This tutorial is based on the release version of cpanel. With updates is is bound to change with time.

This setup is based on security, performance and tries to take consideration to new setups as well as existing setups. If a setting isn’t mentioned here you are safe to make sure your own setting. This is also only a guide. If you are a web hosting company and DO offer Front Page services then naturally you need to ensure it is turned on in the Feature Lists – however you should make sure its only turned on in packages where you are offering that feature. Use common sense and always think of security first.

Form: For your convenience and for hard copy records you can use the check list provided and print afterwards.

Server IP Address

Basic cPanel/WHM Setup

Set a Server Contact E-Mail Address

Change Root Password

Reset Root Password

Server Time

Set correct time zone for syncing. Ensures time is setup for updates to be setup later

Tweak Settings

Untick: Allow users to Park/Addon Domains on top of domains owned by other users

Untick: Allow Creation of Parked/Addon Domains that are not registered

Tick: Prevent users from parking/adding on common internet domains

Blackhole: Default catch-all/default address behavior for new accounts. fail will generally save the most CPU time

Tick: Email users when they have reached 80% of their bandwidth

60: Number of minutes between mail server queue runs (default is 60)

Tick: Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)

50: The maximum each domain can send out per hour

Tick: Prevent the user “nobody” from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)

120: The number of times users are allowed to check their mail using pop3 per hour. Zero is unlimited

Tick: Attempt to prevent pop3 connection floods

Tick: Mail Box Usage Warnings

Untick: Disable Suspending accounts that exceed their bandwidth limit

Tick: Disk Space Usage Warnings

Untick: FormMail-clone cgi

Tick: Allow Sharing Nameserver Ips

Untick: Disable Disk Quota display caching

Tick: Display Errors in cPanel instead of logging them to /usr/local/cpanel/logs/error_log

Untick: Do not warn about features that will be depreciated in later releases

Untick: Use jailshell as the default shell for all new accounts and modified accounts

Untick: Allow cPanel users to reset their password via email

Untick: Disable Http Authentication for cPanel/WebMail/WHM Logins (forces cookie authentication)

Set: The default administrative contact for cPAddons moderation emails

Tick: Alert cPAddons administrator of pending moderation requests

Tick: Prevent installation of addon scripts not provided by cPanel

Tick: Prevent installation of cPanel addon scripts that have be altered

Update Config

cPanel/WHM Updates: Automatic (RELEASE tree)

cPanel Package Updates: Automatic

Security Package Updates: Automatic

Networking Setup

Hostname

Set Valid Hostname. Set a name that describes the server’s role.

Resolver Configuration

Set Resolver IP addresses – Run a WHOIS on the IP addresses already present to check if the provider has already entered these values. If not, contact your provider for the resolver IP addresses.

Security

Fix Insecure Permissions (Scripts)

Run – Only have to click link in nav to run it

Manage Wheel Group Users

WARNING: Only proceed with this one if you have disabled direct root login with SSH
Remove all users who shouldn’t have su (switch user) access. Generally this should include root if direct root login is disabled for security.

Manage Wheel Group Users

Run – Only have to click link in nav to run it

Quick Security Scan

Run – Only have to click link in nav to run it. Everything should have [FAILED] next to it.

Shell Fork Bomb Protection

Enable Protection

Tweak Security

Php open_basedir Tweak: Enable php open_basedir Protection & Untick all other boxes

mod_userdir Tweak: Enable mod_userdir Protection

Compilers Tweak: Disable Compilers

Traceroute Tweak: Disable

SMTP Tweak: Enable

Server Contacts

Alert Type Assignment

AIM: 1

ICQ: 2

Email: 3

Pager: 4

Alert Priority Assignment

Set all to 3

Resellers
(Needs to be setup before anyone is added. If not, the default settings have to be overwritten or an ACL List made and set on creation of a reseller account)

Edit Privileges/Nameservers

Untick: Enabling/Disabling FrontPage Extensions

Untick: Turn an account into a demo account

Untick: Allow Creation of Packages with Shell Access

Untick: Allow creation of packages with Addon Domains

Untick: Allow creation of packages with Parked Domains

Tick: Disallow creation of accounts with packages that are not global or not owned by this user

Tick: Never allow creation of accounts with shell access

Untick: All Features (warning: root access)

Service Configuration

Enable/Disable SuExec

Enable

Exim Configuration Editor

Untick: Always set the Sender: header when the sender is changed from the actual sender

Tick: Verify the existance of email senders

Tick: Use callouts to verify the existance of email senders

Tick: Discard emails for users who have exceeded their quota instead of keeping them in the queue

FTP Configuration

Ensure “pure-ftpd” is in use – Change otherwise

Anonymous Ftp: Disabled

Service Manager

For performance untick enabled and monitoring on:

entropychat
imap
interchange
melange

Only tick the monitor option for things you want customers to see. Best to reduce to cause less confusion. Try and stick to minimum like FTP, HTTPD, BIND and MYSQL.

Account Information

List Parked Domains

Check for any unauthorised domains

List Suspended Accounts

Check and become familiar with any suspended accounts

Show Accounts over Quota

Check and become familiar with any accounts over quotas

View Bandwidth Usage

Check and become familiar with any accounts over limits

Account Functions

Manage Shell Access

Disable all accounts

Modify Suspended Account Page

Change to:

<b>Attention: This account has been suspended. Please contact your provider for more information</b>

Skeleton Directory

Check this path, then SSH into the server and setup the directory. Remove any rubbish and leave only what is needed. Ensure that no Front page Server Extensions are present.

FrontPage

Uninstall FrontPage Extensions

Uninstall any known installations of these. Note: Doing so will rename the .htaccess file in the document root on the account. Only do this is you know it installed and want it removed. You may have to login to the account, rename the .htaccess.986984278 (or something similar) back to .htaccess and manually remove any FrontPage rubbish from the file.

Packages

Add Packages

If there are no packages, add a default package with the following:

Package Name: Default

Others can be left blank.

Delete Packages

As required: Remove any old packages or packages belonging to users that no longer exist.

Edit Packages

Check all packages and make sure the following is set:

Untick: Shell AccessWARNING:

Feature Manager

Untick: SSH Window

Untick: Frontpage

Untick: Parked Domain Manager

Untick: Addon Domain Manager

Tick: Fantastico (if available)

Tick: Fantastico De Luxe (if available)

Email

Mail Queue Manager

Check that there is no back log. If any, check why frozen. Investigate any large back logs.

Repair Mailbox permissions

Run

System Health

Background Process Killer

Tick all boxes:

BitchX
bnc
eggdrop
generic-sniffers
guardservices
ircd
psyBNC
ptlink
services

Remove any trusted users.

cPanel

Addon Modules

Tick: Install and Keep Updated

Tick: clamavconnector

Tick: modsecurity

Tick: addonupdates

Tick: cronconfig

Allow to install. Then close WHM and reopen.

Install cPAddon Scripts

Untick anything giving a rank of 1 – these are the most insecure or ones that are going to give hell.

Addon Scripts (Deprecated)

Uninstall anything in here – these are “handy” but in the end cause trouble especially if they are allowed to get out dated.

Modify cPanel/WHM News

Global cPanel News:

<p><br><b>Account Tips:</b>
<ul>
<li>Set all unrouted mail or your default email address on all domains and subdomains to <i><b>:blackhole:</b></i> to avoid spam attacks against your account.</li>
<li>Set a contact email address that is not located on this server so you can be contacted in emergencies (eg. gmail or hotmail).</li>
<li>Ensure Anonymous FTP Access is turned off on your account.</li>
<li>Disable directory listing on your public_html folder to secure your files.</li>
<li>Use a strong password and change it regularly.</li>
<li>Back up your data regularly. Customers are responsible for backing up their own data.</li></ul>
<p>If you need help with any of the above, please contact our support department.</p>

cPanel News (displayed in all of your customers cPanels):

Welcome to $company_name. For all your support needs, <a href=“http://www.support-url-here.com” target=”_blank”>contact our helpdesk</a> and we’d be glad to help.

Synchronize FTP Passwords

Run

Add-ons

Addon Script Manager

Check for any out of date install that are open to attack

Configure cPanel Cron Times

Configure to a time that know that your server load is low. The default may be okay, but this needs to be checked.

Configure ClamAV Scanner

Tick: Scan Entire Home Directory

Tick: Scan Mail

Tick: Scan Public FTP Space

Tick: Scan Public Web Space

Mod Security

Press Edit button

Press Default button

After you have finished the above run, under Security go back and run Scan for Trojan Horses.

Setup By:

Related posts

• Cpanel Back end (0)

cPanel is a hosting automation company driven by technology and dedicated to providing the most feature rich, easy to use, practical applications. We are committed to the hosting community and our continued role as a market leader.

cPanel and WebHost Manager (WHM) combine to form a fully featured web hosting control panel system. cPanel and WHM allow you to provide an interface for both your customers and your staff.

The cPanel and WebHost Manager package includes: * cPanel – Domain Owner Control Panel
* WebHost Manager – Server Administration and Reseller Panel
* Webmail Panel – Webmail Access Panel

————————————————————————————————————————————–

Directory Structure of Cpanel
=======================

Apache
=======
/usr/local/apache
+ bin- apache binaries are stored here – httpd, apachectl, apxs
+ conf – configuration files – httpd.conf
+ cgi-bin
+ domlogs – domain log files are stored here
+ htdocs
+ include – header files
+ libexec – shared object (.so) files are stored here – libphp4.so,mod_rewrite.so
+ logs – apache logs – access_log, error_log, suexec_log
+ man – apache manual pages
+ proxy -
+ icons -

Init Script :/etc/rc.d/init.d/httpd – apache start script
Cpanel script to restart apache – /scripts/restartsrv_httpd

Exim
=====
Conf : /etc/exim.conf – exim main configuration file
/etc/localdomains – list of domains allowed to relay mail
Log : /var/log/exim_mainlog – incoming/outgoing mails are logged here
/var/log/exim_rejectlog – exim rejected mails are reported here
/var/log/exim_paniclog – exim errors are logged here
Mail queue: /var/spool/exim/input
Cpanel script to restart exim – /scripts/restartsrv_exim
Email forwarders and catchall address file – /etc/valiases/domainname.com
Email filters file – /etc/vfilters/domainname.com
POP user authentication file – /home/username/etc/domainname/passwd
catchall inbox – /home/username/mail/inbox
POP user inbox – /home/username/mail/domainname/popusername/inbox
POP user spambox – /home/username/mail/domainname/popusername/spam
Program : /usr/sbin/exim (suid – -rwsr-xr-x 1 root root )
Init Script: /etc/rc.d/init.d/exim

ProFTPD
========
Program :/usr/sbin/proftpd
Init Script :/etc/rc.d/init.d/proftpd
Conf: /etc/proftpd.conf
Log: /var/log/messages, /var/log/xferlog
FTP accounts file – /etc/proftpd/username – all ftp accounts for the domain are listed here

Pure-FTPD
=========
Program : /usr/sbin/pure-ftpd
Init Script :/etc/rc.d/init.d/pure-ftpd
Conf: /etc/pure-ftpd.conf
Anonymous ftp document root – /etc/pure-ftpd/ip-address

Frontpage Extensions
=================
Program – (Install): /usr/local/frontpage/version5.0/bin/owsadm.exe
Uninstall and then install for re-installations
FP files are found as _vti-bin, _vti-pvt, _vti-cnf, vti-log inside the public_html

Mysql
=======
Program : /usr/bin/mysql
Init Script : /etc/rc.d/init.d/mysql
Conf : /etc/my.cnf, /root/.my.cnf
Data directory – /var/lib/mysql – Where all databases are stored.
Database naming convention – username_dbname (eg: john_sales)
Permissions on databases – drwx 2 mysql mysql
Socket file – /var/lib/mysql/mysql.sock, /tmp/ mysql.sock

SSHD
======
Program :/usr/local/sbin/sshd
Init Script :/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
Log: /var/log/messages

Perl
====
Program :/usr/bin/perl
Directory :/usr/lib/perl5/5.6.1/

PHP
====

Program :/usr/local/bin/php, /usr/bin/php
ini file: /usr/local/lib/php.ini – apache must be restarted after any change to this file
php can be recomplied using /scripts/easyapache

Named(BIND)
============
Program: /usr/sbin/named
Init Script: /etc/rc.d/init.d/named
/etc/named.conf
db records:/var/named/
/var/log/messages

————————————————————————————————————————————–

Cpanel installation directory structure
=============================
/usr/local/cpanel
+ 3rdparty/ – tools like fantastico, mailman files are located here
+ addons/ – AdvancedGuestBook, phpBB etc
+ base/ – phpmyadmin, squirrelmail, skins, webmail etc
+ bin/ – cpanel binaries
+ cgi-sys/ – cgi files like cgiemail, formmail.cgi, formmail.pl etc
+ logs/ – cpanel access log and error log
+ whostmgr/ – whm related files

WHM related files
===============
/var/cpanel – whm files
+ bandwidth/ – rrd files of domains
+ username.accts – reseller accounts are listed in this files
+ packages – hosting packages are listed here
+ root.accts – root owned domains are listed here
+ suspended – suspended accounts are listed here
+ users/ – cpanel user file – theme, bwlimit, addon, parked, sub-domains all are listed in this files
+ zonetemplates/ – dns zone template files are taken from here

Common CPanel scripts
===================
cpanel/whm Scripts are located in /scripts/
+ addns – add a dns zone
+ addfpmail – Add frontpage mail extensions to all domains without them
+ addfpmail2 -Add frontpage mail extensions to all domains without them
+ addnetmaskips – Add the netmask 255.255.255.0 to all IPs that have no netmask
+ addnobodygrp – Adds the gorup nobody and activates security
+ addpop – add a pop account
+ addservlets – Add JSP support to an account (requires tomcat)
+ addstatus – (Internal use never called by user)
+ adduser – Add a user to the system
+ bandwidth – (OLD)
+ betaexim – Installs the latest version of exim
+ biglogcheck – looks for logs nearing 2 gigabytes in size
+ bsdcryptoinstall – Installs crypto on FreeBSD
+ bsdldconfig – Configures the proper lib directories in FreeBSD
+ bsdpkgpingtest – Tests the connection speed for downloading FreeBSD packages
+ buildbsdexpect – Install expect on FreeBSD
+ builddomainaddr – (OLD)
+ buildeximconf – Rebuilds exim.conf
+ buildpostgrebsd-dev – Installs postgresql on FreeBSD.
+ chcpass – change cpanel passwords
+ easyapache – recompile/upgrade apache and/or php
+ exim4 – reinstall exim and fix permissions
+ fixcommonproblems – fixes most common problems
+ fixfrontpageperm – fixes permission issues with Front Page
+ fixmailman – fixes common mailman issues
+ fixnamed – fixes common named issues
+ fixndc – fixes rndc errors with named
+ fixquotas – fixes quota problems
+ fullhordereset – resets horde database to a fresh one – all previous user data are lost
+ initquotas – initializes quotas
+ installzendopt – installs zend optimizer
+ killacct – terminate an account – make sure you take a backup of the account first
+ mailperm – fixes permission problems with inboxes
+ park – to park a domain
+ pkgacct – used to backup an account
+ restartsrv – restart script for services
+ restorepkg – restores an account from a backup file ( pkgacct file)
+ runlogsnow – update logs of all users
+ runweblogs – update stats for a particular user
+ securetmp – secures /tmp partition with options nosuexec and nosuid
+ suspendacct – suspends an account
+ unsuspendacct – unsuspends a suspended account
+ upcp – updates cpanel to the latest version
+ updatenow – updates the cpanel scripts
+ updateuserdomains – updates userdomain entries

Important cpanel/whm files
====================
/etc/httpd/conf/httpd.conf – apache configuration file
/etc/exim.conf – mail server configuration file
/etc/named.conf – name server (named) configuration file
/etc/proftpd.conf – proftpd server configuration file
/etc/pure-ftpd.conf – pure-ftpd server configuration file
/etc/valiases/domainname – catchall and forwarders are set here
/etc/vfilters/domainname – email filters are set here
/etc/userdomains – all domains are listed here – addons, parked,subdomains along with their usernames
/etc/localdomains – exim related file – all domains should be listed here to be able to send mails
/var/cpanel/users/username – cpanel user file
/var/cpanel/cpanel.config – cpanel configuration file ( Tweak Settings )*
/etc/cpbackup-userskip.conf -
/etc/sysconfig/network – Networking Setup*
/etc/hosts -
/var/spool/exim -
/var/spool/cron -
/etc/resolv.conf – Networking Setup–> Resolver Configuration
/etc/nameserverips – Networking Setup–> Nameserver IPs ( FOr resellers to give their nameservers )
/var/cpanel/resellers – For addpkg, etc permissions for resellers.
/etc/chkserv.d – Main >> Service Configuration >> Service Manager *
/var/run/chkservd – Main >> Server Status >> Service Status *
/var/log/dcpumon – top log process
/root/cpanel3-skel – skel directory. Eg: public_ftp, public_html. (Account Functions–>Skeleton Directory )*
/etc/wwwacct.conf – account creation defaults file in WHM (Basic cPanel/WHM Setup)*
/etc/cpupdate.conf – Update Config *
/etc/cpbackup.conf – Configure Backup*
/etc/clamav.conf – clamav (antivirus configuration file )
/etc/my.cnf – mysql configuration file
/usr/local/Zend/etc/php.ini OR /usr/local/lib/php.ini – php configuration file
/etc/ips – ip addresses on the server (except the shared ip) (IP Functions–>Show IP Address Usage )*
/etc/ipaddrpool – ip addresses which are free
/etc/ips.dnsmaster – name server ips
/var/cpanel/Counters – To get the counter of each users.
/var/cpanel/bandwidth – To get bandwith usage of domain

Related posts

• Secure/Setup cPanel/WHM (0)