WHM Server Hardening And Security Basics

1. Introduction

A step by step paper how to secure linux server with cPanel/WHM and
Apache installed. By default, linux is not secured enough but you have
to understand there is no such thing as “totally secured server/system”.
The purpose of this paper is to understand how to at least provide some
kind of security to the server.

Let’s start

So, you bought the server with CentOS 5 installed. If you ordered cPanel/WHM together with the server you can skip 2.1 step

2. WHMcPanel installation and configuration

2.1 WHMcPanel Installation

To begin your installation, use the following commands into SSH:

cd /home
wget http://layer1.cpanel.net/latest

cd /home – Opens /home directory
wget http://layer1.cpanel.net/latest – Fetches the latest installation file from the cPanel servers.
./latest – Opens and runs the installation files.

WHMcPanel should be installed now. You should be able to access cPanel via
http://serverip:2082(SSL-2083) or http://serverip/cpanel and WHM via
http://serverip:2086(SSL-2087) or http://serverip/whm. Let’s configure
it now.

2.2 WHMcPanel Configuration

Login to WHM using root username/passwd
http://serverip:2086 or http://serverip/whm

WHM – Server setup – Tweak Security:

Enable open_basedir protection
Disable Compilers for all accounts(except root)
Enable Shell Bomb/memory Protection
Enable cPHulk Brute Force Protection
WHM – Account Functions:

Disable cPanel Demo Mode
Disable shell access for all accounts(except root)
WHM – Service Configuration – FTP Configuration:

Disable anonymous FTP access


Set some MySQL password(Don’t set the same password like for the root access)
-If you didn’t set MySQL password someone will be able to login into the DB with
username “root” without password and delete/edit/download any db on the server.

WHM – Service Configuration – Apache Configuration – PHP and SuExec Configuration

Enable suEXEC – suEXEC = On
When PHP runs as an Apache Module it executes as the user/group of the
webserver which is usually “nobody” or “apache”. suEXEC changes this so
scripts are run as a CGI. Than means scripts are executed as the user
that created them. With suEXEC script permissions can’t be set to
777(read/write/execute at user/group/world level)

3. The server and it’s services – PHP Installation, Optimization & Security

3.1 Keep all services and scripts up to date and make sure that you running the latest secured version.

On CentOS type this into SSH to upgrade/update services on the server.

yum upgrade