Archive for the 'cPanel Support' Category

Using the Suhosin Hardening Tool for PHP on cPanel Servers

The Suhosin extension “was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.”

Reference: http://www.hardened-php.net/suhosin/

Perhaps more importantly, the Suhosin community would be an excellent starting point for learning about flaws in PHP, as well as other extensions, configurations, and techniques you can use to protect your server.

Since many popular scripts are not compatible with Suhosin’s restrictions, you need to test it before moving to production.

SBDavid

Apache PHP Request Handling in Cpanel

cPanel’s main PHP configuration file is located at /usr/local/apache/conf/php.conf.
The Apache configuration file (httpd.conf) loads php.conf by means of an Include directive.

WHM provides an interface that can assist you in configuring PHP. It is located in Service Configuration >> Apache Configuration >> PHP and SuExec Configuration. You are also able to access a command line interface that provides the same options through the following script:

/usr/local/cpanel/bin/rebuild_phpconf

Reference: http://cpanel.net

SBDavid

CA (Certificate Authority) Bundle

A CA bundle is a file on your server that verifies that your public and private keys were issued by a trusted entity.

If your Certificate Authority sent you a CA bundle file, you can install it to your server using WHM’s Install a SSL Certificate and Setup the Domain feature, or the Manage Service SSL Certificates feature.

Install a SSL Certificate and Setup the Domain

When you use this feature, WHM will automatically install your SSL certificate and private key in the correct directories. You may either paste the certificate and key into the fields on the screen yourself, or allow WHM to retrieve them.

It is very important that your SSL certificate and private key reside in the correct directories because if they do not, your server will remain unauthenticated, leaving your visitors at risk.

SBDavid

cPHulk software with Cpanel/WHM

cPHulk is a small program that will run in the background of your server to prevent people from using a brute force attack to compromise your machine.

During the WHM Initial Setup:

To enable and configure cPHulk:

1. Click the Enable cPHulk checkbox.
2. Use the checkboxes to determine:
   - Whether to extend lockout time for each additional failure past the limit.
   - Whether you will receive notifications when a brute force attack is detected.
3. You may access cPHulk’s advanced settings by clicking the Configure Advanced Settings checkbox. Using the advanced settings you can:
   - Specify the number of minutes you would like to block the IP address of a potentially malicious user (in the IP Based Brute Force Protection Period in minutes field).
   - Specify the number of minutes to lock an account (in the Brute Force Protection in minutes field).
   - Specify the maximum number of failed authentication attempts allowed by an account (in the Maximum Failures By Account field).

Reference: http://cpanel.net/

SBDavid

mod_userdir with Cpanel/WHM

mod_userdir:

A feature of Apache that lets visitors view websites on your server by typing your hostname followed by a tilde and the website owner’s username.

Example: http://host.mywebsite.com/~username

Disabling mod_userdir via the WHM Security Center is desirable because the bandwidth used when a site is accessed this way is attributed to the web host’s main domain, bypassing bandwidth monitoring systems.

Reference: For more information on mod_userdir, visit http://httpd.apache.org/docs/2.0/mod/mod_userdir.html
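
As an added example (not from the original post or from cPanel), the following Python sketch audits the UserDir directives of one Apache configuration scope and lists which accounts would still be reachable through a /~username URL, following the enabled/disabled keyword rules in the mod_userdir documentation referenced above. The sample configuration, account names and function names are constructed for illustration; merging across virtual hosts is not modelled, and a bare "UserDir enabled" is assumed to lift a global disable.

```python
# Constructed sample: UserDir lines from ONE Apache scope (not a real server).
SAMPLE_CONF = """\
<IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled
    UserDir enabled alice bob
    UserDir disabled bob root
</IfModule>
"""


def parse_userdir(conf_text):
    """Collect the UserDir keyword state from one configuration scope."""
    state = {"global_off": False, "disabled": set(), "enabled": set()}
    for raw in conf_text.splitlines():
        parts = raw.split()
        # Skip blanks, comment lines and every directive other than UserDir.
        if len(parts) < 2 or parts[0].lower() != "userdir":
            continue
        keyword, names = parts[1].lower(), parts[2:]
        if keyword == "disabled":
            if names:
                state["disabled"].update(names)   # never translated
            else:
                state["global_off"] = True        # off for everyone...
        elif keyword == "enabled":
            if names:
                state["enabled"].update(names)    # ...except these users
            else:
                state["global_off"] = False       # assumption: lifts global disable
        # Anything else is a directory pattern (e.g. public_html); ignored here.
    return state


def tilde_url_served(state, user):
    """True unless the keywords block /~user. Deliberately errs toward 'served'."""
    if user in state["disabled"]:
        return False
    if state["global_off"] and user not in state["enabled"]:
        return False
    return True


def audit(conf_text, users):
    """Return the accounts still reachable as http://host/~username."""
    state = parse_userdir(conf_text)
    return sorted(u for u in users if tilde_url_served(state, u))


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, ["alice", "bob", "carol", "root"]))
```

An empty result for the accounts you pass in means the keywords block every /~username URL in that scope; any name returned is an account whose traffic can still arrive that way.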
