Portal Home > Knowledgebase > Articles Database > How to secure WHM/Cpanel

How to secure WHM/Cpanel

Posted by ansaripk, 06-09-2014, 04:15 AM
Hello Friends, I am running a web development company. We also provide web hosting for clients. Since last one month our clients websites are being hacked. Whenever they login to their cpanel account the lost login from IP XX.XX.XX.XX showing someone else IP address for some clients. Some clients websites are deleted and some are disturbed. This is also happened with my whm. I guess someone hacked my whm and accessing all clients websites. I had a live chat discussion to my reseller company and asked them to restrict my WHM to be accessed only from my IP address but they told that they can't do this. How can i secure my clients web hostings from attacks?

Posted by XeSupport, 06-09-2014, 06:34 AM
I'm a bit confused - are you hosted on a reseller package or do you actually have your own server?

Posted by Atlanical-Mike, 06-09-2014, 06:50 AM
Easy.... Have a secure 18 digit password..

Posted by bear, 06-09-2014, 07:10 AM
A weak or short password is not the only way to be "hacked", and a long number (18 digit) won't guarantee security.

Posted by Atlanical-Mike, 06-09-2014, 07:28 AM
Agreed, I always use the generated passwords with symbols and numbers at 18 digits long (I think that's the max on cPanel). 18 or 12.

Posted by Vernard, 06-09-2014, 07:38 AM
If your WHM is being accessed then I would perform a local scan on your computer before doing anything else. Malwarebytes is a good tool for malware. http://www.malwarebytes.org/ Once you've made sure your local PC is clean go ahead and update all your passwords to something secure. Below is a good website to do so. https://strongpasswordgenerator.com/ I also recommend storing your passwords using Keepass. http://keepass.info/ If you are still being hacked then chances are one of your websites is vulnerable or your web-host has not properly secured the server.

Posted by CircuitoX, 06-09-2014, 08:26 AM
Watch the official documentation capnel. (Tips to Make Your Server More Secure) https://documentation.cpanel.net/dis...er+More+Secure

Posted by hostcurator, 06-09-2014, 11:08 AM
Hi, Are you sure this wasn't a root level hack? If not, it must be your whm account that is hacked. possibly you used a weak password. get apache,ftp logs of the days possibly attack occurred. scan the whole accounts. Find suspected accounts. create a ticket to your provider and have them investigate thoroughly.

Posted by Mr Terrence, 06-09-2014, 11:21 AM
Make sure you are running all the latest updates, I always recommend you have a admin if you are not sure.

Posted by bear, 06-09-2014, 12:23 PM
Ah, you don't mean numbers (digits), you mean characters. Got it.

Posted by Server Management, 06-09-2014, 12:41 PM
Maybe interesting to you: http://www.dailymail.co.uk/sciencete...ords-hour.html

Posted by bear, 06-09-2014, 12:59 PM
Interesting indeed. "a 25-computer cluster that can make 350 billion guesses a second". Some clever folks out there.

Posted by HRR--, 06-09-2014, 01:09 PM
For root, minimum 40 long.

Posted by brianoz, 06-09-2014, 07:15 PM
If they install a key logger or wifi snooper, a 40 digit password may not help very much... security is a series of layers, of which this is only one.

Posted by HRR--, 06-09-2014, 08:25 PM
oh sure. you are right. I was just fixing that typo To make things clear. If you got a problem like those you said, there is not much you can do. Further more. Unless you install something like the 2nd auth plugin from RV and firewall the port only to your IP... there is not much you can do in cPanel Is all password based (web)

Posted by YasIT, 06-10-2014, 12:03 AM
Hello. You should cloudlinux + cagefs for full secure. if use centos or other os fix this The following step by step : secure php.ini set 0700 permssion for /usr/bin/perl set 0700 permssion for /bin/ln secure apache by symlink production fix all warning display in CSF put important rule in mod_sec disable cgi for all users. disable follow symlink in apache. disable php.ini dedicated for user in SuPHP. enable open_basedir production. disable mod_userdir in apache. Thank you.

Posted by hostingandvps, 06-10-2014, 12:13 AM
Use a strong pass word and change it every few days, if you have root access change your port every few days too, also ddos protection or migrations would be something to look into. Also encourage your clients to use strong passwords too.

Posted by Hosting4Real, 06-10-2014, 12:40 AM
http://xkcd.com/936/ - a good one about passwords

Posted by Venja_Matt, 06-10-2014, 12:41 AM
Any time I used whm/cpanel I restricted everything to my ip including ssh, securing things like ssh is a good place to start.

Posted by Atlanical-Mike, 06-10-2014, 02:53 AM
ah, Blesta used that on a blog post last year haha: http://www.blesta.com/2013/03/01/two...y-you-need-it/ Made me chuckle reading it then still does

Posted by bear, 06-10-2014, 08:15 AM
and failed to attribute it? http://www.xkcd.com/license.html

Posted by Blesta-Paul, 06-10-2014, 11:10 AM
Fixed, thanks for bringing this to our attention.

Posted by kandyjet, 06-11-2014, 02:01 PM
Please correct me if i am wrong. coz even i am having this hacking issue and me also leaning from WHT members. -i think it's better to use linux pcs to access the server than from the windows pcs. - also good to avoid accessing server from mobile devises and using google play (i have android) apps. one another thing is keep the billing ex: whmcs upto date. coz for us, all the problem started from an outdated whmcs.

Posted by ZenMonk, 06-12-2014, 02:30 AM
Here are a few ways to prevent your accounts from being hacked Set strong passwords for root,ftp,cpanel etcChange the passwords regularlyRun maldet regularly on serverMake sure /tmp is securedUpdate wordpress sites if anyEnsure your desktops are secureEnable 2Factor Authentication whereever possibleMake sure kernels are updated and does not have any zero day vulnerability.

Posted by HRR--, 06-12-2014, 02:52 AM
Move to a Managed VPS, ask the staff of the provider to limit port 2087, 2083, 2086 and 2082 to your IP, also port 22 and 21. They can do this by white listing your IP in CSF and by removing those ports from the INPUT IPV4 and IPV6 fields in CSF. Then restart. You should check your computer for virus, trojans, rootkits, etc. For this, carefully use ComboFix, Malwarebytes antimalware, S&D Spybot and Hitman Pro. Inform your new Managed VPS provider about the issue (if you do the move) so that they can scan your websites and further secure tweak.

Posted by bilrom, 06-12-2014, 10:12 AM
I would strongly suggest you to use cagefs in case the situation become an internal issue.

Posted by georgeappiah, 06-13-2014, 01:19 AM
Funniest security advice ever! How will the OP's customers access their cPanel accounts, use FTP, etc if these ports are restricted to the business owner's IP?

Posted by liquidone, 06-13-2014, 01:28 AM
The right answer is security in layers. But I am surprised nobody mentioned simply changing your SSH port. Script kiddies all love port 22

Posted by HRR--, 06-13-2014, 01:34 AM
they dont. The OP did not specified he allow customer to access cPanel. For example I provide for my customer almost a 100% managed, so they dont have to access cPanel for nothing. TLDR so I don't remember correctly but i think he run a web design agency. he also mentioned that he asked the current reseller provider to lock those main port. So yeah i think i gave a good advise, it depends on your needs. Like someone said security is in layers. cPanel has ton of ways to get pardon the expression: ****ed up, closing unnecessary ports to the public if they are unneeded do help. For example, for ssh people tend to use keys and leave the port open to hammering, why would I? if the only one using that port is me, so limit it to just you.

Posted by georgeappiah, 06-13-2014, 01:44 AM
The OP clearly said:

Posted by ServerManagement, 06-17-2014, 11:01 PM
Any server with even the most basic firewall with brute force protection would block anyone after a few attempts. Your password does not have to be 1000 characters to be secure. If your password is reasonably secure (reasonable length, contain upper & lower case letters, numbers, and a few characters), it would be impossible to be guessed before the firewall would detect and block the attacker. If the host does have a firewall with brute force protection and someone logged in with your password, then most likely it was leaked somewhere (ie, spyware, key logger, trojan, etc) or found in an insecure/hacked script in your account. It's even possible that the server is rooted and the passwords are being sniffed/stolen through a rootkit/trojan on the server

Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read
Simple Scripts (Views: 396)
dedicated server (Views: 379)