This section is a quick reference that you can use to check whether your server uses the security settings that we recommend.
We recommend that you review the following settings in WHM's Tweak Settings interface (Home >> Server Configuration >> Tweak Settings) to help secure your server.
Setting | Description | Recommendation |
---|---|---|
Enable HTTP Authentication | If you enable this setting, WHM accepts HTTP Basic Authentication for cPanel, Webmail, and WHM logins. We do not recommend that you enable it: browsers cache HTTP Auth credentials and resend them automatically, which is exactly what certain types of XSRF attacks rely on. As long as this setting is disabled, WHM requires cookie-based session authentication, which helps to prevent those attacks. | Off |
Cookie IP Validation | If you enable this setting, WHM ties each session cookie to the IP address that created it, which limits what an attacker who captures a cPanel session cookie can do with it against the cPanel and WHM interfaces. For this setting to work best, also disable proxy subdomains. | On |
Proxy Subdomain Creation | If you disable this option, WHM no longer adds the cPanel, Webmail, WebDisk, and WHM proxy subdomain DNS entries to new accounts. | Off |
Require SSL | If you enable this option, WHM requires logins from remote locations to use SSL/TLS. | On |
Security Tokens | If you enable this option, WHM requires a per-session security token on every request to a cPanel & WHM interface. This helps to prevent XSRF attacks. | On |
Block Common Domains Usage | If you enable this option, WHM does not allow users to add or park well-known Internet domains (for example, hotmail.com or google.com). | On |
Initial default/catch-all forwarder destination | If you select Bounce for this option, the server rejects unroutable email sent to accounts that use the default settings, rather than accepting it into a catch-all address. This is the best option to protect your server against mail attacks such as floods of messages to nonexistent addresses. | Bounce |
We recommend that you also review the following settings in WHM's Security Center interface (Home >> Security Center) to help secure your server.
Setting | Description | Recommendation |
---|---|---|
Password Strength Configuration | This feature allows you to specify a minimum password strength for the accounts that your server hosts. | A value of 50 or greater. |
PHP open_basedir Tweak | If you enable this option, PHP scripts are restricted from opening files outside the user's own directory tree. Because the tweak is applied through Apache, it only takes effect automatically when PHP runs as an Apache module; if PHP is configured to run as a CGI, suPHP, or FastCGI process, users must specify the open_basedir setting manually in their relevant php.ini files. | Enabled |
Apache mod_userdir Tweak | If you enable this option, users cannot bypass bandwidth limits by accessing their sites through the mod_userdir form of the URL, that is, the server's hostname followed by a tilde ( ~ ) and the username (for example, http://example.com/~user). | Enabled |
Compiler Access | If you disable compiler access for users who are not explicitly permitted, an attacker who gains a foothold on the server cannot easily build exploits or tools on it, which helps to prevent attacks on your server. | Disabled |
Manage Wheel Group Users | This feature allows you to define which users can use the su command to become the root user. | Remove all users except for root and your main account. |
Shell Fork Bomb Protection | If you enable this option, WHM limits the resources available to users with terminal access so that no single user can consume all of the resources on the server. Note: because this setting heavily limits various resources, it may cause resource shortage problems for legitimate workloads. | Enabled |
FTP Configuration | | Disable Anonymous FTP |
Manage Shell Access | | Disable shell access for all other users. |
cPHulk Brute Force Protection | If you enable this option, use the White/Black List Management tab to add your trusted IP addresses. This prevents you from being locked out of the server when someone attempts to brute force it (or when you mistype your own password). | Enabled |
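Two of the Security Center recommendations above (wheel group membership and shell access) can be verified directly from the server's account files, independently of what the WHM interface reports. The following audit script is an added example and is not cPanel's own tooling. It assumes that regular accounts have UIDs of 1000 or above, that `/usr/local/cpanel/bin/noshell` is the shell cPanel assigns when shell access is disabled, and that a jailed shell (`jailshell`) still counts as shell access and should be reported.

```shell
#!/bin/sh
# Added example: audit wheel membership and login shells from the raw files.
# Not cPanel's own tooling; the UID cut-off and shell names below are assumptions.

# wheel_extra_users GROUPFILE
# Prints every member of the wheel group other than root, one per line.
wheel_extra_users() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# users_with_shell PASSWDFILE
# Prints accounts with UID >= 1000 (assumed cut-off for hosted accounts) whose
# login shell is not one of the "disabled" shells. noshell is assumed to be
# cPanel's disabled shell; jailshell still grants a shell and is reported.
users_with_shell() {
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false|noshell)$/ { print $1 }' "$1"
}

# security_center_audit GROUPFILE PASSWDFILE
# Reports both findings; returns 0 when nothing needs attention, 1 otherwise.
security_center_audit() {
    rc=0
    extra=$(wheel_extra_users "$1")
    if [ -n "$extra" ]; then
        echo "wheel group members besides root (review with Manage Wheel Group Users):"
        echo "$extra"
        rc=1
    fi
    shells=$(users_with_shell "$2")
    if [ -n "$shells" ]; then
        echo "accounts with shell access (review with Manage Shell Access):"
        echo "$shells"
        rc=1
    fi
    return $rc
}

# Run against the live system when invoked with explicit paths:
#   sh audit.sh /etc/group /etc/passwd
if [ "$#" -eq 2 ]; then
    security_center_audit "$1" "$2"
fi
```

The exit status is 1 whenever something is reported, so the script can run from cron or a configuration check and fail loudly when an account has drifted from the recommendation.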
We recommend that you disable identification output for Apache. To change this setting:
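As an added example, not cPanel's documentation or tooling, the script below records the two Apache directives behind this recommendation and checks whether a server still identifies itself. Apache discloses its version in two places: the `Server` response header (controlled by `ServerTokens`) and the footer of generated error pages (controlled by `ServerSignature`). On a cPanel server, httpd.conf is generated from templates, so set these values through WHM's Apache configuration interface rather than editing the file directly; the sample responses in the test are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: verify that Apache no longer advertises its version.
# Not cPanel's own code. The hardened directives it checks for are:
#
#   ServerTokens ProductOnly   # Server header becomes just "Apache"
#   ServerSignature Off        # no "Apache/2.4.x Server at host Port 80" footer

# apache_leaks_version HEADERS BODY
# HEADERS: raw response headers of any response; BODY: an error page body
# (for example a 404), which is where ServerSignature appears.
# Prints each finding; returns 1 if any identification output remains, else 0.
apache_leaks_version() {
    headers=$1
    body=$2
    rc=0

    # Extract the Server header value, tolerating CRLF line endings.
    server=$(printf '%s\n' "$headers" |
        awk -F': ' 'tolower($1) == "server" { sub(/\r$/, "", $2); print $2; exit }')
    case "$server" in
        ""|Apache) ;;  # absent or product-only is acceptable
        *)
            echo "Server header discloses: $server"
            rc=1
            ;;
    esac

    # ServerSignature renders an <address>...Server at host Port N</address> footer.
    if printf '%s\n' "$body" | grep -qi '<address>.*Server at'; then
        echo "ServerSignature footer present in error page"
        rc=1
    fi
    return $rc
}

# Usage against a live server (network calls, so not run here):
#   apache_leaks_version "$(curl -sI https://www.example.com/)" \
#                        "$(curl -s https://www.example.com/does-not-exist)"
```

Removing the version string does not fix anything by itself, so this is a hygiene check: it denies a scanner a free fingerprint, and the page's later advice to keep Apache and PHP current is what actually closes vulnerabilities.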
When you configure EasyApache, include the following modules:
We suggest that you do not include the following modules unless absolutely necessary:
Finally, we urge you to keep up to date with the most recent stable versions of the software on your server, such as PHP and Apache.
For more information, read our EasyApache PCI and Security documentation.