Getting started with your own cPanel VPS server should be very simple, especially knowing that Hostek is available when & where needed to assist. The purpose of this article is to get you more familiar with your server environment and a few need-to-know topics.
We will be covering the following topics in this guide:
cPanel & WHM Basics
cPanel Security Features
What is cPanel & WHM?
WHM, which stands for Web Host Manager, manages the server side settings and the different accounts/domains that are hosted on that server.
In addition to managing what accounts are hosted on the server, WHM can fully manage services such as Apache, PHP, MySQL, DNS, etc. that are vital for your website functionality.
cPanel, on the other hand, is the control panel for your actual website(s). Earlier we mentioned that WHM controls the different accounts that are on the server. Well, cPanel is the control panel for those accounts. Each account has a primary domain (website) attached to it, and within cPanel you can manage that account's website files, databases, e-mail accounts, FTP accounts, etc.
How to login to WHM
To login to your Web Host Manager (WHM), you must first know the IP Address or hostname of the server (if you have a hostname that resolves to the server IP). You can obtain the IP Address for your server from the account welcome e-mail that was sent to you after the server was successfully created.
Once you have the IP Address or hostname, then you can access WHM by several different URL methods:
For this guide we’ll pretend the server IP Address is 123.123.123.123.
Option 1: http://123.123.123.123:2086
This first option will successfully take you to the WHM login page since you specified the port for WHM (2086).
Option 2: https://123.123.123.123:2087
This second option will take you to the WHM login page; however, you might first have to accept a security warning because the request is over HTTPS and a certificate cannot properly secure a bare IP Address (the request must go to a hostname covered by a valid SSL certificate to be secure).
Note: Using port 2087 will result in the request being over HTTPS regardless of whether you entered https:// in the address, so be sure to only use this port if you have a valid SSL certificate covering the server's WHM hostname.
Option 3: http://123.123.123.123/whm
This third option is actually the same as Option #1, as the server will detect the request and forward you to the normal http:// request over port 2086.
Once you are at the login page for WHM you can login with the credentials that were sent to you in the account welcome e-mail (the same e-mail that had the IP Address of the server we talked about earlier).
How to create a new account
To create a new account (website) on your server follow these easy steps:
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘Create’, then select the option that shows up labeled ‘Create a New Account’.
3.) You will now be asked to enter the following:
Domain - the full website name you’re setting up (Hint: Do not include the ‘www’).
Username - the username you’ll use to login to cPanel for this account.
Password - the password you’ll use to login to cPanel for this account.
Email - the e-mail address that important notifications for the account (such as disk quota warnings) are sent to.
Package - Choose the pre-built package you want the account to use.
The package controls the limits for the account, such as how much disk space the account can use, how many e-mail accounts they can use, etc.
Note: If you don’t have any packages set up, you can create a new package following this WHM guide.
There will be several more settings beneath these options; however, unless there is something specific you need, these are generally left at their default settings. The only option we’d recommend changing is setting ‘Mail Routing Settings’ to ‘Remote Mail Exchanger’.
4.) Once you’re happy with the values you’ve entered in the form click the ‘Create’ button underneath the form. You will be directed to a page that shows the status of the account creation and it will let you know once it’s been completed.
How to access cPanel
In the above section, we learned how to create a new cPanel account on the server. Let’s now show how to access it.
To access cPanel we have a couple of different options available. If you are already logged into WHM, or have access to login to WHM, then we’d recommend the following option:
Option 1: Login to cPanel from within WHM:
1.) Within WHM type ‘List Accounts’ in the top-left search box, then click on the option that appears labeled ‘List Accounts’.
2.) Now you should see a list of every account on the server. Alongside the domain name on the account you’ll see a cPanel icon. Click on this icon and WHM will automatically log you into the cPanel account that you’ve chosen.
Option 2: Login to cPanel via direct URL:
You can log in to cPanel using either the IP Address of the server or a domain hostname that points to the server using the below URL methods:
For this guide, we’ll pretend the server’s IP address is 123.123.123.123.
Option 2.1.) http://123.123.123.123:2082
This first option uses port 2082, which is the non-SSL (http://) port. Use this format if you are either using an IP Address to connect, or using a hostname that doesn’t have a valid SSL certificate.
Option 2.2.) https://example-domain.com:2083
This second option uses SSL (https://) in order to connect. To do this we utilized the secure port 2083. Use this option if your site is pointing to the correct server IP AND uses a valid SSL certificate.
Option 2.3) http://123.123.123.123/cpanel
This third option is actually the same as Option 2.1, as the server will detect the request and forward you to the normal http:// request over port 2082.
Once you are on the cPanel login page you can use the username & password that you previously set up via WHM when you created the account (covered in the section above). If you need to reset the password for the cPanel user you can do so by clicking the + icon next to the domain within WHM > List Accounts, instead of clicking on the cPanel icon that logs you into cPanel.
How to manage cPHulk
The cPHulk firewall blocks IP Addresses based on possible malicious or suspicious activity, namely multiple login failures against services such as cPanel, Email, SSH and FTP.
To check and remove a blocked IP Address:
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘cphulk’, then select the option that shows up labeled ‘cPHulk Brute Force Protection’.
3.) On the page for cPHulk Brute Force Protection, click on the tab labeled ‘History Reports’.
4.) In the drop-down for ‘Select a Report’, we want to look at both Failed Logins and Blocked IP Addresses.
5.) You will then see a list of blocked IP Addresses, if any, along with the reason for the block. If you want to clear the block you must click on the button labeled ‘Remove Blocks and Clear Reports’.
To whitelist an IP Address in cPHulk:
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘cphulk’, then select the option that shows up labeled ‘cPHulk Brute Force Protection’.
3.) On the page for cPHulk Brute Force Protection, click on the tab labeled ‘Whitelist Management’.
4.) In the field labeled ‘New Whitelist Records’ enter the IP Address you want to whitelist, then click the Add button.
How to manage CSF Firewall
The CSF firewall (ConfigServer Security & Firewall) is a firewall service installed on the server that helps protect against brute force attacks and other common attack methods against a cPanel server. It is also used to configure which ports are open on the server.
If you have ever failed several logins to services such as WHM, cPanel, E-mail accounts or FTP on a cPanel server and then found that you could no longer connect to the server at all, there is a good chance you were temporarily or permanently blocked by the CSF firewall.
The CSF firewall will perform a temporary block against an IP Address if that IP Address fails too many logins within a short period of time (generally 5 minutes).
The CSF firewall will perform a permanent block against an IP Address if that IP had 4 or more temporary blocks prior to the new automatic block request.
To unblock an IP Address perform the following steps:
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘Firewall’, then select the option that shows up labeled ‘ConfigServer Security & Firewall’.
3.) Scroll down the page until you find the option labeled ‘Search for IP’, then enter the IP Address you believe to be blocked. Click the ‘Search for IP’ button.
4.) You should then see if the IP is blocked or not. If blocked you should see something similar to the following text (the reason for the block could be different):
csf.deny: 123.123.123.123 # lfd: (sshd) Failed SSH login from 123.123.123.123 (US/United States/-): 5 in the last 300 secs - Thur Oct 18 20:02:25 2018
5.) Along with the block there should be a button to unblock the IP Address, as shown in the screenshot below:
6.) The IP Address should now be removed from the blocked list; however, if the cause of the block continues it will soon be blocked again, so we recommend whitelisting the IP Address or fixing the cause of the block (for example, an application on the user’s computer repeatedly sending a bad request).
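As an added example that is not part of this guide and not CSF's own tooling, the Python below parses csf.deny entries in the format quoted in step 4 and answers the same question as the ‘Search for IP’ button, offline: which entries cover a given address. It goes slightly beyond the page in two ways: it also handles CIDR ranges that an administrator may have added manually, and it lists addresses with more than one lfd entry, since repeated temporary blocks are what turn into a permanent block. The deny list is constructed for the example using documentation address ranges; the comment text follows the layout of the line quoted above.

```python
import re
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed csf.deny contents in the format the guide quotes in step 4.
# Addresses come from the documentation ranges (198.51.100/24, 203.0.113/24, 192.0.2/24).
SAMPLE_CSF_DENY = """\
# csf.deny: constructed sample, one entry per line
198.51.100.23 # lfd: (sshd) Failed SSH login from 198.51.100.23 (US/United States/-): 5 in the last 300 secs - Thu Oct 18 20:02:25 2018
203.0.113.0/24 # Manual block: scanner range reported by abuse desk
198.51.100.23 # lfd: (cpanel) Failed cPanel login from 198.51.100.23 (US/United States/-): 5 in the last 300 secs - Fri Oct 19 08:14:03 2018
192.0.2.45 # lfd: (ftpd) Failed FTP login from 192.0.2.45 (DE/Germany/-): 5 in the last 300 secs - Fri Oct 19 09:30:11 2018
"""

# Automatic lfd entries: "<ip> # lfd: (<service>) <reason>: <n> in the last <secs> secs - <date>"
LFD_RE = re.compile(
    r"^(?P<ip>\S+)\s*#\s*lfd:\s*\((?P<service>[^)]+)\)\s*(?P<reason>.*?):\s*"
    r"(?P<count>\d+) in the last (?P<window>\d+) secs - (?P<when>.+)$"
)


def parse_deny_line(line):
    """Parse one csf.deny line into a dict, or return None for blank/comment lines.

    Manual entries (no "lfd:" marker) keep their comment but have no service,
    count, window or timestamp.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    target, _, comment = line.partition("#")
    entry = {
        "ip": target.strip(),
        "comment": comment.strip(),
        "service": None,
        "reason": None,
        "count": None,
        "window": None,
        "when": None,
    }
    m = LFD_RE.match(line)
    if m:
        entry["service"] = m["service"]
        entry["reason"] = m["reason"]
        entry["count"] = int(m["count"])
        entry["window"] = int(m["window"])
        try:
            # lfd writes a ctime-style timestamp, e.g. "Thu Oct 18 20:02:25 2018"
            entry["when"] = datetime.strptime(m["when"].strip(), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            entry["when"] = None  # keep the entry even if the date is not parseable
    return entry


def load_deny_list(text):
    """Return all parsed entries of a csf.deny file in file order."""
    return [e for e in (parse_deny_line(l) for l in text.splitlines()) if e]


def find_blocks(text, ip):
    """Offline equivalent of WHM's 'Search for IP': every entry covering `ip`.

    Single addresses are treated as /32 (or /128) networks so CIDR entries
    and exact matches are handled the same way.
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for entry in load_deny_list(text):
        try:
            net = ipaddress.ip_network(entry["ip"], strict=False)
        except ValueError:
            continue  # malformed target, skip rather than fail the whole search
        if addr in net:
            hits.append(entry)
    return hits


def repeat_offenders(text, min_entries=2):
    """Addresses with at least `min_entries` automatic lfd entries.

    These are the addresses that are on their way to (or already at) the
    permanent block the guide describes; they usually deserve a root-cause
    check rather than a simple unblock.
    """
    counts = Counter(e["ip"] for e in load_deny_list(text) if e["service"])
    return sorted(ip for ip, n in counts.items() if n >= min_entries)


if __name__ == "__main__":
    for hit in find_blocks(SAMPLE_CSF_DENY, "198.51.100.23"):
        print(hit["ip"], hit["service"], hit["count"], hit["window"], hit["when"])
    print("repeat offenders:", repeat_offenders(SAMPLE_CSF_DENY))
```

Run it against a copy of the real file with `find_blocks(open("/etc/csf/csf.deny").read(), "<ip>")`; the output for an address tells you whether the entry is an automatic lfd block (service and timestamp present) or a manual one, which decides whether unblocking it is enough or the cause on the client side needs fixing first.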
To whitelist an IP Address perform the following steps:
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘Firewall’, then select the option that shows up labeled ‘ConfigServer Security & Firewall’.
3.) Find the option labeled ‘Quick Allow’, then enter the IP Address you want to whitelist. If desired, enter a comment with the reason for the whitelist, then click on the ‘Quick Allow’ button.
To block an IP Address perform the following steps:
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘Firewall’, then select the option that shows up labeled ‘ConfigServer Security & Firewall’.
3.) Find the option labeled ‘Quick Deny’, then enter the IP Address you want blocked from the server. If desired, enter a comment with the reason for the block, then click on the ‘Quick Deny’ button.
How to manage Mod Security
Mod Security (ModSecurity) is an Apache module on the cPanel server that checks incoming HTTP and HTTPS requests against a set of rules. If a request matches a rule that identifies it as malicious, or contains keywords that are common in spam or phishing attempts, the request is blocked.
When Mod Security blocks a request you will receive a generic 403 Forbidden error. Because a 403 can have several causes, one of the first things we’d check is the Apache error log to see whether, and why, the request was blocked.
Checking Mod Security Event Activity
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘Terminal’, then select the option that shows up labeled ‘Terminal’.
3.) You should now see the SSH terminal built into WHM (requires a minimum WHM version of 74.x). Within this terminal enter the following command, then press Enter:
cd /usr/local/apache/logs/
4.) The above command changed the directory to /usr/local/apache/logs/. Let’s now search the logs to see whether mod security is blocking the request. To do this, we recommend first using the grep command to find only the entries for the specific domain you’re interested in (so log entries for other domains are filtered out). See the below command to run:
grep "example.com" error_log | less
The above code will do a search for ‘example.com’ within the error_log file. Then it will display the results using the ‘less’ command.
5.) You should now see all the logs for this domain from recent days. This could be several days or even weeks of logs, so we recommend that you go to the end of the log results. To do this hold down your SHIFT key on your keyboard and press G. (SHIFT + G)
6.) You should now be at the bottom of the log file. Scroll up through the logs until you see an error for the URL that returned the 403 Forbidden error. It will look something like the snippet below:
[Thurs Oct 18 14:50:28.988 2018] [:error] [pid 3771:tid 13994747728402] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]| . (?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)" at ARGS_NAMES:;--. [file "/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: ;-- found within ARGS_NAMES:;--: ;--"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "omitted"] [uri "/"] [unique_id "V4OyNKwRAAIAAA67KCwAAABF"]
7.) In this case, the rule being triggered was ‘981231’; the number is taken from the [id "981231"] field of the snippet above, and the [msg "..."] field explains what the rule matched. We could whitelist rule ‘981231’ for the whole server or for the site specifically. We recommend that you research the rule number first and check whether whitelisting it is advisable, as whitelisting the wrong rules could leave vulnerabilities open on the server or on your site.
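As an added example (not part of this guide, and not cPanel’s or ModSecurity’s own tooling), the Python below parses the bracketed fields of ModSecurity denial entries like the one above and counts denials per rule id for one hostname, which is exactly what you need to know before deciding whether a rule is safe to whitelist. The sample error_log lines are constructed for the example in the same shape as the entry quoted above; the client IPs, hostnames and unique ids are made up, and a non-ModSecurity error line is included to show it is skipped.

```python
import re
from collections import Counter

# Constructed Apache error_log sample in the shape of the ModSecurity entry quoted
# in the guide. Client IPs, hostnames and unique_ids are made up for the example.
SAMPLE_LOG = """\
[Thu Oct 18 14:50:28.988 2018] [:error] [pid 3771:tid 139947477284] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[';]--" at ARGS_NAMES:;--. [file "/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: ;-- found within ARGS_NAMES:;--: ;--"] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "example.com"] [uri "/"] [unique_id "V4OyNKwRAAIAAA67KCwAAABF"]
[Thu Oct 18 14:51:02.101 2018] [:error] [pid 3771:tid 139947477284] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/owasp-modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "OWASP_CRS/ANOMALY/EXCEEDED"] [hostname "example.com"] [uri "/contact.php"] [unique_id "V4OyNKwRAAIAAA67KCwAAABG"]
[Thu Oct 18 14:52:40.555 2018] [:error] [pid 3780:tid 139947477284] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[';]--" at ARGS:q. [file "/owasp-modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "other.example"] [uri "/search"] [unique_id "V4OyNKwRAAIAAA67KCwAAABH"]
[Thu Oct 18 14:53:00.000 2018] [:error] [pid 3780:tid 139947477284] [client 203.0.113.7] File does not exist: /home/user/public_html/favicon.ico
"""

# One bracketed field with a quoted value, e.g. [id "981231"] or [msg "SQL Comment Sequence Detected."].
# The value may contain escaped quotes, which ModSecurity writes as \".
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The client field is unquoted: [client 123.123.123.123] (Apache 2.4 may append :port).
CLIENT_RE = re.compile(r"\[client ([^\]\s]+?)(?::\d+)?\]")


def parse_modsec_entry(line):
    """Return the fields of one ModSecurity denial as a dict, or None for any
    other error_log line (file-not-found errors, PHP notices, ...).

    Repeated [tag "..."] fields are collected into a list; every other
    quoted field (id, msg, file, line, severity, hostname, uri, ...) is
    stored under its own name.
    """
    if "ModSecurity: Access denied" not in line:
        return None
    entry = {"client": None, "tags": []}
    m = CLIENT_RE.search(line)
    if m:
        entry["client"] = m.group(1)
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            entry["tags"].append(value)
        else:
            entry[key] = value
    return entry


def summarize_denials(log_text, hostname=None):
    """Count denials per rule id, most frequent first, as (id, count, msg).

    Passing `hostname` restricts the count to one domain, which mirrors the
    guide's grep for a single domain before deciding what to whitelist.
    """
    counts = Counter()
    messages = {}
    for line in log_text.splitlines():
        entry = parse_modsec_entry(line)
        if entry is None or "id" not in entry:
            continue
        if hostname and entry.get("hostname") != hostname:
            continue
        counts[entry["id"]] += 1
        messages.setdefault(entry["id"], entry.get("msg", ""))
    return [(rule_id, n, messages[rule_id]) for rule_id, n in counts.most_common()]


if __name__ == "__main__":
    for rule_id, n, msg in summarize_denials(SAMPLE_LOG, hostname="example.com"):
        print(f"rule {rule_id}: {n} denial(s) - {msg}")
```

On a live server the same summary comes from `summarize_denials(open("/usr/local/apache/logs/error_log").read(), "yourdomain.com")`. The msg and file fields tell you what each rule is for; an anomaly-score rule such as the second sample entry is only the final verdict, and the rules that contributed to the score are the ones to investigate before whitelisting anything.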
How to Whitelist Mod Security rules
1.) Login to WHM (covered above).
2.) In the top-left search box within WHM search for ‘ModSec’, then select the option that shows up labeled ‘ConfigServer ModSec Control’.
3.) To whitelist the rule(s) globally, enter the rule number(s) in the ‘ModSecurity rule ID list’ field, then click on the ‘Save Global Whitelist’ button.
4.) To whitelist the rule(s) only for a specific domain, select the desired domain from the list and click the ‘Modify User Whitelist’ button, then enter the rule number(s) in the ‘ModSecurity rule ID list’ field and save the whitelist.
Now you can attempt to replicate the error previously recorded. The error may no longer be present; however, if it is still there, go through this process again, as a different ModSecurity rule may be triggering this time. This happens because ModSecurity stops processing the request at the first rule that blocks it, so a later rule in the set only gets a chance to match once the earlier one has been whitelisted.