Sunday, October 9, 2011

Basic cPanel Server Hardening - Part 7

The last article in this series went over the options found on the cPanel WHM Tweak Settings page. Today you will learn how to secure FTP access to your server.

Anonymous FTP is used to give users of sites a place to upload files. Many of today's web sites implement file uploads internally though, so for most sites it is not needed. In some cases attackers make use of anonymous FTP access to upload software needed for an attack to the server and then use a security hole elsewhere to execute the software.

To disable Anonymous FTP, scroll down the left column until you find the "Server Configuration" section, then click on the "FTP Server Configuration" link. Once the page loads, change both "Allow Anonymous Logins" and "Allow Anonymous Uploads" to "No".

Next, set "TLS Encryption Support" to "Required". This forces all FTP users onto encrypted connections, so their passwords and file contents are not sent across the network in the clear. If a user really can't upgrade their FTP client to support this you can always change it back to "Optional" later.

While on this page, confirm that "Allow Logins with Root Password" is set to "No". This ensures that an attacker cannot use FTP as a channel for brute-forcing the root password.
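The three settings above are stored on disk by the FTP daemon, so it is useful to be able to verify them after the fact. The following is an added example, not code from the original article or from cPanel: a read-only audit of a Pure-FTPd style configuration file that checks anonymous logins, anonymous uploads and the TLS mode. It assumes Pure-FTPd's "Keyword value" file format (for example `NoAnonymous yes` and `TLS 2`) and the usual cPanel location `/etc/pure-ftpd.conf`; the two configurations embedded in it are constructed samples. Make the actual changes through WHM as described above rather than by editing the file, since WHM rewrites it from its own settings.

```python
"""Read-only audit of the FTP settings discussed above (anonymous logins,
anonymous uploads, TLS) in a Pure-FTPd style configuration.

Added example; not part of the original article or of cPanel. Assumes
the Pure-FTPd "Keyword value" format that cPanel writes for Pure-FTPd.
"""
import re

# Constructed sample: a server before the changes, with anonymous FTP
# still enabled and TLS merely optional.
SAMPLE_WEAK = """\
# Pure-FTPd configuration (constructed sample, not a real server's file)
ChrootEveryone      yes
NoAnonymous         no
AnonymousCantUpload no
TLS                 1
"""

# Constructed sample: the same server after the three WHM changes.
SAMPLE_HARDENED = """\
ChrootEveryone      yes
NoAnonymous         yes
AnonymousCantUpload yes
TLS                 2
"""

_LINE = re.compile(r"^\s*([A-Za-z]+)\s+(\S+)")


def parse_pureftpd(text):
    """Return {keyword: value} for the non-comment lines of the config.
    Pure-FTPd keywords are case-insensitive, so they are lower-cased here;
    a later duplicate overrides an earlier one, as the daemon does."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"')
    return settings


def _is_yes(value):
    return value.lower() in ("yes", "on", "1", "true")


def audit_ftp_settings(text):
    """Return a list of findings; an empty list means all three checks pass.

    Pure-FTPd's defaults when a keyword is absent are the weak ones
    (anonymous allowed, TLS 0 = disabled), so missing keys are reported."""
    s = parse_pureftpd(text)
    findings = []

    anon_allowed = not _is_yes(s.get("noanonymous", "no"))
    if anon_allowed:
        findings.append("Anonymous logins allowed (set 'Allow Anonymous Logins' to No)")
        # Uploads only matter while anonymous logins exist at all.
        if not _is_yes(s.get("anonymouscantupload", "no")):
            findings.append("Anonymous uploads allowed (set 'Allow Anonymous Uploads' to No)")

    # TLS: 0 = none, 1 = optional, 2 = required on the control channel,
    # 3 = required on control and data channels.
    try:
        tls = int(s.get("tls", "0"))
    except ValueError:
        tls = 0
    if tls < 2:
        state = "disabled" if tls == 0 else "optional"
        findings.append("TLS is %s (set 'TLS Encryption Support' to Required)" % state)
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument (assumed cPanel location: /etc/pure-ftpd.conf)
    # the real file is audited; otherwise the constructed samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sources = [(sys.argv[1], fh.read())]
    else:
        sources = [("weak sample", SAMPLE_WEAK), ("hardened sample", SAMPLE_HARDENED)]
    for name, text in sources:
        problems = audit_ftp_settings(text)
        print("%s: %s" % (name, "OK" if not problems else "%d finding(s)" % len(problems)))
        for p in problems:
            print("  - " + p)
```

Running it with no arguments reports three findings for the weak sample and none for the hardened one; `python audit.py /etc/pure-ftpd.conf` audits the live file. Treating an absent keyword as the weak default is deliberate: a freshly installed daemon with an empty config is exactly the case the audit should not wave through.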

Now your server is somewhat secured as far as FTP is concerned. It is preferable to disable FTP completely and do file transfers over SSH (SFTP or SCP), but that generally requires giving your users shell access, which you disabled in the previous part. In the next installment of this series you will learn about the options in the cPanel Security Center.


Sunday, October 2, 2011

Basic cPanel Server Hardening - Part 6

The previous article finished up basic hardening of the operating system. Now that you have a somewhat secure operating system it is time to secure cPanel as best you can. Adding software like cPanel to a server creates additional ways for an attacker to gain access, but many web hosts add it to help users maintain their own sites. The goal here is to reduce the options an attacker has when going after a cPanel host.

You should disable shell access for all users that don't absolutely need it. This helps limit the damage done when a hacker manages to exploit a user account. If a user does need shell access make sure they are using jail shell. The jail shell is a special shell with relatively restricted access to the server. It is not perfect, but if an account using the jail shell is compromised it can help restrict the damage to just that user account instead of the entire server.

To set the default shell to be the jail shell, open the cPanel WHM interface and click on the "Tweak Settings" link under "Server Configuration" in the left hand column. Look for the "Default shell jailed" option and set it to "On".
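Since the point of the jailed default is to leave as few accounts as possible with a full shell, it helps to see which accounts still have one. The following is an added example, not code from the original article or from cPanel: it parses `/etc/passwd` lines and groups accounts by shell class so the unrestricted ones can be reviewed individually in WHM. It assumes cPanel's usual shell paths, `/usr/local/cpanel/bin/jailshell` and `/usr/local/cpanel/bin/noshell`; the passwd lines embedded in it are constructed samples.

```python
"""Group accounts by login shell class (jailed, no login, unrestricted)
from /etc/passwd content, to find accounts that still have a full shell.

Added example; not part of the original article or of cPanel. Assumes
cPanel's usual jailshell and noshell paths.
"""
import sys

# cPanel's restricted shells (assumed paths) plus the standard no-login shells.
JAILED_SHELLS = {"/usr/local/cpanel/bin/jailshell"}
NO_LOGIN_SHELLS = {
    "/usr/local/cpanel/bin/noshell",
    "/sbin/nologin",
    "/usr/sbin/nologin",
    "/bin/false",
}

# Constructed sample passwd lines, not taken from any real server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1001:1001::/home/alice:/usr/local/cpanel/bin/jailshell
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/usr/local/cpanel/bin/noshell
dave:x:1004:1004::/home/dave:
"""


def classify_shells(passwd_text):
    """Return {'jailed': [...], 'none': [...], 'unrestricted': [...]}.

    Root (uid 0) is skipped: it is not a cPanel account and is expected to
    keep a real shell. An empty seventh field counts as unrestricted,
    because login(1) falls back to /bin/sh in that case."""
    groups = {"jailed": [], "none": [], "unrestricted": []}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; passwd entries always have 7 fields
        name, uid, shell = fields[0], fields[2], fields[6].strip()
        if uid == "0":
            continue
        if shell in JAILED_SHELLS:
            groups["jailed"].append(name)
        elif shell in NO_LOGIN_SHELLS:
            groups["none"].append(name)
        else:
            groups["unrestricted"].append(name)
    for names in groups.values():
        names.sort()
    return groups


def unrestricted_accounts(passwd_text):
    """Just the accounts that would still get a full shell at login."""
    return classify_shells(passwd_text)["unrestricted"]


if __name__ == "__main__":
    # With a path argument (normally /etc/passwd) the real file is read;
    # otherwise the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_PASSWD
    for cls, names in classify_shells(text).items():
        print("%-12s %s" % (cls + ":", ", ".join(names) or "(none)"))
```

On the sample, `bob` and `dave` come out as unrestricted: `bob` has `/bin/bash` and `dave` has an empty shell field, which is easy to overlook in a manual review but is just as much a full shell. Changing the default in Tweak Settings does not tell you which existing accounts look like that, so a listing of this kind is the natural companion to the setting.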

While you are on the "Tweak Settings" page, find the checkbox for "Disable login with root or reseller password" and check it. Being able to sign into cPanel as root or a reseller is a handy feature: it allows you to work in cPanel as one of your users without knowing their password. Giving up this capability is necessary, though, since the same setting prevents anyone from logging in via cPanel as root. An attacker attempting to sign into cPanel as root could use a brute force attack to eventually guess the correct root password. Even if they don't manage to guess it, too many failed attempts can lock the root user out of cPanel and WHM, effectively locking you out of your own server.

Now that you are done with the changes on the "Tweak Settings" page save them by scrolling to the bottom of the page and clicking the "Save" button. The next article in this series will go over how to secure FTP access.