
Author Topic: Security Options in WHM - Security Center Checklist  (Read 5322 times)

sajugovind

  • Guest
Security Options in WHM - Security Center Checklist
« on: December 11, 2013, 04:29:49 pm »
1. Apache mod_userdir Tweak:

Apache's mod_userdir allows users to view their sites by entering a tilde (~) and their username as the URI on a specific host. For example, http://test.cpanel.net/~fred/ will bring up the user fred's domain. The disadvantage of this feature is that any bandwidth used by this site will be counted against the domain it is accessed under (in this case test.cpanel.net). Enabling this option prevents users from bypassing bandwidth limits by accessing their sites using a tilde (~), username, and hostname (e.g. http://example.com/~user).

2. Compiler Access:

Many common exploits require a working C compiler on the system. This tweak allows you to deny compiler access to unprivileged users; you can also choose to allow some users to use the compilers while they remain disabled by default.

3. Configure Security Policies:

Back end: /var/cpanel/cpanel.config
This section of the interface allows you to configure three options for your security policy: Password Age, Password Strength, and Limit logins to verified IP addresses. In addition to the cPanel, cPanel webmail, and WHM interfaces, you can enable Security Policies for the following request types: XML-API and JSON-API requests, and DNS Cluster requests.

4. Password Strength Configuration:

This feature allows you to specify a minimum password strength for accounts hosted by your server. A value of 50 or greater is recommended. From here you can also set the password strength individually for separate account types, such as email accounts, FTP users, etc.

5. Security Questions:

To keep your account secure, WHM asks questions to verify your identity when you log in from an unrecognized IP address. If you answer correctly, you will be able to log in, and the unrecognized IP address will be added to the list of recognized IP addresses. This setting is used to set up security questions and to manage recognized IP addresses.
To disable security questions, open the /var/cpanel/cpanel.config file with a text editor and change the value of SecurityPolicy::SourceIPCheck to 0.

6. cPHulk Brute Force Protection:

cPHulk Brute Force Protection prevents malicious forces from trying to access your server’s services by guessing the login password for that service. If you enable this option, you should add trusted IPs using the White/Black List Management tab. This will prevent you from being locked out if someone attempts to brute force your server. Brute Force (Attack): A type of attack wherein the attacker enters a large number of combinations of characters, in an attempt to decrypt a key.

7. Fixing Permissions on CGI Scripts:

This function scans the file permissions of SuEXEC- and CGI-related files and fixes any security issues related to the file permissions. File permissions control not only which users can access your files, but also how they can interact with files. For example, the root user or superuser will be able to write to, read from, and execute all files on the system, while an anonymous user may only be allowed to read from or execute some files. It also scans suexec_log.

8. Host Access Control:

Host Access Control allows you to set up specific rules to allow or deny access to your server and services on it based on the IP address that is attempting to connect. It is general practice that denying all connections and only allowing connections that you wish to proceed is the most secure way to use Host Access Control.
To set up a rule, you will need to add the service you wish to create the rule for, the IP address(es) you wish to allow or deny, and then the action to be taken (allow or deny).
For example, you could set up the following rules to lock down your SSH service:
| Daemon | Access List | Action | Comment |
|--------|-------------|--------|---------|
| sshd | 192.168.0.0/255.255.255.0 | allow | Allow local SSH access |

9. Manage root’s SSH Keys:

SSH allows secure file transfer and remote logins over the internet. Your connection via SSH is encrypted, which makes the connection secure. In this section you can manage your SSH keys to allow automation when logging in via SSH. You can import existing keys, generate new keys, and manage or delete keys.

10. Manage Wheel Group Users:

This feature allows you to define users who can use the su command to become the root user.

11. PHP open_basedir Tweak (Recommended: Enabled):

open_basedir is a feature that uses PHP to prevent users from opening files outside their home directories. This can be enabled using WHM’s PHP open_basedir Tweak feature.
Enabling this option requires users to manually specify the open_basedir setting in their relevant php.ini files if PHP is configured to run as a CGI, SuPHP, or FastCGI process.

12. Quick Security Scan:

There are services enabled by default with your operating system that are not necessary for most web servers. This function will disable the following services:
  • portmap - Used by NFS to map network drives.
  • cupsd - Used for printing.
  • nfs statd - Used for NFS file system mounting.
  • nis - Network information service.
  • gpm - Console mouse services.
If you see a [FAILED] error message, this means that the service was not running when the scanner tried to shut it down. This is not a problem; the service will still be prevented from automatically starting.

13. Security Advisor:

The Security Advisor Tool will scan your server for common misconfigurations, out-of-date system components, and more. When the Security Advisor detects an issue, information is reported on the nature of the problem, the severity of the problem, and guidance is provided on how to correct the issue.

14. Shell Fork Bomb Protection:

Enabling this option prevents users with terminal access from using all of the resources on the server.
Enabling this option may cause resource shortage problems as this setting heavily limits various resources.

15. SMTP Restrictions:

This feature prevents users from bypassing the mail server to send mail, a common practice used by spammers. It will allow only the MTA, mailman, and root to connect to remote SMTP servers.

16. SSH Password Authorization Tweak:

This feature allows you to tweak your SSH authentication by enabling or disabling password authorization. If password authorization is disabled, users will be forced to use keys when using SSH to access your server.
Changes made to the Password Authorization feature will affect two settings in the SSH configuration file (/etc/sshd_config):
  • If you enable Password Authorization, PasswordAuthentication and ChallengeResponseAuthentication will be set to "yes."
  • If you disable Password Authorization, PasswordAuthentication and ChallengeResponseAuthentication will be set to "no."
Keys created under the section GnuPG keys (cPanel >> Security >> GnuPG Keys) will need to be manually imported to be used as SSH keys.

17. Traceroute Enable/Disable:

Traceroute displays the packet routing statistics from the server to another network host. It can be used to map the network’s topology and subsequently be used as a tool to focus a hacking attack.
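
The following check for item 16 is an added example, not part of the original post: it reads sshd configuration text and reports whether PasswordAuthentication and ChallengeResponseAuthentication are both effectively "no". The function names and the sample config are constructed for illustration; it assumes OpenSSH's behaviour that the first global value of a keyword wins and that both keywords default to "yes" when unset, and it does not follow Include directives.

```python
# Directives the WHM tweak is described as changing; sshd keywords are case-insensitive.
WATCHED = ("passwordauthentication", "challengeresponseauthentication")

def audit_sshd_config(text):
    """Return (effective global values, overrides found inside Match blocks)."""
    effective, overrides, match = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out lines set nothing
        fields = line.replace("=", " ", 1).split(None, 1)
        key = fields[0].lower()
        value = fields[1].strip().strip('"') if len(fields) > 1 else ""
        if key == "match":
            match = value                 # following lines apply conditionally
        elif key in WATCHED:
            if match is None:
                effective.setdefault(key, value.lower())   # first value wins
            else:
                overrides.append((lineno, match, key, value.lower()))
    for key in WATCHED:
        effective.setdefault(key, "yes")  # assumed default when unset: yes
    return effective, overrides

def password_logins_disabled(text):
    """True only if both directives are 'no' globally and in every Match block."""
    effective, overrides = audit_sshd_config(text)
    return (all(v == "no" for v in effective.values())
            and not any(v != "no" for *_, v in overrides))

# Constructed sample input, not taken from a real server.
SAMPLE = """\
Port 22
PasswordAuthentication no
#ChallengeResponseAuthentication no
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE))
    print(password_logins_disabled(SAMPLE))
```

In the sample, the commented-out ChallengeResponseAuthentication line leaves that directive at its default, and the Match block re-enables passwords for one user, so the check reports that password logins are still possible.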
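
The following evaluator for item 8 is an added example, not part of the original post: it shows why the single "allow" row in the Host Access Control table does not restrict SSH until a deny rule follows it. It assumes the rules behave like TCP wrappers (rules are checked in order, the first match decides, and a connection that matches no rule is allowed); the second rule, the function names and the client addresses are constructed.

```python
import ipaddress

# First row is the post's example; the deny-all row is an assumed addition.
RULES = [
    ("sshd", "192.168.0.0/255.255.255.0", "allow"),
    ("sshd", "ALL", "deny"),
]

def decide(rules, daemon, client_ip):
    """Return 'allow' or 'deny' for a connection, using first-match-wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule_daemon, access, action in rules:
        if rule_daemon not in (daemon, "ALL"):
            continue
        # ip_network accepts the address/netmask form used in the table.
        if access == "ALL" or ip in ipaddress.ip_network(access, strict=False):
            return action
    return "allow"  # assumption: no matching rule means access is granted

def daemons_without_default_deny(rules):
    """Daemons that have rules but no catch-all deny, so unmatched hosts get in."""
    daemons = {d for d, _, _ in rules}
    closed = {d for d, access, action in rules
              if access == "ALL" and action == "deny"}
    if "ALL" in closed:
        return set()
    return daemons - closed

if __name__ == "__main__":
    for ip in ("192.168.0.17", "203.0.113.9"):
        print(ip, "with deny-all:", decide(RULES, "sshd", ip),
              "| allow rule only:", decide(RULES[:1], "sshd", ip))
    print("open daemons (allow rule only):", daemons_without_default_deny(RULES[:1]))
```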