A bunch of beginner questions

Discussion in 'Linux VPS/Dedicated - cPanel' started by jnicol, Nov 6, 2013.

  1. jnicol

    jnicol New Member

    Hi all,

    I am new to VPS hosting, and after doing my initial WHM and server configuration I have a few questions for the community, to ensure I'm following best practices and not overlooking anything important.

    Apologies for cramming so many questions into one post - I thought it would be better than flooding the forum with multiple threads.

    WHM and OS updates

    What is the best practice for upgrading the VPS operating system and WHM? I think that by default WHM and cPanel auto-update themselves - is this correct?


    What are some best practices for securing my VPS? Here's what I've done already:

    - Created a new unix user with a strong password, added it to the wheel group and gave wheel users sudo. This is the user I'll be using to ssh to the VPS.
    - Disabled password login for root user
    - Changed root password to something strong
    - Enabled cPHulk brute force protection in WHM
    - Change PHP handler to suPHP
    - Enabled SMTP restrictions
    - Enabled PHP open_basedir

    I'll be using my VPS for hosting my personal sites, and a small number of client sites (I'm a web designer/developer). Are there any other tweaks I should make to harden the server security?


    I notice that ConfigServer Security & Firewall plugin is installed. Is there anything special I need to configure here? Is the firewall a set-and-forget kind of thing, or do I need to keep an eye on it for e.g. system diagnostics and security?


    Should I enable mod_security? I have memories of running into problems with shared hosts where mod_security was running, which makes me wary.

    That's enough for now I think! Thanks to anyone who can give me some tips on these points.
  2. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Welcome to KnownHost!

    Bring it on ;)

    It's indeed automatic so nothing to worry about here.

    Sounds like you've got it covered. If you wanted to go even more secure you could swap SSH away from passwords at all and use keys.

    We've already got this configured for you, and it auto-updates as well. Nothing to worry about here.

    This is wholly up to you. We are not able to assist in writing rules for it for you, but if you understand how it works it can be a very, very powerful system.

    About the only thing I have to add is to make sure you always keep your scripts updated. Do that, combined with our default setup and the steps you've already taken and you're golden.
  3. jnicol

    jnicol New Member

    Holy speedy reply batman!

    Thanks Jonathan, your answers are very reassuring that I'm on the right track.

    I do plan on creating SSH keys (as much as anything to save me having to copy/paste my password every time I log in!), but I did read in another thread that KH prefer that password login is left enabled in order to facilitate login by KH support staff, should it be required. Is that true?

    I'm also wondering - is it advisable to implement IP whitelisting for WHM logins? I like this idea, but I notice that in WHM -> Security Center -> Configure Security Policies it states that the security policies are applied to cPanel users too. I don’t want cPanel users to have to answer security questions when they log in. As a cPanel end user I’ve never had to do that and I imagine it would be annoying and confusing for my clients...
  4. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    It's possible to separate the policies for cPanel and WHM - you just have to define which daemon you're making the rule for. See http://docs.cpanel.net/twiki/bin/view/AllDocumentation/WHMDocs/DenyAccess
  5. jnicol

    jnicol New Member

    OK, awesome. I'll look into that. Thanks again for your help.
  6. Nicki

    Nicki Member

    Just my $0.02: until you make the switch to using SSH keys, you could implement IP whitelisting for SSH. You'd do this in WHM by going to
    Home, Security Center, Host Access Control. I have mine setup to allow access to only a few IPs and deny all others.
  7. jnicol

    jnicol New Member

    I set up ssh keys already, but I dig the idea of IP whitelisting too. I have a dynamic IP address though, so if I whitelist then I run the risk of locking myself out, I think?
  8. Dan

    Dan Moderator


    Yes you do run the risk of getting locked out. Not many consumers have static IP numbers, I know I don't lol

Share This Page