This reference guide outlines ways to harden a VPS hosting plan that runs your content management systems, websites, and email. VPS hosting lets you request root access and use WebHost Manager (WHM); those capabilities give you more options to harden the server, and more responsibility for doing so.
Overall, the goal is a more secure and better protected hosting environment.
Strengthen Server Security
IMPORTANT: This solution will require root access. If this needs to be obtained, follow the guide on requesting root access.
-
Clam AV Scanner
- An open-source antivirus scanner that root installs and configures in WHM (cPanel » Manage Plugins) and that users run from cPanel
- Once ClamAV is installed, each cPanel user can open the Virus Scanner tool in cPanel to scan their mail, home directory, public FTP space, or public web space
- When the scan finishes, the scanner lists any potentially infected files and lets you quarantine or delete them
TIP: ImunifyAV can also be used for easy automatic scans.
NOTE: It's recommended to run a scan at least monthly. A scan finds malware that is already on disk; it does not prevent it, so pair it with the controls below.
-
cPHulk Brute Force Protection
- Protects cPanel, WHM, Webmail, SSH, FTP, and mail (POP3/IMAP/SMTP) logins against brute-force attempts
- Enabling cPHulk lets you configure failed-login lockouts, whitelist or blacklist IP addresses and countries, and log every login attempt, so accounts on the VPS are hardened automatically
NOTE: It's recommended to enable both username-based and IP-based protection, enable notifications, blacklist countries you never log in from, and review the History Reports at least monthly. Whitelist the IP address you manage the server from first, so a mistyped password cannot lock you out of WHM.
-
ConfigServer Security & Firewall (CSF)
- ConfigServer Security & Firewall (CSF) is a server-level firewall that blocks unneeded ports and, through its Login Failure Daemon (lfd), detects and blocks brute-force login attempts, port scans, port floods, and other network-based attacks
- Account owners still running Advanced Policy Firewall (APF) should migrate to CSF for improved security
NOTE: It's recommended to allow only the ports your services need (TCP_IN, TCP_OUT, UDP_IN, UDP_OUT), schedule checks of the server's IPs against RBLs, and enable port flood protection, port scan tracking, and port knocking. Settings live in /etc/csf/csf.conf (also editable in WHM » Plugins » ConfigServer Security & Firewall); run `csf -r` after changes to reload them.
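The following script is an added example, not InMotion's or ConfigServer's own tooling. It applies the settings the note above recommends to a csf.conf file and reads them back, so you can see the exact keys involved (TCP_IN, LF_SSHD, PORTFLOOD, PS_INTERVAL, PS_LIMIT, PORTKNOCKING_ALERT, TESTING). The port list is an assumption: it is what a cPanel server running web, mail, FTP, and DNS needs, and it should be trimmed further for any service you do not run. The sample csf.conf it writes is constructed for trying the functions out and is not a real server's file.

```shell
#!/bin/sh
# Added example: apply the guide's recommended CSF settings to a csf.conf.
# Assumed: stock KEY = "value" format as shipped in /etc/csf/csf.conf.
# On a real server run as root against /etc/csf/csf.conf, then `csf -r`.

# set_csf KEY VALUE FILE : replace KEY = "..." in FILE, or append it if absent
set_csf() {
    key=$1; val=$2; file=$3
    if grep -q "^${key} = " "$file"; then
        # '|' as the sed delimiter: CSF values contain ';' and ',' but never '|'
        sed -E "s|^${key} = \".*\"|${key} = \"${val}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$val" >> "$file"
    fi
}

# get_csf KEY FILE : print the value of KEY without its quotes
get_csf() {
    sed -n -E "s/^$1 = \"(.*)\"/\1/p" "$2"
}

# harden_csf_conf FILE : apply the recommended settings
harden_csf_conf() {
    f=$1
    # TESTING = "1" makes a cron job flush the firewall every few minutes;
    # the firewall is not really on until this is "0"
    set_csf TESTING "0" "$f"
    # Allow only the ports a cPanel server's services listen on (assumed list):
    # FTP, SSH, SMTP, DNS, HTTP(S), POP3/IMAP (+TLS), cPanel/WHM/Webmail (+TLS).
    # Anything else (e.g. 3306, 8080) stays reachable only from the server itself.
    set_csf TCP_IN "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096" "$f"
    set_csf UDP_IN "53" "$f"
    # Login failure tracking: 5 failed SSH logins block the source permanently
    set_csf LF_SSHD "5" "$f"
    set_csf LF_SSHD_PERM "1" "$f"
    # Port flood protection, entries of port;proto;hits;seconds:
    # more than 5 new SSH connections in 300s, or 50 web hits in 5s, gets blocked
    set_csf PORTFLOOD "22;tcp;5;300,80;tcp;50;5,443;tcp;50;5" "$f"
    # Port scan tracking: a source hitting more than 10 blocked ports in 300s is banned
    set_csf PS_INTERVAL "300" "$f"
    set_csf PS_LIMIT "10" "$f"
    # Alert on port-knock use. PORTKNOCKING itself is left for you to set,
    # because CSF requires the knocked port to be removed from TCP_IN first.
    set_csf PORTKNOCKING_ALERT "1" "$f"
}

# write_sample_csf_conf FILE : a constructed, deliberately loose csf.conf
# fragment for trying the functions above (not a real server's file)
write_sample_csf_conf() {
    cat > "$1" <<'EOF'
# Constructed sample csf.conf fragment
TESTING = "1"
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,3306,8080"
UDP_IN = "20,21,53"
LF_SSHD = "0"
PORTFLOOD = ""
PS_INTERVAL = "0"
PS_LIMIT = "10"
EOF
}

# Usage on a server (as root):
#   harden_csf_conf /etc/csf/csf.conf && csf -r
```

Before reloading, add the IP address you administer from with `csf -a YOUR.IP` so that a typo in the port list cannot lock you out; `get_csf TCP_IN /etc/csf/csf.conf` shows what is currently allowed. Scheduling the RBL check is done in the CSF interface in WHM rather than in csf.conf, so it is not part of the script.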
-
DNS Records
- Enable domain privacy at your registrar to keep your contact details out of WHOIS. Remove old DNS records that are no longer needed; a record that still points at a host or service you no longer control is a liability
- DNS Security Extensions (DNSSEC) let resolvers verify that your records were not tampered with in transit. The zone is signed on your nameservers and a DS record is published at the registrar, so ask your registrar how to enable it
NOTE: It's recommended to enable DNSSEC when possible, via your domain registrar together with the server (WHM's DNS Zone Manager can sign zones when the server runs PowerDNS) or via a proxy/DNS host such as Cloudflare.
-
Email Authentication
- Email is a popular attack vector; always look for signs of malicious email, such as phishing links or unexpected attachments
- Let the server help you: enable the spam filters and the email authentication records (SPF, DKIM) available to you, so that receiving servers can reject mail forged from your domains and your own inbound filtering can do the same
NOTE: Follow our related guides on Email Authentication: Add or update an SPF Record, Generate SPF/DKIM records automatically for new child accounts, and Enable SpamAssassin.
-
ModSecurity
- ModSecurity is a web application firewall that inspects requests before they reach your sites; it is generally left alone unless it blocks an important task
- If a legitimate request is blocked, prefer disabling only the rule that fired, and only for the affected domain, in WHM » Security Center » ModSecurity Tools, rather than turning ModSecurity off. If disabling it entirely is unavoidable, re-enable it as soon as the task is done
NOTE: It's recommended to keep ModSecurity enabled. If you are not sure whether disabling this feature is the best option, please contact Technical Support for further assistance.
-
PHP Versions
- At the time of writing, the newest PHP version is PHP 8.1, while 7.4 and 8.0 still receive security fixes; check the supported-versions page on php.net for current end-of-life dates
- Older, end-of-life PHP versions no longer receive security fixes and should be avoided, and removed unless an important application cannot run without one
NOTE: It's recommended to run each site on the highest PHP version it supports (assigned in WHM » MultiPHP Manager) and to remove older PHP versions in WHM » EasyApache 4.
-
Security Advisor
- The cPanel Security Advisor in WHM checks the server's configuration and offers recommendations on passwords, cPHulk, MySQL/MariaDB, SSH, SMTP, and more
- Security Advisor is found under Security Center in WHM when logged in as root
NOTE: It's recommended to run the Security Advisor periodically, and after any configuration change, and to follow its recommendations.
-
Softaculous
- Softaculous Apps Installer takes the pain out of installing new software; however, many of the included installable CMSs are no longer actively maintained or require an outdated PHP version
- If you remove those older PHP versions, the installation scripts that depend on them will have unmet requirements
- Abandoned content management systems receive no security fixes and are more vulnerable to attack, so avoiding them is an easy way to harden VPS hosting
NOTE: It's recommended to only use CMSs and frameworks in active development. Remove outdated Softaculous scripts.
-
SSL Certificate
- A Secure Sockets Layer (SSL, today TLS) certificate enables HTTPS, which encrypts communication between the visitor's browser and the website
- There are three validation levels for SSL certificates: domain (DV), organization (OV), and extended (EV)
- We offer a free and a paid DV Comodo SSL and recommend paid SSLs for major organizations and e-commerce stores
- The free AutoSSL suffices for other websites
- After installing an SSL, HTTPS works for your website, but plain HTTP still does too; you need to redirect HTTP to HTTPS so every visitor is protected
- The type of website, CMS, or other software you use determines how you implement the redirect
- Some site owners also use HTTP Strict Transport Security (HSTS), a response header that makes the browser use HTTPS only for a set period (max-age) and removes the option to click through a certificate warning
- Websites with HSTS enabled will not display at all if the certificate expires or becomes invalid, so make sure renewal is automatic (AutoSSL) and start with a short max-age
NOTE: It's recommended to install a free or paid SSL certificate and force HTTPS via .htaccess or a website plugin. Consider HSTS once renewals have proven reliable.
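The script below is an added example, not InMotion's or cPanel's own code, showing the .htaccess that the note above refers to: an HTTP-to-HTTPS redirect, plus HSTS only when you ask for it. It assumes Apache with mod_rewrite and mod_headers (both present in cPanel's EasyApache builds) and that the directory you pass is the site's document root, for example /home/USER/public_html; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: write a .htaccess that forces HTTPS and optionally sets HSTS.
# Assumed: Apache with mod_rewrite and mod_headers; DIR is the document root.

# write_https_htaccess DIR [HSTS_MAX_AGE]
#   Writes DIR/.htaccess. With no second argument only the redirect is written;
#   with a max-age in seconds the HSTS header is added as well.
write_https_htaccess() {
    dir=$1
    max_age=${2:-}
    {
        cat <<'EOF'
# Redirect every plain-HTTP request to the same URL over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
EOF
        if [ -n "$max_age" ]; then
            cat <<EOF
# HSTS: for $max_age seconds after a visit the browser refuses plain HTTP and
# will not let the visitor click through an expired or invalid certificate,
# so start with a short max-age and raise it only once renewals are reliable.
# env=HTTPS sends the header on HTTPS responses only; browsers ignore it on HTTP.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=$max_age; includeSubDomains" env=HTTPS
</IfModule>
EOF
        fi
    } > "$dir/.htaccess"
}

# htaccess_has_hsts FILE : exit 0 if FILE sets the HSTS header, 1 otherwise
htaccess_has_hsts() {
    grep -q '^[[:space:]]*Header .*Strict-Transport-Security' "$1"
}

# Usage on a server:
#   write_https_htaccess /home/USER/public_html        # redirect only
#   write_https_htaccess /home/USER/public_html 300    # redirect + 5-minute HSTS
```

If the site sits behind a proxy such as Cloudflare that terminates TLS, Apache sees plain HTTP on every request and the `%{HTTPS}` test above loops; test `%{HTTP:X-Forwarded-Proto} !https` instead. Once the short HSTS max-age has caused no trouble through at least one certificate renewal, raise it to the customary 31536000 (one year).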
-
WHM/cPanel Updates
- cPanel updates keep the server-level software (cPanel/WHM and the services it manages) up to date with security fixes
- Log in to WHM as root and check for available updates in the upper-right corner; WHM » Server Configuration » Update Preferences controls whether release updates are applied automatically
NOTE: It's recommended to enable automatic updates in Update Preferences and still check WHM for pending updates monthly.
-
Backups
- The unfortunate truth is that you can do everything above and still suffer a malware infection
- Part of hardening VPS hosting is preparing for the possibility that it still does not stop an intrusion
- Up-to-date backups, stored outside the server, are your primary disaster recovery solution; a backup that lives only on the compromised server is lost with it
- Download backups to a drive you keep off the server, or have WHM » Backup Configuration push them to an Additional Destination such as SFTP or Amazon S3
- AMP snapshots are another backup option, but a snapshot is a single image of the entire container rather than per-account backups
- A snapshot is used to restore the entire VPS to a last known good configuration; test a restore occasionally so you know the backups are usable
NOTE: It's recommended to schedule cPanel backups in WHM and snapshots in AMP.
-
Training
- It's important to train cPanel users, website administrators, and email account holders on everything above
- Like customer service, security is everyone's job, and everyone shares the responsibility for hardening VPS security
- Regularly share security news related to the installed CMSs, cPanel, phishing, and InMotion infrastructure
NOTE: It's recommended to email cPanel users from WHM regularly and to recommend training courses for further learning.