cPanel Apache Security and Optimization
cPanel ships with Apache already compiled and configured, but the default configuration is neither secure nor tuned for performance. In this article I'll share a few tips on how to securely configure Apache on cPanel servers and optimize it a bit. This article is the first of a long series on server security and optimization for cPanel.
Articles to come: PHP security, CentOS configuration for cPanel, mod security for apache, firewall configuration, cPanel optimization, and much more.
Building Apache:
To compile Apache, PHP and other modules you can use "EasyApache", which you can reach in one of these ways:
1. From cPanel WHM navigate to: Main >> Software >> EasyApache (Apache Update)
2. From a ssh session execute: /scripts/easyapache
I suggest using the web version; it is easier to follow for beginners. Let's begin:
Page1: Profile
Select: “PHP Security” and push: “Start customizing based on profile”
Page2: Apache Version
Select: “Apache 2.2” and click “Next Step”
Page3: PHP Major Version
Select: “PHP 5” and click “Next Step”
Page4: PHP Minor Version
Select: “PHP 5.2.12” and click “Next Step” (PHP 5.3 is a bit different than 5.2 and has a lot of functions disabled or removed; select PHP 5.3 only if your scripts are compatible with that version).
Page5: Short Options List
Uncheck: Frontpage (this extension is no longer supported)
Check: anything else you might need, and make sure that Mod Security, Mod SuPHP and Suhosin for PHP remain checked.
After you are done click on: “Exhaustive Options List”
Page6: Exhaustive Options List
Check: Mod FCGID, Fileprotect, MPM Prefork, Mod SuPHP, Proxy, UniqueId, Mod Security, Suhosin for PHP, CGI, Fastcgi, SafeMode, Safe PHP CGI
Uncheck: Frontpage, Eaccelerator, POSIX, Path Info Check
Don’t forget to read the documentation before you activate any more extensions.
After you are done click “Save and build”.
The compilation process will take a while, so be patient. After it is done you will be prompted with a form; select the following:
Default PHP Version (.php files) – 5
PHP 5 Handler – ***
PHP 4 Handler – none
Apache suEXEC – on
*** At this point you need to select the PHP handler; for now let's stick with suPHP since it's secure.
You probably noticed that FCGID was selected for compilation. I'll explain in a future article how to securely configure fcgi as the PHP handler; by default it is a security risk and not stable at all. With suPHP you can't enable eAccelerator, so make sure it stays disabled; when you switch to fcgi you can enable it.
Then click “Save New Configuration”.
Configuring Apache:
1. Navigate to: Main >> Security Center >> Apache mod_userdir Tweak
And check: “Enable mod_userdir Protection”
2. Navigate to: Main >> Service Configuration >> Apache Configuration >> Global Configuration
Now configure the options as below:
TraceEnable – Off
ServerSignature – Off
ServerTokens – ProductOnly
FileETag – None
MaxClients – 256
MaxRequestsPerChild – 1000
Click “Save” and in the following window click “Rebuild Configuration and Restart Apache”.
If your server is under heavy traffic then you should edit /usr/local/apache/conf/httpd.conf, which contains:
<IfModule prefork.c>
    ServerLimit 1000
    MinSpareServers 5
    MaxSpareServers 10
</IfModule>
MaxClients 256
MaxRequestsPerChild 1000
Raise the values of “ServerLimit” and “MaxClients”, but don't raise MaxClients too much: if your server is ever attacked or DDoSed it might hang once it runs out of memory, so try to keep it under 150 x RAM (in GB).
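As an added check that is not part of the original article, the POSIX shell script below audits an httpd.conf for the directives set in this step and for the MaxClients sizing rule of thumb (150 x RAM in GB). Both configuration fragments are constructed for the example; the directive names are the Apache 2.2 ones (the WHM label corresponds to Apache's FileETag).

```shell
#!/bin/sh
# Constructed httpd.conf fragments (not taken from a real server): one with the
# Apache 2.2 defaults left in place, one with the settings the article applies.
WEAK_CONF='TraceEnable On
ServerSignature On
ServerTokens Full
FileETag MTime Size
<IfModule prefork.c>
ServerLimit 1000
</IfModule>
MaxClients 512'

HARDENED_CONF='TraceEnable Off
ServerSignature Off
ServerTokens ProductOnly
FileETag None
<IfModule prefork.c>
ServerLimit 1000
</IfModule>
MaxClients 256'

# Print a directive's value (case-insensitive name; last occurrence wins, as in Apache).
directive_value() {
    printf '%s\n' "$2" | awk -v d="$1" \
        'tolower($1) == tolower(d) { v = $2; for (i = 3; i <= NF; i++) v = v " " $i } END { print v }'
}

# Audit the hardening directives and the MaxClients rule; findings on stderr, failure count on stdout.
audit_conf() {
    conf="$1"; ram_gb="$2"; fails=0
    for pair in TraceEnable=Off ServerSignature=Off ServerTokens=ProductOnly FileETag=None; do
        want="${pair#*=}"; got=$(directive_value "${pair%%=*}" "$conf")
        if [ "$got" != "$want" ]; then
            echo "FAIL ${pair%%=*} is '${got:-unset}', expected '$want'" >&2; fails=$((fails + 1))
        fi
    done
    maxc=$(directive_value MaxClients "$conf"); limit=$(directive_value ServerLimit "$conf")
    ceiling=$((150 * ram_gb))   # article's rule of thumb; 256 is the prefork default when unset
    if [ "${maxc:-256}" -gt "$ceiling" ]; then
        echo "FAIL MaxClients ${maxc:-256} exceeds 150 x ${ram_gb} GB = $ceiling" >&2; fails=$((fails + 1))
    fi
    if [ "${maxc:-256}" -gt "${limit:-256}" ]; then
        echo "FAIL MaxClients ${maxc:-256} exceeds ServerLimit ${limit:-256}; Apache will lower it" >&2; fails=$((fails + 1))
    fi
    echo "$fails"
}
# Example run against both fragments for a 2 GB server.
echo "weak: $(audit_conf "$WEAK_CONF" 2) failure(s)"
echo "hardened: $(audit_conf "$HARDENED_CONF" 2) failure(s)"
```

To audit a live server, pass `"$(cat /usr/local/apache/conf/httpd.conf)"` and the installed RAM in GB as the two arguments.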
3. Navigate to: Main >> Service Configuration >> Apache Configuration >> Memory Usage Restrictions
And click: “Proceed >>”
4. Navigate to: Main >> Service Configuration >> Apache Configuration >> Log Rotation
Check all files/logs, then click “Save”.
That’s it for now, stay tuned for more.
February 24, 2010
You can also secure the server by not opening the unwanted ports on shared and reseller servers. Another way is to provide Jailed Shell access to clients who need Shell access in a shared web hosting environment.
February 24, 2010
Thank you for the info.
This article was meant only for Apache, I’ll be writing a few more articles that will explain firewalls, linux security and more.
December 20, 2010
I only had the choice between PHP minor versions PHP 5.2.9 & PHP 5.2.15
I went for PHP 5.2.15
Was that the right way to go?
February 6, 2011
What about GD ?
February 18, 2011
Your article helped me solve my apache/php problem.
Thank you
March 3, 2011
Thanks! Good info!
When will you do the article about ” how to securely configure fcgi as php handler”?
Thank you very much!
March 4, 2011
@John
The latest php 5.2.x is recommended (don’t use an older version since it might have exploits).
@ThinkFast
GD is optional, and indeed needed these days. You must activate the features needed by your web sites, it’s not that easy for a beginner though.
@Fred
I might write one soon, but I like LiteSpeed so much that I stopped using Apache + FCGID
April 7, 2011
Hello Claudiu,
Thanks for posting this info… I am curious about #3 though. It seems like it might be a good idea, but what is it actually accomplishing? And what happens if traffic picks up on a site and it needs more memory allocation than it did at the time the restrictions were set?
April 8, 2011
Hi Kirsten,
I suggest switching to Nginx + Apache or LiteSpeed. Apache by its own is not that great for high traffic web sites.
April 8, 2011
Thanks again for the tips Claudiu. I had initially found this post while trying to get more info on the memory usage restriction config, because there just wasn’t that much of an explanation in the Apache documentation in regard to the pro & cons. In your tutorial you recommend it… but why? and what does it actually do? and once you do it, can it be undone if need be?
April 14, 2011
I think you should expand your articles (basically all of the tutorials) – and describe WHY you are doing what you’re doing more. Many things just describe for us to blindly follow you, that’s not really teaching anything…
April 14, 2011
@ Solo – At the time I wrote these tutorials I hoped to start a tutorial database for myself and it could help others.
Anyway I haven’t had much time lately.
@Kirsten – By not doing it you risk getting your server overloaded. The guys at cPanel made this script, it reads the memory installed in your server and configures the apache limits accordingly.
By not setting a value for RLimitMEM your server is vulnerable to exploits and badly written scripts.
July 10, 2011
Removing apache modules that are not needed could help secure the installation a bit more. Additionally, fewer mods result in a smaller executable and memory footprint… this means you could run more processes total in limited memory. My performance testing also resulted in faster performance as well, although not by a very large amount (I think it was 17%).
July 11, 2011
True, I will update this tutorial soon to reflect recent changes with Apache, cPanel and so on.
October 12, 2011
I hope you know that in order to become really effective, Mod_Security must be configured with rules that help it recognize threats and defend against them. Just “checking it” in EasyApache as you suggest, doesn’t make any sense…
October 12, 2011
Also, safe mode is useless!
Explanation: If you offer web-hosting, and offer other scripting languages than PHP (such as Perl), if PHP’s safe mode won’t allow vandals into your web presence, they will simply use Perl. If you don’t offer web-hosting, then you don’t need it, as it is supposed to “fix” the shared-server security problem.
Also, safe mode prevents scripts from creating and using directories and files (because they will be owned by the web server, not by the user who uploaded the PHP script). So it’s not only useless, it’s also a hindrance!
It is architecturally incorrect to try to “fix” the shared-server security problem on the PHP level, and you should take measures to fix it on the web-server level. Site-administrators who know what they are doing, know how to do this.
I am sorry to say, but I believe you didn’t know exactly what you were doing when you wrote this tutorial. With all due respect, knowledge comes with experience.
December 4, 2011
Hi Chris,
About mod security, I am aware of the fact that installing it won’t help at all.
I did forget to mention this and to give a few links for mod security rules.
Now about safe mode for php, when I wrote this tutorial I didn’t know very much about safe mode indeed, but I did read the documentation.
At the time, when I used it in production, it was for a server offering free web hosting. You can’t even imagine how many users try to hack into the server using all kind of php scripts.
Anyway, I stopped using it a long time ago (deprecated since php 5.3 anyway) and I will update my tutorials soon.
Thanks for your comments