Checked |
| The maximum each domain can send out per hour | 120 |
| Allow Creation of Parked/Addon Domains that resolve to other servers | Not Checked |
| Prevent users from parking/adding on common internet domains | Checked |
| Allow users to Park/Addon Domains on top of domains owned by other users | Not Checked |
| Validate the IP addresses used in all cookie based logins | Checked |
| Only permit cpanel/whm/webmail to execute functions when the browser provides a referrer | Checked |
| Require security tokens for all interfaces | Checked |
| Default catch-all/default address behavior for new accounts. | Fail |
At the bottom there is a Save button, don’t forget to click on it after you are done.
Navigate to: Main >> Security Center >> Compiler Access
And click on Disable Compilers; this way users won't be able to compile arbitrary applications on your server.
Navigate to: Main >> Security Center >> Shell Fork Bomb Protection
And click on Enable Protection; this kind of protection is crucial if you allow users telnet/SSH access to the server.
Navigate to: Main >> Security Center >> Password Strength Configuration
Make sure that Default Required Password Strength is checked and raise the limit to at least 10.
Users will be forced to use stronger passwords, which reduces the risk of a successful brute-force attack.
Navigate to: Main >> Security Center >> Traceroute Enable/Disable
And make sure that Traceroute is disabled.
Navigate to: Main >> Service Configuration >> FTP Server Configuration
From here make sure that: Allow Anonymous Logins, Allow Anonymous Uploads and Allow Logins with Root Password are set to NO.
Navigate to: Main >> Service Configuration >> Exim Configuration Editor
And check the following options:
+ Automatically send outgoing mail from the account’s IP address instead of the main IP address.
+ Sender Verification
+ RBL: zen.spamhaus.org and rbl.spamcop.net
After you are done click on Save.
Navigate to: Main >> Service Configuration >> cPanel Log Rotation Configuration
And make sure that all logs listed there are checked, then click on Save.
Securing /tmp
Edit /etc/fstab and make sure that the tmpfs line looks like this:
tmpfs /dev/shm tmpfs noexec,nosuid 0 0
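Since a typo in that line silently leaves /dev/shm executable, here is a checker that reads an fstab file and reports entries missing noexec or nosuid, printing the corrected line for each one. It is an added example written for this article, not code from the original post or from cPanel; the post gives only the /dev/shm line, so the function takes the mount points to check as arguments and checks /dev/shm when none are given (checking /tmp the same way is my extension and assumes /tmp has an fstab entry).

```shell
#!/bin/sh
# Added example (not from the original post): verify that tmpfs-style entries in an
# fstab file carry noexec and nosuid. Usage: sh check_tmp.sh FSTAB [MOUNTPOINT...]

# fstab_options FSTAB MOUNTPOINT -> prints the mount options (4th field) of the last
# uncommented entry for MOUNTPOINT, or nothing if there is no such entry.
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1" 2>/dev/null | tail -n 1
}

# has_opt OPTIONS NAME -> 0 if NAME is one of the comma-separated OPTIONS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# fixed_options OPTIONS -> prints OPTIONS with noexec and nosuid appended if missing.
fixed_options() {
    opts=$1
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || opts="$opts,$o"
    done
    printf '%s\n' "$opts"
}

# check_tmp_mounts FSTAB [MOUNTPOINT...] -> 0 if every listed mount point (default:
# /dev/shm) has an entry with both options, 1 otherwise; prints a diagnostic and the
# corrected fstab line for each offender.
check_tmp_mounts() {
    fstab=$1; shift
    [ "$#" -gt 0 ] || set -- /dev/shm
    rc=0
    for mp in "$@"; do
        opts=$(fstab_options "$fstab" "$mp")
        if [ -z "$opts" ]; then
            echo "$mp: no fstab entry, so nothing pins it to noexec,nosuid"; rc=1
            continue
        fi
        if ! has_opt "$opts" noexec || ! has_opt "$opts" nosuid; then
            echo "$mp: options '$opts' lack noexec and/or nosuid; suggested entry:"
            awk -v mp="$mp" -v newopts="$(fixed_options "$opts")" \
                '$1 !~ /^#/ && $2 == mp { $4 = newopts; print "  " $0 }' "$fstab"
            rc=1
        fi
    done
    return $rc
}

# With arguments, check the given file; with none, run over a constructed sample
# whose /dev/shm entry still has the default options.
if [ "$#" -ge 1 ]; then
    f=$1; shift
    check_tmp_mounts "$f" "$@"
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample fstab' '/dev/sda1 / ext3 defaults 1 1' \
        'tmpfs /dev/shm tmpfs defaults 0 0' > "$sample"
    if check_tmp_mounts "$sample" /dev/shm; then echo "sample fstab is fine"; fi
    rm -f "$sample"
fi
```

After correcting the line, a plain "mount -o remount /dev/shm" re-reads the options from /etc/fstab, and the output of "mount" shows whether noexec and nosuid are actually in effect on the running system, which is what matters.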
Disabling bandwidth usage reports
If you are not interested in the bandwidth used by users, consider disabling the generation of rrd files:
touch /etc/rrdtooldisable
Disabling IPV6
If you don't plan on using IPv6, this option should be disabled; here is how to do it on CentOS.
Edit /etc/modprobe.conf and add the following lines at the bottom:
install ipv6 /bin/true
alias net-pf-10 off
alias ipv6 off
Now make sure that the IPv6 firewall is disabled:
chkconfig ip6tables off
Disabling unwanted services:
First download the following file: Services List (86)
Now check whether you are using any of the services listed there; if not, just copy and paste its contents while logged in as root. A few of the commands might fail because that service is not installed; don't worry about this, it's normal.
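Rather than pasting a fixed list blindly, it is safer to derive the list from what is actually enabled on the box. The script below, an added example written for this article and not the post's downloadable services list, reads the output of "chkconfig --list", keeps the services on an allow-list, and prints a "chkconfig ... off" line for everything else so you can review it before running it as root. The allow-list (cpanel, crond, exim, httpd, mysql, named, network, sshd, syslog) is my illustrative assumption, not cPanel's recommendation; edit it for your server.

```shell
#!/bin/sh
# Added example (not from the original post): generate "chkconfig NAME off" commands for
# boot-time services that are not on an allow-list.
# Usage: chkconfig --list > /root/services.txt; sh unwanted_services.sh /root/services.txt
# With no argument the script runs over the constructed sample below.

# Services assumed to be needed on a typical cPanel box (illustrative; edit to taste).
KEEP_SERVICES='cpanel crond exim httpd mysql named network sshd syslog'

# Constructed sample of "chkconfig --list" output (RHEL/CentOS 5 layout).
SAMPLE_CHKCONFIG='acpid           0:off 1:off 2:on  3:on  4:on  5:on  6:off
bluetooth       0:off 1:off 2:on  3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
cups            0:off 1:off 2:on  3:on  4:on  5:on  6:off
exim            0:off 1:off 2:on  3:on  4:on  5:on  6:off
ip6tables       0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
yum-updatesd    0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd based services:
        chargen-dgram:  off'

# enabled_at_runlevel LEVEL  (stdin: chkconfig --list output)
# -> prints the names of SysV services that are "on" at LEVEL; the xinetd section
#    at the bottom of the listing does not have 8 fields and is skipped.
enabled_at_runlevel() {
    awk -v want="$1:on" '
        NF == 8 && $2 ~ /^0:/ { for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# in_list NAME LIST -> 0 if NAME is one of the space-separated words in LIST.
in_list() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# unwanted_services KEEP [LEVEL]  (stdin: chkconfig --list output)
# -> prints the services enabled at LEVEL (default 3, multi-user) that are not in KEEP.
unwanted_services() {
    enabled_at_runlevel "${2:-3}" | while read -r svc; do
        in_list "$svc" "$1" || printf '%s\n' "$svc"
    done
}

# disable_commands KEEP [LEVEL]  (stdin: chkconfig --list output)
# -> prints one "chkconfig NAME off" line per unwanted service, for review.
disable_commands() {
    unwanted_services "$1" "${2:-3}" | while read -r svc; do
        printf 'chkconfig %s off\n' "$svc"
    done
}

if [ "$#" -ge 1 ]; then
    disable_commands "$KEEP_SERVICES" < "$1"
else
    printf '%s\n' "$SAMPLE_CHKCONFIG" | disable_commands "$KEEP_SERVICES"
fi
```

"chkconfig NAME off" only changes what starts at the next boot; to stop a service right away as well, run "service NAME stop" for the same names. Note that the sample deliberately turns off ip6tables, matching the IPv6 step above.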
I’ll skip the firewall installation and configuration for now, that will be a different tutorial.
March 26, 2010
Very good tutorial!! Keep up the good work!!