Improving System Security On CPanel Systems (servermatrix)


Basic things that can be done to improve security.


Use The Latest Software

Keep the OS and 3rd party software up to date. Always!

CPanel itself can be updated from the root WHM.


Change Passwords

Change the root passwords at least once a month and try to make them hard to guess. Yes it's a pain to have to keep remembering them, but it's better than being hacked.


Set Up A More Secure SSH Environment

This section describes how to disable direct 'root' login to the machine and how to force the more secure SSH 2 protocols.

Disabling direct root login will force a hacker to guess 2 separate passwords to gain root access.

After you do this, you will have to log in as anotheruser and then 'su -' to get to root.

We will also be forcing the use of SSH protocol 2, which is a newer, more secure SSH protocol.

Just a couple more ways to help your server stay safe from the bad guys.

If you're using cPanel make sure you add your anotheruser user to the 'wheel' group so that you will be able to 'su -' to root, otherwise you may lock yourself out of root.

1. Set up anotheruser if you haven't already got one:

i. Type: groupadd anotheruser
ii. Type: useradd anotheruser -ganotheruser
iii. Type: passwd anotheruser and add a password for the new account.

On a CPanel system, you can now go into root WHM and add anotheruser to the wheel group.

2. SSH into your server as anotheruser and gain root access by going su - root and entering the root password.

3. Type: pico -w /etc/ssh/sshd_config

4. Find the line:


#Protocol 2, 1

Uncomment it and change it to look like:


Protocol 2

5. Next, find the line:


#PermitRootLogin yes

Uncomment it and make it look like:


PermitRootLogin no

6. It is also recommended that the following additional lines are added to the file:


LoginGraceTime 300
IgnoreRhosts yes
X11Forwarding no
UseLogin no

7. Hit CTRL+x, then y then enter to save the file.

8. Restart SSH with /etc/rc.d/init.d/sshd restart
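
A way to confirm the result of steps 4 to 6 before relying on it, as an added example that is not part of the original guide. The function names and the sample file are assumptions; the check follows sshd's rule that the first uncommented occurrence of a keyword is the one used.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Print the value sshd would use for KEYWORD: commented lines are ignored,
# keywords are case-insensitive, and the first occurrence wins.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit
        }' "$1"
}

# audit_sshd_config FILE
# Print one line per setting that is unset or differs from the guide and
# return the number of findings (0 means the file matches). Unset keywords
# are reported because the guide sets every one of them explicitly.
audit_sshd_config() {
    file=$1
    findings=0
    while read -r key want; do
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want '$want', got '${got:-<unset>}'"
            findings=$((findings + 1))
        fi
    done <<EOF
Protocol 2
PermitRootLogin no
LoginGraceTime 300
IgnoreRhosts yes
X11Forwarding no
UseLogin no
EOF
    return "$findings"
}

# Constructed sample: a stock file on which only step 5 has been done.
sample=$(mktemp)
printf '%s\n' '#Protocol 2, 1' 'PermitRootLogin no' 'X11Forwarding yes' > "$sample"
audit_sshd_config "$sample" || echo "$? setting(s) still to fix"
```

Point it at /etc/ssh/sshd_config after step 7, and keep the existing root session open until a fresh login as anotheruser followed by 'su -' has been tested.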


Disable Telnet

1. Type: pico -w /etc/xinetd.d/telnet
2. Change the disable = no line to disable = yes.
3. Hit CTRL+X press y and then enter to save the file.
4. Restart xinetd with: /etc/rc.d/init.d/xinetd restart


Install A Firewall

I recommend APF firewall personally, but they all do a similar job.

APF can be found at:

Also guard against 'brute force' attacks with:


Disable Unnecessary Ports

First backup the file that contains your list of ports with:

cp /etc/services /etc/services.original

Now configure /etc/services so that it only has the ports you need in it. This will match the ports enabled in your firewall.

On a typical CPanel system it would look something like this:


tcpmux          1/tcp                           # TCP port service multiplexer
echo            7/tcp
echo            7/udp
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
smtp            25/tcp          mail
domain          53/tcp                          # name-domain server
domain          53/udp
http            80/tcp          www www-http    # WorldWideWeb HTTP
pop3            110/tcp         pop-3           # POP version 3
imap            143/tcp         imap2           # Interim Mail Access Proto v2
https           443/tcp                         # MCom
smtps           465/tcp                         # SMTP over SSL (TLS)
syslog          514/udp
rndc            953/tcp                         # rndc control sockets (BIND 9)
rndc            953/udp                         # rndc control sockets (BIND 9)
imaps           993/tcp                         # IMAP over SSL
pop3s           995/tcp                         # POP-3 over SSL
cpanel          2082/tcp
cpanels         2083/tcp
whm             2086/tcp
whms            2087/tcp
webmail         2095/tcp
webmails        2096/tcp
mysql           3306/tcp                        # MySQL

Additional ports are controlled by /etc/rpc. These aren't generally needed, so get shot of that file with: mv /etc/rpc /etc/rpc-moved


Watch The Logs

Install something like logwatch to keep an eye on your system logs. This will extract anything 'interesting' from the logs and e-mail it to you on a daily basis.

Logwatch can be found at:


Run A Root Kit Checker Regularly

You can get a root kit from and make sure you run it on a regular basis, perhaps including it in a cron job.


Limit The Kernel's Capabilities

1. Type: wget
2. Type: rpm -Uvh lcap-0.0.6-3.i686.rpm
3. Type: lcap CAP_SYS_PTRACE

This will limit the ptrace option which allows attaching to, and controlling the execution of, arbitrary processes. Debuggers do this sort of thing.

The LCAP limitations only stay in place until the next reboot unless you put them in a startup file somewhere.

LCAP can be used in various ways to harden the kernel, but you also run the risk of locking yourself out of facilities you need, so research is recommended before messing about. One good place to start looking is in /usr/include/linux/capability.h which contains a brief description of kernel capabilities.


Avoid CPanel Demo Mode

Switch it off via WHM Account Functions => Disable or Enable Demo Mode.


Jail All Users

Via WHM Account Functions => Manage Shell Access => Jail All Users.

Better still, never allow shell access to anyone - no exceptions.


Disable Troublesome Formmails

Cpanel's formmails are known to be insecure and, worse, every time one attempts to disable them, the next CPanel upgrade comes along and enables them again.

This is the recommended procedure for disabling them:

1. SSH into the box.

2. Type: cd /usr/local/cpanel/cgi-sys

3. Type: chmod 0 cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi

4. Type: chattr +i cgiemail formmail.cgi FormMail.cgi FormMail-clone.cgi helpdesk.cgi realhelpdesk.cgi realsignup.cgi signup.cgi


Immediate Notification Of Specific Attackers

If you need immediate notification of a specific attacker (TCPWrapped services only), add the following to /etc/hosts.deny

ALL : nnn.nnn.nnn.nnn : spawn /bin/ 'date' %c %d | mail -s"Access attempt by nnn.nnn.nnn.nnn on for hostname"

Replacing nnn.nnn.nnn.nnn with the attacker's IP address.
Replacing hostname with your hostname.
Replacing with your e-mail address.

This will deny access to the attacker and e-mail the sysadmin about the access attempt.


Check Open Ports

From time to time it's worth checking which ports are open to the outside world. This can be done with:

nmap -sT -O localhost

If nmap isn't installed, you can install from WHM -> Software -> Install RPM.
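
The comparison between the trimmed /etc/services list and what nmap reports, as an added example that is not part of the original guide (the function name and both sample inputs are constructed). /etc/services only maps service names to port numbers, so it is the scan, not the file, that shows what is actually listening; any port printed here belongs to a service that still has to be stopped or firewalled.

```shell
#!/bin/sh
# unexpected_open_ports SERVICES_FILE NMAP_OUTPUT
# Print every "port/proto" that nmap reports as open but that has no entry
# in the services file. NMAP_OUTPUT is nmap's normal text output saved to a
# file, e.g. nmap -sT -O localhost > scan.txt
unexpected_open_ports() {
    awk '
        FILENAME == ARGV[1] {
            sub(/#.*/, "")                       # drop trailing comments
            if ($2 ~ /^[0-9]+\/(tcp|udp)$/) allowed[$2] = 1
            next
        }
        # nmap port table rows look like: 22/tcp open ssh
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && !($1 in allowed) {
            print $1
        }
    ' "$1" "$2"
}

# Constructed sample data: a three-line services file and a scan result.
services=$(mktemp)
scan=$(mktemp)
cat > "$services" <<'EOF'
ssh             22/tcp                          # SSH Remote Login Protocol
http            80/tcp          www www-http    # WorldWideWeb HTTP
mysql           3306/tcp                        # MySQL
EOF
cat > "$scan" <<'EOF'
PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   open   telnet
80/tcp   open   http
111/tcp  open   rpcbind
3306/tcp closed mysql
EOF
unexpected_open_ports "$services" "$scan"
```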


Set The MySQL Root Password

This can be done in CPanel from the root WHM Server Setup -> Set MySQL Root Password.

Make it different to your root password!


Tweak Security (CPanel)

From the root WHM, Server Setup -> Tweak Security, you will most likely want to enable:

- php open_basedir Tweak.
- SMTP tweak.

You may want to enable:

- mod_userdir Tweak. But that will disable domain preview.


Use SuExec (CPanel)

From root WHM, Server Setup -> Enable/Disable SuExec. This is CPanel's description of what it does:

"suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody. "

Even if you don't use phpsuexec (which often causes more problems), SuExec should be considered.


Use PHPSuExec (CPanel)

This needs to be built into Apache (Software -> Update Apache from the root WHM) and does the same as SuExec but for PHP scripts.

With PHPSuExec enabled, your users will have to make sure that all their PHP files have permissions no greater than 0755 and that their htaccess files contain no PHP directives.


Disable Compilers

This will prevent hackers from compiling worms, root kits and the like on your machine.

To disable them, do the following:


chmod 000 /usr/bin/perlcc
chmod 000 /usr/bin/byacc
chmod 000 /usr/bin/yacc
chmod 000 /usr/bin/bcc
chmod 000 /usr/bin/kgcc
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/i386*cc
chmod 000 /usr/bin/*c++
chmod 000 /usr/bin/*g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

You will need to enable them again when you need to perform system updates. To do this, run:


chmod 755 /usr/bin/perlcc
chmod 755 /usr/bin/byacc
chmod 755 /usr/bin/yacc
chmod 755 /usr/bin/bcc
chmod 755 /usr/bin/kgcc
chmod 755 /usr/bin/cc
chmod 755 /usr/bin/gcc
chmod 755 /usr/bin/i386*cc
chmod 755 /usr/bin/*c++
chmod 755 /usr/bin/*g++
chmod 755 /usr/lib/bcc /usr/lib/bcc/bcc-cc1
chmod 755 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1


This is really just a start. There are many other things one can do too (tripwires etc.).

cPanel Reset Password Vuln.

A new 'backdoor' was found in cPanel that would allow malicious users to reboot your server, delete files, and gain unauthorized access. Basically you NEED to fix this or risk getting 'hacked/attacked'. The security issue resides with cPanel's new 'request a password' feature for accounts. You can disable this feature as detailed below, and also fix the file that allows the malicious code to be executed. Right now the main issue seen is that anyone can reset any user's password, such as *gasp* root.


Step 1

1. Login to WHM as root
2. Click "Tweak Settings"
3. Scroll down to the bottom and UNCHECK "Allow cPanel users to reset their password via email"
4. Click Save

Step 2

5. Login to your server via SSH as root (or su to root).
6. Type: chmod 600 /usr/local/cpanel/base/resetpass.cgi
7. Type: chattr +i /usr/local/cpanel/base/resetpass.cgi