
Author Topic: Security Options in WHM - Tweak Settings  (Read 5199 times)


sajugovind

  • Guest
Security Options in WHM - Tweak Settings
« on: December 11, 2013, 04:24:56 pm »
Tweak Settings can be found under Main » Server Configuration » Tweak Settings. We can select On/Off by selecting the corresponding radio button.

1. Enable HTTP Authentication: Recommendation - Off
For cPanel & WHM logins it is recommended to use a cookie-based authentication method. HTTP authentication will not log out of an authenticated session unless the web browser application session is terminated. If HTTP authentication is used, the login credentials are cached by the browser until the application is terminated. Some browsers allow a method to flush credentials, but this method is not reliable or available in all browsers. When login credentials are cached by a web browser, they are susceptible to cross-site request forgery (XSRF) attacks.
Leaving this option disabled enables cookie authentication, helping to prevent certain types of XSRF attacks.
(Cross-site request forgeries (XSRF) occur when a malicious user exploits the trust between a website and a user's browser. By exploiting that trust, malicious users can execute unauthorized commands on a website. XSRF attacks rely on two items: access to authentication credentials, and surreptitious execution of a command via a URL.)
2. Cookie IP Validation: Recommendation - On
Malicious users can hack cookies used in XSRF attacks. Most browsers do not provide any protection to prevent this attack. This is why an option is provided that allows you to validate the originating IP address as part of the cookie during authentication. On subsequent authentication requests, IP addresses are compared to the original values in their cookies. A mismatched value causes an error and results in a request for re-authentication.
When using validated cookies, it is important to remember to disable proxy access. Accessing interfaces via a proxy domain causes the IP address of the local host (usually 127.0.0.1) to be recorded, rendering IP validation useless.

3. Proxy subdomains: Recommendation - Off
Automatically create cpanel, webmail, webdisk and whm proxy subdomain DNS entries for new accounts. When this is initially enabled, it adds the appropriate proxy subdomain DNS entries to all existing accounts.
Disabling this option prevents cPanel, webmail, webdisk, and WHM proxy subdomain DNS entries from being added to new accounts.

4. Require SSL: Recommendation - On
Requiring your users to log in via SSL or TLS is a basic way of improving your system's security. If users do not use SSL/TLS (instead using an unsecured connection over ports 2082, 2086, or 2095), then authentication credentials are sent in plain text, making them easy to steal, read, and use again later. As of cPanel 11.25, you can disable logins over ports 2082, 2086, and 2095, forcing your users to use secure (SSL/TLS) connections. Once you have enabled this option in WHM's Tweak Settings interface, users who attempt to use ports 2082, 2086, and 2095 will encounter a page redirecting them to the proper (protected) port.

5. Security Tokens: Recommendation - On
In addition to the methods listed above, cPanel has also included tokens to help combat XSRF attacks. Tokens are inserted into the URL and are unique to a single login session. Requests made without the appropriate token produce an error and result in a request for re-authentication. This effectively prevents XSRF attacks because the attacking URL will not contain the appropriate token.
Warning: Security tokens may cause problems with custom scripts and some third-party applications that integrate with cPanel & WHM. We recommend that you verify that third-party applications are compatible with security tokens before enabling them. If you must use applications that are not compatible with security tokens, we strongly recommend using URL referrer checks instead.
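The two session protections described in items 2 and 5 (cookie IP validation and per-session security tokens in the URL), modelled as an added example; this is not cPanel's code. The session store, the scenario addresses and the assumption that the token travels as the first path element (/cpsess<token>/...) are all constructed here for illustration. The last scenario shows the proxy caveat from item 2: when every request reaches the server as 127.0.0.1, the IP comparison can no longer tell two clients apart.

```python
"""Toy model of cookie IP validation plus URL security tokens.
Added example; not cPanel/WHM code."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlparse


@dataclass
class Session:
    origin_ip: str   # IP recorded in the cookie at login time
    token: str       # security token unique to this login session


class SessionStore:
    """Constructed stand-in for the server-side session table."""

    def __init__(self, validate_ip: bool = True) -> None:
        self.validate_ip = validate_ip
        self.sessions: Dict[str, Session] = {}

    def login(self, client_ip: str) -> Tuple[str, str]:
        """Issue a session cookie value and a URL security token."""
        cookie = secrets.token_hex(16)
        token = secrets.token_urlsafe(24)
        self.sessions[cookie] = Session(client_ip, token)
        return cookie, token

    def check(self, cookie: str, client_ip: str, url: str) -> str:
        """Return 'ok' or the reason re-authentication is demanded."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "reauth: unknown session"
        # Cookie IP validation: the requesting address must equal the
        # one recorded when the cookie was issued.
        if self.validate_ip and client_ip != sess.origin_ip:
            return "reauth: cookie IP mismatch"
        # Security token: assumed to be the first path element, written
        # /cpsess<token>/..., a layout modelled on cPanel-style URLs.
        parts = urlparse(url).path.split("/")
        lead = parts[1] if len(parts) > 1 else ""
        if not lead.startswith("cpsess"):
            return "reauth: missing security token"
        supplied = lead[len("cpsess"):].encode()
        if not hmac.compare_digest(supplied, sess.token.encode()):
            return "reauth: wrong security token"
        return "ok"


def run_scenarios() -> Dict[str, str]:
    """Constructed scenarios; returns each outcome so it can be checked."""
    out: Dict[str, str] = {}
    store = SessionStore(validate_ip=True)
    cookie, token = store.login("203.0.113.10")
    good = f"https://whm.example.test:2087/cpsess{token}/scripts/tweaksettings"
    out["legit"] = store.check(cookie, "203.0.113.10", good)

    # A link that relies only on the browser's cached cookie: the cookie
    # rides along, but the link cannot carry the per-session token.
    forged = "https://whm.example.test:2087/scripts/tweaksettings?x=1"
    out["forged_no_token"] = store.check(cookie, "203.0.113.10", forged)

    # The same cookie and token presented from a different address.
    out["other_ip"] = store.check(cookie, "198.51.100.7", good)

    # Proxy subdomain caveat: login and every later request are seen as
    # coming from 127.0.0.1, so a second client is indistinguishable.
    proxied = SessionStore(validate_ip=True)
    pcookie, ptoken = proxied.login("127.0.0.1")
    purl = f"https://whm.example.test/cpsess{ptoken}/scripts/tweaksettings"
    out["proxied_other_client"] = proxied.check(pcookie, "127.0.0.1", purl)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:22s} {result}")
```

Both checks are deliberately ordered as the text describes them: the IP comparison runs first and sends the client back to the login page on a mismatch, and only then is the token compared in constant time.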

6. Block Common Domains Usage:
Enabling this option prevents users from adding or parking common Internet domains, such as hotmail.com or google.com.

7. Initial default/catch-all forwarder destination: Recommendation - Bounce
Selecting Bounce for this option causes the server to automatically discard unroutable email sent to your server's new accounts. This option is the best at protecting your server against mail attacks.

8. Enable DKIM on domains for newly created accounts
DKIM is used to verify the sender and integrity of a message. It allows an email system to prove that a message was not altered during transit (meaning it is not forged), and that the message came from the specified domain.

9. Enable SPF on domains for newly created accounts
SPF will prevent spammers from sending email while forging your domain’s name as the sender (spoofing). This authentication function works by adding IP addresses to a list, specifying computers that are authorized to send mail from your domain(s). It verifies that messages sent from your domain(s) are coming from the listed server, reducing the amount of backscatter you receive.
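An added example of the check item 9 describes, written as an offline evaluator for the address-list part of an SPF record; it is not cPanel's or Exim's code, and the records and addresses are constructed. It walks the record's mechanisms in order, matches ip4/ip6 networks against the connecting address, applies the qualifier of the first match (or of the closing all), and reports permerror for malformed terms. Mechanisms that need a DNS lookup (a, mx, include, exists, ptr, redirect=) are reported as needs-dns rather than silently skipped, which is the failure mode to watch for when reviewing a record by hand.

```python
"""Offline evaluator for the ip4/ip6/all part of an SPF TXT record.
Added example with constructed records; not real DNS data."""
import ipaddress
from typing import List, Tuple

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf(record: str) -> List[Tuple[str, str, str]]:
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms.
    Modifiers such as redirect= come back with mechanism 'modifier'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        eq, colon = term.find("="), term.find(":")
        if eq != -1 and (colon == -1 or eq < colon):
            parsed.append(("+", "modifier", term))   # e.g. redirect=, exp=
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_sender(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral for sender_ip, 'permerror' for a
    malformed record, or 'needs-dns:<mechanism>' when a DNS-dependent term
    would have to be resolved before a decision can be made."""
    ip = ipaddress.ip_address(sender_ip)
    has_redirect = False
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "modifier":
            has_redirect |= argument.lower().startswith("redirect=")
            continue
        if mechanism in ("ip4", "ip6"):
            expected_version = 4 if mechanism == "ip4" else 6
            try:
                net = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"          # e.g. ip4:999.1.1.1
            if net.version != expected_version:
                return "permerror"          # ip4 term holding an IPv6 net
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
        elif mechanism in DNS_MECHANISMS:
            return "needs-dns:" + mechanism
        else:
            return "permerror"              # unknown mechanism name
    # Nothing matched: a redirect= would be followed now; otherwise neutral.
    return "needs-dns:redirect" if has_redirect else "neutral"


# Constructed record for a domain whose mail leaves from one /24, one
# extra host and one IPv6 block, rejecting everything else.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"

if __name__ == "__main__":
    for addr in ("192.0.2.77", "198.51.100.25", "198.51.100.26", "2001:db8:1::5"):
        print(f"{addr:16s} {check_sender(SAMPLE_RECORD, addr)}")
```

A record ending in ~all (softfail) rather than -all lets forged mail through with only a mark against it, so when the goal stated above is to stop spoofing of your domain, the closing qualifier is the term to check first.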

10. Enable SpamAssassin spam filter
11. Prevent “nobody” from sending mail
Prevent the user “nobody” from sending out mail to remote addresses. (PHP and CGI scripts generally run as “nobody” if you are using mod_php or have Suexec disabled.)

12. Attempt to prevent POP3 connection floods:
Once enabled, this limits the number of connections from each host to the POP3 server.

13. Default catch-all/default address behavior for new accounts: (Blackhole)

The catch-all or default address handles email sent to nonexistent users on your server’s domains. It is useful to keep in mind that spammers frequently use Directory Harvest Attacks to try to guess recipient usernames at known domains. Thus, a domain may receive a large number of spam messages sent to nonexistent users, costing you server resources.
Options are:
fail — Checks for the intended email recipient and, if no matching recipient is found, denies the SMTP request before downloading the message. This option is recommended.
blackhole — Discards the message after downloading it. This option uses system resources.
localuser — Allows users to set up their own catch-all email addresses. These email accounts will mainly serve to collect spam.

14. Use jailshell as the default shell for all new accounts and modified accounts:

Once enabled, the server uses jailshell as the default shell for all customers who log in via Telnet/SSH. Jailshell does not allow users to view /etc/passwd for all users or to view other users' files.

15. BoxTrapper Spam Trap:

There is a feature called BoxTrapper Spam Trap in cPanel. If you have enabled this option for your domain, then whenever anyone sends you email they will need to reply to the automated mail generated by BoxTrapper Spam Trap, and only then will you receive the email in your account. However, it is advisable not to enable this option.

16. Send passwords when creating a new account:

Send passwords in plaintext over email when creating a new account. Enabling this option is a security risk.